author Internet Software Consortium, Inc <@isc.org> 2011-05-13 01:03:40 -0600
committer Internet Software Consortium, Inc <@isc.org> 2011-05-13 01:03:40 -0600
commit f13cea168cb5adc1f6fff6a08956a95e127f92a2
tree 5fde91744b89feb1bf3d8497aafb989178b5032e
parent 7e7a7183d2b2c4678f8860b6ec97189a2d9e66d0
9.8.0-P1
-rw-r--r-- CHANGES 6
-rw-r--r-- RELEASE-NOTES-BIND-9.8.html 308
-rw-r--r-- RELEASE-NOTES-BIND-9.8.pdf bin 56996 -> 0 bytes
-rw-r--r-- RELEASE-NOTES-BIND-9.8.txt 227
-rw-r--r-- bin/named/query.c 14
-rw-r--r-- bin/tests/system/rpz/ns3/base.db 6
-rw-r--r-- bin/tests/system/rpz/tests.sh 34
-rw-r--r-- bin/tests/system/start.pl 29
-rw-r--r-- version 6
-rw-r--r-- win32utils/readme1st.txt 318
-rw-r--r-- win32utils/win32-build.txt 302
11 files changed, 388 insertions, 862 deletions
diff --git a/CHANGES b/CHANGES
index b42ec094..e654241d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+ --- 9.8.0-P1 released ---
+
+3100. [security] Certain response policy zone configurations could
+ trigger an INSIST when receiving a query of type
+ RRSIG. [RT #24280]
+
--- 9.8.0 released ---
3025. [bug] Fixed a possible deadlock due to zone resigning.
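Review bot: Entry 3100 names only a query of type RRSIG as the trigger, but the query.c change in this same commit short-circuits both dns_rdatatype_rrsig and dns_rdatatype_sig, and tests.sh adds a SIG case as well. Suggest wording it as "a query of type RRSIG or SIG" so an operator reading CHANGES to judge exposure sees both query types. A [security] item should also state the operational impact in one clause: an INSIST failure aborts named.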
diff --git a/RELEASE-NOTES-BIND-9.8.html b/RELEASE-NOTES-BIND-9.8.html
deleted file mode 100644
index a0fe61fc..00000000
--- a/RELEASE-NOTES-BIND-9.8.html
+++ /dev/null
@@ -1,308 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title></title><link rel="stylesheet" href="release-notes.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article"><div class="titlepage"><hr /></div>
-
- <div class="section" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2609042"></a>Introduction</h2></div></div></div>
-
- <p>
- BIND 9.8.0 is the first production release of BIND 9.8.
- </p>
- <p>
- This document summarizes changes from BIND 9.7 to BIND 9.8.
- Please see the CHANGES file in the source code release for a
- complete list of all changes.
- </p>
- </div>
-
- <div class="section" title="Download"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475544"></a>Download</h2></div></div></div>
-
- <p>
- The latest development versions of BIND 9 software can always be found
- on our web site at
- <a class="ulink" href="http://www.isc.org/downloads/development" target="_top">http://www.isc.org/downloads/development</a>.
- There you will find additional information about each release,
- source code, and some pre-compiled versions for certain operating
- systems.
- </p>
- </div>
-
- <div class="section" title="Support"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475577"></a>Support</h2></div></div></div>
-
- <p>Product support information is available on
- <a class="ulink" href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
- for paid support options. Free support is provided by our user
- community via a mailing list. Information on all public email
- lists is available at
- <a class="ulink" href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
- </p>
- </div>
-
- <div class="section" title="New Features"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475533"></a>New Features</h2></div></div></div>
-
- <div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id2609063"></a>9.8.0</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
-The ADB hash table stores informations about which authoritative
-servers to query about particular domains. Previous versions of BIND
-had the hash table size as a fixed value. On a busy recursive server,
-this could lead to hash table collisions in the ADB cache, resulting
-in degraded response time to queries. Bind 9.8 now has a dynamically
-scalable ADB hash table, which helps a busy server to avoid hash
-table collisions and maintain a consistent query response time.
-[RT #21186]
-</li><li class="listitem">
- BIND now supports a new zone type, static-stub. This allows the
- administrator of a recursive nameserver to force queries for
- a particular zone to go to IP addresses of the administrator's
- choosing, on a per zone basis, both globally or per view. I.e. if the
- administrator wishes to have their recursive server query 192.0.2.1
- and 192.0.2.2 for zone example.com rather than the servers listed by
- the .com gTLDs, they would configure example.com as a static-stub zone
- in their recursive server. [RT #21474]
- </li><li class="listitem">
- BIND now supports Response Policy Zones, a way of expressing "reputation"
- in real time via specially constructed DNS zones. See the draft specification
- here:
-<a class="ulink" href="http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt" target="_top">http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt</a>
- [RT #21726]
- </li><li class="listitem">
- BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records from
- specified A records if no AAAA record exists. IP6.ARPA CNAME records will be synthesized
- from corresponding IN-ADDR.ARPA. [RT #21991/22769]
- </li><li class="listitem">
- Dynamically Loadable Zones (DLZ) now support dynamic updates.
- Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
- </li><li class="listitem">
- Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers
- that can be loaded as shared objects at runtime rather than having to be
- linked with named at compile time. Currently this is switched on via a
- compile-time option, "configure --with-dlz-dlopen".
- Note: the syntax for configuring DLZ zones is likely to be refined in future releases.
- Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
- </li><li class="listitem">
- named now retains GSS-TSIG keys across restarts. This is for
- compatibility with Microsoft DHCP servers doing dynamic DNS
- updates for clients, which don't know to renegotiate the GSS-TSIG
- session key when named restarts. [RT #22639]
- </li><li class="listitem">
- There is a new update-policy match type "external". This
- allows named to decide whether to allow a dynamic update
- by checking with an external daemon.
- Contributed by Andrew Tridgell of the Samba Project. [RT #22758]
- </li><li class="listitem">
- There have been a number of bug fixes and ease of use enhancements
- for configuring BIND to support GSS-TSIG [RT #22629/22795]. These include:
- <div class="itemizedlist"><ul class="itemizedlist" type="circle"><li class="listitem">
-Added a "tkey-gssapi-keytab" option. If set, dynamic updates will be
-allowed for any key matching a Kerberos principal in the specified keytab
-file. "tkey-gssapi-credential" is no longer required and is expected to
-be deprecated. Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
-</li><li class="listitem">
-It is no longer necessary to have a valid /etc/krb5.conf file. Using
-the syntax DNS/hostname@REALM in nsupdate is sufficient for
-to correctly set the default realm. [RT #22795]
-</li><li class="listitem">
-Documentation updated new gssapi configuration options (new option tkey-gssapi-keytab and changes in tkey-gssapi-credential and tkey-domain behavior). [RT 22795]
-</li><li class="listitem">
-DLZ correctly deals with NULL zone in a query. [RT 22795]
-</li><li class="listitem">
-TSIG correctly deals with a NULL tkey-&gt;creator. [RT 22795]
-</li></ul></div>
-</li><li class="listitem">
-A new test has been added to check the apex NSEC3 records after DNSKEY
-records have been added via dynamic update. [RT #23229]
-</li><li class="listitem">
-<p>
-RTT banding (randomized server selection on queries) was introduced in
-BIND releases in 2008, due to the Kaminsky cache poisoning bug. Instead
-of always picking the authoritative server with the lowest RTT to the
-caching resolver, all the authoritative servers within an RTT range were
-randomly used by the recursive server.
-</p>
-<p>
-While this did add an extra bit of randomness that an attacker had to
-overcome to poison a recursive server's cache, it also impacts the
-resolver's speed in answering end customer queries, since it's no
-longer the fastest auth server that gets asked. This means that
-performance optimizations, such using topologically close
-authoritative servers, are rendered ineffective.
-</p>
-<p>
-ISC has evaluated the amount of security added versus the performance
-hit to end users and has decided that RTT banding is causing more harm
-than good. Therefore, with this release, BIND is going back to the server
-selection used prior to adding RTT banding.
-[RT #23310]
-</p>
- </li></ul></div>
- </div>
- </div>
-
- <div class="section" title="Feature Changes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475792"></a>Feature Changes</h2></div></div></div>
-
- <div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id3475798"></a>9.8.0</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- There is a new option in dig, +onesoa, that allows the final SOA record in an AXFR response to be suppressed. [RT #20929
- </li><li class="listitem">
- There is additional information displayed in the recursing log (qtype, qclass, qid and whether we are following the original name). [RT #22043]
- </li><li class="listitem">
-Added option 'resolver-query-timeout' in named.conf (max query timeout
-in seconds) to set a different value than the default (30 seconds). A
-value of 0 means 'use the compiled in default'; anything longer than 30
-will be silently set to 30.
-[RT #22852]
- </li><li class="listitem">
- For Mac OS X, you can now have the test interfaces used during "make test" stay beyond reboot. See bin/tests/system/README for details.
- </li></ul></div>
- </div>
- </div>
-
- <div class="section" title="Security Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475834"></a>Security Fixes</h2></div></div></div>
-
- <div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id3475839"></a>9.8.0</h3></div></div></div>
-
- <p>None.</p>
- </div>
- </div>
-
- <div class="section" title="Bug Fixes"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475850"></a>Bug Fixes</h2></div></div></div>
-
- <div class="section" title="9.8.0"><div class="titlepage"><div><div><h3 class="title"><a id="id3475855"></a>9.8.0</h3></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- BIND now builds with threads disabled in versions of NetBSD earlier
- than 5.0 and with pthreads enabled by default in NetBSD versions 5.0
- and higher. Also removes support for unproven-pthreads, mit-pthreads
- and ptl2. [RT #19203]
- </li><li class="listitem">
- If BIND has openssl compiled in (the default) and has any permission
- problems opening the openssl.cnf file, BIND utilities fail. Currently
- ISC is including a patch to openssl in bin/pkcs11/openssl-0.9.8l-patch
- but ISC is working on a better solution until openssl fixes this.
- [RT #20668]
- </li><li class="listitem">
- nsupdate will now preserve the entered case of domain names in
- update requests it sends. [RT #20928]
- </li><li class="listitem">
- Added a regression test for fix 2896/RT #21045 ("rndc sign" failed
- to properly update the zone when adding a DNSKEY for publication
- only). [RT #21324]
- </li><li class="listitem">
- "nsupdate -l" now gives error message if "session.key" file is not
- found. [RT #21670]
- </li><li class="listitem">
- HPUX now correctly defaults to using /dev/poll, which should
- increase performance. [RT #21919]
- </li><li class="listitem">
- If named is running as a threaded application, after an "rndc stop"
- command has been issued, other inbound TCP requests can cause named
- to hang and never complete shutdown. [RT #22108]
- </li><li class="listitem">
- After an "rndc reconfig", the refresh timer for managed-keys is ignored, resulting in managed-keys
- not being refreshed until named is restarted. [RT #22296]
- </li><li class="listitem">
- An NSEC3PARAM record placed inside a zone which is not properly
- signed with NSEC3 could cause named to crash, if changed via dynamic
- update. [RT #22363]
- </li><li class="listitem">
- "rndc -h" now includes "loadkeys" option. [RT #22493]
- </li><li class="listitem">
- When performing a GSS-TSIG signed dynamic zone update, memory could be
- leaked. This causes an unclean shutdown and may affect long-running
- servers. [RT #22573]
- </li><li class="listitem">
- A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled allows
- for a TCP DoS attack. Until there is a kernel fix, ISC is disabling
- SO_ACCEPTFILTER support in BIND. [RT #22589]
- </li><li class="listitem">
-When signing records, named didn't filter out any TTL changes
-to DNSKEY records. This resulted in an incomplete key set. TTL
-changes are now dealt with before signing. [RT #22590]
- </li><li class="listitem">
- Corrected a defect where a combination of dynamic updates and zone
- transfers incorrectly locked the in-memory zone database, causing
- named to freeze. [RT #22614]
- </li><li class="listitem">
- Don't run MX checks (check-mx) when the MX record points to ".".
-[RT #22645]
- </li><li class="listitem">
- DST key reference counts can now be incremented via dst_key_attach.
-[RT #22672]
- </li><li class="listitem">
-The IN6_IS_ADDR_LINKLOCAL and
-IN6_IS_ADDR_SITELOCAL macros in win32 were updated/corrected
-per current Windows OS. [RT #22724]
- </li><li class="listitem">
- "dnssec-settime -S" no longer tests prepublication interval validity
- when the interval is set to 0. [RT #22761]
- </li><li class="listitem">
- isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy attr. [RT #22766]
- </li><li class="listitem">
- The Kerberos realm was being truncated when being pulled from the
- the host prinicipal, make krb5-self updates fail. [RT #22770]
- </li><li class="listitem">
- Fixed GSS TSIG test problems for Solaris/MacOSX. [RT #22853]
- </li><li class="listitem">
-Prior to this fix, when named was was writing a zone to disk (as slave,
-when resigning, etc.), it might not correctly preserve the case of domain
-name labels within RDATA, if the RDATA was not compressible. The result is
-that when reloading the zone from disk would, named could serve data
-that did not match the RRSIG for that data, due to case mismatch. named
-now correctly preserves case. After upgrading to fixed code, the
-operator should either resign the data (on the master) or delete the
-disk file on the slave and reload the zone. [RT #22863]
- </li><li class="listitem">
-The man page for dnssec-keyfromlabel incorrectly had "-U" rather
-than the correct option "-I". [RT #22887]
- </li><li class="listitem">
-The "rndc" command usage statement was missing the "-b" option.
-[RT #22937]
- </li><li class="listitem">
-Fixed a possible deadlock due to zone re-signing.
-[RT #22964]
- </li><li class="listitem">
-The TTL for DNS64 synthesized answers was not always set correctly.
-[RT #23034]
- </li><li class="listitem">
-The secure zone update feature in named is based on the zone
-being signed and configured for dynamic updates. A bug in the ACL
-processing for "allow-update { none; };" resulted in a zone that is
-supposed to be static being treated as a dynamic zone. Thus, name
-would try to sign/re-sign that zone erroneously. [RT #23120]
- </li><li class="listitem">
-When using auto-dnssec and updating DNSKEY records, named did correctly
-update the zone. [RT #23232]
- </li><li class="listitem">
-After a failed zone transfer of an RPZ (response policy zone), named
-would respond with SERVFAIL for subsequent queries in the RPZ zone.
-[RT #23246]
- </li><li class="listitem">
-If a slave initiates a TSIG signed AXFR from the master and the master
-fails to correctly TSIG sign the final message, the slave would be left
-with the zone in an unclean state. named detected this error too late
-and named would crash with an INSIST. The order dependancy has been
-fixed. [RT #23254]
- </li></ul></div>
- </div>
- </div>
-
- <div class="section" title="Known issues in this release"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3475865"></a>Known issues in this release</h2></div></div></div>
-
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem">
- <p>
- None.
- </p>
- </li></ul></div>
- </div>
-
- <div class="section" title="Thank You"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id3476076"></a>Thank You</h2></div></div></div>
-
- <p>
- Thank you to everyone who assisted us in making this release possible.
- If you would like to contribute to ISC to assist us in continuing to make
- quality open source software, please visit our donations page at
- <a class="ulink" href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
- </p>
- </div>
-</div></body></html>
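Review bot: Deleting this file removes the "Security Fixes" section, which read "None." for 9.8.0, and nothing in the visible diff adds release notes for 9.8.0-P1 that describe the RT #24280 fix; the .pdf and .txt copies are removed below as well. The commit message ("9.8.0-P1") does not explain the removal. Suggest either shipping updated notes with a Security Fixes entry for this release, or saying in the commit message that release notes are intentionally dropped from the patch release and that CHANGES is the record of the fix.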
diff --git a/RELEASE-NOTES-BIND-9.8.pdf b/RELEASE-NOTES-BIND-9.8.pdf
deleted file mode 100644
index ced7ae36..00000000
--- a/RELEASE-NOTES-BIND-9.8.pdf
+++ /dev/null
Binary files differ
diff --git a/RELEASE-NOTES-BIND-9.8.txt b/RELEASE-NOTES-BIND-9.8.txt
deleted file mode 100644
index 1d24e545..00000000
--- a/RELEASE-NOTES-BIND-9.8.txt
+++ /dev/null
@@ -1,227 +0,0 @@
- __________________________________________________________________
-
-Introduction
-
- BIND 9.8.0 is the first production release of BIND 9.8.
-
- This document summarizes changes from BIND 9.7 to BIND 9.8. Please see
- the CHANGES file in the source code release for a complete list of all
- changes.
-
-Download
-
- The latest development versions of BIND 9 software can always be found
- on our web site at http://www.isc.org/downloads/development. There you
- will find additional information about each release, source code, and
- some pre-compiled versions for certain operating systems.
-
-Support
-
- Product support information is available on
- http://www.isc.org/services/support for paid support options. Free
- support is provided by our user community via a mailing list.
- Information on all public email lists is available at
- https://lists.isc.org/mailman/listinfo.
-
-New Features
-
-9.8.0
-
- * The ADB hash table stores informations about which authoritative
- servers to query about particular domains. Previous versions of
- BIND had the hash table size as a fixed value. On a busy recursive
- server, this could lead to hash table collisions in the ADB cache,
- resulting in degraded response time to queries. Bind 9.8 now has a
- dynamically scalable ADB hash table, which helps a busy server to
- avoid hash table collisions and maintain a consistent query
- response time. [RT #21186]
- * BIND now supports a new zone type, static-stub. This allows the
- administrator of a recursive nameserver to force queries for a
- particular zone to go to IP addresses of the administrator's
- choosing, on a per zone basis, both globally or per view. I.e. if
- the administrator wishes to have their recursive server query
- 192.0.2.1 and 192.0.2.2 for zone example.com rather than the
- servers listed by the .com gTLDs, they would configure example.com
- as a static-stub zone in their recursive server. [RT #21474]
- * BIND now supports Response Policy Zones, a way of expressing
- "reputation" in real time via specially constructed DNS zones. See
- the draft specification here:
- http://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt [RT #21726]
- * BIND 9.8.0 now has DNS64 support. named synthesizes AAAA records
- from specified A records if no AAAA record exists. IP6.ARPA CNAME
- records will be synthesized from corresponding IN-ADDR.ARPA. [RT
- #21991/22769]
- * Dynamically Loadable Zones (DLZ) now support dynamic updates.
- Contributed by Andrew Tridgell of the Samba Project. [RT #22629]
- * Added a "dlopen" DLZ driver, allowing the creation of external DLZ
- drivers that can be loaded as shared objects at runtime rather than
- having to be linked with named at compile time. Currently this is
- switched on via a compile-time option, "configure
- --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is
- likely to be refined in future releases. Contributed by Andrew
- Tridgell of the Samba Project. [RT #22629]
- * named now retains GSS-TSIG keys across restarts. This is for
- compatibility with Microsoft DHCP servers doing dynamic DNS updates
- for clients, which don't know to renegotiate the GSS-TSIG session
- key when named restarts. [RT #22639]
- * There is a new update-policy match type "external". This allows
- named to decide whether to allow a dynamic update by checking with
- an external daemon. Contributed by Andrew Tridgell of the Samba
- Project. [RT #22758]
- * There have been a number of bug fixes and ease of use enhancements
- for configuring BIND to support GSS-TSIG [RT #22629/22795]. These
- include:
- + Added a "tkey-gssapi-keytab" option. If set, dynamic updates
- will be allowed for any key matching a Kerberos principal in
- the specified keytab file. "tkey-gssapi-credential" is no
- longer required and is expected to be deprecated. Contributed
- by Andrew Tridgell of the Samba Project. [RT #22629]
- + It is no longer necessary to have a valid /etc/krb5.conf file.
- Using the syntax DNS/hostname@REALM in nsupdate is sufficient
- for to correctly set the default realm. [RT #22795]
- + Documentation updated new gssapi configuration options (new
- option tkey-gssapi-keytab and changes in
- tkey-gssapi-credential and tkey-domain behavior). [RT 22795]
- + DLZ correctly deals with NULL zone in a query. [RT 22795]
- + TSIG correctly deals with a NULL tkey->creator. [RT 22795]
- * A new test has been added to check the apex NSEC3 records after
- DNSKEY records have been added via dynamic update. [RT #23229]
- * RTT banding (randomized server selection on queries) was introduced
- in BIND releases in 2008, due to the Kaminsky cache poisoning bug.
- Instead of always picking the authoritative server with the lowest
- RTT to the caching resolver, all the authoritative servers within
- an RTT range were randomly used by the recursive server.
- While this did add an extra bit of randomness that an attacker had
- to overcome to poison a recursive server's cache, it also impacts
- the resolver's speed in answering end customer queries, since it's
- no longer the fastest auth server that gets asked. This means that
- performance optimizations, such using topologically close
- authoritative servers, are rendered ineffective.
- ISC has evaluated the amount of security added versus the
- performance hit to end users and has decided that RTT banding is
- causing more harm than good. Therefore, with this release, BIND is
- going back to the server selection used prior to adding RTT
- banding. [RT #23310]
-
-Feature Changes
-
-9.8.0
-
- * There is a new option in dig, +onesoa, that allows the final SOA
- record in an AXFR response to be suppressed. [RT #20929
- * There is additional information displayed in the recursing log
- (qtype, qclass, qid and whether we are following the original
- name). [RT #22043]
- * Added option 'resolver-query-timeout' in named.conf (max query
- timeout in seconds) to set a different value than the default (30
- seconds). A value of 0 means 'use the compiled in default';
- anything longer than 30 will be silently set to 30. [RT #22852]
- * For Mac OS X, you can now have the test interfaces used during
- "make test" stay beyond reboot. See bin/tests/system/README for
- details.
-
-Security Fixes
-
-9.8.0
-
- None.
-
-Bug Fixes
-
-9.8.0
-
- * BIND now builds with threads disabled in versions of NetBSD earlier
- than 5.0 and with pthreads enabled by default in NetBSD versions
- 5.0 and higher. Also removes support for unproven-pthreads,
- mit-pthreads and ptl2. [RT #19203]
- * If BIND has openssl compiled in (the default) and has any
- permission problems opening the openssl.cnf file, BIND utilities
- fail. Currently ISC is including a patch to openssl in
- bin/pkcs11/openssl-0.9.8l-patch but ISC is working on a better
- solution until openssl fixes this. [RT #20668]
- * nsupdate will now preserve the entered case of domain names in
- update requests it sends. [RT #20928]
- * Added a regression test for fix 2896/RT #21045 ("rndc sign" failed
- to properly update the zone when adding a DNSKEY for publication
- only). [RT #21324]
- * "nsupdate -l" now gives error message if "session.key" file is not
- found. [RT #21670]
- * HPUX now correctly defaults to using /dev/poll, which should
- increase performance. [RT #21919]
- * If named is running as a threaded application, after an "rndc stop"
- command has been issued, other inbound TCP requests can cause named
- to hang and never complete shutdown. [RT #22108]
- * After an "rndc reconfig", the refresh timer for managed-keys is
- ignored, resulting in managed-keys not being refreshed until named
- is restarted. [RT #22296]
- * An NSEC3PARAM record placed inside a zone which is not properly
- signed with NSEC3 could cause named to crash, if changed via
- dynamic update. [RT #22363]
- * "rndc -h" now includes "loadkeys" option. [RT #22493]
- * When performing a GSS-TSIG signed dynamic zone update, memory could
- be leaked. This causes an unclean shutdown and may affect
- long-running servers. [RT #22573]
- * A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled
- allows for a TCP DoS attack. Until there is a kernel fix, ISC is
- disabling SO_ACCEPTFILTER support in BIND. [RT #22589]
- * When signing records, named didn't filter out any TTL changes to
- DNSKEY records. This resulted in an incomplete key set. TTL changes
- are now dealt with before signing. [RT #22590]
- * Corrected a defect where a combination of dynamic updates and zone
- transfers incorrectly locked the in-memory zone database, causing
- named to freeze. [RT #22614]
- * Don't run MX checks (check-mx) when the MX record points to ".".
- [RT #22645]
- * DST key reference counts can now be incremented via dst_key_attach.
- [RT #22672]
- * The IN6_IS_ADDR_LINKLOCAL and IN6_IS_ADDR_SITELOCAL macros in win32
- were updated/corrected per current Windows OS. [RT #22724]
- * "dnssec-settime -S" no longer tests prepublication interval
- validity when the interval is set to 0. [RT #22761]
- * isc_mutex_init_errcheck() in phtreads/mutex.c failed to destroy
- attr. [RT #22766]
- * The Kerberos realm was being truncated when being pulled from the
- the host prinicipal, make krb5-self updates fail. [RT #22770]
- * Fixed GSS TSIG test problems for Solaris/MacOSX. [RT #22853]
- * Prior to this fix, when named was was writing a zone to disk (as
- slave, when resigning, etc.), it might not correctly preserve the
- case of domain name labels within RDATA, if the RDATA was not
- compressible. The result is that when reloading the zone from disk
- would, named could serve data that did not match the RRSIG for that
- data, due to case mismatch. named now correctly preserves case.
- After upgrading to fixed code, the operator should either resign
- the data (on the master) or delete the disk file on the slave and
- reload the zone. [RT #22863]
- * The man page for dnssec-keyfromlabel incorrectly had "-U" rather
- than the correct option "-I". [RT #22887]
- * The "rndc" command usage statement was missing the "-b" option. [RT
- #22937]
- * Fixed a possible deadlock due to zone re-signing. [RT #22964]
- * The TTL for DNS64 synthesized answers was not always set correctly.
- [RT #23034]
- * The secure zone update feature in named is based on the zone being
- signed and configured for dynamic updates. A bug in the ACL
- processing for "allow-update { none; };" resulted in a zone that is
- supposed to be static being treated as a dynamic zone. Thus, name
- would try to sign/re-sign that zone erroneously. [RT #23120]
- * When using auto-dnssec and updating DNSKEY records, named did
- correctly update the zone. [RT #23232]
- * After a failed zone transfer of an RPZ (response policy zone),
- named would respond with SERVFAIL for subsequent queries in the RPZ
- zone. [RT #23246]
- * If a slave initiates a TSIG signed AXFR from the master and the
- master fails to correctly TSIG sign the final message, the slave
- would be left with the zone in an unclean state. named detected
- this error too late and named would crash with an INSIST. The order
- dependancy has been fixed. [RT #23254]
-
-Known issues in this release
-
- * None.
-
-Thank You
-
- Thank you to everyone who assisted us in making this release possible.
- If you would like to contribute to ISC to assist us in continuing to
- make quality open source software, please visit our donations page at
- http://www.isc.org/supportisc.
diff --git a/bin/named/query.c b/bin/named/query.c
index f47cd38e..573f4504 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.c,v 1.353.8.2 2011-02-18 15:27:58 smann Exp $ */
+/* $Id: query.c,v 1.353.8.2.2.1 2011-04-27 17:06:27 each Exp $ */
/*! \file */
@@ -4087,9 +4087,15 @@ rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
if (dns_rdataset_isassociated(*rdatasetp))
dns_rdataset_disassociate(*rdatasetp);
dns_db_detachnode(*dbp, nodep);
- result = dns_db_find(*dbp, qnamef, version, qtype, 0,
- client->now, nodep, found,
- *rdatasetp, NULL);
+
+ if (qtype == dns_rdatatype_rrsig ||
+ qtype == dns_rdatatype_sig)
+ result = DNS_R_NXRRSET;
+ else
+ result = dns_db_find(*dbp, qnamef, version,
+ qtype, 0, client->now,
+ nodep, found, *rdatasetp,
+ NULL);
}
}
switch (result) {
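Review bot: The new test on qtype in rpz_find() (dns_rdatatype_rrsig or dns_rdatatype_sig, returning DNS_R_NXRRSET) has no comment saying why these two types must skip dns_db_find(); a one-line comment citing RT #24280 would keep a later cleanup from removing the branch. On this path the node has just been released by dns_db_detachnode() and *rdatasetp disassociated, and neither is repopulated, so please confirm that the DNS_R_NXRRSET arm of the switch (result) that follows does not assume an attached node or an associated rdataset. Braces around the multi-line if/else bodies would also make the control flow easier to follow.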
diff --git a/bin/tests/system/rpz/ns3/base.db b/bin/tests/system/rpz/ns3/base.db
index d1d92e84..16eb47f9 100644
--- a/bin/tests/system/rpz/ns3/base.db
+++ b/bin/tests/system/rpz/ns3/base.db
@@ -12,7 +12,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: base.db,v 1.3 2011-01-13 04:59:25 tbox Exp $
+; $Id: base.db,v 1.3.130.1 2011-04-27 17:06:28 each Exp $
; RPZ test
@@ -29,3 +29,7 @@ $TTL 120
128.zz.3333.4444.0.7777.8888.rpz-ip CNAME .
128.zz.3333.4444.0.8777.8888.rpz-ip CNAME .
127.zz.3333.4444.0.8777.8888.rpz-ip CNAME .
+
+; for testing rrset replacement
+redirect IN A 127.0.0.1
+*.redirect IN A 127.0.0.1
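Review bot: The comment "for testing rrset replacement" on the new redirect and *.redirect records does not match how this commit uses them: tests.sh queries www.redirect only with -trrsig and -tsig to check that the server stays up. Suggest stating in the comment that these records back the RRSIG/SIG regression queries for RT #24280, so they are not later pruned as unused or repurposed in a way that stops the test from reaching the fixed code path.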
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index bf4f2bba..fd980a4b 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -12,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.3 2011-01-13 04:59:24 tbox Exp $
+# $Id: tests.sh,v 1.3.130.1 2011-04-27 17:06:27 each Exp $
# test response policy zones (RPZ)
@@ -215,6 +215,38 @@ if grep CNAME $DIGNM >/dev/null; then : ; else
fi
end_test
+ret=0
+echo "I:checking RRSIG queries"
+# We don't actually care about the query results; the important
+# thing is the server handles RRSIG queries okay
+$DIGCMD a3-1.tld2 -trrsig @$s3 > /dev/null 2>&1
+$DIGCMD a3-2.tld2 -trrsig @$s3 > /dev/null 2>&1
+$DIGCMD a3-5.tld2 -trrsig @$s3 > /dev/null 2>&1
+$DIGCMD www.redirect -trrsig @$s3 > /dev/null 2>&1
+
+$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then
+ echo "I:failed";
+ (cd ..; $PERL start.pl --noclean --restart rpz ns3)
+fi
+status=`expr $status + $ret`
+
+ret=0
+echo "I:checking SIG queries"
+# We don't actually care about the query results; the important
+# thing is the server handles SIG queries okay
+$DIGCMD a3-1.tld2 -tsig @$s3 > /dev/null 2>&1
+$DIGCMD a3-2.tld2 -tsig @$s3 > /dev/null 2>&1
+$DIGCMD a3-5.tld2 -tsig @$s3 > /dev/null 2>&1
+$DIGCMD www.redirect -tsig @$s3 > /dev/null 2>&1
+
+$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then
+ echo "I:failed";
+ (cd ..; $PERL start.pl --noclean --restart rpz ns3)
+fi
+status=`expr $status + $ret`
+
if test "$status" -eq 0; then
rm -f dig.out*
fi
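Review bot: both new checks only test that `rndc status` succeeds after all four dig calls, and every dig's output and exit status go to /dev/null, so a failure cannot be tied to a particular name and a crash on the first query is noticed only at the end. Writing dig's output to a `dig.out.*` file would leave something to inspect on failure, and the `rm -f dig.out*` at the end already removes such files on success. The RRSIG and SIG blocks are also identical apart from `-trrsig` / `-tsig`, so a loop over the two types would remove the duplication and allow the "I:failed" line to name the type that took the server down.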
diff --git a/bin/tests/system/start.pl b/bin/tests/system/start.pl
index 0b487f5c..86723dd8 100644
--- a/bin/tests/system/start.pl
+++ b/bin/tests/system/start.pl
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: start.pl,v 1.16 2010-09-15 12:07:55 marka Exp $
+# $Id: start.pl,v 1.16.114.1 2011-04-27 17:06:27 each Exp $
# Framework for starting test servers.
# Based on the type of server specified, check for port availability, remove
@@ -34,9 +34,10 @@ use Getopt::Long;
# server - name of the server directory
# options - alternate options for the server
-my $usage = "usage: $0 [--noclean] test-directory [server-directory [server-options]]";
-my $noclean;
-GetOptions('noclean' => \$noclean);
+my $usage = "usage: $0 [--noclean] [--restart] test-directory [server-directory [server-options]]";
+my $noclean = '';
+my $restart = '';
+GetOptions('noclean' => \$noclean, 'restart' => \$restart);
my $test = $ARGV[0];
my $server = $ARGV[1];
my $options = $ARGV[2];
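Review bot: `--restart` is added to the usage string and to `GetOptions`, but nothing says it is only useful together with `--noclean`. The later hunks append to the `.run` file when `$restart` is set, while `$cleanup_files` still names that same file (`{lwresd.run}`, `{ans.run}`), so if cleanup runs on a restart the log being appended to is removed first. Either make `--restart` imply `--noclean` or document the dependency in the header comment beside the other argument descriptions.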
@@ -137,7 +138,11 @@ sub start_server {
if (-e "$testdir/$server/named.noaa");
$command .= "-c named.conf -d 99 -g";
}
- $command .= " >named.run 2>&1 &";
+ if ($restart) {
+ $command .= " >>named.run 2>&1 &";
+ } else {
+ $command .= " >named.run 2>&1 &";
+ }
$pid_file = "named.pid";
} elsif ($server =~ /^lwresd/) {
$cleanup_files = "{lwresd.run}";
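Review bot: the four-line `if ($restart)` / `else` added here is repeated in the lwresd and ans branches below, differing only in the file name. Choosing the operator once, for example `my $redir = $restart ? '>>' : '>';` after `GetOptions`, and then writing `$command .= " ${redir}named.run 2>&1 &";` in each branch keeps the three copies from drifting apart.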
@@ -150,7 +155,11 @@ sub start_server {
$command .= "-C resolv.conf -d 99 -g ";
$command .= "-i lwresd.pid -P 9210 -p 5300";
}
- $command .= " >lwresd.run 2>&1 &";
+ if ($restart) {
+ $command .= " >>lwresd.run 2>&1 &";
+ } else {
+ $command .= " >lwresd.run 2>&1 &";
+ }
$pid_file = "lwresd.pid";
} elsif ($server =~ /^ans/) {
$cleanup_files = "{ans.run}";
@@ -160,7 +169,11 @@ sub start_server {
} else {
$command .= "";
}
- $command .= " >ans.run 2>&1 &";
+ if ($restart) {
+ $command .= " >>ans.run 2>&1 &";
+ } else {
+ $command .= " >ans.run 2>&1 &";
+ }
$pid_file = "ans.pid";
} else {
print "I:Unknown server type $server\n";
@@ -200,8 +213,8 @@ sub verify_server {
while (1) {
my $return = system("$DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p 5300 version.bind. chaos txt \@10.53.0.$n > dig.out");
last if ($return == 0);
- print `grep ";" dig.out`;
if (++$tries >= 30) {
+ print `grep ";" dig.out > /dev/null`;
print "I:no response from $server\n";
print "R:FAIL\n";
system("$PERL $topdir/stop.pl $testdir");
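Review bot: in the added line `print `grep ";" dig.out > /dev/null`;` the redirect is inside the backticks, so grep's output goes to /dev/null, the backticks capture an empty string, and `print` never prints anything. Moving the statement under the `++$tries >= 30` check already removes the per-retry noise. If the aim is to show dig's comment lines once on final failure, drop the `> /dev/null`; otherwise delete the line.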
diff --git a/version b/version
index 681eabeb..e171ab52 100644
--- a/version
+++ b/version
@@ -1,4 +1,4 @@
-# $Id: version,v 1.53.8.2 2011-02-19 08:21:16 each Exp $
+# $Id: version,v 1.53.8.2.2.1 2011-04-27 17:06:27 each Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
@@ -6,5 +6,5 @@
MAJORVER=9
MINORVER=8
PATCHVER=0
-RELEASETYPE=
-RELEASEVER=
+RELEASETYPE=-P
+RELEASEVER=1
diff --git a/win32utils/readme1st.txt b/win32utils/readme1st.txt
index 1e401907..538c5bf2 100644
--- a/win32utils/readme1st.txt
+++ b/win32utils/readme1st.txt
@@ -1,159 +1,159 @@
-Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2001, 2003 Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-$Id: readme1st.txt,v 1.24 2009-09-01 06:51:47 marka Exp $
-
- Release of BIND 9.7 for Windows and later.
-
-This is a release of BIND 9.7 for Windows XP and later.
-
- Important Kit Installation Information
-
-As of release 9.3.0, BINDInstall requires that you install it under
-a account with restricted privileges. The installer will prompt
-you for an account name, the default is "named", and a password for
-that account. It will also check for the existence of that account.
-If it does not exist is will create it with only the privileges
-required to run BIND. If the account does exist it will check that
-it has only the one privilege required: "Log on as a service". If
-it has too many privileges it will prompt you if you want to continue.
-
-With BIND running under an account name it is necessary for all
-files and directories that BIND uses to have permissions set up for
-the named account if the files are on an NTFS disk. BIND requires
-that the account have read and write access to the directory for
-the pid file, any files that are maintained either for slave zones
-or for master zones supporting dynamic updates. The account will
-also need read access to the named.conf and any other file that it
-needs to read.
-
-"NT AUTHORITY\LocalService" is also an acceptable account. This
-account is built into Windows and no password is required. Appropriate
-file permissions will also need to be set for "NT AUTHORITY\LocalService"
-similar to those that would have been required for the "named" account.
-
-It is important that on Windows the directory directive is used in
-the options section to tell BIND where to find the files used in
-named.conf (default %WINDOWS%\system32\dns\etc\named.conf).
-
-e.g.
- options {
- directory "C:\WINDOWS\system32\dns\etc";
- };
-
-If you have previously installed BIND 8 or BIND 4 on the system
-that you wish to install this kit, you MUST use the BIND 8 or BIND
-4 installer to uninstall the previous kit. For BIND 8.2.x, you can
-use the BINDInstall that comes with the BIND 8 kit to uninstall it.
-The BIND 9 installer will NOT uninstall the BIND 8 binaries. That
-will be fixed in a future release.
-
-Unpack the kit into any convenient directory and run the BINDInstall
-program. This will install the named and associated programs into
-the correct directories and set up the required registry keys.
-
-Messages are logged to the Application log in the EventViewer.
-
- Controlling BIND
-
-Windows uses the same rndc program as is used on Unix systems. The
-rndc.conf file must be configured for your system in order to work.
-You will need to generate a key for this. To do this use the
-rndc-confgen program. The program will be installed in the same
-directory as named: dns/bin/. From the DOS prompt, use the command
-this way:
-
-rndc-confgen -a
-
-which will create a rndc.key file in the dns/etc directory. This will
-allow you to run rndc without an explicit rndc.conf file or key and
-control entry in named.conf file. See section 3.4.1.2 of the ARM for
-details of this. An rndc.conf can also be generated by running:
-
-rndc-confgen > rndc.conf
-
-which will create the rndc.conf file in the current directory, but
-not copy it to the dns/etc directory where it needs to reside. If
-you create rndc.conf this way you will need to copy the same key
-statement into named.conf.
-
-The additions look like the following:
-
-key "rndc-key" { algorithm hmac-md5; secret "xxxxxxxxx=="; };
-
-controls {
- inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };
-};
-
-Note that the value of the secret must come from the key generated
-above for rndc and must be the same key value for both. Details of
-this may be found in section 3.4.1.2 of the ARM. If you have rndc
-on a Unix box you can use it to control BIND on the Windows box as
-well as using the Windows version of rndc to control a BIND 9 daemon
-on a Unix box. However you must have key statements valid for the
-servers you wish to control, specifically the IP address and key
-in both named.conf and rndc.conf. Again see section 3.4.1.2 of the
-ARM for details.
-
-In order to you rndc from a different system it is important to
-ensure that the clocks are synchronized. The clocks must be kept
-within 5 minutes of each other or the rndc commands will fail
-authentication. Use NTP or other time synchronization software to
-keep your clocks accurate. NTP can be found at http://www.ntp.org/.
-
-In addition BIND is installed as a win32 system service, can be
-started and stopped in the same way as any other service and
-automatically starts whenever the system is booted. Signals are not
-supported and are in fact ignored.
-
-Note: Unlike most Windows applications, named does not, change its
-working directory when started as a service. If you wish to use
-relative files in named.conf you will need to specify a working
-directory using the directory directive options.
-
- Documentation
-
-This kit includes Documentation in HTML format. The documentation
-is not copied during the installation process so you should move
-it to any convenient location for later reference. Of particular
-importance is the BIND 9 Administrator's Reference Manual (Bv9ARM*.html)
-which provides detailed information on BIND 9. In addition, there
-are HTML pages for each of the BIND 9 applications.
-
- DNS Tools
-
-The following tools have been built for Windows: dig, nslookup,
-host, nsupdate, rndc, rndc-confgen, named-checkconf, named-checkzone,
-dnssec-keygen, dnssec-signzone, dnssec-dsfromkey and dnssec-keyfromlabel.
-The latter tools are for use with DNSSEC. All tools are installed
-in the dns/bin directory.
-
-IMPORTANT NOTE ON USING THE TOOLS:
-
-It is no longer necessary to create a resolv.conf file on Windows
-as the tools will look in the registry for the required nameserver
-information. However if you wish to create a resolv.conf file as
-follows it will use it in preference to the registry nameserver
-entries.
-
-To create a resolv.conf you need to place it in the System32\Drivers\etc
-directory and it needs to contain a list of nameserver addresses
-to use to find the nameserver authoritative for the zone. The format
-of this file is:
-
-nameserver 1.2.3.4
-nameserver 5.6.7.8
-
-Replace the IP addresses with your real addresses. 127.0.0.1 is a
-valid address if you are running a nameserver on the localhost.
-
- Problems
-
-Please report all problems to bind9-bugs@isc.org and not to me. All
-other questions should go to the bind-users@isc.org mailing list
-or the comp.protocol.dns.bind news group.
-
- Danny Mayer
- mayer@ntp.isc.org
-
+Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2001, 2003 Internet Software Consortium.
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+$Id: readme1st.txt,v 1.24 2009-09-01 06:51:47 marka Exp $
+
+ Release of BIND 9.7 for Windows and later.
+
+This is a release of BIND 9.7 for Windows XP and later.
+
+ Important Kit Installation Information
+
+As of release 9.3.0, BINDInstall requires that you install it under
+a account with restricted privileges. The installer will prompt
+you for an account name, the default is "named", and a password for
+that account. It will also check for the existence of that account.
+If it does not exist is will create it with only the privileges
+required to run BIND. If the account does exist it will check that
+it has only the one privilege required: "Log on as a service". If
+it has too many privileges it will prompt you if you want to continue.
+
+With BIND running under an account name it is necessary for all
+files and directories that BIND uses to have permissions set up for
+the named account if the files are on an NTFS disk. BIND requires
+that the account have read and write access to the directory for
+the pid file, any files that are maintained either for slave zones
+or for master zones supporting dynamic updates. The account will
+also need read access to the named.conf and any other file that it
+needs to read.
+
+"NT AUTHORITY\LocalService" is also an acceptable account. This
+account is built into Windows and no password is required. Appropriate
+file permissions will also need to be set for "NT AUTHORITY\LocalService"
+similar to those that would have been required for the "named" account.
+
+It is important that on Windows the directory directive is used in
+the options section to tell BIND where to find the files used in
+named.conf (default %WINDOWS%\system32\dns\etc\named.conf).
+
+e.g.
+ options {
+ directory "C:\WINDOWS\system32\dns\etc";
+ };
+
+If you have previously installed BIND 8 or BIND 4 on the system
+that you wish to install this kit, you MUST use the BIND 8 or BIND
+4 installer to uninstall the previous kit. For BIND 8.2.x, you can
+use the BINDInstall that comes with the BIND 8 kit to uninstall it.
+The BIND 9 installer will NOT uninstall the BIND 8 binaries. That
+will be fixed in a future release.
+
+Unpack the kit into any convenient directory and run the BINDInstall
+program. This will install the named and associated programs into
+the correct directories and set up the required registry keys.
+
+Messages are logged to the Application log in the EventViewer.
+
+ Controlling BIND
+
+Windows uses the same rndc program as is used on Unix systems. The
+rndc.conf file must be configured for your system in order to work.
+You will need to generate a key for this. To do this use the
+rndc-confgen program. The program will be installed in the same
+directory as named: dns/bin/. From the DOS prompt, use the command
+this way:
+
+rndc-confgen -a
+
+which will create a rndc.key file in the dns/etc directory. This will
+allow you to run rndc without an explicit rndc.conf file or key and
+control entry in named.conf file. See section 3.4.1.2 of the ARM for
+details of this. An rndc.conf can also be generated by running:
+
+rndc-confgen > rndc.conf
+
+which will create the rndc.conf file in the current directory, but
+not copy it to the dns/etc directory where it needs to reside. If
+you create rndc.conf this way you will need to copy the same key
+statement into named.conf.
+
+The additions look like the following:
+
+key "rndc-key" { algorithm hmac-md5; secret "xxxxxxxxx=="; };
+
+controls {
+ inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };
+};
+
+Note that the value of the secret must come from the key generated
+above for rndc and must be the same key value for both. Details of
+this may be found in section 3.4.1.2 of the ARM. If you have rndc
+on a Unix box you can use it to control BIND on the Windows box as
+well as using the Windows version of rndc to control a BIND 9 daemon
+on a Unix box. However you must have key statements valid for the
+servers you wish to control, specifically the IP address and key
+in both named.conf and rndc.conf. Again see section 3.4.1.2 of the
+ARM for details.
+
+In order to you rndc from a different system it is important to
+ensure that the clocks are synchronized. The clocks must be kept
+within 5 minutes of each other or the rndc commands will fail
+authentication. Use NTP or other time synchronization software to
+keep your clocks accurate. NTP can be found at http://www.ntp.org/.
+
+In addition BIND is installed as a win32 system service, can be
+started and stopped in the same way as any other service and
+automatically starts whenever the system is booted. Signals are not
+supported and are in fact ignored.
+
+Note: Unlike most Windows applications, named does not, change its
+working directory when started as a service. If you wish to use
+relative files in named.conf you will need to specify a working
+directory using the directory directive options.
+
+ Documentation
+
+This kit includes Documentation in HTML format. The documentation
+is not copied during the installation process so you should move
+it to any convenient location for later reference. Of particular
+importance is the BIND 9 Administrator's Reference Manual (Bv9ARM*.html)
+which provides detailed information on BIND 9. In addition, there
+are HTML pages for each of the BIND 9 applications.
+
+ DNS Tools
+
+The following tools have been built for Windows: dig, nslookup,
+host, nsupdate, rndc, rndc-confgen, named-checkconf, named-checkzone,
+dnssec-keygen, dnssec-signzone, dnssec-dsfromkey and dnssec-keyfromlabel.
+The latter tools are for use with DNSSEC. All tools are installed
+in the dns/bin directory.
+
+IMPORTANT NOTE ON USING THE TOOLS:
+
+It is no longer necessary to create a resolv.conf file on Windows
+as the tools will look in the registry for the required nameserver
+information. However if you wish to create a resolv.conf file as
+follows it will use it in preference to the registry nameserver
+entries.
+
+To create a resolv.conf you need to place it in the System32\Drivers\etc
+directory and it needs to contain a list of nameserver addresses
+to use to find the nameserver authoritative for the zone. The format
+of this file is:
+
+nameserver 1.2.3.4
+nameserver 5.6.7.8
+
+Replace the IP addresses with your real addresses. 127.0.0.1 is a
+valid address if you are running a nameserver on the localhost.
+
+ Problems
+
+Please report all problems to bind9-bugs@isc.org and not to me. All
+other questions should go to the bind-users@isc.org mailing list
+or the comp.protocol.dns.bind news group.
+
+ Danny Mayer
+ mayer@ntp.isc.org
+
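Review bot: all 159 lines of readme1st.txt are removed and added back with text that is identical as shown here, so the real difference is presumably invisible (line endings or trailing whitespace). That is unrelated to the RRSIG fix and makes a security patch harder to audit. State in the commit message what was normalised, or move the change to its own commit.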
diff --git a/win32utils/win32-build.txt b/win32utils/win32-build.txt
index 25f0c5a4..5eeaed5e 100644
--- a/win32utils/win32-build.txt
+++ b/win32utils/win32-build.txt
@@ -1,151 +1,151 @@
-Copyright (C) 2004, 2005, 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2001, 2002 Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-$Id: win32-build.txt,v 1.19 2009-11-06 03:14:10 each Exp $
-
- BIND 9.7 for Win32 Source Build Instructions. 02-Jul-2009
-
-Building BIND 9.7 on Windows XP/2003/2008 has the following prerequisites:
-
-1) You need to install Perl for Windows. ActivePerl
-(http://www.activestate.com/) and Strawberry Perl
-(http://www.strawberryperl.com) have both been tested and found
-to work.
-
-2) OpenSSL (http://www.openssl.org) needs to be downloaded and built
-on the system on which you are building BIND.
-
-3) If you wish to use the statistics channel, LibXML2
-(ftp://xmlsoft.org/libxml2) needs to be downloaded and built on
-the system on which you are building BIND. (If you do not wish
-to use the statistics channel, remove HAVE_LIBXML2 from config.h.win32.)
-
-4) If you want to build using Visual C++ 6.0, you'll need some extra
-files that are to be found in the Platform SDK (which you will need
-to install), namely:
-
-iphlpapi.h
-iptypes.h
-ipexport.h
-iphlpapi.lib
-
-You'll also need an updated Iprtrmib.h - using the VC++6.0 one will
-get you some compilation errors. You can just overwrite the old one if
-you're not using it for any purposes, and maybe keep a backup of it.
-
-You can copy the header files under VC98\INCLUDE and the library file
-under VC98\LIB. I think you can also put them in a separate directory
-and add it to the include search list, but I don't know if that can be
-made persistent.
-
-For building on VC++ 7.0 no extra files are required.
-
-The instructions assume a Visual C++ 6.0 compiler with Visual Studio and
-Visual Studio Service Pack 3 or later. It may build and work with earlier
-versions but it has not been tested. The binaries may be built and run on
-any of the following platforms: NT 4.0 Workstation (SP3 or later), NT 4.0
-Server (SP3 or later), Windows 2000 Professional (SP1 or later),
-Windows 2000 Server or any kind (SP1 or later), Windows XP, Windows 2003
-Server. It will NOT build or run on Windows 95, Windows 98, etc. platforms.
-
-Step 1: Download and build OpenSSL
-
-Download and untar the OpenSSL sources from http://www.openssl.org/.
-Extract them at in the same directory in which you extracted the BIND9
-source: If BIND9 is in \build\bind-9.7.0, for instance, OpenSSL should be
-in \build\openssl-0.9.8l (subject to version number changes).
-
-Note: Building OpenSSL requires that you install Perl as it uses
-it during its build process. The following commands work as of
-openssl-0.9.8l, but you should check the OpenSSL distribution
-to see if the build instructions have changed:
-
- cd openssl-0.9.8l
- perl Configure VC-WIN32 --prefix=c:/openssl
- ms\do_masm
- nmake /f ms\ntdll.mak
-
-If you wish to use PKCS #11 to control a cryptographic hardware service
-module, please see bind9\README.pkcs11. You will need to apply the patch
-in bind9\bin\pkcs11\openssl-0.9.8l-patch (this can be done using the Cygwin
-'patch' utility) and add --pk11-libname and --pk11-flavor to the Configure
-command above.
-
-Step 2: Download and build libxml2
-
-Download and untar the libxml2 sources from ftp://xmlsoft.org/libxml2.
-Extract them at in the same directory in which you extracted the BIND9
-source: If BIND9 is in \build\bind-9.7.0, for instance, libxml2 should
-be in \build\libxml2-2.7.3 (subject to version number changes).
-
-Now build libxml2, and copy the resulting files into the include and lib
-directories:
-
- cd libxml2-2.7.3\win32
- cscript configure.js compiler=msvc vcmanifest=yes static=yes debug=no iconv=no
- nmake /f Makefile.msvc libxml
-
-Step 3: Building BIND
-
-You must build openssl and libxml2 first.
-
-From the command prompt cd to the win32utils directory under
-the BIND9 root:
-
- cd bind-9.7.0\win32utils
-
-If you wish to use PKCS #11 to control a cryptographic hardware service
-module, set the path to the PKCS #11 provider library:
-
- perl setpk11provider.pl <DLL path>
-
-If using VC++ 6.0, run the BuildAll.bat file:
-
- BuildAll
-
-This will do the following:
-1) copy config.h.win32 to config.h in the root.
-2) create the versions.h file in the root.
-3) Build the gen application in the lib/dns directory.
-4) Run the gen application and build the required lib/dns header
- files.
-5) Create the Build/Release subdirectory under the root of the BIND
- source tree which will hold the binaries being built.
-6) Build the libraries, named, application tools like dig, rndc
- dnssec tools, installer, checkconf and checkzones programs,
- BIND 9 Installer.
-7) Copies the release notes and the OpenSSL DLL to the BUILD/Release
- directory.
-8) Copies the BIND 9 ARM HTML files and the application HTML files
- to the Build\Release area.
-
-If you wish to use the Visual Studio GUI for building, you can just
-run the BuildSetup.bat file:
-
- BuildSetup
-
-This will create or find and copy into place several files which are
-necessary for the build to proceed. It also locates and copies into place
-the DLLs for OpenSSL and libxml2.
-
-Use BINDBuild.dsw (also located in the win32utils directory) to open the
-workspace for all of the BIND9 libraries and applications. Select
-"Build->Batch Build", click "Select All", then click "Build".
-
-After the build has completed, run the BuildPost.bat file:
-
- BuildPost
-
-...which does post-build processing.
-
-Installation is accomplished by running the BINDInstall program. All DLL's
-are copied to the system32 area and all applications (including BINDInstall
-which may be necessary for uninstalling BIND 9) to the dns/bin directory.
-If BIND 8 has previously been installed on the system it must be uninstalled
-first by running it's own BINDInstall program. The BIND 9 installer does
-not yet do this.
-
-All bugs found, whether in the process of building the application or
-running BIND or the tools should be reported to the bind9 bugs email
-account at bind9-bugs@isc.org.
+Copyright (C) 2004, 2005, 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2001, 2002 Internet Software Consortium.
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+$Id: win32-build.txt,v 1.19 2009-11-06 03:14:10 each Exp $
+
+ BIND 9.7 for Win32 Source Build Instructions. 02-Jul-2009
+
+Building BIND 9.7 on Windows XP/2003/2008 has the following prerequisites:
+
+1) You need to install Perl for Windows. ActivePerl
+(http://www.activestate.com/) and Strawberry Perl
+(http://www.strawberryperl.com) have both been tested and found
+to work.
+
+2) OpenSSL (http://www.openssl.org) needs to be downloaded and built
+on the system on which you are building BIND.
+
+3) If you wish to use the statistics channel, LibXML2
+(ftp://xmlsoft.org/libxml2) needs to be downloaded and built on
+the system on which you are building BIND. (If you do not wish
+to use the statistics channel, remove HAVE_LIBXML2 from config.h.win32.)
+
+4) If you want to build using Visual C++ 6.0, you'll need some extra
+files that are to be found in the Platform SDK (which you will need
+to install), namely:
+
+iphlpapi.h
+iptypes.h
+ipexport.h
+iphlpapi.lib
+
+You'll also need an updated Iprtrmib.h - using the VC++6.0 one will
+get you some compilation errors. You can just overwrite the old one if
+you're not using it for any purposes, and maybe keep a backup of it.
+
+You can copy the header files under VC98\INCLUDE and the library file
+under VC98\LIB. I think you can also put them in a separate directory
+and add it to the include search list, but I don't know if that can be
+made persistent.
+
+For building on VC++ 7.0 no extra files are required.
+
+The instructions assume a Visual C++ 6.0 compiler with Visual Studio and
+Visual Studio Service Pack 3 or later. It may build and work with earlier
+versions but it has not been tested. The binaries may be built and run on
+any of the following platforms: NT 4.0 Workstation (SP3 or later), NT 4.0
+Server (SP3 or later), Windows 2000 Professional (SP1 or later),
+Windows 2000 Server or any kind (SP1 or later), Windows XP, Windows 2003
+Server. It will NOT build or run on Windows 95, Windows 98, etc. platforms.
+
+Step 1: Download and build OpenSSL
+
+Download and untar the OpenSSL sources from http://www.openssl.org/.
+Extract them at in the same directory in which you extracted the BIND9
+source: If BIND9 is in \build\bind-9.7.0, for instance, OpenSSL should be
+in \build\openssl-0.9.8l (subject to version number changes).
+
+Note: Building OpenSSL requires that you install Perl as it uses
+it during its build process. The following commands work as of
+openssl-0.9.8l, but you should check the OpenSSL distribution
+to see if the build instructions have changed:
+
+ cd openssl-0.9.8l
+ perl Configure VC-WIN32 --prefix=c:/openssl
+ ms\do_masm
+ nmake /f ms\ntdll.mak
+
+If you wish to use PKCS #11 to control a cryptographic hardware service
+module, please see bind9\README.pkcs11. You will need to apply the patch
+in bind9\bin\pkcs11\openssl-0.9.8l-patch (this can be done using the Cygwin
+'patch' utility) and add --pk11-libname and --pk11-flavor to the Configure
+command above.
+
+Step 2: Download and build libxml2
+
+Download and untar the libxml2 sources from ftp://xmlsoft.org/libxml2.
+Extract them at in the same directory in which you extracted the BIND9
+source: If BIND9 is in \build\bind-9.7.0, for instance, libxml2 should
+be in \build\libxml2-2.7.3 (subject to version number changes).
+
+Now build libxml2, and copy the resulting files into the include and lib
+directories:
+
+ cd libxml2-2.7.3\win32
+ cscript configure.js compiler=msvc vcmanifest=yes static=yes debug=no iconv=no
+ nmake /f Makefile.msvc libxml
+
+Step 3: Building BIND
+
+You must build openssl and libxml2 first.
+
+From the command prompt cd to the win32utils directory under
+the BIND9 root:
+
+ cd bind-9.7.0\win32utils
+
+If you wish to use PKCS #11 to control a cryptographic hardware service
+module, set the path to the PKCS #11 provider library:
+
+ perl setpk11provider.pl <DLL path>
+
+If using VC++ 6.0, run the BuildAll.bat file:
+
+ BuildAll
+
+This will do the following:
+1) copy config.h.win32 to config.h in the root.
+2) create the versions.h file in the root.
+3) Build the gen application in the lib/dns directory.
+4) Run the gen application and build the required lib/dns header
+ files.
+5) Create the Build/Release subdirectory under the root of the BIND
+ source tree which will hold the binaries being built.
+6) Build the libraries, named, application tools like dig, rndc
+ dnssec tools, installer, checkconf and checkzones programs,
+ BIND 9 Installer.
+7) Copies the release notes and the OpenSSL DLL to the BUILD/Release
+ directory.
+8) Copies the BIND 9 ARM HTML files and the application HTML files
+ to the Build\Release area.
+
+If you wish to use the Visual Studio GUI for building, you can just
+run the BuildSetup.bat file:
+
+ BuildSetup
+
+This will create or find and copy into place several files which are
+necessary for the build to proceed. It also locates and copies into place
+the DLLs for OpenSSL and libxml2.
+
+Use BINDBuild.dsw (also located in the win32utils directory) to open the
+workspace for all of the BIND9 libraries and applications. Select
+"Build->Batch Build", click "Select All", then click "Build".
+
+After the build has completed, run the BuildPost.bat file:
+
+ BuildPost
+
+...which does post-build processing.
+
+Installation is accomplished by running the BINDInstall program. All DLL's
+are copied to the system32 area and all applications (including BINDInstall
+which may be necessary for uninstalling BIND 9) to the dns/bin directory.
+If BIND 8 has previously been installed on the system it must be uninstalled
+first by running it's own BINDInstall program. The BIND 9 installer does
+not yet do this.
+
+All bugs found, whether in the process of building the application or
+running BIND or the tools should be reported to the bind9 bugs email
+account at bind9-bugs@isc.org.
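Review bot: the re-added text still describes BIND 9.7 ("BIND 9.7 for Win32 Source Build Instructions", `cd bind-9.7.0\win32utils`) while the `version` file in this commit has MINORVER=8 and sets RELEASETYPE=-P. All 151 lines are removed and re-added with no visible textual change, so either update the version references while the file is being touched or leave the file out of the patch.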