9.0.0b3

801 files changed, 50514 insertions, 34291 deletions

diff --git a/CHANGES b/CHANGES
new file mode 100644
index 00000000..acb71de8
--- /dev/null
+++ b/CHANGES
@@ -0,0 +1,725 @@
+	--- 9.0.0b3 released ---
+
+ 200.	[bug]		Failures in sending query responses to clients
+			(e.g., running out of network buffers) were
+			not logged.
+
+ 199.	[bug]		isc_heap_delete() sometimes violated the heap
+			invariant, causing timer events not to be posted
+			when due.
+
+ 198.	[func]		Dispatch managers hold memory pools which
+			any managed dispatcher may use.  This allows
+			us to avoid dipping into the memory context for
+			most allocations.  [19-May-2000 explorer]
+
+ 197.	[bug]		When an incoming AXFR or IXFR completes, the
+			zone's internal state is refreshed from the
+			SOA data.  [19-May-2000 explorer]
+
+ 196.	[func]		Dispatchers can be shared easily between views
+			and/or interfaces.  [19-May-2000 explorer]
+
+ 195.	[bug]		Including the NXT record of the root domain
+			in a negative response caused an assertion
+			failure.
+
+ 194.	[doc]		The PDF version of the Administrator's Reference
+			Manual is no longer included in the ISC BIND9
+			distribution.
+
+ 193.	[func]		changed dst_key_free() prototype
+
+ 192.	[bug]		Zone configuration validation is now done at end 
+			of config file parsing, and before loading
+			callbacks.
+
+ 191.   [func]          Patched to compile on UnixWare 7.x.  This platform
+                        is not directly supported by the ISC.
+
+ 190.   [cleanup]	The DNSSEC tools have been moved to a separate 
+			directory dnssec/ and given the following new,
+			more descriptive names:
+
+			      dnssec-keygen
+			      dnssec-signzone
+			      dnssec-signkey
+			      dnssec-makekeyset
+
+			Their command line arguments have also been changed to
+			be more consistent.  dnssec-keygen now prints the
+			name of the generated key files (sans extension)
+			on standard output to simplify its use in automated
+			scripts.
+
+ 189.   [func]          isc_time_secondsastimet(), a new function, will ensure
+                        that the number of seconds in an isc_time_t does not
+                        exceed the range of a time_t, or return ISC_R_RANGE.
+                        Similarly, isc_time_now(), isc_time_nowplusinterval(),
+                        isc_time_add() and isc_time_subtract() now check the
+                        range for overflow/underflow.  In the case of
+                        isc_time_subtract, this changed a calling requirement
+                        (ie, something that could generate an assertion)
+                        into merely a condition that returns an error result.
+                        isc_time_add() and isc_time_subtract() were void-
+                        valued before but now return isc_result_t.
+
+ 188.	[func]		Log a warning message when an incoming zone transfer
+			contains out-of-zone data.
+
+ 187.	[func]		isc_ratelimter_enqueue() has an additional arguement
+			'task'.
+
+ 186.	[func]		dns_request_getresponse() has an additional arguement
+			'preserve_order'.
+
+ 185.   [bug]           Fixed up handling of ISC_MEMCLUSTER_LEGACY.  Several
+                        public functions did not have an isc__ prefix, and
+                        referred to functions that had previously been
+                        renamed.
+
+ 184.   [cleanup]       Variables/functions which began with two leading
+                        underscores were made to conform to the ANSI/ISO
+                        standard, which says that such names are reserved.
+
+ 183.   [func]          ISC_LOG_PRINTTAG option for log channels.  Useful
+                        for logging the program name or other identifier.
+
+ 182.	[cleanup]	New commandline parameters for dnssec tools
+
+ 181.	[func]		Added dst_key_buildfilename and dst_key_parsefilename
+
+ 180.   [func]          New isc_result_t ISC_R_RANGE.  Supersedes DNS_R_RANGE.
+
+ 179.	[func]		options named.conf statement *must* now come
+			before any zone or view statements.
+
+ 178.	[func]		Post-load of named.conf check verifies a slave zone
+			has non-empty list of masters defined.
+
+ 177.	[func]		New per-zone boolean:
+
+				enable-zone yes | no ;
+
+			intended to let a zone be disabled without having
+			to comment out the entire zone statement.
+
+ 176.   [func]		New global and per-view option:
+				
+				max-cache-ttl number
+
+ 175.	[func]		New global and per-view option:
+
+				addition-data internal | minimal | maximal;
+
+ 174.   [func]		New public function isc_sockaddr_format(), for
+			formatting socket addresses in log messages.
+
+ 173.   [func]		Keep a queue of zones waiting for zone transfer
+			quota so that a new transfer can be dispatched
+			immediately whenever quota becomes available.
+
+ 172.   [bug]		$TTL directive was sometimes missing from dumped 
+			master files because totext_ctx_init() failed to
+			initialize ctx->current_ttl_valid.
+
+ 171.   [cleanup] 	On NetBSD systems, the mit-pthreads or
+			unproven-pthreads library is now always used
+			unless --with-ptl2 is explicitly specified on
+			the configure command line.  The
+			--with-mit-pthreads option is no longer needed
+			and has been removed.
+
+ 170.	[cleanup]	Remove inter server consistancy checks from zone,
+			these should return as a seperate module in 9.1.
+			dns_zone_checkservers(), dns_zone_checkparents(),
+			dns_zone_checkchildren(), dns_zone_checkglue().
+
+			Remove dns_zone_setadb(), dns_zone_setresolver(),
+			dns_zone_setrequestmgr() these should now be found
+			via the view.
+
+ 169.	[func]		ratelimiter can now process N events per interval.
+
+ 168.	[bug]		include statements in named.conf caused syntax errors
+			due to not consuming the semicolon ending the include
+			statement before switching input streams.
+
+ 167.	[bug]		Make lack of masters for a slave zone a soft error.
+
+ 166.	[bug]		Keygen was overwriting existing keys if key_id
+			conflicted, now it will retry, and non-null keys
+			with key_id == 0 are not generated anymore.  Key
+			was not able to generate NOAUTHCONF DSA key,
+			increased RSA key size to 2048 bits.
+
+ 165.   [cleanup]       Silence "end-of-loop condition not reached" warnings
+                        from Solaris compiler.
+
+ 164.   [func]		Added functions isc_stdio_open(), isc_stdio_close(),
+			isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(),
+			isc_stdio_flush(), isc_stdio_sync(), isc_file_remove()
+			to encapsulate nonportable usage of errno and sync.
+
+ 163.   [func]		Added result codes ISC_R_FILENOTFOUND and
+			ISC_R_FILEEXISTS.
+
+ 162.   [bug]           Ensure proper range for arguments to ctype.h functions.
+
+ 161.	[cleanup]	error in yyparse prototype that only HPUX caught.
+
+ 160.	[cleanup]	getnet*() are not going to be implemented at this
+			stage.
+
+ 159.	[func]		Redefinition of config file elements is now an
+			error (instead of a warning).
+
+ 158.   [bug]		Log channel and category list copy routines
+			weren't assigning properly to output parameter.
+
+ 157.   [port]		Fix missing prototype for getopt().
+
+ 156.	[func]		Support new 'database' statement in zone.
+
+				database "quoted-string";
+
+ 155.	[bug]		ns_notify_start() was not detaching the found zone.
+
+ 154.   [func]		The signer now logs libdns warnings to stderr even when
+			not verbose, and in a nicer format.
+
+ 153.	[func]		dns_rdata_tostruct() 'mctx' is now optional.  If 'mctx'
+			is NULL then you need to preserve the 'rdata' until
+			you have finished using the structure as there may be
+			references to the associated memory.  If 'mctx' is 
+			non-NULL it is guaranteed that there are no references
+			to memory associated with 'rdata'.
+
+			dns_rdata_freestruct() must be called if 'mctx' was
+			non-NULL and may safely be called if 'mctx' was NULL.
+
+ 152.   [bug]		keygen dumped core if domain name argument was omitted
+			from command line.
+
+ 151.   [func]		Support 'disabled' statement in zone config (causes
+			zone to be parsed and then ignored). Currently must
+			come after the 'type' clause.
+
+ 150.	[func]		Support optional ports in masters and also-notify
+			statements: 
+
+				masters [ port xxx ] { y.y.y.y [ port zzz ] ; }
+
+ 149.   [cleanup]	Removed usused argument 'olist' from
+			dns_c_view_unsetordering().
+
+ 148.   [cleanup]	Stop issuing some warnings about some configuration
+			file statements that were not implemented, but now are.
+
+ 147.   [bug]		Changed yacc union size to be smaller for yaccs that
+			put yacc-stack on the real stack.
+
+ 146.   [cleanup]       More general redundant header file cleanup.  Rather
+                        than continuing to itemize every header which changed,
+                        this changelog entry just notes that if a header file
+                        did not need another header file that it was including
+                        in order to provide its advertized functionality, the
+                        inclusion of the other header file was removed.  See
+                        util/check-includes for how this was tested.
+
+ 145.   [cleanup]       Added <isc/lang.h> and ISC_LANG_BEGINDECLS/
+                        ISC_LANG_ENDDECLS to header files that had function
+                        prototypes, and removed it from those that did not.
+
+ 144.   [cleanup]       libdns header files too numerous to name were made
+                        to conform to the same style for multiple inclusion
+                        protection.
+
+ 143.   [func]		Added function dns_rdatatype_isknown().
+
+ 142.   [cleanup]       <isc/stdtime.h> does not need <time.h> or
+                        <isc/result.h>.
+
+ 141.	[bug]		Corrupt requests with multiple questions could
+			cause an assertion failure.
+
+ 140.   [cleanup]       <isc/time.h> does not need <time.h> or <isc/result.h>.
+
+ 139.   [cleanup]       <isc/net.h> now includes <isc/types.h> instead of
+                        <isc/int.h> and <isc/result.h>.
+
+ 138.   [cleanup]       isc_strtouq moved from str.[ch] to string.[ch] and
+                        renamed isc_string_touint64.  isc_strsep moved from
+                        strsep.c to string.c and renamed isc_string_separate.
+
+ 137.   [cleanup]       <isc/commandline.h>, <isc/mem.h>, <isc/print.h>
+                        <isc/serial.h>, <isc/string.h> and <isc/offset.h>
+                        made to conform to the same style for multiple
+                        inclusion protection.
+
+ 136.   [cleanup]       <isc/commandline.h>, <isc/interfaceiter.h>,
+                        <isc/net.h> and Win32's <isc/thread.h> needed
+                        ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS.
+
+ 135.   [cleanup]       Win32's <isc/condition.h> did not need <isc/result.h>
+                        or <isc/boolean.h>, now uses <isc/types.h> in place
+                        of <isc/time.h>, and needed ISC_LANG_BEGINDECLS
+                        and ISC_LANG_ENDDECLS.
+
+ 134.   [cleanup]       <isc/dir.h> does not need <limits.h>.
+
+ 133.   [cleanup]       <isc/ipv6.h> needs <isc/platform.h>.
+
+ 132.   [cleanup]       <isc/app.h> does not need <isc/task.h>, but does
+                        need <isc/eventclass.h>.
+
+ 131.   [cleanup]       <isc/mutex.h> and <isc/util.h> need <isc/result.h>
+                        for ISC_R_* codes used in macros.
+
+ 130.   [cleanup]       <isc/condition.h> does not need <pthread.h> or
+                        <isc/boolean.h>, and now includes <isc/types.h>
+                        instead of <isc/time.h>.
+
+ 129.   [bug]		The 'default_debug' log channel was not set up when
+			'category default' was present in the config file
+
+ 128.   [cleanup]       <isc/dir.h> had ISC_LANG_BEGINDECLS instead of
+                        ISC_LANG_ENDDECLS at end of header.
+
+ 127.	[cleanup]	The contracts for the comparision routines
+			dns_name_fullcompare(), dns_name_compare(),
+			dns_name_rdatacompare(), and dns_rdata_compare() now
+			specify that the order value returned is < 0, 0, or > 0
+			instead of -1, 0, or 1.
+
+ 126.   [cleanup]       <isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>.
+
+ 125.   [cleanup]       <isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>,
+                        <isc/mutex.h>, <isc/once.h>, <isc/region.h>, and
+                        <isc/resultclass.h> do not need <isc/lang.h>.
+
+ 124.   [func]		signer now imports parent's zone key signature
+			and creates null keys/sets zone status bit for
+			children when necessary
+
+ 123.   [cleanup]       <isc/event.h> does not need <stddef.h>.
+
+ 122.   [cleanup]       <isc/task.h> does not need <isc/mem.h> or
+                        <isc/result.h>.
+
+ 121.   [cleanup]       <isc/symtab.h> does not need <isc/mem.h> or
+                        <isc/result.h>.  Multiple inclusion protection
+                        symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H.
+                        isc_symtab_t moved to <isc/types.h>.
+
+ 120.   [cleanup]       <isc/socket.h> does not need <isc/boolean.h>,
+                        <isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or
+                        <isc/net.h>.
+
+ 119.	[cleanup]	structure definitions for generic rdata stuctures do
+			not have _generic_ in their names.
+
+ 118.	[cleanup]	libdns.a is now namespace-clean, on NetBSD, excepting
+			YACC crust (yyparse, etc) [2000-apr-27 explorer]
+
+ 117.	[cleanup]	libdns.a changes:
+			dns_zone_clearnotify() and dns_zone_addnotify()
+			are replaced by dns_zone_setnotifyalso().
+ 			dns_zone_clearmasters() and dns_zone_addmaster()
+			are replaced by dns_zone_setmasters().
+			
+ 116.   [func]          Added <isc/offset.h> for isc_offset_t (aka off_t
+                        on Unix systems).
+
+ 115.   [port]          Shut up the -Wmissing-declarations warning about
+                        <stdio.h>'s __sputaux on BSD/OS pre-4.1.
+
+ 114.   [cleanup]       <isc/sockaddr.h> does not need <isc/buffer.h> or
+                        <isc/list.h>.
+
+ 113.	[func]		Utility programs dig and host added.
+
+ 112.   [cleanup]       <isc/serial.h> does not need <isc/boolean.h>.
+
+ 111.   [cleanup]       <isc/rwlock.h> does not need <isc/result.h> or
+                        <isc/mutex.h>.
+
+ 110.   [cleanup]       <isc/result.h> does not need <isc/boolean.h> or
+                        <isc/list.h>.
+
+ 109.   [bug]           "make depend" did nothing for
+                        bin/tests/{db,mem,sockaddr,tasks,timers}/.
+
+ 108.   [cleanup]       DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from
+                        <dns/types.h> to <dns/bit.h> and renamed to
+                        DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR.
+
+ 107.   [func]		Add keysigner and keysettool.
+
+ 106.   [func]		Allow dnssec verifications to ignore the validity
+			period.  Used by several of the dnssec tools.
+
+ 105.   [doc]           doc/dev/coding.html expanded with other
+                        implicit conventions the developers have used.
+
+ 104.   [bug]           Made compress_add and compress_find static to
+                        lib/dns/compress.c.
+
+ 103.   [func]          libisc buffer API changes for <isc/buffer.h>:
+                        Added:
+                                isc_buffer_base(b)          (pointer)
+                                isc_buffer_current(b)       (pointer)
+                                isc_buffer_active(b)        (pointer)
+                                isc_buffer_used(b)          (pointer)
+                                isc_buffer_length(b)            (int)
+                                isc_buffer_usedlength(b)        (int)
+                                isc_buffer_consumedlength(b)    (int)
+                                isc_buffer_remaininglength(b)   (int)
+                                isc_buffer_activelength(b)      (int)
+                                isc_buffer_availablelength(b)   (int)
+                        Removed:
+                                ISC_BUFFER_USEDCOUNT(b)
+                                ISC_BUFFER_AVAILABLECOUNT(b)
+                                isc_buffer_type(b)
+                        Changed names:
+                                isc_buffer_used(b, r) ->
+                                        isc_buffer_usedregion(b, r)
+                                isc_buffer_available(b, r) ->
+                                        isc_buffer_available_region(b, r)
+                                isc_buffer_consumed(b, r) ->
+                                        isc_buffer_consumedregion(b, r)
+                                isc_buffer_active(b, r) ->
+                                        isc_buffer_activeregion(b, r)
+                                isc_buffer_remaining(b, r) ->
+                                        isc_buffer_remainingregion(b, r)
+
+                        Buffer types were removed, so the ISC_BUFFERTYPE_*
+                        macros are no more, and the type argument to
+                        isc_buffer_init and isc_buffer_allocate were removed.
+                        isc_buffer_putstr is now void (instead of isc_result_t)
+                        and requires that the caller ensure that there
+                        is enough available buffer space for the string.
+
+ 102.   [port]          Correctly detect inet_aton, inet_pton and inet_ptop
+                        on BSD/OS 4.1.
+
+ 101.   [cleanup]       Quieted EGCS warnings from lib/isc/print.c.
+
+ 100.   [cleanup]       <isc/random.h> does not need <isc/int.h> or
+                        <isc/mutex.h>.  isc_random_t moved to <isc/types.h>.
+
+  99.   [cleanup]	Rate limiter now has separate shutdown() and
+			destroy() functions, and it guarantees that all 
+			queued events are delivered even in the shutdown case.
+
+  98.   [cleanup]       <isc/print.h> does not need <stdarg.h> or <stddef.h>
+                        unless ISC_PLATFORM_NEEDVSNPRINTF is defined.
+
+  97.   [cleanup]       <isc/ondestroy.h> does not need <stddef.h> or
+                        <isc/event.h>.
+
+  96.   [cleanup]       <isc/mutex.h> does not need <isc/result.h>.
+
+  95.   [cleanup]       <isc/mutexblock.h> does not need <isc/result.h>.
+
+  94.   [cleanup]       Some installed header files did not compile as C++.
+
+  93.   [cleanup]       <isc/msgcat.h> does not need <isc/result.h>.
+
+  92.   [cleanup]       <isc/mem.h> does not need <stddef.h>, <isc/boolean.h>,
+                        or <isc/result.h>.
+
+  91.   [cleanup]       <isc/log.h> does not need <sys/types.h> or
+                        <isc/result.h>.
+
+  90.	[cleanup]	Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS
+			from <named/listenlist.h>.
+
+  89.   [cleanup]       <isc/lex.h> does not need <stddef.h>.
+
+  88.   [cleanup]       <isc/interfaceiter.h> does not need <isc/result.h> or
+                        <isc/mem.h>.  isc_interface_t and isc_interfaceiter_t
+                        moved to <isc/types.h>.
+
+  87.   [cleanup]       <isc/heap.h> does not need <isc/boolean.h>,
+                        <isc/mem.h> or <isc/result.h>.
+
+  86.   [cleanup]       isc_bufferlist_t moved from <isc/bufferlist.h> to
+                        <isc/types.h>.
+
+  85.   [cleanup]       <isc/bufferlist.h> does not need <isc/buffer.h>,
+                        <isc/list.h>, <isc/mem.h>, <isc/region.h> or
+                        <isc/int.h>.
+
+  84.	[func]		allow-query ACL checks now apply to all data
+			added to a response.
+
+  83.	[func]		If the server is authoritative for both a
+			delegating zone and its (nonsecure) delegatee, and
+			a query is made for a KEY RR at the top of the
+			delegatee, then the server will look for a KEY
+			in the delegator if it is not found in the delegatee.
+
+  82.   [cleanup]       <isc/buffer.h> does not need <isc/list.h>.
+
+  81.   [cleanup]       <isc/int.h> and <isc/boolean.h> do not need
+                        <isc/lang.h>.
+
+  80.   [cleanup]       <isc/print.h> does not need <stdio.h> or <stdlib.h>.
+
+  79.   [cleanup]       <dns/callbacks.h> does not need <stdio.h>.
+
+  78.   [cleanup]       lwres_conftest renamed to lwresconf_test for
+                        consistency with other *_test programs.
+
+  77.   [cleanup]       typedef of isc_time_t and isc_interval_t moved from
+                        <isc/time.h> to <isc/types.h>.  
+
+  76.   [cleanup]	Rewrote keygen.
+
+  75.   [func]          Don't load a zone if its database file is older
+                        than the last time the zone was loaded.
+
+  74.   [cleanup]       Removed mktemplate.o and ufile.o from libisc.a,
+                        subsumed by file.o.
+
+  73.   [func]          New "file" API in libisc, including new function
+                        isc_file_getmodtime, isc_mktemplate renamed to
+                        isc_file_mktemplate and isc_ufile renamed to
+                        isc_file_openunique.  By no means an exhaustive API,
+                        it is just what's needed for now.
+
+  72.   [func]          DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS
+                        added for dns_rbt_findnode, the former to disable the
+                        setting of the chain to the predecessor, and the
+                        latter to make clear when no options are set.
+
+  71.   [cleanup]       Made explicit the implicit REQUIREs of
+                        isc_time_seconds, isc_time_nanoseconds, and
+                        isc_time_subtract.
+
+  70.   [func]          isc_time_set() added.
+
+  69.   [bug]		The zone object's master and also-notify lists grew
+			longer with each server reload.
+
+  68.	[func]		Partial support for SIG(0) on incoming messages.
+
+  67.	[performance]	Allow use of alternate (compile-time supplied)
+			OpenSSL libraries/headers.
+
+  66.   [func]		Data in authoritative zones should have a trust level
+			beyond secure.
+
+  65.   [cleanup]       Removed obsolete typedef of dns_zone_callbackarg_t
+			from <dns/types.h>.
+
+  64.	[func]		The RBT, DB, and zone table APIs now allow the
+			caller find the most-enclosing superdomain of
+			a name.
+
+  63	[func]		Generate NOTIFY messages.
+
+  62.	[func]		Add UDP refresh support.
+
+  61.   [cleanup]       Use single quotes consistently in log messages.
+
+  60.	[func]		Catch and disallow singleton types on message
+			parse.
+
+  59.	[bug]		Cause net/host unreachable to be a hard error
+			when sending and receiving.
+
+  58.	[bug]		bin/named/query.c could sometimes trigger the
+			(client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
+			== 0 assertion in query_newname().
+
+  57.   [func]          Added dns_nxt_typepresent()
+
+  56.	[bug]		SIG records were not properly returned in cached
+			negative answers.
+
+  55.	[bug]		Responses containing multiple names in the authority
+			section were not negatively cached.
+
+  54.	[bug]		If a fetch with sigrdataset==NULL joined one with
+			sigrdataset!=NULL or vice versa, the resolver
+			could catch an assertion or lose signature data,
+			respectively.
+
+  53.	[port]		freebsd 4.0: lib/isc/unix/socket.c requires
+			<sys/param.h>.
+
+  52.	[bug]		rndc: taskmgr and socketmgr were not initaliased
+			to NULL.
+
+  51.   [cleanup]       dns/compress.h and dns/zt.h did not need to include
+                        dns/rbt.h; it was needed only by compress.c and zt.c.
+
+  50.   [func]          RBT deletion no longer requires a valid chain to work,
+                        and dns_rbt_deletenode was added.
+
+  49.	[func]		Each cache now has its own mctx.
+
+  48.	[func]		isc_task_create() no longer takes an mctx.
+			isc_task_mem() has been eliminated.
+
+  47.	[func]		A number of modules now use memory context reference
+			counting.
+
+  46.	[func]		Memory contexts are now reference counted.
+			Added isc_mem_inuse() and isc_mem_preallocate().
+			Renamed isc_mem_destroy_check() to
+			isc_mem_setdestroycheck().
+
+  45.	[bug]		The trusted-key statement incorrectly loaded keys.
+
+  44.	[bug]		Don't include authority data if it would force us
+			to unset the AD bit in the message.
+
+  43.	[bug]		DNSSEC verification of cached rdatasets was failing.
+
+  42.	[cleanup]	Simplified logging of messages with embedded domain
+			names by introducing a new convenience function
+			dns_name_format().
+
+  41.	[func]		Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later
+			to allow 'named' to run as a non-root user while
+			retaining the ability to bind() to privileged
+			ports.
+
+  40.	[func]		Introduced new logging category "dnssec" and
+			logging module "dns/validator".
+
+  39.	[cleanup]	Moved the typedefs for isc_region_t, isc_textregion_t, 
+			and isc_lex_t to <isc/types.h>.
+
+  38.	[bug]		TSIG signed incoming zone transfers work now.
+
+  37.	[bug]		If the first RR in an incoming zone transfer was 
+			not an SOA, the server died with an assertion failure
+			instead of just reporting an error.
+
+  36.	[cleanup]	Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS
+
+  35.   [performance]   Log messages which are of a level too high to be
+                        logged by any channel in the logging configuration
+                        will not cause the log mutex to be locked.
+
+  34.   [bug]           Recursion was allowed even with 'recursion no'.
+
+  33.   [func]          The RBT now maintains a parent pointer at each node.
+
+  32.   [cleanup]       bin/lwresd/client.c needs <string.h> for memset()
+                        prototype.
+
+  31.   [bug]           Use ${LIBTOOL} to compile bin/named/main.@O@.
+
+  30.	[func]		config file grammer change to support optional 
+			class type for a view.
+
+  29.	[func]		support new config file view options:
+
+				auth-nxdomain recursion query-source
+				query-source-v6 transfer-source
+				transfer-source-v6 max-transfer-time-out
+				max-transfer-idle-out transfer-format
+				request-ixfr privide-ixfr cleaning-interval
+				fetch-glue notify rfc2308-type1 lame-ttl
+				max-ncache-ttl min-roots
+
+  28.	[func]		support lame-ttl, min-roots and serial-queries 
+			config global options.
+			
+  27.   [bug]           Only include <netinet6/in6.h> on BSD/OS 4.[01]*.
+                        Including it on other platforms (eg, NetBSD) can
+                        cause a forced #error from the C preprocessor.
+
+  26.	[func]		new match-clients statement in config file view.
+
+  25.	[bug]		make install failed to install <isc/log.h> and
+			<isc/ondestroy.h>.
+
+  24.	[cleanup]	Eliminate some unnecessary #includes of header
+			files from header files.
+
+  23.	[cleanup]	Provide more context in log messages about client
+			requests, using a new function ns_client_log().
+
+  22.   [bug]		SIGs weren't returned in the answer section when
+			the query resulted in a fetch.
+
+  21.   [port]          Look at STD_CINCLUDES after CINCLUDES during
+                        compilation, so additional system include directories
+                        can be searched but header files in the bind9 source
+                        tree with conflicting names take precedence.  This
+                        avoids issues with installed versions of dnssafe and
+                        openssl.
+
+  20.	[func]		Configuration file post-load validation of zones
+			failed if there were no zones.
+
+  19.	[bug]		dns_zone_notifyreceive() failed to unlock the zone
+			lock in certain error cases.
+
+  18.   [bug]           Use AC_TRY_LINK rather than AC_TRY_COMPILE in
+                        configure.in to check for presence of in6addr_any.
+
+  17.	[func]		Do configuration file post-load validation of zones.
+
+  16.	[bug]		put quotes around key names on config file 
+			output to avoid possible keyword clashes.
+
+  15.	[func]		Add dns_name_dupwithoffsets().  This function is
+			improves comparison performance for duped names.
+
+  14.	[bug]		free_rbtdb() could have 'put' unallocated memory in
+			an unlikely error path.
+
+  13.	[bug]		lib/dns/master.c and lib/dns/xfrin.c didn't ignore
+			out-of-zone data.
+
+  12.	[bug]		Fixed possible unitialized variable error.
+
+  11.	[bug]		axfr_rrstream_first() didn't check the result code of
+			db_rr_iterator_first(), possibly causing an assertion
+			to be triggered later.
+
+  10.	[bug]		A bug in the code which makes EDNS0 OPT records in
+			bin/named/client.c and lib/dns/resolver.c could
+			trigger an assertion.
+
+   9.   [cleanup]	replaced bit-setting code in confctx.c and replaced
+			repeated code with macro calls.
+
+   8.   [bug]		Shutdown of incoming zone transfer accessed
+			freed memory.
+
+   7.   [cleanup]	removed 'listen-on' from view statement.
+
+   6.   [bug]		quote RR names when generating config file to 
+			prevent possible clash with config file keywords 
+			(such as 'key').
+
+   5.   [func]		syntax change to named.conf file: new ssu grant/deny 
+			statements must now be enclosed by an 'update-policy'
+			block.
+
+   4.	[port]		bin/named/unix/os.c didn't compile on systems with
+			linux 2.3 kernel includes due to conflicts between
+			C library includes and the kernel includes.  We now
+			get only what we need from <linux/capability.h>, and
+			avoid pulling in other linux kernel .h files.
+
+   3.	[bug]		TKEYs go in the answer section of responses, not
+			the additional section.
+
+   2.	[bug]		Generating cryptographic randomness failed on
+			systems without /dev/random.
+
+   1.	[bug]		The installdirs rule in
+			lib/isc/unix/include/isc/Makefile.in had a typo which
+			prevented the isc directory from being created if it
+			didn't exist.
+
+	--- 9.0.0b2 released ---
diff --git a/Makefile.in b/Makefile.in
index ed1eff18..fbb396f5 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -21,10 +21,10 @@ top_srcdir =	@top_srcdir@
 
 SUBDIRS =	make lib bin
 TARGETS =
-DISTFILES =	Makefile.in README \
+DISTFILES =	CHANGES Makefile.in README \
 		acconfig.h aclocal.m4 config.guess config.h.in config.h.win32 \
 		config.status.win32 config.sub configure configure.in \
-		install-sh ltconfig ltmain.sh \
+		install-sh libtool.m4 ltconfig ltmain.sh \
 		bin lib make \
 		version
 DOCDIRS =	arm draft misc rfc
diff --git a/README b/README
index 23565803..2cbd7ffb 100644
--- a/README
+++ b/README
@@ -68,57 +68,66 @@ BIND 9
 		Stichting NLnet - NLnet Foundation
 
 
-BIND 9.0.0b2
+BIND 9.0.0b3
 
-	BIND 9.0.0b2 is the second public release of BIND 9 code.  It will
+	BIND 9.0.0b3 is the third public release of BIND 9 code.  It will
 	be most useful to advanced users working with IPv6 or DNSSEC.
 
-	BIND 9.0.0b2 is not functionally complete, and is not a release
-	candidate for BIND 9.0.0.  The ISC anticipates a number of additional
-	beta releases between now and May, when BIND 9.0.0 is scheduled to
+	BIND 9.0.0b3 is not functionally complete, and is not a release
+	candidate for BIND 9.0.0.  ISC anticipates at least one additional
+	beta release between now and June, when BIND 9.0.0 is scheduled to
 	be released.
 
-	The ISC does not recommend using BIND 9.0.0b2 for "production"
+	ISC does not recommend using BIND 9.0.0b3 for "production"
 	services.
 
-	We hope users of BIND 9.0.0b2 will provide feedback, bug fixes, and
+	We hope users of BIND 9.0.0b3 will provide feedback, bug fixes, and
 	enhancements.  If you are not in a position to do so, it would
 	probably be better to wait until subsequent releases.
 
-	There have been many changes since beta 1; the highlights are:
+	There have been many changes since beta 2; the highlights are:
 
-		Many more config file options are now implemented.  See
-		doc/misc/options for a summary of the current implementation
-		status.
+		The server now supports "views", a mechanism for answering
+		DNS queries differently to different requestors.  This
+		will make split DNS setups much easier to build.
 
-		Portability improvements.  In particular, this beta should work
-		much better than beta 1 on FreeBSD 3.4.
+		NOTIFY (RFC1996) has been implemented.
 
-		Bug fixes.  Almost all bugs reported against beta 1 have been
+		Basic support for validation of DNSSEC signatures has
+		been implemented.  For details, see doc/misc/dnssec.
+
+		The "dig" and "host" tools have been completely rewritten
+		and are included in the base distribution.
+
+		Bug fixes.  Most bugs reported against beta 2 have been
 		fixed.
 
-	Some of the more significant items that will be implemented or
-	enhanced in a future beta are
+	There are a few known bugs:
 
-		DNSSEC validation
+		The option "query-source * port 53;" will not work as
+		expected.  Instead of the wildcard address "*", you need 
+		to use an explicit source IP address.
 
-			The server does not currently validate DNSSEC
-			signatures.
+		On some systems, IPv6 and IPv4 sockets interact in
+		unexpected ways.  For details, see doc/misc/ipv6.
 
-		Notify
+	For a detailed list of user-visible changes since beta 2, see
+	the CHANGES file.	
 
-			Notify is not yet implemented.
+	Some of the more significant items that will be implemented or
+	enhanced in a future beta are
 
-		Selective Forwarding
+		Selective forwarding
+
+		Stub zones
 
 		Documentation
 
 			Future releases will contain a lot more documentation,
 			but a preliminary version of the Administrator's
-			Reference Manual is in the doc/arm subdirectory.
-
-			A detailed CHANGES file like that in BIND 4 and BIND 8
-			will be provided in future betas.
+			Reference Manual is in the doc/arm subdirectory in
+			HTML format.  A plain text version will be added
+			in a future release.
 
 
 Building
@@ -133,8 +142,8 @@ Building
 		FreeBSD 3.4-STABLE
 		HP-UX 11
 		IRIX64 6.5
-		NetBSD current (with "unproven" pthreads)
-		Red Hat Linux 6.0, 6.1
+		NetBSD-current (with "unproven" pthreads, foreground only)
+		Red Hat Linux 6.0, 6.1, 6.2
 		Solaris 2.6, 7, 8 (beta)
 
 	To build, just
@@ -142,13 +151,39 @@ Building
 		./configure
 		make
 
+        Several environment variables that can be set before running
+        configure will affect compilation:
+
+            CC
+                The C compiler to use.  configure tries to figure
+                out the right one for supported systems.
+
+            CFLAGS
+                C compiler flags.  Defaults to include -g and/or -O2
+                as supported by the compiler.
+
+            STD_CINCLUDES
+                System header file directories.  Can be used to specify
+                where add-on thread or IPv6 support is, for example.
+                Defaults to empty string.
+
+            STD_CDEFINES
+                Any additional preprocessor symbols you want defined.
+                Defaults to empty string.
+
+        To build shared libraries, specify "--with-libtool" on the
+	configure command line.
+
+	If your operating system has integrated support for IPv6, it
+	will be used automatically.  If you have installed KAME IPv6
+	separately, use "--with-kame[=PATH]" to specify its location.
+	
+        To see additional configure options, run "configure --help".
+
 	"make install" will install "named" and the various BIND 9 libraries.
 	By default, installation is into /usr/local, but this can be changed
 	with the "--prefix" option when running "configure".
 
-	Shared libraries will be built if "--with-libtool" is added to the
-	"configure" command.
-
 	If you're planning on making changes to the BIND 9 source, you
 	should also "make depend".  If you're using Emacs, you might find
 	"make tags" helpful.
@@ -200,13 +235,19 @@ Bug Reports and Mailing Lists
 	enhance security on most systems.  The way chroot() is defined
 	allows a process with root privileges to escape the chroot jail.
 
-	The "-u" option is not currently useful on Linux.  Linux threads
-	are actually processes sharing a common address space.  An unfortunate
-	side effect of this is that some system calls, e.g. setuid() that
-	in a typical pthreads environment would affect all threads only affect
-	the calling thread/process on Linux.  The good news is that BIND 9
-	uses the Linux kernel's capability mechanism to drop all root
-	powers except the ability to bind() to a privileged port.
+	The "-u" option is not currently useful on Linux kernels older
+	than 2.3.99-pre3.  Linux threads are actually processes sharing a
+	common address space.  An unfortunate side effect of this is that
+	some system calls, e.g. setuid() that in a typical pthreads
+	environment would affect all threads only affect the calling
+	thread/process on Linux.  The good news is that BIND 9 uses the
+	Linux kernel's capability mechanism to drop all root powers except
+	the ability to bind() to a privileged port.  2.3.99-pre3 and later
+	kernels allow a process to say that its capabilities should be
+	retained after setuid().  If BIND 9 is compiled with 2.3.99-pre3 or
+	later kernel .h files, the "-u" option will cause the server to
+	run with the specified user id, but it will retain the capability
+	to bind() to privileged ports.
 
 	On systems with more than one CPU, the "-n" option should be used
 	to indicate how many CPUs there are.
diff --git a/acconfig.h b/acconfig.h
index 4cdb733d..5ce99df0 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -30,6 +30,9 @@
 /* define if your system has sigwait() */
 #undef HAVE_SIGWAIT
 
+/* define if sigwait() is the UnixWare flavor */
+#undef HAVE_UNIXWARE_SIGWAIT
+
 /* define on Solaris to get sigwait() to work using pthreads semantics */
 #undef _POSIX_PTHREAD_SEMANTICS
 
@@ -52,3 +55,10 @@
 
 /* define if chroot() is available */
 #undef HAVE_CHROOT
+
+/* Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */
+#undef SHUTUP_SPUTAUX
+#ifdef SHUTUP_SPUTAUX
+struct __sFILE;
+extern __inline int __sputaux(int _c, struct __sFILE *_p);
+#endif
diff --git a/aclocal.m4 b/aclocal.m4
index 2ad32064..c1a594c1 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,427 +1,2 @@
-## libtool.m4 - Configure libtool for the target system. -*-Shell-script-*-
-## Copyright (C) 1996-1999 Free Software Foundation, Inc.
-## Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
-##
-## This program is free software; you can redistribute it and/or modify
-## it under the terms of the GNU General Public License as published by
-## the Free Software Foundation; either version 2 of the License, or
-## (at your option) any later version.
-##
-## This program is distributed in the hope that it will be useful, but
-## WITHOUT ANY WARRANTY; without even the implied warranty of
-## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-## General Public License for more details.
-##
-## You should have received a copy of the GNU General Public License
-## along with this program; if not, write to the Free Software
-## Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-##
-## As a special exception to the GNU General Public License, if you
-## distribute this file as part of a program that contains a
-## configuration script generated by Autoconf, you may include it under
-## the same distribution terms that you use for the rest of that program.
+sinclude(./libtool.m4)dnl
 
-# serial 40 AC_PROG_LIBTOOL
-AC_DEFUN(AC_PROG_LIBTOOL,
-[AC_REQUIRE([AC_LIBTOOL_SETUP])dnl
-
-# Save cache, so that ltconfig can load it
-AC_CACHE_SAVE
-
-# Actually configure libtool.  ac_aux_dir is where install-sh is found.
-CC="$CC" CFLAGS="$CFLAGS" CPPFLAGS="$CPPFLAGS" \
-LD="$LD" LDFLAGS="$LDFLAGS" LIBS="$LIBS" \
-LN_S="$LN_S" NM="$NM" RANLIB="$RANLIB" \
-DLLTOOL="$DLLTOOL" AS="$AS" OBJDUMP="$OBJDUMP" \
-${CONFIG_SHELL-/bin/sh} $ac_aux_dir/ltconfig --no-reexec \
-$libtool_flags --no-verify $ac_aux_dir/ltmain.sh $host \
-|| AC_MSG_ERROR([libtool configure failed])
-
-# Reload cache, that may have been modified by ltconfig
-AC_CACHE_LOAD
-
-# This can be used to rebuild libtool when needed
-LIBTOOL_DEPS="$ac_aux_dir/ltconfig $ac_aux_dir/ltmain.sh"
-
-# Always use our own libtool.
-LIBTOOL='$(SHELL) $(top_builddir)/libtool'
-AC_SUBST(LIBTOOL)dnl
-
-# Redirect the config.log output again, so that the ltconfig log is not
-# clobbered by the next message.
-exec 5>>./config.log
-])
-
-AC_DEFUN(AC_LIBTOOL_SETUP,
-[AC_PREREQ(2.13)dnl
-AC_REQUIRE([AC_ENABLE_SHARED])dnl
-AC_REQUIRE([AC_ENABLE_STATIC])dnl
-AC_REQUIRE([AC_ENABLE_FAST_INSTALL])dnl
-AC_REQUIRE([AC_CANONICAL_HOST])dnl
-AC_REQUIRE([AC_CANONICAL_BUILD])dnl
-AC_REQUIRE([AC_PROG_RANLIB])dnl
-AC_REQUIRE([AC_PROG_CC])dnl
-AC_REQUIRE([AC_PROG_LD])dnl
-AC_REQUIRE([AC_PROG_NM])dnl
-AC_REQUIRE([AC_PROG_LN_S])dnl
-dnl
-
-# Check for any special flags to pass to ltconfig.
-libtool_flags="--cache-file=$cache_file"
-test "$enable_shared" = no && libtool_flags="$libtool_flags --disable-shared"
-test "$enable_static" = no && libtool_flags="$libtool_flags --disable-static"
-test "$enable_fast_install" = no && libtool_flags="$libtool_flags --disable-fast-install"
-test "$ac_cv_prog_gcc" = yes && libtool_flags="$libtool_flags --with-gcc"
-test "$ac_cv_prog_gnu_ld" = yes && libtool_flags="$libtool_flags --with-gnu-ld"
-ifdef([AC_PROVIDE_AC_LIBTOOL_DLOPEN],
-[libtool_flags="$libtool_flags --enable-dlopen"])
-ifdef([AC_PROVIDE_AC_LIBTOOL_WIN32_DLL],
-[libtool_flags="$libtool_flags --enable-win32-dll"])
-AC_ARG_ENABLE(libtool-lock,
-  [  --disable-libtool-lock  avoid locking (might break parallel builds)])
-test "x$enable_libtool_lock" = xno && libtool_flags="$libtool_flags --disable-lock"
-test x"$silent" = xyes && libtool_flags="$libtool_flags --silent"
-
-# Some flags need to be propagated to the compiler or linker for good
-# libtool support.
-case "$host" in
-*-*-irix6*)
-  # Find out which ABI we are using.
-  echo '[#]line __oline__ "configure"' > conftest.$ac_ext
-  if AC_TRY_EVAL(ac_compile); then
-    case "`/usr/bin/file conftest.o`" in
-    *32-bit*)
-      LD="${LD-ld} -32"
-      ;;
-    *N32*)
-      LD="${LD-ld} -n32"
-      ;;
-    *64-bit*)
-      LD="${LD-ld} -64"
-      ;;
-    esac
-  fi
-  rm -rf conftest*
-  ;;
-
-*-*-sco3.2v5*)
-  # On SCO OpenServer 5, we need -belf to get full-featured binaries.
-  SAVE_CFLAGS="$CFLAGS"
-  CFLAGS="$CFLAGS -belf"
-  AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf,
-    [AC_TRY_LINK([],[],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no])])
-  if test x"$lt_cv_cc_needs_belf" != x"yes"; then
-    # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
-    CFLAGS="$SAVE_CFLAGS"
-  fi
-  ;;
-
-ifdef([AC_PROVIDE_AC_LIBTOOL_WIN32_DLL],
-[*-*-cygwin* | *-*-mingw*)
-  AC_CHECK_TOOL(DLLTOOL, dlltool, false)
-  AC_CHECK_TOOL(AS, as, false)
-  AC_CHECK_TOOL(OBJDUMP, objdump, false)
-  ;;
-])
-esac
-])
-
-# AC_LIBTOOL_DLOPEN - enable checks for dlopen support
-AC_DEFUN(AC_LIBTOOL_DLOPEN, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])])
-
-# AC_LIBTOOL_WIN32_DLL - declare package support for building win32 dll's
-AC_DEFUN(AC_LIBTOOL_WIN32_DLL, [AC_BEFORE([$0], [AC_LIBTOOL_SETUP])])
-
-# AC_ENABLE_SHARED - implement the --enable-shared flag
-# Usage: AC_ENABLE_SHARED[(DEFAULT)]
-#   Where DEFAULT is either `yes' or `no'.  If omitted, it defaults to
-#   `yes'.
-AC_DEFUN(AC_ENABLE_SHARED, [dnl
-define([AC_ENABLE_SHARED_DEFAULT], ifelse($1, no, no, yes))dnl
-AC_ARG_ENABLE(shared,
-changequote(<<, >>)dnl
-<<  --enable-shared[=PKGS]  build shared libraries [default=>>AC_ENABLE_SHARED_DEFAULT],
-changequote([, ])dnl
-[p=${PACKAGE-default}
-case "$enableval" in
-yes) enable_shared=yes ;;
-no) enable_shared=no ;;
-*)
-  enable_shared=no
-  # Look at the argument we got.  We use all the common list separators.
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:,"
-  for pkg in $enableval; do
-    if test "X$pkg" = "X$p"; then
-      enable_shared=yes
-    fi
-  done
-  IFS="$ac_save_ifs"
-  ;;
-esac],
-enable_shared=AC_ENABLE_SHARED_DEFAULT)dnl
-])
-
-# AC_DISABLE_SHARED - set the default shared flag to --disable-shared
-AC_DEFUN(AC_DISABLE_SHARED, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-AC_ENABLE_SHARED(no)])
-
-# AC_ENABLE_STATIC - implement the --enable-static flag
-# Usage: AC_ENABLE_STATIC[(DEFAULT)]
-#   Where DEFAULT is either `yes' or `no'.  If omitted, it defaults to
-#   `yes'.
-AC_DEFUN(AC_ENABLE_STATIC, [dnl
-define([AC_ENABLE_STATIC_DEFAULT], ifelse($1, no, no, yes))dnl
-AC_ARG_ENABLE(static,
-changequote(<<, >>)dnl
-<<  --enable-static[=PKGS]  build static libraries [default=>>AC_ENABLE_STATIC_DEFAULT],
-changequote([, ])dnl
-[p=${PACKAGE-default}
-case "$enableval" in
-yes) enable_static=yes ;;
-no) enable_static=no ;;
-*)
-  enable_static=no
-  # Look at the argument we got.  We use all the common list separators.
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:,"
-  for pkg in $enableval; do
-    if test "X$pkg" = "X$p"; then
-      enable_static=yes
-    fi
-  done
-  IFS="$ac_save_ifs"
-  ;;
-esac],
-enable_static=AC_ENABLE_STATIC_DEFAULT)dnl
-])
-
-# AC_DISABLE_STATIC - set the default static flag to --disable-static
-AC_DEFUN(AC_DISABLE_STATIC, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-AC_ENABLE_STATIC(no)])
-
-
-# AC_ENABLE_FAST_INSTALL - implement the --enable-fast-install flag
-# Usage: AC_ENABLE_FAST_INSTALL[(DEFAULT)]
-#   Where DEFAULT is either `yes' or `no'.  If omitted, it defaults to
-#   `yes'.
-AC_DEFUN(AC_ENABLE_FAST_INSTALL, [dnl
-define([AC_ENABLE_FAST_INSTALL_DEFAULT], ifelse($1, no, no, yes))dnl
-AC_ARG_ENABLE(fast-install,
-changequote(<<, >>)dnl
-<<  --enable-fast-install[=PKGS]  optimize for fast installation [default=>>AC_ENABLE_FAST_INSTALL_DEFAULT],
-changequote([, ])dnl
-[p=${PACKAGE-default}
-case "$enableval" in
-yes) enable_fast_install=yes ;;
-no) enable_fast_install=no ;;
-*)
-  enable_fast_install=no
-  # Look at the argument we got.  We use all the common list separators.
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:,"
-  for pkg in $enableval; do
-    if test "X$pkg" = "X$p"; then
-      enable_fast_install=yes
-    fi
-  done
-  IFS="$ac_save_ifs"
-  ;;
-esac],
-enable_fast_install=AC_ENABLE_FAST_INSTALL_DEFAULT)dnl
-])
-
-# AC_ENABLE_FAST_INSTALL - set the default to --disable-fast-install
-AC_DEFUN(AC_DISABLE_FAST_INSTALL, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-AC_ENABLE_FAST_INSTALL(no)])
-
-# AC_PROG_LD - find the path to the GNU or non-GNU linker
-AC_DEFUN(AC_PROG_LD,
-[AC_ARG_WITH(gnu-ld,
-[  --with-gnu-ld           assume the C compiler uses GNU ld [default=no]],
-test "$withval" = no || with_gnu_ld=yes, with_gnu_ld=no)
-AC_REQUIRE([AC_PROG_CC])dnl
-AC_REQUIRE([AC_CANONICAL_HOST])dnl
-AC_REQUIRE([AC_CANONICAL_BUILD])dnl
-ac_prog=ld
-if test "$ac_cv_prog_gcc" = yes; then
-  # Check if gcc -print-prog-name=ld gives a path.
-  AC_MSG_CHECKING([for ld used by GCC])
-  ac_prog=`($CC -print-prog-name=ld) 2>&5`
-  case "$ac_prog" in
-    # Accept absolute paths.
-changequote(,)dnl
-    [\\/]* | [A-Za-z]:[\\/]*)
-      re_direlt='/[^/][^/]*/\.\./'
-changequote([,])dnl
-      # Canonicalize the path of ld
-      ac_prog=`echo $ac_prog| sed 's%\\\\%/%g'`
-      while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
-	ac_prog=`echo $ac_prog| sed "s%$re_direlt%/%"`
-      done
-      test -z "$LD" && LD="$ac_prog"
-      ;;
-  "")
-    # If it fails, then pretend we aren't using GCC.
-    ac_prog=ld
-    ;;
-  *)
-    # If it is relative, then search for the first ld in PATH.
-    with_gnu_ld=unknown
-    ;;
-  esac
-elif test "$with_gnu_ld" = yes; then
-  AC_MSG_CHECKING([for GNU ld])
-else
-  AC_MSG_CHECKING([for non-GNU ld])
-fi
-AC_CACHE_VAL(ac_cv_path_LD,
-[if test -z "$LD"; then
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}${PATH_SEPARATOR-:}"
-  for ac_dir in $PATH; do
-    test -z "$ac_dir" && ac_dir=.
-    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
-      ac_cv_path_LD="$ac_dir/$ac_prog"
-      # Check to see if the program is GNU ld.  I'd rather use --version,
-      # but apparently some GNU ld's only accept -v.
-      # Break only if it was the GNU/non-GNU ld that we prefer.
-      if "$ac_cv_path_LD" -v 2>&1 < /dev/null | egrep '(GNU|with BFD)' > /dev/null; then
-	test "$with_gnu_ld" != no && break
-      else
-	test "$with_gnu_ld" != yes && break
-      fi
-    fi
-  done
-  IFS="$ac_save_ifs"
-else
-  ac_cv_path_LD="$LD" # Let the user override the test with a path.
-fi])
-LD="$ac_cv_path_LD"
-if test -n "$LD"; then
-  AC_MSG_RESULT($LD)
-else
-  AC_MSG_RESULT(no)
-fi
-test -z "$LD" && AC_MSG_ERROR([no acceptable ld found in \$PATH])
-AC_SUBST(LD)
-AC_PROG_LD_GNU
-])
-
-AC_DEFUN(AC_PROG_LD_GNU,
-[AC_CACHE_CHECK([if the linker ($LD) is GNU ld], ac_cv_prog_gnu_ld,
-[# I'd rather use --version here, but apparently some GNU ld's only accept -v.
-if $LD -v 2>&1 </dev/null | egrep '(GNU|with BFD)' 1>&5; then
-  ac_cv_prog_gnu_ld=yes
-else
-  ac_cv_prog_gnu_ld=no
-fi])
-])
-
-# AC_PROG_NM - find the path to a BSD-compatible name lister
-AC_DEFUN(AC_PROG_NM,
-[AC_MSG_CHECKING([for BSD-compatible nm])
-AC_CACHE_VAL(ac_cv_path_NM,
-[if test -n "$NM"; then
-  # Let the user override the test.
-  ac_cv_path_NM="$NM"
-else
-  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}${PATH_SEPARATOR-:}"
-  for ac_dir in $PATH /usr/ccs/bin /usr/ucb /bin; do
-    test -z "$ac_dir" && ac_dir=.
-    if test -f $ac_dir/nm || test -f $ac_dir/nm$ac_exeext ; then
-      # Check to see if the nm accepts a BSD-compat flag.
-      # Adding the `sed 1q' prevents false positives on HP-UX, which says:
-      #   nm: unknown option "B" ignored
-      if ($ac_dir/nm -B /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
-	ac_cv_path_NM="$ac_dir/nm -B"
-	break
-      elif ($ac_dir/nm -p /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
-	ac_cv_path_NM="$ac_dir/nm -p"
-	break
-      else
-	ac_cv_path_NM=${ac_cv_path_NM="$ac_dir/nm"} # keep the first match, but
-	continue # so that we can try to find one that supports BSD flags
-      fi
-    fi
-  done
-  IFS="$ac_save_ifs"
-  test -z "$ac_cv_path_NM" && ac_cv_path_NM=nm
-fi])
-NM="$ac_cv_path_NM"
-AC_MSG_RESULT([$NM])
-AC_SUBST(NM)
-])
-
-# AC_CHECK_LIBM - check for math library
-AC_DEFUN(AC_CHECK_LIBM,
-[AC_REQUIRE([AC_CANONICAL_HOST])dnl
-LIBM=
-case "$host" in
-*-*-beos* | *-*-cygwin*)
-  # These system don't have libm
-  ;;
-*-ncr-sysv4.3*)
-  AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM="-lmw")
-  AC_CHECK_LIB(m, main, LIBM="$LIBM -lm")
-  ;;
-*)
-  AC_CHECK_LIB(m, main, LIBM="-lm")
-  ;;
-esac
-])
-
-# AC_LIBLTDL_CONVENIENCE[(dir)] - sets LIBLTDL to the link flags for
-# the libltdl convenience library, adds --enable-ltdl-convenience to
-# the configure arguments.  Note that LIBLTDL is not AC_SUBSTed, nor
-# is AC_CONFIG_SUBDIRS called.  If DIR is not provided, it is assumed
-# to be `${top_builddir}/libltdl'.  Make sure you start DIR with
-# '${top_builddir}/' (note the single quotes!) if your package is not
-# flat, and, if you're not using automake, define top_builddir as
-# appropriate in the Makefiles.
-AC_DEFUN(AC_LIBLTDL_CONVENIENCE, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-  case "$enable_ltdl_convenience" in
-  no) AC_MSG_ERROR([this package needs a convenience libltdl]) ;;
-  "") enable_ltdl_convenience=yes
-      ac_configure_args="$ac_configure_args --enable-ltdl-convenience" ;;
-  esac
-  LIBLTDL=ifelse($#,1,$1,['${top_builddir}/libltdl'])/libltdlc.la
-  INCLTDL=ifelse($#,1,-I$1,['-I${top_builddir}/libltdl'])
-])
-
-# AC_LIBLTDL_INSTALLABLE[(dir)] - sets LIBLTDL to the link flags for
-# the libltdl installable library, and adds --enable-ltdl-install to
-# the configure arguments.  Note that LIBLTDL is not AC_SUBSTed, nor
-# is AC_CONFIG_SUBDIRS called.  If DIR is not provided, it is assumed
-# to be `${top_builddir}/libltdl'.  Make sure you start DIR with
-# '${top_builddir}/' (note the single quotes!) if your package is not
-# flat, and, if you're not using automake, define top_builddir as
-# appropriate in the Makefiles.
-# In the future, this macro may have to be called after AC_PROG_LIBTOOL.
-AC_DEFUN(AC_LIBLTDL_INSTALLABLE, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-  AC_CHECK_LIB(ltdl, main,
-  [test x"$enable_ltdl_install" != xyes && enable_ltdl_install=no],
-  [if test x"$enable_ltdl_install" = xno; then
-     AC_MSG_WARN([libltdl not installed, but installation disabled])
-   else
-     enable_ltdl_install=yes
-   fi
-  ])
-  if test x"$enable_ltdl_install" = x"yes"; then
-    ac_configure_args="$ac_configure_args --enable-ltdl-install"
-    LIBLTDL=ifelse($#,1,$1,['${top_builddir}/libltdl'])/libltdl.la
-    INCLTDL=ifelse($#,1,-I$1,['-I${top_builddir}/libltdl'])
-  else
-    ac_configure_args="$ac_configure_args --enable-ltdl-install=no"
-    LIBLTDL="-lltdl"
-    INCLTDL=
-  fi
-])
-
-dnl old names
-AC_DEFUN(AM_PROG_LIBTOOL, [indir([AC_PROG_LIBTOOL])])dnl
-AC_DEFUN(AM_ENABLE_SHARED, [indir([AC_ENABLE_SHARED], $@)])dnl
-AC_DEFUN(AM_ENABLE_STATIC, [indir([AC_ENABLE_STATIC], $@)])dnl
-AC_DEFUN(AM_DISABLE_SHARED, [indir([AC_DISABLE_SHARED], $@)])dnl
-AC_DEFUN(AM_DISABLE_STATIC, [indir([AC_DISABLE_STATIC], $@)])dnl
-AC_DEFUN(AM_PROG_LD, [indir([AC_PROG_LD])])dnl
-AC_DEFUN(AM_PROG_NM, [indir([AC_PROG_NM])])dnl
-
-dnl This is just to silence aclocal about the macro not being used
-ifelse([AC_DISABLE_FAST_INSTALL])dnl
diff --git a/bin/Makefile.in b/bin/Makefile.in
index 878c5572..f16047a4 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -17,7 +17,7 @@ srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-SUBDIRS =	named lwresd rndc tests
+SUBDIRS =	named lwresd rndc dig dnssec tests
 TARGETS =
 
 @BIND9_MAKE_RULES@
diff --git a/bin/dig/.cvsignore b/bin/dig/.cvsignore
new file mode 100644
index 00000000..d0918cbb
--- /dev/null
+++ b/bin/dig/.cvsignore
@@ -0,0 +1,3 @@
+Makefile
+dig
+host
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
new file mode 100644
index 00000000..5e6ade76
--- /dev/null
+++ b/bin/dig/Makefile.in
@@ -0,0 +1,70 @@
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_INCLUDES@
+
+CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include \
+		${DNS_INCLUDES} ${ISC_INCLUDES}
+
+CDEFINES =	
+CWARNINGS =
+
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@
+
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
+
+SUBDIRS =	unix
+
+TARGETS =	dig host
+
+OBJS =		dig.@O@ dighost.@O@ host.@O@
+
+UOBJS =		
+
+SRCS =		dig.c dighost.c host.c
+
+@BIND9_MAKE_RULES@
+
+dig: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
+	${LIBTOOL} ${CC} ${CFLAGS} -o $@ dig.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+
+host: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
+	${LIBTOOL} ${CC} ${CFLAGS} -o $@ host.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+
+nslookup: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
+	${LIBTOOL} ${CC} ${CFLAGS} -o $@ nslookup.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+
+clean distclean::
+	rm -f ${TARGETS}
+
+installdirs:
+	if [ ! -d ${DESTDIR}${sbindir} ]; then \
+		mkdir ${DESTDIR}${sbindir}; \
+	fi
+
+install:: dig host installdirs
+	${LIBTOOL} ${INSTALL_PROGRAM} dig ${DESTDIR}${sbindir}
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
new file mode 100644
index 00000000..291957db
--- /dev/null
+++ b/bin/dig/dig.c
@@ -0,0 +1,1172 @@
+/*
+ * Copyright (C) 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+extern int h_errno;
+
+#include <isc/app.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/message.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatatype.h>
+
+#include <dig/dig.h>
+
+extern ISC_LIST(dig_lookup_t) lookup_list;
+extern ISC_LIST(dig_server_t) server_list;
+extern ISC_LIST(dig_searchlist_t) search_list;
+
+extern isc_boolean_t have_ipv6, show_details, specified_source,
+	usesearch, qr;
+extern in_port_t port;
+extern unsigned int timeout;
+extern isc_mem_t *mctx;
+extern isc_taskmgr_t *taskmgr;
+extern isc_task_t *task;
+extern isc_timermgr_t *timermgr;
+extern isc_socketmgr_t *socketmgr;
+extern dns_messageid_t id;
+extern char *rootspace[BUFSIZE];
+extern isc_buffer_t rootbuf;
+extern int sendcount;
+extern int ndots;
+extern int tries;
+extern int lookup_counter;
+extern char fixeddomain[MXNAME];
+#ifdef TWIDDLE
+extern isc_boolean_t twiddle;
+#endif
+extern int exitcode;
+extern isc_sockaddr_t bind_address;
+
+isc_boolean_t short_form = ISC_FALSE, printcmd = ISC_TRUE;
+
+isc_uint16_t bufsize = 0;
+isc_boolean_t identify = ISC_FALSE,
+	trace = ISC_FALSE, ns_search_only = ISC_FALSE,
+	forcecomment = ISC_FALSE, stats = ISC_TRUE,
+	comments = ISC_TRUE, section_question = ISC_TRUE,
+	section_answer = ISC_TRUE, section_authority = ISC_TRUE,
+	section_additional = ISC_TRUE, recurse = ISC_TRUE,
+	defname = ISC_TRUE, aaonly = ISC_FALSE, tcpmode = ISC_FALSE;
+
+
+static char *opcodetext[] = {
+	"QUERY",
+	"IQUERY",
+	"STATUS",
+	"RESERVED3",
+	"NOTIFY",
+	"UPDATE",
+	"RESERVED6",
+	"RESERVED7",
+	"RESERVED8",
+	"RESERVED9",
+	"RESERVED10",
+	"RESERVED11",
+	"RESERVED12",
+	"RESERVED13",
+	"RESERVED14",
+	"RESERVED15"
+};
+
+static char *rcodetext[] = {
+	"NOERROR",
+	"FORMERR",
+	"SERVFAIL",
+	"NXDOMAIN",
+	"NOTIMPL",
+	"REFUSED",
+	"YXDOMAIN",
+	"YXRRSET",
+	"NXRRSET",
+	"NOTAUTH",
+	"NOTZONE",
+	"RESERVED11",
+	"RESERVED12",
+	"RESERVED13",
+	"RESERVED14",
+	"RESERVED15",
+	"BADVERS"
+};
+
+static void
+show_usage() {
+	fputs (
+"Usage:  dig [@global-server] [domain] [q-type] [q-class] {q-opt}\n"
+"        {global-d-opt} host [@local-server] {local-d-opt}\n"
+"        [ host [@local-server] {local-d-opt} [...]]\n"
+"Where:  domain	  are in the Domain Name System\n"
+"        q-class  is one of (in,chaos,...) [default: in]\n"
+"        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]\n"
+"        q-opt    is one of:\n"
+"                 -x dot-notation     (shortcut for in-addr lookups)\n"
+"                 -f filename         (batch mode)\n"
+"                 -p port             (specify port number)\n"
+"                 -t type             (specify query type)\n"
+"                 -c class            (specify query class)\n"
+"        d-opt    is of the form +keyword[=value], where keyword is:\n"
+"                 +[no]vc             (TCP mode)\n"
+"                 +[no]tcp            (TCP mode, alternate syntax)\n"
+"                 +time=###           (Set query timeout) [5]\n"
+"                 +tries=###          (Set number of UDP attempts) [3]\n"
+"                 +domain=###         (Set default domainname)\n"
+"                 +bufsize=###        (Set EDNS0 Max UDP packet size)\n"
+"                 +[no]search         (Set whether to use searchlist)\n"
+"                 +[no]defname        (Set whether to use default domaon)\n"
+"                 +[no]recursive      (Recursive mode)\n"
+"                 +[no]aaonly         (Set AA flag in query)\n"
+"                 +[no]details        (Show details of all requests)\n"
+#ifdef TWIDDLE
+"                 +twiddle            (Intentionally form bad requests)\n"
+#endif
+"                 +ndots=###          (Set NDOTS value)\n"
+"                 +[no]comments       (Control display of comment lines)\n"
+"                 +[no]question       (Control display of question)\n"
+"                 +[no]answer         (Control display of answer)\n"
+"                 +[no]authority      (Control display of authority)\n"
+"                 +[no]additional     (Control display of additional)\n"
+"                 +[no]short          (Disable everything except short\n"
+"                                      form of answer)\n"
+"                 +qr                 (Print question before sending)\n"
+"        Additional d-opts subject to removal before release:\n"
+"                 +[no]nssearch       (Search all authorative nameservers)\n"
+"                 +[no]identify       (ID responders in short answers)\n"
+"        Available but not yet completed:\n"
+"                 +[no]trace          (Trace delegation down from root)\n"
+"        global d-opts and servers (before host name) affect all queries.\n"
+"        local d-opts and servers (after host name) affect only that lookup.\n"
+, stderr);
+}				
+
+void
+dighost_shutdown(void) {
+	isc_app_shutdown();
+}
+
+void
+received(int bytes, int frmsize, char *frm, dig_query_t *query) {
+	isc_uint64_t diff;
+	isc_time_t now;
+	isc_result_t result;
+	time_t tnow;
+
+	result = isc_time_now(&now);
+	check_result (result, "isc_time_now");
+	
+	if (query->lookup->stats) {
+		diff = isc_time_microdiff(&now, &query->time_sent);
+		printf(";; Query time: %ld msec\n", (long int)diff/1000);
+		printf(";; SERVER: %.*s\n", frmsize, frm);
+		time (&tnow);
+		printf(";; WHEN: %s", ctime(&tnow));
+		printf (";; MSG SIZE  rcvd: %d\n\n", bytes);
+	} else if (query->lookup->identify && !short_form) {
+		diff = isc_time_microdiff(&now, &query->time_sent);
+		printf(";; Received %u bytes from %.*s in %d ms\n",
+		       bytes, frmsize, frm, (int)diff/1000);
+	}
+}
+
+void
+trying(int frmsize, char *frm, dig_lookup_t *lookup) {
+	UNUSED (frmsize);
+	UNUSED (frm);
+	UNUSED (lookup);
+
+}
+
+static void
+say_message(dns_rdata_t *rdata, dig_query_t *query) {
+	isc_buffer_t *b=NULL, *b2=NULL;
+	isc_region_t r, r2;
+	isc_result_t result;
+	isc_uint64_t diff;
+	isc_time_t now;
+
+	result = isc_buffer_allocate(mctx, &b, BUFSIZE);
+	check_result (result, "isc_buffer_allocate");
+	result = dns_rdata_totext(rdata, NULL, b);
+	check_result(result, "dns_rdata_totext");
+	isc_buffer_usedregion(b, &r);
+	if (!query->lookup->trace && !query->lookup->ns_search_only)
+		printf ( "%.*s", (int)r.length, (char *)r.base);
+	else {
+		result = isc_buffer_allocate(mctx, &b2, BUFSIZE);
+		check_result (result, "isc_buffer_allocate");
+		result = dns_rdatatype_totext(rdata->type, b2);
+		check_result(result, "dns_rdatatype_totext");
+		isc_buffer_usedregion(b2, &r2);
+		printf ( "%.*s %.*s",(int)r2.length, (char *)r2.base, 
+			 (int)r.length, (char *)r.base);
+		isc_buffer_free (&b2);
+	}
+	if (query->lookup->identify) {
+		result = isc_time_now(&now);
+		check_result (result, "isc_time_now");
+		diff = isc_time_microdiff(&now, &query->time_sent);
+		printf (" from server %s in %d ms", query->servname,
+			(int)diff/1000);
+	}
+	printf ("\n");
+	isc_buffer_free(&b);
+}
+
+static isc_result_t
+printsection(dns_message_t *msg, dns_section_t sectionid, char *section_name,
+	     isc_boolean_t headers, dig_query_t *query)
+{
+	dns_name_t *name, *print_name;
+	dns_rdataset_t *rdataset;
+	isc_buffer_t target;
+	isc_result_t result, loopresult;
+	isc_region_t r;
+	dns_name_t empty_name;
+	char t[4096];
+	isc_boolean_t first;
+	isc_boolean_t no_rdata;
+	dns_rdata_t rdata;
+	
+	if (sectionid == DNS_SECTION_QUESTION)
+		no_rdata = ISC_TRUE;
+	else
+		no_rdata = ISC_FALSE;
+
+	if (headers && query->lookup->comments && !short_form)
+		printf(";; %s SECTION:\n", section_name);
+
+	dns_name_init(&empty_name, NULL);
+
+	result = dns_message_firstname(msg, sectionid);
+	if (result == ISC_R_NOMORE)
+		return (ISC_R_SUCCESS);
+	else if (result != ISC_R_SUCCESS)
+		return (result);
+
+	for (;;) {
+		name = NULL;
+		dns_message_currentname(msg, sectionid, &name);
+
+		isc_buffer_init(&target, t, sizeof(t));
+		first = ISC_TRUE;
+		print_name = name;
+
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			if (!short_form) {
+				result = dns_rdataset_totext(rdataset,
+							     print_name,
+							     ISC_FALSE,
+							     no_rdata,
+							     &target);
+				if (result != ISC_R_SUCCESS)
+					return (result);
+#ifdef USEINITALWS
+				if (first) {
+					print_name = &empty_name;
+					first = ISC_FALSE;
+				}
+#endif
+			} else {
+				loopresult = dns_rdataset_first(rdataset);
+				while (loopresult == ISC_R_SUCCESS) {
+					dns_rdataset_current(rdataset, &rdata);
+					say_message(&rdata, query);
+					loopresult = dns_rdataset_next(
+								 rdataset);
+				}
+			}
+
+		}
+		isc_buffer_usedregion(&target, &r);
+		if (no_rdata)
+			printf(";%.*s", (int)r.length, (char *)r.base);
+		else
+			printf("%.*s", (int)r.length, (char *)r.base);
+
+		result = dns_message_nextname(msg, sectionid);
+		if (result == ISC_R_NOMORE)
+			break;
+		else if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+printrdata(dns_message_t *msg, dns_rdataset_t *rdataset, dns_name_t *owner,
+	   char *set_name, isc_boolean_t headers)
+{
+	isc_buffer_t target;
+	isc_result_t result;
+	isc_region_t r;
+	char t[4096];
+
+	UNUSED(msg);
+	if (headers) 
+		printf(";; %s SECTION:\n", set_name);
+
+	isc_buffer_init(&target, t, sizeof(t));
+
+	result = dns_rdataset_totext(rdataset, owner, ISC_FALSE, ISC_FALSE,
+				     &target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_usedregion(&target, &r);
+	printf("%.*s", (int)r.length, (char *)r.base);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
+	isc_boolean_t did_flag = ISC_FALSE;
+	isc_result_t result;
+	dns_rdataset_t *opt, *tsig = NULL;
+	dns_name_t *tsigname;
+
+	UNUSED (query);
+
+	/*
+	 * Exitcode 9 means we timed out, but if we're printing a message,
+	 * we much have recovered.  Go ahead and reset it to code 0, and
+	 * call this a success.
+	 */
+	if (exitcode == 9)
+		exitcode = 0;
+
+	result = ISC_R_SUCCESS;
+
+	if (query->lookup->comments && !short_form &&
+	    !query->lookup->doing_xfr) {
+		if (msg == query->lookup->sendmsg)
+			printf (";; Sending:\n");
+		else
+			printf (";; Got answer:\n");
+	}
+
+	if (headers) {
+		if (query->lookup->comments && !short_form) {
+			printf(";; ->>HEADER<<- opcode: %s, status: %s, "
+			       "id: %u\n",
+			       opcodetext[msg->opcode], rcodetext[msg->rcode],
+			       msg->id);
+			printf(";; flags: ");
+			if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) {
+				printf("qr");
+				did_flag = ISC_TRUE;
+			}
+			if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0) {
+				printf("%saa", did_flag ? " " : "");
+				did_flag = ISC_TRUE; }
+			if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
+				printf("%stc", did_flag ? " " : "");
+				did_flag = ISC_TRUE;
+			}	
+			if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0) {
+				printf("%srd", did_flag ? " " : "");
+				did_flag = ISC_TRUE;
+			}
+			if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0) {
+				printf("%sra", did_flag ? " " : "");
+				did_flag = ISC_TRUE;
+			}
+			if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0) {
+				printf("%sad", did_flag ? " " : "");
+				did_flag = ISC_TRUE;
+			}
+			if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0) {
+				printf("%scd", did_flag ? " " : "");
+				did_flag = ISC_TRUE;
+			}
+			
+			printf("; QUERY: %u, ANSWER: %u, "
+			       "AUTHORITY: %u, ADDITIONAL: %u\n",
+			       msg->counts[DNS_SECTION_QUESTION],
+			       msg->counts[DNS_SECTION_ANSWER],
+			       msg->counts[DNS_SECTION_AUTHORITY],
+			       msg->counts[DNS_SECTION_ADDITIONAL]);
+
+			opt = dns_message_getopt(msg);
+			if (opt != NULL)
+				printf(";; EDNS: version: %u, udp=%u\n",
+				       (unsigned int)((opt->ttl & 
+						       0x00ff0000) >> 16),
+				       (unsigned int)opt->rdclass);
+			tsigname = NULL;
+			tsig = dns_message_gettsig(msg, &tsigname);
+			if (tsig != NULL)
+				printf(";; PSEUDOSECTIONS: TSIG\n");
+		}
+	}
+	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_QUESTION]) &&
+	    headers && query->lookup->section_question) {
+		printf("\n");
+		result = printsection(msg, DNS_SECTION_QUESTION, "QUESTION",
+				      ISC_TRUE, query);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER]) && 
+	    query->lookup->section_answer ) {
+		if (headers && query->lookup->comments && !short_form)
+			printf("\n");
+		result = printsection(msg, DNS_SECTION_ANSWER, "ANSWER",
+				      headers, query);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	if ((! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_AUTHORITY]) &&
+	    headers && query->lookup->section_authority) || 
+	    ( ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER]) &&
+	      headers && query->lookup->section_answer &&
+	      query->lookup->trace )) {
+		if (headers && query->lookup->comments && !short_form)
+			printf("\n");
+		result = printsection(msg, DNS_SECTION_AUTHORITY, "AUTHORITY",
+				      ISC_TRUE, query);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ADDITIONAL]) &&
+	    headers && query->lookup->section_additional) {
+		if (headers && query->lookup->comments && !short_form)
+			printf("\n");
+		result = printsection(msg, DNS_SECTION_ADDITIONAL,
+				      "ADDITIONAL", ISC_TRUE, query);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	if ((tsig != NULL) && headers && query->lookup->section_additional) {
+		if (headers && query->lookup->comments && !short_form)
+			printf("\n");
+		result = printrdata(msg, tsig, tsigname,
+				    "PSEUDOSECTION TSIG", ISC_TRUE);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	if (headers && query->lookup->comments && !short_form)
+		printf("\n");
+
+	return (result);
+}
+
+static void
+printgreeting(int argc, char **argv) {
+	int i = 1;
+
+	if (printcmd) {
+		puts ("");
+		printf ("; <<>> DiG 9.0 <<>>");
+		while (i < argc) {
+			printf (" %s", argv[i++]);
+		}
+		puts ("");
+		printf (";; global options: %s %s\n",
+			short_form?"short_form":"",
+			printcmd?"printcmd":"");
+	}
+}
+
+/*
+ * Reorder an argument list so that server names all come at the end.
+ * This is a bit of a hack, to allow batch-mode processing to properly
+ * handle the server options.
+ */
+static void
+reorder_args(int argc, char *argv[]) {
+	int i, j;
+	char *ptr;
+	int end;
+
+	debug ("reorder_args()");
+	end = argc-1;
+	while (argv[end][0] == '@') {
+		end--;
+		if (end == 0)
+			return;
+	}
+	debug ("arg[end]=%s",argv[end]);
+	for (i=1; i<end-1; i++) {
+		if (argv[i][0]=='@') {
+			debug ("Arg[%d]=%s", i, argv[i]);
+			ptr=argv[i];
+			for (j=i+1; j<end; j++) {
+				debug ("Moving %s to %d", argv[j], j-1);
+				argv[j-1]=argv[j];
+			}
+			debug ("Moving %s to end, %d", ptr, end-1);
+			argv[end-1]=ptr;
+			end--;
+			if (end < 1)
+				return;
+		}
+	}
+}
+
+/*
+ * We're not using isc_commandline_parse() here since the command line
+ * syntax of dig is quite a bit different from that which can be described
+ * that routine.  There is a portability issue here.
+ */
+static void
+parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
+	isc_boolean_t have_host = ISC_FALSE;
+	dig_server_t *srv = NULL;
+	dig_lookup_t *lookup = NULL;
+	char *batchname = NULL;
+	char batchline[MXNAME];
+	char address[MXNAME];
+	FILE *fp = NULL;
+	int bargc;
+	char *bargv[16];
+	int i, n;
+	int adrs[4];
+	int rc;
+	char **rv;
+
+	/*
+	 * The semantics for parsing the args is a bit complex; if
+	 * we don't have a host yet, make the arg apply globally,
+	 * otherwise make it apply to the latest host.  This is
+	 * a bit different than the previous versions, but should
+	 * form a consistent user interface.
+	 */
+
+	rc = argc;
+	rv = argv;
+	for (rc--, rv++; rc > 0; rc--, rv++) {
+		debug ("Main parsing %s", rv[0]);
+		if (strncmp(rv[0], "@", 1) == 0) {
+			srv=isc_mem_allocate(mctx, sizeof(struct dig_server));
+			if (srv == NULL)
+				fatal("Memory allocation failure.");
+			strncpy(srv->servername, &rv[0][1], MXNAME-1);
+			if (is_batchfile && have_host) {
+				if (!lookup->use_my_server_list) {
+					ISC_LIST_INIT (lookup->
+						       my_server_list);
+					lookup->use_my_server_list =
+						ISC_TRUE;
+				}
+				ISC_LIST_APPEND(lookup->my_server_list,
+						srv, link);
+			} else {
+				ISC_LIST_APPEND(server_list, srv, link);
+			}
+		} else if ((strcmp(rv[0], "+vc") == 0)
+			   && (!is_batchfile)) {
+			if (have_host)
+				lookup->tcp_mode = ISC_TRUE;
+			else
+				tcpmode = ISC_TRUE;
+		} else if ((strcmp(rv[0], "+novc") == 0)
+			   && (!is_batchfile)) {
+			if (have_host)
+				lookup->tcp_mode = ISC_FALSE;
+			else
+				tcpmode = ISC_FALSE;
+		} else if ((strcmp(rv[0], "+tcp") == 0)
+			   && (!is_batchfile)) {
+			if (have_host)
+				lookup->tcp_mode = ISC_TRUE;
+			else
+				tcpmode = ISC_TRUE;
+		} else if ((strcmp(rv[0], "+notcp") == 0)
+			   && (!is_batchfile)) {
+			if (have_host)
+				lookup->tcp_mode = ISC_FALSE;
+			else
+				tcpmode = ISC_FALSE;
+		} else if (strncmp(rv[0], "+domain=", 8) == 0) {
+			/* Global option always */
+			strncpy (fixeddomain, &rv[0][8], MXNAME);
+		} else if (strncmp(rv[0], "+sea", 4) == 0) {
+			/* Global option always */
+			usesearch = ISC_TRUE;
+		} else if (strncmp(rv[0], "+nosea", 6) == 0) {
+			usesearch = ISC_FALSE;
+		} else if (strncmp(rv[0], "+defn", 5) == 0) {
+			if (have_host)
+				lookup->defname = ISC_TRUE;
+			else
+				defname = ISC_TRUE;
+		} else if (strncmp(rv[0], "+nodefn", 7) == 0) {
+			if (have_host)
+				lookup->defname = ISC_FALSE;
+			else
+				defname = ISC_FALSE;
+		} else if (strncmp(rv[0], "+time=", 6) == 0) {
+			/* Global option always */
+			timeout = atoi(&rv[0][6]);
+			if (timeout <= 0)
+				timeout = 1;
+		} else if (strncmp(rv[0], "+tries=", 7) == 0) {
+			if (have_host) {
+				lookup->retries = atoi(&rv[0][7]);
+				if (lookup->retries <= 0)
+					lookup->retries = 1;
+			} else {
+				tries = atoi(&rv[0][7]);
+				if (tries <= 0)
+					tries = 1;
+			}
+		} else if (strncmp(rv[0], "+buf=", 5) == 0) {
+			if (have_host) {
+				lookup->udpsize = atoi(&rv[0][5]);
+				if (lookup->udpsize <= 0)
+					lookup->udpsize = 0;
+				if (lookup->udpsize > COMMSIZE)
+					lookup->udpsize = COMMSIZE;
+			} else {
+				bufsize = atoi(&rv[0][5]);
+				if (bufsize <= 0)
+					bufsize = 0;
+				if (bufsize > COMMSIZE)
+					bufsize = COMMSIZE;
+			}
+		} else if (strncmp(rv[0], "+bufsize=", 9) == 0) {
+			if (have_host) {
+				lookup->udpsize = atoi(&rv[0][9]);
+				if (lookup->udpsize <= 0)
+					lookup->udpsize = 0;
+				if (lookup->udpsize > COMMSIZE)
+					lookup->udpsize = COMMSIZE;
+			} else {
+				bufsize = atoi(&rv[0][9]);
+				if (bufsize <= 0)
+					bufsize = 0;
+				if (bufsize > COMMSIZE)
+					bufsize = COMMSIZE;
+			}
+		} else if (strncmp(rv[0], "+ndots=", 7) == 0) {
+			/* Global option always */
+			ndots = atoi(&rv[0][7]);
+			if (ndots < 0)
+				ndots = 0;
+		} else if (strncmp(rv[0], "+rec", 4) == 0) {
+			if (have_host)
+				lookup->recurse = ISC_TRUE;
+			else
+				recurse = ISC_TRUE;
+		} else if (strncmp(rv[0], "+norec", 6) == 0) {
+			if (have_host)
+				lookup->recurse = ISC_FALSE;
+			else
+				recurse = ISC_FALSE;
+		} else if (strncmp(rv[0], "+aa", 3) == 0) {
+			if (have_host) 
+				lookup->aaonly = ISC_TRUE;
+			else
+				aaonly = ISC_TRUE;
+		} else if (strncmp(rv[0], "+noaa", 5) == 0) {
+			if (have_host) 
+				lookup->aaonly = ISC_FALSE;
+			else
+				aaonly = ISC_FALSE;
+		} else if (strncmp(rv[0], "+ns", 3) == 0) {
+			if (have_host) {
+				lookup->ns_search_only = ISC_TRUE;
+				lookup->recurse = ISC_FALSE;
+				lookup->identify = ISC_TRUE;
+				lookup->trace = ISC_TRUE;
+				if (!forcecomment)
+					lookup->comments = ISC_FALSE;
+				lookup->section_additional = ISC_FALSE;
+				lookup->section_authority = ISC_FALSE;
+				lookup->section_question = ISC_FALSE;
+			} else {
+				ns_search_only = ISC_TRUE;
+				recurse = ISC_FALSE;
+				identify = ISC_TRUE;
+				if (!forcecomment)
+					comments = ISC_FALSE;
+				section_additional = ISC_FALSE;
+				section_authority = ISC_FALSE;
+				section_question = ISC_FALSE;
+			}
+		} else if (strncmp(rv[0], "+nons", 6) == 0) {
+			if (have_host)
+				lookup->ns_search_only = ISC_FALSE;
+			else
+				ns_search_only = ISC_FALSE;
+		} else if (strncmp(rv[0], "+tr", 3) == 0) {
+			if (have_host) {
+				lookup->trace = ISC_TRUE;
+				lookup->trace_root = ISC_TRUE;
+				lookup->recurse = ISC_FALSE;
+				lookup->identify = ISC_TRUE;
+				if (!forcecomment) {
+					lookup->comments = ISC_FALSE;
+					lookup->stats = ISC_FALSE;
+				}
+				lookup->section_additional = ISC_FALSE;
+				lookup->section_authority = ISC_FALSE;
+				lookup->section_question = ISC_FALSE;
+				show_details = ISC_TRUE;
+			} else {
+				trace = ISC_TRUE;
+				recurse = ISC_FALSE;
+				identify = ISC_TRUE;
+				if (!forcecomment) {
+					comments = ISC_FALSE;
+					stats = ISC_FALSE;
+				}
+				section_additional = ISC_FALSE;
+				section_authority = ISC_FALSE;
+				section_question = ISC_FALSE;
+				show_details = ISC_TRUE;
+			}
+		} else if (strncmp(rv[0], "+notr", 6) == 0) {
+			if (have_host) {
+				lookup->trace = ISC_FALSE;
+				lookup->trace_root = ISC_FALSE;
+			}
+			else
+				trace = ISC_FALSE;
+		} else if (strncmp(rv[0], "+det", 4) == 0) {
+			show_details = ISC_TRUE;
+		} else if (strncmp(rv[0], "+nodet", 6) == 0) {
+			show_details = ISC_FALSE;
+		} else if (strncmp(rv[0], "+cmd", 4) == 0) {
+			printcmd = ISC_TRUE;
+		} else if (strncmp(rv[0], "+nocmd", 6) == 0) {
+			printcmd = ISC_FALSE;
+		} else if (strncmp(rv[0], "+sho", 4) == 0) {
+			short_form = ISC_TRUE;
+			printcmd = ISC_FALSE;
+			if (have_host) {
+				lookup->section_additional = ISC_FALSE;
+				lookup->section_authority = ISC_FALSE;
+				lookup->section_question = ISC_FALSE;
+				if (!forcecomment) {
+					lookup->comments = ISC_FALSE;
+					lookup->stats = ISC_FALSE;
+				}
+			} else {
+				section_additional = ISC_FALSE;
+				section_authority = ISC_FALSE;
+				section_question = ISC_FALSE;
+				if (!forcecomment) {
+					comments = ISC_FALSE;
+					stats = ISC_FALSE;
+				}
+			}
+		} else if (strncmp(rv[0], "+nosho", 6) == 0) {
+			short_form = ISC_FALSE;
+		} else if (strncmp(rv[0], "+id", 3) == 0) {
+			if (have_host)
+				lookup->identify = ISC_TRUE;
+			else
+				identify = ISC_TRUE;
+		} else if (strncmp(rv[0], "+noid", 5) == 0) {
+			if (have_host)
+				lookup->identify = ISC_FALSE;
+			else
+				identify = ISC_FALSE;
+		} else if (strncmp(rv[0], "+com", 4) == 0) {
+			if (have_host)
+				lookup->comments = ISC_TRUE;
+			else
+				comments = ISC_TRUE;
+			forcecomment = ISC_TRUE;
+		} else if (strncmp(rv[0], "+nocom", 6) == 0) {
+			if (have_host) {
+				lookup->comments = ISC_FALSE;
+				lookup->stats = ISC_FALSE;
+			} else {
+				comments = ISC_FALSE;
+				stats = ISC_FALSE;
+			}
+			forcecomment = ISC_FALSE;
+		} else if (strncmp(rv[0], "+sta", 4) == 0) {
+			if (have_host)
+				lookup->stats = ISC_TRUE;
+			else
+				stats = ISC_TRUE;
+		} else if (strncmp(rv[0], "+nosta", 6) == 0) {
+			if (have_host)
+				lookup->stats = ISC_FALSE;
+			else
+				stats = ISC_FALSE;
+		} else if (strncmp(rv[0], "+qr", 3) == 0) {
+			qr = ISC_TRUE;
+		} else if (strncmp(rv[0], "+noqr", 5) == 0) {
+			qr = ISC_FALSE;
+		} else if (strncmp(rv[0], "+que", 4) == 0) {
+			if (have_host)
+				lookup->section_question = ISC_TRUE;
+			else
+				section_question = ISC_TRUE;
+		} else if (strncmp(rv[0], "+noque", 6) == 0) {
+			if (have_host)
+				lookup->section_question = ISC_FALSE;
+			else
+				section_question = ISC_FALSE;
+		} else if (strncmp(rv[0], "+ans", 4) == 0) {
+			if (have_host)
+				lookup->section_answer = ISC_TRUE;
+			else
+				section_answer = ISC_TRUE;
+		} else if (strncmp(rv[0], "+noans", 6) == 0) {
+			if (have_host)
+				lookup->section_answer = ISC_FALSE;
+			else
+				section_answer = ISC_FALSE;
+		} else if (strncmp(rv[0], "+add", 4) == 0) {
+			if (have_host)
+				lookup->section_additional = ISC_TRUE;
+			else
+				section_additional = ISC_TRUE;
+		} else if (strncmp(rv[0], "+noadd", 6) == 0) {
+			if (have_host)
+				lookup->section_additional = ISC_FALSE;
+			else
+				section_additional = ISC_FALSE;
+		} else if (strncmp(rv[0], "+aut", 4) == 0) {
+			if (have_host)
+				lookup->section_authority = ISC_TRUE;
+			else
+				section_authority = ISC_TRUE;
+		} else if (strncmp(rv[0], "+noaut", 6) == 0) {
+			if (have_host)
+				lookup->section_authority = ISC_FALSE;
+			else
+				section_authority = ISC_FALSE;
+		} else if (strncmp(rv[0], "+all", 4) == 0) {
+			if (have_host) {
+				lookup->section_question = ISC_TRUE;
+				lookup->section_authority = ISC_TRUE;
+				lookup->section_answer = ISC_TRUE;
+				lookup->section_additional = ISC_TRUE;
+				lookup->comments = ISC_TRUE;
+			} else {
+				section_question = ISC_TRUE;
+				section_authority = ISC_TRUE;
+				section_answer = ISC_TRUE;
+				section_additional = ISC_TRUE;
+				comments = ISC_TRUE;
+			}
+		} else if (strncmp(rv[0], "+noall", 6) == 0) {
+			if (have_host) {
+				lookup->section_question = ISC_FALSE;
+				lookup->section_authority = ISC_FALSE;
+				lookup->section_answer = ISC_FALSE;
+				lookup->section_additional = ISC_FALSE;
+				lookup->comments = ISC_FALSE;
+			} else {
+				section_question = ISC_FALSE;
+				section_authority = ISC_FALSE;
+				section_answer = ISC_FALSE;
+				section_additional = ISC_FALSE;
+				comments = ISC_FALSE;
+			}
+
+#ifdef TWIDDLE
+		} else if (strncmp(rv[0], "+twiddle", 6) == 0) {
+			twiddle = ISC_TRUE;
+#endif
+		} else if (strncmp(rv[0], "-c", 2) == 0) {
+ 			if (have_host) {
+				if (rv[0][2]!=0) {
+					strncpy(lookup->rctext, &rv[0][2],
+						MXRD);
+				} else {
+					strncpy(lookup->rctext, rv[1],
+						MXRD);
+					rv++;
+					rc--;
+				}
+			}
+		} else if (strncmp(rv[0], "-t", 2) == 0) {
+ 			if (have_host) {
+				if (rv[0][2]!=0) {
+					strncpy(lookup->rttext, &rv[0][2],
+						MXRD);
+				} else {
+					strncpy(lookup->rttext, rv[1],
+						MXRD);
+					rv++;
+					rc--;
+				}
+			}
+		} else if (strncmp(rv[0], "-f", 2) == 0) {
+			if (rv[0][2]!=0) {
+				batchname=&rv[0][2];
+			} else {
+				batchname=rv[1];
+				rv++;
+				rc--;
+			}
+		} else if (strncmp(rv[0], "-p", 2) == 0) {
+			if (rv[0][2]!=0) {	
+				port=atoi(&rv[0][2]);
+			} else {
+				port=atoi(rv[1]);
+				rv++;
+				rc--;
+			}
+		} else if (strncmp(rv[0], "-b", 2) == 0) {
+			if (rv[0][2]!=0) {
+				strncpy(address, &rv[0][2],
+					MXRD);
+			} else {
+				strncpy(address, rv[1],
+					MXRD);
+				rv++;
+				rc--;
+			}
+			get_address(address, 0, &bind_address);
+			specified_source = ISC_TRUE;
+		} else if (strncmp(rv[0], "-h", 2) == 0) {
+			show_usage();
+			exit (exitcode);
+		} else if (strncmp(rv[0], "-x", 2) == 0) {
+			/*
+			 *XXXMWS Only works for ipv4 now.
+			 * Can't use inet_pton here, since we allow
+			 * partial addresses.
+			 */
+			if (rc == 1) {
+				show_usage();
+				exit (exitcode);
+			}
+			n = sscanf(rv[1], "%d.%d.%d.%d", &adrs[0], &adrs[1],
+				    &adrs[2], &adrs[3]);
+			if (n == 0)
+				show_usage();
+			lookup_counter++;
+			if (lookup_counter > LOOKUP_LIMIT)
+				fatal ("Too many lookups.");
+			lookup = isc_mem_allocate(mctx,
+						  sizeof(struct dig_lookup));
+			if (lookup == NULL)
+				fatal("Memory allocation failure.");
+			lookup->pending = ISC_FALSE;
+			lookup->textname[0]=0;
+			for (i = n - 1; i >= 0; i--) {
+				snprintf(batchline, MXNAME/8, "%d.",
+					  adrs[i]);
+				strncat(lookup->textname, batchline, MXNAME);
+			}
+			strncat(lookup->textname, "in-addr.arpa.", MXNAME);
+			debug("Looking up %s", lookup->textname);
+			strcpy(lookup->rttext, "ptr");
+			strcpy(lookup->rctext, "in");
+			lookup->namespace[0]=0;
+			lookup->sendspace[0]=0;
+			lookup->sendmsg=NULL;
+			lookup->name=NULL;
+			lookup->oname=NULL;
+			lookup->timer = NULL;
+			lookup->xfr_q = NULL;
+			lookup->origin = NULL;
+			lookup->use_my_server_list = ISC_FALSE;
+			lookup->trace = (trace || ns_search_only);
+			lookup->trace_root = trace;
+			lookup->ns_search_only = ns_search_only;
+			lookup->doing_xfr = ISC_FALSE;
+			lookup->defname = ISC_FALSE;
+			lookup->identify = identify;
+			lookup->recurse = recurse;
+			lookup->aaonly = aaonly;
+			lookup->retries = tries;
+			lookup->udpsize = bufsize;
+			lookup->nsfound = 0;
+			lookup->comments = comments;
+			lookup->tcp_mode = tcpmode;
+			lookup->stats = stats;
+			lookup->section_question = section_question;
+			lookup->section_answer = section_answer;
+			lookup->section_authority = section_authority;
+			lookup->section_additional = section_additional;
+			ISC_LIST_INIT(lookup->q);
+			lookup->origin = NULL;
+			ISC_LIST_INIT(lookup->my_server_list);
+			ISC_LIST_APPEND(lookup_list, lookup, link);
+			have_host = ISC_TRUE;
+			rv++;
+			rc--;
+		} else {
+ 			if (have_host) {
+				ENSURE(lookup != NULL);
+			       if (istype(rv[0])) {
+					strncpy(lookup->rttext, rv[0], MXRD);
+					continue;
+			       } else if (isclass(rv[0])) {
+				       strncpy(lookup->rctext, rv[0],
+					       MXRD);
+				       continue;
+			       }
+			}
+			lookup_counter++;
+			if (lookup_counter > LOOKUP_LIMIT)
+				fatal ("Too many lookups.");
+			lookup = isc_mem_allocate(mctx, 
+						  sizeof(struct dig_lookup));
+			if (lookup == NULL)
+				fatal("Memory allocation failure.");
+			lookup->pending = ISC_FALSE;
+			strncpy(lookup->textname, rv[0], MXNAME-1);
+			lookup->rttext[0]=0;
+			lookup->rctext[0]=0;
+			lookup->namespace[0]=0;
+			lookup->sendspace[0]=0;
+			lookup->sendmsg=NULL;
+			lookup->name=NULL;
+			lookup->oname=NULL;
+			lookup->timer = NULL;
+			lookup->xfr_q = NULL;
+			lookup->origin = NULL;
+			lookup->use_my_server_list = ISC_FALSE;
+			lookup->doing_xfr = ISC_FALSE;
+			lookup->defname = ISC_FALSE;
+			lookup->trace = (trace || ns_search_only);
+			lookup->trace_root = trace;
+			lookup->ns_search_only = ns_search_only;
+			lookup->identify = identify;
+			lookup->recurse = recurse;
+			lookup->aaonly = aaonly;
+			lookup->retries = tries;
+			lookup->udpsize = bufsize;
+			lookup->nsfound = 0;
+			lookup->comments = comments;
+			lookup->tcp_mode = tcpmode;
+			lookup->stats = stats;
+			lookup->section_question = section_question;
+			lookup->section_answer = section_answer;
+			lookup->section_authority = section_authority;
+			lookup->section_additional = section_additional;
+			ISC_LIST_INIT(lookup->q);
+			ISC_LIST_APPEND(lookup_list, lookup, link);
+			lookup->origin = NULL;
+			ISC_LIST_INIT(lookup->my_server_list);
+			have_host = ISC_TRUE;
+			debug("Looking up %s", lookup->textname);
+		}
+	}
+	if (batchname != NULL) {
+		fp = fopen(batchname, "r");
+		if (fp == NULL) {
+			perror(batchname);
+			if (exitcode < 10)
+				exitcode = 10;
+			fatal("Couldn't open specified batch file.");
+		}
+		while (fgets(batchline, MXNAME, fp) != 0) {
+			debug ("Batch line %s", batchline);
+			bargc=1;
+			bargv[bargc]=strtok(batchline, " \t\r\n");
+			while ((bargv[bargc] != NULL) &&
+			       (bargc < 14 )) {
+				bargc++;
+				bargv[bargc]=strtok(NULL, " \t\r\n");
+			}
+			bargc--;
+			bargv[0]="dig";
+			reorder_args(bargc+1, (char**)bargv);
+			parse_args(ISC_TRUE, bargc+1, (char**)bargv);
+		}
+	}
+	if (lookup_list.head == NULL) {
+		lookup_counter++;
+		if (lookup_counter > LOOKUP_LIMIT)
+			fatal ("Too many lookups.");
+		lookup = isc_mem_allocate(mctx, sizeof(struct dig_lookup));
+		if (lookup == NULL)
+			fatal("Memory allocation failure.");
+		lookup->pending = ISC_FALSE;
+		lookup->rctext[0]=0;
+		lookup->namespace[0]=0;
+		lookup->sendspace[0]=0;
+		lookup->sendmsg=NULL;
+		lookup->name=NULL;
+		lookup->oname=NULL;
+		lookup->timer = NULL;
+		lookup->xfr_q = NULL;
+		lookup->origin = NULL;
+		lookup->use_my_server_list = ISC_FALSE;
+		lookup->doing_xfr = ISC_FALSE;
+		lookup->defname = ISC_FALSE;
+		lookup->trace = (trace || ns_search_only);
+		lookup->trace_root = trace;
+		lookup->ns_search_only = ns_search_only;
+		lookup->identify = identify;
+		lookup->recurse = recurse;
+		lookup->aaonly = aaonly;
+		lookup->retries = tries;
+		lookup->udpsize = bufsize;
+		lookup->nsfound = 0;
+		lookup->comments = comments;
+		lookup->tcp_mode = tcpmode;
+		lookup->stats = stats;
+		lookup->section_question = section_question;
+		lookup->section_answer = section_answer;
+		lookup->section_authority = section_authority;
+		lookup->section_additional = section_additional;
+		ISC_LIST_INIT(lookup->q);
+		ISC_LIST_INIT(lookup->my_server_list);
+		strcpy(lookup->textname, ".");
+		strcpy(lookup->rttext, "NS");
+		lookup->rctext[0]=0;
+		ISC_LIST_APPEND(lookup_list, lookup, link);
+	}
+	if (!is_batchfile)
+		printgreeting (argc, argv);
+}
+
+int
+main(int argc, char **argv) {
+#ifdef TWIDDLE
+	FILE *fp;
+	int i, p;
+#endif
+
+	ISC_LIST_INIT(lookup_list);
+	ISC_LIST_INIT(server_list);
+	ISC_LIST_INIT(search_list);
+
+	debug ("dhmain()");
+#ifdef TWIDDLE
+	fp = fopen("/dev/urandom", "r");
+	if (fp!=NULL) {
+		fread (&i, sizeof(int), 1, fp);
+		srandom(i);
+	}
+	else {
+		srandom ((int)&main);
+	}
+	p = getpid()%16+8;
+	for (i=0 ; i<p; i++);
+#endif
+	setup_libs();
+	parse_args(ISC_FALSE, argc, argv);
+	setup_system();
+	start_lookup();
+	isc_app_run();
+	free_lists(0);
+	return (exitcode);
+}
+
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
new file mode 100644
index 00000000..de13fc32
--- /dev/null
+++ b/bin/dig/dighost.c
@@ -0,0 +1,1683 @@
+/*
+ * Copyright (C) 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Notice to programmers:  Do not use this code as an example of how to
+ * use the ISC library to perform DNS lookups.  Dig and Host both operate
+ * on the request level, since they allow fine-tuning of output and are
+ * intended as debugging tools.  As a result, they perform many of the
+ * functions which could be better handled using the dns_resolver
+ * functions in most applications.
+ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <unistd.h>
+
+extern int h_errno;
+
+#include <isc/app.h>
+#include <isc/netdb.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/message.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatatype.h>
+#include <dns/rdatalist.h>
+#include <dns/result.h>
+
+#include <dig/dig.h>
+
+ISC_LIST(dig_lookup_t) lookup_list;
+ISC_LIST(dig_server_t) server_list;
+ISC_LIST(dig_searchlist_t) search_list;
+
+isc_boolean_t have_ipv6 = ISC_FALSE, specified_source = ISC_FALSE,
+	free_now = ISC_FALSE, show_details = ISC_FALSE, usesearch=ISC_TRUE,
+	qr = ISC_FALSE;
+#ifdef TWIDDLE
+isc_boolean_t twiddle = ISC_FALSE;
+#endif
+in_port_t port = 53;
+unsigned int timeout = 5;
+isc_mem_t *mctx = NULL;
+isc_taskmgr_t *taskmgr = NULL;
+isc_task_t *task = NULL;
+isc_timermgr_t *timermgr = NULL;
+isc_socketmgr_t *socketmgr = NULL;
+isc_sockaddr_t bind_address;
+char *rootspace[BUFSIZE];
+isc_buffer_t rootbuf;
+int sendcount = 0;
+int ndots = -1;
+int tries = 3;
+int lookup_counter = 0;
+char fixeddomain[MXNAME]="";
+int exitcode = 9;
+
+static void
+cancel_lookup(dig_lookup_t *lookup);
+
+static int
+count_dots(char *string) {
+	char *s;
+	int i=0;
+
+	s = string;
+	while (*s != 0) {
+		if (*s == '.')
+			i++;
+		s++;
+	}
+	return (i);
+}
+
+static void
+hex_dump(isc_buffer_t *b) {
+	unsigned int len;
+	isc_region_t r;
+
+	isc_buffer_remainingregion(b, &r);
+
+	printf("Printing a buffer with length %d\n", r.length);
+	for (len = 0 ; len < r.length ; len++) {
+		printf("%02x ", r.base[len]);
+		if (len != 0 && len % 16 == 0)
+			printf("\n");
+	}
+	if (len % 16 != 0)
+		printf("\n");
+}
+
+
+void
+fatal(char *format, ...) {
+	va_list args;
+
+	va_start(args, format);	
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+	if (exitcode == 0)
+		exitcode = 8;
+#ifdef NEVER
+	dighost_shutdown();
+	free_lists(exitcode);
+	if (mctx != NULL) {
+#ifdef MEMDEBUG
+		isc_mem_stats(mctx, stderr);
+#endif
+		isc_mem_destroy(&mctx);
+	}
+#endif
+	exit(exitcode);
+}
+
+#ifdef DEBUG
+void
+debug(char *format, ...) {
+	va_list args;
+
+	va_start(args, format);	
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+}
+#else
+void
+debug(char *format, ...) {
+	va_list args;
+	UNUSED(args);
+	UNUSED(format);
+}
+#endif
+
+void
+check_result(isc_result_t result, char *msg) {
+	if (result != ISC_R_SUCCESS) {
+		exitcode = 1;
+		fatal("%s: %s", msg, isc_result_totext(result));
+	}
+}
+
+isc_boolean_t
+isclass(char *text) {
+	/* Tests if a field is a class, without needing isc libs
+	 * initialized.  This list will have to be manually kept in 
+	 * sync with what the libs support.
+	 */
+	const char *classlist[] = {"in", "hs"};
+	const int numclasses = 2;
+	int i;
+
+	for (i = 0; i < numclasses; i++)
+		if (strcasecmp(text, classlist[i]) == 0)
+			return ISC_TRUE;
+
+	return ISC_FALSE;
+}
+
+isc_boolean_t
+istype(char *text) {
+	/* Tests if a field is a type, without needing isc libs
+	 * initialized.  This list will have to be manually kept in 
+	 *  sync with what the libs support.
+	 */
+	const char *typelist[] = {"a", "ns", "md", "mf", "cname",
+				  "soa", "mb", "mg", "mr", "null",
+				  "wks", "ptr", "hinfo", "minfo",
+				  "mx", "txt", "rp", "afsdb",
+				  "x25", "isdn", "rt", "nsap",
+				  "nsap_ptr", "sig", "key", "px",
+				  "gpos", "aaaa", "loc", "nxt",
+				  "srv", "naptr", "kx", "cert",
+				  "a6", "dname", "opt", "unspec",
+				  "tkey", "tsig", "axfr", "any"};
+	const int numtypes = 42;
+	int i;
+
+	for (i = 0; i < numtypes; i++) {
+		if (strcasecmp(text, typelist[i]) == 0)
+			return ISC_TRUE;
+	}
+	return ISC_FALSE;
+}
+
+
+#ifdef TWIDDLE
+void
+twiddlebuf(isc_buffer_t buf) {
+	isc_region_t r;
+	int len, pos, bit;
+	unsigned char bitfield;
+	int i, tw;
+
+	hex_dump(&buf);
+	tw=TWIDDLE;
+	printf ("Twiddling %d bits: ", tw);
+	for (i=0;i<tw;i++) {
+		isc_buffer_usedregion (&buf, &r);
+		len = r.length;
+		pos=(int)random();
+		pos = pos%len;
+		bit = (int)random()%8;
+		bitfield = 1 << bit;
+		printf ("%d@%03x ", bit, pos);
+		r.base[pos] ^= bitfield;
+	}
+	puts ("");
+	hex_dump(&buf);
+}
+#endif
+
+dig_lookup_t
+*requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
+	dig_lookup_t *looknew;
+	dig_server_t *s, *srv;
+
+	debug("requeue_lookup()");
+
+	if (free_now)
+		return(ISC_R_SUCCESS);
+
+	lookup_counter++;
+	if (lookup_counter > LOOKUP_LIMIT)
+		fatal ("Too many lookups.");
+	looknew = isc_mem_allocate
+		(mctx, sizeof(struct dig_lookup));
+	if (looknew == NULL)
+		fatal ("Memory allocation failure in %s:%d",
+		       __FILE__, __LINE__);
+	looknew->pending = ISC_FALSE;
+	strncpy (looknew->textname, lookold-> textname, MXNAME);
+	strncpy (looknew->rttext, lookold-> rttext, 32);
+	strncpy (looknew->rctext, lookold-> rctext, 32);
+	looknew->namespace[0]=0;
+	looknew->sendspace[0]=0;
+	looknew->sendmsg=NULL;
+	looknew->name=NULL;
+	looknew->oname=NULL;
+	looknew->timer = NULL;
+	looknew->xfr_q = NULL;
+	looknew->doing_xfr = lookold->doing_xfr;
+	looknew->defname = lookold->defname;
+	looknew->trace = lookold->trace;
+	looknew->trace_root = lookold->trace_root;
+	looknew->identify = lookold->identify;
+	looknew->udpsize = lookold->udpsize;
+	looknew->recurse = lookold->recurse;
+	looknew->aaonly = lookold->aaonly;
+	looknew->ns_search_only = lookold->ns_search_only;
+	looknew->origin = NULL;
+	looknew->retries = tries;
+	looknew->nsfound = 0;
+	looknew->tcp_mode = lookold->tcp_mode;
+	looknew->comments = lookold->comments;
+	looknew->stats = lookold->stats;
+	looknew->section_question = lookold->section_question;
+	looknew->section_answer = lookold->section_answer;
+	looknew->section_authority = lookold->section_authority;
+	looknew->section_additional = lookold->section_additional;
+	ISC_LIST_INIT(looknew->my_server_list);
+	ISC_LIST_INIT(looknew->q);
+
+	looknew->use_my_server_list = ISC_FALSE;
+	if (servers) {
+		looknew->use_my_server_list = lookold->use_my_server_list;
+		if (looknew->use_my_server_list) {
+			s = ISC_LIST_HEAD(lookold->my_server_list);
+			while (s != NULL) {
+				srv = isc_mem_allocate (mctx, sizeof(struct
+								dig_server));
+				if (srv == NULL)
+					fatal("Memory allocation failure "
+					      "in %s:%d", __FILE__, __LINE__);
+				strncpy(srv->servername, s->servername,
+					MXNAME);
+				ISC_LIST_ENQUEUE(looknew->my_server_list, srv,
+						 link);
+				s = ISC_LIST_NEXT(s, link);
+			}
+		}
+	}
+	debug ("Before insertion, init@%lx "
+	       "-> %lx, new@%lx "
+	       "-> %lx", (long int)lookold,
+	       (long int)lookold->link.next,
+	       (long int)looknew, (long int)looknew->
+	       link.next);
+	ISC_LIST_INSERTAFTER(lookup_list, lookold, looknew, link);
+	debug ("After insertion, init -> "
+	       "%lx, new = %lx, "
+	       "new -> %lx", (long int)lookold,
+	       (long int)looknew, (long int)looknew->
+	       link.next);
+	return (looknew);
+}	
+
+void
+setup_system(void) {
+	char rcinput[MXNAME];
+	FILE *fp;
+	char *ptr;
+	dig_server_t *srv;
+	dig_searchlist_t *search;
+	dig_lookup_t *l;
+	isc_boolean_t get_servers;
+
+
+	if (fixeddomain[0]!=0) {
+		search = isc_mem_allocate( mctx, sizeof(struct dig_server));
+		if (search == NULL)
+			fatal("Memory allocation failure in %s:%d",
+			      __FILE__, __LINE__);
+		strncpy(search->origin, fixeddomain, MXNAME - 1);
+		ISC_LIST_PREPEND(search_list, search, link);
+	}
+
+	debug ("setup_system()");
+
+	free_now = ISC_FALSE;
+	get_servers = (server_list.head == NULL);
+	fp = fopen (RESOLVCONF, "r");
+	if (fp != NULL) {
+		while (fgets(rcinput, MXNAME, fp) != 0) {
+			ptr = strtok (rcinput, " \t\r\n");
+			if (ptr != NULL) {
+				if (get_servers &&
+				    strcasecmp(ptr, "nameserver") == 0) {
+					debug ("Got a nameserver line");
+					ptr = strtok (NULL, " \t\r\n");
+					if (ptr != NULL) {
+						srv = isc_mem_allocate(mctx,
+						   sizeof(struct dig_server));
+						if (srv == NULL)
+							fatal("Memory "
+							      "allocation "
+							      "failure in "
+							      "%s:%d",
+							      __FILE__,
+							      __LINE__);
+							strncpy((char *)srv->
+								servername,
+								ptr,
+								MXNAME - 1);
+							ISC_LIST_APPEND
+								(server_list,
+								 srv, link);
+					}
+				} else if (strcasecmp(ptr, "options") == 0) {
+					ptr = strtok(NULL, " \t\r\n");
+					if (ptr != NULL) {
+						if ((strncasecmp(ptr, "ndots:",
+							    6) == 0) &&
+						    (ndots == -1)) {
+							ndots = atoi(
+							      &ptr[6]);
+							debug ("ndots is "
+							       "%d.",
+							       ndots);
+						}
+					}
+				} else if ((strcasecmp(ptr, "search") == 0)
+					   && usesearch){
+					while ((ptr = strtok(NULL, " \t\r\n"))
+					       != NULL) {
+						search = isc_mem_allocate(
+						   mctx, sizeof(struct
+								dig_server));
+						if (search == NULL)
+							fatal("Memory "
+							      "allocation "
+							      "failure in %s:"
+							      "%d", __FILE__, 
+							      __LINE__);
+						strncpy(search->
+							origin,
+							ptr,
+							MXNAME - 1);
+						ISC_LIST_APPEND
+							(search_list,
+							 search,
+							 link);
+					}
+				} else if ((strcasecmp(ptr, "domain") == 0) &&
+					   (fixeddomain[0] == 0 )){
+					while ((ptr = strtok(NULL, " \t\r\n"))
+					       != NULL) {
+						search = isc_mem_allocate(
+						   mctx, sizeof(struct
+								dig_server));
+						if (search == NULL)
+							fatal("Memory "
+							      "allocation "
+							      "failure in %s:"
+							      "%d", __FILE__, 
+							      __LINE__);
+						strncpy(search->
+							origin,
+							ptr,
+							MXNAME - 1);
+						ISC_LIST_PREPEND
+							(search_list,
+							 search,
+							 link);
+					}
+				}
+						
+			}
+		}
+		fclose (fp);
+	}
+
+	if (ndots == -1)
+		ndots = 1;
+
+	if (server_list.head == NULL) {
+		srv = isc_mem_allocate(mctx, sizeof(dig_server_t));
+		if (srv == NULL)
+			fatal("Memory allocation failure");
+		strcpy(srv->servername, "127.0.0.1");
+		ISC_LIST_APPEND(server_list, srv, link);
+	}
+
+	for (l = ISC_LIST_HEAD(lookup_list) ;
+	     l != NULL;
+	     l = ISC_LIST_NEXT(l, link) ) {
+	     l -> origin = ISC_LIST_HEAD(search_list);
+	     }
+}
+	
+void
+setup_libs(void) {
+	isc_result_t result;
+	isc_buffer_t b;
+
+	debug ("setup_libs()");
+
+	/*
+	 * Warning: This is not particularly good randomness.  We'll
+	 * just use random() now for getting id values, but doing so
+	 * does NOT insure that id's cann't be guessed.
+	 */
+	srandom (getpid() + (int)&setup_libs);
+
+	result = isc_app_start();
+	check_result(result, "isc_app_start");
+
+	result = isc_net_probeipv4();
+	check_result(result, "isc_net_probeipv4");
+
+	result = isc_net_probeipv6();
+	if (result == ISC_R_SUCCESS)
+		have_ipv6=ISC_TRUE;
+
+	result = isc_mem_create(0, 0, &mctx);
+	check_result(result, "isc_mem_create");
+
+	result = isc_taskmgr_create (mctx, 1, 0, &taskmgr);
+	check_result(result, "isc_taskmgr_create");
+
+	result = isc_task_create (taskmgr, 0, &task);
+	check_result(result, "isc_task_create");
+
+	result = isc_timermgr_create (mctx, &timermgr);
+	check_result(result, "isc_timermgr_create");
+
+	result = isc_socketmgr_create (mctx, &socketmgr);
+	check_result(result, "isc_socketmgr_create");
+	isc_buffer_init(&b, ".", 1);
+	isc_buffer_add(&b, 1);
+}
+
+static void
+add_opt (dns_message_t *msg, isc_uint16_t udpsize) {
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdatalist_t *rdatalist = NULL;
+	dns_rdata_t *rdata = NULL;
+	isc_result_t result;
+
+	debug ("add_opt()");
+	result = dns_message_gettemprdataset(msg, &rdataset);
+	check_result (result, "dns_message_gettemprdataset");
+	dns_rdataset_init (rdataset);
+	result = dns_message_gettemprdatalist(msg, &rdatalist);
+	check_result (result, "dns_message_gettemprdatalist");
+	result = dns_message_gettemprdata(msg, &rdata);
+	check_result (result, "dns_message_gettemprdata");
+	
+	debug ("Setting udp size of %d", udpsize);
+	rdatalist->type = dns_rdatatype_opt;
+	rdatalist->covers = 0;
+	rdatalist->rdclass = udpsize;
+	rdatalist->ttl = 0;
+	rdata->data = NULL;
+	rdata->length = 0;
+	ISC_LIST_INIT(rdatalist->rdata);
+	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	dns_rdatalist_tordataset(rdatalist, rdataset);
+	result = dns_message_setopt(msg, rdataset);
+	check_result (result, "dns_message_setopt");
+}
+
+static void
+add_type(dns_message_t *message, dns_name_t *name, dns_rdataclass_t rdclass,
+	 dns_rdatatype_t rdtype)
+{
+	dns_rdataset_t *rdataset;
+	isc_result_t result;
+
+	debug ("add_type()"); 
+	rdataset = NULL;
+	result = dns_message_gettemprdataset(message, &rdataset);
+	check_result(result, "dns_message_gettemprdataset()");
+	dns_rdataset_init(rdataset);
+	dns_rdataset_makequestion(rdataset, rdclass, rdtype);
+	ISC_LIST_APPEND(name->list, rdataset, link);
+}
+
+static void
+check_next_lookup(dig_lookup_t *lookup) {
+	dig_lookup_t *next;
+	dig_query_t *query;
+	isc_boolean_t still_working=ISC_FALSE;
+	
+	if (free_now)
+		return;
+
+	debug("check_next_lookup(%lx)", (long int)lookup);
+	for (query = ISC_LIST_HEAD(lookup->q);
+	     query != NULL;
+	     query = ISC_LIST_NEXT(query, link)) {
+		if (query->working) {
+			debug("Still have a worker.", stderr);
+			still_working=ISC_TRUE;
+		}
+	}
+	if (still_working)
+		return;
+
+	debug ("Have %d retries left for %s",
+	       lookup->retries-1, lookup->textname);
+	debug ("Lookup %s pending", lookup->pending?"is":"is not");
+
+	next = ISC_LIST_NEXT(lookup, link);
+	
+	if (lookup->tcp_mode) {
+		if (next == NULL) {
+			debug("Shutting Down.", stderr);
+			dighost_shutdown();
+			return;
+		}
+		if (next->sendmsg == NULL) {
+			debug ("Setting up for TCP");
+			setup_lookup(next);
+			do_lookup(next);
+		}
+	} else {
+		if (!lookup->pending) {
+			if (next == NULL) {
+				debug("Shutting Down.", stderr);
+				dighost_shutdown();
+				return;
+			}
+			if (next->sendmsg == NULL) {
+				debug ("Setting up for UDP");
+				setup_lookup(next);
+				do_lookup(next);
+			}
+		} else {
+			if (lookup->retries > 1) {
+				debug ("Retrying");
+				lookup->retries --;
+				if (lookup->timer != NULL)
+					isc_timer_detach(&lookup->timer);
+				send_udp(lookup);
+			} else {
+				debug ("Cancelling");
+				cancel_lookup(lookup);
+			}
+		}
+	}
+}
+
+
+static void
+followup_lookup(dns_message_t *msg, dig_query_t *query,
+		dns_section_t section) {
+	dig_lookup_t *lookup = NULL;
+	dig_server_t *srv = NULL;
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdata_t rdata;
+	dns_name_t *name = NULL;
+	isc_result_t result, loopresult;
+	isc_buffer_t *b = NULL;
+	isc_region_t r;
+	isc_boolean_t success = ISC_FALSE;
+	int len;
+
+	debug ("followup_lookup()"); 
+	if (free_now)
+		return;
+	result = dns_message_firstname (msg,section);
+	if (result != ISC_R_SUCCESS) {
+		debug ("Firstname returned %s",
+			isc_result_totext(result));
+		if ((section == DNS_SECTION_ANSWER) &&
+		    query->lookup->trace)
+			followup_lookup (msg, query, DNS_SECTION_AUTHORITY);
+                return;
+	}
+
+	debug ("Following up %s", query->lookup->textname);
+
+	for (;;) {
+		name = NULL;
+		dns_message_currentname(msg, section, &name);
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			loopresult = dns_rdataset_first(rdataset);
+			while (loopresult == ISC_R_SUCCESS) {
+				dns_rdataset_current(rdataset, &rdata);
+				debug ("Got rdata with type %d",
+				       rdata.type);
+				if ((rdata.type == dns_rdatatype_ns) &&
+				    (!query->lookup->trace_root ||
+				     (query->lookup->nsfound < ROOTNS)))
+				{
+					query->lookup->nsfound++;
+					result = isc_buffer_allocate(mctx, &b,
+								     BUFSIZE);
+					check_result (result,
+						      "isc_buffer_allocate");
+					result = dns_rdata_totext (&rdata,
+								   NULL,
+								   b);
+					check_result (result,
+						      "dns_rdata_totext");
+					isc_buffer_usedregion(b, &r);
+					len = r.length-1;
+					if (len >= MXNAME)
+						len = MXNAME-1;
+				/* Initialize lookup if we've not yet */
+					debug ("Found NS %d %.*s",
+						 (int)r.length, (int)r.length,
+						 (char *)r.base);
+					if (!success) {
+						success = ISC_TRUE;
+						lookup_counter++;
+						lookup = requeue_lookup
+							(query->lookup,
+							 ISC_FALSE);
+						lookup->doing_xfr = ISC_FALSE;
+						lookup->defname = ISC_FALSE;
+						lookup->use_my_server_list = 
+							ISC_TRUE;
+						if (section ==
+						    DNS_SECTION_ANSWER)
+							lookup->trace =
+								ISC_FALSE;
+						else
+							lookup->trace =
+								query->
+								lookup->trace;
+						lookup->trace_root = ISC_FALSE;
+						ISC_LIST_INIT(lookup->
+							      my_server_list);
+					}
+					srv = isc_mem_allocate (mctx,
+								sizeof(
+								struct
+								dig_server));
+					if (srv == NULL)
+						fatal("Memory allocation "
+						      "failure in %s:%d",
+						      __FILE__, __LINE__);
+					strncpy(srv->servername, 
+						(char *)r.base, len);
+					srv->servername[len]=0;
+					debug ("Adding server %s",
+					       srv->servername);
+					ISC_LIST_APPEND
+						(lookup->my_server_list,
+						 srv, link);
+					isc_buffer_free (&b);
+				}
+				loopresult = dns_rdataset_next(rdataset);
+			}
+		}
+		result = dns_message_nextname (msg, section);
+		if (result != ISC_R_SUCCESS)
+			break;
+	}
+	if ((lookup == NULL) && (section == DNS_SECTION_ANSWER) &&
+	    query->lookup->trace)
+		followup_lookup(msg, query, DNS_SECTION_AUTHORITY);
+}
+
+static void
+next_origin(dns_message_t *msg, dig_query_t *query) {
+	dig_lookup_t *lookup;
+
+	UNUSED (msg);
+
+	debug ("next_origin()"); 
+	if (free_now)
+		return;
+	debug ("Following up %s", query->lookup->textname);
+
+	if (query->lookup->origin == NULL) { /*Then we just did rootorg;
+					      there's nothing left. */
+		debug ("Made it to the root whith nowhere to go.");
+		return;
+	}
+	lookup = requeue_lookup(query->lookup, ISC_TRUE);
+	lookup->defname = ISC_FALSE;
+	lookup->origin = ISC_LIST_NEXT(query->lookup->origin, link);
+}
+
+
+void
+setup_lookup(dig_lookup_t *lookup) {
+	isc_result_t result, res2;
+	int len;
+	dns_rdatatype_t rdtype;
+	dns_rdataclass_t rdclass;
+	dig_server_t *serv;
+	dig_query_t *query;
+	isc_region_t r;
+	isc_textregion_t tr;
+	isc_buffer_t b;
+	char store[MXNAME];
+	
+	REQUIRE (lookup != NULL);
+
+	debug("setup_lookup(%lx)",(long int)lookup);
+
+	if (free_now)
+		return;
+
+	debug("Setting up for looking up %s @%lx->%lx", 
+		lookup->textname, (long int)lookup,
+		(long int)lookup->link.next);
+
+	result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
+				    &lookup->sendmsg);
+	check_result(result, "dns_message_create");
+
+
+	result = dns_message_gettempname(lookup->sendmsg, &lookup->name);
+	check_result(result, "dns_message_gettempname");
+	dns_name_init(lookup->name, NULL);
+
+	isc_buffer_init(&lookup->namebuf, lookup->namespace, BUFSIZE);
+	isc_buffer_init(&lookup->onamebuf, lookup->onamespace, BUFSIZE);
+
+	if ((count_dots(lookup->textname) >= ndots) || lookup->defname)
+		lookup->origin = NULL; /* Force root lookup */
+	debug ("lookup->origin = %lx", (long int)lookup->origin);
+	if (lookup->origin != NULL) {
+		debug ("Trying origin %s", lookup->origin->origin);
+		result = dns_message_gettempname(lookup->sendmsg,
+						 &lookup->oname);
+		check_result(result, "dns_message_gettempname");
+		dns_name_init(lookup->oname, NULL);
+		len=strlen(lookup->origin->origin);
+		isc_buffer_init(&b, lookup->origin->origin, len);
+		isc_buffer_add(&b, len);
+		result = dns_name_fromtext(lookup->oname, &b, dns_rootname,
+					   ISC_FALSE, &lookup->onamebuf);
+		if (result != ISC_R_SUCCESS) {
+		dns_message_puttempname(lookup->sendmsg,
+						&lookup->name);
+			dns_message_puttempname(lookup->sendmsg,
+						&lookup->oname);
+			fatal("Aborting: %s is not a legal name syntax. (%s)",
+			      lookup->origin->origin,
+			      dns_result_totext(result));
+		}
+		if (!lookup->trace_root) {
+			len=strlen(lookup->textname);
+			isc_buffer_init(&b, lookup->textname, len);
+			isc_buffer_add(&b, len);
+			result = dns_name_fromtext(lookup->name, &b,
+						   lookup->oname, ISC_FALSE, 
+						   &lookup->namebuf);
+		} else {
+			isc_buffer_init(&b, ". ", 1);
+			isc_buffer_add(&b, 1);
+			result = dns_name_fromtext(lookup->name, &b,
+						   lookup->oname, ISC_FALSE, 
+						   &lookup->namebuf);
+		}			
+		if (result != ISC_R_SUCCESS) {
+			dns_message_puttempname(lookup->sendmsg,
+						&lookup->name);
+			dns_message_puttempname(lookup->sendmsg,
+						&lookup->oname);
+			fatal("Aborting: %s is not a legal name syntax. (%s)",
+			      lookup->textname, dns_result_totext(result));
+		}
+		dns_message_puttempname(lookup->sendmsg, &lookup->oname);
+	} else {
+		debug ("Using root origin.");
+		if (!lookup->trace_root) {
+			len = strlen (lookup->textname);
+			isc_buffer_init(&b, lookup->textname, len);
+			isc_buffer_add(&b, len);
+			result = dns_name_fromtext(lookup->name, &b,
+						   dns_rootname,
+						   ISC_FALSE,
+						   &lookup->namebuf);
+		} else {
+			isc_buffer_init(&b, ". ", 1);
+			isc_buffer_add(&b, 1);
+			result = dns_name_fromtext(lookup->name, &b,
+						   dns_rootname,
+						   ISC_FALSE,
+						   &lookup->namebuf);
+		}
+		if (result != ISC_R_SUCCESS) {
+			dns_message_puttempname(lookup->sendmsg,
+						&lookup->name);
+			isc_buffer_init(&b, store, MXNAME);
+			res2 = dns_name_totext(dns_rootname, ISC_FALSE, &b);
+			check_result (res2, "dns_name_totext");
+			isc_buffer_usedregion (&b, &r);
+			fatal("Aborting: %s/%.*s is not a legal name syntax. "
+			      "(%s)", lookup->textname, (int)r.length,
+			      (char *)r.base, dns_result_totext(result));
+		}
+	}		
+	isc_buffer_init (&b, store, MXNAME);
+	dns_name_totext(lookup->name, ISC_FALSE, &b);
+	isc_buffer_usedregion (&b, &r);
+	trying((int)r.length, (char *)r.base, lookup);
+#ifdef DEBUG
+	if (dns_name_isabsolute(lookup->name))
+		debug ("This is an absolute name.");
+	else
+		debug ("This is a relative name (which is wrong).");
+#endif
+
+	if (lookup->rctext[0] == 0)
+		strcpy(lookup->rctext, "IN");
+	if (lookup->rttext[0] == 0)
+		strcpy(lookup->rttext, "A");
+
+	lookup->sendmsg->id = random();
+	lookup->sendmsg->opcode = dns_opcode_query;
+	/* If this is a trace request, completely disallow recursion, since
+	 * it's meaningless for traces */
+	if (lookup->recurse && !lookup->trace) {
+		debug ("Recursive query");
+		lookup->sendmsg->flags |= DNS_MESSAGEFLAG_RD;
+	}
+
+	if (lookup->aaonly) {
+		debug ("AA query");
+		lookup->sendmsg->flags |= DNS_MESSAGEFLAG_AA;
+	}
+
+	dns_message_addname(lookup->sendmsg, lookup->name,
+			    DNS_SECTION_QUESTION);
+	
+	
+	if (lookup->trace_root) {
+		tr.base="SOA";
+		tr.length=3;
+	} else {
+		tr.base=lookup->rttext;
+		tr.length=strlen(lookup->rttext);
+	}
+	result = dns_rdatatype_fromtext(&rdtype, &tr);
+	check_result(result, "dns_rdatatype_fromtext");
+	if (rdtype == dns_rdatatype_axfr) {
+		lookup->doing_xfr = ISC_TRUE;
+		/*
+		 * Force TCP mode if we're doing an xfr.
+		 */
+		lookup->tcp_mode = ISC_TRUE;
+	}
+	if (lookup->trace_root) {
+		tr.base="IN";
+		tr.length=2;
+	} else {
+		tr.base=lookup->rctext;
+		tr.length=strlen(lookup->rctext);
+	}
+	result = dns_rdataclass_fromtext(&rdclass, &tr);
+	check_result(result, "dns_rdataclass_fromtext");
+	add_type(lookup->sendmsg, lookup->name, rdclass, rdtype);
+
+	isc_buffer_init(&lookup->sendbuf, lookup->sendspace, COMMSIZE);
+	debug ("Starting to render the message");
+	result = dns_message_renderbegin(lookup->sendmsg, &lookup->sendbuf);
+	check_result(result, "dns_message_renderbegin");
+	if (lookup->udpsize > 0) {
+		add_opt(lookup->sendmsg, lookup->udpsize);
+	}
+	result = dns_message_rendersection(lookup->sendmsg,
+					   DNS_SECTION_QUESTION, 0);
+	check_result(result, "dns_message_rendersection");
+	result = dns_message_renderend(lookup->sendmsg);
+	check_result(result, "dns_message_renderend");
+	debug ("Done rendering.");
+
+	lookup->pending = ISC_FALSE;
+
+	if (lookup->use_my_server_list)
+		serv = ISC_LIST_HEAD(lookup->my_server_list);
+	else
+		serv = ISC_LIST_HEAD(server_list);
+	for (; serv != NULL;
+	     serv = ISC_LIST_NEXT(serv, link)) {
+		query = isc_mem_allocate(mctx, sizeof(dig_query_t));
+		if (query == NULL)
+			fatal("Memory allocation failure in %s:%d", __FILE__, __LINE__);
+		debug ("Create query %lx linked to lookup %lx",
+		       (long int)query, (long int)lookup);
+		query->lookup = lookup;
+		query->working = ISC_FALSE;
+		query->waiting_connect = ISC_FALSE;
+		query->first_pass = ISC_TRUE;
+		query->first_soa_rcvd = ISC_FALSE;
+		query->servname = serv->servername;
+		ISC_LIST_INIT(query->sendlist);
+		ISC_LIST_INIT(query->recvlist);
+		ISC_LIST_INIT(query->lengthlist);
+		query->sock = NULL;
+
+		isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
+		isc_buffer_init(&query->lengthbuf, query->lengthspace, 2);
+		isc_buffer_init(&query->slbuf, query->slspace, 2);
+
+		ISC_LIST_ENQUEUE(lookup->q, query, link);
+	}
+	if (!ISC_LIST_EMPTY(lookup->q) && qr) {
+		printmessage (ISC_LIST_HEAD(lookup->q), lookup->sendmsg,
+			      ISC_TRUE);
+	}
+}	
+
+static void
+send_done(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+	isc_event_free(&event);
+
+	debug("send_done()");
+}
+
+static void
+cancel_lookup(dig_lookup_t *lookup) {
+	dig_query_t *query=NULL;
+
+	debug("cancel_lookup()");
+	for (query = ISC_LIST_HEAD(lookup->q);
+	     query != NULL;
+	     query = ISC_LIST_NEXT(query, link)) {
+		if (query->working) {
+			debug ("Cancelling a worker.");
+			isc_socket_cancel(query->sock, task,
+					  ISC_SOCKCANCEL_ALL);
+		}
+	}
+	lookup->pending = ISC_FALSE;
+	lookup->retries = 0;
+	check_next_lookup(lookup);
+}
+
+static void
+recv_done(isc_task_t *task, isc_event_t *event);
+
+static void
+connect_timeout(isc_task_t *task, isc_event_t *event);
+
+void
+send_udp(dig_lookup_t *lookup) {
+	dig_query_t *query;
+	isc_result_t result;
+
+	debug ("send_udp()");
+
+	isc_interval_set(&lookup->interval, timeout, 0);
+	result = isc_timer_create(timermgr, isc_timertype_once, NULL,
+				  &lookup->interval, task, connect_timeout,
+				  lookup, &lookup->timer);
+	check_result(result, "isc_timer_create");
+	for (query = ISC_LIST_HEAD(lookup->q);
+	     query != NULL;
+	     query = ISC_LIST_NEXT(query, link)) {
+		debug ("Working on lookup %lx, query %lx",
+		       (long int)query->lookup, (long int)query);
+		ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link);
+		query->working = ISC_TRUE;
+		debug ("recving with lookup=%lx, query=%lx",
+		       (long int)query->lookup, (long int)query);
+		result = isc_socket_recvv(query->sock, &query->recvlist, 1,
+					  task, recv_done, query);
+		check_result(result, "isc_socket_recvv");
+		sendcount++;
+		debug("Sent count number %d", sendcount);
+#ifdef TWIDDLE
+		if (twiddle) {
+			twiddlebuf(lookup->sendbuf);
+		}
+#endif
+		ISC_LIST_ENQUEUE(query->sendlist, &lookup->sendbuf, link);
+		debug("Sending a request.");
+		result = isc_time_now(&query->time_sent);
+		check_result(result, "isc_time_now");
+		result = isc_socket_sendtov(query->sock, &query->sendlist,
+					    task, send_done, query,
+					    &query->sockaddr, NULL);
+		check_result(result, "isc_socket_sendtov");
+	}
+}
+
+/* connect_timeout is used for both UDP recieves and TCP connects. */
+static void
+connect_timeout(isc_task_t *task, isc_event_t *event) {
+	dig_lookup_t *lookup=NULL, *next=NULL;
+	dig_query_t *q=NULL;
+	isc_result_t result;
+	isc_buffer_t *b=NULL;
+	isc_region_t r;
+
+	REQUIRE(event->ev_type == ISC_TIMEREVENT_IDLE);
+
+	debug("connect_timeout()");
+	lookup = event->ev_arg;
+
+	debug ("Buffer Allocate connect_timeout");
+	result = isc_buffer_allocate(mctx, &b, 256);
+	check_result(result, "isc_buffer_allocate");
+	for (q = ISC_LIST_HEAD(lookup->q);
+	     q != NULL;
+	     q = ISC_LIST_NEXT(q, link)) {
+		if (q->working) {
+			if (!free_now) {
+				isc_buffer_clear(b);
+				result = isc_sockaddr_totext(&q->sockaddr, b);
+				check_result(result, "isc_sockaddr_totext");
+				isc_buffer_usedregion(b, &r);
+				if (q->lookup->retries > 1)
+					printf(";; Connection to server %.*s "
+					       "for %s timed out.  "
+					       "Retrying %d.\n",
+					       (int)r.length, r.base,
+					       q->lookup->textname,
+					       q->lookup->retries-1);
+				else {
+					if (lookup->tcp_mode) {
+						printf(";; Connection to "
+						       "server %.*s "
+						       "for %s timed out.  "
+						       "Giving up.\n",
+						       (int)r.length, r.base,
+						       q->lookup->textname);
+					} else {
+						printf(";; Connection to "
+						       "server %.*s "
+						       "for %s timed out.  "
+						       "Trying TCP.\n",
+						       (int)r.length, r.base,
+						       q->lookup->textname);
+						next = requeue_lookup
+							(lookup,ISC_TRUE);
+						next->tcp_mode = ISC_TRUE;
+					}
+				}
+			}
+			isc_socket_cancel(q->sock, task,
+					  ISC_SOCKCANCEL_ALL);
+		}
+	}
+	ENSURE(lookup->timer != NULL);
+	isc_timer_detach(&lookup->timer);
+	isc_buffer_free(&b);
+	isc_event_free(&event);
+	debug ("Done with connect_timeout()");
+}
+
+static void
+tcp_length_done(isc_task_t *task, isc_event_t *event) { 
+	isc_socketevent_t *sevent;
+	isc_buffer_t *b=NULL;
+	isc_region_t r;
+	isc_result_t result;
+	dig_query_t *query=NULL;
+	isc_uint16_t length;
+
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
+
+	UNUSED(task);
+
+	debug("tcp_length_done()");
+
+	if (free_now)
+		return;
+
+	sevent = (isc_socketevent_t *)event;	
+
+	query = event->ev_arg;
+
+	if (sevent->result == ISC_R_CANCELED) {
+		query->working = ISC_FALSE;
+		check_next_lookup(query->lookup);
+		isc_event_free(&event);
+		return;
+	}
+	if (sevent->result != ISC_R_SUCCESS) {
+		debug ("Buffer Allocate connect_timeout");
+		result = isc_buffer_allocate(mctx, &b, 256);
+		check_result(result, "isc_buffer_allocate");
+		result = isc_sockaddr_totext(&query->sockaddr, b);
+		check_result(result, "isc_sockaddr_totext");
+		isc_buffer_usedregion(b, &r);
+		printf("%.*s: %s\n", (int)r.length, r.base,
+		       isc_result_totext(sevent->result));
+		isc_buffer_free(&b);
+		query->working = ISC_FALSE;
+		isc_socket_detach(&query->sock);
+		check_next_lookup(query->lookup);
+		isc_event_free(&event);
+		return;
+	}
+	b = ISC_LIST_HEAD(sevent->bufferlist);
+	ISC_LIST_DEQUEUE(sevent->bufferlist, &query->lengthbuf, link);
+	length = isc_buffer_getuint16(b);
+	if (length > COMMSIZE) {
+		isc_event_free (&event);
+		fatal ("Length of %X was longer than I can handle!",
+		       length);
+	}
+	/*
+	 * Even though the buffer was already init'ed, we need
+	 * to redo it now, to force the length we want.
+	 */
+	isc_buffer_invalidate(&query->recvbuf);
+	isc_buffer_init(&query->recvbuf, query->recvspace, length);
+	ENSURE(ISC_LIST_EMPTY(query->recvlist));
+	ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link);
+	debug ("recving with lookup=%lx, query=%lx",
+	       (long int)query->lookup, (long int)query);
+	result = isc_socket_recvv(query->sock, &query->recvlist, length, task,
+				  recv_done, query);
+	check_result(result, "isc_socket_recvv");
+	debug("Resubmitted recv request with length %d", length);
+	isc_event_free(&event);
+}
+
+static void
+launch_next_query(dig_query_t *query, isc_boolean_t include_question) {
+	isc_result_t result;
+
+	debug("launch_next_query()");
+
+	if (free_now)
+		return;
+
+	if (!query->lookup->pending) {
+		debug("Ignoring launch_next_query because !pending.");
+		isc_socket_detach(&query->sock);
+		query->working = ISC_FALSE;
+		query->waiting_connect = ISC_FALSE;
+		check_next_lookup(query->lookup);
+		return;
+	}
+
+	isc_buffer_clear(&query->slbuf);
+	isc_buffer_clear(&query->lengthbuf);
+	isc_buffer_putuint16(&query->slbuf, query->lookup->sendbuf.used);
+	ISC_LIST_ENQUEUE(query->sendlist, &query->slbuf, link);
+	if (include_question) {
+#ifdef TWIDDLE
+		if (twiddle) {
+			twiddlebuf(query->lookup->sendbuf);
+		}
+#endif
+		ISC_LIST_ENQUEUE(query->sendlist, &query->lookup->sendbuf,
+				 link);
+	}
+	ISC_LIST_ENQUEUE(query->lengthlist, &query->lengthbuf, link);
+
+	result = isc_socket_recvv(query->sock, &query->lengthlist, 0, task,
+				  tcp_length_done, query);
+	check_result(result, "isc_socket_recvv");
+	sendcount++;
+	if (!query->first_soa_rcvd) {
+		debug("Sending a request.");
+		result = isc_time_now(&query->time_sent);
+		check_result(result, "isc_time_now");
+		result = isc_socket_sendv(query->sock, &query->sendlist, task,
+					  send_done, query);
+		check_result(result, "isc_socket_recvv");
+	}
+	query->waiting_connect = ISC_FALSE;
+	check_next_lookup(query->lookup);
+	return;
+}
+	
+static void
+connect_done(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	isc_socketevent_t *sevent=NULL;
+	dig_query_t *query=NULL;
+	isc_buffer_t *b=NULL;
+	isc_region_t r;
+
+	UNUSED(task);
+
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
+
+	if (free_now)
+		return;
+
+	sevent = (isc_socketevent_t *)event;
+	query = sevent->ev_arg;
+
+	REQUIRE(query->waiting_connect);
+
+	query->waiting_connect = ISC_FALSE;
+
+	debug("connect_done()");
+	if (sevent->result != ISC_R_SUCCESS) {
+		debug ("Buffer Allocate connect_timeout");
+		result = isc_buffer_allocate(mctx, &b, 256);
+		check_result(result, "isc_buffer_allocate");
+		result = isc_sockaddr_totext(&query->sockaddr, b);
+		check_result(result, "isc_sockaddr_totext");
+		isc_buffer_usedregion(b, &r);
+		printf(";; Connection to server %.*s for %s failed: %s.\n",
+		       (int)r.length, r.base, query->lookup->textname,
+		       isc_result_totext(sevent->result));
+		if (exitcode < 9)
+			exitcode = 9;
+		isc_buffer_free(&b);
+		query->working = ISC_FALSE;
+		query->waiting_connect = ISC_FALSE;
+		check_next_lookup(query->lookup);
+		isc_event_free(&event);
+		return;
+	}
+	isc_event_free(&event);
+	launch_next_query(query, ISC_TRUE);
+}
+
+static isc_boolean_t
+msg_contains_soa(dns_message_t *msg, dig_query_t *query) {
+	isc_result_t result;
+	dns_name_t *name=NULL;
+
+	debug("msg_contains_soa()");
+
+	result = dns_message_findname(msg, DNS_SECTION_ANSWER,
+				      query->lookup->name, dns_rdatatype_soa,
+				      0, &name, NULL);
+	if (result == ISC_R_SUCCESS) {
+		debug("Found SOA", stderr);
+		return (ISC_TRUE);
+	} else {
+		debug("Didn't find SOA, result=%d:%s",
+			result, dns_result_totext(result));
+		return (ISC_FALSE);
+	}
+	
+}
+
+static void
+recv_done(isc_task_t *task, isc_event_t *event) {
+	isc_socketevent_t *sevent = NULL;
+	dig_query_t *query = NULL;
+	isc_buffer_t *b = NULL;
+	dns_message_t *msg = NULL;
+	isc_result_t result;
+	isc_buffer_t ab;
+	char abspace[MXNAME];
+	isc_region_t r;
+	dig_lookup_t *n;
+	
+	UNUSED (task);
+
+	if (free_now)
+		return;
+
+	query = event->ev_arg;
+	debug("recv_done(lookup=%lx, query=%lx)",
+	      (long int)query->lookup, (long int)query);
+
+	if (free_now) {
+		debug("Bailing out, since freeing now.");
+		isc_event_free (&event);
+		return;
+	}
+
+	sendcount--;
+	debug("In recv_done, counter down to %d", sendcount);
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
+	sevent = (isc_socketevent_t *)event;
+
+	if (!query->lookup->pending && !query->lookup->ns_search_only) {
+
+		debug("No longer pending.  Got %s",
+			isc_result_totext(sevent->result));
+		query->working = ISC_FALSE;
+		query->waiting_connect = ISC_FALSE;
+		
+		cancel_lookup(query->lookup);
+		isc_event_free(&event);
+		return;
+	}
+
+	if (sevent->result == ISC_R_SUCCESS) {
+		b = ISC_LIST_HEAD(sevent->bufferlist);
+		ISC_LIST_DEQUEUE(sevent->bufferlist, &query->recvbuf, link);
+		result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE,
+					    &msg);
+		check_result(result, "dns_message_create");
+		debug ("Before parse starts");
+		result = dns_message_parse(msg, b, ISC_TRUE);
+		if (result != ISC_R_SUCCESS) {
+			printf (";; Got bad UDP packet:\n");
+			hex_dump(b);
+			isc_event_free(&event);
+			query->working = ISC_FALSE;
+			query->waiting_connect = ISC_FALSE;
+			if (!query->lookup->tcp_mode) {
+				printf (";; Retrying in TCP mode.\n");
+				n = requeue_lookup(query->lookup, ISC_TRUE);
+				n->tcp_mode = ISC_TRUE;
+			}
+			cancel_lookup(query->lookup);
+			dns_message_destroy(&msg);
+			return;
+		}
+		debug ("After parse has started");
+		if (query->lookup->xfr_q == NULL)
+			query->lookup->xfr_q = query;
+		if (query->lookup->xfr_q == query) {
+			if (query->lookup->trace) {
+				if (show_details || ((dns_message_firstname
+						  (msg, DNS_SECTION_ANSWER)==
+						  ISC_R_SUCCESS) &&
+						  !query->lookup->trace_root)) {
+					printmessage(query, msg, ISC_TRUE);
+				}
+				if ((msg->rcode != 0) &&
+				    (query->lookup->origin != NULL)) {
+					next_origin(msg, query);
+				} else {
+					result = dns_message_firstname
+						(msg,DNS_SECTION_ANSWER);
+					if ((result != ISC_R_SUCCESS) ||
+					    query->lookup->trace_root)
+						followup_lookup(msg, query,
+							DNS_SECTION_AUTHORITY);
+				}
+			} else if ((msg->rcode != 0) &&
+				 (query->lookup->origin != NULL)) {
+				next_origin(msg, query);
+				if (show_details) {
+				       printmessage(query, msg, ISC_TRUE);
+				}
+			} else {
+				if (query->first_soa_rcvd &&
+				    query->lookup->doing_xfr)
+					printmessage(query, msg, ISC_FALSE);
+				else
+					printmessage(query, msg, ISC_TRUE);
+			}
+		} else if (( dns_message_firstname(msg, DNS_SECTION_ANSWER)
+			    == ISC_R_SUCCESS) &&
+			   query->lookup->ns_search_only &&
+			   !query->lookup->trace_root ) {
+			printmessage (query, msg, ISC_TRUE);
+		}
+		
+#ifdef DEBUG
+		if (query->lookup->pending)
+			debug("Still pending.");
+#endif
+		if (query->lookup->doing_xfr) {
+			if (!query->first_soa_rcvd) {
+				debug("Not yet got first SOA");
+				if (!msg_contains_soa(msg, query)) {
+					puts("; Transfer failed.  "
+					     "Didn't start with SOA answer.");
+					query->working = ISC_FALSE;
+					cancel_lookup(query->lookup);
+					isc_event_free (&event);
+					dns_message_destroy (&msg);
+					return;
+					launch_next_query(query, ISC_FALSE);
+				}
+				else {
+					query->first_soa_rcvd = ISC_TRUE;
+					launch_next_query(query, ISC_FALSE);
+				}
+			} 
+			else {
+				if (msg_contains_soa(msg, query)) {
+					isc_buffer_init(&ab, abspace, MXNAME);
+					result = isc_sockaddr_totext(&sevent->
+								     address,
+								     &ab);
+					check_result(result,
+						     "isc_sockaddr_totext");
+					isc_buffer_usedregion(&ab, &r);
+					received(b->used, r.length,
+						 (char *)r.base, query);
+					query->working = ISC_FALSE;
+					cancel_lookup(query->lookup);
+					isc_event_free(&event);
+					dns_message_destroy (&msg);
+					return;
+				}
+				else {
+					launch_next_query(query, ISC_FALSE);
+				}
+			}
+		}
+		else {
+			if ((msg->rcode == 0) ||
+			    (query->lookup->origin == NULL)) {
+				isc_buffer_init(&ab, abspace, MXNAME);
+				result = isc_sockaddr_totext(&sevent->address,
+							     &ab);
+				check_result(result, "isc_sockaddr_totext");
+				isc_buffer_usedregion(&ab, &r);
+				received(b->used, r.length, (char *)r.base,
+					 query);
+			}
+			query->working = ISC_FALSE;
+			query->lookup->pending = ISC_FALSE;
+			if (!query->lookup->ns_search_only ||
+			    query->lookup->trace_root ) {
+				cancel_lookup(query->lookup);
+			}
+			check_next_lookup(query->lookup);
+		}
+		dns_message_destroy(&msg);
+		isc_event_free(&event);
+		return;
+	}
+	/* In truth, we should never get into the CANCELED routine, since
+	   the cancel_lookup() routine clears the pending flag. */
+	if (sevent->result == ISC_R_CANCELED) {
+		debug ("In cancel handler");
+		query->working = ISC_FALSE;
+		query->waiting_connect = ISC_FALSE;
+		check_next_lookup(query->lookup);
+		isc_event_free(&event);
+		return;
+	}
+	isc_event_free(&event);
+	fatal("recv_done got result %s",
+	      isc_result_totext(sevent->result));
+}
+
+void
+get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
+	struct in_addr in4;
+	struct in6_addr in6;
+	struct hostent *he;
+
+	debug("get_address()");
+
+	if (have_ipv6 && inet_pton(AF_INET6, host, &in6) == 1)
+		isc_sockaddr_fromin6(sockaddr, &in6, port);
+	else if (inet_pton(AF_INET, host, &in4) == 1)
+		isc_sockaddr_fromin(sockaddr, &in4, port);
+	else {
+		he = gethostbyname(host);
+		if (he == NULL)
+		     fatal("Couldn't look up your server host %s.  errno=%d",
+			      host, h_errno);
+		INSIST(he->h_addrtype == AF_INET);
+		isc_sockaddr_fromin(sockaddr,
+				    (struct in_addr *)(he->h_addr_list[0]),
+				    port);
+	}
+}
+
+static void
+do_lookup_tcp(dig_lookup_t *lookup) {
+	dig_query_t *query;
+	isc_result_t result;
+
+	debug("do_lookup_tcp()");
+	lookup->pending = ISC_TRUE;
+	isc_interval_set(&lookup->interval, timeout, 0);
+	result = isc_timer_create(timermgr, isc_timertype_once, NULL,
+				  &lookup->interval, task, connect_timeout,
+				  lookup, &lookup->timer);
+	check_result(result, "isc_timer_create");
+
+	for (query = ISC_LIST_HEAD(lookup->q);
+	     query != NULL;
+	     query = ISC_LIST_NEXT(query, link)) {
+		query->working = ISC_TRUE;
+		query->waiting_connect = ISC_TRUE;
+		get_address(query->servname, port, &query->sockaddr);
+
+		result = isc_socket_create(socketmgr,
+					   isc_sockaddr_pf(&query->sockaddr),
+					   isc_sockettype_tcp, &query->sock) ;
+		check_result(result, "isc_socket_create");
+		if (specified_source) {
+			result = isc_socket_bind(query->sock, &bind_address);
+			check_result(result, "isc_socket_bind");
+		}
+		result = isc_socket_connect(query->sock, &query->sockaddr,
+					    task, connect_done, query);
+		check_result (result, "isc_socket_connect");
+	}
+}
+
+static void
+do_lookup_udp(dig_lookup_t *lookup) {
+	dig_query_t *query;
+	isc_result_t result;
+
+#ifdef DEBUG
+	debug("do_lookup_udp()");
+	if (lookup->tcp_mode)
+		debug("I'm starting UDP with tcp_mode set!!!");
+#endif
+	lookup->pending = ISC_TRUE;
+
+	for (query = ISC_LIST_HEAD(lookup->q);
+	     query != NULL;
+	     query = ISC_LIST_NEXT(query, link)) {
+		query->working = ISC_TRUE;
+		query->waiting_connect = ISC_FALSE;
+		get_address(query->servname, port, &query->sockaddr);
+
+		result = isc_socket_create(socketmgr,
+					   isc_sockaddr_pf(&query->sockaddr),
+					   isc_sockettype_udp, &query->sock) ;
+		check_result(result, "isc_socket_create");
+		if (specified_source) {
+			result = isc_socket_bind(query->sock, &bind_address);
+			check_result(result, "isc_socket_bind");
+		}
+	}
+
+	send_udp(lookup);
+}
+
+void
+do_lookup(dig_lookup_t *lookup) {
+
+	REQUIRE (lookup != NULL);
+
+	debug ("do_lookup()");
+	if (lookup->tcp_mode)
+		do_lookup_tcp(lookup);
+	else
+		do_lookup_udp(lookup);
+}
+
+void
+start_lookup(void) {
+	dig_lookup_t *lookup;
+
+	debug ("start_lookup()");
+
+	if (free_now)
+		return;
+
+	lookup = ISC_LIST_HEAD(lookup_list);
+	if (lookup != NULL) {
+		setup_lookup(lookup);
+		do_lookup(lookup);
+	}
+}
+     
+void
+free_lists(int _exitcode) {
+	void *ptr;
+	dig_lookup_t *l;
+	dig_query_t *q;
+	dig_server_t *s;
+	dig_searchlist_t *o;
+
+	debug("free_lists()");
+
+	if (free_now)
+		return;
+
+	free_now = ISC_TRUE;
+
+	l = ISC_LIST_HEAD(lookup_list);
+	while (l != NULL) {
+		q = ISC_LIST_HEAD(l->q);
+		while (q != NULL) {
+			if (q->sock != NULL) {
+				isc_socket_cancel(q->sock, NULL,
+						  ISC_SOCKCANCEL_ALL);
+				isc_socket_detach(&q->sock);
+			}
+			if (ISC_LINK_LINKED(&q->recvbuf, link))
+				ISC_LIST_DEQUEUE(q->recvlist, &q->recvbuf,
+						 link);
+			if (ISC_LINK_LINKED(&q->lengthbuf, link))
+				ISC_LIST_DEQUEUE(q->lengthlist, &q->lengthbuf,
+						 link);
+			isc_buffer_invalidate(&q->recvbuf);
+			isc_buffer_invalidate(&q->lengthbuf);
+			ptr = q;
+			q = ISC_LIST_NEXT(q, link);
+			isc_mem_free(mctx, ptr);
+		}
+		if (l->use_my_server_list) {
+			s = ISC_LIST_HEAD(l->my_server_list);
+			while (s != NULL) {
+				ptr = s;
+				s = ISC_LIST_NEXT(s, link);
+				isc_mem_free(mctx, ptr);
+
+			}
+		}
+		if (l->sendmsg != NULL)
+			dns_message_destroy (&l->sendmsg);
+		if (l->timer != NULL)
+			isc_timer_detach (&l->timer);
+		ptr = l;
+		l = ISC_LIST_NEXT(l, link);
+		isc_mem_free(mctx, ptr);
+	}
+	s = ISC_LIST_HEAD(server_list);
+	while (s != NULL) {
+		ptr = s;
+		s = ISC_LIST_NEXT(s, link);
+		isc_mem_free(mctx, ptr);
+	}
+	o = ISC_LIST_HEAD(search_list);
+	while (o != NULL) {
+		ptr = o;
+		o = ISC_LIST_NEXT(o, link);
+		isc_mem_free(mctx, ptr);
+	}
+	if (socketmgr != NULL)
+		isc_socketmgr_destroy(&socketmgr);
+	if (timermgr != NULL)
+		isc_timermgr_destroy(&timermgr);
+	if (task != NULL)
+		isc_task_detach(&task);
+	if (taskmgr != NULL)
+		isc_taskmgr_destroy(&taskmgr);
+
+#ifdef MEMDEBUG
+	isc_mem_stats(mctx, stderr);
+#endif
+	isc_app_finish();
+	if (mctx != NULL)
+		isc_mem_destroy(&mctx);
+
+	debug("Getting ready to exit, code=%d",_exitcode);
+	if (_exitcode != 0)
+		exit(_exitcode);
+}
diff --git a/bin/dig/host.c b/bin/dig/host.c
new file mode 100644
index 00000000..0c09507b
--- /dev/null
+++ b/bin/dig/host.c
@@ -0,0 +1,659 @@
+/*
+ * Copyright (C) 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+extern int h_errno;
+
+#include <isc/app.h>
+#include <isc/commandline.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/message.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+
+#include <dig/dig.h>
+
+extern ISC_LIST(dig_lookup_t) lookup_list;
+extern ISC_LIST(dig_server_t) server_list;
+extern ISC_LIST(dig_searchlist_t) search_list;
+
+extern isc_boolean_t have_ipv6, show_details;
+extern in_port_t port;
+extern unsigned int timeout;
+extern isc_mem_t *mctx;
+extern isc_taskmgr_t *taskmgr;
+extern isc_task_t *task;
+extern isc_timermgr_t *timermgr;
+extern isc_socketmgr_t *socketmgr;
+extern dns_messageid_t id;
+extern dns_name_t rootorg;
+extern char *rootspace[BUFSIZE];
+extern isc_buffer_t rootbuf;
+extern int sendcount;
+extern int ndots;
+extern int tries;
+extern int lookup_counter;
+extern int exitcode;
+
+isc_boolean_t short_form=ISC_TRUE,
+	filter=ISC_FALSE,
+	showallsoa=ISC_FALSE,
+	tcpmode = ISC_FALSE;
+
+static char *opcodetext[] = {
+	"QUERY",
+	"IQUERY",
+	"STATUS",
+	"RESERVED3",
+	"NOTIFY",
+	"UPDATE",
+	"RESERVED6",
+	"RESERVED7",
+	"RESERVED8",
+	"RESERVED9",
+	"RESERVED10",
+	"RESERVED11",
+	"RESERVED12",
+	"RESERVED13",
+	"RESERVED14",
+	"RESERVED15"
+};
+
+static char *rcodetext[] = {
+	"NOERROR",
+	"FORMERR",
+	"SERVFAIL",
+	"NXDOMAIN",
+	"NOTIMPL",
+	"REFUSED",
+	"YXDOMAIN",
+	"YXRRSET",
+	"NXRRSET",
+	"NOTAUTH",
+	"NOTZONE",
+	"RESERVED11",
+	"RESERVED12",
+	"RESERVED13",
+	"RESERVED14",
+	"RESERVED15",
+	"BADVERS"
+};
+
+static char *rtypetext[] = {
+	"zero",				/* 0 */
+	"has address",			/* 1 */
+	"name server",			/* 2 */
+	"MD",				/* 3 */
+	"MF",				/* 4 */
+	"is an alias for",		/* 5 */
+	"SOA",				/* 6 */
+	"MB",				/* 7 */	
+	"MG",				/* 8 */
+	"MR",				/* 9 */
+	"NULL",				/* 10 */
+	"has well known services",	/* 11 */
+	"domain name pointer",		/* 12 */
+	"host information",		/* 13 */
+	"MINFO",			/* 14 */
+	"mail is handled by",	       	/* 15 */
+	"text",				/* 16 */
+	"RP",				/* 17 */
+	"AFSDB",			/* 18 */
+	"x25 address",			/* 19 */
+	"isdn address",			/* 20 */
+	"RT"				/* 21 */
+	"NSAP",				/* 22 */
+	"NSAP_PTR",			/* 23 */
+	"has signature",		/* 24 */
+	"has key",			/* 25 */
+	"PX",				/* 26 */
+	"GPOS",				/* 27 */
+	"has AAAA address",		/* 28 */
+	"LOC",				/* 29 */
+	"has next record",		/* 30 */
+	"has 31 record",		/* 31 */
+	"has 32 record",		/* 32 */
+	"SRV",				/* 33 */
+	"has 34 record",		/* 34 */
+	"NAPTR",			/* 35 */
+	"KX",				/* 36 */
+	"CERT",				/* 37 */
+	"has v6 address",		/* 38 */
+	"DNAME",			/* 39 */
+	"has 40 record",       		/* 40 */
+	"has optional information"};	/* 41 */
+
+
+static void
+show_usage() {
+	fputs (
+"Usage: host [-aCdlrTwv] [-c class] [-N ndots] [-t type] [-W time]\n"
+"            [-R number] hostname [server]\n"
+"       -a is equivalent to -v -t *\n"
+"       -c specifies query class for non-IN data\n"
+"       -C compares SOA records on authorative nameservers\n"
+"       -d is equivalent to -v\n"
+"       -l lists all hosts in a domain, using AXFR\n"
+"       -N changes the number of dots allowed before root lookup is done\n"
+"       -r disables recursive processing\n"
+"       -R specifies number of retries for UDP packets\n"
+"       -t specifies the query type\n"
+"       -T enables TCP/IP mode\n"
+"       -v enables verbose output\n"
+"       -w specifies to wait forever for a reply\n"
+"       -W specifies how long to wait for a reply\n", stderr);
+	exit (exitcode);
+}				
+
+void
+dighost_shutdown(void) {
+	isc_app_shutdown();
+}
+
+void
+received(int bytes, int frmsize, char *frm, dig_query_t *query) {
+	isc_time_t now;
+	isc_result_t result;
+	int diff;
+
+	if ((!short_form) || (show_details)) {
+		result = isc_time_now(&now);
+		check_result (result, "isc_time_now");
+		diff = isc_time_microdiff(&now, &query->time_sent);
+		printf("Received %u bytes from %.*s in %d ms\n",
+		       bytes, frmsize, frm, diff/1000);
+	}
+}
+
+void
+trying(int frmsize, char *frm, dig_lookup_t *lookup) {
+	UNUSED (lookup);
+
+	if (!short_form)
+		printf ("Trying \"%.*s\"\n", frmsize, frm);
+}
+
+static void
+say_message(dns_name_t *name, char *msg, dns_rdata_t *rdata,
+	    dig_query_t *query)
+{
+	isc_buffer_t *b=NULL, *b2=NULL;
+	isc_region_t r, r2;
+	isc_result_t result;
+
+	result = isc_buffer_allocate(mctx, &b, BUFSIZE);
+	check_result (result, "isc_buffer_allocate");
+	result = isc_buffer_allocate(mctx, &b2, BUFSIZE);
+	check_result (result, "isc_buffer_allocate");
+	result = dns_name_totext(name, ISC_FALSE, b);
+	check_result(result, "dns_name_totext");
+	isc_buffer_usedregion(b, &r);
+	result = dns_rdata_totext(rdata, NULL, b2);
+	check_result(result, "dns_rdata_totext");
+	isc_buffer_usedregion(b2, &r2);
+	printf ( "%.*s %s %.*s", (int)r.length, (char *)r.base,
+		 msg, (int)r2.length, (char *)r2.base);
+	if (query->lookup->identify) {
+		printf (" on server %s", query->servname);
+	}
+	printf ("\n");
+	isc_buffer_free(&b);
+	isc_buffer_free(&b2);
+}
+
+
+static isc_result_t
+printsection(dns_message_t *msg, dns_section_t sectionid, char *section_name,
+	     isc_boolean_t headers, dig_query_t *query)
+{
+	dns_name_t *name, *print_name;
+	dns_rdataset_t *rdataset;
+	dns_rdata_t rdata;
+	isc_buffer_t target;
+	isc_result_t result, loopresult;
+	isc_region_t r;
+	dns_name_t empty_name;
+	char t[4096];
+	isc_boolean_t first;
+	isc_boolean_t no_rdata;
+	char *rtt;
+	
+	if (sectionid == DNS_SECTION_QUESTION)
+		no_rdata = ISC_TRUE;
+	else
+		no_rdata = ISC_FALSE;
+
+	if (headers)
+		printf(";; %s SECTION:\n", section_name);
+
+	dns_name_init(&empty_name, NULL);
+
+	result = dns_message_firstname(msg, sectionid);
+	if (result == ISC_R_NOMORE)
+		return (ISC_R_SUCCESS);
+	else if (result != ISC_R_SUCCESS)
+		return (result);
+
+	for (;;) {
+		name = NULL;
+		dns_message_currentname(msg, sectionid, &name);
+
+		isc_buffer_init(&target, t, sizeof(t));
+		first = ISC_TRUE;
+		print_name = name;
+
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			if (!short_form) {
+				result = dns_rdataset_totext(rdataset,
+							     print_name,
+							     ISC_FALSE,
+							     no_rdata,
+							     &target);
+				if (result != ISC_R_SUCCESS)
+					return (result);
+#ifdef USEINITALWS
+				if (first) {
+					print_name = &empty_name;
+					first = ISC_FALSE;
+				}
+#endif
+			} else { 
+				loopresult = dns_rdataset_first(rdataset);
+				while (loopresult == ISC_R_SUCCESS) {
+					dns_rdataset_current(rdataset, &rdata);
+					if (rdata.type <= 41)
+						rtt=rtypetext[rdata.type];
+					else if (rdata.type == 103)
+						rtt="unspecified data";
+					else if (rdata.type == 249)
+						rtt="key";
+					else if (rdata.type == 250)
+						rtt="signature";
+					else
+						rtt="unknown";
+					say_message(print_name,
+						    rtypetext[rdata.type],
+						    &rdata, query);
+					loopresult = dns_rdataset_next(
+								 rdataset);
+				}
+			}
+		}
+		if (!short_form) {
+			isc_buffer_usedregion(&target, &r);
+			if (no_rdata)
+				printf(";%.*s", (int)r.length,
+				       (char *)r.base);
+			else
+				printf("%.*s", (int)r.length, (char *)r.base);
+		}
+		
+		result = dns_message_nextname(msg, sectionid);
+		if (result == ISC_R_NOMORE)
+			break;
+		else if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+printrdata(dns_message_t *msg, dns_rdataset_t *rdataset, dns_name_t *owner,
+	   char *set_name, isc_boolean_t headers)
+{
+	isc_buffer_t target;
+	isc_result_t result;
+	isc_region_t r;
+	char t[4096];
+
+	UNUSED(msg);
+	if (headers) 
+		printf(";; %s SECTION:\n", set_name);
+
+	isc_buffer_init(&target, t, sizeof(t));
+
+	result = dns_rdataset_totext(rdataset, owner, ISC_FALSE, ISC_FALSE,
+				     &target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_usedregion(&target, &r);
+	printf("%.*s", (int)r.length, (char *)r.base);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
+	isc_boolean_t did_flag = ISC_FALSE;
+	dns_rdataset_t *opt, *tsig = NULL;
+	dns_name_t *tsigname;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_buffer_t *b;
+	isc_region_t r;
+
+	UNUSED (headers);
+
+	/*
+	 * Exitcode 9 means we timed out, but if we're printing a message,
+	 * we much have recovered.  Go ahead and reset it to code 0, and
+	 * call this a success.
+	 */
+	if (exitcode == 9)
+		exitcode = 0;
+
+	if (msg->rcode != 0) {
+		result = isc_buffer_allocate(mctx, &b, MXNAME);
+		check_result (result, "isc_buffer_allocate");
+		result = dns_name_totext(query->lookup->name, ISC_FALSE,
+					 b);
+		check_result (result, "dns_name_totext");
+		isc_buffer_usedregion (b, &r);
+		printf ("Host %.*s not found: %d(%s)\n",
+			(int)r.length, (char *)r.base,
+			msg->rcode, rcodetext[msg->rcode]);
+		isc_buffer_free (&b);
+		return (ISC_R_SUCCESS);
+	}
+	if (!short_form) {
+		printf(";; ->>HEADER<<- opcode: %s, status: %s, id: %u\n",
+		       opcodetext[msg->opcode], rcodetext[msg->rcode],
+		       msg->id);
+		printf(";; flags: ");
+		if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) {
+			printf("qr");
+			did_flag = ISC_TRUE;
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0) {
+			printf("%saa", did_flag ? " " : "");
+			did_flag = ISC_TRUE;
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
+			printf("%stc", did_flag ? " " : "");
+			did_flag = ISC_TRUE;
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0) {
+			printf("%srd", did_flag ? " " : "");
+			did_flag = ISC_TRUE;
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0) {
+			printf("%sra", did_flag ? " " : "");
+			did_flag = ISC_TRUE;
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0) {
+			printf("%sad", did_flag ? " " : "");
+			did_flag = ISC_TRUE;
+		}
+		if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0) {
+			printf("%scd", did_flag ? " " : "");
+			did_flag = ISC_TRUE;
+		}
+		printf("; QUERY: %u, ANSWER: %u, "
+		       "AUTHORITY: %u, ADDITIONAL: %u\n",
+		       msg->counts[DNS_SECTION_QUESTION],
+		       msg->counts[DNS_SECTION_ANSWER],
+		       msg->counts[DNS_SECTION_AUTHORITY],
+		       msg->counts[DNS_SECTION_ADDITIONAL]);
+		opt = dns_message_getopt(msg);
+		if (opt != NULL)
+			printf(";; EDNS: version: %u, udp=%u\n",
+			       (unsigned int)((opt->ttl & 0x00ff0000) >> 16),
+			       (unsigned int)opt->rdclass);
+		tsigname = NULL;
+		tsig = dns_message_gettsig(msg, &tsigname);
+		if (tsig != NULL)
+			printf(";; PSEUDOSECTIONS: TSIG\n");
+	}
+	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_QUESTION]) &&
+	    !short_form ) {
+		printf("\n");
+		result = printsection(msg, DNS_SECTION_QUESTION, "QUESTION",
+				      ISC_TRUE, query);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) {
+		if (!short_form)
+			printf("\n");
+		result = printsection(msg, DNS_SECTION_ANSWER, "ANSWER",
+				      !short_form, query);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_AUTHORITY]) &&
+	    !short_form ) {
+		printf("\n");
+		result = printsection(msg, DNS_SECTION_AUTHORITY, "AUTHORITY",
+				      ISC_TRUE, query);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ADDITIONAL]) &&
+	    !short_form ) {
+		printf("\n");
+		result = printsection(msg, DNS_SECTION_ADDITIONAL,
+				      "ADDITIONAL", ISC_TRUE, query);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	if ((tsig != NULL) && !short_form) {
+		printf("\n");
+		result = printrdata(msg, tsig, tsigname,
+				    "PSEUDOSECTION TSIG", ISC_TRUE);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	if (!short_form)
+		printf("\n");
+
+	return (result);
+}
+
+static void
+parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
+	isc_boolean_t have_host=ISC_FALSE,
+		recursion=ISC_TRUE,
+		xfr_mode=ISC_FALSE,
+		nsfind=ISC_FALSE;
+	char hostname[MXNAME];
+	char querytype[32]="";
+	char queryclass[32]="";
+	dig_server_t *srv;
+	dig_lookup_t *lookup;
+	int i, c, n, adrs[4];
+	char store[MXNAME];
+
+	UNUSED(is_batchfile);
+
+	while ((c = isc_commandline_parse(argc, argv, "lvwrdt:c:aTCN:R:W:"))
+	       != EOF) {
+		switch (c) {
+		case 'l':
+			tcpmode = ISC_TRUE;
+			xfr_mode = ISC_TRUE;
+			filter = ISC_TRUE;
+			strcpy (querytype, "axfr");
+			break;
+		case 'v':
+		case 'd':
+			short_form = ISC_FALSE;
+			break;
+		case 'r':
+			recursion = ISC_FALSE;
+			break;
+		case 't':
+			strncpy (querytype, isc_commandline_argument, 32);
+			break;
+		case 'c':
+			strncpy (queryclass, isc_commandline_argument, 32);
+			break;
+		case 'a':
+			strcpy (querytype, "any");
+			short_form = ISC_FALSE;
+			break;
+		case 'w':
+			/* XXXMWS This should be a system-indep.
+			 * thing! */
+			timeout = 32767;
+			break;
+		case 'W':
+			timeout = atoi(isc_commandline_argument);
+			if (timeout < 1)
+				timeout = 1;
+			break;
+		case 'R':
+			tries = atoi(isc_commandline_argument);
+			if (tries < 1)
+				tries = 1;
+			break;
+		case 'T':
+			tcpmode = ISC_TRUE;
+			break;
+		case 'C':
+			debug ("Showing all SOA's");
+			if (querytype[0] == 0)
+				strcpy (querytype, "soa");
+			if (queryclass[0] == 0)
+				strcpy (queryclass, "in");
+			nsfind = ISC_TRUE;
+			showallsoa = ISC_TRUE;
+			show_details = ISC_TRUE;
+			break;
+		case 'N':
+			debug ("Setting NDOTS to %s", 
+			       isc_commandline_argument);
+			ndots = atoi(isc_commandline_argument);
+			break;
+		}
+	}
+	if (isc_commandline_index >= argc) {
+		show_usage();
+	}
+	strncpy (hostname, argv[isc_commandline_index], MXNAME);
+	if (argc > isc_commandline_index+1) {
+			srv=isc_mem_allocate(mctx, sizeof(struct dig_server));
+			if (srv == NULL)
+				fatal ("Memory allocation failure.");
+			strncpy(srv->servername,
+				argv[isc_commandline_index+1], MXNAME-1);
+			debug("Server is %s", srv->servername);
+			ISC_LIST_APPEND(server_list, srv, link);
+	}
+	
+	lookup_counter++;
+	if (lookup_counter > LOOKUP_LIMIT)
+		fatal ("Too many lookups.");
+	lookup = isc_mem_allocate (mctx, 
+				   sizeof(struct dig_lookup));
+	if (lookup == NULL)	
+		fatal ("Memory allocation failure.");
+	lookup->pending = ISC_FALSE;
+	/* 
+	 * XXXMWS Add IPv6 translation here, probably using inet_pton
+	 * to extract the formatted text.
+	 */
+	if (strspn(hostname, "0123456789.") == strlen(hostname)) {
+		lookup->textname[0]=0;
+		n = sscanf(hostname, "%d.%d.%d.%d", &adrs[0], &adrs[1],
+				   &adrs[2], &adrs[3]);
+		if (n==0) {
+			show_usage();
+			exit (exitcode);
+		}
+		for (i = n - 1; i >= 0; i--) {
+			snprintf(store, MXNAME/8, "%d.",
+				 adrs[i]);
+			strncat(lookup->textname, store, MXNAME);
+		}
+		strncat(lookup->textname, "in-addr.arpa.", MXNAME);
+		if (querytype[0] == 0)
+			strcpy (querytype, "ptr");
+	} else
+		strncpy (lookup->textname, hostname, MXNAME);
+	if (querytype[0] == 0)
+		strcpy (querytype, "a");
+	if (queryclass[0] == 0)
+		strcpy (queryclass, "in");
+	strncpy (lookup->rttext, querytype, 32);
+	strncpy (lookup->rctext, queryclass, 32);
+	lookup->namespace[0]=0;
+	lookup->sendspace[0]=0;
+	lookup->sendmsg=NULL;
+	lookup->name=NULL;
+	lookup->oname=NULL;
+	lookup->timer = NULL;
+	lookup->xfr_q = NULL;
+	lookup->origin = NULL;
+	lookup->doing_xfr = ISC_FALSE;
+	lookup->defname = ISC_FALSE;
+	lookup->identify = ISC_FALSE;
+	lookup->recurse = recursion;
+	lookup->ns_search_only = showallsoa;
+	lookup->use_my_server_list = ISC_FALSE;
+	lookup->retries = tries;
+	lookup->udpsize = 0;
+	lookup->nsfound = 0;
+	lookup->trace = showallsoa;
+	lookup->trace_root = ISC_FALSE;
+	lookup->tcp_mode = tcpmode;
+	ISC_LIST_INIT(lookup->q);
+	ISC_LIST_APPEND(lookup_list, lookup, link);
+	lookup->origin = NULL;
+	ISC_LIST_INIT(lookup->my_server_list);
+	have_host = ISC_TRUE;
+}
+
+int
+main(int argc, char **argv) {
+#ifdef TWIDDLE
+	FILE *fp;
+	int i, p;
+#endif
+
+	ISC_LIST_INIT(lookup_list);
+	ISC_LIST_INIT(server_list);
+	ISC_LIST_INIT(search_list);
+
+	debug ("dhmain()");
+#ifdef TWIDDLE
+	fp = fopen("/dev/urandom", "r");
+	if (fp!=NULL) {
+		fread (&i, sizeof(int), 1, fp);
+		srandom(i);
+	}
+	else {
+		srandom ((int)&main);
+	}
+	p = getpid()%16+8;
+	for (i=0 ; i<p; i++);
+#endif
+	setup_libs();
+	parse_args(ISC_FALSE, argc, argv);
+	setup_system();
+	start_lookup();
+	isc_app_run();
+	free_lists(0);
+	return (0);
+}
+
diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h
new file mode 100644
index 00000000..c642a541
--- /dev/null
+++ b/bin/dig/include/dig/dig.h
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DIG_H
+#define DIG_H
+
+#define SDIG_BUFFER_SIZE 2048
+#include <isc/lang.h>
+#include <isc/socket.h>
+#include <isc/buffer.h>
+#include <isc/bufferlist.h>
+#include <isc/sockaddr.h>
+#include <isc/boolean.h>
+#include <isc/mem.h>
+#include <isc/list.h>
+#include <isc/print.h>
+
+#define MXSERV 4
+#define MXNAME 256
+#define MXRD 32
+#define BUFSIZE 512
+#define COMMSIZE 32767
+#define RESOLVCONF "/etc/resolv.conf"
+#define LOOKUP_LIMIT 64
+/* Lookup_limit is just a limiter, keeping too many lookups from being
+ * created.  It's job is mainly to prevent the program from running away
+ * in a tight loop of constant lookups.  It's value is arbitrary.
+ */
+#define ROOTNS 1
+/* Set the number of root servers to ask for information when running in
+ * trace mode.
+ * XXXMWS -- trace mode is currently semi-broken, and this number *MUST*
+ * be 1.
+ */
+
+ISC_LANG_BEGINDECLS
+
+typedef struct dig_lookup dig_lookup_t;
+typedef struct dig_query dig_query_t;
+typedef struct dig_server dig_server_t;
+typedef struct dig_searchlist dig_searchlist_t;
+
+struct dig_lookup {
+	isc_boolean_t
+	        pending, /* Pending a successful answer */
+		waiting_connect,
+		doing_xfr,
+		ns_search_only,
+		use_my_server_list,
+		identify,
+		recurse,
+		aaonly,
+		trace,
+		trace_root,
+		defname,
+		tcp_mode,
+		comments,
+		stats,
+		section_question,
+		section_answer,
+		section_authority,
+		section_additional;
+	char textname[MXNAME]; /* Name we're going to be looking up */
+	char rttext[MXRD]; /* rdata type text */
+	char rctext[MXRD]; /* rdata class text */
+	char namespace[BUFSIZE];
+	char onamespace[BUFSIZE];
+	isc_buffer_t namebuf;
+	isc_buffer_t onamebuf;
+	isc_buffer_t sendbuf;
+	char sendspace[COMMSIZE];
+	dns_name_t *name;
+	isc_timer_t *timer;
+	isc_interval_t interval;
+	dns_message_t *sendmsg;
+	dns_name_t *oname;
+	ISC_LINK(dig_lookup_t) link;
+	ISC_LIST(dig_query_t) q;
+	ISC_LIST(dig_server_t) my_server_list;
+	dig_searchlist_t *origin;
+	dig_query_t *xfr_q;
+	int retries;
+	int nsfound;
+	isc_uint16_t udpsize;
+};
+
+struct dig_query {
+	dig_lookup_t *lookup;
+	isc_boolean_t working,
+		waiting_connect,
+		first_pass,
+		first_soa_rcvd;
+	int retries;
+	char *servname;
+	isc_bufferlist_t sendlist,
+		recvlist,
+		lengthlist;
+	isc_buffer_t recvbuf,
+		lengthbuf,
+		slbuf;
+	char recvspace[COMMSIZE],
+		lengthspace[4],
+		slspace[4];
+	isc_socket_t *sock;
+	ISC_LINK(dig_query_t) link;
+	isc_sockaddr_t sockaddr;
+	isc_time_t time_sent;
+};
+
+struct dig_server {
+	char servername[MXNAME];
+	ISC_LINK(dig_server_t) link;
+};
+
+struct dig_searchlist {
+	char origin[MXNAME];
+	ISC_LINK(dig_searchlist_t) link;
+};
+
+/* Routines in dighost.c */
+void
+get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr);
+void
+fatal(char *format, ...) ;
+void
+debug(char *format, ...) ;
+void
+check_result(isc_result_t result, char *msg);
+isc_boolean_t
+isclass(char *text) ;
+isc_boolean_t
+istype(char *text) ;
+void
+setup_lookup(dig_lookup_t *lookup);
+void
+do_lookup(dig_lookup_t *lookup);
+void
+start_lookup (void);
+void
+send_udp(dig_lookup_t *lookup);
+int
+dhmain(int argc, char **argv);
+void
+setup_libs(void);
+void
+setup_system(void);
+void
+free_lists(int exitcode);
+dig_lookup_t
+*requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers);
+
+
+/* Routines needed in dig.c and host.c */
+isc_result_t
+printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) ;
+void
+received(int bytes, int frmsize, char *frm, dig_query_t *query);
+void
+trying(int frmsize, char *frm, dig_lookup_t *lookup);
+void
+dighost_shutdown(void);
+
+ISC_LANG_ENDDECLS
+
+#endif
diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
new file mode 100644
index 00000000..2a94160d
--- /dev/null
+++ b/bin/dig/nslookup.c
@@ -0,0 +1,866 @@
+/*
+ * Copyright (C) 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+extern int h_errno;
+
+#include <isc/app.h>
+#include <isc/string.h>
+#include <isc/util.h>
+#include <isc/mutex.h>
+#include <isc/condition.h>
+#include <isc/commandline.h>
+#include <isc/timer.h>
+
+#include <dns/message.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatatype.h>
+
+#include <dig/dig.h>
+
+extern ISC_LIST(dig_lookup_t) lookup_list;
+extern ISC_LIST(dig_server_t) server_list;
+extern ISC_LIST(dig_searchlist_t) search_list;
+
+extern isc_boolean_t have_ipv6, show_details,
+	usesearch, trace, qr;
+extern in_port_t port;
+extern unsigned int timeout;
+extern isc_mem_t *mctx;
+extern isc_taskmgr_t *taskmgr;
+extern isc_task_t *task;
+extern isc_timermgr_t *timermgr;
+extern isc_socketmgr_t *socketmgr;
+extern dns_messageid_t id;
+extern char *rootspace[BUFSIZE];
+extern isc_buffer_t rootbuf;
+extern int sendcount;
+extern int ndots;
+extern int tries;
+extern int lookup_counter;
+extern char fixeddomain[MXNAME];
+extern int exitcode;
+
+isc_boolean_t short_form = ISC_TRUE, printcmd = ISC_TRUE,
+	filter = ISC_FALSE, showallsoa = ISC_FALSE,
+	tcpmode = ISC_FALSE;
+
+isc_uint16_t bufsize = 0;
+isc_boolean_t identify = ISC_FALSE,
+	trace = ISC_FALSE, ns_search_only = ISC_FALSE,
+	forcecomment = ISC_FALSE, stats = ISC_TRUE,
+	comments = ISC_TRUE, section_question = ISC_TRUE,
+	section_answer = ISC_TRUE, section_authority = ISC_TRUE,
+	section_additional = ISC_TRUE, recurse = ISC_TRUE,
+	defname = ISC_TRUE, aaonly = ISC_FALSE;
+isc_mutex_t lock;
+isc_condition_t cond;
+isc_boolean_t busy = ISC_FALSE, in_use = ISC_FALSE;
+char defclass[MXRD] = "IN";
+char deftype[MXRD] = "A";
+
+static char *rcodetext[] = {
+	"NOERROR",
+	"FORMERR",
+	"SERVFAIL",
+	"NXDOMAIN",
+	"NOTIMPL",
+	"REFUSED",
+	"YXDOMAIN",
+	"YXRRSET",
+	"NXRRSET",
+	"NOTAUTH",
+	"NOTZONE",
+	"RESERVED11",
+	"RESERVED12",
+	"RESERVED13",
+	"RESERVED14",
+	"RESERVED15",
+	"BADVERS"
+};
+
+static char *rtypetext[] = {
+	"rtype_0 = ",			/* 0 */
+	"internet address = ",		/* 1 */
+	"nameserver = ",		/* 2 */
+	"md = ",			/* 3 */
+	"mf = ",			/* 4 */
+	"canonical name = ",		/* 5 */
+	"soa = ",		       	/* 6 */
+	"mb = ",		       	/* 7 */	
+	"mg = ",		       	/* 8 */
+	"mr = ",		       	/* 9 */
+	"rtype_10 = ",		       	/* 10 */
+	"protocol = ",			/* 11 */
+	"name = ",			/* 12 */
+	"hinfo = ",			/* 13 */
+	"minfo = ",			/* 14 */
+	"mail exchanger = ",	       	/* 15 */
+	"text = ",			/* 16 */
+	"rp = ",       			/* 17 */
+	"afsdb = ",			/* 18 */
+	"x25 address = ",		/* 19 */
+	"isdn address = ",		/* 20 */
+	"rt = "				/* 21 */
+	"nsap = ",			/* 22 */
+	"nsap_ptr = ",			/* 23 */
+	"signature = ",			/* 24 */
+	"key = ",			/* 25 */
+	"px = ",		       	/* 26 */
+	"gpos = ",		       	/* 27 */
+	"has AAAA address",	        /* 28 */
+	"loc = ",		       	/* 29 */
+	"next = ",			/* 30 */
+	"rtype_31 = ",			/* 31 */
+	"rtype_32 = ",			/* 32 */
+	"service = ",	       		/* 33 */
+	"rtype_34 = ",			/* 34 */
+	"naptr = ",			/* 35 */
+	"kx = ",			/* 36 */
+	"cert = ",			/* 37 */
+	"v6 address = ",		/* 38 */
+	"dname = ",			/* 39 */
+	"rtype_40 = ",       		/* 40 */
+	"optional = "};			/* 41 */
+
+
+static void
+show_usage() {
+	fputs (
+"Usage:\n"
+, stderr);
+}				
+
+void
+dighost_shutdown(void) {
+	isc_mutex_lock(&lock);
+	busy = ISC_FALSE;
+	isc_condition_signal(&cond);
+	isc_mutex_unlock(&lock);
+
+}
+void
+received(int bytes, int frmsize, char *frm, dig_query_t *query) {
+	UNUSED (bytes);
+	UNUSED (frmsize);
+	UNUSED (frm);
+	UNUSED (query);
+}
+
+void
+trying(int frmsize, char *frm, dig_lookup_t *lookup) {
+	UNUSED (frmsize);
+	UNUSED (frm);
+	UNUSED (lookup);
+
+}
+
+
+static isc_result_t
+printsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers,
+	     dns_section_t section) {
+	isc_result_t result, loopresult;
+	isc_buffer_t *b = NULL;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdata_t rdata;
+	char *ptr;
+
+	UNUSED (query);
+	UNUSED (headers);
+
+	debug("printsection()");
+
+	/*
+	 * Exitcode 9 means we timed out, but if we're printing a message,
+	 * we much have recovered.  Go ahead and reset it to code 0, and
+	 * call this a success.
+	 */
+	if (exitcode == 9)
+		exitcode = 0;
+
+	result = dns_message_firstname(msg, section);
+	if (result == ISC_R_NOMORE)
+		return (ISC_R_SUCCESS);
+	else if (result != ISC_R_SUCCESS)
+		return (result);
+	result = isc_buffer_allocate(mctx, &b, MXNAME);
+	check_result(result, "isc_buffer_allocate");
+	for (;;) {
+		name = NULL;
+		dns_message_currentname(msg, section, 
+					&name);
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			loopresult = dns_rdataset_first(rdataset);
+			while (loopresult == ISC_R_SUCCESS) {
+				dns_rdataset_current(rdataset, &rdata);
+				switch (rdata.type) {
+				case dns_rdatatype_a:
+					if (section != DNS_SECTION_ANSWER)
+						goto def_short_section;
+					isc_buffer_clear(b);
+					result = dns_name_totext(name,
+							ISC_TRUE,
+							b);
+					check_result(result,
+						     "dns_name_totext");
+					printf("Name:\t%.*s\n",
+					       (int)isc_buffer_usedlength(b),
+					       (char*)isc_buffer_base(b));
+					isc_buffer_clear(b);
+					result = dns_rdata_totext(&rdata,
+								  NULL,
+								  b);
+					check_result(result,
+						     "dns_rdata_totext");
+					printf("Address: %.*s\n",
+					       (int)isc_buffer_usedlength(b),
+					       (char*)isc_buffer_base(b));
+					break;
+				case dns_rdatatype_soa:
+					isc_buffer_clear(b);
+					result = dns_name_totext(name,
+							ISC_TRUE,
+							b);
+					check_result(result,
+						     "dns_name_totext");
+					printf("%.*s\n",
+					       (int)isc_buffer_usedlength(b),
+					       (char*)isc_buffer_base(b));
+					isc_buffer_clear(b);
+					result = dns_rdata_totext(&rdata,
+								  NULL,
+								  b);
+					check_result(result,
+						     "dns_rdata_totext");
+					isc_buffer_used(b)[0]=0;
+					ptr = strtok(isc_buffer_base(b),
+						     " \t\r\n");
+					if (ptr == NULL)
+						break;
+					printf("\torigin = %s\n",
+					       ptr);
+					ptr = strtok(NULL, " \t\r\n");
+					if (ptr == NULL)
+						break;
+					printf("\tmail addr = %s\n",
+					       ptr);
+					ptr = strtok(NULL, " \t\r\n");
+					if (ptr == NULL)
+						break;
+					ptr = strtok(NULL, " \t\r\n");
+					if (ptr == NULL)
+						break;
+					printf("\tserial = %s\n",
+					       ptr);
+					ptr = strtok(NULL, " \t\r\n");
+					if (ptr == NULL)
+						break;
+					printf("\trefresh = %s\n",
+					       ptr);
+					ptr = strtok(NULL, " \t\r\n");
+					if (ptr == NULL)
+						break;
+					printf("\tretry = %s\n",
+					       ptr);
+					ptr = strtok(NULL, " \t\r\n");
+					if (ptr == NULL)
+						break;
+					printf("\texpire = %s\n",
+					       ptr);
+					ptr = strtok(NULL, " \t\r\n");
+					if (ptr == NULL)
+						break;
+					printf("\tminimum = %s\n",
+					       ptr);
+					break;
+				default:
+				def_short_section:
+					isc_buffer_clear(b);
+					result = dns_name_totext(name,
+							ISC_TRUE,
+							b);
+					check_result(result,
+						     "dns_name_totext");
+					if (rdata.type <= 41)
+						printf ("%.*s\t%s",
+						(int)isc_buffer_usedlength(b),
+						(char*)isc_buffer_base(b),
+						rtypetext[rdata.type]);
+					else
+						printf ("%.*s\trdata_%d = ",
+						(int)isc_buffer_usedlength(b),
+						(char*)isc_buffer_base(b),
+						 rdata.type);
+					isc_buffer_clear(b);
+					result = dns_rdata_totext(&rdata, 
+								  NULL, b);
+					check_result(result,
+						     "dns_rdata_totext");
+					printf("%.*s\n",
+					       (int)isc_buffer_usedlength(b),
+					       (char*)isc_buffer_base(b));
+				}	
+				loopresult = dns_rdataset_next(rdataset);
+			}
+		}
+		result = dns_message_nextname(msg, section);
+		if (result == ISC_R_NOMORE)
+			break;
+		else if (result != ISC_R_SUCCESS) {
+			isc_buffer_free (&b);
+			return (result);
+		}
+	}
+	isc_buffer_free(&b);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+detailsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers,
+	     dns_section_t section) {
+	isc_result_t result, loopresult;
+	isc_buffer_t *b = NULL;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdata_t rdata;
+	char *ptr;
+
+	UNUSED (query);
+
+	debug("printsection()");
+
+	/*
+	 * Exitcode 9 means we timed out, but if we're printing a message,
+	 * we much have recovered.  Go ahead and reset it to code 0, and
+	 * call this a success.
+	 */
+	if (exitcode == 9)
+		exitcode = 0;
+
+	if (headers) {
+		switch (section) {
+		case DNS_SECTION_QUESTION:
+			puts ("    QUESTIONS:");
+			break;
+		case DNS_SECTION_ANSWER:
+			puts ("    ANSWERS:");
+			break;
+		case DNS_SECTION_AUTHORITY:
+			puts ("    AUTHORITY RECORDS:");
+			break;
+		case DNS_SECTION_ADDITIONAL:
+			puts ("    ADDITIONAL RECORDS:");
+			break;
+		}
+	}
+
+	result = dns_message_firstname(msg, section);
+	if (result == ISC_R_NOMORE)
+		return (ISC_R_SUCCESS);
+	else if (result != ISC_R_SUCCESS)
+		return (result);
+	result = isc_buffer_allocate(mctx, &b, MXNAME);
+	check_result(result, "isc_buffer_allocate");
+	for (;;) {
+		name = NULL;
+		dns_message_currentname(msg, section, 
+					&name);
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			loopresult = dns_rdataset_first(rdataset);
+			while (loopresult == ISC_R_SUCCESS) {
+				dns_rdataset_current(rdataset, &rdata);
+				isc_buffer_clear(b);
+				result = dns_name_totext(name,
+							 ISC_TRUE,
+							 b);
+				check_result(result,
+					     "dns_name_totext");
+				printf("    ->  %.*s\n",
+				       (int)isc_buffer_usedlength(b),
+				       (char*)isc_buffer_base(b));
+				switch (rdata.type) {
+				case dns_rdatatype_soa:
+					isc_buffer_clear(b);
+					result = dns_rdata_totext(&rdata,
+								  NULL,
+								  b);
+					check_result(result,
+						     "dns_rdata_totext");
+					isc_buffer_used(b)[0]=0;
+					ptr = strtok(isc_buffer_base(b),
+						     " \t\r\n");
+					if (ptr == NULL)
+						break;
+					printf("\torigin = %s\n",
+					       ptr);
+					ptr = strtok(NULL, " \t\r\n");
+					if (ptr == NULL)
+						break;
+					printf("\tmail addr = %s\n",
+					       ptr);
+					ptr = strtok(NULL, " \t\r\n");
+					if (ptr == NULL)
+						break;
+					ptr = strtok(NULL, " \t\r\n");
+					if (ptr == NULL)
+						break;
+					printf("\tserial = %s\n",
+					       ptr);
+					ptr = strtok(NULL, " \t\r\n");
+					if (ptr == NULL)
+						break;
+					printf("\trefresh = %s\n",
+					       ptr);
+					ptr = strtok(NULL, " \t\r\n");
+					if (ptr == NULL)
+						break;
+					printf("\tretry = %s\n",
+					       ptr);
+					ptr = strtok(NULL, " \t\r\n");
+					if (ptr == NULL)
+						break;
+					printf("\texpire = %s\n",
+					       ptr);
+					ptr = strtok(NULL, " \t\r\n");
+					if (ptr == NULL)
+						break;
+					printf("\tminimum = %s\n",
+					       ptr);
+					break;
+				default:
+					isc_buffer_clear(b);
+					if (rdata.type <= 41)
+						printf ("\t%s",
+						rtypetext[rdata.type]);
+					else
+						printf ("\trdata_%d = ",
+						 rdata.type);
+					isc_buffer_clear(b);
+					result = dns_rdata_totext(&rdata, 
+								  NULL, b);
+					check_result(result,
+						     "dns_rdata_totext");
+					printf("%.*s\n",
+					       (int)isc_buffer_usedlength(b),
+					       (char*)isc_buffer_base(b));
+				}	
+				loopresult = dns_rdataset_next(rdataset);
+			}
+		}
+		result = dns_message_nextname(msg, section);
+		if (result == ISC_R_NOMORE)
+			break;
+		else if (result != ISC_R_SUCCESS) {
+			isc_buffer_free (&b);
+			return (result);
+		}
+	}
+	isc_buffer_free(&b);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
+	isc_buffer_t *b = NULL;
+	isc_region_t r;
+	isc_result_t result;
+
+	debug ("printmessage()");
+
+	if (msg->rcode != 0) {
+		result = isc_buffer_allocate(mctx, &b, MXNAME);
+		check_result(result, "isc_buffer_allocate");
+		result = dns_name_totext(query->lookup->name, ISC_FALSE,
+					 b);
+		check_result(result, "dns_name_totext");
+		isc_buffer_usedregion(b, &r);
+		printf("** server can't find %.*s: %s\n",
+		       (int)r.length, (char*)r.base,
+		       rcodetext[msg->rcode]);
+		isc_buffer_free(&b);
+		debug ("Returning with rcode == 0");
+		return (ISC_R_SUCCESS);
+	}
+	debug ("Continuing on with rcode != 0");
+	result = isc_buffer_allocate(mctx, &b, MXNAME);
+	check_result(result, "isc_buffer_allocate");
+	printf("Server:\t\t%s\n", query->servname);
+	result = isc_sockaddr_totext(&query->sockaddr, b);
+	check_result(result, "isc_sockaddr_totext");
+	printf("Address:\t%.*s\n", (int)isc_buffer_usedlength(b),
+	       (char*)isc_buffer_base(b));
+	isc_buffer_free(&b);
+	puts("");
+	if (!short_form){
+		puts ("------------");
+		/*		detailheader(query, msg);*/
+		detailsection(query, msg, headers, DNS_SECTION_QUESTION);
+		detailsection(query, msg, headers, DNS_SECTION_ANSWER);
+		detailsection(query, msg, headers, DNS_SECTION_AUTHORITY);
+		detailsection(query, msg, headers, DNS_SECTION_ADDITIONAL);
+		puts ("------------");
+	}
+	
+	if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0)
+		puts ("Non-authorative answer:");
+	printsection(query, msg, headers, DNS_SECTION_ANSWER);
+	
+	if (((msg->flags & DNS_MESSAGEFLAG_AA) == 0) &&
+	    (strcasecmp(query->lookup->rttext,"a") != 0)) {
+		puts ("\nAuthorative answers can be found from:");
+		printsection(query, msg, headers,
+			     DNS_SECTION_AUTHORITY);
+		printsection(query, msg, headers,
+			     DNS_SECTION_ADDITIONAL);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static void
+show_settings(isc_boolean_t full) {
+	dig_server_t *srv;
+	isc_sockaddr_t sockaddr;
+	isc_buffer_t *b = NULL;
+	isc_result_t result;
+	
+	srv = ISC_LIST_HEAD(server_list);
+
+	while (srv != NULL) {
+		result = isc_buffer_allocate(mctx, &b, MXNAME);
+		check_result(result, "isc_buffer_allocate");
+		get_address(srv->servername, 53, &sockaddr);
+		result = isc_sockaddr_totext(&sockaddr, b);
+		check_result(result, "isc_sockaddr_totext");
+		printf ("Default server: %s\nAddress: %.*s\n",
+			srv->servername, (int)isc_buffer_usedlength(b),
+			(char*)isc_buffer_base(b));
+		isc_buffer_free(&b);
+		if (!full)
+			return;
+		srv = ISC_LIST_NEXT(srv, link);
+	}
+	printf ("\n\tSet options:\n");
+	printf ("\t  %s\t\t\t%s\t\t%s\n",
+		tcpmode?"vc":"novc", short_form?"nodebug":"debug",
+		recurse?"recurse":"norecurse");
+	printf ("\t  %s\t\t%s\t\tport = %d\n",
+		defname?"defname":"nodefname",
+		usesearch?"search":"nosearch",
+		port);
+	printf ("\t  timeout = %d\t\tretry = %d\n",
+		timeout, tries);
+	printf ("\t  querytype = %-8s\tclass=%s\n",deftype, defclass);
+
+
+}
+
+static void
+setoption(char *opt) {
+
+	if (strncasecmp(opt,"all",4) == 0) {
+		show_settings(ISC_TRUE);
+	} else if (strncasecmp(opt, "class=", 6) == 0) {
+		strncpy(defclass, &opt[6], MXRD);
+	} else if (strncasecmp(opt, "cl=", 3) == 0) {
+		strncpy(defclass, &opt[3], MXRD);
+	} else if (strncasecmp(opt, "type=", 5) == 0) {
+		strncpy(deftype, &opt[5], MXRD);
+	} else if (strncasecmp(opt, "ty=", 3) == 0) {
+		strncpy(deftype, &opt[3], MXRD);
+	} else if (strncasecmp(opt, "querytype=", 10) == 0) {
+		strncpy(deftype, &opt[10], MXRD);
+	} else if (strncasecmp(opt, "query=", 6) == 0) {
+		strncpy(deftype, &opt[6], MXRD);
+	} else if (strncasecmp(opt, "qu=", 3) == 0) {
+		strncpy(deftype, &opt[3], MXRD);
+	} else if (strncasecmp(opt, "domain=", 7) == 0) {
+		strncpy(fixeddomain, &opt[7], MXNAME);
+	} else if (strncasecmp(opt, "do=", 3) == 0) {
+		strncpy(fixeddomain, &opt[3], MXNAME);
+	} else if (strncasecmp(opt, "port=", 5) == 0) {
+		port = atoi(&opt[5]);
+	} else if (strncasecmp(opt, "po=", 3) == 0) {
+		port = atoi(&opt[3]);
+	} else if (strncasecmp(opt, "timeout=", 8) == 0) {
+		timeout = atoi(&opt[8]);
+	} else if (strncasecmp(opt, "t=", 2) == 0) {
+		timeout = atoi(&opt[2]);
+	} else if (strncasecmp(opt, "retry=", 6) == 0) {
+		tries = atoi(&opt[6]);
+	} else if (strncasecmp(opt, "ret=", 4) == 0) {
+		tries = atoi(&opt[4]);
+ 	} else if (strncasecmp(opt, "def", 3) == 0) {
+		defname = ISC_TRUE;
+	} else if (strncasecmp(opt, "nodef", 5) == 0) {
+		defname = ISC_FALSE;
+ 	} else if (strncasecmp(opt, "deb", 3) == 0) {
+		short_form = ISC_FALSE;
+	} else if (strncasecmp(opt, "nodeb", 5) == 0) {
+		short_form = ISC_TRUE;
+	}
+}
+
+static void
+addlookup(char *opt) {
+	dig_lookup_t *lookup;
+
+	debug ("addlookup()");
+	lookup_counter++;
+	if (lookup_counter > LOOKUP_LIMIT)
+		fatal ("Too many lookups.");
+	lookup = isc_mem_allocate(mctx, sizeof(struct dig_lookup));
+	if (lookup == NULL)
+		fatal("Memory allocation failure.");
+	lookup->pending = ISC_FALSE;
+	strncpy(lookup->textname, opt, MXNAME-1);
+	strncpy (lookup->rttext, deftype, MXNAME);
+	strncpy (lookup->rctext, defclass, MXNAME);
+	lookup->namespace[0]=0;
+	lookup->sendspace[0]=0;
+	lookup->sendmsg=NULL;
+	lookup->name=NULL;
+	lookup->oname=NULL;
+	lookup->timer = NULL;
+	lookup->xfr_q = NULL;
+	lookup->origin = NULL;
+	lookup->use_my_server_list = ISC_FALSE;
+	lookup->doing_xfr = ISC_FALSE;
+	lookup->defname = ISC_FALSE;
+	lookup->trace = (trace || ns_search_only);
+	lookup->trace_root = trace;
+	lookup->ns_search_only = ns_search_only;
+	lookup->identify = identify;
+	lookup->recurse = recurse;
+	lookup->aaonly = aaonly;
+	lookup->retries = tries;
+	lookup->udpsize = bufsize;
+	lookup->nsfound = 0;
+	lookup->comments = comments;
+	lookup->tcp_mode = tcpmode;
+	lookup->stats = stats;
+	lookup->section_question = section_question;
+	lookup->section_answer = section_answer;
+	lookup->section_authority = section_authority;
+	lookup->section_additional = section_additional;
+	ISC_LIST_INIT(lookup->q);
+	ISC_LIST_APPEND(lookup_list, lookup, link);
+	lookup->origin = NULL;
+	ISC_LIST_INIT(lookup->my_server_list);
+	debug("Looking up %s", lookup->textname);
+}
+
+static void
+flush_server_list() {
+	dig_server_t *s, *ps;
+
+	debug ("flush_lookup_list()");
+	s = ISC_LIST_HEAD(server_list);
+	while (s != NULL) {
+		ps = s;
+		s = ISC_LIST_NEXT(s, link);
+		ISC_LIST_DEQUEUE(server_list, ps, link);
+		isc_mem_free(mctx, ps);
+	}
+
+}
+
+/* 
+ * This works on the global server list, instead of on a per-lookup
+ * server list, since the change is persistent.
+ */
+static void
+setsrv(char *opt) {
+	dig_server_t *srv;
+
+	flush_server_list();
+	srv=isc_mem_allocate(mctx, sizeof(struct dig_server));
+	if (srv == NULL)
+		fatal("Memory allocation failure.");
+	strncpy(srv->servername, opt, MXNAME-1);
+	ISC_LIST_APPEND(server_list, srv, link);
+}
+
+static void
+get_next_command() {
+	char input[COMMSIZE];
+	char *ptr, *arg;
+
+	fputs("> ", stderr);
+	ptr = fgets(input, COMMSIZE, stdin);
+	if (ptr == NULL) {
+		in_use = ISC_FALSE;
+		return;
+	}
+	ptr = strtok(input, " \t\r\n");
+	if (ptr == NULL) {
+		in_use = ISC_FALSE;
+		return;
+	}
+	arg = strtok(NULL, " \t\r\n");
+	if ((strcasecmp(ptr, "set") == 0) &&
+	    (arg != NULL))
+		setoption(arg);
+	else if ((strcasecmp(ptr, "server") == 0) ||
+		 (strcasecmp(ptr, "lserver") == 0)) {
+		printf("Server:\t%s\n", arg); 
+		setsrv(arg);
+	} else 
+		addlookup(ptr);
+}
+
+static void
+parse_args(int argc, char **argv) {
+	dig_lookup_t *lookup = NULL;
+	isc_boolean_t have_host = ISC_FALSE;
+
+	for (argc--, argv++; argc > 0; argc--, argv++) {
+		debug ("Main parsing %s", argv[0]);
+		if (argv[0][0] == '-') {
+			if ((argv[0][1] == 'h') &&
+			    (argv[0][2] == 0)) {
+				show_usage();
+				exit (1);
+			}
+			if (argv[0][1] != 0)
+				setoption(&argv[0][1]);
+			else {
+				
+		} else {
+			if (lookup == NULL) {
+				in_use = ISC_TRUE;
+				addlookup(argv[0]);
+			}
+			else
+				setsrv(argv[0]);
+		}
+	}
+}
+
+static void
+flush_lookup_list(void) {
+	dig_lookup_t *l, *lp;
+	dig_query_t *q, *qp;
+	dig_server_t *s, *sp;
+
+	lookup_counter = 0;
+	l = ISC_LIST_HEAD(lookup_list);
+	while (l != NULL) {
+		q = ISC_LIST_HEAD(l->q);
+		while (q != NULL) {
+			if (q->sock != NULL) {
+				isc_socket_cancel(q->sock, NULL,
+						  ISC_SOCKCANCEL_ALL);
+				isc_socket_detach(&q->sock);
+			}
+			if (ISC_LINK_LINKED(&q->recvbuf, link))
+				ISC_LIST_DEQUEUE(q->recvlist, &q->recvbuf,
+						 link);
+			if (ISC_LINK_LINKED(&q->lengthbuf, link))
+				ISC_LIST_DEQUEUE(q->lengthlist, &q->lengthbuf,
+						 link);
+			isc_buffer_invalidate(&q->recvbuf);
+			isc_buffer_invalidate(&q->lengthbuf);
+			qp = q;
+			q = ISC_LIST_NEXT(q, link);
+			ISC_LIST_DEQUEUE(l->q, qp, link);
+			isc_mem_free(mctx, qp);
+		}
+		if (l->use_my_server_list) {
+			s = ISC_LIST_HEAD(l->my_server_list);
+			while (s != NULL) {
+				sp = s;
+				s = ISC_LIST_NEXT(s, link);
+				ISC_LIST_DEQUEUE(l->my_server_list, sp, link);
+				isc_mem_free(mctx, sp);
+
+			}
+		}
+		if (l->sendmsg != NULL)
+			dns_message_destroy(&l->sendmsg);
+		if (l->timer != NULL)
+			isc_timer_detach(&l->timer);
+		lp = l;
+		l = ISC_LIST_NEXT(l, link);
+		ISC_LIST_DEQUEUE(lookup_list, lp, link);
+		isc_mem_free(mctx, lp);
+	}
+}	
+
+int
+main(int argc, char **argv) {
+	isc_result_t result;
+
+	ISC_LIST_INIT(lookup_list);
+	ISC_LIST_INIT(server_list);
+	ISC_LIST_INIT(search_list);
+
+	setup_libs();
+	result = isc_mutex_init(&lock);
+	check_result(result, "isc_mutex_init");
+	result = isc_condition_init(&cond);
+	check_result(result, "isc_condition_init");
+	result = isc_mutex_trylock(&lock);
+	check_result(result, "isc_mutex_trylock");
+
+	parse_args(argc, argv);
+	setup_system();
+
+	if (in_use) {
+		busy = ISC_TRUE;
+		start_lookup();
+		while (busy) {
+			result = isc_condition_wait(&cond, &lock);
+			check_result(result, "isc_condition_wait");
+		}
+		flush_lookup_list();
+		in_use = ISC_FALSE;
+	} else {
+		show_settings(ISC_FALSE);
+		in_use = ISC_TRUE;
+	}
+
+	while (in_use) {
+		get_next_command();
+		if (ISC_LIST_HEAD(lookup_list) != NULL) {
+			busy = ISC_TRUE;
+			start_lookup();
+			while (busy) {
+				result = isc_condition_wait(&cond, &lock);
+				check_result(result, "isc_condition_wait");
+			}
+			flush_lookup_list();
+		}
+	}
+
+	puts ("");
+	debug ("Fell through app_run");
+	free_lists(0);
+	isc_mutex_destroy(&lock);
+	isc_condition_destroy(&cond);
+	
+	return (0);
+}
+
diff --git a/bin/dnssec/.cvsignore b/bin/dnssec/.cvsignore
new file mode 100644
index 00000000..34694852
--- /dev/null
+++ b/bin/dnssec/.cvsignore
@@ -0,0 +1,5 @@
+Makefile
+dnssec-keygen
+dnssec-makekeyset
+dnssec-signkey
+dnssec-signzone
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
new file mode 100644
index 00000000..218b5d6d
--- /dev/null
+++ b/bin/dnssec/Makefile.in
@@ -0,0 +1,75 @@
+# Copyright (C) 1998, 1999, 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_INCLUDES@
+
+CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@
+
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+
+LIBS =		@LIBS@
+
+SUBDIRS = 
+
+# Alphabetically
+TARGETS =	dnssec-keygen \
+		dnssec-makekeyset \
+		dnssec-signkey \
+		dnssec-signzone
+
+SRCS =		dnssec-keygen.c \
+		dnssec-makekeyset.c \
+		dnssec-signkey.c \
+		dnssec-signzone.c
+
+@BIND9_MAKE_RULES@
+
+dnssec-keygen: dnssec-keygen.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL} ${CC} ${CFLAGS} -o $@ dnssec-keygen.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+dnssec-makekeyset: dnssec-makekeyset.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL} ${CC} ${CFLAGS} -o $@ dnssec-makekeyset.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+dnssec-signkey: dnssec-signkey.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL} ${CC} ${CFLAGS} -o $@ dnssec-signkey.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+dnssec-signzone: dnssec-signzone.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL} ${CC} ${CFLAGS} -o $@ dnssec-signzone.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+clean distclean::
+	rm -f ${TARGETS}
+
+installdirs:
+	if [ ! -d ${DESTDIR}${sbindir} ]; then \
+		mkdir ${DESTDIR}${sbindir}; \
+	fi
+
+install:: ${TARGSTS} installdirs
+	${LIBTOOL} ${INSTALL_PROGRAM} ${TARGETS} ${DESTDIR}${sbindir}
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
new file mode 100644
index 00000000..045ac031
--- /dev/null
+++ b/bin/dnssec/dnssec-keygen.c
@@ -0,0 +1,384 @@
+/*
+ * Portions Copyright (c) 1995-2000 by Network Associates, Inc.
+ *
+ * Permission to use, copy modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND NETWORK ASSOCIATES
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL
+ * TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
+ */
+
+/* $Id: dnssec-keygen.c,v 1.23 2000/05/19 00:20:39 bwelling Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/mem.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/secalg.h>
+#include <dst/dst.h>
+#include <dst/result.h>
+
+#define PROGRAM "dnssec-keygen"
+
+#define MAX_RSA 2048 /* XXX ogud update this when rsa library is updated */
+
+static int verbose;
+
+static void
+fatal(char *format, ...) {
+	va_list args;
+
+	fprintf(stderr, "%s: ", PROGRAM);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+	exit(1);
+}
+
+static inline void
+check_result(isc_result_t result, char *message) {
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "%s: %s: %s\n", PROGRAM, message,
+			isc_result_totext(result));
+		exit(1);
+	}
+}
+
+/* Not thread-safe! */
+static char *
+algtostr(const dns_secalg_t alg) {
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+	static char data[10];
+
+	isc_buffer_init(&b, data, sizeof(data));
+	result = dns_secalg_totext(alg, &b);
+	check_result(result, "dns_secalg_totext()");
+	isc_buffer_usedregion(&b, &r);
+	r.base[r.length] = 0;
+	return (char *) r.base;
+}
+
+static isc_boolean_t
+dsa_size_ok(int size) {
+	return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
+}
+
+static void
+usage() {
+	printf("Usage:\n");
+	printf("    %s [options] name\n\n", PROGRAM);
+	printf("Required options:\n");
+	printf("    -a algorithm: RSA | RSAMD5 | DH | DSA | HMAC-MD5\n");
+	printf("    -b key size, in bits:\n");
+	printf("        RSA:\t\t[512..%d]\n", MAX_RSA);
+	printf("        DH:\t\t[128..4096]\n");
+	printf("        DSA:\t\t[512..1024] and dividable by 64\n");
+	printf("        HMAC-MD5:\t[1..512]\n");
+	printf("    -n nametype: ZONE | HOST | ENTITY | USER\n");
+	printf("    name: owner of the key\n");
+	printf("Other options:\n");
+	printf("    -e use large exponent (RSA only)\n");
+	printf("    -g use specified generator (DH only)\n");
+	printf("    -t type: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF\n");
+	printf("        default: AUTHCONF\n");
+	printf("    -p protocol value\n");
+	printf("        default: 2 (email) for User keys, "
+	       			"3 (dnssec) for all others\n");
+	printf("    -s strength value this key signs DNS records with\n");
+	printf("        default: 0\n");
+	printf("    -v verbose level\n");
+
+	exit (-1);
+}
+
+int
+main(int argc, char **argv) {
+	char		*algname = NULL, *nametype = NULL, *type = NULL;
+	char		*prog, *endp;
+	dst_key_t	*key = NULL, *oldkey;
+	char		*name = NULL;
+	isc_uint16_t	flags = 0;
+	dns_secalg_t	alg;
+	isc_boolean_t    conflict = ISC_FALSE, null_key = ISC_FALSE;
+	isc_mem_t	*mctx = NULL;
+	int		ch, rsa_exp = 0, generator = 0, param = 0;
+	int		protocol = -1, size = -1, signatory = 0;
+	isc_result_t	ret;
+	isc_textregion_t r;
+	char		filename[255];
+	isc_buffer_t	buf;
+
+	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
+
+	if ((prog = strrchr(argv[0],'/')) == NULL)
+		prog = isc_mem_strdup(mctx, argv[0]);
+	else
+		prog = isc_mem_strdup(mctx, ++prog);
+	if (prog == NULL)
+		fatal("out of memory");
+
+	if (argc == 1)
+		usage();
+
+	while ((ch = isc_commandline_parse(argc, argv,
+					   "a:b:eg:n:t:p:s:hv:")) != -1)
+	{
+	    switch (ch) {
+		case 'a':
+			algname = isc_mem_strdup(mctx,
+						  isc_commandline_argument);
+			if (algname == NULL)
+				fatal("out of memory");
+			break;
+		case 'b':
+			size = strtol(isc_commandline_argument, &endp, 10);
+			if (*endp != '\0' || size < 0)
+				fatal("-b requires a non-negative number");
+			break;
+		case 'e':
+			rsa_exp = 1;
+			break;
+		case 'g':
+			generator = strtol(isc_commandline_argument, &endp, 10);
+			if (*endp != '\0' || generator <= 0)
+				fatal("-g requires a positive number");
+			break;
+		case 'n':
+			nametype = isc_mem_strdup(mctx,
+						  isc_commandline_argument);
+			if (nametype == NULL)
+				fatal("out of memory");
+			break;
+		case 't':
+			type = isc_mem_strdup(mctx, isc_commandline_argument);
+			if (type == NULL)
+				fatal("out of memory");
+			break;
+		case 'p':
+			protocol = strtol(isc_commandline_argument, &endp, 10);
+			if (*endp != '\0' || protocol < 0 || protocol > 255)
+				fatal("-p must be followed by a number "
+				      "[0..255]");
+			break;
+		case 's':
+			signatory = strtol(isc_commandline_argument,
+					   &endp, 10);
+			if (*endp != '\0' || signatory < 0 || signatory > 15)
+				fatal("-s must be followed by a number "
+				      "[0..15]");
+			break;
+		case 'v':
+			endp = NULL;
+			verbose = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0')
+				fatal("-v must be followed by a number");
+			break;
+
+		case 'h':
+			usage();
+		default:
+			fprintf(stderr, "%s: invalid argument -%c\n",
+				PROGRAM, ch);
+			usage();
+		} 
+	}
+
+	if (argc < isc_commandline_index + 1)
+		fatal("the key name was not specified");
+	if (argc > isc_commandline_index + 1)
+		fatal("extraneous arguments");
+
+	if (algname == NULL)
+		fatal("no algorithm was specified");
+	if (strcasecmp(algname, "RSA") == 0)
+		alg = DNS_KEYALG_RSA;
+	else if (strcasecmp(algname, "HMAC-MD5") == 0)
+		alg = DST_ALG_HMACMD5;
+	else {
+		r.base = algname;
+		r.length = strlen(algname);
+		ret = dns_secalg_fromtext(&alg, &r);
+		if (ret != ISC_R_SUCCESS)
+			fatal("unknown algorithm %s", algname);
+	}
+	if (dst_algorithm_supported(alg) == ISC_FALSE)
+		fatal("unsupported algorithm %s", algname);
+
+	if (type != NULL) {
+		if (strcasecmp(type, "NOAUTH") == 0)
+			flags |= DNS_KEYTYPE_NOAUTH;
+		else if (strcasecmp(type, "NOCONF") == 0)
+			flags |= DNS_KEYTYPE_NOCONF;
+		else if (strcasecmp(type, "NOAUTHCONF") == 0) {
+			flags |= (DNS_KEYTYPE_NOAUTH | DNS_KEYTYPE_NOCONF);
+			if (size < 0)
+				size = 0;
+		}
+		else if (strcasecmp(type, "AUTHCONF") == 0)
+			/* nothing */;
+		else
+			fatal("invalid type %s", type);
+	}
+
+	if (size < 0)
+		fatal("key size not specified (-b option)");
+
+	switch (alg) {
+	case DNS_KEYALG_RSA:
+		if (size != 0 && (size < 512 || size > MAX_RSA))
+			fatal("RSA key size %d out of range", size);
+		break;
+	case DNS_KEYALG_DH:
+		if (size != 0 && (size < 128 || size > 4096))
+			fatal("DH key size %d out of range", size);
+		break;
+	case DNS_KEYALG_DSA:
+		if (size != 0 && !dsa_size_ok(size))
+			fatal("Invalid DSS key size: %d", size);
+		break;
+	case DST_ALG_HMACMD5:
+		if (size < 1 || size > 512)
+			fatal("HMAC-MD5 key size %d out of range", size);
+		break;
+	}
+
+	if (alg != DNS_KEYALG_RSA && rsa_exp != 0)
+		fatal("specified RSA exponent without RSA");
+
+	if (alg != DNS_KEYALG_DH && generator != 0)
+		fatal("specified DH generator without DH");
+
+	if (nametype == NULL)
+		fatal("no nametype specified");
+	if (strcasecmp(nametype, "zone") == 0)
+		flags |= DNS_KEYOWNER_ZONE;
+	else if (strcasecmp(nametype, "host") == 0 ||
+		 strcasecmp(nametype, "entity") == 0)
+		flags |= DNS_KEYOWNER_ENTITY;
+	else if (strcasecmp(nametype, "user") == 0)
+		flags |= DNS_KEYOWNER_USER;
+	else
+		fatal("invalid nametype %s", nametype);
+
+	flags |= signatory;
+
+	if (protocol == -1) {
+		if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_USER)
+			protocol = DNS_KEYPROTO_EMAIL;
+		else
+			protocol = DNS_KEYPROTO_DNSSEC;
+	}
+
+	if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
+		if (size > 0)
+			fatal("Specified null key with non-zero size");
+		if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0)
+			fatal("Specified null key with signing authority");
+	}
+
+	name = isc_mem_allocate(mctx, strlen(argv[isc_commandline_index]) + 2);
+	if (name == NULL)
+		fatal("out of memory");
+	strcpy(name, argv[isc_commandline_index]);
+	if (name[strlen(name) - 1] != '.') {
+		strcat(name, ".");
+		fprintf(stderr,
+			"%s: added a trailing dot to fully qualify the name\n",
+			PROGRAM);
+	}
+
+	switch(alg) {
+	case DNS_KEYALG_RSA:
+		param = rsa_exp;
+		break;
+	case DNS_KEYALG_DH:
+		param = generator;
+		break;
+	case DNS_KEYALG_DSA:
+	case DST_ALG_HMACMD5:
+		param = 0;
+		break;
+	}
+
+	if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
+		null_key = ISC_TRUE;
+
+	isc_buffer_init(&buf, filename, sizeof(filename) - 1);
+	dst_result_register();
+
+	do { 
+		conflict = ISC_FALSE; 
+		oldkey = NULL;
+
+		/* generate the key */
+		ret = dst_key_generate(name, alg, size, param, flags, protocol,
+				       mctx, &key);
+
+		if (ret != ISC_R_SUCCESS) {
+			fatal("failed to generate key %s/%d: %s\n", name, alg,
+				dst_result_totext(ret));
+			exit(-1);
+		}
+		
+		/*
+		 * Try to read a key with the same name, alg and id from disk.
+		 * If there is one we must continue generating a new one 
+		 * unless we were asked to generate a null key, in which
+		 * case we return failure.
+		 */
+		ret = dst_key_fromfile(name, dst_key_id(key), alg, 
+				       DST_TYPE_PRIVATE, mctx, &oldkey);
+		/* do not overwrite an existing key  */
+		if (ret == ISC_R_SUCCESS) {
+			dst_key_free(&oldkey);
+			conflict = ISC_TRUE;
+			if (null_key)
+				break;
+		}
+		if (conflict == ISC_TRUE)
+			dst_key_free(&key);
+
+	} while (conflict == ISC_TRUE);
+
+	if (conflict)
+		fatal("cannot generate a null key when a key with id 0 "
+		      "already exists");
+
+	ret = dst_key_tofile(key, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE);
+	if (ret != ISC_R_SUCCESS)
+		fatal("failed to write key %s/%s/%d: %s\n", name, 
+			dst_key_id(key), algtostr(alg), isc_result_totext(ret));
+
+	isc_buffer_clear(&buf);
+	ret = dst_key_buildfilename(key, 0, &buf);
+	filename[isc_buffer_usedlength(&buf)] = 0;
+	printf("%s\n", filename);
+	isc_mem_free(mctx, name);
+	isc_mem_free(mctx, algname);
+	isc_mem_free(mctx, nametype);
+	isc_mem_free(mctx, prog);
+	if (type != NULL)
+		isc_mem_free(mctx, type);
+	dst_key_free(&key);
+	isc_mem_destroy(&mctx);
+
+	return (0);
+}
diff --git a/bin/dnssec/dnssec-makekeyset.c b/bin/dnssec/dnssec-makekeyset.c
new file mode 100644
index 00000000..aa6fca65
--- /dev/null
+++ b/bin/dnssec/dnssec-makekeyset.c
@@ -0,0 +1,453 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/commandline.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+#include <dns/time.h>
+
+#define PROGRAM "dnssec-makekeyset"
+
+#define BUFSIZE 2048
+
+typedef struct keynode keynode_t;
+struct keynode {
+	dst_key_t *key;
+	ISC_LINK(keynode_t) link;
+};
+typedef ISC_LIST(keynode_t) keylist_t;
+
+static isc_stdtime_t starttime = 0, endtime = 0, now;
+static int ttl = -1;
+static int verbose;
+
+static isc_mem_t *mctx = NULL;
+
+static keylist_t keylist;
+
+static void
+fatal(char *format, ...) {
+	va_list args;
+
+	fprintf(stderr, "%s: ", PROGRAM);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+	exit(1);
+}
+
+static inline void
+check_result(isc_result_t result, char *message) {
+	if (result != ISC_R_SUCCESS) {
+		fatal("%s: %s\n", message, isc_result_totext(result));
+		exit(1);
+	}
+}
+
+/* Not thread-safe! */
+static char *
+nametostr(dns_name_t *name) {
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+	static char data[1025];
+
+	isc_buffer_init(&b, data, sizeof(data));
+	result = dns_name_totext(name, ISC_FALSE, &b);
+	check_result(result, "dns_name_totext()");
+	isc_buffer_usedregion(&b, &r);
+	r.base[r.length] = 0;
+	return (char *) r.base;
+}
+
+/* Not thread-safe! */
+static char *
+algtostr(const dns_secalg_t alg) {
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+	static char data[10];
+
+	isc_buffer_init(&b, data, sizeof(data));
+	result = dns_secalg_totext(alg, &b);
+	check_result(result, "dns_secalg_totext()");
+	isc_buffer_usedregion(&b, &r);
+	r.base[r.length] = 0;
+	return (char *) r.base;
+}
+
+
+static isc_stdtime_t
+strtotime(char *str, isc_int64_t now, isc_int64_t base) {
+	isc_int64_t val, offset;
+	isc_result_t result;
+	char *endp = "";
+
+	if (str[0] == '+') {
+		offset = strtol(str + 1, &endp, 0);
+		val = base + offset;
+	}
+	else if (strncmp(str, "now+", 4) == 0) {
+		offset = strtol(str + 4, &endp, 0);
+		val = now + offset;
+	}
+	else {
+		result = dns_time64_fromtext(str, &val);
+		if (result != ISC_R_SUCCESS)
+			fatal("time %s must be numeric", str);
+	}
+	if (*endp != '\0')
+		fatal("time value %s is invalid", str);
+
+	return ((isc_stdtime_t) val);
+}
+
+static void
+usage() {
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "\t%s [options] keys\n", PROGRAM);
+
+	fprintf(stderr, "\n");
+
+	fprintf(stderr, "Options: (default value in parenthesis) \n");
+	fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n");
+	fprintf(stderr, "\t\tSIG start time - absolute|offset (now)\n");
+	fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
+	fprintf(stderr, "\t\tSIG end time  - "
+			     "absolute|from start|from now (now + 30 days)\n");
+	fprintf(stderr, "\t-t ttl\n");
+	fprintf(stderr, "\t-v level:\n");
+	fprintf(stderr, "\t\tverbose level (0)\n");
+
+	fprintf(stderr, "\n");
+
+	fprintf(stderr, "keys:\n");
+	fprintf(stderr, "\tkeyfile (Kname+alg+id)\n");
+	exit(0);
+}
+
+int
+main(int argc, char *argv[]) {
+	int i, ch;
+	char *startstr = NULL, *endstr = NULL;
+	dns_fixedname_t fdomain;
+	dns_name_t *domain = NULL;
+	char *output = NULL;
+	char *endp;
+	unsigned char *data;
+	dns_db_t *db;
+	dns_dbnode_t *node;
+	dns_dbversion_t *version;
+	dst_key_t *key = NULL;
+	dns_rdata_t *rdata;
+	dns_rdatalist_t rdatalist, sigrdatalist;
+	dns_rdataset_t rdataset, sigrdataset;
+	isc_result_t result;
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_log_t *log = NULL;
+	isc_logconfig_t *logconfig;
+	keynode_t *keynode;
+	char *savedname = NULL;
+
+	dns_result_register();
+
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to create memory context: %s",
+		      isc_result_totext(result));
+
+	while ((ch = isc_commandline_parse(argc, argv, "s:e:t:v:")) != -1)
+	{
+		switch (ch) {
+		case 's':
+			startstr = isc_mem_strdup(mctx,
+						  isc_commandline_argument);
+			if (startstr == NULL)
+				fatal("out of memory");
+			break;
+
+		case 'e':
+			endstr = isc_mem_strdup(mctx,
+						isc_commandline_argument);
+			if (endstr == NULL)
+				fatal("out of memory");
+			break;
+
+		case 't':
+			endp = NULL;
+			ttl = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0')
+				fatal("TTL must be numeric");
+			break;
+
+		case 'v':
+			endp = NULL;
+			verbose = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0')
+				fatal("verbose level must be numeric");
+			break;
+
+		default:
+			usage();
+
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+
+	if (argc < 1)
+		usage();
+
+	isc_stdtime_get(&now);
+
+	if (startstr != NULL) {
+		starttime = strtotime(startstr, now, now);
+		isc_mem_free(mctx, startstr);
+	}
+	else
+		starttime = now;
+
+	if (endstr != NULL) {
+		endtime = strtotime(endstr, now, starttime);
+		isc_mem_free(mctx, endstr);
+	}
+	else
+		endtime = starttime + (30 * 24 * 60 * 60);
+
+	if (ttl == -1) {
+		ttl = 3600;
+		fprintf(stderr, "%s: TTL not specified, assuming 3600\n",
+			PROGRAM);
+	}
+
+	if (verbose > 0) {
+		RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig)
+			      == ISC_R_SUCCESS);
+		isc_log_setcontext(log);
+		dns_log_init(log);
+		dns_log_setcontext(log);
+		RUNTIME_CHECK(isc_log_usechannel(logconfig, "default_stderr",
+						 NULL, NULL) == ISC_R_SUCCESS);
+	}
+
+	dns_rdatalist_init(&rdatalist);
+	rdatalist.rdclass = dns_rdataclass_in;
+	rdatalist.type = dns_rdatatype_key;
+	rdatalist.covers = 0;
+	rdatalist.ttl = ttl;
+
+	ISC_LIST_INIT(keylist);
+
+	for (i = 0; i < argc; i++) {
+		isc_uint16_t id;
+		int alg;
+		char *namestr = NULL;
+
+		isc_buffer_init(&b, argv[i], strlen(argv[i]));
+		isc_buffer_add(&b, strlen(argv[i]));
+		result = dst_key_parsefilename(&b, mctx, &namestr, &id, &alg,
+					       NULL);
+		if (result != ISC_R_SUCCESS)
+			fatal("%s is not a valid key filename", argv[i]);
+
+		if (savedname == NULL) {
+			savedname = isc_mem_strdup(mctx, namestr);
+			if (savedname == NULL)
+				fatal("out of memory");
+		}
+		else {
+			if (strcmp(savedname, namestr) != 0)
+				fatal("all keys must have the same owner - %s "
+				      "and %s do not match",
+				      savedname, namestr);
+		}
+		if (output == NULL) {
+			output = isc_mem_allocate(mctx,
+						  strlen(namestr) +
+						  strlen("keyset") + 1);
+			if (output == NULL)
+				fatal("out of memory");
+			strcpy(output, namestr);
+			strcat(output, "keyset");
+		}
+		if (domain == NULL) {
+			dns_fixedname_init(&fdomain);
+			domain = dns_fixedname_name(&fdomain);
+			isc_buffer_init(&b, namestr, strlen(namestr));
+			isc_buffer_add(&b, strlen(namestr));
+			result = dns_name_fromtext(domain, &b, dns_rootname,
+						   ISC_FALSE, NULL);
+			if (result != ISC_R_SUCCESS)
+				fatal("%s is not a valid name: %s",
+				      namestr, isc_result_totext(result));
+		}
+		key = NULL;
+		result = dst_key_fromfile(namestr, id, alg, DST_TYPE_PUBLIC,
+					  mctx, &key);
+		check_result(result, "dst_key_fromfile");
+		if (dst_key_iszonekey(key)) {
+			dst_key_t *zonekey = NULL;
+			result = dst_key_fromfile(namestr, id, alg,
+						  DST_TYPE_PRIVATE, mctx,
+						  &zonekey);
+			
+			if (result != ISC_R_SUCCESS)
+				fatal("failed to read key %s/%s/%d: %s",
+				      namestr, id, algtostr(alg),
+				      isc_result_totext(result));
+			keynode = isc_mem_get(mctx, sizeof (keynode_t));
+			if (keynode == NULL)
+				fatal("out of memory");
+			keynode->key = zonekey;
+			ISC_LINK_INIT(keynode, link);
+			ISC_LIST_APPEND(keylist, keynode, link);
+		}
+		rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
+		if (rdata == NULL)
+			fatal("out of memory");
+		data = isc_mem_get(mctx, BUFSIZE);
+		if (data == NULL)
+			fatal("out of memory");
+		isc_buffer_init(&b, data, BUFSIZE);
+		result = dst_key_todns(key, &b);
+		if (result != ISC_R_SUCCESS)
+			fatal("failed to convert key %s/%s/%d to a DNS KEY: %s",
+			      namestr, id, algtostr(alg),
+			      isc_result_totext(result));
+		isc_buffer_usedregion(&b, &r);
+		dns_rdata_fromregion(rdata, dns_rdataclass_in,
+				     dns_rdatatype_key, &r);
+		ISC_LIST_APPEND(rdatalist.rdata, rdata, link);
+		isc_mem_put(mctx, namestr, strlen(namestr) + 1);
+		dst_key_free(&key);
+	}
+
+	isc_mem_free(mctx, savedname);
+
+	dns_rdataset_init(&rdataset);
+	result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+	check_result(result, "dns_rdatalist_tordataset()");
+
+	dns_rdatalist_init(&sigrdatalist);
+	sigrdatalist.rdclass = dns_rdataclass_in;
+	sigrdatalist.type = dns_rdatatype_sig;
+	sigrdatalist.covers = dns_rdatatype_key;
+	sigrdatalist.ttl = ttl;
+
+	if (ISC_LIST_EMPTY(keylist))
+		fprintf(stderr,
+			"%s: no private zone key found; not self-signing\n",
+			PROGRAM);
+	for (keynode = ISC_LIST_HEAD(keylist);
+	     keynode != NULL;
+	     keynode = ISC_LIST_NEXT(keynode, link))
+	{
+		rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
+		if (rdata == NULL)
+			fatal("out of memory");
+		data = isc_mem_get(mctx, BUFSIZE);
+		if (data == NULL)
+			fatal("out of memory");
+		isc_buffer_init(&b, data, BUFSIZE);
+		result = dns_dnssec_sign(domain, &rdataset, keynode->key,
+					 &starttime, &endtime, mctx, &b,
+					 rdata);
+		if (result != ISC_R_SUCCESS)
+			fatal("failed to sign keyset with key %s/%s/%d: %s",
+			      dst_key_name(keynode->key),
+			      algtostr(dst_key_alg(keynode->key)),
+			      dst_key_id(keynode->key),
+			      isc_result_totext(result));
+		ISC_LIST_APPEND(sigrdatalist.rdata, rdata, link);
+		dns_rdataset_init(&sigrdataset);
+		result = dns_rdatalist_tordataset(&sigrdatalist, &sigrdataset);
+		check_result(result, "dns_rdatalist_tordataset()");
+	}
+
+	db = NULL;
+	result = dns_db_create(mctx, "rbt", domain, ISC_FALSE,
+			       dns_rdataclass_in, 0, NULL, &db);
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to create a database for %s", nametostr(domain));
+
+	version = NULL;
+	dns_db_newversion(db, &version);
+
+	node = NULL;
+	result = dns_db_findnode(db, domain, ISC_TRUE, &node);
+	check_result(result, "dns_db_findnode()");
+
+	dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL);
+	if (!ISC_LIST_EMPTY(keylist))
+		dns_db_addrdataset(db, node, version, 0, &sigrdataset, 0,
+				   NULL);
+
+	dns_db_detachnode(db, &node);
+	dns_db_closeversion(db, &version, ISC_TRUE);
+	result = dns_db_dump(db, version, output);
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to write database for %s to %s",
+		      nametostr(domain), output);
+
+	dns_db_detach(&db);
+
+	dns_rdataset_disassociate(&rdataset);
+	while (!ISC_LIST_EMPTY(rdatalist.rdata)) {
+		rdata = ISC_LIST_HEAD(rdatalist.rdata);
+		ISC_LIST_UNLINK(rdatalist.rdata, rdata, link);
+		isc_mem_put(mctx, rdata->data, BUFSIZE);
+		isc_mem_put(mctx, rdata, sizeof *rdata);
+	}
+	while (!ISC_LIST_EMPTY(sigrdatalist.rdata)) {
+		rdata = ISC_LIST_HEAD(sigrdatalist.rdata);
+		ISC_LIST_UNLINK(sigrdatalist.rdata, rdata, link);
+		isc_mem_put(mctx, rdata->data, BUFSIZE);
+		isc_mem_put(mctx, rdata, sizeof *rdata);
+	}
+
+	while (!ISC_LIST_EMPTY(keylist)) {
+		keynode = ISC_LIST_HEAD(keylist);
+		ISC_LIST_UNLINK(keylist, keynode, link);
+		dst_key_free(&keynode->key);
+		isc_mem_put(mctx, keynode, sizeof(keynode_t));
+	}
+
+	if (log != NULL)
+		isc_log_destroy(&log);
+
+	isc_mem_free(mctx, output);
+	isc_mem_destroy(&mctx);
+	return (0);
+}
diff --git a/bin/dnssec/dnssec-signkey.c b/bin/dnssec/dnssec-signkey.c
new file mode 100644
index 00000000..24ccc96e
--- /dev/null
+++ b/bin/dnssec/dnssec-signkey.c
@@ -0,0 +1,415 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/string.h>
+#include <isc/commandline.h>
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dnssec.h>
+#include <dns/log.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+
+#define PROGRAM "dnssec-signkey"
+
+#define BUFSIZE 2048
+
+typedef struct keynode keynode_t;
+struct keynode {
+	dst_key_t *key;
+	isc_boolean_t verified;
+	ISC_LINK(keynode_t) link;
+};
+typedef ISC_LIST(keynode_t) keylist_t;
+
+static isc_stdtime_t now;
+static int verbose;
+
+static isc_mem_t *mctx = NULL;
+static keylist_t keylist;
+
+static void
+fatal(char *format, ...) {
+	va_list args;
+
+	fprintf(stderr, "%s: ", PROGRAM);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+	exit(1);
+}
+
+static inline void
+check_result(isc_result_t result, char *message) {
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "%s: %s: %s\n", PROGRAM, message,
+			isc_result_totext(result));
+		exit(1);
+	}
+}
+
+/* Not thread-safe! */
+static char *
+nametostr(dns_name_t *name) {
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+	static char data[1025];
+
+	isc_buffer_init(&b, data, sizeof(data));
+	result = dns_name_totext(name, ISC_FALSE, &b);
+	check_result(result, "dns_name_totext()");
+	isc_buffer_usedregion(&b, &r);
+	r.base[r.length] = 0;
+	return (char *) r.base;
+}
+
+/* Not thread-safe! */
+static char *
+algtostr(const dns_secalg_t alg) {
+	isc_buffer_t b;
+		        isc_region_t r;
+	isc_result_t result;
+	static char data[10];
+
+	isc_buffer_init(&b, data, sizeof(data));
+	result = dns_secalg_totext(alg, &b);
+	check_result(result, "dns_secalg_totext()");
+	isc_buffer_usedregion(&b, &r);
+	r.base[r.length] = 0;
+	return (char *) r.base;
+}
+
+
+static void
+usage() {
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "\t%s [options] keyset keys\n", PROGRAM);
+
+	fprintf(stderr, "\n");
+
+	fprintf(stderr, "Options: (default value in parenthesis) \n");
+	fprintf(stderr, "\t-v level:\n");
+	fprintf(stderr, "\t\tverbose level (0)\n");
+
+	fprintf(stderr, "\n");
+
+	fprintf(stderr, "keyset:\n");
+	fprintf(stderr, "\tfile name of key set to be signed\n");
+	fprintf(stderr, "keys:\n");
+	fprintf(stderr, "\tkeyfile (Kname+alg+id)\n");
+	exit(0);
+}
+
+static void
+loadkeys(dns_name_t *name, dns_rdataset_t *rdataset) {
+	dst_key_t *key;
+	dns_rdata_t rdata;
+	keynode_t *keynode;
+	isc_result_t result;
+
+	ISC_LIST_INIT(keylist);
+	result = dns_rdataset_first(rdataset);
+	check_result(result, "dns_rdataset_first");
+	for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(rdataset)) {
+		dns_rdataset_current(rdataset, &rdata);
+		key = NULL;
+		result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &key);
+		if (result != ISC_R_SUCCESS)
+			continue;
+		if (!dst_key_iszonekey(key))
+			continue;
+		keynode = isc_mem_get(mctx, sizeof (keynode_t));
+		if (keynode == NULL)
+			fatal("out of memory");
+		keynode->key = key;
+		keynode->verified = ISC_FALSE;
+		ISC_LINK_INIT(keynode, link);
+		ISC_LIST_APPEND(keylist, keynode, link);
+	}
+	if (result != ISC_R_NOMORE)
+		fatal("failure traversing key list");
+}
+
+static dst_key_t *
+findkey(dns_rdata_sig_t *sig) {
+	keynode_t *keynode;
+	for (keynode = ISC_LIST_HEAD(keylist);
+	     keynode != NULL;
+	     keynode = ISC_LIST_NEXT(keynode, link))
+	{
+		if (dst_key_id(keynode->key) == sig->keyid &&
+		    dst_key_alg(keynode->key) == sig->algorithm) {
+			keynode->verified = ISC_TRUE;
+			return (keynode->key);
+		}
+	}
+	fatal("signature generated by non-zone or missing key");
+	return (NULL);
+}
+
+int
+main(int argc, char *argv[]) {
+	int i, ch;
+	char tdomain[1025];
+	dns_fixedname_t fdomain;
+	dns_name_t *domain;
+	char *output = NULL;
+	char *endp;
+	unsigned char *data;
+	dns_db_t *db;
+	dns_dbnode_t *node;
+	dns_dbversion_t *version;
+	dst_key_t *key = NULL;
+	dns_rdata_t *rdata, sigrdata;
+	dns_rdatalist_t sigrdatalist;
+	dns_rdataset_t rdataset, sigrdataset, newsigrdataset;
+	dns_rdata_sig_t sig;
+	isc_result_t result;
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_log_t *log = NULL;
+	isc_logconfig_t *logconfig;
+	keynode_t *keynode;
+
+	dns_result_register();
+
+	result = isc_mem_create(0, 0, &mctx);
+	check_result(result, "isc_mem_create()");
+
+	while ((ch = isc_commandline_parse(argc, argv, "v:")) != -1)
+	{
+		switch (ch) {
+		case 'v':
+			endp = NULL;
+			verbose = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0')
+				fatal("verbose level must be numeric");
+			break;
+
+		default:
+			usage();
+
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+
+	if (argc < 2)
+		usage();
+
+	isc_stdtime_get(&now);
+
+	if (verbose > 0) {
+		RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig)
+			      == ISC_R_SUCCESS);
+		isc_log_setcontext(log);
+		dns_log_init(log);
+		dns_log_setcontext(log);
+		RUNTIME_CHECK(isc_log_usechannel(logconfig, "default_stderr",
+						 NULL, NULL) == ISC_R_SUCCESS);
+	}
+
+	if (strlen(argv[0]) < 8 ||
+	    strcmp(argv[0] + strlen(argv[0]) - 7, ".keyset") != 0)
+		fatal("keyset file must end in .keyset");
+
+	dns_fixedname_init(&fdomain);
+	domain = dns_fixedname_name(&fdomain);
+	isc_buffer_init(&b, argv[0], strlen(argv[0]) - 7);
+	isc_buffer_add(&b, strlen(argv[0]) - 7);
+	result = dns_name_fromtext(domain, &b, dns_rootname, ISC_FALSE, NULL);
+	if (result != ISC_R_SUCCESS)
+		fatal("'%s' does not contain a valid domain name", argv[0]);
+	isc_buffer_init(&b, tdomain, sizeof(tdomain) - 1);
+	result = dns_name_totext(domain, ISC_FALSE, &b);
+	check_result(result, "dns_name_totext()");
+	isc_buffer_usedregion(&b, &r);
+	tdomain[r.length] = 0;
+
+	output = isc_mem_allocate(mctx,
+				  strlen(tdomain) + strlen("signedkey") + 1);
+	if (output == NULL)
+		fatal("out of memory");
+	strcpy(output, tdomain);
+	strcat(output, "signedkey");
+
+	db = NULL;
+	result = dns_db_create(mctx, "rbt", domain, ISC_FALSE,
+			       dns_rdataclass_in, 0, NULL, &db);
+	check_result(result, "dns_db_create()");
+
+	result = dns_db_load(db, argv[0]);
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to load database from '%s': %s", argv[0],
+		      isc_result_totext(result));
+
+	version = NULL;
+	dns_db_newversion(db, &version);
+
+	node = NULL;
+	result = dns_db_findnode(db, domain, ISC_FALSE, &node);
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find database node '%s': %s",
+		      nametostr(domain), isc_result_totext(result));
+
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_init(&sigrdataset);
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_key, 0,
+				     0, &rdataset, &sigrdataset);
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find rdataset '%s KEY': %s",
+		      nametostr(domain), isc_result_totext(result));
+
+	loadkeys(domain, &rdataset);
+
+	if (!dns_rdataset_isassociated(&sigrdataset))
+		fatal("no SIG KEY set present");
+
+	result = dns_rdataset_first(&sigrdataset);
+	check_result(result, "dns_rdataset_first()");
+	do {
+		dns_rdataset_current(&sigrdataset, &sigrdata);
+		result = dns_rdata_tostruct(&sigrdata, &sig, mctx);
+		check_result(result, "dns_rdata_tostruct()");
+		key = findkey(&sig);
+		result = dns_dnssec_verify(domain, &rdataset, key,
+					   ISC_TRUE, mctx, &sigrdata);
+		if (result != ISC_R_SUCCESS)
+			fatal("signature by key '%s/%s/%d' did not verify: %s",
+			      dst_key_name(key), algtostr(dst_key_alg(key)),
+			      dst_key_id(key), isc_result_totext(result));
+		dns_rdata_freestruct(&sig);
+		result = dns_rdataset_next(&sigrdataset);
+	} while (result == ISC_R_SUCCESS);
+
+	for (keynode = ISC_LIST_HEAD(keylist);
+	     keynode != NULL;
+	     keynode = ISC_LIST_NEXT(keynode, link))
+		if (!keynode->verified)
+			fatal("Not all zone keys self signed the key set");
+
+	result = dns_rdataset_first(&sigrdataset);
+	check_result(result, "dns_rdataset_first()");
+	dns_rdataset_current(&sigrdataset, &sigrdata);
+	result = dns_rdata_tostruct(&sigrdata, &sig, mctx);
+	check_result(result, "dns_rdata_tostruct()");
+
+	dns_rdataset_disassociate(&sigrdataset);
+
+	argc -= 1;
+	argv += 1;
+
+	dns_rdatalist_init(&sigrdatalist);
+	sigrdatalist.rdclass = rdataset.rdclass;
+	sigrdatalist.type = dns_rdatatype_sig;
+	sigrdatalist.covers = dns_rdatatype_key;
+	sigrdatalist.ttl = rdataset.ttl;
+
+	for (i = 0; i < argc; i++) {
+		isc_uint16_t id;
+		int alg;
+		char *namestr = NULL;
+
+		isc_buffer_init(&b, argv[i], strlen(argv[i]));
+		isc_buffer_add(&b, strlen(argv[i]));
+		result = dst_key_parsefilename(&b, mctx, &namestr, &id, &alg,
+					       NULL);
+		if (result != ISC_R_SUCCESS)
+			usage();
+
+		key = NULL;
+		result = dst_key_fromfile(namestr, id, alg, DST_TYPE_PRIVATE,
+					  mctx, &key);
+		if (result != ISC_R_SUCCESS)
+			fatal("failed to read key %s/%s/%d from disk: %s",
+			      dst_key_name(key), algtostr(dst_key_alg(key)),
+			      dst_key_id(key), isc_result_totext(result));
+		isc_mem_put(mctx, namestr, strlen(namestr) + 1);
+
+		rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
+		if (rdata == NULL)
+			fatal("out of memory");
+		data = isc_mem_get(mctx, BUFSIZE);
+		if (data == NULL)
+			fatal("out of memory");
+		isc_buffer_init(&b, data, BUFSIZE);
+		result = dns_dnssec_sign(domain, &rdataset, key,
+					 &sig.timesigned, &sig.timeexpire,
+					 mctx, &b, rdata);
+		if (result != ISC_R_SUCCESS)
+			fatal("key '%s/%s/%d' failed to sign data: %s",
+			      dst_key_name(key), algtostr(dst_key_alg(key)),
+			      dst_key_id(key), isc_result_totext(result));
+		ISC_LIST_APPEND(sigrdatalist.rdata, rdata, link);
+		dst_key_free(&key);
+	}
+
+	dns_rdataset_init(&newsigrdataset);
+	result = dns_rdatalist_tordataset(&sigrdatalist, &newsigrdataset);
+	check_result (result, "dns_rdatalist_tordataset()");
+
+	dns_db_addrdataset(db, node, version, 0, &newsigrdataset, 0, NULL);
+	check_result (result, "dns_db_addrdataset()");
+
+	dns_db_detachnode(db, &node);
+	dns_db_closeversion(db, &version, ISC_TRUE);
+	result = dns_db_dump(db, version, output);
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to write database to '%s': %s",
+		      output, isc_result_totext(result));
+
+	dns_rdataset_disassociate(&rdataset);
+	dns_rdataset_disassociate(&newsigrdataset);
+
+	dns_rdata_freestruct(&sig);
+
+        while (!ISC_LIST_EMPTY(sigrdatalist.rdata)) {
+                rdata = ISC_LIST_HEAD(sigrdatalist.rdata);
+                ISC_LIST_UNLINK(sigrdatalist.rdata, rdata, link);
+                isc_mem_put(mctx, rdata->data, BUFSIZE);
+                isc_mem_put(mctx, rdata, sizeof *rdata);
+        }
+
+	dns_db_detach(&db);
+
+	while (!ISC_LIST_EMPTY(keylist)) {
+		keynode = ISC_LIST_HEAD(keylist);
+		ISC_LIST_UNLINK(keylist, keynode, link);
+		dst_key_free(&keynode->key);
+		isc_mem_put(mctx, keynode, sizeof(keynode_t));
+	}
+
+	if (log != NULL)
+		isc_log_destroy(&log);
+
+        isc_mem_free(mctx, output);
+	isc_mem_destroy(&mctx);
+	return (0);
+}
diff --git a/bin/tests/signer.c b/bin/dnssec/dnssec-signzone.c
index 7b73b04d..1a58d5cf 100644
--- a/bin/tests/signer.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -17,25 +17,19 @@
 
 #include <config.h>
 
-#include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 
-#include <isc/types.h>
-#include <isc/assertions.h>
 #include <isc/commandline.h>
-#include <isc/boolean.h>
-#include <isc/buffer.h>
-#include <isc/error.h>
 #include <isc/mem.h>
-#include <isc/stdtime.h>
-#include <isc/list.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
-#include <dns/types.h>
-#include <dns/name.h>
-#include <dns/fixedname.h>
 #include <dns/db.h>
 #include <dns/dbiterator.h>
+#include <dns/dnssec.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/nxt.h>
 #include <dns/rdata.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
@@ -43,19 +37,16 @@
 #include <dns/rdatastruct.h>
 #include <dns/rdatatype.h>
 #include <dns/result.h>
-#include <dns/dnssec.h>
-#include <dns/keyvalues.h>
 #include <dns/secalg.h>
-#include <dns/nxt.h>
 #include <dns/time.h>
-#include <dns/zone.h>
-#include <dns/log.h>
 
-#include <dst/dst.h>
+#include <dst/result.h>
+
+#define PROGRAM "dnssec-signzone"
+
+/*#define USE_ZONESTATUS*/
 
 #define BUFSIZE 2048
-#define is_zone_key(key) ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) \
-			  == DNS_KEYOWNER_ZONE)
 
 typedef struct signer_key_struct signer_key_t;
 typedef struct signer_array_struct signer_array_t;
@@ -75,20 +66,26 @@ static ISC_LIST(signer_key_t) keylist;
 static isc_stdtime_t starttime = 0, endtime = 0, now;
 static int cycle = -1;
 static int verbose;
-static int tryverify = 0;
+static isc_boolean_t tryverify = ISC_FALSE;
 
 static isc_mem_t *mctx = NULL;
 
-static inline void
-fatal(char *message) {
-	fprintf(stderr, "%s\n", message);
+static void
+fatal(char *format, ...) {
+	va_list args;
+
+	fprintf(stderr, "%s: ", PROGRAM);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
 	exit(1);
 }
 
 static inline void
 check_result(isc_result_t result, char *message) {
 	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "%s: %s\n", message,
+		fprintf(stderr, "%s: %s: %s\n", PROGRAM, message,
 			isc_result_totext(result));
 		exit(1);
 	}
@@ -100,6 +97,7 @@ vbprintf(int level, const char *fmt, ...) {
 	if (level > verbose)
 		return;
 	va_start(ap, fmt);
+	fprintf(stderr, "%s: ", PROGRAM);
 	vfprintf(stderr, fmt, ap);
 	va_end(ap);
 }
@@ -109,11 +107,13 @@ static char *
 nametostr(dns_name_t *name) {
 	isc_buffer_t b;
 	isc_region_t r;
+	isc_result_t result;
 	static char data[1025];
 
-	isc_buffer_init(&b, data, sizeof(data), ISC_BUFFERTYPE_TEXT);
-	dns_name_totext(name, ISC_FALSE, &b);
-	isc_buffer_used(&b, &r);
+	isc_buffer_init(&b, data, sizeof(data));
+	result = dns_name_totext(name, ISC_FALSE, &b);
+	check_result(result, "dns_name_totext()");
+	isc_buffer_usedregion(&b, &r);
 	r.base[r.length] = 0;
 	return (char *) r.base;
 }
@@ -123,11 +123,13 @@ static char *
 typetostr(const dns_rdatatype_t type) {
 	isc_buffer_t b;
 	isc_region_t r;
+	isc_result_t result;
 	static char data[10];
 
-	isc_buffer_init(&b, data, sizeof(data), ISC_BUFFERTYPE_TEXT);
-	dns_rdatatype_totext(type, &b);
-	isc_buffer_used(&b, &r);
+	isc_buffer_init(&b, data, sizeof(data));
+	result = dns_rdatatype_totext(type, &b);
+	check_result(result, "dns_rdatatype_totext()");
+	isc_buffer_usedregion(&b, &r);
 	r.base[r.length] = 0;
 	return (char *) r.base;
 }
@@ -137,11 +139,13 @@ static char *
 algtostr(const dns_secalg_t alg) {
 	isc_buffer_t b;
 	isc_region_t r;
+	isc_result_t result;
 	static char data[10];
 
-	isc_buffer_init(&b, data, sizeof(data), ISC_BUFFERTYPE_TEXT);
-	dns_secalg_totext(alg, &b);
-	isc_buffer_used(&b, &r);
+	isc_buffer_init(&b, data, sizeof(data));
+	result = dns_secalg_totext(alg, &b);
+	check_result(result, "dns_secalg_totext()");
+	isc_buffer_usedregion(&b, &r);
 	r.base[r.length] = 0;
 	return (char *) r.base;
 }
@@ -169,21 +173,18 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
 	dns_rdata_init(rdata);
 	result = dns_dnssec_sign(name, rdataset, key, &starttime, &endtime,
 				 mctx, b, rdata);
-	check_result(result, "dns_dnssec_sign()");
-
-	if (tryverify != 0) {
-		isc_stdtime_t current;
-		isc_stdtime_get(&current);
-		if (current >= starttime && current < endtime) {
-			result = dns_dnssec_verify(name, rdataset, key, mctx,
-						   rdata);
-			if (result == ISC_R_SUCCESS)
-				vbprintf(3, "\tsignature verified\n");
-			else
-				vbprintf(3, "\tsignature failed to verify\n");
-		}
+	if (result != ISC_R_SUCCESS)
+		fatal("key '%s/%s/%d' failed to sign data: %s",
+		      dst_key_name(key), algtostr(dst_key_alg(key)),
+		      dst_key_id(key), isc_result_totext(result));
+
+	if (tryverify) {
+		result = dns_dnssec_verify(name, rdataset, key,
+					   ISC_TRUE, mctx, rdata);
+		if (result == ISC_R_SUCCESS)
+			vbprintf(3, "\tsignature verified\n");
 		else
-			vbprintf(3, "\tsignature is not currently valid\n");
+			vbprintf(3, "\tsignature failed to verify\n");
 	}
 }
 
@@ -198,7 +199,7 @@ iszonekey(signer_key_t *key, dns_db_t *db) {
 	isc_buffer_t b;
 	isc_result_t result;
 
-	isc_buffer_init(&b, origin, sizeof(origin), ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&b, origin, sizeof(origin));
 	result = dns_name_totext(dns_db_origin(db), ISC_FALSE, &b);
 	check_result(result, "dns_name_totext()");
 
@@ -212,7 +213,7 @@ iszonekey(signer_key_t *key, dns_db_t *db) {
  * that we've loaded already, and then see if there's a key on disk.
  */
 static signer_key_t *
-keythatsigned(dns_rdata_generic_sig_t *sig) {
+keythatsigned(dns_rdata_sig_t *sig) {
 	char *keyname;
 	isc_result_t result;
 	dst_key_t *pubkey = NULL, *privkey = NULL;
@@ -236,13 +237,13 @@ keythatsigned(dns_rdata_generic_sig_t *sig) {
 
 	key = isc_mem_get(mctx, sizeof(signer_key_t));
 	if (key == NULL)
-		check_result(ISC_R_FAILURE, "isc_mem_get");
+		fatal("out of memory");
 
 	result = dst_key_fromfile(keyname, sig->keyid, sig->algorithm,
 				  DST_TYPE_PRIVATE, mctx, &privkey);
 	if (result == ISC_R_SUCCESS) {
 		key->key = privkey;
-		dst_key_free(pubkey);
+		dst_key_free(&pubkey);
 	}
 	else
 		key->key = pubkey;
@@ -266,16 +267,17 @@ expecttofindkey(dns_name_t *name, dns_db_t *db, dns_dbversion_t *version) {
 	result = dns_db_find(db, name, version, dns_rdatatype_key, options,
 			     0, NULL, dns_fixedname_name(&fname), NULL, NULL);
 	switch (result) {
-		case DNS_R_SUCCESS:
+		case ISC_R_SUCCESS:
 		case DNS_R_NXDOMAIN:
-		case DNS_R_NXRDATASET:
+		case DNS_R_NXRRSET:
 			return ISC_TRUE;
 		case DNS_R_DELEGATION:
 		case DNS_R_CNAME:
 		case DNS_R_DNAME:
 			return ISC_FALSE;
 		default:
-			check_result(result, "dns_db_find");
+			fatal("failure looking for '%s KEY' in database: %s",
+			      nametostr(name), isc_result_totext(result));
 			return ISC_FALSE; /* removes a warning */
 	}
 }
@@ -284,7 +286,8 @@ static inline isc_boolean_t
 setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key,
 	    dns_rdata_t *sig)
 {
-	isc_result_t result = dns_dnssec_verify(name, set, key->key, mctx, sig);
+	isc_result_t result;
+	result = dns_dnssec_verify(name, set, key->key, ISC_FALSE, mctx, sig);
 	return (ISC_TF(result == ISC_R_SUCCESS));
 }
 
@@ -294,9 +297,8 @@ setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key,
 	tdata = isc_mem_get(mctx, sizeof(signer_array_t)); \
 	ISC_LIST_APPEND(arraylist, tdata, link); \
 	if (trdata == NULL || tdata == NULL) \
-		check_result(ISC_R_FAILURE, "isc_mem_get"); \
-	isc_buffer_init(&b, tdata->array, sizeof(tdata->array), \
-			ISC_BUFFERTYPE_BINARY);
+		fatal("out of memory"); \
+	isc_buffer_init(&b, tdata->array, sizeof(tdata->array));
 
 /*
  * Signs a set.  Goes through contortions to decide if each SIG should
@@ -311,7 +313,7 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 	dns_rdataset_t sigset, oldsigset;
 	dns_rdata_t oldsigrdata;
 	dns_rdata_t *trdata;
-	dns_rdata_generic_sig_t sig;
+	dns_rdata_sig_t sig;
 	signer_key_t *key;
 	isc_result_t result;
 	isc_boolean_t notsigned = ISC_TRUE, nosigs = ISC_FALSE;
@@ -333,7 +335,10 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 		result = ISC_R_SUCCESS;
 		nosigs = ISC_TRUE;
 	}
-	check_result(result, "dns_db_findrdataset()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed while looking for '%s SIG %s': %s",
+		      nametostr(name), typetostr(set->type),
+		      isc_result_totext(result));
 
 	vbprintf(1, "%s/%s:\n", nametostr(name), typetostr(set->type));
 
@@ -386,7 +391,7 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 				    setverifies(name, set, key, &oldsigrdata))
 				{
 					vbprintf(2,
-						 "\tsig by %s/%s/%d retained\n",
+						"\tsig by %s/%s/%d retained\n",
 						 nametostr(&sig.signer),
 						 algtostr(sig.algorithm),
 						 sig.keyid);
@@ -411,7 +416,7 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 				    setverifies(name, set, key, &oldsigrdata))
 				{
 					vbprintf(2,
-						 "\tsig by %s/%s/%d retained\n",
+						"\tsig by %s/%s/%d retained\n",
 						 nametostr(&sig.signer),
 						 algtostr(sig.algorithm),
 						 sig.keyid);
@@ -421,8 +426,8 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 				}
 				else {
 					vbprintf(2,
-						 "\tsig by %s/%s/%d dropped - ",
-						 "%s\n",
+						 "\tsig by %s/%s/%d "
+						 "dropped - %s\n",
 						 nametostr(&sig.signer),
 						 algtostr(sig.algorithm),
 						 sig.keyid,
@@ -451,7 +456,7 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 				allocbufferandrdata;
 				result = dns_rdata_fromstruct(trdata,
 							      set->rdclass,
-							      dns_rdatatype_sig,
+							     dns_rdatatype_sig,
 							      &sig, &b);
 				nowsignedby[sig.algorithm] = ISC_TRUE;
 				ISC_LIST_APPEND(siglist.rdata, trdata, link);
@@ -470,7 +475,7 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 			dns_rdata_freestruct(&sig);
 			result = dns_rdataset_next(&oldsigset);
 		}
-		if (result == DNS_R_NOMORE)
+		if (result == ISC_R_NOMORE)
 			result = ISC_R_SUCCESS;
 		check_result(result, "dns_db_dns_rdataset_first()/next()");
 		dns_rdataset_disassociate(&oldsigset);
@@ -530,6 +535,8 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 			result = ISC_R_SUCCESS;
 		check_result(result, "dns_db_deleterdataset");
 #endif
+		fatal("File is currently signed but no private keys were "
+		      "found.  This won't work.");
 	}
 
 	trdata = ISC_LIST_HEAD(siglist.rdata);
@@ -547,37 +554,196 @@ signset(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 	}
 }
 
+#ifndef USE_ZONESTATUS
 /* Determine if a KEY set contains a null key */
 static isc_boolean_t
-hasnullkey(dns_rdataset_t rdataset) {
+hasnullkey(dns_rdataset_t *rdataset) {
 	isc_result_t result;
 	dns_rdata_t rdata;
-	isc_uint32_t flags;
+	isc_boolean_t found = ISC_FALSE;
 
-	result = dns_rdataset_first(&rdataset);
+	result = dns_rdataset_first(rdataset);
 	while (result == ISC_R_SUCCESS) {
 		dst_key_t *key = NULL;
 
-		dns_rdataset_current(&rdataset, &rdata);
+		dns_rdataset_current(rdataset, &rdata);
 		result = dns_dnssec_keyfromrdata(dns_rootname,
 						 &rdata, mctx, &key);
-		check_result(result, "dns_dnssec_keyfromrdata()");
-		flags = dst_key_flags(key);
-		dst_key_free(key);
-		if (((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) &&
-		    ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE))
+		if (result != ISC_R_SUCCESS)
+			fatal("could not convert KEY into internal format");
+		if (dst_key_isnullkey(key))
+			found = ISC_TRUE;
+                dst_key_free(&key);
+		if (found == ISC_TRUE)
 			return (ISC_TRUE);
-		result = dns_rdataset_next(&rdataset);
+                result = dns_rdataset_next(rdataset);
+        }
+        if (result != ISC_R_NOMORE)
+                fatal("failure looking for null keys");
+        return (ISC_FALSE);
+}
+#endif
+
+/*
+ * Looks for signatures of the zone keys by the parent, and imports them
+ * if found.
+ */
+static void
+importparentsig(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
+		dns_name_t *name, dns_rdataset_t *set)
+{
+	unsigned char filename[256];
+	isc_buffer_t b;
+	isc_region_t r;
+	dns_db_t *newdb = NULL;
+	dns_dbnode_t *newnode = NULL;
+	dns_rdataset_t newset, sigset;
+	dns_rdata_t rdata, newrdata;
+	isc_result_t result;
+
+	isc_buffer_init(&b, filename, sizeof(filename) - 10);
+	result = dns_name_totext(name, ISC_FALSE, &b);
+	check_result(result, "dns_name_totext()");
+	isc_buffer_usedregion(&b, &r);
+	strcpy((char *)r.base + r.length, "signedkey");
+	result = dns_db_create(mctx, "rbt", name, ISC_FALSE, dns_db_class(db),
+			       0, NULL, &newdb);
+	check_result(result, "dns_db_create()");
+	result = dns_db_load(newdb, (char *)filename);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+	result = dns_db_findnode(newdb, name, ISC_FALSE, &newnode);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+	dns_rdataset_init(&newset);
+	dns_rdataset_init(&sigset);
+	result = dns_db_findrdataset(newdb, newnode, NULL, dns_rdatatype_key,
+				     0, 0, &newset, &sigset);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	if (dns_rdataset_count(set) != dns_rdataset_count(&newset))
+		goto failure;
+
+	dns_rdata_init(&rdata);
+	dns_rdata_init(&newrdata);
+
+	result = dns_rdataset_first(set);
+	check_result(result, "dns_rdataset_first()");
+	for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(set)) {
+		dns_rdataset_current(set, &rdata);
+		result = dns_rdataset_first(&newset);
+		check_result(result, "dns_rdataset_first()");
+		for (;
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&newset))
+		{
+			dns_rdataset_current(&newset, &newrdata);
+			if (dns_rdata_compare(&rdata, &newrdata) == 0)
+				break;
+		}
+		if (result != ISC_R_SUCCESS)
+			break;
+	}
+	if (result != ISC_R_NOMORE) 
+		goto failure;
+
+	vbprintf(2, "found the parent's signature of our zone key\n");
+
+	result = dns_db_addrdataset(db, node, version, 0, &sigset, 0, NULL);
+	check_result(result, "dns_db_addrdataset");
+	dns_rdataset_disassociate(&newset);
+	dns_rdataset_disassociate(&sigset);
+
+ failure:
+	if (newnode != NULL)
+		dns_db_detachnode(newdb, &newnode);
+	if (newdb != NULL)
+		dns_db_detach(&newdb);
+}
+
+/*
+ * Looks for our signatures of child keys.  If present, inform the caller,
+ * who will set the zone status (KEY) bit in the NXT record.
+ */
+static isc_boolean_t
+haschildkey(dns_db_t *db, dns_name_t *name) {
+	unsigned char filename[256];
+	isc_buffer_t b;
+	isc_region_t r;
+	dns_db_t *newdb = NULL;
+	dns_dbnode_t *newnode = NULL;
+	dns_rdataset_t set, sigset;
+	dns_rdata_t sigrdata;
+	isc_result_t result;
+	isc_boolean_t found = ISC_FALSE;
+	dns_rdata_sig_t sig;
+	signer_key_t *key;
+
+	isc_buffer_init(&b, filename, sizeof(filename) - 10);
+	result = dns_name_totext(name, ISC_FALSE, &b);
+	check_result(result, "dns_name_totext()");
+	isc_buffer_usedregion(&b, &r);
+	strcpy((char *)r.base + r.length, "signedkey");
+	result = dns_db_create(mctx, "rbt", name, ISC_FALSE, dns_db_class(db),
+			       0, NULL, &newdb);
+	check_result(result, "dns_db_create()");
+	result = dns_db_load(newdb, (char *)filename);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+	result = dns_db_findnode(newdb, name, ISC_FALSE, &newnode);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+	dns_rdataset_init(&set);
+	dns_rdataset_init(&sigset);
+	result = dns_db_findrdataset(newdb, newnode, NULL, dns_rdatatype_key,
+				     0, 0, &set, &sigset);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	if (!dns_rdataset_isassociated(&set) ||
+	    !dns_rdataset_isassociated(&sigset))
+		goto disfail;
+
+	result = dns_rdataset_first(&sigset);
+	check_result(result, "dns_rdataset_first()");
+	dns_rdata_init(&sigrdata);
+	for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(&sigset)) {
+		dns_rdataset_current(&sigset, &sigrdata);
+		result = dns_rdata_tostruct(&sigrdata, &sig, mctx);
+		if (result != ISC_R_SUCCESS)
+			goto disfail;
+		key = keythatsigned(&sig);
+		dns_rdata_freestruct(&sig);
+		if (key == NULL)
+			goto disfail;
+		result = dns_dnssec_verify(name, &set, key->key,
+					   ISC_FALSE, mctx, &sigrdata);
+		if (result == ISC_R_SUCCESS) {
+			found = ISC_TRUE;
+			break;
+		}
 	}
-	if (result != DNS_R_NOMORE)
-		check_result(result, "iteration over keys");
-	return (ISC_FALSE);
+
+ disfail:
+	if (dns_rdataset_isassociated(&set))
+		dns_rdataset_disassociate(&set);
+	if (dns_rdataset_isassociated(&sigset))
+		dns_rdataset_disassociate(&sigset);
+
+ failure:
+	if (newnode != NULL)
+		dns_db_detachnode(newdb, &newnode);
+	if (newdb != NULL)
+		dns_db_detach(&newdb);
+
+	return (found);
 }
 
 /*
  * Signs all records at a name.  This mostly just signs each set individually,
- * but also handles exceptional cases and adds the SIG bit to any NXTs
- * generated earlier.
+ * but also adds the SIG bit to any NXTs generated earlier, deals with
+ * parent/child KEY signatures, and handles other exceptional cases.
  */
 static void
 signname(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
@@ -585,19 +751,27 @@ signname(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 {
 	isc_result_t result;
 	dns_rdata_t rdata;
-	dns_rdataset_t rdataset, nsset;
+	dns_rdataset_t rdataset;
 	dns_rdatasetiter_t *rdsiter;
 	isc_boolean_t isdelegation = ISC_FALSE;
+	isc_boolean_t childkey = ISC_FALSE;
 	static int warnwild = 0;
 
 	if (dns_name_iswildcard(name)) {
-		fprintf(stderr, "Warning: wildcard name seen: %s\n",
-			nametostr(name));
-		if (warnwild++ == 0)
-			fprintf(stderr, "\tBIND 9 doesn't completely handle "
-				"wildcards in secure zones\n");
+		if (warnwild++ == 0) {
+			fprintf(stderr, "%s: warning: BIND 9 doesn't properly "
+				"handle wildcards in secure zones:\n", PROGRAM);
+			fprintf(stderr, "\t- wildcard nonexistence proof is "
+				"not generated by the server\n");
+			fprintf(stderr, "\t- wildcard nonexistence proof is "
+				"not required by the resolver\n");
+		}
+		fprintf(stderr, "%s: warning: wildcard name seen: %s\n",
+			PROGRAM, nametostr(name));
 	}
 	if (!atorigin) {
+		dns_rdataset_t nsset;
+
 		dns_rdataset_init(&nsset);
 		result = dns_db_findrdataset(db, node, version,
 					     dns_rdatatype_ns, 0, 0, &nsset,
@@ -620,37 +794,50 @@ signname(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 		if (rdataset.type == dns_rdatatype_sig)
 			goto skip;
 
-		/* If this is a KEY set at the apex, skip it. */
-		if (rdataset.type == dns_rdatatype_key && atorigin)
+		/*
+		 * If this is a KEY set at the apex, look for a signedkey file.
+		 */
+		if (rdataset.type == dns_rdatatype_key && atorigin) {
+			importparentsig(db, version, node, name, &rdataset);
 			goto skip;
+		}
 
 		/*
 		 * If this name is a delegation point, skip all records
-		 * except a KEY set containing a NULL key or an NXT set.
+		 * except an NXT set, unless we're using null keys, in
+		 * which case we need to check for a null key and add one
+		 * if it's not present.
 		 */
 		if (isdelegation) {
 			switch (rdataset.type) {
-				case dns_rdatatype_nxt:
+			case dns_rdatatype_nxt:
+				childkey = haschildkey(db, name);
+				break;
+#ifndef USE_ZONESTATUS
+			case dns_rdatatype_key:
+				if (hasnullkey(&rdataset))
 					break;
-				case dns_rdatatype_key:
-					if (hasnullkey(rdataset))
-						break;
-					goto skip;
-				default:
-					goto skip;
+				goto skip;
+#endif
+			default:
+				goto skip;
 			}
+
 		}
 
 		/*
 		 * There probably should be a dns_nxtsetbit, but it can get
 		 * complicated if we need to extend the length of the
 		 * bit set.  In this case, since the NXT bit is set and
-		 * SIG < NXT, the easy way works.
+		 * SIG < NXT and KEY < NXT, the easy way works.
 		 */
 		if (rdataset.type == dns_rdatatype_nxt) {
 			unsigned char *nxt_bits;
 			dns_name_t nxtname;
 			isc_region_t r, r2;
+			unsigned char keydata[4];
+			dst_key_t *dstkey;
+			isc_buffer_t b;
 
 			result = dns_rdataset_first(&rdataset);
 			check_result(result, "dns_rdataset_first()");
@@ -661,6 +848,84 @@ signname(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 			dns_name_toregion(&nxtname, &r2);
 			nxt_bits = r.base + r2.length;
 			set_bit(nxt_bits, dns_rdatatype_sig, 1);
+#ifdef USE_ZONESTATUS
+			if (isdelegation && childkey) {
+				set_bit(nxt_bits, dns_rdatatype_key, 1);
+				vbprintf(2, "found a child key for %s, "
+					 "setting KEY bit in NXT\n",
+					 nametostr(name));
+			}
+
+#else
+			if (isdelegation && !childkey) {
+				dns_rdataset_t keyset;
+				dns_rdatalist_t keyrdatalist;
+				dns_rdata_t keyrdata;
+
+				dns_rdataset_init(&keyset);
+				result = dns_db_findrdataset(db, node, version,
+							     dns_rdatatype_key,
+							     0, 0, &keyset,
+							     NULL);
+				if (result == ISC_R_SUCCESS &&
+				    hasnullkey(&keyset))
+					goto alreadyhavenullkey;
+
+				if (result == ISC_R_NOTFOUND)
+					result = ISC_R_SUCCESS;
+				if (result != ISC_R_SUCCESS)
+					fatal("failure looking for null key "
+					      "at '%s': %s", nametostr(name),
+					      isc_result_totext(result));
+
+				if (dns_rdataset_isassociated(&keyset))
+					dns_rdataset_disassociate(&keyset);
+
+				vbprintf(2, "no child key for %s, "
+					 "adding null key\n",
+					 nametostr(name));
+				dns_rdatalist_init(&keyrdatalist);
+				dstkey = NULL;
+				
+				result = dst_key_generate("", DNS_KEYALG_DSA,
+							  0, 0,
+							  DNS_KEYTYPE_NOKEY |
+							  DNS_KEYOWNER_ZONE,
+							  DNS_KEYPROTO_DNSSEC,
+							  mctx, &dstkey);
+				if (result != ISC_R_SUCCESS)
+					fatal("failed to generate null key");
+				isc_buffer_init(&b, keydata, sizeof keydata);
+				result = dst_key_todns(dstkey, &b);
+				dst_key_free(&dstkey);
+				isc_buffer_usedregion(&b, &r);
+				dns_rdata_fromregion(&keyrdata,
+						     rdataset.rdclass,
+						     dns_rdatatype_key, &r);
+				
+				ISC_LIST_APPEND(keyrdatalist.rdata, &keyrdata,
+						link);
+				keyrdatalist.rdclass = rdataset.rdclass;
+				keyrdatalist.type = dns_rdatatype_key;
+				keyrdatalist.covers = 0;
+				keyrdatalist.ttl = rdataset.ttl;
+				result =
+					dns_rdatalist_tordataset(&keyrdatalist,
+								 &keyset);
+				check_result(result,
+					     "dns_rdatalist_tordataset");
+				dns_db_addrdataset(db, node, version, 0,
+						   &keyset, DNS_DBADD_MERGE,
+						   NULL);
+				set_bit(nxt_bits, dns_rdatatype_key, 1);
+				signset(db, version, node, name, &keyset);
+
+				dns_rdataset_disassociate(&keyset);
+
+ alreadyhavenullkey:
+				;
+			}
+#endif
 		}
 
 		signset(db, version, node, name, &rdataset);
@@ -669,8 +934,9 @@ signname(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 		dns_rdataset_disassociate(&rdataset);
 		result = dns_rdatasetiter_next(rdsiter);
 	}
-	if (result != DNS_R_NOMORE)
-		fatal("rdataset iteration failed");
+	if (result != ISC_R_NOMORE)
+		fatal("rdataset iteration for name '%s' failed: %s",
+		      nametostr(name), isc_result_totext(result));
 	dns_rdatasetiter_destroy(&rdsiter);
 }
 
@@ -694,10 +960,11 @@ active_node(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
 		if (!active)
 			result = dns_rdatasetiter_next(rdsiter);
 		else
-			result = DNS_R_NOMORE;
+			result = ISC_R_NOMORE;
 	}
-	if (result != DNS_R_NOMORE)
-		fatal("rdataset iteration failed");
+	if (result != ISC_R_NOMORE)
+		fatal("rdataset iteration failed: %s",
+		      isc_result_totext(result));
 	dns_rdatasetiter_destroy(&rdsiter);
 
 	if (!active) {
@@ -786,12 +1053,14 @@ signzone(dns_db_t *db, dns_dbversion_t *version) {
 	dns_rdataset_init(&soaset);
 	result = dns_db_find(db, origin, version, dns_rdatatype_soa,
 			     0, 0, NULL, name, &soaset, NULL);
-	check_result(result, "dns_db_find");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find '%s SOA' in the zone: %s",
+		      nametostr(name), isc_result_totext(result));
 	result = dns_rdataset_first(&soaset);
-	check_result(result, "dns_rdataset_first");
+	check_result(result, "dns_rdataset_first()");
 	dns_rdataset_current(&soaset, &soarr);
 	result = dns_rdata_tostruct(&soarr, &soa, mctx);
-	check_result(result, "dns_rdataset_tostruct");
+	check_result(result, "dns_rdataset_tostruct()");
 	zonettl = soa.minimum;
 	dns_rdata_freestruct(&soa);
 	dns_rdataset_disassociate(&soaset);
@@ -828,7 +1097,8 @@ signzone(dns_db_t *db, dns_dbversion_t *version) {
 				result = dns_rdatasetiter_next(rdsiter);
 			}
 			if (result != ISC_R_SUCCESS && result != ISC_R_NOMORE)
-				fatal("rdataset iteration failed");
+				fatal("rdataset iteration failed: %s",
+				      isc_result_totext(result));
 			if (result == ISC_R_SUCCESS) {
 				if (lastcut != NULL)
 					dns_name_free(lastcut, mctx);
@@ -836,11 +1106,11 @@ signzone(dns_db_t *db, dns_dbversion_t *version) {
 					lastcut = isc_mem_get(mctx,
 							sizeof(dns_name_t));
 					if (lastcut == NULL)
-						fatal("allocation failure");
+						fatal("out of memory");
 				}
 				dns_name_init(lastcut, NULL);
 				result = dns_name_dup(curname, mctx, lastcut);
-				check_result(result, "dns_name_dup");
+				check_result(result, "dns_name_dup()");
 			}
 			dns_rdatasetiter_destroy(&rdsiter);
 		}
@@ -850,11 +1120,12 @@ signzone(dns_db_t *db, dns_dbversion_t *version) {
 					      &nextnode, origin, lastcut);
 		if (result == ISC_R_SUCCESS)
 			target = nextname;
-		else if (result == DNS_R_NOMORE)
+		else if (result == ISC_R_NOMORE)
 			target = origin;
 		else {
 			target = NULL;	/* Make compiler happy. */
-			fatal("db iteration failed");
+			fatal("iterating through the database failed: %s",
+			      isc_result_totext(result));
 		}
 		nxtresult = dns_buildnxt(db, version, node, target, zonettl);
 		check_result(nxtresult, "dns_buildnxt()");
@@ -864,8 +1135,9 @@ signzone(dns_db_t *db, dns_dbversion_t *version) {
 		dns_db_detachnode(db, &curnode);
 		node = nextnode;
 	}
-	if (result != DNS_R_NOMORE)
-		fatal("db iteration failed");
+	if (result != ISC_R_NOMORE)
+		fatal("iterating through the database failed: %s",
+		      isc_result_totext(result));
 	if (lastcut != NULL) {
 		dns_name_free(lastcut, mctx);
 		isc_mem_put(mctx, lastcut, sizeof(dns_name_t));
@@ -874,7 +1146,7 @@ signzone(dns_db_t *db, dns_dbversion_t *version) {
 }
 
 static void
-loadzone(char *file, char *origin, dns_zone_t **zone) {
+loadzone(char *file, char *origin, dns_db_t **db) {
 	isc_buffer_t b, b2;
 	unsigned char namedata[1024];
 	int len;
@@ -882,44 +1154,32 @@ loadzone(char *file, char *origin, dns_zone_t **zone) {
 	isc_result_t result;
 
 	len = strlen(origin);
-	isc_buffer_init(&b, origin, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&b, origin, len);
 	isc_buffer_add(&b, len);
 
-	isc_buffer_init(&b2, namedata, sizeof(namedata), ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&b2, namedata, sizeof(namedata));
 
 	dns_name_init(&name, NULL);
 	result = dns_name_fromtext(&name, &b, dns_rootname, ISC_FALSE, &b2);
-	check_result(result, "dns_name_fromtext()");
-
-	result = dns_zone_create(zone, mctx);
-	check_result(result, "dns_zone_create()");
-
-	dns_zone_settype(*zone, dns_zone_master);
-
-	result = dns_zone_setdbtype(*zone, "rbt");
-	check_result(result, "dns_zone_setdbtype()");
-
-	result = dns_zone_setdatabase(*zone, file);
-	check_result(result, "dns_zone_setdatabase()");
-
-	result = dns_zone_setorigin(*zone, &name);
-	check_result(result, "dns_zone_origin()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed converting name '%s' to dns format: %s",
+		      origin, isc_result_totext(result));
 
-	dns_zone_setclass(*zone, dns_rdataclass_in); /* XXX */
+	result = dns_db_create(mctx, "rbt", &name, ISC_FALSE,
+			       dns_rdataclass_in, 0, NULL, db);
+	check_result(result, "dns_db_create()");
 
-	result = dns_zone_load(*zone);
-	check_result(result, "dns_zone_load()");
+	result = dns_db_load(*db, file);
+	if (result != ISC_R_SUCCESS)
+		fatal("failed loading zone from '%s': %s",
+		      file, isc_result_totext(result));
 }
 
 static void
-getdb(dns_zone_t *zone, dns_db_t **db, dns_dbversion_t **version) {
+getversion(dns_db_t *db, dns_dbversion_t **version) {
 	isc_result_t result;
 
-	*db = NULL;
-	result = dns_zone_getdb(zone, db);
-	check_result(result, "dns_zone_getdb()");
-
-	result = dns_db_newversion(*db, version);
+	result = dns_db_newversion(db, version);
 	check_result(result, "dns_db_newversion()");
 }
 
@@ -939,20 +1199,24 @@ loadzonekeys(dns_db_t *db, dns_dbversion_t *version) {
 
 	node = NULL;
 	result = dns_db_findnode(db, origin, ISC_FALSE, &node);
-	check_result(result, "dns_db_findnode()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find the zone's origin: %s",
+		      isc_result_totext(result));
 
 	result = dns_dnssec_findzonekeys(db, version, node, origin, mctx,
 					 20, keys, &nkeys);
 	if (result == ISC_R_NOTFOUND)
 		result = ISC_R_SUCCESS;
-	check_result(result, "dns_dnssec_findzonekeys()");
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find the zone keys: %s",
+		      isc_result_totext(result));
 
 	for (i = 0; i < nkeys; i++) {
 		signer_key_t *key;
 
 		key = isc_mem_get(mctx, sizeof(signer_key_t));
 		if (key == NULL)
-			check_result(ISC_R_FAILURE, "isc_mem_get(key)");
+			fatal("out of memory");
 		key->key = keys[i];
 		key->isdefault = ISC_FALSE;
 
@@ -961,21 +1225,6 @@ loadzonekeys(dns_db_t *db, dns_dbversion_t *version) {
 	dns_db_detachnode(db, &node);
 }
 
-static void
-dumpzone(dns_zone_t *zone, char *filename) {
-	isc_result_t result;
-	FILE *fp;
-
-	fp = fopen(filename, "w");
-	if (fp == NULL) {
-		fprintf(stderr, "failure opening %s\n", filename);
-		exit(-1);
-	}
-	result = dns_zone_dumptostream(zone, fp);
-	check_result(result, "dns_zone_dump");
-	fclose(fp);
-}
-
 static isc_stdtime_t
 strtotime(char *str, isc_int64_t now, isc_int64_t base) {
 	isc_int64_t val, offset;
@@ -992,10 +1241,11 @@ strtotime(char *str, isc_int64_t now, isc_int64_t base) {
 	}
 	else {
 		result = dns_time64_fromtext(str, &val);
-		check_result(result, "dns_time64_fromtext()");
+		if (result != ISC_R_SUCCESS)
+			fatal("time %s must be numeric", str);
 	}
 	if (*endp != '\0')
-		check_result(ISC_R_FAILURE, "strtol()");
+		fatal("time value %s is invalid", str);
 
 	return ((isc_stdtime_t) val);
 }
@@ -1003,7 +1253,7 @@ strtotime(char *str, isc_int64_t now, isc_int64_t base) {
 static void
 usage() {
 	fprintf(stderr, "Usage:\n");
-	fprintf(stderr, "\tsigner [options] zonefile [keys]\n");
+	fprintf(stderr, "\t%s [options] zonefile [keys]\n", PROGRAM);
 
 	fprintf(stderr, "\n");
 
@@ -1013,7 +1263,8 @@ usage() {
 	fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
 	fprintf(stderr, "\t\tSIG end time  - absolute|from start|from now (now + 30 days)\n");
 	fprintf(stderr, "\t-c ttl:\n");
-	fprintf(stderr, "\t\tcycle period - regenerate if < cycle from end ( (end-start)/4 )\n");
+	fprintf(stderr, "\t\tcycle period - regenerate "
+				"if < cycle from end ( (end-start)/4 )\n");
 	fprintf(stderr, "\t-v level:\n");
 	fprintf(stderr, "\t\tverbose level (0)\n");
 	fprintf(stderr, "\t-o origin:\n");
@@ -1022,87 +1273,119 @@ usage() {
 	fprintf(stderr, "\t\tfile the signed zone is written in " \
 			"(zonefile + .signed)\n");
 	fprintf(stderr, "\t-a:\n");
-	fprintf(stderr, "\t\tverify generated signatures (if currently valid)\n");
+	fprintf(stderr, "\t\tverify generated signatures "
+					"(if currently valid)\n");
 
 	fprintf(stderr, "\n");
 
 	fprintf(stderr, "Signing Keys: ");
 	fprintf(stderr, "(default: all zone keys that have private keys)\n");
-	fprintf(stderr, "\tid:\t\t");
-	fprintf(stderr, "zone key with matching keyid\n");
-	fprintf(stderr, "\tid/alg:\t\t");
-	fprintf(stderr, "zone key with matching keyid and algorithm\n");
-	fprintf(stderr, "\tname/id/alg:\t");
-	fprintf(stderr, "key with matching name, keyid and algorithm\n");
+	fprintf(stderr, "\tkeyfile (Kname+alg+id)\n");
 	exit(0);
 }
 
+static void
+setup_logging(int level, isc_log_t **logp) {
+	isc_result_t result;
+	isc_logdestination_t destination;
+	isc_logconfig_t *logconfig;
+	isc_log_t *log = 0;
+	
+	RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig)
+		      == ISC_R_SUCCESS);
+	isc_log_setcontext(log);
+	dns_log_init(log);
+	dns_log_setcontext(log);
+	
+	/*
+	 * Set up a channel similar to default_stderr except:
+	 *  - the logging level is passed in
+	 *  - the logging level is printed
+	 *  - no time stamp is printed
+	 */
+	destination.file.stream = stderr;
+	destination.file.name = NULL;
+	destination.file.versions = ISC_LOG_ROLLNEVER;
+	destination.file.maximum_size = 0;
+	result = isc_log_createchannel(logconfig, "stderr",
+				       ISC_LOG_TOFILEDESC,
+				       level,
+				       &destination,
+				       ISC_LOG_PRINTLEVEL);
+	check_result(result, "isc_log_createchannel()");
+
+	RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr",
+					 NULL, NULL) == ISC_R_SUCCESS);
+
+	*logp = log;
+}
+
 int
 main(int argc, char *argv[]) {
 	int i, ch;
 	char *startstr = NULL, *endstr = NULL;
 	char *origin = NULL, *file = NULL, *output = NULL;
 	char *endp;
-	dns_zone_t *zone;
 	dns_db_t *db;
 	dns_dbversion_t *version;
 	signer_key_t *key;
 	isc_result_t result;
 	isc_log_t *log = NULL;
-	isc_logconfig_t *logconfig;
+	int loglevel;
 
 	dns_result_register();
 
 	result = isc_mem_create(0, 0, &mctx);
-	check_result(result, "isc_mem_create()");
+	if (result != ISC_R_SUCCESS)
+		fatal("out of memory");
 
-	while ((ch = isc_commandline_parse(argc, argv, "s:e:c:v:o:f:ah")) != -1)
-	{
+	while ((ch = isc_commandline_parse(argc, argv, "s:e:c:v:o:f:ah"))
+	       != -1) {
 		switch (ch) {
 		case 's':
 			startstr = isc_mem_strdup(mctx,
 						  isc_commandline_argument);
 			if (startstr == NULL)
-				check_result(ISC_R_FAILURE, "isc_mem_strdup()");
+				fatal("out of memory");
 			break;
 
 		case 'e':
 			endstr = isc_mem_strdup(mctx,
 						isc_commandline_argument);
 			if (endstr == NULL)
-				check_result(ISC_R_FAILURE, "isc_mem_strdup()");
+				fatal("out of memory");
 			break;
 
 		case 'c':
 			endp = NULL;
 			cycle = strtol(isc_commandline_argument, &endp, 0);
 			if (*endp != '\0')
-				check_result(ISC_R_FAILURE, "strtol()");
+				fatal("cycle period must be numeric");
 			break;
 
 		case 'v':
 			endp = NULL;
 			verbose = strtol(isc_commandline_argument, &endp, 0);
 			if (*endp != '\0')
-				check_result(ISC_R_FAILURE, "strtol()");
+				fatal("verbose level must be numeric");
 			break;
 
 		case 'o':
 			origin = isc_mem_strdup(mctx,
 						isc_commandline_argument);
 			if (origin == NULL)
-				check_result(ISC_R_FAILURE, "isc_mem_strdup()");
+				fatal("out of memory");
 			break;
 
 		case 'f':
 			output = isc_mem_strdup(mctx,
 						isc_commandline_argument);
 			if (output == NULL)
-				check_result(ISC_R_FAILURE, "isc_mem_strdup()");
+				fatal("out of memory");
 			break;
 
 		case 'a':
-			tryverify = 1;
+			tryverify = ISC_TRUE;
 			break;
 
 		case 'h':
@@ -1132,14 +1415,23 @@ main(int argc, char *argv[]) {
 		cycle = (endtime - starttime) / 4;
 	}
 
-	if (verbose > 0) {
-		RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig)
-			      == ISC_R_SUCCESS);
-		dns_log_init(log);
-		RUNTIME_CHECK(isc_log_usechannel(logconfig, "default_stderr",
-						 NULL, NULL) == ISC_R_SUCCESS);
+	switch (verbose) {
+	case 0:
+		/*
+		 * We want to see warnings about things like out-of-zone
+		 * data in the master file even when not verbose.
+		 */
+		loglevel = ISC_LOG_WARNING;
+		break;
+	case 1:
+		loglevel = ISC_LOG_INFO;
+		break;
+	default:
+		loglevel = ISC_LOG_DEBUG(verbose - 2 + 1);
+		break;
 	}
-
+	setup_logging(loglevel, &log);
+	
 	argc -= isc_commandline_index;
 	argv += isc_commandline_index;
 
@@ -1148,34 +1440,33 @@ main(int argc, char *argv[]) {
 
 	file = isc_mem_strdup(mctx, argv[0]);
 	if (file == NULL)
-		check_result(ISC_R_FAILURE, "isc_mem_strdup()");
+		fatal("out of memory");
 
 	argc -= 1;
 	argv += 1;
 
 	if (output == NULL) {
 		output = isc_mem_allocate(mctx,
-					  strlen(file) + strlen(".signed") + 1);
+					 strlen(file) + strlen(".signed") + 1);
 		if (output == NULL)
-			check_result(ISC_R_FAILURE, "isc_mem_allocate()");
+			fatal("out of memory");
 		sprintf(output, "%s.signed", file);
 	}
 
 	if (origin == NULL) {
 		origin = isc_mem_allocate(mctx, strlen(file) + 2);
 		if (origin == NULL)
-			check_result(ISC_R_FAILURE, "isc_mem_allocate()");
+			fatal("out of memory");
 		strcpy(origin, file);
 		if (file[strlen(file) - 1] != '.')
 			strcat(origin, ".");
 	}
 
-	zone = NULL;
-	loadzone(file, origin, &zone);
-
 	db = NULL;
+	loadzone(file, origin, &db);
+
 	version = NULL;
-	getdb(zone, &db, &version);
+	getversion(db, &version);
 
 	ISC_LIST_INIT(keylist);
 	loadzonekeys(db, version);
@@ -1191,87 +1482,77 @@ main(int argc, char *argv[]) {
 	}
 	else {
 		for (i = 0; i < argc; i++) {
-			int id, alg;
-			char *idstr = NULL, *name = NULL, *algstr = NULL, *s;
-
-			idstr = argv[i];
-			algstr = strchr(idstr, '/');
-			if (algstr != NULL) {
-				*algstr++ = 0;
-				s = strchr(algstr, '/');
-				if (s != NULL) {
-					*s++ = 0;
-					name = idstr;
-					idstr = algstr;
-					algstr = s;
-				}
-			}
+			isc_uint16_t id;
+			int alg;
+			char *namestr = NULL;
+			isc_buffer_t b;
+
+			isc_buffer_init(&b, argv[i], strlen(argv[i]));
+			isc_buffer_add(&b, strlen(argv[i]));
+			result = dst_key_parsefilename(&b, mctx, &namestr,
+						       &id, &alg, NULL);
+			if (result != ISC_R_SUCCESS)
+				usage();
 
-			endp = NULL;
-			id = strtol(idstr, &endp, 0);
-			if (*endp != '\0')
-				check_result(ISC_R_FAILURE, "strtol");
-
-			if (algstr != NULL) {
-				endp = NULL;
-				alg = strtol(algstr, &endp, 0);
-				if (*endp != '\0')
-					check_result(ISC_R_FAILURE, "strtol");
-			}
-			else
-				alg = 0;
-
-			if (name == NULL)
-				name = origin;
 			key = ISC_LIST_HEAD(keylist);
 			while (key != NULL) {
 				dst_key_t *dkey = key->key;
 				if (dst_key_id(dkey) == id &&
-				    (alg == 0 || dst_key_alg(dkey) == alg) &&
-				    strcasecmp(name, dst_key_name(dkey)) == 0)
+				    dst_key_alg(dkey) == alg &&
+				    strcasecmp(namestr,
+					       dst_key_name(dkey)) == 0)
 				{
 					key->isdefault = ISC_TRUE;
 					if (!dst_key_isprivate(dkey))
-						check_result
-							(DST_R_NOTPRIVATEKEY,
-							 "key specify");
-					if (alg == 0)
-						alg = dst_key_alg(dkey);
+						fatal("cannot sign zone with "
+						      "non-private key "
+						      "'%s/%s/%d'",
+						      dst_key_name(dkey),
+						      algtostr(dst_key_alg(dkey)),
+						      dst_key_id(dkey));
 					break;
 				}
 				key = ISC_LIST_NEXT(key, link);
 			}
-			if (key == NULL && alg != 0) {
+			if (key == NULL) {
 				dst_key_t *dkey = NULL;
-				result = dst_key_fromfile(name, id, alg,
+				result = dst_key_fromfile(namestr, id, alg,
 							  DST_TYPE_PRIVATE,
 							  mctx, &dkey);
-				check_result (result, "dst_key_fromfile");
+				if (result != ISC_R_SUCCESS)
+					fatal("failed to load key '%s/%s/%d' "
+					      "from disk: %s", namestr,
+					      algtostr(alg), id,
+					      isc_result_totext(result));
 				key = isc_mem_get(mctx, sizeof(signer_key_t));
 				if (key == NULL)
-					check_result(ISC_R_FAILURE,
-						     "isc_mem_get");
+					fatal("out of memory");
 				key->key = dkey;
 				key->isdefault = ISC_TRUE;
 				ISC_LIST_APPEND(keylist, key, link);
 			}
-			else
-				printf("Ignoring key with algorithm 0\n");
+		isc_mem_put(mctx, namestr, strlen(namestr) + 1);
 		}
 	}
 
 	signzone(db, version);
 
-	/* should we update the SOA serial? */
+	/*
+	 * Should we update the SOA serial?
+	 */
+
+	result = dns_db_dump(db, version, output);
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to write new database to '%s': %s",
+		      output, isc_result_totext(result));
 	dns_db_closeversion(db, &version, ISC_TRUE);
-	dumpzone(zone, output);
+
 	dns_db_detach(&db);
-	dns_zone_detach(&zone);
 
 	key = ISC_LIST_HEAD(keylist);
 	while (key != NULL) {
 		signer_key_t *next = ISC_LIST_NEXT(key, link);
-		dst_key_free(key->key);
+		dst_key_free(&key->key);
 		isc_mem_put(mctx, key, sizeof(signer_key_t));
 		key = next;
 	}
diff --git a/bin/lwresd/Makefile.in b/bin/lwresd/Makefile.in
index f7a85932..9eedb76d 100644
--- a/bin/lwresd/Makefile.in
+++ b/bin/lwresd/Makefile.in
@@ -27,12 +27,19 @@ CINCLUDES =	\
 CDEFINES =	
 CWARNINGS =
 
-DEPLIBS =	../../lib/lwres/liblwres.@A@ \
-		../../lib/dns/libdns.@A@ \
-		../../lib/isc/libisc.@A@
+OMAPILIBS =	../../lib/omapi/libomapi.@A@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@
+LWRESLIBS =	../../lib/lwres/liblwres.@A@
 
-LIBS =		${DEPLIBS} \
-		@LIBS@
+OMAPIDEPLIBS =	../../lib/omapi/libomapi.@A@
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+LWRESDEPLIBS =	../../lib/lwres/liblwres.@A@
+
+DEPLIBS =	${OMAPIDEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS} ${LWRESDEPLIBS}
+
+LIBS =		${OMAPILIBS} ${DNSLIBS} ${ISCLIBS} ${LWRESLIBS} @LIBS@
 
 TARGETS =	lwresd
 
diff --git a/bin/lwresd/client.c b/bin/lwresd/client.c
index 13d6d9a0..1aec4334 100644
--- a/bin/lwresd/client.c
+++ b/bin/lwresd/client.c
@@ -17,23 +17,18 @@
 
 #include <config.h>
 
-#include <sys/types.h>
-
-#include <isc/assertions.h>
-#include <isc/mem.h>
-#include <isc/result.h>
-#include <isc/sockaddr.h>
 #include <isc/socket.h>
+#include <isc/string.h>
 #include <isc/task.h>
 #include <isc/util.h>
 
-#include <lwres/lwres.h>
+#include <dns/view.h>
+#include <dns/log.h>
 
 #include "client.h"
 
 void
-DP(int level, char *format, ...)
-{
+DP(int level, char *format, ...) {
 	va_list args;
 
 	va_start(args, format);
@@ -44,8 +39,7 @@ DP(int level, char *format, ...)
 }
 
 void
-hexdump(char *msg, void *base, size_t len)
-{
+hexdump(char *msg, void *base, size_t len) {
 	unsigned char *p;
 	unsigned int cnt;
 	char buffer[180];
@@ -85,8 +79,7 @@ hexdump(char *msg, void *base, size_t len)
 }
 
 static void
-clientmgr_can_die(clientmgr_t *cm)
-{
+clientmgr_can_die(clientmgr_t *cm) {
 	if ((cm->flags & CLIENTMGR_FLAG_SHUTTINGDOWN) == 0)
 		return;
 
@@ -99,8 +92,7 @@ clientmgr_can_die(clientmgr_t *cm)
 }
 
 static void
-process_request(client_t *client)
-{
+process_request(client_t *client) {
 	lwres_buffer_t b;
 	isc_result_t result;
 
@@ -139,9 +131,8 @@ process_request(client_t *client)
 }
 
 void
-client_recv(isc_task_t *task, isc_event_t *ev)
-{
-	client_t *client = ev->arg;
+client_recv(isc_task_t *task, isc_event_t *ev) {
+	client_t *client = ev->ev_arg;
 	clientmgr_t *cm = client->clientmgr;
 	isc_socketevent_t *dev = (isc_socketevent_t *)ev;
 
@@ -186,8 +177,7 @@ client_recv(isc_task_t *task, isc_event_t *ev)
  * This function will start a new recv() on a socket for this client manager.
  */
 isc_result_t
-client_start_recv(clientmgr_t *cm)
-{
+client_start_recv(clientmgr_t *cm) {
 	client_t *client;
 	isc_result_t result;
 	isc_region_t r;
@@ -236,12 +226,11 @@ client_start_recv(clientmgr_t *cm)
 }
 
 void
-client_shutdown(isc_task_t *task, isc_event_t *ev)
-{
-	clientmgr_t *cm = ev->arg;
+client_shutdown(isc_task_t *task, isc_event_t *ev) {
+	clientmgr_t *cm = ev->ev_arg;
 
 	REQUIRE(task == cm->task);
-	REQUIRE(ev->type == LWRD_SHUTDOWN);
+	REQUIRE(ev->ev_type == LWRD_SHUTDOWN);
 	REQUIRE((cm->flags & CLIENTMGR_FLAG_SHUTTINGDOWN) == 0);
 
 	DP(50, "Got shutdown event, task %p", task);
@@ -266,8 +255,7 @@ client_shutdown(isc_task_t *task, isc_event_t *ev)
  * queue.
  */
 void
-client_state_idle(client_t *client)
-{
+client_state_idle(client_t *client) {
 	clientmgr_t *cm;
 
 	cm = client->clientmgr;
@@ -289,14 +277,14 @@ client_state_idle(client_t *client)
 }
 
 void
-client_send(isc_task_t *task, isc_event_t *ev)
-{
-	client_t *client = ev->arg;
+client_send(isc_task_t *task, isc_event_t *ev) {
+	client_t *client = ev->ev_arg;
 	clientmgr_t *cm = client->clientmgr;
 	isc_socketevent_t *dev = (isc_socketevent_t *)ev;
 
 	UNUSED(task);
-
+	UNUSED(dev);
+	
 	INSIST(CLIENT_ISSEND(client));
 	INSIST(client->sendbuf == dev->region.base);
 
@@ -314,8 +302,7 @@ client_send(isc_task_t *task, isc_event_t *ev)
 }
 
 void
-client_initialize(client_t *client, clientmgr_t *cmgr)
-{
+client_initialize(client_t *client, clientmgr_t *cmgr) {
 	client->clientmgr = cmgr;
 	ISC_LINK_INIT(client, link);
 	CLIENT_SETIDLE(client);
@@ -339,8 +326,7 @@ client_initialize(client_t *client, clientmgr_t *cmgr)
 }
 
 void
-client_init_aliases(client_t *client)
-{
+client_init_aliases(client_t *client) {
 	int i;
 
 	for (i = 0 ; i < LWRES_MAX_ALIASES ; i++) {
@@ -356,8 +342,7 @@ client_init_aliases(client_t *client)
 }
 
 void
-client_init_gabn(client_t *client)
-{
+client_init_gabn(client_t *client) {
 	/*
 	 * Initialize the real name and alias arrays in the reply we're
 	 * going to build up.
@@ -377,12 +362,11 @@ client_init_gabn(client_t *client)
 	 * Set up the internal buffer to point to the receive region.
 	 */
 	isc_buffer_init(&client->recv_buffer, client->buffer,
-			LWRES_RECVLENGTH, ISC_BUFFERTYPE_TEXT);
+			LWRES_RECVLENGTH);
 }
 
 void
-client_init_gnba(client_t *client)
-{
+client_init_gnba(client_t *client) {
 	/*
 	 * Initialize the real name and alias arrays in the reply we're
 	 * going to build up.
@@ -397,5 +381,5 @@ client_init_gnba(client_t *client)
 	client->gnba.baselen = 0;
 
 	isc_buffer_init(&client->recv_buffer, client->buffer,
-			LWRES_RECVLENGTH, ISC_BUFFERTYPE_TEXT);
+			LWRES_RECVLENGTH);
 }
diff --git a/bin/lwresd/client.h b/bin/lwresd/client.h
index 111abb44..d1f9b14f 100644
--- a/bin/lwresd/client.h
+++ b/bin/lwresd/client.h
@@ -20,23 +20,14 @@
 
 #include <isc/event.h>
 #include <isc/eventclass.h>
-#include <isc/list.h>
-#include <isc/log.h>
-#include <isc/mem.h>
 #include <isc/netaddr.h>
 #include <isc/sockaddr.h>
-#include <isc/socket.h>
-#include <isc/task.h>
+#include <isc/types.h>
 
-#include <dns/adb.h>
-#include <dns/byaddr.h>
-#include <dns/cache.h>
-#include <dns/db.h>
 #include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/master.h>
-#include <dns/name.h>
-#include <dns/view.h>
+#include <dns/types.h>
+
+#include <lwres/lwres.h>
 
 #define LWRD_EVENTCLASS		ISC_EVENTCLASS(4242)
 
diff --git a/bin/lwresd/err_pkt.c b/bin/lwresd/err_pkt.c
index 1d2d3b0f..8d170a55 100644
--- a/bin/lwresd/err_pkt.c
+++ b/bin/lwresd/err_pkt.c
@@ -17,21 +17,9 @@
 
 #include <config.h>
 
-#include <sys/types.h>
-
-#include <isc/assertions.h>
-#include <isc/mem.h>
-#include <isc/result.h>
-#include <isc/sockaddr.h>
 #include <isc/socket.h>
-#include <isc/task.h>
 #include <isc/util.h>
 
-#include <dns/fixedname.h>
-
-#include <lwres/lwres.h>
-#include <lwres/result.h>
-
 #include "client.h"
 
 /*
@@ -47,8 +35,7 @@
  * size we use, set the reply bit, and recompute any security information.
  */
 void
-error_pkt_send(client_t *client, isc_uint32_t _result)
-{
+error_pkt_send(client_t *client, isc_uint32_t _result) {
 	isc_result_t result;
 	int lwres;
 	isc_region_t r;
@@ -65,7 +52,7 @@ error_pkt_send(client_t *client, isc_uint32_t _result)
 	 * for sending an error reply.  This is a Good Thing.
 	 */
 	client->pkt.length = LWRES_LWPACKET_LENGTH;
-	client->pkt.flags |= LWRES_LWPACKETFLAG_RESPONSE;
+	client->pkt.pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
 	client->pkt.recvlength = LWRES_RECVLENGTH;
 	client->pkt.authtype = 0; /* XXXMLG */
 	client->pkt.authlength = 0;
@@ -90,7 +77,3 @@ error_pkt_send(client_t *client, isc_uint32_t _result)
 
 	CLIENT_SETSEND(client);
 }
-
-
-
-
diff --git a/bin/lwresd/main.c b/bin/lwresd/main.c
index 21795b3a..dc220357 100644
--- a/bin/lwresd/main.c
+++ b/bin/lwresd/main.c
@@ -17,25 +17,21 @@
 
 #include <config.h>
 
-#include <sys/types.h>
-
 #include <isc/app.h>
-#include <isc/assertions.h>
-#include <isc/event.h>
 #include <isc/mem.h>
-#include <isc/log.h>
-#include <isc/result.h>
-#include <isc/sockaddr.h>
-#include <isc/socket.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
 #include <isc/task.h>
+#include <isc/timer.h>
 #include <isc/util.h>
 
+#include <dns/cache.h>
+#include <dns/db.h>
+#include <dns/dispatch.h>
+#include <dns/log.h>
 #include <dns/resolver.h>
+#include <dns/result.h>
 #include <dns/rootns.h>
-#include <dns/log.h>
-
-#include <lwres/lwres.h>
-#include <lwres/result.h>
+#include <dns/view.h>
 
 #include "client.h"
 
@@ -58,12 +54,12 @@ dns_view_t *view;
 isc_taskmgr_t *taskmgr;
 isc_socketmgr_t *sockmgr;
 isc_timermgr_t *timermgr;
+dns_dispatchmgr_t *dispatchmgr;
 
 isc_sockaddrlist_t forwarders;
 
 static isc_result_t
-create_view(isc_mem_t *mctx)
-{
+create_view(isc_mem_t *mctx) {
 	dns_cache_t *cache;
 	isc_result_t result;
 	dns_db_t *rootdb;
@@ -94,7 +90,7 @@ create_view(isc_mem_t *mctx)
 	 * XXXMLG hardwired number of tasks.
 	 */
 	result = dns_view_createresolver(view, taskmgr, 16, sockmgr,
-					 timermgr, 0, NULL, NULL);
+					 timermgr, 0, dispatchmgr, NULL, NULL);
 	if (result != ISC_R_SUCCESS)
 		goto out;
 
@@ -137,20 +133,17 @@ out:
  * Wrappers around our memory management stuff, for the lwres functions.
  */
 static void *
-mem_alloc(void *arg, size_t size)
-{
+mem_alloc(void *arg, size_t size) {
 	return (isc_mem_get(arg, size));
 }
 
 static void
-mem_free(void *arg, void *mem, size_t size)
-{
+mem_free(void *arg, void *mem, size_t size) {
 	isc_mem_put(arg, mem, size);
 }
 
 static void
-parse_resolv_conf(isc_mem_t *mem)
-{
+parse_resolv_conf(isc_mem_t *mem) {
 	lwres_context_t *lwctx;
 	lwres_conf_t *lwc;
 	int lwresult;
@@ -208,8 +201,7 @@ parse_resolv_conf(isc_mem_t *mem)
 }
 
 int
-main(int argc, char **argv)
-{
+main(int argc, char **argv) {
 	isc_mem_t *mem;
 	isc_socket_t *sock;
 	isc_sockaddr_t localhost;
@@ -239,7 +231,9 @@ main(int argc, char **argv)
 	lctx = NULL;
         result = isc_log_create(mem, &lctx, &lcfg);
 	INSIST(result == ISC_R_SUCCESS);
+	isc_log_setcontext(lctx);
 	dns_log_init(lctx);
+	dns_log_setcontext(lctx);
 
 	destination.file.stream = stderr;
 	destination.file.name = NULL;
@@ -280,6 +274,13 @@ main(int argc, char **argv)
 	INSIST(result == ISC_R_SUCCESS);
 
 	/*
+	 * Create a dispatch manager.
+	 */
+	dispatchmgr = NULL;
+	result = dns_dispatchmgr_create(mem, &dispatchmgr);
+	INSIST(result == ISC_R_SUCCESS);
+
+	/*
 	 * Read resolv.conf to get our forwarders.
 	 */
 	ISC_LIST_INIT(forwarders);
@@ -325,7 +326,7 @@ main(int argc, char **argv)
 			       NULL, NULL);
 		ISC_LIST_INIT(cmgr[i].idle);
 		ISC_LIST_INIT(cmgr[i].running);
-		result = isc_task_create(taskmgr, mem, 0, &cmgr[i].task);
+		result = isc_task_create(taskmgr, 0, &cmgr[i].task);
 		if (result != ISC_R_SUCCESS)
 			break;
 		isc_task_setname(cmgr[i].task, "lwresd client", &cmgr[i]);
diff --git a/bin/lwresd/process_gabn.c b/bin/lwresd/process_gabn.c
index 5781e9f6..2e39e85e 100644
--- a/bin/lwresd/process_gabn.c
+++ b/bin/lwresd/process_gabn.c
@@ -17,22 +17,13 @@
 
 #include <config.h>
 
-#include <sys/types.h>
-
-#include <isc/assertions.h>
-#include <isc/mem.h>
-#include <isc/result.h>
-#include <isc/sockaddr.h>
 #include <isc/socket.h>
-#include <isc/task.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
 #include <isc/util.h>
 
-#include <dns/fixedname.h>
 #include <dns/adb.h>
 #include <dns/events.h>
-
-#include <lwres/lwres.h>
-#include <lwres/result.h>
+#include <dns/result.h>
 
 #include "client.h"
 
@@ -48,8 +39,7 @@ static void start_find(client_t *);
  * should only be called when events are _not_ being generated by the finds.
  */
 static void
-cleanup_gabn(client_t *client)
-{
+cleanup_gabn(client_t *client) {
 	dns_adbfind_t *v4;
 
 	DP(50, "Cleaning up client %p", client);
@@ -67,8 +57,7 @@ cleanup_gabn(client_t *client)
 }
 
 static void
-setup_addresses(client_t *client, dns_adbfind_t *find, unsigned int at)
-{
+setup_addresses(client_t *client, dns_adbfind_t *find, unsigned int at) {
 	dns_adbaddrinfo_t *ai;
 	lwres_addr_t *addr;
 	int af;
@@ -119,8 +108,7 @@ setup_addresses(client_t *client, dns_adbfind_t *find, unsigned int at)
 }
 
 static void
-generate_reply(client_t *client)
-{
+generate_reply(client_t *client) {
 	isc_result_t result;
 	int lwres;
 	isc_region_t r;
@@ -215,8 +203,7 @@ generate_reply(client_t *client)
  * not having enough alias slots open is NOT a failure.
  */
 static isc_result_t
-add_alias(client_t *client)
-{
+add_alias(client_t *client) {
 	isc_buffer_t b;
 	isc_result_t result;
 	isc_uint16_t naliases;
@@ -251,8 +238,7 @@ add_alias(client_t *client)
 }
 
 static isc_result_t
-store_realname(client_t *client)
-{
+store_realname(client_t *client) {
 	isc_buffer_t b;
 	isc_result_t result;
 
@@ -276,15 +262,14 @@ store_realname(client_t *client)
 }
 
 static void
-process_gabn_finddone(isc_task_t *task, isc_event_t *ev)
-{
-	client_t *client = ev->arg;
-	isc_eventtype_t result;
+process_gabn_finddone(isc_task_t *task, isc_event_t *ev) {
+	client_t *client = ev->ev_arg;
+	isc_eventtype_t evtype;
 	isc_boolean_t claimed;
 
 	DP(50, "Find done for task %p, client %p", task, client);
 
-	result = ev->type;
+	evtype = ev->ev_type;
 	isc_event_free(&ev);
 
 	/*
@@ -292,7 +277,7 @@ process_gabn_finddone(isc_task_t *task, isc_event_t *ev)
 	 * right now, so we can render things.
 	 */
 	claimed = ISC_FALSE;
-	if (result == DNS_EVENT_ADBNOMOREADDRESSES) {
+	if (evtype == DNS_EVENT_ADBNOMOREADDRESSES) {
 		if (NEED_V4(client)) {
 			client->v4find = client->find;
 			claimed = ISC_TRUE;
@@ -328,7 +313,7 @@ process_gabn_finddone(isc_task_t *task, isc_event_t *ev)
 	 * We have some new information we can gather.  Run off and fetch
 	 * it.
 	 */
-	if (result == DNS_EVENT_ADBMOREADDRESSES) {
+	if (evtype == DNS_EVENT_ADBMOREADDRESSES) {
 		start_find(client);
 		return;
 	}
@@ -341,8 +326,7 @@ process_gabn_finddone(isc_task_t *task, isc_event_t *ev)
 }
 
 static void
-start_find(client_t *client)
-{
+start_find(client_t *client) {
 	unsigned int options;
 	isc_result_t result;
 	isc_boolean_t claimed;
@@ -482,8 +466,7 @@ start_find(client_t *client)
  * FINDWAIT state if we need to look things up.
  */
 void
-process_gabn(client_t *client, lwres_buffer_t *b)
-{
+process_gabn(client_t *client, lwres_buffer_t *b) {
 	isc_result_t result;
 	lwres_gabnrequest_t *req;
 	isc_buffer_t namebuf;
@@ -497,8 +480,7 @@ process_gabn(client_t *client, lwres_buffer_t *b)
 	if (result != LWRES_R_SUCCESS)
 		goto out;
 
-	isc_buffer_init(&namebuf, req->name, req->namelen,
-			ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&namebuf, req->name, req->namelen);
 	isc_buffer_add(&namebuf, req->namelen);
 
 	dns_fixedname_init(&client->target_name);
diff --git a/bin/lwresd/process_gnba.c b/bin/lwresd/process_gnba.c
index 80957518..3315a724 100644
--- a/bin/lwresd/process_gnba.c
+++ b/bin/lwresd/process_gnba.c
@@ -17,31 +17,20 @@
 
 #include <config.h>
 
-#include <string.h>
-
-#include <sys/types.h>
-
-#include <isc/assertions.h>
-#include <isc/mem.h>
-#include <isc/netaddr.h>
-#include <isc/result.h>
-#include <isc/sockaddr.h>
 #include <isc/socket.h>
-#include <isc/task.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
 #include <isc/util.h>
 
+#include <dns/adb.h>
 #include <dns/byaddr.h>
-
-#include <lwres/lwres.h>
-#include <lwres/result.h>
+#include <dns/result.h>
 
 #include "client.h"
 
 static void start_byaddr(client_t *);
 
 static void
-byaddr_done(isc_task_t *task, isc_event_t *event)
-{
+byaddr_done(isc_task_t *task, isc_event_t *event) {
 	client_t *client;
 	clientmgr_t *cm;
 	dns_byaddrevent_t *bevent;
@@ -55,12 +44,12 @@ byaddr_done(isc_task_t *task, isc_event_t *event)
 	isc_uint16_t naliases;
 	isc_stdtime_t now;
 
-	(void)task;
+	UNUSED(task);
 
 	lwb.base = NULL;
-	client = event->arg;
+	client = event->ev_arg;
 	cm = client->clientmgr;
-	INSIST(client->byaddr == event->sender);
+	INSIST(client->byaddr == event->ev_sender);
 
 	bevent = (dns_byaddrevent_t *)event;
 	gnba = &client->gnba;
@@ -174,8 +163,7 @@ byaddr_done(isc_task_t *task, isc_event_t *event)
 }
 
 static void
-start_byaddr(client_t *client)
-{
+start_byaddr(client_t *client) {
 	isc_result_t result;
 	clientmgr_t *cm;
 
@@ -194,8 +182,7 @@ start_byaddr(client_t *client)
 }
 
 void
-process_gnba(client_t *client, lwres_buffer_t *b)
-{
+process_gnba(client_t *client, lwres_buffer_t *b) {
 	lwres_gnbarequest_t *req;
 	isc_result_t result;
 	isc_sockaddr_t sa;
diff --git a/bin/lwresd/process_noop.c b/bin/lwresd/process_noop.c
index feb2e817..d2d431fa 100644
--- a/bin/lwresd/process_noop.c
+++ b/bin/lwresd/process_noop.c
@@ -17,26 +17,13 @@
 
 #include <config.h>
 
-#include <sys/types.h>
-
-#include <isc/assertions.h>
-#include <isc/mem.h>
-#include <isc/result.h>
-#include <isc/sockaddr.h>
 #include <isc/socket.h>
-#include <isc/task.h>
 #include <isc/util.h>
 
-#include <dns/fixedname.h>
-
-#include <lwres/lwres.h>
-#include <lwres/result.h>
-
 #include "client.h"
 
 void
-process_noop(client_t *client, lwres_buffer_t *b)
-{
+process_noop(client_t *client, lwres_buffer_t *b) {
 	lwres_nooprequest_t *req;
 	lwres_noopresponse_t resp;
 	isc_result_t result;
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 98db3754..ca9d2de9 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -27,12 +27,17 @@ CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include \
 CDEFINES =	
 CWARNINGS =
 
-DEPLIBS =	../../lib/dns/libdns.@A@ \
-		../../lib/omapi/libomapi.@A@ \
-		../../lib/isc/libisc.@A@
+OMAPILIBS =	../../lib/omapi/libomapi.@A@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@
 
-LIBS =		${DEPLIBS} \
-		@LIBS@
+OMAPIDEPLIBS =	../../lib/omapi/libomapi.@A@
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+
+DEPLIBS =	${OMAPIDEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${OMAPILIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
 
 SUBDIRS =	unix
 
@@ -51,7 +56,7 @@ SRCS =		client.c interfacemgr.c listenlist.c \
 @BIND9_MAKE_RULES@
 
 main.@O@: main.c
-	${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
+	${LIBTOOL} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
 		-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
 		-DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c
 
diff --git a/bin/named/client.c b/bin/named/client.c
index 7061ce05..6e4f7164 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -17,17 +17,12 @@
 
 #include <config.h>
 
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/result.h>
+#include <isc/print.h>
 #include <isc/task.h>
+#include <isc/string.h>
 #include <isc/timer.h>
 #include <isc/util.h>
 
-#include <dns/acl.h>
 #include <dns/dispatch.h>
 #include <dns/events.h>
 #include <dns/message.h>
@@ -37,12 +32,9 @@
 #include <dns/view.h>
 #include <dns/zone.h>
 
-#include <named/client.h>
-#include <named/globals.h>
 #include <named/interfacemgr.h>
 #include <named/log.h>
 #include <named/notify.h>
-#include <named/query.h>
 #include <named/server.h>
 #include <named/update.h>
 
@@ -63,16 +55,19 @@
 
 #define NS_CLIENT_TRACE
 #ifdef NS_CLIENT_TRACE
-#define CTRACE(m)	isc_log_write(ns_g_lctx, \
+#define CTRACE(m)	ns_client_log(client, \
 				      NS_LOGCATEGORY_CLIENT, \
 				      NS_LOGMODULE_CLIENT, \
 				      ISC_LOG_DEBUG(3), \
-				      "client %p: %s", client, (m))
+				      "%s", (m))
 #define MTRACE(m)	isc_log_write(ns_g_lctx, \
 				      NS_LOGCATEGORY_GENERAL, \
 				      NS_LOGMODULE_CLIENT, \
 				      ISC_LOG_DEBUG(3), \
-				      "clientmgr %p: %s", manager, (m))
+				      "clientmgr @%p: %s", manager, (m))
+#else
+#define CTRACE(m)	((void)(m))
+#define MTRACE(m)	((void)(m))
 #endif
 
 #define TCP_CLIENT(c)	(((c)->attributes & NS_CLIENTATTR_TCP) != 0)
@@ -166,24 +161,6 @@ static void ns_client_endrequest(ns_client_t *client);
 static void ns_client_checkactive(ns_client_t *client);
 
 /*
- * Format a human-readable representation of the socket address '*sa'
- * into the character array 'array', which is of size 'size'.
- * The resulting string is guaranteed to be null-terminated.
- */
-static void
-sockaddr_format(isc_sockaddr_t *sa, char *array, unsigned int size)
-{
-	isc_result_t result;
-	isc_buffer_t buf;
-	isc_buffer_init(&buf, array, size, ISC_BUFFERTYPE_TEXT);
-	result = isc_sockaddr_totext(sa, &buf);
-	if (result != ISC_R_SUCCESS) {
-		strncpy(array, "<unknown address>", size);
-		array[size-1] = '\0';
-	}
-}
-
-/*
  * Enter the inactive state.
  *
  * Requires:
@@ -192,6 +169,7 @@ sockaddr_format(isc_sockaddr_t *sa, char *array, unsigned int size)
 static void
 client_deactivate(ns_client_t *client) {
 	REQUIRE(NS_CLIENT_VALID(client));
+	
 	if (client->interface)
 		ns_interface_detach(&client->interface);
 
@@ -205,9 +183,7 @@ client_deactivate(ns_client_t *client) {
 			deventp = &client->dispevent;
 		else
 			deventp = NULL;
-		dns_dispatch_removerequest(client->dispatch,
-					   &client->dispentry,
-					   deventp);
+		dns_dispatch_removerequest(&client->dispentry, deventp);
 	}
 	if (client->dispatch != NULL)
 		dns_dispatch_detach(&client->dispatch);
@@ -279,11 +255,12 @@ static void
 set_timeout(ns_client_t *client, unsigned int seconds) {
 	isc_result_t result;
 	isc_interval_t interval;
+	
 	isc_interval_set(&interval, seconds, 0);
 	result = isc_timer_reset(client->timer, isc_timertype_once, NULL,
 				 &interval, ISC_FALSE);
 	if (result != ISC_R_SUCCESS) {
-		isc_log_write(dns_lctx, NS_LOGCATEGORY_CLIENT,
+		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
 			      NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
 			      "setting timouet: %s",
 			      isc_result_totext(result));
@@ -362,7 +339,6 @@ exit_check(ns_client_t *client) {
 		 * if any.
 		 */
 		INSIST(client->newstate <= NS_CLIENTSTATE_READY);
-		CTRACE("closetcp");
 		if (client->nreads > 0)
 			dns_tcpmsg_cancelread(&client->tcpmsg);
 		if (! client->nreads == 0) {
@@ -374,8 +350,10 @@ exit_check(ns_client_t *client) {
 			dns_tcpmsg_invalidate(&client->tcpmsg);
 			client->tcpmsg_valid = ISC_FALSE;
 		}
-		if (client->tcpsocket != NULL)
+		if (client->tcpsocket != NULL) {
+			CTRACE("closetcp");
 			isc_socket_detach(&client->tcpsocket);
+		}
 
 		if (client->tcpquota != NULL)
 			isc_quota_detach(&client->tcpquota);
@@ -383,6 +361,8 @@ exit_check(ns_client_t *client) {
 		(void) isc_timer_reset(client->timer, isc_timertype_inactive,
 				       NULL, NULL, ISC_TRUE);
 
+		client->peeraddr_valid = ISC_FALSE;
+
 		client->state = NS_CLIENTSTATE_READY;
 
 		/*
@@ -453,11 +433,13 @@ client_shutdown(isc_task_t *task, isc_event_t *event) {
 	ns_client_t *client;
 
 	REQUIRE(event != NULL);
-	REQUIRE(event->type == ISC_TASKEVENT_SHUTDOWN);
-	client = event->arg;
+	REQUIRE(event->ev_type == ISC_TASKEVENT_SHUTDOWN);
+	client = event->ev_arg;
 	REQUIRE(NS_CLIENT_VALID(client));
 	REQUIRE(task == client->task);
 
+	UNUSED(task);
+
 	CTRACE("shutdown");
 
 	isc_event_free(&event);
@@ -469,7 +451,7 @@ client_shutdown(isc_task_t *task, isc_event_t *event) {
 	}
 
 	client->newstate = NS_CLIENTSTATE_FREED;
-	(void) exit_check(client);
+	(void)exit_check(client);
 }
 
 
@@ -479,10 +461,10 @@ ns_client_endrequest(ns_client_t *client) {
 	INSIST(client->nreads == 0);
 	INSIST(client->nsends == 0);
 	INSIST(client->lockview == NULL);
-	CTRACE("endrequest");
-
 	INSIST(client->state == NS_CLIENTSTATE_WORKING);
 
+	CTRACE("endrequest");
+
 	if (client->next != NULL) {
 		(client->next)(client);
 		client->next = NULL;
@@ -540,15 +522,16 @@ ns_client_checkactive(ns_client_t *client) {
 void
 ns_client_next(ns_client_t *client, isc_result_t result) {
 	int newstate;
+	
 	REQUIRE(NS_CLIENT_VALID(client));
 	REQUIRE(client->state == NS_CLIENTSTATE_WORKING);
+
 	CTRACE("next");
 	
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY,
+	if (result != ISC_R_SUCCESS)
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
 			      "request failed: %s", isc_result_totext(result));
-	}
 
 	/*
 	 * An error processing a TCP request may have left
@@ -571,14 +554,22 @@ client_senddone(isc_task_t *task, isc_event_t *event) {
 	ns_client_t *client;
 	isc_socketevent_t *sevent = (isc_socketevent_t *) event;
 
+	UNUSED(task);
+
 	REQUIRE(sevent != NULL);
-	REQUIRE(sevent->type == ISC_SOCKEVENT_SENDDONE);
-	client = sevent->arg;
+	REQUIRE(sevent->ev_type == ISC_SOCKEVENT_SENDDONE);
+	client = sevent->ev_arg;
 	REQUIRE(NS_CLIENT_VALID(client));
 	REQUIRE(task == client->task);
 
 	CTRACE("senddone");
 
+	if (sevent->result != ISC_R_SUCCESS)
+		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
+			      "error sending response: %s",
+			      isc_result_totext(sevent->result));
+
 	INSIST(client->nsends > 0);
 	client->nsends--;
 
@@ -618,16 +609,14 @@ ns_client_send(ns_client_t *client) {
 		/*
 		 * XXXRTH  "tcpbuffer" is a hack to get things working.
 		 */
-		isc_buffer_init(&tcpbuffer, data, SEND_BUFFER_SIZE,
-				ISC_BUFFERTYPE_BINARY);
-		isc_buffer_init(&buffer, data + 2, SEND_BUFFER_SIZE - 2,
-				ISC_BUFFERTYPE_BINARY);
+		isc_buffer_init(&tcpbuffer, data, SEND_BUFFER_SIZE);
+		isc_buffer_init(&buffer, data + 2, SEND_BUFFER_SIZE - 2);
 	} else {
 		if (client->udpsize < SEND_BUFFER_SIZE)
 			bufsize = client->udpsize;
 		else
 			bufsize = SEND_BUFFER_SIZE;
-		isc_buffer_init(&buffer, data, bufsize, ISC_BUFFERTYPE_BINARY);
+		isc_buffer_init(&buffer, data, bufsize);
 	}
 
 	result = dns_message_renderbegin(client->message, &buffer);
@@ -674,14 +663,14 @@ ns_client_send(ns_client_t *client) {
 	if (TCP_CLIENT(client)) {
 		socket = client->tcpsocket;
 		address = NULL;
-		isc_buffer_used(&buffer, &r);
+		isc_buffer_usedregion(&buffer, &r);
 		isc_buffer_putuint16(&tcpbuffer, (isc_uint16_t) r.length);
 		isc_buffer_add(&tcpbuffer, r.length);
-		isc_buffer_used(&tcpbuffer, &r);
+		isc_buffer_usedregion(&tcpbuffer, &r);
 	} else {
 		socket = dns_dispatch_getsocket(client->dispatch);
 		address = &client->dispevent->addr;
-		isc_buffer_used(&buffer, &r);
+		isc_buffer_usedregion(&buffer, &r);
 	}
 	CTRACE("sendto");
 	if ((client->attributes & NS_CLIENTATTR_PKTINFO) != 0)
@@ -778,6 +767,8 @@ client_addopt(ns_client_t *client) {
 	 */
 	rdata->data = NULL;
 	rdata->length = 0;
+	rdata->rdclass = rdatalist->rdclass;
+	rdata->type = rdatalist->type;
 
 	ISC_LIST_INIT(rdatalist->rdata);
 	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
@@ -801,13 +792,14 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	dns_view_t *view;
 	dns_rdataset_t *opt;
 	isc_boolean_t ra; 	/* Recursion available. */
-	char peerbuf[256];
 
 	REQUIRE(event != NULL);
-	client = event->arg;
+	client = event->ev_arg;
 	REQUIRE(NS_CLIENT_VALID(client));
 	REQUIRE(task == client->task);
 
+	UNUSED(task);
+	
 	INSIST(client->recursionquota == NULL);
 
 	INSIST(client->state ==
@@ -818,7 +810,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	RWLOCK(&ns_g_server->conflock, isc_rwlocktype_read);
 	dns_zonemgr_lockconf(ns_g_server->zonemgr, isc_rwlocktype_read);
 
-	if (event->type == DNS_EVENT_DISPATCH) {
+	if (event->ev_type == DNS_EVENT_DISPATCH) {
 		INSIST(!TCP_CLIENT(client));
 		devent = (dns_dispatchevent_t *)event;
 		REQUIRE(client->dispentry != NULL);
@@ -826,18 +818,17 @@ client_request(isc_task_t *task, isc_event_t *event) {
 		buffer = &devent->buffer;
 		result = devent->result;
 		client->peeraddr = devent->addr;
-		if ((devent->attributes & DNS_DISPATCHATTR_PKTINFO) != 0) {
+		client->peeraddr_valid = ISC_TRUE;
+		if ((devent->attributes & ISC_SOCKEVENTATTR_PKTINFO) != 0) {
 			client->attributes |= NS_CLIENTATTR_PKTINFO;
 			client->pktinfo = devent->pktinfo;
-			printf("client: interface %u\n",
-			       client->pktinfo.ipi6_ifindex);
 		} else {
 			client->attributes &= ~NS_CLIENTATTR_PKTINFO;
 		}
 	} else {
 		INSIST(TCP_CLIENT(client));
-		REQUIRE(event->type == DNS_EVENT_TCPMSG);
-		REQUIRE(event->sender == &client->tcpmsg);
+		REQUIRE(event->ev_type == DNS_EVENT_TCPMSG);
+		REQUIRE(event->ev_sender == &client->tcpmsg);
 		buffer = &client->tcpmsg.buffer;
 		result = client->tcpmsg.result;
 		INSIST(client->nreads == 1);
@@ -847,12 +838,10 @@ client_request(isc_task_t *task, isc_event_t *event) {
 		client->nreads--;
 	}
 
-	sockaddr_format(&client->peeraddr, peerbuf, sizeof(peerbuf));	
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_CLIENT,
+	ns_client_log(client, NS_LOGCATEGORY_CLIENT,
 		      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
-		      "client %p: %s request from %s",
-		      client, TCP_CLIENT(client) ? "TCP" : "UDP",
-		      peerbuf);
+		      "%s request",
+		      TCP_CLIENT(client) ? "TCP" : "UDP");
 
 	if (exit_check(client))
 		goto cleanup_serverlock;
@@ -922,29 +911,44 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	}
 
 	/*
+	 * Find a view that matches the client's source address.
+	 * 
 	 * XXXRTH  View list management code will be moving to its own module
 	 *         soon.
 	 */
 	for (view = ISC_LIST_HEAD(ns_g_server->viewlist);
 	     view != NULL;
 	     view = ISC_LIST_NEXT(view, link)) {
-		/*
-		 * XXXRTH  View matching will become more powerful later.
-		 */
 		if (client->message->rdclass == view->rdclass ||
 		    client->message->rdclass == dns_rdataclass_any)
 		{
-			dns_view_attach(view, &client->view);
-			break;
+			isc_netaddr_t netaddr;
+			int match;
+			isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+			if (view->matchclients == NULL ||
+			    (dns_acl_match(&netaddr, NULL, view->matchclients,
+					   &ns_g_server->aclenv,
+					   &match, NULL) == ISC_R_SUCCESS &&
+			     match > 0))
+			{
+				dns_view_attach(view, &client->view);
+				break;
+			}
 		}
 	}
 
 	if (view == NULL) {
-		CTRACE("no view");
+		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
+			      "no matching view");
 		ns_client_error(client, DNS_R_REFUSED);
 		goto cleanup_serverlock;
 	}
 
+	ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+		      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(5),
+		      "using view '%s'", view->name);
+	
 	/*
 	 * Lock the view's configuration data for reading.
 	 * We must attach a separate view reference for this
@@ -972,22 +976,22 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	client->signer = NULL;
 	dns_name_init(&client->signername, NULL);
 	result = dns_message_signer(client->message, &client->signername);
-	if (result == DNS_R_SUCCESS) {
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY,
+	if (result == ISC_R_SUCCESS) {
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
 			      "request has valid signature");
 		client->signer = &client->signername;
-	} else if (result == DNS_R_NOTFOUND) {
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY,
+	} else if (result == ISC_R_NOTFOUND) {
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
 			      "request is not signed");
 	} else if (result == DNS_R_NOIDENTITY) {
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY,
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
 			      "request is signed by a nonauthoritative key");
 	} else {
 		/* There is a signature, but it is bad. */
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY,
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
 			      NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
 			      "request has invalid signature: %s",
 			      isc_result_totext(result));
@@ -999,20 +1003,15 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	 * set the RA bit correctly on all kinds of responses, not just
 	 * responses to ordinary queries.
 	 */
-	if (client->view->resolver == NULL) {
-		ra = ISC_FALSE;
-	} else {
+	ra = ISC_FALSE;
+	if (client->view->resolver != NULL &&
+	    client->view->recursion == ISC_TRUE &&
+	    /* XXX this will log too much too early */
+	    ns_client_checkacl(client, "recursion",
+			       client->view->recursionacl,
+			       ISC_TRUE) == ISC_R_SUCCESS)
 		ra = ISC_TRUE;
-		if (ns_g_server->recursion == ISC_TRUE) {
-			/* XXX ACL should be view specific. */
-			/* XXX this will log too much too early */
-			result = ns_client_checkacl(client, "recursion",
-						    ns_g_server->recursionacl,
-						    ISC_TRUE);
-			if (result != DNS_R_SUCCESS)
-				ra = ISC_FALSE;
-		}
-	}
+
 	if (ra == ISC_TRUE)
 		client->attributes |= NS_CLIENTATTR_RA;
 
@@ -1054,13 +1053,15 @@ client_timeout(isc_task_t *task, isc_event_t *event) {
 	ns_client_t *client;
 
 	REQUIRE(event != NULL);
-	REQUIRE(event->type == ISC_TIMEREVENT_LIFE ||
-		event->type == ISC_TIMEREVENT_IDLE);
-	client = event->arg;
+	REQUIRE(event->ev_type == ISC_TIMEREVENT_LIFE ||
+		event->ev_type == ISC_TIMEREVENT_IDLE);
+	client = event->ev_arg;
 	REQUIRE(NS_CLIENT_VALID(client));
 	REQUIRE(task == client->task);
 	REQUIRE(client->timer != NULL);
 
+	UNUSED(task);
+	
 	CTRACE("timeout");
 
 	isc_event_free(&event);
@@ -1097,8 +1098,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp)
 		return (ISC_R_NOMEMORY);
 
 	client->task = NULL;
-	result = isc_task_create(manager->taskmgr, manager->mctx, 0,
-				 &client->task);
+	result = isc_task_create(manager->taskmgr, 0, &client->task);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_client;
 	isc_task_setname(client->task, "client", client);
@@ -1152,6 +1152,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp)
 	client->tcpquota = NULL;
 	client->recursionquota = NULL;
 	client->interface = NULL;
+	client->peeraddr_valid = ISC_FALSE;
 	ISC_LINK_INIT(client, link);
 	client->list = NULL;
 
@@ -1218,19 +1219,18 @@ client_read(ns_client_t *client) {
 
 static void
 client_newconn(isc_task_t *task, isc_event_t *event) {
-	ns_client_t *client = event->arg;
+	ns_client_t *client = event->ev_arg;
 	isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
 	isc_result_t result;
-	char peerbuf[256];
 	
-	REQUIRE(event->type == ISC_SOCKEVENT_NEWCONN);
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
 	REQUIRE(NS_CLIENT_VALID(client));
 	REQUIRE(client->task == task);
 
+	UNUSED(task);
+
 	INSIST(client->state == NS_CLIENTSTATE_READY);
 	
-	CTRACE("newconn");
-
 	INSIST(client->naccepts == 1);
 	client->naccepts--;
 
@@ -1249,11 +1249,10 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
 
 		(void) isc_socket_getpeername(client->tcpsocket,
 					      &client->peeraddr);
-		sockaddr_format(&client->peeraddr, peerbuf, sizeof(peerbuf));
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_CLIENT,
-			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
-			      "client %p: TCP connection from %s",
-			      client, peerbuf);
+		client->peeraddr_valid = ISC_TRUE;
+		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+			   NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+			   "new TCP connection");
 	} else {
 		/*
 		 * XXXRTH  What should we do?  We're trying to accept but
@@ -1265,9 +1264,9 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
 		 *	   Going idle is probably the right thing if the
 		 *	   I/O was canceled.
 		 */
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_CLIENT,
+		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
-			      "client %p: accept failed: %s", client,
+			      "accept failed: %s",
 			      isc_result_totext(nevent->result));
 	}
 	
@@ -1291,7 +1290,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
 		if (result == ISC_R_SUCCESS)
 			result = ns_client_replace(client);
 		if (result != ISC_R_SUCCESS) {
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_CLIENT,
+			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
 				      NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
 				      "no more TCP clients: %s",
 				      isc_result_totext(result));
@@ -1335,6 +1334,7 @@ void
 ns_client_attach(ns_client_t *source, ns_client_t **targetp) {
 	REQUIRE(NS_CLIENT_VALID(source));
 	REQUIRE(targetp != NULL && *targetp == NULL);
+	
 	source->references++;
 	*targetp = source;
 }
@@ -1342,6 +1342,7 @@ ns_client_attach(ns_client_t *source, ns_client_t **targetp) {
 void
 ns_client_detach(ns_client_t **clientp) {
 	ns_client_t *client = *clientp;
+	
 	client->references--;
 	INSIST(client->references >= 0);
 	*clientp = NULL;
@@ -1350,12 +1351,13 @@ ns_client_detach(ns_client_t **clientp) {
 
 isc_boolean_t
 ns_client_shuttingdown(ns_client_t *client) {
-	return (client->newstate == NS_CLIENTSTATE_FREED);
+	return (ISC_TF(client->newstate == NS_CLIENTSTATE_FREED));
 }
 
 isc_result_t
 ns_client_replace(ns_client_t *client) {
 	isc_result_t result;
+
 	CTRACE("replace");
 
 	result = ns_clientmgr_createclients(client->manager,
@@ -1519,7 +1521,7 @@ ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
 							 client,
 							 &client->dispentry);
 			if (result != ISC_R_SUCCESS) {
-				isc_log_write(dns_lctx,
+				ns_client_log(client,
 					      DNS_LOGCATEGORY_SECURITY,
 					      NS_LOGMODULE_CLIENT,
 					      ISC_LOG_DEBUG(3),
@@ -1573,22 +1575,53 @@ ns_client_checkacl(ns_client_t  *client,
 	result = dns_acl_match(&netaddr, client->signer, acl,
 			       &ns_g_server->aclenv,
 			       &match, NULL);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto deny; /* Internal error, already logged. */
 	if (match > 0)
 		goto allow;
 	goto deny; /* Negative match or no match. */
 
  allow:
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY,
+	ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
 		      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
 		      "%s approved", opname);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 
  deny:
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY,
+	ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
 		      NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
 		      "%s denied", opname);
 	return (DNS_R_REFUSED);
 }
 
+static void
+ns_client_logv(ns_client_t *client, isc_logcategory_t *category,
+	   isc_logmodule_t *module, int level, const char *fmt, va_list ap)
+{
+	char msgbuf[2048];
+	char peerbuf[256];
+
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+
+	if (client->peeraddr_valid) {
+		isc_sockaddr_format(&client->peeraddr,
+				    peerbuf, sizeof peerbuf);
+		isc_log_write(ns_g_lctx, category, module, level,
+			      "client %s: %s", peerbuf, msgbuf);
+	} else {
+		isc_log_write(ns_g_lctx, category, module, level,
+			      "client @%p: %s", client, msgbuf);
+	}
+}
+
+void
+ns_client_log(ns_client_t *client, isc_logcategory_t *category,
+	   isc_logmodule_t *module, int level, const char *fmt, ...)
+{
+	va_list ap;
+
+	va_start(ap, fmt);
+	ns_client_logv(client, category, module, level, fmt, ap);
+	va_end(ap);
+}
+
diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
index b2637cf4..5c901901 100644
--- a/bin/named/include/named/client.h
+++ b/bin/named/include/named/client.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef NS_CLIENT_H
-#define NS_CLIENT_H 1
+#ifndef NAMED_CLIENT_H
+#define NAMED_CLIENT_H 1
 
 /*****
  ***** Module Info
@@ -60,9 +60,8 @@
  *** Imports
  ***/
 
-#include <isc/types.h>
-#include <isc/stdtime.h>
 #include <isc/buffer.h>
+#include <isc/stdtime.h>
 #include <isc/quota.h>
 
 #include <dns/name.h>
@@ -79,54 +78,56 @@
 typedef ISC_LIST(ns_client_t) client_list_t;
 
 struct ns_client {
-	unsigned int			magic;
-	isc_mem_t *			mctx;
-	ns_clientmgr_t *		manager;
-	int				state;
-	int				newstate;
-	isc_boolean_t			disconnect;
-	int				naccepts;
-	int				nreads;
-	int				nsends;
-	int				references;
-	unsigned int			attributes;
-	isc_task_t *			task;
-	dns_view_t *			view;
-	dns_view_t *			lockview;
-	dns_dispatch_t *		dispatch;
-	dns_dispentry_t *		dispentry;
-	dns_dispatchevent_t *		dispevent;
-	isc_socket_t *			tcplistener;
-	isc_socket_t *			tcpsocket;
-	dns_tcpmsg_t			tcpmsg;
-	isc_boolean_t			tcpmsg_valid;
-	isc_timer_t *			timer;
-	dns_message_t *			message;
-	unsigned char *			sendbuf;
-	dns_rdataset_t *		opt;
-	isc_uint16_t			udpsize;
-	void				(*next)(ns_client_t *);
-	void				(*shutdown)(void *arg, isc_result_t result);
-	void 				*shutdown_arg;
-	ns_query_t			query;
-	isc_stdtime_t			requesttime;
-	isc_stdtime_t			now;
-	dns_name_t			signername; /* [T]SIG key name */
-	dns_name_t *			signer; /* NULL if not valid sig */
-	isc_boolean_t			mortal; /* Die after handling request. */
-	isc_quota_t			*tcpquota;
-	isc_quota_t			*recursionquota;
-	ns_interface_t			*interface;
-	isc_sockaddr_t			peeraddr;
-	struct in6_pktinfo		pktinfo;
-	ISC_LINK(ns_client_t)		link;
-	client_list_t			*list;	/* The list 'link' is part of,
-					   or NULL if not on any list. */
+	unsigned int		magic;
+	isc_mem_t *		mctx;
+	ns_clientmgr_t *	manager;
+	int			state;
+	int			newstate;
+	isc_boolean_t		disconnect;
+	int			naccepts;
+	int			nreads;
+	int			nsends;
+	int			references;
+	unsigned int		attributes;
+	isc_task_t *		task;
+	dns_view_t *		view;
+	dns_view_t *		lockview;
+	dns_dispatch_t *	dispatch;
+	dns_dispentry_t *	dispentry;
+	dns_dispatchevent_t *	dispevent;
+	isc_socket_t *		tcplistener;
+	isc_socket_t *		tcpsocket;
+	dns_tcpmsg_t		tcpmsg;
+	isc_boolean_t		tcpmsg_valid;
+	isc_timer_t *		timer;
+	dns_message_t *		message;
+	unsigned char *		sendbuf;
+	dns_rdataset_t *	opt;
+	isc_uint16_t		udpsize;
+	void			(*next)(ns_client_t *);
+	void			(*shutdown)(void *arg, isc_result_t result);
+	void 			*shutdown_arg;
+	ns_query_t		query;
+	isc_stdtime_t		requesttime;
+	isc_stdtime_t		now;
+	dns_name_t		signername;   /* [T]SIG key name */
+	dns_name_t *		signer;	      /* NULL if not valid sig */
+	isc_boolean_t		mortal;	      /* Die after handling request */
+	isc_quota_t		*tcpquota;
+	isc_quota_t		*recursionquota;
+	ns_interface_t		*interface;
+	isc_sockaddr_t		peeraddr;
+	isc_boolean_t		peeraddr_valid;
+	struct in6_pktinfo	pktinfo;
+	ISC_LINK(ns_client_t)	link;
+	/*
+	 * The list 'link' is part of, or NULL if not on any list.
+	 */
+	client_list_t		*list;
 };
 
 #define NS_CLIENT_MAGIC			0x4E534363U	/* NSCc */
-#define NS_CLIENT_VALID(c)		((c) != NULL && \
-					 (c)->magic == NS_CLIENT_MAGIC)
+#define NS_CLIENT_VALID(c)		ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC)
 
 #define NS_CLIENTATTR_TCP		0x01
 #define NS_CLIENTATTR_RA		0x02 /* Client gets recusive service */
@@ -249,5 +250,9 @@ ns_client_checkacl(ns_client_t  *client,
  *	No other return values are possible.
  */
 
+void
+ns_client_log(ns_client_t *client, isc_logcategory_t *category,
+	      isc_logmodule_t *module, int level,
+	      const char *fmt, ...);
 
-#endif /* NS_CLIENT_H */
+#endif /* NAMED_CLIENT_H */
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index 66681e06..1e442b8f 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -15,16 +15,13 @@
  * SOFTWARE.
  */
 
-#ifndef NS_GLOBALS_H
-#define NS_GLOBALS_H 1
+#ifndef NAMED_GLOBALS_H
+#define NAMED_GLOBALS_H 1
 
-#include <isc/types.h>
 #include <isc/rwlock.h>
 #include <isc/log.h>
 #include <isc/net.h>
 
-#include <dns/types.h>
-
 #include <omapi/types.h>
 
 #include <named/types.h>
@@ -42,6 +39,7 @@
 EXTERN isc_mem_t *		ns_g_mctx		INIT(NULL);
 EXTERN unsigned int		ns_g_cpus		INIT(1);
 EXTERN isc_taskmgr_t *		ns_g_taskmgr		INIT(NULL);
+EXTERN dns_dispatchmgr_t *	ns_g_dispatchmgr	INIT(NULL);
 /*
  * XXXRTH  We're going to want multiple timer managers eventually.  One
  *         for really short timers, another for client timers, and one
@@ -89,4 +87,4 @@ EXTERN const char *		ns_g_cachefile		INIT(NULL);
 #undef EXTERN
 #undef INIT
 
-#endif /* NS_GLOBALS_H */
+#endif /* NAMED_GLOBALS_H */
diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
index df896633..d0535217 100644
--- a/bin/named/include/named/interfacemgr.h
+++ b/bin/named/include/named/interfacemgr.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef NS_INTERFACEMGR_H
-#define NS_INTERFACEMGR_H 1
+#ifndef NAMED_INTERFACEMGR_H
+#define NAMED_INTERFACEMGR_H 1
 
 /*****
  ***** Module Info
@@ -47,8 +47,7 @@
  *** Imports
  ***/
 
-#include <isc/types.h>
-#include <isc/result.h>
+#include <isc/magic.h>
 #include <isc/mem.h>
 #include <isc/socket.h>
 
@@ -62,7 +61,7 @@
  ***/
 
 #define IFACE_MAGIC		0x493A2D29U	/* I:-). */	
-#define NS_INTERFACE_VALID(t)	((t) != NULL && (t)->magic == IFACE_MAGIC)
+#define NS_INTERFACE_VALID(t)	ISC_MAGIC_VALID(t, IFACE_MAGIC)
 
 struct ns_interface {
 	unsigned int		magic;		/* Magic number. */
@@ -86,15 +85,14 @@ struct ns_interface {
  *** Functions
  ***/
 
-
 isc_result_t
 ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
-		       isc_socketmgr_t *socketmgr, ns_clientmgr_t *clientmgr,
-		       ns_interfacemgr_t **mgrp);
+		       isc_socketmgr_t *socketmgr,
+		       dns_dispatchmgr_t *dispatchmgr,
+		       ns_clientmgr_t *clientmgr, ns_interfacemgr_t **mgrp);
 
 void
-ns_interfacemgr_attach(ns_interfacemgr_t *source,
-		       ns_interfacemgr_t **target);
+ns_interfacemgr_attach(ns_interfacemgr_t *source, ns_interfacemgr_t **target);
 
 void 
 ns_interfacemgr_detach(ns_interfacemgr_t **targetp);
@@ -115,8 +113,7 @@ ns_interfacemgr_scan(ns_interfacemgr_t *mgr);
  */
 
 void
-ns_interfacemgr_setlistenon(ns_interfacemgr_t *mgr,
-			    ns_listenlist_t *value);
+ns_interfacemgr_setlistenon(ns_interfacemgr_t *mgr, ns_listenlist_t *value);
 /*
  * Set the "listen-on" list of 'mgr' to 'value'.
  * The previous listen-on list is freed.
@@ -134,10 +131,9 @@ dns_aclenv_t *
 ns_interfacemgr_getaclenv(ns_interfacemgr_t *mgr);
 
 void
-ns_interface_attach(ns_interface_t *source,
-		    ns_interface_t **target);
+ns_interface_attach(ns_interface_t *source, ns_interface_t **target);
 
 void 
 ns_interface_detach(ns_interface_t **targetp);
 
-#endif /* NS_INTERFACEMGR_H */
+#endif /* NAMED_INTERFACEMGR_H */
diff --git a/bin/named/include/named/listenlist.h b/bin/named/include/named/listenlist.h
index 4eca218b..00ab6cbc 100644
--- a/bin/named/include/named/listenlist.h
+++ b/bin/named/include/named/listenlist.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef NS_LISTENLIST_H
-#define NS_LISTENLIST_H 1
+#ifndef NAMED_LISTENLIST_H
+#define NAMED_LISTENLIST_H 1
 
 /*****
  ***** Module Info
@@ -29,6 +29,7 @@
 /***
  *** Imports
  ***/
+#include <isc/net.h>
 
 #include <dns/types.h>
 
@@ -56,8 +57,6 @@ struct ns_listenlist {
  *** Functions
  ***/
 
-ISC_LANG_BEGINDECLS
-
 isc_result_t
 ns_listenelt_create(isc_mem_t *mctx, in_port_t port,
 		    dns_acl_t *acl, ns_listenelt_t **target);
@@ -82,8 +81,6 @@ ns_listenlist_default(isc_mem_t *mctx, in_port_t port,
  * all addresses with port 'port'.
  */
 
-ISC_LANG_ENDDECLS
-
-#endif /* NS_LISTENLIST_H */
+#endif /* NAMED_LISTENLIST_H */
 
 
diff --git a/bin/named/include/named/log.h b/bin/named/include/named/log.h
index 74aac91d..0ce529c9 100644
--- a/bin/named/include/named/log.h
+++ b/bin/named/include/named/log.h
@@ -15,22 +15,24 @@
  * SOFTWARE.
  */
 
-#ifndef NS_LOG_H
-#define NS_LOG_H 1
+#ifndef NAMED_LOG_H
+#define NAMED_LOG_H 1
 
-#include <isc/types.h>
 #include <isc/log.h>
+#include <isc/types.h>
 
 #include <dns/log.h>
 
-#include <named/globals.h>
+#include <named/globals.h>	/* Required for ns_g_(categories|modules). */
 
-/* Unused slot */
+/* Unused slot 0. */
 #define NS_LOGCATEGORY_CLIENT		(&ns_g_categories[1])
 #define NS_LOGCATEGORY_NETWORK		(&ns_g_categories[2])
 #define NS_LOGCATEGORY_UPDATE		(&ns_g_categories[3])
 
-/* Backwards compatibility. */
+/*
+ * Backwards compatibility.
+ */
 #define NS_LOGCATEGORY_GENERAL		ISC_LOGCATEGORY_GENERAL
 
 #define NS_LOGMODULE_MAIN		(&ns_g_modules[0])
@@ -45,12 +47,38 @@
 #define NS_LOGMODULE_OMAPI		(&ns_g_modules[9])
 
 isc_result_t
-ns_log_init(void);
+ns_log_init(isc_boolean_t safe);
+/*
+ * Initialize the logging system and set up an initial default
+ * logging default configuration that will be used until the
+ * config file has been read.
+ * 
+ * If 'safe' is true, use a default configuration that refrains
+ * from opening files.  This is to avoid creating log files
+ * as root.
+ */
 
 isc_result_t
-ns_log_setdefaults(isc_logconfig_t *lcfg);
+ns_log_setdefaultchannels(isc_logconfig_t *lcfg);
+/*
+ * Set up logging channels according to the named defaults, which
+ * may differ from the logging library defaults.  Currently,
+ * this just means setting up default_debug.
+ */
+
+isc_result_t
+ns_log_setsafechannels(isc_logconfig_t *lcfg);
+/*
+ * Like ns_log_setdefaultchannels(), but omits any logging to files.
+ */
+
+isc_result_t
+ns_log_setdefaultcategory(isc_logconfig_t *lcfg);
+/*
+ * Set up "category default" to go to the right places.
+ */
 
 void
 ns_log_shutdown(void);
 
-#endif /* NS_LOG_H */
+#endif /* NAMED_LOG_H */
diff --git a/bin/named/include/named/logconf.h b/bin/named/include/named/logconf.h
index d456a951..5ccd3e91 100644
--- a/bin/named/include/named/logconf.h
+++ b/bin/named/include/named/logconf.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef NS_LOGCONF_H
-#define NS_LOGCONF_H 1
+#ifndef NAMED_LOGCONF_H
+#define NAMED_LOGCONF_H 1
 
 #include <isc/log.h>
 
@@ -29,4 +29,4 @@ ns_log_configure(isc_logconfig_t *logconf, dns_c_logginglist_t *clog);
  * the named.conf data in 'clog'.
  */
 
-#endif /* NS_LOGCONF_H */
+#endif /* NAMED_LOGCONF_H */
diff --git a/bin/named/include/named/main.h b/bin/named/include/named/main.h
index b737b7c1..7a2caf07 100644
--- a/bin/named/include/named/main.h
+++ b/bin/named/include/named/main.h
@@ -15,10 +15,10 @@
  * SOFTWARE.
  */
 
-#ifndef NS_MAIN_H
-#define NS_MAIN_H 1
+#ifndef NAMED_MAIN_H
+#define NAMED_MAIN_H 1
 
 void
 ns_main_earlyfatal(const char *format, ...);
 
-#endif /* NS_MAIN_H */
+#endif /* NAMED_MAIN_H */
diff --git a/bin/named/include/named/notify.h b/bin/named/include/named/notify.h
index a3b43a37..51873a9f 100644
--- a/bin/named/include/named/notify.h
+++ b/bin/named/include/named/notify.h
@@ -48,4 +48,5 @@ ns_notify_start(ns_client_t *client);
  *	client to be valid.
  */
 
-#endif
+#endif /* NAMED_NOTIFY_H */
+
diff --git a/bin/named/include/named/omapi.h b/bin/named/include/named/omapi.h
index 828106e4..1f83107f 100644
--- a/bin/named/include/named/omapi.h
+++ b/bin/named/include/named/omapi.h
@@ -15,6 +15,9 @@
  * SOFTWARE.
  */
 
+#ifndef NAMED_OMAPI_H
+#define NAMED_OMAPI_H 1
+
 #include <omapi/omapi.h>
 
 #define NS_OMAPI_PORT			953
@@ -34,3 +37,4 @@ ns_omapi_init(void);
 isc_result_t
 ns_omapi_listen(omapi_object_t **managerp);
 
+#endif /* NAMED_OMAPI_H */
diff --git a/bin/named/include/named/query.h b/bin/named/include/named/query.h
index 4dd5255a..4fc259ed 100644
--- a/bin/named/include/named/query.h
+++ b/bin/named/include/named/query.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef NS_QUERY_H
-#define NS_QUERY_H 1
+#ifndef NAMED_QUERY_H
+#define NAMED_QUERY_H 1
 
 #include <isc/types.h>
 #include <isc/buffer.h>
@@ -29,6 +29,7 @@
 typedef struct ns_dbversion {
 	dns_db_t			*db;
 	dns_dbversion_t			*version;
+	isc_boolean_t			queryok;
 	ISC_LINK(struct ns_dbversion)	link;
 } ns_dbversion_t;
 
@@ -53,6 +54,8 @@ struct ns_query {
 #define NS_QUERYATTR_NAMEBUFUSED	0x08
 #define NS_QUERYATTR_RECURSING		0x10
 #define NS_QUERYATTR_CACHEGLUEOK	0x20
+#define NS_QUERYATTR_QUERYOKVALID	0x40
+#define NS_QUERYATTR_QUERYOK		0x80
 
 isc_result_t
 ns_query_init(ns_client_t *client);
@@ -63,4 +66,4 @@ ns_query_free(ns_client_t *client);
 void
 ns_query_start(ns_client_t *client);
 
-#endif /* NS_QUERY_H */
+#endif /* NAMED_QUERY_H */
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index 56ce3389..2d1fab43 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef NS_SERVER_H
-#define NS_SERVER_H 1
+#ifndef NAMED_SERVER_H
+#define NAMED_SERVER_H 1
 
 #include <isc/log.h>
 #include <isc/sockaddr.h>
@@ -42,15 +42,9 @@ struct ns_server {
 	isc_rwlock_t		conflock;
 	
 	/* Configurable data. */
-	isc_boolean_t		recursion;
-	isc_boolean_t		auth_nxdomain;
-	dns_transfer_format_t	transfer_format;
-	dns_acl_t *		queryacl;
-	dns_acl_t *		recursionacl;
 	isc_quota_t		xfroutquota;
 	isc_quota_t		tcpquota;
 	isc_quota_t		recursionquota;
-	isc_boolean_t		provide_ixfr;
 
 	/* Not really configurable, but covered by conflock. */
 	dns_aclenv_t		aclenv;
@@ -60,12 +54,8 @@ struct ns_server {
 	ns_clientmgr_t *	clientmgr;
 	dns_viewlist_t		viewlist;
 	ns_interfacemgr_t *	interfacemgr;
-	dns_db_t *		roothints;
+	dns_db_t *		in_roothints;
 	dns_tkey_ctx_t *	tkeyctx;
-	isc_sockaddr_t		querysrc_addressv4;
-	dns_dispatch_t *	querysrc_dispatchv4;
-	isc_sockaddr_t		querysrc_addressv6;
-	dns_dispatch_t *	querysrc_dispatchv6;
 	isc_timer_t *		interface_timer;
 	
 	isc_mutex_t		reload_event_lock;
@@ -100,4 +90,4 @@ ns_server_reloadwanted(ns_server_t *server);
  */
 
 
-#endif /* NS_SERVER_H */
+#endif /* NAMED_SERVER_H */
diff --git a/bin/named/include/named/types.h b/bin/named/include/named/types.h
index d3f4b2ef..cc061ab3 100644
--- a/bin/named/include/named/types.h
+++ b/bin/named/include/named/types.h
@@ -15,10 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef NS_TYPES_H
-#define NS_TYPES_H 1
-
-#include <isc/list.h>
+#ifndef NAMED_TYPES_H
+#define NAMED_TYPES_H 1
 
 #include <dns/types.h>
 
@@ -29,4 +27,4 @@ typedef struct ns_server 		ns_server_t;
 typedef struct ns_interface 		ns_interface_t;
 typedef struct ns_interfacemgr		ns_interfacemgr_t;
 
-#endif /* NS_TYPES_H */
+#endif /* NAMED_TYPES_H */
diff --git a/bin/named/include/named/update.h b/bin/named/include/named/update.h
index 72109756..ad5d33b8 100644
--- a/bin/named/include/named/update.h
+++ b/bin/named/include/named/update.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef NS_UPDATE_H
-#define NS_UPDATE_H 1
+#ifndef NAMED_UPDATE_H
+#define NAMED_UPDATE_H 1
 
 /*****
  ***** Module Info
@@ -30,7 +30,6 @@
  *** Imports
  ***/
 
-#include <isc/types.h>
 #include <dns/types.h>
 #include <dns/result.h>
 
@@ -42,6 +41,7 @@
  *** Functions
  ***/
 
-void ns_update_start(ns_client_t *client);
+void
+ns_update_start(ns_client_t *client);
 
-#endif /* NS_UPDATE_H */
+#endif /* NAMED_UPDATE_H */
diff --git a/bin/named/include/named/xfrout.h b/bin/named/include/named/xfrout.h
index bb2dfecf..66b1e439 100644
--- a/bin/named/include/named/xfrout.h
+++ b/bin/named/include/named/xfrout.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef NS_XFROUT_H
-#define NS_XFROUT_H 1
+#ifndef NAMED_XFROUT_H
+#define NAMED_XFROUT_H 1
 
 /*****
  ***** Module Info
@@ -30,6 +30,7 @@
  *** Functions
  ***/
 
-void ns_xfr_start(ns_client_t *client, dns_rdatatype_t xfrtype);
+void
+ns_xfr_start(ns_client_t *client, dns_rdatatype_t xfrtype);
 
-#endif /* NS_XFROUT_H */
+#endif /* NAMED_XFROUT_H */
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index b33ff244..28999b12 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -17,33 +17,20 @@
 
 #include <config.h>
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <errno.h>
-
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/mem.h>
-#include <isc/result.h>
-#include <isc/socket.h>
-#include <isc/types.h>
-#include <isc/net.h>
 #include <isc/interfaceiter.h>
+#include <isc/string.h>
+#include <isc/task.h>
 #include <isc/util.h>
 
 #include <dns/acl.h>
 #include <dns/dispatch.h>
 
 #include <named/client.h>
-#include <named/globals.h>
-#include <named/listenlist.h>
 #include <named/log.h>
 #include <named/interfacemgr.h>
 
 #define IFMGR_MAGIC		0x49464D47U	/* IFMG. */	
-#define NS_INTERFACEMGR_VALID(t) ((t) != NULL && (t)->magic == IFMGR_MAGIC)
+#define NS_INTERFACEMGR_VALID(t) ISC_MAGIC_VALID(t, IFMGR_MAGIC)
 
 #define IFMGR_COMMON_LOGARGS \
 	ns_g_lctx, NS_LOGCATEGORY_NETWORK, NS_LOGMODULE_INTERFACEMGR
@@ -55,6 +42,7 @@ struct ns_interfacemgr {
 	isc_mem_t *		mctx;		/* Memory context. */
 	isc_taskmgr_t *		taskmgr;	/* Task manager. */
 	isc_socketmgr_t *	socketmgr;	/* Socket manager. */
+	dns_dispatchmgr_t *	dispatchmgr;
 	ns_clientmgr_t *	clientmgr;	/* Client manager. */
 	unsigned int		generation;	/* Current generation no. */
 	ns_listenlist_t *	listenon;
@@ -62,30 +50,14 @@ struct ns_interfacemgr {
 	ISC_LIST(ns_interface_t) interfaces;	/* List of interfaces. */
 };
 
-static void purge_old_interfaces(ns_interfacemgr_t *mgr);
-
-/*
- * Format a human-readable representation of the socket address '*sa'
- * into the character array 'array', which is of size 'size'.
- * The resulting string is guaranteed to be null-terminated.
- */
 static void
-sockaddr_format(isc_sockaddr_t *sa, char *array, unsigned int size)
-{
-	isc_result_t result;
-	isc_buffer_t buf;
-	isc_buffer_init(&buf, array, size, ISC_BUFFERTYPE_TEXT);
-	result = isc_sockaddr_totext(sa, &buf);
-	if (result != ISC_R_SUCCESS) {
-		strncpy(array, "<unknown address>", size);
-		array[size-1] = '\0';
-	}
-}
+purge_old_interfaces(ns_interfacemgr_t *mgr);
 
 isc_result_t
 ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
-		       isc_socketmgr_t *socketmgr, ns_clientmgr_t *clientmgr,
-		       ns_interfacemgr_t **mgrp)
+		       isc_socketmgr_t *socketmgr,
+		       dns_dispatchmgr_t *dispatchmgr,
+		       ns_clientmgr_t *clientmgr, ns_interfacemgr_t **mgrp)
 {
 	isc_result_t result;
 	ns_interfacemgr_t *mgr;
@@ -96,7 +68,7 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	
 	mgr = isc_mem_get(mctx, sizeof(*mgr));
 	if (mgr == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
 	result = isc_mutex_init(&mgr->lock);
 	if (result != ISC_R_SUCCESS)
@@ -105,6 +77,7 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	mgr->mctx = mctx;
 	mgr->taskmgr = taskmgr;
 	mgr->socketmgr = socketmgr;
+	mgr->dispatchmgr = dispatchmgr;
 	mgr->clientmgr = clientmgr;
 	mgr->generation = 1;
 	mgr->listenon = NULL;
@@ -112,7 +85,7 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 
 	result = ns_listenlist_default(mctx, ns_g_port,
 				       &mgr->listenon);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto cleanup_mem;
 
 	result = dns_aclenv_init(mctx, &mgr->aclenv);
@@ -122,7 +95,7 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	mgr->references = 1;
 	mgr->magic = IFMGR_MAGIC;
 	*mgrp = mgr;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 
  cleanup_listenon:
 	ns_listenlist_detach(&mgr->listenon);
@@ -132,8 +105,7 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 }
 
 static void
-ns_interfacemgr_destroy(ns_interfacemgr_t *mgr)
-{
+ns_interfacemgr_destroy(ns_interfacemgr_t *mgr) {
 	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
 	dns_aclenv_destroy(&mgr->aclenv);
 	ns_listenlist_detach(&mgr->listenon);
@@ -143,15 +115,12 @@ ns_interfacemgr_destroy(ns_interfacemgr_t *mgr)
 }
 
 dns_aclenv_t *
-ns_interfacemgr_getaclenv(ns_interfacemgr_t *mgr)
-{
+ns_interfacemgr_getaclenv(ns_interfacemgr_t *mgr) {
 	return (&mgr->aclenv);
 }
 
 void
-ns_interfacemgr_attach(ns_interfacemgr_t *source,
-		       ns_interfacemgr_t **target)
-{
+ns_interfacemgr_attach(ns_interfacemgr_t *source, ns_interfacemgr_t **target) {
 	REQUIRE(NS_INTERFACEMGR_VALID(source));
 	LOCK(&source->lock);
 	INSIST(source->references > 0);
@@ -161,8 +130,7 @@ ns_interfacemgr_attach(ns_interfacemgr_t *source,
 }
 
 void 
-ns_interfacemgr_detach(ns_interfacemgr_t **targetp)
-{
+ns_interfacemgr_detach(ns_interfacemgr_t **targetp) {
 	isc_result_t need_destroy = ISC_FALSE;
 	ns_interfacemgr_t *target = *targetp;
 	REQUIRE(target != NULL);
@@ -179,8 +147,7 @@ ns_interfacemgr_detach(ns_interfacemgr_t **targetp)
 }
 
 void
-ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr)
-{
+ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr) {
 	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
 
 	LOCK(&mgr->lock);
@@ -206,7 +173,7 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
 	REQUIRE(NS_INTERFACEMGR_VALID(mgr));
 	ifp = isc_mem_get(mgr->mctx, sizeof(*ifp));
 	if (ifp == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 	ifp->mgr = NULL;
 	ifp->generation = mgr->generation;
 	ifp->addr = *addr;
@@ -221,7 +188,7 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
 	 * Create a task.
 	 */
 	ifp->task = NULL;
-	result = isc_task_create(mgr->taskmgr, mgr->mctx, 0, &ifp->task);
+	result = isc_task_create(mgr->taskmgr, 0, &ifp->task);
 	if (result != ISC_R_SUCCESS) {
 		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
 				 "isc_task_create() failed: %s",
@@ -230,7 +197,6 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
 	}
 	isc_task_setname(ifp->task, "ifp", ifp);
 
-	ifp->udpsocket = NULL;
 	ifp->udpdispatch = NULL;
 	
 	ifp->tcpsocket = NULL;
@@ -250,7 +216,7 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
 	ifp->magic = IFACE_MAGIC;
 	*ifpret = ifp;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 
  task_create_failure:
 	isc_mutex_destroy(&ifp->lock);
@@ -258,36 +224,28 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
 	ifp->magic = 0;
 	isc_mem_put(mgr->mctx, ifp, sizeof(*ifp));
 
-	return (DNS_R_UNEXPECTED);
+	return (ISC_R_UNEXPECTED);
 }
 
 static isc_result_t
 ns_interface_listenudp(ns_interface_t *ifp) {
 	isc_result_t result;
+	unsigned int attrs;
+	unsigned int attrmask;
 	
-	/*
-	 * Open a UDP socket.
-	 */
-	result = isc_socket_create(ifp->mgr->socketmgr,
-				   isc_sockaddr_pf(&ifp->addr),
-				   isc_sockettype_udp,
-				   &ifp->udpsocket);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
-				 "creating UDP socket: %s",
-				 isc_result_totext(result));
-		goto udp_socket_failure;
-	}
-	result = isc_socket_bind(ifp->udpsocket, &ifp->addr);
-	if (result != ISC_R_SUCCESS) {
-		isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
-				 "binding UDP socket: %s",
-				 isc_result_totext(result));
-		goto udp_bind_failure;
-	}
-	result = dns_dispatch_create(ifp->mgr->mctx, ifp->udpsocket, ifp->task,
-				     4096, 1000, 32768, 8219, 8237, NULL,
-				     &ifp->udpdispatch);
+	attrs = 0;
+	attrs |= DNS_DISPATCHATTR_UDP;
+	if (isc_sockaddr_pf(&ifp->addr) == AF_INET)
+		attrs |= DNS_DISPATCHATTR_IPV4;
+	else
+		attrs |= DNS_DISPATCHATTR_IPV6;
+	attrmask = 0;
+	attrmask |= DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP;
+	attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6;
+	result = dns_dispatch_getudp(ifp->mgr->dispatchmgr, ns_g_socketmgr,
+				     ns_g_taskmgr, &ifp->addr,
+				     4096, 1000, 32768, 8219, 8237,
+				     attrs, attrmask, &ifp->udpdispatch);
 	if (result != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "UDP dns_dispatch_create(): %s",
@@ -308,9 +266,6 @@ ns_interface_listenudp(ns_interface_t *ifp) {
  addtodispatch_failure:
 	dns_dispatch_detach(&ifp->udpdispatch);
  udp_dispatch_failure:
- udp_bind_failure:
-	isc_socket_detach(&ifp->udpsocket);
- udp_socket_failure:
 	return (result);
 }
 
@@ -362,7 +317,7 @@ ns_interface_accepttcp(ns_interface_t *ifp) {
  tcp_bind_failure:
 	isc_socket_detach(&ifp->tcpsocket);
  tcp_socket_failure:
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
@@ -374,20 +329,20 @@ ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
 	REQUIRE(ifpret != NULL && *ifpret == NULL);
 	
 	result = ns_interface_create(mgr, addr, name, &ifp);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 
 	result = ns_interface_listenudp(ifp);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto cleanup_interface;
 
 	result = ns_interface_accepttcp(ifp);
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		/*
-		 * XXXRTH  We don't currently have a way to easily stop dispatch
-		 * service, so we return currently return DNS_R_SUCCESS (the UDP
-		 * stuff will work even if TCP creation failed).  This will be fixed
-		 * later.
+		 * XXXRTH We don't currently have a way to easily stop dispatch
+		 * service, so we return currently return ISC_R_SUCCESS (the
+		 * UDP stuff will work even if TCP creation failed).  This will
+		 * be fixed later.
 		 */
 		result = ISC_R_SUCCESS;
 	}
@@ -407,10 +362,6 @@ ns_interface_destroy(ns_interface_t *ifp) {
 
 	if (ifp->udpdispatch != NULL)
 		dns_dispatch_detach(&ifp->udpdispatch);
-	if (ifp->udpsocket != NULL) {
-		isc_socket_cancel(ifp->udpsocket, NULL, ISC_SOCKCANCEL_ALL);
-		isc_socket_detach(&ifp->udpsocket);
-	}
 	if (ifp->tcpsocket != NULL) {
 		isc_socket_cancel(ifp->tcpsocket, NULL, ISC_SOCKCANCEL_ALL);
 		isc_socket_detach(&ifp->tcpsocket);
@@ -426,9 +377,7 @@ ns_interface_destroy(ns_interface_t *ifp) {
 }
 
 void
-ns_interface_attach(ns_interface_t *source,
-		    ns_interface_t **target)
-{
+ns_interface_attach(ns_interface_t *source, ns_interface_t **target) {
 	REQUIRE(NS_INTERFACE_VALID(source));
 	LOCK(&source->lock);
 	INSIST(source->references > 0);
@@ -438,8 +387,7 @@ ns_interface_attach(ns_interface_t *source,
 }
 
 void 
-ns_interface_detach(ns_interface_t **targetp)
-{
+ns_interface_detach(ns_interface_t **targetp) {
 	isc_result_t need_destroy = ISC_FALSE;
 	ns_interface_t *target = *targetp;
 	REQUIRE(target != NULL);
@@ -482,7 +430,7 @@ purge_old_interfaces(ns_interfacemgr_t *mgr) {
 		if (ifp->generation != mgr->generation) {
 			char sabuf[256];
 			ISC_LIST_UNLINK(ifp->mgr->interfaces, ifp, link);
-			sockaddr_format(&ifp->addr, sabuf, sizeof(sabuf));
+			isc_sockaddr_format(&ifp->addr, sabuf, sizeof(sabuf));
 			isc_log_write(IFMGR_COMMON_LOGARGS,
 				      ISC_LOG_INFO,
 				      "no longer listening on %s", sabuf);
@@ -590,8 +538,8 @@ do_ipv4(ns_interfacemgr_t *mgr) {
 				ifp->generation = mgr->generation;
 			} else {
 				char sabuf[256];
-				sockaddr_format(&listen_sockaddr,
-						sabuf, sizeof(sabuf));
+				isc_sockaddr_format(&listen_sockaddr,
+						    sabuf, sizeof(sabuf));
 				isc_log_write(IFMGR_COMMON_LOGARGS,
 					      ISC_LOG_INFO,
 					      "listening on IPv4 interface "
@@ -601,7 +549,7 @@ do_ipv4(ns_interfacemgr_t *mgr) {
 							    &listen_sockaddr,
 							    interface.name,
 							    &ifp);
-				if (result != DNS_R_SUCCESS) {
+				if (result != ISC_R_SUCCESS) {
 					isc_log_write(IFMGR_COMMON_LOGARGS,
 						 ISC_LOG_ERROR,
 						 "creating IPv4 interface %s "
@@ -647,7 +595,7 @@ do_ipv6(ns_interfacemgr_t *mgr) {
 			      "listening on IPv6 interfaces, port %u",
 			      ns_g_port);
 		result = ns_interface_setup(mgr, &listen_addr, "<any>", &ifp);
-		if (result != DNS_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS) {
 			isc_log_write(IFMGR_COMMON_LOGARGS,
 				      ISC_LOG_ERROR,			
 				      "listening on IPv6 interfaces failed");
@@ -692,9 +640,7 @@ ns_interfacemgr_scan(ns_interfacemgr_t *mgr) {
 }
 
 void
-ns_interfacemgr_setlistenon(ns_interfacemgr_t *mgr,
-			    ns_listenlist_t *value)
-{
+ns_interfacemgr_setlistenon(ns_interfacemgr_t *mgr, ns_listenlist_t *value) {
 	LOCK(&mgr->lock);
 	ns_listenlist_detach(&mgr->listenon);
 	ns_listenlist_attach(value, &mgr->listenon);
diff --git a/bin/named/listenlist.c b/bin/named/listenlist.c
index c9fd7c46..c5f36e09 100644
--- a/bin/named/listenlist.c
+++ b/bin/named/listenlist.c
@@ -17,15 +17,15 @@
 
 #include <config.h>
 
-#include <isc/assertions.h>
 #include <isc/mem.h>
-#include <isc/result.h>
+#include <isc/util.h>
 
 #include <dns/acl.h>
 
 #include <named/listenlist.h>
 
-static void destroy(ns_listenlist_t *list);
+static void
+destroy(ns_listenlist_t *list);
 
 isc_result_t
 ns_listenelt_create(isc_mem_t *mctx, in_port_t port,
@@ -79,16 +79,14 @@ destroy(ns_listenlist_t *list) {
 }
 
 void
-ns_listenlist_attach(ns_listenlist_t *source, ns_listenlist_t **target)
-{
+ns_listenlist_attach(ns_listenlist_t *source, ns_listenlist_t **target) {
 	INSIST(source->refcount > 0);
 	source->refcount++;
 	*target = source;
 }
 
 void
-ns_listenlist_detach(ns_listenlist_t **listp)
-{
+ns_listenlist_detach(ns_listenlist_t **listp) {
 	ns_listenlist_t *list = *listp;
 	INSIST(list->refcount > 0);
 	list->refcount--;
diff --git a/bin/named/log.c b/bin/named/log.c
index f9c11bb9..4811a4d0 100644
--- a/bin/named/log.c
+++ b/bin/named/log.c
@@ -17,13 +17,6 @@
 
 #include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/log.h>
-#include <isc/result.h>
-
-#include <dns/log.h>
-
-#include <named/globals.h>
 #include <named/log.h>
 
 /*
@@ -56,7 +49,7 @@ static isc_logmodule_t modules[] = {
 };
 
 isc_result_t
-ns_log_init(void) {
+ns_log_init(isc_boolean_t safe) {
 	isc_result_t result;
 	isc_logconfig_t *lcfg;
 
@@ -64,11 +57,6 @@ ns_log_init(void) {
 	ns_g_modules = modules;
 
 	/*
-	 * XXXRTH  This is not necessarily the final default logging
-	 *         setup.
-	 */
-
-	/*
 	 * Setup a logging context.
 	 */
 	result = isc_log_create(ns_g_mctx, &ns_g_lctx, &lcfg);
@@ -77,9 +65,18 @@ ns_log_init(void) {
 
 	isc_log_registercategories(ns_g_lctx, ns_g_categories);
 	isc_log_registermodules(ns_g_lctx, ns_g_modules);
+	isc_log_setcontext(ns_g_lctx);
 	dns_log_init(ns_g_lctx);
+	dns_log_setcontext(ns_g_lctx);
+
+	if (safe)
+		result = ns_log_setsafechannels(lcfg);
+	else
+		result = ns_log_setdefaultchannels(lcfg);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
 
-	result = ns_log_setdefaults(lcfg);
+	result = ns_log_setdefaultcategory(lcfg);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
@@ -92,7 +89,7 @@ ns_log_init(void) {
 }
 
 isc_result_t
-ns_log_setdefaults(isc_logconfig_t *lcfg) {
+ns_log_setdefaultchannels(isc_logconfig_t *lcfg) {
 	isc_result_t result;
 	isc_logdestination_t destination;
 	
@@ -116,6 +113,46 @@ ns_log_setdefaults(isc_logconfig_t *lcfg) {
 			goto cleanup;
 	}
 
+	/*
+	 * Set the initial debug level.
+	 */
+	isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
+
+	result = ISC_R_SUCCESS;
+
+ cleanup:
+	return (result);
+}
+
+isc_result_t
+ns_log_setsafechannels(isc_logconfig_t *lcfg) {
+	isc_result_t result;
+	
+	if (! ns_g_logstderr) {
+		result = isc_log_createchannel(lcfg, "default_debug",
+                                               ISC_LOG_TONULL,
+                                               ISC_LOG_DYNAMIC,
+                                               NULL, 0);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	}
+
+	/*
+	 * Setting the debug level to zero should get the output
+	 * discarded a bit faster.
+	 */
+	isc_log_setdebuglevel(ns_g_lctx, 0);
+
+	result = ISC_R_SUCCESS;
+
+ cleanup:
+	return (result);
+}
+
+isc_result_t
+ns_log_setdefaultcategory(isc_logconfig_t *lcfg) {
+	isc_result_t result;
+
 	result = isc_log_usechannel(lcfg, "default_syslog",
 				    ISC_LOGCATEGORY_DEFAULT, NULL);
 	if (result != ISC_R_SUCCESS)
@@ -126,12 +163,7 @@ ns_log_setdefaults(isc_logconfig_t *lcfg) {
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
-	/*
-	 * Set the initial debug level.
-	 */
-	isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
-
-	return (ISC_R_SUCCESS);
+	result = ISC_R_SUCCESS;
 
  cleanup:
 	return (result);
diff --git a/bin/named/logconf.c b/bin/named/logconf.c
index 042380b8..e349a1a0 100644
--- a/bin/named/logconf.c
+++ b/bin/named/logconf.c
@@ -17,9 +17,8 @@
 
 #include <config.h>
 
-#include <isc/result.h>
+#include <isc/string.h>
 
-#include <named/globals.h>
 #include <named/log.h>
 #include <named/logconf.h>
 
@@ -28,14 +27,12 @@
 	       if (result != ISC_R_SUCCESS) goto cleanup; 	 \
 	} while (0)
 
-
 /*
  * Set up a logging category according to the named.conf data
  * in 'ccat' and add it to 'lctx'.
  */
 static isc_result_t
-category_fromconf(dns_c_logcat_t *ccat, isc_logconfig_t *lctx)
-{
+category_fromconf(dns_c_logcat_t *ccat, isc_logconfig_t *lctx) {
 	isc_result_t result;
 	unsigned int i;
 	isc_logcategory_t *category;
@@ -69,8 +66,7 @@ category_fromconf(dns_c_logcat_t *ccat, isc_logconfig_t *lctx)
  * in 'cchan' and add it to 'lctx'.
  */
 static isc_result_t
-channel_fromconf(dns_c_logchan_t *cchan, isc_logconfig_t *lctx)
-{
+channel_fromconf(dns_c_logchan_t *cchan, isc_logconfig_t *lctx) {
 	isc_result_t result;
 	isc_logdestination_t dest;
 	unsigned int type;
@@ -83,9 +79,13 @@ channel_fromconf(dns_c_logchan_t *cchan, isc_logconfig_t *lctx)
 		type = ISC_LOG_TOFILE;
 		{
 			const char *path = NULL;
-			isc_uint32_t versions = ISC_LOG_ROLLNEVER; 
+			isc_int32_t versions = ISC_LOG_ROLLNEVER; 
+			/*
+			 * XXXDCL should be isc_offset_t, but that
+			 * is incompatible with dns_c_logchan_getsize.
+			 */
 			isc_uint32_t size = 0;
-			(void) dns_c_logchan_getpath(cchan, &path);
+			(void)dns_c_logchan_getpath(cchan, &path);
 			if (path == NULL) {
 				isc_log_write(ns_g_lctx,
 					      DNS_LOGCATEGORY_CONFIG,
@@ -95,11 +95,13 @@ channel_fromconf(dns_c_logchan_t *cchan, isc_logconfig_t *lctx)
 					      "no file name");
 				return (ISC_R_UNEXPECTED);
 			}
-			(void) dns_c_logchan_getversions(cchan, &versions);
-			(void) dns_c_logchan_getsize(cchan, &size);
+			(void)dns_c_logchan_getversions(cchan,
+							(isc_uint32_t *)
+							&versions);
+			(void)dns_c_logchan_getsize(cchan, &size);
 			dest.file.stream = NULL;
 			dest.file.name = cchan->u.filec.path;
-			dest.file.versions = (int)versions;
+			dest.file.versions = versions;
 			dest.file.maximum_size = size;
 		}
 		break;
@@ -108,7 +110,7 @@ channel_fromconf(dns_c_logchan_t *cchan, isc_logconfig_t *lctx)
 		type = ISC_LOG_TOSYSLOG;
 		{
 			int facility = LOG_DAEMON;
-			(void) dns_c_logchan_getfacility(cchan, &facility);
+			(void)dns_c_logchan_getfacility(cchan, &facility);
 			dest.facility = facility;
 		}
 		break;
@@ -125,9 +127,9 @@ channel_fromconf(dns_c_logchan_t *cchan, isc_logconfig_t *lctx)
 		isc_boolean_t printsev = ISC_FALSE;
 		isc_boolean_t printtime = ISC_FALSE;
 
-		(void) dns_c_logchan_getprintcat(cchan, &printcat);
-		(void) dns_c_logchan_getprintsev(cchan, &printsev);
-		(void) dns_c_logchan_getprinttime(cchan, &printtime);
+		(void)dns_c_logchan_getprintcat(cchan, &printcat);
+		(void)dns_c_logchan_getprintsev(cchan, &printsev);
+		(void)dns_c_logchan_getprinttime(cchan, &printtime);
 
 		if (printcat)
 			flags |= ISC_LOG_PRINTCATEGORY;
@@ -139,7 +141,7 @@ channel_fromconf(dns_c_logchan_t *cchan, isc_logconfig_t *lctx)
 	}
 	
 	level = ISC_LOG_INFO;
-	(void) dns_c_logchan_getdebuglevel(cchan, &level);
+	(void)dns_c_logchan_getdebuglevel(cchan, &level);
 	
 	result = isc_log_createchannel(lctx, cchan->name,
 				       type, level, &dest, flags);
@@ -147,13 +149,14 @@ channel_fromconf(dns_c_logchan_t *cchan, isc_logconfig_t *lctx)
 }
 
 isc_result_t
-ns_log_configure(isc_logconfig_t *lcctx, dns_c_logginglist_t *clog)
-{
+ns_log_configure(isc_logconfig_t *lcctx, dns_c_logginglist_t *clog) {
 	isc_result_t result;
 	dns_c_logchan_t *cchan;
 	dns_c_logcat_t *ccat;
 	isc_boolean_t default_set = ISC_FALSE;
 
+	CHECK(ns_log_setdefaultchannels(lcctx));
+		
 	for (cchan = ISC_LIST_HEAD(clog->channels);
 	     cchan != NULL;
 	     cchan = ISC_LIST_NEXT(cchan, next)) {
@@ -170,7 +173,7 @@ ns_log_configure(isc_logconfig_t *lcctx, dns_c_logginglist_t *clog)
 	}
 
 	if (! default_set)
-		CHECK(ns_log_setdefaults(lcctx));
+		CHECK(ns_log_setdefaultcategory(lcctx));
 
 	return (ISC_R_SUCCESS);
 
@@ -179,5 +182,3 @@ ns_log_configure(isc_logconfig_t *lcctx, dns_c_logginglist_t *clog)
 		isc_logconfig_destroy(&lcctx);
 	return (result);
 }
-
-
diff --git a/bin/named/main.c b/bin/named/main.c
index 3b5e16aa..fc2be1f5 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -17,30 +17,25 @@
 
 #include <config.h>
 
-#include <errno.h>
-#include <string.h>
-#include <stdarg.h>
 #include <stdlib.h>
-#include <stddef.h>
 
 #include <isc/app.h>
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/boolean.h>
 #include <isc/commandline.h>
 #include <isc/task.h>
 #include <isc/timer.h>
+#include <isc/util.h>
 
-#include <dns/dbtable.h>
-#include <dns/tsig.h>
-#include <dns/tkey.h>
-#include <dns/result.h>
+#include <dns/dispatch.h>
 
 #include <dst/result.h>
 
-#define NS_MAIN 1
+/*
+ * Defining NS_MAIN provides storage declaratons (rather than extern)
+ * for variables in named/globals.h.
+ */
+#define NS_MAIN 1		
 
-#include <named/globals.h>
+#include <named/globals.h>	/* Explicit, though named/log.h includes it. */
 #include <named/interfacemgr.h>
 #include <named/log.h>
 #include <named/omapi.h>
@@ -238,7 +233,7 @@ parse_command_line(int argc, char *argv[]) {
 }
 
 static isc_result_t
-create_managers() {
+create_managers(void) {
 	isc_result_t result;
 
 	result = isc_taskmgr_create(ns_g_mctx, ns_g_cpus, 0, &ns_g_taskmgr);
@@ -284,12 +279,22 @@ destroy_managers(void) {
 }
 
 static void
-setup() {
+setup(void) {
 	isc_result_t result;
 
 	ns_os_chroot(ns_g_chrootdir);
 
-	result = ns_log_init();
+	/*
+	 * For operating systems which have a capability mechanism, now
+	 * is the time to switch to minimal privs and change our user id.
+	 * On traditional UNIX systems, this call will be a no-op, and we
+	 * will change the user ID after reading the config file the first
+	 * time.  (We need to read the config file to know which possibly
+	 * privileged ports to bind() to.)
+	 */
+	ns_os_minprivs(ns_g_username);
+
+	result = ns_log_init(ISC_TF(ns_g_username != NULL));
 	if (result != ISC_R_SUCCESS)
 		ns_main_earlyfatal("ns_log_init() failed: %s",
 				   isc_result_totext(result));
@@ -332,7 +337,7 @@ setup() {
 }
 
 static void
-cleanup() {
+cleanup(void) {
 	destroy_managers();
 	ns_server_destroy(&ns_g_server);
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
diff --git a/bin/named/notify.c b/bin/named/notify.c
index 082b20e7..b9994353 100644
--- a/bin/named/notify.c
+++ b/bin/named/notify.c
@@ -17,40 +17,13 @@
 
 #include <config.h>
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/mem.h>
-#include <isc/result.h>
-#include <isc/taskpool.h>
-
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/dbtable.h>
-#include <dns/dnssec.h>
-#include <dns/events.h>
-#include <dns/fixedname.h>
-#include <dns/journal.h>
 #include <dns/message.h>
-#include <dns/name.h>
-#include <dns/nxt.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
 #include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
 #include <dns/result.h>
-#include <dns/types.h>
 #include <dns/view.h>
 #include <dns/zone.h>
 #include <dns/zt.h>
 
-#include <named/globals.h>
-#include <named/client.h>
 #include <named/log.h>
 #include <named/notify.h>
 
@@ -91,23 +64,28 @@
  */
 #define CHECK(op) \
 	do { result = (op); 				  	 \
-	       if (result != DNS_R_SUCCESS) goto failure; 	 \
+	       if (result != ISC_R_SUCCESS) goto failure; 	 \
 	} while (0)
 
 /*
  * Fail unconditionally with result 'code', which must not
- * be DNS_R_SUCCESS.  The reason for failure presumably has
+ * be ISC_R_SUCCESS.  The reason for failure presumably has
  * been logged already.
+ *
+ * The test is there to keep the Solaris compiler from complaining
+ * about "end-of-loop code not reached".
  */
 
 #define FAIL(code) \
 	do {							\
 		result = (code);				\
-		goto failure;					\
+		if (code != ISC_R_SUCCESS) goto failure;	\
 	} while (0)
 
 /*
  * Fail unconditionally and log as a client error.
+ * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
  */
 #define FAILC(code, msg) \
 	do {							\
@@ -115,11 +93,13 @@
 		isc_log_write(NOTIFY_PROTOCOL_LOGARGS,		\
 			      "notify failed: %s (%s)",	\
 		      	      msg, isc_result_totext(code));	\
-		goto failure;					\
+		if (code != ISC_R_SUCCESS) goto failure;	\
 	} while (0)
 
 /*
  * Fail unconditionally and log as a server error.
+ * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
  */
 #define FAILS(code, msg) \
 	do {							\
@@ -127,7 +107,7 @@
 		isc_log_write(NOTIFY_PROTOCOL_LOGARGS,		\
 			      "notify error: %s: %s", 	\
 			      msg, isc_result_totext(code));	\
-		goto failure;					\
+		if (code != ISC_R_SUCCESS) goto failure;	\
 	} while (0)
 
 /**************************************************************************/
@@ -166,7 +146,7 @@ ns_notify_start(ns_client_t *client)
 	 * Interpret the question section.
 	 */
 	result = dns_message_firstname(request, DNS_SECTION_QUESTION);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		FAILC(DNS_R_FORMERR,
 		      "notify question section empty");
 
@@ -183,12 +163,13 @@ ns_notify_start(ns_client_t *client)
 
 	/* The zone section must have exactly one name. */
 	result = dns_message_nextname(request, DNS_SECTION_ZONE);
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		FAILC(DNS_R_FORMERR,
 		      "notify question section contains multiple RRs");
 
-	result = dns_zt_find(client->view->zonetable, zonename, NULL, &zone);
-	if (result != DNS_R_SUCCESS)
+	result = dns_zt_find(client->view->zonetable, zonename, 0, NULL,
+			     &zone);
+	if (result != ISC_R_SUCCESS)
 		FAILC(DNS_R_REFUSED,
 		      "not authoritative for notify zone");
 
@@ -202,8 +183,11 @@ ns_notify_start(ns_client_t *client)
 		FAILC(DNS_R_REFUSED,
 		      "not authoritative for notify zone");
 	}
+	dns_zone_detach(&zone);
 	return;
 	
  failure:
+	if (zone != NULL)
+		dns_zone_detach(&zone);
 	respond(client, result);
 }
diff --git a/bin/named/omapi.c b/bin/named/omapi.c
index 3107a029..09238b8a 100644
--- a/bin/named/omapi.c
+++ b/bin/named/omapi.c
@@ -15,19 +15,17 @@
  * SOFTWARE.
  */
 
-/* $Id: omapi.c,v 1.10 2000/03/18 02:38:20 tale Exp $ */
+/* $Id: omapi.c,v 1.13 2000/05/08 14:32:57 tale Exp $ */
 
 /*
  * Principal Author: DCL
  */
 
-#include <stdlib.h>
-#include <stdarg.h>
+#include <config.h>
 
-#include <isc/assertions.h>
+#include <isc/event.h>
 #include <isc/util.h>
 
-#include <named/globals.h>
 #include <named/log.h>
 #include <named/omapi.h>
 #include <named/server.h>
diff --git a/bin/named/query.c b/bin/named/query.c
index 1a775d57..de0dc1bb 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -17,41 +17,26 @@
 
 #include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/buffer.h>
 #include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/result.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/event.h>
-#include <isc/log.h>
 #include <isc/util.h>
 
-#include <dns/a6.h>
-#include <dns/acl.h>
 #include <dns/db.h>
-#include <dns/dbtable.h>
-#include <dns/dispatch.h>
 #include <dns/events.h>
-#include <dns/fixedname.h>
 #include <dns/message.h>
-#include <dns/name.h>
 #include <dns/rdata.h>
-#include <dns/rdatatype.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
 #include <dns/rdatasetiter.h>
+#include <dns/rdatatype.h>
 #include <dns/resolver.h>
-#include <dns/view.h>
+#include <dns/result.h>
 #include <dns/tkey.h>
+#include <dns/view.h>
 #include <dns/zone.h>
 #include <dns/zt.h>
 
 #include <named/client.h>
-#include <named/globals.h>
 #include <named/log.h>
-#include <named/query.h>
 #include <named/server.h>
 #include <named/xfrout.h>
 
@@ -203,8 +188,7 @@ query_newnamebuf(ns_client_t *client) {
 	 */
 
 	dbuf = NULL;
-	result = isc_buffer_allocate(client->mctx, &dbuf, 1024,
-				     ISC_BUFFERTYPE_BINARY);
+	result = isc_buffer_allocate(client->mctx, &dbuf, 1024);
 	if (result != ISC_R_SUCCESS) {
 		CTRACE("query_newnamebuf: isc_buffer_allocate failed: done");
 		return (result);
@@ -237,7 +221,7 @@ query_getnamebuf(ns_client_t *client) {
 
 	dbuf = ISC_LIST_TAIL(client->query.namebufs);
 	INSIST(dbuf != NULL);
-	isc_buffer_available(dbuf, &r);
+	isc_buffer_availableregion(dbuf, &r);
 	if (r.length < 255) {
 		result = query_newnamebuf(client);
 		if (result != ISC_R_SUCCESS) {
@@ -246,7 +230,7 @@ query_getnamebuf(ns_client_t *client) {
 
 		}
 		dbuf = ISC_LIST_TAIL(client->query.namebufs);
-		isc_buffer_available(dbuf, &r);
+		isc_buffer_availableregion(dbuf, &r);
 		INSIST(r.length >= 255);
 	}
 	CTRACE("query_getnamebuf: done");
@@ -308,8 +292,8 @@ query_newname(ns_client_t *client, isc_buffer_t *dbuf,
 		CTRACE("query_newname: dns_message_gettempname failed: done");
 		return (NULL);
 	}
-	isc_buffer_available(dbuf, &r);
-	isc_buffer_init(nbuf, r.base, r.length, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_availableregion(dbuf, &r);
+	isc_buffer_init(nbuf, r.base, r.length);
 	dns_name_init(name, NULL);
 	dns_name_setbuffer(name, nbuf);
 	client->query.attributes |= NS_QUERYATTR_NAMEBUFUSED;
@@ -342,7 +326,7 @@ query_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) {
 
 	CTRACE("query_putrdataset");
 	if (rdataset != NULL) {
-		if (rdataset->methods != NULL)
+		if (dns_rdataset_isassociated(rdataset))
 			dns_rdataset_disassociate(rdataset);
 		dns_message_puttemprdataset(client->message, rdatasetp);
 	}
@@ -412,11 +396,12 @@ ns_query_init(ns_client_t *client) {
 	return (query_newnamebuf(client));
 }
 
-static inline dns_dbversion_t *
-query_findversion(ns_client_t *client, dns_db_t *db) {
+static inline ns_dbversion_t *
+query_findversion(ns_client_t *client, dns_db_t *db,
+		  isc_boolean_t *newzonep)
+{
 	ns_dbversion_t *dbversion;
 
-	CTRACE("query_findversion");
 	/*
 	 * We may already have done a query related to this
 	 * database.  If so, we must be sure to make subsequent
@@ -438,12 +423,129 @@ query_findversion(ns_client_t *client, dns_db_t *db) {
 			return (NULL);
 		dns_db_attach(db, &dbversion->db);
 		dns_db_currentversion(db, &dbversion->version);
+		dbversion->queryok = ISC_FALSE;
 		ISC_LIST_APPEND(client->query.activeversions,
 				dbversion, link);
-	}
+		*newzonep = ISC_TRUE;
+	} else
+		*newzonep = ISC_FALSE;
 	
-	CTRACE("query_findversion: done");
-	return (dbversion->version);
+	return (dbversion);
+}
+
+static inline isc_result_t
+query_getdb(ns_client_t *client, dns_name_t *name, unsigned int options,
+	    dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp,
+	    isc_boolean_t *is_zonep)
+{
+	isc_result_t result;
+	isc_boolean_t check_acl, new_zone;
+	dns_acl_t *queryacl;
+	ns_dbversion_t *dbversion;
+
+	/*
+	 * Find a database to answer the query.
+	 */
+
+	result = dns_zt_find(client->view->zonetable, name, options, NULL,
+			     zonep);
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		result = dns_zone_getdb(*zonep, dbp);
+		*is_zonep = ISC_TRUE;
+	}
+
+	if (result == ISC_R_NOTFOUND) {
+		if (!USECACHE(client))
+			return (DNS_R_REFUSED);
+		dns_db_attach(client->view->cachedb, dbp);
+		*is_zonep = ISC_FALSE;
+	} else if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * If we have a zone, and it has an ACL, we'll check it, otherwise
+	 * we use the view's "allow-query" ACL.  Each ACL is only checked
+	 * once per query.
+	 *
+	 * Also, if we have a zone, we will get the version to use.
+	 */
+
+	check_acl = ISC_TRUE;	/* Keep compiler happy. */
+	queryacl = NULL;
+	dbversion = NULL;
+	if (*is_zonep) {
+		/*
+		 * Get the current version of this database.
+		 */
+		dbversion = query_findversion(client, *dbp, &new_zone);
+		if (dbversion == NULL)
+			return (DNS_R_SERVFAIL);
+		*versionp = dbversion->version;
+		if (new_zone) {
+			queryacl = dns_zone_getqueryacl(*zonep);
+			check_acl = ISC_TRUE;
+		} else if (!dbversion->queryok)
+			return (DNS_R_REFUSED);
+		else
+			check_acl = ISC_FALSE;
+	} else
+		*versionp = NULL;
+
+	if (queryacl == NULL) {
+		queryacl = client->view->queryacl;
+		if ((client->query.attributes &
+		     NS_QUERYATTR_QUERYOKVALID) != 0) {
+			/*
+			 * We've evaluated the view's queryacl already.  If
+			 * NS_QUERYATTR_QUERYOK is set, then the client is
+			 * allowed to make queries, otherwise the query should
+			 * be refused.
+			 */
+			check_acl = ISC_FALSE;
+			if ((client->query.attributes &
+			     NS_QUERYATTR_QUERYOK) == 0)
+				return (DNS_R_REFUSED);
+		} else {
+			/*
+			 * We haven't evaluated the view's queryacl yet.
+			 */
+			check_acl = ISC_TRUE;
+		}
+	}
+
+	if (check_acl) {
+		/*
+		 * XXX RTH  need a "should we log acl failure" flag.
+		 */
+		result = ns_client_checkacl(client, "query", queryacl,
+					    ISC_TRUE);
+		if (queryacl == client->view->queryacl) {
+			if (result == ISC_R_SUCCESS) {
+				/*
+				 * We were allowed by the default
+				 * "allow-query" ACL.  Remember this so we
+				 * don't have to check again.
+				 */
+				client->query.attributes |=
+					NS_QUERYATTR_QUERYOK;
+			}
+			/*
+			 * We've now evaluated the view's query ACL, and
+			 * the NS_QUERYATTR_QUERYOK attribute is now valid.
+			 */
+			client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
+		} 
+	} else
+		result = ISC_R_SUCCESS;
+
+	/*
+	 * Remember the result of the ACL check so we
+	 * don't have to check again.
+	 */
+	if (dbversion != NULL && result == ISC_R_SUCCESS)
+		dbversion->queryok = ISC_TRUE;
+		
+	return (result);
 }
 
 static isc_result_t
@@ -473,29 +575,10 @@ query_simplefind(void *arg, dns_name_t *name, dns_rdatatype_t type,
 	 */
 	zone = NULL;
 	db = NULL;
-	result = dns_zt_find(client->view->zonetable, name, NULL, &zone);
-	if (result == DNS_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
-		isc_result_t tresult;
-		tresult = dns_zone_getdb(zone, &db);
-		if (tresult != DNS_R_SUCCESS)
-			result = tresult;
-	}
-
-	if (result == ISC_R_NOTFOUND && USECACHE(client))
-		dns_db_attach(client->view->cachedb, &db);
-	else if (result != DNS_R_SUCCESS && result != DNS_R_PARTIALMATCH)
-		goto cleanup;
-
-	/*
-	 * Get the current version of this database.
-	 */
 	version = NULL;
-	is_zone = dns_db_iszone(db);
-	if (is_zone) {
-		version = query_findversion(client, db);
-		if (version == NULL)
-			goto cleanup;
-	}
+	result = query_getdb(client, name, 0, &zone, &db, &version, &is_zone);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
 
  db_find:
 	/*
@@ -508,12 +591,11 @@ query_simplefind(void *arg, dns_name_t *name, dns_rdatatype_t type,
 	result = dns_db_find(db, name, version, type, dboptions,
 			     now, NULL, dns_fixedname_name(&foundname),
 			     rdataset, sigrdataset);
-
 	if (result == DNS_R_DELEGATION ||
-	    result == DNS_R_NOTFOUND) {
-		if (rdataset->methods != NULL)
+	    result == ISC_R_NOTFOUND) {
+		if (dns_rdataset_isassociated(rdataset))
 			dns_rdataset_disassociate(rdataset);
-		if (sigrdataset->methods != NULL)
+		if (dns_rdataset_isassociated(sigrdataset))
 			dns_rdataset_disassociate(sigrdataset);
 		if (is_zone) {
 			if (USECACHE(client)) {
@@ -532,9 +614,9 @@ query_simplefind(void *arg, dns_name_t *name, dns_rdatatype_t type,
 			 * We don't have the data in the cache.  If we've got
 			 * glue from the zone, use it.
 			 */
-			if (zrdataset.methods != NULL) {
+			if (dns_rdataset_isassociated(&zrdataset)) {
 				dns_rdataset_clone(&zrdataset, rdataset);
-				if (zsigrdataset.methods != NULL)
+				if (dns_rdataset_isassociated(&zsigrdataset))
 					dns_rdataset_clone(&zsigrdataset,
 							   sigrdataset);
 				result = ISC_R_SUCCESS;
@@ -544,7 +626,7 @@ query_simplefind(void *arg, dns_name_t *name, dns_rdatatype_t type,
 		/*
 		 * We don't know the answer.
 		 */
-		result = DNS_R_NOTFOUND;
+		result = ISC_R_NOTFOUND;
 	} else if (result == DNS_R_GLUE) {
 		if (USECACHE(client) && RECURSIONOK(client)) {
 			/*
@@ -555,7 +637,7 @@ query_simplefind(void *arg, dns_name_t *name, dns_rdatatype_t type,
 			version = NULL;
 			dns_rdataset_clone(rdataset, &zrdataset);
 			dns_rdataset_disassociate(rdataset);
-			if (sigrdataset->methods != NULL) {
+			if (dns_rdataset_isassociated(sigrdataset)) {
 				dns_rdataset_clone(sigrdataset, &zsigrdataset);
 				dns_rdataset_disassociate(sigrdataset);
 			}
@@ -568,17 +650,17 @@ query_simplefind(void *arg, dns_name_t *name, dns_rdatatype_t type,
 		 */
 		result = ISC_R_SUCCESS;
 	} else if (result != ISC_R_SUCCESS) {
-		if (rdataset->methods != NULL)
+		if (dns_rdataset_isassociated(rdataset))
 			dns_rdataset_disassociate(rdataset);
-		if (sigrdataset->methods != NULL)
+		if (dns_rdataset_isassociated(sigrdataset))
 			dns_rdataset_disassociate(sigrdataset);
-		result = DNS_R_NOTFOUND;
+		result = ISC_R_NOTFOUND;
 	}
 
  cleanup:
-	if (zrdataset.methods != NULL) {
+	if (dns_rdataset_isassociated(&zrdataset)) {
 		dns_rdataset_disassociate(&zrdataset);
-		if (zsigrdataset.methods != NULL)
+		if (dns_rdataset_isassociated(&zsigrdataset))
 			dns_rdataset_disassociate(&zsigrdataset);
 	}
 	if (db != NULL)
@@ -610,7 +692,7 @@ query_isduplicate(ns_client_t *client, dns_name_t *name,
 			 */
 			CTRACE("query_isduplicate: true: done");
 			return (ISC_TRUE);
-		} else if (result == DNS_R_NXRDATASET) {
+		} else if (result == DNS_R_NXRRSET) {
 			/*
 			 * The name exists, but the rdataset does not.
 			 */
@@ -677,6 +759,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 	added_something = ISC_FALSE;
 	need_addname = ISC_FALSE;
 	zone = NULL;
+	is_zone = ISC_FALSE;
 	if (qtype == dns_rdatatype_a)
 		type = dns_rdatatype_any;
 	else
@@ -685,27 +768,14 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 	/*
 	 * Find a database to answer the query.
 	 */
-	result = dns_zt_find(client->view->zonetable, name, NULL, &zone);
-	if (result == DNS_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
-		isc_result_t tresult;
-		tresult = dns_zone_getdb(zone, &db);
-		if (tresult != DNS_R_SUCCESS)
-			result = tresult;
-	}
-
-	if (result == ISC_R_NOTFOUND && USECACHE(client))
-		dns_db_attach(client->view->cachedb, &db);
-	else if (result != DNS_R_SUCCESS && result != DNS_R_PARTIALMATCH)
+	result = query_getdb(client, name, 0, &zone, &db, &version, &is_zone);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * We don't want an ACL failure to fail the query.
+		 */
+		if (result == DNS_R_REFUSED)
+			result = ISC_R_SUCCESS;
 		goto cleanup;
-
-	/*
-	 * Get the current version of this database.
-	 */
-	is_zone = dns_db_iszone(db);
-	if (is_zone) {
-		version = query_findversion(client, db);
-		if (version == NULL)
-			goto cleanup;
 	}
 
  db_find:
@@ -733,7 +803,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 			     client->now, &node, fname, rdataset,
 			     sigrdataset);
 
-	if (result == DNS_R_DELEGATION || result == DNS_R_NOTFOUND) {
+	if (result == DNS_R_DELEGATION || result == ISC_R_NOTFOUND) {
 		if (is_zone) {
 			if (USECACHE(client)) {
 				/*
@@ -809,7 +879,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 		query_keepname(client, fname, dbuf);
 
 	mname = NULL;
-	if (rdataset->methods != NULL &&
+	if (dns_rdataset_isassociated(rdataset) &&
 	    !query_isduplicate(client, fname, type, &mname)) {
 		if (mname != NULL) {
 			query_releasename(client, &fname);
@@ -825,7 +895,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 		 * so we do not need to check if the SIG rdataset is already
 		 * in the response.
 		 */
-		if (sigrdataset->methods != NULL) {
+		if (dns_rdataset_isassociated(sigrdataset)) {
 			ISC_LIST_APPEND(fname->list, sigrdataset, link);
 			sigrdataset = NULL;
 		}
@@ -842,7 +912,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 		 * XXXRTH  This code could be more efficient.
 		 */
 		if (rdataset != NULL) {
-			if (rdataset->methods != NULL)
+			if (dns_rdataset_isassociated(rdataset))
 				dns_rdataset_disassociate(rdataset);
 		} else {
 			rdataset = query_newrdataset(client);
@@ -850,7 +920,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 				goto addname;
 		}	
 		if (sigrdataset != NULL) {
-			if (sigrdataset->methods != NULL)
+			if (dns_rdataset_isassociated(sigrdataset))
 				dns_rdataset_disassociate(sigrdataset);
 		} else {
 			sigrdataset = query_newrdataset(client);
@@ -868,7 +938,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 			/*
 			 * Negative cache entries don't have sigrdatasets.
 			 */
-			INSIST(sigrdataset->methods == NULL);
+			INSIST(! dns_rdataset_isassociated(sigrdataset));
 		}
 		if (zdb != NULL && result == ISC_R_NOTFOUND) {
 			/*
@@ -892,7 +962,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 					need_addname = ISC_TRUE;
 				ISC_LIST_APPEND(fname->list, rdataset, link);
 				added_something = ISC_TRUE;
-				if (sigrdataset->methods != NULL) {
+				if (dns_rdataset_isassociated(sigrdataset)) {
 					ISC_LIST_APPEND(fname->list,
 							sigrdataset, link);
 					sigrdataset =
@@ -903,7 +973,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 					goto addname;
 			} else {
 				dns_rdataset_disassociate(rdataset);
-				if (sigrdataset->methods != NULL)
+				if (dns_rdataset_isassociated(sigrdataset))
 					dns_rdataset_disassociate(sigrdataset);
 			}
 		}
@@ -915,7 +985,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 			goto addname;
 		if (result == DNS_R_NCACHENXRRSET) {
 			dns_rdataset_disassociate(rdataset);
-			INSIST(sigrdataset->methods == NULL);
+			INSIST(! dns_rdataset_isassociated(sigrdataset));
 		}
 		if (zdb != NULL && result == ISC_R_NOTFOUND) {
 			/*
@@ -940,7 +1010,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 				a6rdataset = rdataset;
 				ISC_LIST_APPEND(fname->list, rdataset, link);
 				added_something = ISC_TRUE;
-				if (sigrdataset->methods != NULL) {
+				if (dns_rdataset_isassociated(sigrdataset)) {
 					ISC_LIST_APPEND(fname->list,
 							sigrdataset, link);
 					sigrdataset =
@@ -960,7 +1030,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 			goto addname;
 		if (result == DNS_R_NCACHENXRRSET) {
 			dns_rdataset_disassociate(rdataset);
-			INSIST(sigrdataset->methods == NULL);
+			INSIST(! dns_rdataset_isassociated(sigrdataset));
 		}
 		if (zdb != NULL && result == ISC_R_NOTFOUND) {
 			/*
@@ -984,7 +1054,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 					need_addname = ISC_TRUE;
 				ISC_LIST_APPEND(fname->list, rdataset, link);
 				added_something = ISC_TRUE;
-				if (sigrdataset->methods != NULL) {
+				if (dns_rdataset_isassociated(sigrdataset)) {
 					ISC_LIST_APPEND(fname->list,
 							sigrdataset, link);
 					sigrdataset = NULL;
@@ -1117,7 +1187,7 @@ query_adda6rrset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset,
 	if (dns_name_concatenate(name, NULL, fname, NULL) != ISC_R_SUCCESS)
 		goto cleanup;
 	dns_rdataset_clone(rdataset, crdataset);
-	if (sigrdataset->methods != NULL)
+	if (dns_rdataset_isassociated(sigrdataset))
 		dns_rdataset_clone(sigrdataset, csigrdataset);
 
 	mname = NULL;
@@ -1139,7 +1209,7 @@ query_adda6rrset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset,
 	 * we do not need to check if the SIG rdataset is already in the
 	 * response.
 	 */
-	if (csigrdataset->methods != NULL) {
+	if (dns_rdataset_isassociated(csigrdataset)) {
 		ISC_LIST_APPEND(fname->list, csigrdataset, link);
 		csigrdataset = NULL;
 	}
@@ -1210,6 +1280,12 @@ query_addrrset(ns_client_t *client, dns_name_t **namep,
 	dns_rdataset_t *rdataset, *mrdataset, *sigrdataset;
 	isc_result_t result;
 
+	/*
+	 * If 'dbuf' is not NULL, then '*namep' is name whose data is
+	 * stored in 'dbuf'.  In this case, query_addrrset() guarantees that
+	 * when it returns the name will either have been kept or released.
+	 */
+
 	CTRACE("query_addrrset");
 	name = *namep;
 	rdataset = *rdatasetp;
@@ -1228,6 +1304,8 @@ query_addrrset(ns_client_t *client, dns_name_t **namep,
 		 * There's nothing else to do;
 		 */
 		CTRACE("query_addrrset: dns_message_findname succeeded: done");
+		if (dbuf != NULL)
+			query_releasename(client, namep);
 		return;
 	} else if (result == DNS_R_NXDOMAIN) {
 		/*
@@ -1238,8 +1316,11 @@ query_addrrset(ns_client_t *client, dns_name_t **namep,
 		dns_message_addname(client->message, name, section);
 		*namep = NULL;
 		mname = name;
-	} else
-		RUNTIME_CHECK(result == DNS_R_NXRDATASET);
+	} else {
+		RUNTIME_CHECK(result == DNS_R_NXRRSET);
+		if (dbuf != NULL)
+			query_releasename(client, namep);
+	}
 
 	/*
 	 * Note: we only add SIGs if we've added the type they cover, so
@@ -1248,7 +1329,7 @@ query_addrrset(ns_client_t *client, dns_name_t **namep,
 	 */
 	query_addrdataset(client, mname, rdataset);
 	*rdatasetp = NULL;
-	if (sigrdataset != NULL && sigrdataset->methods != NULL) {
+	if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) {
 		/*
 		 * We have a signature.  Add it to the response.
 		 */
@@ -1471,38 +1552,17 @@ query_addbestns(ns_client_t *client) {
 	zdb = NULL;
 	version = NULL;
 	zone = NULL;
+	is_zone = ISC_FALSE;
 	use_zone = ISC_FALSE;
 
 	/*
 	 * Find the right database.
 	 */
-	result = dns_zt_find(client->view->zonetable, client->query.qname,
-			     NULL, &zone);
-	if (result == DNS_R_SUCCESS || result == DNS_R_PARTIALMATCH)
-		result = dns_zone_getdb(zone, &db);
-	if (result == ISC_R_NOTFOUND) {
-		/*
-		 * We're not directly authoritative for this query name, nor
-		 * is it a subdomain of any zone for which we're
-		 * authoritative.
-		 */
-		if (!USECACHE(client))
-			goto cleanup;
-		INSIST(client->view->cachedb != NULL);
-		dns_db_attach(client->view->cachedb, &db);
-	} else if (result != ISC_R_SUCCESS) {
-		/*
-		 * Something is broken.
-		 */
+	result = query_getdb(client, client->query.qname, 0, &zone, &db,
+			     &version, &is_zone);
+	if (result != ISC_R_SUCCESS)
 		goto cleanup;
-	}
-	is_zone = dns_db_iszone(db);
-	if (is_zone) {
-		version = query_findversion(client, db);
-		if (version == NULL)
-			goto cleanup;
-	} else
-		version = NULL;
+
  db_find:
 	/*
 	 * We'll need some resources...
@@ -1581,6 +1641,10 @@ query_addbestns(ns_client_t *client) {
 		zsigrdataset = NULL;
 	}
 
+	if ((client->message->flags & DNS_MESSAGEFLAG_CD) == 0 &&
+	    rdataset->trust == dns_trust_pending)
+		goto cleanup;
+
 	query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
 		       DNS_SECTION_AUTHORITY);
 
@@ -1638,8 +1702,10 @@ query_resume(isc_task_t *task, isc_event_t *event) {
 	 * Resume a query after recursion.
 	 */
 
-	REQUIRE(event->type == DNS_EVENT_FETCHDONE);
-	client = devent->arg;
+	UNUSED(task);
+
+	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
+	client = devent->ev_arg;
 	REQUIRE(NS_CLIENT_VALID(client));
 	REQUIRE(task == client->task);
 	REQUIRE(RECURSING(client));
@@ -1720,7 +1786,7 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
 		if (result == ISC_R_SUCCESS)
 			result = ns_client_replace(client);
 		if (result != ISC_R_SUCCESS) {
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_CLIENT,
+			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
 				      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
 				      "no more recursive clients: %s",
 				      isc_result_totext(result));
@@ -1768,6 +1834,88 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
 	return (result);
 }
 
+static inline isc_result_t
+query_findparentkey(ns_client_t *client, dns_name_t *name,
+		    dns_zone_t **zonep, dns_db_t **dbp,
+		    dns_dbversion_t **versionp, dns_dbnode_t **nodep,
+		    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	dns_db_t *pdb;
+	dns_dbnode_t *pnode;
+	dns_dbversion_t *pversion;
+	dns_rdataset_t prdataset, psigrdataset;
+	isc_result_t result;
+	dns_zone_t *pzone;
+	isc_boolean_t is_zone;
+	dns_fixedname_t pfoundname;
+
+	/*
+	 * 'name' is at a zone cut.  Try to find a KEY for 'name' in
+	 * the deepest ancestor zone of 'name' (if any).  If it exists,
+	 * update *zonep, *dbp, *nodep, rdataset, and sigrdataset and
+	 * return ISC_R_SUCCESS.  If not, leave them alone and return a
+	 * non-success status.
+	 */
+
+	pzone = NULL;
+	pdb = NULL;
+	pnode = NULL;
+	pversion = NULL;
+	dns_rdataset_init(&prdataset);
+	dns_rdataset_init(&psigrdataset);
+	is_zone = ISC_FALSE;
+	dns_fixedname_init(&pfoundname);
+
+	result = query_getdb(client, name, DNS_ZTFIND_NOEXACT,
+			     &pzone, &pdb, &pversion, &is_zone);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	if (!is_zone) {
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+		
+	result = dns_db_find(pdb, name, pversion, dns_rdatatype_key, 0,
+			     client->now, &pnode,
+			     dns_fixedname_name(&pfoundname),
+			     &prdataset, &psigrdataset);
+	if (result == ISC_R_SUCCESS) {
+		if (dns_rdataset_isassociated(rdataset))
+			dns_rdataset_disassociate(rdataset);
+		if (dns_rdataset_isassociated(sigrdataset))
+			dns_rdataset_disassociate(sigrdataset);
+		dns_rdataset_clone(&prdataset, rdataset);
+		if (dns_rdataset_isassociated(&psigrdataset))
+			dns_rdataset_clone(&psigrdataset, sigrdataset);
+		if (*nodep != NULL)
+			dns_db_detachnode(*dbp, nodep);
+		*nodep = pnode;
+		pnode = NULL;
+		*versionp = pversion;
+		if (*dbp != NULL)
+			dns_db_detach(dbp);
+		*dbp = pdb;
+		pdb = NULL;
+		if (*zonep != NULL)
+			dns_zone_detach(zonep);
+		*zonep = pzone;
+		pzone = NULL;
+	}
+
+ cleanup:
+	if (dns_rdataset_isassociated(&prdataset))
+		dns_rdataset_disassociate(&prdataset);
+	if (dns_rdataset_isassociated(&psigrdataset))
+		dns_rdataset_disassociate(&psigrdataset);
+	if (pnode != NULL)
+		dns_db_detachnode(pdb, &pnode);
+	if (pdb != NULL)
+		dns_db_detach(&pdb);
+	if (pzone != NULL)
+		dns_zone_detach(&pzone);
+
+	return (result);
+}
 
 #define MAX_RESTARTS 16
 
@@ -1787,7 +1935,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event) {
 	dns_rdataset_t *sigrdataset, *zrdataset, *zsigrdataset;
 	dns_rdata_t rdata;
 	dns_rdatasetiter_t *rdsiter;
-	isc_boolean_t want_restart, authoritative, is_zone, clear_fname;
+	isc_boolean_t want_restart, authoritative, is_zone;
 	unsigned int qcount, n, nlabels, nbits;
 	dns_namereln_t namereln;
 	int order;
@@ -1798,7 +1946,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event) {
 	dns_fixedname_t fixed;
 	dns_dbversion_t *version;
 	dns_zone_t *zone;
-	dns_acl_t *queryacl;
 
 	CTRACE("query_find");
 
@@ -1830,7 +1977,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event) {
 
 		want_restart = ISC_FALSE;
 		authoritative = ISC_FALSE;
-		clear_fname = ISC_FALSE;
 		is_zone = ISC_FALSE;
 
 		qtype = event->qtype;
@@ -1873,71 +2019,23 @@ query_find(ns_client_t *client, dns_fetchevent_t *event) {
 	CTRACE("query_find: restart");
 	want_restart = ISC_FALSE;
 	authoritative = ISC_FALSE;
-	clear_fname = ISC_FALSE;
+	version = NULL;
 
 	/*
 	 * First we must find the right database.
 	 */
-	result = dns_zt_find(client->view->zonetable, client->query.qname,
-			     NULL, &zone);
-	if (result == DNS_R_SUCCESS || result == DNS_R_PARTIALMATCH)
-		result = dns_zone_getdb(zone, &db);
-
-	if (result == ISC_R_NOTFOUND) {
-		/*
-		 * We're not directly authoritative for this query name, nor
-		 * is it a subdomain of any zone for which we're
-		 * authoritative.
-		 */
-		if (!USECACHE(client)) {
-			/*
-			 * If we can't use the cache, either because we
-			 * don't have one or because its use has been
-			 * disallowed, there's no more progress we can make
-			 * on this query.
-			 */
+	result = query_getdb(client, client->query.qname, 0, &zone, &db,
+			     &version, &is_zone);
+	if (result != ISC_R_SUCCESS) {
+		if (result == DNS_R_REFUSED)
 			QUERY_ERROR(DNS_R_REFUSED);
-			goto cleanup;
-		}
-		INSIST(client->view->cachedb != NULL);
-		dns_db_attach(client->view->cachedb, &db);
-	} else if (result != ISC_R_SUCCESS) {
-		/*
-		 * Something is broken.
-		 */
-		QUERY_ERROR(DNS_R_SERVFAIL);
+		else
+			QUERY_ERROR(DNS_R_SERVFAIL);
 		goto cleanup;
 	}
 
-	is_zone = dns_db_iszone(db);
-	if (is_zone) {
-		authoritative = ISC_TRUE;
-
-		/*
-		 * Get the current version of this database.
-		 */
-		version = query_findversion(client, db);
-		if (version == NULL) {
-			QUERY_ERROR(DNS_R_SERVFAIL);
-			goto cleanup;
-		}
-	} else
-		version = NULL;
-
-	queryacl = NULL;
 	if (is_zone)
-		queryacl = dns_zone_getqueryacl(zone);
-	if (queryacl == NULL)
-		queryacl = ns_g_server->queryacl;
-	/*
-	 * Check the query against the "allow-query" AMLs.
-	 * XXX there should also be a per-view one.
-	 */
-	result = ns_client_checkacl(client, "query", queryacl, ISC_TRUE);
-	if (result != DNS_R_SUCCESS) {
-		QUERY_ERROR(result);
-		goto cleanup;
-	}
+		authoritative = ISC_TRUE;
 
 	/*
 	 * Find the first unanswered type in the question section.
@@ -2015,10 +2113,67 @@ query_find(ns_client_t *client, dns_fetchevent_t *event) {
 			     client->now, &node, fname, rdataset,
 			     sigrdataset);
 
+	/*
+	 * We interrupt our normal query processing to bring you this special
+	 * case...
+	 *
+	 * RFC 2535 (DNSSEC), section 2.3.4, discusses various special
+	 * cases that can occur at delegation points.
+	 *
+	 * One of these cases is that the NULL KEY for an unsecure zone
+	 * may occur in the delegating zone instead of in the delegated zone.
+	 * If we're authoritative for both zones, we need to look for the
+	 * key in the delegator if we didn't find it in the delegatee.  If
+	 * we didn't do this, a client doing DNSSEC validation could fail
+	 * because it couldn't get the NULL KEY.
+	 */
+	if (type == dns_rdatatype_key &&
+	    is_zone &&
+	    result == DNS_R_NXRRSET &&
+	    !dns_db_issecure(db) &&
+	    dns_name_equal(client->query.qname, dns_db_origin(db))) {
+		/*
+		 * We're looking for a KEY at the top of an unsecure zone,
+		 * and we didn't find it.
+		 */
+		result = query_findparentkey(client, client->query.qname,
+					     &zone, &db, &version, &node,
+					     rdataset, sigrdataset);
+		if (result == ISC_R_SUCCESS) {
+			/*
+			 * We found the parent KEY.
+			 *
+			 * zone, db, version, node, rdataset, and sigrdataset
+			 * have all been updated to refer to the parent's
+			 * data.  We will resume query processing as if
+			 * we had looked for the KEY in the parent zone in
+			 * the first place.
+			 *
+			 * We need to set fname correctly.  We do this here
+			 * instead of in query_findparentkey() because
+			 * dns_name_concatenate() can fail (though it shouldn't
+			 * ever do so since we should have enough space).
+			 */
+			result = dns_name_concatenate(client->query.qname,
+						      NULL, fname, NULL);
+			if (result != ISC_R_SUCCESS) {
+				QUERY_ERROR(DNS_R_SERVFAIL);
+				goto cleanup;
+			}
+		} else {
+			/*
+			 * We couldn't find the KEY in a parent zone.
+			 * Continue with processing of the original
+			 * results of dns_db_find().
+			 */
+			result = DNS_R_NXRRSET;
+		}
+	}
+
  resume:
 	CTRACE("query_find: resume");
 	switch (result) {
-	case DNS_R_SUCCESS:
+	case ISC_R_SUCCESS:
 		/*
 		 * This case is handled in the main line below.
 		 */
@@ -2031,7 +2186,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event) {
 		INSIST(is_zone);
 		authoritative = ISC_FALSE;
 		break;
-	case DNS_R_NOTFOUND:
+	case ISC_R_NOTFOUND:
 		/*
 		 * The cache doesn't even have the root NS.  Get them from
 		 * the hints DB.
@@ -2163,7 +2318,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event) {
 			}
 		}
 		goto cleanup;
-	case DNS_R_NXRDATASET:
+	case DNS_R_NXRRSET:
 		INSIST(is_zone);
 		if (dns_rdataset_isassociated(rdataset)) {
 			/*
@@ -2363,8 +2518,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event) {
 					prefix, NULL);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;	
-		if (fname != NULL)
-			query_releasename(client, &fname);
+		INSIST(fname == NULL);
 		dbuf = query_getnamebuf(client);
 		if (dbuf == NULL)
 			goto cleanup;
@@ -2431,6 +2585,19 @@ query_find(ns_client_t *client, dns_fetchevent_t *event) {
 			QUERY_ERROR(DNS_R_SERVFAIL);
 			goto cleanup;
 		}
+		/*
+		 * Calling query_addrrset() with a non-NULL dbuf is going
+		 * to either keep or release the name.  We don't want it to
+		 * release fname, since we may have to call query_addrrset()
+		 * more than once.  That means we have to call query_keepname()
+		 * now, and pass a NULL dbuf to query_addrrset().
+		 *
+		 * Since we've done the keepname, it's important that we
+		 * set fname to NULL before we leave this 'if' block
+		 * otherwise we might try to cleanup fname even though we've
+		 * kept it!
+		 */
+		query_keepname(client, fname, dbuf);
 		result = dns_rdatasetiter_first(rdsiter);
 		while (result == ISC_R_SUCCESS) {
 			dns_rdatasetiter_current(rdsiter, rdataset);
@@ -2438,18 +2605,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event) {
 			     rdataset->type == qtype) && rdataset->type != 0) {
 				tname = fname;
 				query_addrrset(client, &tname, &rdataset, NULL,
-					       dbuf, DNS_SECTION_ANSWER);
+					       NULL, DNS_SECTION_ANSWER);
 				n++;
-				if (tname == NULL) {
-					clear_fname = ISC_TRUE;
-					/*
-					 * We set dbuf to NULL because we only
-					 * want the query_keepname() call in
-					 * query_addrrset() to be called once.
-					 */
-					dbuf = NULL;
-				}
-
 				/*
 				 * We shouldn't ever fail to add 'rdataset'
 				 * because it's already in the answer.
@@ -2466,15 +2623,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event) {
 			}
 			result = dns_rdatasetiter_next(rdsiter);
 		}
-		if (n > 0) {
-			if (clear_fname)
-				fname = NULL;
-		} else {
+		/*
+		 * As mentioned above, we must now clear fname since we have
+		 * kept it.
+		 */
+		fname = NULL;
+		if (n == 0) {
 			/*
 			 * We didn't match any rdatasets.
 			 */
 			if (qtype == dns_rdatatype_sig &&
-			    result == DNS_R_NOMORE) {
+			    result == ISC_R_NOMORE) {
 				/*
 				 * XXXRTH  If this is a secure zone and we
 				 * didn't find any SIGs, we should generate
@@ -2485,16 +2644,13 @@ query_find(ns_client_t *client, dns_fetchevent_t *event) {
 				 * We were searching for SIG records in
 				 * a nonsecure zone.  Send a "no error,
 				 * no data" response.
-				 *
-				 * First we must release fname.
 				 */
-				query_releasename(client, &fname);
 				/*
 				 * Add SOA.
 				 */
 				result = query_addsoa(client, db);
 				if (result == ISC_R_SUCCESS)
-					result = DNS_R_NOMORE;
+					result = ISC_R_NOMORE;
 			} else {
 				/*
 				 * Something went wrong.
@@ -2503,7 +2659,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event) {
 			}
 		}
 		dns_rdatasetiter_destroy(&rdsiter);
-		if (result != DNS_R_NOMORE) {
+		if (result != ISC_R_NOMORE) {
 			QUERY_ERROR(DNS_R_SERVFAIL);
 			goto cleanup;
 		}
@@ -2512,26 +2668,18 @@ query_find(ns_client_t *client, dns_fetchevent_t *event) {
 		 * This is the "normal" case -- an ordinary question to which
 		 * we know the answer.
 		 */
-		tname = fname;
-		query_addrrset(client, &tname, &rdataset, &sigrdataset, dbuf,
+		query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
 			       DNS_SECTION_ANSWER);
-		if (tname == NULL)
-			clear_fname = ISC_TRUE;
-		
 		/*
 		 * We shouldn't ever fail to add 'rdataset'
 		 * because it's already in the answer.
 		 */
 		INSIST(rdataset == NULL);
-		
 		/*
 		 * Remember that we've answered this question.
 		 */
 		client->query.qrdataset->attributes |=
 			DNS_RDATASETATTR_ANSWERED;
-
-		if (clear_fname)
-			fname = NULL;
 	}
 
  addauth:
@@ -2607,7 +2755,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event) {
 		 * response.
 		 */
 		if (client->message->rcode == dns_rcode_nxdomain &&
-		    ns_g_server->auth_nxdomain == ISC_TRUE)
+		    client->view->auth_nxdomain == ISC_TRUE)
 			client->message->flags |= DNS_MESSAGEFLAG_AA;
 		
 		ns_client_send(client);
@@ -2616,45 +2764,23 @@ query_find(ns_client_t *client, dns_fetchevent_t *event) {
 	CTRACE("query_find: done");
 }
 
-/*
- * XXXRTH  Problem areas.
- *
- * If we're authoritative for both a parent and a child, the
- * child is non-secure, and we are asked for the KEY of the
- * nonsecure child, we need to get it from the parent.
- * If we're not auth for the parent, then we have to go
- * looking for it in the cache.  How do we even know who
- * the parent is?  We probably won't find this KEY when doing
- * additional data KEY retrievals, but that's probably OK,
- * since it's a SHOULD not a MUST.  We don't want to be doing
- * tons of work just to fill out additional data.
- *
- * Similar problems occur with NXT queries, since there can
- * be NXT records at a delegation point in both the parent
- * and the child.  RFC 2535 section 5.5 says that on explicit
- * query we should return both, if available.  That seems
- * to imply we shouldn't recurse to get the missing one
- * if only one is available.  Is that right?
- */
-
 static inline void
 log_query(ns_client_t *client) {
 	isc_buffer_t b;
-	char text[1024];
+	char namebuf[1024];
+	char text[256];
 	isc_region_t r;
 	dns_rdataset_t *rdataset;
 
 	/* XXXRTH  Allow this to be turned off! */
 
-	isc_buffer_init(&b, (unsigned char *)text, sizeof text,
-			ISC_BUFFERTYPE_TEXT);
-	if (dns_name_totext(client->query.qname, ISC_TRUE, &b) !=
-	    ISC_R_SUCCESS)
-		return;
+	dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
+	
+	isc_buffer_init(&b, (unsigned char *)text, sizeof(text));
 	for (rdataset = ISC_LIST_HEAD(client->query.qname->list);
 	     rdataset != NULL;
 	     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-		isc_buffer_available(&b, &r);
+		isc_buffer_availableregion(&b, &r);
 		if (r.length < 1)
 			return;
 		*r.base = ' ';
@@ -2662,9 +2788,9 @@ log_query(ns_client_t *client) {
 		if (dns_rdatatype_totext(rdataset->type, &b) != ISC_R_SUCCESS)
 			return;
 	}
-	isc_buffer_used(&b, &r);
-	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_QUERY,
-		      ISC_LOG_DEBUG(1), "query: %.*s",
+	isc_buffer_usedregion(&b, &r);
+	ns_client_log(client, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_QUERY,
+		      ISC_LOG_DEBUG(1), "query: %s%.*s", namebuf,
 		      (int)r.length, (char *)r.base);
 }
 
diff --git a/bin/named/server.c b/bin/named/server.c
index dea952f2..6df21523 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -17,61 +17,40 @@
 
 #include <config.h>
 
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <stdio.h>
 #include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <stdarg.h>
 
 #include <isc/app.h>
-#include <isc/assertions.h>
+#include <isc/base64.h>
 #include <isc/dir.h>
-#include <isc/error.h>
-#include <isc/mem.h>
-#include <isc/result.h>
-#include <isc/rwlock.h>
-#include <isc/socket.h>
+#include <isc/lex.h>
+#include <isc/string.h>
 #include <isc/task.h>
-#include <isc/thread.h>
 #include <isc/timer.h>
 #include <isc/util.h>
 
-#include <dns/acl.h>
-#include <dns/aclconf.h>
 #include <dns/cache.h>
-#include <dns/confacl.h>
-#include <dns/confctx.h>
-#include <dns/confip.h>
 #include <dns/confparser.h>
 #include <dns/db.h>
 #include <dns/dispatch.h>
-#include <dns/fixedname.h>
 #include <dns/journal.h>
-#include <dns/master.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
+#include <dns/keytable.h>
+#include <dns/peer.h>
+#include <dns/rdatastruct.h>
 #include <dns/resolver.h>
-#include <dns/result.h>
 #include <dns/rootns.h>
+#include <dns/tkey.h>
 #include <dns/tkeyconf.h>
 #include <dns/tsigconf.h>
-#include <dns/types.h>
 #include <dns/view.h>
 #include <dns/zone.h>
 #include <dns/zoneconf.h>
 
 #include <named/client.h>
-#include <named/globals.h>
 #include <named/interfacemgr.h>
-#include <named/listenlist.h>
 #include <named/log.h>
 #include <named/logconf.h>
 #include <named/os.h>
 #include <named/server.h>
-#include <named/types.h>
 
 /*
  * Check an operation for failure.  Assumes that the function
@@ -120,11 +99,269 @@ ns_listenlist_fromconfig(dns_c_lstnlist_t *clist, dns_c_ctx_t *cctx,
 			 isc_mem_t *mctx, ns_listenlist_t **target);
 
 /*
- * Configure 'view' according to 'cctx'.
+ * Configure a single view ACL at '*aclp'.  Get its configuration by
+ * calling 'getvcacl' (for per-view configuration) and maybe 'getscacl'
+ * (for a global default).
  */
 static isc_result_t
-configure_view(dns_view_t *view, dns_c_ctx_t *cctx, isc_mem_t *mctx,
-	       dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6)
+configure_view_acl(dns_c_view_t *cview, 
+		   dns_c_ctx_t *cctx,
+		   dns_aclconfctx_t *actx, isc_mem_t *mctx,
+		   isc_result_t (*getvcacl)
+		       (dns_c_view_t *, dns_c_ipmatchlist_t **),
+		   isc_result_t (*getscacl)
+		       (dns_c_ctx_t *, dns_c_ipmatchlist_t **),
+		   dns_acl_t **aclp)
+{
+	isc_result_t result;
+	
+	dns_c_ipmatchlist_t *cacl = NULL;
+	if (*aclp != NULL)
+		dns_acl_detach(aclp);
+	if (getvcacl != NULL && cview != NULL)
+		(void) (*getvcacl)(cview, &cacl);
+	if (cacl == NULL && getscacl != NULL)
+		(void) (*getscacl)(cctx, &cacl);
+	if (cacl == NULL) {
+		/* No value available.  *aclp == NULL. */		
+		return (ISC_R_SUCCESS);
+	}
+
+	result = dns_acl_fromconfig(cacl, cctx, actx, mctx, aclp);
+
+	dns_c_ipmatchlist_detach(&cacl);
+
+	return (result);
+}
+
+
+/*
+ * Convert a null-terminated string of base64 text into
+ * binary, storing it in a buffer.
+ * 'mctx' is only used internally.
+ */
+static isc_result_t
+base64_cstring_tobuffer(isc_mem_t *mctx, char *cstr, isc_buffer_t *target)
+{
+	isc_result_t result;
+	isc_buffer_t source;
+	isc_lex_t *lex = NULL;
+	isc_boolean_t isopen = ISC_FALSE;
+	
+	isc_buffer_init(&source, cstr, strlen(cstr));
+	isc_buffer_add(&source, strlen(cstr));
+	CHECK(isc_lex_create(mctx, 256, &lex));
+	CHECK(isc_lex_openbuffer(lex, &source));
+	isopen = ISC_TRUE;
+	CHECK(isc_base64_tobuffer(lex, target, -1));
+	
+ cleanup:
+	if (isopen)
+		(void) isc_lex_close(lex);
+	if (lex != NULL)
+		isc_lex_destroy(&lex);
+	return (result);
+}
+
+/*
+ * Configure the trusted keys or security roots of a view.
+ * The configuration values are read from 'cctx' and 'cview' using 
+ * the function 'cget'.  The variable to be configured is '*target'.
+ * XXX not really view specific yet
+ */
+static isc_result_t
+configure_view_dnsseckeys(dns_c_ctx_t *cctx,
+			  dns_c_view_t *cview,
+			  isc_mem_t *mctx,
+			  isc_result_t (*cget)
+			      (dns_c_ctx_t *, dns_c_tkeylist_t **),
+			  dns_keytable_t **target)
+{
+	isc_result_t result;
+	dns_c_tkeylist_t *ckeys = NULL;
+	dns_c_tkey_t *ckey;
+	dns_keytable_t *keytable = NULL;
+	dst_key_t *dstkey = NULL;
+	
+	CHECK(dns_keytable_create(mctx, &keytable));
+
+	result = (*cget)(cctx, &ckeys);
+	if (result == ISC_R_SUCCESS) {
+		for (ckey = ISC_LIST_HEAD(ckeys->tkeylist);
+		     ckey != NULL;
+		     ckey = ISC_LIST_NEXT(ckey, next))
+		{
+			dns_rdataclass_t viewclass;
+			dns_rdata_key_t keystruct;
+			isc_int32_t flags, proto, alg;
+			unsigned char keydata[4096];
+			isc_buffer_t keydatabuf;
+			unsigned char rrdata[4096];
+			isc_buffer_t rrdatabuf;
+			isc_region_t r;
+			
+			if (cview == NULL)
+				viewclass = dns_rdataclass_in;
+			else
+				CHECK(dns_c_view_getviewclass(cview,
+							      &viewclass));
+			keystruct.common.rdclass = viewclass;
+			keystruct.common.rdtype = dns_rdatatype_key;
+			/*
+			 * The key data in keystruct is not 
+			 * dynamically allocated.
+			 */
+			keystruct.mctx = NULL; 
+			
+			ISC_LINK_INIT(&keystruct.common, link);
+			
+			flags = ckey->pubkey->flags;
+			proto = ckey->pubkey->protocol;
+			alg = ckey->pubkey->algorithm;
+			if (flags < 0 || flags > 0xffff)
+				CHECKM(ISC_R_RANGE, "key flags");
+			if (proto < 0 || proto > 0xff)
+				CHECKM(ISC_R_RANGE, "key protocol");
+			if (alg < 0 || alg > 0xff)
+				CHECKM(ISC_R_RANGE, "key algorithm");
+			keystruct.flags = flags;
+			keystruct.protocol = proto;
+			keystruct.algorithm = alg;
+			
+			isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
+			isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
+			
+			CHECK(base64_cstring_tobuffer(mctx, ckey->pubkey->key,
+						      &keydatabuf));
+			isc_buffer_usedregion(&keydatabuf, &r);
+			keystruct.datalen = r.length;
+			keystruct.data = r.base;
+			
+			CHECK(dns_rdata_fromstruct(NULL,
+						   keystruct.common.rdclass,
+						   keystruct.common.rdtype,
+						   &keystruct, &rrdatabuf));
+			CHECK(dst_key_fromdns(ckey->domain, &rrdatabuf, mctx,
+					      &dstkey));
+			
+			CHECK(dns_keytable_add(keytable, &dstkey));
+			INSIST(dstkey == NULL);
+		}
+	} else if (result != ISC_R_NOTFOUND)
+		goto cleanup;
+	
+	dns_keytable_detach(target);
+	*target = keytable; /* Transfer ownership. */
+	keytable = NULL;
+	result = ISC_R_SUCCESS;
+
+ cleanup:
+	if (dstkey != NULL)
+		dst_key_free(&dstkey);
+	return (result);
+}
+				  
+
+/*
+ * Get a dispatch appropriate for the resolver of a given view.
+ */
+static isc_result_t
+get_view_querysource_dispatch(dns_c_ctx_t *cctx, dns_c_view_t *cview,
+			      int af, dns_dispatch_t **dispatchp)
+{
+	isc_result_t result;
+	dns_dispatch_t *disp;
+	isc_sockaddr_t sa;
+	unsigned int attrs, attrmask;
+
+	/*
+	 * Make compiler happy.
+	 */
+	result = ISC_R_FAILURE;
+
+	switch (af) {
+	case AF_INET:
+		result = ISC_R_NOTFOUND;
+		if (cview != NULL)
+			result = dns_c_view_getquerysource(cview, &sa);
+		if (result != ISC_R_SUCCESS)
+			result = dns_c_ctx_getquerysource(cctx, &sa);			
+		if (result != ISC_R_SUCCESS)
+			isc_sockaddr_any(&sa);
+		break;
+	case AF_INET6:
+		result = ISC_R_NOTFOUND;
+		if (cview != NULL)
+			result = dns_c_view_getquerysourcev6(cview, &sa);
+		if (result != ISC_R_SUCCESS)
+			result = dns_c_ctx_getquerysourcev6(cctx, &sa);
+		if (result != ISC_R_SUCCESS)
+			isc_sockaddr_any6(&sa);			
+		break;
+	default:
+		INSIST(0);
+	}
+	
+	INSIST(isc_sockaddr_pf(&sa) == af);
+
+	/*
+	 * If we don't support this address family, we're done!
+	 */
+	switch (af) {
+	case AF_INET:
+		result = isc_net_probeipv4();
+		break;
+	case AF_INET6:
+		result = isc_net_probeipv6();
+		break;
+	default:
+		INSIST(0);
+	}
+	if (result != ISC_R_SUCCESS)
+		return (ISC_R_SUCCESS);
+
+	/*
+	 * Try to find a dispatcher that we can share.
+	 */
+	attrs = 0;
+	attrs |= DNS_DISPATCHATTR_UDP;
+	switch (af) {
+	case AF_INET:
+		attrs |= DNS_DISPATCHATTR_IPV4;
+		break;
+	case AF_INET6:
+		attrs |= DNS_DISPATCHATTR_IPV6;
+		break;
+	}
+	attrmask = 0;
+	attrmask |= DNS_DISPATCHATTR_UDP;
+	attrmask |= DNS_DISPATCHATTR_TCP;
+	attrmask |= DNS_DISPATCHATTR_IPV4;
+	attrmask |= DNS_DISPATCHATTR_IPV6;
+
+	disp = NULL;
+	result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
+				     ns_g_taskmgr, &sa, 4096,
+				     1000, 32768, 16411, 16433,
+				     attrs, attrmask, &disp);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	*dispatchp = disp;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Configure 'view' according to 'cview', taking defaults from 'cctx'
+ * where values are missing in cctx.
+ *
+ * When configuring the default view, cctx will be NULL and the 
+ * glboal defaults in cview used exclusively.
+ */
+static isc_result_t
+configure_view(dns_view_t *view, dns_c_ctx_t *cctx, dns_c_view_t *cview,
+	       isc_mem_t *mctx, dns_aclconfctx_t *actx)
 {
 	dns_cache_t *cache = NULL;
 	isc_result_t result;
@@ -137,10 +374,14 @@ configure_view(dns_view_t *view, dns_c_ctx_t *cctx, isc_mem_t *mctx,
 	isc_sockaddr_t *sa, *next_sa;
 	dns_view_t *pview = NULL;	/* Production view */
 	unsigned int i;
+	isc_mem_t *cmctx;
+	dns_dispatch_t *dispatch4 = NULL;
+	dns_dispatch_t *dispatch6 = NULL;
 	
 	REQUIRE(DNS_VIEW_VALID(view));
 
 	ISC_LIST_INIT(addresses);
+	cmctx = NULL;
 
 	RWLOCK(&view->conflock, isc_rwlocktype_write);
 	
@@ -170,13 +411,22 @@ configure_view(dns_view_t *view, dns_c_ctx_t *cctx, isc_mem_t *mctx,
 		dns_cache_attach(pview->cache, &cache);
 		dns_view_detach(&pview);
 	} else {
-		CHECK(dns_cache_create(mctx, ns_g_taskmgr, ns_g_timermgr,
+		CHECK(isc_mem_create(0, 0, &cmctx));
+		CHECK(dns_cache_create(cmctx, ns_g_taskmgr, ns_g_timermgr,
 				       view->rdclass, "rbt", 0, NULL, &cache));
 	}
 	dns_view_setcache(view, cache);
-	cleaning_interval = 3600; /* Default is 1 hour. */
-	(void) dns_c_ctx_getcleaninterval(cctx, &cleaning_interval);
+
+	result = ISC_R_NOTFOUND;
+	if (cview != NULL)
+		result = dns_c_view_getcleaninterval(cview,
+						     &cleaning_interval);
+	if (result != ISC_R_SUCCESS)
+		result = dns_c_ctx_getcleaninterval(cctx, &cleaning_interval);
+	if (result != ISC_R_SUCCESS)
+		cleaning_interval = 3600; /* Default is 1 hour. */
 	dns_cache_setcleaninginterval(cache, cleaning_interval);
+
 	dns_cache_detach(&cache);
 
 	/*
@@ -195,14 +445,26 @@ configure_view(dns_view_t *view, dns_c_ctx_t *cctx, isc_mem_t *mctx,
 	 *
 	 * XXXRTH  Hardwired number of tasks.
 	 */
+	CHECK(get_view_querysource_dispatch(cctx, cview, AF_INET,
+					    &dispatch4));
+	CHECK(get_view_querysource_dispatch(cctx, cview, AF_INET6,
+					    &dispatch6));
 	CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31,
 				      ns_g_socketmgr, ns_g_timermgr,
-				      0, dispatchv4, dispatchv6));
+				      0, ns_g_dispatchmgr,
+				      dispatch4, dispatch6));
+	if (dispatch4 != NULL)
+		dns_dispatch_detach(&dispatch4);
+	if (dispatch6 != NULL)
+		dns_dispatch_detach(&dispatch6);
 
 	/*
 	 * Set resolver forwarding policy.
 	 */
-	if (dns_c_ctx_getforwarders(cctx, &forwarders) == ISC_R_SUCCESS) {
+	if ((cview != NULL &&
+	     dns_c_view_getforwarders(cview, &forwarders) == ISC_R_SUCCESS) ||
+	    (dns_c_ctx_getforwarders(cctx, &forwarders) == ISC_R_SUCCESS))
+	{
 		fwdpolicy = dns_fwdpolicy_first;
 		/*
 		 * Ugh.  Convert between list formats.
@@ -225,7 +487,9 @@ configure_view(dns_view_t *view, dns_c_ctx_t *cctx, isc_mem_t *mctx,
 		 * XXXRTH  The configuration type 'dns_c_forw_t' should be
 		 *         elminated.
 		 */
-		if (dns_c_ctx_getforward(cctx, &forward) == ISC_R_SUCCESS) {
+		if ((cview != NULL &&
+		    dns_c_view_getforward(cview, &forward) == ISC_R_SUCCESS) ||
+		    (dns_c_ctx_getforward(cctx, &forward) == ISC_R_SUCCESS)) {
 			INSIST(forward == dns_c_forw_first ||
 			       forward == dns_c_forw_only);
 			if (forward == dns_c_forw_only)
@@ -238,9 +502,22 @@ configure_view(dns_view_t *view, dns_c_ctx_t *cctx, isc_mem_t *mctx,
 	 * We have default hints for class IN if we need them.
 	 */
 	if (view->rdclass == dns_rdataclass_in && view->hints == NULL)
-		dns_view_sethints(view, ns_g_server->roothints);
+		dns_view_sethints(view, ns_g_server->in_roothints);
 
 	/*
+	 * If we still have no hints, this is a non-IN view with no
+	 * "hints zone" configured.  That's an error.
+	 */
+	if (view->hints == NULL) {
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "no root hints for view '%s'",
+			      cview == NULL ? "<default>" : cview->name);
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+	
+	/*
 	 * Configure the view's TSIG keys.
 	 */
 	ring = NULL;
@@ -260,7 +537,69 @@ configure_view(dns_view_t *view, dns_c_ctx_t *cctx, isc_mem_t *mctx,
 		dns_peerlist_detach(&view->peers);
 		view->peers = newpeers; /* Transfer ownership. */
 	}
+
+	/*
+	 * Configure the "match-clients" ACL.
+	 */
+	CHECK(configure_view_acl(cview, cctx, actx, ns_g_mctx, 
+				 dns_c_view_getmatchclients, NULL,
+				 &view->matchclients));
+
+	/*
+	 * Configure other configurable data.
+	 */
+	view->recursion = ISC_TRUE;
+	(void) dns_c_ctx_getrecursion(cctx, &view->recursion);
+	if (cview != NULL)
+		(void) dns_c_view_getrecursion(cview, &view->recursion);
+
+	view->auth_nxdomain = ISC_FALSE; /* Was true in BIND 8 */
+	(void) dns_c_ctx_getauthnxdomain(cctx, &view->auth_nxdomain);
+	if (cview != NULL)
+		(void) dns_c_view_getauthnxdomain(cview, &view->auth_nxdomain);
+
+	view->transfer_format = dns_one_answer;	
+	(void) dns_c_ctx_gettransferformat(cctx, &view->transfer_format);
+	if (cview != NULL)	
+		(void) dns_c_view_gettransferformat(cview,
+						    &view->transfer_format);
+
+	CHECK(configure_view_acl(cview, cctx, actx, ns_g_mctx,
+				 dns_c_view_getallowquery,
+				 dns_c_ctx_getallowquery,
+				 &view->queryacl));
 	
+	CHECK(configure_view_acl(cview, cctx, actx, ns_g_mctx,
+				 dns_c_view_getrecursionacl,
+				 dns_c_ctx_getallowrecursion,
+				 &view->recursionacl));
+
+	result = ISC_R_NOTFOUND;
+	if (cview != NULL)
+		result = dns_c_view_getrequestixfr(cview, &view->requestixfr);
+	if (result != ISC_R_SUCCESS)
+		result = dns_c_ctx_getrequestixfr(cctx, &view->requestixfr);
+	if (result != ISC_R_SUCCESS)
+		view->requestixfr = ISC_TRUE;
+
+	result = ISC_R_NOTFOUND;
+	if (cview != NULL)
+		result = dns_c_view_getprovideixfr(cview, &view->provideixfr);
+	if (result != ISC_R_SUCCESS)
+		result = dns_c_ctx_getprovideixfr(cctx, &view->provideixfr);
+	if (result != ISC_R_SUCCESS)
+		view->provideixfr = ISC_TRUE;
+
+	/*
+	 * For now, there is only one kind of trusted keys, the
+	 * "security roots".
+	 */
+	CHECK(configure_view_dnsseckeys(cctx, cview, mctx,
+				  dns_c_ctx_gettrustedkeys,
+				  &view->secroots));
+
+	result = ISC_R_SUCCESS;
+
  cleanup:
 	RWUNLOCK(&view->conflock, isc_rwlocktype_write);
 
@@ -271,17 +610,21 @@ configure_view(dns_view_t *view, dns_c_ctx_t *cctx, isc_mem_t *mctx,
 		isc_mem_put(view->mctx, sa, sizeof *sa);
 	}
 
+	if (cmctx != NULL)
+		isc_mem_detach(&cmctx);
+
 	return (result);
 }
 
 /*
  * Create the special view that handles queries for
  * "version.bind. CH".   The version string returned is that
- * configured in 'configctx', or a compiled-in default if
+ * configured in 'cctx', or a compiled-in default if
  * there is no "version" configuration option.
  */
 static isc_result_t
-create_version_view(dns_c_ctx_t *configctx, dns_view_t **viewp) {
+create_version_view(dns_c_ctx_t *cctx, dns_zonemgr_t *zmgr, dns_view_t **viewp)
+{
 	isc_result_t result;
 	dns_db_t *db = NULL;
 	dns_zone_t *zone = NULL;
@@ -299,6 +642,9 @@ create_version_view(dns_c_ctx_t *configctx, dns_view_t **viewp) {
 
 	REQUIRE(viewp != NULL && *viewp == NULL);
 
+	CHECK(dns_view_create(ns_g_mctx, dns_rdataclass_ch, "_version",
+			      &view));
+
 	dns_diff_init(ns_g_mctx, &diff);
 
 	dns_name_init(&origin, NULL);
@@ -306,8 +652,8 @@ create_version_view(dns_c_ctx_t *configctx, dns_view_t **viewp) {
 	r.length = sizeof(origindata);
 	dns_name_fromregion(&origin, &r);
 
-	(void) dns_c_ctx_getversion(configctx, &versiontext);
-	if (versiontext == NULL)
+	result = dns_c_ctx_getversion(cctx, &versiontext);
+	if (result != ISC_R_SUCCESS)
 		versiontext = ns_g_version;
 	len = strlen(versiontext);
 	if (len > 255)
@@ -321,6 +667,10 @@ create_version_view(dns_c_ctx_t *configctx, dns_view_t **viewp) {
 
 	CHECK(dns_zone_create(&zone, ns_g_mctx));
 	CHECK(dns_zone_setorigin(zone, &origin));
+	dns_zone_setclass(zone, dns_rdataclass_ch);
+	dns_zone_setview(zone, view);	
+	
+	CHECK(dns_zonemgr_managezone(zmgr, zone));
 
 	CHECK(dns_db_create(ns_g_mctx, "rbt", &origin, ISC_FALSE,
 			    dns_rdataclass_ch, 0, NULL, &db));
@@ -334,9 +684,6 @@ create_version_view(dns_c_ctx_t *configctx, dns_view_t **viewp) {
 
 	dns_db_closeversion(db, &dbver, ISC_TRUE);
 
-	CHECK(dns_view_create(ns_g_mctx, dns_rdataclass_ch, "_version",
-			      &view));
-
 	CHECK(dns_zone_replacedb(zone, db, ISC_FALSE));
 
 	CHECK(dns_view_addzone(view, zone));
@@ -379,6 +726,51 @@ configure_hints(dns_view_t *view, const char *filename) {
 }
 
 /*
+ * Find an existing view matching the name and class of 'cview'
+ * in 'viewlist', or create a new one and add it to the list.
+ *
+ * If 'cview' is NULL, find or create the default view.
+ *
+ * The view found or created is attached to '*viewp'.
+ */
+static isc_result_t
+find_or_create_view(dns_c_view_t *cview, dns_viewlist_t *viewlist,
+		    dns_view_t **viewp)
+{
+	isc_result_t result;
+	char *viewname;
+	dns_rdataclass_t viewclass;
+	dns_view_t *view = NULL;
+
+	if (cview != NULL) {
+		viewname = cview->name;
+		result = dns_c_view_getviewclass(cview, &viewclass);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	} else {
+		viewname = "_default";
+		viewclass = dns_rdataclass_in;
+	}
+	result = dns_viewlist_find(viewlist, viewname,
+				   viewclass, &view);
+	if (result == ISC_R_SUCCESS) {
+		*viewp = view;
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_NOTFOUND)
+		return (result);
+	INSIST(view == NULL);
+
+	result = dns_view_create(ns_g_mctx, viewclass, viewname, &view);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	
+	ISC_LIST_APPEND(*viewlist, view, link);
+	dns_view_attach(view, viewp);
+	return (ISC_R_SUCCESS);
+}
+
+/*
  * Configure or reconfigure a zone.  This callback function
  * is called after parsing each "zone" statement in named.conf.
  */
@@ -390,8 +782,7 @@ configure_zone(dns_c_ctx_t *cctx, dns_c_zone_t *czone, dns_c_view_t *cview,
 	dns_view_t *view = NULL;	/* New view */
 	dns_view_t *pview = NULL;	/* Production view */
 	dns_zone_t *zone = NULL;	/* New or reused zone */
-	dns_zone_t *tzone = NULL;	/* Temporary zone */
-	char *viewname;
+	dns_zone_t *dupzone = NULL;
 	
 	isc_result_t result;
 
@@ -406,8 +797,7 @@ configure_zone(dns_c_ctx_t *cctx, dns_c_zone_t *czone, dns_c_view_t *cview,
 	corigin = NULL;
 	/* XXX casting away const */
 	CHECK(dns_c_zone_getname(czone, (const char **) &corigin));
-	isc_buffer_init(&buffer, corigin, strlen(corigin),
-			ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&buffer, corigin, strlen(corigin));
 	isc_buffer_add(&buffer, strlen(corigin));
 	dns_fixedname_init(&fixorigin);
 	CHECK(dns_name_fromtext(dns_fixedname_name(&fixorigin),
@@ -418,22 +808,17 @@ configure_zone(dns_c_ctx_t *cctx, dns_c_zone_t *czone, dns_c_view_t *cview,
 	 * Find or create the view in the new view list.
 	 */
 	view = NULL;
-	if (cview != NULL)
-		viewname = cview->name;
-	else
-		viewname = "_default";
-	result = dns_viewlist_find(&lctx->viewlist, viewname,
-				   czone->zclass, &view);
-	if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
+	CHECK(find_or_create_view(cview, &lctx->viewlist, &view));
+
+	if (czone->zclass != view->rdclass) {
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+		      "zone '%s': wrong class for view '%s'",
+			      corigin, cview ? cview->name : "<default view>");
+		result = ISC_R_FAILURE;
 		goto cleanup;
-	if (view == NULL) {
-		dns_view_t *tview = NULL;
-		CHECK(dns_view_create(ns_g_mctx, czone->zclass,
-				      viewname, &view));
-		dns_view_attach(view, &tview);
-		ISC_LIST_APPEND(lctx->viewlist, tview, link);
 	}
-
+	
 	/*
 	 * Master zones must have 'file' set.
 	 */
@@ -503,14 +888,16 @@ configure_zone(dns_c_ctx_t *cctx, dns_c_zone_t *czone, dns_c_view_t *cview,
 	/*
 	 * Check for duplicates in the new zone table.
 	 */
-	result = dns_view_findzone(view, origin, &tzone);
+	result = dns_view_findzone(view, origin, &dupzone);
 	if (result == ISC_R_SUCCESS) {
 		/*
 		 * We already have this zone!
 		 */
+		dns_zone_detach(&dupzone);
 		result = ISC_R_EXISTS;
 		goto cleanup;
 	}
+	INSIST(dupzone == NULL);
 
 	/*
 	 * See if we can reuse an existing zone.  This is
@@ -535,21 +922,27 @@ configure_zone(dns_c_ctx_t *cctx, dns_c_zone_t *czone, dns_c_view_t *cview,
 			dns_zone_detach(&zone);
 	}
 
-	/*
-	 * If we cannot reuse an existing zone, we will have to
-	 * create a new one.
-	 */
-	if (zone == NULL) {
+	if (zone != NULL) {
+		/*
+		 * We found a reusable zone.  Make it use the
+		 * new view.
+		 */
+		dns_zone_setview(zone, view);
+	} else {
+		/*
+		 * We cannot reuse an existing zone, we have
+		 * to create a new one.
+		 */
 		CHECK(dns_zone_create(&zone, lctx->mctx));
 		CHECK(dns_zone_setorigin(zone, origin));
-		CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr,
-					     zone));
+		dns_zone_setview(zone, view);
+		CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
 	}
 
 	/*
 	 * Configure the zone.
 	 */
-	CHECK(dns_zone_configure(cctx, lctx->aclconf, czone, zone));
+	CHECK(dns_zone_configure(cctx, cview, czone, lctx->aclconf, zone));
 
 	/*
 	 * Add the zone to its view in the new view list.
@@ -557,8 +950,6 @@ configure_zone(dns_c_ctx_t *cctx, dns_c_zone_t *czone, dns_c_view_t *cview,
 	CHECK(dns_view_addzone(view, zone));
 
  cleanup:
-	if (tzone != NULL)
-		dns_zone_detach(&tzone);
 	if (zone != NULL)
 		dns_zone_detach(&zone);
 	if (pview != NULL)
@@ -570,27 +961,6 @@ configure_zone(dns_c_ctx_t *cctx, dns_c_zone_t *czone, dns_c_view_t *cview,
 }
 
 /*
- * Configure a single server ACL at '*aclp'.  Get its configuration by
- * calling 'getacl'.
- */
-static isc_result_t
-configure_server_acl(dns_c_ctx_t *cctx, dns_aclconfctx_t *actx, isc_mem_t *mctx,
-		     isc_result_t (*getcacl)(dns_c_ctx_t *, dns_c_ipmatchlist_t **),
-		     dns_acl_t **aclp)
-{
-	isc_result_t result = ISC_R_SUCCESS;
-	dns_c_ipmatchlist_t *cacl = NULL;
-	if (*aclp != NULL)
-		dns_acl_detach(aclp);
-	(void) (*getcacl)(cctx, &cacl);
-	if (cacl != NULL) {
-		result = dns_acl_fromconfig(cacl, cctx, actx, mctx, aclp);
-		dns_c_ipmatchlist_detach(&cacl);
-	}
-	return (result);
-}
-
-/*
  * Configure a single server quota.
  */
 static void
@@ -603,150 +973,6 @@ configure_server_quota(dns_c_ctx_t *cctx,
 	quota->max = val;
 }
 
-static isc_result_t
-configure_server_querysource(dns_c_ctx_t *cctx, ns_server_t *server, int af,
-			     dns_dispatch_t **dispatchp) {
-	isc_result_t result;
-	struct in_addr ina;
-	isc_sockaddr_t sa, any4, any6, *any;
-	isc_socket_t *socket;
-	dns_dispatch_t **server_dispatchp;
-	isc_sockaddr_t *server_dispatchaddr;
-
-	/*
-	 * Make compiler happy.
-	 */
-	result = ISC_R_FAILURE;
-	any = NULL;
-	server_dispatchp = NULL;
-	server_dispatchaddr = NULL;
-
-	ina.s_addr = htonl(INADDR_ANY);
-	isc_sockaddr_fromin(&any4, &ina, 0);
-	isc_sockaddr_fromin6(&any6, &in6addr_any, 0);
-	
-	*dispatchp = NULL;
-
-	switch (af) {
-	case AF_INET:
-		any = &any4;
-		result = dns_c_ctx_getquerysource(cctx, &sa);
-		break;
-	case AF_INET6:
-		any = &any6;
-		result = dns_c_ctx_getquerysourcev6(cctx, &sa);
-		break;
-	default:
-		INSIST(0);
-	}
-	if (result != ISC_R_SUCCESS)
-		sa = *any;
-	
-	INSIST(isc_sockaddr_pf(&sa) == af);
-
-	/*
-	 * If we don't support this address family, we're done!
-	 */
-	switch (af) {
-	case AF_INET:
-		result = isc_net_probeipv4();
-		break;
-	case AF_INET6:
-		result = isc_net_probeipv6();
-		break;
-	default:
-		INSIST(0);
-	}
-	if (result != ISC_R_SUCCESS)
-		return (ISC_R_SUCCESS);
-
-	if (isc_sockaddr_equal(&sa, any)) {
-		/*
-		 * The query source is fully wild.  No special dispatcher
-		 * work needs to be done.
-		 */
-		return (ISC_R_SUCCESS);
-	}
-
-	/*
-	 * If the interface manager has a dispatcher for this address,
-	 * use it.
-	 */
-	switch (af) {
-	case AF_INET:
-		server_dispatchp = &server->querysrc_dispatchv4;
-		server_dispatchaddr = &server->querysrc_addressv4;
-		break;
-	case AF_INET6:
-		server_dispatchp = &server->querysrc_dispatchv6;
-		server_dispatchaddr = &server->querysrc_addressv6;
-		break;
-	default:
-		INSIST(0);
-	}
-	if (ns_interfacemgr_findudpdispatcher(server->interfacemgr, &sa,
-					      dispatchp) !=
-	    ISC_R_SUCCESS) {
-		/*
-		 * The interface manager doesn't have a matching dispatcher.
-		 */
-		if (*server_dispatchp != NULL) {
-			/*
-			 * We've already got a custom dispatcher.  If it is
-			 * compatible with the new configuration, use it.
-			 */
-			if (isc_sockaddr_equal(server_dispatchaddr,
-					       &sa)) {
-				dns_dispatch_attach(*server_dispatchp,
-						    dispatchp);
-				return (ISC_R_SUCCESS);
-			}
-			/*
-			 * The existing custom dispatcher is not compatible.
-			 * We don't need it anymore.
-			 */
-			dns_dispatch_detach(server_dispatchp);
-		}
-		/*
-		 * Create a custom dispatcher.
-		 */
-		INSIST(*server_dispatchp == NULL);
-		*server_dispatchaddr = sa;
-		socket = NULL;
-		result = isc_socket_create(ns_g_socketmgr, af,
-					   isc_sockettype_udp,
-					   &socket);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		result = isc_socket_bind(socket, &sa);
-		if (result != ISC_R_SUCCESS) {
-			isc_socket_detach(&socket);	
-			return (result);
-		}
-		result = dns_dispatch_create(ns_g_mctx, socket,
-					     server->task, 4096,
-					     1000, 32768, 16411, 16433, NULL,
-					     server_dispatchp);
-		/*
-		 * Regardless of whether dns_dispatch_create() succeeded or
-		 * failed, we don't need to keep the reference to the socket.
-		 */
-		isc_socket_detach(&socket);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		dns_dispatch_attach(*server_dispatchp, dispatchp);
-	} else {
-		/*
-		 * We're sharing a UDP dispatcher with the interface manager
-		 * now.  Any prior custom dispatcher can be discarded.
-		 */
-		if (*server_dispatchp != NULL)
-			dns_dispatch_detach(server_dispatchp);
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
 /*
  * This function is called as soon as the 'options' statement has been
  * parsed.
@@ -791,7 +1017,7 @@ scan_interfaces(ns_server_t *server) {
  */
 static void
 interface_timer_tick(isc_task_t *task, isc_event_t *event) {
-	ns_server_t *server = (ns_server_t *) event->arg;	
+	ns_server_t *server = (ns_server_t *) event->ev_arg;	
 	UNUSED(task);
 	isc_event_free(&event);
 	RWLOCK(&server->conflock, isc_rwlocktype_write);
@@ -806,8 +1032,9 @@ load_configuration(const char *filename, ns_server_t *server,
 	isc_result_t result;
 	ns_load_t lctx;
 	dns_c_cbks_t callbacks;
-	dns_c_ctx_t *configctx;
-	dns_view_t *view, *view_next;
+	dns_c_ctx_t *cctx;
+	dns_view_t *view = NULL;
+	dns_view_t *view_next;
 	dns_viewlist_t tmpviewlist;
 	dns_aclconfctx_t aclconfctx;
 	dns_dispatch_t *dispatchv4 = NULL;
@@ -838,54 +1065,33 @@ load_configuration(const char *filename, ns_server_t *server,
 	 * 'zone' statements are handled immediately by calling
 	 * configure_zone() through 'callbacks'.
 	 */
-	configctx = NULL;
-	CHECK(dns_c_parse_namedconf(filename, ns_g_mctx, &configctx,
+	cctx = NULL;
+	CHECK(dns_c_parse_namedconf(filename, ns_g_mctx, &cctx,
 				    &callbacks));
 	
 	/*
 	 * Configure various server options.
 	 */
-	(void) dns_c_ctx_getrecursion(configctx, &server->recursion);	
-	(void) dns_c_ctx_getauthnxdomain(configctx, &server->auth_nxdomain);
-	(void) dns_c_ctx_gettransferformat(configctx,
-					   &server->transfer_format);
-	
-	CHECK(configure_server_acl(configctx, &aclconfctx, ns_g_mctx,
-				   dns_c_ctx_getqueryacl, &server->queryacl));
-	
-	CHECK(configure_server_acl(configctx, &aclconfctx, ns_g_mctx,
-				   dns_c_ctx_getrecursionacl,
-				   &server->recursionacl));
-	
-	configure_server_quota(configctx, dns_c_ctx_gettransfersout,
+	configure_server_quota(cctx, dns_c_ctx_gettransfersout,
 				     &server->xfroutquota, 10);
-	configure_server_quota(configctx, dns_c_ctx_gettcpclients,
+	configure_server_quota(cctx, dns_c_ctx_gettcpclients,
 				     &server->tcpquota, 100);
-	configure_server_quota(configctx, dns_c_ctx_getrecursiveclients,
+	configure_server_quota(cctx, dns_c_ctx_getrecursiveclients,
 				     &server->recursionquota, 100);
 
-	(void) dns_c_ctx_getprovideixfr(configctx, &server->provide_ixfr);
-	
-
 	/*
 	 * Configure the zone manager.
 	 */
 	{
  		isc_int32_t transfersin = 10;
-		(void) dns_c_ctx_gettransfersin(configctx, &transfersin);
+		(void) dns_c_ctx_gettransfersin(cctx, &transfersin);
 		dns_zonemgr_settransfersin(server->zonemgr, transfersin);
 	}
 	{
  		isc_int32_t transfersperns = 2;
-		(void) dns_c_ctx_gettransfersperns(configctx, &transfersperns);
+		(void) dns_c_ctx_gettransfersperns(cctx, &transfersperns);
 		dns_zonemgr_settransfersperns(server->zonemgr, transfersperns);
 	}
-	{
- 		isc_boolean_t requestixfr = ISC_TRUE;
-		(void) dns_c_ctx_getrequestixfr(configctx, &requestixfr);
-		dns_zonemgr_setrequestixfr(server->zonemgr, requestixfr);
-	}
-	
 
 	/*
 	 * Configure the interface manager according to the "listen-on"
@@ -895,10 +1101,10 @@ load_configuration(const char *filename, ns_server_t *server,
 		dns_c_lstnlist_t *clistenon = NULL;
 		ns_listenlist_t *listenon = NULL;
 
-		(void) dns_c_ctx_getlistenlist(configctx, &clistenon);
+		(void) dns_c_ctx_getlistenlist(cctx, &clistenon);
 		if (clistenon != NULL) {
 			result = ns_listenlist_fromconfig(clistenon,
-							  configctx,
+							  cctx,
 							  &aclconfctx,
 							  ns_g_mctx,
 							  &listenon);
@@ -924,9 +1130,10 @@ load_configuration(const char *filename, ns_server_t *server,
 	 * as specified by the "interface-interval" option.
 	 */
 	interface_interval = 3600; /* Default is 1 hour. */
-	(void) dns_c_ctx_getinterfaceinterval(configctx, &interface_interval);
+	(void) dns_c_ctx_getinterfaceinterval(cctx, &interface_interval);
 	if (interface_interval == 0) {
-		isc_timer_reset(server->interface_timer, isc_timertype_inactive,
+		isc_timer_reset(server->interface_timer,
+				isc_timertype_inactive,
 				NULL, NULL, ISC_TRUE);
 	} else {
 		isc_interval_t interval;
@@ -935,42 +1142,68 @@ load_configuration(const char *filename, ns_server_t *server,
 				NULL, &interval, ISC_FALSE);
 	}
 
-	CHECK(configure_server_querysource(configctx, server,
-					   AF_INET, &dispatchv4));
-	CHECK(configure_server_querysource(configctx, server,
-					   AF_INET6, &dispatchv6));
-
 	/*
-	 * If we haven't created any views, create a default view for class
-	 * IN.  (We're a caching-only server.)
+	 * Configure and freeze all explicit views.  Explicit
+	 * views that have zones were already created at parsing
+	 * time, but views with no zones must be created here.
 	 */
-	if (ISC_LIST_EMPTY(lctx.viewlist)) {
-		view = NULL;
-		CHECKM(dns_view_create(ns_g_mctx, dns_rdataclass_in, 
-				       "_default", &view),
-		       "creating default view");
-		ISC_LIST_APPEND(lctx.viewlist, view, link);
+	if (cctx->views != NULL) {
+		dns_c_view_t *cview;
+		for (cview = ISC_LIST_HEAD(cctx->views->views);
+		     cview != NULL;
+		     cview = ISC_LIST_NEXT(cview, next))
+		{
+			view = NULL;
+			CHECK(find_or_create_view(cview,
+						  &lctx.viewlist, &view));
+			INSIST(view != NULL);
+			CHECK(configure_view(view, cctx, cview, ns_g_mctx,
+					     &aclconfctx));
+			dns_view_freeze(view);
+			dns_view_detach(&view);
+		}
 	}
-
+	INSIST(view == NULL);
+		
 	/*
-	 * Configure and freeze the views.  Their zone tables have
-	 * already been filled in at parsing time, but other stuff
-	 * like the resolvers are still unconfigured.
+	 * Make sure we have a default view if and only if there 
+	 * were no explicit views.  
 	 */
-	for (view = ISC_LIST_HEAD(lctx.viewlist);
-	     view != NULL;
-	     view = ISC_LIST_NEXT(view, link))
-	{
-		CHECK(configure_view(view, configctx, ns_g_mctx,
-				     dispatchv4, dispatchv6));
+	if (cctx->views == NULL || ISC_LIST_EMPTY(cctx->views->views)) {
+		/*
+		 * No explicit views; there ought to be a default view.
+		 * There may already be one created as a size effect
+		 * of zone statements, or we may have to create one.
+		 * In either case, we need to configure and freeze it.
+		 */
+		CHECK(find_or_create_view(NULL, &lctx.viewlist, &view));
+		CHECK(configure_view(view, cctx, NULL,
+				     ns_g_mctx, &aclconfctx));
 		dns_view_freeze(view);
+		dns_view_detach(&view);
+	} else {
+		/*
+		 * There are explicit views.  There should not be
+		 * a default view.  If there is one, complain.
+		 */
+		result = dns_viewlist_find(&lctx.viewlist, "_default", 
+					   dns_rdataclass_in, &view);
+		if (result == ISC_R_SUCCESS) {
+			dns_view_detach(&view);
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "when using 'view' statements, "
+				      "all zones must be in views");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
 	}
-
+	
 	/*
 	 * Create (or recreate) the version view.
 	 */
 	view = NULL;
-	CHECK(create_version_view(configctx, &view));
+	CHECK(create_version_view(cctx, server->zonemgr, &view));
 	ISC_LIST_APPEND(lctx.viewlist, view, link);
 	view = NULL;
 
@@ -986,7 +1219,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	 */
 	{
 		dns_tkey_ctx_t *t = NULL;
-		CHECKM(dns_tkeyctx_fromconfig(configctx, ns_g_mctx, &t),
+		CHECKM(dns_tkeyctx_fromconfig(cctx, ns_g_mctx, &t),
 		       "configuring TKEY");
 		if (server->tkeyctx != NULL)
 			dns_tkeyctx_destroy(&server->tkeyctx);
@@ -994,13 +1227,23 @@ load_configuration(const char *filename, ns_server_t *server,
 	}
 
 	/*
+	 * Relinquish root privileges.
+	 */
+	if (first_time)
+		ns_os_changeuser(ns_g_username);
+
+	/*
 	 * Configure the logging system.
+	 * 
+	 * Do this after changing UID to make sure that any log 
+	 * files specified in named.conf get created by the
+	 * unprivileged user, not root.
 	 */
 	if (ns_g_logstderr) {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-			      "ignoring named.conf logging statement "
-			      "due to -g option");
+			      "ignoring config file logging "
+			      "statement due to -g option");
 	} else {
 		dns_c_logginglist_t *clog = NULL;
 		isc_logconfig_t *logc = NULL;
@@ -1008,32 +1251,37 @@ load_configuration(const char *filename, ns_server_t *server,
 		CHECKM(isc_logconfig_create(ns_g_lctx, &logc),
 		       "creating new logging configuration");
 
-		(void) dns_c_ctx_getlogging(configctx, &clog);
-		if (clog != NULL)
+		(void) dns_c_ctx_getlogging(cctx, &clog);
+		if (clog != NULL) {
 			CHECKM(ns_log_configure(logc, clog),
 			       "configuring logging");
-		else
-			CHECKM(ns_log_setdefaults(logc),
-			       "setting up default logging defaults");
+		} else {
+			CHECKM(ns_log_setdefaultchannels(logc),
+			       "setting up default logging channels");
+			CHECKM(ns_log_setdefaultcategory(logc),
+			       "setting up default 'category default'");
+		}
 
 		result = isc_logconfig_use(ns_g_lctx, logc);
 		if (result != ISC_R_SUCCESS) {
 			isc_logconfig_destroy(&logc);
-			CHECKM(result, "intalling logging configuration");
+			CHECKM(result, "installing logging configuration");
 		}
 	}
 
-	if (first_time)
-		ns_os_changeuser(ns_g_username);
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+		      NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
+		      "now using logging configuration from "
+		      "config file");
 
-	if (dns_c_ctx_getpidfilename(configctx, &pidfilename) ==
+	if (dns_c_ctx_getpidfilename(cctx, &pidfilename) ==
 	    ISC_R_NOTFOUND)
 		pidfilename = ns_g_defaultpidfile;
 	ns_os_writepidfile(pidfilename);
 	
 	dns_aclconfctx_destroy(&aclconfctx);	
 
-	dns_c_ctx_delete(&configctx);
+	dns_c_ctx_delete(&cctx);
 	
  cleanup:
 	/*
@@ -1091,18 +1339,22 @@ load_zones(ns_server_t *server, isc_boolean_t stop) {
 static void
 run_server(isc_task_t *task, isc_event_t *event) {
 	isc_result_t result;
-	ns_server_t *server = (ns_server_t *) event->arg;
+	ns_server_t *server = (ns_server_t *)event->ev_arg;
 
 	UNUSED(task);
 
 	isc_event_free(&event);
 
+	CHECKFATAL(dns_dispatchmgr_create(ns_g_mctx, &ns_g_dispatchmgr),
+		   "creating dispatch manager");
+
 	CHECKFATAL(ns_clientmgr_create(ns_g_mctx, ns_g_taskmgr, ns_g_timermgr,
 				       &server->clientmgr),
 		   "creating client manager");
 	
 	CHECKFATAL(ns_interfacemgr_create(ns_g_mctx, ns_g_taskmgr,
-					  ns_g_socketmgr, server->clientmgr,
+					  ns_g_socketmgr, ns_g_dispatchmgr,
+					  server->clientmgr,
 					  &server->interfacemgr),
 		   "creating interface manager");
 
@@ -1125,7 +1377,7 @@ run_server(isc_task_t *task, isc_event_t *event) {
 static void
 shutdown_server(isc_task_t *task, isc_event_t *event) {
 	dns_view_t *view, *view_next;
-	ns_server_t *server = (ns_server_t *) event->arg;
+	ns_server_t *server = (ns_server_t *)event->ev_arg;
 		
 	UNUSED(task);
 
@@ -1142,16 +1394,17 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
 		dns_view_detach(&view);
 	}
 
-	if (server->querysrc_dispatchv4 != NULL)
-		dns_dispatch_detach(&server->querysrc_dispatchv4);
-	if (server->querysrc_dispatchv6 != NULL)
-		dns_dispatch_detach(&server->querysrc_dispatchv6);
 	ns_clientmgr_destroy(&server->clientmgr);
 	isc_timer_detach(&server->interface_timer);
+
 	ns_interfacemgr_shutdown(server->interfacemgr);
 	ns_interfacemgr_detach(&server->interfacemgr);	
-	dns_zonemgr_shutdown(server->zonemgr);
+
+	dns_dispatchmgr_destroy(&ns_g_dispatchmgr);
 	
+	dns_zonemgr_shutdown(server->zonemgr);
+	dns_zonemgr_detach(&server->zonemgr);
+
 	isc_task_detach(&server->task);
 
 	isc_event_free(&event);
@@ -1174,12 +1427,6 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 		   "initializing server configuration lock");
 
 	/* Initialize configuration data with default values. */
-	server->recursion = ISC_TRUE;
-	server->auth_nxdomain = ISC_FALSE; /* Was true in BIND 8 */
-	server->transfer_format = dns_one_answer;
-
-	server->queryacl = NULL;
-	server->recursionacl = NULL;
 
 	result = isc_quota_init(&server->xfroutquota, 10);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS); 
@@ -1188,8 +1435,6 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	result = isc_quota_init(&server->recursionquota, 100);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS); 
 
-	server->provide_ixfr = ISC_TRUE;
-
 	result = dns_aclenv_init(mctx, &server->aclenv);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		
@@ -1198,10 +1443,10 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	server->clientmgr = NULL;
 	server->interfacemgr = NULL;
 	ISC_LIST_INIT(server->viewlist);
-	server->roothints = NULL;
+	server->in_roothints = NULL;
 		
 	CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
-				     &server->roothints),
+				     &server->in_roothints),
 		   "setting up root hints");
 
 	CHECKFATAL(isc_mutex_init(&server->reload_event_lock),
@@ -1219,14 +1464,12 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	server->tkeyctx = NULL;
 	CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, &server->tkeyctx),
 		   "creating TKEY context");
-	server->querysrc_dispatchv4 = NULL;
-	server->querysrc_dispatchv6 = NULL;
 
 	/*
 	 * Setup the server task, which is responsible for coordinating
 	 * startup and shutdown of the server.
 	 */
-	CHECKFATAL(isc_task_create(ns_g_taskmgr, ns_g_mctx, 0, &server->task),
+	CHECKFATAL(isc_task_create(ns_g_taskmgr, 0, &server->task),
 		   "creating server task");
 	isc_task_setname(server->task, "server", server);
 	CHECKFATAL(isc_task_onshutdown(server->task, shutdown_server, server),
@@ -1251,8 +1494,6 @@ ns_server_destroy(ns_server_t **serverp) {
 	ns_server_t *server = *serverp;
 	REQUIRE(NS_SERVER_VALID(server));
 
-	REQUIRE(server->querysrc_dispatchv4 == NULL);
-	REQUIRE(server->querysrc_dispatchv6 == NULL);
 	if (server->tkeyctx != NULL)
 		dns_tkeyctx_destroy(&server->tkeyctx);
 
@@ -1260,16 +1501,8 @@ ns_server_destroy(ns_server_t **serverp) {
 	
 	INSIST(ISC_LIST_EMPTY(server->viewlist));
 
-	dns_zonemgr_destroy(&server->zonemgr);
-	server->zonemgr = NULL;
-
-	dns_db_detach(&server->roothints);
+	dns_db_detach(&server->in_roothints);
 	
-	if (server->queryacl != NULL)
-		dns_acl_detach(&server->queryacl);
-	if (server->recursionacl != NULL)
-		dns_acl_detach(&server->recursionacl);
-
 	dns_aclenv_destroy(&server->aclenv);
 
 	isc_quota_destroy(&server->recursionquota);
@@ -1294,18 +1527,18 @@ fatal(char *msg, isc_result_t result) {
 static void
 ns_server_reload(isc_task_t *task, isc_event_t *event) {
 	isc_result_t result;
-	ns_server_t *server = (ns_server_t *)event->arg;
+	ns_server_t *server = (ns_server_t *)event->ev_arg;
 	UNUSED(task);
 	
 	result = load_configuration(ns_g_conffile, server, ISC_FALSE);
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
 			      "reloading configuration failed: %s",
 			      isc_result_totext(result));
 	}
 	result = load_zones(server, ISC_FALSE);
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
 			      "reloading zones failed: %s",
@@ -1346,7 +1579,7 @@ ns_listenlist_fromconfig(dns_c_lstnlist_t *clist, dns_c_ctx_t *cctx,
 	{
 		ns_listenelt_t *delt = NULL;
 		result = ns_listenelt_fromconfig(ce, cctx, actx, mctx, &delt);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 		ISC_LIST_APPEND(dlist->elts, delt, link);
 	}
@@ -1375,7 +1608,7 @@ ns_listenelt_fromconfig(dns_c_lstnon_t *celt, dns_c_ctx_t *cctx,
 		return (result);
 
 	result = dns_acl_fromconfig(celt->iml, cctx, actx, mctx, &delt->acl);
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		ns_listenelt_destroy(delt);
 		return (result);
 	}
diff --git a/bin/named/unix/include/named/os.h b/bin/named/unix/include/named/os.h
index 95cdbe7f..f29fb9d4 100644
--- a/bin/named/unix/include/named/os.h
+++ b/bin/named/unix/include/named/os.h
@@ -33,6 +33,9 @@ void
 ns_os_changeuser(const char *username);
 
 void
+ns_os_minprivs(const char *username);
+
+void
 ns_os_writepidfile(const char *filename);
 
 void
diff --git a/bin/named/unix/os.c b/bin/named/unix/os.c
index 05452e3f..6f0a0291 100644
--- a/bin/named/unix/os.c
+++ b/bin/named/unix/os.c
@@ -17,22 +17,19 @@
 
 #include <config.h>
 
-#include <sys/types.h>
 #include <sys/stat.h>
 
 #include <ctype.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
 #include <errno.h>
-#include <syslog.h>
 #include <fcntl.h>
+#include <grp.h>		/* Required for initgroups() on IRIX. */
 #include <pwd.h>
-#include <grp.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <unistd.h>
 
-#include <isc/result.h>
-#include <isc/boolean.h>
+#include <isc/string.h>
 
 #include <named/main.h>
 #include <named/os.h>
@@ -40,12 +37,25 @@
 static char *pidfile = NULL;
 #ifdef HAVE_LINUXTHREADS
 static pid_t mainpid = 0;
+static isc_boolean_t non_root_caps = ISC_FALSE;
 #endif
 
 #ifdef HAVE_LINUX_CAPABILITY_H
 
-#include <sys/syscall.h>
-#include <linux/capability.h>
+/*
+ * We define _LINUX_FS_H to prevent it from being included.  We don't need
+ * anything from it, and the files it includes cause warnings with 2.2
+ * kernels, and compilation failures (due to conflicts between <linux/string.h>
+ * and <string.h>) on 2.3 kernels.
+ */
+#define _LINUX_FS_H
+
+#include <sys/syscall.h>	/* Required for syscall(). */
+#include <linux/capability.h>	/* Required for _LINUX_CAPABILITY_VERSION. */
+
+#ifdef HAVE_LINUX_PRCTL_H
+#include <sys/prctl.h>		/* Required for prctl(). */
+#endif
 
 #ifndef SYS_capset
 #define SYS_capset __NR_capset
@@ -56,7 +66,7 @@ linux_setcaps(unsigned int caps) {
 	struct __user_cap_header_struct caphead;
 	struct __user_cap_data_struct cap;
 
-	if (getuid() != 0)
+	if (getuid() != 0 && !non_root_caps)
 		return;
 
 	memset(&caphead, 0, sizeof caphead);
@@ -75,17 +85,41 @@ linux_initialprivs(void) {
 	unsigned int caps;
 
 	/*
-	 * Drop all privileges except the abilities to bind() to privileged
-	 * ports and chroot().
+	 * We don't need most privileges, so we drop them right away.
+	 * Later on linux_minprivs() will be called, which will drop our
+	 * capabilities to the minimum needed to run the server.
 	 */
 
 	caps = 0;
+
+	/*
+	 * We need to be able to bind() to privileged ports, notably port 53!
+	 */
 	caps |= (1 << CAP_NET_BIND_SERVICE);
+
+	/*
+	 * We need chroot() initially too.
+	 */
 	caps |= (1 << CAP_SYS_CHROOT);
+
+#if defined(HAVE_LINUX_PRCTL_H) && defined(PR_SET_KEEPCAPS)
+	/*
+	 * If the kernel supports keeping capabilities after setuid(), we
+	 * also want the setuid and setgid capabilities.
+	 *
+	 * There's no point turning these on if we don't have PR_SET_KEEPCAPS,
+	 * because changing user ids only works right with linuxthreads if
+	 * we can do it early (before creating threads).
+	 */
+	caps |= (1 << CAP_SETGID);
+	caps |= (1 << CAP_SETUID);
+#endif
+
 	/*
 	 * XXX  We might want to add CAP_SYS_RESOURCE, though it's not
 	 *      clear it would work right given the way linuxthreads work.
 	 */
+
 	linux_setcaps(caps);
 }
 
@@ -94,8 +128,11 @@ linux_minprivs(void) {
 	unsigned int caps;
 
 	/*
-	 * Drop all privileges except the abilities to bind() to privileged
+	 * Drop all privileges except the ability to bind() to privileged
 	 * ports.
+	 *
+	 * It's important that we drop CAP_SYS_CHROOT.  If we didn't, it
+	 * chroot() could be used to escape from the chrooted area.
 	 */
 
 	caps = 0;
@@ -104,6 +141,23 @@ linux_minprivs(void) {
 	linux_setcaps(caps);
 }
 
+#if defined(HAVE_LINUX_PRCTL_H) && defined(PR_SET_KEEPCAPS)
+static void
+linux_keepcaps(void) {
+	/*
+	 * Ask the kernel to allow us to keep our capabilities after we
+	 * setuid().
+	 */
+
+	if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
+		if (errno != EINVAL)
+			ns_main_earlyfatal("prctl() failed: %s",
+					   strerror(errno));
+	} else
+		non_root_caps = ISC_TRUE;
+}
+#endif
+
 #endif	/* HAVE_LINUX_CAPABILITY_H */
 
 
@@ -139,7 +193,7 @@ ns_os_daemonize(void) {
 	if (pid == -1)
 		ns_main_earlyfatal("fork(): %s", strerror(errno));
 	if (pid != 0)
-                _exit(0);
+		_exit(0);
 
 	/*
 	 * We're the child.
@@ -188,13 +242,6 @@ ns_os_chroot(const char *root) {
 		if (chdir("/") < 0)
 			ns_main_earlyfatal("chdir(/): %s", strerror(errno));
 	}
-#ifdef HAVE_LINUX_CAPABILITY_H
-	/*
-	 * We must drop the chroot() capability, otherwise it could be used
-	 * to escape.
-	 */
-	linux_minprivs();
-#endif
 }
 
 void
@@ -204,6 +251,12 @@ ns_os_changeuser(const char *username) {
 	if (username == NULL || getuid() != 0)
 		return;
 
+#ifdef HAVE_LINUXTHREADS
+	if (!non_root_caps)
+		ns_main_earlyfatal(
+		   "-u not supported on Linux kernels older than 2.3.99-pre3");
+#endif	
+
 	if (all_digits(username))
 		pw = getpwuid((uid_t)atoi(username));
 	else
@@ -219,6 +272,21 @@ ns_os_changeuser(const char *username) {
 		ns_main_earlyfatal("setuid(): %s", strerror(errno));
 }
 
+void
+ns_os_minprivs(const char *username) {
+#ifdef HAVE_LINUX_CAPABILITY_H
+#if defined(HAVE_LINUX_PRCTL_H) && defined(PR_SET_KEEPCAPS)
+	linux_keepcaps();
+	ns_os_changeuser(username);
+#else
+	(void)username;
+#endif
+	linux_minprivs();
+#else
+	(void)username;
+#endif /* HAVE_LINUX_CAPABILITY_H */
+}
+
 static int
 safe_open(const char *filename) {
         struct stat sb;
diff --git a/bin/named/update.c b/bin/named/update.c
index 67054c55..77f19b39 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -17,45 +17,26 @@
 
 #include <config.h>
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/mem.h>
-#include <isc/result.h>
+#include <isc/string.h>
 #include <isc/taskpool.h>
 #include <isc/util.h>
 
-#include <dns/acl.h>
 #include <dns/db.h>
 #include <dns/dbiterator.h>
-#include <dns/dbtable.h>
 #include <dns/dnssec.h>
 #include <dns/events.h>
-#include <dns/fixedname.h>
 #include <dns/journal.h>
 #include <dns/message.h>
-#include <dns/name.h>
 #include <dns/nxt.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
 #include <dns/rdataset.h>
 #include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
-#include <dns/result.h>
 #include <dns/ssu.h>
-#include <dns/types.h>
 #include <dns/view.h>
 #include <dns/zone.h>
 #include <dns/zt.h>
 
 #include <named/client.h>
-#include <named/globals.h>
 #include <named/log.h>
-#include <named/server.h>
 #include <named/update.h>
 
 /*
@@ -101,23 +82,28 @@
  */
 #define CHECK(op) \
 	do { result = (op); 				  	 \
-	       if (result != DNS_R_SUCCESS) goto failure; 	 \
+	       if (result != ISC_R_SUCCESS) goto failure; 	 \
 	} while (0)
 
 /*
  * Fail unconditionally with result 'code', which must not
- * be DNS_R_SUCCESS.  The reason for failure presumably has
+ * be ISC_R_SUCCESS.  The reason for failure presumably has
  * been logged already.
+ *
+ * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
  */
 
 #define FAIL(code) \
 	do {							\
 		result = (code);				\
-		goto failure;					\
+		if (code != ISC_R_SUCCESS) goto failure;	\
 	} while (0)
 
 /*
  * Fail unconditionally and log as a client error.
+ * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
  */
 #define FAILC(code, msg) \
 	do {							\
@@ -125,11 +111,13 @@
 		isc_log_write(UPDATE_PROTOCOL_LOGARGS,		\
 			      "dynamic update failed: %s (%s)",	\
 		      	      msg, isc_result_totext(code));	\
-		goto failure;					\
+		if (code != ISC_R_SUCCESS) goto failure;	\
 	} while (0)
 
 /*
  * Fail unconditionally and log as a server error.
+ * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
  */
 #define FAILS(code, msg) \
 	do {							\
@@ -137,7 +125,7 @@
 		isc_log_write(UPDATE_PROTOCOL_LOGARGS,		\
 			      "dynamic update error: %s: %s", 	\
 			      msg, isc_result_totext(code));	\
-		goto failure;					\
+		if (code != ISC_R_SUCCESS) goto failure;	\
 	} while (0)
 
 /**************************************************************************/
@@ -191,7 +179,7 @@ do_one_tuple(dns_difftuple_t **tuple,
 
 	/* Apply it to the database. */
 	result = dns_diff_apply(&temp_diff, db, ver);
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		dns_difftuple_free(tuple);
 		return (result);
 	}
@@ -201,7 +189,7 @@ do_one_tuple(dns_difftuple_t **tuple,
 
 	/* Do not clear temp_diff. */
 	
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 	      
 static isc_result_t
@@ -213,7 +201,7 @@ update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
 	isc_result_t result;
 	result = dns_difftuple_create(diff->mctx, op,
 				      name, ttl, rdata, &tuple);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	return (do_one_tuple(&tuple, db, ver, diff));
 }
@@ -257,19 +245,19 @@ foreach_node_rr_action(void *data, dns_rdataset_t *rdataset)
 	isc_result_t result;
 	foreach_node_rr_ctx_t *ctx = data;
 	for (result = dns_rdataset_first(rdataset);
-	     result == DNS_R_SUCCESS;
+	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(rdataset))
 	{
 		rr_t rr;
 		dns_rdataset_current(rdataset, &rr.rdata);
 		rr.ttl = rdataset->ttl;
 		result = (*ctx->rr_action)(ctx->rr_action_data, &rr);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		return (result);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 /*
@@ -292,19 +280,19 @@ foreach_rrset(dns_db_t *db,
 	
 	node = NULL;
 	result = dns_db_findnode(db, name, ISC_FALSE, &node);
-	if (result == DNS_R_NOTFOUND)
-		return (DNS_R_SUCCESS);
-	if (result != DNS_R_SUCCESS)
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	
 	iter = NULL;
 	result = dns_db_allrdatasets(db, node, ver,
 				     (isc_stdtime_t) 0, &iter);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto cleanup_node;
 
 	for (result = dns_rdatasetiter_first(iter);
-	     result == DNS_R_SUCCESS;
+	     result == ISC_R_SUCCESS;
 	     result = dns_rdatasetiter_next(iter))
 	{
 		dns_rdataset_t rdataset;
@@ -315,11 +303,11 @@ foreach_rrset(dns_db_t *db,
 		result = (*action)(action_data, &rdataset);
 
 		dns_rdataset_disassociate(&rdataset);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			goto cleanup_iterator;
 	}
-	if (result == DNS_R_NOMORE)
-		result = DNS_R_SUCCESS;
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
 
  cleanup_iterator:
 	dns_rdatasetiter_destroy(&iter);
@@ -382,35 +370,35 @@ foreach_rr(dns_db_t *db,
 	
 	node = NULL;
 	result = dns_db_findnode(db, name, ISC_FALSE, &node);
-	if (result == DNS_R_NOTFOUND)
-		return (DNS_R_SUCCESS);
-	if (result != DNS_R_SUCCESS)
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
 		return (result);
 
 	dns_rdataset_init(&rdataset);
 	result = dns_db_findrdataset(db, node, ver, type, covers,
 				     (isc_stdtime_t) 0, &rdataset, NULL);
-	if (result == DNS_R_NOTFOUND) {
-		result = DNS_R_SUCCESS;
+	if (result == ISC_R_NOTFOUND) {
+		result = ISC_R_SUCCESS;
 		goto cleanup_node;
 	}
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto cleanup_node;
 
 	for (result = dns_rdataset_first(&rdataset);
-	     result == DNS_R_SUCCESS;
+	     result == ISC_R_SUCCESS;
 	     result = dns_rdataset_next(&rdataset))
 	{
 		rr_t rr;
 		dns_rdataset_current(&rdataset, &rr.rdata);
 		rr.ttl = rdataset.ttl;
 		result = (*rr_action)(rr_action_data, &rr);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			goto cleanup_rdataset;
 	}
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		goto cleanup_rdataset;
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
 
  cleanup_rdataset:
 	dns_rdataset_disassociate(&rdataset);
@@ -438,14 +426,14 @@ rrset_exists_action(void *data, rr_t *rr) /*ARGSUSED*/
 {
 	UNUSED(data);
 	UNUSED(rr);
-	return (DNS_R_EXISTS);
+	return (ISC_R_EXISTS);
 }
 
 /*
  * Utility macro for RR existence checking functions.
  *
- * If the variable 'result' has the value DNS_R_EXISTS or
- * DNS_R_SUCCESS, set *exists to ISC_TRUE or ISC_FALSE,
+ * If the variable 'result' has the value ISC_R_EXISTS or
+ * ISC_R_SUCCESS, set *exists to ISC_TRUE or ISC_FALSE,
  * respectively, and return success.
  *
  * If 'result' has any other value, there was a failure.
@@ -455,10 +443,10 @@ rrset_exists_action(void *data, rr_t *rr) /*ARGSUSED*/
  * but that form generates tons of warnings on Solaris 2.6.
  */
 #define RETURN_EXISTENCE_FLAG 				\
-	return ((result == DNS_R_EXISTS) ? 		\
-		(*exists = ISC_TRUE, DNS_R_SUCCESS) : 	\
-		((result == DNS_R_SUCCESS) ?		\
-		 (*exists = ISC_FALSE, DNS_R_SUCCESS) :	\
+	return ((result == ISC_R_EXISTS) ? 		\
+		(*exists = ISC_TRUE, ISC_R_SUCCESS) : 	\
+		((result == ISC_R_SUCCESS) ?		\
+		 (*exists = ISC_FALSE, ISC_R_SUCCESS) :	\
 		 result));
 	
 /*
@@ -484,8 +472,8 @@ cname_compatibility_action(void *data, dns_rdataset_t *rrset)
 	UNUSED(data);
 	if (rrset->type != dns_rdatatype_cname &&
 	    ! dns_rdatatype_isdnssec(rrset->type))
-		return (DNS_R_EXISTS);
-	return (DNS_R_SUCCESS);
+		return (ISC_R_EXISTS);
+	return (ISC_R_SUCCESS);
 }
 
 /*
@@ -511,7 +499,7 @@ count_rr_action(void *data, rr_t *rr) /*ARGSUSED*/ {
 	int *countp = data;
 	UNUSED(rr);
 	(*countp)++;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 /*
@@ -542,8 +530,8 @@ static isc_result_t
 matching_rr_exists_action(void *data, rr_t *rr) {
 	matching_rr_exists_ctx_t *ctx = data;
 	if ((*ctx->predicate)(ctx->update_rr, &rr->rdata))
-		return (DNS_R_EXISTS);
-	return (DNS_R_SUCCESS);
+		return (ISC_R_EXISTS);
+	return (ISC_R_SUCCESS);
 }
 
 /*
@@ -582,7 +570,7 @@ name_exists_action(void *data, dns_rdataset_t *rrset) /*ARGSUSED*/
 {
 	UNUSED(data);
 	UNUSED(rrset);
-	return (DNS_R_EXISTS);
+	return (ISC_R_EXISTS);
 }
 
 /*
@@ -668,7 +656,7 @@ temp_append(dns_diff_t *diff, dns_name_t *name, dns_rdata_t *rdata)
 /*
  * Compare two rdatasets represented as sorted lists of tuples.
  * All list elements must have the same owner name and type.
- * Return DNS_R_SUCCESS if the rdatasets are equal, rcode(dns_rcode_nxrrset)
+ * Return ISC_R_SUCCESS if the rdatasets are equal, rcode(dns_rcode_nxrrset)
  * if not.
  */
 static isc_result_t 
@@ -686,7 +674,7 @@ temp_check_rrset(dns_difftuple_t *a, dns_difftuple_t *b) {
 	}
 	if (a != NULL || b != NULL)
 		return (DNS_R_NXRRSET);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 /*
@@ -716,7 +704,7 @@ temp_order(const void *av, const void *bv)
  * Check the "RRset exists (value dependent)" prerequisite information
  * in 'temp' against the contents of the database 'db'.
  *
- * Return DNS_R_SUCCESS if the prerequisites are satisfied,
+ * Return ISC_R_SUCCESS if the prerequisites are satisfied,
  * rcode(dns_rcode_nxrrset) if not.
  */
 
@@ -732,14 +720,14 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
 	
 	/* Exit early if the list is empty (for efficiency only). */
 	if (ISC_LIST_HEAD(temp->tuples) == NULL)
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 
 	/*
 	 * Sort the prerequisite records by owner name,
 	 * type, and rdata.
 	 */
 	result = dns_diff_sort(temp, temp_order);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 
 	dns_diff_init(mctx, &trash);
@@ -756,9 +744,9 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
 		/* A new unique name begins here. */
 		node = NULL;
 		result = dns_db_findnode(db, name, ISC_FALSE, &node);
-		if (result == DNS_R_NOTFOUND)
+		if (result == ISC_R_NOTFOUND)
 			return (DNS_R_NXRRSET);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 
 		/* A new unique type begins here. */		
@@ -784,7 +772,7 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
 			result = dns_db_findrdataset(db, node, ver, type,
 						     covers, (isc_stdtime_t) 0,
 						     &rdataset, NULL);
-			if (result != DNS_R_SUCCESS) {
+			if (result != ISC_R_SUCCESS) {
 				dns_db_detachnode(db, &node);
 				return (DNS_R_NXRRSET);
 			}
@@ -793,19 +781,19 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
 			dns_diff_init(mctx, &u_rrs);
 
 			for (result = dns_rdataset_first(&rdataset);
-			     result == DNS_R_SUCCESS;
+			     result == ISC_R_SUCCESS;
 			     result = dns_rdataset_next(&rdataset))
 			{
 				dns_rdata_t rdata;
 				dns_rdataset_current(&rdataset, &rdata);
 				result = temp_append(&d_rrs, name, &rdata);
-				if (result != DNS_R_SUCCESS)
+				if (result != ISC_R_SUCCESS)
 					goto failure;
 			}
-			if (result != DNS_R_NOMORE)
+			if (result != ISC_R_NOMORE)
 				goto failure;
 			result = dns_diff_sort(&d_rrs, temp_order);
-			if (result != DNS_R_SUCCESS) 
+			if (result != ISC_R_SUCCESS) 
 				goto failure;
 
 			/*
@@ -827,7 +815,7 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
 			/* Compare the two sorted lists. */
 			result = temp_check_rrset(ISC_LIST_HEAD(u_rrs.tuples),
 						  ISC_LIST_HEAD(d_rrs.tuples));
-			if (result != DNS_R_SUCCESS)
+			if (result != ISC_R_SUCCESS)
 				goto failure;
 
 			/*
@@ -854,7 +842,7 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
 	}
 	
 	dns_diff_clear(&trash);	
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 /**************************************************************************/
@@ -950,7 +938,7 @@ delete_if_action(void *data, rr_t *rr) {
 				       rr->ttl, &rr->rdata);
 		return (result);
 	} else {
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 	}
 }
 
@@ -1010,9 +998,9 @@ get_current_rr(dns_message_t *msg, dns_section_t section,
 	*covers = rdataset->covers;
 	*ttl = rdataset->ttl;
 	result = dns_rdataset_first(rdataset);
-	INSIST(result == DNS_R_SUCCESS);
+	INSIST(result == ISC_R_SUCCESS);
 	dns_rdataset_current(rdataset, rdata);
-	INSIST(dns_rdataset_next(rdataset) == DNS_R_NOMORE);
+	INSIST(dns_rdataset_next(rdataset) == ISC_R_NOMORE);
 	*update_class = rdata->rdclass;
 	rdata->rdclass = zoneclass;
 }
@@ -1052,7 +1040,7 @@ increment_soa_serial(dns_db_t *db, dns_dbversion_t *ver,
 	dns_soa_setserial(serial, &addtuple->rdata);
 	CHECK(do_one_tuple(&addtuple, db, ver, diff));
 	CHECK(do_one_tuple(&deltuple, db, ver, diff));
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
 	
  failure:
 	if (addtuple != NULL)
@@ -1094,7 +1082,7 @@ check_soa_increment(dns_db_t *db, dns_dbversion_t *ver,
 	update_serial = dns_soa_getserial(update_rdata);
 	
 	result = dns_db_getsoaserial(db, ver, &db_serial);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 
 	if (DNS_SERIAL_GE(db_serial, update_serial)) {
@@ -1103,7 +1091,7 @@ check_soa_increment(dns_db_t *db, dns_dbversion_t *ver,
 		*ok = ISC_TRUE;
 	}
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 
 }
 
@@ -1144,7 +1132,7 @@ namelist_append_subdomain(dns_db_t *db, dns_name_t *name, dns_diff_t *affected)
 	CHECK(dns_db_createiterator(db, ISC_FALSE, &dbit));
 	
 	for (result = dns_dbiterator_seek(dbit, name);
-	     result == DNS_R_SUCCESS;
+	     result == ISC_R_SUCCESS;
 	     result = dns_dbiterator_next(dbit))
 	{
 		dns_dbnode_t *node = NULL;
@@ -1172,8 +1160,8 @@ is_non_nxt_action(void *data, dns_rdataset_t *rrset)
 	if (!(rrset->type == dns_rdatatype_nxt ||
 	      (rrset->type == dns_rdatatype_sig &&
 	       rrset->covers == dns_rdatatype_nxt)))
-		return (DNS_R_EXISTS);
-	return (DNS_R_SUCCESS);
+		return (ISC_R_EXISTS);
+	return (ISC_R_SUCCESS);
 }
 
 /*
@@ -1241,16 +1229,16 @@ is_glue(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 			     (isc_stdtime_t) 0, NULL,
 			     dns_fixedname_name(&foundname),
 			     NULL, NULL);
-	if (result == DNS_R_SUCCESS) {
+	if (result == ISC_R_SUCCESS) {
 		*flag = ISC_FALSE;
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 	} else if (result == DNS_R_ZONECUT) {
 		/* XXX should omit non-delegation types from NXT */
 		*flag = ISC_FALSE;
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 	} else if (result == DNS_R_GLUE) {
 		*flag = ISC_TRUE;
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 	} else {
 		return (result);
 	}
@@ -1280,7 +1268,7 @@ next_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *oldname,
 			result = dns_dbiterator_next(dbit);			
 		else
 			result = dns_dbiterator_prev(dbit);
-		if (result == DNS_R_NOMORE) {
+		if (result == ISC_R_NOMORE) {
 			/* Wrap around. */
 			if (forward)
 				CHECK(dns_dbiterator_first(dbit));
@@ -1401,7 +1389,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	unsigned int i;
 
 	dns_rdataset_init(&rdataset);
-	isc_buffer_init(&buffer, data, sizeof data, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&buffer, data, sizeof(data));
 
 	/* Get the rdataset to sign. */
 	CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
@@ -1465,7 +1453,7 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver,
 
 	result = find_zone_keys(db, newver, mctx, 
 				MAXZONEKEYS, zone_keys, &nkeys);
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_UPDATE,
 			      NS_LOGMODULE_UPDATE, ISC_LOG_ERROR,
 			      "could not get zone keys for secure "
@@ -1724,7 +1712,7 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver,
 	dns_diff_clear(&diffnames);
 
 	for (i = 0; i < nkeys; i++) 
-		dst_key_free(zone_keys[i]);
+		dst_key_free(&zone_keys[i]);
 	
 	return (result);
 }	
@@ -1738,7 +1726,7 @@ update_signatures(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *oldver,
 
 static isc_result_t
 send_update_event(ns_client_t *client, dns_zone_t *zone) {
-	isc_result_t result = DNS_R_SUCCESS;
+	isc_result_t result = ISC_R_SUCCESS;
 	update_event_t *event = NULL;
 	isc_task_t *zonetask = NULL;
 	ns_client_t *evclient;
@@ -1747,20 +1735,20 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
 		isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE,
 				   update_action, NULL, sizeof(*event));
 	if (event == NULL)
-		FAIL(DNS_R_NOMEMORY);
+		FAIL(ISC_R_NOMEMORY);
 	event->zone = zone;
-	event->result = DNS_R_SUCCESS;
+	event->result = ISC_R_SUCCESS;
 
 	evclient = NULL;
 	ns_client_attach(client, &evclient);
-	event->arg = evclient;
+	event->ev_arg = evclient;
 
 	dns_zone_gettask(zone, &zonetask);
-	isc_task_send(zonetask, (isc_event_t **) &event);
+	isc_task_send(zonetask, (isc_event_t **)&event);
 
  failure:
 	if (event != NULL)
-		isc_event_free((isc_event_t **) &event);
+		isc_event_free((isc_event_t **)&event);
 	return (result);
 }
 
@@ -1769,7 +1757,7 @@ respond(ns_client_t *client, isc_result_t result) {
 	isc_result_t msg_result;
 
 	msg_result = dns_message_reply(client->message, ISC_TRUE);
-	if (msg_result != DNS_R_SUCCESS)
+	if (msg_result != ISC_R_SUCCESS)
 		goto msg_failure;
 	client->message->rcode = dns_result_torcode(result);
 
@@ -1798,7 +1786,7 @@ ns_update_start(ns_client_t *client)
 	 * Interpret the zone section.
 	 */
 	result = dns_message_firstname(request, DNS_SECTION_ZONE);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		FAILC(DNS_R_FORMERR,
 		      "update zone section empty");
 
@@ -1819,12 +1807,13 @@ ns_update_start(ns_client_t *client)
 
 	/* The zone section must have exactly one name. */
 	result = dns_message_nextname(request, DNS_SECTION_ZONE);
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		FAILC(DNS_R_FORMERR,
 		      "update zone section contains multiple RRs");
 
-	result = dns_zt_find(client->view->zonetable, zonename, NULL, &zone);
-	if (result != DNS_R_SUCCESS)
+	result = dns_zt_find(client->view->zonetable, zonename, 0, NULL,
+			     &zone);
+	if (result != ISC_R_SUCCESS)
 		FAILC(DNS_R_NOTAUTH,
 		      "not authoritative for update zone");
 
@@ -1855,7 +1844,7 @@ update_action(isc_task_t *task, isc_event_t *event)
 {
 	update_event_t *uev = (update_event_t *) event;
 	dns_zone_t *zone = uev->zone;
-	ns_client_t *client = (ns_client_t *) event->arg;
+	ns_client_t *client = (ns_client_t *)event->ev_arg;
 
 	isc_result_t result;
 	dns_db_t *db = NULL;
@@ -1871,7 +1860,7 @@ update_action(isc_task_t *task, isc_event_t *event)
 	dns_name_t *zonename;
 	dns_ssutable_t *ssutable = NULL;
 		
-	INSIST(event->type == DNS_EVENT_UPDATE);
+	INSIST(event->ev_type == DNS_EVENT_UPDATE);
 
 	dns_diff_init(mctx, &diff);
 	dns_diff_init(mctx, &temp);
@@ -1886,7 +1875,7 @@ update_action(isc_task_t *task, isc_event_t *event)
 	/* Check prerequisites. */
 
 	for (result = dns_message_firstname(request, DNS_SECTION_PREREQUISITE);
-	     result == DNS_R_SUCCESS;
+	     result == ISC_R_SUCCESS;
 	     result = dns_message_nextname(request, DNS_SECTION_PREREQUISITE))
 	{
 		dns_name_t *name = NULL;
@@ -1952,17 +1941,17 @@ update_action(isc_task_t *task, isc_event_t *event)
 		} else if (update_class == zoneclass) {
 			/* "temp<rr.name, rr.type> += rr;" */
 			result = temp_append(&temp, name, &rdata);
-			if (result != DNS_R_SUCCESS) {
+			if (result != ISC_R_SUCCESS) {
 				UNEXPECTED_ERROR(__FILE__, __LINE__,
 					 "temp entry creation failed: %s",
 						 dns_result_totext(result));
-				FAIL(DNS_R_UNEXPECTED);
+				FAIL(ISC_R_UNEXPECTED);
 			}
 		} else {
 			FAILC(DNS_R_FORMERR, "malformed prerequisite");
 		}
 	}
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		FAIL(result);
 
 	/*
@@ -1970,7 +1959,7 @@ update_action(isc_task_t *task, isc_event_t *event)
 	 * prerequisites.
 	 */
 	result = temp_check(mctx, &temp, db, ver);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		FAILC(result, "'RRset exists (value dependent)' "
 		      "prerequisite not satisfied");
 
@@ -1992,7 +1981,7 @@ update_action(isc_task_t *task, isc_event_t *event)
 	/* Perform the Update Section Prescan. */
 
 	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
-	     result == DNS_R_SUCCESS;
+	     result == ISC_R_SUCCESS;
 	     result = dns_message_nextname(request, DNS_SECTION_UPDATE))
 	{
 		dns_name_t *name = NULL;
@@ -2060,7 +2049,7 @@ update_action(isc_task_t *task, isc_event_t *event)
 			}
 		}
 	}
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		FAIL(result);
 
 	isc_log_write(UPDATE_DEBUG_LOGARGS, "update section prescan OK");
@@ -2068,7 +2057,7 @@ update_action(isc_task_t *task, isc_event_t *event)
 	/* Process the Update Section. */
 
 	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
-	     result == DNS_R_SUCCESS;
+	     result == ISC_R_SUCCESS;
 	     result = dns_message_nextname(request, DNS_SECTION_UPDATE))
 	{
 		dns_name_t *name = NULL;
@@ -2144,7 +2133,7 @@ update_action(isc_task_t *task, isc_event_t *event)
 				result = update_one_rr(db, ver, &diff,
 						       DNS_DIFFOP_ADD,
 						       name, ttl, &rdata);
-				if (result != DNS_R_SUCCESS)
+				if (result != ISC_R_SUCCESS)
 					FAIL(result);
 			} else {
 				isc_log_write(UPDATE_PROTOCOL_LOGARGS,
@@ -2211,7 +2200,7 @@ update_action(isc_task_t *task, isc_event_t *event)
 					rdata.type, covers, &rdata, &diff));
 		}
 	}
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		FAIL(result);
 
 	/*
@@ -2233,7 +2222,7 @@ update_action(isc_task_t *task, isc_event_t *event)
 		if (dns_db_issecure(db)) {
 			result = update_signatures(mctx, db,
 						   oldver, ver, &diff);
-			if (result != DNS_R_SUCCESS) {
+			if (result != ISC_R_SUCCESS) {
 				isc_log_write(ns_g_lctx, NS_LOGCATEGORY_UPDATE,
 					      NS_LOGMODULE_UPDATE,
 					      ISC_LOG_ERROR,
@@ -2249,11 +2238,11 @@ update_action(isc_task_t *task, isc_event_t *event)
 		journal = NULL;
 		result = dns_journal_open(mctx, dns_zone_getjournal(zone),
 					  ISC_TRUE, &journal);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			FAILS(result, "journal open failed");
 
 		result = dns_journal_write_transaction(journal, &diff);
-		if (result != DNS_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS) {
 			dns_journal_destroy(&journal);
 			FAILS(result, "journal write failed");
 		}
@@ -2268,7 +2257,14 @@ update_action(isc_task_t *task, isc_event_t *event)
 	 */
 	isc_log_write(UPDATE_DEBUG_LOGARGS, "committing update transaction");
 	dns_db_closeversion(db, &ver, ISC_TRUE);
-	result = DNS_R_SUCCESS;
+
+
+	/*
+	 * Notify slaves of the change we just made.
+	 */
+	dns_zone_notify(zone);
+	
+	result = ISC_R_SUCCESS;
 	goto common;
 	
  failure:
@@ -2294,8 +2290,8 @@ update_action(isc_task_t *task, isc_event_t *event)
 
 	isc_task_detach(&task);
 	uev->result = result;
-	uev->type = DNS_EVENT_UPDATEDONE;
-	uev->action = updatedone_action;
+	uev->ev_type = DNS_EVENT_UPDATEDONE;
+	uev->ev_action = updatedone_action;
 	isc_task_send(client->task, &event);
 	INSIST(event == NULL);
 }
@@ -2304,9 +2300,11 @@ static void
 updatedone_action(isc_task_t *task, isc_event_t *event)
 {
 	update_event_t *uev = (update_event_t *) event;
-	ns_client_t *client = (ns_client_t *) event->arg;	
+	ns_client_t *client = (ns_client_t *) event->ev_arg;	
 
-	INSIST(event->type == DNS_EVENT_UPDATEDONE);
+	UNUSED(task);
+	
+	INSIST(event->ev_type == DNS_EVENT_UPDATEDONE);
 	INSIST(task == client->task);
 
 	respond(client, uev->result);
diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c
index 91800a30..452a8156 100644
--- a/bin/named/xfrout.c
+++ b/bin/named/xfrout.c
@@ -15,44 +15,29 @@
  * SOFTWARE.
  */
 
-/* $Id: xfrout.c,v 1.49 2000/03/23 00:54:44 gson Exp $ */
+/* $Id: xfrout.c,v 1.62 2000/05/15 21:14:01 tale Exp $ */
 
 #include <config.h>
 
-#include <string.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <sys/types.h>
-
-#include <isc/assertions.h>
-#include <isc/error.h>
 #include <isc/mem.h>
-#include <isc/result.h>
 #include <isc/timer.h>
+#include <isc/print.h>
 #include <isc/util.h>
 
-#include <dns/acl.h>
 #include <dns/db.h>
 #include <dns/dbiterator.h>
-#include <dns/fixedname.h>
 #include <dns/journal.h>
 #include <dns/message.h>
-#include <dns/name.h>
 #include <dns/peer.h>
-#include <dns/rdata.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
 #include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
 #include <dns/result.h>
-#include <dns/types.h>
 #include <dns/view.h>
 #include <dns/zone.h>
 #include <dns/zt.h>
 
 #include <named/client.h>
-#include <named/globals.h>
 #include <named/log.h>
 #include <named/server.h>
 #include <named/xfrout.h>
@@ -77,19 +62,22 @@
 
 /*
  * Fail unconditionally and log as a client error.
+ * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
  */
 #define FAILC(code, msg) \
 	do {							\
 		result = (code);				\
-		isc_log_write(XFROUT_PROTOCOL_LOGARGS,		\
-			      "bad zone transfer request: %s (%s)", \
-		      	      msg, isc_result_totext(code));	\
-		goto failure;					\
+		ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, \
+			   NS_LOGMODULE_XFER_OUT, ISC_LOG_INFO, \
+			   "bad zone transfer request: %s (%s)", \
+		      	   msg, isc_result_totext(code));	\
+		if (result != ISC_R_SUCCESS) goto failure;	\
 	} while (0)
 
 #define CHECK(op) \
      	do { result = (op); 					\
-		if (result != DNS_R_SUCCESS) goto failure; 	\
+		if (result != ISC_R_SUCCESS) goto failure; 	\
 	} while (0)
 
 /**************************************************************************/
@@ -113,17 +101,22 @@ struct db_rr_iterator {
 	dns_rdata_t		rdata;
 };
 
-isc_result_t db_rr_iterator_init(db_rr_iterator_t *it, dns_db_t *db,
-				 dns_dbversion_t *ver, isc_stdtime_t now);
+isc_result_t
+db_rr_iterator_init(db_rr_iterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
+		    isc_stdtime_t now);
 
-isc_result_t db_rr_iterator_first(db_rr_iterator_t *it);
+isc_result_t
+db_rr_iterator_first(db_rr_iterator_t *it);
 
-isc_result_t db_rr_iterator_next(db_rr_iterator_t *it);
+isc_result_t
+db_rr_iterator_next(db_rr_iterator_t *it);
 
-void db_rr_iterator_current(db_rr_iterator_t *it, dns_name_t **name, 
-			    isc_uint32_t *ttl, dns_rdata_t **rdata);
+void
+db_rr_iterator_current(db_rr_iterator_t *it, dns_name_t **name,
+		       isc_uint32_t *ttl, dns_rdata_t **rdata);
 
-void db_rr_iterator_destroy(db_rr_iterator_t *it);
+void
+db_rr_iterator_destroy(db_rr_iterator_t *it);
 
 isc_result_t
 db_rr_iterator_init(db_rr_iterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
@@ -136,34 +129,34 @@ db_rr_iterator_init(db_rr_iterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
 	it->now = now;
 	it->node = NULL;
 	result = dns_db_createiterator(it->db, ISC_FALSE, &it->dbit);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	it->rdatasetit = NULL;
 	dns_rdataset_init(&it->rdataset);
 	dns_fixedname_init(&it->fixedname);
 	INSIST(! dns_rdataset_isassociated(&it->rdataset));
-	it->result = DNS_R_SUCCESS;
+	it->result = ISC_R_SUCCESS;
 	return (it->result);
 }
 
 isc_result_t
 db_rr_iterator_first(db_rr_iterator_t *it) {
 	it->result = dns_dbiterator_first(it->dbit);
-	if (it->result != DNS_R_SUCCESS)
+	if (it->result != ISC_R_SUCCESS)
 		return (it->result);
 	it->result = dns_dbiterator_current(it->dbit, &it->node,
 				    dns_fixedname_name(&it->fixedname));
-	if (it->result != DNS_R_SUCCESS) 
+	if (it->result != ISC_R_SUCCESS) 
 		return (it->result);
 
 	it->result = dns_db_allrdatasets(it->db, it->node,
 					 it->ver, it->now,
 					 &it->rdatasetit);
-	if (it->result != DNS_R_SUCCESS) 
+	if (it->result != ISC_R_SUCCESS) 
 		return (it->result);
 		
 	it->result = dns_rdatasetiter_first(it->rdatasetit);
-	if (it->result != DNS_R_SUCCESS) 
+	if (it->result != ISC_R_SUCCESS) 
 		return (it->result);
 
 	dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
@@ -175,7 +168,7 @@ db_rr_iterator_first(db_rr_iterator_t *it) {
 
 isc_result_t
 db_rr_iterator_next(db_rr_iterator_t *it) {
-	if (it->result != DNS_R_SUCCESS)
+	if (it->result != ISC_R_SUCCESS)
 		return (it->result);
 
 	INSIST(it->dbit != NULL);
@@ -183,32 +176,32 @@ db_rr_iterator_next(db_rr_iterator_t *it) {
 	INSIST(it->rdatasetit != NULL);
 
 	it->result = dns_rdataset_next(&it->rdataset);
-	if (it->result == DNS_R_NOMORE) {
+	if (it->result == ISC_R_NOMORE) {
 		dns_rdataset_disassociate(&it->rdataset);
 		it->result = dns_rdatasetiter_next(it->rdatasetit);
-		while (it->result == DNS_R_NOMORE) {
+		while (it->result == ISC_R_NOMORE) {
 			dns_rdatasetiter_destroy(&it->rdatasetit);
 			dns_db_detachnode(it->db, &it->node);
 			it->result = dns_dbiterator_next(it->dbit);
-			if (it->result == DNS_R_NOMORE) {
+			if (it->result == ISC_R_NOMORE) {
 				/* We are at the end of the entire database. */
 				return (it->result);
 			}
-			if (it->result != DNS_R_SUCCESS)
+			if (it->result != ISC_R_SUCCESS)
 				return (it->result);
 			it->result = dns_dbiterator_current(it->dbit,
 				    &it->node,
 				    dns_fixedname_name(&it->fixedname));
-			if (it->result != DNS_R_SUCCESS)
+			if (it->result != ISC_R_SUCCESS)
 				return (it->result);
 			it->result = dns_db_allrdatasets(it->db, it->node,
 					 it->ver, it->now,
 					 &it->rdatasetit);
-			if (it->result != DNS_R_SUCCESS)
+			if (it->result != ISC_R_SUCCESS)
 				return (it->result);
 			it->result = dns_rdatasetiter_first(it->rdatasetit);
 		}
-		if (it->result != DNS_R_SUCCESS)
+		if (it->result != ISC_R_SUCCESS)
 			return (it->result);
 		dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
 	}
@@ -231,7 +224,7 @@ db_rr_iterator_current(db_rr_iterator_t *it, dns_name_t **name,
 		      isc_uint32_t *ttl, dns_rdata_t **rdata)
 {
 	REQUIRE(name != NULL && *name == NULL);
-	REQUIRE(it->result == DNS_R_SUCCESS);
+	REQUIRE(it->result == ISC_R_SUCCESS);
 	*name = dns_fixedname_name(&it->fixedname);
 	*ttl = it->rdataset.ttl;
 	dns_rdataset_current(&it->rdataset, &it->rdata);
@@ -259,18 +252,22 @@ log_rr(dns_name_t *name, dns_rdata_t *rdata, isc_uint32_t ttl) {
 	ISC_LINK_INIT(&rdl, link);
 	dns_rdataset_init(&rds);
 	ISC_LIST_APPEND(rdl.rdata, rdata, link);
-	RUNTIME_CHECK(dns_rdatalist_tordataset(&rdl, &rds) == DNS_R_SUCCESS);
+	RUNTIME_CHECK(dns_rdatalist_tordataset(&rdl, &rds) == ISC_R_SUCCESS);
 		
-	isc_buffer_init(&buf, mem, sizeof(mem), ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&buf, mem, sizeof(mem));
 	result = dns_rdataset_totext(&rds, name,
 				     ISC_FALSE, ISC_FALSE, &buf);
 
 	/* Get rid of final newline. */
 	INSIST(buf.used >= 1 && ((char *) buf.base)[buf.used-1] == '\n');
 	buf.used--;
-	
-	if (result == DNS_R_SUCCESS) {
-		isc_buffer_used(&buf, &r);
+
+	/*
+	 * We could use xfrout_log(), but that would produce
+	 * very long lines with a repetitive prefix.
+	 */
+	if (result == ISC_R_SUCCESS) {
+		isc_buffer_usedregion(&buf, &r);
 		isc_log_write(XFROUT_DEBUG_LOGARGS(8),
 			      "%.*s", (int) r.length, (char *) r.base);
 	} else {
@@ -320,7 +317,9 @@ typedef struct ixfr_rrstream {
 } ixfr_rrstream_t;
 
 /* Forward declarations. */
-static void ixfr_rrstream_destroy(rrstream_t **sp);
+static void
+ixfr_rrstream_destroy(rrstream_t **sp);
+
 static rrstream_methods_t ixfr_rrstream_methods;
 
 /*
@@ -342,7 +341,7 @@ ixfr_rrstream_create(isc_mem_t *mctx,
 
 	s = isc_mem_get(mctx, sizeof(*s));
 	if (s == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 	s->common.mctx = mctx;
 	s->common.methods = &ixfr_rrstream_methods;
 	s->journal = NULL;
@@ -352,7 +351,7 @@ ixfr_rrstream_create(isc_mem_t *mctx,
 	CHECK(dns_journal_iter_init(s->journal, begin_serial, end_serial));
 
 	*sp = (rrstream_t *) s;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 
  failure:
 	ixfr_rrstream_destroy((rrstream_t **) &s);
@@ -360,20 +359,17 @@ ixfr_rrstream_create(isc_mem_t *mctx,
 }
 
 static isc_result_t
-ixfr_rrstream_first(rrstream_t *rs)
-{
+ixfr_rrstream_first(rrstream_t *rs) {
 	ixfr_rrstream_t *s = (ixfr_rrstream_t *) rs;
 	return (dns_journal_first_rr(s->journal));
 }
 
 static isc_result_t
-ixfr_rrstream_next(rrstream_t *rs)
-{
+ixfr_rrstream_next(rrstream_t *rs) {
 	ixfr_rrstream_t *s = (ixfr_rrstream_t *) rs;	
 	return (dns_journal_next_rr(s->journal));
 }
 
-
 static void
 ixfr_rrstream_current(rrstream_t *rs,
 		       dns_name_t **name, isc_uint32_t *ttl,
@@ -391,8 +387,7 @@ ixfr_rrstream_destroy(rrstream_t **rsp) {
 	isc_mem_put(s->common.mctx, s, sizeof(*s));
 }
 
-static rrstream_methods_t ixfr_rrstream_methods = 
-{
+static rrstream_methods_t ixfr_rrstream_methods = {
 	ixfr_rrstream_first,
 	ixfr_rrstream_next,
 	ixfr_rrstream_current,		
@@ -415,15 +410,17 @@ typedef struct axfr_rrstream {
 	isc_boolean_t		it_valid;
 } axfr_rrstream_t;
 
-/* Forward declarations. */
-static void axfr_rrstream_destroy(rrstream_t **rsp);
+/*
+ * Forward declarations.
+ */
+static void
+axfr_rrstream_destroy(rrstream_t **rsp);
+
 static rrstream_methods_t axfr_rrstream_methods;
 
 static isc_result_t
-axfr_rrstream_create(isc_mem_t *mctx,
-		      dns_db_t *db,
-		      dns_dbversion_t *ver,
-		      rrstream_t **sp)
+axfr_rrstream_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver,
+		     rrstream_t **sp)
 {
 	axfr_rrstream_t *s;
 	isc_result_t result;
@@ -432,7 +429,7 @@ axfr_rrstream_create(isc_mem_t *mctx,
 
 	s = isc_mem_get(mctx, sizeof(*s));
 	if (s == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 	s->common.mctx = mctx;
 	s->common.methods = &axfr_rrstream_methods;
 	s->it_valid = ISC_FALSE;
@@ -441,7 +438,7 @@ axfr_rrstream_create(isc_mem_t *mctx,
 	s->it_valid = ISC_TRUE;
 
 	*sp = (rrstream_t *) s;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 
  failure:
 	axfr_rrstream_destroy((rrstream_t **) &s);
@@ -449,11 +446,12 @@ axfr_rrstream_create(isc_mem_t *mctx,
 }
 
 static isc_result_t
-axfr_rrstream_first(rrstream_t *rs)
-{
+axfr_rrstream_first(rrstream_t *rs) {
 	axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
 	isc_result_t result;
 	result = db_rr_iterator_first(&s->it);
+	if (result != ISC_R_SUCCESS)
+		return (result);
 	/* Skip SOA records. */
 	for (;;) {
 		dns_name_t *name_dummy = NULL;
@@ -464,15 +462,14 @@ axfr_rrstream_first(rrstream_t *rs)
 		if (rdata->type != dns_rdatatype_soa)
 			break;
 		result = db_rr_iterator_next(&s->it);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			break;
 	}
 	return (result);
 }
 
 static isc_result_t
-axfr_rrstream_next(rrstream_t *rs)
-{
+axfr_rrstream_next(rrstream_t *rs) {
 	axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
 	isc_result_t result;
 	
@@ -482,7 +479,7 @@ axfr_rrstream_next(rrstream_t *rs)
 		isc_uint32_t ttl_dummy;
 		dns_rdata_t *rdata = NULL;
 		result = db_rr_iterator_next(&s->it);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			break;
 		db_rr_iterator_current(&s->it, &name_dummy,
 				      &ttl_dummy, &rdata);
@@ -493,9 +490,8 @@ axfr_rrstream_next(rrstream_t *rs)
 }
 
 static void
-axfr_rrstream_current(rrstream_t *rs,
-		       dns_name_t **name, isc_uint32_t *ttl,
-		       dns_rdata_t **rdata)
+axfr_rrstream_current(rrstream_t *rs, dns_name_t **name, isc_uint32_t *ttl,
+		      dns_rdata_t **rdata)
 {
 	axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
 	db_rr_iterator_current(&s->it, name, ttl, rdata);
@@ -509,8 +505,7 @@ axfr_rrstream_destroy(rrstream_t **rsp) {
 	isc_mem_put(s->common.mctx, s, sizeof(*s));
 }
 
-static rrstream_methods_t axfr_rrstream_methods = 
-{
+static rrstream_methods_t axfr_rrstream_methods = {
 	axfr_rrstream_first,
 	axfr_rrstream_next,
 	axfr_rrstream_current,		
@@ -528,14 +523,16 @@ typedef struct soa_rrstream {
 	dns_difftuple_t 	*soa_tuple;
 } soa_rrstream_t;
 
-/* Forward declarations. */
-static void soa_rrstream_destroy(rrstream_t **rsp);
+/*
+ * Forward declarations.
+ */
+static void
+soa_rrstream_destroy(rrstream_t **rsp);
+
 static rrstream_methods_t soa_rrstream_methods;
 
 static isc_result_t
-soa_rrstream_create(isc_mem_t *mctx,
-		    dns_db_t *db,
-		    dns_dbversion_t *ver,
+soa_rrstream_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver,
 		    rrstream_t **sp)
 {
 	soa_rrstream_t *s;
@@ -545,7 +542,7 @@ soa_rrstream_create(isc_mem_t *mctx,
 
 	s = isc_mem_get(mctx, sizeof(*s));
 	if (s == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 	s->common.mctx = mctx;
 	s->common.methods = &soa_rrstream_methods;
 	s->soa_tuple = NULL;
@@ -554,7 +551,7 @@ soa_rrstream_create(isc_mem_t *mctx,
 				    &s->soa_tuple));
 
 	*sp = (rrstream_t *) s;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 
  failure:
 	soa_rrstream_destroy((rrstream_t **) &s);
@@ -564,18 +561,17 @@ soa_rrstream_create(isc_mem_t *mctx,
 static isc_result_t
 soa_rrstream_first(rrstream_t *rs) {
 	UNUSED(rs);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
 soa_rrstream_next(rrstream_t *rs) {
 	UNUSED(rs);
-	return (DNS_R_NOMORE);
+	return (ISC_R_NOMORE);
 }
 
 static void
-soa_rrstream_current(rrstream_t *rs,
-		     dns_name_t **name, isc_uint32_t *ttl,
+soa_rrstream_current(rrstream_t *rs, dns_name_t **name, isc_uint32_t *ttl,
 		     dns_rdata_t **rdata)
 {
 	soa_rrstream_t *s = (soa_rrstream_t *) rs;	
@@ -592,8 +588,7 @@ soa_rrstream_destroy(rrstream_t **rsp) {
 	isc_mem_put(s->common.mctx, s, sizeof(*s));
 }
 
-static rrstream_methods_t soa_rrstream_methods = 
-{
+static rrstream_methods_t soa_rrstream_methods = {
 	soa_rrstream_first,
 	soa_rrstream_next,
 	soa_rrstream_current,		
@@ -618,9 +613,15 @@ typedef struct compound_rrstream {
 	isc_result_t		result;
 } compound_rrstream_t;
 
-/* Forward declarations. */
-static void compound_rrstream_destroy(rrstream_t **rsp);
-static isc_result_t compound_rrstream_next(rrstream_t *rs);
+/*
+ * Forward declarations.
+ */
+static void
+compound_rrstream_destroy(rrstream_t **rsp);
+
+static isc_result_t
+compound_rrstream_next(rrstream_t *rs);
+
 static rrstream_methods_t compound_rrstream_methods;
 
 /*
@@ -637,10 +638,8 @@ static rrstream_methods_t compound_rrstream_methods;
  *	when the compound_rrstream_t is destroyed.
  */
 static isc_result_t
-compound_rrstream_create(isc_mem_t *mctx,
-			 rrstream_t **soa_stream,
-			 rrstream_t **data_stream,
-			 rrstream_t **sp)
+compound_rrstream_create(isc_mem_t *mctx, rrstream_t **soa_stream,
+			 rrstream_t **data_stream, rrstream_t **sp)
 {
 	compound_rrstream_t *s;
 
@@ -648,7 +647,7 @@ compound_rrstream_create(isc_mem_t *mctx,
 
 	s = isc_mem_get(mctx, sizeof(*s));
 	if (s == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 	s->common.mctx = mctx;
 	s->common.methods = &compound_rrstream_methods;
 	s->components[0] = *soa_stream;
@@ -660,7 +659,7 @@ compound_rrstream_create(isc_mem_t *mctx,
 	*soa_stream = NULL;
 	*data_stream = NULL;
 	*sp = (rrstream_t *) s;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
@@ -670,7 +669,7 @@ compound_rrstream_first(rrstream_t *rs) {
 	do {
 		rrstream_t *curstream = s->components[s->state];
 		s->result = curstream->methods->first(curstream);
-	} while (s->result == DNS_R_NOMORE && s->state < 2) ;
+	} while (s->result == ISC_R_NOMORE && s->state < 2) ;
 	return (s->result);
 }
 
@@ -679,9 +678,9 @@ compound_rrstream_next(rrstream_t *rs) {
 	compound_rrstream_t *s = (compound_rrstream_t *) rs;
 	rrstream_t *curstream = s->components[s->state];	
 	s->result = curstream->methods->next(curstream);
-	while (s->result == DNS_R_NOMORE) {
+	while (s->result == ISC_R_NOMORE) {
 		if (s->state == 2)
-			return (DNS_R_NOMORE);
+			return (ISC_R_NOMORE);
 		s->state++;
 		curstream = s->components[s->state];
 		s->result = curstream->methods->first(curstream);
@@ -690,14 +689,13 @@ compound_rrstream_next(rrstream_t *rs) {
 }
 
 static void
-compound_rrstream_current(rrstream_t *rs,
-		     dns_name_t **name, isc_uint32_t *ttl,
-		     dns_rdata_t **rdata)
+compound_rrstream_current(rrstream_t *rs, dns_name_t **name, isc_uint32_t *ttl,
+			  dns_rdata_t **rdata)
 {
 	compound_rrstream_t *s = (compound_rrstream_t *) rs;
 	rrstream_t *curstream;
 	INSIST(0 <= s->state && s->state < 3);
-	INSIST(s->result == DNS_R_SUCCESS);
+	INSIST(s->result == ISC_R_SUCCESS);
 	curstream = s->components[s->state];
 	curstream->methods->current(curstream, name, ttl, rdata);
 }
@@ -711,8 +709,7 @@ compound_rrstream_destroy(rrstream_t **rsp) {
 	isc_mem_put(s->common.mctx, s, sizeof(*s));
 }
 
-static rrstream_methods_t compound_rrstream_methods = 
-{
+static rrstream_methods_t compound_rrstream_methods = {
 	compound_rrstream_first,
 	compound_rrstream_next,
 	compound_rrstream_current,		
@@ -761,19 +758,35 @@ xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client,
 		  isc_boolean_t many_answers,
 		  xfrout_ctx_t **xfrp);
 
-static void sendstream(xfrout_ctx_t *xfr);
+static void
+sendstream(xfrout_ctx_t *xfr);
+
+static void
+xfrout_senddone(isc_task_t *task, isc_event_t *event);
+
+static void
+xfrout_fail(xfrout_ctx_t *xfr, isc_result_t result, char *msg);
+
+static void
+xfrout_maybe_destroy(xfrout_ctx_t *xfr);
+
+static void
+xfrout_ctx_destroy(xfrout_ctx_t **xfrp);
+
+static void
+xfrout_client_shutdown(void *arg, isc_result_t result);
 
-static void xfrout_senddone(isc_task_t *task, isc_event_t *event);
-static void xfrout_fail(xfrout_ctx_t *xfr, isc_result_t result, char *msg);
-static void xfrout_maybe_destroy(xfrout_ctx_t *xfr);
-static void xfrout_ctx_destroy(xfrout_ctx_t **xfrp);
-static void xfrout_client_shutdown(void *arg, isc_result_t result);
+static void
+xfrout_log1(ns_client_t *client, dns_name_t *zonename, int level,
+	    const char *fmt, ...);
+
+static void
+xfrout_log(xfrout_ctx_t *xfr, unsigned int level, const char *fmt, ...);
 
 /**************************************************************************/
 
 void
-ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype)
-{
+ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 	isc_result_t result;
 	dns_name_t *question_name;
 	dns_rdataset_t *question_rdataset;
@@ -794,7 +807,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype)
 	dns_message_t *request = client->message;
 	xfrout_ctx_t *xfr = NULL;
 	isc_quota_t *quota = NULL;
-	dns_transfer_format_t format = ns_g_server->transfer_format;
+	dns_transfer_format_t format = client->view->transfer_format;
 	isc_netaddr_t na;
 	dns_peer_t *peer = NULL;
 
@@ -810,15 +823,16 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype)
 		break;
 	}
 	
-	isc_log_write(XFROUT_DEBUG_LOGARGS(6), "got %s request", mnemonic);
-
+	ns_client_log(client,
+		      DNS_LOGCATEGORY_XFER_OUT, NS_LOGMODULE_XFER_OUT,
+		      ISC_LOG_DEBUG(6), "%s request", mnemonic);
 	/*
 	 * Apply quota.
 	 */
 	result = isc_quota_attach(&ns_g_server->xfroutquota, &quota);
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		isc_log_write(XFROUT_COMMON_LOGARGS, ISC_LOG_WARNING,
-			      "zone transfer request denied: %s",
+			      "%s request denied: %s", mnemonic,
 			      isc_result_totext(result));
 		goto failure;
 	}
@@ -827,7 +841,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype)
 	 * Interpret the question section.
 	 */
 	result = dns_message_firstname(request, DNS_SECTION_QUESTION);
-	INSIST(result == DNS_R_SUCCESS);
+	INSIST(result == ISC_R_SUCCESS);
 
 	/*
 	 * The question section must contain exactly one question, and
@@ -839,44 +853,43 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype)
 	question_class = question_rdataset->rdclass;
 	INSIST(question_rdataset->type == reqtype);
 	if (ISC_LIST_NEXT(question_rdataset, link) != NULL)
-		FAILC(DNS_R_FORMERR,
-		      "multiple questions in AXFR/IXFR request");
+		FAILC(DNS_R_FORMERR, "multiple questions");
 	result = dns_message_nextname(request, DNS_SECTION_QUESTION);
-	if (result != DNS_R_NOMORE)
-		FAILC(DNS_R_FORMERR,
-		      "multiple questions in AXFR/IXFR request");
-
-	result = dns_zt_find(client->view->zonetable, question_name, NULL, &zone);
-	if (result != DNS_R_SUCCESS)
-		FAILC(DNS_R_NOTAUTH,
-		      "AXFR/IXFR requested for non-authoritative zone");
+	if (result != ISC_R_NOMORE)
+		FAILC(DNS_R_FORMERR, "multiple questions");
+
+	result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
+			     &zone);
+	if (result != ISC_R_SUCCESS)
+		FAILC(DNS_R_NOTAUTH, "non-authoritative zone");
 	switch(dns_zone_gettype(zone)) {
 	case dns_zone_master:
 	case dns_zone_slave:
 		break;	/* Master and slave zones are OK for transfer. */
 	default:
-		FAILC(DNS_R_NOTAUTH,
-		      "AXFR/IXFR requested for non-authoritative zone"); 
+		FAILC(DNS_R_NOTAUTH, "non-authoritative zone"); 
 	}
 	CHECK(dns_zone_getdb(zone, &db));
 	dns_db_currentversion(db, &ver);
 
-	isc_log_write(XFROUT_DEBUG_LOGARGS(6), "%s question section OK",
-		      mnemonic);
+	xfrout_log1(client, question_name, ISC_LOG_DEBUG(6), 
+		    "%s question section OK", mnemonic);
 
 	/*
 	 * Check the authority section.  Look for a SOA record with
 	 * the same name and class as the question.
 	 */
 	for (result = dns_message_firstname(request, DNS_SECTION_AUTHORITY);
-	     result == DNS_R_SUCCESS;
+	     result == ISC_R_SUCCESS;
 	     result = dns_message_nextname(request, DNS_SECTION_AUTHORITY))
 	{
 		soa_name = NULL;
 		dns_message_currentname(request, DNS_SECTION_AUTHORITY,
 					&soa_name);
 
-		/* Ignore data whose owner name is not the zone apex. */
+		/*
+		 * Ignore data whose owner name is not the zone apex.
+		 */
 		if (! dns_name_equal(soa_name, question_name))
 			continue;
 		
@@ -884,7 +897,9 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype)
 		     soa_rdataset != NULL;
 		     soa_rdataset = ISC_LIST_NEXT(soa_rdataset, link))
 		{
-			/* Ignore non-SOA data. */
+			/*
+			 * Ignore non-SOA data.
+			 */
 			if (soa_rdataset->type != dns_rdatatype_soa)
 				continue;
 			if (soa_rdataset->rdclass != question_class)
@@ -893,7 +908,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype)
 			CHECK(dns_rdataset_first(soa_rdataset));
 			dns_rdataset_current(soa_rdataset, &soa_rdata);
 			result = dns_rdataset_next(soa_rdataset);
-			if (result == DNS_R_SUCCESS)
+			if (result == ISC_R_SUCCESS)
 				FAILC(DNS_R_FORMERR,
 				      "IXFR authority section "
 				      "has multiple SOAs");
@@ -902,36 +917,44 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype)
 		}
 	}
  got_soa:
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		CHECK(result);
 
-	isc_log_write(XFROUT_DEBUG_LOGARGS(6), "%s authority section OK",
-		      mnemonic);
+	xfrout_log1(client, question_name, ISC_LOG_DEBUG(6), 
+		    "%s authority section OK", mnemonic);
 
-	/* Decide whether to allow this transfer. */
-	CHECK(ns_client_checkacl(client, "zone transfer", 
-				 dns_zone_getxfracl(zone),
-				 ISC_TRUE));
+	/*
+	 * Decide whether to allow this transfer.
+	 */
+	CHECK(ns_client_checkacl(client, "zone transfer",
+				 dns_zone_getxfracl(zone), ISC_TRUE));
 
-	/* AXFR over UDP is not possible. */
+	/*
+	 * AXFR over UDP is not possible.
+	 */
 	if (reqtype == dns_rdatatype_axfr &&
 	    (client->attributes & NS_CLIENTATTR_TCP) == 0) {
 		FAILC(DNS_R_FORMERR, "attempted AXFR over UDP");
 	}
 
-	/* Look up the requesting server in the peer table. */
+	/*
+	 * Look up the requesting server in the peer table.
+	 */
 	isc_netaddr_fromsockaddr(&na, &client->peeraddr);
-	(void) dns_peerlist_peerbyaddr(client->view->peers,
-				       &na, &peer);
+	(void)dns_peerlist_peerbyaddr(client->view->peers, &na, &peer);
 	   
-	/* Decide on the transfer format (one-answer or many-answers). */
+	/*
+	 * Decide on the transfer format (one-answer or many-answers).
+	 */
 	if (peer != NULL)
-		(void) dns_peer_gettransferformat(peer, &format);
+		(void)dns_peer_gettransferformat(peer, &format);
 	
-	/* Get a dynamically allocated copy of the current SOA. */
+	/*
+	 * Get a dynamically allocated copy of the current SOA.
+	 */
 	CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_EXISTS,
 				    &current_soa_tuple));
-	
+
 	if (reqtype == dns_rdatatype_ixfr) {
 		isc_uint32_t begin_serial, current_serial;
 		isc_boolean_t provide_ixfr;
@@ -940,7 +963,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype)
 		 * Outgoing IXFR may have been disabled for this peer
 		 * or globally.
 		 */
-		provide_ixfr = ns_g_server->provide_ixfr;
+		provide_ixfr = client->view->provideixfr;
 		if (peer != NULL)
 			(void) dns_peer_getprovideixfr(peer, &provide_ixfr);
 		if (provide_ixfr == ISC_FALSE)
@@ -976,10 +999,10 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype)
 					      current_serial,
 					      &data_stream);
 		if (result == ISC_R_NOTFOUND ||
-		    result == DNS_R_RANGE) {
-			isc_log_write(XFROUT_DEBUG_LOGARGS(4),
-				      "IXFR version not in journal, "
-				      "falling back to AXFR");
+		    result == ISC_R_RANGE) {
+			xfrout_log1(client, question_name, ISC_LOG_DEBUG(4), 
+				    "IXFR version not in journal, "
+				    "falling back to AXFR");
 			goto axfr_fallback;
 		}
 		CHECK(result);
@@ -989,7 +1012,9 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype)
 					   &data_stream));
 	}
 
-	/* Bracket the the data stream with SOAs. */
+	/*
+	 * Bracket the the data stream with SOAs.
+	 */
 	CHECK(soa_rrstream_create(mctx, db, ver, &soa_stream));
 	CHECK(compound_rrstream_create(mctx, &soa_stream, &data_stream,
 				       &stream));
@@ -1024,7 +1049,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype)
 	sendstream(xfr);
 	xfr = NULL;
 	
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
 
  failure:
 	if (quota != NULL)
@@ -1046,16 +1071,14 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype)
 	/* XXX kludge */
 	if (xfr != NULL) {
 		xfrout_fail(xfr, result, "setting up zone transfer");
-	} else if (result != DNS_R_SUCCESS) {
-		isc_log_write(XFROUT_DEBUG_LOGARGS(3),
-			      "zone transfer setup failed"); 
+	} else if (result != ISC_R_SUCCESS) {
+		ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT,
+			      NS_LOGMODULE_XFER_OUT,
+			      ISC_LOG_DEBUG(3), "zone transfer setup failed"); 
 		ns_client_error(client, result);
 	}
 }
 
-
-
-
 static isc_result_t
 xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id,
 		  dns_name_t *qname, dns_rdatatype_t qtype,
@@ -1075,7 +1098,7 @@ xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id,
 	INSIST(xfrp != NULL && *xfrp == NULL);
 	xfr = isc_mem_get(mctx, sizeof(*xfr));
 	if (xfr == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 	xfr->mctx = mctx;
 	xfr->client = NULL;
 	ns_client_attach(client, &xfr->client);
@@ -1109,10 +1132,10 @@ xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id,
 	len = 65535;
 	mem = isc_mem_get(mctx, len);
 	if (mem == NULL) {
-		result = DNS_R_NOMEMORY;
+		result = ISC_R_NOMEMORY;
 		goto failure;
 	}
-	isc_buffer_init(&xfr->buf, mem, len, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&xfr->buf, mem, len);
 
 	/*
 	 * Allocate another temporary buffer for the compressed
@@ -1121,12 +1144,11 @@ xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id,
 	len = 2 + 65535;
 	mem = isc_mem_get(mctx, len);
 	if (mem == NULL) {
-		result = DNS_R_NOMEMORY;
+		result = ISC_R_NOMEMORY;
 		goto failure;
 	}
-	isc_buffer_init(&xfr->txlenbuf, mem, 2, ISC_BUFFERTYPE_BINARY);
-	isc_buffer_init(&xfr->txbuf, (char *) mem + 2, len - 2,
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&xfr->txlenbuf, mem, 2);
+	isc_buffer_init(&xfr->txbuf, (char *) mem + 2, len - 2);
 	xfr->txmem = mem;
 	xfr->txmemlen = len;
 
@@ -1148,7 +1170,7 @@ xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id,
 	xfr->client->shutdown_arg = xfr;
 		
 	*xfrp = xfr;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 	
 failure:
 	xfrout_ctx_destroy(&xfr);
@@ -1165,8 +1187,7 @@ failure:
  *      _first method of the iterator has been called).
  */
 static void
-sendstream(xfrout_ctx_t *xfr)
-{
+sendstream(xfrout_ctx_t *xfr) {
 	dns_message_t *msg = NULL;
 	isc_result_t result;
 	isc_region_t used;
@@ -1224,7 +1245,7 @@ sendstream(xfrout_ctx_t *xfr)
 		if (result != ISC_R_SUCCESS)
 			goto failure;
 		dns_name_init(qname, NULL);
-		isc_buffer_available(&xfr->buf, &r);
+		isc_buffer_availableregion(&xfr->buf, &r);
 		INSIST(r.length >= xfr->qname->length);
 		r.length = xfr->qname->length;
 		isc_buffer_putmem(&xfr->buf, xfr->qname->ndata,
@@ -1258,7 +1279,7 @@ sendstream(xfrout_ctx_t *xfr)
 		xfr->stream->methods->current(xfr->stream,
 					      &name, &ttl, &rdata);
 		size = name->length + 10 + rdata->length;
-		isc_buffer_available(&xfr->buf, &r);
+		isc_buffer_availableregion(&xfr->buf, &r);
 		if (size >= r.length) {
 			/*
 			 * RR would not fit.  If there are other RRs in the 
@@ -1273,10 +1294,9 @@ sendstream(xfrout_ctx_t *xfr)
 			 * slave.
 			 */
 			if (n_rrs == 0) {
-				isc_log_write(XFROUT_COMMON_LOGARGS,
-					      ISC_LOG_WARNING,
-					      "RR too large for zone transfer "
-					      "(%d bytes)", size);
+				xfrout_log(xfr, ISC_LOG_WARNING, 
+					   "RR too large for zone transfer "
+					   "(%d bytes)", size);
 				/* XXX DNS_R_RRTOOLARGE? */
 				result = ISC_R_NOSPACE;
 				goto failure;
@@ -1288,7 +1308,7 @@ sendstream(xfrout_ctx_t *xfr)
 		
 		dns_message_gettempname(msg, &msgname);
 		dns_name_init(msgname, NULL);
-		isc_buffer_available(&xfr->buf, &r);
+		isc_buffer_availableregion(&xfr->buf, &r);
 		INSIST(r.length >= name->length);
 		r.length = name->length;
 		isc_buffer_putmem(&xfr->buf, name->ndata, name->length);
@@ -1298,7 +1318,7 @@ sendstream(xfrout_ctx_t *xfr)
 		isc_buffer_add(&xfr->buf, 10);
 		
 		dns_message_gettemprdata(msg, &msgrdata);
-		isc_buffer_available(&xfr->buf, &r);
+		isc_buffer_availableregion(&xfr->buf, &r);
 		r.length = rdata->length;
 		isc_buffer_putmem(&xfr->buf, rdata->data, rdata->length);
 		dns_rdata_init(msgrdata);
@@ -1316,14 +1336,14 @@ sendstream(xfrout_ctx_t *xfr)
 		dns_message_gettemprdataset(msg, &msgrds);
 		dns_rdataset_init(msgrds);
 		result = dns_rdatalist_tordataset(msgrdl, msgrds);
-		INSIST(result == DNS_R_SUCCESS);
+		INSIST(result == ISC_R_SUCCESS);
 
 		ISC_LIST_APPEND(msgname->list, msgrds, link);
 
 		dns_message_addname(msg, msgname, DNS_SECTION_ANSWER);
 
 		result = xfr->stream->methods->next(xfr->stream);
-		if (result == DNS_R_NOMORE) {
+		if (result == ISC_R_NOMORE) {
 			xfr->end_of_stream = ISC_TRUE;
 			break;
 		}
@@ -1339,21 +1359,21 @@ sendstream(xfrout_ctx_t *xfr)
 		CHECK(dns_message_rendersection(msg, DNS_SECTION_ANSWER, 0));
 		CHECK(dns_message_renderend(msg));
 		
-		isc_buffer_used(&xfr->txbuf, &used);
+		isc_buffer_usedregion(&xfr->txbuf, &used);
 		isc_buffer_putuint16(&xfr->txlenbuf, used.length);
 		region.base = xfr->txlenbuf.base;
 		region.length = 2 + used.length;
-		isc_log_write(XFROUT_DEBUG_LOGARGS(8),
-			      "sending zone transfer TCP message of %d bytes",
-			      used.length);
+		xfrout_log(xfr, ISC_LOG_DEBUG(8), 
+			   "sending TCP message of %d bytes",
+			   used.length);
 		CHECK(isc_socket_send(xfr->client->tcpsocket, /* XXX */
 				      &region, xfr->client->task,
 				      xfrout_senddone,
 				      xfr));
 		xfr->sends++;
 	} else {
-		isc_log_write(XFROUT_DEBUG_LOGARGS(8),
-			      "sending IXFR UDP response");
+		xfrout_log(xfr, ISC_LOG_DEBUG(8),
+			   "sending IXFR UDP response");
 		/* XXX kludge */
 		dns_message_destroy(&xfr->client->message);
 		xfr->client->message = msg;
@@ -1385,7 +1405,7 @@ sendstream(xfrout_ctx_t *xfr)
 	if (msg != NULL) {
 		dns_message_destroy(&msg);
 	}
-	if (result == DNS_R_SUCCESS)
+	if (result == ISC_R_SUCCESS)
 		return;
 
 	xfrout_fail(xfr, result, "sending zone data");
@@ -1426,15 +1446,19 @@ xfrout_ctx_destroy(xfrout_ctx_t **xfrp) {
 
 static void
 xfrout_senddone(isc_task_t *task, isc_event_t *event) {
-	isc_socketevent_t *sev = (isc_socketevent_t *) event;	
-	xfrout_ctx_t *xfr = (xfrout_ctx_t *) event->arg;
+	isc_socketevent_t *sev = (isc_socketevent_t *)event;	
+	xfrout_ctx_t *xfr = (xfrout_ctx_t *)event->ev_arg;
 	isc_result_t evresult = sev->result;
+
 	UNUSED(task);
-	INSIST(event->type == ISC_SOCKEVENT_SENDDONE);
+
+	INSIST(event->ev_type == ISC_SOCKEVENT_SENDDONE);
+
 	isc_event_free(&event);
 	xfr->sends--;
 	INSIST(xfr->sends == 0);
-	(void) isc_timer_touch(xfr->client->timer);
+
+	(void)isc_timer_touch(xfr->client->timer);
 	if (xfr->shuttingdown == ISC_TRUE) {
 		xfrout_maybe_destroy(xfr);
 	} else if (evresult != ISC_R_SUCCESS) {
@@ -1443,20 +1467,18 @@ xfrout_senddone(isc_task_t *task, isc_event_t *event) {
 		sendstream(xfr);
 	} else {
 		/* End of zone transfer stream. */
-		isc_log_write(XFROUT_DEBUG_LOGARGS(6),
-			      "end of outgoing zone transfer");
-		ns_client_next(xfr->client, DNS_R_SUCCESS);
+		xfrout_log(xfr, ISC_LOG_DEBUG(6),
+			   "end of transfer");
+		ns_client_next(xfr->client, ISC_R_SUCCESS);
 		xfrout_ctx_destroy(&xfr);
 	}
 }
 
 static void
-xfrout_fail(xfrout_ctx_t *xfr, isc_result_t result, char *msg)
-{
+xfrout_fail(xfrout_ctx_t *xfr, isc_result_t result, char *msg) {
 	xfr->shuttingdown = ISC_TRUE;
-	isc_log_write(XFROUT_COMMON_LOGARGS, ISC_LOG_ERROR,
-		      "outgoing zone transfer: %s: %s",
-		      msg, isc_result_totext(result));
+	xfrout_log(xfr, ISC_LOG_ERROR, "%s: %s",
+		   msg, isc_result_totext(result));
 	xfrout_maybe_destroy(xfr);
 }
 
@@ -1477,8 +1499,49 @@ xfrout_maybe_destroy(xfrout_ctx_t *xfr) {
 }
 
 static void
-xfrout_client_shutdown(void *arg, isc_result_t result)
-{
+xfrout_client_shutdown(void *arg, isc_result_t result) {
 	xfrout_ctx_t *xfr = (xfrout_ctx_t *) arg;
 	xfrout_fail(xfr, result, "aborted");
 }
+
+/*
+ * Log outgoing zone transfer messages in a format like
+ * <client>: transfer of <zone>: <message> 
+ */
+static void
+xfrout_logv(ns_client_t *client, dns_name_t *zonename, int level,
+	    const char *fmt, va_list ap)
+{
+	char msgbuf[2048];
+	char namebuf[1024];
+
+	dns_name_format(zonename, namebuf, sizeof(namebuf));
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT,
+		      NS_LOGMODULE_XFER_OUT, level,
+		      "transfer of '%s': %s", namebuf, msgbuf);
+}
+
+/*
+ * Logging function for use when a xfrout_ctx_t has not yet been created.
+ */
+static void
+xfrout_log1(ns_client_t *client, dns_name_t *zonename, int level,
+	    const char *fmt, ...)
+{
+        va_list ap;
+	va_start(ap, fmt);
+	xfrout_logv(client, zonename, level, fmt, ap);
+	va_end(ap);
+}
+
+/*
+ * Logging function for use when there is a xfrout_ctx_t.
+ */
+static void
+xfrout_log(xfrout_ctx_t *xfr, unsigned int level, const char *fmt, ...) {
+        va_list ap;
+	va_start(ap, fmt);
+	xfrout_logv(xfr->client, xfr->qname, level, fmt, ap);
+	va_end(ap);
+}
diff --git a/bin/rndc/Makefile.in b/bin/rndc/Makefile.in
index fe5967fc..90a3c507 100644
--- a/bin/rndc/Makefile.in
+++ b/bin/rndc/Makefile.in
@@ -27,12 +27,17 @@ CINCLUDES =	-I${top_srcdir}/bin/named/include \
 CDEFINES =	
 CWARNINGS =
 
-DEPLIBS =	../../lib/omapi/libomapi.@A@ \
-		../../lib/dns/libdns.@A@ \
-		../../lib/isc/libisc.@A@
+OMAPILIBS =	../../lib/omapi/libomapi.@A@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@
 
-LIBS =		${DEPLIBS} \
-		@LIBS@
+OMAPIDEPLIBS =	../../lib/omapi/libomapi.@A@
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+
+DEPLIBS =	${OMAPIDEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${OMAPILIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
 
 TARGETS =	rndc
 
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index 77ac7540..7af7e722 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -15,27 +15,29 @@
  * SOFTWARE.
  */
 
-/* $Id: rndc.c,v 1.7 2000/03/18 00:53:11 tale Exp $ */
+/* $Id: rndc.c,v 1.11 2000/05/08 14:33:19 tale Exp $ */
 
 /* 
  * Principal Author: DCL
  */
 
-#include <stdio.h>
+#include <config.h>
+
 #include <stdlib.h>
-#include <stdarg.h>
-#include <string.h>
 
-#include <isc/assertions.h>
 #include <isc/commandline.h>
 #include <isc/mem.h>
 #include <isc/socket.h>
+#include <isc/string.h>
 #include <isc/task.h>
 #include <isc/util.h>
 
+#include <dns/confndc.h>
+
 #include <named/omapi.h>
 
 char *progname;
+char *conffile = "/etc/rndc.conf";
 isc_mem_t *mctx;
 
 typedef struct ndc_object {
@@ -207,7 +209,7 @@ ndc_signalhandler(omapi_object_t *handle, const char *name, va_list ap) {
 static void
 usage(void) {
 	fprintf(stderr, "\
-Usage: %s [-p port] [-m] server command [command ...]\n\
+Usage: %s [-c config] [-s server] [-p port] [-m] command [command ...]\n\
 \n\
 Where command is one of the following for named:\n\
 \n\
@@ -230,21 +232,31 @@ Where command is one of the following for named:\n\
 	do { \
 		if (result == ISC_R_SUCCESS) { \
 			result = function; \
-			if (result != ISC_R_SUCCESS) \
+			if (result != ISC_R_SUCCESS) { \
 				fprintf(stderr, "%s: %s: %s\n", progname, \
 					name, isc_result_totext(result)); \
+				exit(1); \
+			} \
 		} \
 	} while (0)
 
 int
 main(int argc, char **argv) {
-	isc_socketmgr_t *socketmgr;
-	isc_taskmgr_t *taskmgr;
-	omapi_object_t *omapimgr = NULL;
 	isc_boolean_t show_final_mem = ISC_FALSE;
 	isc_result_t result = ISC_R_SUCCESS;
-	char *command, *server;
+	isc_socketmgr_t *socketmgr = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	omapi_object_t *omapimgr = NULL;
+	dns_c_ndcctx_t *config = NULL;
+	dns_c_ndcopts_t *configopts = NULL;
+	dns_c_ndcserver_t *server = NULL;
+	dns_c_kdeflist_t *keys = NULL;
+	dns_c_kdef_t *key = NULL;
+	char *command;
+	const char *servername = NULL, *keyname = NULL;
+	const char *host = NULL, *secret = NULL;
 	unsigned int port = NS_OMAPI_PORT;
+	unsigned int algorithm;
 	int ch;
 
 	progname = strrchr(*argv, '/');
@@ -253,8 +265,12 @@ main(int argc, char **argv) {
 	else
 		progname = *argv;
 
-	while ((ch = isc_commandline_parse(argc, argv, "mp:")) != -1) {
+	while ((ch = isc_commandline_parse(argc, argv, "c:mp:s:")) != -1) {
 		switch (ch) {
+		case 'c':
+			conffile = isc_commandline_argument;
+			break;
+
 		case 'm':
 			show_final_mem = ISC_TRUE;
 			break;
@@ -268,6 +284,10 @@ main(int argc, char **argv) {
 			}
 			break;
 
+		case 's':
+			servername = isc_commandline_argument;
+			break;
+
 		case '?':
 			usage();
 			exit(1);
@@ -283,17 +303,64 @@ main(int argc, char **argv) {
 	argc -= isc_commandline_index;
 	argv += isc_commandline_index;
 
-	if (argc < 2) {
+	if (argc < 1) {
 		usage();
 		exit(1);
 	}
 
-	server = *argv;
-
 	DO("create memory context", isc_mem_create(0, 0, &mctx));
 	DO("create socket manager", isc_socketmgr_create(mctx, &socketmgr));
 	DO("create task manager", isc_taskmgr_create(mctx, 1, 0, &taskmgr));
 
+	DO("parse configuration", dns_c_ndcparseconf(conffile, mctx, &config));
+
+	(void)dns_c_ndcctx_getoptions(config, &configopts);
+
+	if (servername == NULL)
+		result = dns_c_ndcopts_getdefserver(configopts, &servername);
+
+	if (servername != NULL)
+		result = dns_c_ndcctx_getserver(config, servername, &server);
+	else {
+		fprintf(stderr, "%s: no server specified and no default\n",
+			progname);
+		exit (1);
+	}
+
+	if (server != NULL)
+		DO("get key for server", dns_c_ndcserver_getkey(server,
+								&keyname));
+	else if (configopts != NULL)
+		DO("get default key",
+		   dns_c_ndcopts_getdefkey(configopts, &keyname));
+	else {
+		fprintf(stderr, "%s: no key for server and no default\n",
+			progname);
+		exit(1);
+	}
+
+	DO("get config key list", dns_c_ndcctx_getkeys(config, &keys));
+	DO("get key definition", dns_c_kdeflist_find(keys, keyname, &key));
+
+	/* XXX need methods for structure access? */
+	INSIST(key->secret != NULL);
+	INSIST(key->algorithm != NULL);
+
+	secret = key->secret;
+	if (strcasecmp(key->algorithm, "hmac-md5") == 0)
+		algorithm = OMAPI_AUTH_HMACMD5;
+	else {
+		fprintf(stderr, "%s: unsupported algorithm: %s\n",
+			progname, key->algorithm);
+		exit(1);
+	}
+
+	if (server != NULL)
+		(void)dns_c_ndcserver_gethost(server, &host);
+
+	if (host == NULL)
+		host = servername;
+
 	DO("initialize omapi",  omapi_lib_init(mctx, taskmgr, socketmgr));
 
 	DO("register omapi object",
@@ -314,10 +381,15 @@ main(int argc, char **argv) {
 	ndc_g_ndc.refcnt = 1;
 	ndc_g_ndc.type = ndc_type;
 
-	DO("create protocol manager",
-	   omapi_object_create(&omapimgr, NULL, 0));
+	DO("register local authenticator",
+	   omapi_auth_register(keyname, secret, algorithm));
+
+	DO("create protocol manager", omapi_object_create(&omapimgr, NULL, 0));
+
+	DO("connect", omapi_protocol_connect(omapimgr, host, port, NULL));
 
-	DO("connect", omapi_protocol_connect(omapimgr, server, port, NULL));
+	DO("send remote authenticator",
+	   omapi_auth_use(omapimgr, keyname, algorithm));
 
 	/*
 	 * Preload the waitresult as successful.
diff --git a/bin/rndc/rndc.conf b/bin/rndc/rndc.conf
new file mode 100644
index 00000000..09400a52
--- /dev/null
+++ b/bin/rndc/rndc.conf
@@ -0,0 +1,13 @@
+options {
+        default-server  localhost;
+        default-key     "key";
+};
+
+server localhost {
+        key     "key";
+};
+
+key "key" {
+        algorithm       hmac-md5;
+        secret          "strong enough for a man, but made for a woman";
+};
diff --git a/bin/tests/.cvsignore b/bin/tests/.cvsignore
index 9af1e974..4dbf41f5 100644
--- a/bin/tests/.cvsignore
+++ b/bin/tests/.cvsignore
@@ -3,21 +3,26 @@ Makefile
 *.la
 *.lo
 adb_test
+byaddr_test
+byname_test
 compress_test
 db_test
 dispatch_tcp_test
 dispatch_test
 gxba_test
 gxbn_test
-keygen
+headerdep_test.sh
+inter_test
 lex_test
 lfsr_test
 log_test
 lwres_test
+lwresconf_test
 master_test
 mem_test
 mempool_test
 name_test
+ndcconf_test
 nconf_test
 nxtify
 omapi_test
@@ -29,7 +34,6 @@ rwlock_test
 sdig
 serial_test
 shutdown_test
-signer
 sock_test
 sym_test
 t_journal
@@ -39,6 +43,3 @@ tkey_test
 wire_test
 zone2_test
 zone_test
-byaddr_test
-inter_test
-byname_test
diff --git a/bin/tests/Makefile.in b/bin/tests/Makefile.in
index abd46a1e..52b594b7 100644
--- a/bin/tests/Makefile.in
+++ b/bin/tests/Makefile.in
@@ -25,7 +25,7 @@ CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} ${LWRES_INCLUDES} \
 CDEFINES =
 CWARNINGS =
 
-DNSLIBS =	../../lib/dns/libdns.@A@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@
 ISCLIBS =	../../lib/isc/libisc.@A@
 OMAPILIBS =	../../lib/omapi/libomapi.@A@
 LWRESLIBS =	../../lib/lwres/liblwres.@A@
@@ -40,8 +40,11 @@ LIBS =		@LIBS@
 SUBDIRS = db dst master mem names rbt sockaddr tasks timers
 
 # Alphabetically
-TARGETS =	keygen sdig signer
+TARGETS =	
+
 XTARGETS =	adb_test \
+		byaddr_test \
+		byname_test \
 		compress_test \
 		db_test \
 		dispatch_tcp_test \
@@ -53,7 +56,7 @@ XTARGETS =	adb_test \
 		lfsr_test \
 		log_test \
 		lwres_test \
-		lwres_conftest \
+		lwresconf_test \
 		master_test \
 		mempool_test \
 		name_test \
@@ -68,17 +71,18 @@ XTARGETS =	adb_test \
 		sdig \
 		serial_test \
 		shutdown_test \
-		signer \
 		sock_test \
 		sym_test \
 		task_test \
 		timer_test \
 		tkey_test \
 		wire_test \
-		zone_test
+		zone2_test
 
 # Alphabetically
 SRCS =		adb_test.c \
+		byaddr_test.c \
+		byname_test.c \
 		compress_test.c \
 		db_test.c \
 		dispatch_tcp_test.c \
@@ -86,12 +90,11 @@ SRCS =		adb_test.c \
 		gxba_test.c \
 		gxbn_test.c \
 		inter_test.c \
-		keygen.c \
 		lex_test.c \
 		lfsr_test.c \
 		log_test.c \
-		lwres_conftest.c \
 		lwres_test.c \
+		lwresconf_test.c \
 		master_test.c \
 		mempool_test.c \
 		name_test.c \
@@ -107,7 +110,6 @@ SRCS =		adb_test.c \
 		sdig.c \
 		serial_test.c \
 		shutdown_test.c \
-		signer.c \
 		sock_test.c \
 		sym_test.c \
 		task_test.c \
@@ -133,18 +135,6 @@ nxtify: nxtify.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
 	${LIBTOOL} ${CC} ${CFLAGS} -o $@ nxtify.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-signer: signer.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL} ${CC} ${CFLAGS} -o $@ signer.@O@ \
-		${DNSLIBS} ${ISCLIBS} ${LIBS}
-
-keygen: keygen.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL} ${CC} ${CFLAGS} -o $@ keygen.@O@ \
-		${DNSLIBS} ${ISCLIBS} ${LIBS}
-
-res_test: res_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL} ${CC} ${CFLAGS} -o $@ res_test.@O@ \
-		${DNSLIBS} ${ISCLIBS} ${LIBS}
-
 byaddr_test: byaddr_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
 	${LIBTOOL} ${CC} ${CFLAGS} -o $@ byaddr_test.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
@@ -241,12 +231,12 @@ zone_test: zone_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
 	${LIBTOOL} ${CC} ${CFLAGS} -o $@ zone_test.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-dispatch_test: dispatch_test.@O@ printmsg.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL} ${CC} ${CFLAGS} -o $@ dispatch_test.@O@ printmsg.@O@ \
+dispatch_test: dispatch_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL} ${CC} ${CFLAGS} -o $@ dispatch_test.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-dispatch_tcp_test: dispatch_tcp_test.@O@ printmsg.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL} ${CC} ${CFLAGS} -o $@ dispatch_tcp_test.@O@ printmsg.@O@ \
+dispatch_tcp_test: dispatch_tcp_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL} ${CC} ${CFLAGS} -o $@ dispatch_tcp_test.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
 nconf_test: nconf_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
@@ -265,8 +255,8 @@ inter_test: inter_test.@O@ ${ISCDEPLIBS}
 	${LIBTOOL} ${CC} ${CFLAGS} -o $@ inter_test.@O@ \
 		${ISCLIBS} ${LIBS}
 
-lwres_conftest: lwres_conftest.@O@ ${ISCDEPLIBS} ${LWRESDEPLIBS}
-	${LIBTOOL} ${CC} ${CFLAGS} -o $@ lwres_conftest.@O@ \
+lwresconf_test: lwresconf_test.@O@ ${ISCDEPLIBS} ${LWRESDEPLIBS}
+	${LIBTOOL} ${CC} ${CFLAGS} -o $@ lwresconf_test.@O@ \
 		${LWRESLIBS} ${ISCLIBS} ${LIBS}
 
 lwres_test: lwres_test.@O@ ${ISCDEPLIBS} ${LWRESDEPLIBS}
@@ -281,6 +271,9 @@ gxba_test: gxba_test.@O@ ${LWRESDEPLIBS}
 	${LIBTOOL} ${CC} ${CFLAGS} -o $@ gxba_test.@O@ \
 		${LWRESLIBS} ${ISCLIBS} ${LIBS}
 
+distclean::
+	rm -f headerdep_test.sh
+
 clean distclean::
 	rm -f ${TARGETS} ${XTARGETS}
 	rm -f t_journal
diff --git a/bin/tests/adb_test.c b/bin/tests/adb_test.c
index bab49b4b..abcf5a6e 100644
--- a/bin/tests/adb_test.c
+++ b/bin/tests/adb_test.c
@@ -17,31 +17,23 @@
 
 #include <config.h>
 
-#include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
-#include <string.h>
 
 #include <isc/app.h>
-#include <isc/assertions.h>
 #include <isc/buffer.h>
-#include <isc/error.h>
-#include <isc/mem.h>
 #include <isc/task.h>
-#include <isc/thread.h>
 #include <isc/timer.h>
-#include <isc/result.h>
-#include <isc/sockaddr.h>
 #include <isc/socket.h>
-#include <isc/net.h>
+#include <isc/util.h>
 
 #include <dns/adb.h>
 #include <dns/cache.h>
+#include <dns/dispatch.h>
 #include <dns/db.h>
-#include <dns/master.h>
 #include <dns/log.h>
-#include <dns/name.h>
 #include <dns/rootns.h>
+#include <dns/result.h>
 
 typedef struct client client_t;
 struct client {
@@ -53,9 +45,11 @@ struct client {
 isc_mem_t *mctx;
 isc_mempool_t *cmp;
 isc_log_t *lctx;
+isc_logconfig_t *lcfg;
 isc_taskmgr_t *taskmgr;
 isc_socketmgr_t *socketmgr;
 isc_timermgr_t *timermgr;
+dns_dispatchmgr_t *dispatchmgr;
 isc_task_t *t1, *t2;
 dns_view_t *view;
 dns_db_t *rootdb;
@@ -64,20 +58,8 @@ isc_mutex_t client_lock;
 isc_stdtime_t now;
 dns_adb_t *adb;
 
-static void check_result(isc_result_t, char *, ...);
-isc_result_t ns_rootns_init(void);
-void create_managers(void);
-static void lookup_callback(isc_task_t *, isc_event_t *);
-void create_view(void);
-client_t *new_client(void);
-void free_client(client_t **);
-static inline void CLOCK(void);
-static inline void CUNLOCK(void);
-void lookup(char *);
-
 static void
-check_result(isc_result_t result, char *format, ...)
-{
+check_result(isc_result_t result, char *format, ...) {
 	va_list args;
 
 	if (result == ISC_R_SUCCESS)
@@ -90,9 +72,8 @@ check_result(isc_result_t result, char *format, ...)
 	exit(1);
 }
 
-client_t *
-new_client(void)
-{
+static client_t *
+new_client(void) {
 	client_t *client;
 
 	client = isc_mempool_get(cmp);
@@ -104,9 +85,8 @@ new_client(void)
 	return (client);
 }
 
-void
-free_client(client_t **c)
-{
+static void
+free_client(client_t **c) {
 	client_t *client;
 
 	INSIST(c != NULL);
@@ -121,27 +101,24 @@ free_client(client_t **c)
 }
 
 static inline void
-CLOCK(void)
-{
+CLOCK(void) {
 	RUNTIME_CHECK(isc_mutex_lock(&client_lock) == ISC_R_SUCCESS);
 }
 
 static inline void
-CUNLOCK(void)
-{
+CUNLOCK(void) {
 	RUNTIME_CHECK(isc_mutex_unlock(&client_lock) == ISC_R_SUCCESS);
 }
 
 static void
-lookup_callback(isc_task_t *task, isc_event_t *ev)
-{
+lookup_callback(isc_task_t *task, isc_event_t *ev) {
 	client_t *client;
 
-	client = ev->arg;
-	INSIST(client->find == ev->sender);
+	client = ev->ev_arg;
+	INSIST(client->find == ev->ev_sender);
 
 	printf("Task %p got event %p type %08x from %p, client %p\n",
-	       task, ev, ev->type, client->find, client);
+	       task, ev, ev->ev_type, client->find, client);
 
 	isc_event_free(&ev);
 
@@ -156,9 +133,8 @@ lookup_callback(isc_task_t *task, isc_event_t *ev)
 	CUNLOCK();
 }
 
-void
-create_managers(void)
-{
+static void
+create_managers(void) {
 	isc_result_t result;
 
 	taskmgr = NULL;
@@ -172,11 +148,14 @@ create_managers(void)
 	socketmgr = NULL;
 	result = isc_socketmgr_create(mctx, &socketmgr);
 	check_result(result, "isc_socketmgr_create");
+
+	dispatchmgr = NULL;
+	result = dns_dispatchmgr_create(mctx, &dispatchmgr);
+	check_result(result, "dns_dispatchmgr_create");
 }
 
-void
-create_view(void)
-{
+static void
+create_view(void) {
 	dns_cache_t *cache;
 	isc_result_t result;
 
@@ -204,7 +183,7 @@ create_view(void)
 	 * see if we are dealing with a shared dispatcher in this view.
 	 */
 	result = dns_view_createresolver(view, taskmgr, 16, socketmgr,
-					 timermgr, 0, NULL, NULL);
+					 timermgr, 0, dispatchmgr, NULL, NULL);
 	check_result(result, "dns_view_createresolver()");
 
 	rootdb = NULL;
@@ -216,9 +195,8 @@ create_view(void)
 	dns_view_freeze(view);
 }
 
-void
-lookup(char *target)
-{
+static void
+lookup(char *target) {
 	dns_name_t name;
 	unsigned char namedata[256];
 	client_t *client;
@@ -229,10 +207,9 @@ lookup(char *target)
 	INSIST(target != NULL);
 
 	client = new_client();
-	isc_buffer_init(&t, target, strlen(target), ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&t, target, strlen(target));
 	isc_buffer_add(&t, strlen(target));
-	isc_buffer_init(&namebuf, namedata, sizeof namedata,
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&namebuf, namedata, sizeof(namedata));
 	dns_name_init(&name, NULL);
 	result = dns_name_fromtext(&name, &t, dns_rootname, ISC_FALSE,
 				   &namebuf);
@@ -262,13 +239,12 @@ lookup(char *target)
 }
 
 int
-main(int argc, char **argv)
-{
+main(int argc, char **argv) {
 	isc_result_t result;
 	isc_logdestination_t destination;
 
-	(void)argc;
-	(void)argv;
+	UNUSED(argc);
+	UNUSED(argv);
 
 	dns_result_register();
 	result = isc_app_start();
@@ -291,11 +267,11 @@ main(int argc, char **argv)
 		      == ISC_R_SUCCESS);
 	isc_mempool_setname(cmp, "adb test clients");
 
-	result = isc_log_create(mctx, &lctx);
+	result = isc_log_create(mctx, &lctx, &lcfg);
 	check_result(result, "isc_log_create()");
-
-	result = dns_log_init(lctx);
-	check_result(result, "dns_log_init()");
+	isc_log_setcontext(lctx);
+	dns_log_init(lctx);
+	dns_log_setcontext(lctx);
 
 	/*
 	 * Create and install the default channel.
@@ -304,12 +280,12 @@ main(int argc, char **argv)
 	destination.file.name = NULL;
 	destination.file.versions = ISC_LOG_ROLLNEVER;
 	destination.file.maximum_size = 0;
-	result = isc_log_createchannel(lctx, "_default",
+	result = isc_log_createchannel(lcfg, "_default",
 				       ISC_LOG_TOFILEDESC,
 				       ISC_LOG_DYNAMIC,
 				       &destination, ISC_LOG_PRINTTIME);
 	check_result(result, "isc_log_createchannel()");
-	result = isc_log_usechannel(lctx, "_default", NULL, NULL);
+	result = isc_log_usechannel(lcfg, "_default", NULL, NULL);
 	check_result(result, "isc_log_usechannel()");
 
 	/*
@@ -320,10 +296,10 @@ main(int argc, char **argv)
 	create_managers();
 
 	t1 = NULL;
-	result = isc_task_create(taskmgr, NULL, 0, &t1);
+	result = isc_task_create(taskmgr, 0, &t1);
 	check_result(result, "isc_task_create t1");
 	t2 = NULL;
-	result = isc_task_create(taskmgr, NULL, 0, &t2);
+	result = isc_task_create(taskmgr, 0, &t2);
 	check_result(result, "isc_task_create t2");
 
 	printf("task 1 = %p\n", t1);
diff --git a/bin/tests/byaddr_test.c b/bin/tests/byaddr_test.c
index c984f8b8..71e0a34c 100644
--- a/bin/tests/byaddr_test.c
+++ b/bin/tests/byaddr_test.c
@@ -21,20 +21,12 @@
 
 #include <config.h>
 
-#include <stddef.h>
 #include <stdlib.h>
-#include <string.h>
 
 #include <isc/app.h>
-#include <isc/assertions.h>
-#include <isc/boolean.h>
-#include <isc/buffer.h>
 #include <isc/commandline.h>
-#include <isc/error.h>
-#include <isc/mutex.h>
-#include <isc/net.h>
+#include <isc/mem.h>
 #include <isc/netaddr.h>
-#include <isc/socket.h>
 #include <isc/task.h>
 #include <isc/timer.h>
 #include <isc/util.h>
@@ -43,11 +35,8 @@
 #include <dns/cache.h>
 #include <dns/dispatch.h>
 #include <dns/events.h>
-#include <dns/fixedname.h>
-#include <dns/name.h>
 #include <dns/resolver.h>
 #include <dns/result.h>
-#include <dns/types.h>
 #include <dns/view.h>
 
 static void
@@ -60,7 +49,7 @@ done(isc_task_t *task, isc_event_t *event) {
 	isc_result_t result;
 	isc_region_t r;
 
-	REQUIRE(event->type == DNS_EVENT_BYADDRDONE);
+	REQUIRE(event->ev_type == DNS_EVENT_BYADDRDONE);
 	bevent = (dns_byaddrevent_t *)event;
 
 	(void)task;
@@ -69,8 +58,7 @@ done(isc_task_t *task, isc_event_t *event) {
 	       isc_result_totext(bevent->result));
 
 	if (bevent->result == ISC_R_SUCCESS) {
-		isc_buffer_init(&buffer, textname, sizeof textname,
-				ISC_BUFFERTYPE_TEXT);
+		isc_buffer_init(&buffer, textname, sizeof(textname));
 		for (name = ISC_LIST_HEAD(bevent->names);
 		     name != NULL;
 		     name = ISC_LIST_NEXT(name, link)) {
@@ -81,12 +69,12 @@ done(isc_task_t *task, isc_event_t *event) {
 				       isc_result_totext(result));
 				break;
 			}
-			isc_buffer_used(&buffer, &r);
+			isc_buffer_usedregion(&buffer, &r);
 			printf("%.*s\n", (int)r.length, r.base);
 		}
 	}
 
-	byaddr = event->sender;
+	byaddr = event->ev_sender;
 	dns_byaddr_destroy(&byaddr);
 	isc_event_free(&event);
 
@@ -104,6 +92,7 @@ main(int argc, char *argv[]) {
 	dns_view_t *view;
 	int ch;
 	isc_socketmgr_t *socketmgr;
+	dns_dispatchmgr_t *dispatchmgr;
 	isc_netaddr_t na;
 	dns_byaddr_t *byaddr;
 	isc_result_t result;
@@ -138,11 +127,15 @@ main(int argc, char *argv[]) {
 	}
 
 	taskmgr = NULL;
-	RUNTIME_CHECK(isc_taskmgr_create(mctx, workers, 0, &taskmgr) ==
-		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_taskmgr_create(mctx, workers, 0, &taskmgr)
+		      == ISC_R_SUCCESS);
 	task = NULL;
-	RUNTIME_CHECK(isc_task_create(taskmgr, mctx, 0, &task) ==
-		      ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &task)
+		      == ISC_R_SUCCESS);
+
+	dispatchmgr = NULL;
+	RUNTIME_CHECK(dns_dispatchmgr_create(mctx, &dispatchmgr)
+		      == ISC_R_SUCCESS);
 
 	timermgr = NULL;
 	RUNTIME_CHECK(isc_timermgr_create(mctx, &timermgr) == ISC_R_SUCCESS);
@@ -159,8 +152,9 @@ main(int argc, char *argv[]) {
 				      &view) == ISC_R_SUCCESS);
 
 	RUNTIME_CHECK(dns_view_createresolver(view, taskmgr, 10, socketmgr,
-					      timermgr, 0, NULL, NULL) ==
-		      DNS_R_SUCCESS);
+					      timermgr, 0,
+					      dispatchmgr, NULL, NULL) ==
+		      ISC_R_SUCCESS);
 
 	{
 		struct in_addr ina;
diff --git a/bin/tests/byname_test.c b/bin/tests/byname_test.c
index 16eb621c..8be21186 100644
--- a/bin/tests/byname_test.c
+++ b/bin/tests/byname_test.c
@@ -24,39 +24,21 @@
 
 #include <config.h>
 
-#include <stddef.h>
 #include <stdlib.h>
-#include <string.h>
 
-#include <isc/assertions.h>
-#include <isc/buffer.h>
+#include <isc/app.h>
 #include <isc/commandline.h>
-#include <isc/error.h>
 #include <isc/task.h>
 #include <isc/timer.h>
-#include <isc/app.h>
-#include <isc/mutex.h>
-#include <isc/boolean.h>
-#include <isc/net.h>
-#include <isc/region.h>
-#include <isc/sockaddr.h>
-#include <isc/socket.h>
 #include <isc/util.h>
-#include <isc/netaddr.h>
-#include <isc/log.h>
 
-#include <dns/types.h>
-#include <dns/result.h>
 #include <dns/adb.h>
 #include <dns/cache.h>
-#include <dns/name.h>
-#include <dns/fixedname.h>
-#include <dns/resolver.h>
-#include <dns/events.h>
 #include <dns/dispatch.h>
-#include <dns/byaddr.h>
-#include <dns/view.h>
+#include <dns/events.h>
 #include <dns/log.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
 
 static isc_mem_t *mctx = NULL;
 static dns_view_t *view = NULL;
@@ -65,6 +47,7 @@ static isc_task_t *task = NULL;
 static dns_fixedname_t name;
 static dns_fixedname_t target;
 static isc_log_t *lctx;
+static isc_logconfig_t *lcfg;
 static unsigned int level = 0;
 
 static void adb_callback(isc_task_t *task, isc_event_t *event);
@@ -77,8 +60,10 @@ log_init(void) {
 	/*
 	 * Setup a logging context.
 	 */
-	RUNTIME_CHECK(isc_log_create(mctx, &lctx) == ISC_R_SUCCESS);
-	RUNTIME_CHECK(dns_log_init(lctx) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_log_create(mctx, &lctx, &lcfg) == ISC_R_SUCCESS);
+	isc_log_setcontext(lctx);
+	dns_log_init(lctx);
+	dns_log_setcontext(lctx);
 
 	/*
 	 * Create and install the default channel.
@@ -88,12 +73,12 @@ log_init(void) {
 	destination.file.versions = ISC_LOG_ROLLNEVER;
 	destination.file.maximum_size = 0;
 	flags = ISC_LOG_PRINTTIME;
-	RUNTIME_CHECK(isc_log_createchannel(lctx, "_default",
+	RUNTIME_CHECK(isc_log_createchannel(lcfg, "_default",
 					    ISC_LOG_TOFILEDESC,
 					    ISC_LOG_DYNAMIC,
 					    &destination, flags) ==
 		      ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc_log_usechannel(lctx, "_default", NULL, NULL) ==
+	RUNTIME_CHECK(isc_log_usechannel(lcfg, "_default", NULL, NULL) ==
 		      ISC_R_SUCCESS);
 	isc_log_setdebuglevel(lctx, level);
 }
@@ -106,7 +91,7 @@ print_addresses(dns_adbfind_t *find) {
 	isc_region_t r;
 	char text[1024];
 
-	isc_buffer_init(&b, text, sizeof text, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&b, text, sizeof(text));
 
 	for (address = ISC_LIST_HEAD(find->list);
 	     address != NULL;
@@ -114,7 +99,7 @@ print_addresses(dns_adbfind_t *find) {
 		isc_buffer_clear(&b);
 		result = isc_sockaddr_totext(address->sockaddr, &b);
 		if (result == ISC_R_SUCCESS) {
-			isc_buffer_used(&b, &r);
+			isc_buffer_usedregion(&b, &r);
 			printf("%.*s\n", (int)r.length, r.base);
 		} else
 			printf("isc_sockaddr_totext() failed: %s\n",
@@ -129,11 +114,11 @@ print_name(dns_name_t *name) {
 	isc_region_t r;
 	char text[1024];
 
-	isc_buffer_init(&b, text, sizeof text, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&b, text, sizeof(text));
 
 	result = dns_name_totext(name, ISC_FALSE, &b);
 	if (result == ISC_R_SUCCESS) {
-		isc_buffer_used(&b, &r);
+		isc_buffer_usedregion(&b, &r);
 		printf("%.*s\n", (int)r.length, r.base);
 	} else
 		printf("dns_name_totext() failed: %s\n",
@@ -199,7 +184,7 @@ do_find(isc_boolean_t want_event) {
 
 static void
 adb_callback(isc_task_t *etask, isc_event_t *event) {
-	unsigned int type = event->type;
+	unsigned int type = event->ev_type;
 
 	REQUIRE(etask == task);
 
@@ -232,6 +217,7 @@ main(int argc, char *argv[]) {
 	isc_timermgr_t *timermgr;
 	int ch;
 	isc_socketmgr_t *socketmgr;
+	dns_dispatchmgr_t *dispatchmgr;
 	dns_cache_t *cache;
 	isc_buffer_t b;
 
@@ -268,14 +254,20 @@ main(int argc, char *argv[]) {
 	RUNTIME_CHECK(isc_taskmgr_create(mctx, workers, 0, &taskmgr) ==
 		      ISC_R_SUCCESS);
 	task = NULL;
-	RUNTIME_CHECK(isc_task_create(taskmgr, mctx, 0, &task) ==
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &task) ==
 		      ISC_R_SUCCESS);
 
+	dispatchmgr = NULL;
+	RUNTIME_CHECK(dns_dispatchmgr_create(mctx, &dispatchmgr)
+		      == ISC_R_SUCCESS);
+
 	timermgr = NULL;
 	RUNTIME_CHECK(isc_timermgr_create(mctx, &timermgr) == ISC_R_SUCCESS);
 	socketmgr = NULL;
 	RUNTIME_CHECK(isc_socketmgr_create(mctx, &socketmgr) == ISC_R_SUCCESS);
 
+	
+
 	cache = NULL;
 	RUNTIME_CHECK(dns_cache_create(mctx, taskmgr, timermgr,
 				       dns_rdataclass_in, "rbt", 0, NULL,
@@ -286,8 +278,9 @@ main(int argc, char *argv[]) {
 				      &view) == ISC_R_SUCCESS);
 
 	RUNTIME_CHECK(dns_view_createresolver(view, taskmgr, 10, socketmgr,
-					      timermgr, 0, NULL, NULL) ==
-		      DNS_R_SUCCESS);
+					      timermgr, 0,
+					      dispatchmgr, NULL, NULL) ==
+		      ISC_R_SUCCESS);
 
 	{
 		struct in_addr ina;
@@ -310,8 +303,7 @@ main(int argc, char *argv[]) {
 
 	printf("name = %s\n", argv[isc_commandline_index]);
 	isc_buffer_init(&b, argv[isc_commandline_index],
-			strlen(argv[isc_commandline_index]),
-			ISC_BUFFERTYPE_TEXT);
+			strlen(argv[isc_commandline_index]));
 	isc_buffer_add(&b, strlen(argv[isc_commandline_index]));
 	dns_fixedname_init(&name);
 	dns_fixedname_init(&target);
diff --git a/bin/tests/compress_test.c b/bin/tests/compress_test.c
index 50af499e..821f2908 100644
--- a/bin/tests/compress_test.c
+++ b/bin/tests/compress_test.c
@@ -17,23 +17,25 @@
 
 #include <config.h>
 
-#include <stdio.h>
 #include <stdlib.h>
 
-#include <isc/assertions.h>
+#include <isc/buffer.h>
 #include <isc/commandline.h>
-#include <isc/error.h>
+#include <isc/mem.h>
+#include <isc/util.h>
+
 #include <dns/compress.h>
 #include <dns/name.h>
 
 unsigned char plain1[] = "\003yyy\003foo";
 unsigned char plain2[] = "\003bar\003yyy\003foo";
 unsigned char plain3[] = "\003xxx\003bar\003foo";
-unsigned char plain[] =
-	"\003yyy\003foo\0\003bar\003yyy\003foo\0\003bar\003yyy\003foo\0\003xxx\003bar\003foo";
-
-/* result concatenate (plain1, plain2, plain2, plain3) */
+unsigned char plain[] = "\003yyy\003foo\0\003bar\003yyy\003foo\0\003"
+			"bar\003yyy\003foo\0\003xxx\003bar\003foo";
 
+/*
+ * Result concatenate (plain1, plain2, plain2, plain3).
+ */
 unsigned char bit1[] = "\101\010b";
 unsigned char bit2[] = "\101\014b\260";
 unsigned char bit3[] = "\101\020b\264";
@@ -42,8 +44,9 @@ unsigned char bit[] = "\101\010b\0\101\014b\260\0\101\014b\260\0\101\020b\264";
 int raw = 0;
 int verbose = 0;
 
-void test(unsigned int, dns_name_t *, dns_name_t *, dns_name_t *,
-          unsigned char *, unsigned int);
+void
+test(unsigned int, dns_name_t *, dns_name_t *, dns_name_t *,
+     unsigned char *, unsigned int);
 
 int
 main(int argc, char *argv[]) {
@@ -105,7 +108,7 @@ main(int argc, char *argv[]) {
 	test(DNS_COMPRESS_GLOBAL, &name1, &name2, &name3, bit, sizeof bit);
 	test(DNS_COMPRESS_ALL, &name1, &name2, &name3, bit, sizeof bit);
 
-	exit(0);
+	return (0);
 }
 
 void
@@ -128,25 +131,29 @@ test(unsigned int allowed, dns_name_t *name1, dns_name_t *name2,
 		case DNS_COMPRESS_GLOBAL14: s = "DNS_COMPRESS_GLOBAL14"; break;
 		case DNS_COMPRESS_GLOBAL16: s = "DNS_COMPRESS_GLOBAL16"; break;
 		case DNS_COMPRESS_GLOBAL: s = "DNS_COMPRESS_GLOBAL"; break;
-		case DNS_COMPRESS_ALL: s = "DNS_COMPRESS_ALL"; break;
+		/* case DNS_COMPRESS_ALL: s = "DNS_COMPRESS_ALL"; break; */
 		default: s = "UNKOWN"; break;
 		}
 		fprintf(stdout, "Allowed = %s\n", s);
 	}
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-	isc_buffer_init(&source, buf1, sizeof buf1, ISC_BUFFERTYPE_BINARY);
-	RUNTIME_CHECK(dns_compress_init(&cctx, -1, mctx) == DNS_R_SUCCESS);
+	isc_buffer_init(&source, buf1, sizeof(buf1));
+	RUNTIME_CHECK(dns_compress_init(&cctx, -1, mctx) == ISC_R_SUCCESS);
 
-	RUNTIME_CHECK(dns_name_towire(name1, &cctx, &source) == DNS_R_SUCCESS);
+	RUNTIME_CHECK(dns_name_towire(name1, &cctx, &source) == ISC_R_SUCCESS);
 
+	/*
 	RUNTIME_CHECK(dns_compress_localinit(&cctx, name1, &source) == 
-		      DNS_R_SUCCESS);
+		      ISC_R_SUCCESS);
+	*/
 	dns_compress_setmethods(&cctx, allowed);
-	RUNTIME_CHECK(dns_name_towire(name2, &cctx, &source) == DNS_R_SUCCESS);
-	RUNTIME_CHECK(dns_name_towire(name2, &cctx, &source) == DNS_R_SUCCESS);
-	RUNTIME_CHECK(dns_name_towire(name3, &cctx, &source) == DNS_R_SUCCESS);
+	RUNTIME_CHECK(dns_name_towire(name2, &cctx, &source) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(dns_name_towire(name2, &cctx, &source) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(dns_name_towire(name3, &cctx, &source) == ISC_R_SUCCESS);
 
+	/*
 	dns_compress_localinvalidate(&cctx);
+	*/
 	dns_compress_rollback(&cctx, 0);	/* testing only */
 	dns_compress_invalidate(&cctx);
 
@@ -166,21 +173,25 @@ test(unsigned int allowed, dns_name_t *name1, dns_name_t *name2,
 	}
 
 	isc_buffer_setactive(&source, source.used);
-	isc_buffer_init(&target, buf2, sizeof buf2, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&target, buf2, sizeof(buf2));
 	dns_decompress_init(&dctx, -1, ISC_TRUE);
 
 	dns_name_init(&name, NULL);
 	RUNTIME_CHECK(dns_name_fromwire(&name, &source, &dctx, ISC_FALSE,
-					&target) == DNS_R_SUCCESS);
+					&target) == ISC_R_SUCCESS);
 	dns_decompress_setmethods(&dctx, allowed);
+	/*
 	dns_decompress_localinit(&dctx, &name, &source);
+	*/
 	RUNTIME_CHECK(dns_name_fromwire(&name, &source, &dctx, ISC_FALSE,
-					&target) == DNS_R_SUCCESS);
+					&target) == ISC_R_SUCCESS);
 	RUNTIME_CHECK(dns_name_fromwire(&name, &source, &dctx, ISC_FALSE,
-					&target) == DNS_R_SUCCESS);
+					&target) == ISC_R_SUCCESS);
 	RUNTIME_CHECK(dns_name_fromwire(&name, &source, &dctx, ISC_FALSE,
-					&target) == DNS_R_SUCCESS);
+					&target) == ISC_R_SUCCESS);
+	/*
 	dns_decompress_localinvalidate(&dctx);
+	*/
 	dns_decompress_invalidate(&dctx);
 
 	if (raw) {
diff --git a/bin/tests/db/Makefile.in b/bin/tests/db/Makefile.in
index dabbd219..06ede7fa 100644
--- a/bin/tests/db/Makefile.in
+++ b/bin/tests/db/Makefile.in
@@ -24,14 +24,20 @@ CINCLUDES =	${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
 CDEFINES =
 CWARNINGS =
 
-DEPLIBS =	../../../lib/dns/libdns.@A@ \
-		../../../lib/isc/libisc.@A@ 
+DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@
+ISCLIBS =	../../../lib/isc/libisc.@A@
 
-LIBS =		${DEPLIBS} \
-		@LIBS@
+DNSDEPLIBS =	../../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../../lib/isc/libisc.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
 
 TLIB =		../../../lib/tests/libt_api.@A@
 
+SRCS =		t_db.c
+
 TARGETS =	t_db
 
 @BIND9_MAKE_RULES@
diff --git a/bin/tests/db/dns_db_expirenode_data b/bin/tests/db/dns_db_expirenode_data
index cf6a330d..f51858a2 100644
--- a/bin/tests/db/dns_db_expirenode_data
+++ b/bin/tests/db/dns_db_expirenode_data
@@ -4,4 +4,4 @@
 # format:
 # filename type origin class existing_name existing_type
 #
-dns_db_expirenode.data	rbt	vix.com.	in	a.vix.com.	10000	0	DNS_R_NOTFOUND
+dns_db_expirenode.data	rbt	vix.com.	in	a.vix.com.	10000	0	ISC_R_NOTFOUND
diff --git a/bin/tests/db/dns_db_find_10_data b/bin/tests/db/dns_db_find_10_data
index 1430878b..d1ab1d3b 100644
--- a/bin/tests/db/dns_db_find_10_data
+++ b/bin/tests/db/dns_db_find_10_data
@@ -4,5 +4,5 @@
 # format:
 #	dbfile dbtype dborigin dbclass dbcache findname findtype findopts findtime expected_results
 #
-dns_db_find_10.data	rbt	vix.com.	in	cache	a.b.c.vix.com.	NS	0	1010	DNS_R_NOTFOUND
-dns_db_find_10.data	rbt	vix.com.	in	cache	a.b.c.vix.com.	NS	0	0	DNS_R_SUCCESS
+dns_db_find_10.data	rbt	vix.com.	in	cache	a.b.c.vix.com.	NS	0	1010	ISC_R_NOTFOUND
+dns_db_find_10.data	rbt	vix.com.	in	cache	a.b.c.vix.com.	NS	0	0	ISC_R_SUCCESS
diff --git a/bin/tests/db/dns_db_find_5.data b/bin/tests/db/dns_db_find_5.data
index 94d8aa07..e33f631a 100644
--- a/bin/tests/db/dns_db_find_5.data
+++ b/bin/tests/db/dns_db_find_5.data
@@ -5,6 +5,6 @@ $TTL 1000
 				1800		;retry
 				604800		;expiration
 				3600 )		;minimum
-a.b.c.		in	DNAME	x.y.z.
-a.x.y.z.	in	A	1.2.3.4
+a.b.c		in	DNAME	x.y.z
+a.x.y.z		in	A	1.2.3.4
 
diff --git a/bin/tests/db/dns_db_find_5_data b/bin/tests/db/dns_db_find_5_data
index 43780410..dab47c80 100644
--- a/bin/tests/db/dns_db_find_5_data
+++ b/bin/tests/db/dns_db_find_5_data
@@ -4,5 +4,5 @@
 # format:
 #	dbfile dbtype dborigin dbclass dbcache findname findtype findopts findtime expected_results
 #
-dns_db_find_5.data	rbt	vix.com.	in	zone	x.a.b.c.	ANY	0	0	DNS_R_DNAME
-dns_db_find_5.data	rbt	vix.com.	in	zone	a.a.b.c.	ANY	0	0	DNS_R_DNAME
+dns_db_find_5.data	rbt	vix.com.	in	zone	x.a.b.c.vix.com.	ANY	0	0	DNS_R_DNAME
+dns_db_find_5.data	rbt	vix.com.	in	zone	a.a.b.c.vix.com.	ANY	0	0	DNS_R_DNAME
diff --git a/bin/tests/db/dns_db_find_6_data b/bin/tests/db/dns_db_find_6_data
index c8ff075f..47de0e66 100644
--- a/bin/tests/db/dns_db_find_6_data
+++ b/bin/tests/db/dns_db_find_6_data
@@ -5,4 +5,4 @@
 #	dbfile dbtype dborigin dbclass dbcache findname findtype findopts findtime expected_results
 #
 dns_db_find_6.data	rbt	vix.com.	in	zone	exploder.vix.com.	A	0	0	DNS_R_CNAME
-dns_db_find_6.data	rbt	vix.com.	in	zone	exploder.vix.com.	ANY	0	0	DNS_R_SUCCESS
+dns_db_find_6.data	rbt	vix.com.	in	zone	exploder.vix.com.	ANY	0	0	ISC_R_SUCCESS
diff --git a/bin/tests/db/dns_db_find_7.data b/bin/tests/db/dns_db_find_7.data
index cd19bd0f..f0ec22bd 100644
--- a/bin/tests/db/dns_db_find_7.data
+++ b/bin/tests/db/dns_db_find_7.data
@@ -7,7 +7,6 @@ $TTL 1000
 				3600 )		;minimum
 
 a.b.c.d		in	A	1.2.3.4
-a.b.c.		in	A	1.2.3.4
 a.b		in	A	1.2.3.4
 a		in	NS	ns1.vix.com.
 
diff --git a/bin/tests/db/dns_db_find_8_data b/bin/tests/db/dns_db_find_8_data
index 063541d6..4ad0c83c 100644
--- a/bin/tests/db/dns_db_find_8_data
+++ b/bin/tests/db/dns_db_find_8_data
@@ -1,7 +1,7 @@
 #
-# test data for dns_db_find DNS_R_NXRDATASET
+# test data for dns_db_find DNS_R_NXRRSET
 #
 # format:
 #	dbfile dbtype dborigin dbclass dbcache findname findtype findopts findtime expected_results
 #
-dns_db_find_8.data	rbt	vix.com.	in	zone	a.b.c.vix.com.	NS	0	0	DNS_R_NXRDATASET
+dns_db_find_8.data	rbt	vix.com.	in	zone	a.b.c.vix.com.	NS	0	0	DNS_R_NXRRSET
diff --git a/bin/tests/db/dns_db_find_9.data b/bin/tests/db/dns_db_find_9.data
index 2d1c4dc7..54a6d5f1 100644
--- a/bin/tests/db/dns_db_find_9.data
+++ b/bin/tests/db/dns_db_find_9.data
@@ -10,5 +10,4 @@ a.b.c.d		in	NS	ns1.vix.com.
 a.b.c		in	A	1.2.3.4
 a.b		in	NS	ns1.vix.com.
 a		in	NS	ns1.vix.com.
-a.b.c.		in	NS	ns1.vix.com.
 
diff --git a/bin/tests/db/dns_db_find_9_data b/bin/tests/db/dns_db_find_9_data
index 28345052..d80795cf 100644
--- a/bin/tests/db/dns_db_find_9_data
+++ b/bin/tests/db/dns_db_find_9_data
@@ -1,7 +1,7 @@
 #
-# test data for dns_db_find DNS_R_NOTFOUND
+# test data for dns_db_find ISC_R_NOTFOUND
 #
 # format:
 #	dbfile dbtype dborigin dbclass dbcache findname findtype findopts findtime expected_results
 #
-dns_db_find_9.data	rbt	vix.com.	in	cache	a.b.c.vix.com.	NS	0	0	DNS_R_NOTFOUND
+dns_db_find_9.data	rbt	vix.com.	in	cache	a.b.c.vix.com.	NS	0	0	ISC_R_NOTFOUND
diff --git a/bin/tests/db/dns_db_findnode_1_data b/bin/tests/db/dns_db_findnode_1_data
index e4848643..a73c4254 100644
--- a/bin/tests/db/dns_db_findnode_1_data
+++ b/bin/tests/db/dns_db_findnode_1_data
@@ -1,9 +1,9 @@
 #
-# test data for dns_db_findnode, case DNS_R_SUCCESS
+# test data for dns_db_findnode, case ISC_R_SUCCESS
 #
 # format:
 # filename type origin class cache existingname rdatatype
 #
-dns_db_findnode_1.data	rbt	vix.com.	in	zone	a.vix.com.	NS	DNS_R_SUCCESS
-dns_db_findnode_1.data	rbt	vix.com.	in	zone	b.vix.com.	A	DNS_R_SUCCESS
-dns_db_findnode_1.data	rbt	vix.com.	in	zone	c.vix.com.	A	DNS_R_NOTFOUND
+dns_db_findnode_1.data	rbt	vix.com.	in	zone	a.vix.com.	NS	ISC_R_SUCCESS
+dns_db_findnode_1.data	rbt	vix.com.	in	zone	b.vix.com.	A	ISC_R_SUCCESS
+dns_db_findnode_1.data	rbt	vix.com.	in	zone	c.vix.com.	A	ISC_R_NOTFOUND
diff --git a/bin/tests/db/dns_db_load_data b/bin/tests/db/dns_db_load_data
index 6e0ce4b5..0684c625 100644
--- a/bin/tests/db/dns_db_load_data
+++ b/bin/tests/db/dns_db_load_data
@@ -4,4 +4,4 @@
 # format:
 # filename type origin cache class findname expected_result
 #
-dns_db_load_1.data	rbt	.	zone	in	DNS_R_SUCCESS	a.	A	DNS_R_DELEGATION
+dns_db_load_1.data	rbt	.	zone	in	ISC_R_SUCCESS	a.	A	DNS_R_DELEGATION
diff --git a/bin/tests/db/t_db.c b/bin/tests/db/t_db.c
index 8de4dce8..7fc914f9 100644
--- a/bin/tests/db/t_db.c
+++ b/bin/tests/db/t_db.c
@@ -18,41 +18,24 @@
 #include <config.h>
 
 #include <ctype.h>
-#include <stddef.h>
 #include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <sys/time.h>
-#include <unistd.h>
-
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/boolean.h>
-#include <isc/region.h>
-#include <isc/list.h>
-
-#include <dns/types.h>
-#include <dns/result.h>
-#include <dns/name.h>
+
+#include <isc/mem.h>
+#include <isc/string.h>
+
+#include <dns/db.h>
 #include <dns/fixedname.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
 #include <dns/rdatatype.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
-#include <dns/compress.h>
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/dbtable.h>
 
 #include <tests/t_api.h>
 
 static isc_result_t
 t_create(char *db_type, char *origin, char *class, char *cache,
-		isc_mem_t *mctx, dns_db_t **db) {
-
+	 isc_mem_t *mctx, dns_db_t **db) {
 	int			len;
 	isc_result_t		dns_result;
 	isc_boolean_t		iscache;
@@ -68,11 +51,11 @@ t_create(char *db_type, char *origin, char *class, char *cache,
 
 	dns_fixedname_init(&dns_origin);
 	len = strlen(origin);
-	isc_buffer_init(&origin_buffer, origin, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&origin_buffer, origin, len);
 	isc_buffer_add(&origin_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_origin),
 				&origin_buffer, NULL, ISC_FALSE, NULL);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
 		return(dns_result);
@@ -81,24 +64,23 @@ t_create(char *db_type, char *origin, char *class, char *cache,
 	textregion.base = class;
 	textregion.length = strlen(class);
 	dns_result = dns_rdataclass_fromtext(&rdataclass, &textregion);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdataclass_fromtext failed %s\n",
 				dns_result_totext(dns_result));
 		return(dns_result);
 	}
 
-	dns_result = dns_db_create(mctx, db_type, dns_fixedname_name(&dns_origin),
-				iscache, rdataclass, 0, NULL, db);
-	if (dns_result != DNS_R_SUCCESS) {
+	dns_result = dns_db_create(mctx, db_type,
+				   dns_fixedname_name(&dns_origin),
+				   iscache, rdataclass, 0, NULL, db);
+	if (dns_result != ISC_R_SUCCESS)
 		t_info("dns_db_create failed %s\n",
 			dns_result_totext(dns_result));
-	}
 
 	return(dns_result);
 
 }
 
-
 static int
 t_dns_db_load(char **av) {
 
@@ -155,7 +137,7 @@ t_dns_db_load(char **av) {
 	}
 
 	dns_result = t_create(db_type, origin, class, cache, mctx, &db);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -172,11 +154,11 @@ t_dns_db_load(char **av) {
 
 	dns_fixedname_init(&dns_findname);
 	len = strlen(findname);
-	isc_buffer_init(&findname_buffer, findname, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&findname_buffer, findname, len);
 	isc_buffer_add(&findname_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_findname),
 				&findname_buffer, NULL, ISC_FALSE, NULL);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -187,7 +169,7 @@ t_dns_db_load(char **av) {
 	textregion.base = find_type;
 	textregion.length = strlen(find_type);
 	dns_result = dns_rdatatype_fromtext(&rdatatype, &textregion);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdatatype_fromtext %s failed %s\n",
 				find_type,
 				dns_result_totext(dns_result));
@@ -223,7 +205,7 @@ t_dns_db_load(char **av) {
 		result = T_PASS;
 	}
 
-	if (dns_result != DNS_R_NOTFOUND) {
+	if (dns_result != ISC_R_NOTFOUND) {
 		dns_db_detachnode(db, &nodep);
 		if (dns_rdataset_isassociated(&rdataset))
 			dns_rdataset_disassociate(&rdataset);
@@ -255,12 +237,9 @@ static char *a2 =
 	"dns_db_iscache(db) returns ISC_TRUE.";
 
 static int
-t_dns_db_zc_x(char *filename,
-		char *db_type, char *origin, char *class,
-		isc_boolean_t cache,
-		isc_boolean_t(*cf)(dns_db_t *),
-		isc_boolean_t exp_result) {
-
+t_dns_db_zc_x(char *filename, char *db_type, char *origin, char *class,
+	      isc_boolean_t cache, isc_boolean_t(*cf)(dns_db_t *),
+	      isc_boolean_t exp_result) {
 	int			result;
 	int			len;
 	dns_db_t		*db;
@@ -281,11 +260,11 @@ t_dns_db_zc_x(char *filename,
 
 	dns_fixedname_init(&dns_origin);
 	len = strlen(origin);
-	isc_buffer_init(&origin_buffer, origin, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&origin_buffer, origin, len);
 	isc_buffer_add(&origin_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_origin),
 				&origin_buffer, NULL, ISC_FALSE, NULL);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
 		return(T_UNRESOLVED);
@@ -294,7 +273,7 @@ t_dns_db_zc_x(char *filename,
 	textregion.base = class;
 	textregion.length = strlen(class);
 	dns_result = dns_rdataclass_fromtext(&rdataclass, &textregion);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdataclass_fromtext failed %s\n",
 				dns_result_totext(dns_result));
 		return(T_UNRESOLVED);
@@ -310,7 +289,7 @@ t_dns_db_zc_x(char *filename,
 	dns_result = dns_db_create(mctx, db_type,
 				dns_fixedname_name(&dns_origin),
 				cache, rdataclass, 0, NULL, &db);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_create failed %s\n",
 			dns_result_totext(dns_result));
 		isc_mem_destroy(&mctx);
@@ -318,7 +297,7 @@ t_dns_db_zc_x(char *filename,
 	}
 
 	dns_result = dns_db_load(db, filename);
-	if (dns_result == DNS_R_SUCCESS) {
+	if (dns_result == ISC_R_SUCCESS) {
 		if ((*cf)(db) == exp_result)
 			result = T_PASS;
 		else
@@ -358,8 +337,10 @@ test_dns_db_zc_x(char *filename, isc_boolean_t cache,
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = t_bustline(p, tokens);
@@ -496,7 +477,7 @@ t_dns_db_origin(char **av) {
 	}
 
 	dns_result = t_create("rbt", origin, "in", "isc_true", mctx, &db);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("t_create failed %s\n",
 			dns_result_totext(dns_result));
 		isc_mem_destroy(&mctx);
@@ -506,11 +487,11 @@ t_dns_db_origin(char **av) {
 	dns_fixedname_init(&dns_dborigin);
 
 	len = strlen(origin);
-	isc_buffer_init(&origin_buffer, origin, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&origin_buffer, origin, len);
 	isc_buffer_add(&origin_buffer, len);
 
 	dns_result = dns_db_load(db, filename);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_load failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -520,7 +501,7 @@ t_dns_db_origin(char **av) {
 
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_origin),
 				&origin_buffer, NULL, ISC_FALSE, NULL);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -590,7 +571,7 @@ t_dns_db_class(char **av) {
 	textregion.base = class;
 	textregion.length = strlen(class);
 	dns_result = dns_rdataclass_fromtext(&rdataclass, &textregion);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdataclass_fromtext failed %s\n",
 				dns_result_totext(dns_result));
 		return(T_UNRESOLVED);
@@ -604,7 +585,7 @@ t_dns_db_class(char **av) {
 	}
 
 	dns_result = t_create("rbt", ".", class, "isc_true", mctx, &db);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("t_create failed %s\n",
 			dns_result_totext(dns_result));
 		isc_mem_destroy(&mctx);
@@ -612,7 +593,7 @@ t_dns_db_class(char **av) {
 	}
 
 	dns_result = dns_db_load(db, filename);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_load failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -621,11 +602,10 @@ t_dns_db_class(char **av) {
 	}
 
 	db_rdataclass = dns_db_class(db);
-	if (db_rdataclass == rdataclass) {
+	if (db_rdataclass == rdataclass)
 		result = T_PASS;
-	}
 	else {
-		isc_buffer_init(&isc_buffer, buf, CLASSBUFLEN, ISC_BUFFERTYPE_TEXT);
+		isc_buffer_init(&isc_buffer, buf, CLASSBUFLEN);
 		dns_rdataclass_totext(db_rdataclass, &isc_buffer);
 		t_info("dns_db_class returned %.*s, expected %s\n",
 			isc_buffer.used, isc_buffer.base, class);
@@ -653,7 +633,6 @@ static char *a8 =
 
 static int
 t_dns_db_currentversion(char **av) {
-
 	char			*filename;
 	char			*db_type;
 	char			*origin;
@@ -700,13 +679,13 @@ t_dns_db_currentversion(char **av) {
 	}
 
 	dns_result = t_create(db_type, origin, class, cache, mctx, &db);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
 
 	dns_result = dns_db_load(db, filename);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_load returned %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -716,11 +695,11 @@ t_dns_db_currentversion(char **av) {
 
 	dns_fixedname_init(&dns_findname);
 	len = strlen(findname);
-	isc_buffer_init(&findname_buffer, findname, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&findname_buffer, findname, len);
 	isc_buffer_add(&findname_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_findname),
 				&findname_buffer, NULL, ISC_FALSE, NULL);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -731,7 +710,7 @@ t_dns_db_currentversion(char **av) {
 	textregion.base = findtype;
 	textregion.length = strlen(findtype);
 	dns_result = dns_rdatatype_fromtext(&rdatatype, &textregion);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdatatype_fromtext %s failed %s\n",
 				findtype,
 				dns_result_totext(dns_result));
@@ -760,7 +739,7 @@ t_dns_db_currentversion(char **av) {
 			dns_fixedname_name(&dns_foundname),
 			&rdataset, NULL);
 
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("unable to find %s using current version\n", findname);
 		dns_db_closeversion(db, &cversionp, ISC_FALSE);
 		dns_db_detach(&db);
@@ -779,7 +758,7 @@ t_dns_db_currentversion(char **av) {
 
 	nversionp = NULL;
 	dns_result = dns_db_newversion(db, &nversionp);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_newversion failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
@@ -792,7 +771,7 @@ t_dns_db_currentversion(char **av) {
 
 	/* delete the found rdataset in the new version */
 	dns_result = dns_db_deleterdataset(db, nodep, nversionp, rdatatype, 0);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_deleterdataset failed %s\n",
 				dns_result_totext(dns_result));
 		dns_rdataset_disassociate(&rdataset);
@@ -820,8 +799,9 @@ t_dns_db_currentversion(char **av) {
 			dns_fixedname_name(&dns_foundname),
 			&rdataset, NULL);
 
-	if ((dns_result != DNS_R_NOTFOUND) && (dns_result != DNS_R_NXDOMAIN)) {
-		t_info("unexpectedly found %s using current version\n", findname);
+	if ((dns_result != ISC_R_NOTFOUND) && (dns_result != DNS_R_NXDOMAIN)) {
+		t_info("unexpectedly found %s using current version\n",
+		       findname);
 		dns_db_closeversion(db, &cversionp, ISC_FALSE);
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
 		dns_db_detach(&db);
@@ -844,7 +824,7 @@ t_dns_db_currentversion(char **av) {
 			&rdataset, NULL);
 
 	/* and expect it to succeed */
-	if (dns_result == DNS_R_SUCCESS) {
+	if (dns_result == ISC_R_SUCCESS) {
 		result = T_PASS;
 	}
 	else {
@@ -870,16 +850,15 @@ t8() {
 	int	result;
 
 	t_assert("dns_db_currentversion", 8, T_REQUIRED, a8);
-	result = t_eval("dns_db_currentversion_data", t_dns_db_currentversion, 7);
+	result = t_eval("dns_db_currentversion_data",
+			t_dns_db_currentversion, 7);
 	t_result(result);
 }
 
-
 static char *a9 =
 	"A call to dns_db_newversion() opens a new version for "
 	"reading and writing.";
 
-
 static int
 t_dns_db_newversion(char **av) {
 
@@ -940,13 +919,13 @@ t_dns_db_newversion(char **av) {
 	}
 
 	dns_result = t_create(db_type, origin, class, cache, mctx, &db);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
 
 	dns_result = dns_db_load(db, filename);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_load returned %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -960,11 +939,11 @@ t_dns_db_newversion(char **av) {
 
 	dns_fixedname_init(&dns_newname);
 	len = strlen(newname);
-	isc_buffer_init(&newname_buffer, newname, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&newname_buffer, newname, len);
 	isc_buffer_add(&newname_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_newname),
 				&newname_buffer, NULL, ISC_FALSE, NULL);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -975,7 +954,7 @@ t_dns_db_newversion(char **av) {
 	nodep = NULL;
 	dns_result = dns_db_findnode(db, dns_fixedname_name(&dns_newname),
 				ISC_TRUE, &nodep);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_findnode failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -991,7 +970,7 @@ t_dns_db_newversion(char **av) {
 	textregion.length = strlen(newtype);
 	dns_result = dns_rdatatype_fromtext(&rdatatype, &textregion);
 
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdatatype_fromtext %s failed %s\n",
 				newtype,
 				dns_result_totext(dns_result));
@@ -1004,7 +983,7 @@ t_dns_db_newversion(char **av) {
 	textregion.base = class;
 	textregion.length = strlen(class);
 	dns_result = dns_rdataclass_fromtext(&rdataclass, &textregion);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdataclass_fromtext failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
@@ -1028,7 +1007,7 @@ t_dns_db_newversion(char **av) {
 	ISC_LIST_APPEND(rdatalist.rdata, &added_rdata, link);
 
 	dns_result = dns_rdatalist_tordataset(&rdatalist, &added_rdataset);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdatalist_tordataset failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
@@ -1039,7 +1018,7 @@ t_dns_db_newversion(char **av) {
 
 	nversionp = NULL;
 	dns_result = dns_db_newversion(db, &nversionp);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_newversion failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
@@ -1050,7 +1029,7 @@ t_dns_db_newversion(char **av) {
 
 	dns_result = dns_db_addrdataset(db, nodep, nversionp, 0,
 				&added_rdataset, 0, NULL);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_addrdataset failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
@@ -1086,7 +1065,7 @@ t_dns_db_newversion(char **av) {
 			&found_rdataset,
 			NULL);
 
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 /* ZZZ - NXRRSET ???  reference counts ??? */
 		t_info("dns_db_find failed %s\n",
 				dns_result_totext(dns_result));
@@ -1100,7 +1079,7 @@ t_dns_db_newversion(char **av) {
 	}
 
 	dns_result = dns_rdataset_first(&found_rdataset);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdataset_first failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
@@ -1134,6 +1113,7 @@ t_dns_db_newversion(char **av) {
 
 	return(result);
 }
+
 static void
 t9() {
 	int	result;
@@ -1143,16 +1123,14 @@ t9() {
 	t_result(result);
 }
 
-
 static char *a10 =
 	"When versionp points to a read-write version and commit is "
 	"ISC_TRUE, a call to dns_db_closeversion(db, versionp, commit) "
 	"causes all changes made in the version to take effect, "
-	"and returns DNS_R_SUCCESS.";
+	"and returns ISC_R_SUCCESS.";
 
 static int
 t_dns_db_closeversion_1(char **av) {
-
 	char			*filename;
 	char			*db_type;
 	char			*origin;
@@ -1218,13 +1196,13 @@ t_dns_db_closeversion_1(char **av) {
 	}
 
 	dns_result = t_create(db_type, origin, class, cache, mctx, &db);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
 
 	dns_result = dns_db_load(db, filename);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_load returned %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -1238,11 +1216,11 @@ t_dns_db_closeversion_1(char **av) {
 
 	dns_fixedname_init(&dns_existingname);
 	len = strlen(existing_name);
-	isc_buffer_init(&name_buffer, existing_name, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&name_buffer, existing_name, len);
 	isc_buffer_add(&name_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_existingname),
 			&name_buffer, NULL, ISC_FALSE, NULL);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -1253,7 +1231,7 @@ t_dns_db_closeversion_1(char **av) {
 	textregion.base = existing_type;
 	textregion.length = strlen(existing_type);
 	dns_result = dns_rdatatype_fromtext(&existing_rdatatype, &textregion);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdatatype_fromtext %s failed %s\n",
 				existing_type,
 				dns_result_totext(dns_result));
@@ -1266,7 +1244,7 @@ t_dns_db_closeversion_1(char **av) {
 	nodep = NULL;
 	dns_result = dns_db_findnode(db, dns_fixedname_name(&dns_existingname),
 				ISC_FALSE, &nodep);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_findnode %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -1277,7 +1255,7 @@ t_dns_db_closeversion_1(char **av) {
 	/* open a new version */
 	nversionp = NULL;
 	dns_result = dns_db_newversion(db, &nversionp);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_newversion failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
@@ -1287,7 +1265,7 @@ t_dns_db_closeversion_1(char **av) {
 	}
 
 	dns_result = dns_db_deleterdataset(db, nodep, nversionp, existing_rdatatype, 0);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_deleterdataset failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
@@ -1306,11 +1284,11 @@ t_dns_db_closeversion_1(char **av) {
 
 	dns_fixedname_init(&dns_newname);
 	len = strlen(new_name);
-	isc_buffer_init(&name_buffer, new_name, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&name_buffer, new_name, len);
 	isc_buffer_add(&name_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_newname),
 				&name_buffer, NULL, ISC_FALSE, NULL);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
@@ -1321,7 +1299,7 @@ t_dns_db_closeversion_1(char **av) {
 
 	dns_result = dns_db_findnode(db, dns_fixedname_name(&dns_newname),
 				ISC_TRUE, &nodep);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_findnode failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
@@ -1337,7 +1315,7 @@ t_dns_db_closeversion_1(char **av) {
 	textregion.base = new_type;
 	textregion.length = strlen(new_type);
 	dns_result = dns_rdatatype_fromtext(&new_rdatatype, &textregion);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdatatype_fromtext %s failed %s\n",
 				new_type,
 				dns_result_totext(dns_result));
@@ -1350,7 +1328,7 @@ t_dns_db_closeversion_1(char **av) {
 	textregion.base = class;
 	textregion.length = strlen(class);
 	dns_result = dns_rdataclass_fromtext(&rdataclass, &textregion);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdataclass_fromtext failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
@@ -1374,7 +1352,7 @@ t_dns_db_closeversion_1(char **av) {
 	ISC_LIST_APPEND(rdatalist.rdata, &added_rdata, link);
 
 	dns_result = dns_rdatalist_tordataset(&rdatalist, &added_rdataset);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdatalist_tordataset failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
@@ -1385,7 +1363,7 @@ t_dns_db_closeversion_1(char **av) {
 
 	dns_result = dns_db_addrdataset(db, nodep, nversionp, 0,
 				&added_rdataset, 0, NULL);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_addrdataset failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
@@ -1417,7 +1395,7 @@ t_dns_db_closeversion_1(char **av) {
 			dns_fixedname_name(&dns_foundname),
 			&found_rdataset, NULL);
 
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 /* ZZZ NXRRSET ??? reference counting ??? */
 		t_info("dns_db_find failed %s\n",
 				dns_result_totext(dns_result));
@@ -1431,7 +1409,7 @@ t_dns_db_closeversion_1(char **av) {
 	}
 
 	dns_result = dns_rdataset_first(&found_rdataset);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdataset_first failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
@@ -1472,7 +1450,7 @@ t_dns_db_closeversion_1(char **av) {
 			&found_rdataset, NULL);
 
 
-	if ((dns_result != DNS_R_NOTFOUND) && (dns_result != DNS_R_NXDOMAIN)) {
+	if ((dns_result != ISC_R_NOTFOUND) && (dns_result != DNS_R_NXDOMAIN)) {
 		dns_rdataset_disassociate(&found_rdataset);
 		dns_db_detachnode(db, &nodep);
 		t_info("dns_db_find %s returned %s\n", existing_name,
@@ -1497,20 +1475,19 @@ t10() {
 	int	result;
 
 	t_assert("dns_db_closeversion", 10, T_REQUIRED, a10);
-	result = t_eval("dns_db_closeversion_1_data", t_dns_db_closeversion_1, 9);
+	result = t_eval("dns_db_closeversion_1_data",
+			t_dns_db_closeversion_1, 9);
 	t_result(result);
 }
 
-
 static char *a11 =
 	"When versionp points to a read-write version and commit is "
 	"ISC_FALSE, a call to dns_db_closeversion(db, versionp, commit) "
 	"causes all changes made in the version to to be rolled back, "
-	"and returns DNS_R_SUCCESS.";
+	"and returns ISC_R_SUCCESS.";
 
 static int
 t_dns_db_closeversion_2(char **av) {
-
 	char			*filename;
 	char			*db_type;
 	char			*origin;
@@ -1576,13 +1553,13 @@ t_dns_db_closeversion_2(char **av) {
 	}
 
 	dns_result = t_create(db_type, origin, class, cache, mctx, &db);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
 
 	dns_result = dns_db_load(db, filename);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_load returned %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -1596,11 +1573,11 @@ t_dns_db_closeversion_2(char **av) {
 
 	dns_fixedname_init(&dns_existingname);
 	len = strlen(existing_name);
-	isc_buffer_init(&name_buffer, existing_name, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&name_buffer, existing_name, len);
 	isc_buffer_add(&name_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_existingname),
 			&name_buffer, NULL, ISC_FALSE, NULL);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -1611,7 +1588,7 @@ t_dns_db_closeversion_2(char **av) {
 	textregion.base = existing_type;
 	textregion.length = strlen(existing_type);
 	dns_result = dns_rdatatype_fromtext(&existing_rdatatype, &textregion);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdatatype_fromtext %s failed %s\n",
 				existing_type,
 				dns_result_totext(dns_result));
@@ -1624,7 +1601,7 @@ t_dns_db_closeversion_2(char **av) {
 	nodep = NULL;
 	dns_result = dns_db_findnode(db, dns_fixedname_name(&dns_existingname),
 				ISC_FALSE, &nodep);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_findnode %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -1635,7 +1612,7 @@ t_dns_db_closeversion_2(char **av) {
 	/* open a new version */
 	nversionp = NULL;
 	dns_result = dns_db_newversion(db, &nversionp);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_newversion failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
@@ -1645,7 +1622,7 @@ t_dns_db_closeversion_2(char **av) {
 	}
 
 	dns_result = dns_db_deleterdataset(db, nodep, nversionp, existing_rdatatype, 0);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_deleterdataset failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
@@ -1664,11 +1641,11 @@ t_dns_db_closeversion_2(char **av) {
 
 	dns_fixedname_init(&dns_newname);
 	len = strlen(new_name);
-	isc_buffer_init(&name_buffer, new_name, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&name_buffer, new_name, len);
 	isc_buffer_add(&name_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_newname),
 				&name_buffer, NULL, ISC_FALSE, NULL);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
@@ -1679,7 +1656,7 @@ t_dns_db_closeversion_2(char **av) {
 
 	dns_result = dns_db_findnode(db, dns_fixedname_name(&dns_newname),
 				ISC_TRUE, &nodep);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_findnode failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
@@ -1691,7 +1668,7 @@ t_dns_db_closeversion_2(char **av) {
 	textregion.base = new_type;
 	textregion.length = strlen(new_type);
 	dns_result = dns_rdatatype_fromtext(&new_rdatatype, &textregion);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdatatype_fromtext %s failed %s\n",
 				new_type,
 				dns_result_totext(dns_result));
@@ -1704,7 +1681,7 @@ t_dns_db_closeversion_2(char **av) {
 	textregion.base = class;
 	textregion.length = strlen(class);
 	dns_result = dns_rdataclass_fromtext(&rdataclass, &textregion);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdataclass_fromtext failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
@@ -1728,7 +1705,7 @@ t_dns_db_closeversion_2(char **av) {
 	ISC_LIST_APPEND(rdatalist.rdata, &added_rdata, link);
 
 	dns_result = dns_rdatalist_tordataset(&rdatalist, &added_rdataset);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdatalist_tordataset failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
@@ -1739,7 +1716,7 @@ t_dns_db_closeversion_2(char **av) {
 
 	dns_result = dns_db_addrdataset(db, nodep, nversionp, 0,
 				&added_rdataset, 0, NULL);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_addrdataset failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_closeversion(db, &nversionp, ISC_FALSE);
@@ -1766,9 +1743,9 @@ t_dns_db_closeversion_2(char **av) {
 			dns_fixedname_name(&dns_foundname),
 			&found_rdataset, NULL);
 
-	if (	(dns_result == DNS_R_NOTFOUND)	||
+	if (	(dns_result == ISC_R_NOTFOUND)	||
 		(dns_result == DNS_R_NXDOMAIN)	||
-		(dns_result == DNS_R_NXRDATASET)) {
+		(dns_result == DNS_R_NXRRSET)) {
 
 		t_info("dns_db_find failed %s\n",
 				dns_result_totext(dns_result));
@@ -1782,7 +1759,7 @@ t_dns_db_closeversion_2(char **av) {
 	}
 
 	dns_result = dns_rdataset_first(&found_rdataset);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdataset_first failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
@@ -1823,7 +1800,7 @@ t_dns_db_closeversion_2(char **av) {
 			&found_rdataset, NULL);
 
 
-	if ((dns_result != DNS_R_NOTFOUND) && (dns_result != DNS_R_NXDOMAIN)) {
+	if ((dns_result != ISC_R_NOTFOUND) && (dns_result != DNS_R_NXDOMAIN)) {
 		t_info("dns_db_find %s returned %s\n", existing_name,
 				dns_result_totext(dns_result));
 		if (dns_rdataset_isassociated(&found_rdataset))
@@ -1853,7 +1830,7 @@ t_dns_db_closeversion_2(char **av) {
 			dns_fixedname_name(&dns_foundname),
 			&found_rdataset, NULL);
 
-	if ((dns_result != DNS_R_NOTFOUND) && (dns_result != DNS_R_NXDOMAIN)) {
+	if ((dns_result != ISC_R_NOTFOUND) && (dns_result != DNS_R_NXDOMAIN)) {
 		t_info("dns_db_find %s returned %s\n", new_name,
 				dns_result_totext(dns_result));
 		dns_rdataset_disassociate(&found_rdataset);
@@ -1881,9 +1858,9 @@ t_dns_db_closeversion_2(char **av) {
 			&found_rdataset, NULL);
 
 
-	if (	(dns_result == DNS_R_NOTFOUND)	||
+	if (	(dns_result == ISC_R_NOTFOUND)	||
 		(dns_result == DNS_R_NXDOMAIN)	||
-		(dns_result == DNS_R_NXRDATASET)) {
+		(dns_result == DNS_R_NXRRSET)) {
 
 		t_info("dns_db_find %s returned %d\n", existing_name,
 				dns_result_totext(dns_result));
@@ -1911,11 +1888,11 @@ t11() {
 	int	result;
 
 	t_assert("dns_db_closeversion", 11, T_REQUIRED, a11);
-	result = t_eval("dns_db_closeversion_2_data", t_dns_db_closeversion_2, 9);
+	result = t_eval("dns_db_closeversion_2_data",
+			t_dns_db_closeversion_2, 9);
 	t_result(result);
 }
 
-
 static char *a12 =
 	"A call to dns_db_expirenode() marks as stale all records at node  "
 	"which expire at or before 'now'. If 'now' is zero, then the current  "
@@ -1923,7 +1900,6 @@ static char *a12 =
 
 static int
 t_dns_db_expirenode(char **av) {
-
 	char			*filename;
 	char			*db_type;
 	char			*origin;
@@ -1974,11 +1950,11 @@ t_dns_db_expirenode(char **av) {
 
 	dns_fixedname_init(&dns_existingname);
 	len = strlen(existing_name);
-	isc_buffer_init(&name_buffer, existing_name, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&name_buffer, existing_name, len);
 	isc_buffer_add(&name_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_existingname),
 				&name_buffer, NULL, ISC_FALSE, NULL);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 				dns_result_totext(dns_result));
 		return(T_UNRESOLVED);
@@ -1994,13 +1970,13 @@ t_dns_db_expirenode(char **av) {
 
 	db = NULL;
 	dns_result = t_create(db_type, origin, class, "cache", mctx, &db);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
 
 	dns_result = dns_db_load(db, filename);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_load returned %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -2015,7 +1991,7 @@ t_dns_db_expirenode(char **av) {
 			dns_fixedname_name(&dns_existingname),
 			ISC_FALSE,
 			&nodep);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("unable to find %s\n", existing_name);
 		dns_db_detach(&db);
 		isc_mem_destroy(&mctx);
@@ -2027,7 +2003,7 @@ t_dns_db_expirenode(char **av) {
 		node_expire_time += now;
 
 	dns_result = dns_db_expirenode(db, nodep, node_expire_time);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_expirenode failed %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detachnode(db, &nodep);
@@ -2063,9 +2039,9 @@ t_dns_db_expirenode(char **av) {
 		result = T_FAIL;
 	}
 
-	if (	(dns_result != DNS_R_NOTFOUND)	&&
+	if (	(dns_result != ISC_R_NOTFOUND)	&&
 		(dns_result != DNS_R_NXDOMAIN)	&&
-		(dns_result != DNS_R_NXRDATASET)) {
+		(dns_result != DNS_R_NXRRSET)) {
 
 		/*
 		 * don't need to disassociate the rdataset because
@@ -2090,17 +2066,14 @@ t12() {
 	t_result(result);
 }
 
-
 static char *a13 =
 	"If the node name exists, then a call to "
 	"dns_db_findnode(db, name, ISC_FALSE, nodep) initializes nodep "
-	"to point to the node and returns DNS_R_SUCCESS, otherwise "
-	"it returns DNS_R_NOTFOUND.";
-
+	"to point to the node and returns ISC_R_SUCCESS, otherwise "
+	"it returns ISC_R_NOTFOUND.";
 
 static int
 t_dns_db_findnode_1(char **av) {
-
 	char		*filename;
 	char		*db_type;
 	char		*origin;
@@ -2145,7 +2118,7 @@ t_dns_db_findnode_1(char **av) {
 	textregion.base = find_type;
 	textregion.length = strlen(find_type);
 	dns_result = dns_rdatatype_fromtext(&rdatatype, &textregion);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdatatype_fromtext %s failed %s\n",
 				find_type,
 				dns_result_totext(dns_result));
@@ -2160,13 +2133,13 @@ t_dns_db_findnode_1(char **av) {
 	}
 
 	dns_result = t_create(db_type, origin, class, cache, mctx, &db);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
 
 	dns_result = dns_db_load(db, filename);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_load returned %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -2178,7 +2151,7 @@ t_dns_db_findnode_1(char **av) {
 	dns_fixedname_init(&dns_name);
 
 	len = strlen(find_name);
-	isc_buffer_init(&name_buffer, find_name, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&name_buffer, find_name, len);
 	isc_buffer_add(&name_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_name),
 				&name_buffer, NULL, ISC_FALSE, NULL);
@@ -2188,7 +2161,7 @@ t_dns_db_findnode_1(char **av) {
 	if (dns_result != exp_result) {
 		t_info("dns_db_findnode failed %s\n",
 				dns_result_totext(dns_result));
-		if (dns_result == DNS_R_SUCCESS)
+		if (dns_result == ISC_R_SUCCESS)
 			dns_db_detachnode(db, &nodep);
 		dns_db_detach(&db);
 		isc_mem_destroy(&mctx);
@@ -2202,7 +2175,7 @@ t_dns_db_findnode_1(char **av) {
 	 * and expecting the search to succeed
 	 */
 
-	if (dns_result == DNS_R_SUCCESS) {
+	if (dns_result == ISC_R_SUCCESS) {
 		cversionp = NULL;
 		dns_db_currentversion(db, &cversionp);
 		dns_rdataset_init(&rdataset);
@@ -2210,7 +2183,7 @@ t_dns_db_findnode_1(char **av) {
 		dns_result = dns_db_findrdataset(db, nodep, cversionp,
 						 rdatatype, 0,
 						 0, &rdataset, NULL);
-		if (dns_result == DNS_R_SUCCESS) {
+		if (dns_result == ISC_R_SUCCESS) {
 			dns_rdataset_disassociate(&rdataset);
 			result = T_PASS;
 		}
@@ -2245,11 +2218,10 @@ static char *a14 =
 	"If the node name does not exist and create is ISC_TRUE, "
 	"then a call to dns_db_findnode(db, name, create, nodep) "
 	"creates the node, initializes nodep to point to the node, "
-	"and returns DNS_R_SUCCESS.";
+	"and returns ISC_R_SUCCESS.";
 
 static int
 t_dns_db_findnode_2(char **av) {
-
 	char			*filename;
 	char			*db_type;
 	char			*origin;
@@ -2294,13 +2266,13 @@ t_dns_db_findnode_2(char **av) {
 	}
 
 	dns_result = t_create(db_type, origin, class, cache, mctx, &db);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
 
 	dns_result = dns_db_load(db, filename);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_load returned %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -2313,16 +2285,16 @@ t_dns_db_findnode_2(char **av) {
 
 	/* make sure the name isn't there */
 	len = strlen(newname);
-	isc_buffer_init(&name_buffer, newname, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&name_buffer, newname, len);
 	isc_buffer_add(&name_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_name),
 				&name_buffer, NULL, ISC_FALSE, NULL);
 
 	dns_result = dns_db_findnode(db, dns_fixedname_name(&dns_name),
 				ISC_FALSE, &nodep);
-	if (	(dns_result != DNS_R_NOTFOUND)	&&
+	if (	(dns_result != ISC_R_NOTFOUND)	&&
 		(dns_result != DNS_R_NXDOMAIN)	&&
-		(dns_result != DNS_R_NXRDATASET)) {
+		(dns_result != DNS_R_NXRRSET)) {
 
 		t_info("dns_db_findnode %s\n",
 				dns_result_totext(dns_result));
@@ -2335,7 +2307,7 @@ t_dns_db_findnode_2(char **av) {
 	/* add it */
 	dns_result = dns_db_findnode(db, dns_fixedname_name(&dns_name),
 				ISC_TRUE, &nodep);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_findnode %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -2360,7 +2332,7 @@ t_dns_db_findnode_2(char **av) {
 			&newnodep,
 			dns_fixedname_name(&dns_foundname),
 			&rdataset, NULL);
-	if ((dns_result != DNS_R_NOTFOUND) && (dns_result != DNS_R_NXDOMAIN)) {
+	if ((dns_result != ISC_R_NOTFOUND) && (dns_result != DNS_R_NXDOMAIN)) {
 		dns_db_detachnode(db, &newnodep);
 	}
 
@@ -2370,10 +2342,10 @@ t_dns_db_findnode_2(char **av) {
 		++nfails;
 	}
 
-	/* then try dns_db_findnode DNS_R_SUCCESS */
+	/* then try dns_db_findnode ISC_R_SUCCESS */
 	dns_result = dns_db_findnode(db, dns_fixedname_name(&dns_name), ISC_FALSE, &newnodep);
 	t_info("dns_db_findnode %s\n", dns_result_totext(dns_result));
-	if (dns_result == DNS_R_SUCCESS) {
+	if (dns_result == ISC_R_SUCCESS) {
 		dns_db_detachnode(db, &newnodep);
 	}
 	else {
@@ -2407,7 +2379,6 @@ t14() {
 
 static int
 t_dns_db_find_x(char **av) {
-
 	char			*dbfile;
 	char			*dbtype;
 	char			*dborigin;
@@ -2464,13 +2435,13 @@ t_dns_db_find_x(char **av) {
 	}
 
 	dns_result = t_create(dbtype, dborigin, dbclass, dbcache, mctx, &db);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
 
 	dns_result = dns_db_load(db, dbfile);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_db_load returned %s\n",
 				dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -2482,11 +2453,11 @@ t_dns_db_find_x(char **av) {
 
 	dns_fixedname_init(&dns_findname);
 	len = strlen(findname);
-	isc_buffer_init(&findname_buffer, findname, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&findname_buffer, findname, len);
 	isc_buffer_add(&findname_buffer, len);
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_findname),
 				&findname_buffer, NULL, ISC_FALSE, NULL);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 			dns_result_totext(dns_result));
 		dns_db_detach(&db);
@@ -2497,7 +2468,7 @@ t_dns_db_find_x(char **av) {
 	textregion.base = findtype;
 	textregion.length = strlen(findtype);
 	dns_result = dns_rdatatype_fromtext(&rdatatype, &textregion);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdatatype_fromtext %s failed %s\n",
 				findtype,
 				dns_result_totext(dns_result));
@@ -2535,18 +2506,20 @@ t_dns_db_find_x(char **av) {
 			&rdataset, NULL);
 
 	if (dns_result != exp_result) {
-		t_info("dns_db_find %s %s unexpectedly returned %s, expected %s\n",
-				findname, findtype, dns_result_totext(dns_result),
-				dns_result_totext(exp_result));
+		t_info("dns_db_find %s %s unexpectedly returned %s, "
+		       "expected %s\n",
+		       findname, findtype, dns_result_totext(dns_result),
+		       dns_result_totext(exp_result));
 		result = T_FAIL;
 	}
 	else {
 		result = T_PASS;
 	}
 
-	if ((dns_result != DNS_R_NOTFOUND) && (dns_result != DNS_R_NXDOMAIN)) {
+	if ((dns_result != ISC_R_NOTFOUND) && (dns_result != DNS_R_NXDOMAIN)) {
 
-		if ((dns_result != DNS_R_NXRDATASET) && (dns_result != DNS_R_ZONECUT))
+		if ((dns_result != DNS_R_NXRRSET) &&
+		    (dns_result != DNS_R_ZONECUT))
 			if (dns_rdataset_isassociated(&rdataset))
 				dns_rdataset_disassociate(&rdataset);
 		dns_db_detachnode(db, &nodep);
@@ -2562,8 +2535,8 @@ t_dns_db_find_x(char **av) {
 
 static char *a15 =
 	"A call to dns_db_find(db, name, version, type, options, now, ...)  "
-	"finds the best match for 'name' and 'type' in version 'version' of 'db'.";
-
+	"finds the best match for 'name' and 'type' in version 'version' "
+	"of 'db'.";
 
 static void
 t15() {
@@ -2581,7 +2554,6 @@ static char *a16 =
 	"dns_db_find(db, name, version, type, options, now, ...)  "
 	"returns DNS_R_GLUE.";
 
-
 static void
 t16() {
 	int	result;
@@ -2591,12 +2563,10 @@ t16() {
 	t_result(result);
 }
 
-
 static char *a17 =
 	"A call to dns_db_find() returns DNS_R_DELEGATION when the data "
 	"requested is beneath a zone cut.";
 
-
 static void
 t17() {
 	int	result;
@@ -2606,12 +2576,10 @@ t17() {
 	t_result(result);
 }
 
-
 static char *a18 =
 	"A call to dns_db_find() returns DNS_R_ZONECUT when type is "
 	"dns_rdatatype_any and the desired node is a zone cut.";
 
-
 static void
 t18() {
 	int	result;
@@ -2621,7 +2589,6 @@ t18() {
 	t_result(result);
 }
 
-
 static char *a19 =
 	"A call to dns_db_find() returns DNS_R_DNAME when the data "
 	"requested is beneath a DNAME.";
@@ -2635,7 +2602,6 @@ t19() {
 	t_result(result);
 }
 
-
 static char *a20 =
 	"A call to dns_db_find() returns DNS_R_CNAME when the requested "
 	"rdataset was not found but there is a CNAME at the desired name.";
@@ -2663,7 +2629,7 @@ t21() {
 }
 
 static char *a22 =
-	"A call to dns_db_find() returns DNS_R_NXRDATASET when "
+	"A call to dns_db_find() returns DNS_R_NXRRSET when "
 	"the desired name exists, but the desired type does not.";
 
 static void
@@ -2675,10 +2641,9 @@ t22() {
 	t_result(result);
 }
 
-
 static char *a23 =
 	"When db is a cache database, a call to dns_db_find() "
-	"returns DNS_R_NOTFOUND when the desired name does not exist, "
+	"returns ISC_R_NOTFOUND when the desired name does not exist, "
 	"and no delegation could be found.";
 
 static void
@@ -2703,7 +2668,6 @@ t24() {
 	t_result(result);
 }
 
-
 testspec_t	T_testlist[] = {
 	{	t1,		"dns_db_load"		},
 	{	t2,		"dns_db_iscache"	},
@@ -2731,4 +2695,3 @@ testspec_t	T_testlist[] = {
 	{	t24,		"dns_db_find"		},
 	{	NULL,		NULL			}
 };
-
diff --git a/bin/tests/db_test.c b/bin/tests/db_test.c
index dc169663..21a9a6c3 100644
--- a/bin/tests/db_test.c
+++ b/bin/tests/db_test.c
@@ -21,34 +21,21 @@
 
 #include <config.h>
 
-#include <stddef.h>
 #include <stdlib.h>
-#include <string.h>
-#include <time.h>
 
-#include <isc/assertions.h>
 #include <isc/commandline.h>
-#include <isc/error.h>
-#include <isc/boolean.h>
-#include <isc/region.h>
-#include <isc/list.h>
+#include <isc/mem.h>
 #include <isc/time.h>
-#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
-#include <dns/types.h>
-#include <dns/result.h>
-#include <dns/name.h>
-#include <dns/fixedname.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatatype.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/compress.h>
 #include <dns/db.h>
 #include <dns/dbiterator.h>
 #include <dns/dbtable.h>
+#include <dns/fixedname.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/result.h>
 
 #define MAXHOLD			100
 #define MAXVERSIONS		100
@@ -96,11 +83,11 @@ print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset) {
 	isc_result_t result;
 	isc_region_t r;
 
-	isc_buffer_init(&text, t, sizeof t, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&text, t, sizeof(t));
 	result = dns_rdataset_totext(rdataset, name, ISC_FALSE, ISC_FALSE,
 				     &text);
-	isc_buffer_used(&text, &r);
-	if (result == DNS_R_SUCCESS)
+	isc_buffer_usedregion(&text, &r);
+	if (result == ISC_R_SUCCESS)
 		printf("%.*s", (int)r.length, (char *)r.base);
 	else
 		print_result("", result);
@@ -113,13 +100,13 @@ print_rdatasets(dns_name_t *name, dns_rdatasetiter_t *rdsiter) {
 
 	dns_rdataset_init(&rdataset);
 	result = dns_rdatasetiter_first(rdsiter);
-	while (result == DNS_R_SUCCESS) {
+	while (result == ISC_R_SUCCESS) {
 		dns_rdatasetiter_current(rdsiter, &rdataset);
 		print_rdataset(name, &rdataset);
 		dns_rdataset_disassociate(&rdataset);
 		result = dns_rdatasetiter_next(rdsiter);
 	}
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		print_result("", result);
 }
 
@@ -138,13 +125,13 @@ select_db(char *origintext) {
 		return (cache_dbi);
 	}
 	len = strlen(origintext);
-	isc_buffer_init(&source, origintext, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&source, origintext, len);
 	isc_buffer_add(&source, len);
 	dns_fixedname_init(&forigin);
 	origin = dns_fixedname_name(&forigin);
 	result = dns_name_fromtext(origin, &source, dns_rootname, ISC_FALSE,
 				   NULL);
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		print_result("bad name", result);
 		return (NULL);
 	}
@@ -187,11 +174,10 @@ list(dbinfo *dbi, char *seektext) {
 		
 		result = dns_db_createiterator(dbi->db, ISC_FALSE,
 					       &dbi->dbiterator);
-		if (result == DNS_R_SUCCESS) {
+		if (result == ISC_R_SUCCESS) {
 			if (seektext != NULL) {
 				len = strlen(seektext);
-				isc_buffer_init(&source, seektext, len,
-						ISC_BUFFERTYPE_TEXT);
+				isc_buffer_init(&source, seektext, len);
 				isc_buffer_add(&source, len);
 				dns_fixedname_init(&fseekname);
 				seekname = dns_fixedname_name(&fseekname);
@@ -210,18 +196,18 @@ list(dbinfo *dbi, char *seektext) {
 				result = dns_dbiterator_last(dbi->dbiterator);
 		}
 	} else
-		result = DNS_R_SUCCESS;
+		result = ISC_R_SUCCESS;
 
 	node = NULL;
 	rdsiter = NULL;
 	i = 0;
-	while (result == DNS_R_SUCCESS) {
+	while (result == ISC_R_SUCCESS) {
 		result = dns_dbiterator_current(dbi->dbiterator, &node, name);
-		if (result != DNS_R_SUCCESS && result != DNS_R_NEWORIGIN)
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
 			break;
 		result = dns_db_allrdatasets(dbi->db, node, dbi->iversion, 0,
 					     &rdsiter);
-		if (result != DNS_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS) {
 			dns_db_detachnode(dbi->db, &node);
 			break;
 		}
@@ -233,14 +219,14 @@ list(dbinfo *dbi, char *seektext) {
 		else
 			result = dns_dbiterator_prev(dbi->dbiterator);
 		i++;
-		if (result == DNS_R_SUCCESS && i == dbi->pause_every) {
+		if (result == ISC_R_SUCCESS && i == dbi->pause_every) {
 			printf("[more...]\n");
 			result = dns_dbiterator_pause(dbi->dbiterator);
-			if (result == DNS_R_SUCCESS)
+			if (result == ISC_R_SUCCESS)
 				return;
 		}
 	}
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		print_result("", result);
 
 	dns_dbiterator_destroy(&dbi->dbiterator);
@@ -260,7 +246,7 @@ load(char *filename, char *origintext, isc_boolean_t cache) {
 
 	dbi = isc_mem_get(mctx, sizeof *dbi);
 	if (dbi == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
 	dbi->db = NULL;
 	dbi->version = NULL;
@@ -276,25 +262,25 @@ load(char *filename, char *origintext, isc_boolean_t cache) {
 	dbi->ascending = ascending;
 	
 	len = strlen(origintext);
-	isc_buffer_init(&source, origintext, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&source, origintext, len);
 	isc_buffer_add(&source, len);
 	dns_fixedname_init(&forigin);
 	origin = dns_fixedname_name(&forigin);
 	result = dns_name_fromtext(origin, &source, dns_rootname, ISC_FALSE,
 				   NULL);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 
 	result = dns_db_create(mctx, dbtype, origin, cache, dns_rdataclass_in,
 			       0, NULL, &dbi->db);
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		isc_mem_put(mctx, dbi, sizeof *dbi);
 		return (result);
 	}
 
 	printf("loading %s (%s)\n", filename, origintext);
 	result = dns_db_load(dbi->db, filename);
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		dns_db_detach(&dbi->db);
 		isc_mem_put(mctx, dbi, sizeof *dbi);
 		return (result);
@@ -306,7 +292,7 @@ load(char *filename, char *origintext, isc_boolean_t cache) {
 		dns_dbtable_adddefault(dbtable, dbi->db);
 		cache_dbi = dbi;
 	} else {
-		if (dns_dbtable_add(dbtable, dbi->db) != DNS_R_SUCCESS) {
+		if (dns_dbtable_add(dbtable, dbi->db) != ISC_R_SUCCESS) {
 			dns_db_detach(&dbi->db);
 			isc_mem_put(mctx, dbi, sizeof *dbi);
 			return (result);
@@ -314,7 +300,7 @@ load(char *filename, char *origintext, isc_boolean_t cache) {
 	}
 	ISC_LIST_APPEND(dbs, dbi, link);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static void
@@ -365,6 +351,8 @@ main(int argc, char *argv[]) {
 	isc_boolean_t quiet = ISC_FALSE;
 	isc_boolean_t time_lookups = ISC_FALSE;
 	isc_boolean_t found_as;
+	isc_boolean_t find_zonecut = ISC_FALSE;
+	isc_boolean_t noexact_zonecut = ISC_FALSE;
 	int i, v;
 	dns_rdatasetiter_t *rdsiter;
 	char t1[256];
@@ -373,7 +361,7 @@ main(int argc, char *argv[]) {
 	isc_region_t r1, r2;
 	dns_fixedname_t foundname;
 	dns_name_t *fname;
-	unsigned int options = 0;
+	unsigned int options = 0, zcoptions;
 	isc_time_t start, finish;
 	char *origintext;
 	dbinfo *dbi;
@@ -387,7 +375,7 @@ main(int argc, char *argv[]) {
 
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 	RUNTIME_CHECK(dns_dbtable_create(mctx, dns_rdataclass_in, &dbtable) ==
-		      DNS_R_SUCCESS);
+		      ISC_R_SUCCESS);
 
 	strcpy(dbtype, "rbt");
 	while ((ch = isc_commandline_parse(argc, argv, "c:d:t:z:P:Q:gpqvT"))
@@ -395,7 +383,7 @@ main(int argc, char *argv[]) {
 		switch (ch) {
 		case 'c':
 			result = load(isc_commandline_argument, ".", ISC_TRUE);
-			if (result != DNS_R_SUCCESS)
+			if (result != ISC_R_SUCCESS)
 				printf("cache load(%s) %08x: %s\n",
 				       isc_commandline_argument, result,
 				       isc_result_totext(result));
@@ -437,7 +425,7 @@ main(int argc, char *argv[]) {
 				origintext++;	/* Skip '/'. */
 			result = load(isc_commandline_argument, origintext,
 				      ISC_FALSE);
-			if (result != DNS_R_SUCCESS)
+			if (result != ISC_R_SUCCESS)
 				printf("zone load(%s) %08x: %s\n",
 				       isc_commandline_argument, result,
 				       isc_result_totext(result));
@@ -507,7 +495,7 @@ main(int argc, char *argv[]) {
 				continue;
 			}
 			result = dns_db_newversion(dbi->db, &dbi->wversion);
-			if (result != DNS_R_SUCCESS)
+			if (result != ISC_R_SUCCESS)
 				print_result("", result);
 			else
 				printf("newversion\n");
@@ -661,7 +649,7 @@ main(int argc, char *argv[]) {
 		} else if (strstr(s, "!DU ") == s) {
 			DBI_CHECK(dbi);
 			result = dns_db_dump(dbi->db, dbi->version, s+4);
-			if (result != DNS_R_SUCCESS) {
+			if (result != ISC_R_SUCCESS) {
 				printf("\n");
 				print_result("", result);
 			}
@@ -710,22 +698,42 @@ main(int argc, char *argv[]) {
 				       "now searching all databases\n");
 			}
 			continue;
+		} else if (strcmp(s, "!ZC") == 0) {
+			if (find_zonecut)
+				find_zonecut = ISC_FALSE;
+			else
+				find_zonecut = ISC_TRUE;
+			printf("find_zonecut = %s\n",
+			       find_zonecut ? "TRUE" : "FALSE");
+			continue;
+		} else if (strcmp(s, "!NZ") == 0) {
+			if (noexact_zonecut)
+				noexact_zonecut = ISC_FALSE;
+			else
+				noexact_zonecut = ISC_TRUE;
+			printf("noexact_zonecut = %s\n",
+			       noexact_zonecut ? "TRUE" : "FALSE");
+			continue;
 		}
 
-		isc_buffer_init(&source, s, len, ISC_BUFFERTYPE_TEXT);
+		isc_buffer_init(&source, s, len);
 		isc_buffer_add(&source, len);
-		isc_buffer_init(&target, b, sizeof b, ISC_BUFFERTYPE_BINARY);
+		isc_buffer_init(&target, b, sizeof(b));
 		result = dns_name_fromtext(&name, &source, origin,
 					   ISC_FALSE, &target);
-		if (result != DNS_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS) {
 			print_result("bad name: ", result);
 			continue;
 		}
 
 		if (dbi == NULL) {
+			zcoptions = 0;
+			if (noexact_zonecut)
+				zcoptions |= DNS_DBTABLEFIND_NOEXACT;
 			db = NULL;
-			result = dns_dbtable_find(dbtable, &name, &db);
-			if (result != DNS_R_SUCCESS &&
+			result = dns_dbtable_find(dbtable, &name, zcoptions,
+						  &db);
+			if (result != ISC_R_SUCCESS &&
 			    result != DNS_R_PARTIALMATCH) {
 				if (!quiet) {
 					printf("\n");
@@ -733,17 +741,16 @@ main(int argc, char *argv[]) {
 				}
 				continue;
 			}
-			isc_buffer_init(&tb1, t1, sizeof t1,
-					ISC_BUFFERTYPE_TEXT);
+			isc_buffer_init(&tb1, t1, sizeof(t1));
 			result = dns_name_totext(dns_db_origin(db), ISC_FALSE,
 						 &tb1);
-			if (result != DNS_R_SUCCESS) {
+			if (result != ISC_R_SUCCESS) {
 				printf("\n");
 				print_result("", result);
 				dns_db_detach(&db);
 				continue;
 			}
-			isc_buffer_used(&tb1, &r1);
+			isc_buffer_usedregion(&tb1, &r1);
 			printf("\ndatabase = %.*s (%s)\n",
 			       (int)r1.length, r1.base,
 			       (dns_db_iszone(db)) ? "zone" : "cache");
@@ -751,8 +758,20 @@ main(int argc, char *argv[]) {
 		node = NULL;
 		dns_rdataset_init(&rdataset);
 		dns_rdataset_init(&sigrdataset);
-		result = dns_db_find(db, &name, version, type, options, 0,
-				     &node, fname, &rdataset, &sigrdataset);
+
+		if (find_zonecut && dns_db_iscache(db)) {
+			zcoptions = options;
+			if (noexact_zonecut)
+				zcoptions |= DNS_DBFIND_NOEXACT;
+			result = dns_db_findzonecut(db, &name, zcoptions,
+						    0, &node, fname,
+						    &rdataset, &sigrdataset);
+		} else {
+			result = dns_db_find(db, &name, version, type,
+					     options, 0, &node, fname,
+					     &rdataset, &sigrdataset);
+		}
+
 		if (!quiet) {
 			if (dbi != NULL)
 				printf("\n");
@@ -761,7 +780,7 @@ main(int argc, char *argv[]) {
 
 		found_as = ISC_FALSE;
 		switch (result) {
-		case DNS_R_SUCCESS:
+		case ISC_R_SUCCESS:
 		case DNS_R_GLUE:
 		case DNS_R_CNAME:
 		case DNS_R_ZONECUT:
@@ -770,7 +789,7 @@ main(int argc, char *argv[]) {
 		case DNS_R_DELEGATION:
 			found_as = ISC_TRUE;
 			break;
-		case DNS_R_NXRDATASET:
+		case DNS_R_NXRRSET:
 			if (dns_rdataset_isassociated(&rdataset))
 				break;
 			if (dbi != NULL) {
@@ -799,12 +818,10 @@ main(int argc, char *argv[]) {
 			continue;
 		}
 		if (found_as && !quiet) {
-			isc_buffer_init(&tb1, t1, sizeof t1,
-					ISC_BUFFERTYPE_TEXT);
-			isc_buffer_init(&tb2, t2, sizeof t2,
-					ISC_BUFFERTYPE_TEXT);
+			isc_buffer_init(&tb1, t1, sizeof(t1));
+			isc_buffer_init(&tb2, t2, sizeof(t2));
 			result = dns_name_totext(&name, ISC_FALSE, &tb1);
-			if (result != DNS_R_SUCCESS) {
+			if (result != ISC_R_SUCCESS) {
 				print_result("", result);
 				dns_db_detachnode(db, &node);
 				if (dbi == NULL)
@@ -812,15 +829,15 @@ main(int argc, char *argv[]) {
 				continue;
 			}
 			result = dns_name_totext(fname, ISC_FALSE, &tb2);
-			if (result != DNS_R_SUCCESS) {
+			if (result != ISC_R_SUCCESS) {
 				print_result("", result);
 				dns_db_detachnode(db, &node);
 				if (dbi == NULL)
 					dns_db_detach(&db);
 				continue;
 			}
-			isc_buffer_used(&tb1, &r1);
-			isc_buffer_used(&tb2, &r2);
+			isc_buffer_usedregion(&tb1, &r1);
+			isc_buffer_usedregion(&tb2, &r2);
 			printf("found %.*s as %.*s\n",
 			       (int)r1.length, r1.base,
 			       (int)r2.length, r2.base);
@@ -833,7 +850,7 @@ main(int argc, char *argv[]) {
 			rdsiter = NULL;
 			result = dns_db_allrdatasets(db, node, version, 0,
 						     &rdsiter);
-			if (result == DNS_R_SUCCESS) {
+			if (result == ISC_R_SUCCESS) {
 				if (!quiet)
 					print_rdatasets(fname, rdsiter);
 				dns_rdatasetiter_destroy(&rdsiter);
@@ -857,7 +874,7 @@ main(int argc, char *argv[]) {
 				result = dns_db_addrdataset(db, node, version,
 							    0, &rdataset,
 							    addopts, NULL);
-				if (result != DNS_R_SUCCESS)
+				if (result != ISC_R_SUCCESS)
 					print_result("", result);
 				if (printnode)
 					dns_db_printnode(db, node, stdout);
@@ -865,7 +882,7 @@ main(int argc, char *argv[]) {
 				result = dns_db_deleterdataset(db, node,
 							       version, type,
 							       0);
-				if (result != DNS_R_SUCCESS)
+				if (result != ISC_R_SUCCESS)
 					print_result("", result);
 				if (printnode)
 					dns_db_printnode(db, node, stdout);
diff --git a/bin/tests/dispatch_tcp_test.c b/bin/tests/dispatch_tcp_test.c
index 67a1ccdc..158315b8 100644
--- a/bin/tests/dispatch_tcp_test.c
+++ b/bin/tests/dispatch_tcp_test.c
@@ -17,39 +17,29 @@
 
 #include <config.h>
 
-#include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
-#include <string.h>
-
-#include <sys/types.h>
 
 #include <isc/app.h>
-#include <isc/assertions.h>
-#include <isc/error.h>
+#include <isc/log.h>
 #include <isc/mem.h>
-#include <isc/net.h>
+#include <isc/string.h>
 #include <isc/task.h>
-#include <isc/thread.h>
-#include <isc/result.h>
-#include <isc/socket.h>
-#include <isc/timer.h>
+#include <isc/util.h>
 
 #include <dns/dispatch.h>
+#include <dns/log.h>
 #include <dns/message.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatatype.h>
-
-#include "printmsg.h"
+#include <dns/result.h>
 
 isc_mem_t *mctx;
-isc_taskmgr_t *manager;
+isc_taskmgr_t *taskmgr;
 isc_socketmgr_t *socketmgr;
+dns_dispatchmgr_t *dispatchmgr;
 dns_dispatch_t *disp;
-isc_task_t *t0, *t1, *t2;
+isc_task_t *t0;
 isc_buffer_t render;
 unsigned char render_buffer[1024];
 dns_rdataset_t rdataset;
@@ -63,13 +53,32 @@ static inline void CHECKRESULT(isc_result_t, char *);
 void send_done(isc_task_t *, isc_event_t *);
 void hex_dump(isc_buffer_t *);
 
+static isc_result_t
+printmsg(dns_message_t *msg, FILE *out) {
+	unsigned char text[8192];
+	isc_buffer_t textbuf;
+	int result;
+
+	isc_buffer_init(&textbuf, text, sizeof text);
+	result = dns_message_totext(msg, ISC_TRUE, ISC_TRUE,
+				    ISC_FALSE, &textbuf);
+
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	fprintf(out, "msg:\n%*s\n",
+		isc_buffer_usedlength(&textbuf),
+		isc_buffer_base(&textbuf));
+
+	return (ISC_R_SUCCESS);
+}
+
 void
-hex_dump(isc_buffer_t *b)
-{
+hex_dump(isc_buffer_t *b) {
 	unsigned int len;
 	isc_region_t r;
 
-	isc_buffer_remaining(b, &r);
+	isc_buffer_remainingregion(b, &r);
 
 	printf("Buffer %p (%p, %d):  used region base %p, length %d",
 	       b, b->base, b->length, r.base, r.length);
@@ -82,9 +91,8 @@ hex_dump(isc_buffer_t *b)
 }
 
 static inline void
-CHECKRESULT(isc_result_t result, char *msg)
-{
-	if (result != DNS_R_SUCCESS) {
+CHECKRESULT(isc_result_t result, char *msg) {
+	if (result != ISC_R_SUCCESS) {
 		printf("%s: %s\n", msg, isc_result_totext(result));
 
 		exit(1);
@@ -92,10 +100,10 @@ CHECKRESULT(isc_result_t result, char *msg)
 }
 
 void
-my_accept(isc_task_t *task, isc_event_t *ev_in)
-{
+my_accept(isc_task_t *task, isc_event_t *ev_in) {
 	isc_socket_newconnev_t *ev = (isc_socket_newconnev_t *)ev_in;
 	dns_dispentry_t *resp;
+	unsigned int attrs;
 
 	if (ev->result != ISC_R_SUCCESS) {
 		isc_event_free(&ev_in);
@@ -105,9 +113,13 @@ my_accept(isc_task_t *task, isc_event_t *ev_in)
 	/*
 	 * Create a dispatch context
 	 */
+	attrs = 0;
+	attrs |= DNS_DISPATCHATTR_IPV4;
+	attrs |= DNS_DISPATCHATTR_TCP;
 	disp = NULL;
-	RUNTIME_CHECK(dns_dispatch_create(mctx, ev->newsocket, task,
-					  512, 6, 1024, 17, 19, NULL, &disp)
+	RUNTIME_CHECK(dns_dispatch_createtcp(dispatchmgr, ev->newsocket,
+					     taskmgr, 4096, 64, 1024,
+					     17, 19, attrs, &disp)
 		      == ISC_R_SUCCESS);
 
 	resp = NULL;
@@ -121,10 +133,9 @@ my_accept(isc_task_t *task, isc_event_t *ev_in)
 }
 
 void
-send_done(isc_task_t *task, isc_event_t *ev_in)
-{
+send_done(isc_task_t *task, isc_event_t *ev_in) {
 	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
-	dns_dispentry_t *resp = (dns_dispentry_t *)ev_in->arg;
+	dns_dispentry_t *resp = (dns_dispentry_t *)ev_in->ev_arg;
 
 	(void)task;
 
@@ -139,13 +150,12 @@ send_done(isc_task_t *task, isc_event_t *ev_in)
 	isc_event_free(&ev_in);
 
 	printf("--- removing response (FAILURE)\n");
-	dns_dispatch_removeresponse(disp, &resp, NULL);
+	dns_dispatch_removeresponse(&resp, NULL);
 	isc_app_shutdown();
 }
 
 void
-start_response(void)
-{
+start_response(void) {
 	dns_dispentry_t *resp;
 	dns_messageid_t id;
 	isc_sockaddr_t from;
@@ -159,12 +169,10 @@ start_response(void)
 
 #define QUESTION "flame.org."
 
-	isc_buffer_init(&source, QUESTION, strlen(QUESTION),
-			ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&source, QUESTION, strlen(QUESTION));
 	isc_buffer_add(&source, strlen(QUESTION));
 	isc_buffer_setactive(&source, strlen(QUESTION));
-	isc_buffer_init(&target, namebuf, sizeof(namebuf),
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&target, namebuf, sizeof(namebuf));
 
 	memset(&from, 0, sizeof(from));
 	from.length = sizeof(struct sockaddr_in);
@@ -202,11 +210,10 @@ start_response(void)
 
 	ISC_LIST_APPEND(name->list, &rdataset, link);
 
-	result = printmessage(msg);
-	CHECKRESULT(result, "printmessage()");
+	result = printmsg(msg, stderr);
+	CHECKRESULT(result, "printmsg()");
 
-	isc_buffer_init(&render, render_buffer, sizeof(render_buffer),
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&render, render_buffer, sizeof(render_buffer));
 	result = dns_message_renderbegin(msg, &render);
 	CHECKRESULT(result, "dns_message_renderbegin()");
 
@@ -226,7 +233,7 @@ start_response(void)
 
 	printf("--- adding response\n");
 	resp = NULL;
-	result = dns_dispatch_addresponse(disp, &from, t2, got_response, NULL,
+	result = dns_dispatch_addresponse(disp, &from, t0, got_response, NULL,
 					  &id, &resp);
 	CHECKRESULT(result, "dns_dispatch_addresponse");
 
@@ -242,17 +249,16 @@ start_response(void)
 
 	dns_message_destroy(&msg);
 
-	isc_buffer_used(&render, &region);
+	isc_buffer_usedregion(&render, &region);
 	result = isc_socket_send(dns_dispatch_getsocket(disp), &region,
-				   t2, send_done, resp);
+				 t0, send_done, resp);
 	CHECKRESULT(result, "isc_socket_send()");
 }
 
 void
-got_response(isc_task_t *task, isc_event_t *ev_in)
-{
+got_response(isc_task_t *task, isc_event_t *ev_in) {
 	dns_dispatchevent_t *ev = (dns_dispatchevent_t *)ev_in;
-	dns_dispentry_t *resp = ev->sender;
+	dns_dispentry_t *resp = ev->ev_sender;
 	dns_message_t *msg;
 	isc_result_t result;
 
@@ -268,22 +274,21 @@ got_response(isc_task_t *task, isc_event_t *ev_in)
 	result = dns_message_parse(msg, &ev->buffer, ISC_FALSE);
 	CHECKRESULT(result, "dns_message_parse() failed");
 
-	result = printmessage(msg);
-	CHECKRESULT(result, "printmessage() failed");
+	result = printmsg(msg, stderr);
+	CHECKRESULT(result, "printmsg() failed");
 
 	dns_message_destroy(&msg);
 
 	printf("--- removing response\n");
-	dns_dispatch_removeresponse(disp, &resp, &ev);
+	dns_dispatch_removeresponse(&resp, &ev);
 
 	isc_app_shutdown();
 }
 
 void
-got_request(isc_task_t *task, isc_event_t *ev_in)
-{
+got_request(isc_task_t *task, isc_event_t *ev_in) {
 	dns_dispatchevent_t *ev = (dns_dispatchevent_t *)ev_in;
-	dns_dispentry_t *resp = ev->sender;
+	dns_dispentry_t *resp = ev->ev_sender;
 	static int cnt = 0;
 	dns_message_t *msg;
 	isc_result_t result;
@@ -291,9 +296,9 @@ got_request(isc_task_t *task, isc_event_t *ev_in)
 	printf("App:  Got request.  Result: %s\n",
 	       isc_result_totext(ev->result));
 
-	if (ev->result != DNS_R_SUCCESS) {
+	if (ev->result != ISC_R_SUCCESS) {
 		printf("Got error, terminating application\n");
-		dns_dispatch_removerequest(disp, &resp, &ev);
+		dns_dispatch_removerequest(&resp, &ev);
 		dns_dispatch_detach(&disp);
 		isc_app_shutdown();
 		return;
@@ -308,8 +313,8 @@ got_request(isc_task_t *task, isc_event_t *ev_in)
 	result = dns_message_parse(msg, &ev->buffer, ISC_FALSE);
 	CHECKRESULT(result, "dns_message_parse() failed");
 
-	result = printmessage(msg);
-	CHECKRESULT(result, "printmessage() failed");
+	result = printmsg(msg, stderr);
+	CHECKRESULT(result, "printmsg() failed");
 
 	dns_message_destroy(&msg);
 
@@ -320,18 +325,18 @@ got_request(isc_task_t *task, isc_event_t *ev_in)
 	switch (cnt) {
 	case 6:
 		printf("--- removing request\n");
-		dns_dispatch_removerequest(disp, &resp, &ev);
+		dns_dispatch_removerequest(&resp, &ev);
 		dns_dispatch_detach(&disp);
 		isc_app_shutdown();
 		break;
 		
 	case 3:
 		printf("--- removing request\n");
-		dns_dispatch_removerequest(disp, &resp, &ev);
+		dns_dispatch_removerequest(&resp, &ev);
 		printf("--- adding request\n");
 		RUNTIME_CHECK(dns_dispatch_addrequest(disp, task, got_request,
 						      NULL, &resp)
-			      == DNS_R_SUCCESS);
+			      == ISC_R_SUCCESS);
 		break;
 
 	default:
@@ -341,8 +346,7 @@ got_request(isc_task_t *task, isc_event_t *ev_in)
 }
 
 int
-main(int argc, char *argv[])
-{
+main(int argc, char *argv[]) {
 	isc_socket_t *s0;
 	isc_sockaddr_t sockaddr;
 
@@ -362,20 +366,20 @@ main(int argc, char *argv[])
 	/*
 	 * The task manager is independent (other than memory context)
 	 */
-	manager = NULL;
-	RUNTIME_CHECK(isc_taskmgr_create(mctx, 5, 0, &manager) ==
+	taskmgr = NULL;
+	RUNTIME_CHECK(isc_taskmgr_create(mctx, 5, 0, &taskmgr) ==
 		      ISC_R_SUCCESS);
 
 	t0 = NULL;
-	RUNTIME_CHECK(isc_task_create(manager, NULL, 0, &t0) == ISC_R_SUCCESS);
-	t1 = NULL;
-	RUNTIME_CHECK(isc_task_create(manager, NULL, 0, &t1) == ISC_R_SUCCESS);
-	t2 = NULL;
-	RUNTIME_CHECK(isc_task_create(manager, NULL, 0, &t2) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &t0) == ISC_R_SUCCESS);
 
 	socketmgr = NULL;
 	RUNTIME_CHECK(isc_socketmgr_create(mctx, &socketmgr) == ISC_R_SUCCESS);
 
+	dispatchmgr = NULL;
+	RUNTIME_CHECK(dns_dispatchmgr_create(mctx, &dispatchmgr)
+		      == ISC_R_SUCCESS);
+
 	/*
 	 * Open up a random socket.  Who cares where.
 	 */
@@ -389,28 +393,52 @@ main(int argc, char *argv[])
 		      ISC_R_SUCCESS);
 	RUNTIME_CHECK(isc_socket_bind(s0, &sockaddr) == ISC_R_SUCCESS);
 	RUNTIME_CHECK(isc_socket_listen(s0, 0) == ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc_socket_accept(s0, t1, my_accept, NULL)
+	RUNTIME_CHECK(isc_socket_accept(s0, t0, my_accept, NULL)
 		      == ISC_R_SUCCESS);
 
 	isc_app_run();
 
 	isc_socket_detach(&s0);
 
+	fprintf(stderr, "canceling dispatcher\n");
+	isc_mem_stats(mctx, stderr);
+	sleep(2);
+	dns_dispatch_cancel(disp);
+
+	INSIST(disp != NULL);
+	fprintf(stderr, "detaching from dispatcher\n");
+	isc_mem_stats(mctx, stderr);
+	sleep(2);
+	dns_dispatch_detach(&disp);
+
+	fprintf(stderr, "destroying dispatch manager\n");
+	isc_mem_stats(mctx, stderr);
+	sleep(2);
+	dns_dispatchmgr_destroy(&dispatchmgr);
+
 	fprintf(stderr, "Destroying socket manager\n");
+	isc_mem_stats(mctx, stderr);
+	sleep(2);
 	isc_socketmgr_destroy(&socketmgr);
 
 	isc_task_shutdown(t0);
 	isc_task_detach(&t0);
-	isc_task_shutdown(t1);
-	isc_task_detach(&t1);
-	isc_task_shutdown(t2);
-	isc_task_detach(&t2);
 
 	fprintf(stderr, "Destroying task manager\n");
-	isc_taskmgr_destroy(&manager);
+	isc_mem_stats(mctx, stderr);
+	sleep(2);
+	isc_taskmgr_destroy(&taskmgr);
+
+	isc_app_finish();
+
+#if 0
+	isc_log_destroy(&log);
+	sleep(2);
+#endif
 
 	isc_mem_stats(mctx, stderr);
-	isc_mem_destroy(&mctx);
+	fflush(stderr);
+	isc_mem_detach(&mctx);
 
 	isc_app_finish();
 
diff --git a/bin/tests/dispatch_test.c b/bin/tests/dispatch_test.c
index 1216192d..52593978 100644
--- a/bin/tests/dispatch_test.c
+++ b/bin/tests/dispatch_test.c
@@ -17,67 +17,75 @@
 
 #include <config.h>
 
-#include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
-#include <string.h>
-
-#include <sys/types.h>
 
 #include <isc/app.h>
-#include <isc/assertions.h>
-#include <isc/error.h>
+#include <isc/log.h>
 #include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/net.h>
+#include <isc/string.h>
 #include <isc/task.h>
-#include <isc/thread.h>
-#include <isc/result.h>
-#include <isc/socket.h>
-#include <isc/timer.h>
+#include <isc/util.h>
 
 #include <dns/dispatch.h>
+#include <dns/log.h>
 #include <dns/message.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatatype.h>
+#include <dns/result.h>
 
-#include "printmsg.h"
+#define NCLIENTS	16
 
 typedef struct {
+	unsigned int client_number;
 	int count;
+	dns_dispentry_t *resp;
 	isc_buffer_t render;
 	unsigned char render_buffer[1024];
-	dns_rdataset_t rdataset;
-	dns_rdatalist_t rdatalist;
-	dns_dispentry_t *resp;
 } clictx_t;
 
 isc_mem_t *mctx;
-isc_taskmgr_t *manager;
+isc_taskmgr_t *taskmgr;
 isc_socketmgr_t *socketmgr;
+dns_dispatchmgr_t *dispatchmgr;
 dns_dispatch_t *disp;
-isc_task_t *t0, *t1, *t2;
-clictx_t clients[16];  /* lots of things might want to use this */
+isc_task_t *t0;
+clictx_t clients[NCLIENTS];  /* Lots of things might want to use this. */
 unsigned int client_count = 0;
 isc_mutex_t client_lock;
 
-void got_request(isc_task_t *, isc_event_t *);
-void got_response(isc_task_t *, isc_event_t *);
-void start_response(clictx_t *, char *, isc_task_t *);
-static inline void CHECKRESULT(isc_result_t, char *);
-void send_done(isc_task_t *, isc_event_t *);
-void hex_dump(isc_buffer_t *);
-
+/*
+ * Forward declarations.
+ */
 void
-hex_dump(isc_buffer_t *b)
-{
+got_response(isc_task_t *, isc_event_t *);
+
+static isc_result_t
+printmsg(dns_message_t *msg, FILE *out) {
+	unsigned char text[8192];
+	isc_buffer_t textbuf;
+	int result;
+
+	isc_buffer_init(&textbuf, text, sizeof text);
+	result = dns_message_totext(msg, ISC_TRUE, ISC_TRUE,
+				    ISC_FALSE, &textbuf);
+
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	fprintf(out, "msg:\n%*s\n",
+		isc_buffer_usedlength(&textbuf),
+		isc_buffer_base(&textbuf));
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+hex_dump(isc_buffer_t *b) {
 	unsigned int len;
 	isc_region_t r;
 
-	isc_buffer_remaining(b, &r);
+	isc_buffer_remainingregion(b, &r);
 
 	printf("Buffer %p:  used region base %p, length %d",
 	       b, r.base, r.length);
@@ -90,20 +98,18 @@ hex_dump(isc_buffer_t *b)
 }
 
 static inline void
-CHECKRESULT(isc_result_t result, char *msg)
-{
-	if (result != DNS_R_SUCCESS) {
+CHECKRESULT(isc_result_t result, char *msg) {
+	if (result != ISC_R_SUCCESS) {
 		printf("%s: %s\n", msg, isc_result_totext(result));
 
 		exit(1);
 	}
 }
 
-void
-send_done(isc_task_t *task, isc_event_t *ev_in)
-{
+static void
+send_done(isc_task_t *task, isc_event_t *ev_in) {
 	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
-	clictx_t *cli = (clictx_t *)ev_in->arg;
+	clictx_t *cli = (clictx_t *)ev_in->ev_arg;
 
 	(void)task;
 
@@ -118,14 +124,12 @@ send_done(isc_task_t *task, isc_event_t *ev_in)
 	isc_event_free(&ev_in);
 
 	printf("--- removing response (FAILURE)\n");
-	dns_dispatch_removeresponse(disp, &cli->resp, NULL);
+	dns_dispatch_removeresponse(&cli->resp, NULL);
 	isc_app_shutdown();
 }
 
-
-void
-start_response(clictx_t *cli, char *query, isc_task_t *task)
-{
+static void
+start_response(clictx_t *cli, char *query, isc_task_t *task) {
 	dns_messageid_t id;
 	isc_sockaddr_t from;
 	dns_message_t *msg;
@@ -135,12 +139,13 @@ start_response(clictx_t *cli, char *query, isc_task_t *task)
 	isc_buffer_t target;
 	isc_buffer_t source;
 	isc_region_t region;
+	dns_rdataset_t *rdataset;
+	dns_rdatalist_t *rdatalist;
 
-	isc_buffer_init(&source, query, strlen(query), ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&source, query, strlen(query));
 	isc_buffer_add(&source, strlen(query));
 	isc_buffer_setactive(&source, strlen(query));
-	isc_buffer_init(&target, namebuf, sizeof(namebuf),
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&target, namebuf, sizeof(namebuf));
 
 	memset(&from, 0, sizeof(from));
 	from.length = sizeof(struct sockaddr_in);
@@ -167,27 +172,37 @@ start_response(clictx_t *cli, char *query, isc_task_t *task)
 
 	dns_message_addname(msg, name, DNS_SECTION_QUESTION);
 
-	cli->rdatalist.rdclass = dns_rdataclass_in;
-	cli->rdatalist.type = dns_rdatatype_a;
-	cli->rdatalist.ttl = 0;
-	ISC_LIST_INIT(cli->rdatalist.rdata);
+	rdataset = NULL;
+	result = dns_message_gettemprdataset(msg, &rdataset);
+	CHECKRESULT(result, "dns_message_gettemprdataset()");
+
+	rdatalist = NULL;
+	result = dns_message_gettemprdatalist(msg, &rdatalist);
+	CHECKRESULT(result, "dns_message_gettemprdatalist()");
 
-	dns_rdataset_init(&cli->rdataset);
-	result = dns_rdatalist_tordataset(&cli->rdatalist, &cli->rdataset);
+	dns_rdatalist_init(rdatalist);
+	rdatalist->rdclass = dns_rdataclass_in;
+	rdatalist->type = dns_rdatatype_a;
+	rdatalist->ttl = 0;
+	ISC_LIST_INIT(rdatalist->rdata);
+
+	dns_rdataset_init(rdataset);
+	result = dns_rdatalist_tordataset(rdatalist, rdataset);
 	CHECKRESULT(result, "dns_rdatalist_tordataset()");
+	rdataset->attributes |= DNS_RDATASETATTR_QUESTION;
 
-	ISC_LIST_APPEND(name->list, &cli->rdataset, link);
+	ISC_LIST_APPEND(name->list, rdataset, link);
+	rdataset = NULL;
+	rdatalist = NULL;
 
-	result = printmessage(msg);
-	CHECKRESULT(result, "printmessage()");
+	result = printmsg(msg, stderr);
+	CHECKRESULT(result, "printmsg() failed");
 
 	isc_buffer_init(&cli->render, cli->render_buffer,
-			sizeof(cli->render_buffer), ISC_BUFFERTYPE_BINARY);
+			sizeof(cli->render_buffer));
 	result = dns_message_renderbegin(msg, &cli->render);
 	CHECKRESULT(result, "dns_message_renderbegin()");
 
-	cli->rdataset.attributes |= DNS_RDATASETATTR_QUESTION;
-
 	result = dns_message_rendersection(msg, DNS_SECTION_QUESTION, 0);
 	CHECKRESULT(result, "dns_message_rendersection(QUESTION)");
 
@@ -221,17 +236,16 @@ start_response(clictx_t *cli, char *query, isc_task_t *task)
 
 	dns_message_destroy(&msg);
 
-	isc_buffer_used(&cli->render, &region);
+	isc_buffer_usedregion(&cli->render, &region);
 	result = isc_socket_sendto(dns_dispatch_getsocket(disp), &region,
 				   task, send_done, cli->resp, &from, NULL);
 	CHECKRESULT(result, "isc_socket_sendto()");
 }
 
 void
-got_response(isc_task_t *task, isc_event_t *ev_in)
-{
+got_response(isc_task_t *task, isc_event_t *ev_in) {
 	dns_dispatchevent_t *ev = (dns_dispatchevent_t *)ev_in;
-	dns_dispentry_t *resp = ev->sender;
+	dns_dispentry_t *resp = ev->ev_sender;
 	dns_message_t *msg;
 	isc_result_t result;
 	unsigned int cnt;
@@ -246,7 +260,7 @@ got_response(isc_task_t *task, isc_event_t *ev_in)
 		printf("--- shutting down dispatcher\n");
 		dns_dispatch_cancel(disp);
 		printf("--- removing response\n");
-		dns_dispatch_removeresponse(disp, &resp, &ev);
+		dns_dispatch_removeresponse(&resp, &ev);
 		RUNTIME_CHECK(isc_mutex_lock(&client_lock) == ISC_R_SUCCESS);
 		INSIST(client_count > 0);
 		client_count--;
@@ -264,15 +278,15 @@ got_response(isc_task_t *task, isc_event_t *ev_in)
 	result = dns_message_parse(msg, &ev->buffer, ISC_FALSE);
 	CHECKRESULT(result, "dns_message_parse() failed");
 
-	result = printmessage(msg);
-	CHECKRESULT(result, "printmessage() failed");
+	result = printmsg(msg, stderr);
+	CHECKRESULT(result, "printmsg() failed");
 
 	dns_message_destroy(&msg);
 
 	printf("--- shutting down dispatcher\n");
 	dns_dispatch_cancel(disp);
 	printf("--- removing response\n");
-	dns_dispatch_removeresponse(disp, &resp, &ev);
+	dns_dispatch_removeresponse(&resp, &ev);
 	RUNTIME_CHECK(isc_mutex_lock(&client_lock) == ISC_R_SUCCESS);
 	INSIST(client_count > 0);
 	client_count--;
@@ -282,11 +296,10 @@ got_response(isc_task_t *task, isc_event_t *ev_in)
 		isc_app_shutdown();
 }
 
-void
-got_request(isc_task_t *task, isc_event_t *ev_in)
-{
+static void
+got_request(isc_task_t *task, isc_event_t *ev_in) {
 	dns_dispatchevent_t *ev = (dns_dispatchevent_t *)ev_in;
-	clictx_t *cli = (clictx_t *)ev_in->arg;
+	clictx_t *cli = (clictx_t *)ev_in->ev_arg;
 	dns_message_t *msg;
 	isc_result_t result;
 	unsigned int cnt;
@@ -294,11 +307,11 @@ got_request(isc_task_t *task, isc_event_t *ev_in)
 	printf("App:  Got request.  Result: %s\n",
 	       isc_result_totext(ev->result));
 
-	if (ev->result != DNS_R_SUCCESS) {
+	if (ev->result != ISC_R_SUCCESS) {
 		RUNTIME_CHECK(isc_mutex_lock(&client_lock) == ISC_R_SUCCESS);
 		printf("Got error, terminating CLIENT %p resp %p\n",
 		       cli, cli->resp);
-		dns_dispatch_removerequest(disp, &cli->resp, &ev);
+		dns_dispatch_removerequest(&cli->resp, &ev);
 		INSIST(client_count > 0);
 		client_count--;
 		cnt = client_count;
@@ -318,14 +331,14 @@ got_request(isc_task_t *task, isc_event_t *ev_in)
 	result = dns_message_parse(msg, &ev->buffer, ISC_FALSE);
 	CHECKRESULT(result, "dns_message_parse() failed");
 
-	result = printmessage(msg);
-	CHECKRESULT(result, "printmessage() failed");
+	result = printmsg(msg, stderr);
+	CHECKRESULT(result, "printmsg() failed");
 
 	dns_message_destroy(&msg);
 
-	sleep (1);
 	cli->count++;
-	printf("App:  Client %p ready, count == %d.\n", cli, cli->count);
+	printf("App:  Client %p(%u) ready, count == %d.\n",
+	       cli, cli->client_number, cli->count);
 	switch (cli->count) {
 	case 4:
 		printf("--- starting DNS lookup\n");
@@ -337,11 +350,11 @@ got_request(isc_task_t *task, isc_event_t *ev_in)
 		
 	case 2:
 		printf("--- removing request\n");
-		dns_dispatch_removerequest(disp, &cli->resp, &ev);
+		dns_dispatch_removerequest(&cli->resp, &ev);
 		printf("--- adding request\n");
 		RUNTIME_CHECK(dns_dispatch_addrequest(disp, task, got_request,
 						      cli, &cli->resp)
-			      == DNS_R_SUCCESS);
+			      == ISC_R_SUCCESS);
 		break;
 
 	default:
@@ -351,14 +364,17 @@ got_request(isc_task_t *task, isc_event_t *ev_in)
 }
 
 int
-main(int argc, char *argv[])
-{
-	isc_socket_t *s0;
-	isc_sockaddr_t sockaddr;
+main(int argc, char *argv[]) {
+	isc_sockaddr_t sa;
 	unsigned int i;
+	unsigned int attrs;
+	isc_log_t *log;
+	isc_logconfig_t *lcfg;
+	isc_logdestination_t destination;
+	isc_result_t result;
 
-	(void)argc;
-	(void)argv;
+	UNUSED(argc);
+	UNUSED(argv);
 
 	RUNTIME_CHECK(isc_app_start() == ISC_R_SUCCESS);
 
@@ -370,85 +386,122 @@ main(int argc, char *argv[])
 
 	dns_result_register();
 
+	log = NULL;
+	lcfg = NULL;
+	RUNTIME_CHECK(isc_log_create(mctx, &log, &lcfg) == ISC_R_SUCCESS);
+	isc_log_setcontext(log);
+	dns_log_init(log);
+	dns_log_setcontext(log);
+	
+	destination.file.stream = stderr;
+	destination.file.name = NULL;
+	destination.file.versions = ISC_LOG_ROLLNEVER;
+	destination.file.maximum_size = 0;
+	result = isc_log_createchannel(lcfg, "_default",
+				       ISC_LOG_TOFILEDESC,
+				       ISC_LOG_DYNAMIC,
+				       &destination, ISC_LOG_PRINTTIME);
+	INSIST(result == ISC_R_SUCCESS);
+	result = isc_log_usechannel(lcfg, "_default", NULL, NULL);
+	INSIST(result == ISC_R_SUCCESS);
+
 	/*
-	 * The task manager is independent (other than memory context)
+	 * The task manager is independent (other than memory context).
 	 */
-	manager = NULL;
-	RUNTIME_CHECK(isc_taskmgr_create(mctx, 5, 0, &manager) ==
+	taskmgr = NULL;
+	RUNTIME_CHECK(isc_taskmgr_create(mctx, 5, 0, &taskmgr) ==
 		      ISC_R_SUCCESS);
 
+	isc_log_setdebuglevel(log, 99);
+
 	t0 = NULL;
-	RUNTIME_CHECK(isc_task_create(manager, NULL, 0, &t0) == ISC_R_SUCCESS);
-	t1 = NULL;
-	RUNTIME_CHECK(isc_task_create(manager, NULL, 0, &t1) == ISC_R_SUCCESS);
-	t2 = NULL;
-	RUNTIME_CHECK(isc_task_create(manager, NULL, 0, &t2) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &t0) == ISC_R_SUCCESS);
 
 	socketmgr = NULL;
 	RUNTIME_CHECK(isc_socketmgr_create(mctx, &socketmgr) == ISC_R_SUCCESS);
 
-	/*
-	 * Open up a random socket.  Who cares where.
-	 */
-	s0 = NULL;
-	memset(&sockaddr, 0, sizeof(sockaddr));
-	sockaddr.type.sin.sin_family = AF_INET;
-	sockaddr.type.sin.sin_port = htons(5555);
-	sockaddr.length = sizeof (struct sockaddr_in);
-	RUNTIME_CHECK(isc_socket_create(socketmgr, PF_INET,
-					isc_sockettype_udp, &s0) ==
-		      ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc_socket_bind(s0, &sockaddr) == ISC_R_SUCCESS);
+	dispatchmgr = NULL;
+	RUNTIME_CHECK(dns_dispatchmgr_create(mctx, &dispatchmgr)
+		      == ISC_R_SUCCESS);
+
+	isc_sockaddr_any(&sa);
+	isc_sockaddr_setport(&sa, 5356);
 
 	/*
-	 * Create a dispatch context
+	 * Get or create a dispatch context.
 	 */
+	attrs = 0;
+	attrs |= DNS_DISPATCHATTR_IPV4;
+	attrs |= DNS_DISPATCHATTR_UDP;
+	
 	disp = NULL;
-	RUNTIME_CHECK(dns_dispatch_create(mctx, s0, t0, 512, 6, 1024,
-					 17, 19, NULL, &disp)
+	RUNTIME_CHECK(dns_dispatch_getudp(dispatchmgr, socketmgr,
+					  taskmgr, &sa, 512, 6, 1024,
+					  17, 19, attrs, attrs, &disp)
 		      == ISC_R_SUCCESS);
+	INSIST(disp != NULL);
 
 	RUNTIME_CHECK(isc_mutex_init(&client_lock) == ISC_R_SUCCESS);
 	RUNTIME_CHECK(isc_mutex_lock(&client_lock) == ISC_R_SUCCESS);
+
+	memset(clients, 0, sizeof (clients));
+	for (i = 0 ; i < NCLIENTS ; i++)
+		clients[i].client_number = i;
+
 	for (i = 0 ; i < 2 ; i++) {
 		clients[i].count = 0;
 		clients[i].resp = NULL;
-		RUNTIME_CHECK(dns_dispatch_addrequest(disp, t1, got_request,
+		RUNTIME_CHECK(dns_dispatch_addrequest(disp, t0, got_request,
 						      &clients[i],
 						      &clients[i].resp)
 			      == ISC_R_SUCCESS);
+		INSIST(clients[i].resp != NULL);
+		fprintf(stderr, "Started client %i via addrequest\n", i);
 		client_count++;
 	}
 	RUNTIME_CHECK(isc_mutex_unlock(&client_lock) == ISC_R_SUCCESS);
 
+	isc_mem_stats(mctx, stderr);
+
 	isc_app_run();
 
 	fprintf(stderr, "canceling dispatcher\n");
+	isc_mem_stats(mctx, stderr);
+	sleep(2);
 	dns_dispatch_cancel(disp);
 
-	fprintf(stderr, "detaching from socket\n");
-	isc_socket_detach(&s0);
-
+	INSIST(disp != NULL);
 	fprintf(stderr, "detaching from dispatcher\n");
+	isc_mem_stats(mctx, stderr);
+	sleep(2);
 	dns_dispatch_detach(&disp);
 
+	fprintf(stderr, "destroying dispatch manager\n");
+	isc_mem_stats(mctx, stderr);
+	sleep(2);
+	dns_dispatchmgr_destroy(&dispatchmgr);
+
 	fprintf(stderr, "Destroying socket manager\n");
+	isc_mem_stats(mctx, stderr);
+	sleep(2);
 	isc_socketmgr_destroy(&socketmgr);
 
 	isc_task_shutdown(t0);
 	isc_task_detach(&t0);
-	isc_task_shutdown(t1);
-	isc_task_detach(&t1);
-	isc_task_shutdown(t2);
-	isc_task_detach(&t2);
 
 	fprintf(stderr, "Destroying task manager\n");
-	isc_taskmgr_destroy(&manager);
-
 	isc_mem_stats(mctx, stderr);
-	isc_mem_destroy(&mctx);
+	sleep(2);
+	isc_taskmgr_destroy(&taskmgr);
 
 	isc_app_finish();
 
+	isc_log_destroy(&log);
+	sleep(2);
+
+	isc_mem_stats(mctx, stderr);
+	fflush(stderr);
+	isc_mem_detach(&mctx);
+
 	return (0);
 }
diff --git a/bin/tests/dst/Makefile.in b/bin/tests/dst/Makefile.in
index 8715cb56..99c22120 100644
--- a/bin/tests/dst/Makefile.in
+++ b/bin/tests/dst/Makefile.in
@@ -24,11 +24,15 @@ CINCLUDES =	${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
 CDEFINES =
 CWARNINGS =
 
-DEPLIBS = 	../../../lib/dns/libdns.@A@ \
-		../../../lib/isc/libisc.@A@
+DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@
+ISCLIBS =	../../../lib/isc/libisc.@A@
 
-LIBS =		${DEPLIBS} \
-		@LIBS@
+DNSDEPLIBS =	../../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../../lib/isc/libisc.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
 
 TLIB =		../../../lib/tests/libt_api.@A@
 
diff --git a/bin/tests/dst/dst_2_data b/bin/tests/dst/dst_2_data
index a52c88f0..1b4e316d 100644
--- a/bin/tests/dst/dst_2_data
+++ b/bin/tests/dst/dst_2_data
@@ -4,13 +4,13 @@
 # format:
 #	datafile, sigpath, keyname, keyid, alg, exp_result
 #
-t2_data_1	t2_dsasig	test.	6204	DST_ALG_DSA	DNS_R_SUCCESS
-t2_data_1	t2_rsasig	test.	54622	DST_ALG_RSA	DNS_R_SUCCESS
+t2_data_1	t2_dsasig	test.	6204	DST_ALG_DSA	ISC_R_SUCCESS
+t2_data_1	t2_rsasig	test.	54622	DST_ALG_RSA	ISC_R_SUCCESS
 # wrong sig
-t2_data_1	t2_dsasig	test.	54622	DST_ALG_RSA	!DNS_R_SUCCESS
+t2_data_1	t2_dsasig	test.	54622	DST_ALG_RSA	!ISC_R_SUCCESS
 # wrong key
-#t2_data_1	t2_dsasig	test.	54622	DST_ALG_DSA	!DNS_R_SUCCESS
+#t2_data_1	t2_dsasig	test.	54622	DST_ALG_DSA	!ISC_R_SUCCESS
 # wrong alg
-#t2_data_1	t2_dsasig	test.	6204	DST_ALG_RSA	!DNS_R_SUCCESS
+#t2_data_1	t2_dsasig	test.	6204	DST_ALG_RSA	!ISC_R_SUCCESS
 # wrong data
-t2_data_2	t2_dsasig	test.	6204	DST_ALG_DSA	!DNS_R_SUCCESS
+t2_data_2	t2_dsasig	test.	6204	DST_ALG_DSA	!ISC_R_SUCCESS
diff --git a/bin/tests/dst/dst_test.c b/bin/tests/dst/dst_test.c
index cf5643eb..13e71fcd 100644
--- a/bin/tests/dst/dst_test.c
+++ b/bin/tests/dst/dst_test.c
@@ -17,19 +17,14 @@
 
 #include <config.h>
 
-#include <ctype.h>
-#include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 
 #include <unistd.h>		/* XXX */
 
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/boolean.h>
-#include <isc/region.h>
+#include <isc/buffer.h>
 #include <isc/mem.h>
-#include <isc/result.h>
+#include <isc/region.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
 
 #include <dns/result.h>
 
@@ -46,28 +41,63 @@ use(dst_key_t *key) {
 	isc_buffer_t databuf, sigbuf;
 	isc_region_t datareg, sigreg;
 
-	isc_buffer_init(&sigbuf, sig, sizeof(sig), ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&sigbuf, sig, sizeof(sig));
 	/* Advance 1 byte for fun */
 	isc_buffer_add(&sigbuf, 1);
 
-	isc_buffer_init(&databuf, data, strlen(data), ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&databuf, data, strlen(data));
 	isc_buffer_add(&databuf, strlen(data));
-	isc_buffer_used(&databuf, &datareg);
+	isc_buffer_usedregion(&databuf, &datareg);
 
-	ret = dst_sign(DST_SIGMODE_ALL, key, NULL, &datareg, &sigbuf);
+	ret = dst_key_sign(DST_SIGMODE_ALL, key, NULL, &datareg, &sigbuf);
 	printf("sign(%d) returned: %s\n", dst_key_alg(key),
 	       isc_result_totext(ret));
 
 	isc_buffer_forward(&sigbuf, 1);
-	isc_buffer_remaining(&sigbuf, &sigreg);
-	ret = dst_verify(DST_SIGMODE_ALL, key, NULL, &datareg, &sigreg);
+	isc_buffer_remainingregion(&sigbuf, &sigreg);
+	ret = dst_key_verify(DST_SIGMODE_ALL, key, NULL, &datareg, &sigreg);
 	printf("verify(%d) returned: %s\n", dst_key_alg(key),
 	       isc_result_totext(ret));
 }
 
 static void
+dns(dst_key_t *key, isc_mem_t *mctx) {
+	unsigned char buffer1[2048];
+	unsigned char buffer2[2048];
+	isc_buffer_t buf1, buf2;
+	isc_region_t r1, r2;
+	dst_key_t *newkey = NULL;
+	isc_result_t ret;
+	isc_boolean_t match;
+
+	isc_buffer_init(&buf1, buffer1, sizeof(buffer1));
+	ret = dst_key_todns(key, &buf1);
+	printf("todns(%d) returned: %s\n", dst_key_alg(key),
+	       isc_result_totext(ret));
+	if (ret != ISC_R_SUCCESS)
+		return;
+	ret = dst_key_fromdns(dst_key_name(key), &buf1, mctx, &newkey);
+	printf("fromdns(%d) returned: %s\n", dst_key_alg(key),
+	       isc_result_totext(ret));
+	if (ret != ISC_R_SUCCESS)
+		return;
+	isc_buffer_init(&buf2, buffer2, sizeof(buffer2));
+	ret = dst_key_todns(newkey, &buf2);
+	printf("todns2(%d) returned: %s\n", dst_key_alg(key),
+	       isc_result_totext(ret));
+	if (ret != ISC_R_SUCCESS)
+		return;
+	isc_buffer_usedregion(&buf1, &r1);
+	isc_buffer_usedregion(&buf2, &r2);
+	match = (r1.length == r2.length &&
+		 memcmp(r1.base, r2.base, r1.length) == 0);
+	printf("compare(%d): %s\n", dst_key_alg(key), match ? "true" : "false");
+	dst_key_free(&newkey);
+}
+
+static void
 io(char *name, int id, int alg, int type, isc_mem_t *mctx) {
-	dst_key_t *key;
+	dst_key_t *key = NULL;
 	isc_result_t ret;
 
 	chdir(current);
@@ -81,12 +111,13 @@ io(char *name, int id, int alg, int type, isc_mem_t *mctx) {
 	if (ret != 0)
 		return;
 	use(key);
-	dst_key_free(key);
+	dns(key, mctx);
+	dst_key_free(&key);
 }
 
 static void
 dh(char *name1, int id1, char *name2, int id2, isc_mem_t *mctx) {
-	dst_key_t *key1, *key2;
+	dst_key_t *key1 = NULL, *key2 = NULL;
 	isc_result_t ret;
 	isc_buffer_t b1, b2;
 	isc_region_t r1, r2;
@@ -114,20 +145,20 @@ dh(char *name1, int id1, char *name2, int id2, isc_mem_t *mctx) {
 	if (ret != 0)
 		return;
 
-	isc_buffer_init(&b1, array1, sizeof(array1), ISC_BUFFERTYPE_BINARY);
-	ret = dst_computesecret(key1, key2, &b1);
+	isc_buffer_init(&b1, array1, sizeof(array1));
+	ret = dst_key_computesecret(key1, key2, &b1);
 	printf("computesecret() returned: %s\n", isc_result_totext(ret));
 	if (ret != 0)
 		return;
 
-	isc_buffer_init(&b2, array2, sizeof(array2), ISC_BUFFERTYPE_BINARY);
-	ret = dst_computesecret(key2, key1, &b2);
+	isc_buffer_init(&b2, array2, sizeof(array2));
+	ret = dst_key_computesecret(key2, key1, &b2);
 	printf("computesecret() returned: %s\n", isc_result_totext(ret));
 	if (ret != 0)
 		return;
 
-	isc_buffer_used(&b1, &r1);
-	isc_buffer_used(&b2, &r2);
+	isc_buffer_usedregion(&b1, &r1);
+	isc_buffer_usedregion(&b2, &r2);
 
 	if (r1.length != r2.length || memcmp(r1.base, r2.base, r1.length) != 0)
 	{
@@ -142,14 +173,14 @@ dh(char *name1, int id1, char *name2, int id2, isc_mem_t *mctx) {
 			printf("%02x ", r2.base[i]);
 		printf("\n");
 	}
-	dst_key_free(key1);
-	dst_key_free(key2);
+	dst_key_free(&key1);
+	dst_key_free(&key2);
 }
 
 static void
 generate(int alg, isc_mem_t *mctx) {
 	isc_result_t ret;
-	dst_key_t *key;
+	dst_key_t *key = NULL;
 
 	ret = dst_key_generate("test.", alg, 512, 0, 0, 0, mctx, &key);
 	printf("generate(%d) returned: %s\n", alg, isc_result_totext(ret));
@@ -157,7 +188,7 @@ generate(int alg, isc_mem_t *mctx) {
 	if (alg != DST_ALG_DH)
 		use(key);
 
-	dst_key_free(key);
+	dst_key_free(&key);
 }
 
 static void
@@ -167,7 +198,7 @@ get_random() {
 	isc_result_t ret;
 	unsigned int i;
 
-	isc_buffer_init(&databuf, data, sizeof data, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&databuf, data, sizeof(data));
 	ret = dst_random_get(sizeof(data), &databuf);
 	printf("random() returned: %s\n", isc_result_totext(ret));
 	for (i = 0; i < sizeof data; i++)
@@ -206,5 +237,5 @@ main() {
 /*	isc_mem_stats(mctx, stdout);*/
 	isc_mem_destroy(&mctx);
 
-	exit(0);
+	return (0);
 }
diff --git a/bin/tests/dst/t_dst.c b/bin/tests/dst/t_dst.c
index 4afef3dc..68400b3f 100644
--- a/bin/tests/dst/t_dst.c
+++ b/bin/tests/dst/t_dst.c
@@ -17,37 +17,30 @@
 
 #include <config.h>
 
-#include <ctype.h>
-#include <sys/types.h>
+#include <sys/types.h>		/* Required for dirent.h */
+#include <sys/stat.h>
+
 #include <dirent.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
-#include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
-#include <sys/stat.h>
 
 #include <unistd.h>		/* XXX */
 
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/boolean.h>
-#include <isc/region.h>
+#include <isc/buffer.h>
 #include <isc/mem.h>
-#include <isc/result.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <dst/dst.h>
 #include <dst/result.h>
 
 #include <tests/t_api.h>
 
-static void	t1(void);
-
-static void	t2(void);
-
 /*
- * adapted from the original dst_test.c program
+ * Adapted from the original dst_test.c program.
  */
 
 static void
@@ -81,7 +74,6 @@ cleandir(char *path) {
 	return;
 }
 
-
 static void
 use(dst_key_t *key, isc_result_t exp_result, int *nfails) {
 
@@ -91,12 +83,12 @@ use(dst_key_t *key, isc_result_t exp_result, int *nfails) {
 	isc_buffer_t databuf, sigbuf;
 	isc_region_t datareg, sigreg;
 
-	isc_buffer_init(&sigbuf, sig, sizeof(sig), ISC_BUFFERTYPE_BINARY);
-	isc_buffer_init(&databuf, data, strlen(data), ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&sigbuf, sig, sizeof(sig));
+	isc_buffer_init(&databuf, data, strlen(data));
 	isc_buffer_add(&databuf, strlen(data));
-	isc_buffer_used(&databuf, &datareg);
+	isc_buffer_usedregion(&databuf, &datareg);
 
-	ret = dst_sign(DST_SIGMODE_ALL, key, NULL, &datareg, &sigbuf);
+	ret = dst_key_sign(DST_SIGMODE_ALL, key, NULL, &datareg, &sigbuf);
 	if (ret != exp_result) {
 		t_info("dst_sign(%d) returned (%s) expected (%s)\n",
 				dst_key_alg(key), dst_result_totext(ret),
@@ -106,8 +98,8 @@ use(dst_key_t *key, isc_result_t exp_result, int *nfails) {
 	}
 
 
-	isc_buffer_remaining(&sigbuf, &sigreg);
-	ret = dst_verify(DST_SIGMODE_ALL, key, NULL, &datareg, &sigreg);
+	isc_buffer_remainingregion(&sigbuf, &sigreg);
+	ret = dst_key_verify(DST_SIGMODE_ALL, key, NULL, &datareg, &sigreg);
 	if (ret != exp_result) {
 		t_info("dst_verify(%d) returned (%s) expected (%s)\n",
 				dst_key_alg(key), dst_result_totext(ret),
@@ -120,7 +112,7 @@ static void
 dh(char *name1, int id1, char *name2, int id2, isc_mem_t *mctx,
    isc_result_t exp_result, int *nfails, int *nprobs)
 {
-	dst_key_t	*key1, *key2;
+	dst_key_t	*key1 = NULL, *key2 = NULL;
 	isc_result_t	ret;
 	int		rval;
 	char		current[PATH_MAX + 1];
@@ -132,7 +124,7 @@ dh(char *name1, int id1, char *name2, int id2, isc_mem_t *mctx,
 	isc_buffer_t	b1, b2;
 	isc_region_t	r1, r2;
 
-	exp_result = exp_result; /* unused */
+	UNUSED(exp_result);
 
 	p = getcwd(current, PATH_MAX);;
 	if (p == NULL) {
@@ -204,8 +196,8 @@ dh(char *name1, int id1, char *name2, int id2, isc_mem_t *mctx,
 
 	cleandir(tmp);
 
-	isc_buffer_init(&b1, array1, sizeof(array1), ISC_BUFFERTYPE_BINARY);
-	ret = dst_computesecret(key1, key2, &b1);
+	isc_buffer_init(&b1, array1, sizeof(array1));
+	ret = dst_key_computesecret(key1, key2, &b1);
 	if (ret != 0) {
 		t_info("dst_computesecret() returned: %s\n",
 		       dst_result_totext(ret));
@@ -213,8 +205,8 @@ dh(char *name1, int id1, char *name2, int id2, isc_mem_t *mctx,
 		return;
 	}
 
-	isc_buffer_init(&b2, array2, sizeof(array2), ISC_BUFFERTYPE_BINARY);
-	ret = dst_computesecret(key2, key1, &b2);
+	isc_buffer_init(&b2, array2, sizeof(array2));
+	ret = dst_key_computesecret(key2, key1, &b2);
 	if (ret != 0) {
 		t_info("dst_computesecret() returned: %s\n",
 		       dst_result_totext(ret));
@@ -222,8 +214,8 @@ dh(char *name1, int id1, char *name2, int id2, isc_mem_t *mctx,
 		return;
 	}
 
-	isc_buffer_used(&b1, &r1);
-	isc_buffer_used(&b2, &r2);
+	isc_buffer_usedregion(&b1, &r1);
+	isc_buffer_usedregion(&b2, &r2);
 	if (r1.length != r2.length || memcmp(r1.base, r2.base, r1.length) != 0)
 	{
 		t_info("computed secrets don't match\n");
@@ -231,14 +223,15 @@ dh(char *name1, int id1, char *name2, int id2, isc_mem_t *mctx,
 		return;
 	}
 
-	dst_key_free(key1);
-	dst_key_free(key2);
+	dst_key_free(&key1);
+	dst_key_free(&key2);
 }
 
 static void
-io(char *name, int id, int alg, int type, isc_mem_t *mctx, isc_result_t exp_result,
-		int *nfails, int *nprobs) {
-	dst_key_t	*key;
+io(char *name, int id, int alg, int type, isc_mem_t *mctx,
+   isc_result_t exp_result, int *nfails, int *nprobs)
+{
+	dst_key_t	*key = NULL;
 	isc_result_t	ret;
 	int		rval;
 	char		current[PATH_MAX + 1];
@@ -299,24 +292,25 @@ io(char *name, int id, int alg, int type, isc_mem_t *mctx, isc_result_t exp_resu
 
 	cleandir(tmp);
 
-	dst_key_free(key);
+	dst_key_free(&key);
 }
 
 static void
 generate(int alg, isc_mem_t *mctx, int size, int *nfails) {
 	isc_result_t ret;
-	dst_key_t *key;
+	dst_key_t *key = NULL;
 
 	ret = dst_key_generate("test.", alg, size, 0, 0, 0, mctx, &key);
 	if (ret != ISC_R_SUCCESS) {
-		t_info("dst_key_generate(%d) returned: %s\n", alg, dst_result_totext(ret));
+		t_info("dst_key_generate(%d) returned: %s\n", alg,
+		       dst_result_totext(ret));
 		++*nfails;
 		return;
 	}
 
 	if (alg != DST_ALG_DH)
 		use(key, ISC_R_SUCCESS, nfails);
-	dst_key_free(key);
+	dst_key_free(&key);
 }
 
 #define	DBUFSIZ	25
@@ -330,7 +324,7 @@ get_random(int *nfails) {
 	isc_result_t ret;
 	unsigned int i;
 
-	isc_buffer_init(&databuf1, data1, sizeof(data1), ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&databuf1, data1, sizeof(data1));
 	ret = dst_random_get(sizeof(data1), &databuf1);
 	if (ret != ISC_R_SUCCESS) {
 		t_info("random() returned: %s\n", dst_result_totext(ret));
@@ -338,7 +332,7 @@ get_random(int *nfails) {
 		return;
 	}
 
-	isc_buffer_init(&databuf2, data2, sizeof(data2), ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&databuf2, data2, sizeof(data2));
 	ret = dst_random_get(sizeof(data2), &databuf2);
 	if (ret != ISC_R_SUCCESS) {
 		t_info("random() returned: %s\n", dst_result_totext(ret));
@@ -367,7 +361,7 @@ static char	*a1 =
 		"compute Diffie-Hellman shared secrets, "
 		"and generate random number sequences.";
 static void
-t1() {
+t1(void) {
 	isc_mem_t	*mctx;
 	int		nfails;
 	int		nprobs;
@@ -381,19 +375,23 @@ t1() {
 	mctx = NULL;
 	isc_result = isc_mem_create(0, 0, &mctx);
 	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_mem_create failed %d\n", isc_result_totext(isc_result));
+		t_info("isc_mem_create failed %d\n",
+		       isc_result_totext(isc_result));
 		t_result(T_UNRESOLVED);
 		return;
 	}
 
-	t_info("testing use of stored keys\n");
+	t_info("testing use of stored keys [1]\n");
 	io("test.", 6204, DST_ALG_DSA, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC,
 			mctx, ISC_R_SUCCESS, &nfails, &nprobs);
+	t_info("testing use of stored keys [2]\n");
 	io("test.", 54622, DST_ALG_RSA, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC,
 			mctx, ISC_R_SUCCESS, &nfails, &nprobs);
 
+	t_info("testing use of stored keys [3]\n");
 	io("test.", 0, DST_ALG_DSA, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC,
 			mctx, DST_R_NULLKEY, &nfails, &nprobs);
+	t_info("testing use of stored keys [4]\n");
 	io("test.", 0, DST_ALG_RSA, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC,
 			mctx, DST_R_NULLKEY, &nfails, &nprobs);
 
@@ -426,7 +424,9 @@ t1() {
 
 #ifdef	NEWSIG
 
-/* write a sig in buf to file at path */
+/*
+ * Write a sig in buf to file at path.
+ */
 static int
 sig_tofile(char *path, isc_buffer_t *buf) {
 	int		rval;
@@ -441,7 +441,8 @@ sig_tofile(char *path, isc_buffer_t *buf) {
 	nprobs = 0;
 	len = buf->used - buf->current;
 
-	t_info("buf: current %d used %d len %d\n", buf->current, buf->used, len);
+	t_info("buf: current %d used %d len %d\n",
+	       buf->current, buf->used, len);
 
 	fd = open(path, O_CREAT|O_TRUNC|O_WRONLY, S_IRWXU|S_IRWXO|S_IRWXG);
 	if (fd < 0) {
@@ -497,7 +498,9 @@ sig_tofile(char *path, isc_buffer_t *buf) {
 
 #endif	/* NEWSIG */
 
-/* read sig in file at path to buf */
+/*
+ * Read sig in file at path to buf.
+ */
 static int
 sig_fromfile(char *path, isc_buffer_t *iscbuf) {
 	int		rval;
@@ -571,18 +574,17 @@ sig_fromfile(char *path, isc_buffer_t *iscbuf) {
 	return(0);
 }
 
-
 static void
 t2_sigchk(char *datapath, char *sigpath, char *keyname,
 		int id, int alg, int type,
 		isc_mem_t *mctx, char *expected_result,
-		int *nfails, int *nprobs) {
-
+		int *nfails, int *nprobs)
+{
 	int		rval;
 	int		len;
 	int		fd;
 	int		exp_res;
-	dst_key_t	*key;
+	dst_key_t	*key = NULL;
 	unsigned char	sig[T_SIGMAX];
 	unsigned char	*p;
 	unsigned char	*data;
@@ -593,7 +595,9 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
 	isc_region_t	datareg;
 	isc_region_t	sigreg;
 
-	/* read data from file in a form usable by dst_verify */
+	/*
+	 * Read data from file in a form usable by dst_verify.
+	 */
 	rval = stat(datapath, &sb);
 	if (rval != 0) {
 		t_info("t2_sigchk: stat (%s) failed %d\n", datapath, errno);
@@ -627,7 +631,9 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
 	} while (len);
 	(void) close(fd);
 
-	/* read key from file in a form usable by dst_verify */
+	/*
+	 * Read key from file in a form usable by dst_verify.
+	 */
 	isc_result = dst_key_fromfile(keyname, id, alg, type, mctx, &key);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("dst_key_fromfile failed %s\n",
@@ -637,25 +643,26 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
 		return;
 	}
 
-	isc_buffer_init(&databuf, data, sb.st_size, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&databuf, data, sb.st_size);
 	isc_buffer_add(&databuf, sb.st_size);
-	isc_buffer_used(&databuf, &datareg);
+	isc_buffer_usedregion(&databuf, &datareg);
 
 #ifdef	NEWSIG
 
 	/*
-	 * if we're generating a signature for the first time,
+	 * If we're generating a signature for the first time,
 	 * sign the data and save the signature to a file
 	 */
 
 	memset(sig, 0, sizeof(sig));
-	isc_buffer_init(&sigbuf, sig, sizeof(sig), ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&sigbuf, sig, sizeof(sig));
 
 	isc_result = dst_sign(DST_SIGMODE_ALL, key, NULL, &datareg, &sigbuf);
 	if (isc_result != ISC_R_SUCCESS) {
-		t_info("dst_sign(%d) failed %s\n", dst_result_totext(isc_result));
+		t_info("dst_sign(%d) failed %s\n",
+		       dst_result_totext(isc_result));
 		(void) free(data);
-		(void) dst_key_free(key);
+		dst_key_free(&key);
 		++*nprobs;
 		return;
 	}
@@ -665,33 +672,38 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
 		t_info("sig_tofile failed\n");
 		++*nprobs;
 		(void) free(data);
-		(void) dst_key_free(key);
+		dst_key_free(&key);
 		return;
 	}
 
 #endif	/* NEWSIG */
 
 	memset(sig, 0, sizeof(sig));
-	isc_buffer_init(&sigbuf, sig, sizeof(sig), ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&sigbuf, sig, sizeof(sig));
 
-	/* read precomputed signature from file in a form usable by dst_verify */
+	/*
+	 * Read precomputed signature from file in a form usable by dst_verify.
+	 */
 	rval = sig_fromfile(sigpath, &sigbuf);
 	if (rval != 0) {
 		t_info("sig_fromfile failed\n");
 		(void) free(data);
-		(void) dst_key_free(key);
+		dst_key_free(&key);
 		++*nprobs;
 		return;
 	}
 
-	/* verify that the key signed the data */
-	isc_buffer_remaining(&sigbuf, &sigreg);
+	/*
+	 * Verify that the key signed the data.
+	 */
+	isc_buffer_remainingregion(&sigbuf, &sigreg);
 
 	exp_res = 0;
 	if (strstr(expected_result, "!"))
 		exp_res = 1;
 
-	isc_result = dst_verify(DST_SIGMODE_ALL, key, NULL, &datareg, &sigreg);
+	isc_result = dst_key_verify(DST_SIGMODE_ALL, key, NULL, &datareg,
+				    &sigreg);
 	if (	((exp_res == 0) && (isc_result != ISC_R_SUCCESS))	||
 		((exp_res != 0) && (isc_result == ISC_R_SUCCESS)))	{
 
@@ -702,22 +714,23 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
 	}
 
 	(void) free(data);
-	(void) dst_key_free(key);
+	dst_key_free(&key);
 	return;
 }
 
 /*
- * the astute observer will note that t1() signs then verifies data
+ * The astute observer will note that t1() signs then verifies data
  * during the test but that t2() verifies data that has been
  * signed at some earlier time, possibly with an entire different
  * version or implementation of the DSA and RSA algorithms
  */
-
 static char	*a2 =
 		"the dst module provides the capability to "
 		"verify data signed with the RSA and DSA algorithms";
 
-/* av ==  datafile, sigpath, keyname, keyid, alg, exp_result */
+/*
+ * av ==  datafile, sigpath, keyname, keyid, alg, exp_result.
+ */
 static int
 t2_vfy(char **av) {
 	char		*datapath;
@@ -756,7 +769,8 @@ t2_vfy(char **av) {
 	mctx = NULL;
 	isc_result = isc_mem_create(0, 0, &mctx);
 	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_mem_create failed %d\n", isc_result_totext(isc_result));
+		t_info("isc_mem_create failed %d\n",
+		       isc_result_totext(isc_result));
 		return(T_UNRESOLVED);
 	}
 
@@ -774,12 +788,12 @@ t2_vfy(char **av) {
 		result = T_FAIL;
 	else if ((nfails == 0) && (nprobs == 0))
 		result = T_PASS;
-	return(result);
 
+	return(result);
 }
 
 static void
-t2() {
+t2(void) {
 	int	result;
 	t_assert("dst", 2, T_REQUIRED, a2);
 	result = t_eval("dst_2_data", t2_vfy, 6);
diff --git a/bin/tests/gxba_test.c b/bin/tests/gxba_test.c
index 33306956..8fc36a1a 100644
--- a/bin/tests/gxba_test.c
+++ b/bin/tests/gxba_test.c
@@ -14,10 +14,9 @@
  * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
  * SOFTWARE.
  */
+#include <config.h>
 
 #include <stdio.h>
-#include <stdlib.h>
-#include <sys/socket.h>
 
 #include <isc/net.h>
 
diff --git a/bin/tests/gxbn_test.c b/bin/tests/gxbn_test.c
index 0a004101..db7c422f 100644
--- a/bin/tests/gxbn_test.c
+++ b/bin/tests/gxbn_test.c
@@ -15,9 +15,9 @@
  * SOFTWARE.
  */
 
+#include <config.h>
+
 #include <stdio.h>
-#include <stdlib.h>
-#include <sys/socket.h>
 
 #include <isc/net.h>
 
diff --git a/bin/tests/headerdep_test.sh.in b/bin/tests/headerdep_test.sh.in
new file mode 100644
index 00000000..6ee51124
--- /dev/null
+++ b/bin/tests/headerdep_test.sh.in
@@ -0,0 +1,55 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+#
+# Check the installed bind9 headers to make sure that no header
+# depends on another header having been included first.
+#
+
+prefix=@prefix@
+tmp=/tmp/thdr$$.tmp
+
+status=0
+
+echo "Checking for header interdependencies..."
+
+# Make a list of header files.
+(cd $prefix/include; find . -name '*.h' -print | sed 's!^./!!') > $tmp
+
+# Check each header.
+while read h
+do
+    echo " - <$h>"
+
+    # Build a test program.
+    cat <<EOF >test.c
+#include <$h>
+EOF
+
+    # Compile the test program.
+    if 
+       gcc @STD_CWARNINGS@ @STD_CINCLUDES@ -I$prefix/include -c test.c 2>&1
+    then
+       :
+    else
+       status=1
+    fi
+done <$tmp
+
+rm -f test.c test.o $tmp
+
+exit $status
diff --git a/bin/tests/inter_test.c b/bin/tests/inter_test.c
index 23a9242a..95fb25f4 100644
--- a/bin/tests/inter_test.c
+++ b/bin/tests/inter_test.c
@@ -15,12 +15,12 @@
  * SOFTWARE.
  */
 
+#include <config.h>
+
 #include <stdlib.h>
 
-#include <isc/assertions.h>
 #include <isc/interfaceiter.h>
 #include <isc/mem.h>
-#include <isc/result.h>
 #include <isc/util.h>
 
 int
@@ -50,16 +50,19 @@ main(int argc, char **argv) {
 		fprintf(stdout, "%s %d %x\n", ifdata.name, ifdata.af,
 			ifdata.flags);
 		INSIST(ifdata.af == AF_INET || ifdata.af == AF_INET6);
-		res = inet_ntop(ifdata.af, &ifdata.address.type, buf, sizeof buf);
+		res = inet_ntop(ifdata.af, &ifdata.address.type, buf,
+				sizeof(buf));
 		fprintf(stdout, "address = %s\n", res == NULL ? "BAD" : res);
 		INSIST(ifdata.address.family == ifdata.af);
-		res = inet_ntop(ifdata.af, &ifdata.netmask.type, buf, sizeof buf);
+		res = inet_ntop(ifdata.af, &ifdata.netmask.type, buf,
+				sizeof(buf));
 		fprintf(stdout, "netmask = %s\n", res == NULL ? "BAD" : res);
 		INSIST(ifdata.netmask.family == ifdata.af);
 		if ((ifdata.flags & INTERFACE_F_POINTTOPOINT) != 0) {
 			res = inet_ntop(ifdata.af, &ifdata.dstaddress.type,
-					 buf, sizeof buf);
-			fprintf(stdout, "dstaddress = %s\n", res == NULL ? "BAD" : res);
+					 buf, sizeof(buf));
+			fprintf(stdout, "dstaddress = %s\n",
+				res == NULL ? "BAD" : res);
 
 			INSIST(ifdata.dstaddress.family == ifdata.af);
 		}
@@ -73,5 +76,6 @@ main(int argc, char **argv) {
 	isc_interfaceiter_destroy(&iter);
  cleanup:
 	isc_mem_destroy(&mctx);
-	exit(0);
+
+	return (0);
 }
diff --git a/bin/tests/keygen.c b/bin/tests/keygen.c
deleted file mode 100644
index da20cce5..00000000
--- a/bin/tests/keygen.c
+++ /dev/null
@@ -1,301 +0,0 @@
-/*
- * Portions Copyright (c) 1995-1999 by TISLabs at Network Associates, Inc.
- *
- * Permission to use, copy modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND NETWORK ASSOCIATES
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL
- * TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
- */
-
-/* $Id: keygen.c,v 1.10 2000/03/23 19:03:32 bwelling Exp $ */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <ctype.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/boolean.h>
-#include <isc/commandline.h>
-#include <isc/error.h>
-#include <isc/mem.h>
-#include <isc/result.h>
-#include <dns/keyvalues.h>
-#include <dst/dst.h>
-#include <dst/result.h>
-
-static isc_boolean_t dsa_size_ok(int size);
-static void die(char *str);
-static void usage(char *prog);
-
-int
-main(int argc, char **argv) {
-	char		*prog;
-	dst_key_t	*key;
-	char		*name = NULL, *zonefile = NULL;
-	isc_uint16_t	flags = 0;
-	int		alg = -1;
-	isc_mem_t	*mctx = NULL;
-	int		ch, rsa_exp = 0, generator = 0, param = 0;
-	int		protocol = -1, size = -1;
-	isc_result_t	ret;
-
-	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-
-	if ((prog = strrchr(argv[0],'/')) == NULL)
-		prog = strdup(argv[0]);
-	else
-		prog = strdup(++prog);
-
-	while ((ch = isc_commandline_parse(argc, argv,
-					   "achiuzn:s:p:D:H:R:d:Fg:")) != -1) {
-	    switch (ch) {
-		case 'a':
-			flags |= DNS_KEYTYPE_NOAUTH;
-			break;
-		case 'c':
-			flags |= DNS_KEYTYPE_NOCONF;
-			break;
-		case 'F':
-			rsa_exp=1;
-			break;
-		case 'g':
-			if (isc_commandline_argument != NULL &&
-			    isdigit(isc_commandline_argument[0] & 0xff)) {
-				generator = atoi(isc_commandline_argument);
-				if (generator < 0)
-					die("-g value is not positive");
-			}
-			else
-				die("-g not followed by a number");
-			break;
-		case 'p':
-			if (isc_commandline_argument != NULL &&
-			    isdigit(isc_commandline_argument[0] & 0xff)) {
-				protocol = atoi(isc_commandline_argument);
-				if (protocol < 0 || protocol > 255)
-					die("-p value is not [0..15]");
-			}
-			else
-				die("-p not followed by a number [0..255]");
-			break;
-		case 's':
-			/* Default: not signatory key */
-			if (isc_commandline_argument != NULL &&
-			    isdigit(isc_commandline_argument[0] & 0xff)) {
-				int sign_val = atoi(isc_commandline_argument);
-				if (sign_val < 0 || sign_val > 15)
-					die("-s value is not [0..15] ");
-				flags |= sign_val;
-			}
-			else
-				die("-s not followed by a number [0..15] ");
-			break;
-		case 'h':
-			if ((flags & DNS_KEYFLAG_OWNERMASK) != 0)
-				die("Only one key type can be specified");
-			flags |= DNS_KEYOWNER_ENTITY;
-			break;
-		case 'u' :
-			if ((flags & DNS_KEYFLAG_OWNERMASK) != 0)
-				die("Only one key type can be specified");
-			flags |= DNS_KEYOWNER_USER;
-			break ;
-		case 'z':
-			if ((flags & DNS_KEYFLAG_OWNERMASK) != 0)
-				die("Only one key type can be specified");
-			flags |= DNS_KEYOWNER_ZONE;
-			break;
-		case 'H':
-			if (alg > 0) 
-				die("Only one alg can be specified");
-			if (isc_commandline_argument != NULL &&
-			    isdigit(isc_commandline_argument[0] & 0xff))
-				size = atoi(isc_commandline_argument);
-			else
-				die("-H requires a size");
-			alg = DST_ALG_HMACMD5;
-			break;
-		case 'R':
-			if (alg > 0) 
-				die("Only one alg can be specified");
-			if (isc_commandline_argument != NULL &&
-			    isdigit(isc_commandline_argument[0] & 0xff))
-				size = atoi(isc_commandline_argument);
-			else
-				die("-R requires a size");
-			alg = DNS_KEYALG_RSA;
-			break;
-		case 'D':
-			if (alg > 0) 
-				die("Only one alg can be specified");
-			if (isc_commandline_argument != NULL &&
-			    isdigit(isc_commandline_argument[0] & 0xff))
-				size = atoi(isc_commandline_argument);
-			else
-				die("-D requires a size");
-			alg = DNS_KEYALG_DSA;
-			break;
-		case 'd':
-			if (alg > 0) 
-				die("Only one alg can be specified");
-			if (isc_commandline_argument != NULL &&
-			    isdigit(isc_commandline_argument[0] & 0xff))
-				size = atoi(isc_commandline_argument);
-			else
-				die("-d requires a size");
-			alg = DNS_KEYALG_DH;
-			break;
-		default:
-			printf("invalid argument -%c\n", ch);
-			usage(prog);
-		} 
-	}
-
-	if (isc_commandline_index == argc)
-		usage(prog);
-
-	if (alg < 0)
-		die("No algorithm specified");
-	if (dst_supported_algorithm(alg) == ISC_FALSE)
-		die("Unsupported algorithm");
-
-	if (protocol == -1) {
-		if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_USER)
-			protocol = DNS_KEYPROTO_EMAIL;
-		else
-			protocol = DNS_KEYPROTO_DNSSEC;
-	}
-
-	if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
-		if (size > 0)
-			die("Specified null key with non-zero size");
-		if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0)
-			die("Specified null key with signing authority");
-	}
-		
-	if (size > 0) {
-		if (alg == DNS_KEYALG_RSA) {
-			if (size < 512 || size > 4096)
-				die("RSA key size out of range");
-		}
-		else if (rsa_exp != 0)
-			die("-F can only be specified with -R");
-
-		if (alg == DNS_KEYALG_DH) {
-			if (size < 16 || size > 4096)
-				die("DH key size out of range");
-		}
-		else if (generator != 0)
-			die("-g can only be specified with -d");
-
-		if (alg == DNS_KEYALG_DSA && !dsa_size_ok(size))
-			die("Invalid DSS key size");
-	}
-	else if (size < 0)
-		die("No key size specified");
-
-	name = argv[isc_commandline_index++];
-	if (argc > isc_commandline_index)
-		zonefile = argv[isc_commandline_index];
-	if (name[strlen(name) - 1] != '.' && alg != DST_ALG_HMACMD5) {
-		name = isc_mem_get(mctx, strlen(name) + 2);
-		sprintf(name, "%s.", argv[isc_commandline_index - 1]);
-		printf("** Added a trailing dot to the name to make it"
-			" fully qualified **\n");
-	}
-
-	printf("Generating %d bit ", size);
-	switch(alg) {
-		case DNS_KEYALG_RSA:
-			printf("RSA");
-			param = rsa_exp;
-			break;
-		case DNS_KEYALG_DH:
-			printf("DH");
-			param = generator;
-			break;
-		case DNS_KEYALG_DSA:
-			printf("DSS");
-			param = 0;
-			break;
-		case DST_ALG_HMACMD5:
-			printf("HMAC-MD5");
-			param = 0;
-			break;
-		default:
-			die("Unknown algorithm");
-	}
-	printf(" key for %s\n\n", name);
-
-	dst_result_register();
-	ret = dst_key_generate(name, alg, size, param, flags, protocol, mctx,
-			       &key);
-
-	if (ret != ISC_R_SUCCESS) {
-		printf("Failed generating key %s\n", name);
-		exit(-1);
-	}
-
-	ret = dst_key_tofile(key, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE);
-	if (ret != ISC_R_SUCCESS) {
-		printf("Failed to write key %s(%d)\n", name, dst_key_id(key));
-		exit(-1); 
-	}
-
-	printf("Generated %d bit key %s: id=%d alg=%d flags=%d\n\n", size,
-	       name, dst_key_id(key), dst_key_alg(key), dst_key_flags(key));
-
-	exit(0);
-}
-
-static isc_boolean_t
-dsa_size_ok(int size) {
-	return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
-}
-
-static void
-die(char *str) {
-	printf("%s\n", str);
-	exit(-1);
-}
-
-static void
-usage(char *prog) {
-	printf("Usage:\n\t");
-	printf ("%s <-D|-H|-R|-d> <size> [-F] [-g n] [-z|-h|-u] [-a] [-c] "
-		" [-p n] [-s n] name [zonefile] \n\n", prog);
-	printf("\t-D generate DSA/DSS key: size must be in the range\n");
-	printf("\t\t[512..1024] and a multiple of 64\n");
-	printf("\t-H generate HMAC-MD5 key: size in the range [1..512]\n");
-	printf("\t-R generate RSA key: size in the range [512..4096]\n");
-	printf("\t-d generate DH key in the range [16..4096]\n");
-	printf("\t-F use large exponent (RSA only)\n");
-	printf("\t-g use specified generator (DH only)\n");
-
-	printf("\t-z Zone key \n");
-	printf("\t-h Host/Entity key \n");
-	printf("\t-u User key (default) \n");
-
-	printf("\t-a Key CANNOT be used for authentication\n");
-	printf("\t-c Key CANNOT be used for encryption\n");
-
-	printf("\t-p Set protocol field to <n>\n");
-	printf("\t\t default: 2 (email) for User keys, 3 (dnssec) for all others\n");
-	printf("\t-s Strength value this key signs DNS records with\n");
-	printf("\t\t default: 0\n");
-	printf("\tname: the owner of the key\n");
-
-	exit (-1);
-}
-
-
diff --git a/bin/tests/lex_test.c b/bin/tests/lex_test.c
index 2f277a9f..f74c811b 100644
--- a/bin/tests/lex_test.c
+++ b/bin/tests/lex_test.c
@@ -17,14 +17,10 @@
 
 #include <config.h>
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/assertions.h>
 #include <isc/commandline.h>
-#include <isc/error.h>
 #include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/util.h>
 
 isc_mem_t *mctx;
 isc_lex_t *lex;
diff --git a/bin/tests/lfsr_test.c b/bin/tests/lfsr_test.c
index be3da72c..02317a3a 100644
--- a/bin/tests/lfsr_test.c
+++ b/bin/tests/lfsr_test.c
@@ -15,18 +15,17 @@
  * SOFTWARE.
  */
 
+#include <config.h>
+
 #include <stdio.h>
 
-#include <isc/assertions.h>
-#include <isc/types.h>
 #include <isc/lfsr.h>
 #include <isc/util.h>
 
 isc_uint32_t state[1024 * 64];
 
 int
-main(int argc, char **argv)
-{
+main(int argc, char **argv) {
 	isc_lfsr_t lfsr1, lfsr2;
 	int i;
 	isc_uint32_t temp;
@@ -46,7 +45,8 @@ main(int argc, char **argv)
 	for (i = 0 ; i < 32 ; i++) {
 		isc_lfsr_generate(&lfsr1, &temp, 4);
 		if (state[i] != temp)
-			printf("lfsr1:  state[%2d] = %08x, but new state is %08x\n",
+			printf("lfsr1:  state[%2d] = %08x, "
+			       "but new state is %08x\n",
 			       i, state[i], temp);
 	}
 
@@ -64,7 +64,8 @@ main(int argc, char **argv)
 		isc_lfsr_generate(&lfsr1, &temp, 4);
 		isc_lfsr_skip(&lfsr1, 32);
 		if (state[i] != temp)
-			printf("lfsr1:  state[%2d] = %08x, but new state is %08x\n",
+			printf("lfsr1:  state[%2d] = %08x, "
+			       "but new state is %08x\n",
 			       i, state[i], temp);
 	}
 
@@ -82,10 +83,10 @@ main(int argc, char **argv)
 	for (i = 0 ; i < 32 ; i++) {
 		isc_lfsr_generate(&lfsr2, &temp, 4);
 		if (state[i] != temp)
-			printf("lfsr2:  state[%2d] = %08x, but new state is %08x\n",
+			printf("lfsr2:  state[%2d] = %08x, "
+			       "but new state is %08x\n",
 			       i, state[i], temp);
 	}
 
-
 	return (0);
 }
diff --git a/bin/tests/log_test.c b/bin/tests/log_test.c
index 4a544009..cc35e4c9 100644
--- a/bin/tests/log_test.c
+++ b/bin/tests/log_test.c
@@ -15,22 +15,20 @@
  * SOFTWARE.
  */
 
-/* $Id: log_test.c,v 1.11 2000/03/04 03:05:17 tale Exp $ */
+/* $Id: log_test.c,v 1.16 2000/05/16 03:33:51 tale Exp $ */
 
 /* Principal Authors: DCL */
 
+#include <config.h>
+
 #include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
 #include <unistd.h>
 
 #include <isc/commandline.h>
 #include <isc/mem.h>
-#include <isc/log.h>
-#include <isc/result.h>
+#include <isc/string.h>
 
 #include <dns/log.h>
-#include <dns/result.h>
 
 #define TEST_FILE "/tmp/test_log"
 #define SYSLOG_FILE "/var/log/daemon.log"
@@ -38,7 +36,7 @@
 
 char usage[] = "Usage: %s [-m] [-s syslog_logfile] [-r file_versions]\n";
 
-#define CHECK_ISC(expr) result = expr; \
+#define CHECK(expr) result = expr; \
 	if (result != ISC_R_SUCCESS) { \
 		fprintf(stderr, "%s: " #expr "%s: exiting\n", \
 			progname, isc_result_totext(result)); \
@@ -115,23 +113,28 @@ main (int argc, char **argv) {
 	mctx = NULL;
 	lctx = NULL;
 
-	CHECK_ISC(isc_mem_create(0, 0, &mctx));
-	CHECK_ISC(isc_log_create(mctx, &lctx, &lcfg));
+	CHECK(isc_mem_create(0, 0, &mctx));
+	CHECK(isc_log_create(mctx, &lctx, &lcfg));
+
+	isc_log_settag(lcfg, progname);
 
+	isc_log_setcontext(lctx);
 	dns_log_init(lctx);
+	dns_log_setcontext(lctx);
 
 	/*
 	 * Test isc_log_categorybyname and isc_log_modulebyname.
 	 */
-	category = isc_log_categorybyname(lctx, "dns_parser");
+	category = isc_log_categorybyname(lctx, "xfer-in");
 	if (category != NULL)
-		fprintf(stderr, "%s category found.\n", category->name);
+		fprintf(stderr, "%s category found. (expected)\n",
+			category->name);
 	else
-		fprintf(stderr, "dns_parser category not found!\n");
+		fprintf(stderr, "xfer-in category not found!\n");
 
 	module = isc_log_modulebyname(lctx, "xyzzy");
 	if (module != NULL)
-		fprintf(stderr, "%s module found! (error)\n", module->name);
+		fprintf(stderr, "%s module found!\n", module->name);
 	else
 		fprintf(stderr, "xyzzy module not found. (expected)\n");
 
@@ -144,50 +147,51 @@ main (int argc, char **argv) {
 	destination.file.maximum_size = 1;
 	destination.file.versions = file_versions;
 
-	CHECK_ISC(isc_log_createchannel(lcfg, "file_test", ISC_LOG_TOFILE,
-					ISC_LOG_INFO, &destination,
-					ISC_LOG_PRINTTIME|
-					ISC_LOG_PRINTLEVEL|
-					ISC_LOG_PRINTCATEGORY|
-					ISC_LOG_PRINTMODULE));
+	CHECK(isc_log_createchannel(lcfg, "file_test", ISC_LOG_TOFILE,
+				    ISC_LOG_INFO, &destination,
+				    ISC_LOG_PRINTTIME|
+				    ISC_LOG_PRINTTAG|
+				    ISC_LOG_PRINTLEVEL|
+				    ISC_LOG_PRINTCATEGORY|
+				    ISC_LOG_PRINTMODULE));
 
 	/*
 	 * Create a dynamic debugging channel to a file descriptor.
 	 */
 	destination.file.stream = stderr;
 
-	CHECK_ISC(isc_log_createchannel(lcfg, "debug_test", ISC_LOG_TOFILEDESC,
-					ISC_LOG_DYNAMIC, &destination,
-					ISC_LOG_PRINTTIME|
-					ISC_LOG_PRINTLEVEL|
-					ISC_LOG_DEBUGONLY));
+	CHECK(isc_log_createchannel(lcfg, "debug_test", ISC_LOG_TOFILEDESC,
+				    ISC_LOG_DYNAMIC, &destination,
+				    ISC_LOG_PRINTTIME|
+				    ISC_LOG_PRINTLEVEL|
+				    ISC_LOG_DEBUGONLY));
 
 	/*
 	 * Test the usability of the four predefined logging channels.
 	 */
-	CHECK_ISC(isc_log_usechannel(lcfg, "default_syslog",
-				     DNS_LOGCATEGORY_DATABASE,
-				     DNS_LOGMODULE_CACHE));
-	CHECK_ISC(isc_log_usechannel(lcfg, "default_stderr",
-				     DNS_LOGCATEGORY_DATABASE,
-				     DNS_LOGMODULE_CACHE));
-	CHECK_ISC(isc_log_usechannel(lcfg, "default_debug",
-				     DNS_LOGCATEGORY_DATABASE,
-				     DNS_LOGMODULE_CACHE));
-	CHECK_ISC(isc_log_usechannel(lcfg, "null",
-				     DNS_LOGCATEGORY_DATABASE,
-				     NULL));
+	CHECK(isc_log_usechannel(lcfg, "default_syslog",
+				 DNS_LOGCATEGORY_DATABASE,
+				 DNS_LOGMODULE_CACHE));
+	CHECK(isc_log_usechannel(lcfg, "default_stderr",
+				 DNS_LOGCATEGORY_DATABASE,
+				 DNS_LOGMODULE_CACHE));
+	CHECK(isc_log_usechannel(lcfg, "default_debug",
+				 DNS_LOGCATEGORY_DATABASE,
+				 DNS_LOGMODULE_CACHE));
+	CHECK(isc_log_usechannel(lcfg, "null",
+				 DNS_LOGCATEGORY_DATABASE,
+				 NULL));
 
 	/*
 	 * Use the custom channels.
 	 */
-	CHECK_ISC(isc_log_usechannel(lcfg, "file_test",
-				     DNS_LOGCATEGORY_GENERAL,
-				     DNS_LOGMODULE_DB));
+	CHECK(isc_log_usechannel(lcfg, "file_test",
+				 DNS_LOGCATEGORY_GENERAL,
+				 DNS_LOGMODULE_DB));
 
-	CHECK_ISC(isc_log_usechannel(lcfg, "debug_test",
-				     DNS_LOGCATEGORY_GENERAL,
-				     DNS_LOGMODULE_RBTDB));
+	CHECK(isc_log_usechannel(lcfg, "debug_test",
+				 DNS_LOGCATEGORY_GENERAL,
+				 DNS_LOGMODULE_RBTDB));
 
 	fprintf(stderr, "\n==> stderr begin\n");
 
@@ -225,9 +229,8 @@ main (int argc, char **argv) {
 	 * Reset the internal default to use syslog instead of stderr,
 	 * and test it.
 	 */
-	CHECK_ISC(isc_log_usechannel(lcfg, "default_syslog",
-				     ISC_LOGCATEGORY_DEFAULT,
-				     NULL));
+	CHECK(isc_log_usechannel(lcfg, "default_syslog",
+				 ISC_LOGCATEGORY_DEFAULT, NULL));
 	isc_log_write(lctx, DNS_LOGCATEGORY_SECURITY, DNS_LOGMODULE_RBT,
 		      ISC_LOG_ERROR, "%s%s",
 		      "This message to the redefined default category should ",
@@ -254,12 +257,12 @@ main (int argc, char **argv) {
 		for (i = file_versions - 1; i >= 0; i--)
 			isc_log_write(lctx, DNS_LOGCATEGORY_GENERAL,
 				      DNS_LOGMODULE_DB, ISC_LOG_NOTICE,
-				      "This should be in file %d/%d", i,
+				      "should be in file %d/%d", i,
 				      file_versions - 1);
 
 		isc_log_write(lctx, DNS_LOGCATEGORY_GENERAL,
 			      DNS_LOGMODULE_DB, ISC_LOG_NOTICE,
-			      "This should be in the base file");
+			      "should be in base file");
 
 	} else {
 		file_versions = FILE_VERSIONS;
@@ -331,5 +334,5 @@ main (int argc, char **argv) {
 	if (show_final_mem)
 		isc_mem_stats(mctx, stderr);
 
-	exit(0);
+	return (0);
 }
diff --git a/bin/tests/lwres_test.c b/bin/tests/lwres_test.c
index f7eed98b..6f1d76b0 100644
--- a/bin/tests/lwres_test.c
+++ b/bin/tests/lwres_test.c
@@ -18,26 +18,18 @@
 #include <config.h>
 
 #include <assert.h>
-#include <ctype.h>
-#include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
 #include <isc/mem.h>
 #include <isc/netaddr.h>
+#include <isc/util.h>
 
-#include <lwres/context.h>
-#include <lwres/lwbuffer.h>
 #include <lwres/lwres.h>
-#include <lwres/lwpacket.h>
 
 #define USE_ISC_MEM
 
 static inline void
-CHECK(int val, char *msg)
-{
+CHECK(int val, char *msg) {
 	if (val != 0) {
 		fprintf(stderr, "%s returned %d\n", msg, val);
 		exit(1);
@@ -45,8 +37,7 @@ CHECK(int val, char *msg)
 }
 
 static void
-hexdump(char *msg, void *base, size_t len)
-{
+hexdump(char *msg, void *base, size_t len) {
 	unsigned char *p;
 	unsigned int cnt;
 
@@ -75,15 +66,14 @@ static char *TESTSTRING = "This is a test.  This is only a test.  !!!";
 static lwres_context_t *ctx;
 
 static void
-test_noop(void)
-{
+test_noop(void) {
 	int ret;
 	lwres_lwpacket_t pkt, pkt2;
 	lwres_nooprequest_t nooprequest, *nooprequest2;
 	lwres_noopresponse_t noopresponse, *noopresponse2;
 	lwres_buffer_t b;
 
-	pkt.flags = 0;
+	pkt.pktflags = 0;
 	pkt.serial = 0x11223344;
 	pkt.recvlength = 0x55667788;
 	pkt.result = 0;
@@ -118,7 +108,7 @@ test_noop(void)
 	b.base = NULL;
 	b.length = 0;
 
-	pkt.flags = 0;
+	pkt.pktflags = 0;
 	pkt.serial = 0x11223344;
 	pkt.recvlength = 0x55667788;
 	pkt.result = 0xdeadbeef;
@@ -155,8 +145,7 @@ test_noop(void)
 }
 
 static void
-test_gabn(char *target)
-{
+test_gabn(char *target) {
 	lwres_gabnresponse_t *res;
 	lwres_addr_t *addr;
 	int ret;
@@ -200,8 +189,7 @@ test_gabn(char *target)
 }
 
 static void
-test_gnba(char *target, lwres_uint32_t af)
-{
+test_gnba(char *target, lwres_uint32_t af) {
 	lwres_gnbaresponse_t *res;
 	int ret;
 	unsigned int i;
@@ -238,21 +226,18 @@ test_gnba(char *target, lwres_uint32_t af)
  * Wrappers around our memory management stuff, for the lwres functions.
  */
 static void *
-mem_alloc(void *arg, size_t size)
-{
+mem_alloc(void *arg, size_t size) {
 	return (isc_mem_get(arg, size));
 }
 
 static void
-mem_free(void *arg, void *mem, size_t size)
-{
+mem_free(void *arg, void *mem, size_t size) {
 	isc_mem_put(arg, mem, size);
 }
 #endif
 
 int
-main(int argc, char *argv[])
-{
+main(int argc, char *argv[]) {
 	int ret;
 #ifdef USE_ISC_MEM
 	isc_mem_t *mem;
diff --git a/bin/tests/lwres_conftest.c b/bin/tests/lwresconf_test.c
index 772f5ae1..241c25c3 100644
--- a/bin/tests/lwres_conftest.c
+++ b/bin/tests/lwresconf_test.c
@@ -17,27 +17,17 @@
 
 #include <config.h>
 
-#include <assert.h>
-#include <ctype.h>
-#include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
 #include <isc/mem.h>
-#include <isc/netaddr.h>
+#include <isc/util.h>
 
-#include <lwres/context.h>
-#include <lwres/lwbuffer.h>
 #include <lwres/lwres.h>
-#include <lwres/lwpacket.h>
 
 #define USE_ISC_MEM
 
 static inline void
-CHECK(int val, char *msg)
-{
+CHECK(int val, char *msg) {
 	if (val != 0) {
 		fprintf(stderr, "%s returned %d\n", msg, val);
 		exit(1);
@@ -49,23 +39,19 @@ CHECK(int val, char *msg)
  * Wrappers around our memory management stuff, for the lwres functions.
  */
 static void *
-mem_alloc(void *arg, size_t size)
-{
+mem_alloc(void *arg, size_t size) {
 	return (isc_mem_get(arg, size));
 }
 
 static void
-mem_free(void *arg, void *mem, size_t size)
-{
+mem_free(void *arg, void *mem, size_t size) {
 	isc_mem_put(arg, mem, size);
 }
 #endif
 
 int
-main(int argc, char *argv[])
-{
+main(int argc, char *argv[]) {
 	lwres_context_t *ctx;
-	lwres_conf_t conf;
 	const char *file = "/etc/resolv.conf";
 	int ret;
 #ifdef USE_ISC_MEM
@@ -91,14 +77,14 @@ main(int argc, char *argv[])
 #endif
 	CHECK(ret, "lwres_context_create");
 
-	lwres_conf_init(&conf);
-	if (lwres_conf_parse(ctx, file, &conf) == 0) {
-		lwres_conf_print(stderr, &conf);
+	lwres_conf_init(ctx);
+	if (lwres_conf_parse(ctx, file) == 0) {
+		lwres_conf_print(ctx, stderr);
 	} else {
 		perror("lwres_conf_parse");
 	}
 
-	lwres_conf_clear(ctx, &conf);
+	lwres_conf_clear(ctx);
 	lwres_context_destroy(&ctx);
 
 #ifdef USE_ISC_MEM
diff --git a/bin/tests/master/Makefile.in b/bin/tests/master/Makefile.in
index d0aa8003..6fc346df 100644
--- a/bin/tests/master/Makefile.in
+++ b/bin/tests/master/Makefile.in
@@ -25,11 +25,15 @@ CDEFINES =
 CWARNINGS =
 
 # Note that we do not want to use libtool for libt_api
-DEPLIBS =	../../../lib/dns/libdns.@A@ \
-		../../../lib/isc/libisc.@A@
+DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@
+ISCLIBS =	../../../lib/isc/libisc.@A@
 
-LIBS =		${DEPLIBS} \
-		@LIBS@
+DNSDEPLIBS =	../../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../../lib/isc/libisc.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
 
 TLIB =		../../../lib/tests/libt_api.@A@
 
diff --git a/bin/tests/master/dns_master_load_1_data b/bin/tests/master/dns_master_load_1_data
index 1140ba6d..fc92c748 100644
--- a/bin/tests/master/dns_master_load_1_data
+++ b/bin/tests/master/dns_master_load_1_data
@@ -9,4 +9,4 @@
 #	class is the zone's class
 # 	expected_result is a text representation of a dns_result_t
 #
-master1.data	test	in	DNS_R_SUCCESS
+master1.data	test	in	ISC_R_SUCCESS
diff --git a/bin/tests/master/dns_master_load_2_data b/bin/tests/master/dns_master_load_2_data
index b71c2dae..a6e44b34 100644
--- a/bin/tests/master/dns_master_load_2_data
+++ b/bin/tests/master/dns_master_load_2_data
@@ -9,4 +9,4 @@
 #	class is the zone's class
 # 	expected_result is a text representation of a dns_result_t
 #
-master2.data	test	in	DNS_R_UNEXPECTEDEND
+master2.data	test	in	ISC_R_UNEXPECTEDEND
diff --git a/bin/tests/master/dns_master_load_6_data b/bin/tests/master/dns_master_load_6_data
index 8d0621cd..d14aa888 100644
--- a/bin/tests/master/dns_master_load_6_data
+++ b/bin/tests/master/dns_master_load_6_data
@@ -9,4 +9,4 @@
 #	class is the zone's class
 # 	expected_result is a text representation of a dns_result_t
 #
-master6.data	test	in	DNS_R_SUCCESS
+master6.data	test	in	ISC_R_SUCCESS
diff --git a/bin/tests/master/dns_master_load_7_data b/bin/tests/master/dns_master_load_7_data
index 5d3c8d7c..dbe7ef9a 100644
--- a/bin/tests/master/dns_master_load_7_data
+++ b/bin/tests/master/dns_master_load_7_data
@@ -9,4 +9,4 @@
 #	class is the zone's class
 # 	expected_result is a text representation of a dns_result_t
 #
-master7.data	test	in	DNS_R_SUCCESS
+master7.data	test	in	ISC_R_SUCCESS
diff --git a/bin/tests/master/t_master.c b/bin/tests/master/t_master.c
index 97cddbde..4a5fa79d 100644
--- a/bin/tests/master/t_master.c
+++ b/bin/tests/master/t_master.c
@@ -15,56 +15,55 @@
  * SOFTWARE.
  */
 
-#include	<config.h>
+#include <config.h>
 
-#include	<ctype.h>
-#include	<stdio.h>
-#include	<stdlib.h>
-#include	<string.h>
+#include <ctype.h>
+#include <stdlib.h>
 
-#include	<isc/mem.h>
-#include	<isc/buffer.h>
-#include	<isc/error.h>
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/util.h>
 
-#include	<dns/master.h>
-#include	<dns/name.h>
-#include	<dns/rdataclass.h>
-#include	<dns/rdataset.h>
-#include	<dns/result.h>
-#include	<dns/types.h>
-#include	<tests/t_api.h>
+#include <dns/callbacks.h>
+#include <dns/master.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+
+#include <tests/t_api.h>
 
 #define	BUFLEN		255
 #define	BIGBUFLEN	(64 * 1024)
 
-static isc_result_t	t1_add_callback(void *arg, dns_name_t *owner,
-					dns_rdataset_t *dataset);
-static void		t1(void);
+static isc_result_t
+t1_add_callback(void *arg, dns_name_t *owner, dns_rdataset_t *dataset);
+
+static void
+t1(void);
 
 isc_mem_t	*T1_mctx;
 char		*Tokens[T_MAXTOKS + 1];
 
 static isc_result_t
 t1_add_callback(void *arg, dns_name_t *owner, dns_rdataset_t *dataset) {
-
 	char buf[BIGBUFLEN];
 	isc_buffer_t target;
 	isc_result_t result;
 	
-	arg = arg;	/*unused*/
+	UNUSED(arg);
 
-	isc_buffer_init(&target, buf, BIGBUFLEN, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&target, buf, BIGBUFLEN);
 	result = dns_rdataset_totext(dataset, owner, ISC_FALSE, ISC_FALSE,
 				     &target);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		t_info("dns_rdataset_totext: %s\n", dns_result_totext(result));
 
 	return(result);
 }
 
 static int
-test_master(char *testfile, char *origin, char *class,
-	    isc_result_t exp_result)
+test_master(char *testfile, char *origin, char *class, isc_result_t exp_result)
 {
 	int			result;
 	int			len;
@@ -91,15 +90,14 @@ test_master(char *testfile, char *origin, char *class,
 	}
 
 	len = strlen(origin);
-	isc_buffer_init(&source, origin, len,
-			ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&source, origin, len);
 	isc_buffer_add(&source, len);
 	isc_buffer_setactive(&source, len);
-	isc_buffer_init(&target, name_buf, BUFLEN, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&target, name_buf, BUFLEN);
 	dns_name_init(&dns_origin, NULL);
 	dns_result = dns_name_fromtext(&dns_origin, &source, dns_rootname,
 				   ISC_FALSE, &target);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed %s\n",
 				dns_result_totext(dns_result));
 		return(T_UNRESOLVED);
@@ -112,7 +110,7 @@ test_master(char *testfile, char *origin, char *class,
 	textregion.length = strlen(class);
 
 	dns_result = dns_rdataclass_fromtext(&rdataclass, &textregion);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rdataclass_fromtext failed %s\n",
 				dns_result_totext(dns_result));
 		return(T_UNRESOLVED);
@@ -157,36 +155,36 @@ test_master_x(char *filename) {
 
 			++line;
 
-			/* skip comment lines */
+			/*
+			 * Skip comment lines.
+			 */
 			if ((isspace(*p & 0xff)) || (*p == '#'))
 				continue;
 
-			/* name of data file, origin, zclass, expected result */
+			/*
+			 * Name of data file, origin, zclass, expected result.
+			 */
 			cnt = t_bustline(p, Tokens);
 			if (cnt == 4) {
-				result = test_master(
-						Tokens[0],
-						Tokens[1],
-						Tokens[2],
-						t_dns_result_fromtext(Tokens[3]));
-			}
-			else {
+				result = test_master(Tokens[0], Tokens[1],
+					     Tokens[2],
+					     t_dns_result_fromtext(Tokens[3]));
+			} else {
 				t_info("bad format in %s at line %d\n",
-						filename, line);
+				       filename, line);
 			}
 
-			(void) free(p);
+			(void)free(p);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile %s\n", filename);
 	}
 	return(result);
 }
 
 static char *a1 =	"dns_master_loadfile loads a valid master file and "
-			"returns DNS_R_SUCCESS";
+			"returns ISC_R_SUCCESS";
 static void
 t1() {
 	int	result;
@@ -195,8 +193,9 @@ t1() {
 	t_result(result);
 }
 
-static char *a2 =	"dns_master_loadfile returns DNS_R_UNEXPECTEDEND when the "
-			"masterfile input ends unexpectedly";
+static char *a2 = "dns_master_loadfile returns ISC_R_UNEXPECTEDEND when the "
+		  "masterfile input ends unexpectedly";
+
 static void
 t2() {
 	int	result;
@@ -240,8 +239,8 @@ t5() {
 	t_result(result);
 }
 
-static char *a6 =	"dns_master_loadfile understands KEY RR specifications "
-			"containing key material";
+static char *a6 = "dns_master_loadfile understands KEY RR specifications "
+		  "containing key material";
 
 static void
 t6() {
@@ -253,8 +252,8 @@ t6() {
 	t_result(result);
 }
 
-static char *a7 =	"dns_master_loadfile understands KEY RR specifications "
-			"containing no key material";
+static char *a7 = "dns_master_loadfile understands KEY RR specifications "
+		  "containing no key material";
 
 static void
 t7() {
@@ -267,8 +266,8 @@ t7() {
 }
 
 testspec_t	T_testlist[] = {
-	{	t1,	"DNS_R_SUCCESS"		},
-	{	t2,	"DNS_R_UNEXPECTEDEND"	},
+	{	t1,	"ISC_R_SUCCESS"		},
+	{	t2,	"ISC_R_UNEXPECTEDEND"	},
 	{	t3,	"DNS_NOOWNER"		},
 	{	t4,	"DNS_NOTTL"		},
 	{	t5,	"DNS_BADCLASS"		},
diff --git a/bin/tests/master_test.c b/bin/tests/master_test.c
index b9ca276a..db7c4aa0 100644
--- a/bin/tests/master_test.c
+++ b/bin/tests/master_test.c
@@ -17,44 +17,39 @@
 
 #include <config.h>
 
-#include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 
-#include <isc/mem.h>
 #include <isc/buffer.h>
-#include <isc/error.h>
+#include <isc/mem.h>
+#include <isc/util.h>
 
+#include <dns/callbacks.h>
 #include <dns/master.h>
 #include <dns/name.h>
 #include <dns/rdataset.h>
 #include <dns/result.h>
-#include <dns/types.h>
-
-isc_result_t print_dataset(void *arg, dns_name_t *owner,
-			   dns_rdataset_t *dataset);
 
 isc_mem_t *mctx;
 
-isc_result_t
+static isc_result_t
 print_dataset(void *arg, dns_name_t *owner, dns_rdataset_t *dataset) {
 	char buf[64*1024];
 	isc_buffer_t target;
 	isc_result_t result;
 	
-	arg = arg;	/*unused*/
+	UNUSED(arg);
 
-	isc_buffer_init(&target, buf, 64*1024, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&target, buf, 64*1024);
 	result = dns_rdataset_totext(dataset, owner, ISC_FALSE, ISC_FALSE,
 				     &target);
-	if (result == DNS_R_SUCCESS)
+	if (result == ISC_R_SUCCESS)
 		fprintf(stdout, "%.*s\n", (int)target.used,
 					  (char*)target.base);
 	else 
 		fprintf(stdout, "dns_rdataset_totext: %s\n",
 			dns_result_totext(result));
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 int
@@ -68,20 +63,19 @@ main(int argc, char *argv[]) {
 	int nscount = 0;
 	dns_rdatacallbacks_t callbacks;
 
-	argc = argc;
+	UNUSED(argc);
 
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 
 	if (argv[1]) {
-		isc_buffer_init(&source, argv[1], strlen(argv[1]),
-				ISC_BUFFERTYPE_TEXT);
+		isc_buffer_init(&source, argv[1], strlen(argv[1]));
 		isc_buffer_add(&source, strlen(argv[1]));
 		isc_buffer_setactive(&source, strlen(argv[1]));
-		isc_buffer_init(&target, name_buf, 255, ISC_BUFFERTYPE_BINARY);
+		isc_buffer_init(&target, name_buf, 255);
 		dns_name_init(&origin, NULL);
 		result = dns_name_fromtext(&origin, &source, dns_rootname,
 					   ISC_FALSE, &target);
-		if (result != DNS_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS) {
 			fprintf(stdout, "dns_name_fromtext: %s\n",
 				dns_result_totext(result));
 			exit(1);
@@ -96,7 +90,7 @@ main(int argc, char *argv[]) {
 					     &callbacks, mctx);
 		fprintf(stdout, "dns_master_loadfile: %s\n",
 			dns_result_totext(result));
-		if (result == DNS_R_SUCCESS)
+		if (result == ISC_R_SUCCESS)
 			fprintf(stdout, "soacount = %d, nscount = %d\n",
 				soacount, nscount);
 	}
diff --git a/bin/tests/mem/Makefile.in b/bin/tests/mem/Makefile.in
index 599df933..6f589f48 100644
--- a/bin/tests/mem/Makefile.in
+++ b/bin/tests/mem/Makefile.in
@@ -24,15 +24,22 @@ CINCLUDES =	${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
 CDEFINES =
 CWARNINGS =
 
-DEPLIBS =	../../../lib/dns/libdns.@A@ \
-		../../../lib/tests/libt_api.@A@ \
-		../../../lib/isc/libisc.@A@
+DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@
+ISCLIBS =	../../../lib/isc/libisc.@A@
+TAPIDEPLIBS =	../../../lib/tests/libt_api.@A@
 
-LIBS =		${DEPLIBS} \
-		@LIBS@
+DNSDEPLIBS =	../../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../../lib/isc/libisc.@A@
+TAPILIBS =	../../../lib/tests/libt_api.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${TAPIDEPLIBS} ${ISCDEPLIBS} 
+
+LIBS =		${DNSLIBS} ${TAPILIBS} ${ISCLIBS} @LIBS@
 
 TARGETS =	t_mem
 
+SRCS =		t_mem.c
+
 @BIND9_MAKE_RULES@
 
 t_mem: t_mem.@O@ ${DEPLIBS}
diff --git a/bin/tests/mem/t_mem.c b/bin/tests/mem/t_mem.c
index 64a4653a..9414766b 100644
--- a/bin/tests/mem/t_mem.c
+++ b/bin/tests/mem/t_mem.c
@@ -17,22 +17,13 @@
 
 #include <config.h>
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <isc/assertions.h>
-#include <isc/error.h>
 #include <isc/mem.h>
-#include <isc/result.h>
-#include <tests/t_api.h>
 
-static void	t1(void);
+#include <tests/t_api.h>
 
 /*
- * adapted from the original mempool_test.c program
+ * Adapted from the original mempool_test.c program.
  */
-
 isc_mem_t *mctx;
 
 #define	MP1_FREEMAX	10
@@ -43,7 +34,7 @@ isc_mem_t *mctx;
 #define	MP2_FILLCNT	25
 
 static int
-memtest() {
+memtest(void) {
 	int		nfails;
 	void		*items1[50];
 	void		*items2[50];
@@ -58,7 +49,8 @@ memtest() {
 	mctx = NULL;
 	isc_result = isc_mem_create(0, 0, &mctx);
 	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_mem_create failed %s\n", isc_result_totext(isc_result));
+		t_info("isc_mem_create failed %s\n",
+		       isc_result_totext(isc_result));
 		++nfails;
 		return(nfails);
 	}
@@ -66,7 +58,8 @@ memtest() {
 	mp1 = NULL;
 	isc_result = isc_mempool_create(mctx, 24, &mp1);
 	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_mempool_create failed %s\n", isc_result_totext(isc_result));
+		t_info("isc_mempool_create failed %s\n",
+		       isc_result_totext(isc_result));
 		++nfails;
 		return(nfails);
 	}
@@ -74,7 +67,8 @@ memtest() {
 	mp2 = NULL;
 	isc_result = isc_mempool_create(mctx, 31, &mp2);
 	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_mempool_create failed %s\n", isc_result_totext(isc_result));
+		t_info("isc_mempool_create failed %s\n",
+		       isc_result_totext(isc_result));
 		++nfails;
 		return(nfails);
 	}
@@ -190,7 +184,7 @@ static char	*a1 =
 		"the memory module supports the creation of memory contexts "
 		"and the management of memory pools.";
 static void
-t1() {
+t1(void) {
 	int	rval;
 	int	result;
 
diff --git a/bin/tests/mempool_test.c b/bin/tests/mempool_test.c
index b904abb9..1254331d 100644
--- a/bin/tests/mempool_test.c
+++ b/bin/tests/mempool_test.c
@@ -17,21 +17,13 @@
 
 #include <config.h>
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <isc/assertions.h>
-#include <isc/error.h>
 #include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/result.h>
+#include <isc/util.h>
 
 isc_mem_t *mctx;
 
 int
-main(int argc, char *argv[])
-{
+main(int argc, char *argv[]) {
 	void *items1[50];
 	void *items2[50];
 	void *tmp;
@@ -39,9 +31,8 @@ main(int argc, char *argv[])
 	unsigned int i, j;
 	isc_mutex_t lock;
 
-	/* Silence annoying compiler warning. */
-	(void)argc;
-	(void)argv;
+	UNUSED(argc);
+	UNUSED(argv);
 
 	RUNTIME_CHECK(isc_mutex_init(&lock) == ISC_R_SUCCESS);
 
diff --git a/bin/tests/name_test.c b/bin/tests/name_test.c
index 3305ed93..56286955 100644
--- a/bin/tests/name_test.c
+++ b/bin/tests/name_test.c
@@ -17,20 +17,14 @@
 
 #include <config.h>
 
-#include <ctype.h>
-#include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 
-#include <isc/assertions.h>
 #include <isc/commandline.h>
-#include <isc/boolean.h>
-#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
-#include <dns/types.h>
-#include <dns/result.h>
-#include <dns/name.h>
 #include <dns/fixedname.h>
+#include <dns/result.h>
 
 static void
 print_wirename(isc_region_t *name) {
@@ -54,13 +48,13 @@ print_name(dns_name_t *name) {
 	isc_region_t r;
 	char s[1000];
 
-	isc_buffer_init(&source, s, sizeof s, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&source, s, sizeof(s));
 	if (dns_name_countlabels(name) > 0)
 		result = dns_name_totext(name, ISC_FALSE, &source);
 	else
-		result = DNS_R_SUCCESS;
-	if (result == DNS_R_SUCCESS) {
-		isc_buffer_used(&source, &r);
+		result = ISC_R_SUCCESS;
+	if (result == ISC_R_SUCCESS) {
+		isc_buffer_usedregion(&source, &r);
 		if (r.length > 0)
 			printf("%.*s\n", (int)r.length, r.base);
 		else
@@ -127,8 +121,7 @@ main(int argc, char *argv[]) {
 			origin = NULL;
 		else {
 			len = strlen(argv[0]);
-			isc_buffer_init(&source, argv[0], len,
-					ISC_BUFFERTYPE_TEXT);
+			isc_buffer_init(&source, argv[0], len);
 			isc_buffer_add(&source, len);
 			dns_fixedname_init(&oname);
 			origin = &oname.name;
@@ -152,8 +145,7 @@ main(int argc, char *argv[]) {
 			comp = NULL;
 		else {
 			len = strlen(argv[0]);
-			isc_buffer_init(&source, argv[0], len,
-					ISC_BUFFERTYPE_TEXT);
+			isc_buffer_init(&source, argv[0], len);
 			isc_buffer_add(&source, len);
 			dns_fixedname_init(&compname);
 			comp = &compname.name;
@@ -178,7 +170,7 @@ main(int argc, char *argv[]) {
 			s[len - 1] = '\0';
 			len--;
 		}
-		isc_buffer_init(&source, s, len, ISC_BUFFERTYPE_TEXT);
+		isc_buffer_init(&source, s, len);
 		isc_buffer_add(&source, len);
 
 		if (len > 0)
@@ -189,10 +181,10 @@ main(int argc, char *argv[]) {
 				dns_fixedname_init(&wname);
 			else
 				dns_fixedname_init(&wname2);
-			result = DNS_R_SUCCESS;
+			result = ISC_R_SUCCESS;
 		}
 
-		if (result != DNS_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS) {
 			printf("%s\n", dns_result_totext(result));
 			if (name == dns_fixedname_name(&wname))
 				dns_fixedname_init(&wname);
@@ -228,7 +220,7 @@ main(int argc, char *argv[]) {
 							      &wname2.name,
 							      NULL);
 				name = &wname2.name;
-				if (result == DNS_R_SUCCESS) {
+				if (result == ISC_R_SUCCESS) {
 					if (check_absolute &&
 					    dns_name_countlabels(name) > 0) {
 						if (dns_name_isabsolute(name))
@@ -259,13 +251,13 @@ main(int argc, char *argv[]) {
 			} else
 				got_name = ISC_TRUE;
 		}
-		isc_buffer_init(&source, s, sizeof s, ISC_BUFFERTYPE_TEXT);
+		isc_buffer_init(&source, s, sizeof(s));
 		if (dns_name_countlabels(name) > 0)
 			result = dns_name_totext(name, ISC_FALSE, &source);
 		else
-			result = DNS_R_SUCCESS;
-		if (result == DNS_R_SUCCESS) {
-			isc_buffer_used(&source, &r);
+			result = ISC_R_SUCCESS;
+		if (result == ISC_R_SUCCESS) {
+			isc_buffer_usedregion(&source, &r);
 			if (r.length > 0)
 				printf("%.*s\n", (int)r.length, r.base);
 			else
@@ -292,8 +284,7 @@ main(int argc, char *argv[]) {
 				       dns_name_countlabels(down),
 				       r.length);
 			}
-			isc_buffer_init(&source, s, sizeof s,
-					ISC_BUFFERTYPE_TEXT);
+			isc_buffer_init(&source, s, sizeof(s));
 			print_name(down);
 		}
 
diff --git a/bin/tests/named.conf b/bin/tests/named.conf
index d153401c..b65d6057 100644
--- a/bin/tests/named.conf
+++ b/bin/tests/named.conf
@@ -15,53 +15,37 @@
 // watch out for ";" -- it's important!
 
 options {
-	request-ixfr yes;
-	provide-ixfr yes;
-	listen-on { 
-		10/24;
-		10.0.0.3; 1:2:3:4:5:6:7:8; 			
-	};
-	transfer-source 10.0.0.5;
-	transfer-source-v6 4:3:2:1:5:6:7:8;
+	version "my version string";
+	directory "/tmp";
 
-	directory ".";			// use current directory
+# Obsolete
 	named-xfer "/usr/libexec/named-xfer";	// _PATH_XFER
+
 	dump-file "named_dump.db";  	// _PATH_DUMPFILE
 	pid-file "/var/run/named.pid";  // _PATH_PIDFILE
 	statistics-file "named.stats";  // _PATH_STATS
 	memstatistics-file "named.memstats";	// _PATH_MEMSTATS
 
-	tcp-clients	143;
-	recursive-clients	777;
-	rfc2308-type1	no;
-	tkey-domain	"foo.com";
-	tkey-dhkey	"xyz" 666 ;
-	check-names master fail;
-	check-names slave warn;
-	check-names response ignore;
-	host-statistics no;
-	deallocate-on-exit no;		// Painstakingly deallocate all
-					// objects when exiting instead of
-					// letting the OS clean up for us.
-					// Useful a memory leak is suspected.
-					// Final statistics are written to the
-					// memstatistics-file.
-	datasize default;
-	stacksize default;
-	coresize default;
-	files unlimited;
-	recursion yes;
-	expert-mode true;		// don't issue warnings for some things
-	fetch-glue yes;
-	fake-iquery no;
-	notify yes;			// send NOTIFY messages.  You can set
-					// notify on a zone-by-zone
-					// basis in the "zone" statement
-					// see (below)
+	additional-data minimal;
+	max-cache-ttl 999;
 	auth-nxdomain yes;		// always set AA on NXDOMAIN.
 					// don't set this to 'no' unless
 					// you know what you're doing -- older
 					// servers won't like it.
+
+# Obsolete
+	deallocate-on-exit no;		
+
+	dialup yes;
+
+# Obsolete
+	fake-iquery no;
+
+	fetch-glue yes;
+	has-old-clients yes;
+	host-statistics no;
+
+# Obsolete
 	multiple-cnames no;		// if yes, then a name my have more
 					// than one CNAME RR.  This use
 					// is non-standard and is not
@@ -69,116 +53,111 @@ options {
 					// because previous releases supported
 					// it and it was used by large sites
 					// for load balancing.
-	allow-query { any; };
-	allow-transfer { any; };
-	transfers-in 10;		// DEFAULT_XFERS_RUNNING, cannot be
-					// set > than MAX_XFERS_RUNNING (20)
-	transfers-per-ns 2;		// DEFAULT_XFERS_PER_NS
-	transfers-out 0;		// not implemented
-	max-transfer-time-in 300;	// MAX_XFER_TIME; the default number
-					// of minutes an inbound zone transfer
-					// may run.  May be set on a per-zone
-					// basis.
-	max-transfer-time-out 10;	// MAX_XFER_TIME; the default number
-	max-transfer-idle-in 100;	// MAX_XFER_TIME; the default number
-	max-transfer-idle-out 11;	// MAX_XFER_TIME; the default number
-	/*
-	 * The "transfer-format" option specifies the way outbound zone
-	 * transfers (i.e. from us to them) are formatted.  Two values are
-	 * allowed:
-	 *
-	 *	one-answer		Each RR gets its own DNS message.
-	 *				This format is not very efficient,
-	 *				but is widely understood.  All
-	 *				versions of BIND prior to 8.1 generate
-	 *				this format for outbound zone 
-	 *				and require it on inbound transfers.
-	 *
-	 *	many-answers		As many RRs as will fit are put into
-	 *				each DNS message.  This format is
-	 *				the most efficient, but is only known
-	 *				to work with BIND 8.  Patches to
-	 *				BIND 4.9.5 named-xfer that enable it
-	 *				to understand 'many-answers' will be
-	 *				available.
-	 *
-	 * If you are going to be doing zone transfers to older servers, you
-	 * shouldn't use 'many-answers'.  'transfer-format' may also be set
-	 * on a host-by-host basis using the 'server' statement (see below).
-	 */
-	transfer-format one-answer;
-	query-source-v6 address 8:7:6:5:4:3:2:1 port *;
-	query-source port * address 10.0.0.54  ;
-	/*
-	 * The "forward" option is only meaningful if you've defined
-	 * forwarders.  "first" gives the normal BIND
-	 * forwarding behavior, i.e. ask the forwarders first, and if that
-	 * doesn't work then do the full lookup.  You can also say
-	 * "forward only;" which is what used to be specified with
-	 * "slave" or "options forward-only".  "only" will never attempt
-	 * a full lookup; only the forwarders will be used.
-	 */
+
+	notify yes;			// send NOTIFY messages.  You can set
+					// notify on a zone-by-zone
+					// basis in the "zone" statement
+					// see (below)
+	recursion yes;
+	rfc2308-type1	no;
+
+# Obsolete
+	use-id-pool yes;
+
+# Obsolete
+	treat-cr-as-space yes;
+
+	also-notify { 10.0.2.3; };
+
+	// The "forward" option is only meaningful if you've defined
+	// forwarders.  "first" gives the normal BIND
+	// forwarding behavior, i.e. ask the forwarders first, and if that
+	// doesn't work then do the full lookup.  You can also say
+	// "forward only;" which is what used to be specified with
+	// "slave" or "options forward-only".  "only" will never attempt
+	// a full lookup; only the forwarders will be used.
 	forward first;
-	forwarders { };			// default is no forwarders
-	/*
-	 * Here's a forwarders example that isn't trivial
-	 */
-	/*
 	forwarders {
 		1.2.3.4;
 		5.6.7.8;
 	};
-	*/
-//	topology { localhost; localnets; };	// prefer local nameservers
-	/*
-	 * Here's a more complicated topology example; it's commented out
-	 * because only one topology block is allowed.
-	 */
-	topology {
-		10/8;			// prefer network 10.0.0.0
-					// netmask 255.0.0.0 most
-		!1.2.3/24;		// don't like 1.2.3.0 netmask
-					// 255.255.255.0 at all
-		{ 1.2/16; 3/8; };	// like 1.2.0.0 netmask 255.255.0.0
-					// and 3.0.0.0 netmask 255.0.0.0
-					// equally well, but less than 10/8
+
+	check-names master fail;
+	check-names slave warn;
+	check-names response ignore;
+
+	allow-query { any; };
+	allow-transfer { any; };
+	allow-recursion { !any; };
+	blackhole { 45/24; };
+
+	listen-on { 
+		10/24;
+		10.0.0.3; 1:2:3:4:5:6:7:8; 			
 	};
 
+	listen-on port 53 { any; };	
+					
+	listen-on { 5.6.7.8; };		
+					
+	listen-on port 1234 {		
+		!1.2.3.4;		
+		1.2.3/24;		
+	};				
 
-	listen-on port 53 { any; };	// listen for queries on port 53 on
-					// any interface on the system
-					// (i.e. all interfaces).  The
-					// "port 53" is optional; if you
-					// don't specify a port, port 53
-					// is assumed.
-	/*
-	 * Multiple listen-on statements are allowed.  Here's a more
-	 * complicated example:
-	 */
+	query-source-v6 address 8:7:6:5:4:3:2:1 port *;
+	query-source port * address 10.0.0.54  ;
 
-	listen-on { 5.6.7.8; };		// listen on port 53 on interface
-					// 5.6.7.8
-	listen-on port 1234 {		// listen on port 1234 on any
-		!1.2.3.4;		// interface on network 1.2.3
-		1.2.3/24;		// netmask 255.255.255.0, except for
-	};				// interface 1.2.3.4.
+	lame-ttl 477;
 
+	max-transfer-time-in 300;
+	max-transfer-time-out 10;
+	max-transfer-idle-in 100;
+	max-transfer-idle-out 11;
+	
+	max-ncache-ttl 333;
+	min-roots 15;
+	serial-queries 34;
 
-	/*
-	 * Interval Timers
-	 */
-	cleaning-interval 60;		// clean the cache of expired RRs
-					// every 'cleaning-interval' minutes
-	interface-interval 60;		// scan for new or deleted interfaces
-					// every 'interface-interval' minutes
-	statistics-interval 60;		// log statistics every 
-					// 'statistics-interval' minutes
-	/*
-	 * IXFR options
-     */
-    maintain-ixfr-base no;   // If yes, keep transaction log file for IXFR
-    max-ixfr-log-size 20;	 // Not implemented, maximum size the 
-	                         // IXFR transaction log file to grow
+	transfer-format one-answer;
+
+	transfers-in 10;
+	transfers-per-ns 2;
+	transfers-out 0;
+
+	transfer-source 10.0.0.5;
+	transfer-source-v6 4:3:2:1:5:6:7:8;
+
+	request-ixfr yes;
+	provide-ixfr yes;
+
+# Now called 'provide-ixfr'
+#    maintain-ixfr-base no;   // If yes, keep transaction log file for IXFR
+
+	max-ixfr-log-size 20;
+	coresize 100;
+	datasize 101;
+	files 230;
+	stacksize 231;
+	cleaning-interval 1000;
+	heartbeat-interval 1001;
+	interface-interval 1002;
+	statistics-interval 1003;
+	
+	topology {
+		10/8;			
+					
+		!1.2.3/24;		
+					
+		{ 1.2/16; 3/8; };	
+					
+					
+	};
+
+	sortlist { 10/8; 11/8; };
+
+	tkey-domain	"foo.com";
+	tkey-dhkey	"xyz" 666 ;
 };
 
 /*
@@ -191,6 +170,7 @@ controls {
 
 zone "master.demo.zone" {
 	type master;			// what used to be called "primary" 
+	database "somedb -option1 -option2 arg1 arg2 arg3";
 	file "master.demo.zone";
 	check-names fail;
 	allow-update { none; };
@@ -201,7 +181,7 @@ zone "master.demo.zone" {
 					// zone?  The global option is used
 					// if "notify" is not specified
 					// here.
-	also-notify { };		// don't notify any nameservers other
+	also-notify {  1.0.0.1; };	// don't notify any nameservers other
 					// than those on the NS list for this
 					// zone
 	forward first;
@@ -226,30 +206,65 @@ zone "slave.demo.zone" {
 	max-transfer-time-out 1;	// if not set, global option is used.
 	max-transfer-idle-in 2;	// if not set, global option is used.
 	max-transfer-idle-out 3;	// if not set, global option is used.
-	also-notify { };		// don't notify any nameservers other
-					// than those on the NS list for this
-					// zone
+	also-notify { 1.0.0.2; };
 	forward only;
 	forwarders { 10.45.45.45; 10.0.0.3; 1:2:3:4:5:6:7:8; };
 };
 
-view "test-view" {
-	allow-update-forwarding { 10.0.0.30;};
+key "non-viewkey" { secret "aaa" ; algorithm "zzz" ; };
+
+view "test-view" in {
+	key "viewkey" { algorithm "xxx" ; secret "yyy" ; };
+	allow-query { 10.0.0.30;};
+	match-clients { 10.0.0.1 ; };
+	check-names master warn;
+	check-names slave ignore;
+	check-names response fail;
+	auth-nxdomain false;
+	recursion true;
+	provide-ixfr false;
+	request-ixfr true;
+	fetch-glue true;
+	notify false;
+	rfc2308-type1 false;
+	additional-data internal;
+	transfer-source 10.0.0.55;
+	transfer-source-v6 4:3:8:1:5:6:7:8;
+	query-source port * address 10.0.0.54  ;
+ 	query-source-v6 address 6:6:6:6:6:6:6:6 port *;
+	max-transfer-time-out 45;
+	max-transfer-idle-out 55;
+	cleaning-interval 100;
+	min-roots 3;
+	lame-ttl 477;
+	max-ncache-ttl 333;
+	max-cache-ttl 777;
+	transfer-format many-answers;
+
 	zone "view-zone.com" {
 		type master;
 		allow-update-forwarding { 10.0.0.34;};
 		file "view-zone-master";
 	};
+
+	server 5.6.7.8 {
+		keys "viewkey";
+	};
+
+	server 10.9.8.7 {
+		keys "non-viewkey";
+	};
 };
 
+
 zone "stub.demo.zone" {
 	type stub;			// stub zones are like slave zones,
 					// except that only the NS records
 					// are transferred.
 	file "stub.demo.zone";
 	masters {
-		1.2.3.4;		// where to zone transfer from
-		5.6.7.8;
+		1.2.3.4 ;		// where to zone transfer from
+		5.6.7.8 port 999;
 	};
 	check-names warn;
 	allow-update { none; };
@@ -276,6 +291,14 @@ acl can_query { !1.2.3/24; any; };	// network 1.2.3.0 mask 255.255.255.0
 acl can_axfr { 1.2.3.4; can_query; };	// host 1.2.3.4 and any host allowed
 					// by can_query are OK
 
+zone "disabled-zone.com" {
+	type master;
+	file "bar";
+
+	# Will make zone configurer skip this one.
+	enable-zone false;
+};
+
 zone "non-default-acl.demo.zone" {
 	type master;
 	file "foo";
@@ -294,13 +317,16 @@ zone "non-default-acl.demo.zone" {
 	//	- certain rdatatype values (such as "key") are config file keywords and
 	// 	  must be quoted or a syntax error will occur.
 	//
-	grant root.domain. subdomain host.domain. A MX CNAME; 
-	grant sub.root.domain. wildcard *.host.domain. A; 
-	grant root.domain. name host.domain. a ns md mf cname soa mb mg 
-		mr "null" wks ptr hinfo minfo mx txt rp afsdb x25
-		isdn rt nsap sig "key" px gpos aaaa loc nxt srv naptr kx 
-		cert a6 dname opt unspec tkey tsig ;
-	grant foo.bar.com. self foo.bar.com. a;
+
+	update-policy {
+		grant root.domain. subdomain host.domain. A MX CNAME; 
+		grant sub.root.domain. wildcard *.host.domain. A; 
+		grant root.domain. name host.domain. a ns md mf cname soa mb mg 
+			mr "null" wks ptr hinfo minfo mx txt rp afsdb x25
+			isdn rt nsap sig "key" px gpos aaaa loc nxt srv naptr kx 
+			cert a6 dname opt unspec tkey tsig ;
+		grant foo.bar.com. self foo.bar.com. a;
+	};
 };
 
 key sample_key {			// for TSIG; supported by parser
@@ -329,7 +355,8 @@ server 1.2.3.4 {
 	keys { "sample_key" };	// for TSIG; supported by the parser
 					// but not yet implemented in the
 					// rest of the server
-	support-ixfr yes;      // for IXFR supported by server
+# Now called 'request-ixfr'
+#	support-ixfr yes;      // for IXFR supported by server
 					// if yes, the listed server talks IXFR 
 };
 
diff --git a/bin/tests/names/Makefile.in b/bin/tests/names/Makefile.in
index c5931200..b5cf2164 100644
--- a/bin/tests/names/Makefile.in
+++ b/bin/tests/names/Makefile.in
@@ -25,11 +25,15 @@ CDEFINES =
 CWARNINGS =
 
 # Note that we do not want to use libtool for libt_api
-DEPLIBS =	../../../lib/dns/libdns.@A@ \
-		../../../lib/isc/libisc.@A@
+DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@
+ISCLIBS =	../../../lib/isc/libisc.@A@
 
-LIBS =		${DEPLIBS} \
-		@LIBS@
+DNSDEPLIBS =	../../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../../lib/isc/libisc.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
 
 TLIB =		../../../lib/tests/libt_api.@A@
 
diff --git a/bin/tests/names/dns_name_fromwire_1_data b/bin/tests/names/dns_name_fromwire_1_data
index 46628673..7816699d 100644
--- a/bin/tests/names/dns_name_fromwire_1_data
+++ b/bin/tests/names/dns_name_fromwire_1_data
@@ -22,11 +22,11 @@
 # or case conversion
 #
 # and where exp_result may be one of
-#		DNS_R_NOSPACE
+#		ISC_R_NOSPACE
 #		DNS_R_BADLABELTYPE
 #		DNS_R_DISALLOWED
 #		DNS_R_BADPOINTER
-#		DNS_R_UNEXPECTEDEND
+#		ISC_R_UNEXPECTEDEND
 #		DNS_R_TOOMANYHOPS
 #		
-wire_test1.data	25	1	DNS_COMPRESS_ALL	vix.com.	DNS_R_SUCCESS
+wire_test1.data	25	1	DNS_COMPRESS_ALL	vix.com.	ISC_R_SUCCESS
diff --git a/bin/tests/names/dns_name_fromwire_2_data b/bin/tests/names/dns_name_fromwire_2_data
index 74868888..728d5da2 100644
--- a/bin/tests/names/dns_name_fromwire_2_data
+++ b/bin/tests/names/dns_name_fromwire_2_data
@@ -22,11 +22,11 @@
 # or case conversion
 #
 # and where exp_result may be one of
-#		DNS_R_NOSPACE
+#		ISC_R_NOSPACE
 #		DNS_R_BADLABELTYPE
 #		DNS_R_DISALLOWED
 #		DNS_R_BADPOINTER
-#		DNS_R_UNEXPECTEDEND
+#		ISC_R_UNEXPECTEDEND
 #		DNS_R_TOOMANYHOPS
 #		
-wire_test2.data	25	1	DNS_COMPRESS_ALL	vix.com.	DNS_R_NOSPACE
+wire_test2.data	25	1	DNS_COMPRESS_ALL	vix.com.	ISC_R_NOSPACE
diff --git a/bin/tests/names/dns_name_fromwire_3_data b/bin/tests/names/dns_name_fromwire_3_data
index fd6ca5ff..22277891 100644
--- a/bin/tests/names/dns_name_fromwire_3_data
+++ b/bin/tests/names/dns_name_fromwire_3_data
@@ -22,11 +22,11 @@
 # or case conversion
 #
 # and where exp_result may be one of
-#		DNS_R_NOSPACE
+#		ISC_R_NOSPACE
 #		DNS_R_BADLABELTYPE
 #		DNS_R_DISALLOWED
 #		DNS_R_BADPOINTER
-#		DNS_R_UNEXPECTEDEND
+#		ISC_R_UNEXPECTEDEND
 #		DNS_R_TOOMANYHOPS
 #		
 wire_test3_1.data	25	1	DNS_COMPRESS_ALL	vix.com.	DNS_R_BADLABELTYPE
diff --git a/bin/tests/names/dns_name_fromwire_4_data b/bin/tests/names/dns_name_fromwire_4_data
index b63fb071..f51b1b69 100644
--- a/bin/tests/names/dns_name_fromwire_4_data
+++ b/bin/tests/names/dns_name_fromwire_4_data
@@ -22,11 +22,11 @@
 # or case conversion
 #
 # and where exp_result may be one of
-#		DNS_R_NOSPACE
+#		ISC_R_NOSPACE
 #		DNS_R_BADLABELTYPE
 #		DNS_R_DISALLOWED
 #		DNS_R_BADPOINTER
-#		DNS_R_UNEXPECTEDEND
+#		ISC_R_UNEXPECTEDEND
 #		DNS_R_TOOMANYHOPS
 #		
-wire_test4.data	550	1	DNS_COMPRESS_ALL	vix.com.	DNS_R_NOSPACE
+wire_test4.data	550	1	DNS_COMPRESS_ALL	vix.com.	ISC_R_NOSPACE
diff --git a/bin/tests/names/dns_name_fromwire_5_data b/bin/tests/names/dns_name_fromwire_5_data
index 0aca1ba8..b813557d 100644
--- a/bin/tests/names/dns_name_fromwire_5_data
+++ b/bin/tests/names/dns_name_fromwire_5_data
@@ -22,11 +22,11 @@
 # or case conversion
 #
 # and where exp_result may be one of
-#		DNS_R_NOSPACE
+#		ISC_R_NOSPACE
 #		DNS_R_BADLABELTYPE
 #		DNS_R_DISALLOWED
 #		DNS_R_BADPOINTER
-#		DNS_R_UNEXPECTEDEND
+#		ISC_R_UNEXPECTEDEND
 #		DNS_R_TOOMANYHOPS
 #		
 wire_test5.data	25	1	DNS_COMPRESS_NONE	vix.com.	DNS_R_DISALLOWED
diff --git a/bin/tests/names/dns_name_fromwire_6_data b/bin/tests/names/dns_name_fromwire_6_data
index 77f56e50..319515da 100644
--- a/bin/tests/names/dns_name_fromwire_6_data
+++ b/bin/tests/names/dns_name_fromwire_6_data
@@ -22,11 +22,11 @@
 # or case conversion
 #
 # and where exp_result may be one of
-#		DNS_R_NOSPACE
+#		ISC_R_NOSPACE
 #		DNS_R_BADLABELTYPE
 #		DNS_R_DISALLOWED
 #		DNS_R_BADPOINTER
-#		DNS_R_UNEXPECTEDEND
+#		ISC_R_UNEXPECTEDEND
 #		DNS_R_TOOMANYHOPS
 #		
 wire_test6.data	25	1	DNS_COMPRESS_ALL	vix.com.	DNS_R_BADPOINTER
diff --git a/bin/tests/names/dns_name_fromwire_7_data b/bin/tests/names/dns_name_fromwire_7_data
index 8a5f092c..7b47691c 100644
--- a/bin/tests/names/dns_name_fromwire_7_data
+++ b/bin/tests/names/dns_name_fromwire_7_data
@@ -22,11 +22,11 @@
 # or case conversion
 #
 # and where exp_result may be one of
-#		DNS_R_NOSPACE
+#		ISC_R_NOSPACE
 #		DNS_R_BADLABELTYPE
 #		DNS_R_DISALLOWED
 #		DNS_R_BADPOINTER
-#		DNS_R_UNEXPECTEDEND
+#		ISC_R_UNEXPECTEDEND
 #		DNS_R_TOOMANYHOPS
 #		
-wire_test7.data	25	1	DNS_COMPRESS_ALL	vix.com.	DNS_R_UNEXPECTEDEND
+wire_test7.data	25	1	DNS_COMPRESS_ALL	vix.com.	ISC_R_UNEXPECTEDEND
diff --git a/bin/tests/names/dns_name_fromwire_8_data b/bin/tests/names/dns_name_fromwire_8_data
index b1e3014b..ddf49f3c 100644
--- a/bin/tests/names/dns_name_fromwire_8_data
+++ b/bin/tests/names/dns_name_fromwire_8_data
@@ -22,11 +22,11 @@
 # or case conversion
 #
 # and where exp_result may be one of
-#		DNS_R_NOSPACE
+#		ISC_R_NOSPACE
 #		DNS_R_BADLABELTYPE
 #		DNS_R_DISALLOWED
 #		DNS_R_BADPOINTER
-#		DNS_R_UNEXPECTEDEND
+#		ISC_R_UNEXPECTEDEND
 #		DNS_R_TOOMANYHOPS
 #		
 wire_test8.data	383	1	DNS_COMPRESS_ALL	vix.com.	DNS_R_TOOMANYHOPS
diff --git a/bin/tests/names/dns_name_fromwire_9_data b/bin/tests/names/dns_name_fromwire_9_data
index 10ed4ed8..2f6cb1bc 100644
--- a/bin/tests/names/dns_name_fromwire_9_data
+++ b/bin/tests/names/dns_name_fromwire_9_data
@@ -22,11 +22,11 @@
 # or case conversion
 #
 # and where exp_result may be one of
-#		DNS_R_NOSPACE
+#		ISC_R_NOSPACE
 #		DNS_R_BADLABELTYPE
 #		DNS_R_DISALLOWED
 #		DNS_R_BADPOINTER
-#		DNS_R_UNEXPECTEDEND
+#		ISC_R_UNEXPECTEDEND
 #		DNS_R_TOOMANYHOPS
 #		
-wire_test9.data	25	1	DNS_COMPRESS_ALL	vix.com.	DNS_R_NOSPACE
+wire_test9.data	25	1	DNS_COMPRESS_ALL	vix.com.	ISC_R_NOSPACE
diff --git a/bin/tests/names/dns_name_towire_1_data b/bin/tests/names/dns_name_towire_1_data
index b592317a..a853989f 100644
--- a/bin/tests/names/dns_name_towire_1_data
+++ b/bin/tests/names/dns_name_towire_1_data
@@ -16,4 +16,4 @@
 # and where exp_data_len is the length of the expected data in decimal format
 # and where exp_result is the expected return value of dns_name_towire
 #
-a.vix.com.	DNS_COMPRESS_NONE	01610376697803636f6d00	11	DNS_R_SUCCESS
+a.vix.com.	DNS_COMPRESS_NONE	01610376697803636f6d00	11	ISC_R_SUCCESS
diff --git a/bin/tests/names/dns_name_towire_2_data b/bin/tests/names/dns_name_towire_2_data
index e74201a0..77bfc92e 100644
--- a/bin/tests/names/dns_name_towire_2_data
+++ b/bin/tests/names/dns_name_towire_2_data
@@ -16,4 +16,4 @@
 # and where exp_data_len is the length of the expected data in decimal format
 # and where exp_result is the expected return value of dns_name_towire
 #
-a.vix.com	DNS_COMPRESS_NONE	01610376697803636f6d	10	DNS_R_NOSPACE
+a.vix.com	DNS_COMPRESS_NONE	01610376697803636f6d	10	ISC_R_NOSPACE
diff --git a/bin/tests/names/t_names.c b/bin/tests/names/t_names.c
index 3f3462f9..b2b4f5bb 100644
--- a/bin/tests/names/t_names.c
+++ b/bin/tests/names/t_names.c
@@ -15,19 +15,18 @@
  * SOFTWARE.
  */
 
-#include	<ctype.h>
-#include	<limits.h>
-#include	<stdio.h>
-#include	<stdlib.h>
-#include	<string.h>
-#include	<unistd.h>
-
-#include	<isc/region.h>
-#include	<dns/compress.h>
-#include	<dns/name.h>
-#include	<dns/result.h>
-#include	<dns/types.h>
-#include	<tests/t_api.h>
+#include <config.h>
+
+#include <ctype.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+
+#include <dns/name.h>
+
+#include <tests/t_api.h>
 
 #define	MAXTOKS		16
 #define	BUFLEN		256
@@ -257,7 +256,7 @@ getmsg(char *datafile_name, unsigned char *buf, int buflen,
 	}
 
 	*p = '\0';
-	isc_buffer_init(pbuf, buf, cnt, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(pbuf, buf, cnt);
 	isc_buffer_add(pbuf, cnt);
 	return(cnt);
 }
@@ -357,19 +356,19 @@ dname_from_tname(char *name, dns_name_t *dns_name)
 	isc_result_t	result;
 
 	len = strlen(name);
-	isc_buffer_init(&txtbuf, name, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&txtbuf, name, len);
 	isc_buffer_add(&txtbuf, len);
 	junk = (unsigned char *) malloc(sizeof(unsigned char) * BUFLEN);
 	binbuf = (isc_buffer_t *)malloc(sizeof(isc_buffer_t));
 	if ((junk != NULL) && (binbuf != NULL)) {
-		isc_buffer_init(binbuf, junk, BUFLEN, ISC_BUFFERTYPE_BINARY);
+		isc_buffer_init(binbuf, junk, BUFLEN);
 		dns_name_init(dns_name, NULL);
 		dns_name_setbuffer(dns_name, binbuf);
 		result = dns_name_fromtext(dns_name,  &txtbuf,
 						NULL, ISC_FALSE, NULL);
 	}
 	else {
-		result = DNS_R_NOSPACE;
+		result = ISC_R_NOSPACE;
 		if (junk != NULL)
 			(void) free(junk);
 		if (binbuf != NULL)
@@ -391,7 +390,7 @@ test_dns_label_countbits(char *test_name, int pos, int expected_bits) {
 	t_info("testing name %s, label %d\n", test_name, pos);
 
 	result = dname_from_tname(test_name, &dns_name);
-	if (result == DNS_R_SUCCESS) {
+	if (result == ISC_R_SUCCESS) {
 		dns_name_getlabel(&dns_name, pos, &label);
 		bits = dns_label_countbits(&label);
 		if (bits == expected_bits)
@@ -428,28 +427,30 @@ t_dns_label_countbits() {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
-			/* testname, labelpos, bitpos, expected val */
+			/*
+			 * testname, labelpos, bitpos, expected val.
+			 */
 			cnt = bustline(p, Tokens);
 			if (cnt == 3) {
 				result = test_dns_label_countbits(Tokens[0],
-						atoi(Tokens[1]),
-						atoi(Tokens[2]));
-			}
-			else {
+							      atoi(Tokens[1]),
+							      atoi(Tokens[2]));
+			} else {
 				t_info("bad datafile format at line %d\n",
-						line);
+				       line);
 			}
 
-			(void) free(p);
+			(void)free(p);
 			t_result(result);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile dns_label_countbits_data\n");
 		t_result(result);
 	}
@@ -460,8 +461,8 @@ char	*a2 =	"dns_label_getbit returns the n'th most significant "
 
 static int
 test_dns_label_getbit(char *test_name, int label_pos, int bit_pos,
-		int expected_bitval) {
-
+		      int expected_bitval)
+{
 	dns_label_t	label;
 	dns_name_t	dns_name;
 	int		bitval;
@@ -474,7 +475,7 @@ test_dns_label_getbit(char *test_name, int label_pos, int bit_pos,
 		test_name, label_pos, bit_pos);
 
 	result = dname_from_tname(test_name, &dns_name);
-	if (result == DNS_R_SUCCESS) {
+	if (result == ISC_R_SUCCESS) {
 		dns_name_getlabel(&dns_name, label_pos, &label);
 		bitval = dns_label_getbit(&label, bit_pos);
 		if (bitval == expected_bitval)
@@ -495,7 +496,6 @@ test_dns_label_getbit(char *test_name, int label_pos, int bit_pos,
 
 void
 t_dns_label_getbit() {
-
 	int	line;
 	int	cnt;
 	int	result;
@@ -512,29 +512,31 @@ t_dns_label_getbit() {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 4) {
-				/* label, bitpos, expected value */
+				/*
+				 * label, bitpos, expected value.
+				 */
 				result = test_dns_label_getbit(Tokens[0],
-						atoi(Tokens[1]),
-						atoi(Tokens[2]),
-						atoi(Tokens[3]));
-			}
-			else {
+							      atoi(Tokens[1]),
+							      atoi(Tokens[2]),
+							      atoi(Tokens[3]));
+			} else {
 				t_info("bad datafile format at line %d\n",
 						line);
 			}
 
-			(void) free(p);
+			(void)free(p);
 			t_result(result);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile dns_label_getbit_data\n");
 		t_result(result);
 	}
@@ -656,7 +658,7 @@ t_dns_name_setbuffer() {
 
 	t_assert("dns_name_setbuffer", 1, T_REQUIRED, a5);
 
-	isc_buffer_init(&buffer, junk, BUFLEN, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&buffer, junk, BUFLEN);
 	dns_name_init(&name, NULL);
 	dns_name_setbuffer(&name, &buffer);
 	if (name.buffer == &buffer)
@@ -681,7 +683,7 @@ t_dns_name_hasbuffer() {
 	t_assert("dns_name_hasbuffer", 1, T_REQUIRED, a6);
 
 	rval = 0;
-	isc_buffer_init(&buffer, junk, BUFLEN, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&buffer, junk, BUFLEN);
 	dns_name_init(&name, NULL);
 	if (dns_name_hasbuffer(&name) != ISC_FALSE)
 		++rval;
@@ -715,13 +717,13 @@ test_dns_name_isabsolute(char *test_name, isc_boolean_t expected) {
 
 	t_info("testing name %s\n", test_name);
 	len = strlen(test_name);
-	isc_buffer_init(&buf, test_name, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&buf, test_name, len);
 	isc_buffer_add(&buf, len);
-	isc_buffer_init(&binbuf, &junk[0], BUFLEN, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&binbuf, &junk[0], BUFLEN);
 	dns_name_init(&name, NULL);
 	dns_name_setbuffer(&name, &binbuf);
 	result = dns_name_fromtext(&name,  &buf, NULL, ISC_FALSE, NULL);
-	if (result == DNS_R_SUCCESS) {
+	if (result == ISC_R_SUCCESS) {
 		isabs_p = dns_name_isabsolute(&name);
 		if (isabs_p == expected)
 			rval = T_PASS;
@@ -754,29 +756,32 @@ t_dns_name_isabsolute() {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 2) {
-				/* label, bitpos, expected value */
-				result = test_dns_name_isabsolute(
-						Tokens[0],
-						atoi(Tokens[1]) == 0 ?
-							ISC_FALSE : ISC_TRUE);
-			}
-			else {
+				/*
+				 * label, bitpos, expected value.
+				 */
+				result = test_dns_name_isabsolute(Tokens[0],
+							        atoi(Tokens[1])
+								  == 0 ?
+								  ISC_FALSE :
+								  ISC_TRUE);
+			} else {
 				t_info("bad datafile format at line %d\n",
-						line);
+				       line);
 			}
 
-			(void) free(p);
+			(void)free(p);
 			t_result(result);
 		}
 		(void) fclose(fp);
-	}
-	else {
+	} else {
 		t_info("Missing datafile dns_name_isabsolute_data\n");
 		t_result(result);
 	}
@@ -786,7 +791,9 @@ char	*a8 =	"dns_name_hash(name, case_sensitive) returns "
 		"a hash of 'name' which is case_sensitive if case_sensitive "
 		"is true";
 
-/* a9 merged with a8 */
+/*
+ * a9 merged with a8.
+ */
 
 static int
 test_dns_name_hash(char *test_name1, char *test_name2,
@@ -806,9 +813,9 @@ test_dns_name_hash(char *test_name1, char *test_name2,
 	t_info("testing names %s and %s\n", test_name1, test_name2);
 
 	result = dname_from_tname(test_name1, &dns_name1);
-	if (result == DNS_R_SUCCESS) {
+	if (result == ISC_R_SUCCESS) {
 		result = dname_from_tname(test_name2, &dns_name2);
-		if (result == DNS_R_SUCCESS) {
+		if (result == ISC_R_SUCCESS) {
 			hash1 = dns_name_hash(&dns_name1, ISC_TRUE);
 			hash2 = dns_name_hash(&dns_name2, ISC_TRUE);
 			match = ISC_FALSE;
@@ -863,8 +870,10 @@ t_dns_name_hash() {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = bustline(p, Tokens);
@@ -881,18 +890,16 @@ t_dns_name_hash() {
 							ISC_FALSE : ISC_TRUE,
 						atoi(Tokens[3]) == 0 ?
 							ISC_FALSE : ISC_TRUE);
-			}
-			else {
+			} else {
 				t_info("bad datafile format at line %d\n",
 						line);
 			}
 
-			(void) free(p);
+			(void)free(p);
 			t_result(result);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile dns_name_hash_data\n");
 		t_result(result);
 	}
@@ -906,8 +913,9 @@ char	*a10 =	"dns_name_fullcompare(name1, name2, orderp, nlabelsp, nbitsp) "
 		"and sets nbitsp to the number of bits name1 and name2 "
 		"have in common";
 
-/* a11 thru a22 merged into a10 */
-
+/*
+ * a11 thru a22 merged into a10.
+ */
 static char *
 dns_namereln_to_text(dns_namereln_t reln) {
 
@@ -930,8 +938,10 @@ dns_namereln_to_text(dns_namereln_t reln) {
 }
 
 static int
-test_dns_name_fullcompare(char *name1, char *name2, dns_namereln_t exp_dns_reln,
-				int exp_order, int exp_nlabels, int exp_nbits) {
+test_dns_name_fullcompare(char *name1, char *name2,
+			  dns_namereln_t exp_dns_reln,
+			  int exp_order, int exp_nlabels, int exp_nbits)
+{
 	int		result;
 	int		nfails;
 	int		order;
@@ -947,12 +957,12 @@ test_dns_name_fullcompare(char *name1, char *name2, dns_namereln_t exp_dns_reln,
 
 
 	t_info("testing names %s and %s for relation %s\n", name1, name2,
-			dns_namereln_to_text(exp_dns_reln));
+	       dns_namereln_to_text(exp_dns_reln));
 
 	dns_result = dname_from_tname(name1, &dns_name1);
-	if (dns_result == DNS_R_SUCCESS) {
+	if (dns_result == ISC_R_SUCCESS) {
 		dns_result = dname_from_tname(name2, &dns_name2);
-		if (dns_result == DNS_R_SUCCESS) {
+		if (dns_result == ISC_R_SUCCESS) {
 			dns_reln = dns_name_fullcompare(&dns_name1, &dns_name2,
 					&order, &nlabels, &nbits);
 			
@@ -962,37 +972,44 @@ test_dns_name_fullcompare(char *name1, char *name2, dns_namereln_t exp_dns_reln,
 					dns_namereln_to_text(exp_dns_reln),
 					dns_namereln_to_text(dns_reln));
 			}
+			/*
+			 * Normalize order.
+			 */
+			if (order < 0)
+				order = -1;
+			else if (order > 0)
+				order = 1;
 			if (order != exp_order) {
 				++nfails;
 				t_info("expected ordering %d, got %d\n",
 						exp_order, order);
 			}
-			if ((exp_nlabels >= 0) && (nlabels != (unsigned int) exp_nlabels)) {
+			if ((exp_nlabels >= 0) &&
+			    (nlabels != (unsigned int) exp_nlabels)) {
 				++nfails;
 				t_info("expecting %d labels, got %d\n",
-						exp_nlabels, nlabels);
+				       exp_nlabels, nlabels);
 			}
-			if ((exp_nbits >= 0) && (nbits != (unsigned int) exp_nbits)) {
+			if ((exp_nbits >= 0) &&
+			    (nbits != (unsigned int) exp_nbits)) {
 				++nfails;
 				t_info("expecting %d bits, got %d\n",
-						exp_nbits, nbits);
+				       exp_nbits, nbits);
 			}
 			if (nfails == 0)
 				result = T_PASS;
 			else
 				result = T_FAIL;
-		}
-		else {
+		} else {
 			t_info("dname_from_tname failed, result == %s\n",
-					dns_result_totext(result));
+			       dns_result_totext(result));
 		}
-	}
-	else {
+	} else {
 		t_info("dname_from_tname failed, result == %s\n",
-				dns_result_totext(result));
+		       dns_result_totext(result));
 	}
 
-	return(result);
+	return (result);
 }
 
 void
@@ -1015,8 +1032,10 @@ t_dns_name_fullcompare() {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = bustline(p, Tokens);
@@ -1036,7 +1055,8 @@ t_dns_name_fullcompare() {
 				else if (!strcmp(Tokens[2], "commonancestor"))
 					reln = dns_namereln_commonancestor;
 				else {
-					t_info("bad format at line %d\n", line);
+					t_info("bad format at line %d\n",
+					       line);
 					continue;
 				}
 				result = test_dns_name_fullcompare(
@@ -1046,17 +1066,15 @@ t_dns_name_fullcompare() {
 						atoi(Tokens[3]),
 						atoi(Tokens[4]),
 						atoi(Tokens[5]));
-			}
-			else {
+			} else {
 				t_info("bad format at line %d\n", line);
 			}
 
-			(void) free(p);
+			(void)free(p);
 			t_result(result);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile dns_name_fullcompare_data\n");
 		t_result(result);
 	}
@@ -1066,11 +1084,12 @@ char	*a23 =	"dns_name_compare(name1, name2) returns information about "
 		"the relative ordering under the DNSSEC ordering relationship "
 		"of name1 and name2";
 
-/* a24 thru a29 merged into a23 */
+/*
+ * a24 thru a29 merged into a23.
+ */
 
 static int
 test_dns_name_compare(char *name1, char *name2, int exp_order) {
-
 	int		result;
 	int		order;
 	isc_result_t	dns_result;
@@ -1079,41 +1098,42 @@ test_dns_name_compare(char *name1, char *name2, int exp_order) {
 
 	result = T_UNRESOLVED;
 
-	t_info("testing %s %s %s\n",
-			name1,
-			exp_order == 0 ? "==": (exp_order == -1 ? "<" : ">"),
-			name2);
+	t_info("testing %s %s %s\n", name1,
+	       exp_order == 0 ? "==": (exp_order == -1 ? "<" : ">"),
+	       name2);
 
 	dns_result = dname_from_tname(name1, &dns_name1);
-	if (dns_result == DNS_R_SUCCESS) {
+	if (dns_result == ISC_R_SUCCESS) {
 		dns_result = dname_from_tname(name2, &dns_name2);
-		if (dns_result == DNS_R_SUCCESS) {
+		if (dns_result == ISC_R_SUCCESS) {
 			order = dns_name_compare(&dns_name1, &dns_name2);
-			
+			/*
+			 * Normalize order.
+			 */
+			if (order < 0)
+				order = -1;
+			else if (order > 0)
+				order = 1;
 			if (order != exp_order) {
 				t_info("expected order of %d, got %d\n",
-						exp_order, order);
+				       exp_order, order);
 				result = T_FAIL;
-			}
-			else
+			} else
 				result = T_PASS;
-		}
-		else {
+		} else {
 			t_info("dname_from_tname failed, result == %s\n",
 					dns_result_totext(result));
 		}
-	}
-	else {
+	} else {
 		t_info("dname_from_tname failed, result == %s\n",
 				dns_result_totext(result));
 	}
 
-	return(result);
+	return (result);
 }
 
 void
-t_dns_name_compare() {
-
+t_dns_name_compare(void) {
 	int		line;
 	int		cnt;
 	int		result;
@@ -1130,31 +1150,31 @@ t_dns_name_compare() {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 3) {
 				/*
-				 * name1, name2, order
+				 * name1, name2, order.
 				 */
 				result = test_dns_name_compare(
 						Tokens[0],
 						Tokens[1],
 						atoi(Tokens[2]));
-			}
-			else {
+			} else {
 				t_info("bad datafile format at line %d\n",
-						line);
+				       line);
 			}
 
-			(void) free(p);
+			(void)free(p);
 			t_result(result);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile dns_name_compare_data\n");
 		t_result(result);
 	}
@@ -1164,11 +1184,12 @@ char	*a30 =	"dns_name_rdatacompare(name1, name2) returns information about "
 		"the relative ordering of name1 and name2 as if they are part "
 		"of rdata in DNSSEC canonical form";
 
-/* a31, a32 merged into a30 */
+/*
+ * a31, a32 merged into a30.
+ */
 
 static int
 test_dns_name_rdatacompare(char *name1, char *name2, int exp_order) {
-
 	int		result;
 	int		order;
 	isc_result_t	dns_result;
@@ -1177,33 +1198,34 @@ test_dns_name_rdatacompare(char *name1, char *name2, int exp_order) {
 
 	result = T_UNRESOLVED;
 
-	t_info("testing %s %s %s\n",
-			name1,
-			exp_order == 0 ? "==": (exp_order == -1 ? "<" : ">"),
-			name2);
+	t_info("testing %s %s %s\n", name1,
+	       exp_order == 0 ? "==": (exp_order == -1 ? "<" : ">"), name2);
 
 	dns_result = dname_from_tname(name1, &dns_name1);
-	if (dns_result == DNS_R_SUCCESS) {
+	if (dns_result == ISC_R_SUCCESS) {
 		dns_result = dname_from_tname(name2, &dns_name2);
-		if (dns_result == DNS_R_SUCCESS) {
+		if (dns_result == ISC_R_SUCCESS) {
 			order = dns_name_rdatacompare(&dns_name1, &dns_name2);
-			
+			/*
+			 * Normalize order.
+			 */
+			if (order < 0)
+				order = -1;
+			else if (order > 0)
+				order = 1;
 			if (order != exp_order) {
 				t_info("expected order of %d, got %d\n",
-						exp_order, order);
+				       exp_order, order);
 				result = T_FAIL;
-			}
-			else
+			} else
 				result = T_PASS;
-		}
-		else {
+		} else {
 			t_info("dname_from_tname failed, result == %s\n",
-					dns_result_totext(result));
+			       dns_result_totext(result));
 		}
-	}
-	else {
+	} else {
 		t_info("dname_from_tname failed, result == %s\n",
-				dns_result_totext(result));
+		       dns_result_totext(result));
 	}
 
 	return(result);
@@ -1211,7 +1233,6 @@ test_dns_name_rdatacompare(char *name1, char *name2, int exp_order) {
 
 void
 t_dns_name_rdatacompare() {
-
 	int		line;
 	int		cnt;
 	int		result;
@@ -1228,31 +1249,31 @@ t_dns_name_rdatacompare() {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 3) {
 				/*
-				 * name1, name2, order
+				 * name1, name2, order.
 				 */
 				result = test_dns_name_rdatacompare(
 						Tokens[0],
 						Tokens[1],
 						atoi(Tokens[2]));
-			}
-			else {
+			} else {
 				t_info("bad datafile format at line %d\n",
-						line);
+				       line);
 			}
 
-			(void) free(p);
+			(void)free(p);
 			t_result(result);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile dns_name_rdatacompare_data\n");
 		t_result(result);
 	}
@@ -1263,11 +1284,12 @@ char	*a33 =	"when name1 is a subdomain of name2, "
 		"dns_name_issubdomain(name1, name2) returns true, "
 		"otherwise it returns false.";
 
-/* a34 merged into a33 */
+/*
+ * a34 merged into a33.
+ */
 
 static int
 test_dns_name_issubdomain(char *name1, char *name2, isc_boolean_t exp_rval) {
-
 	int		result;
 	isc_boolean_t	rval;
 	isc_result_t	dns_result;
@@ -1276,42 +1298,36 @@ test_dns_name_issubdomain(char *name1, char *name2, isc_boolean_t exp_rval) {
 
 	result = T_UNRESOLVED;
 
-	t_info("testing %s %s a subdomain of %s\n",
-			name1,
-			exp_rval == 0 ? "is not" : "is",
-			name2);
+	t_info("testing %s %s a subdomain of %s\n", name1,
+	       exp_rval == 0 ? "is not" : "is", name2);
 
 	dns_result = dname_from_tname(name1, &dns_name1);
-	if (dns_result == DNS_R_SUCCESS) {
+	if (dns_result == ISC_R_SUCCESS) {
 		dns_result = dname_from_tname(name2, &dns_name2);
-		if (dns_result == DNS_R_SUCCESS) {
+		if (dns_result == ISC_R_SUCCESS) {
 			rval = dns_name_issubdomain(&dns_name1, &dns_name2);
 			
 			if (rval != exp_rval) {
 				t_info("expected return value of %s, got %s\n",
-					exp_rval == ISC_TRUE ? "true" : "false",
-					rval == ISC_TRUE ? "true" : "false");
+				       exp_rval == ISC_TRUE ? "true" : "false",
+				       rval == ISC_TRUE ? "true" : "false");
 				result = T_FAIL;
-			}
-			else
+			} else
 				result = T_PASS;
-		}
-		else {
+		} else {
 			t_info("dname_from_tname failed, result == %s\n",
-					dns_result_totext(result));
+			       dns_result_totext(result));
 		}
-	}
-	else {
+	} else {
 		t_info("dname_from_tname failed, result == %s\n",
-				dns_result_totext(result));
+		       dns_result_totext(result));
 	}
 
-	return(result);
+	return (result);
 }
 
 void
-t_dns_name_issubdomain() {
-
+t_dns_name_issubdomain(void) {
 	int		line;
 	int		cnt;
 	int		result;
@@ -1328,31 +1344,32 @@ t_dns_name_issubdomain() {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 3) {
 				/*
-				 * name1, name2, issubdomain_p
+				 * name1, name2, issubdomain_p.
 				 */
 				result = test_dns_name_issubdomain(
 						Tokens[0],
 						Tokens[1],
 						atoi(Tokens[2]) == 0 ?
-							ISC_FALSE : ISC_TRUE);
-			}
-			else {
-				t_info("bad datafile format at line %d\n", line);
+						ISC_FALSE : ISC_TRUE);
+			} else {
+				t_info("bad datafile format at line %d\n",
+				       line);
 			}
 
-			(void) free(p);
+			(void)free(p);
 			t_result(result);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile dns_name_issubdomain_data\n");
 		t_result(result);
 	}
@@ -1363,7 +1380,6 @@ char	*a35 =	"dns_name_countlabels(name) returns the number "
 
 static int
 test_dns_name_countlabels(char *test_name, unsigned int exp_nlabels) {
-
 	int		result;
 	unsigned int	nlabels;
 	isc_result_t	dns_result;
@@ -1374,27 +1390,24 @@ test_dns_name_countlabels(char *test_name, unsigned int exp_nlabels) {
 	t_info("testing %s\n", test_name);
 
 	dns_result = dname_from_tname(test_name, &dns_name);
-	if (dns_result == DNS_R_SUCCESS) {
+	if (dns_result == ISC_R_SUCCESS) {
 		nlabels = dns_name_countlabels(&dns_name);
 			
 		if (nlabels != exp_nlabels) {
 			t_info("expected %d, got %d\n", exp_nlabels, nlabels);
 			result = T_FAIL;
-		}
-		else
+		} else
 			result = T_PASS;
-	}
-	else {
+	} else {
 		t_info("dname_from_tname failed, result == %s\n",
-				dns_result_totext(dns_result));
+		       dns_result_totext(dns_result));
 	}
 
 	return(result);
 }
 
 void
-t_dns_name_countlabels() {
-
+t_dns_name_countlabels(void) {
 	int		line;
 	int		cnt;
 	int		result;
@@ -1411,29 +1424,28 @@ t_dns_name_countlabels() {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 2) {
 				/*
-				 * name, nlabels
+				 * name, nlabels.
 				 */
-				result = test_dns_name_countlabels(
-						Tokens[0],
-						atoi(Tokens[1]));
-			}
-			else {
+				result = test_dns_name_countlabels(Tokens[0],
+							      atoi(Tokens[1]));
+			} else {
 				t_info("bad format at line %d\n", line);
 			}
 
-			(void) free(p);
+			(void)free(p);
 			t_result(result);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile dns_name_countlabels_data\n");
 		t_result(result);
 	}
@@ -1450,9 +1462,9 @@ char	*a36 =	"when n is less than the number of labels in name, "
  */
 
 static int
-test_dns_name_getlabel(char *test_name1, int label1_pos,
-				char *test_name2, int label2_pos) {
-
+test_dns_name_getlabel(char *test_name1, int label1_pos, char *test_name2,
+		       int label2_pos)
+{
 	int		result;
 	int		nfails;
 	unsigned int	cnt;
@@ -1470,9 +1482,9 @@ test_dns_name_getlabel(char *test_name1, int label1_pos,
 	t_info("testing with %s and %s\n", test_name1, test_name2);
 
 	dns_result = dname_from_tname(test_name1, &dns_name1);
-	if (dns_result == DNS_R_SUCCESS) {
+	if (dns_result == ISC_R_SUCCESS) {
 		dns_result = dname_from_tname(test_name2, &dns_name2);
-		if (dns_result == DNS_R_SUCCESS) {
+		if (dns_result == ISC_R_SUCCESS) {
 			dns_name_getlabel(&dns_name1, label1_pos, &dns_label1);
 			dns_name_getlabel(&dns_name2, label2_pos, &dns_label2);
 			if (dns_label1.length != dns_label2.length) {
@@ -1484,7 +1496,7 @@ test_dns_name_getlabel(char *test_name1, int label1_pos,
 			for (cnt = 0; cnt < dns_label1.length; ++cnt) {
 				if (*p++ != *q++) {
 					t_info("labels differ at position %d",
-							cnt);
+					       cnt);
 					++nfails;
 				}
 			}
@@ -1492,22 +1504,19 @@ test_dns_name_getlabel(char *test_name1, int label1_pos,
 				result = T_PASS;
 			else
 				result = T_FAIL;
-		}
-		else {
+		} else {
 			t_info("dname_from_tname failed, result == %s",
-					dns_result_totext(result));
+			       dns_result_totext(result));
 		}
-	}
-	else {
+	} else {
 		t_info("dname_from_tname failed, result == %s",
-				dns_result_totext(result));
+		       dns_result_totext(result));
 	}
-	return(result);
+	return (result);
 }
 
 void
-t_dns_name_getlabel() {
-
+t_dns_name_getlabel(void) {
 	int		line;
 	int		cnt;
 	int		result;
@@ -1524,31 +1533,30 @@ t_dns_name_getlabel() {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 4) {
 				/*
-				 * name1, name2, nlabels
+				 * name1, name2, nlabels.
 				 */
-				result = test_dns_name_getlabel(
-						Tokens[0],
-						atoi(Tokens[1]),
-						Tokens[2],
-						atoi(Tokens[3]));
-			}
-			else {
+				result = test_dns_name_getlabel(Tokens[0],
+							      atoi(Tokens[1]),
+							           Tokens[2],
+							      atoi(Tokens[3]));
+			} else {
 				t_info("bad format at line %d\n", line);
 			}
 
-			(void) free(p);
+			(void)free(p);
 			t_result(result);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile dns_name_getlabel_data\n");
 		t_result(result);
 	}
@@ -1560,13 +1568,13 @@ char	*a37 =	"when source contains at least first + n labels, "
 		"labels in source starting with first";
 
 /*
- * we adopt a similiar strategy to that used by the dns_name_getlabel test
+ * We adopt a similiar strategy to that used by the dns_name_getlabel test.
  */
 
 static int
 test_dns_name_getlabelsequence(char *test_name1, int label1_start,
-				char *test_name2, int label2_start, int range) {
-
+			       char *test_name2, int label2_start, int range)
+{
 	int		result;
 	int		nfails;
 	unsigned int	cnt;
@@ -1585,22 +1593,22 @@ test_dns_name_getlabelsequence(char *test_name1, int label1_start,
 	nfails = 0;
 	result = T_UNRESOLVED;
 	dns_result = dname_from_tname(test_name1, &dns_name1);
-	if (dns_result == DNS_R_SUCCESS) {
+	if (dns_result == ISC_R_SUCCESS) {
 		dns_result = dname_from_tname(test_name2, &dns_name2);
-		if (dns_result == DNS_R_SUCCESS) {
+		if (dns_result == ISC_R_SUCCESS) {
 			t_info("testing %s %s\n", test_name1, test_name2);
 			dns_name_init(&dns_targetname1, NULL);
 			dns_name_init(&dns_targetname2, NULL);
 			dns_name_getlabelsequence(&dns_name1, label1_start,
-					range, &dns_targetname1);
+						  range, &dns_targetname1);
 			dns_name_getlabelsequence(&dns_name2, label2_start,
-					range, &dns_targetname2);
+						  range, &dns_targetname2);
 
-			/* now convert both targets to text for comparison */
-			isc_buffer_init(&buffer1, junk1,
-						BUFLEN, ISC_BUFFERTYPE_TEXT);
-			isc_buffer_init(&buffer2, junk2,
-						BUFLEN, ISC_BUFFERTYPE_TEXT);
+			/*
+			 * Now convert both targets to text for comparison.
+			 */
+			isc_buffer_init(&buffer1, junk1, BUFLEN);
+			isc_buffer_init(&buffer2, junk2, BUFLEN);
 			dns_name_totext(&dns_targetname1, ISC_TRUE, &buffer1);
 			dns_name_totext(&dns_targetname2, ISC_TRUE, &buffer2);
 			if (buffer1.used == buffer2.used) {
@@ -1610,13 +1618,12 @@ test_dns_name_getlabelsequence(char *test_name1, int label1_start,
 					if (*p != *q) {
 						++nfails;
 						t_info("names differ at %d\n",
-								cnt);
+						       cnt);
 						break;
 					}
 					++p; ++q;
 				}
-			}
-			else {
+			} else {
 				++nfails;
 				t_info("lengths differ\n");
 			}
@@ -1624,20 +1631,18 @@ test_dns_name_getlabelsequence(char *test_name1, int label1_start,
 				result = T_PASS;
 			else
 				result = T_FAIL;
-		}
-		else {
+		} else {
 			t_info("dname_from_tname failed, result == %s",
-					dns_result_totext(dns_result));
+			       dns_result_totext(dns_result));
 		}
-	}
-	else {
+	} else {
 		t_info("dname_from_tname failed, result == %s",
-				dns_result_totext(dns_result));
+		       dns_result_totext(dns_result));
 	}
-	return(result);
+	return (result);
 }
 void
-t_dns_name_getlabelsequence() {
+t_dns_name_getlabelsequence(void) {
 	int		line;
 	int		cnt;
 	int		result;
@@ -1654,32 +1659,32 @@ t_dns_name_getlabelsequence() {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 5) {
 				/*
-				 * name1, name2, nlabels
+				 * name1, name2, nlabels.
 				 */
 				result = test_dns_name_getlabelsequence(
-						Tokens[0],
-						atoi(Tokens[1]),
-						Tokens[2],
-						atoi(Tokens[3]),
-						atoi(Tokens[4]));
-			}
-			else {
+								   Tokens[0],
+							      atoi(Tokens[1]),
+								   Tokens[2],
+							      atoi(Tokens[3]),
+							      atoi(Tokens[4]));
+			} else {
 				t_info("bad format at line %d\n", line);
 			}
 
-			(void) free(p);
+			(void)free(p);
 			t_result(result);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile dns_name_getlabelsequence_data\n");
 		t_result(result);
 	}
@@ -1705,29 +1710,27 @@ test_dns_name_fromregion(char *test_name) {
 	t_info("testing %s\n", test_name);
 
 	dns_result = dname_from_tname(test_name, &dns_name1);
-	if (dns_result == DNS_R_SUCCESS) {
+	if (dns_result == ISC_R_SUCCESS) {
 
 		dns_name_toregion(&dns_name1, &region);
 
 		dns_name_init(&dns_name2, NULL);
 		dns_name_fromregion(&dns_name2, &region);
 		dns_namereln = dns_name_fullcompare(&dns_name1, &dns_name2,
-			&order, &nlabels, &nbits);
-		if ( dns_namereln == dns_namereln_equal)
+						    &order, &nlabels, &nbits);
+		if (dns_namereln == dns_namereln_equal)
 			result = T_PASS;
 		else
 			result = T_FAIL;
-	}
-	else {
+	} else {
 		t_info("dname_from_tname failed, result == %s\n",
-				dns_result_totext(result));
+		       dns_result_totext(result));
 	}
 	return(result);
 }
 
 void
-t_dns_name_fromregion() {
-
+t_dns_name_fromregion(void) {
 	int		line;
 	int		cnt;
 	int		result;
@@ -1744,27 +1747,27 @@ t_dns_name_fromregion() {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 1) {
 				/*
-				 * test_name
+				 * test_name.
 				 */
 				result = test_dns_name_fromregion(Tokens[0]);
-			}
-			else {
+			} else {
 				t_info("bad format at line %d\n", line);
 			}
 
-			(void) free(p);
+			(void)free(p);
 			t_result(result);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile dns_name_fromregion_data\n");
 		t_result(result);
 	}
@@ -1773,10 +1776,8 @@ t_dns_name_fromregion() {
 char	*a39 =	"dns_name_toregion(name, region) converts a DNS name "
 		"from a region representation to a name representation";
 
-
 void
-t_dns_name_toregion() {
-
+t_dns_name_toregion(void) {
 	int		line;
 	int		cnt;
 	int		result;
@@ -1793,27 +1794,27 @@ t_dns_name_toregion() {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 1) {
 				/*
-				 * test_name
+				 * test_name.
 				 */
 				result = test_dns_name_fromregion(Tokens[0]);
-			}
-			else {
+			} else {
 				t_info("bad format at line %d\n", line);
 			}
 
-			(void) free(p);
+			(void)free(p);
 			t_result(result);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile dns_name_toregion_data\n");
 		t_result(result);
 	}
@@ -1827,9 +1828,9 @@ char	*a40 =	"dns_name_fromtext(name, source, origin, downcase, target) "
 		"if downcase is true.";
 
 static int
-test_dns_name_fromtext(char *test_name1, char *test_name2,
-				char *test_origin, isc_boolean_t downcase) {
-
+test_dns_name_fromtext(char *test_name1, char *test_name2, char *test_origin,
+		       isc_boolean_t downcase)
+{
 	int		result;
 	int		order;
 	unsigned int	nlabels;
@@ -1853,20 +1854,17 @@ test_dns_name_fromtext(char *test_name1, char *test_name2,
 
 	t_info("testing %s %s %s\n", test_name1, test_name2, test_origin);
 
-	isc_buffer_init(&binbuf1, junk1, BUFLEN, ISC_BUFFERTYPE_BINARY);
-	isc_buffer_init(&binbuf2, junk2, BUFLEN, ISC_BUFFERTYPE_BINARY);
-	isc_buffer_init(&binbuf3, junk3, BUFLEN, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&binbuf1, junk1, BUFLEN);
+	isc_buffer_init(&binbuf2, junk2, BUFLEN);
+	isc_buffer_init(&binbuf3, junk3, BUFLEN);
 
-	isc_buffer_init(&txtbuf1, test_name1, strlen(test_name1),
-				ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&txtbuf1, test_name1, strlen(test_name1));
 	isc_buffer_add(&txtbuf1, strlen(test_name1));
 
-	isc_buffer_init(&txtbuf2, test_name2, strlen(test_name2),
-				ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&txtbuf2, test_name2, strlen(test_name2));
 	isc_buffer_add(&txtbuf2, strlen(test_name2));
 
-	isc_buffer_init(&txtbuf3, test_origin, strlen(test_origin),
-				ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&txtbuf3, test_origin, strlen(test_origin));
 	isc_buffer_add(&txtbuf3, strlen(test_origin));
 	dns_name_init(&dns_name1, NULL);
 	dns_name_init(&dns_name2, NULL);
@@ -1877,36 +1875,36 @@ test_dns_name_fromtext(char *test_name1, char *test_name2,
 
 	dns_result = dns_name_fromtext(&dns_name3,  &txtbuf3, NULL,
 						ISC_FALSE, &binbuf3);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext(dns_name3) failed, result == %s\n",
 			dns_result_totext(dns_result));
-		return(T_FAIL);
+		return (T_FAIL);
 	}
 
 	dns_result = dns_name_fromtext(&dns_name1, &txtbuf1, &dns_name3,
-						downcase, &binbuf1);
-	if (dns_result != DNS_R_SUCCESS) {
+				       downcase, &binbuf1);
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext(dns_name1) failed, result == %s\n",
-			dns_result_totext(dns_result));
-		return(T_FAIL);
+		       dns_result_totext(dns_result));
+		return (T_FAIL);
 	}
 
 	dns_result = dns_name_fromtext(&dns_name2,  &txtbuf2, NULL,
 						ISC_FALSE, &binbuf2);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext(dns_name2) failed, result == %s\n",
-			dns_result_totext(dns_result));
-		return(T_FAIL);
+		       dns_result_totext(dns_result));
+		return (T_FAIL);
 	}
 
 	dns_namereln = dns_name_fullcompare(&dns_name1, &dns_name2, &order,
-				&nlabels, &nbits);
+					    &nlabels, &nbits);
 
 	if (dns_namereln == dns_namereln_equal)
 		result = T_PASS;
 	else {
 		t_info("dns_name_fullcompare returned %s\n",
-				dns_namereln_to_text(dns_namereln));
+		       dns_namereln_to_text(dns_namereln));
 		result = T_FAIL;
 	}
 
@@ -1914,8 +1912,7 @@ test_dns_name_fromtext(char *test_name1, char *test_name2,
 }
 
 void
-t_dns_name_fromtext() {
-
+t_dns_name_fromtext(void) {
 	int		line;
 	int		cnt;
 	int		result;
@@ -1932,31 +1929,34 @@ t_dns_name_fromtext() {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 4) {
 				/*
-				 * test_name1, test_name2, test_origin
-				 * downcase
+				 * test_name1, test_name2, test_origin,
+				 * downcase.
 				 */
 				result = test_dns_name_fromtext(Tokens[0],
-						Tokens[1], Tokens[2],
-						atoi(Tokens[3]) == 0 ?
-							ISC_FALSE : ISC_TRUE);
-			}
-			else {
+								Tokens[1],
+								Tokens[2],
+							   atoi(Tokens[3])
+								== 0 ?
+								ISC_FALSE :
+								ISC_TRUE);
+			} else {
 				t_info("bad format at line %d\n", line);
 			}
 
-			(void) free(p);
+			(void)free(p);
 			t_result(result);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile dns_name_fromtext\n");
 		t_result(result);
 	}
@@ -1969,7 +1969,6 @@ char	*a41 =	"dns_name_totext(name, omit_final_dot, target) converts "
 
 static int
 test_dns_name_totext(char *test_name, isc_boolean_t omit_final) {
-
 	int		result;
 	int		len;
 	int		order;
@@ -1991,58 +1990,63 @@ test_dns_name_totext(char *test_name, isc_boolean_t omit_final) {
 	t_info("testing %s\n", test_name);
 
 	len = strlen(test_name);
-	isc_buffer_init(&buf1, test_name, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&buf1, test_name, len);
 	isc_buffer_add(&buf1, len);
 
 	dns_name_init(&dns_name1, NULL);
-	isc_buffer_init(&buf2, junk2, BUFLEN, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&buf2, junk2, BUFLEN);
 
-	/* out of the data file to dns_name1 */
+	/*
+	 * Out of the data file to dns_name1.
+	 */
 	dns_result = dns_name_fromtext(&dns_name1, &buf1, NULL, ISC_FALSE,
-					&buf2);
-	if (dns_result != DNS_R_SUCCESS) {
+				       &buf2);
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed, result == %s\n",
-				dns_result_totext(dns_result));
-		return(T_UNRESOLVED);
+		       dns_result_totext(dns_result));
+		return (T_UNRESOLVED);
 	}
 
-	/* from dns_name1 into a text buffer */
+	/*
+	 * From dns_name1 into a text buffer.
+	 */
 	isc_buffer_invalidate(&buf1);
-	isc_buffer_init(&buf1, junk1, BUFLEN, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&buf1, junk1, BUFLEN);
 	dns_result = dns_name_totext(&dns_name1, omit_final, &buf1);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_totext failed, result == %s\n",
-				dns_result_totext(dns_result));
-		return(T_FAIL);
+		       dns_result_totext(dns_result));
+		return (T_FAIL);
 	}
 
-	/* from the text buffer into dns_name2 */
+	/*
+	 * From the text buffer into dns_name2.
+	 */
 	dns_name_init(&dns_name2, NULL);
-	isc_buffer_init(&buf3, junk3, BUFLEN, ISC_BUFFERTYPE_BINARY);
-	dns_result = dns_name_fromtext(&dns_name2, &buf1,
-				       NULL, ISC_FALSE, &buf3);
-	if (dns_result != DNS_R_SUCCESS) {
+	isc_buffer_init(&buf3, junk3, BUFLEN);
+	dns_result = dns_name_fromtext(&dns_name2, &buf1, NULL, ISC_FALSE,
+				       &buf3);
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_fromtext failed, result == %s\n",
-				dns_result_totext(dns_result));
-		return(T_UNRESOLVED);
+		       dns_result_totext(dns_result));
+		return (T_UNRESOLVED);
 	}
 
 	dns_namereln = dns_name_fullcompare(&dns_name1, &dns_name2,
-				&order, &nlabels, &nbits);
+					    &order, &nlabels, &nbits);
 	if (dns_namereln == dns_namereln_equal)
 		result = T_PASS;
 	else {
 		t_info("dns_name_fullcompare returned %s\n",
-				dns_namereln_to_text(dns_namereln));
+		       dns_namereln_to_text(dns_namereln));
 		result = T_FAIL;
 	}
 
-	return(result);
+	return (result);
 }
 
 void
-t_dns_name_totext() {
-
+t_dns_name_totext(void) {
 	int		line;
 	int		cnt;
 	int		result;
@@ -2059,29 +2063,30 @@ t_dns_name_totext() {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = bustline(p, Tokens);
 			if (cnt == 2) {
 				/*
-				 * test_name, omit_final
+				 * test_name, omit_final.
 				 */
-				result = test_dns_name_totext( Tokens[0],
-						atoi(Tokens[1]) == 0 ?
-							ISC_FALSE : ISC_TRUE);
-			}
-			else {
+				result = test_dns_name_totext(Tokens[0],
+							 atoi(Tokens[1]) == 0 ?
+							      ISC_FALSE :
+							      ISC_TRUE);
+			} else {
 				t_info("bad format at line %d\n", line);
 			}
 
-			(void) free(p);
+			(void)free(p);
 			t_result(result);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile dns_name_totext\n");
 		t_result(result);
 	}
@@ -2091,16 +2096,16 @@ char	*a42 =	"dns_name_fromwire(name, source, dctx, downcase, target) "
 		"converts the possibly compressed DNS name 'name' in wire "
 		"format to canonicalized form at target, performing upper to "
 		"lower case conversion if downcase is true, and returns "
-		"DNS_R_SUCCESS"; 
+		"ISC_R_SUCCESS"; 
 
 char	*a43 =	"when a label length is invalid, dns_name_fromwire() "
-		"returns DNS_R_NOSPACE";
+		"returns ISC_R_NOSPACE";
 
 char	*a44 =	"when a label type is invalid, dns_name_fromwire() "
 		"returns DNS_R_BADLABELTYPE";
 
 char	*a45 =	"when a name length is invalid, dns_name_fromwire() "
-		"returns DNS_R_NOSPACE";
+		"returns ISC_R_NOSPACE";
 
 char	*a46 =	"when a compression type is invalid, dns_name_fromwire() "
 		"returns DNS_R_DISALLOWED";
@@ -2109,24 +2114,20 @@ char	*a47 =	"when a bad compression pointer is encountered, "
 		"dns_name_fromwire() returns DNS_R_BADPOINTER";
 
 char	*a48 =	"when input ends unexpected, dns_name_fromwire() "
-		"returns DNS_R_UNEXPECTEDEND";
+		"returns ISC_R_UNEXPECTEDEND";
 
 char	*a49 =	"when there are too many compression pointers, "
 		"dns_name_fromwire() returns DNS_R_TOOMANYHOPS";
 
 char	*a50 =	"when there is not enough space in target, "
 		"dns_name_fromwire(name, source, dcts, downcase, target) "
-		"returns DNS_R_NOSPACE";
+		"returns ISC_R_NOSPACE";
 
 static int
-test_dns_name_fromwire( char *datafile_name,
-			int testname_offset,
-			int downcase,
-			int dc_method,
-			char *exp_name,
-			isc_result_t exp_result,
-			size_t buflen) {
-
+test_dns_name_fromwire(char *datafile_name, int testname_offset, int downcase,
+		       int dc_method, char *exp_name, isc_result_t exp_result,
+		       size_t buflen)
+{
 	int			result;
 	int			order;
 	unsigned int		nlabels;
@@ -2150,44 +2151,39 @@ test_dns_name_fromwire( char *datafile_name,
 	isc_buffer_setactive(&iscbuf1, len);
 	iscbuf1.current = testname_offset;
 
-	isc_buffer_init(&iscbuf2, buf2, buflen, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&iscbuf2, buf2, buflen);
 	dns_name_init(&dns_name1, NULL);
-	dns_decompress_init(&dctx, -1, ISC_FALSE);
+	dns_decompress_init(&dctx, -1, ISC_TRUE);
 	dns_decompress_setmethods(&dctx, dc_method);
 	dns_result = dns_name_fromwire(&dns_name1, &iscbuf1,
-					&dctx, downcase ? ISC_TRUE : ISC_FALSE, &iscbuf2);
+				       &dctx, downcase ? ISC_TRUE : ISC_FALSE,
+				       &iscbuf2);
 
-	if ((dns_result == exp_result) && (exp_result == DNS_R_SUCCESS)) {
+	if ((dns_result == exp_result) && (exp_result == ISC_R_SUCCESS)) {
 
 		dns_result = dname_from_tname(exp_name, &dns_name2);
-		if (dns_result == DNS_R_SUCCESS) {
-			dns_namereln = dns_name_fullcompare(
-						&dns_name1,
-						&dns_name2,
-						&order,
-						&nlabels,
-						&nbits);
+		if (dns_result == ISC_R_SUCCESS) {
+			dns_namereln = dns_name_fullcompare(&dns_name1,
+							    &dns_name2,
+							    &order, &nlabels,
+							    &nbits);
 			if (dns_namereln != dns_namereln_equal) {
 				t_info("dns_name_fullcompare  returned %s\n",
-					dns_namereln_to_text(dns_namereln)); 
+				       dns_namereln_to_text(dns_namereln)); 
 				result = T_FAIL;
-			}
-			else {
+			} else {
 				result = T_PASS;
 			}
-		}
-		else {
+		} else {
 			t_info("dns_name_fromtext %s failed, result = %s\n",
-				exp_name, dns_result_totext(dns_result));
+			       exp_name, dns_result_totext(dns_result));
 			result = T_UNRESOLVED;
 		}
-	}
-	else if (dns_result == exp_result) {
+	} else if (dns_result == exp_result) {
 		result = T_PASS;
-	}
-	else {
+	} else {
 		t_info("dns_name_fromwire returned %s\n",
-				dns_result_totext(dns_result));
+		       dns_result_totext(dns_result));
 		result = T_FAIL;
 	}
 
@@ -2196,7 +2192,6 @@ test_dns_name_fromwire( char *datafile_name,
 
 static void
 t_dns_name_fromwire_x(char *testfile, size_t buflen) {
-
 	int		line;
 	int		cnt;
 	int		result;
@@ -2214,8 +2209,10 @@ t_dns_name_fromwire_x(char *testfile, size_t buflen) {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = bustline(p, Tokens);
@@ -2223,21 +2220,21 @@ t_dns_name_fromwire_x(char *testfile, size_t buflen) {
 				/*
 				 *	datafile_name, testname_offset,
 				 *	downcase, dc_method,
-				 *	exp_name, exp_result
+				 *	exp_name, exp_result.
 				 */
 
 				tok = Tokens[5];
-				exp_result = DNS_R_SUCCESS;
-				if (! strcmp(tok, "DNS_R_SUCCESS"))
-					exp_result = DNS_R_SUCCESS;
-				else if (! strcmp(tok, "DNS_R_NOSPACE"))
-					exp_result = DNS_R_NOSPACE;
+				exp_result = ISC_R_SUCCESS;
+				if (! strcmp(tok, "ISC_R_SUCCESS"))
+					exp_result = ISC_R_SUCCESS;
+				else if (! strcmp(tok, "ISC_R_NOSPACE"))
+					exp_result = ISC_R_NOSPACE;
 				else if (! strcmp(tok, "DNS_R_BADLABELTYPE"))
 					exp_result = DNS_R_BADLABELTYPE;
 				else if (! strcmp(tok, "DNS_R_BADPOINTER"))
 					exp_result = DNS_R_BADPOINTER;
-				else if (! strcmp(tok, "DNS_R_UNEXPECTEDEND"))
-					exp_result = DNS_R_UNEXPECTEDEND;
+				else if (! strcmp(tok, "ISC_R_UNEXPECTEDEND"))
+					exp_result = ISC_R_UNEXPECTEDEND;
 				else if (! strcmp(tok, "DNS_R_TOOMANYHOPS"))
 					exp_result = DNS_R_TOOMANYHOPS;
 				else if (! strcmp(tok, "DNS_R_DISALLOWED"))
@@ -2247,40 +2244,36 @@ t_dns_name_fromwire_x(char *testfile, size_t buflen) {
 				dc_method = DNS_COMPRESS_NONE;
 				if (! strcmp(tok, "DNS_COMPRESS_GLOBAL14"))
 					dc_method = DNS_COMPRESS_GLOBAL14;
-				else if (! strcmp(tok, "DNS_COMPRESS_GLOBAL16"))
+				else if (! strcmp(tok,"DNS_COMPRESS_GLOBAL16"))
 					dc_method = DNS_COMPRESS_GLOBAL16;
 				else if (! strcmp(tok, "DNS_COMPRESS_GLOBAL"))
 					dc_method = DNS_COMPRESS_GLOBAL;
 				else if (! strcmp(tok, "DNS_COMPRESS_ALL"))
 					dc_method = DNS_COMPRESS_ALL;
 
-				result = test_dns_name_fromwire(
-						Tokens[0],
-						atoi(Tokens[1]),
-						atoi(Tokens[2]),
-						dc_method,
-						Tokens[4],
-						exp_result,
-						buflen);
-			}
-			else {
+				result = test_dns_name_fromwire(Tokens[0],
+							   atoi(Tokens[1]),
+							   atoi(Tokens[2]),
+								dc_method,
+								Tokens[4],
+								exp_result,
+								buflen);
+			} else {
 				t_info("bad format at line %d\n", line);
 			}
 
-			(void) free(p);
+			(void)free(p);
 			t_result(result);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile %s\n", testfile);
 		t_result(result);
 	}
 }
 
 void
-t_dns_name_fromwire() {
-
+t_dns_name_fromwire(void) {
 	t_assert("dns_name_fromwire", 1, T_REQUIRED, a42);
 	t_dns_name_fromwire_x("dns_name_fromwire_1_data", BUFLEN);
 
@@ -2313,7 +2306,6 @@ t_dns_name_fromwire() {
 
 	t_assert("dns_name_fromwire", 9, T_REQUIRED, a50);
 	t_dns_name_fromwire_x("dns_name_fromwire_9_data", 2);
-
 }
 
 
@@ -2323,16 +2315,12 @@ char	*a51 =	"dns_name_towire(name, cctx, target) converts the DNS name "
 		"target and returns DNS_SUCCESS";
 
 char	*a52 =	"when not enough space exists in target, "
-		"dns_name_towire(name, cctx, target) returns DNS_R_NOSPACE";
+		"dns_name_towire(name, cctx, target) returns ISC_R_NOSPACE";
 
 static int
-test_dns_name_towire(	char *testname,
-			int dc_method,
-			char *exp_data,
-			int exp_data_len,
-			isc_result_t exp_result,
-			size_t buflen) {
-
+test_dns_name_towire(char *testname, int dc_method, char *exp_data,
+		     int exp_data_len, isc_result_t exp_result, size_t buflen)
+{
 	int			result;
 	int			val;
 	int			len;
@@ -2361,44 +2349,41 @@ test_dns_name_towire(	char *testname,
 	dns_compress_setmethods(&cctx, dc_method);
 	dns_name_init(&dns_name, NULL);
 	len = strlen(testname);
-	isc_buffer_init(&iscbuf1, testname, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&iscbuf1, testname, len);
 	isc_buffer_add(&iscbuf1, len);
-	isc_buffer_init(&iscbuf2, buf2, BUFLEN, ISC_BUFFERTYPE_BINARY);
-	dns_result = dns_name_fromtext(&dns_name, &iscbuf1, NULL, ISC_FALSE, &iscbuf2);
-	if (dns_result == DNS_R_SUCCESS) {
-		isc_buffer_init(&iscbuf3, buf3, buflen, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&iscbuf2, buf2, BUFLEN);
+	dns_result = dns_name_fromtext(&dns_name, &iscbuf1, NULL, ISC_FALSE,
+				       &iscbuf2);
+	if (dns_result == ISC_R_SUCCESS) {
+		isc_buffer_init(&iscbuf3, buf3, buflen);
 		dns_result = dns_name_towire(&dns_name, &cctx, &iscbuf3);
 		if (dns_result == exp_result) {
-			if (exp_result == DNS_R_SUCCESS) {
-				/* compare results with expected data */
-				val = chkdata(	buf3,
-						iscbuf3.used,
-						exp_data,
-						exp_data_len);
+			if (exp_result == ISC_R_SUCCESS) {
+				/*
+				 * Compare results with expected data.
+				 */
+				val = chkdata(buf3, iscbuf3.used, exp_data,
+					      exp_data_len);
 				if (val == 0)
 					result = T_PASS;
 				else
 					result = T_FAIL;
-			}
-			else
+			} else
 				result = T_PASS;
-		}
-		else {
+		} else {
 			t_info("dns_name_towire unexpectedly returned %s\n",
 					dns_result_totext(dns_result));
 			result = T_FAIL;
 		}
-	}
-	else {
+	} else {
 		t_info("dns_name_fromtext %s failed, result = %s\n",
 				testname, dns_result_totext(dns_result));
 	}
-	return(result);
+	return (result);
 }
 
 static void
 t_dns_name_towire_x(char *testfile, size_t buflen) {
-
 	int		line;
 	int		cnt;
 	int		result;
@@ -2415,8 +2400,10 @@ t_dns_name_towire_x(char *testfile, size_t buflen) {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = bustline(p, Tokens);
@@ -2424,48 +2411,45 @@ t_dns_name_towire_x(char *testfile, size_t buflen) {
 				/*
 				 *	testname, dc_method,
 				 *	exp_data, exp_data_len,
-				 *	exp_result
+				 *	exp_result.
 				 */
 
 				dc_method = t_dc_method_fromtext(Tokens[3]);
 				exp_result = t_dns_result_fromtext(Tokens[4]);
 
-				result = test_dns_name_towire(
-						Tokens[0],
-						dc_method,
-						Tokens[2],
-						atoi(Tokens[3]),
-						exp_result,
-						buflen);
-			}
-			else {
+				result = test_dns_name_towire(Tokens[0],
+							      dc_method,
+							      Tokens[2],
+							      atoi(Tokens[3]),
+							      exp_result,
+							      buflen);
+			} else {
 				t_info("bad format at line %d\n", line);
 			}
 
-			(void) free(p);
+			(void)free(p);
 			t_result(result);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile %s\n", testfile);
 		t_result(result);
 	}
 }
 void
-t_dns_name_towire() {
+t_dns_name_towire(void) {
 	t_dns_name_towire_1();
 	t_dns_name_towire_2();
 }
 
 void
-t_dns_name_towire_1() {
+t_dns_name_towire_1(void) {
 	t_assert("dns_name_towire", 1, T_REQUIRED, a51);
 	t_dns_name_towire_x("dns_name_towire_1_data", BUFLEN);
 }
 
 void
-t_dns_name_towire_2() {
+t_dns_name_towire_2(void) {
 	t_assert("dns_name_towire", 2, T_REQUIRED, a52);
 	t_dns_name_towire_x("dns_name_towire_2_data", 2);
 }
@@ -2473,10 +2457,10 @@ t_dns_name_towire_2() {
 char	*a53 =	"dns_name_concatenate(prefix, suffix, name, target) "
 		"concatenates prefix and suffix, stores the result "
 		"in target, canonicalizes any bitstring labels "
-		"and returns DNS_R_SUCCESS";
+		"and returns ISC_R_SUCCESS";
 
 void
-t_dns_name_concatenate() {
+t_dns_name_concatenate(void) {
 	t_assert("dns_name_concatenate", 1, T_REQUIRED, a53);
 	t_result(T_UNTESTED);
 }
diff --git a/bin/tests/nconf_test.c b/bin/tests/nconf_test.c
index 39d2e9b4..6f195bbd 100644
--- a/bin/tests/nconf_test.c
+++ b/bin/tests/nconf_test.c
@@ -17,32 +17,23 @@
 
 #include <config.h>
 
-#include <stdlib.h>
-#include <unistd.h>
-#include <stdio.h>
 #include <errno.h>
-#include <string.h>
+#include <stdlib.h>
 
 #include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <dns/log.h>
 #include <dns/namedconf.h>
 
-#include <isc/error.h>
-
-isc_result_t zonecbk(dns_c_ctx_t *ctx, dns_c_zone_t *zone,
-		     dns_c_view_t *view, void *uap);
-isc_result_t optscbk(dns_c_ctx_t *ctx, void *uap);
-
-
-isc_result_t
-zonecbk(dns_c_ctx_t *ctx, dns_c_zone_t *zone, dns_c_view_t *view, void *uap)
-{
+static isc_result_t
+zonecbk(dns_c_ctx_t *ctx, dns_c_zone_t *zone, dns_c_view_t *view, void *uap) {
 	const char *zname;
 	const char *vname;
 
-	(void) ctx;
-	(void) uap;
+	UNUSED(ctx);
+	UNUSED(uap);
 	
 	dns_c_zone_getname(zone, &zname);
 
@@ -53,7 +44,7 @@ zonecbk(dns_c_ctx_t *ctx, dns_c_zone_t *zone, dns_c_view_t *view, void *uap)
 		vname = "no current view";
 	}
 #else
-	(void) view;
+	UNUSED(view);
 	vname = "foo";
 #endif	
 
@@ -62,20 +53,20 @@ zonecbk(dns_c_ctx_t *ctx, dns_c_zone_t *zone, dns_c_view_t *view, void *uap)
 	return (ISC_R_SUCCESS);
 }
 
-
-isc_result_t
-optscbk(dns_c_ctx_t *ctx, void *uap)
-{
-	(void) ctx;
-	(void) uap;
+static isc_result_t
+optscbk(dns_c_ctx_t *ctx, void *uap) {
+	UNUSED(ctx);
+	UNUSED(uap);
 	
 	fprintf(stderr, "Processing options in callback.\n");
 	return (ISC_R_SUCCESS);
 }
 
 
-	
-int main (int argc, char **argv) {
+extern int dns__yydebug;
+
+int
+main (int argc, char **argv) {
 	dns_c_ctx_t *configctx = NULL;
 	const char *conffile;
 	FILE *outfp;
@@ -84,22 +75,21 @@ int main (int argc, char **argv) {
 	isc_log_t *log = NULL;
 	isc_logconfig_t *logcfg = NULL;
 	
-#if 1
-	callbacks.zonecbk = NULL;
-	callbacks.zonecbkuap = NULL;
-	callbacks.optscbk = NULL;
-	callbacks.optscbkuap = NULL;
-#else
 	callbacks.zonecbk = zonecbk;
-	callbacks.zonecbkuap = NULL;
 	callbacks.optscbk = optscbk;
+	callbacks.zonecbkuap = NULL;
 	callbacks.optscbkuap = NULL;
+
+#if 1
+	callbacks.zonecbk = NULL;
+	callbacks.optscbk = NULL;
 #endif
 	
 	if (argc > 1 && strcmp(argv[1],"-d") == 0) {
 		argv++;
 		argc--;
-		debug_mem_print = ISC_TRUE;
+		/* debug_mem_print = ISC_TRUE; */
+		dns__yydebug = 1;
 	}
 	
 	conffile = getenv("NAMED_CONF");
@@ -111,7 +101,9 @@ int main (int argc, char **argv) {
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mem) == ISC_R_SUCCESS);
 
 	RUNTIME_CHECK(isc_log_create(mem, &log, &logcfg) == ISC_R_SUCCESS);
+	isc_log_setcontext(log);
 	dns_log_init(log);
+	dns_log_setcontext(log);
 	
 	RUNTIME_CHECK(isc_log_usechannel(logcfg, "default_stderr", NULL, NULL)
 		      == ISC_R_SUCCESS);
@@ -166,7 +158,3 @@ int main (int argc, char **argv) {
 
 	return (0);
 }
-	
-	
-
-	
diff --git a/bin/tests/ndcconf_test.c b/bin/tests/ndcconf_test.c
index 7f0c2df2..2ea60448 100644
--- a/bin/tests/ndcconf_test.c
+++ b/bin/tests/ndcconf_test.c
@@ -18,30 +18,36 @@
 #include <config.h>
 
 #include <stdlib.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <errno.h>
-#include <string.h>
 
 #include <isc/mem.h>
-#include <isc/error.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <dns/log.h>
 #include <dns/confndc.h>
 
 
-int main (int argc, char **argv) {
+int
+main(int argc, char **argv) {
 	dns_c_ndcctx_t *ndcctx = NULL;
 	const char *conffile;
 	isc_mem_t *mem = NULL;
 	isc_log_t *log = NULL;
 	isc_logconfig_t *logcfg = NULL;
+	const char *program = NULL;
 
+	program = strrchr(argv[0], '/');
+	if (program == NULL) {
+		program = argv[0];
+	} else {
+		program++;
+	}
+	
 	argc--;
 	argv++;
 	
 	if (argc == 0) {
-		fprintf(stderr, "usage: %s file\n", argv[0]);
+		fprintf(stderr, "usage: %s file\n", program);
 		exit (1);
 	}
 	
@@ -49,7 +55,9 @@ int main (int argc, char **argv) {
 
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mem) == ISC_R_SUCCESS);
 	RUNTIME_CHECK(isc_log_create(mem, &log, &logcfg) == ISC_R_SUCCESS);
+	isc_log_setcontext(log);
 	dns_log_init(log);
+	dns_log_setcontext(log);
 	
 	RUNTIME_CHECK(isc_log_usechannel(logcfg, "default_stderr", NULL, NULL)
 		      == ISC_R_SUCCESS);
@@ -73,7 +81,4 @@ int main (int argc, char **argv) {
 
 	return (0);
 }
-	
-	
-
-	
+     
diff --git a/bin/tests/nxtify.c b/bin/tests/nxtify.c
index 532dfebc..9e62dfbc 100644
--- a/bin/tests/nxtify.c
+++ b/bin/tests/nxtify.c
@@ -17,27 +17,18 @@
 
 #include <config.h>
 
-#include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 
-#include <isc/types.h>
-#include <isc/assertions.h>
-#include <isc/buffer.h>
-#include <isc/error.h>
 #include <isc/mem.h>
+#include <isc/string.h>
 
-#include <dns/types.h>
-#include <dns/name.h>
-#include <dns/fixedname.h>
 #include <dns/db.h>
 #include <dns/dbiterator.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
+#include <dns/fixedname.h>
+#include <dns/nxt.h>
 #include <dns/rdataset.h>
 #include <dns/rdatasetiter.h>
 #include <dns/result.h>
-#include <dns/nxt.h>
 
 static isc_mem_t *mctx = NULL;
 
@@ -76,9 +67,9 @@ active_node(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
 		if (!active)
 			result = dns_rdatasetiter_next(rdsiter);
 		else
-			result = DNS_R_NOMORE;
+			result = ISC_R_NOMORE;
 	}
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		fatal("rdataset iteration failed");
 	dns_rdatasetiter_destroy(&rdsiter);
 
@@ -143,7 +134,7 @@ nxtify(char *filename) {
 	else
 		origintext++;	/* Skip '/'. */
 	len = strlen(origintext);
-	isc_buffer_init(&b, origintext, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&b, origintext, len);
 	isc_buffer_add(&b, len);
 	result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
 	check_result(result, "dns_name_fromtext()");
@@ -171,7 +162,7 @@ nxtify(char *filename) {
 					     &nextnode);
 		if (result == ISC_R_SUCCESS)
 			target = nextname;
-		else if (result == DNS_R_NOMORE)
+		else if (result == ISC_R_NOMORE)
 			target = dns_db_origin(db);
 		else {
 			target = NULL;	/* Make compiler happy. */
@@ -181,7 +172,7 @@ nxtify(char *filename) {
 		dns_db_detachnode(db, &node);
 		node = nextnode;
 	}
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		fatal("db iteration failed");
 	dns_dbiterator_destroy(&dbiter);
 	/*
diff --git a/bin/tests/omapi_test.c b/bin/tests/omapi_test.c
index 9128be1f..b4b8f38d 100644
--- a/bin/tests/omapi_test.c
+++ b/bin/tests/omapi_test.c
@@ -18,26 +18,18 @@
 /* 
  * Test code for OMAPI.
  */
+#include <config.h>
 
-#include <time.h>
-#include <stdio.h>
 #include <stdlib.h>
-#include <stdarg.h>
-#include <string.h>
 
-#include <isc/assertions.h>
 #include <isc/commandline.h>
 #include <isc/condition.h>
 #include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/region.h>
-#include <isc/result.h>
 #include <isc/socket.h>
+#include <isc/string.h>
 #include <isc/task.h>
 #include <isc/util.h>
 
-#include <dns/acl.h>
-
 #include <dst/result.h>
 
 #include <omapi/omapi.h>
@@ -531,7 +523,7 @@ do_connect(const char *host, int port) {
 
 static void
 listen_done(isc_task_t *task, isc_event_t *event) {
-	omapi_object_t *listener = event->arg;
+	omapi_object_t *listener = event->ev_arg;
 
 	UNUSED(task);
 
diff --git a/bin/tests/printmsg.c b/bin/tests/printmsg.c
index 286eb16e..7126e867 100644
--- a/bin/tests/printmsg.c
+++ b/bin/tests/printmsg.c
@@ -17,26 +17,9 @@
 
 #include <config.h>
 
-#include <ctype.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/boolean.h>
-#include <isc/region.h>
-
-#include <dns/types.h>
-#include <dns/result.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatatype.h>
-#include <dns/rdatalist.h>
+#include <isc/util.h>
+
 #include <dns/rdataset.h>
-#include <dns/compress.h>
-#include <dns/message.h>
 
 #include "printmsg.h"
 
@@ -80,8 +63,7 @@ static char *rcodetext[] = {
 };
 
 static isc_result_t
-printsection(dns_message_t *msg, dns_section_t sectionid, char *section_name)
-{
+printsection(dns_message_t *msg, dns_section_t sectionid, char *section_name) {
 	dns_name_t *name, *print_name;
 	dns_rdataset_t *rdataset;
 	isc_buffer_t target;
@@ -102,16 +84,16 @@ printsection(dns_message_t *msg, dns_section_t sectionid, char *section_name)
 	dns_name_init(&empty_name, NULL);
 
 	result = dns_message_firstname(msg, sectionid);
-	if (result == DNS_R_NOMORE)
-		return (DNS_R_SUCCESS);
-	else if (result != DNS_R_SUCCESS)
+	if (result == ISC_R_NOMORE)
+		return (ISC_R_SUCCESS);
+	else if (result != ISC_R_SUCCESS)
 		return (result);
 
 	for (;;) {
 		name = NULL;
 		dns_message_currentname(msg, sectionid, &name);
 
-		isc_buffer_init(&target, t, sizeof t, ISC_BUFFERTYPE_TEXT);
+		isc_buffer_init(&target, t, sizeof(t));
 		first = ISC_TRUE;
 		print_name = name;
 
@@ -123,7 +105,7 @@ printsection(dns_message_t *msg, dns_section_t sectionid, char *section_name)
 						     ISC_FALSE,
 						     no_rdata,
 						     &target);
-			if (result != DNS_R_SUCCESS)
+			if (result != ISC_R_SUCCESS)
 				return (result);
 #ifdef USEINITALWS
 			if (first) {
@@ -132,26 +114,51 @@ printsection(dns_message_t *msg, dns_section_t sectionid, char *section_name)
 			}
 #endif
 		}
-		isc_buffer_used(&target, &r);
+		isc_buffer_usedregion(&target, &r);
 		printf("%.*s", (int)r.length, (char *)r.base);
 
 		result = dns_message_nextname(msg, sectionid);
-		if (result == DNS_R_NOMORE)
+		if (result == ISC_R_NOMORE)
 			break;
-		else if (result != DNS_R_SUCCESS)
+		else if (result != ISC_R_SUCCESS)
 			return (result);
 	}
 	
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+printrdata(dns_message_t *msg, dns_rdataset_t *rdataset, dns_name_t *owner,
+	   char *set_name)
+{
+	isc_buffer_t target;
+	isc_result_t result;
+	isc_region_t r;
+	char t[4096];
+
+	UNUSED(msg);
+	printf(";; %s SECTION:\n", set_name);
+
+	isc_buffer_init(&target, t, sizeof(t));
+
+	result = dns_rdataset_totext(rdataset, owner, ISC_FALSE, ISC_FALSE,
+				     &target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_usedregion(&target, &r);
+	printf("%.*s", (int)r.length, (char *)r.base);
+
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
 printmessage(dns_message_t *msg) {
 	isc_boolean_t did_flag = ISC_FALSE;
 	isc_result_t result;
-	dns_rdataset_t *opt;
+	dns_rdataset_t *opt, *tsig;
+	dns_name_t *tsigname;
 
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
 
 	printf(";; ->>HEADER<<- opcode: %s, status: %s, id: %u\n",
 	       opcodetext[msg->opcode], rcodetext[msg->rcode], msg->id);
@@ -196,38 +203,40 @@ printmessage(dns_message_t *msg) {
 		       (unsigned int)((opt->ttl & 0x00ff0000) >> 16),
 		       (unsigned int)opt->rdclass);
 
-	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_TSIG]))
+	tsigname = NULL;
+	tsig = dns_message_gettsig(msg, &tsigname);
+	if (tsig != NULL)
 		printf(";; PSEUDOSECTIONS: TSIG\n");
 	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_QUESTION])) {
 		printf("\n");
 		result = printsection(msg, DNS_SECTION_QUESTION, "QUESTION");
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
 	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) {
 		printf("\n");
 		result = printsection(msg, DNS_SECTION_ANSWER, "ANSWER");
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
 	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_AUTHORITY])) {
 		printf("\n");
 		result = printsection(msg, DNS_SECTION_AUTHORITY, "AUTHORITY");
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
 	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ADDITIONAL])) {
 		printf("\n");
 		result = printsection(msg, DNS_SECTION_ADDITIONAL,
 				      "ADDITIONAL");
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
-	if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_TSIG])) {
+	if (tsig != NULL) {
 		printf("\n");
-		result = printsection(msg, DNS_SECTION_TSIG,
-				      "PSEUDOSECTION TSIG");
-		if (result != DNS_R_SUCCESS)
+		result = printrdata(msg, tsig, tsigname,
+				    "PSEUDOSECTION TSIG");
+		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
 	printf("\n");
diff --git a/bin/tests/ratelimiter_test.c b/bin/tests/ratelimiter_test.c
index 5a0dd152..e4630946 100644
--- a/bin/tests/ratelimiter_test.c
+++ b/bin/tests/ratelimiter_test.c
@@ -17,54 +17,95 @@
 
 #include <config.h>
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <isc/assertions.h>
-#include <isc/error.h>
+#include <isc/app.h>
 #include <isc/mem.h>
 #include <isc/task.h>
-#include <isc/thread.h>
-#include <isc/result.h>
+#include <isc/time.h>
 #include <isc/timer.h>
 #include <isc/ratelimiter.h>
+#include <isc/util.h>
 
 isc_ratelimiter_t *rlim = NULL;
+isc_taskmgr_t *taskmgr = NULL;
+isc_timermgr_t *timermgr = NULL;
+isc_task_t *g_task = NULL;
+isc_mem_t *mctx = NULL;
+
+static void utick(isc_task_t *task, isc_event_t *event);
+static void shutdown_rl(isc_task_t *task, isc_event_t *event);
+static void shutdown_all(isc_task_t *task, isc_event_t *event);
+
+typedef struct {
+	int milliseconds;
+	void (*fun)(isc_task_t *, isc_event_t *);
+} schedule_t;
+
+schedule_t schedule[] = {
+	{   100, utick },
+	{   200, utick },
+	{   300, utick },
+	{  3000, utick },
+	{  3100, utick },
+	{  3200, utick },
+	{  3300, shutdown_rl },
+	{  5000, utick },
+	{  6000, shutdown_all }
+};
+
+#define NEVENTS (int)(sizeof(schedule)/sizeof(schedule[0]))
+
+isc_timer_t *timers[NEVENTS];
 
 static void
-ltick(isc_task_t *task, isc_event_t *event)
-{
-	(void) task;
-	printf("** ltick **\n");
+ltick(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+	printf("** ltick%s **\n",
+	       (event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0 ?
+	       " (canceled)" : "");
 	isc_event_free(&event);
 }
 
 static void
-utick(isc_task_t *task, isc_event_t *event)
-{
-	(void) task;
-	printf("utick\n");
-	event->action = ltick;
-	isc_ratelimiter_enqueue(rlim, &event);
+utick(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	UNUSED(task);
+	event->ev_action = ltick;
+	event->ev_sender = NULL;
+	result = isc_ratelimiter_enqueue(rlim, g_task, &event);
+	printf("enqueue: %s\n",
+	       result == ISC_R_SUCCESS ? "ok" : "failed");
 }
 
-#define N 7
+static void
+shutdown_rl(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+	UNUSED(event);
+	printf("shutdown ratelimiter\n");	
+	isc_ratelimiter_shutdown(rlim);
+}
+
+static void
+shutdown_all(isc_task_t *task, isc_event_t *event) {
+	int i;
+	UNUSED(task);
+	UNUSED(event);
+	printf("shutdown all\n");
+	for (i = 0; i < NEVENTS; i++) {
+		isc_timer_detach(&timers[i]);
+	}
+
+	isc_app_shutdown();
+}
 
 int
 main(int argc, char *argv[]) {
-	isc_mem_t *mctx = NULL;
-	isc_taskmgr_t *taskmgr = NULL;
-	isc_timermgr_t *timermgr = NULL;
-	isc_task_t *task = NULL;
-	int times[N] = { 1, 2, 3, 10000, 10001, 10002, 11500 };
-	isc_timer_t *timers[N];
 	isc_interval_t linterval;
 	int i;
 
-	(void) argc;
-	(void) argv;
-	
+	UNUSED(argc);
+	UNUSED(argv);
+
+	isc_app_start();
 	isc_interval_set(&linterval, 1, 0);
 	
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
@@ -72,41 +113,39 @@ main(int argc, char *argv[]) {
 		      ISC_R_SUCCESS);
 	RUNTIME_CHECK(isc_timermgr_create(mctx, &timermgr) ==
 		      ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc_task_create(taskmgr, mctx, 0, &task) ==
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &g_task) ==
 		      ISC_R_SUCCESS);
 
-	RUNTIME_CHECK(isc_ratelimiter_create(mctx, timermgr, task, 
+	RUNTIME_CHECK(isc_ratelimiter_create(mctx, timermgr, g_task, 
 					     &rlim) == ISC_R_SUCCESS);
 
 	RUNTIME_CHECK(isc_ratelimiter_setinterval(rlim, &linterval) ==
 		      ISC_R_SUCCESS);
-	
-	for (i = 0; i < N; i++) {
+
+	for (i = 0; i < NEVENTS; i++) {
 		isc_interval_t uinterval;
-		isc_interval_set(&uinterval, times[i] / 1000,
-				 (times[i] % 1000) * 1000000);
+		int ms = schedule[i].milliseconds;
+		isc_interval_set(&uinterval,  ms / 1000,
+				 (ms % 1000) * 1000000);
+		timers[i] = NULL;
 		RUNTIME_CHECK(isc_timer_create(timermgr,
 					       isc_timertype_once, NULL,
 					       &uinterval,
-					       task, utick, NULL,
+					       g_task, schedule[i].fun, NULL,
 					       &timers[i]) == ISC_R_SUCCESS);
 	}
-	sleep(15);
-	
-	printf("destroy\n");
 
-	for (i = 0; i < N; i++) {
-		isc_timer_detach(&timers[i]);
-	}
+	isc_app_run();
 
-	isc_ratelimiter_destroy(&rlim);
-	isc_task_destroy(&task);
+	isc_task_destroy(&g_task);
 
+	isc_ratelimiter_destroy(&rlim);
+	
 	isc_timermgr_destroy(&timermgr);
 	isc_taskmgr_destroy(&taskmgr);
 
-	sleep(2);
 	isc_mem_stats(mctx, stdout);
 	
+	isc_app_finish();
 	return (0);
 }
diff --git a/bin/tests/rbt/Makefile.in b/bin/tests/rbt/Makefile.in
index ab896c84..1ff70a67 100644
--- a/bin/tests/rbt/Makefile.in
+++ b/bin/tests/rbt/Makefile.in
@@ -25,11 +25,15 @@ CDEFINES =
 CWARNINGS =
 
 # Note that we do not want to use libtool for libt_api
-DEPLIBS =	../../../lib/dns/libdns.@A@ \
-		../../../lib/isc/libisc.@A@
+DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@
+ISCLIBS =	../../../lib/isc/libisc.@A@
 
-LIBS =		${DEPLIBS} \
-		@LIBS@
+DNSDEPLIBS =	../../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../../lib/isc/libisc.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
 
 TLIB =		../../../lib/tests/libt_api.@A@
 
diff --git a/bin/tests/rbt/dns_rbt_addname_1_data b/bin/tests/rbt/dns_rbt_addname_1_data
index 703561f3..b7475ed6 100644
--- a/bin/tests/rbt/dns_rbt_addname_1_data
+++ b/bin/tests/rbt/dns_rbt_addname_1_data
@@ -3,7 +3,7 @@
 #
 # format is: <dbfile> <command> <testname> <exp_result>
 #
-dns_rbt.data	add	new.name	DNS_R_SUCCESS
-dns_rbt.data	add	\[x42/7].name	DNS_R_SUCCESS
-dns_rbt.data	add	\[b11011].name	DNS_R_SUCCESS
-dns_rbt.data	add	\[o033/9].name	DNS_R_SUCCESS
+dns_rbt.data	add	new.name	ISC_R_SUCCESS
+dns_rbt.data	add	\[x42/7].name	ISC_R_SUCCESS
+dns_rbt.data	add	\[b11011].name	ISC_R_SUCCESS
+dns_rbt.data	add	\[o033/9].name	ISC_R_SUCCESS
diff --git a/bin/tests/rbt/dns_rbt_addname_2_data b/bin/tests/rbt/dns_rbt_addname_2_data
index 936c63bf..762bd8bc 100644
--- a/bin/tests/rbt/dns_rbt_addname_2_data
+++ b/bin/tests/rbt/dns_rbt_addname_2_data
@@ -3,4 +3,4 @@
 #
 # format is: <dbfile> <command> <testname> <exp_result>
 #
-dns_rbt.data	add	a.vix.com	DNS_R_EXISTS
+dns_rbt.data	add	a.vix.com	ISC_R_EXISTS
diff --git a/bin/tests/rbt/dns_rbt_create_1_data b/bin/tests/rbt/dns_rbt_create_1_data
index 8264f237..72f8dc4b 100644
--- a/bin/tests/rbt/dns_rbt_create_1_data
+++ b/bin/tests/rbt/dns_rbt_create_1_data
@@ -3,5 +3,5 @@
 #
 # format is: <dbfile> <command> <testname> <exp_result>
 #
-dns_rbt.data	create	not.used	DNS_R_SUCCESS
-dns_rbt_bitstring.data	create	not.used	DNS_R_SUCCESS
+dns_rbt.data	create	not.used	ISC_R_SUCCESS
+dns_rbt_bitstring.data	create	not.used	ISC_R_SUCCESS
diff --git a/bin/tests/rbt/dns_rbt_deletename_1_data b/bin/tests/rbt/dns_rbt_deletename_1_data
index 14b2a4e8..5a34481b 100644
--- a/bin/tests/rbt/dns_rbt_deletename_1_data
+++ b/bin/tests/rbt/dns_rbt_deletename_1_data
@@ -3,7 +3,7 @@
 #
 # format is: <dbfile> <command> <testname> <exp_result>
 #
-dns_rbt.data	delete	a.vix.com	DNS_R_SUCCESS
-dns_rbt_bitstring.data	delete	\[x42/7].vix.com	DNS_R_SUCCESS
-dns_rbt_bitstring.data	delete	a.\[x42/7].com	DNS_R_SUCCESS
-dns_rbt_bitstring.data	delete	a.vix.\[x42/7]	DNS_R_SUCCESS
+dns_rbt.data	delete	a.vix.com	ISC_R_SUCCESS
+dns_rbt_bitstring.data	delete	\[x42/7].vix.com	ISC_R_SUCCESS
+dns_rbt_bitstring.data	delete	a.\[x42/7].com	ISC_R_SUCCESS
+dns_rbt_bitstring.data	delete	a.vix.\[x42/7]	ISC_R_SUCCESS
diff --git a/bin/tests/rbt/dns_rbt_deletename_2_data b/bin/tests/rbt/dns_rbt_deletename_2_data
index 93e92710..a3d195b2 100644
--- a/bin/tests/rbt/dns_rbt_deletename_2_data
+++ b/bin/tests/rbt/dns_rbt_deletename_2_data
@@ -3,7 +3,7 @@
 #
 # format is: <dbfile> <command> <testname> <exp_result>
 #
-dns_rbt.data	delete	new.name	DNS_R_NOTFOUND
-dns_rbt.data	delete	\[x42/7].vix.com	DNS_R_NOTFOUND
-dns_rbt.data	delete	a.\[x42/7].com	DNS_R_NOTFOUND
-dns_rbt.data	delete	a.vix.\[x42/7]	DNS_R_NOTFOUND
+dns_rbt.data	delete	new.name	ISC_R_NOTFOUND
+dns_rbt.data	delete	\[x42/7].vix.com	ISC_R_NOTFOUND
+dns_rbt.data	delete	a.\[x42/7].com	ISC_R_NOTFOUND
+dns_rbt.data	delete	a.vix.\[x42/7]	ISC_R_NOTFOUND
diff --git a/bin/tests/rbt/dns_rbt_findname_1_data b/bin/tests/rbt/dns_rbt_findname_1_data
index 06011f47..e478c675 100644
--- a/bin/tests/rbt/dns_rbt_findname_1_data
+++ b/bin/tests/rbt/dns_rbt_findname_1_data
@@ -3,7 +3,7 @@
 #
 # format is: <dbfile> <command> <testname> <exp_result>
 #
-dns_rbt.data	search	a.vix.com	DNS_R_SUCCESS
-dns_rbt_bitstring.data	search	\[x42/7].vix.com	DNS_R_SUCCESS
-dns_rbt_bitstring.data	search	a.\[x42/7].com	DNS_R_SUCCESS
-dns_rbt_bitstring.data	search	a.vix.\[x42/7]	DNS_R_SUCCESS
+dns_rbt.data	search	a.vix.com	ISC_R_SUCCESS
+dns_rbt_bitstring.data	search	\[x42/7].vix.com	ISC_R_SUCCESS
+dns_rbt_bitstring.data	search	a.\[x42/7].com	ISC_R_SUCCESS
+dns_rbt_bitstring.data	search	a.vix.\[x42/7]	ISC_R_SUCCESS
diff --git a/bin/tests/rbt/dns_rbt_findname_2_data b/bin/tests/rbt/dns_rbt_findname_2_data
index 03db49da..7bf35406 100644
--- a/bin/tests/rbt/dns_rbt_findname_2_data
+++ b/bin/tests/rbt/dns_rbt_findname_2_data
@@ -3,7 +3,7 @@
 #
 # format is: <dbfile> <command> <testname> <exp_result>
 #
-dns_rbt.data	search	not.used.here	DNS_R_NOTFOUND
-dns_rbt.data	search	\[x42/7].vix.com	DNS_R_NOTFOUND
-dns_rbt.data	search	a.\[x42/7].com	DNS_R_NOTFOUND
-dns_rbt.data	search	a.vix.\[x42/7]	DNS_R_NOTFOUND
+dns_rbt.data	search	not.used.here	ISC_R_NOTFOUND
+dns_rbt.data	search	\[x42/7].vix.com	ISC_R_NOTFOUND
+dns_rbt.data	search	a.\[x42/7].com	ISC_R_NOTFOUND
+dns_rbt.data	search	a.vix.\[x42/7]	ISC_R_NOTFOUND
diff --git a/bin/tests/rbt/t_rbt.c b/bin/tests/rbt/t_rbt.c
index 13173cfd..6cded78f 100644
--- a/bin/tests/rbt/t_rbt.c
+++ b/bin/tests/rbt/t_rbt.c
@@ -15,22 +15,18 @@
  * SOFTWARE.
  */
 
-#include	<config.h>
+#include <config.h>
 
-#include	<ctype.h>
-#include	<stdlib.h>
-#include	<stdio.h>
-#include	<string.h>
-#include	<unistd.h>
+#include <ctype.h>
+#include <stdlib.h>
 
-#include	<isc/boolean.h>
+#include <isc/mem.h>
+#include <isc/string.h>
 
-#include	<dns/rbt.h>
-#include	<dns/fixedname.h>
-#include	<dns/name.h>
-#include	<dns/result.h>
+#include <dns/rbt.h>
+#include <dns/fixedname.h>
 
-#include	<tests/t_api.h>
+#include <tests/t_api.h>
 
 #define		BUFLEN	1024
 #define		DNSNAMELEN 255
@@ -38,20 +34,29 @@
 char		*progname;
 char		*Tokens[T_MAXTOKS];
 
-static int	t_dns_rbtnodechain_init(char *dbfile, char *findname,
+static int
+t_dns_rbtnodechain_init(char *dbfile, char *findname,
 			char *firstname, char *firstorigin,
 			char *nextname, char *nextorigin,
 			char *prevname, char *prevorigin,
 			char *lastname, char *lastorigin);
-static char	*fixedname_totext(dns_fixedname_t *name);
-static int	fixedname_cmp(dns_fixedname_t *dns_name, char *txtname);
-static char	*dnsname_totext(dns_name_t *name);
-static int	t_namechk(isc_result_t dns_result, dns_fixedname_t *dns_name, char *exp_name,
-			  dns_fixedname_t *dns_origin, char *exp_origin,
-			  isc_result_t exp_result);
+static char *
+fixedname_totext(dns_fixedname_t *name);
+
+static int
+fixedname_cmp(dns_fixedname_t *dns_name, char *txtname);
+
+static char *
+dnsname_totext(dns_name_t *name);
 
-/* parts adapted from the original rbt_test.c */
+static int
+t_namechk(isc_result_t dns_result, dns_fixedname_t *dns_name, char *exp_name,
+	  dns_fixedname_t *dns_origin, char *exp_origin,
+	  isc_result_t exp_result);
 
+/*
+ * Parts adapted from the original rbt_test.c.
+ */
 static int
 fixedname_cmp(dns_fixedname_t *dns_name, char *txtname) {
 	char	*name;
@@ -61,8 +66,7 @@ fixedname_cmp(dns_fixedname_t *dns_name, char *txtname) {
 		if ((name == NULL) || (*name == '\0'))
 			return(0);
 		return(1);
-	}
-	else {
+	} else {
 		return(strcmp(name, txtname));
 	}
 }
@@ -72,7 +76,7 @@ dnsname_totext(dns_name_t *name) {
 	static char	buf[BUFLEN];
 	isc_buffer_t	target;
 
-	isc_buffer_init(&target, buf, BUFLEN, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&target, buf, BUFLEN);
 	dns_name_totext(name, ISC_FALSE, &target);
 	*((char *)(target.base) + target.used) = '\0';
 	return(target.base);
@@ -84,7 +88,7 @@ fixedname_totext(dns_fixedname_t *name) {
 	isc_buffer_t	target;
 
 	memset(buf, 0, BUFLEN);
-	isc_buffer_init(&target, buf, BUFLEN, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&target, buf, BUFLEN);
 	dns_name_totext(dns_fixedname_name(name), ISC_FALSE, &target);
 	*((char *)(target.base) + target.used) = '\0';
 	return(target.base);
@@ -98,10 +102,10 @@ print_data(void *data) {
 	isc_buffer_t	target;
 	char		*buffer[DNSNAMELEN];
 
-	isc_buffer_init(&target, buffer, sizeof(buffer), ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&target, buffer, sizeof(buffer));
 
 	dns_result = dns_name_totext(data, ISC_FALSE, &target);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_name_totext failed %s\n",
 				dns_result_totext(dns_result));
 	}
@@ -124,7 +128,7 @@ create_name(char *s, isc_mem_t *mctx, dns_name_t **dns_name) {
 
 		length = strlen(s);
 	
-		isc_buffer_init(&source, s, length, ISC_BUFFERTYPE_TEXT);
+		isc_buffer_init(&source, s, length);
 		isc_buffer_add(&source, length);
 	
 		/*
@@ -138,19 +142,17 @@ create_name(char *s, isc_mem_t *mctx, dns_name_t **dns_name) {
 		}
 	
 		dns_name_init(*dns_name, NULL);
-		isc_buffer_init(&target, *dns_name + 1, DNSNAMELEN,
-					ISC_BUFFERTYPE_BINARY);
+		isc_buffer_init(&target, *dns_name + 1, DNSNAMELEN);
 	
 		result = dns_name_fromtext(*dns_name, &source, dns_rootname,
 					   ISC_FALSE, &target);
 	
-		if (result != DNS_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS) {
 			++nfails;
 			t_info("dns_name_fromtext(%s) failed %s\n",
 			       s, dns_result_totext(result));
 		}
-	}
-	else {
+	} else {
 		++nfails;
 		t_info("create_name: empty name\n");
 	}
@@ -167,60 +169,60 @@ delete_name(void *data, void *arg) {
 }
 
 
-/* adapted from the original rbt_test.c */
-
+/*
+ * Adapted from the original rbt_test.c.
+ */
 static int
 t1_add(char *name, dns_rbt_t *rbt, isc_mem_t *mctx, isc_result_t *dns_result) {
-
 	int		nprobs;
 	dns_name_t	*dns_name;
 
 	nprobs = 0;
 	if (name && dns_result) {
 		*dns_result = create_name(name, mctx, &dns_name);
-		if (*dns_result == DNS_R_SUCCESS) {
+		if (*dns_result == ISC_R_SUCCESS) {
 			if (T_debug)
 				t_info("dns_rbt_addname succeeded\n");
 			*dns_result = dns_rbt_addname(rbt, dns_name, dns_name);
-		}
-		else {
+		} else {
 			t_info("dns_rbt_addname failed %s\n",
 		       			dns_result_totext(*dns_result));
 			delete_name(dns_name, mctx);
 			++nprobs;
 		}
-	}
-	else {
+	} else {
 		++nprobs;
 	}
 	return(nprobs);
 }
 
 static int
-t1_delete(char *name, dns_rbt_t *rbt, isc_mem_t *mctx, isc_result_t *dns_result) {
+t1_delete(char *name, dns_rbt_t *rbt, isc_mem_t *mctx,
+	  isc_result_t *dns_result)
+{
 	int		nprobs;
 	dns_name_t	*dns_name;
 
 	nprobs = 0;
 	if (name && dns_result) {
 		*dns_result = create_name(name, mctx, &dns_name);
-		if (*dns_result == DNS_R_SUCCESS) {
-			*dns_result = dns_rbt_deletename(rbt, dns_name, ISC_FALSE);
+		if (*dns_result == ISC_R_SUCCESS) {
+			*dns_result = dns_rbt_deletename(rbt, dns_name,
+							 ISC_FALSE);
 			delete_name(dns_name, mctx);
-		}
-		else {
+		} else {
 			++nprobs;
 		}
-	}
-	else {
+	} else {
 		++nprobs;
 	}
 	return(nprobs);
 }
 
 static int
-t1_search(char *name, dns_rbt_t *rbt, isc_mem_t *mctx, isc_result_t *dns_result) {
-
+t1_search(char *name, dns_rbt_t *rbt, isc_mem_t *mctx,
+	  isc_result_t *dns_result)
+{
 	int		nprobs;
 	dns_name_t	*dns_searchname;
 	dns_name_t	*dns_foundname;
@@ -230,28 +232,27 @@ t1_search(char *name, dns_rbt_t *rbt, isc_mem_t *mctx, isc_result_t *dns_result)
 	nprobs = 0;
 	if (name && dns_result) {
 		*dns_result = create_name(name, mctx, &dns_searchname);
-		if (*dns_result == DNS_R_SUCCESS) {
+		if (*dns_result == ISC_R_SUCCESS) {
 			dns_fixedname_init(&dns_fixedname);
 			dns_foundname = dns_fixedname_name(&dns_fixedname);
 			data = NULL;
-			*dns_result = dns_rbt_findname(rbt, dns_searchname,
+			*dns_result = dns_rbt_findname(rbt, dns_searchname, 0,
 						dns_foundname, &data);
 			delete_name(dns_searchname, mctx);
-		}
-		else {
+		} else {
 			++nprobs;
 		}
-	}
-	else {
+	} else {
 		++nprobs;
 	}
 	return(nprobs);
 }
 
-/* initialize a database from filename */
+/*
+ * Initialize a database from filename.
+ */
 static int
 rbt_init(char *filename, dns_rbt_t **rbt, isc_mem_t *mctx) {
-
 	int		rval;
 	isc_result_t	dns_result;
 	char		*p;
@@ -264,7 +265,7 @@ rbt_init(char *filename, dns_rbt_t **rbt, isc_mem_t *mctx) {
 	}
 
 	dns_result = dns_rbt_create(mctx, delete_name, mctx, rbt);
-	if (dns_result != DNS_R_SUCCESS) {
+	if (dns_result != ISC_R_SUCCESS) {
 		t_info("dns_rbt_create failed %s\n",
 		       		dns_result_totext(dns_result));
 		fclose(fp);
@@ -283,7 +284,7 @@ rbt_init(char *filename, dns_rbt_t **rbt, isc_mem_t *mctx) {
 			t_info("adding name %s to the rbt\n", p);
 
 		rval = t1_add(p, *rbt, mctx, &dns_result);
-		if ((rval != 0) || (dns_result != DNS_R_SUCCESS)) {
+		if ((rval != 0) || (dns_result != ISC_R_SUCCESS)) {
 			t_info("add of %s failed\n", p);
 			dns_rbt_destroy(rbt);
 			fclose(fp);
@@ -296,7 +297,9 @@ rbt_init(char *filename, dns_rbt_t **rbt, isc_mem_t *mctx) {
 }
 
 static int
-test_rbt_gen(char *filename, char *command, char *testname, isc_result_t exp_result) {
+test_rbt_gen(char *filename, char *command, char *testname,
+	     isc_result_t exp_result)
+{
 	int		rval;
 	int		result;
 	dns_rbt_t	*rbt;
@@ -329,82 +332,73 @@ test_rbt_gen(char *filename, char *command, char *testname, isc_result_t exp_res
 	/* now try the database command */
 	if (strcmp(command, "create") == 0) {
 		result = T_PASS;
-	}
-	else if (strcmp(command, "add") == 0) {
+	} else if (strcmp(command, "add") == 0) {
 		dns_result = create_name(testname, mctx, &dns_name);
-		if (dns_result == DNS_R_SUCCESS) {
+		if (dns_result == ISC_R_SUCCESS) {
 			dns_result = dns_rbt_addname(rbt, dns_name, dns_name);
 
-			if (dns_result != DNS_R_SUCCESS)
+			if (dns_result != ISC_R_SUCCESS)
 				delete_name(dns_name, mctx);
 
 			if (dns_result == exp_result) {
-				if (dns_result == DNS_R_SUCCESS) {
-					rval = t1_search(testname, rbt, mctx, &dns_result);
+				if (dns_result == ISC_R_SUCCESS) {
+					rval = t1_search(testname, rbt, mctx,
+							 &dns_result);
 					if (rval == 0) {
-						if (dns_result == DNS_R_SUCCESS) {
-							result = T_PASS;
-						}
-						else {
-							result = T_FAIL;
-						}
-					}
-					else {
+					     if (dns_result == ISC_R_SUCCESS) {
+						     result = T_PASS;
+					     } else {
+						     result = T_FAIL;
+					     }
+					} else {
 						t_info("t1_search failed\n");
 						result = T_UNRESOLVED;
 					}
-				}
-				else {
+				} else {
 					result = T_PASS;
 				}
-			}
-			else {
-				t_info("dns_rbt_addname returned %s, expected %s\n",
-					dns_result_totext(dns_result),
-					dns_result_totext(exp_result));
+			} else {
+				t_info("dns_rbt_addname returned %s, "
+				       "expected %s\n",
+				       dns_result_totext(dns_result),
+				       dns_result_totext(exp_result));
 				result = T_FAIL;
 			}
-		}
-		else {
+		} else {
 			t_info("create_name failed %s\n",
 				dns_result_totext(dns_result));
 			result = T_UNRESOLVED;
 		}
-	}
-	else if ((strcmp(command, "delete") == 0) ||
-		(strcmp(command, "nuke") == 0)) {
-
+	} else if ((strcmp(command, "delete") == 0) ||
+		   (strcmp(command, "nuke") == 0)) {
 		rval = t1_delete(testname, rbt, mctx, &dns_result);
 		if (rval == 0) {
 			if (dns_result == exp_result) {
-				rval = t1_search(testname, rbt, mctx, &dns_result);
+				rval = t1_search(testname, rbt, mctx,
+						 &dns_result);
 				if (rval == 0) {
-					if (dns_result == DNS_R_SUCCESS) {
-						t_info("dns_rbt_deletename didn't "
-							"delete the name");
+					if (dns_result == ISC_R_SUCCESS) {
+						t_info("dns_rbt_deletename "
+						       "didn't delete "
+						       "the name");
 						result = T_FAIL;
-					}
-					else {
+					} else {
 						result = T_PASS;
 					}
 				}
-			}
-			else {
+			} else {
 				t_info("delete returned %s, expected %s\n",
 					dns_result_totext(dns_result),
 					dns_result_totext(exp_result));
 				result = T_FAIL;
 			}
 		}
-	}
-	else if (strcmp(command, "search") == 0) {
-
+	} else if (strcmp(command, "search") == 0) {
 		rval = t1_search(testname, rbt, mctx, &dns_result);
 		if (rval == 0) {
 			if (dns_result == exp_result) {
 				result = T_PASS;
-			}
-			else {
+			} else {
 				t_info("find returned %s, expected %s\n",
 					dns_result_totext(dns_result),
 					dns_result_totext(exp_result));
@@ -420,7 +414,6 @@ test_rbt_gen(char *filename, char *command, char *testname, isc_result_t exp_res
 
 static int
 test_dns_rbt_x(char *filename) {
-
 	FILE		*fp;
 	char		*p;
 	int		line;
@@ -439,32 +432,33 @@ test_dns_rbt_x(char *filename) {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
-			/* name of db file, command, testname, expected result */
+			/*
+			 * Name of db file, command, testname,
+			 * expected result.
+			 */
 			cnt = t_bustline(p, Tokens);
 			if (cnt == 4) {
-				result = test_rbt_gen(
-						Tokens[0],
-						Tokens[1],
-						Tokens[2],
-						t_dns_result_fromtext(Tokens[3]));
+				result = test_rbt_gen(Tokens[0], Tokens[1],
+					     Tokens[2],
+					     t_dns_result_fromtext(Tokens[3]));
 				if (result != T_PASS)
 					++nfails;
-			}
-			else {
+			} else {
 				t_info("bad format in %s at line %d\n",
 						filename, line);
 				++nprobs;
 			}
 
-			(void) free(p);
+			(void)free(p);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile %s\n", filename);
 		++nprobs;
 	}
@@ -479,8 +473,8 @@ test_dns_rbt_x(char *filename) {
 }
 
 
-static char	*a1 =	"dns_rbt_create creates a rbt and returns DNS_R_SUCCESS "
-			"on success";
+static char	*a1 =	"dns_rbt_create creates a rbt and returns "
+			"ISC_R_SUCCESS on success";
 
 static void
 t1() {
@@ -491,8 +485,9 @@ t1() {
 	t_result(result);
 }
 
-static char	*a2 =	"dns_rbt_addname adds a name to a database and returns "
-			"DNS_R_SUCCESS on success";
+static char	*a2 =	"dns_rbt_addname adds a name to a database and "
+			"returns ISC_R_SUCCESS on success";
+
 static void
 t2() {
 	int	result;
@@ -502,8 +497,8 @@ t2() {
 	t_result(result);
 }
 
-static char	*a3 =	"when name already exists, dns_rbt_addname() returns "
-			"DNS_R_EXISTS";
+static char	*a3 =	"when name already exists, dns_rbt_addname() "
+			"returns ISC_R_EXISTS";
 
 static void
 t3() {
@@ -515,7 +510,7 @@ t3() {
 }
 
 static char	*a4 =	"when name exists, dns_rbt_deletename() returns "
-			"DNS_R_SUCCESS";
+			"ISC_R_SUCCESS";
 
 static void
 t4() {
@@ -526,8 +521,8 @@ t4() {
 	t_result(result);
 }
 
-static char	*a5 =	"when name does not exist, dns_rbt_deletename() returns "
-			"DNS_R_NOTFOUND";
+static char	*a5 =	"when name does not exist, dns_rbt_deletename() "
+			"returns ISC_R_NOTFOUND";
 static void
 t5() {
 	int	result;
@@ -537,8 +532,8 @@ t5() {
 	t_result(result);
 }
 
-static char	*a6 =	"when name exists and exactly matches the search name, "
-			"dns_rbt_findname() returns DNS_R_SUCCESS";
+static char	*a6 =	"when name exists and exactly matches the "
+			"search name dns_rbt_findname() returns ISC_R_SUCCESS";
 
 static void
 t6() {
@@ -550,7 +545,7 @@ t6() {
 }
 
 static char	*a7 =	"when a name does not exist, "
-			"dns_rbt_findname returns DNS_R_NOTFOUND";
+			"dns_rbt_findname returns ISC_R_NOTFOUND";
 
 static void
 t7() {
@@ -595,7 +590,7 @@ t9_walkchain(dns_rbtnodechain_t *chain, dns_rbt_t *rbt) {
 	cnt = 0;
 	nprobs = 0;
 
-	while (1) {
+	do {
 
 		if (cnt == 0) {
 			dns_fixedname_init(&name);
@@ -611,51 +606,60 @@ t9_walkchain(dns_rbtnodechain_t *chain, dns_rbt_t *rbt) {
 				break;
 			}
 			t_info("first name:\t<%s>\n", fixedname_totext(&name));
-			t_info("first origin:\t<%s>\n", fixedname_totext(&origin));
-		}
-		else {
+			t_info("first origin:\t<%s>\n",
+			       fixedname_totext(&origin));
+		} else {
 			dns_fixedname_init(&fullname1);
-			dns_result = dns_name_concatenate(dns_fixedname_name(&name),
-							dns_name_isabsolute(dns_fixedname_name(&name)) ?
-								NULL : dns_fixedname_name(&origin),
-							dns_fixedname_name(&fullname1),
-							NULL);
-			if (dns_result != DNS_R_SUCCESS) {
+			dns_result = dns_name_concatenate(
+			       dns_fixedname_name(&name),
+			       dns_name_isabsolute(dns_fixedname_name(&name)) ?
+					    NULL : dns_fixedname_name(&origin),
+			       dns_fixedname_name(&fullname1), NULL);
+			if (dns_result != ISC_R_SUCCESS) {
 				t_info("dns_name_concatenate failed %s\n",
 						dns_result_totext(dns_result));
 				++nprobs;
 				break;
 			}
 
-			/* expecting origin not to get touched if next doesn't return NEWORIGIN */
+			/*
+			 * Expecting origin not to get touched if next
+			 * doesn't return NEWORIGIN.
+			 */
 			dns_fixedname_init(&name);
-			dns_result = dns_rbtnodechain_next(chain, dns_fixedname_name(&name),
-						dns_fixedname_name(&origin));
-			if ((dns_result != DNS_R_SUCCESS) && (dns_result != DNS_R_NEWORIGIN)) {
-				if (dns_result != DNS_R_NOMORE) {
-					t_info("dns_rbtnodechain_next failed %s\n",
-							dns_result_totext(dns_result));
+			dns_result = dns_rbtnodechain_next(chain,
+						  dns_fixedname_name(&name),
+						  dns_fixedname_name(&origin));
+			if ((dns_result != ISC_R_SUCCESS) &&
+			    (dns_result != DNS_R_NEWORIGIN)) {
+				if (dns_result != ISC_R_NOMORE) {
+					t_info("dns_rbtnodechain_next "
+					       "failed %s\n",
+					       dns_result_totext(dns_result));
 					++nprobs;
 				}
 				break;
 			}
 
 			t_info("next name:\t<%s>\n", fixedname_totext(&name));
-			t_info("next origin:\t<%s>\n", fixedname_totext(&origin));
+			t_info("next origin:\t<%s>\n",
+			       fixedname_totext(&origin));
 
 			dns_fixedname_init(&fullname2);
-			dns_result = dns_name_concatenate(dns_fixedname_name(&name),
-							dns_name_isabsolute(dns_fixedname_name(&name)) ?
-								NULL : dns_fixedname_name(&origin),
-							dns_fixedname_name(&fullname2),
-							NULL);
-			if (dns_result != DNS_R_SUCCESS) {
-				t_info("dns_name_concatenate failed %s\n", dns_result_totext(dns_result));
+			dns_result = dns_name_concatenate(
+			       dns_fixedname_name(&name),
+			       dns_name_isabsolute(dns_fixedname_name(&name)) ?
+			                    NULL : dns_fixedname_name(&origin),
+			       dns_fixedname_name(&fullname2), NULL);
+			if (dns_result != ISC_R_SUCCESS) {
+				t_info("dns_name_concatenate failed %s\n",
+				       dns_result_totext(dns_result));
 				++nprobs;
 				break;
 			}
 
-			t_info("comparing\t<%s>\n", fixedname_totext(&fullname1));
+			t_info("comparing\t<%s>\n",
+			       fixedname_totext(&fullname1));
 			t_info("\twith\t<%s>\n", fixedname_totext(&fullname2));
 
 			dns_namereln = dns_name_fullcompare(
@@ -664,20 +668,23 @@ t9_walkchain(dns_rbtnodechain_t *chain, dns_rbt_t *rbt) {
 						&order, &nlabels, &nbits);
 
 			if (order >= 0) {
-				t_info("unexpected order %s %s %s\n",
-					dnsname_totext(dns_fixedname_name(&fullname1)),
-					order == -1 ? "<" : (order == 0 ? "==" : ">"),
-					dnsname_totext(dns_fixedname_name(&fullname2)));
+			    t_info("unexpected order %s %s %s\n",
+			       dnsname_totext(dns_fixedname_name(&fullname1)),
+			       order == -1 ? "<" : (order == 0 ? "==" : ">"),
+			       dnsname_totext(dns_fixedname_name(&fullname2)));
 				++nprobs;
 			}
 		}
 
 		++cnt;
-	}
-	return(nprobs);
+	} while (1);
+
+	return (nprobs);
 }
 
-/* test by exercising the first|last|next|prev funcs in useful ways */
+/*
+ * Test by exercising the first|last|next|prev funcs in useful ways.
+ */
 
 static int
 t_namechk(isc_result_t dns_result, dns_fixedname_t *dns_name, char *exp_name,
@@ -743,7 +750,8 @@ t_dns_rbtnodechain_init(char *dbfile, char *findname,
 	mctx = NULL;
 	isc_result = isc_mem_create(0, 0, &mctx);
 	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_mem_create failed %s\n", isc_result_totext(isc_result));
+		t_info("isc_mem_create failed %s\n",
+		       isc_result_totext(isc_result));
 		return(result);
 	}
 
@@ -757,7 +765,7 @@ t_dns_rbtnodechain_init(char *dbfile, char *findname,
 	}
 
 	len = strlen(findname);
-	isc_buffer_init(&isc_buffer, findname, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&isc_buffer, findname, len);
 	isc_buffer_add(&isc_buffer, len);
 
 	dns_fixedname_init(&dns_foundname);
@@ -771,94 +779,113 @@ t_dns_rbtnodechain_init(char *dbfile, char *findname,
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_findname),
 					&isc_buffer, NULL, ISC_FALSE, NULL);
 
-	if (dns_result != DNS_R_SUCCESS) {
-		t_info("dns_name_fromtext failed %s\n", dns_result_totext(dns_result));
+	if (dns_result != ISC_R_SUCCESS) {
+		t_info("dns_name_fromtext failed %s\n",
+		       dns_result_totext(dns_result));
 		return(result);
 	}
 
-	/* set the starting node */
+	/*
+	 * Set the starting node.
+	 */
 	node = NULL;
 	dns_result = dns_rbt_findnode(rbt, dns_fixedname_name(&dns_findname),
-					dns_fixedname_name(&dns_foundname),
-					&node, &chain, ISC_TRUE, NULL, NULL);
+				      dns_fixedname_name(&dns_foundname),
+				      &node, &chain, DNS_RBTFIND_EMPTYDATA,
+				      NULL, NULL);
 
-	if (dns_result != DNS_R_SUCCESS) {
-		t_info("dns_rbt_findnode failed %s\n", dns_result_totext(dns_result));
+	if (dns_result != ISC_R_SUCCESS) {
+		t_info("dns_rbt_findnode failed %s\n",
+		       dns_result_totext(dns_result));
 		return(result);
 	}
 
-	/* check next */
+	/*
+	 * Check next.
+	 */
 	t_info("checking for next name of %s and new origin of %s\n",
-			nextname, nextorigin);
+	       nextname, nextorigin);
 	dns_result = dns_rbtnodechain_next(&chain,
-			dns_fixedname_name(&dns_nextname),
-			dns_fixedname_name(&dns_origin));
+					   dns_fixedname_name(&dns_nextname),
+					   dns_fixedname_name(&dns_origin));
 
-	if ((dns_result != DNS_R_SUCCESS) && (dns_result != DNS_R_NEWORIGIN)) {
+	if ((dns_result != ISC_R_SUCCESS) &&
+	    (dns_result != DNS_R_NEWORIGIN)) {
 		t_info("dns_rbtnodechain_next unexpectedly returned %s\n",
-				dns_result_totext(dns_result));
+		       dns_result_totext(dns_result));
 	}
 
-	nfails += t_namechk(dns_result, &dns_nextname, nextname, &dns_origin, nextorigin,
-			    DNS_R_NEWORIGIN);
+	nfails += t_namechk(dns_result, &dns_nextname, nextname, &dns_origin,
+			    nextorigin, DNS_R_NEWORIGIN);
 
-	/* set the starting node again */
+	/*
+	 * Set the starting node again.
+	 */
 	node = NULL;
 	dns_fixedname_init(&dns_foundname);
 	dns_result = dns_rbt_findnode(rbt, dns_fixedname_name(&dns_findname),
-					dns_fixedname_name(&dns_foundname),
-					&node, &chain, ISC_TRUE, NULL, NULL);
+				      dns_fixedname_name(&dns_foundname),
+				      &node, &chain, DNS_RBTFIND_EMPTYDATA,
+				      NULL, NULL);
 
-	if (dns_result != DNS_R_SUCCESS) {
-		t_info("\tdns_rbt_findnode failed %s\n", dns_result_totext(dns_result));
+	if (dns_result != ISC_R_SUCCESS) {
+		t_info("\tdns_rbt_findnode failed %s\n",
+		       dns_result_totext(dns_result));
 		return(result);
 	}
 
-	/* check previous */
+	/*
+	 * Check previous.
+	 */
 	t_info("checking for previous name of %s and new origin of %s\n",
-			prevname, prevorigin);
+	       prevname, prevorigin);
 	dns_fixedname_init(&dns_origin);
 	dns_result = dns_rbtnodechain_prev(&chain,
-			dns_fixedname_name(&dns_prevname),
-			dns_fixedname_name(&dns_origin));
+					   dns_fixedname_name(&dns_prevname),
+					   dns_fixedname_name(&dns_origin));
 
-	if ((dns_result != DNS_R_SUCCESS) && (dns_result != DNS_R_NEWORIGIN)) {
+	if ((dns_result != ISC_R_SUCCESS) &&
+	    (dns_result != DNS_R_NEWORIGIN)) {
 		t_info("dns_rbtnodechain_prev unexpectedly returned %s\n",
-				dns_result_totext(dns_result));
+		       dns_result_totext(dns_result));
 	}
-	nfails += t_namechk(dns_result, &dns_prevname, prevname, &dns_origin, prevorigin,
-			    DNS_R_NEWORIGIN);
-
+	nfails += t_namechk(dns_result, &dns_prevname, prevname, &dns_origin,
+			    prevorigin, DNS_R_NEWORIGIN);
 
-	/* check first */
+	/*
+	 * Check first.
+	 */
 	t_info("checking for first name of %s and new origin of %s\n",
-			firstname, firstorigin);
+	       firstname, firstorigin);
 	dns_result = dns_rbtnodechain_first(&chain, rbt,
-			dns_fixedname_name(&dns_firstname),
-			dns_fixedname_name(&dns_origin));
+					    dns_fixedname_name(&dns_firstname),
+					    dns_fixedname_name(&dns_origin));
 
 	if (dns_result != DNS_R_NEWORIGIN) {
 		t_info("dns_rbtnodechain_first unexpectedly returned %s\n",
-				dns_result_totext(dns_result));
+		       dns_result_totext(dns_result));
 	}
-	nfails += t_namechk(dns_result, &dns_firstname, firstname, &dns_origin, firstorigin,
-			    DNS_R_NEWORIGIN);
+	nfails += t_namechk(dns_result, &dns_firstname, firstname,
+			    &dns_origin, firstorigin, DNS_R_NEWORIGIN);
 
-
-	/* check last */
+	/*
+	 * Check last.
+	 */
 	t_info("checking for last name of %s\n", lastname);
 	dns_result = dns_rbtnodechain_last(&chain, rbt,
-			dns_fixedname_name(&dns_lastname),
-			dns_fixedname_name(&dns_origin));
+					   dns_fixedname_name(&dns_lastname),
+					   dns_fixedname_name(&dns_origin));
 
 	if (dns_result != DNS_R_NEWORIGIN) {
 		t_info("dns_rbtnodechain_last unexpectedly returned %s\n",
-				dns_result_totext(dns_result));
+		       dns_result_totext(dns_result));
 	}
-	nfails += t_namechk(dns_result, &dns_lastname, lastname, &dns_origin, lastorigin,
-			    DNS_R_NEWORIGIN);
+	nfails += t_namechk(dns_result, &dns_lastname, lastname, &dns_origin,
+			    lastorigin, DNS_R_NEWORIGIN);
 
-	/* check node ordering */
+	/*
+	 * Check node ordering.
+	 */
 	t_info("checking node ordering\n");
 	nfails += t9_walkchain(&chain, rbt);
 
@@ -874,7 +901,6 @@ t_dns_rbtnodechain_init(char *dbfile, char *findname,
 
 static int
 test_dns_rbtnodechain_init(char *filename) {
-
 	FILE		*fp;
 	char		*p;
 	int		line;
@@ -893,41 +919,41 @@ test_dns_rbtnodechain_init(char *filename) {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = t_bustline(p, Tokens);
 			if (cnt == 10) {
 				result = t_dns_rbtnodechain_init(
-						Tokens[0],	/* dbfile */
-						Tokens[1],	/* startname */
-						Tokens[2],	/* nextname */
-						Tokens[3],	/* nextorigin */
-						Tokens[4],	/* prevname */
-						Tokens[5],	/* prevorigin */
-						Tokens[6],	/* firstname */
-						Tokens[7],	/* firstorigin */
-						Tokens[8],	/* lastname */
-						Tokens[9]);	/* lastorigin */
+						Tokens[0],  /* dbfile */
+						Tokens[1],  /* startname */
+						Tokens[2],  /* nextname */
+						Tokens[3],  /* nextorigin */
+						Tokens[4],  /* prevname */
+						Tokens[5],  /* prevorigin */
+						Tokens[6],  /* firstname */
+						Tokens[7],  /* firstorigin */
+						Tokens[8],  /* lastname */
+						Tokens[9]); /* lastorigin */
 				if (result != T_PASS) {
 					if (result == T_FAIL)
 						++nfails;
 					else
 						++nprobs;
 				}
-			}
-			else {
+			} else {
 				t_info("bad format in %s at line %d\n",
 						filename, line);
 				++nprobs;
 			}
 
-			(void) free(p);
+			(void)free(p);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile %s\n", filename);
 		++nprobs;
 	}
@@ -955,8 +981,8 @@ static int
 t_dns_rbtnodechain_first(char *dbfile, char *expected_firstname,
 				char *expected_firstorigin,
 				char *expected_nextname,
-				char *expected_nextorigin) {
-
+				char *expected_nextorigin)
+{
 	int			result;
 	int			nfails;
 	dns_rbt_t		*rbt;
@@ -978,7 +1004,8 @@ t_dns_rbtnodechain_first(char *dbfile, char *expected_firstname,
 
 	isc_result = isc_mem_create(0, 0, &mctx);
 	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_mem_create failed %s\n", isc_result_totext(isc_result));
+		t_info("isc_mem_create failed %s\n",
+		       isc_result_totext(isc_result));
 		return(result);
 	}
 
@@ -1013,12 +1040,12 @@ t_dns_rbtnodechain_first(char *dbfile, char *expected_firstname,
 	t_info("testing for next name of %s, origin of %s\n",
 			expected_nextname, expected_nextorigin);
 			
-	if ((dns_result != DNS_R_SUCCESS) && (dns_result != DNS_R_NEWORIGIN)) {
+	if ((dns_result != ISC_R_SUCCESS) && (dns_result != DNS_R_NEWORIGIN)) {
 		t_info("dns_rbtnodechain_next unexpectedly returned %s\n",
 				dns_result_totext(dns_result));
 	}
 	if (strcasecmp(expected_firstorigin, expected_nextorigin) == 0)
-		expected_result = DNS_R_SUCCESS;
+		expected_result = ISC_R_SUCCESS;
 	else
 		expected_result = DNS_R_NEWORIGIN;
 	nfails += t_namechk(dns_result, &dns_name, expected_nextname,
@@ -1036,7 +1063,6 @@ t_dns_rbtnodechain_first(char *dbfile, char *expected_firstname,
 
 static int
 test_dns_rbtnodechain_first(char *filename) {
-
 	FILE		*fp;
 	char		*p;
 	int		line;
@@ -1055,36 +1081,36 @@ test_dns_rbtnodechain_first(char *filename) {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = t_bustline(p, Tokens);
 			if (cnt == 5) {
 				result = t_dns_rbtnodechain_first(
-						Tokens[0],	/* dbfile */
-						Tokens[1],	/* expected firstname */
-						Tokens[2],	/* expected firstorigin */
-						Tokens[3],	/* expected nextname */
-						Tokens[4]);	/* expected nextorigin */
+						Tokens[0],  /* dbfile */
+						Tokens[1],  /* firstname */
+						Tokens[2],  /* firstorigin */
+						Tokens[3],  /* nextname */
+						Tokens[4]); /* nextorigin */
 				if (result != T_PASS) {
 					if (result == T_FAIL)
 						++nfails;
 					else
 						++nprobs;
 				}
-			}
-			else {
+			} else {
 				t_info("bad format in %s at line %d\n",
 						filename, line);
 				++nprobs;
 			}
 
-			(void) free(p);
+			(void)free(p);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile %s\n", filename);
 		++nprobs;
 	}
@@ -1099,10 +1125,11 @@ test_dns_rbtnodechain_first(char *filename) {
 	return(result);
 }
 
-static char	*a10 =	"a call to dns_rbtnodechain_first(chain, rbt, name, origin) "
+static char	*a10 =	"a call to "
+			"dns_rbtnodechain_first(chain, rbt, name, origin) "
 			"sets name to point to the root of the tree, "
 			"origin to point to the origin, "
-			" and returns DNS_R_NEWORIGIN";
+			"and returns DNS_R_NEWORIGIN";
 
 static void
 t10() {
@@ -1115,9 +1142,10 @@ t10() {
 
 static int
 t_dns_rbtnodechain_last(char *dbfile, char *expected_lastname,
-				char *expected_lastorigin,
-				char *expected_prevname,
-				char *expected_prevorigin) {
+			char *expected_lastorigin,
+			char *expected_prevname,
+			char *expected_prevorigin)
+{
 
 	int			result;
 	int			nfails;
@@ -1140,7 +1168,8 @@ t_dns_rbtnodechain_last(char *dbfile, char *expected_lastname,
 
 	isc_result = isc_mem_create(0, 0, &mctx);
 	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_mem_create failed %s\n", isc_result_totext(isc_result));
+		t_info("isc_mem_create failed %s\n",
+		       isc_result_totext(isc_result));
 		return(result);
 	}
 
@@ -1153,32 +1182,35 @@ t_dns_rbtnodechain_last(char *dbfile, char *expected_lastname,
 		return(result);
 	}
 
-	t_info("testing for last name of %s, origin of %s\n", expected_lastname, expected_lastorigin);
+	t_info("testing for last name of %s, origin of %s\n",
+	       expected_lastname, expected_lastorigin);
 
 	dns_result = dns_rbtnodechain_last(&chain, rbt,
-			dns_fixedname_name(&dns_name),
-			dns_fixedname_name(&dns_origin));
+					   dns_fixedname_name(&dns_name),
+					   dns_fixedname_name(&dns_origin));
 
 	if (dns_result != DNS_R_NEWORIGIN) {
 		t_info("dns_rbtnodechain_last unexpectedly returned %s\n",
-			dns_result_totext(dns_result));
+		       dns_result_totext(dns_result));
 	}
-	nfails = t_namechk(dns_result, &dns_name, expected_lastname, &dns_origin, expected_lastorigin,
-			   DNS_R_NEWORIGIN);
+	nfails = t_namechk(dns_result, &dns_name, expected_lastname,
+			   &dns_origin, expected_lastorigin, DNS_R_NEWORIGIN);
 
-	t_info("testing for previous name of %s, origin of %s\n", expected_prevname, expected_prevorigin);
+	t_info("testing for previous name of %s, origin of %s\n",
+	       expected_prevname, expected_prevorigin);
 
 	dns_fixedname_init(&dns_name);
 	dns_result = dns_rbtnodechain_prev(&chain,
-			dns_fixedname_name(&dns_name),
-			dns_fixedname_name(&dns_origin));
+					   dns_fixedname_name(&dns_name),
+					   dns_fixedname_name(&dns_origin));
 
-	if ((dns_result != DNS_R_SUCCESS) && (dns_result != DNS_R_NEWORIGIN)) {
+	if ((dns_result != ISC_R_SUCCESS) &&
+	    (dns_result != DNS_R_NEWORIGIN)) {
 		t_info("dns_rbtnodechain_prev unexpectedly returned %s\n",
-			dns_result_totext(dns_result));
+		       dns_result_totext(dns_result));
 	}
 	if (strcasecmp(expected_lastorigin, expected_prevorigin) == 0)
-		expected_result = DNS_R_SUCCESS;
+		expected_result = ISC_R_SUCCESS;
 	else
 		expected_result = DNS_R_NEWORIGIN;
 	nfails += t_namechk(dns_result, &dns_name, expected_prevname,
@@ -1196,7 +1228,6 @@ t_dns_rbtnodechain_last(char *dbfile, char *expected_lastname,
 
 static int
 test_dns_rbtnodechain_last(char *filename) {
-
 	FILE		*fp;
 	char		*p;
 	int		line;
@@ -1215,36 +1246,36 @@ test_dns_rbtnodechain_last(char *filename) {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = t_bustline(p, Tokens);
 			if (cnt == 5) {
 				result = t_dns_rbtnodechain_last(
-						Tokens[0],	/* dbfile */
-						Tokens[1],	/* expected lastname */
-						Tokens[2],	/* expected lastorigin */
-						Tokens[3],	/* expected prevname */
-						Tokens[4]);	/* expected prevorigin */
+						Tokens[0],     /* dbfile */
+						Tokens[1],     /* lastname */
+						Tokens[2],     /* lastorigin */
+						Tokens[3],     /* prevname */
+						Tokens[4]);    /* prevorigin */
 				if (result != T_PASS) {
 					if (result == T_FAIL)
 						++nfails;
 					else
 						++nprobs;
 				}
-			}
-			else {
+			} else {
 				t_info("bad format in %s at line %d\n",
-						filename, line);
+				       filename, line);
 				++nprobs;
 			}
 
-			(void) free(p);
+			(void)free(p);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile %s\n", filename);
 		++nprobs;
 	}
@@ -1259,7 +1290,8 @@ test_dns_rbtnodechain_last(char *filename) {
 	return(result);
 }
 
-static char	*a11 =	"a call to dns_rbtnodechain_last(chain, rbt, name, origin) "
+static char	*a11 =	"a call to "
+			"dns_rbtnodechain_last(chain, rbt, name, origin) "
 			"sets name to point to the last node of the megatree, "
 			"origin to the name of the level above it, "
 			"and returns DNS_R_NEWORIGIN";
@@ -1275,7 +1307,8 @@ t11() {
 
 static int
 t_dns_rbtnodechain_next(char *dbfile, char *findname,
-			char *nextname, char *nextorigin) {
+			char *nextname, char *nextorigin)
+{
 
 	int			result;
 	int			len;
@@ -1300,7 +1333,8 @@ t_dns_rbtnodechain_next(char *dbfile, char *findname,
 	mctx = NULL;
 	isc_result = isc_mem_create(0, 0, &mctx);
 	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_mem_create failed %s\n", isc_result_totext(isc_result));
+		t_info("isc_mem_create failed %s\n",
+		       isc_result_totext(isc_result));
 		return(result);
 	}
 
@@ -1314,7 +1348,7 @@ t_dns_rbtnodechain_next(char *dbfile, char *findname,
 	}
 
 	len = strlen(findname);
-	isc_buffer_init(&isc_buffer, findname, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&isc_buffer, findname, len);
 	isc_buffer_add(&isc_buffer, len);
 
 	dns_fixedname_init(&dns_foundname);
@@ -1323,38 +1357,45 @@ t_dns_rbtnodechain_next(char *dbfile, char *findname,
 	dns_fixedname_init(&dns_origin);
 
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_findname),
-					&isc_buffer, NULL, ISC_FALSE, NULL);
+				       &isc_buffer, NULL, ISC_FALSE, NULL);
 
-	if (dns_result != DNS_R_SUCCESS) {
-		t_info("dns_name_fromtext failed %s\n", dns_result_totext(dns_result));
+	if (dns_result != ISC_R_SUCCESS) {
+		t_info("dns_name_fromtext failed %s\n",
+		       dns_result_totext(dns_result));
 		return(result);
 	}
 
-	/* set the starting node */
+	/*
+	 * Set the starting node.
+	 */
 	node = NULL;
 	dns_result = dns_rbt_findnode(rbt, dns_fixedname_name(&dns_findname),
-					dns_fixedname_name(&dns_foundname),
-					&node, &chain, ISC_TRUE, NULL, NULL);
+				      dns_fixedname_name(&dns_foundname),
+				      &node, &chain, DNS_RBTFIND_EMPTYDATA,
+				      NULL, NULL);
 
-	if (dns_result != DNS_R_SUCCESS) {
-		t_info("dns_rbt_findnode failed %s\n", dns_result_totext(dns_result));
+	if (dns_result != ISC_R_SUCCESS) {
+		t_info("dns_rbt_findnode failed %s\n",
+		       dns_result_totext(dns_result));
 		return(result);
 	}
 
-	/* check next */
+	/*
+	 * Check next.
+	 */
 	t_info("checking for next name of %s and new origin of %s\n",
-			nextname, nextorigin);
+	       nextname, nextorigin);
 	dns_result = dns_rbtnodechain_next(&chain,
-			dns_fixedname_name(&dns_nextname),
-			dns_fixedname_name(&dns_origin));
+					   dns_fixedname_name(&dns_nextname),
+					   dns_fixedname_name(&dns_origin));
 
-	if ((dns_result != DNS_R_SUCCESS) && (dns_result != DNS_R_NEWORIGIN)) {
+	if ((dns_result != ISC_R_SUCCESS) && (dns_result != DNS_R_NEWORIGIN)) {
 		t_info("dns_rbtnodechain_next unexpectedly returned %s\n",
-				dns_result_totext(dns_result));
+		       dns_result_totext(dns_result));
 	}
 
-	nfails += t_namechk(dns_result, &dns_nextname, nextname, &dns_origin, nextorigin,
-			    DNS_R_NEWORIGIN);
+	nfails += t_namechk(dns_result, &dns_nextname, nextname, &dns_origin,
+			    nextorigin, DNS_R_NEWORIGIN);
 
 	if (nfails)
 		result = T_FAIL;
@@ -1368,7 +1409,6 @@ t_dns_rbtnodechain_next(char *dbfile, char *findname,
 
 static int
 test_dns_rbtnodechain_next(char *filename) {
-
 	FILE		*fp;
 	char		*p;
 	int		line;
@@ -1387,35 +1427,35 @@ test_dns_rbtnodechain_next(char *filename) {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = t_bustline(p, Tokens);
 			if (cnt == 4) {
 				result = t_dns_rbtnodechain_next(
-						Tokens[0],	/* dbfile */
-						Tokens[1],	/* findname */
-						Tokens[2],	/* expected nextname */
-						Tokens[3]);	/* expected nextorigin */
+						Tokens[0],     /* dbfile */
+						Tokens[1],     /* findname */
+						Tokens[2],     /* nextname */
+						Tokens[3]);    /* nextorigin */
 				if (result != T_PASS) {
 					if (result == T_FAIL)
 						++nfails;
 					else
 						++nprobs;
 				}
-			}
-			else {
+			} else {
 				t_info("bad format in %s at line %d\n",
-						filename, line);
+				       filename, line);
 				++nprobs;
 			}
 
-			(void) free(p);
+			(void)free(p);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile %s\n", filename);
 		++nprobs;
 	}
@@ -1432,7 +1472,8 @@ test_dns_rbtnodechain_next(char *filename) {
 
 static char	*a12 =	"a call to dns_rbtnodechain_next(chain, name, origin) "
 			"sets name to point to the next node of the tree "
-			"and returns DNS_R_SUCCESS or DNS_R_NEWORIGIN on success";
+			"and returns ISC_R_SUCCESS or "
+			"DNS_R_NEWORIGIN on success";
 
 
 static void
@@ -1445,9 +1486,9 @@ t12() {
 }
 
 static int
-t_dns_rbtnodechain_prev(char *dbfile, char *findname,
-			char *prevname, char *prevorigin) {
-
+t_dns_rbtnodechain_prev(char *dbfile, char *findname, char *prevname,
+			char *prevorigin)
+{
 	int			result;
 	int			len;
 	int			nfails;
@@ -1471,7 +1512,8 @@ t_dns_rbtnodechain_prev(char *dbfile, char *findname,
 	mctx = NULL;
 	isc_result = isc_mem_create(0, 0, &mctx);
 	if (isc_result != ISC_R_SUCCESS) {
-		t_info("isc_mem_create failed %s\n", isc_result_totext(isc_result));
+		t_info("isc_mem_create failed %s\n",
+		       isc_result_totext(isc_result));
 		return(result);
 	}
 
@@ -1485,7 +1527,7 @@ t_dns_rbtnodechain_prev(char *dbfile, char *findname,
 	}
 
 	len = strlen(findname);
-	isc_buffer_init(&isc_buffer, findname, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&isc_buffer, findname, len);
 	isc_buffer_add(&isc_buffer, len);
 
 	dns_fixedname_init(&dns_foundname);
@@ -1494,38 +1536,45 @@ t_dns_rbtnodechain_prev(char *dbfile, char *findname,
 	dns_fixedname_init(&dns_origin);
 
 	dns_result = dns_name_fromtext(dns_fixedname_name(&dns_findname),
-					&isc_buffer, NULL, ISC_FALSE, NULL);
+				       &isc_buffer, NULL, ISC_FALSE, NULL);
 
-	if (dns_result != DNS_R_SUCCESS) {
-		t_info("dns_name_fromtext failed %s\n", dns_result_totext(dns_result));
+	if (dns_result != ISC_R_SUCCESS) {
+		t_info("dns_name_fromtext failed %s\n",
+		       dns_result_totext(dns_result));
 		return(result);
 	}
 
-	/* set the starting node */
+	/*
+	 * Set the starting node.
+	 */
 	node = NULL;
 	dns_result = dns_rbt_findnode(rbt, dns_fixedname_name(&dns_findname),
-					dns_fixedname_name(&dns_foundname),
-					&node, &chain, ISC_TRUE, NULL, NULL);
+				      dns_fixedname_name(&dns_foundname),
+				      &node, &chain, DNS_RBTFIND_EMPTYDATA,
+				      NULL, NULL);
 
-	if (dns_result != DNS_R_SUCCESS) {
-		t_info("dns_rbt_findnode failed %s\n", dns_result_totext(dns_result));
+	if (dns_result != ISC_R_SUCCESS) {
+		t_info("dns_rbt_findnode failed %s\n",
+		       dns_result_totext(dns_result));
 		return(result);
 	}
 
-	/* check next */
+	/*
+	 * Check next.
+	 */
 	t_info("checking for next name of %s and new origin of %s\n",
-			prevname, prevorigin);
+	       prevname, prevorigin);
 	dns_result = dns_rbtnodechain_prev(&chain,
-			dns_fixedname_name(&dns_prevname),
-			dns_fixedname_name(&dns_origin));
+					   dns_fixedname_name(&dns_prevname),
+					   dns_fixedname_name(&dns_origin));
 
-	if ((dns_result != DNS_R_SUCCESS) && (dns_result != DNS_R_NEWORIGIN)) {
+	if ((dns_result != ISC_R_SUCCESS) && (dns_result != DNS_R_NEWORIGIN)) {
 		t_info("dns_rbtnodechain_prev unexpectedly returned %s\n",
-				dns_result_totext(dns_result));
+		       dns_result_totext(dns_result));
 	}
 
-	nfails += t_namechk(dns_result, &dns_prevname, prevname, &dns_origin, prevorigin,
-			    DNS_R_NEWORIGIN);
+	nfails += t_namechk(dns_result, &dns_prevname, prevname, &dns_origin,
+			    prevorigin, DNS_R_NEWORIGIN);
 
 	if (nfails)
 		result = T_FAIL;
@@ -1539,7 +1588,6 @@ t_dns_rbtnodechain_prev(char *dbfile, char *findname,
 
 static int
 test_dns_rbtnodechain_prev(char *filename) {
-
 	FILE		*fp;
 	char		*p;
 	int		line;
@@ -1558,35 +1606,35 @@ test_dns_rbtnodechain_prev(char *filename) {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = t_bustline(p, Tokens);
 			if (cnt == 4) {
 				result = t_dns_rbtnodechain_prev(
-						Tokens[0],	/* dbfile */
-						Tokens[1],	/* findname */
-						Tokens[2],	/* expected prevname */
-						Tokens[3]);	/* expected prevorigin */
+						Tokens[0],     /* dbfile */
+						Tokens[1],     /* findname */
+						Tokens[2],     /* prevname */
+						Tokens[3]);    /* prevorigin */
 				if (result != T_PASS) {
 					if (result == T_FAIL)
 						++nfails;
 					else
 						++nprobs;
 				}
-			}
-			else {
+			} else {
 				t_info("bad format in %s at line %d\n",
 						filename, line);
 				++nprobs;
 			}
 
-			(void) free(p);
+			(void)free(p);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile %s\n", filename);
 		++nprobs;
 	}
@@ -1603,7 +1651,8 @@ test_dns_rbtnodechain_prev(char *filename) {
 
 static char	*a13 =	"a call to dns_rbtnodechain_prev(chain, name, origin) "
 			"sets name to point to the previous node of the tree "
-			"and returns DNS_R_SUCCESS or DNS_R_NEWORIGIN on success";
+			"and returns ISC_R_SUCCESS or "
+			"DNS_R_NEWORIGIN on success";
 
 static void
 t13() {
diff --git a/bin/tests/rbt_test.c b/bin/tests/rbt_test.c
index 3dd5c388..c7a77bec 100644
--- a/bin/tests/rbt_test.c
+++ b/bin/tests/rbt_test.c
@@ -16,15 +16,16 @@
  */
 
 #include <config.h>
+
 #include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
 
 #include <isc/commandline.h>
-#include <isc/boolean.h>
+#include <isc/mem.h>
+#include <isc/string.h>
 
 #include <dns/rbt.h>
 #include <dns/fixedname.h>
+#include <dns/result.h>
 
 char *progname;
 isc_mem_t *mctx;
@@ -45,12 +46,12 @@ create_name(char *s) {
 
 	length = strlen(s);
 
-	isc_buffer_init(&source, s, length, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&source, s, length);
 	isc_buffer_add(&source, length);
 
 	/*
 	 * It isn't really necessary in this program to create individual
-	 * memory spaces for each name structure and its associate character
+	 * memory spaces for each name structure and its associated character
 	 * string.  It is done here to provide a relatively easy way to test
 	 * the callback from dns_rbt_deletename that is supposed to free the
 	 * data associated with a node.
@@ -65,12 +66,12 @@ create_name(char *s) {
 	}
 
 	dns_name_init(name, NULL);
-	isc_buffer_init(&target, name + 1, DNSNAMELEN, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&target, name + 1, DNSNAMELEN);
 
 	result = dns_name_fromtext(name, &source, dns_rootname,
 				   ISC_FALSE, &target);
 
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		printf("dns_name_fromtext(%s) failed: %s\n",
 		       s, dns_result_totext(result));
 		return (NULL);
@@ -93,7 +94,7 @@ print_name(dns_name_t *name) {
 	isc_buffer_t target;
 	char *buffer[256];
 
-	isc_buffer_init(&target, buffer, sizeof(buffer), ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&target, buffer, sizeof(buffer));
 
 	/*
 	 * ISC_FALSE means absolute names have the final dot added.
@@ -129,17 +130,17 @@ detail(dns_rbt_t *rbt, dns_name_t *name) {
 	printf("\n");
 
 	result = dns_rbt_findnode(rbt, name, foundname, &node1, &chain,
-				  ISC_TRUE, NULL, NULL);
+				  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
 
 	switch (result) {
-	case DNS_R_SUCCESS:
+	case ISC_R_SUCCESS:
 		printf("  found exact.");
 		nodes_should_match = ISC_TRUE;
 		break;
 	case DNS_R_PARTIALMATCH:
 		printf("  found parent.");
 		break;
-	case DNS_R_NOTFOUND:
+	case ISC_R_NOTFOUND:
 		printf("  name not found.");
 		break;
 	default:
@@ -153,14 +154,14 @@ detail(dns_rbt_t *rbt, dns_name_t *name) {
 	} else
 		printf("  no data at node.");
 
-	if (result == DNS_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
 		printf("\n  name from dns_rbt_findnode: ");
 		print_name(foundname);
 	}
 
 	result = dns_rbtnodechain_current(&chain, foundname, origin, &node2);
 
-	if (result == DNS_R_SUCCESS) {
+	if (result == ISC_R_SUCCESS) {
 		printf("\n  name from dns_rbtnodechain_current: ");
 
 		/*
@@ -172,7 +173,7 @@ detail(dns_rbt_t *rbt, dns_name_t *name) {
 					      dns_name_isabsolute(foundname) ?
 					          NULL : origin,
 					      fullname, NULL);
-		if (result == DNS_R_SUCCESS)
+		if (result == ISC_R_SUCCESS)
 			print_name(fullname);
 		else
 			printf("%s\n", dns_result_totext(result));
@@ -223,7 +224,7 @@ iterate(dns_rbt_t *rbt, isc_boolean_t forward) {
 					       origin);
 	}
 
-	if (result != DNS_R_SUCCESS && result != DNS_R_NEWORIGIN)
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
 		printf("start not found!\n");
 
 	else {
@@ -234,13 +235,13 @@ iterate(dns_rbt_t *rbt, isc_boolean_t forward) {
 				printf("\n");
 			}
 
-			if (result == DNS_R_SUCCESS ||
+			if (result == ISC_R_SUCCESS ||
 			    result == DNS_R_NEWORIGIN) {
 				print_name(&foundname);
 				printf("\n");
 
 			} else {
-				if (result != DNS_R_NOMORE)
+				if (result != ISC_R_NOMORE)
 				       printf("UNEXEPCTED ITERATION ERROR: %s",
 					      dns_result_totext(result));
 				break;
@@ -253,7 +254,7 @@ iterate(dns_rbt_t *rbt, isc_boolean_t forward) {
 
 
 #define CMDCHECK(s)	(strncasecmp(command, (s), length) == 0)
-#define PRINTERR(r)	if (r != DNS_R_SUCCESS) \
+#define PRINTERR(r)	if (r != ISC_R_SUCCESS) \
 				printf("... %s\n", dns_result_totext(r));
 
 int
@@ -299,7 +300,7 @@ main (int argc, char **argv) {
 	}
 
 	result = dns_rbt_create(mctx, delete_name, NULL, &rbt);
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		printf("dns_rbt_create: %s: exiting\n",
 		       dns_result_totext(result));
 		exit(1);
@@ -372,11 +373,11 @@ main (int argc, char **argv) {
 						dns_fixedname_name(&fixedname);
 					data = NULL;
 
-					result = dns_rbt_findname(rbt, name,
+					result = dns_rbt_findname(rbt, name, 0,
 								  foundname,
 								  &data);
 					switch (result) {
-					case DNS_R_SUCCESS:
+					case ISC_R_SUCCESS:
 						printf("found exact: ");
 						print_name(data);
 						putchar('\n');
@@ -388,10 +389,10 @@ main (int argc, char **argv) {
 						print_name(foundname);
 						printf(")\n");
 						break;
-					case DNS_R_NOTFOUND:
+					case ISC_R_NOTFOUND:
 						printf("NOT FOUND!\n");
 						break;
-					case DNS_R_NOMEMORY:
+					case ISC_R_NOMEMORY:
 						printf("OUT OF MEMORY!\n");
 						break;
 					default:
diff --git a/bin/tests/rdata_test.c b/bin/tests/rdata_test.c
index 3178f950..0b37c4ec 100644
--- a/bin/tests/rdata_test.c
+++ b/bin/tests/rdata_test.c
@@ -17,25 +17,754 @@
 
 #include <config.h>
 
-#include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 
-#include <isc/assertions.h>
+#include <isc/buffer.h>
 #include <isc/commandline.h>
-#include <isc/error.h>
 #include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <dns/rdata.h>
 #include <dns/compress.h>
 #include <dns/rdataclass.h>
+#include <dns/rdatastruct.h>
 #include <dns/rdatatype.h>
+#include <dns/result.h>
 
 isc_mem_t *mctx;
 isc_lex_t *lex;
 
 isc_lexspecials_t specials;
 
+static void
+viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
+	  dns_rdata_t *rdata2, isc_buffer_t *b)
+{
+	isc_result_t result;
+	void *sp = NULL;
+	isc_boolean_t need_free = ISC_FALSE;
+	dns_rdatatype_t rdt;
+	dns_rdataclass_t rdc;
+
+	UNUSED(rdata2);	/* XXXMPA remove when fromstruct is ready. */
+	UNUSED(b);
+
+	switch (rdata->type) {
+	case dns_rdatatype_a6: {
+		dns_rdata_in_a6_t in_a6;
+		result = dns_rdata_tostruct(rdata, sp = &in_a6, NULL);
+		break;
+	}
+	case dns_rdatatype_a: {
+		switch (rdata->rdclass) {
+		case dns_rdataclass_hs: {
+			dns_rdata_hs_a_t hs_a;
+			result = dns_rdata_tostruct(rdata, sp = &hs_a, NULL);
+			break;
+		}
+		case dns_rdataclass_in: {
+			dns_rdata_in_a_t in_a;
+			result = dns_rdata_tostruct(rdata, sp = &in_a, NULL);
+			break;
+		}
+		default:
+			result = ISC_R_NOTIMPLEMENTED;
+			break;
+		}
+		break;
+	}
+	case dns_rdatatype_aaaa: {
+		dns_rdata_in_aaaa_t in_aaaa;
+		result = dns_rdata_tostruct(rdata, sp = &in_aaaa, NULL);
+		break;
+	}
+	case dns_rdatatype_afsdb: {
+		dns_rdata_afsdb_t afsdb;
+		result = dns_rdata_tostruct(rdata, sp = &afsdb, NULL);
+		break;
+	}
+	case dns_rdatatype_any: {
+		result = ISC_R_NOTIMPLEMENTED;
+		break;
+	}
+	case dns_rdatatype_cert: {
+		dns_rdata_cert_t cert;
+		result = dns_rdata_tostruct(rdata, sp = &cert, NULL);
+		break;
+	}
+	case dns_rdatatype_cname: {
+		dns_rdata_cname_t cname;
+		result = dns_rdata_tostruct(rdata, sp = &cname, NULL);
+		break;
+	}
+	case dns_rdatatype_dname: {
+		dns_rdata_dname_t dname;
+		result = dns_rdata_tostruct(rdata, sp = &dname, NULL);
+		break;
+	}
+	case dns_rdatatype_gpos: {
+		dns_rdata_gpos_t gpos;
+		result = dns_rdata_tostruct(rdata, sp = &gpos, NULL);
+		break;
+	}
+	case dns_rdatatype_hinfo: {
+		dns_rdata_hinfo_t hinfo;
+		result = dns_rdata_tostruct(rdata, sp = &hinfo, NULL);
+		break;
+	}
+	case dns_rdatatype_isdn: {
+		dns_rdata_isdn_t isdn;
+		result = dns_rdata_tostruct(rdata, sp = &isdn, NULL);
+		break;
+	}
+	case dns_rdatatype_key: {
+		dns_rdata_key_t key;
+		result = dns_rdata_tostruct(rdata, sp = &key, NULL);
+		break;
+	}
+	case dns_rdatatype_kx: {
+		dns_rdata_in_kx_t in_kx;
+		result = dns_rdata_tostruct(rdata, sp = &in_kx, NULL);
+		break;
+	}
+	case dns_rdatatype_loc: {
+		dns_rdata_loc_t loc;
+		result = dns_rdata_tostruct(rdata, sp = &loc, NULL);
+		break;
+	}
+	case dns_rdatatype_mb: {
+		dns_rdata_mb_t mb;
+		result = dns_rdata_tostruct(rdata, sp = &mb, NULL);
+		break;
+	}
+	case dns_rdatatype_md: {
+		dns_rdata_md_t md;
+		result = dns_rdata_tostruct(rdata, sp = &md, NULL);
+		break;
+	}
+	case dns_rdatatype_mf: {
+		dns_rdata_mf_t mf;
+		result = dns_rdata_tostruct(rdata, sp = &mf, NULL);
+		break;
+	}
+	case dns_rdatatype_mg: {
+		dns_rdata_mg_t mg;
+		result = dns_rdata_tostruct(rdata, sp = &mg, NULL);
+		break;
+	}
+	case dns_rdatatype_minfo: {
+		dns_rdata_minfo_t minfo;
+		result = dns_rdata_tostruct(rdata, sp = &minfo, NULL);
+		break;
+	}
+	case dns_rdatatype_mr: {
+		dns_rdata_mr_t mr;
+		result = dns_rdata_tostruct(rdata, sp = &mr, NULL);
+		break;
+	}
+	case dns_rdatatype_mx: {
+		dns_rdata_mx_t mx;
+		result = dns_rdata_tostruct(rdata, sp = &mx, NULL);
+		break;
+	}
+	case dns_rdatatype_naptr: {
+		dns_rdata_in_naptr_t in_naptr;
+		result = dns_rdata_tostruct(rdata, sp = &in_naptr, NULL);
+		break;
+	}
+	case dns_rdatatype_ns: {
+		dns_rdata_ns_t ns;
+		result = dns_rdata_tostruct(rdata, sp = &ns, NULL);
+		break;
+	}
+	case dns_rdatatype_nsap: {
+		dns_rdata_in_nsap_t in_nsap;
+		result = dns_rdata_tostruct(rdata, sp = &in_nsap, NULL);
+		break;
+	}
+	case dns_rdatatype_nsap_ptr: {
+		dns_rdata_in_nsap_ptr_t in_nsap_ptr;
+		result = dns_rdata_tostruct(rdata, sp = &in_nsap_ptr, NULL);
+		break;
+	}
+	case dns_rdatatype_null: {
+		dns_rdata_null_t null;
+		result = dns_rdata_tostruct(rdata, sp = &null, NULL);
+		break;
+	}
+	case dns_rdatatype_nxt: {
+		dns_rdata_nxt_t nxt;
+		result = dns_rdata_tostruct(rdata, sp = &nxt, NULL);
+		break;
+	}
+	case dns_rdatatype_opt: {
+		dns_rdata_opt_t opt;
+		result = dns_rdata_tostruct(rdata, sp = &opt, NULL);
+		break;
+	}
+	case dns_rdatatype_ptr: {
+		dns_rdata_ptr_t ptr;
+		result = dns_rdata_tostruct(rdata, sp = &ptr, NULL);
+		break;
+	}
+	case dns_rdatatype_px: {
+		dns_rdata_in_px_t in_px;
+		result = dns_rdata_tostruct(rdata, sp = &in_px, NULL);
+		break;
+	}
+	case dns_rdatatype_rp: {
+		dns_rdata_rp_t rp;
+		result = dns_rdata_tostruct(rdata, sp = &rp, NULL);
+		break;
+	}
+	case dns_rdatatype_rt: {
+		dns_rdata_rt_t rt;
+		result = dns_rdata_tostruct(rdata, sp = &rt, NULL);
+		break;
+	}
+	case dns_rdatatype_sig: {
+		dns_rdata_sig_t sig;
+		result = dns_rdata_tostruct(rdata, sp = &sig, NULL);
+		break;
+	}
+	case dns_rdatatype_soa: {
+		dns_rdata_soa_t soa;
+		result = dns_rdata_tostruct(rdata, sp = &soa, NULL);
+		break;
+	}
+	case dns_rdatatype_srv: {
+		dns_rdata_in_srv_t in_srv;
+		result = dns_rdata_tostruct(rdata, sp = &in_srv, NULL);
+		break;
+	}
+	case dns_rdatatype_tkey: {
+		dns_rdata_tkey_t tkey;
+		result = dns_rdata_tostruct(rdata, sp = &tkey, NULL);
+		break;
+	}
+	case dns_rdatatype_tsig: {
+		dns_rdata_any_tsig_t tsig;
+		result = dns_rdata_tostruct(rdata, sp = &tsig, NULL);
+		break;
+	}
+	case dns_rdatatype_txt: {
+		dns_rdata_txt_t txt;
+		result = dns_rdata_tostruct(rdata, sp = &txt, NULL);
+		break;
+	}
+	case dns_rdatatype_unspec: {
+		dns_rdata_unspec_t unspec;
+		result = dns_rdata_tostruct(rdata, sp = &unspec, NULL);
+		break;
+	}
+	case dns_rdatatype_wks: {
+		dns_rdata_in_wks_t in_wks;
+		result = dns_rdata_tostruct(rdata, sp = &in_wks, NULL);
+		break;
+	}
+	case dns_rdatatype_x25: {
+		dns_rdata_x25_t x25;
+		result = dns_rdata_tostruct(rdata, sp = &x25, NULL);
+		break;
+	}
+	default:
+		result = ISC_R_NOTIMPLEMENTED;
+		break;
+	}
+	if (result != ISC_R_SUCCESS)
+		fprintf(stdout, "viastruct: tostuct %d %d return %s\n",
+			rdata->type, rdata->rdclass,
+			dns_result_totext(result));
+	else
+		dns_rdata_freestruct(sp);
+
+	switch (rdata->type) {
+	case dns_rdatatype_a6: {
+		dns_rdata_in_a6_t in_a6;
+		result = dns_rdata_tostruct(rdata, sp = &in_a6, mctx);
+		break;
+	}
+	case dns_rdatatype_a: {
+		switch (rdata->rdclass) {
+		case dns_rdataclass_hs: {
+			dns_rdata_hs_a_t hs_a;
+			result = dns_rdata_tostruct(rdata, sp = &hs_a, mctx);
+			break;
+		}
+		case dns_rdataclass_in: {
+			dns_rdata_in_a_t in_a;
+			result = dns_rdata_tostruct(rdata, sp = &in_a, mctx);
+			break;
+		}
+		default:
+			result = ISC_R_NOTIMPLEMENTED;
+			break;
+		}
+		break;
+	}
+	case dns_rdatatype_aaaa: {
+		dns_rdata_in_aaaa_t in_aaaa;
+		result = dns_rdata_tostruct(rdata, sp = &in_aaaa, mctx);
+		break;
+	}
+	case dns_rdatatype_afsdb: {
+		dns_rdata_afsdb_t afsdb;
+		result = dns_rdata_tostruct(rdata, sp = &afsdb, mctx);
+		break;
+	}
+	case dns_rdatatype_any: {
+		result = ISC_R_NOTIMPLEMENTED;
+		break;
+	}
+	case dns_rdatatype_cert: {
+		dns_rdata_cert_t cert;
+		result = dns_rdata_tostruct(rdata, sp = &cert, mctx);
+		break;
+	}
+	case dns_rdatatype_cname: {
+		dns_rdata_cname_t cname;
+		result = dns_rdata_tostruct(rdata, sp = &cname, mctx);
+		break;
+	}
+	case dns_rdatatype_dname: {
+		dns_rdata_dname_t dname;
+		result = dns_rdata_tostruct(rdata, sp = &dname, mctx);
+		break;
+	}
+	case dns_rdatatype_gpos: {
+		dns_rdata_gpos_t gpos;
+		result = dns_rdata_tostruct(rdata, sp = &gpos, mctx);
+		break;
+	}
+	case dns_rdatatype_hinfo: {
+		dns_rdata_hinfo_t hinfo;
+		result = dns_rdata_tostruct(rdata, sp = &hinfo, mctx);
+		break;
+	}
+	case dns_rdatatype_isdn: {
+		dns_rdata_isdn_t isdn;
+		result = dns_rdata_tostruct(rdata, sp = &isdn, mctx);
+		break;
+	}
+	case dns_rdatatype_key: {
+		dns_rdata_key_t key;
+		result = dns_rdata_tostruct(rdata, sp = &key, mctx);
+		break;
+	}
+	case dns_rdatatype_kx: {
+		dns_rdata_in_kx_t in_kx;
+		result = dns_rdata_tostruct(rdata, sp = &in_kx, mctx);
+		break;
+	}
+	case dns_rdatatype_loc: {
+		dns_rdata_loc_t loc;
+		result = dns_rdata_tostruct(rdata, sp = &loc, mctx);
+		break;
+	}
+	case dns_rdatatype_mb: {
+		dns_rdata_mb_t mb;
+		result = dns_rdata_tostruct(rdata, sp = &mb, mctx);
+		break;
+	}
+	case dns_rdatatype_md: {
+		dns_rdata_md_t md;
+		result = dns_rdata_tostruct(rdata, sp = &md, mctx);
+		break;
+	}
+	case dns_rdatatype_mf: {
+		dns_rdata_mf_t mf;
+		result = dns_rdata_tostruct(rdata, sp = &mf, mctx);
+		break;
+	}
+	case dns_rdatatype_mg: {
+		dns_rdata_mg_t mg;
+		result = dns_rdata_tostruct(rdata, sp = &mg, mctx);
+		break;
+	}
+	case dns_rdatatype_minfo: {
+		dns_rdata_minfo_t minfo;
+		result = dns_rdata_tostruct(rdata, sp = &minfo, mctx);
+		break;
+	}
+	case dns_rdatatype_mr: {
+		dns_rdata_mr_t mr;
+		result = dns_rdata_tostruct(rdata, sp = &mr, mctx);
+		break;
+	}
+	case dns_rdatatype_mx: {
+		dns_rdata_mx_t mx;
+		result = dns_rdata_tostruct(rdata, sp = &mx, mctx);
+		break;
+	}
+	case dns_rdatatype_naptr: {
+		dns_rdata_in_naptr_t in_naptr;
+		result = dns_rdata_tostruct(rdata, sp = &in_naptr, mctx);
+		break;
+	}
+	case dns_rdatatype_ns: {
+		dns_rdata_ns_t ns;
+		result = dns_rdata_tostruct(rdata, sp = &ns, mctx);
+		break;
+	}
+	case dns_rdatatype_nsap: {
+		dns_rdata_in_nsap_t in_nsap;
+		result = dns_rdata_tostruct(rdata, sp = &in_nsap, mctx);
+		break;
+	}
+	case dns_rdatatype_nsap_ptr: {
+		dns_rdata_in_nsap_ptr_t in_nsap_ptr;
+		result = dns_rdata_tostruct(rdata, sp = &in_nsap_ptr, mctx);
+		break;
+	}
+	case dns_rdatatype_null: {
+		dns_rdata_null_t null;
+		result = dns_rdata_tostruct(rdata, sp = &null, mctx);
+		break;
+	}
+	case dns_rdatatype_nxt: {
+		dns_rdata_nxt_t nxt;
+		result = dns_rdata_tostruct(rdata, sp = &nxt, mctx);
+		break;
+	}
+	case dns_rdatatype_opt: {
+		dns_rdata_opt_t opt;
+		result = dns_rdata_tostruct(rdata, sp = &opt, mctx);
+		break;
+	}
+	case dns_rdatatype_ptr: {
+		dns_rdata_ptr_t ptr;
+		result = dns_rdata_tostruct(rdata, sp = &ptr, mctx);
+		break;
+	}
+	case dns_rdatatype_px: {
+		dns_rdata_in_px_t in_px;
+		result = dns_rdata_tostruct(rdata, sp = &in_px, mctx);
+		break;
+	}
+	case dns_rdatatype_rp: {
+		dns_rdata_rp_t rp;
+		result = dns_rdata_tostruct(rdata, sp = &rp, mctx);
+		break;
+	}
+	case dns_rdatatype_rt: {
+		dns_rdata_rt_t rt;
+		result = dns_rdata_tostruct(rdata, sp = &rt, mctx);
+		break;
+	}
+	case dns_rdatatype_sig: {
+		dns_rdata_sig_t sig;
+		result = dns_rdata_tostruct(rdata, sp = &sig, mctx);
+		break;
+	}
+	case dns_rdatatype_soa: {
+		dns_rdata_soa_t soa;
+		result = dns_rdata_tostruct(rdata, sp = &soa, mctx);
+		break;
+	}
+	case dns_rdatatype_srv: {
+		dns_rdata_in_srv_t in_srv;
+		result = dns_rdata_tostruct(rdata, sp = &in_srv, mctx);
+		break;
+	}
+	case dns_rdatatype_tkey: {
+		dns_rdata_tkey_t tkey;
+		result = dns_rdata_tostruct(rdata, sp = &tkey, mctx);
+		break;
+	}
+	case dns_rdatatype_tsig: {
+		dns_rdata_any_tsig_t tsig;
+		result = dns_rdata_tostruct(rdata, sp = &tsig, mctx);
+		break;
+	}
+	case dns_rdatatype_txt: {
+		dns_rdata_txt_t txt;
+		result = dns_rdata_tostruct(rdata, sp = &txt, mctx);
+		break;
+	}
+	case dns_rdatatype_unspec: {
+		dns_rdata_unspec_t unspec;
+		result = dns_rdata_tostruct(rdata, sp = &unspec, mctx);
+		break;
+	}
+	case dns_rdatatype_wks: {
+		dns_rdata_in_wks_t in_wks;
+		result = dns_rdata_tostruct(rdata, sp = &in_wks, mctx);
+		break;
+	}
+	case dns_rdatatype_x25: {
+		dns_rdata_x25_t x25;
+		result = dns_rdata_tostruct(rdata, sp = &x25, mctx);
+		break;
+	}
+	default:
+		result = ISC_R_NOTIMPLEMENTED;
+		break;
+	}
+	if (result != ISC_R_SUCCESS)
+		fprintf(stdout, "viastruct: tostuct %d %d return %s\n",
+			rdata->type, rdata->rdclass,
+			dns_result_totext(result));
+	else {
+		need_free = ISC_TRUE;
+
+		rdc = rdata->rdclass;
+		rdt = rdata->type;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, sp, b);
+		if (result != ISC_R_SUCCESS)
+			fprintf(stdout, "viastruct: fromstuct %d %d return %s\n",
+				rdata->type, rdata->rdclass,
+				dns_result_totext(result));
+		else if (rdata->length != rdata2->length ||
+			 memcmp(rdata->data, rdata2->data, rdata->length) != 0)
+		{
+			isc_uint32_t i;
+			isc_uint32_t l;
+
+			fprintf(stdout, "viastruct: memcmp failed\n");
+
+			fprintf(stdout, "%d %d\n",
+				rdata->length, rdata2->length);
+			l = rdata->length;
+			if (rdata2->length < l)
+				l = rdata2->length;
+			for (i = 0; i < l; i++)
+				fprintf(stdout, "%02x %02x\n",
+					rdata->data[i], rdata2->data[i]);
+		}
+	}
+#if 0
+	switch (rdata->type) {
+	case dns_rdatatype_a6: {
+		dns_rdata_in_a6_t in_a6;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &in_a6, b);
+		break;
+	}
+	case dns_rdatatype_a: {
+		switch (rdata->rdclass) {
+		case dns_rdataclass_hs: {
+			dns_rdata_hs_a_t hs_a;
+			result = dns_rdata_fromstruct(rdata2, rdc, rdt,
+						      &hs_a, b);
+			break;
+		}
+		case dns_rdataclass_in: {
+			dns_rdata_in_a_t in_a;
+			result = dns_rdata_fromstruct(rdata2, rdc, rdt,
+						      &in_a, b);
+			break;
+		}
+		default:
+			result = ISC_R_NOTIMPLEMENTED;
+			break;
+		}
+		break;
+	}
+	case dns_rdatatype_aaaa: {
+		dns_rdata_in_aaaa_t in_aaaa;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &in_aaaa, b);
+		break;
+	}
+	case dns_rdatatype_afsdb: {
+		dns_rdata_afsdb_t afsdb;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &afsdb, b);
+		break;
+	}
+	case dns_rdatatype_any: {
+		result = ISC_R_NOTIMPLEMENTED;
+		break;
+	}
+	case dns_rdatatype_cert: {
+		dns_rdata_cert_t cert;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &cert, b);
+		break;
+	}
+	case dns_rdatatype_cname: {
+		dns_rdata_cname_t cname;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &cname, b);
+		break;
+	}
+	case dns_rdatatype_dname: {
+		dns_rdata_dname_t dname;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &dname, b);
+		break;
+	}
+	case dns_rdatatype_gpos: {
+		dns_rdata_gpos_t gpos;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &gpos, b);
+		break;
+	}
+	case dns_rdatatype_hinfo: {
+		dns_rdata_hinfo_t hinfo;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &hinfo, b);
+		break;
+	}
+	case dns_rdatatype_isdn: {
+		dns_rdata_isdn_t isdn;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &isdn, b);
+		break;
+	}
+	case dns_rdatatype_key: {
+		dns_rdata_key_t key;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &key, b);
+		break;
+	}
+	case dns_rdatatype_kx: {
+		dns_rdata_in_kx_t in_kx;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &in_kx, b);
+		break;
+	}
+	case dns_rdatatype_loc: {
+		dns_rdata_loc_t loc;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &loc, b);
+		break;
+	}
+	case dns_rdatatype_mb: {
+		dns_rdata_mb_t mb;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &mb, b);
+		break;
+	}
+	case dns_rdatatype_md: {
+		dns_rdata_md_t md;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &md, b);
+		break;
+	}
+	case dns_rdatatype_mf: {
+		dns_rdata_mf_t mf;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &mf, b);
+		break;
+	}
+	case dns_rdatatype_mg: {
+		dns_rdata_mg_t mg;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &mg, b);
+		break;
+	}
+	case dns_rdatatype_minfo: {
+		dns_rdata_minfo_t minfo;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &minfo, b);
+		break;
+	}
+	case dns_rdatatype_mr: {
+		dns_rdata_mr_t mr;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &mr, b);
+		break;
+	}
+	case dns_rdatatype_mx: {
+		dns_rdata_mx_t mx;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &mx, b);
+		break;
+	}
+	case dns_rdatatype_naptr: {
+		dns_rdata_in_naptr_t in_naptr;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &in_naptr, b);
+		break;
+	}
+	case dns_rdatatype_ns: {
+		dns_rdata_ns_t ns;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &ns, b);
+		break;
+	}
+	case dns_rdatatype_nsap: {
+		dns_rdata_in_nsap_t in_nsap;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &in_nsap, b);
+		break;
+	}
+	case dns_rdatatype_nsap_ptr: {
+		dns_rdata_in_nsap_ptr_t in_nsap_ptr;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &in_nsap_ptr,
+					      b);
+		break;
+	}
+	case dns_rdatatype_null: {
+		dns_rdata_null_t null;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &null, b);
+		break;
+	}
+	case dns_rdatatype_nxt: {
+		dns_rdata_nxt_t nxt;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &nxt, b);
+		break;
+	}
+	case dns_rdatatype_opt: {
+		dns_rdata_opt_t opt;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &opt, b);
+		break;
+	}
+	case dns_rdatatype_ptr: {
+		dns_rdata_ptr_t ptr;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &ptr, b);
+		break;
+	}
+	case dns_rdatatype_px: {
+		dns_rdata_in_px_t in_px;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &in_px, b);
+		break;
+	}
+	case dns_rdatatype_rp: {
+		dns_rdata_rp_t rp;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &rp, b);
+		break;
+	}
+	case dns_rdatatype_rt: {
+		dns_rdata_rt_t rt;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &rt, b);
+		break;
+	}
+	case dns_rdatatype_sig: {
+		dns_rdata_sig_t sig;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &sig, b);
+		break;
+	}
+	case dns_rdatatype_soa: {
+		dns_rdata_soa_t soa;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &soa, b);
+		break;
+	}
+	case dns_rdatatype_srv: {
+		dns_rdata_in_srv_t in_srv;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &in_srv, b);
+		break;
+	}
+	case dns_rdatatype_tkey: {
+		dns_rdata_tkey_t tkey;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &tkey, b);
+		break;
+	}
+	case dns_rdatatype_tsig: {
+		dns_rdata_any_tsig_t tsig;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &tsig, b);
+		break;
+	}
+	case dns_rdatatype_txt: {
+		dns_rdata_txt_t txt;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &txt, b);
+		break;
+	}
+	case dns_rdatatype_unspec: {
+		dns_rdata_unspec_t unspec;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &unspec, b);
+		break;
+	}
+	case dns_rdatatype_wks: {
+		dns_rdata_in_wks_t in_wks;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &in_wks, b);
+		break;
+	}
+	case dns_rdatatype_x25: {
+		dns_rdata_x25_t x25;
+		result = dns_rdata_fromstruct(rdata2, rdc, rdt, &x25, b);
+		break;
+	}
+	default:
+		result = ISC_R_NOTIMPLEMENTED;
+		break;
+	}
+#endif
+	if (need_free)
+		dns_rdata_freestruct(sp);
+}
+
 int
 main(int argc, char *argv[]) {
 	isc_token_t token;
@@ -50,6 +779,7 @@ main(int argc, char *argv[]) {
 	char outbuf[16*1024];
 	char inbuf[16*1024];
 	char wirebuf[16*1024];
+	char viabuf[16*1024];
 	isc_buffer_t dbuf;
 	isc_buffer_t tbuf;
 	isc_buffer_t wbuf;
@@ -67,8 +797,9 @@ main(int argc, char *argv[]) {
 	isc_region_t region;
 	int first = 1;
 	int raw = 0;
+	int tostruct = 0;
 
-	while ((c = isc_commandline_parse(argc, argv, "dqswtarz")) != -1) {
+	while ((c = isc_commandline_parse(argc, argv, "dqswtarzS")) != -1) {
 		switch (c) {
 		case 'd':
 			debug = 1;
@@ -96,6 +827,9 @@ main(int argc, char *argv[]) {
 		case 'r':
 			raw++;
 			break;
+		case 'S':
+			tostruct++;
+			break;
 		}
 	}
 
@@ -131,15 +865,14 @@ main(int argc, char *argv[]) {
 		/* get type */
 		if (token.type == isc_tokentype_number) {
 			type = token.value.as_ulong;
-			isc_buffer_init(&tbuf, outbuf, sizeof(outbuf),
-					ISC_BUFFERTYPE_TEXT);
+			isc_buffer_init(&tbuf, outbuf, sizeof(outbuf));
 			result = dns_rdatatype_totext(type, &tbuf);
 			fprintf(stdout, "type = %.*s(%d)\n",
 				(int)tbuf.used, (char*)tbuf.base, type);
 		} else if (token.type == isc_tokentype_string) {
 			result = dns_rdatatype_fromtext(&type,
 					&token.value.as_textregion);
-			if (result != DNS_R_SUCCESS) {
+			if (result != ISC_R_SUCCESS) {
 				fprintf(stdout,
 				    "dns_rdatatype_fromtext returned %s(%d)\n",
 					dns_result_totext(result), result);
@@ -162,15 +895,14 @@ main(int argc, char *argv[]) {
 				break;
 		if (token.type == isc_tokentype_number) {
 			class = token.value.as_ulong;
-			isc_buffer_init(&tbuf, outbuf, sizeof(outbuf),
-					ISC_BUFFERTYPE_TEXT);
+			isc_buffer_init(&tbuf, outbuf, sizeof(outbuf));
 			result = dns_rdatatype_totext(class, &tbuf);
 			fprintf(stdout, "class = %.*s(%d)\n",
 				(int)tbuf.used, (char*)tbuf.base, class);
 		} else if (token.type == isc_tokentype_string) {
 			result = dns_rdataclass_fromtext(&class,
 					&token.value.as_textregion);
-			if (result != DNS_R_SUCCESS) {
+			if (result != ISC_R_SUCCESS) {
 				fprintf(stdout,
 				    "dns_rdataclass_fromtext returned %s(%d)\n",
 					dns_result_totext(result), result);
@@ -186,11 +918,10 @@ main(int argc, char *argv[]) {
 
 		fflush(stdout);
 		dns_rdata_init(&rdata);
-		isc_buffer_init(&dbuf, inbuf, sizeof(inbuf),
-				ISC_BUFFERTYPE_BINARY);
+		isc_buffer_init(&dbuf, inbuf, sizeof(inbuf));
 		result = dns_rdata_fromtext(&rdata, class, type, lex,
 					    NULL, ISC_FALSE, &dbuf, NULL);
-		if (result != DNS_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS) {
 			fprintf(stdout,
 				"dns_rdata_fromtext returned %s(%d)\n",
 				dns_result_totext(result), result);
@@ -214,17 +945,16 @@ main(int argc, char *argv[]) {
 		/* Convert to wire and back? */
 		if (wire) {
 			result = dns_compress_init(&cctx, -1, mctx);
-			if (result != DNS_R_SUCCESS) {
+			if (result != ISC_R_SUCCESS) {
 				fprintf(stdout,
 					"dns_compress_init returned %s(%d)\n",
 					dns_result_totext(result), result);
 				continue;
 			}
-			isc_buffer_init(&wbuf, wirebuf, sizeof(wirebuf),
-					ISC_BUFFERTYPE_BINARY);
+			isc_buffer_init(&wbuf, wirebuf, sizeof(wirebuf));
 			result = dns_rdata_towire(&rdata, &cctx, &wbuf);
 			dns_compress_invalidate(&cctx);
-			if (result != DNS_R_SUCCESS) {
+			if (result != ISC_R_SUCCESS) {
 				fprintf(stdout,
 					"dns_rdata_towire returned %s(%d)\n",
 					dns_result_totext(result), result);
@@ -257,13 +987,12 @@ main(int argc, char *argv[]) {
 
 			isc_buffer_setactive(&wbuf, len);
 			dns_rdata_init(&rdata);
-			isc_buffer_init(&dbuf, inbuf, sizeof(inbuf),
-					ISC_BUFFERTYPE_BINARY);
+			isc_buffer_init(&dbuf, inbuf, sizeof(inbuf));
 			dns_decompress_init(&dctx, -1, ISC_FALSE);
 			result = dns_rdata_fromwire(&rdata, class, type, &wbuf,
 						    &dctx, ISC_FALSE, &dbuf);
 			dns_decompress_invalidate(&dctx);
-			if (result != DNS_R_SUCCESS) {
+			if (result != ISC_R_SUCCESS) {
 			fprintf(stdout,
 					"dns_rdata_fromwire returned %s(%d)\n",
 					dns_result_totext(result), result);
@@ -285,11 +1014,25 @@ main(int argc, char *argv[]) {
 						fputs(" ", stdout);
 			}
 		}
+		if (tostruct) {
+			isc_mem_t *mctx2 = NULL;
+			dns_rdata_t rdata2;
+			isc_buffer_t vbuf;
+
+			RUNTIME_CHECK(isc_mem_create(0, 0, &mctx2)
+				      == ISC_R_SUCCESS);
+
+			isc_buffer_init(&vbuf, viabuf, sizeof(viabuf));
+			dns_rdata_init(&rdata2);
+			viastruct(&rdata, mctx2, &rdata2, &vbuf);
+			if (!quiet && stats)
+				isc_mem_stats(mctx2, stdout);
+			isc_mem_destroy(&mctx2);
+		}
 
-		isc_buffer_init(&tbuf, outbuf, sizeof(outbuf),
-				ISC_BUFFERTYPE_TEXT);
+		isc_buffer_init(&tbuf, outbuf, sizeof(outbuf));
 		result = dns_rdata_totext(&rdata, NULL, &tbuf);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			fprintf(stdout, "dns_rdata_totext returned %s(%d)\n",
 				dns_result_totext(result), result);
 		else
diff --git a/bin/tests/res_test.c b/bin/tests/res_test.c
deleted file mode 100644
index 9e357b4e..00000000
--- a/bin/tests/res_test.c
+++ /dev/null
@@ -1,267 +0,0 @@
-/*
- * Copyright (C) 1999, 2000  Internet Software Consortium.
- * 
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- * 
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/*
- * Principal Author: Bob Halley
- */
-
-#include <config.h>
-
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isc/commandline.h>
-#include <isc/error.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/app.h>
-#include <isc/mutex.h>
-#include <isc/boolean.h>
-#include <isc/net.h>
-#include <isc/socket.h>
-
-#include "../../isc/util.h"		/* XXX Naughty. */
-
-#include <dns/types.h>
-#include <dns/result.h>
-#include <dns/name.h>
-#include <dns/fixedname.h>
-#include <dns/resolver.h>
-#include <dns/events.h>
-#include <dns/dispatch.h>
-#include <dns/tsig.h>
-#include <dns/view.h>
-
-isc_mutex_t lock;
-
-ISC_LIST(dns_fetch_t) fetches;
-
-static void
-cancel(dns_fetch_t *fetch, isc_task_t *task) {
-	isc_boolean_t need_shutdown = ISC_FALSE;
-
-	LOCK(&lock);
-
-	printf("fetch %p canceled\n", fetch);
-	ISC_LIST_UNLINK(fetches, fetch, link);
-	dns_resolver_destroyfetch(&fetch, task);
-	if (ISC_LIST_EMPTY(fetches))
-		need_shutdown = ISC_TRUE;
-
-	UNLOCK(&lock);
-
-	if (need_shutdown)
-		isc_app_shutdown();
-}
-
-static void
-done(isc_task_t *task, isc_event_t *event) {
-	dns_fetchdoneevent_t *devent = (dns_fetchdoneevent_t *)event;
-	isc_boolean_t need_shutdown = ISC_FALSE;
-	dns_fetch_t *fetch, *next_fetch;
-
-	REQUIRE(devent->type == DNS_EVENT_FETCHDONE);
-
-	(void)task;
-
-	LOCK(&lock);
-
-	for (fetch = ISC_LIST_HEAD(fetches);
-	     fetch != NULL;
-	     fetch = next_fetch) {
-		next_fetch = ISC_LIST_NEXT(fetch, link);
-		if (fetch->private == event->sender &&
-		    fetch == event->tag)
-			break;
-	}
-	INSIST(fetch != NULL);
-	printf("fetch %p done: %s\n", fetch,
-	       dns_result_totext(devent->result));
-	ISC_LIST_UNLINK(fetches, fetch, link);
-	if (ISC_LIST_EMPTY(fetches))
-		need_shutdown = ISC_TRUE;
-
-	UNLOCK(&lock);
-
-	isc_event_free(&event);
-	dns_resolver_destroyfetch(&fetch, NULL);
-
-	if (need_shutdown)
-		isc_app_shutdown();
-}
-
-static dns_fetch_t *
-launch(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
-       isc_boolean_t shared_ok, isc_boolean_t recursive, isc_task_t *task)
-{
-	dns_fetch_t *fetch;
-	unsigned int options = 0;
-
-	if (!shared_ok)
-		options |= DNS_FETCHOPT_UNSHARED;
-	if (recursive)
-		options |= DNS_FETCHOPT_RECURSIVE;
-
-	LOCK(&lock);
-
-	fetch = NULL;
-	RUNTIME_CHECK(dns_resolver_createfetch(res, name, type, NULL, NULL,
-					       NULL, options, task, done,
-					       NULL,
-					       &fetch) ==
-		      DNS_R_SUCCESS);
-	ISC_LIST_APPEND(fetches, fetch, link);
-
-	UNLOCK(&lock);
-
-	return (fetch);
-}
-
-int
-main(int argc, char *argv[]) {
-	isc_mem_t *mctx;
-	isc_boolean_t verbose = ISC_FALSE;
-	unsigned int workers = 2;
-	isc_taskmgr_t *taskmgr;
-	isc_task_t *task1, *task2;
-	isc_timermgr_t *timermgr;
-	dns_view_t *view;
-	dns_resolver_t *res;
-	int ch;
-	dns_fetch_t *fetch;
-	dns_dispatch_t *dispatch;
-	isc_socket_t *s;
-	isc_socketmgr_t *socketmgr;
-
-	RUNTIME_CHECK(isc_app_start() == ISC_R_SUCCESS);
-
-	RUNTIME_CHECK(isc_mutex_init(&lock) == ISC_R_SUCCESS);
-
-	mctx = NULL;
-	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-
-	while ((ch = isc_commandline_parse(argc, argv, "vw:")) != -1) {
-		switch (ch) {
-		case 'v':
-			verbose = ISC_TRUE;
-			break;
-		case 'w':
-			workers = (unsigned int)atoi(isc_commandline_argument);
-			break;
-		}
-	}
-
-	if (verbose) {
-		printf("%u workers\n", workers);
-		printf("IPv4: %s\n", isc_result_totext(isc_net_probeipv4()));
-		printf("IPv6: %s\n", isc_result_totext(isc_net_probeipv6()));
-	}
-
-	taskmgr = NULL;
-	RUNTIME_CHECK(isc_taskmgr_create(mctx, workers, 0, &taskmgr) ==
-		      ISC_R_SUCCESS);
-	task1 = NULL;
-	RUNTIME_CHECK(isc_task_create(taskmgr, mctx, 0, &task1) ==
-		      ISC_R_SUCCESS);
-	task2 = NULL;
-	RUNTIME_CHECK(isc_task_create(taskmgr, mctx, 0, &task2) ==
-		      ISC_R_SUCCESS);
-	timermgr = NULL;
-	RUNTIME_CHECK(isc_timermgr_create(mctx, &timermgr) == ISC_R_SUCCESS);
-	socketmgr = NULL;
-	RUNTIME_CHECK(isc_socketmgr_create(mctx, &socketmgr) == ISC_R_SUCCESS);
-
-	RUNTIME_CHECK(dns_tsig_init(mctx) == ISC_R_SUCCESS);
-
-	argc -= isc_commandline_index;
-	argv += isc_commandline_index;
-
-	if (argc != 0)
-		printf("ignoring trailing arguments\n");
-
-	s = NULL;
-	RUNTIME_CHECK(isc_socket_create(socketmgr, PF_INET,
-					isc_sockettype_udp, &s) ==
-		      ISC_R_SUCCESS);
-
-	view = NULL;
-	RUNTIME_CHECK(dns_view_create(mctx, dns_rdataclass_in, "default",
-				      &view) == ISC_R_SUCCESS);
-
-	dispatch = NULL;
-	RUNTIME_CHECK(dns_dispatch_create(mctx, s, task1, 4096, 1000, 1000,
-					  17, 19, &dispatch) == DNS_R_SUCCESS);
-
-#ifdef notyet
-	res = NULL;
-	RUNTIME_CHECK(dns_resolver_create(mctx, view, taskmgr, 10, timermgr,
-					  dispatch, &res) ==
-		      DNS_R_SUCCESS);
-
-	dns_view_setresolver(view, res);
-	dns_view_freeze(view);
-
-	ISC_LIST_INIT(fetches);
-	fetch = launch(res, dns_rootname, dns_rdatatype_a,
-		       ISC_TRUE, ISC_FALSE, task1);
-	fetch = launch(res, dns_rootname, dns_rdatatype_a,
-		       ISC_TRUE, ISC_FALSE, task2);
-	fetch = launch(res, dns_rootname, dns_rdatatype_a,
-		       ISC_TRUE, ISC_FALSE, task2);
-	fetch = launch(res, dns_rootname, dns_rdatatype_mx,
-		       ISC_TRUE, ISC_FALSE, task1);
-	fetch = launch(res, dns_rootname, dns_rdatatype_ns,
-		       ISC_FALSE, ISC_TRUE, task2);
-	fetch = launch(res, dns_rootname, dns_rdatatype_ns,
-		       ISC_TRUE, ISC_FALSE, task1);
-	cancel(fetch, task1);
-#endif
-	(void)isc_app_run();
-
-	/*
-	 * XXXRTH if we get a control-C before we get to isc_app_run(),
-	 * we're in trouble (because we might try to destroy things before
-	 * they've been created.
-	 */
-
-	dns_view_detach(&view);
-	dns_resolver_detach(&res);
-	dns_dispatch_detach(&dispatch);
-
-	isc_task_shutdown(task1);
-	isc_task_detach(&task1);
-	isc_task_shutdown(task2);
-	isc_task_detach(&task2);
-	isc_taskmgr_destroy(&taskmgr);
-
-	isc_socket_detach(&s);
-	isc_socketmgr_destroy(&socketmgr);
-	isc_timermgr_destroy(&timermgr);
-
-	dns_tsig_destroy();
-	if (verbose)
-		isc_mem_stats(mctx, stdout);
-	isc_mem_destroy(&mctx);
-
-	isc_mutex_destroy(&lock);
-
-	isc_app_finish();
-
-	return (0);
-}
diff --git a/bin/tests/rwlock_test.c b/bin/tests/rwlock_test.c
index c30b9932..a3c0cba6 100644
--- a/bin/tests/rwlock_test.c
+++ b/bin/tests/rwlock_test.c
@@ -19,14 +19,12 @@
 
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 #include <unistd.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
 #include <isc/thread.h>
-#include <isc/result.h>
 #include <isc/rwlock.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 isc_rwlock_t lock;
 
diff --git a/bin/tests/sdig.c b/bin/tests/sdig.c
index 02aee63e..78eae7fa 100644
--- a/bin/tests/sdig.c
+++ b/bin/tests/sdig.c
@@ -17,29 +17,18 @@
 
 #include <config.h>
 
-#include <errno.h>
-#include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 
 extern int h_errno;
 
-#include <isc/types.h>
 #include <isc/app.h>
-#include <isc/assertions.h>
-#include <isc/error.h>
 #include <isc/mem.h>
-#include <isc/net.h>
 #include <isc/netdb.h>
-#include <isc/result.h>
-#include <isc/sockaddr.h>
 #include <isc/socket.h>
+#include <isc/string.h>
 #include <isc/task.h>
+#include <isc/util.h>
 
-#include <dns/types.h>
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/fixedname.h>
 #include <dns/rdata.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
@@ -148,7 +137,7 @@ hex_dump(isc_buffer_t *b)
 	unsigned int len;
 	isc_region_t r;
 
-	isc_buffer_remaining(b, &r);
+	isc_buffer_remainingregion(b, &r);
 
 	for (len = 0 ; len < r.length ; len++) {
 		printf("%02x ", r.base[len]);
@@ -187,13 +176,13 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	isc_buffer_t *b;
 	isc_result_t result;
 
-	REQUIRE(event->type == ISC_SOCKEVENT_RECVDONE);
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
 	sevent = (isc_socketevent_t *)event;
 
-	(void)task;
+	UNUSED(task);
 
 	/*
-	 * There will be one buffer (since that is what we put on the list)
+	 * There will be one buffer (since that is what we put on the list).
 	 */
 	if (sevent->result == ISC_R_SUCCESS) {
 		b = ISC_LIST_HEAD(sevent->bufferlist);
@@ -215,7 +204,8 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 
 static void
 send_done(isc_task_t *task, isc_event_t *event) {
-	(void)task;
+	UNUSED(task);
+
 	isc_event_free(&event);
 }
 
@@ -265,7 +255,7 @@ main(int argc, char *argv[]) {
 	result = isc_taskmgr_create(mctx, 1, 0, &taskmgr);
 	check_result(result, "isc_taskmgr_create()");
 	task = NULL;
-	result = isc_task_create(taskmgr, NULL, 0, &task);
+	result = isc_task_create(taskmgr, 0, &task);
 	check_result(result, "isc_task_create()");
 	socketmgr = NULL;
 	result = isc_socketmgr_create(mctx, &socketmgr);
@@ -289,8 +279,7 @@ main(int argc, char *argv[]) {
 	check_result(result, "dns_message_gettempname()");
 	dns_name_init(name, NULL);
 
-	isc_buffer_init(&namebuffer, namedata, sizeof(namedata),
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&namebuffer, namedata, sizeof(namedata));
 
 	printf("\n; <<>> sdig <<>>");
 	for (i = 1; i < argc; i++) {
@@ -321,8 +310,7 @@ main(int argc, char *argv[]) {
 			tr.base = argv[0];
 			tr.length = len;
 			if (!have_name) {
-				isc_buffer_init(&b, argv[0], len,
-						ISC_BUFFERTYPE_TEXT);
+				isc_buffer_init(&b, argv[0], len);
 				isc_buffer_add(&b, len);
 				result = dns_name_fromtext(name, &b,
 							   dns_rootname,
@@ -358,7 +346,7 @@ main(int argc, char *argv[]) {
 		message->flags |= DNS_MESSAGEFLAG_RD;
 	dns_message_addname(message, name, DNS_SECTION_QUESTION);
 
-	isc_buffer_init(&b, data, sizeof data, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&b, data, sizeof(data));
 	result = dns_message_renderbegin(message, &b);
 	check_result(result, "dns_message_renderbegin()");
 	if (edns0)
@@ -377,7 +365,7 @@ main(int argc, char *argv[]) {
 	check_result(result, "isc_socket_create()");
 
 	ISC_LIST_INIT(bufferlist);
-	isc_buffer_init(&b2, data2, sizeof data2, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&b2, data2, sizeof data2);
 	ISC_LIST_ENQUEUE(bufferlist, &b2, link);
 	result = isc_socket_recvv(sock, &bufferlist, 1, task, recv_done, NULL);
 	check_result(result, "isc_socket_recvv()");
diff --git a/bin/tests/serial_test.c b/bin/tests/serial_test.c
index 19fdb15f..5b88c5ec 100644
--- a/bin/tests/serial_test.c
+++ b/bin/tests/serial_test.c
@@ -15,8 +15,11 @@
  * SOFTWARE.
  */
 
+#include <config.h>
+
 #include <stdio.h>
 #include <stdlib.h>
+
 #include <isc/serial.h>
 
 int
@@ -25,7 +28,6 @@ main() {
 	char buf[1024];
 	char *s, *e;
 
-
 	while (fgets(buf, sizeof buf, stdin) != NULL) {
 		buf[sizeof buf - 1] = '\0';
 		s = buf;
diff --git a/bin/tests/shutdown_test.c b/bin/tests/shutdown_test.c
index 78701372..338a2048 100644
--- a/bin/tests/shutdown_test.c
+++ b/bin/tests/shutdown_test.c
@@ -17,23 +17,14 @@
 
 #include <config.h>
 
-#include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
+#include <isc/app.h>
 #include <isc/mem.h>
 #include <isc/task.h>
-#include <isc/thread.h>
-#include <isc/result.h>
+#include <isc/time.h>
 #include <isc/timer.h>
-#include <isc/mutex.h>
-#include <isc/condition.h>
-#include <isc/event.h>
-#include <isc/eventclass.h>
-#include <isc/app.h>
+#include <isc/util.h>
 
 typedef struct {
 	isc_mem_t *	mctx;
@@ -57,7 +48,7 @@ static isc_timermgr_t *		timer_manager;
 
 static void
 t1_shutdown(isc_task_t *task, isc_event_t *event) {
-	t_info *info = event->arg;
+	t_info *info = event->ev_arg;
 	
 	printf("task %s (%p) t1_shutdown\n", info->name, task);
 	isc_task_detach(&info->task);
@@ -66,7 +57,7 @@ t1_shutdown(isc_task_t *task, isc_event_t *event) {
 
 static void
 t2_shutdown(isc_task_t *task, isc_event_t *event) {
-	t_info *info = event->arg;
+	t_info *info = event->ev_arg;
 
 	printf("task %s (%p) t2_shutdown\n", info->name, task);
 	info->exiting = ISC_TRUE;
@@ -75,10 +66,10 @@ t2_shutdown(isc_task_t *task, isc_event_t *event) {
 
 static void
 shutdown_action(isc_task_t *task, isc_event_t *event) {
-	t_info *info = event->arg;
+	t_info *info = event->ev_arg;
 	isc_event_t *nevent;
 
-	INSIST(event->type == ISC_TASKEVENT_SHUTDOWN);
+	INSIST(event->ev_type == ISC_TASKEVENT_SHUTDOWN);
 
 	printf("task %s (%p) shutdown\n", info->name, task);
 	if (strcmp(info->name, "0") == 0) {
@@ -102,10 +93,10 @@ foo_event(isc_task_t *task, isc_event_t *event) {
 static void
 tick(isc_task_t *task, isc_event_t *event)
 {
-	t_info *info = event->arg;
+	t_info *info = event->ev_arg;
 	isc_event_t *nevent;
 
-	INSIST(event->type == ISC_TIMEREVENT_TICK);
+	INSIST(event->ev_type == ISC_TIMEREVENT_TICK);
 
 	printf("task %s (%p) tick\n", info->name, task);
 
@@ -154,7 +145,7 @@ new_task(isc_mem_t *mctx, char *name) {
 		strcpy(ti->name, name);
 	} else
 		sprintf(ti->name, "%d", task_count);
-	RUNTIME_CHECK(isc_task_create(task_manager, mctx, 0, &ti->task) ==
+	RUNTIME_CHECK(isc_task_create(task_manager, 0, &ti->task) ==
 		      ISC_R_SUCCESS);
 	RUNTIME_CHECK(isc_task_onshutdown(ti->task, shutdown_action, ti) ==
 		      ISC_R_SUCCESS);
@@ -209,14 +200,14 @@ main(int argc, char *argv[]) {
 	 * Test implicit shutdown.
 	 */
 	task = NULL;
-	RUNTIME_CHECK(isc_task_create(task_manager, mctx, 0, &task) ==
+	RUNTIME_CHECK(isc_task_create(task_manager, 0, &task) ==
 		      ISC_R_SUCCESS);
 	isc_task_detach(&task);
 
 	/*
 	 * Test anti-zombie code.
 	 */
-	RUNTIME_CHECK(isc_task_create(task_manager, mctx, 0, &task) ==
+	RUNTIME_CHECK(isc_task_create(task_manager, 0, &task) ==
 		      ISC_R_SUCCESS);
 	isc_task_detach(&task);
 
diff --git a/bin/tests/sock_test.c b/bin/tests/sock_test.c
index e15d7c47..f577aa0b 100644
--- a/bin/tests/sock_test.c
+++ b/bin/tests/sock_test.c
@@ -17,31 +17,21 @@
 
 #include <config.h>
 
-#include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
-#include <string.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
 #include <isc/mem.h>
 #include <isc/task.h>
-#include <isc/thread.h>
-#include <isc/result.h>
 #include <isc/socket.h>
 #include <isc/timer.h>
-#include <isc/net.h>
+#include <isc/util.h>
 
 isc_mem_t *mctx;
 isc_taskmgr_t *manager;
 
-static void my_send(isc_task_t *task, isc_event_t *event);
-static void my_recv(isc_task_t *task, isc_event_t *event);
-
 static void
-my_shutdown(isc_task_t *task, isc_event_t *event)
-{
-	char *name = event->arg;
+my_shutdown(isc_task_t *task, isc_event_t *event) {
+	char *name = event->ev_arg;
 
 	printf("shutdown %s (%p)\n", name, task);
 	fflush(stdout);
@@ -49,19 +39,42 @@ my_shutdown(isc_task_t *task, isc_event_t *event)
 }
 
 static void
-my_recv(isc_task_t *task, isc_event_t *event)
-{
+my_send(isc_task_t *task, isc_event_t *event) {
+	isc_socket_t *sock;
+	isc_socketevent_t *dev;
+
+	sock = event->ev_sender;
+	dev = (isc_socketevent_t *)event;
+
+	printf("my_send: %s task %p\n\t(sock %p, base %p, length %d, n %d, "
+	       "result %d)\n",
+	       (char *)(event->ev_arg), task, sock,
+	       dev->region.base, dev->region.length,
+	       dev->n, dev->result);
+
+	if (dev->result != ISC_R_SUCCESS) {
+		isc_socket_detach(&sock);
+		isc_task_shutdown(task);
+	}
+
+	isc_mem_put(mctx, dev->region.base, dev->region.length);
+
+	isc_event_free(&event);
+}
+
+static void
+my_recv(isc_task_t *task, isc_event_t *event) {
 	isc_socket_t *sock;
 	isc_socketevent_t *dev;
 	isc_region_t region;
 	char buf[1024];
 	char host[256];
 
-	sock = event->sender;
+	sock = event->ev_sender;
 	dev = (isc_socketevent_t *)event;
 
 	printf("Socket %s (sock %p, base %p, length %d, n %d, result %d)\n",
-	       (char *)(event->arg), sock,
+	       (char *)(event->ev_arg), sock,
 	       dev->region.base, dev->region.length,
 	       dev->n, dev->result);
 	if (dev->address.type.sa.sa_family == AF_INET6) {
@@ -88,62 +101,38 @@ my_recv(isc_task_t *task, isc_event_t *event)
 	}
 
 	/*
-	 * Echo the data back
+	 * Echo the data back.
 	 */
-	if (strcmp(event->arg, "so2") != 0) {
+	if (strcmp(event->ev_arg, "so2") != 0) {
 		region = dev->region;
 		sprintf(buf, "\r\nReceived: %.*s\r\n\r\n",
 			(int)dev->n, (char *)region.base);
 		region.base = isc_mem_get(mctx, strlen(buf) + 1);
 		region.length = strlen(buf) + 1;
 		strcpy((char *)region.base, buf);  /* strcpy is safe */
-		isc_socket_send(sock, &region, task, my_send, event->arg);
+		isc_socket_send(sock, &region, task, my_send, event->ev_arg);
 	} else {
 		region = dev->region;
 		printf("\r\nReceived: %.*s\r\n\r\n",
 		       (int)dev->n, (char *)region.base);
 	}
 
-	isc_socket_recv(sock, &dev->region, 1, task, my_recv, event->arg);
-
-	isc_event_free(&event);
-}
-
-static void
-my_send(isc_task_t *task, isc_event_t *event)
-{
-	isc_socket_t *sock;
-	isc_socketevent_t *dev;
-
-	sock = event->sender;
-	dev = (isc_socketevent_t *)event;
-
-	printf("my_send: %s task %p\n\t(sock %p, base %p, length %d, n %d, result %d)\n",
-	       (char *)(event->arg), task, sock,
-	       dev->region.base, dev->region.length,
-	       dev->n, dev->result);
-
-	if (dev->result != ISC_R_SUCCESS) {
-		isc_socket_detach(&sock);
-		isc_task_shutdown(task);
-	}
-
-	isc_mem_put(mctx, dev->region.base, dev->region.length);
+	isc_socket_recv(sock, &dev->region, 1, task, my_recv, event->ev_arg);
 
 	isc_event_free(&event);
 }
 
 static void
-my_http_get(isc_task_t *task, isc_event_t *event)
-{
+my_http_get(isc_task_t *task, isc_event_t *event) {
 	isc_socket_t *sock;
 	isc_socketevent_t *dev;
 
-	sock = event->sender;
+	sock = event->ev_sender;
 	dev = (isc_socketevent_t *)event;
 
-	printf("my_http_get: %s task %p\n\t(sock %p, base %p, length %d, n %d, result %d)\n",
-	       (char *)(event->arg), task, sock,
+	printf("my_http_get: %s task %p\n\t(sock %p, base %p, length %d, "
+	       "n %d, result %d)\n",
+	       (char *)(event->ev_arg), task, sock,
 	       dev->region.base, dev->region.length,
 	       dev->n, dev->result);
 
@@ -154,23 +143,22 @@ my_http_get(isc_task_t *task, isc_event_t *event)
 		return;
 	}
 
-	isc_socket_recv(sock, &dev->region, 1, task, my_recv, event->arg);
+	isc_socket_recv(sock, &dev->region, 1, task, my_recv, event->ev_arg);
 
 	isc_event_free(&event);
 }
 
 static void
-my_connect(isc_task_t *task, isc_event_t *event)
-{
+my_connect(isc_task_t *task, isc_event_t *event) {
 	isc_socket_t *sock;
 	isc_socket_connev_t *dev;
 	isc_region_t region;
 	char buf[1024];
 
-	sock = event->sender;
+	sock = event->ev_sender;
 	dev = (isc_socket_connev_t *)event;
 
-	printf("%s: Connection result:  %d\n", (char *)(event->arg),
+	printf("%s: Connection result:  %d\n", (char *)(event->ev_arg),
 	       dev->result);
 
 	if (dev->result != ISC_R_SUCCESS) {
@@ -184,20 +172,20 @@ my_connect(isc_task_t *task, isc_event_t *event)
 	 * Send a GET string, and set up to receive (and just display)
 	 * the result.
 	 */
-	strcpy(buf, "GET / HTTP/1.1\r\nHost: www.flame.org\r\nConnection: Close\r\n\r\n");
+	strcpy(buf, "GET / HTTP/1.1\r\nHost: www.flame.org\r\n"
+	       "Connection: Close\r\n\r\n");
 	region.base = isc_mem_get(mctx, strlen(buf) + 1);
 	region.length = strlen(buf) + 1;
-	strcpy((char *)region.base, buf);  /* strcpy is safe */
+	strcpy((char *)region.base, buf);  /* This strcpy is safe. */
 
-	isc_socket_send(sock, &region, task, my_http_get, event->arg);
+	isc_socket_send(sock, &region, task, my_http_get, event->ev_arg);
 
 	isc_event_free(&event);
 }
 
 static void
-my_listen(isc_task_t *task, isc_event_t *event)
-{
-	char *name = event->arg;
+my_listen(isc_task_t *task, isc_event_t *event) {
+	char *name = event->ev_arg;
 	isc_socket_newconnev_t *dev;
 	isc_region_t region;
 	isc_socket_t *oldsock;
@@ -206,14 +194,15 @@ my_listen(isc_task_t *task, isc_event_t *event)
 	dev = (isc_socket_newconnev_t *)event;
 
 	printf("newcon %s (task %p, oldsock %p, newsock %p, result %d)\n",
-	       name, task, event->sender, dev->newsocket, dev->result);
+	       name, task, event->ev_sender, dev->newsocket, dev->result);
 	fflush(stdout);
 
 	if (dev->result == ISC_R_SUCCESS) {
 		/*
-		 * queue another listen on this socket
+		 * Queue another listen on this socket.
 		 */
-		isc_socket_accept(event->sender, task, my_listen, event->arg);
+		isc_socket_accept(event->ev_sender, task, my_listen,
+				  event->ev_arg);
 
 		region.base = isc_mem_get(mctx, 20);
 		region.length = 20;
@@ -223,14 +212,14 @@ my_listen(isc_task_t *task, isc_event_t *event)
 		 * recv on it.
 		 */
 		newtask = NULL;
-		RUNTIME_CHECK(isc_task_create(manager, NULL, 0, &newtask)
+		RUNTIME_CHECK(isc_task_create(manager, 0, &newtask)
 			      == ISC_R_SUCCESS);
 		isc_socket_recv(dev->newsocket, &region, 1,
-				newtask, my_recv, event->arg);
+				newtask, my_recv, event->ev_arg);
 		isc_task_detach(&newtask);
 	} else {
-		printf("detaching from socket %p\n", event->sender);
-		oldsock = event->sender;
+		printf("detaching from socket %p\n", event->ev_sender);
+		oldsock = event->ev_sender;
 
 		isc_socket_detach(&oldsock);
 
@@ -243,20 +232,18 @@ my_listen(isc_task_t *task, isc_event_t *event)
 }
 
 static void
-timeout(isc_task_t *task, isc_event_t *event)
-{
-	isc_socket_t *sock = event->arg;
+timeout(isc_task_t *task, isc_event_t *event) {
+	isc_socket_t *sock = event->ev_arg;
 
 	printf("Timeout, canceling IO on socket %p (task %p)\n", sock, task);
 
 	isc_socket_cancel(sock, NULL, ISC_SOCKCANCEL_ALL);
-	isc_timer_detach((isc_timer_t **)&event->sender);
+	isc_timer_detach((isc_timer_t **)&event->ev_sender);
 	isc_event_free(&event);
 }
 
 int
-main(int argc, char *argv[])
-{
+main(int argc, char *argv[]) {
 	isc_task_t *t1, *t2;
 	isc_timermgr_t *timgr;
 	isc_time_t expires;
@@ -302,9 +289,9 @@ main(int argc, char *argv[])
 	RUNTIME_CHECK(isc_timermgr_create(mctx, &timgr) == ISC_R_SUCCESS);
 
 	t1 = NULL;
-	RUNTIME_CHECK(isc_task_create(manager, NULL, 0, &t1) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_create(manager, 0, &t1) == ISC_R_SUCCESS);
 	t2 = NULL;
-	RUNTIME_CHECK(isc_task_create(manager, NULL, 0, &t2) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_create(manager, 0, &t2) == ISC_R_SUCCESS);
 	RUNTIME_CHECK(isc_task_onshutdown(t1, my_shutdown, "1") ==
 		      ISC_R_SUCCESS);
 	RUNTIME_CHECK(isc_task_onshutdown(t2, my_shutdown, "2") ==
@@ -317,7 +304,7 @@ main(int argc, char *argv[])
 	RUNTIME_CHECK(isc_socketmgr_create(mctx, &socketmgr) == ISC_R_SUCCESS);
 
 	/*
-	 * open up a listener socket
+	 * Open up a listener socket.
 	 */
 	so1 = NULL;
 
@@ -335,7 +322,7 @@ main(int argc, char *argv[])
 	RUNTIME_CHECK(isc_socket_listen(so1, 0) == ISC_R_SUCCESS);
 
 	/*
-	 * queue up the first accept event
+	 * Queue up the first accept event.
 	 */
 	RUNTIME_CHECK(isc_socket_accept(so1, t1, my_listen,
 					"so1") == ISC_R_SUCCESS);
@@ -347,7 +334,7 @@ main(int argc, char *argv[])
 		      ISC_R_SUCCESS);
 
 	/*
-	 * open up a socket that will connect to www.flame.org, port 80.
+	 * Open up a socket that will connect to www.flame.org, port 80.
 	 * Why not.  :)
 	 */
 	so2 = NULL;
@@ -371,7 +358,7 @@ main(int argc, char *argv[])
 	isc_task_detach(&t2);
 
 	/*
-	 * wait a short while.
+	 * Wait a short while.
 	 */
 	sleep(10);
 
diff --git a/bin/tests/sockaddr/Makefile.in b/bin/tests/sockaddr/Makefile.in
index 027543fa..fe656fad 100644
--- a/bin/tests/sockaddr/Makefile.in
+++ b/bin/tests/sockaddr/Makefile.in
@@ -24,15 +24,22 @@ CINCLUDES =	${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
 CDEFINES =
 CWARNINGS =
 
-DEPLIBS =	../../../lib/dns/libdns.@A@ \
-		../../../lib/tests/libt_api.@A@ \
-		../../../lib/isc/libisc.@A@
+DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@
+ISCLIBS =	../../../lib/isc/libisc.@A@
+TAPIDEPLIBS =	../../../lib/tests/libt_api.@A@
 
-LIBS =		${DEPLIBS} \
-		@LIBS@
+DNSDEPLIBS =	../../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../../lib/isc/libisc.@A@
+TAPILIBS =	../../../lib/tests/libt_api.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${TAPIDEPLIBS} ${ISCDEPLIBS} 
+
+LIBS =		${DNSLIBS} ${TAPILIBS} ${ISCLIBS} @LIBS@
 
 TARGETS =	t_sockaddr
 
+SRCS =		t_sockaddr.c
+
 @BIND9_MAKE_RULES@
 
 t_sockaddr: t_sockaddr.@O@ ${DEPLIBS}
diff --git a/bin/tests/sockaddr/t_sockaddr.c b/bin/tests/sockaddr/t_sockaddr.c
index 76d57078..576671d5 100644
--- a/bin/tests/sockaddr/t_sockaddr.c
+++ b/bin/tests/sockaddr/t_sockaddr.c
@@ -17,15 +17,7 @@
 
 #include <config.h>
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/mem.h>
 #include <isc/netaddr.h>
-#include <isc/result.h>
 #include <isc/sockaddr.h>
 
 #include <tests/t_api.h>
diff --git a/bin/tests/sym_test.c b/bin/tests/sym_test.c
index 3210e788..429e03f2 100644
--- a/bin/tests/sym_test.c
+++ b/bin/tests/sym_test.c
@@ -17,24 +17,18 @@
 
 #include <config.h>
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/assertions.h>
 #include <isc/commandline.h>
-#include <isc/error.h>
-#include <isc/result.h>
+#include <isc/mem.h>
 #include <isc/symtab.h>
+#include <isc/util.h>
 
 isc_mem_t *mctx;
 isc_symtab_t *st;
 
 static void
-undefine_action(char *key, unsigned int type, isc_symvalue_t value, 
-		void *arg) 
+undefine_action(char *key, unsigned int type, isc_symvalue_t value, void *arg)
 {
-	(void) arg;
+	UNUSED(arg);
 
 	INSIST(type == 1);
 	isc_mem_free(mctx, key);
diff --git a/bin/tests/system/Makefile.in b/bin/tests/system/Makefile.in
new file mode 100644
index 00000000..f4a537c4
--- /dev/null
+++ b/bin/tests/system/Makefile.in
@@ -0,0 +1,31 @@
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+test: xfer_test dnssec_test xferquota_test notify_test views_test
+
+xfer_test:
+	sh ./run.sh xfer
+
+xferquota_test:
+	sh ./run.sh xferquota
+
+dnssec_test:
+	sh ./run.sh dnssec
+
+notify_test:
+	sh ./run.sh notify
+
+views_test:
+	sh ./run.sh views
diff --git a/bin/tests/system/README b/bin/tests/system/README
new file mode 100644
index 00000000..af9e91d2
--- /dev/null
+++ b/bin/tests/system/README
@@ -0,0 +1,42 @@
+
+This is a simple test environment for running bind9 system tests
+involving multiple name servers.
+
+There are multiple test suites, each in a separate subdirectory and
+involving a different DNS setup.  They are:
+
+  xfer/		Zone transfer, update, and NOTIFY tests
+  notify/	More NOTIFY tests
+  xferquota/	Zone transfer quota tests
+  dnssec/	DNSSEC tests
+
+Typically each test suite sets up 2-4 name servers and then performs
+one or more tests against them.  Within the test suite subdirectory,
+each name server has a separate subdirectory containing its
+configuration data.  By convention, these subdirectories are named
+"ns1", "ns2", etc.
+
+The tests are completely self-contained and do not require access to
+the real DNS.  One of the test servers (ns1) is set up as a root
+name server and is listed in the hints file of the others.
+
+To enable all servers to run on the same machine, they bind to
+separate virtual IP address on the loopback interface.  ns1 runs on
+10.53.0.1, ns2 on 10.53.0.2, etc.  Before running any tests, you must
+set up these addresses by running the script "ifconfig.sh".
+
+Because the servers run on port 53, the tests must be run as root.
+
+To run the tests:
+
+  sh run.sh xfer
+
+  sh run.sh notify
+
+  etc.
+
+To clean up files left behind by the tests:
+
+  sh clean.sh
+
+$Id: README,v 1.3 2000/05/22 21:29:21 gson Exp $
diff --git a/bin/tests/system/clean.sh b/bin/tests/system/clean.sh
new file mode 100755
index 00000000..e2a53ba4
--- /dev/null
+++ b/bin/tests/system/clean.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+#
+# Clean up after system tests.
+#
+
+. ./conf.sh
+
+find . -type f \( \
+    -name 'K*' -o -name '*~' -o -name '*.core' -o -name '*.log' \
+    -o -name '*.pid' -o -name '*.run' -o -name '*.keyset' \
+\) -print | xargs rm
+
+for d in $SUBDIRS
+do
+   test ! -f $d/clean.sh || ( cd $d && sh clean.sh )
+done
diff --git a/bin/tests/system/conf.sh b/bin/tests/system/conf.sh
new file mode 100755
index 00000000..4d83188a
--- /dev/null
+++ b/bin/tests/system/conf.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+# 
+# Common configuration data for system tests, to be sourced into
+# other shell scripts.
+#
+
+TOP="`cd ../../..; pwd`"
+
+NAMED=$TOP/bin/named/named
+DIG=$TOP/bin/dig/dig
+KEYGEN=$TOP/bin/dnssec/dnssec-keygen
+SIGNER=$TOP/bin/dnssec/dnssec-signzone
+KEYSIGNER=$TOP/bin/dnssec/dnssec-signkey
+KEYSETTOOL=$TOP/bin/dnssec/dnssec-makekeyset
+
+SUBDIRS="xfer dnssec xferquota"
+
+export NAMED DIG KEYGEN SIGNER KEYSIGNER KEYSETTOOL
diff --git a/bin/tests/system/digcomp.pl b/bin/tests/system/digcomp.pl
new file mode 100755
index 00000000..52d44773
--- /dev/null
+++ b/bin/tests/system/digcomp.pl
@@ -0,0 +1,93 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 1999, 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+# Compare two files, each with the output from dig, for differences.
+# Ignore "unimportant" differences, like ordering of NS lines, TTL's,
+# etc...
+
+$file1 = $ARGV[0];
+$file2 = $ARGV[1];
+
+$count = 0;
+$firstname = "";
+$status = 0;
+
+open(FILE1, $file1) || die("$! $file1");
+while (<FILE1>) {
+  chomp;
+  next if (/^;/);
+  if (/^(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(.+)$/) {
+    $name = $1;
+    $class = $2;
+    $type = $3;
+    $value = $4;
+    if ($type eq "SOA") {
+      $firstname = $name if ($firstname eq "");
+      if ($name eq $firstname) {
+	$name = "$name$count";
+	$count++;
+      }
+    }
+    if ($entry{"$name ; $class.$type ; $value"} ne "") {
+      $line = $entry{"$name ; $class.$type ; $value"};
+      print ("Duplicate entry in $file1:\n> $_\n< $line\n");
+    } else {
+      $entry{"$name ; $class.$type ; $value"} = $_;
+    }
+  }
+}
+close (FILE1);
+
+$printed = 0;
+
+open(FILE2, $file2) || die("$! $file2");
+while (<FILE2>) {
+  chomp;
+  next if (/^;/);
+  if (/^(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(.+)$/) {
+    $name = $1;
+    $class = $2;
+    $type = $3;
+    $value = $4;
+    if (($name eq $firstname) && ($type eq "SOA")) {
+      $count--;
+      $name = "$name$count";
+    }
+    if ($entry{"$name ; $class.$type ; $value"} ne "") {
+      $entry{"$name ; $class.$type ; $value"} = "";
+    } else {
+      print ("Only in $file2 (missing from $file1):\n") if ($printed == 0);
+      print ("> $_\n");
+      $printed++;
+      $status = 1;
+    }
+  }
+}
+close (FILE2);
+
+$printed = 0;
+
+foreach $key (keys(%entry)) {
+  if ($entry{$key} ne "") {
+    print ("Only in $file1 (missing from $file2):\n") if ($printed == 0);
+    print ("< $entry{$key}\n");
+    $status = 1;
+    $printed++;
+  }
+}
+
+exit($status);
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
new file mode 100644
index 00000000..c8d1f451
--- /dev/null
+++ b/bin/tests/system/dnssec/clean.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+rm -f */K* */*.keyset */*.signedkey */*.signed */trusted.conf
+rm -f ns1/root.db ns2/example.db ns3/secure.example.db
+rm -f ns3/unsecure.example.db ns3/bogus.example.db
+rm -f dig.out.* 
+
diff --git a/bin/tests/system/dnssec/ns1/named.conf b/bin/tests/system/dnssec/ns1/named.conf
new file mode 100644
index 00000000..740f08b9
--- /dev/null
+++ b/bin/tests/system/dnssec/ns1/named.conf
@@ -0,0 +1,16 @@
+//NS1
+
+options {
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	recursion no;
+	notify yes;
+};
+
+zone "." {
+	type master;
+	file "root.db.signed";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns1/root.db.in b/bin/tests/system/dnssec/ns1/root.db.in
new file mode 100644
index 00000000..86dccdc6
--- /dev/null
+++ b/bin/tests/system/dnssec/ns1/root.db.in
@@ -0,0 +1,13 @@
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry 
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
new file mode 100644
index 00000000..b1c42501
--- /dev/null
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+keyname=`$KEYGEN -a RSA -b 768 -n zone $zone`
+
+(cd ../ns2 && sh sign.sh )
+
+cp ../ns2/example.keyset .
+
+$KEYSIGNER example.keyset $keyname
+
+cat example.signedkey >> ../ns2/example.db.signed
+
+$KEYSETTOOL -t 3600 $keyname
+
+cat $infile $keyname.key > $zonefile
+
+$SIGNER -o $zone $zonefile
+
+# Configure the resolving server with a trusted key.
+
+cat $keyname.key | perl -n -e '
+my ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+my $key = join("", @rest);
+print <<EOF
+trusted-keys {
+    "$dn" $flags $proto $alg "$key";
+};
+EOF
+' > trusted.conf
+cp trusted.conf ../ns2/trusted.conf
+cp trusted.conf ../ns3/trusted.conf
+cp trusted.conf ../ns4/trusted.conf
diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
new file mode 100644
index 00000000..c4999882
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -0,0 +1,31 @@
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+			NS	ns3
+ns2			A	10.53.0.2
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+
+; A secure subdomain
+secure			NS	ns.secure
+ns.secure		A	10.53.0.3
+
+; An insecure subdomain
+insecure		NS	ns.insecure
+ns.insecure		A	10.53.0.3
+
+
+; A secure subdomain we're going to inject bogus data into
+bogus			NS	ns.bogus
+ns.bogus		A	10.53.0.3
+
+z			A	10.0.0.26
diff --git a/bin/tests/system/dnssec/ns2/named.conf b/bin/tests/system/dnssec/ns2/named.conf
new file mode 100644
index 00000000..f989db97
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/named.conf
@@ -0,0 +1,22 @@
+// NS2
+
+options {
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	recursion no;
+	notify yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
+
+zone "example" {
+	type master;
+	file "example.db.signed";
+	allow-update { any; };
+};
+
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns2/root.hint b/bin/tests/system/dnssec/ns2/root.hint
new file mode 100644
index 00000000..753aa036
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/root.hint
@@ -0,0 +1,3 @@
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.1
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
new file mode 100755
index 00000000..ad780e1e
--- /dev/null
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+zone=example.
+infile=example.db.in
+zonefile=example.db
+
+keyname=`$KEYGEN -a RSA -b 768 -n zone $zone`
+
+# Have the child generate a zone key and pass it to us,
+# sign it, and pass it back
+
+( cd ../ns3 && sh sign.sh )
+
+cp ../ns3/secure.example.keyset .
+
+$KEYSIGNER secure.example.keyset $keyname
+
+# This will leave two copies of the child's zone key in the signed db file;
+# that shouldn't cause any problems.
+cat secure.example.signedkey >>../ns3/secure.example.db.signed
+
+cp ../ns3/bogus.example.keyset .
+
+$KEYSIGNER bogus.example.keyset $keyname
+
+# This will leave two copies of the child's zone key in the signed db file;
+# that shouldn't cause any problems.
+cat bogus.example.signedkey >>../ns3/bogus.example.db.signed
+
+$KEYSETTOOL -t 3600 $keyname
+
+cat $infile $keyname.key >$zonefile
+
+$SIGNER -o $zone $zonefile
+
+
diff --git a/bin/tests/system/dnssec/ns3/bogus.example.db.in b/bin/tests/system/dnssec/ns3/bogus.example.db.in
new file mode 100644
index 00000000..88e71ad2
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/bogus.example.db.in
@@ -0,0 +1,15 @@
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/insecure.example.db b/bin/tests/system/dnssec/ns3/insecure.example.db
new file mode 100644
index 00000000..88e71ad2
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/insecure.example.db
@@ -0,0 +1,15 @@
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf
new file mode 100644
index 00000000..c6f1b76d
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/named.conf
@@ -0,0 +1,40 @@
+// NS3
+
+options {
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	recursion no;
+	notify yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
+
+zone "example" {
+	type slave;
+	masters { 10.53.0.2; };
+	file "example.bk";
+};
+
+zone "secure.example" {
+	type master;
+	file "secure.example.db.signed";
+	allow-update { any; };
+};
+
+zone "bogus.example" {
+	type master;
+	file "bogus.example.db.signed";
+	allow-update { any; };
+};
+
+zone "insecure.example" {
+	type master;
+	file "insecure.example.db";
+	allow-update { any; };
+};
+
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns3/root.hint b/bin/tests/system/dnssec/ns3/root.hint
new file mode 100644
index 00000000..753aa036
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/root.hint
@@ -0,0 +1,3 @@
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.1
diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in
new file mode 100644
index 00000000..88e71ad2
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/secure.example.db.in
@@ -0,0 +1,15 @@
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+d			A	10.0.0.4
+z			A	10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
new file mode 100755
index 00000000..7e7eb40b
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+zone=secure.example.
+infile=secure.example.db.in
+zonefile=secure.example.db
+
+keyname=`$KEYGEN -a RSA -b 768 -n zone $zone`
+
+$KEYSETTOOL -t 3600 $keyname.key
+
+cat $infile $keyname.key >$zonefile
+
+$SIGNER -o $zone $zonefile
+
+zone=bogus.example.
+infile=bogus.example.db.in
+zonefile=bogus.example.db
+
+keyname=`$KEYGEN -a RSA -b 768 -n zone $zone`
+
+$KEYSETTOOL -t 3600 $keyname.key
+
+cat $infile $keyname.key >$zonefile
+
+$SIGNER -o $zone $zonefile
diff --git a/bin/tests/system/dnssec/ns4/named.conf b/bin/tests/system/dnssec/ns4/named.conf
new file mode 100644
index 00000000..4e93547d
--- /dev/null
+++ b/bin/tests/system/dnssec/ns4/named.conf
@@ -0,0 +1,15 @@
+// NS4
+
+options {
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	recursion yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
+
+include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns4/root.hint b/bin/tests/system/dnssec/ns4/root.hint
new file mode 100644
index 00000000..753aa036
--- /dev/null
+++ b/bin/tests/system/dnssec/ns4/root.hint
@@ -0,0 +1,3 @@
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.1
diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh
new file mode 100755
index 00000000..d69f32f3
--- /dev/null
+++ b/bin/tests/system/dnssec/setup.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+cd ns1 && sh sign.sh
+
+echo "a.bogus.example.	A	10.0.0.22" >>../ns3/bogus.example.db.signed
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
new file mode 100644
index 00000000..e9964130
--- /dev/null
+++ b/bin/tests/system/dnssec/tests.sh
@@ -0,0 +1,134 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+echo "S:`date`"
+echo "T:system_dnssec:1"
+echo "A:A test to determine online functionality of dnssec tools"
+
+#
+# Perform tests
+#
+
+if [ -f dig.out.ns2 ]; then
+	rm -f dig.out.ns2
+fi
+if [ -f dig.out.ns3 ]; then
+	rm -f dig.out.ns3
+fi
+if [ -f dig.out.ns4 ]; then
+	rm -f dig.out.ns4
+fi
+
+# Make sure all of the servers are up
+status=0;
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd . \
+	@10.53.0.2 soa > dig.out.ns2
+status=`expr $status + $?`
+grep ";" dig.out.ns2
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd . \
+	@10.53.0.3 soa > dig.out.ns3
+status=`expr $status + $?`
+grep ";" dig.out.ns3
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd . \
+	@10.53.0.4 soa > dig.out.ns4
+status=`expr $status + $?`
+grep ";" dig.out.ns4
+
+rm -f dig.out.*
+
+# Check the example. domain
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+	a.example. @10.53.0.2 a > dig.out.ns2
+status=`expr $status + $?`
+grep ";" dig.out.ns2
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+	a.example. @10.53.0.3 a > dig.out.ns3
+status=`expr $status + $?`
+grep ";" dig.out.ns3
+
+perl ../digcomp.pl dig.out.ns2 dig.out.ns3
+status=`expr $status + $?`
+
+rm -f dig.out.*
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd +noauth \
+	a.example. @10.53.0.2 a > dig.out.ns2
+status=`expr $status + $?`
+grep ";" dig.out.ns2
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd +noauth \
+	a.example. @10.53.0.4 a > dig.out.ns4
+status=`expr $status + $?`
+grep ";" dig.out.ns2
+
+perl ../digcomp.pl dig.out.ns2 dig.out.ns4
+status=`expr $status + $?`
+
+# Check the insecure.example domain
+
+rm -f dig.out.*
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+	a.insecure.example. @10.53.0.3 a > dig.out.ns3
+status=`expr $status + $?`
+grep ";" dig.out.ns3
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+	a.insecure.example. @10.53.0.4 a > dig.out.ns4
+status=`expr $status + $?`
+grep ";" dig.out.ns4
+
+perl ../digcomp.pl dig.out.ns3 dig.out.ns4
+status=`expr $status + $?`
+
+# Check the secure.example domain
+
+rm -f dig.out.*
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+	a.secure.example. @10.53.0.3 a > dig.out.ns3
+status=`expr $status + $?`
+grep ";" dig.out.ns3
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+	a.secure.example. @10.53.0.4 a > dig.out.ns4
+status=`expr $status + $?`
+grep ";" dig.out.ns4
+
+perl ../digcomp.pl dig.out.ns3 dig.out.ns4
+status=`expr $status + $?`
+
+# Check the bogus domain
+
+rm -f dig.out.*
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocmd \
+	a.bogus.example. @10.53.0.4 a > dig.out.ns4
+grep "SERVFAIL" dig.out.ns4 > /dev/null
+status=`expr $status + $?`
+echo "SERVFAIL is expected in the following:"
+grep ";" dig.out.ns4
+
+if [ $status != 0 ]; then
+	echo "R:FAIL"
+else
+	echo "R:PASS"
+fi
+
diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh
new file mode 100755
index 00000000..9f82bff1
--- /dev/null
+++ b/bin/tests/system/ifconfig.sh
@@ -0,0 +1,95 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+#
+# Set up interface aliases for bind9 system tests.
+#
+
+sys=`../../../config.guess`
+
+case "$1" in
+
+    'start')
+	for ns in 1 2 3 4
+	do
+		case "$sys" in 
+		    sparc-sun-solaris2.[6-8])
+			ifconfig lo0:$ns 10.53.0.$ns up
+			;;
+		    *-pc-linux-gnu)
+			ifconfig lo:$ns 10.53.0.$ns up
+		        ;;
+		    *-unknown-freebsdelf3.4)
+			ifconfig lo0 10.53.0.$ns alias
+			;;
+		    *-unknown-netbsd*)
+			ifconfig lo0 10.53.0.$ns alias
+			;;
+		    *-pc-bsdi3.*)
+			ifconfig lo0 add 10.53.0.$ns
+			;;
+		    *-dec-osf5.*)
+			/sbin/ifconfig lo0 alias 10.53.0.$ns
+			;;
+		    *-dec-osf4.*)
+			/sbin/ifconfig lo0 alias 10.53.0.$ns
+			;;
+		    *-pc-bsdi4.*)
+			ifconfig lo0 add 10.53.0.$ns
+			;;
+	            *)
+			echo "Don't know how to set up interface.  Giving up."
+			exit 1
+		esac
+	done
+	;;
+
+    'stop')
+	for ns in 4 3 2 1
+	do
+		case "$sys" in 
+		    sparc-sun-solaris2.[6-8])
+			ifconfig lo0:$ns 10.53.0.$ns down
+			;;
+		    *-pc-linux-gnu)
+			ifconfig lo:$ns 10.53.0.$ns down
+		        ;;
+		    *-unknown-freebsdelf3.4)
+			ifconfig lo0 10.53.0.$ns delete
+			;;
+		    *-unknown-netbsd*)
+			ifconfig lo0 10.53.0.$ns delete
+			;;
+		    *-pc-bsdi3.*)
+			ifconfig lo0 remove 10.53.0.$ns
+			;;
+		    *-dec-osf5.*)
+			ifconfig lo0 -alias 10.53.0.$ns
+			;;
+		    *-dec-osf4.*)
+			ifconfig lo0 -alias 10.53.0.$ns
+			;;
+		    *-pc-bsdi4.*)
+			ifconfig lo0 remove 10.53.0.$ns
+			;;
+	            *)
+			echo "Don't know how to destroy interface.  Giving up."
+			exit 1
+		esac
+	done
+	;;
+esac
diff --git a/bin/tests/system/notify/clean.sh b/bin/tests/system/notify/clean.sh
new file mode 100755
index 00000000..edd71791
--- /dev/null
+++ b/bin/tests/system/notify/clean.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+#
+# Clean up after zone transfer tests.
+#
+
+rm -f ns3/example.bk dig.out.ns2 dig.out.ns3 ns*/named.run
+
diff --git a/bin/tests/system/notify/ns1/named.conf b/bin/tests/system/notify/ns1/named.conf
new file mode 100644
index 00000000..60e76813
--- /dev/null
+++ b/bin/tests/system/notify/ns1/named.conf
@@ -0,0 +1,12 @@
+options {
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	recursion no;
+	notify yes;
+};
+
+zone "." {
+	type master;
+	file "root.db";
+};
diff --git a/bin/tests/system/notify/ns1/root.db b/bin/tests/system/notify/ns1/root.db
new file mode 100644
index 00000000..86dccdc6
--- /dev/null
+++ b/bin/tests/system/notify/ns1/root.db
@@ -0,0 +1,13 @@
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry 
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
diff --git a/bin/tests/system/notify/ns2/example1.db b/bin/tests/system/notify/ns2/example1.db
new file mode 100644
index 00000000..3b11e002
--- /dev/null
+++ b/bin/tests/system/notify/ns2/example1.db
@@ -0,0 +1,140 @@
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				1          ; serial
+				300        ; refresh (300 seconds)
+				300        ; retry (300 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+example.		NS	ns3.example.
+ns3.example.		A	10.53.0.3
+
+$ORIGIN example.
+a			A	10.0.0.1
+$TTL 3600	; 1 hour
+a01			A	0.0.0.0
+a02			A	255.255.255.255
+a601			A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+			A6	64 ::ffff:ffff:ffff:ffff foo.
+			A6	127 ::1 foo.
+			A6	128  .
+afsdb01			AFSDB	0 hostname
+afsdb02			AFSDB	65535 .
+$TTL 300	; 5 minutes
+b			CNAME	foo.net.
+c			A	73.80.65.49
+$TTL 3600	; 1 hour
+cert01			CERT	65534 65535 PRIVATEOID (
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+cname01			CNAME	cname-target.
+cname02			CNAME	cname-target
+cname03			CNAME	.
+$TTL 300	; 5 minutes
+d			A	73.80.65.49
+$TTL 3600	; 1 hour
+dname01			DNAME	dname-target.
+dname02			DNAME	dname-target
+dname03			DNAME	.
+$TTL 300	; 5 minutes
+e			MX	10 mail
+			TXT	"one"
+			TXT	"three"
+			TXT	"two"
+			A	73.80.65.49
+			A	73.80.65.50
+			A	73.80.65.52
+			A	73.80.65.51
+f			A	73.80.65.52
+$TTL 3600	; 1 hour
+gpos01			GPOS	"-22.6882" "116.8652" "250.0"
+gpos02			GPOS	"" "" ""
+hinfo01			HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02			HINFO	"PC" "NetBSD"
+isdn01			ISDN	"isdn-address"
+isdn02			ISDN	"isdn-address" "subaddress"
+isdn03			ISDN	"isdn-address"
+isdn04			ISDN	"isdn-address" "subaddress"
+key01			KEY	512 255 1 (
+				AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR
+				yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3
+				GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o
+				jqf0BaqHT+8= )
+kx01			KX	10 kdc
+kx02			KX	10 .
+loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01			MG	madname
+mb02			MG	.
+md01			MD	madname
+			MD	.
+mf01			MF	madname
+			MF	.
+mg01			MG	mgmname
+mg02			MG	.
+minfo01			MINFO	rmailbx emailbx
+minfo02			MINFO	. .
+mr01			MR	mrname
+mr02			MR	.
+mx01			MX	10 mail
+mx02			MX	10 .
+naptr01			NAPTR	0 0 "" "" "" .
+naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+nsap-ptr01		NSAP-PTR foo.
+			NSAP-PTR .
+nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02			NSAP	0x47000580005a0000000001e133ffffff00016100
+nxt01			NXT	a.secure ( NS SOA MX SIG KEY LOC NXT )
+nxt02			NXT	. ( NSAP-PTR NXT )
+nxt03			NXT	. ( A )
+nxt04			NXT	. ( 127 )
+ptr01			PTR	example.
+px01			PX	65535 foo. bar.
+px02			PX	65535 . .
+rp01			RP	mbox-dname txt-dname
+rp02			RP	. .
+rt01			RT	0 intermediate-host
+rt02			RT	65535 .
+$TTL 300	; 5 minutes
+s			NS	ns.s
+$ORIGIN s.example.
+ns			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+sig01			SIG	NXT 1 3 3600 20000102030405 (
+				19961211100908 2143 foo
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+srv01			SRV	0 0 0 .
+srv02			SRV	65535 65535 65535 old-slow-box.example.com.
+$TTL 301	; 5 minutes 1 second
+t			A	73.80.65.49
+$TTL 3600	; 1 hour
+txt01			TXT	"foo"
+txt02			TXT	"foo" "bar"
+txt03			TXT	"foo"
+txt04			TXT	"foo" "bar"
+txt05			TXT	"foo bar"
+txt06			TXT	"foo bar"
+txt07			TXT	"foo bar"
+txt08			TXT	"foo\010bar"
+txt09			TXT	"foo\010bar"
+txt10			TXT	"foo bar"
+txt11			TXT	"\"foo\""
+txt12			TXT	"\"foo\""
+$TTL 300	; 5 minutes
+u			TXT	"txt-not-in-nxt"
+$ORIGIN u.example.
+a			A	73.80.65.49
+b			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+wks01			WKS	10.0.0.1 6 ( 0 1 2 21 23 )
+wks02			WKS	10.0.0.1 17 ( 0 1 2 53 )
+wks03			WKS	10.0.0.2 6 ( 65535 )
+x2501			X25	"123456789"
diff --git a/bin/tests/system/notify/ns2/example2.db b/bin/tests/system/notify/ns2/example2.db
new file mode 100644
index 00000000..ab2bb6a2
--- /dev/null
+++ b/bin/tests/system/notify/ns2/example2.db
@@ -0,0 +1,140 @@
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				2          ; serial
+				300        ; refresh (300 seconds)
+				300        ; retry (300 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+example.		NS	ns3.example.
+ns3.example.		A	10.53.0.3
+
+$ORIGIN example.
+a			A	10.0.0.2
+$TTL 3600	; 1 hour
+a01			A	0.0.0.0
+a02			A	255.255.255.255
+a601			A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+			A6	64 ::ffff:ffff:ffff:ffff foo.
+			A6	127 ::1 foo.
+			A6	128  .
+afsdb01			AFSDB	0 hostname
+afsdb02			AFSDB	65535 .
+$TTL 300	; 5 minutes
+b			CNAME	foo.net.
+c			A	73.80.65.49
+$TTL 3600	; 1 hour
+cert01			CERT	65534 65535 PRIVATEOID (
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+cname01			CNAME	cname-target.
+cname02			CNAME	cname-target
+cname03			CNAME	.
+$TTL 300	; 5 minutes
+d			A	73.80.65.49
+$TTL 3600	; 1 hour
+dname01			DNAME	dname-target.
+dname02			DNAME	dname-target
+dname03			DNAME	.
+$TTL 300	; 5 minutes
+e			MX	10 mail
+			TXT	"one"
+			TXT	"three"
+			TXT	"two"
+			A	73.80.65.49
+			A	73.80.65.50
+			A	73.80.65.52
+			A	73.80.65.51
+f			A	73.80.65.52
+$TTL 3600	; 1 hour
+gpos01			GPOS	"-22.6882" "116.8652" "250.0"
+gpos02			GPOS	"" "" ""
+hinfo01			HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02			HINFO	"PC" "NetBSD"
+isdn01			ISDN	"isdn-address"
+isdn02			ISDN	"isdn-address" "subaddress"
+isdn03			ISDN	"isdn-address"
+isdn04			ISDN	"isdn-address" "subaddress"
+key01			KEY	512 255 1 (
+				AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR
+				yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3
+				GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o
+				jqf0BaqHT+8= )
+kx01			KX	10 kdc
+kx02			KX	10 .
+loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01			MG	madname
+mb02			MG	.
+md01			MD	madname
+			MD	.
+mf01			MF	madname
+			MF	.
+mg01			MG	mgmname
+mg02			MG	.
+minfo01			MINFO	rmailbx emailbx
+minfo02			MINFO	. .
+mr01			MR	mrname
+mr02			MR	.
+mx01			MX	10 mail
+mx02			MX	10 .
+naptr01			NAPTR	0 0 "" "" "" .
+naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+nsap-ptr01		NSAP-PTR foo.
+			NSAP-PTR .
+nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02			NSAP	0x47000580005a0000000001e133ffffff00016100
+nxt01			NXT	a.secure ( NS SOA MX SIG KEY LOC NXT )
+nxt02			NXT	. ( NSAP-PTR NXT )
+nxt03			NXT	. ( A )
+nxt04			NXT	. ( 127 )
+ptr01			PTR	example.
+px01			PX	65535 foo. bar.
+px02			PX	65535 . .
+rp01			RP	mbox-dname txt-dname
+rp02			RP	. .
+rt01			RT	0 intermediate-host
+rt02			RT	65535 .
+$TTL 300	; 5 minutes
+s			NS	ns.s
+$ORIGIN s.example.
+ns			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+sig01			SIG	NXT 1 3 3600 20000102030405 (
+				19961211100908 2143 foo
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+srv01			SRV	0 0 0 .
+srv02			SRV	65535 65535 65535 old-slow-box.example.com.
+$TTL 301	; 5 minutes 1 second
+t			A	73.80.65.49
+$TTL 3600	; 1 hour
+txt01			TXT	"foo"
+txt02			TXT	"foo" "bar"
+txt03			TXT	"foo"
+txt04			TXT	"foo" "bar"
+txt05			TXT	"foo bar"
+txt06			TXT	"foo bar"
+txt07			TXT	"foo bar"
+txt08			TXT	"foo\010bar"
+txt09			TXT	"foo\010bar"
+txt10			TXT	"foo bar"
+txt11			TXT	"\"foo\""
+txt12			TXT	"\"foo\""
+$TTL 300	; 5 minutes
+u			TXT	"txt-not-in-nxt"
+$ORIGIN u.example.
+a			A	73.80.65.49
+b			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+wks01			WKS	10.0.0.1 6 ( 0 1 2 21 23 )
+wks02			WKS	10.0.0.1 17 ( 0 1 2 53 )
+wks03			WKS	10.0.0.2 6 ( 65535 )
+x2501			X25	"123456789"
diff --git a/bin/tests/system/notify/ns2/example3.db b/bin/tests/system/notify/ns2/example3.db
new file mode 100644
index 00000000..e444a4c4
--- /dev/null
+++ b/bin/tests/system/notify/ns2/example3.db
@@ -0,0 +1,140 @@
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				3          ; serial
+				300        ; refresh (300 seconds)
+				300        ; retry (300 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+example.		NS	ns3.example.
+ns3.example.		A	10.53.0.3
+
+$ORIGIN example.
+a			A	10.0.0.3
+$TTL 3600	; 1 hour
+a01			A	0.0.0.0
+a02			A	255.255.255.255
+a601			A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+			A6	64 ::ffff:ffff:ffff:ffff foo.
+			A6	127 ::1 foo.
+			A6	128  .
+afsdb01			AFSDB	0 hostname
+afsdb02			AFSDB	65535 .
+$TTL 300	; 5 minutes
+b			CNAME	foo.net.
+c			A	73.80.65.49
+$TTL 3600	; 1 hour
+cert01			CERT	65534 65535 PRIVATEOID (
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+cname01			CNAME	cname-target.
+cname02			CNAME	cname-target
+cname03			CNAME	.
+$TTL 300	; 5 minutes
+d			A	73.80.65.49
+$TTL 3600	; 1 hour
+dname01			DNAME	dname-target.
+dname02			DNAME	dname-target
+dname03			DNAME	.
+$TTL 300	; 5 minutes
+e			MX	10 mail
+			TXT	"one"
+			TXT	"three"
+			TXT	"two"
+			A	73.80.65.49
+			A	73.80.65.50
+			A	73.80.65.52
+			A	73.80.65.51
+f			A	73.80.65.52
+$TTL 3600	; 1 hour
+gpos01			GPOS	"-22.6882" "116.8652" "250.0"
+gpos02			GPOS	"" "" ""
+hinfo01			HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02			HINFO	"PC" "NetBSD"
+isdn01			ISDN	"isdn-address"
+isdn02			ISDN	"isdn-address" "subaddress"
+isdn03			ISDN	"isdn-address"
+isdn04			ISDN	"isdn-address" "subaddress"
+key01			KEY	512 255 1 (
+				AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR
+				yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3
+				GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o
+				jqf0BaqHT+8= )
+kx01			KX	10 kdc
+kx02			KX	10 .
+loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01			MG	madname
+mb02			MG	.
+md01			MD	madname
+			MD	.
+mf01			MF	madname
+			MF	.
+mg01			MG	mgmname
+mg02			MG	.
+minfo01			MINFO	rmailbx emailbx
+minfo02			MINFO	. .
+mr01			MR	mrname
+mr02			MR	.
+mx01			MX	10 mail
+mx02			MX	10 .
+naptr01			NAPTR	0 0 "" "" "" .
+naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+nsap-ptr01		NSAP-PTR foo.
+			NSAP-PTR .
+nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02			NSAP	0x47000580005a0000000001e133ffffff00016100
+nxt01			NXT	a.secure ( NS SOA MX SIG KEY LOC NXT )
+nxt02			NXT	. ( NSAP-PTR NXT )
+nxt03			NXT	. ( A )
+nxt04			NXT	. ( 127 )
+ptr01			PTR	example.
+px01			PX	65535 foo. bar.
+px02			PX	65535 . .
+rp01			RP	mbox-dname txt-dname
+rp02			RP	. .
+rt01			RT	0 intermediate-host
+rt02			RT	65535 .
+$TTL 300	; 5 minutes
+s			NS	ns.s
+$ORIGIN s.example.
+ns			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+sig01			SIG	NXT 1 3 3600 20000102030405 (
+				19961211100908 2143 foo
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+srv01			SRV	0 0 0 .
+srv02			SRV	65535 65535 65535 old-slow-box.example.com.
+$TTL 301	; 5 minutes 1 second
+t			A	73.80.65.49
+$TTL 3600	; 1 hour
+txt01			TXT	"foo"
+txt02			TXT	"foo" "bar"
+txt03			TXT	"foo"
+txt04			TXT	"foo" "bar"
+txt05			TXT	"foo bar"
+txt06			TXT	"foo bar"
+txt07			TXT	"foo bar"
+txt08			TXT	"foo\010bar"
+txt09			TXT	"foo\010bar"
+txt10			TXT	"foo bar"
+txt11			TXT	"\"foo\""
+txt12			TXT	"\"foo\""
+$TTL 300	; 5 minutes
+u			TXT	"txt-not-in-nxt"
+$ORIGIN u.example.
+a			A	73.80.65.49
+b			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+wks01			WKS	10.0.0.1 6 ( 0 1 2 21 23 )
+wks02			WKS	10.0.0.1 17 ( 0 1 2 53 )
+wks03			WKS	10.0.0.2 6 ( 65535 )
+x2501			X25	"123456789"
diff --git a/bin/tests/system/notify/ns2/example4.db b/bin/tests/system/notify/ns2/example4.db
new file mode 100644
index 00000000..6496db0a
--- /dev/null
+++ b/bin/tests/system/notify/ns2/example4.db
@@ -0,0 +1,140 @@
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				4          ; serial
+				300        ; refresh (300 seconds)
+				300        ; retry (300 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+example.		NS	ns3.example.
+ns3.example.		A	10.53.0.3
+
+$ORIGIN example.
+a			A	10.0.0.4
+$TTL 3600	; 1 hour
+a01			A	0.0.0.0
+a02			A	255.255.255.255
+a601			A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+			A6	64 ::ffff:ffff:ffff:ffff foo.
+			A6	127 ::1 foo.
+			A6	128  .
+afsdb01			AFSDB	0 hostname
+afsdb02			AFSDB	65535 .
+$TTL 300	; 5 minutes
+b			CNAME	foo.net.
+c			A	73.80.65.49
+$TTL 3600	; 1 hour
+cert01			CERT	65534 65535 PRIVATEOID (
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+cname01			CNAME	cname-target.
+cname02			CNAME	cname-target
+cname03			CNAME	.
+$TTL 300	; 5 minutes
+d			A	73.80.65.49
+$TTL 3600	; 1 hour
+dname01			DNAME	dname-target.
+dname02			DNAME	dname-target
+dname03			DNAME	.
+$TTL 300	; 5 minutes
+e			MX	10 mail
+			TXT	"one"
+			TXT	"three"
+			TXT	"two"
+			A	73.80.65.49
+			A	73.80.65.50
+			A	73.80.65.52
+			A	73.80.65.51
+f			A	73.80.65.52
+$TTL 3600	; 1 hour
+gpos01			GPOS	"-22.6882" "116.8652" "250.0"
+gpos02			GPOS	"" "" ""
+hinfo01			HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02			HINFO	"PC" "NetBSD"
+isdn01			ISDN	"isdn-address"
+isdn02			ISDN	"isdn-address" "subaddress"
+isdn03			ISDN	"isdn-address"
+isdn04			ISDN	"isdn-address" "subaddress"
+key01			KEY	512 255 1 (
+				AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR
+				yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3
+				GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o
+				jqf0BaqHT+8= )
+kx01			KX	10 kdc
+kx02			KX	10 .
+loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01			MG	madname
+mb02			MG	.
+md01			MD	madname
+			MD	.
+mf01			MF	madname
+			MF	.
+mg01			MG	mgmname
+mg02			MG	.
+minfo01			MINFO	rmailbx emailbx
+minfo02			MINFO	. .
+mr01			MR	mrname
+mr02			MR	.
+mx01			MX	10 mail
+mx02			MX	10 .
+naptr01			NAPTR	0 0 "" "" "" .
+naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+nsap-ptr01		NSAP-PTR foo.
+			NSAP-PTR .
+nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02			NSAP	0x47000580005a0000000001e133ffffff00016100
+nxt01			NXT	a.secure ( NS SOA MX SIG KEY LOC NXT )
+nxt02			NXT	. ( NSAP-PTR NXT )
+nxt03			NXT	. ( A )
+nxt04			NXT	. ( 127 )
+ptr01			PTR	example.
+px01			PX	65535 foo. bar.
+px02			PX	65535 . .
+rp01			RP	mbox-dname txt-dname
+rp02			RP	. .
+rt01			RT	0 intermediate-host
+rt02			RT	65535 .
+$TTL 300	; 5 minutes
+s			NS	ns.s
+$ORIGIN s.example.
+ns			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+sig01			SIG	NXT 1 3 3600 20000102030405 (
+				19961211100908 2143 foo
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+srv01			SRV	0 0 0 .
+srv02			SRV	65535 65535 65535 old-slow-box.example.com.
+$TTL 301	; 5 minutes 1 second
+t			A	73.80.65.49
+$TTL 3600	; 1 hour
+txt01			TXT	"foo"
+txt02			TXT	"foo" "bar"
+txt03			TXT	"foo"
+txt04			TXT	"foo" "bar"
+txt05			TXT	"foo bar"
+txt06			TXT	"foo bar"
+txt07			TXT	"foo bar"
+txt08			TXT	"foo\010bar"
+txt09			TXT	"foo\010bar"
+txt10			TXT	"foo bar"
+txt11			TXT	"\"foo\""
+txt12			TXT	"\"foo\""
+$TTL 300	; 5 minutes
+u			TXT	"txt-not-in-nxt"
+$ORIGIN u.example.
+a			A	73.80.65.49
+b			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+wks01			WKS	10.0.0.1 6 ( 0 1 2 21 23 )
+wks02			WKS	10.0.0.1 17 ( 0 1 2 53 )
+wks03			WKS	10.0.0.2 6 ( 65535 )
+x2501			X25	"123456789"
diff --git a/bin/tests/system/notify/ns2/named.conf b/bin/tests/system/notify/ns2/named.conf
new file mode 100644
index 00000000..57402f61
--- /dev/null
+++ b/bin/tests/system/notify/ns2/named.conf
@@ -0,0 +1,18 @@
+options {
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	recursion no;
+	notify yes;
+	query-source address 10.53.0.2;
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
+
+zone "example" {
+	type master;
+	file "example.db";
+	allow-update { any; };
+};
diff --git a/bin/tests/system/notify/ns2/root.hint b/bin/tests/system/notify/ns2/root.hint
new file mode 100644
index 00000000..753aa036
--- /dev/null
+++ b/bin/tests/system/notify/ns2/root.hint
@@ -0,0 +1,3 @@
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.1
diff --git a/bin/tests/system/notify/ns3/named.conf b/bin/tests/system/notify/ns3/named.conf
new file mode 100644
index 00000000..bbf30f0f
--- /dev/null
+++ b/bin/tests/system/notify/ns3/named.conf
@@ -0,0 +1,22 @@
+options {
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	recursion yes;
+	notify yes;
+	query-source address 10.53.0.3;
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
+
+zone "example" {
+	type slave;
+	masters { 10.53.0.2; };
+        allow-update { any; };
+	file "example.bk";
+};
+
+
diff --git a/bin/tests/system/notify/ns3/root.hint b/bin/tests/system/notify/ns3/root.hint
new file mode 100644
index 00000000..753aa036
--- /dev/null
+++ b/bin/tests/system/notify/ns3/root.hint
@@ -0,0 +1,3 @@
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.1
diff --git a/bin/tests/system/notify/setup.sh b/bin/tests/system/notify/setup.sh
new file mode 100644
index 00000000..1f8d051a
--- /dev/null
+++ b/bin/tests/system/notify/setup.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+cp ns2/example1.db ns2/example.db
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
new file mode 100644
index 00000000..a1b82a1c
--- /dev/null
+++ b/bin/tests/system/notify/tests.sh
@@ -0,0 +1,116 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+echo "S:`date`"
+echo "T:system_notify:1"
+echo "A:A test to determine online functionality of notify"
+
+#
+# Perform tests
+#
+
+TOP="`cd ../../../..; pwd`"
+
+NAMED=$TOP/bin/named/named
+export NAMED
+
+if [ -f dig.out.ns2 ]; then
+	rm -f dig.out.ns2
+fi
+if [ -f dig.out.ns3 ]; then
+	rm -f dig.out.ns3
+fi
+
+status=0
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd a.example.\
+	@10.53.0.2 a > dig.out.ns2
+status=`expr $status + $?`
+grep ";" dig.out.ns2
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd a.example.\
+	@10.53.0.3 a > dig.out.ns3
+status=`expr $status + $?`
+grep ";" dig.out.ns3
+
+perl ../digcomp.pl dig.out.ns2 dig.out.ns3
+status=`expr $status + $?`
+
+rm -f ns2/example.db
+cp ns2/example2.db ns2/example.db
+sleep 6
+kill -HUP `cat ns2/named.pid`
+sleep 6
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd a.example.\
+	@10.53.0.2 a > dig.out.ns2
+status=`expr $status + $?`
+grep ";" dig.out.ns2
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd a.example.\
+	@10.53.0.3 a > dig.out.ns3
+status=`expr $status + $?`
+grep ";" dig.out.ns3
+
+perl ../digcomp.pl dig.out.ns2 dig.out.ns3
+status=`expr $status + $?`
+
+kill `cat ns3/named.pid`
+rm -f ns2/example.db
+cp ns2/example3.db ns2/example.db
+sleep 6
+kill -HUP `cat ns2/named.pid`
+(cd ns3 ; $NAMED -c named.conf -d 99 -g >> named.run 2>&1 & )
+sleep 6
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd a.example.\
+	@10.53.0.2 a > dig.out.ns2
+status=`expr $status + $?`
+grep ";" dig.out.ns2
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd a.example.\
+	@10.53.0.3 a > dig.out.ns3
+status=`expr $status + $?`
+grep ";" dig.out.ns3
+
+perl ../digcomp.pl dig.out.ns2 dig.out.ns3
+status=`expr $status + $?`
+
+rm -f ns2/example.db
+kill `cat ns2/named.pid`
+cp ns2/example4.db ns2/example.db
+sleep 6
+(cd ns2 ; $NAMED -c named.conf -d 99 -g >> named.run 2>&1 & )
+sleep 6
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd a.example.\
+	@10.53.0.2 a > dig.out.ns2
+status=`expr $status + $?`
+grep ";" dig.out.ns2
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd a.example.\
+	@10.53.0.3 a > dig.out.ns3
+status=`expr $status + $?`
+grep ";" dig.out.ns3
+
+perl ../digcomp.pl dig.out.ns2 dig.out.ns3
+status=`expr $status + $?`
+
+if [ $status != 0 ]; then
+	echo "R:FAIL"
+else
+	echo "R:PASS"
+fi
diff --git a/bin/tests/system/run.sh b/bin/tests/system/run.sh
new file mode 100755
index 00000000..2d2ddc80
--- /dev/null
+++ b/bin/tests/system/run.sh
@@ -0,0 +1,66 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+#
+# Run a system test.
+#
+. ./conf.sh
+
+whoami=`whoami`
+if [ $whoami != "root" ]; then
+	echo "I:System tests must be run as root."
+	exit
+fi
+
+sh ifconfig.sh start
+
+if [ $? != 0 ]; then
+	exit 0
+fi
+
+test $# -gt 0 || { echo "usage: runtest.sh test-directory" >&2; exit 1; }
+
+test=$1
+shift
+
+test -d $test || { echo "$0: $test: no such test" >&2; exit 1; }
+
+# Set up any dynamically generated test data
+if test -f $test/setup.sh
+then
+   ( cd $test && sh setup.sh "$@" )
+fi
+
+# Start name servers running
+sh start.sh $test
+
+sleep 10
+
+# Run the tests
+( cd $test ; sh tests.sh )
+
+status=$?
+
+# Shutdown
+sh stop.sh $test
+
+# Cleanup
+( cd $test ; sh clean.sh )
+
+sh ifconfig.sh stop
+
+exit $status
diff --git a/bin/tests/system/setup.sh b/bin/tests/system/setup.sh
new file mode 100755
index 00000000..7c01a3b1
--- /dev/null
+++ b/bin/tests/system/setup.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+#
+# Run a system test.
+#
+. ./conf.sh
+
+test $# -gt 0 || { echo "usage: runtest.sh test-directory" >&2; exit 1; }
+
+test=$1
+shift
+
+test -d $test || { echo "$0: $test: no such test" >&2; exit 1; }
+
+# Set up any dynamically generated test data
+if test -f $test/setup.sh
+then
+   ( cd $test && sh setup.sh "$@" )
+fi
+
+
diff --git a/bin/tests/system/start.sh b/bin/tests/system/start.sh
new file mode 100755
index 00000000..e6241c75
--- /dev/null
+++ b/bin/tests/system/start.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+#
+# Start name servers for running system tests.
+#
+
+
+. ./conf.sh
+cd $1
+
+for d in ns*
+do
+    (
+        cd $d
+	rm -f *.jnl *.bk named.run &&
+	if test -f named.pid
+	then
+	    if kill -0 `cat named.pid` 2>/dev/null
+	    then
+		echo "$0: named pid `cat named.pid` still running" >&2
+	        exit 1
+	    else
+		rm -f named.pid
+	    fi
+	fi
+	$NAMED -c named.conf -d 99 -g >named.run 2>&1 &
+	while test ! -f named.pid
+	do
+	    sleep 1
+        done
+    )
+done
+
diff --git a/bin/tests/system/stop.sh b/bin/tests/system/stop.sh
new file mode 100755
index 00000000..e0d59e73
--- /dev/null
+++ b/bin/tests/system/stop.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+#
+# Stop name servers.
+#
+
+cd $1
+
+for d in ns*
+do
+     pidfile="$d/named.pid"
+     if [ -f $pidfile ]; then
+        kill -TERM `cat $pidfile`
+     fi
+done
+
+sleep 5
+
+for d in ns*
+do
+     pidfile="$d/named.pid"
+     if [ -f $pidfile ]; then
+        kill -KILL `cat $pidfile`
+     fi
+done
diff --git a/bin/tests/system/views/clean.sh b/bin/tests/system/views/clean.sh
new file mode 100755
index 00000000..edd71791
--- /dev/null
+++ b/bin/tests/system/views/clean.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+#
+# Clean up after zone transfer tests.
+#
+
+rm -f ns3/example.bk dig.out.ns2 dig.out.ns3 ns*/named.run
+
diff --git a/bin/tests/system/views/setup.sh b/bin/tests/system/views/setup.sh
new file mode 100644
index 00000000..673f6b31
--- /dev/null
+++ b/bin/tests/system/views/setup.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+
+cp ns2/example1.db ns2/example.db
+cp ns2/named1.conf ns2/named.conf
+cp ns3/named1.conf ns3/named.conf
diff --git a/bin/tests/system/views/tests.sh b/bin/tests/system/views/tests.sh
new file mode 100644
index 00000000..8b635e64
--- /dev/null
+++ b/bin/tests/system/views/tests.sh
@@ -0,0 +1,87 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+echo "S:`date`"
+echo "T:system_views:1"
+echo "A:A test to determine online functionality of views"
+
+#
+# Perform tests
+#
+
+TOP="`cd ../../../..; pwd`"
+
+NAMED=$TOP/bin/named/named
+export NAMED
+
+rm -f dig.out.ns2* dig.out.ns3* 2>&1 > /dev/null
+
+status=0;
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd +noauth\
+	a.example. @10.53.0.2 any > dig.out.ns2.1
+status=`expr $status + $?`
+grep ";" dig.out.ns2.1
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd +noauth\
+	a.example. @10.53.0.3 any > dig.out.ns3.1
+status=`expr $status + $?`
+grep ";" dig.out.ns3.1
+
+rm -f ns2/named.conf ns3/named.conf ns2/example.db
+cp ns2/named2.conf ns2/named.conf
+cp ns3/named2.conf ns3/named.conf
+cp ns2/example2.db ns2/example.db
+kill -HUP `cat ns2/named.pid`
+kill -HUP `cat ns3/named.pid`
+sleep 10
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd +noauth\
+	-b 10.53.0.4 a.example. @10.53.0.4 any > dig.out.ns4.2
+status=`expr $status + $?`
+grep ";" dig.out.ns4.2
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd +noauth\
+	-b 10.53.0.2 a.example. @10.53.0.2 any > dig.out.ns2.2
+status=`expr $status + $?`
+grep ";" dig.out.ns2.2
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd +noauth\
+	@10.53.0.3 a.example. any > dig.out.ns3.2
+status=`expr $status + $?`
+grep ";" dig.out.ns3.2
+
+perl ../digcomp.pl dig.out.ns2.1 dig.out.ns4.2
+status=`expr $status + $?`
+
+perl ../digcomp.pl dig.out.ns3.1 dig.out.ns2.2
+status=`expr $status + $?`
+
+perl ../digcomp.pl dig.out.ns3.1 dig.out.ns3.2
+status=`expr $status + $?`
+
+echo "Differences should be found in the following lines:"
+perl ../digcomp.pl dig.out.ns2.1 dig.out.ns3.2
+if [ $? = 0 ]; then
+	echo "No differences found.  Something's wrong."
+	$status=`expr $status + 1`
+fi
+
+if [ $status != 0 ]; then
+	echo "R:FAIL"
+else
+	echo "R:PASS"
+fi
diff --git a/bin/tests/system/xfer/clean.sh b/bin/tests/system/xfer/clean.sh
new file mode 100755
index 00000000..edd71791
--- /dev/null
+++ b/bin/tests/system/xfer/clean.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+#
+# Clean up after zone transfer tests.
+#
+
+rm -f ns3/example.bk dig.out.ns2 dig.out.ns3 ns*/named.run
+
diff --git a/bin/tests/system/xfer/knowngood.dig.out b/bin/tests/system/xfer/knowngood.dig.out
new file mode 100644
index 00000000..e85ecd62
--- /dev/null
+++ b/bin/tests/system/xfer/knowngood.dig.out
@@ -0,0 +1,105 @@
+example.		300	IN	SOA	mname1. . ( 2000042795 20 20 1814400 3600 )
+example.		300	IN	NS	ns2.example.
+example.		300	IN	NS	ns3.example.
+*.example.		300	IN	MX	10 mail.example.
+a.example.		300	IN	TXT	"foo foo foo"
+a.example.		300	IN	PTR	foo.net.
+a01.example.		3600	IN	A	0.0.0.0
+a02.example.		3600	IN	A	255.255.255.255
+a601.example.		3600	IN	A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+a601.example.		3600	IN	A6	64 ::ffff:ffff:ffff:ffff foo.
+a601.example.		3600	IN	A6	127 ::1 foo.
+a601.example.		3600	IN	A6	128  .
+afsdb01.example.	3600	IN	AFSDB	0 hostname.example.
+afsdb02.example.	3600	IN	AFSDB	65535 .
+b.example.		300	IN	CNAME	foo.net.
+c.example.		300	IN	A	73.80.65.49
+cert01.example.		3600	IN	CERT	65534 65535 PRIVATEOID MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
+cname01.example.	3600	IN	CNAME	cname-target.
+cname02.example.	3600	IN	CNAME	cname-target.example.
+cname03.example.	3600	IN	CNAME	.
+d.example.		300	IN	A	73.80.65.49
+dname01.example.	3600	IN	DNAME	dname-target.
+dname02.example.	3600	IN	DNAME	dname-target.example.
+dname03.example.	3600	IN	DNAME	.
+e.example.		300	IN	MX	10 mail.example.
+e.example.		300	IN	TXT	"one"
+e.example.		300	IN	TXT	"three"
+e.example.		300	IN	TXT	"two"
+e.example.		300	IN	A	73.80.65.49
+e.example.		300	IN	A	73.80.65.50
+e.example.		300	IN	A	73.80.65.52
+e.example.		300	IN	A	73.80.65.51
+f.example.		300	IN	A	73.80.65.52
+gpos01.example.		3600	IN	GPOS	"-22.6882" "116.8652" "250.0"
+gpos02.example.		3600	IN	GPOS	"" "" ""
+hinfo01.example.	3600	IN	HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02.example.	3600	IN	HINFO	"PC" "NetBSD"
+isdn01.example.		3600	IN	ISDN	"isdn-address"
+isdn02.example.		3600	IN	ISDN	"isdn-address" "subaddress"
+isdn03.example.		3600	IN	ISDN	"isdn-address"
+isdn04.example.		3600	IN	ISDN	"isdn-address" "subaddress"
+key01.example.		3600	IN	KEY	512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
+kx01.example.		3600	IN	KX	10 kdc.example.
+kx02.example.		3600	IN	KX	10 .
+loc01.example.		3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02.example.		3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01.example.		3600	IN	MG	madname.example.
+mb02.example.		3600	IN	MG	.
+md01.example.		3600	IN	MD	madname.example.
+md01.example.		3600	IN	MD	.
+mf01.example.		3600	IN	MF	madname.example.
+mf01.example.		3600	IN	MF	.
+mg01.example.		3600	IN	MG	mgmname.example.
+mg02.example.		3600	IN	MG	.
+minfo01.example.	3600	IN	MINFO	rmailbx.example. emailbx.example.
+minfo02.example.	3600	IN	MINFO	. .
+mr01.example.		3600	IN	MR	mrname.example.
+mr02.example.		3600	IN	MR	.
+mx01.example.		3600	IN	MX	10 mail.example.
+mx02.example.		3600	IN	MX	10 .
+naptr01.example.	3600	IN	NAPTR	0 0 "" "" "" .
+naptr02.example.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+ns2.example.		300	IN	A	10.53.0.2
+ns3.example.		300	IN	A	10.53.0.3
+nsap-ptr01.example.	3600	IN	NSAP-PTR foo.
+nsap-ptr01.example.	3600	IN	NSAP-PTR .
+nsap01.example.		3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02.example.		3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
+nxt01.example.		3600	IN	NXT	a.secure.example. ( NS SOA MX SIG KEY LOC NXT )
+nxt02.example.		3600	IN	NXT	. ( NSAP-PTR NXT )
+nxt03.example.		3600	IN	NXT	. ( A )
+nxt04.example.		3600	IN	NXT	. ( 127 )
+ptr01.example.		3600	IN	PTR	example.
+px01.example.		3600	IN	PX	65535 foo. bar.
+px02.example.		3600	IN	PX	65535 . .
+rp01.example.		3600	IN	RP	mbox-dname.example. txt-dname.example.
+rp02.example.		3600	IN	RP	. .
+rt01.example.		3600	IN	RT	0 intermediate-host.example.
+rt02.example.		3600	IN	RT	65535 .
+s.example.		300	IN	NS	ns.s.example.
+ns.s.example.		300	IN	A	73.80.65.49
+sig01.example.		3600	IN	SIG	NXT 1 3 3600 20000102030405 19961211100908 2143 foo.example. MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
+srv01.example.		3600	IN	SRV	0 0 0 .
+srv02.example.		3600	IN	SRV	65535 65535 65535 old-slow-box.example.com.
+t.example.		301	IN	A	73.80.65.49
+txt01.example.		3600	IN	TXT	"foo"
+txt02.example.		3600	IN	TXT	"foo" "bar"
+txt03.example.		3600	IN	TXT	"foo"
+txt04.example.		3600	IN	TXT	"foo" "bar"
+txt05.example.		3600	IN	TXT	"foo bar"
+txt06.example.		3600	IN	TXT	"foo bar"
+txt07.example.		3600	IN	TXT	"foo bar"
+txt08.example.		3600	IN	TXT	"foo\010bar"
+txt09.example.		3600	IN	TXT	"foo\010bar"
+txt10.example.		3600	IN	TXT	"foo bar"
+txt11.example.		3600	IN	TXT	"\"foo\""
+txt12.example.		3600	IN	TXT	"\"foo\""
+u.example.		300	IN	TXT	"txt-not-in-nxt"
+a.u.example.		300	IN	A	73.80.65.49
+b.u.example.		300	IN	A	73.80.65.49
+wks01.example.		3600	IN	WKS	10.0.0.1 6 ( 0 1 2 21 23 )
+wks02.example.		3600	IN	WKS	10.0.0.1 17 ( 0 1 2 53 )
+wks03.example.		3600	IN	WKS	10.0.0.2 6 ( 65535 )
+x2501.example.		3600	IN	X25	"123456789"
+example.		300	IN	SOA	mname1. . ( 2000042795 20 20 1814400 3600 )
diff --git a/bin/tests/system/xfer/ns1/named.conf b/bin/tests/system/xfer/ns1/named.conf
new file mode 100644
index 00000000..60e76813
--- /dev/null
+++ b/bin/tests/system/xfer/ns1/named.conf
@@ -0,0 +1,12 @@
+options {
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	recursion no;
+	notify yes;
+};
+
+zone "." {
+	type master;
+	file "root.db";
+};
diff --git a/bin/tests/system/xfer/ns1/root.db b/bin/tests/system/xfer/ns1/root.db
new file mode 100644
index 00000000..86dccdc6
--- /dev/null
+++ b/bin/tests/system/xfer/ns1/root.db
@@ -0,0 +1,13 @@
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry 
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
diff --git a/bin/tests/system/xfer/ns2/example.db b/bin/tests/system/xfer/ns2/example.db
new file mode 100644
index 00000000..dbc6fddd
--- /dev/null
+++ b/bin/tests/system/xfer/ns2/example.db
@@ -0,0 +1,142 @@
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				2000042795 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+example.		NS	ns3.example.
+ns3.example.		A	10.53.0.3
+
+$ORIGIN example.
+*			MX	10 mail
+a			TXT	"foo foo foo"
+			PTR	foo.net.
+$TTL 3600	; 1 hour
+a01			A	0.0.0.0
+a02			A	255.255.255.255
+a601			A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+			A6	64 ::ffff:ffff:ffff:ffff foo.
+			A6	127 ::1 foo.
+			A6	128  .
+afsdb01			AFSDB	0 hostname
+afsdb02			AFSDB	65535 .
+$TTL 300	; 5 minutes
+b			CNAME	foo.net.
+c			A	73.80.65.49
+$TTL 3600	; 1 hour
+cert01			CERT	65534 65535 PRIVATEOID (
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+cname01			CNAME	cname-target.
+cname02			CNAME	cname-target
+cname03			CNAME	.
+$TTL 300	; 5 minutes
+d			A	73.80.65.49
+$TTL 3600	; 1 hour
+dname01			DNAME	dname-target.
+dname02			DNAME	dname-target
+dname03			DNAME	.
+$TTL 300	; 5 minutes
+e			MX	10 mail
+			TXT	"one"
+			TXT	"three"
+			TXT	"two"
+			A	73.80.65.49
+			A	73.80.65.50
+			A	73.80.65.52
+			A	73.80.65.51
+f			A	73.80.65.52
+$TTL 3600	; 1 hour
+gpos01			GPOS	"-22.6882" "116.8652" "250.0"
+gpos02			GPOS	"" "" ""
+hinfo01			HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02			HINFO	"PC" "NetBSD"
+isdn01			ISDN	"isdn-address"
+isdn02			ISDN	"isdn-address" "subaddress"
+isdn03			ISDN	"isdn-address"
+isdn04			ISDN	"isdn-address" "subaddress"
+key01			KEY	512 255 1 (
+				AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR
+				yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3
+				GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o
+				jqf0BaqHT+8= )
+kx01			KX	10 kdc
+kx02			KX	10 .
+loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01			MG	madname
+mb02			MG	.
+md01			MD	madname
+			MD	.
+mf01			MF	madname
+			MF	.
+mg01			MG	mgmname
+mg02			MG	.
+minfo01			MINFO	rmailbx emailbx
+minfo02			MINFO	. .
+mr01			MR	mrname
+mr02			MR	.
+mx01			MX	10 mail
+mx02			MX	10 .
+naptr01			NAPTR	0 0 "" "" "" .
+naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+nsap-ptr01		NSAP-PTR foo.
+			NSAP-PTR .
+nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02			NSAP	0x47000580005a0000000001e133ffffff00016100
+nxt01			NXT	a.secure ( NS SOA MX SIG KEY LOC NXT )
+nxt02			NXT	. ( NSAP-PTR NXT )
+nxt03			NXT	. ( A )
+nxt04			NXT	. ( 127 )
+ptr01			PTR	example.
+px01			PX	65535 foo. bar.
+px02			PX	65535 . .
+rp01			RP	mbox-dname txt-dname
+rp02			RP	. .
+rt01			RT	0 intermediate-host
+rt02			RT	65535 .
+$TTL 300	; 5 minutes
+s			NS	ns.s
+$ORIGIN s.example.
+ns			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+sig01			SIG	NXT 1 3 3600 20000102030405 (
+				19961211100908 2143 foo
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+srv01			SRV	0 0 0 .
+srv02			SRV	65535 65535 65535 old-slow-box.example.com.
+$TTL 301	; 5 minutes 1 second
+t			A	73.80.65.49
+$TTL 3600	; 1 hour
+txt01			TXT	"foo"
+txt02			TXT	"foo" "bar"
+txt03			TXT	"foo"
+txt04			TXT	"foo" "bar"
+txt05			TXT	"foo bar"
+txt06			TXT	"foo bar"
+txt07			TXT	"foo bar"
+txt08			TXT	"foo\010bar"
+txt09			TXT	"foo\010bar"
+txt10			TXT	"foo bar"
+txt11			TXT	"\"foo\""
+txt12			TXT	"\"foo\""
+$TTL 300	; 5 minutes
+u			TXT	"txt-not-in-nxt"
+$ORIGIN u.example.
+a			A	73.80.65.49
+b			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+wks01			WKS	10.0.0.1 6 ( 0 1 2 21 23 )
+wks02			WKS	10.0.0.1 17 ( 0 1 2 53 )
+wks03			WKS	10.0.0.2 6 ( 65535 )
+x2501			X25	"123456789"
diff --git a/bin/tests/system/xfer/ns2/named.conf b/bin/tests/system/xfer/ns2/named.conf
new file mode 100644
index 00000000..b50587bd
--- /dev/null
+++ b/bin/tests/system/xfer/ns2/named.conf
@@ -0,0 +1,18 @@
+options {
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	query-source address 10.53.0.2 port 1995;
+	recursion no;
+	notify yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
+
+zone "example" {
+	type master;
+	file "example.db";
+	allow-update { any; };
+};
diff --git a/bin/tests/system/xfer/ns2/root.hint b/bin/tests/system/xfer/ns2/root.hint
new file mode 100644
index 00000000..753aa036
--- /dev/null
+++ b/bin/tests/system/xfer/ns2/root.hint
@@ -0,0 +1,3 @@
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.1
diff --git a/bin/tests/system/xfer/ns3/named.conf b/bin/tests/system/xfer/ns3/named.conf
new file mode 100644
index 00000000..584ec030
--- /dev/null
+++ b/bin/tests/system/xfer/ns3/named.conf
@@ -0,0 +1,20 @@
+options {
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	recursion yes;
+	notify yes;
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
+
+zone "example" {
+	type slave;
+	masters { 10.53.0.2; };
+	file "example.bk";
+};
+
+
diff --git a/bin/tests/system/xfer/ns3/root.hint b/bin/tests/system/xfer/ns3/root.hint
new file mode 100644
index 00000000..753aa036
--- /dev/null
+++ b/bin/tests/system/xfer/ns3/root.hint
@@ -0,0 +1,3 @@
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.1
diff --git a/bin/tests/system/xfer/tests.sh b/bin/tests/system/xfer/tests.sh
new file mode 100644
index 00000000..26fa5957
--- /dev/null
+++ b/bin/tests/system/xfer/tests.sh
@@ -0,0 +1,55 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+echo "S:`date`"
+echo "T:system_xfer:1"
+echo "A:A test to determine online functionality of domain name transfers"
+
+#
+# Perform tests
+#
+
+if [ -f dig.out.ns2 ]; then
+	rm -f dig.out.ns2
+fi
+if [ -f dig.out.ns3 ]; then
+	rm -f dig.out.ns3
+fi
+
+
+status=0;
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example. \
+	@10.53.0.2 axfr > dig.out.ns2
+status=`expr $status + $?`
+grep ";" dig.out.ns2
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example. \
+	@10.53.0.3 axfr > dig.out.ns3
+status=`expr $status + $?`
+grep ";" dig.out.ns3
+
+perl ../digcomp.pl knowngood.dig.out dig.out.ns2
+status=`expr $status + $?`
+
+perl ../digcomp.pl knowngood.dig.out dig.out.ns3
+status=`expr $status + $?`
+
+if [ $status != 0 ]; then
+	echo "R:FAIL"
+else
+	echo "R:PASS"
+fi
diff --git a/bin/tests/system/xferquota/clean.sh b/bin/tests/system/xferquota/clean.sh
new file mode 100755
index 00000000..954e038a
--- /dev/null
+++ b/bin/tests/system/xferquota/clean.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+#
+# Clean up after zone transfer quota tests.
+#
+
+rm -f ns1/zone*.example.db ns1/zones.conf
+rm -f ns2/zone*.example.bk ns2/zones.conf
+rm -f dig.out.* rm ns*/named.run
+
diff --git a/bin/tests/system/xferquota/ns1/named.conf b/bin/tests/system/xferquota/ns1/named.conf
new file mode 100644
index 00000000..e468eed4
--- /dev/null
+++ b/bin/tests/system/xferquota/ns1/named.conf
@@ -0,0 +1,14 @@
+options {
+	directory ".";
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	recursion no;
+	notify yes;
+};
+
+zone "." {
+	type master;
+	file "root.db";
+};
+
+include "zones.conf";
diff --git a/bin/tests/system/xferquota/ns1/root.db b/bin/tests/system/xferquota/ns1/root.db
new file mode 100644
index 00000000..86dccdc6
--- /dev/null
+++ b/bin/tests/system/xferquota/ns1/root.db
@@ -0,0 +1,13 @@
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry 
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
diff --git a/bin/tests/system/xferquota/ns2/example.db b/bin/tests/system/xferquota/ns2/example.db
new file mode 100644
index 00000000..dbc6fddd
--- /dev/null
+++ b/bin/tests/system/xferquota/ns2/example.db
@@ -0,0 +1,142 @@
+$ORIGIN .
+$TTL 300	; 5 minutes
+example			IN SOA	mname1. . (
+				2000042795 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.		NS	ns2.example.
+ns2.example.		A	10.53.0.2
+example.		NS	ns3.example.
+ns3.example.		A	10.53.0.3
+
+$ORIGIN example.
+*			MX	10 mail
+a			TXT	"foo foo foo"
+			PTR	foo.net.
+$TTL 3600	; 1 hour
+a01			A	0.0.0.0
+a02			A	255.255.255.255
+a601			A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+			A6	64 ::ffff:ffff:ffff:ffff foo.
+			A6	127 ::1 foo.
+			A6	128  .
+afsdb01			AFSDB	0 hostname
+afsdb02			AFSDB	65535 .
+$TTL 300	; 5 minutes
+b			CNAME	foo.net.
+c			A	73.80.65.49
+$TTL 3600	; 1 hour
+cert01			CERT	65534 65535 PRIVATEOID (
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+cname01			CNAME	cname-target.
+cname02			CNAME	cname-target
+cname03			CNAME	.
+$TTL 300	; 5 minutes
+d			A	73.80.65.49
+$TTL 3600	; 1 hour
+dname01			DNAME	dname-target.
+dname02			DNAME	dname-target
+dname03			DNAME	.
+$TTL 300	; 5 minutes
+e			MX	10 mail
+			TXT	"one"
+			TXT	"three"
+			TXT	"two"
+			A	73.80.65.49
+			A	73.80.65.50
+			A	73.80.65.52
+			A	73.80.65.51
+f			A	73.80.65.52
+$TTL 3600	; 1 hour
+gpos01			GPOS	"-22.6882" "116.8652" "250.0"
+gpos02			GPOS	"" "" ""
+hinfo01			HINFO	"Generic PC clone" "NetBSD-1.4"
+hinfo02			HINFO	"PC" "NetBSD"
+isdn01			ISDN	"isdn-address"
+isdn02			ISDN	"isdn-address" "subaddress"
+isdn03			ISDN	"isdn-address"
+isdn04			ISDN	"isdn-address" "subaddress"
+key01			KEY	512 255 1 (
+				AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aR
+				yzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3
+				GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5o
+				jqf0BaqHT+8= )
+kx01			KX	10 kdc
+kx02			KX	10 .
+loc01			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+loc02			LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
+mb01			MG	madname
+mb02			MG	.
+md01			MD	madname
+			MD	.
+mf01			MF	madname
+			MF	.
+mg01			MG	mgmname
+mg02			MG	.
+minfo01			MINFO	rmailbx emailbx
+minfo02			MINFO	. .
+mr01			MR	mrname
+mr02			MR	.
+mx01			MX	10 mail
+mx02			MX	10 .
+naptr01			NAPTR	0 0 "" "" "" .
+naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+nsap-ptr01		NSAP-PTR foo.
+			NSAP-PTR .
+nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
+nsap02			NSAP	0x47000580005a0000000001e133ffffff00016100
+nxt01			NXT	a.secure ( NS SOA MX SIG KEY LOC NXT )
+nxt02			NXT	. ( NSAP-PTR NXT )
+nxt03			NXT	. ( A )
+nxt04			NXT	. ( 127 )
+ptr01			PTR	example.
+px01			PX	65535 foo. bar.
+px02			PX	65535 . .
+rp01			RP	mbox-dname txt-dname
+rp02			RP	. .
+rt01			RT	0 intermediate-host
+rt02			RT	65535 .
+$TTL 300	; 5 minutes
+s			NS	ns.s
+$ORIGIN s.example.
+ns			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+sig01			SIG	NXT 1 3 3600 20000102030405 (
+				19961211100908 2143 foo
+				MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgi
+				WCn/GxHhai6VAuHAoNUz4YoU1tVfSCSqQYn6//11U6Nl
+				d80jEeC8aTrO+KKmCaY= )
+srv01			SRV	0 0 0 .
+srv02			SRV	65535 65535 65535 old-slow-box.example.com.
+$TTL 301	; 5 minutes 1 second
+t			A	73.80.65.49
+$TTL 3600	; 1 hour
+txt01			TXT	"foo"
+txt02			TXT	"foo" "bar"
+txt03			TXT	"foo"
+txt04			TXT	"foo" "bar"
+txt05			TXT	"foo bar"
+txt06			TXT	"foo bar"
+txt07			TXT	"foo bar"
+txt08			TXT	"foo\010bar"
+txt09			TXT	"foo\010bar"
+txt10			TXT	"foo bar"
+txt11			TXT	"\"foo\""
+txt12			TXT	"\"foo\""
+$TTL 300	; 5 minutes
+u			TXT	"txt-not-in-nxt"
+$ORIGIN u.example.
+a			A	73.80.65.49
+b			A	73.80.65.49
+$ORIGIN example.
+$TTL 3600	; 1 hour
+wks01			WKS	10.0.0.1 6 ( 0 1 2 21 23 )
+wks02			WKS	10.0.0.1 17 ( 0 1 2 53 )
+wks03			WKS	10.0.0.2 6 ( 65535 )
+x2501			X25	"123456789"
diff --git a/bin/tests/system/xferquota/ns2/named.conf b/bin/tests/system/xferquota/ns2/named.conf
new file mode 100644
index 00000000..46522223
--- /dev/null
+++ b/bin/tests/system/xferquota/ns2/named.conf
@@ -0,0 +1,16 @@
+options {
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	recursion no;
+	notify yes;
+
+	transfers-in 5;
+	transfers-per-ns 5;
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
+
+include "zones.conf";
diff --git a/bin/tests/system/xferquota/ns2/root.hint b/bin/tests/system/xferquota/ns2/root.hint
new file mode 100644
index 00000000..753aa036
--- /dev/null
+++ b/bin/tests/system/xferquota/ns2/root.hint
@@ -0,0 +1,3 @@
+$TTL 999999
+.			 IN NS	a.root-servers.nil.
+a.root-servers.nil.	 IN A	10.53.0.1
diff --git a/bin/tests/system/xferquota/setup.pl b/bin/tests/system/xferquota/setup.pl
new file mode 100755
index 00000000..560c0a84
--- /dev/null
+++ b/bin/tests/system/xferquota/setup.pl
@@ -0,0 +1,42 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+#
+# Set up test data for zone transfer quota tests.
+#
+use FileHandle;
+
+my $masterconf = new FileHandle("ns1/zones.conf", "w") or die;
+my $slaveconf  = new FileHandle("ns2/zones.conf", "w") or die;
+
+for ($z = 0; $z < 100; $z++) {
+    my $zn = sprintf("zone%06d.example", $z);
+    print $masterconf "zone \"$zn\" { type master; file \"$zn.db\"; };\n";
+    print $slaveconf  "zone \"$zn\" { type slave; file \"$zn.bk\"; masters { 10.53.0.1; }; };\n";
+    my $fn = "ns1/$zn.db";
+    my $f = new FileHandle($fn, "w") or die "open: $fn: $!";
+    print $f "\$TTL 300
+\@	IN SOA 	. . 1 300 120 3600 86400
+	NS	ns1
+	NS	ns2
+	MX	10 mail1.isp.example.
+	MX	20 mail2.isp.example.
+www	A	10.0.0.1
+xyzzy   A       10.0.0.2
+";
+    $f->close;
+}
diff --git a/bin/tests/system/xferquota/setup.sh b/bin/tests/system/xferquota/setup.sh
new file mode 100755
index 00000000..4a3bd2f4
--- /dev/null
+++ b/bin/tests/system/xferquota/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+#
+# Set up test data for zone transfer quota tests.
+#
+perl setup.pl
+
diff --git a/bin/tests/system/xferquota/tests.sh b/bin/tests/system/xferquota/tests.sh
new file mode 100644
index 00000000..e47f98e9
--- /dev/null
+++ b/bin/tests/system/xferquota/tests.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+#
+# Copyright (C) 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+echo "S:`date`"
+echo "T:system_xferquota:1"
+echo "A:A test to determine online speed of domain name transfers"
+
+#
+# Perform tests
+#
+
+if [ -f dig.out.ns1 ]; then
+	rm -f dig.out.ns1
+fi
+if [ -f dig.out.ns2 ]; then
+	rm -f dig.out.ns2
+fi
+
+count=0
+ticks=0
+while [ $count != 100 ]; do
+	sleep 5
+	ticks=`expr $ticks + 1`
+	seconds=`expr $ticks \* 5`
+	if [ $ticks = 60 ]; then
+		echo "Took too long to load domains."
+		exit 1;
+	fi
+	count=`cat ns2/zone*.bk | grep xyzzy | wc -l`
+	echo "I:Have $count domains up in $seconds seconds"
+done
+
+status=0;
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+	zone000099.example. @10.53.0.1 axfr > dig.out.ns1
+status=`expr $status + $?`
+grep ";" dig.out.ns1
+
+../../../dig/dig +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+	zone000099.example. @10.53.0.2 axfr > dig.out.ns2
+status=`expr $status + $?`
+grep ";" dig.out.ns2
+
+perl ../digcomp.pl dig.out.ns1 dig.out.ns2
+status=`expr $status + $?`
+
+if [ $status != 0 ]; then
+	echo "R:FAIL"
+else
+	echo "R:PASS"
+fi
diff --git a/bin/tests/task_test.c b/bin/tests/task_test.c
index 2772c6e8..6fc10205 100644
--- a/bin/tests/task_test.c
+++ b/bin/tests/task_test.c
@@ -17,25 +17,21 @@
 
 #include <config.h>
 
-#include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
 #include <isc/mem.h>
 #include <isc/task.h>
-#include <isc/thread.h>
-#include <isc/result.h>
+#include <isc/time.h>
 #include <isc/timer.h>
+#include <isc/util.h>
 
 isc_mem_t *mctx = NULL;
 
 static void
-my_callback(isc_task_t *task, isc_event_t *event)
-{
+my_callback(isc_task_t *task, isc_event_t *event) {
 	int i, j;
-	char *name = event->arg;
+	char *name = event->ev_arg;
 
 	j = 0;
 	for (i = 0; i < 1000000; i++)
@@ -46,16 +42,15 @@ my_callback(isc_task_t *task, isc_event_t *event)
 
 static void
 my_shutdown(isc_task_t *task, isc_event_t *event) {
-	char *name = event->arg;
+	char *name = event->ev_arg;
 
 	printf("shutdown %s (%p)\n", name, task);
 	isc_event_free(&event);
 }
 
 static void
-my_tick(isc_task_t *task, isc_event_t *event)
-{
-	char *name = event->arg;
+my_tick(isc_task_t *task, isc_event_t *event) {
+	char *name = event->ev_arg;
 
 	printf("task %p tick %s\n", task, name);
 	isc_event_free(&event);
@@ -83,10 +78,10 @@ main(int argc, char *argv[]) {
 	RUNTIME_CHECK(isc_taskmgr_create(mctx, workers, 0, &manager) ==
 		      ISC_R_SUCCESS);
 
-	RUNTIME_CHECK(isc_task_create(manager, NULL, 0, &t1) == ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc_task_create(manager, NULL, 0, &t2) == ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc_task_create(manager, NULL, 0, &t3) == ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc_task_create(manager, NULL, 0, &t4) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_create(manager, 0, &t1) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_create(manager, 0, &t2) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_create(manager, 0, &t3) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_task_create(manager, 0, &t4) == ISC_R_SUCCESS);
 
 	RUNTIME_CHECK(isc_task_onshutdown(t1, my_shutdown, "1") ==
 		      ISC_R_SUCCESS);
diff --git a/bin/tests/tasks/Makefile.in b/bin/tests/tasks/Makefile.in
index 07b6579b..1c36caaa 100644
--- a/bin/tests/tasks/Makefile.in
+++ b/bin/tests/tasks/Makefile.in
@@ -24,16 +24,22 @@ CINCLUDES =	${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
 CDEFINES =
 CWARNINGS =
 
+DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@
+ISCLIBS =	../../../lib/isc/libisc.@A@
+TAPIDEPLIBS =	../../../lib/tests/libt_api.@A@
 
-DEPLIBS =	../../../lib/dns/libdns.@A@ \
-		../../../lib/tests/libt_api.@A@ \
-		../../../lib/isc/libisc.@A@
+DNSDEPLIBS =	../../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../../lib/isc/libisc.@A@
+TAPILIBS =	../../../lib/tests/libt_api.@A@
 
-LIBS =		${DEPLIBS} \
-		@LIBS@
+DEPLIBS =	${DNSDEPLIBS} ${TAPIDEPLIBS} ${ISCDEPLIBS} 
+
+LIBS =		${DNSLIBS} ${TAPILIBS} ${ISCLIBS} @LIBS@
 
 TARGETS =	t_tasks
 
+SRCS =		t_tasks.c
+
 @BIND9_MAKE_RULES@
 
 t_tasks: t_tasks.@O@ ${DEPLIBS}
diff --git a/bin/tests/tasks/t_tasks.c b/bin/tests/tasks/t_tasks.c
index 4c9d9091..4a615e09 100644
--- a/bin/tests/tasks/t_tasks.c
+++ b/bin/tests/tasks/t_tasks.c
@@ -15,23 +15,19 @@
  * SOFTWARE.
  */
 
-#include	<config.h>
+#include <config.h>
 
-#include	<stdio.h>
-#include	<stdlib.h>
-#include	<unistd.h>
+#include <stdlib.h>
+#include <unistd.h>
 
-#include	<isc/assertions.h>
-#include	<isc/condition.h>
-#include	<isc/mutex.h>
-#include	<isc/error.h>
-#include	<isc/mem.h>
-#include	<isc/task.h>
-#include	<isc/thread.h>
-#include	<isc/result.h>
-#include	<isc/timer.h>
+#include <isc/condition.h>
+#include <isc/mem.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
 
-#include	<tests/t_api.h>
+#include <tests/t_api.h>
 
 void	t1(void);
 void	t2(void);
@@ -56,8 +52,7 @@ static int	t_tasks13(void);
 isc_mem_t *mctx = NULL;
 
 static void
-t1_callback(isc_task_t *task, isc_event_t *event)
-{
+t1_callback(isc_task_t *task, isc_event_t *event) {
 	int	i;
 	int	j;
 
@@ -66,7 +61,7 @@ t1_callback(isc_task_t *task, isc_event_t *event)
 	for (i = 0; i < 1000000; i++)
 		j += 100;
 
-	t_info("task %s\n", event->arg);
+	t_info("task %s\n", event->ev_arg);
 	isc_event_free(&event);
 }
 
@@ -74,15 +69,14 @@ static void
 t1_shutdown(isc_task_t *task, isc_event_t *event) {
 
 	task = task;
-	t_info("shutdown %s\n", event->arg);
+	t_info("shutdown %s\n", event->ev_arg);
 	isc_event_free(&event);
 }
 
 static void
-my_tick(isc_task_t *task, isc_event_t *event)
-{
+my_tick(isc_task_t *task, isc_event_t *event) {
 	task = task;
-	t_info("%s\n", event->arg);
+	t_info("%s\n", event->ev_arg);
 	isc_event_free(&event);
 }
 
@@ -134,25 +128,25 @@ t_tasks1() {
 		return(T_FAIL);
 	}
 
-	isc_result = isc_task_create(manager, NULL, 0, &task1);
+	isc_result = isc_task_create(manager, 0, &task1);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_task_create failed %d\n", isc_result);
 		return(T_FAIL);
 	}
 
-	isc_result = isc_task_create(manager, NULL, 0, &task2);
+	isc_result = isc_task_create(manager, 0, &task2);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_task_create failed %d\n", isc_result);
 		return(T_FAIL);
 	}
 
-	isc_result = isc_task_create(manager, NULL, 0, &task3);
+	isc_result = isc_task_create(manager, 0, &task3);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_task_create failed %d\n", isc_result);
 		return(T_FAIL);
 	}
 
-	isc_result = isc_task_create(manager, NULL, 0, &task4);
+	isc_result = isc_task_create(manager, 0, &task4);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_task_create failed %d\n", isc_result);
 		return(T_FAIL);
@@ -404,8 +398,8 @@ t2_shutdown(isc_task_t *task, isc_event_t *event) {
 
 	task = task; /* notused */
 
-	if (event->arg != NULL) {
-		isc_task_destroy((isc_task_t**) &event->arg);
+	if (event->ev_arg != NULL) {
+		isc_task_destroy((isc_task_t**) &event->ev_arg);
 	}
 	else {
 		isc_result = isc_mutex_lock(&T2_mx);
@@ -435,8 +429,7 @@ t2_shutdown(isc_task_t *task, isc_event_t *event) {
 }
 
 static void
-t2_callback(isc_task_t *task, isc_event_t *event)
-{
+t2_callback(isc_task_t *task, isc_event_t *event) {
 	isc_result_t	isc_result;
 	isc_task_t	*newtask;
 
@@ -446,13 +439,15 @@ t2_callback(isc_task_t *task, isc_event_t *event)
 		t_info("T2_ntasks %d\n", T2_ntasks);
 	}
 
-	if (event->arg) {
+	if (event->ev_arg) {
 
-		event->arg = (void* ) (((int) event->arg) - 1);
+		event->ev_arg = (void *)(((int) event->ev_arg) - 1);
 
-		/* create a new task and forward the message */
+		/*
+		 * Create a new task and forward the message.
+		 */
 		newtask = NULL;
-		isc_result = isc_task_create(T2_manager, NULL, 0, &newtask);
+		isc_result = isc_task_create(T2_manager, 0, &newtask);
 		if (isc_result != ISC_R_SUCCESS) {
 			t_info("isc_task_create failed %d\n", isc_result);
 			++T2_nfails;
@@ -460,7 +455,7 @@ t2_callback(isc_task_t *task, isc_event_t *event)
 		}
 	
 		isc_result = isc_task_onshutdown(newtask, t2_shutdown,
-							(void *) task);
+						 (void *)task);
 		if (isc_result != ISC_R_SUCCESS) {
 			t_info("isc_task_onshutdown failed %d\n",
 						isc_result);
@@ -469,16 +464,16 @@ t2_callback(isc_task_t *task, isc_event_t *event)
 		}
 	
 		isc_task_send(newtask, &event);
-	}
-	else {
-		/* time to unwind, shutdown should perc back up */
+	} else {
+		/*
+		 * Time to unwind, shutdown should perc back up.
+		 */
 		isc_task_destroy(&task);
 	}
 }
 
 static int
 t_tasks2(void) {
-
 	int			ntasks;
 	int			result;
 	char			*p;
@@ -539,7 +534,7 @@ t_tasks2(void) {
 	}
 
 	T2_event = isc_event_allocate(T2_mctx, (void *)1, 1, t2_callback,
-					(void *) ntasks, sizeof *event);
+					(void *)ntasks, sizeof *event);
 	if (T2_event == NULL) {
 		t_info("isc_event_allocate failed\n");
 		return(T_UNRESOLVED);
@@ -594,7 +589,6 @@ static	int		T3_nprobs;
 
 static void
 t3_sde1(isc_task_t *task, isc_event_t *event) {
-
 	task = task;
 
 	if (T3_nevents != T3_NEVENTS) {
@@ -603,8 +597,7 @@ t3_sde1(isc_task_t *task, isc_event_t *event) {
 	}
 	if (T3_nsdevents == 1) {
 		++T3_nsdevents;
-	}
-	else {
+	} else {
 		t_info("Shutdown events not processed in LIFO order\n");
 		++T3_nfails;
 	}
@@ -622,8 +615,7 @@ t3_sde2(isc_task_t *task, isc_event_t *event) {
 	}
 	if (T3_nsdevents == 0) {
 		++T3_nsdevents;
-	}
-	else {
+	} else {
 		t_info("Shutdown events not processed in LIFO order\n");
 		++T3_nfails;
 	}
@@ -632,7 +624,6 @@ t3_sde2(isc_task_t *task, isc_event_t *event) {
 
 static void
 t3_event1(isc_task_t *task, isc_event_t *event) {
-
 	isc_result_t	isc_result;
 
 	task = task;
@@ -640,7 +631,7 @@ t3_event1(isc_task_t *task, isc_event_t *event) {
 	isc_result = isc_mutex_lock(&T3_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_lock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T3_nprobs;
 	}
 	while (T3_flag != 1) {
@@ -650,7 +641,7 @@ t3_event1(isc_task_t *task, isc_event_t *event) {
 	isc_result = isc_mutex_unlock(&T3_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_unlock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T3_nprobs;
 	}
 	isc_event_free(&event);
@@ -658,7 +649,6 @@ t3_event1(isc_task_t *task, isc_event_t *event) {
 
 static void
 t3_event2(isc_task_t *task, isc_event_t *event) {
-
 	task = task;
 
 	++T3_nevents;
@@ -667,7 +657,6 @@ t3_event2(isc_task_t *task, isc_event_t *event) {
 
 static int
 t_tasks3() {
-
 	int		cnt;
 	int		result;
 	char		*p;
@@ -698,14 +687,14 @@ t_tasks3() {
 	isc_result = isc_mem_create(0, 0, &mctx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mem_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		return(T_UNRESOLVED);
 	}
 
 	isc_result = isc_mutex_init(&T3_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_init failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -713,7 +702,7 @@ t_tasks3() {
 	isc_result = isc_condition_init(&T3_cv);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_condition_init failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -722,7 +711,7 @@ t_tasks3() {
 	isc_result = isc_taskmgr_create(mctx, workers, 0, &tmgr);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_taskmgr_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -730,36 +719,42 @@ t_tasks3() {
 	isc_result = isc_mutex_lock(&T3_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_lock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_taskmgr_destroy(&tmgr);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
 
 	task = NULL;
-	isc_result = isc_task_create(tmgr, mctx, 0, &task);
+	isc_result = isc_task_create(tmgr, 0, &task);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_task_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mutex_unlock(&T3_mx);
 		isc_taskmgr_destroy(&tmgr);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
 
-	/* this event causes the task to wait on T3_cv */
+	/*
+	 * This event causes the task to wait on T3_cv.
+	 */
 	event = isc_event_allocate(mctx, sender, event_type, t3_event1, NULL,
 				   sizeof(*event));
 	isc_task_send(task, &event);
 
-	/* now we fill up the task's event queue with some events */
+	/*
+	 * Now we fill up the task's event queue with some events.
+	 */
 	for (cnt = 0; cnt < T3_NEVENTS; ++cnt) {
 		event = isc_event_allocate(mctx, sender, event_type,
 					   t3_event2, NULL, sizeof(*event));
 		isc_task_send(task, &event);
 	}
 
-	/* now we register two shutdown events */
+	/*
+	 * Now we register two shutdown events.
+	 */
 	isc_result = isc_task_onshutdown(task, t3_sde1, NULL);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_task_send failed %s\n",
@@ -784,7 +779,9 @@ t_tasks3() {
 
 	isc_task_shutdown(task);
 
-	/* now we free the task by signaling T3_cv */
+	/*
+	 * Now we free the task by signaling T3_cv.
+	 */
 	T3_flag = 1;
 	isc_result = isc_condition_signal(&T3_cv);
 	if (isc_result != ISC_R_SUCCESS) {
@@ -825,9 +822,10 @@ t_tasks3() {
 	return(result);
 }
 
-static char	*a3 =	"When isc_task_shutdown() is called, any shutdown events "
-			"that have been requested via prior isc_task_onshutdown() calls "
-			"are posted in LIFO order.";
+static char	*a3 =	"When isc_task_shutdown() is called, any shutdown "
+			"events that have been requested via prior "
+			"isc_task_onshutdown() calls are posted in "
+			"LIFO order.";
 void
 t3(void) {
 	int	result;
@@ -845,15 +843,14 @@ static int		T4_nfails;
 
 static void
 t4_event1(isc_task_t *task, isc_event_t *event) {
-
 	isc_result_t	isc_result;
 
-	task = task;
+	UNUSED(task);
 
 	isc_result = isc_mutex_lock(&T4_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_lock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T4_nprobs;
 	}
 	while (T4_flag != 1) {
@@ -863,7 +860,7 @@ t4_event1(isc_task_t *task, isc_event_t *event) {
 	isc_result = isc_mutex_unlock(&T4_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_unlock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T4_nprobs;
 	}
 	isc_event_free(&event);
@@ -871,10 +868,12 @@ t4_event1(isc_task_t *task, isc_event_t *event) {
 
 static void
 t4_sde(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
 
-	task = task;
+	/*
+	 * No-op.
+	 */
 
-	/* no-op */
 	isc_event_free(&event);
 }
 
@@ -891,13 +890,12 @@ t_tasks4() {
 	isc_eventtype_t	event_type;
 	isc_event_t	*event;
 
-
 	T4_nprobs = 0;
 	T4_nfails = 0;
 	T4_flag = 0;
 
 	result = T_UNRESOLVED;
-	sender = (void *) 1;
+	sender = (void *)1;
 	event_type = 4;
 
 	workers = 2;
@@ -909,14 +907,14 @@ t_tasks4() {
 	isc_result = isc_mem_create(0, 0, &mctx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mem_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		return(T_UNRESOLVED);
 	}
 
 	isc_result = isc_mutex_init(&T4_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_init failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -924,7 +922,7 @@ t_tasks4() {
 	isc_result = isc_condition_init(&T4_cv);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_condition_init failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mutex_destroy(&T4_mx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
@@ -934,7 +932,7 @@ t_tasks4() {
 	isc_result = isc_taskmgr_create(mctx, workers, 0, &tmgr);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_taskmgr_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mutex_destroy(&T4_mx);
 		isc_condition_destroy(&T4_cv);
 		isc_mem_destroy(&mctx);
@@ -944,7 +942,7 @@ t_tasks4() {
 	isc_result = isc_mutex_lock(&T4_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_lock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mutex_destroy(&T4_mx);
 		isc_condition_destroy(&T4_cv);
 		isc_taskmgr_destroy(&tmgr);
@@ -953,10 +951,10 @@ t_tasks4() {
 	}
 
 	task = NULL;
-	isc_result = isc_task_create(tmgr, mctx, 0, &task);
+	isc_result = isc_task_create(tmgr, 0, &task);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_task_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mutex_destroy(&T4_mx);
 		isc_condition_destroy(&T4_cv);
 		isc_taskmgr_destroy(&tmgr);
@@ -964,7 +962,9 @@ t_tasks4() {
 		return(T_UNRESOLVED);
 	}
 
-	/* this event causes the task to wait on T4_cv */
+	/*
+	 * This event causes the task to wait on T4_cv.
+	 */
 	event = isc_event_allocate(mctx, sender, event_type, t4_event1, NULL,
 				   sizeof(*event));
 	isc_task_send(task, &event);
@@ -974,11 +974,13 @@ t_tasks4() {
 	isc_result = isc_task_onshutdown(task, t4_sde, NULL);
 	if (isc_result != ISC_R_SHUTTINGDOWN) {
 		t_info("isc_task_onshutdown returned %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T4_nfails;
 	}
 
-	/* release the task */
+	/*
+	 * Release the task.
+	 */
 	T4_flag = 1;
 
 	isc_result = isc_condition_signal(&T4_cv);
@@ -1011,8 +1013,8 @@ t_tasks4() {
 	return(result);
 }
 
-static char	*a4 =	"After isc_task_shutdown() has been called, any call to "
-			"isc_task_onshutdown() will return ISC_R_SHUTTINGDOWN.";
+static char *a4 = "After isc_task_shutdown() has been called, any call to "
+		  "isc_task_onshutdown() will return ISC_R_SHUTTINGDOWN.";
 
 void
 t4() {
@@ -1032,8 +1034,7 @@ static isc_condition_t	T7_cv;
 
 static void
 t7_event1(isc_task_t *task, isc_event_t *event) {
-
-	task = task;
+	UNUSED(task);
 
 	++T7_eflag;
 
@@ -1042,15 +1043,14 @@ t7_event1(isc_task_t *task, isc_event_t *event) {
 
 static void
 t7_sde(isc_task_t *task, isc_event_t *event) {
-
 	isc_result_t	isc_result;
 
-	task = task;
+	UNUSED(task);
 
 	isc_result = isc_mutex_lock(&T7_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_lock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T7_nprobs;
 	}
 
@@ -1059,14 +1059,14 @@ t7_sde(isc_task_t *task, isc_event_t *event) {
 	isc_result = isc_condition_signal(&T7_cv);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_condition_signal failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T7_nprobs;
 	}
 
 	isc_result = isc_mutex_unlock(&T7_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_unlock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T7_nprobs;
 	}
 
@@ -1095,7 +1095,7 @@ t_tasks7() {
 	T7_eflag = 0;
 
 	result = T_UNRESOLVED;
-	sender = (void *) 1;
+	sender = (void *)1;
 	event_type = 7;
 
 	workers = 2;
@@ -1107,14 +1107,14 @@ t_tasks7() {
 	isc_result = isc_mem_create(0, 0, &mctx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mem_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		return(T_UNRESOLVED);
 	}
 
 	isc_result = isc_mutex_init(&T7_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_init failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1122,7 +1122,7 @@ t_tasks7() {
 	isc_result = isc_condition_init(&T7_cv);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_condition_init failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mutex_destroy(&T7_mx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
@@ -1132,7 +1132,7 @@ t_tasks7() {
 	isc_result = isc_taskmgr_create(mctx, workers, 0, &tmgr);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_taskmgr_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mutex_destroy(&T7_mx);
 		isc_condition_destroy(&T7_cv);
 		isc_mem_destroy(&mctx);
@@ -1142,7 +1142,7 @@ t_tasks7() {
 	isc_result = isc_mutex_lock(&T7_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_lock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mutex_destroy(&T7_mx);
 		isc_condition_destroy(&T7_cv);
 		isc_taskmgr_destroy(&tmgr);
@@ -1151,10 +1151,10 @@ t_tasks7() {
 	}
 
 	task = NULL;
-	isc_result = isc_task_create(tmgr, mctx, 0, &task);
+	isc_result = isc_task_create(tmgr, 0, &task);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_task_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mutex_destroy(&T7_mx);
 		isc_condition_destroy(&T7_cv);
 		isc_taskmgr_destroy(&tmgr);
@@ -1165,7 +1165,7 @@ t_tasks7() {
 	isc_result = isc_task_onshutdown(task, t7_sde, NULL);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_task_onshutdown returned %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mutex_destroy(&T7_mx);
 		isc_condition_destroy(&T7_cv);
 		isc_task_destroy(&task);
@@ -1187,7 +1187,7 @@ t_tasks7() {
 		isc_result = isc_time_nowplusinterval(&now, &interval);
 		if (isc_result != ISC_R_SUCCESS) {
 			t_info("isc_time_nowplusinterval failed %s\n",
-					isc_result_totext(isc_result));
+			       isc_result_totext(isc_result));
 			isc_mutex_destroy(&T7_mx);
 			isc_condition_destroy(&T7_cv);
 			isc_task_destroy(&task);
@@ -1199,7 +1199,7 @@ t_tasks7() {
 		isc_result = isc_condition_waituntil(&T7_cv, &T7_mx, &now);
 		if (isc_result != ISC_R_SUCCESS) {
 			t_info("isc_condition_waituntil returned %s\n",
-					isc_result_totext(isc_result));
+			       isc_result_totext(isc_result));
 			isc_mutex_destroy(&T7_mx);
 			isc_condition_destroy(&T7_cv);
 			isc_task_destroy(&task);
@@ -1212,7 +1212,7 @@ t_tasks7() {
 	isc_result = isc_mutex_unlock(&T7_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_unlock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T7_nprobs;
 	}
 
@@ -1269,7 +1269,6 @@ static int		T10_testrange;
 
 static void
 t10_event1(isc_task_t *task, isc_event_t *event) {
-
 	isc_result_t	isc_result;
 
 	task = task;
@@ -1277,7 +1276,7 @@ t10_event1(isc_task_t *task, isc_event_t *event) {
 	isc_result = isc_mutex_lock(&T10_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_lock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T10_nprobs;
 	}
 
@@ -1285,7 +1284,7 @@ t10_event1(isc_task_t *task, isc_event_t *event) {
 		isc_result = isc_condition_wait(&T10_cv, &T10_mx);
 		if (isc_result != ISC_R_SUCCESS) {
 			t_info("isc_mutex_lock failed %s\n",
-					isc_result_totext(isc_result));
+			       isc_result_totext(isc_result));
 			++T10_nprobs;
 		}
 	}
@@ -1293,7 +1292,7 @@ t10_event1(isc_task_t *task, isc_event_t *event) {
 	isc_result = isc_mutex_unlock(&T10_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_unlock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T10_nprobs;
 	}
 
@@ -1315,44 +1314,44 @@ t10_event2(isc_task_t *task, isc_event_t *event) {
 
 	if (T_debug) {
 		t_info("Event %p,%d,%d,%s\n",
-			event->sender,
-			(int) event->type,
-			event->tag,
-			event->attributes & ISC_EVENTATTR_NOPURGE ? "NP" : "P");
+		       event->ev_sender,
+		       (int)event->ev_type,
+		       event->ev_tag,
+		       event->ev_attributes & ISC_EVENTATTR_NOPURGE ?
+		       		"NP" : "P");
 	}
 
 	if ((T10_purge_sender == 0) ||
-	    (T10_purge_sender == event->sender)) {
+	    (T10_purge_sender == event->ev_sender)) {
 		sender_match = 1;
 	}
 	if (T10_testrange == 0) {
-		if (T10_purge_type_first == event->type) {
+		if (T10_purge_type_first == event->ev_type) {
 			type_match = 1;
 		}
-	}
-	else {
-		if ((T10_purge_type_first <= event->type) &&
-		    (event->type <= T10_purge_type_last)) {
+	} else {
+		if ((T10_purge_type_first <= event->ev_type) &&
+		    (event->ev_type <= T10_purge_type_last)) {
 			type_match = 1;
 		}
 	}
 	if ((T10_purge_tag == NULL) ||
-	    (T10_purge_tag == event->tag)) {
+	    (T10_purge_tag == event->ev_tag)) {
 		tag_match = 1;
 	}
 		
 	if (sender_match && type_match && tag_match) {
-		if (event->attributes & ISC_EVENTATTR_NOPURGE) {
+		if (event->ev_attributes & ISC_EVENTATTR_NOPURGE) {
 			t_info("event %p,%d,%d matched but was not purgable\n",
-				event->sender, (int) event->type, event->tag);
+				event->ev_sender, (int)event->ev_type,
+			       event->ev_tag);
 			++T10_eventcnt;
-		}
-		else {
+		} else {
 			t_info("*** event %p,%d,%d not purged\n",
-				event->sender, (int) event->type, event->tag);
+				event->ev_sender, (int)event->ev_type,
+			       event->ev_tag);
 		}
-	}
-	else {
+	} else {
 		++T10_eventcnt;
 	}
 	isc_event_free(&event);
@@ -1361,7 +1360,6 @@ t10_event2(isc_task_t *task, isc_event_t *event) {
 
 static void
 t10_sde(isc_task_t *task, isc_event_t *event) {
-
 	isc_result_t	isc_result;
 
 	task = task;
@@ -1369,7 +1367,7 @@ t10_sde(isc_task_t *task, isc_event_t *event) {
 	isc_result = isc_mutex_lock(&T10_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_lock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T10_nprobs;
 	}
 
@@ -1378,14 +1376,14 @@ t10_sde(isc_task_t *task, isc_event_t *event) {
 	isc_result = isc_condition_signal(&T10_cv);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_condition_signal failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T10_nprobs;
 	}
 
 	isc_result = isc_mutex_unlock(&T10_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_unlock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T10_nprobs;
 	}
 
@@ -1393,10 +1391,10 @@ t10_sde(isc_task_t *task, isc_event_t *event) {
 }
 
 static void
-t_taskpurge_x(	int sender, int type, int tag,
-		int purge_sender, int purge_type_first, int purge_type_last, void *purge_tag,
-		int exp_nevents, int *nfails, int *nprobs, int testrange) {
-
+t_taskpurge_x(int sender, int type, int tag, int purge_sender,
+	      int purge_type_first, int purge_type_last, void *purge_tag,
+	      int exp_nevents, int *nfails, int *nprobs, int testrange)
+{
 	char		*p;
 	isc_mem_t	*mctx;
 	isc_taskmgr_t	*tmgr;
@@ -1433,7 +1431,7 @@ t_taskpurge_x(	int sender, int type, int tag,
 	isc_result = isc_mem_create(0, 0, &mctx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mem_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++*nprobs;
 		return;
 	}
@@ -1441,7 +1439,7 @@ t_taskpurge_x(	int sender, int type, int tag,
 	isc_result = isc_mutex_init(&T10_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_init failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mem_destroy(&mctx);
 		++*nprobs;
 		return;
@@ -1450,7 +1448,7 @@ t_taskpurge_x(	int sender, int type, int tag,
 	isc_result = isc_condition_init(&T10_cv);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_condition_init failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mem_destroy(&mctx);
 		isc_mutex_destroy(&T10_mx);
 		++*nprobs;
@@ -1461,7 +1459,7 @@ t_taskpurge_x(	int sender, int type, int tag,
 	isc_result = isc_taskmgr_create(mctx, workers, 0, &tmgr);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_taskmgr_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mem_destroy(&mctx);
 		isc_mutex_destroy(&T10_mx);
 		isc_condition_destroy(&T10_cv);
@@ -1470,10 +1468,10 @@ t_taskpurge_x(	int sender, int type, int tag,
 	}
 
 	task = NULL;
-	isc_result = isc_task_create(tmgr, mctx, 0, &task);
+	isc_result = isc_task_create(tmgr, 0, &task);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_task_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_taskmgr_destroy(&tmgr);
 		isc_mem_destroy(&mctx);
 		isc_mutex_destroy(&T10_mx);
@@ -1485,7 +1483,7 @@ t_taskpurge_x(	int sender, int type, int tag,
 	isc_result = isc_task_onshutdown(task, t10_sde, NULL);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_task_onshutdown returned %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_task_destroy(&task);
 		isc_taskmgr_destroy(&tmgr);
 		isc_mem_destroy(&mctx);
@@ -1495,38 +1493,39 @@ t_taskpurge_x(	int sender, int type, int tag,
 		return;
 	}
 
-	/* block the task on T10_cv */
-	event = isc_event_allocate(	mctx,
-					(void *) 1,
-					(isc_eventtype_t) T_CONTROL,
-					t10_event1,
-					NULL,
-					sizeof(*event));
+	/*
+	 * Block the task on T10_cv.
+	 */
+	event = isc_event_allocate(mctx, (void *)1, (isc_eventtype_t)T_CONTROL,
+				   t10_event1, NULL, sizeof(*event));
 
 	isc_task_send(task, &event);
 
 	/*
-	 * fill the task's queue with some messages with varying
-	 * sender, type, tag, and purgable attribute values
+	 * Fill the task's queue with some messages with varying
+	 * sender, type, tag, and purgable attribute values.
 	 */
 
 	event_cnt = 0;
 	for (sender_cnt = 0; sender_cnt < T10_SENDERCNT; ++sender_cnt) {
 		for (type_cnt = 0; type_cnt < T10_TYPECNT; ++type_cnt) {
 			for (tag_cnt = 0; tag_cnt < T10_TAGCNT; ++tag_cnt) {
-				eventtab[event_cnt] = isc_event_allocate(
-							mctx,
-							(void *) (sender + sender_cnt),
-							(isc_eventtype_t) (type + type_cnt),
-							t10_event2,
-							NULL,
-							sizeof(*event));
+				eventtab[event_cnt] =
+					isc_event_allocate(mctx,
+					    (void *)(sender + sender_cnt),
+					    (isc_eventtype_t)(type + type_cnt),
+					    t10_event2, NULL, sizeof(*event));
 				
-				eventtab[event_cnt]->tag = (void *)((int)tag + tag_cnt);
-
-				/* make all odd message non-purgable */
-				if ((sender_cnt % 2) && (type_cnt %2) && (tag_cnt %2))
-					eventtab[event_cnt]->attributes |= ISC_EVENTATTR_NOPURGE;
+				eventtab[event_cnt]->ev_tag =
+					(void *)((int)tag + tag_cnt);
+
+				/*
+				 * Make all odd message non-purgable.
+				 */
+				if ((sender_cnt % 2) && (type_cnt %2) &&
+				    (tag_cnt %2))
+					eventtab[event_cnt]->ev_attributes |=
+						ISC_EVENTATTR_NOPURGE;
 				++event_cnt;
 			}
 		}
@@ -1539,39 +1538,38 @@ t_taskpurge_x(	int sender, int type, int tag,
 		t_info("%d events queued\n", cnt);
 
 	if (testrange == 0) {
-		/* we're testing isc_task_purge */
-		nevents = isc_task_purge(task,
-					(void *) purge_sender,
-					(isc_eventtype_t) purge_type_first,
+		/*
+		 * We're testing isc_task_purge.
+		 */
+		nevents = isc_task_purge(task, (void *)purge_sender,
+					(isc_eventtype_t)purge_type_first,
 					purge_tag);
 		if (nevents != exp_nevents) {
 			t_info("*** isc_task_purge returned %d, expected %d\n",
 				nevents, exp_nevents);
 			++*nfails;
-		}
-		else if (T_debug)
+		} else if (T_debug)
 			t_info("isc_task_purge returned %d\n", nevents);
-	}
-	else {
-		/* we're testing isc_task_purgerange */
-		nevents = isc_task_purgerange(task,
-					(void *) purge_sender,
-					(isc_eventtype_t) purge_type_first,
-					(isc_eventtype_t) purge_type_last,
-					purge_tag);
+	} else {
+		/*
+		 * We're testing isc_task_purgerange.
+		 */
+		nevents = isc_task_purgerange(task, (void *)purge_sender,
+					     (isc_eventtype_t)purge_type_first,
+					     (isc_eventtype_t)purge_type_last,
+					     purge_tag);
 		if (nevents != exp_nevents) {
-			t_info("*** isc_task_purgerange returned %d, expected %d\n",
-				nevents, exp_nevents);
+			t_info("*** isc_task_purgerange returned %d, "
+			       "expected %d\n", nevents, exp_nevents);
 			++*nfails;
-		}
-		else if (T_debug)
+		} else if (T_debug)
 			t_info("isc_task_purgerange returned %d\n", nevents);
 	}
 
 	isc_result = isc_mutex_lock(&T10_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_lock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_task_destroy(&task);
 		isc_taskmgr_destroy(&tmgr);
 		isc_mem_destroy(&mctx);
@@ -1581,12 +1579,14 @@ t_taskpurge_x(	int sender, int type, int tag,
 		return;
 	}
 
-	/* unblock the task, allowing event processing */
+	/*
+	 * Unblock the task, allowing event processing.
+	 */
 	T10_startflag = 1;
 	isc_result = isc_condition_signal(&T10_cv);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_condition_signal failed %s\n",
-			isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++*nprobs;
 	}
 
@@ -1595,12 +1595,14 @@ t_taskpurge_x(	int sender, int type, int tag,
 	interval.seconds = 5;
 	interval.nanoseconds = 0;
 
-	/* wait for shutdown processing to complete */
+	/*
+	 * Wait for shutdown processing to complete.
+	 */
 	while (T10_shutdownflag == 0) {
 		isc_result = isc_time_nowplusinterval(&now, &interval);
 		if (isc_result != ISC_R_SUCCESS) {
 			t_info("isc_time_nowplusinterval failed %s\n",
-					isc_result_totext(isc_result));
+			       isc_result_totext(isc_result));
 			isc_task_detach(&task);
 			isc_taskmgr_destroy(&tmgr);
 			isc_mem_destroy(&mctx);
@@ -1613,7 +1615,7 @@ t_taskpurge_x(	int sender, int type, int tag,
 		isc_result = isc_condition_waituntil(&T10_cv, &T10_mx, &now);
 		if (isc_result != ISC_R_SUCCESS) {
 			t_info("isc_condition_waituntil returned %s\n",
-					isc_result_totext(isc_result));
+			       isc_result_totext(isc_result));
 			isc_task_detach(&task);
 			isc_taskmgr_destroy(&tmgr);
 			isc_mem_destroy(&mctx);
@@ -1627,7 +1629,7 @@ t_taskpurge_x(	int sender, int type, int tag,
 	isc_result = isc_mutex_unlock(&T10_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_unlock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++*nprobs;
 	}
 
@@ -1642,7 +1644,7 @@ t_taskpurge_x(	int sender, int type, int tag,
 
 	if ((T10_eventcnt + nevents) != event_cnt) {
 		t_info("*** processed %d, purged %d, total %d\n",
-			T10_eventcnt, nevents, event_cnt);
+		       T10_eventcnt, nevents, event_cnt);
 		++*nfails;
 	}
 }
@@ -1654,23 +1656,36 @@ t_tasks10() {
 	T10_nprobs = 0;
 	T10_nfails = 0;
 
-	/* try purging on a specific sender */
+	/*
+	 * Try purging on a specific sender.
+	 */
 	t_info("testing purge on 2,4,8 expecting 1\n");
-	t_taskpurge_x( 1, 4, 7, 2, 4, 4, (void *) 8, 1, &T10_nfails, &T10_nprobs, 0);
+	t_taskpurge_x(1, 4, 7, 2, 4, 4, (void *)8, 1, &T10_nfails,
+		      &T10_nprobs, 0);
 
-	/* try purging on all senders */
+	/*
+	 * Try purging on all senders.
+	 */
 	t_info("testing purge on 0,4,8 expecting 3\n");
-	t_taskpurge_x( 1, 4, 7, 0, 4, 4, (void *) 8, 3, &T10_nfails, &T10_nprobs, 0);
+	t_taskpurge_x(1, 4, 7, 0, 4, 4, (void *)8, 3, &T10_nfails,
+		      &T10_nprobs, 0);
 
-	/* try purging on all senders, specified type, all tags */
+	/*
+	 * Try purging on all senders, specified type, all tags.
+	 */
 	t_info("testing purge on 0,4,0 expecting 15\n");
-	t_taskpurge_x( 1, 4, 7, 0, 4, 4, NULL, 15, &T10_nfails, &T10_nprobs, 0);
+	t_taskpurge_x(1, 4, 7, 0, 4, 4, NULL, 15, &T10_nfails, &T10_nprobs, 0);
 
-	/* try purging on a specified tag, no such type */
+	/*
+	 * Try purging on a specified tag, no such type.
+	 */
 	t_info("testing purge on 0,99,8 expecting 0\n");
-	t_taskpurge_x( 1, 4, 7, 0, 99, 99, (void *) 8, 0, &T10_nfails, &T10_nprobs, 0);
+	t_taskpurge_x(1, 4, 7, 0, 99, 99, (void *)8, 0, &T10_nfails,
+		      &T10_nprobs, 0);
 
-	/* try purging on specified sender, type, all tags */
+	/*
+	 * Try purging on specified sender, type, all tags.
+	 */
 	t_info("testing purge on 0,5,0 expecting 5\n");
 	t_taskpurge_x( 1, 4, 7, 3, 5, 5, NULL, 5, &T10_nfails, &T10_nprobs, 0);
 
@@ -1684,10 +1699,10 @@ t_tasks10() {
 	return(result);
 }
 
-static char	*a10 =	"A call to isc_task_purge(task, sender, type, tag) purges "
-			"all events of type 'type' and with tag 'tag' not marked as "
-			"unpurgable from sender from the task's queue and returns "
-			"the number of events purged.";
+static char	*a10 =	"A call to isc_task_purge(task, sender, type, tag) "
+			"purges all events of type 'type' and with tag 'tag' "
+			"not marked as unpurgable from sender from the task's "
+			"queue and returns the number of events purged.";
 
 void
 t10(void) {
@@ -1706,10 +1721,8 @@ static int		T11_eventcnt;
 static isc_mutex_t	T11_mx;
 static isc_condition_t	T11_cv;
 
-
 static void
 t11_event1(isc_task_t *task, isc_event_t *event) {
-
 	isc_result_t	isc_result;
 
 	task = task;
@@ -1717,7 +1730,7 @@ t11_event1(isc_task_t *task, isc_event_t *event) {
 	isc_result = isc_mutex_lock(&T11_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_lock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T11_nprobs;
 	}
 
@@ -1725,7 +1738,7 @@ t11_event1(isc_task_t *task, isc_event_t *event) {
 		isc_result = isc_condition_wait(&T11_cv, &T11_mx);
 		if (isc_result != ISC_R_SUCCESS) {
 			t_info("isc_mutex_lock failed %s\n",
-					isc_result_totext(isc_result));
+			       isc_result_totext(isc_result));
 			++T11_nprobs;
 		}
 	}
@@ -1733,7 +1746,7 @@ t11_event1(isc_task_t *task, isc_event_t *event) {
 	isc_result = isc_mutex_unlock(&T11_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_unlock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T11_nprobs;
 	}
 
@@ -1742,8 +1755,8 @@ t11_event1(isc_task_t *task, isc_event_t *event) {
 
 static void
 t11_event2(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
 
-	task = task;
 	++T11_eventcnt;
 	isc_event_free(&event);
 }
@@ -1751,15 +1764,14 @@ t11_event2(isc_task_t *task, isc_event_t *event) {
 
 static void
 t11_sde(isc_task_t *task, isc_event_t *event) {
-
 	isc_result_t	isc_result;
 
-	task = task;
+	UNUSED(task);
 
 	isc_result = isc_mutex_lock(&T11_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_lock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T11_nprobs;
 	}
 
@@ -1768,14 +1780,14 @@ t11_sde(isc_task_t *task, isc_event_t *event) {
 	isc_result = isc_condition_signal(&T11_cv);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_condition_signal failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T11_nprobs;
 	}
 
 	isc_result = isc_mutex_unlock(&T11_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_unlock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T11_nprobs;
 	}
 
@@ -1784,7 +1796,6 @@ t11_sde(isc_task_t *task, isc_event_t *event) {
 
 static int
 t_tasks11(int purgable) {
-
 	char		*p;
 	isc_mem_t	*mctx;
 	isc_taskmgr_t	*tmgr;
@@ -1812,14 +1823,14 @@ t_tasks11(int purgable) {
 	isc_result = isc_mem_create(0, 0, &mctx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mem_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		return(T_UNRESOLVED);
 	}
 
 	isc_result = isc_mutex_init(&T11_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_init failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -1827,7 +1838,7 @@ t_tasks11(int purgable) {
 	isc_result = isc_condition_init(&T11_cv);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_condition_init failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mem_destroy(&mctx);
 		isc_mutex_destroy(&T11_mx);
 		return(T_UNRESOLVED);
@@ -1837,7 +1848,7 @@ t_tasks11(int purgable) {
 	isc_result = isc_taskmgr_create(mctx, workers, 0, &tmgr);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_taskmgr_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mem_destroy(&mctx);
 		isc_mutex_destroy(&T11_mx);
 		isc_condition_destroy(&T11_cv);
@@ -1845,10 +1856,10 @@ t_tasks11(int purgable) {
 	}
 
 	task = NULL;
-	isc_result = isc_task_create(tmgr, mctx, 0, &task);
+	isc_result = isc_task_create(tmgr, 0, &task);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_task_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_taskmgr_destroy(&tmgr);
 		isc_mem_destroy(&mctx);
 		isc_mutex_destroy(&T11_mx);
@@ -1859,7 +1870,7 @@ t_tasks11(int purgable) {
 	isc_result = isc_task_onshutdown(task, t11_sde, NULL);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_task_onshutdown returned %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_task_destroy(&task);
 		isc_taskmgr_destroy(&tmgr);
 		isc_mem_destroy(&mctx);
@@ -1868,46 +1879,42 @@ t_tasks11(int purgable) {
 		return(T_UNRESOLVED);
 	}
 
-	/* block the task on T11_cv */
-	event1 = isc_event_allocate(	mctx,
-					(void *) 1,
-					(isc_eventtype_t) 1,
-					t11_event1,
-					NULL,
-					sizeof(*event1));
+	/*
+	 * Block the task on T11_cv.
+	 */
+	event1 = isc_event_allocate(mctx, (void *)1, (isc_eventtype_t)1,
+				    t11_event1, NULL, sizeof(*event1));
 
 	isc_task_send(task, &event1);
 
-	event2 = isc_event_allocate(	mctx,
-					(void *) 1,
-					(isc_eventtype_t) 1,
-					t11_event2,
-					NULL,
-					sizeof(*event2));
+	event2 = isc_event_allocate(mctx, (void *)1, (isc_eventtype_t)1,
+				    t11_event2, NULL, sizeof(*event2));
 	event2_clone = event2;
 	if (purgable)
-		event2->attributes &= ~ISC_EVENTATTR_NOPURGE;
+		event2->ev_attributes &= ~ISC_EVENTATTR_NOPURGE;
 	else
-		event2->attributes |= ISC_EVENTATTR_NOPURGE;
+		event2->ev_attributes |= ISC_EVENTATTR_NOPURGE;
 
 	isc_task_send(task, &event2);
 
 	rval = isc_task_purgeevent(task, event2_clone);
 	if (rval != (purgable ? ISC_TRUE : ISC_FALSE)) {
 		t_info("isc_task_purgeevent returned %s, expected %s\n",
-			(rval ? "ISC_TRUE" : "ISC_FALSE"),
-			(purgable ? "ISC_TRUE" : "ISC_FALSE"));
+		       (rval ? "ISC_TRUE" : "ISC_FALSE"),
+		       (purgable ? "ISC_TRUE" : "ISC_FALSE"));
 		++T11_nfails;
 	}
 
 	isc_result = isc_mutex_lock(&T11_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_lock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T11_nprobs;
 	}
 
-	/* unblock the task, allowing event processing */
+	/*
+	 * Unblock the task, allowing event processing.
+	 */
 	T11_startflag = 1;
 	isc_result = isc_condition_signal(&T11_cv);
 	if (isc_result != ISC_R_SUCCESS) {
@@ -1921,19 +1928,21 @@ t_tasks11(int purgable) {
 	interval.seconds = 5;
 	interval.nanoseconds = 0;
 
-	/* wait for shutdown processing to complete */
+	/*
+	 * Wait for shutdown processing to complete.
+	 */
 	while (T11_shutdownflag == 0) {
 		isc_result = isc_time_nowplusinterval(&now, &interval);
 		if (isc_result != ISC_R_SUCCESS) {
 			t_info("isc_time_nowplusinterval failed %s\n",
-					isc_result_totext(isc_result));
+			       isc_result_totext(isc_result));
 			++T11_nprobs;
 		}
 	
 		isc_result = isc_condition_waituntil(&T11_cv, &T11_mx, &now);
 		if (isc_result != ISC_R_SUCCESS) {
 			t_info("isc_condition_waituntil returned %s\n",
-					isc_result_totext(isc_result));
+			       isc_result_totext(isc_result));
 			++T11_nprobs;
 		}
 	}
@@ -1941,7 +1950,7 @@ t_tasks11(int purgable) {
 	isc_result = isc_mutex_unlock(&T11_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_unlock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T11_nprobs;
 	}
 
@@ -1952,7 +1961,8 @@ t_tasks11(int purgable) {
 	isc_condition_destroy(&T11_cv);
 
 	if (T11_eventcnt != (purgable ? 0 : 1)) {
-		t_info("Event was %s purged\n", (purgable ? "not" : "unexpectedly"));
+		t_info("Event was %s purged\n",
+		       (purgable ? "not" : "unexpectedly"));
 		++T11_nfails;
 	}
 
@@ -1966,9 +1976,9 @@ t_tasks11(int purgable) {
 	return(result);
 }
 
-static char	*a11 =	"When the event is marked as purgable, a call to "
-			"isc_task_purgeevent(task, event) purges the event 'event' "
-			"from the task's queue and returns ISC_TRUE.";
+static char *a11 = "When the event is marked as purgable, a call to "
+		   "isc_task_purgeevent(task, event) purges the event 'event' "
+		   "from the task's queue and returns ISC_TRUE.";
 			
 void
 t11(void) {
@@ -1979,8 +1989,9 @@ t11(void) {
 }
 
 static char	*a12 =	"When the event is not marked as purgable, a call to "
-			"isc_task_purgeevent(task, event) does not purge the event 'event' "
-			"from the task's queue and returns ISC_FALSE.";
+			"isc_task_purgeevent(task, event) does not purge the "
+			"event 'event' from the task's queue and returns "
+			"ISC_FALSE.";
 
 static int
 t_tasks12() {
@@ -1998,10 +2009,12 @@ t12(void) {
 static int	T13_nfails;
 static int	T13_nprobs;
 
-static char	*a13 =	"A call to isc_event_purgerange(task, sender, first, last, tag) "
-			"purges all events not marked unpurgable from sender 'sender' and "
-			"of type within the range 'first' to 'last' inclusive from "
-			"the task's event queue and returns the number of tasks purged.";
+static char	*a13 =	"A call to "
+			"isc_event_purgerange(task, sender, first, last, tag) "
+			"purges all events not marked unpurgable from "
+			"sender 'sender' and of type within the range 'first' "
+			"to 'last' inclusive from the task's event queue and "
+			"returns the number of tasks purged.";
 			
 static int
 t_tasks13() {
@@ -2011,52 +2024,75 @@ t_tasks13() {
 	T13_nprobs = 0;
 
 	/*
-	 * first lets try the same cases we used in t10
+	 * First let's try the same cases we used in t10.
 	 */
 
-	/* try purging on a specific sender */
+	/*
+	 * Try purging on a specific sender.
+	 */
 	t_info("testing purge on 2,4,8 expecting 1\n");
-	t_taskpurge_x( 1, 4, 7, 2, 4, 4, (void *) 8, 1, &T13_nfails, &T13_nprobs, 1);
+	t_taskpurge_x(1, 4, 7, 2, 4, 4, (void *)8, 1,
+		      &T13_nfails, &T13_nprobs, 1);
 
-	/* try purging on all senders */
+	/*
+	 * Try purging on all senders.
+	 */
 	t_info("testing purge on 0,4,8 expecting 3\n");
-	t_taskpurge_x( 1, 4, 7, 0, 4, 4, (void *) 8, 3, &T13_nfails, &T13_nprobs, 1);
+	t_taskpurge_x(1, 4, 7, 0, 4, 4, (void *)8, 3,
+		      &T13_nfails, &T13_nprobs, 1);
 
-	/* try purging on all senders, specified type, all tags */
+	/*
+	 * Try purging on all senders, specified type, all tags.
+	 */
 	t_info("testing purge on 0,4,0 expecting 15\n");
-	t_taskpurge_x( 1, 4, 7, 0, 4, 4, NULL, 15, &T13_nfails, &T13_nprobs, 1);
+	t_taskpurge_x(1, 4, 7, 0, 4, 4, NULL, 15, &T13_nfails, &T13_nprobs, 1);
 
-	/* try purging on a specified tag, no such type */
+	/*
+	 * Try purging on a specified tag, no such type.
+	 */
 	t_info("testing purge on 0,99,8 expecting 0\n");
-	t_taskpurge_x( 1, 4, 7, 0, 99, 99, (void *) 8, 0, &T13_nfails, &T13_nprobs, 1);
+	t_taskpurge_x(1, 4, 7, 0, 99, 99, (void *)8, 0,
+		      &T13_nfails, &T13_nprobs, 1);
 
-	/* try purging on specified sender, type, all tags */
+	/*
+	 * Try purging on specified sender, type, all tags.
+	 */
 	t_info("testing purge on 3,5,0 expecting 5\n");
-	t_taskpurge_x( 1, 4, 7, 3, 5, 5, 0, 5, &T13_nfails, &T13_nprobs, 1);
+	t_taskpurge_x(1, 4, 7, 3, 5, 5, 0, 5, &T13_nfails, &T13_nprobs, 1);
 
 	/*
-	 * now lets try some ranges
+	 * Now let's try some ranges.
 	 */
 
 	t_info("testing purgerange on 2,4-5,8 expecting 2\n");
-	t_taskpurge_x( 1, 4, 7, 2, 4, 5, (void *) 8, 1, &T13_nfails, &T13_nprobs, 1);
+	t_taskpurge_x(1, 4, 7, 2, 4, 5, (void *)8, 1,
+		      &T13_nfails, &T13_nprobs, 1);
 
-	/* try purging on all senders */
+	/*
+	 * Try purging on all senders.
+	 */
 	t_info("testing purge on 0,4-5,8 expecting 5\n");
-	t_taskpurge_x( 1, 4, 7, 0, 4, 5, (void *) 8, 5, &T13_nfails, &T13_nprobs, 1);
+	t_taskpurge_x(1, 4, 7, 0, 4, 5, (void *)8, 5,
+		      &T13_nfails, &T13_nprobs, 1);
 
-	/* try purging on all senders, specified type, all tags */
+	/*
+	 * Try purging on all senders, specified type, all tags.
+	 */
 	t_info("testing purge on 0,5-6,0 expecting 28\n");
-	t_taskpurge_x( 1, 4, 7, 0, 5, 6, NULL, 28, &T13_nfails, &T13_nprobs, 1);
+	t_taskpurge_x(1, 4, 7, 0, 5, 6, NULL, 28, &T13_nfails, &T13_nprobs, 1);
 
-	/* try purging on a specified tag, no such type */
+	/*
+	 * Try purging on a specified tag, no such type.
+	 */
 	t_info("testing purge on 0,99-101,8 expecting 0\n");
-	t_taskpurge_x( 1, 4, 7, 0, 99, 101, (void *) 8, 0, &T13_nfails, &T13_nprobs, 1);
+	t_taskpurge_x(1, 4, 7, 0, 99, 101, (void *)8, 0,
+		      &T13_nfails, &T13_nprobs, 1);
 
-	/* try purging on specified sender, type, all tags */
+	/*
+	 * Try purging on specified sender, type, all tags.
+	 */
 	t_info("testing purge on 3,5-6,0 expecting 10\n");
-	t_taskpurge_x( 1, 4, 7, 3, 5, 6, NULL, 10, &T13_nfails, &T13_nprobs, 1);
-
+	t_taskpurge_x(1, 4, 7, 3, 5, 6, NULL, 10, &T13_nfails, &T13_nprobs, 1);
 
 	result = T_UNRESOLVED;
 
@@ -2065,10 +2101,9 @@ t_tasks13() {
 	else if (T13_nfails)
 		result = T_FAIL;
 
-	return(result);
+	return (result);
 }
 
-
 void
 t13(void) {
 	int	result;
diff --git a/bin/tests/timer_test.c b/bin/tests/timer_test.c
index 4f1a19a4..3a6261f1 100644
--- a/bin/tests/timer_test.c
+++ b/bin/tests/timer_test.c
@@ -17,18 +17,14 @@
 
 #include <config.h>
 
-#include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
-#include <string.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
 #include <isc/mem.h>
 #include <isc/task.h>
-#include <isc/thread.h>
-#include <isc/result.h>
+#include <isc/time.h>
 #include <isc/timer.h>
+#include <isc/util.h>
 
 isc_mem_t *mctx1, *mctx2, *mctx3;
 isc_task_t *t1, *t2, *t3;
@@ -37,18 +33,17 @@ int tick_count = 0;
 
 static void
 shutdown_task(isc_task_t *task, isc_event_t *event) {
-	char *name = event->arg;
+	char *name = event->ev_arg;
 
 	printf("task %p shutdown %s\n", task, name);
 	isc_event_free(&event);
 }
 
 static void
-tick(isc_task_t *task, isc_event_t *event)
-{
-	char *name = event->arg;
+tick(isc_task_t *task, isc_event_t *event) {
+	char *name = event->ev_arg;
 
-	INSIST(event->type == ISC_TIMEREVENT_TICK);
+	INSIST(event->ev_type == ISC_TIMEREVENT_TICK);
 
 	printf("task %s (%p) tick\n", name, task);
 
@@ -73,15 +68,14 @@ tick(isc_task_t *task, isc_event_t *event)
 }
 
 static void
-timeout(isc_task_t *task, isc_event_t *event)
-{
-	char *name = event->arg;
+timeout(isc_task_t *task, isc_event_t *event) {
+	char *name = event->ev_arg;
 	char *type;
 
-	INSIST(event->type == ISC_TIMEREVENT_IDLE || 
-	       event->type == ISC_TIMEREVENT_LIFE);
+	INSIST(event->ev_type == ISC_TIMEREVENT_IDLE || 
+	       event->ev_type == ISC_TIMEREVENT_LIFE);
 
-	if (event->type == ISC_TIMEREVENT_IDLE)
+	if (event->ev_type == ISC_TIMEREVENT_IDLE)
 		type = "idle";
 	else
 		type = "life";
@@ -112,17 +106,15 @@ main(int argc, char *argv[]) {
 	printf("%d workers\n", workers);
 
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx1) == ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx2) == ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx3) == ISC_R_SUCCESS);
 	RUNTIME_CHECK(isc_taskmgr_create(mctx1, workers, 0, &manager) ==
 		      ISC_R_SUCCESS);
 	RUNTIME_CHECK(isc_timermgr_create(mctx1, &timgr) == ISC_R_SUCCESS);
 
-	RUNTIME_CHECK(isc_task_create(manager, mctx1, 0, &t1) ==
+	RUNTIME_CHECK(isc_task_create(manager, 0, &t1) ==
 		      ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc_task_create(manager, mctx2, 0, &t2) ==
+	RUNTIME_CHECK(isc_task_create(manager, 0, &t2) ==
 		      ISC_R_SUCCESS);
-	RUNTIME_CHECK(isc_task_create(manager, mctx3, 0, &t3) ==
+	RUNTIME_CHECK(isc_task_create(manager, 0, &t3) ==
 		      ISC_R_SUCCESS);
 	RUNTIME_CHECK(isc_task_onshutdown(t1, shutdown_task, "1") ==
 		      ISC_R_SUCCESS);
@@ -148,7 +140,8 @@ main(int argc, char *argv[]) {
 		      ISC_R_SUCCESS);
 				       
 	isc_interval_set(&interval, 10, 0);
-	isc_time_add(&now, &interval, &expires);
+	RUNTIME_CHECK(isc_time_add(&now, &interval, &expires) ==
+		      ISC_R_SUCCESS);
 	isc_interval_set(&interval, 2, 0);
 	RUNTIME_CHECK(isc_timer_create(timgr, isc_timertype_once, &expires,
 				       &interval, t3, timeout, "3", &ti3) ==
@@ -171,12 +164,6 @@ main(int argc, char *argv[]) {
 	printf("Statistics for mctx1:\n");
 	isc_mem_stats(mctx1, stdout);
 	isc_mem_destroy(&mctx1);
-	printf("Statistics for mctx2:\n");
-	isc_mem_stats(mctx2, stdout);
-	isc_mem_destroy(&mctx2);
-	printf("Statistics for mctx3:\n");
-	isc_mem_stats(mctx3, stdout);
-	isc_mem_destroy(&mctx3);
 
 	return (0);
 }
diff --git a/bin/tests/timers/Makefile.in b/bin/tests/timers/Makefile.in
index 64f5696d..fa90643a 100644
--- a/bin/tests/timers/Makefile.in
+++ b/bin/tests/timers/Makefile.in
@@ -24,16 +24,22 @@ CINCLUDES =	${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
 CDEFINES =
 CWARNINGS =
 
-DEPLIBS =	../../../lib/dns/libdns.@A@ \
-		../../../lib/isc/libisc.@A@
+DNSLIBS =	../../../lib/dns/libdns.@A@ @DNS_OPENSSL_LIBS@
+ISCLIBS =	../../../lib/isc/libisc.@A@
 
-LIBS =		${DEPLIBS} \
-		@LIBS@
+DNSDEPLIBS =	../../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../../lib/isc/libisc.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
 
 TLIB =		../../../lib/tests/libt_api.@A@
 
 TARGETS =	t_timers
 
+SRCS =		t_timers.c
+
 @BIND9_MAKE_RULES@
 
 t_timers: t_timers.@O@ ${DEPLIBS} ${TLIB}
diff --git a/bin/tests/timers/t_timers.c b/bin/tests/timers/t_timers.c
index 278802ab..b4d7b94f 100644
--- a/bin/tests/timers/t_timers.c
+++ b/bin/tests/timers/t_timers.c
@@ -17,30 +17,19 @@
 
 #include <config.h>
 
-#include <ctype.h>
-#include <stddef.h>
 #include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <sys/time.h>
-#include <unistd.h>
 
-#include <isc/assertions.h>
-#include <isc/boolean.h>
 #include <isc/condition.h>
-#include <isc/error.h>
-#include <isc/event.h>
 #include <isc/mem.h>
-#include <isc/mutex.h>
 #include <isc/task.h>
-#include <isc/thread.h>
-#include <isc/result.h>
+#include <isc/time.h>
 #include <isc/timer.h>
+#include <isc/util.h>
 
 #include <tests/t_api.h>
 
-#define	Tx_FUDGE_SECONDS	0		/* in absence of clock_getres() */
-#define	Tx_FUDGE_NANOSECONDS	500000000	/* in absence of clock_getres() */
+#define	Tx_FUDGE_SECONDS	0	     /* in absence of clock_getres() */
+#define	Tx_FUDGE_NANOSECONDS	500000000    /* in absence of clock_getres() */
 
 static	isc_time_t	Tx_endtime;
 static	isc_time_t	Tx_lasttime;
@@ -51,37 +40,38 @@ static	isc_mutex_t	Tx_mx;
 static	isc_condition_t	Tx_cv;
 static	int		Tx_nfails;
 static	int		Tx_nprobs;
-static	isc_timer_t	*Tx_timer;
+static	isc_timer_t    *Tx_timer;
 static	int		Tx_seconds;
 static	int		Tx_nanoseconds;
 
 static void
 tx_sde(isc_task_t *task, isc_event_t *event) {
-
 	isc_result_t	isc_result;
 
 	task = task;
 	event = event;
 
-	/* signal shutdown processing complete */
+	/*
+	 * Signal shutdown processing complete.
+	 */
 	isc_result = isc_mutex_lock(&Tx_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_lock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++Tx_nprobs;
 	}
 
 	isc_result = isc_condition_signal(&Tx_cv);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_condition_signal failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++Tx_nprobs;
 	}
 
 	isc_result = isc_mutex_unlock(&Tx_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_unlock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++Tx_nprobs;
 	}
 
@@ -90,7 +80,6 @@ tx_sde(isc_task_t *task, isc_event_t *event) {
 
 static void
 tx_te(isc_task_t *task, isc_event_t *event) {
-
 	isc_result_t	isc_result;
 	isc_time_t	now;
 	isc_time_t	base;
@@ -104,25 +93,52 @@ tx_te(isc_task_t *task, isc_event_t *event) {
 	t_info("tick %d\n", Tx_eventcnt);
 
 	expected_event_type = ISC_TIMEREVENT_LIFE;
-	if ((isc_timertype_t) event->arg == isc_timertype_ticker)
+	if ((isc_timertype_t) event->ev_arg == isc_timertype_ticker)
 		expected_event_type = ISC_TIMEREVENT_TICK;
 
-	if (event->type != expected_event_type) {
+	if (event->ev_type != expected_event_type) {
 		t_info("expected event type %d, got %d\n",
-			expected_event_type, (int) event->type);
+			expected_event_type, (int) event->ev_type);
 		++Tx_nfails;
 	}
 
 	isc_result = isc_time_now(&now);
 	if (isc_result == ISC_R_SUCCESS) {
-
 		interval.seconds = Tx_seconds;
 		interval.nanoseconds = Tx_nanoseconds;
-		isc_time_add(&Tx_lasttime, &interval, &base);
+		isc_result = isc_time_add(&Tx_lasttime, &interval, &base);
+		if (isc_result != ISC_R_SUCCESS) {
+			t_info("isc_time_add failed %s\n",
+			       isc_result_totext(isc_result));
+			++Tx_nprobs;
+		}
+	} else {
+		t_info("isc_time_now failed %s\n",
+			isc_result_totext(isc_result));
+		++Tx_nprobs;
+	}
+
+	if (isc_result == ISC_R_SUCCESS) {
 		interval.seconds = Tx_FUDGE_SECONDS;
 		interval.nanoseconds = Tx_FUDGE_NANOSECONDS;
-		isc_time_add(&base, &interval, &ulim);
-		isc_time_subtract(&base, &interval, &llim);
+		isc_result = isc_time_add(&base, &interval, &ulim);
+		if (isc_result != ISC_R_SUCCESS) {
+			t_info("isc_time_add failed %s\n",
+			       isc_result_totext(isc_result));
+			++Tx_nprobs;
+		}
+	}
+
+	if (isc_result == ISC_R_SUCCESS) {
+		isc_result = isc_time_subtract(&base, &interval, &llim);
+		if (isc_result != ISC_R_SUCCESS) {
+			t_info("isc_time_subtract failed %s\n",
+			       isc_result_totext(isc_result));
+			++Tx_nprobs;
+		}
+	}
+
+	if (isc_result == ISC_R_SUCCESS) {
 		if ((isc_time_compare(&llim, &now) > 0) ||
 		    (isc_time_compare(&ulim, &now) < 0)) {
 			t_info("timer range error\n");
@@ -130,11 +146,6 @@ tx_te(isc_task_t *task, isc_event_t *event) {
 		}
 		Tx_lasttime = now;
 	}
-	else {
-		t_info("isc_time_now failed %s\n",
-			isc_result_totext(isc_result));
-		++Tx_nprobs;
-	}
 
 	if (Tx_eventcnt == Tx_nevents) {
 		isc_result = isc_time_now(&Tx_endtime);
@@ -152,9 +163,9 @@ tx_te(isc_task_t *task, isc_event_t *event) {
 
 static void
 t_timers_x(isc_timertype_t timertype, isc_time_t *expires,
-		isc_interval_t *interval,
-		void (*action)(isc_task_t *, isc_event_t *)) {
-
+	   isc_interval_t *interval,
+	   void (*action)(isc_task_t *, isc_event_t *))
+{
 	char		*p;
 	isc_mem_t	*mctx;
 	isc_taskmgr_t	*tmgr;
@@ -176,7 +187,7 @@ t_timers_x(isc_timertype_t timertype, isc_time_t *expires,
 	isc_result = isc_mem_create(0, 0, &mctx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mem_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++Tx_nprobs;
 		return;
 	}
@@ -184,7 +195,7 @@ t_timers_x(isc_timertype_t timertype, isc_time_t *expires,
 	isc_result = isc_mutex_init(&Tx_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_init failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mem_destroy(&mctx);
 		++Tx_nprobs;
 		return;
@@ -193,7 +204,7 @@ t_timers_x(isc_timertype_t timertype, isc_time_t *expires,
 	isc_result = isc_condition_init(&Tx_cv);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_condition_init failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mutex_destroy(&Tx_mx);
 		isc_mem_destroy(&mctx);
 		++Tx_nprobs;
@@ -204,7 +215,7 @@ t_timers_x(isc_timertype_t timertype, isc_time_t *expires,
 	isc_result = isc_taskmgr_create(mctx, workers, 0, &tmgr);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_taskmgr_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mutex_destroy(&Tx_mx);
 		isc_condition_destroy(&Tx_cv);
 		isc_mem_destroy(&mctx);
@@ -216,7 +227,7 @@ t_timers_x(isc_timertype_t timertype, isc_time_t *expires,
 	isc_result = isc_timermgr_create(mctx, &timermgr);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_timermgr_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_taskmgr_destroy(&tmgr);
 		isc_mutex_destroy(&Tx_mx);
 		isc_condition_destroy(&Tx_cv);
@@ -228,7 +239,7 @@ t_timers_x(isc_timertype_t timertype, isc_time_t *expires,
 	isc_mutex_lock(&Tx_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_lock failed %s\n",
-			isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_timermgr_destroy(&timermgr);
 		isc_taskmgr_destroy(&tmgr);
 		isc_mutex_destroy(&Tx_mx);
@@ -239,10 +250,10 @@ t_timers_x(isc_timertype_t timertype, isc_time_t *expires,
 	}
 
 	task = NULL;
-	isc_result = isc_task_create(tmgr, mctx, 0, &task);
+	isc_result = isc_task_create(tmgr, 0, &task);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_task_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_timermgr_destroy(&timermgr);
 		isc_taskmgr_destroy(&tmgr);
 		isc_mutex_destroy(&Tx_mx);
@@ -255,7 +266,7 @@ t_timers_x(isc_timertype_t timertype, isc_time_t *expires,
 	isc_result = isc_task_onshutdown(task, tx_sde, NULL);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_task_onshutdown failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_timermgr_destroy(&timermgr);
 		isc_task_destroy(&task);
 		isc_taskmgr_destroy(&tmgr);
@@ -279,14 +290,9 @@ t_timers_x(isc_timertype_t timertype, isc_time_t *expires,
 	}
 
 	Tx_timer = NULL;
-	isc_result = isc_timer_create(	timermgr,
-					timertype,
-					expires,
-					interval,
-					task,
-					action,
-					(void *) timertype,
-					&Tx_timer);
+	isc_result = isc_timer_create(timermgr, timertype, expires, interval,
+				      task, action, (void *)timertype,
+				      &Tx_timer);
 
 	if (isc_result != ISC_R_SUCCESS) {
 		isc_timermgr_destroy(&timermgr);
@@ -299,12 +305,14 @@ t_timers_x(isc_timertype_t timertype, isc_time_t *expires,
 		return;
 	}
 
-	/* wait for shutdown processing to complete */
+	/*
+	 * Wait for shutdown processing to complete.
+	 */
 	while (Tx_eventcnt != Tx_nevents) {
 		isc_result = isc_condition_wait(&Tx_cv, &Tx_mx);
 		if (isc_result != ISC_R_SUCCESS) {
 			t_info("isc_condition_waituntil failed %s\n",
-				isc_result_totext(isc_result));
+			       isc_result_totext(isc_result));
 			++Tx_nprobs;
 		}
 	}
@@ -312,7 +320,7 @@ t_timers_x(isc_timertype_t timertype, isc_time_t *expires,
 	isc_result = isc_mutex_unlock(&Tx_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_unlock failed %s\n",
-			isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++Tx_nprobs;
 	}
 
@@ -329,9 +337,9 @@ t_timers_x(isc_timertype_t timertype, isc_time_t *expires,
 #define	T1_NANOSECONDS	500000000
 
 static char *a1 =
-	"When type is isc_timertype_ticker, a call to isc_timer_create()  creates "
-	"a timer that posts an ISC_TIMEREVENT_TICK event to the specified "
-	"task every 'interval' seconds and returns ISC_R_SUCCESS.";
+	"When type is isc_timertype_ticker, a call to isc_timer_create() "
+	"creates a timer that posts an ISC_TIMEREVENT_TICK event to the "
+	"specified task every 'interval' seconds and returns ISC_R_SUCCESS.";
 
 static void
 t1() {
@@ -365,9 +373,10 @@ t1() {
 #define	T2_NANOSECONDS	300000000;
 
 static char *a2 =
-	"When type is isc_timertype_once, a call to isc_timer_create() creates "
-	"a timer that posts an ISC_TIMEEVENT_LIFE event to the specified "
-	"task when the current time reaches or exceeds the time specified by 'expires'.";
+	"When type is isc_timertype_once, a call to isc_timer_create() "
+	"creates a timer that posts an ISC_TIMEEVENT_LIFE event to the "
+	"specified task when the current time reaches or exceeds the time "
+	"specified by 'expires'.";
 
 static void
 t2() {
@@ -391,10 +400,9 @@ t2() {
 		isc_interval_set(&interval, 0, 0);
 		t_timers_x(isc_timertype_once, &expires, &interval, tx_te);
 
-	}
-	else {
+	} else {
 		t_info("isc_time_nowplusinterval failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 	}
 
 	result = T_UNRESOLVED;
@@ -409,7 +417,6 @@ t2() {
 
 static void
 t3_te(isc_task_t *task, isc_event_t *event) {
-
 	isc_result_t	isc_result;
 	isc_time_t	now;
 	isc_time_t	base;
@@ -422,15 +429,44 @@ t3_te(isc_task_t *task, isc_event_t *event) {
 	t_info("tick %d\n", Tx_eventcnt);
 
 	isc_result = isc_time_now(&now);
-	if (isc_result == ISC_R_SUCCESS) {
+	if (isc_result != ISC_R_SUCCESS) {
+		t_info("isc_time_now failed %s\n",
+		       isc_result_totext(isc_result));
+		++Tx_nprobs;
+	}
 
+	if (isc_result == ISC_R_SUCCESS) {
 		interval.seconds = Tx_seconds;
 		interval.nanoseconds = Tx_nanoseconds;
-		isc_time_add(&Tx_lasttime, &interval, &base);
+		isc_result = isc_time_add(&Tx_lasttime, &interval, &base);
+		if (isc_result != ISC_R_SUCCESS) {
+			t_info("isc_time_add failed %s\n",
+			       isc_result_totext(isc_result));
+			++Tx_nprobs;
+		}
+	}
+
+	if (isc_result == ISC_R_SUCCESS) {
 		interval.seconds = Tx_FUDGE_SECONDS;
 		interval.nanoseconds = Tx_FUDGE_NANOSECONDS;
-		isc_time_add(&base, &interval, &ulim);
-		isc_time_subtract(&base, &interval, &llim);
+		isc_result = isc_time_add(&base, &interval, &ulim);
+		if (isc_result != ISC_R_SUCCESS) {
+			t_info("isc_time_add failed %s\n",
+			       isc_result_totext(isc_result));
+			++Tx_nprobs;
+		}
+	}
+
+	if (isc_result == ISC_R_SUCCESS) {
+		isc_result = isc_time_subtract(&base, &interval, &llim);
+		if (isc_result != ISC_R_SUCCESS) {
+			t_info("isc_time_subtract failed %s\n",
+			       isc_result_totext(isc_result));
+			++Tx_nprobs;
+		}
+	}
+
+	if (isc_result == ISC_R_SUCCESS) {
 		if ((isc_time_compare(&llim, &now) > 0) ||
 		    (isc_time_compare(&ulim, &now) < 0)) {
 			t_info("timer range error\n");
@@ -438,15 +474,10 @@ t3_te(isc_task_t *task, isc_event_t *event) {
 		}
 		Tx_lasttime = now;
 	}
-	else {
-		t_info("isc_time_now failed %s\n",
-			isc_result_totext(isc_result));
-		++Tx_nprobs;
-	}
 
-	if (event->type != ISC_TIMEREVENT_IDLE) {
+	if (event->ev_type != ISC_TIMEREVENT_IDLE) {
 		t_info("received event type %d, expected type %d\n",
-				event->type, ISC_TIMEREVENT_IDLE);
+		       event->ev_type, ISC_TIMEREVENT_IDLE);
 		++Tx_nfails;
 	}
 
@@ -459,9 +490,9 @@ t3_te(isc_task_t *task, isc_event_t *event) {
 #define	T3_NANOSECONDS	400000000
 
 static char *a3 =
-	"When type is isc_timertype_once, a call to isc_timer_create() creates "
-	"a timer that posts an ISC_TIMEEVENT_IDLE event to the specified "
-	"task when the timer has been idle for 'interval' seconds.";
+	"When type is isc_timertype_once, a call to isc_timer_create() "
+	"creates a timer that posts an ISC_TIMEEVENT_IDLE event to the "
+	"specified task when the timer has been idle for 'interval' seconds.";
 
 static void
 t3() {
@@ -487,7 +518,7 @@ t3() {
 	}
 	else {
 		t_info("isc_time_nowplusinterval failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++Tx_nprobs;
 	}
 
@@ -519,18 +550,49 @@ t4_te(isc_task_t *task, isc_event_t *event) {
 
 	t_info("tick %d\n", Tx_eventcnt);
 
-	/* check expired time */
+	/*
+	 * Check expired time.
+	 */
 
 	isc_result = isc_time_now(&now);
-	if (isc_result == ISC_R_SUCCESS) {
+	if (isc_result != ISC_R_SUCCESS) {
+		t_info("isc_time_now failed %s\n",
+		       isc_result_totext(isc_result));
+		++Tx_nprobs;
+	}
 
+	if (isc_result == ISC_R_SUCCESS) {
 		interval.seconds = Tx_seconds;
 		interval.nanoseconds = Tx_nanoseconds;
-		isc_time_add(&Tx_lasttime, &interval, &base);
+		isc_result = isc_time_add(&Tx_lasttime, &interval, &base);
+		if (isc_result != ISC_R_SUCCESS) {
+			t_info("isc_time_add failed %s\n",
+			       isc_result_totext(isc_result));
+			++Tx_nprobs;
+		}
+	}
+
+	if (isc_result == ISC_R_SUCCESS) {
 		interval.seconds = Tx_FUDGE_SECONDS;
 		interval.nanoseconds = Tx_FUDGE_NANOSECONDS;
-		isc_time_add(&base, &interval, &ulim);
-		isc_time_subtract(&base, &interval, &llim);
+		isc_result = isc_time_add(&base, &interval, &ulim);
+		if (isc_result != ISC_R_SUCCESS) {
+			t_info("isc_time_add failed %s\n",
+			       isc_result_totext(isc_result));
+			++Tx_nprobs;
+		}
+	}
+
+	if (isc_result == ISC_R_SUCCESS) {
+		isc_result = isc_time_subtract(&base, &interval, &llim);
+		if (isc_result != ISC_R_SUCCESS) {
+			t_info("isc_time_subtract failed %s\n",
+			       isc_result_totext(isc_result));
+			++Tx_nprobs;
+		}
+	}
+
+	if (isc_result == ISC_R_SUCCESS) {
 		if ((isc_time_compare(&llim, &now) > 0) ||
 		    (isc_time_compare(&ulim, &now) < 0)) {
 			t_info("timer range error\n");
@@ -538,42 +600,40 @@ t4_te(isc_task_t *task, isc_event_t *event) {
 		}
 		Tx_lasttime = now;
 	}
-	else {
-		t_info("isc_time_now failed %s\n",
-			isc_result_totext(isc_result));
-		++Tx_nprobs;
-	}
 
 	if (Tx_eventcnt < 3) {
-		if (event->type != ISC_TIMEREVENT_TICK) {
+		if (event->ev_type != ISC_TIMEREVENT_TICK) {
 			t_info("received event type %d, expected type %d\n",
-					event->type, ISC_TIMEREVENT_IDLE);
+			       event->ev_type, ISC_TIMEREVENT_IDLE);
 			++Tx_nfails;
 		}
 		if (Tx_eventcnt == 2) {
-			isc_interval_set(&interval, T4_SECONDS, T4_NANOSECONDS);
-			isc_result = isc_time_nowplusinterval(&expires, &interval);
+			isc_interval_set(&interval, T4_SECONDS,
+					 T4_NANOSECONDS);
+			isc_result = isc_time_nowplusinterval(&expires,
+							      &interval);
 			if (isc_result == ISC_R_SUCCESS) {
 				isc_interval_set(&interval, 0, 0);
-				isc_result = isc_timer_reset(Tx_timer, isc_timertype_once,
-							&expires, &interval, ISC_FALSE);
+				isc_result =
+					isc_timer_reset(Tx_timer,
+							isc_timertype_once,
+							&expires, &interval,
+							ISC_FALSE);
 				if (isc_result != ISC_R_SUCCESS) {
 					t_info("isc_timer_reset failed %s\n",
-							isc_result_totext(isc_result));
+					       isc_result_totext(isc_result));
 					++Tx_nfails;
 				}
-			}
-			else {
+			} else {
 				t_info("isc_time_nowplusinterval failed %s\n",
-						isc_result_totext(isc_result));
+				       isc_result_totext(isc_result));
 				++Tx_nprobs;
 			}
 		}
-	}
-	else {
-		if (event->type != ISC_TIMEREVENT_LIFE) {
+	} else {
+		if (event->ev_type != ISC_TIMEREVENT_LIFE) {
 			t_info("received event type %d, expected type %d\n",
-					event->type, ISC_TIMEREVENT_IDLE);
+			       event->ev_type, ISC_TIMEREVENT_IDLE);
 			++Tx_nfails;
 		}
 
@@ -632,22 +692,21 @@ static	isc_task_t	*T5_task2;
 
 /*
  * T5_task1 blocks on T5_mx while events accumulate
- * in it's queue, until signaled by T5_task2
+ * in it's queue, until signaled by T5_task2.
  */
 
 static void
 t5_start_event(isc_task_t *task, isc_event_t *event) {
-
 	isc_result_t	isc_result;
 
-	task = task;
+	UNUSED(task);
 
 	t_info("t5_start_event\n");
 
 	isc_result = isc_mutex_lock(&T5_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_lock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T5_nprobs;
 	}
 
@@ -658,7 +717,7 @@ t5_start_event(isc_task_t *task, isc_event_t *event) {
 	isc_result = isc_mutex_unlock(&T5_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_unlock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T5_nprobs;
 	}
 	isc_event_free(&event);
@@ -676,17 +735,18 @@ t5_tick_event(isc_task_t *task, isc_event_t *event) {
 	t_info("t5_tick_event %d\n", T5_eventcnt);
 
 	/*
-	 * on the first tick, purge all remaining tick events
-	 * and then shut down the task
+	 * On the first tick, purge all remaining tick events
+	 * and then shut down the task.
 	 */
 	if (T5_eventcnt == 1) {
 		isc_time_settoepoch(&expires);
 		isc_interval_set(&interval, T5_SECONDS, 0);
-		isc_result = isc_timer_reset(T5_tickertimer, isc_timertype_ticker,
-						&expires, &interval, ISC_TRUE);
+		isc_result = isc_timer_reset(T5_tickertimer,
+					     isc_timertype_ticker, &expires,
+					     &interval, ISC_TRUE);
 		if (isc_result != ISC_R_SUCCESS) {
 			t_info("isc_timer_reset failed %d\n",
-					isc_result_totext(isc_result));
+			       isc_result_totext(isc_result));
 			++T5_nfails;
 		}
 		isc_task_shutdown(task);
@@ -702,12 +762,12 @@ t5_once_event(isc_task_t *task, isc_event_t *event) {
 	t_info("t5_once_event\n");
 
 	/*
-	 * allow task1 to start processing events
+	 * Allow task1 to start processing events.
 	 */
 	isc_result = isc_mutex_lock(&T5_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_lock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T5_nprobs;
 	}
 
@@ -716,14 +776,14 @@ t5_once_event(isc_task_t *task, isc_event_t *event) {
 	isc_result = isc_condition_broadcast(&T5_cv);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_condition_broadcast failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T5_nprobs;
 	}
 
 	isc_result = isc_mutex_unlock(&T5_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_unlock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T5_nprobs;
 	}
 
@@ -736,18 +796,18 @@ t5_shutdown_event(isc_task_t *task, isc_event_t *event) {
 
 	isc_result_t	isc_result;
 
-	task = task;
-	event = event;
+	UNUSED(task);
+	UNUSED(event);
 
 	t_info("t5_shutdown_event\n");
 
 	/*
-	 * signal shutdown processing complete
+	 * Signal shutdown processing complete.
 	 */
 	isc_result = isc_mutex_lock(&T5_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_lock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T5_nprobs;
 	}
 
@@ -756,14 +816,14 @@ t5_shutdown_event(isc_task_t *task, isc_event_t *event) {
 	isc_result = isc_condition_signal(&T5_cv);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_condition_signal failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T5_nprobs;
 	}
 
 	isc_result = isc_mutex_unlock(&T5_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_unlock failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T5_nprobs;
 	}
 	isc_event_free(&event);
@@ -796,14 +856,14 @@ t_timers5() {
 	isc_result = isc_mem_create(0, 0, &mctx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mem_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		return(T_UNRESOLVED);
 	}
 
 	isc_result = isc_mutex_init(&T5_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_init failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
 	}
@@ -811,7 +871,7 @@ t_timers5() {
 	isc_result = isc_condition_init(&T5_cv);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_condition_init failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mutex_destroy(&T5_mx);
 		isc_mem_destroy(&mctx);
 		return(T_UNRESOLVED);
@@ -821,7 +881,7 @@ t_timers5() {
 	isc_result = isc_taskmgr_create(mctx, workers, 0, &tmgr);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_taskmgr_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_mutex_destroy(&T5_mx);
 		isc_condition_destroy(&T5_cv);
 		isc_mem_destroy(&mctx);
@@ -832,7 +892,7 @@ t_timers5() {
 	isc_result = isc_timermgr_create(mctx, &timermgr);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_timermgr_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_taskmgr_destroy(&tmgr);
 		isc_mutex_destroy(&T5_mx);
 		isc_condition_destroy(&T5_cv);
@@ -841,10 +901,10 @@ t_timers5() {
 	}
 
 	T5_task1 = NULL;
-	isc_result = isc_task_create(tmgr, mctx, 0, &T5_task1);
+	isc_result = isc_task_create(tmgr, 0, &T5_task1);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_task_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_timermgr_destroy(&timermgr);
 		isc_taskmgr_destroy(&tmgr);
 		isc_mutex_destroy(&T5_mx);
@@ -856,7 +916,7 @@ t_timers5() {
 	isc_result = isc_task_onshutdown(T5_task1, t5_shutdown_event, NULL);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_task_onshutdown failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_timermgr_destroy(&timermgr);
 		isc_task_destroy(&T5_task1);
 		isc_taskmgr_destroy(&tmgr);
@@ -867,10 +927,10 @@ t_timers5() {
 	}
 
 	T5_task2 = NULL;
-	isc_result = isc_task_create(tmgr, mctx, 0, &T5_task2);
+	isc_result = isc_task_create(tmgr, 0, &T5_task2);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_task_create failed %s\n",
-				isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_timermgr_destroy(&timermgr);
 		isc_task_destroy(&T5_task1);
 		isc_taskmgr_destroy(&tmgr);
@@ -883,7 +943,7 @@ t_timers5() {
 	isc_result = isc_mutex_lock(&T5_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_lock failed %s\n",
-			isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		isc_timermgr_destroy(&timermgr);
 		isc_taskmgr_destroy(&tmgr);
 		isc_mutex_destroy(&T5_mx);
@@ -892,21 +952,17 @@ t_timers5() {
 		return(T_UNRESOLVED);
 	}
 
-	event = isc_event_allocate(mctx, (void *) 1 , (isc_eventtype_t) 1, t5_start_event, NULL, sizeof(*event));
+	event = isc_event_allocate(mctx, (void *)1 , (isc_eventtype_t)1,
+				   t5_start_event, NULL, sizeof(*event));
 	isc_task_send(T5_task1, &event);
 
 	isc_time_settoepoch(&expires);
 	isc_interval_set(&interval, T5_SECONDS, 0);
 
 	T5_tickertimer = NULL;
-	isc_result = isc_timer_create(	timermgr,
-					isc_timertype_ticker,
-					&expires,
-					&interval,
-					T5_task1,
-					t5_tick_event,
-					NULL,
-					&T5_tickertimer);
+	isc_result = isc_timer_create(timermgr, isc_timertype_ticker,
+				      &expires, &interval, T5_task1,
+				      t5_tick_event, NULL, &T5_tickertimer);
 
 	if (isc_result != ISC_R_SUCCESS) {
 		isc_timermgr_destroy(&timermgr);
@@ -927,8 +983,8 @@ t_timers5() {
 	if (isc_result != ISC_R_SUCCESS) {
 		isc_timer_detach(&T5_tickertimer);
 		isc_timermgr_destroy(&timermgr);
-		(void) isc_condition_signal(&T5_cv);
-		(void) isc_mutex_unlock(&T5_mx);
+		(void)isc_condition_signal(&T5_cv);
+		(void)isc_mutex_unlock(&T5_mx);
 		isc_task_destroy(&T5_task1);
 		isc_task_destroy(&T5_task2);
 		isc_taskmgr_destroy(&tmgr);
@@ -939,14 +995,9 @@ t_timers5() {
 	}
 
 	isc_interval_set(&interval, 0, 0);
-	isc_result = isc_timer_create(	timermgr,
-					isc_timertype_once,
-					&expires,
-					&interval,
-					T5_task2,
-					t5_once_event,
-					NULL,
-					&T5_oncetimer);
+	isc_result = isc_timer_create(timermgr, isc_timertype_once,
+				      &expires, &interval, T5_task2,
+				      t5_once_event, NULL, &T5_oncetimer);
 
 	if (isc_result != ISC_R_SUCCESS) {
 		isc_timer_detach(&T5_tickertimer);
@@ -963,12 +1014,14 @@ t_timers5() {
 		return(T_UNRESOLVED);
 	}
 
-	/* wait for shutdown processing to complete */
+	/*
+	 * Wait for shutdown processing to complete.
+	 */
 	while (! T5_shutdownflag) {
 		isc_result = isc_condition_wait(&T5_cv, &T5_mx);
 		if (isc_result != ISC_R_SUCCESS) {
 			t_info("isc_condition_waituntil failed %s\n",
-				isc_result_totext(isc_result));
+			       isc_result_totext(isc_result));
 			++T5_nprobs;
 		}
 	}
@@ -976,7 +1029,7 @@ t_timers5() {
 	isc_result = isc_mutex_unlock(&T5_mx);
 	if (isc_result != ISC_R_SUCCESS) {
 		t_info("isc_mutex_unlock failed %s\n",
-			isc_result_totext(isc_result));
+		       isc_result_totext(isc_result));
 		++T5_nprobs;
 	}
 
diff --git a/bin/tests/tkey_test.c b/bin/tests/tkey_test.c
index 2a8662cd..dda2e342 100644
--- a/bin/tests/tkey_test.c
+++ b/bin/tests/tkey_test.c
@@ -21,37 +21,28 @@
 
 #include <config.h>
 
-#include <stddef.h>
 #include <stdlib.h>
-#include <string.h>
 
-#include <isc/assertions.h>
+#include <isc/app.h>
+#include <isc/base64.h>
 #include <isc/commandline.h>
-#include <isc/error.h>
+#include <isc/lex.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/socket.h>
 #include <isc/task.h>
 #include <isc/timer.h>
-#include <isc/app.h>
-#include <isc/mutex.h>
-#include <isc/boolean.h>
-#include <isc/net.h>
-#include <isc/socket.h>
-#include <isc/log.h>
 #include <isc/util.h>
-#include <isc/lex.h>
-#include <isc/base64.h>
 
-#include <dns/types.h>
-#include <dns/result.h>
+#include <dns/keyvalues.h>
 #include <dns/message.h>
-#include <dns/name.h>
-#include <dns/fixedname.h>
-#include <dns/resolver.h>
-#include <dns/events.h>
-#include <dns/tsig.h>
+#include <dns/result.h>
 #include <dns/tkey.h>
-#include <dns/keyvalues.h>
+#include <dns/tsig.h>
 #include <dns/view.h>
 
+#include <dst/result.h>
+
 #define CHECK(str, x) { \
 	if ((x) != ISC_R_SUCCESS) { \
 		printf("%s: %s\n", (str), isc_result_totext(x)); \
@@ -87,7 +78,7 @@ senddone(isc_task_t *task, isc_event_t *event) {
 	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
 
 	REQUIRE(sevent != NULL);
-	REQUIRE(sevent->type == ISC_SOCKEVENT_SENDDONE);
+	REQUIRE(sevent->ev_type == ISC_SOCKEVENT_SENDDONE);
 	REQUIRE(task == task1);
 
 	printf("senddone\n");
@@ -102,7 +93,7 @@ recvdone(isc_task_t *task, isc_event_t *event) {
 	isc_result_t result;
 
 	REQUIRE(sevent != NULL);
-	REQUIRE(sevent->type == ISC_SOCKEVENT_RECVDONE);
+	REQUIRE(sevent->ev_type == ISC_SOCKEVENT_RECVDONE);
 	REQUIRE(task == task1);
 
 	printf("recvdone\n");
@@ -111,8 +102,7 @@ recvdone(isc_task_t *task, isc_event_t *event) {
 		exit(-1);
 	}
 
-	isc_buffer_init(&source, sevent->region.base, sevent->region.length,
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&source, sevent->region.base, sevent->region.length);
 	isc_buffer_add(&source, sevent->n);
 
 	response = NULL;
@@ -135,7 +125,7 @@ senddone2(isc_task_t *task, isc_event_t *event) {
 	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
 
 	REQUIRE(sevent != NULL);
-	REQUIRE(sevent->type == ISC_SOCKEVENT_SENDDONE);
+	REQUIRE(sevent->ev_type == ISC_SOCKEVENT_SENDDONE);
 	REQUIRE(task == task2);
 
 	printf("senddone2\n");
@@ -150,7 +140,7 @@ recvdone2(isc_task_t *task, isc_event_t *event) {
 	isc_result_t result;
 
 	REQUIRE(sevent != NULL);
-	REQUIRE(sevent->type == ISC_SOCKEVENT_RECVDONE);
+	REQUIRE(sevent->ev_type == ISC_SOCKEVENT_RECVDONE);
 	REQUIRE(task == task2);
 
 	printf("recvdone2\n");
@@ -159,8 +149,7 @@ recvdone2(isc_task_t *task, isc_event_t *event) {
 		exit(-1);
 	}
 
-	isc_buffer_init(&source, sevent->region.base, sevent->region.length,
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&source, sevent->region.base, sevent->region.length);
 	isc_buffer_add(&source, sevent->n);
 
 	response = NULL;
@@ -197,7 +186,7 @@ buildquery(void) {
 	unsigned char keydata[3];
 
 	dns_fixedname_init(&keyname);
-	isc_buffer_init(&namestr, "tkeytest.", 9, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&namestr, "tkeytest.", 9);
 	isc_buffer_add(&namestr, 9);
 	result = dns_name_fromtext(dns_fixedname_name(&keyname), &namestr,
 				   NULL, ISC_FALSE, NULL);
@@ -206,16 +195,16 @@ buildquery(void) {
 	result = isc_lex_create(mctx, 1024, &lex);
 	CHECK("isc_lex_create", result);
 
-	isc_buffer_init(&keybufin, "1234", 4, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&keybufin, "1234", 4);
 	isc_buffer_add(&keybufin, 4);
 	result = isc_lex_openbuffer(lex, &keybufin);
 	CHECK("isc_lex_openbuffer", result);
 
-	isc_buffer_init(&keybuf, keydata, 3, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&keybuf, keydata, 3);
 	result = isc_base64_tobuffer(lex, &keybuf, -1);
 	CHECK("isc_base64_tobuffer", result);
 
-	isc_buffer_used(&keybuf, &r);
+	isc_buffer_usedregion(&keybuf, &r);
 
 	result = dns_tsigkey_create(dns_fixedname_name(&keyname),
 				    DNS_TSIG_HMACMD5_NAME,
@@ -223,7 +212,7 @@ buildquery(void) {
 				    NULL, 0, 0, mctx, ring, &key);
 	CHECK("dns_tsigkey_create", result);
 
-	result = isc_buffer_allocate(mctx, &nonce, 16, ISC_BUFFERTYPE_BINARY);
+	result = isc_buffer_allocate(mctx, &nonce, 16);
 	CHECK("isc_buffer_allocate", result);
 
 	result = dst_random_get(16, nonce);
@@ -239,7 +228,7 @@ buildquery(void) {
 				       DNS_TSIG_HMACMD5_NAME, nonce, 3600);
 	CHECK("dns_tkey_builddhquery", result);
 
-	isc_buffer_init(&qbuffer, qdata, sizeof(qdata), ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&qbuffer, qdata, sizeof(qdata));
 
 	result = dns_message_renderbegin(query, &qbuffer);
 	CHECK("dns_message_renderbegin", result);
@@ -254,7 +243,7 @@ buildquery(void) {
 	result = dns_message_renderend(query);
 	CHECK("dns_message_renderend", result);
 
-	isc_buffer_used(&qbuffer, &r);
+	isc_buffer_usedregion(&qbuffer, &r);
 	result = isc_socket_sendto(s, &r, task1, senddone, NULL, &address,
 				   NULL);
 	CHECK("isc_socket_sendto", result);
@@ -279,7 +268,7 @@ buildquery2(void) {
 	result = dns_tkey_builddeletequery(query2, tsigkey);
 	CHECK("dns_tkey_builddeletequery", result);
 
-	isc_buffer_init(&qbuffer, qdata, sizeof(qdata), ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&qbuffer, qdata, sizeof(qdata));
 
 	result = dns_message_renderbegin(query2, &qbuffer);
 	CHECK("dns_message_renderbegin", result);
@@ -294,7 +283,7 @@ buildquery2(void) {
 	result = dns_message_renderend(query2);
 	CHECK("dns_message_renderend", result);
 
-	isc_buffer_used(&qbuffer, &r);
+	isc_buffer_usedregion(&qbuffer, &r);
 	result = isc_socket_sendto(s, &r, task2, senddone2, NULL, &address,
 				   NULL);
 	CHECK("isc_socket_sendto", result);
@@ -345,10 +334,10 @@ main(int argc, char *argv[]) {
 	RUNTIME_CHECK(isc_taskmgr_create(mctx, workers, 0, &taskmgr) ==
 		      ISC_R_SUCCESS);
 	task1 = NULL;
-	RUNTIME_CHECK(isc_task_create(taskmgr, mctx, 0, &task1) ==
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &task1) ==
 		      ISC_R_SUCCESS);
 	task2 = NULL;
-	RUNTIME_CHECK(isc_task_create(taskmgr, mctx, 0, &task2) ==
+	RUNTIME_CHECK(isc_task_create(taskmgr, 0, &task2) ==
 		      ISC_R_SUCCESS);
 	timermgr = NULL;
 	RUNTIME_CHECK(isc_timermgr_create(mctx, &timermgr) == ISC_R_SUCCESS);
diff --git a/bin/tests/wire_test.c b/bin/tests/wire_test.c
index 326f6158..1c3ab60e 100644
--- a/bin/tests/wire_test.c
+++ b/bin/tests/wire_test.c
@@ -17,33 +17,19 @@
 
 #include <config.h>
 
-#include <ctype.h>
-#include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/boolean.h>
-#include <isc/region.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
-#include <dns/types.h>
 #include <dns/result.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatatype.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/compress.h>
-#include <dns/message.h>
 
 #include "printmsg.h"
 
 static inline void
-CHECKRESULT(isc_result_t result, char *msg)
-{
-	if (result != DNS_R_SUCCESS) {
+CHECKRESULT(isc_result_t result, char *msg) {
+	if (result != ISC_R_SUCCESS) {
 		printf("%s: %s\n", msg, dns_result_totext(result));
 
 		exit(1);
@@ -129,7 +115,7 @@ main(int argc, char *argv[]) {
 	if (need_close)
 		fclose(f);
 
-	isc_buffer_init(&source, b, sizeof b, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&source, b, sizeof(b));
 	isc_buffer_add(&source, bp - b);
 
 	message = NULL;
@@ -171,9 +157,6 @@ main(int argc, char *argv[]) {
 	result = dns_message_rendersection(message, DNS_SECTION_ADDITIONAL, 0);
 	CHECKRESULT(result, "dns_message_rendersection(ADDITIONAL) failed");
 
-	result = dns_message_rendersection(message, DNS_SECTION_TSIG, 0);
-	CHECKRESULT(result, "dns_message_rendersection(TSIG) failed");
-
 	dns_message_renderend(message);
 
 	message->from_to_wire = DNS_MESSAGE_INTENTPARSE;
diff --git a/bin/tests/zone2_test.c b/bin/tests/zone2_test.c
index 80e6e904..1a10f974 100644
--- a/bin/tests/zone2_test.c
+++ b/bin/tests/zone2_test.c
@@ -15,25 +15,29 @@
  * SOFTWARE.
  */
 
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
 #include <config.h>
 
+#include <stdlib.h>
+#include <unistd.h>
 
 #include <isc/app.h>
-#include <isc/error.h>
 #include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <dns/confparser.h>
+#include <dns/journal.h>
+#include <dns/fixedname.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
 #include <dns/view.h>
 #include <dns/zone.h>
-#include <dns/journal.h>
+#include <dns/zoneconf.h>
+#include <dns/zt.h>
 
 #define ERRRET(result, function) \
 	do { \
-		if (result != DNS_R_SUCCESS) { \
+		if (result != ISC_R_SUCCESS) { \
 			fprintf(stdout, "%s() returned %s\n", \
 				function, dns_result_totext(result)); \
 			return; \
@@ -41,12 +45,130 @@
 	} while (0)
 
 #define ERRCONT(result, function) \
-		if (result != DNS_R_SUCCESS) { \
+		if (result != ISC_R_SUCCESS) { \
 			fprintf(stdout, "%s() returned %s\n", \
 				function, dns_result_totext(result)); \
 			continue; \
 		} else \
 			(void)NULL
+
+typedef struct dns_zone_callbackarg dns_zone_callbackarg_t;
+
+struct dns_zone_callbackarg {
+        isc_mem_t *mctx;
+	dns_viewlist_t oldviews;
+	dns_viewlist_t newviews;
+};
+
+static isc_result_t
+dns_zone_callback(dns_c_ctx_t *cfg, dns_c_zone_t *czone, dns_c_view_t *cview,
+		  void *uap) {
+	dns_zone_callbackarg_t *cba = uap;
+	dns_name_t *name = NULL;
+	dns_view_t *oldview = NULL;
+	dns_zone_t *oldzone = NULL;
+	dns_view_t *newview = NULL;
+	dns_zone_t *newzone = NULL;
+	dns_zone_t *tmpzone = NULL;
+	isc_result_t result;
+	isc_boolean_t boolean;
+	const char *viewname;
+
+	REQUIRE(czone != NULL);
+	REQUIRE(cba != NULL);
+
+	/*
+	 * Find views by name.
+	 */
+	if (cview != NULL)
+		dns_c_view_getname(cview, &viewname);
+	else
+		viewname = "default";
+
+	printf("view %s\n", viewname);
+
+	result = dns_viewlist_find(&cba->oldviews, viewname, czone->zclass,
+				   &oldview);
+	result = dns_viewlist_find(&cba->newviews, viewname, czone->zclass,
+				   &newview);
+
+	if (newview == NULL) {
+		result = dns_view_create(cba->mctx, czone->zclass, viewname,
+					 &newview);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		ISC_LIST_APPEND(cba->newviews, newview, link);
+	}
+
+	/*
+	 * Create and populate a new zone structure.
+	 */
+	result = dns_zone_create(&newzone, cba->mctx);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_zone_configure(cfg, NULL, czone, NULL, newzone);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+#if 0
+	/* XXX hints should be a zone */
+	if (dns_zone_gettype(newzone) == dns_zone_hint) {
+		dns_view_sethints(newview, newzone);
+		goto cleanup;
+	}
+#endif
+
+	/*
+	 * Find zone in mount table.
+	 */
+	name = dns_zone_getorigin(newzone);
+	dns_zone_print(newzone);
+
+	result = dns_zt_find(newview->zonetable, name, 0, NULL, &tmpzone);
+	if (result == ISC_R_SUCCESS) {
+		printf("zone already exists=\n");
+		result = ISC_R_EXISTS;
+		goto cleanup;
+	} else if (result != DNS_R_PARTIALMATCH && result != ISC_R_NOTFOUND)
+		goto cleanup;
+
+	if (oldview != NULL)
+		result = dns_zt_find(oldview->zonetable, name, 0, NULL,
+				     &oldzone);
+	else
+		result = ISC_R_NOTFOUND;
+
+	printf("dns_zt_find() returned %s\n", dns_result_totext(result));
+
+	if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH) {
+		if (result == DNS_R_PARTIALMATCH) {
+			dns_zone_print(oldzone);
+		}
+		result = dns_view_addzone(newview, newzone);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	} else if (result == ISC_R_SUCCESS) {
+		dns_zone_print(oldzone);
+		/* Does the new configuration match the existing one? */
+		boolean = dns_zone_equal(newzone, oldzone);
+	printf("dns_zone_equal() returned %s\n", boolean ? "TRUE" : "FALSE");
+		if (boolean)
+			result = dns_view_addzone(newview, oldzone);
+		else
+			result = dns_view_addzone(newview, newzone);
+	}
+
+ cleanup:
+	if (tmpzone != NULL)
+		dns_zone_detach(&tmpzone);
+	if (newzone != NULL)
+		dns_zone_detach(&newzone);
+	if (oldzone != NULL)
+		dns_zone_detach(&oldzone);
+	return (result);
+}
+
 static void
 print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset) {
         isc_buffer_t text;
@@ -54,11 +176,11 @@ print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset) {
         isc_result_t result;
         isc_region_t r;
 
-        isc_buffer_init(&text, t, sizeof t, ISC_BUFFERTYPE_TEXT);
+        isc_buffer_init(&text, t, sizeof(t));
         result = dns_rdataset_totext(rdataset, name, ISC_FALSE, ISC_FALSE,
 				     &text);
-        isc_buffer_used(&text, &r);
-        if (result == DNS_R_SUCCESS)
+        isc_buffer_usedregion(&text, &r);
+        if (result == ISC_R_SUCCESS)
                 printf("%.*s", (int)r.length, (char *)r.base);
         else
                 printf("%s\n", dns_result_totext(result));
@@ -111,13 +233,13 @@ query(dns_view_t *view) {
 			continue;
 		}
 		if (strcasecmp(buf, "journal") == 0) {
-			dns_journal_print(view->mctx, "dv.isc.org.ixfr");
+			dns_journal_print(view->mctx, "dv.isc.org.ixfr", stdout);
 			reload = 0;
 			continue;
 		}
 
 		dns_fixedname_init(&name);
-		isc_buffer_init(&buffer, buf, strlen(buf), ISC_BUFFERTYPE_TEXT);
+		isc_buffer_init(&buffer, buf, strlen(buf));
 		isc_buffer_add(&buffer, strlen(buf));
 		result = dns_name_fromtext(dns_fixedname_name(&name),
 				  &buffer, dns_rootname, ISC_FALSE, NULL);
@@ -126,9 +248,9 @@ query(dns_view_t *view) {
 		if (reload) {
 			dns_zone_t *zone = NULL;
 			result = dns_zt_find(view->zonetable,
-					     dns_fixedname_name(&name), NULL,
-					     &zone);
-			if (result != DNS_R_SUCCESS) {
+					     dns_fixedname_name(&name), 0,
+					     NULL, &zone);
+			if (result != ISC_R_SUCCESS) {
 				if (result == DNS_R_PARTIALMATCH)
 					dns_zone_detach(&zone);
 				reload = 0;
@@ -148,7 +270,7 @@ query(dns_view_t *view) {
 				"dns_view_simplefind",
 				dns_result_totext(result));
 			switch (result) {
-			case DNS_R_SUCCESS:
+			case ISC_R_SUCCESS:
 				print_rdataset(dns_fixedname_name(&name), 
 					       &rdataset);
 				break;
@@ -201,9 +323,9 @@ main(int argc, char **argv) {
 
 /*
 	RUNTIME_CHECK(dns_view_create(mctx, dns_rdataclass_in,
-				      "default/IN", &view1) == DNS_R_SUCCESS);
+				      "default/IN", &view1) == ISC_R_SUCCESS);
 	RUNTIME_CHECK(dns_view_create(mctx, dns_rdataclass_in,
-				      "default/IN", &view2) == DNS_R_SUCCESS);
+				      "default/IN", &view2) == ISC_R_SUCCESS);
  */
 
 	cba.mctx = mctx;
@@ -215,11 +337,11 @@ main(int argc, char **argv) {
 	cbks.optscbk = NULL;
 	cbks.optscbkuap = NULL;
 
-	result = dns_c_parse_namedconf(NULL, conf, mctx, &configctx, &cbks);
+	result = dns_c_parse_namedconf(conf, mctx, &configctx, &cbks);
 	fprintf(stdout, "%s() returned %s\n", "dns_c_parse_namedconf",
 		dns_result_totext(result));
 	if (configctx != NULL)
-		dns_c_ctx_delete(NULL, &configctx);
+		dns_c_ctx_delete(&configctx);
 
 	view = ISC_LIST_HEAD(cba.newviews);
 
@@ -243,17 +365,17 @@ main(int argc, char **argv) {
 	}
 	*/
 
-	result = dns_c_parse_namedconf(NULL, conf, mctx, &configctx, &cbks);
+	result = dns_c_parse_namedconf(conf, mctx, &configctx, &cbks);
 	fprintf(stdout, "%s() returned %s\n", "dns_c_parse_namedconf",
 		dns_result_totext(result));
-	if (result == DNS_R_SUCCESS) {
-		result = dns_c_ctx_getdirectory(NULL, configctx, &dir);
-		if (result == DNS_R_SUCCESS)
+	if (result == ISC_R_SUCCESS) {
+		result = dns_c_ctx_getdirectory(configctx, &dir);
+		if (result == ISC_R_SUCCESS)
 			chdir(dir);
 		view = ISC_LIST_HEAD(cba.newviews);
 		while (view != NULL) {
 			dns_zt_print(view->zonetable);
-			dns_zt_load(view->zonetable);
+			dns_zt_load(view->zonetable, ISC_FALSE);
 			dns_view_freeze(view);
 			view = ISC_LIST_NEXT(view, link);
 		}
@@ -289,7 +411,7 @@ main(int argc, char **argv) {
 	}
 
 	if (configctx != NULL)
-		dns_c_ctx_delete(NULL, &configctx);
+		dns_c_ctx_delete(&configctx);
 	if (view2 != NULL)
 		dns_view_detach(&view2);
 	if (view1 != NULL)
@@ -299,5 +421,5 @@ main(int argc, char **argv) {
 		isc_mem_stats(mctx, stdout);
 	isc_mem_destroy(&mctx);
 
-	exit(0);
+	return (0);
 }
diff --git a/bin/tests/zone_test.c b/bin/tests/zone_test.c
index b713a368..42bcc7fb 100644
--- a/bin/tests/zone_test.c
+++ b/bin/tests/zone_test.c
@@ -15,20 +15,25 @@
  * SOFTWARE.
  */
 
-#include <stdio.h>
+#include <config.h>
+
 #include <stdlib.h>
-#include <string.h>
 
+#include <isc/app.h>
 #include <isc/commandline.h>
-#include <isc/error.h>
 #include <isc/mem.h>
-#include <isc/app.h>
 #include <isc/socket.h>
+#include <isc/string.h>
+#include <isc/task.h>
 #include <isc/timer.h>
+#include <isc/util.h>
 
 #include <dns/db.h>
-#include <dns/zone.h>
+#include <dns/fixedname.h>
 #include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+#include <dns/zone.h>
 
 static int debug = 0;
 static int quiet = 0;
@@ -44,7 +49,7 @@ isc_sockaddr_t addr;
 
 #define ERRRET(result, function) \
 	do { \
-		if (result != DNS_R_SUCCESS) { \
+		if (result != ISC_R_SUCCESS) { \
 			fprintf(stderr, "%s() returned %s\n", \
 				function, dns_result_totext(result)); \
 			return; \
@@ -52,7 +57,7 @@ isc_sockaddr_t addr;
 	} while (0)
 
 #define ERRCONT(result, function) \
-		if (result != DNS_R_SUCCESS) { \
+		if (result != ISC_R_SUCCESS) { \
 			fprintf(stderr, "%s() returned %s\n", \
 				function, dns_result_totext(result)); \
 			continue; \
@@ -83,7 +88,7 @@ setup(char *zonename, char *filename, char *classname) {
 
 	dns_zone_settype(zone, zonetype);
 
-	isc_buffer_init(&buffer, zonename, strlen(zonename), ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&buffer, zonename, strlen(zonename));
 	isc_buffer_add(&buffer, strlen(zonename));
 	dns_fixedname_init(&fixorigin);
 	result = dns_name_fromtext(dns_fixedname_name(&fixorigin),
@@ -107,9 +112,8 @@ setup(char *zonename, char *filename, char *classname) {
 
 	dns_zone_setclass(zone, rdclass);
 
-	if (zonetype == dns_zone_slave) {
-		dns_zone_addmaster(zone, &addr);
-	}
+	if (zonetype == dns_zone_slave)
+		dns_zone_setmasters(zone, &addr, 1);
 
 	result = dns_zone_load(zone);
 	ERRRET(result, "dns_zone_load");
@@ -125,11 +129,11 @@ print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset) {
         isc_result_t result;
         isc_region_t r;
 
-        isc_buffer_init(&text, t, sizeof t, ISC_BUFFERTYPE_TEXT);
+        isc_buffer_init(&text, t, sizeof(t));
         result = dns_rdataset_totext(rdataset, name, ISC_FALSE, ISC_FALSE,
 				     &text);
-        isc_buffer_used(&text, &r);
-        if (result == DNS_R_SUCCESS)
+        isc_buffer_usedregion(&text, &r);
+        if (result == ISC_R_SUCCESS)
                 printf("%.*s", (int)r.length, (char *)r.base);
         else
                 printf("%s\n", dns_result_totext(result));
@@ -150,7 +154,7 @@ query(void) {
 
 	db = NULL;
 	result = dns_zone_getdb(zone, &db);
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		fprintf(stderr, "%s() returned %s\n", "dns_zone_getdb",
 			dns_result_totext(result));
 		return;
@@ -186,7 +190,7 @@ query(void) {
 		if (strlen(buf) == 0)
 			continue;
 		dns_fixedname_init(&name);
-		isc_buffer_init(&buffer, buf, strlen(buf), ISC_BUFFERTYPE_TEXT);
+		isc_buffer_init(&buffer, buf, strlen(buf));
 		isc_buffer_add(&buffer, strlen(buf));
 		result = dns_name_fromtext(dns_fixedname_name(&name),
 				  &buffer, dns_rootname, ISC_FALSE, NULL);
@@ -206,7 +210,7 @@ query(void) {
 		case DNS_R_DELEGATION:
 			print_rdataset(dns_fixedname_name(&found), &rdataset);
 			break;
-		case DNS_R_SUCCESS:
+		case ISC_R_SUCCESS:
 			print_rdataset(dns_fixedname_name(&name), &rdataset);
 			break;
 		default:
diff --git a/config.h.in b/config.h.in
index 74971035..71ec61f1 100644
--- a/config.h.in
+++ b/config.h.in
@@ -1,6 +1,6 @@
 /* config.h.in.  Generated automatically from configure.in by autoheader.  */
 /*
- * Copyright (C) 1999  Internet Software Consortium.
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
  * 
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -45,6 +45,9 @@
 /* define if your system has sigwait() */
 #undef HAVE_SIGWAIT
 
+/* define if sigwait() is the UnixWare flavor */
+#undef HAVE_UNIXWARE_SIGWAIT
+
 /* define on Solaris to get sigwait() to work using pthreads semantics */
 #undef _POSIX_PTHREAD_SEMANTICS
 
@@ -60,14 +63,21 @@
 /* define if chroot() is available */
 #undef HAVE_CHROOT
 
+/* Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */
+#undef SHUTUP_SPUTAUX
+#ifdef SHUTUP_SPUTAUX
+struct __sFILE;
+extern __inline int __sputaux(int _c, struct __sFILE *_p);
+#endif
+
 /* Define if you have the <fcntl.h> header file.  */
 #undef HAVE_FCNTL_H
 
 /* Define if you have the <linux/capability.h> header file.  */
 #undef HAVE_LINUX_CAPABILITY_H
 
-/* Define if you have the <netinet6/in6.h> header file.  */
-#undef HAVE_NETINET6_IN6_H
+/* Define if you have the <linux/prctl.h> header file.  */
+#undef HAVE_LINUX_PRCTL_H
 
 /* Define if you have the <sys/sockio.h> header file.  */
 #undef HAVE_SYS_SOCKIO_H
@@ -78,9 +88,6 @@
 /* Define if you have the <unistd.h> header file.  */
 #undef HAVE_UNISTD_H
 
-/* Define if you have the c_r library (-lc_r).  */
-#undef HAVE_LIBC_R
-
 /* Define if you have the nsl library (-lnsl).  */
 #undef HAVE_LIBNSL
 
diff --git a/config.status.win32 b/config.status.win32
index f6b85cde..a74b2c18 100755
--- a/config.status.win32
+++ b/config.status.win32
@@ -141,9 +141,9 @@ s%@CPP@%cl /E%g
 s%@MKDEPCC@%gcc%g
 s%@MKDEPCFLAGS@%-M%g
 s%@MKDEPPROG@%%g
-s%@ISC_PLATFORM_HAVESALEN@%#undef ISC_NET_HAVESALEN%g
+s%@ISC_PLATFORM_HAVESALEN@%#undef ISC_PLATFORM_HAVESALEN%g
 s%@ISC_PLATFORM_MSGHDRFLAVOR@% XXX IRRELEVANT? XXX %g
-s%@ISC_PLATFORM_NEEDPORTT@%#define ISC_NET_NEEDPORTT 1%g
+s%@ISC_PLATFORM_NEEDPORTT@%#define ISC_PLATFORM_NEEDPORTT 1%g
 s%@build@%NONE%g
 s%@build_alias@%%g
 s%@build_cpu@%%g
diff --git a/configure b/configure
index 3b04089c..16da39de 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 
-# From configure.in Revision: 1.107 
+# From configure.in Revision: 1.137 
 
 
 
@@ -99,6 +99,7 @@
 
 
 
+
 # Guess values for system-dependent variables and create Makefiles.
 # Generated automatically using autoconf version 2.13 
 # Copyright (C) 1992, 93, 94, 95, 96 Free Software Foundation, Inc.
@@ -111,21 +112,19 @@ ac_help=
 ac_default_prefix=/usr/local
 # Any additions from configure.in:
 ac_help="$ac_help
-  --with-mit-pthreads	use the mit-pthreads thread library"
-ac_help="$ac_help
-  --with-ptl2		use the ptl2 thread library"
+  --with-ptl2		on NetBSD, use the ptl2 thread library (experimental)"
 ac_help="$ac_help
-  --with-libtool	use GNU libtool"
+  --with-libtool	use GNU libtool (following indented options supported)"
 ac_help="$ac_help
-  --enable-shared[=PKGS]  build shared libraries [default=yes]"
+    --enable-shared[=PKGS]  build shared libraries [default=yes]"
 ac_help="$ac_help
-  --enable-static[=PKGS]  build static libraries [default=yes]"
+    --enable-static[=PKGS]  build static libraries [default=yes]"
 ac_help="$ac_help
-  --enable-fast-install[=PKGS]  optimize for fast installation [default=yes]"
+    --enable-fast-install[=PKGS]  optimize for fast installation [default=yes]"
 ac_help="$ac_help
-  --with-gnu-ld           assume the C compiler uses GNU ld [default=no]"
+    --with-gnu-ld           assume the C compiler uses GNU ld [default=no]"
 ac_help="$ac_help
-  --disable-libtool-lock  avoid locking (might break parallel builds)"
+    --disable-libtool-lock  avoid locking (might break parallel builds)"
 ac_help="$ac_help
   --enable-ipv6		use IPv6 [default=autodetect]"
 ac_help="$ac_help
@@ -668,7 +667,7 @@ else { echo "configure: error: can not run $ac_config_sub" 1>&2; exit 1; }
 fi
 
 echo $ac_n "checking host system type""... $ac_c" 1>&6
-echo "configure:672: checking host system type" >&5
+echo "configure:671: checking host system type" >&5
 
 host_alias=$host
 case "$host_alias" in
@@ -690,7 +689,7 @@ echo "$ac_t""$host" 1>&6
 
 
 echo $ac_n "checking whether ${MAKE-make} sets \${MAKE}""... $ac_c" 1>&6
-echo "configure:694: checking whether ${MAKE-make} sets \${MAKE}" >&5
+echo "configure:693: checking whether ${MAKE-make} sets \${MAKE}" >&5
 set dummy ${MAKE-make}; ac_make=`echo "$2" | sed 'y%./+-%__p_%'`
 if eval "test \"`echo '$''{'ac_cv_prog_make_${ac_make}_set'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
@@ -719,7 +718,7 @@ fi
 # Extract the first word of "ranlib", so it can be a program name with args.
 set dummy ranlib; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:723: checking for $ac_word" >&5
+echo "configure:722: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -758,7 +757,7 @@ fi
 # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
 # ./install, which can be erroneously created by make from ./install.sh.
 echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6
-echo "configure:762: checking for a BSD compatible install" >&5
+echo "configure:761: checking for a BSD compatible install" >&5
 if test -z "$INSTALL"; then
 if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
@@ -811,9 +810,6 @@ test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL_PROGRAM}'
 test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
 
 
-STD_CINCLUDES=""
-STD_CDEFINES=""
-STD_CWARNINGS=""
 
 
 
@@ -821,7 +817,7 @@ STD_CWARNINGS=""
 # Extract the first word of "ar", so it can be a program name with args.
 set dummy ar; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:825: checking for $ac_word" >&5
+echo "configure:821: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_path_AR'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -857,12 +853,22 @@ ARFLAGS="cruv"
 
 
 
+case "$AR" in
+	"")
+		{ echo "configure: error: 
+ar program not found.  Please fix your PATH to include the directory in
+which ar resides, or set AR in the environment with the full path to ar.
+" 1>&2; exit 1; }
+
+		;;
+esac
+
 for ac_prog in etags emacs-etags
 do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:866: checking for $ac_word" >&5
+echo "configure:872: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_path_ETAGS'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1007,25 +1013,59 @@ if test "X$CC" = "X" ; then
 fi
 
 #
-# NetBSD has two alternative pthreads implementations.  Make the 
-# user choose one by saying --with-mit-pthreads or --with-ptl2
-# if necessary.
+# If the user didn't specify where openssl is, and we didn't find or it
+# is imcompatible with our code, use our internal one.
+# XXXMLG Implement this check!
+#
+echo $ac_n "checking for compatible OpenSSL library""... $ac_c" 1>&6
+echo "configure:1022: checking for compatible OpenSSL library" >&5
+
+DST_PRIVATEOPENSSL='-DDST_USE_PRIVATE_OPENSSL'
+dst_privateopenssl='openssl'
+DST_OPENSSL_INC='-I${srcdir}/../openssl/include'
+DST_OPENSSL_LIB=''
+DST_OPENSSL_OBJS='${OPENSSLOBJS}'
+echo "$ac_t""using private library" 1>&6
+
+
+
+
+
+
+
+#
+# This would include the system openssl path (and linker options to use
+# it as needed) if it is found.
+#
+
+DNS_OPENSSL_LIBS=""
+
+
+#
+# testing with alternate openssl libraries...  XXXMLG
+#
+# DNS_OPENSSL_LIBS="-L/usr/pkg/lib -lssl -lcrypto"
+# DST_PRIVATEOPENSSL=''
+# dst_privateopenssl=''
+# DST_OPENSSL_INC='-I/usr/pkg/include'
+# DST_OPENSSL_LIB=''
+#
+
+#
+# NetBSD has multiple pthreads implementations.  The recommended
+# one to use is "unproven-pthreads".  The older "mit-pthreads" 
+# may also work on some NetBSD versions.  The PTL2 thread
+# library does not currently work with bind9, but can be
+# chosen with the --with-ptl2 option for those who wish to
+# experiment with it.
 #
+
 case "$host" in
   *-netbsd*)
 	CC="gcc"
-	echo $ac_n "checking which thread library to use""... $ac_c" 1>&6
-echo "configure:1019: checking which thread library to use" >&5
-
-	# Check whether --with-mit-pthreads or --without-mit-pthreads was given.
-if test "${with_mit_pthreads+set}" = set; then
-  withval="$with_mit_pthreads"
-  use_mit_pthreads="$withval"
-else
-  use_mit_pthreads="no"
-fi
+	echo $ac_n "checking which NetBSD thread library to use""... $ac_c" 1>&6
+echo "configure:1068: checking which NetBSD thread library to use" >&5
 
-	
 	# Check whether --with-ptl2 or --without-ptl2 was given.
 if test "${with_ptl2+set}" = set; then
   withval="$with_ptl2"
@@ -1037,57 +1077,36 @@ fi
 
         : ${LOCALBASE:=/usr/pkg}
 
-        # If user did not choose a thread library explicitly,
-        # try to choose one automatically.  This will work when
-	# exactly one library is installed.
-
-	case "$use_mit_pthreads+$use_ptl2" in
-		no+no)
-			if test -d $LOCALBASE/pthreads
-			then
-				use_mit_pthreads="yes"
-			fi
-			if test -d $LOCALBASE/PTL
-			then
-				use_ptl2="yes"
-			fi
-			;;
-        esac
-
-	case "$use_mit_pthreads+$use_ptl2" in
-		yes+no)
-			echo "$ac_t""mit-pthreads" 1>&6
-			pkg="$LOCALBASE/pthreads"
-			lib1="-L$pkg/lib -Wl,-R$pkg/lib"
-			lib2="-lpthread -lm -lgcc -lpthread"
-			LIBS="$lib1 $lib2 $LIBS"
-			CPPFLAGS="-I$pkg/include $CPPFLAGS"
-			STD_CINCLUDES="-I$pkg/include"
-			;;
-		no+yes)
-			echo "$ac_t""PTL2" 1>&6
-#			pkg="$LOCALBASE/PTL"
-#			LIBS="-L$LOCALBASE/lib -lPTL $LIBS"
-#			STD_CINCLUDES="-nostdinc -idirafter $pkg/include"
-			CC=ptlgcc
-			;;
-		*)
-			{ echo "configure: error: no thread library.
+	if test "X$use_ptl2" = "Xyes"
+	then
+		echo "$ac_t""PTL2" 1>&6
+		echo "configure: warning: linking with PTL2 is highly experimental and not expected to work" 1>&2
+		CC=ptlgcc
+	else
+		echo "$ac_t""mit-pthreads/unproven-pthreads" 1>&6
 
-Please choose a thread library using one of 
+		if test ! -d $LOCALBASE/pthreads
+		then
+			{ echo "configure: error: no thread library found.
 
-   configure --with-mit-pthreads
-   configure --with-ptl2
+Please install the devel/unproven-pthreads package and rerun configure.
 " 1>&2; exit 1; }
-			;;
-		esac
-		;;
+		fi
+
+		pkg="$LOCALBASE/pthreads"
+		lib1="-L$pkg/lib -Wl,-R$pkg/lib"
+		lib2="-lpthread -lm -lgcc -lpthread"
+		LIBS="$lib1 $lib2 $LIBS"
+		CPPFLAGS="$CPPFLAGS -I$pkg/include"
+		STD_CINCLUDES="$STD_CINCLUDES -I$pkg/include"
+	fi
+	;;
 esac
 
 # Extract the first word of "gcc", so it can be a program name with args.
 set dummy gcc; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1091: checking for $ac_word" >&5
+echo "configure:1110: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1117,7 +1136,7 @@ if test -z "$CC"; then
   # Extract the first word of "cc", so it can be a program name with args.
 set dummy cc; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1121: checking for $ac_word" >&5
+echo "configure:1140: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1168,7 +1187,7 @@ fi
       # Extract the first word of "cl", so it can be a program name with args.
 set dummy cl; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1172: checking for $ac_word" >&5
+echo "configure:1191: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1200,7 +1219,7 @@ fi
 fi
 
 echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6
-echo "configure:1204: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
+echo "configure:1223: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5
 
 ac_ext=c
 # CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options.
@@ -1211,12 +1230,12 @@ cross_compiling=$ac_cv_prog_cc_cross
 
 cat > conftest.$ac_ext << EOF
 
-#line 1215 "configure"
+#line 1234 "configure"
 #include "confdefs.h"
 
 main(){return(0);}
 EOF
-if { (eval echo configure:1220: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:1239: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   ac_cv_prog_cc_works=yes
   # If we can't run a trivial program, we are probably using a cross compiler.
   if (./conftest; exit) 2>/dev/null; then
@@ -1242,12 +1261,12 @@ if test $ac_cv_prog_cc_works = no; then
   { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; }
 fi
 echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6
-echo "configure:1246: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
+echo "configure:1265: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5
 echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6
 cross_compiling=$ac_cv_prog_cc_cross
 
 echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6
-echo "configure:1251: checking whether we are using GNU C" >&5
+echo "configure:1270: checking whether we are using GNU C" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1256,7 +1275,7 @@ else
   yes;
 #endif
 EOF
-if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:1260: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
+if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:1279: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then
   ac_cv_prog_gcc=yes
 else
   ac_cv_prog_gcc=no
@@ -1275,7 +1294,7 @@ ac_test_CFLAGS="${CFLAGS+set}"
 ac_save_CFLAGS="$CFLAGS"
 CFLAGS=
 echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6
-echo "configure:1279: checking whether ${CC-cc} accepts -g" >&5
+echo "configure:1298: checking whether ${CC-cc} accepts -g" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1311,7 +1330,7 @@ do
 # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
-echo "configure:1315: checking for $ac_word" >&5
+echo "configure:1334: checking for $ac_word" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_YACC'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -1343,7 +1362,7 @@ test -n "$YACC" || YACC="yacc"
 
 
 echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6
-echo "configure:1347: checking how to run the C preprocessor" >&5
+echo "configure:1366: checking how to run the C preprocessor" >&5
 # On Suns, sometimes $CPP names a directory.
 if test -n "$CPP" && test -d "$CPP"; then
   CPP=
@@ -1358,13 +1377,13 @@ else
   # On the NeXT, cc -E runs the code through the compiler's parser,
   # not just through cpp.
   cat > conftest.$ac_ext <<EOF
-#line 1362 "configure"
+#line 1381 "configure"
 #include "confdefs.h"
 #include <assert.h>
 Syntax Error
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:1368: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:1387: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   :
@@ -1375,13 +1394,13 @@ else
   rm -rf conftest*
   CPP="${CC-cc} -E -traditional-cpp"
   cat > conftest.$ac_ext <<EOF
-#line 1379 "configure"
+#line 1398 "configure"
 #include "confdefs.h"
 #include <assert.h>
 Syntax Error
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:1385: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:1404: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   :
@@ -1392,13 +1411,13 @@ else
   rm -rf conftest*
   CPP="${CC-cc} -nologo -E"
   cat > conftest.$ac_ext <<EOF
-#line 1396 "configure"
+#line 1415 "configure"
 #include "confdefs.h"
 #include <assert.h>
 Syntax Error
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:1402: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:1421: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   :
@@ -1423,12 +1442,12 @@ fi
 echo "$ac_t""$CPP" 1>&6
 
 echo $ac_n "checking for ANSI C header files""... $ac_c" 1>&6
-echo "configure:1427: checking for ANSI C header files" >&5
+echo "configure:1446: checking for ANSI C header files" >&5
 if eval "test \"`echo '$''{'ac_cv_header_stdc'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 1432 "configure"
+#line 1451 "configure"
 #include "confdefs.h"
 #include <stdlib.h>
 #include <stdarg.h>
@@ -1436,7 +1455,7 @@ else
 #include <float.h>
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:1440: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:1459: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   rm -rf conftest*
@@ -1453,7 +1472,7 @@ rm -f conftest*
 if test $ac_cv_header_stdc = yes; then
   # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
 cat > conftest.$ac_ext <<EOF
-#line 1457 "configure"
+#line 1476 "configure"
 #include "confdefs.h"
 #include <string.h>
 EOF
@@ -1471,7 +1490,7 @@ fi
 if test $ac_cv_header_stdc = yes; then
   # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
 cat > conftest.$ac_ext <<EOF
-#line 1475 "configure"
+#line 1494 "configure"
 #include "confdefs.h"
 #include <stdlib.h>
 EOF
@@ -1492,7 +1511,7 @@ if test "$cross_compiling" = yes; then
   :
 else
   cat > conftest.$ac_ext <<EOF
-#line 1496 "configure"
+#line 1515 "configure"
 #include "confdefs.h"
 #include <ctype.h>
 #define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
@@ -1503,7 +1522,7 @@ if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) exit(2);
 exit (0); }
 
 EOF
-if { (eval echo configure:1507: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:1526: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
 then
   :
 else
@@ -1526,21 +1545,22 @@ EOF
 
 fi
 
-for ac_hdr in fcntl.h sys/time.h unistd.h sys/sockio.h netinet6/in6.h
+
+for ac_hdr in fcntl.h sys/time.h unistd.h sys/sockio.h
 do
 ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
 echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:1534: checking for $ac_hdr" >&5
+echo "configure:1554: checking for $ac_hdr" >&5
 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 1539 "configure"
+#line 1559 "configure"
 #include "confdefs.h"
 #include <$ac_hdr>
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:1544: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:1564: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   rm -rf conftest*
@@ -1567,29 +1587,13 @@ fi
 done
 
 
-#
-# HAVE_NETINET6_IN6_H needs to go in platform.h.
-#
-case "$ac_cv_header_netinet6_in6_h" in
-yes)
-	ISC_PLATFORM_HAVENETINET6IN6H="#define ISC_PLATFORM_HAVENETINET6IN6H 1"
-	LWRES_PLATFORM_HAVENETINET6IN6H="#define LWRES_PLATFORM_HAVENETINET6IN6H 1"
-	;;
-no)
-	ISC_PLATFORM_HAVENETINET6IN6H="#undef ISC_PLATFORM_HAVENETINET6IN6H"
-	LWRES_PLATFORM_HAVENETINET6IN6H="#undef LWRES_PLATFORM_HAVENETINET6IN6H"
-	;;
-esac
-
-
-
 echo $ac_n "checking for working const""... $ac_c" 1>&6
-echo "configure:1588: checking for working const" >&5
+echo "configure:1592: checking for working const" >&5
 if eval "test \"`echo '$''{'ac_cv_c_const'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 1593 "configure"
+#line 1597 "configure"
 #include "confdefs.h"
 
 int main() {
@@ -1638,7 +1642,7 @@ ccp = (char const *const *) p;
 
 ; return 0; }
 EOF
-if { (eval echo configure:1642: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:1646: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   ac_cv_c_const=yes
 else
@@ -1659,21 +1663,21 @@ EOF
 fi
 
 echo $ac_n "checking for inline""... $ac_c" 1>&6
-echo "configure:1663: checking for inline" >&5
+echo "configure:1667: checking for inline" >&5
 if eval "test \"`echo '$''{'ac_cv_c_inline'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   ac_cv_c_inline=no
 for ac_kw in inline __inline__ __inline; do
   cat > conftest.$ac_ext <<EOF
-#line 1670 "configure"
+#line 1674 "configure"
 #include "confdefs.h"
 
 int main() {
 } $ac_kw foo() {
 ; return 0; }
 EOF
-if { (eval echo configure:1677: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:1681: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   ac_cv_c_inline=$ac_kw; break
 else
@@ -1699,12 +1703,12 @@ EOF
 esac
 
 echo $ac_n "checking for size_t""... $ac_c" 1>&6
-echo "configure:1703: checking for size_t" >&5
+echo "configure:1707: checking for size_t" >&5
 if eval "test \"`echo '$''{'ac_cv_type_size_t'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 1708 "configure"
+#line 1712 "configure"
 #include "confdefs.h"
 #include <sys/types.h>
 #if STDC_HEADERS
@@ -1732,12 +1736,12 @@ EOF
 fi
 
 echo $ac_n "checking whether time.h and sys/time.h may both be included""... $ac_c" 1>&6
-echo "configure:1736: checking whether time.h and sys/time.h may both be included" >&5
+echo "configure:1740: checking whether time.h and sys/time.h may both be included" >&5
 if eval "test \"`echo '$''{'ac_cv_header_time'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 1741 "configure"
+#line 1745 "configure"
 #include "confdefs.h"
 #include <sys/types.h>
 #include <sys/time.h>
@@ -1746,7 +1750,7 @@ int main() {
 struct tm *tp;
 ; return 0; }
 EOF
-if { (eval echo configure:1750: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:1754: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   ac_cv_header_time=yes
 else
@@ -1768,7 +1772,7 @@ fi
 
 
 echo $ac_n "checking for pthread_create in -lpthread""... $ac_c" 1>&6
-echo "configure:1772: checking for pthread_create in -lpthread" >&5
+echo "configure:1776: checking for pthread_create in -lpthread" >&5
 ac_lib_var=`echo pthread'_'pthread_create | sed 'y%./+-%__p_%'`
 if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
@@ -1776,7 +1780,7 @@ else
   ac_save_LIBS="$LIBS"
 LIBS="-lpthread  $LIBS"
 cat > conftest.$ac_ext <<EOF
-#line 1780 "configure"
+#line 1784 "configure"
 #include "confdefs.h"
 /* Override any gcc2 internal prototype to avoid an error.  */
 /* We use char because int might match the return type of a gcc2
@@ -1787,7 +1791,7 @@ int main() {
 pthread_create()
 ; return 0; }
 EOF
-if { (eval echo configure:1791: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:1795: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_lib_$ac_lib_var=yes"
 else
@@ -1813,7 +1817,7 @@ EOF
 else
   echo "$ac_t""no" 1>&6
 echo $ac_n "checking for __pthread_create in -lpthread""... $ac_c" 1>&6
-echo "configure:1817: checking for __pthread_create in -lpthread" >&5
+echo "configure:1821: checking for __pthread_create in -lpthread" >&5
 ac_lib_var=`echo pthread'_'__pthread_create | sed 'y%./+-%__p_%'`
 if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
@@ -1821,7 +1825,7 @@ else
   ac_save_LIBS="$LIBS"
 LIBS="-lpthread  $LIBS"
 cat > conftest.$ac_ext <<EOF
-#line 1825 "configure"
+#line 1829 "configure"
 #include "confdefs.h"
 /* Override any gcc2 internal prototype to avoid an error.  */
 /* We use char because int might match the return type of a gcc2
@@ -1832,7 +1836,7 @@ int main() {
 __pthread_create()
 ; return 0; }
 EOF
-if { (eval echo configure:1836: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:1840: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_lib_$ac_lib_var=yes"
 else
@@ -1860,7 +1864,7 @@ else
 fi
 
              echo $ac_n "checking for __pthread_create_system in -lpthread""... $ac_c" 1>&6
-echo "configure:1864: checking for __pthread_create_system in -lpthread" >&5
+echo "configure:1868: checking for __pthread_create_system in -lpthread" >&5
 ac_lib_var=`echo pthread'_'__pthread_create_system | sed 'y%./+-%__p_%'`
 if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
@@ -1868,7 +1872,7 @@ else
   ac_save_LIBS="$LIBS"
 LIBS="-lpthread  $LIBS"
 cat > conftest.$ac_ext <<EOF
-#line 1872 "configure"
+#line 1876 "configure"
 #include "confdefs.h"
 /* Override any gcc2 internal prototype to avoid an error.  */
 /* We use char because int might match the return type of a gcc2
@@ -1879,7 +1883,7 @@ int main() {
 __pthread_create_system()
 ; return 0; }
 EOF
-if { (eval echo configure:1883: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:1887: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_lib_$ac_lib_var=yes"
 else
@@ -1914,7 +1918,7 @@ fi
 # We'd like to use sigwait() too
 #
 echo $ac_n "checking for sigwait in -lc""... $ac_c" 1>&6
-echo "configure:1918: checking for sigwait in -lc" >&5
+echo "configure:1922: checking for sigwait in -lc" >&5
 ac_lib_var=`echo c'_'sigwait | sed 'y%./+-%__p_%'`
 if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
@@ -1922,7 +1926,7 @@ else
   ac_save_LIBS="$LIBS"
 LIBS="-lc  $LIBS"
 cat > conftest.$ac_ext <<EOF
-#line 1926 "configure"
+#line 1930 "configure"
 #include "confdefs.h"
 /* Override any gcc2 internal prototype to avoid an error.  */
 /* We use char because int might match the return type of a gcc2
@@ -1933,7 +1937,7 @@ int main() {
 sigwait()
 ; return 0; }
 EOF
-if { (eval echo configure:1937: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:1941: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_lib_$ac_lib_var=yes"
 else
@@ -1955,7 +1959,7 @@ EOF
 else
   echo "$ac_t""no" 1>&6
 echo $ac_n "checking for sigwait in -lpthread""... $ac_c" 1>&6
-echo "configure:1959: checking for sigwait in -lpthread" >&5
+echo "configure:1963: checking for sigwait in -lpthread" >&5
 ac_lib_var=`echo pthread'_'sigwait | sed 'y%./+-%__p_%'`
 if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
@@ -1963,7 +1967,7 @@ else
   ac_save_LIBS="$LIBS"
 LIBS="-lpthread  $LIBS"
 cat > conftest.$ac_ext <<EOF
-#line 1967 "configure"
+#line 1971 "configure"
 #include "confdefs.h"
 /* Override any gcc2 internal prototype to avoid an error.  */
 /* We use char because int might match the return type of a gcc2
@@ -1974,7 +1978,7 @@ int main() {
 sigwait()
 ; return 0; }
 EOF
-if { (eval echo configure:1978: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:1982: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_lib_$ac_lib_var=yes"
 else
@@ -1996,7 +2000,7 @@ EOF
 else
   echo "$ac_t""no" 1>&6
 echo $ac_n "checking for _Psigwait in -lpthread""... $ac_c" 1>&6
-echo "configure:2000: checking for _Psigwait in -lpthread" >&5
+echo "configure:2004: checking for _Psigwait in -lpthread" >&5
 ac_lib_var=`echo pthread'_'_Psigwait | sed 'y%./+-%__p_%'`
 if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
@@ -2004,7 +2008,7 @@ else
   ac_save_LIBS="$LIBS"
 LIBS="-lpthread  $LIBS"
 cat > conftest.$ac_ext <<EOF
-#line 2008 "configure"
+#line 2012 "configure"
 #include "confdefs.h"
 /* Override any gcc2 internal prototype to avoid an error.  */
 /* We use char because int might match the return type of a gcc2
@@ -2015,7 +2019,7 @@ int main() {
 _Psigwait()
 ; return 0; }
 EOF
-if { (eval echo configure:2019: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:2023: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_lib_$ac_lib_var=yes"
 else
@@ -2045,7 +2049,7 @@ fi
 
 
 #
-# Additional OS-specific issues related to pthreads.
+# Additional OS-specific issues related to pthreads and sigwait.
 #
 case "$host" in
         #
@@ -2053,7 +2057,7 @@ case "$host" in
         #
 	*-freebsd*)
 		echo $ac_n "checking for sigwait in -lc_r""... $ac_c" 1>&6
-echo "configure:2057: checking for sigwait in -lc_r" >&5
+echo "configure:2061: checking for sigwait in -lc_r" >&5
 ac_lib_var=`echo c_r'_'sigwait | sed 'y%./+-%__p_%'`
 if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
@@ -2061,7 +2065,7 @@ else
   ac_save_LIBS="$LIBS"
 LIBS="-lc_r  $LIBS"
 cat > conftest.$ac_ext <<EOF
-#line 2065 "configure"
+#line 2069 "configure"
 #include "confdefs.h"
 /* Override any gcc2 internal prototype to avoid an error.  */
 /* We use char because int might match the return type of a gcc2
@@ -2072,7 +2076,7 @@ int main() {
 sigwait()
 ; return 0; }
 EOF
-if { (eval echo configure:2076: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:2080: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_lib_$ac_lib_var=yes"
 else
@@ -2124,18 +2128,27 @@ EOF
 EOF
 
 		;;
+        #
+        # UnixWare does things its own way.
+        #
+        *-UnixWare*)
+		cat >> confdefs.h <<\EOF
+#define HAVE_UNIXWARE_SIGWAIT 1
+EOF
+
+		;;
 esac
 
 #
 # NLS
 #
 echo $ac_n "checking for catgets""... $ac_c" 1>&6
-echo "configure:2134: checking for catgets" >&5
+echo "configure:2147: checking for catgets" >&5
 if eval "test \"`echo '$''{'ac_cv_func_catgets'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 2139 "configure"
+#line 2152 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
     which can conflict with char catgets(); below.  */
@@ -2158,7 +2171,7 @@ catgets();
 
 ; return 0; }
 EOF
-if { (eval echo configure:2162: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:2175: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_func_catgets=yes"
 else
@@ -2196,7 +2209,7 @@ case "$host" in
 		;;
 	*)
 		echo $ac_n "checking for socket in -lsocket""... $ac_c" 1>&6
-echo "configure:2200: checking for socket in -lsocket" >&5
+echo "configure:2213: checking for socket in -lsocket" >&5
 ac_lib_var=`echo socket'_'socket | sed 'y%./+-%__p_%'`
 if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
@@ -2204,7 +2217,7 @@ else
   ac_save_LIBS="$LIBS"
 LIBS="-lsocket  $LIBS"
 cat > conftest.$ac_ext <<EOF
-#line 2208 "configure"
+#line 2221 "configure"
 #include "confdefs.h"
 /* Override any gcc2 internal prototype to avoid an error.  */
 /* We use char because int might match the return type of a gcc2
@@ -2215,7 +2228,7 @@ int main() {
 socket()
 ; return 0; }
 EOF
-if { (eval echo configure:2219: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:2232: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_lib_$ac_lib_var=yes"
 else
@@ -2243,7 +2256,7 @@ else
 fi
 
 		echo $ac_n "checking for inet_ntoa in -lnsl""... $ac_c" 1>&6
-echo "configure:2247: checking for inet_ntoa in -lnsl" >&5
+echo "configure:2260: checking for inet_ntoa in -lnsl" >&5
 ac_lib_var=`echo nsl'_'inet_ntoa | sed 'y%./+-%__p_%'`
 if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
@@ -2251,7 +2264,7 @@ else
   ac_save_LIBS="$LIBS"
 LIBS="-lnsl  $LIBS"
 cat > conftest.$ac_ext <<EOF
-#line 2255 "configure"
+#line 2268 "configure"
 #include "confdefs.h"
 /* Override any gcc2 internal prototype to avoid an error.  */
 /* We use char because int might match the return type of a gcc2
@@ -2262,7 +2275,7 @@ int main() {
 inet_ntoa()
 ; return 0; }
 EOF
-if { (eval echo configure:2266: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:2279: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_lib_$ac_lib_var=yes"
 else
@@ -2307,6 +2320,9 @@ if test "X$GCC" = "Xyes"; then
 		*-solaris*)
 			LIBS="$LIBS -lthread"
 			;;
+		*-ibm-aix*)
+			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+			;;
 	esac
 else
 	case "$host" in
@@ -2323,6 +2339,17 @@ else
 			CC="$CC -Ae -z +w1"
 			MKDEPPROG='cc -Ae -E -Wp,-M >/dev/null 2>>$TMP'
 			;;
+                *-sgi-irix*)
+			STD_CWARNINGS="-fullwarn -woff 1209"
+                        ;;
+		*-ibm-aix*)
+			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+			;;
+		*-UnixWare*)
+			CC="$CC -Kthread -w"
+			MKDEPCC="$CC"
+			YACC="yacc"	# bison calls alloca, avoid on UnixWare
+			;;
 	esac
 fi
 
@@ -2346,9 +2373,9 @@ esac
 # Look for a 4.4BSD-style sa_len member in struct sockaddr.
 #
 echo $ac_n "checking for sa_len in struct sockaddr""... $ac_c" 1>&6
-echo "configure:2350: checking for sa_len in struct sockaddr" >&5
+echo "configure:2377: checking for sa_len in struct sockaddr" >&5
 cat > conftest.$ac_ext <<EOF
-#line 2352 "configure"
+#line 2379 "configure"
 #include "confdefs.h"
 
 #include <sys/types.h>
@@ -2357,7 +2384,7 @@ int main() {
 struct sockaddr sa; sa.sa_len = 0; return (0);
 ; return 0; }
 EOF
-if { (eval echo configure:2361: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:2388: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   echo "$ac_t""yes" 1>&6
 	ISC_PLATFORM_HAVESALEN="#define ISC_PLATFORM_HAVESALEN 1"
@@ -2378,9 +2405,9 @@ rm -f conftest*
 # Look for a 4.4BSD or 4.3BSD struct msghdr
 #
 echo $ac_n "checking for struct msghdr flavor""... $ac_c" 1>&6
-echo "configure:2382: checking for struct msghdr flavor" >&5
+echo "configure:2409: checking for struct msghdr flavor" >&5
 cat > conftest.$ac_ext <<EOF
-#line 2384 "configure"
+#line 2411 "configure"
 #include "confdefs.h"
 
 #include <sys/types.h>
@@ -2389,7 +2416,7 @@ int main() {
 struct msghdr msg; msg.msg_flags = 0; return (0);
 ; return 0; }
 EOF
-if { (eval echo configure:2393: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:2420: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   echo "$ac_t""4.4BSD" 1>&6
 	ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD44MSGHDR 1"
@@ -2407,9 +2434,9 @@ rm -f conftest*
 # Look for in_port_t.
 #
 echo $ac_n "checking for type in_port_t""... $ac_c" 1>&6
-echo "configure:2411: checking for type in_port_t" >&5
+echo "configure:2438: checking for type in_port_t" >&5
 cat > conftest.$ac_ext <<EOF
-#line 2413 "configure"
+#line 2440 "configure"
 #include "confdefs.h"
 
 #include <sys/types.h>
@@ -2418,7 +2445,7 @@ int main() {
 in_port_t port = 25; return (0);
 ; return 0; }
 EOF
-if { (eval echo configure:2422: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:2449: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   echo "$ac_t""yes" 1>&6
 	ISC_PLATFORM_NEEDPORTT="#undef ISC_PLATFORM_NEEDPORTT"
@@ -2436,9 +2463,9 @@ rm -f conftest*
 # Check for addrinfo
 #
 echo $ac_n "checking for struct addrinfo""... $ac_c" 1>&6
-echo "configure:2440: checking for struct addrinfo" >&5
+echo "configure:2467: checking for struct addrinfo" >&5
 cat > conftest.$ac_ext <<EOF
-#line 2442 "configure"
+#line 2469 "configure"
 #include "confdefs.h"
 
 #include <netdb.h>
@@ -2446,7 +2473,7 @@ int main() {
 struct addrinfo a; return (0);
 ; return 0; }
 EOF
-if { (eval echo configure:2450: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:2477: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   echo "$ac_t""yes" 1>&6
 	ISC_LWRES_NEEDADDRINFO="#undef ISC_LWRES_NEEDADDRINFO"
@@ -2461,9 +2488,9 @@ rm -f conftest*
 
 
 echo $ac_n "checking for int sethostent""... $ac_c" 1>&6
-echo "configure:2465: checking for int sethostent" >&5
+echo "configure:2492: checking for int sethostent" >&5
 cat > conftest.$ac_ext <<EOF
-#line 2467 "configure"
+#line 2494 "configure"
 #include "confdefs.h"
 
 #include <netdb.h>
@@ -2471,7 +2498,7 @@ int main() {
 int i = sethostent(0); return(0);
 ; return 0; }
 EOF
-if { (eval echo configure:2475: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:2502: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   echo "$ac_t""yes" 1>&6
 	ISC_LWRES_SETHOSTENTINT="#define ISC_LWRES_SETHOSTENTINT 1"
@@ -2486,9 +2513,9 @@ rm -f conftest*
 
 
 echo $ac_n "checking for int endhostent""... $ac_c" 1>&6
-echo "configure:2490: checking for int endhostent" >&5
+echo "configure:2517: checking for int endhostent" >&5
 cat > conftest.$ac_ext <<EOF
-#line 2492 "configure"
+#line 2519 "configure"
 #include "confdefs.h"
 
 #include <netdb.h>
@@ -2496,7 +2523,7 @@ int main() {
 int i = endhostent(); return(0);
 ; return 0; }
 EOF
-if { (eval echo configure:2500: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:2527: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   echo "$ac_t""yes" 1>&6
 	ISC_LWRES_ENDHOSTENTINT="#define ISC_LWRES_ENDHOSTENTINT 1"
@@ -2511,9 +2538,9 @@ rm -f conftest*
 
 
 echo $ac_n "checking for getnetbyaddr(in_addr_t, ...)""... $ac_c" 1>&6
-echo "configure:2515: checking for getnetbyaddr(in_addr_t, ...)" >&5
+echo "configure:2542: checking for getnetbyaddr(in_addr_t, ...)" >&5
 cat > conftest.$ac_ext <<EOF
-#line 2517 "configure"
+#line 2544 "configure"
 #include "confdefs.h"
 
 #include <netdb.h>
@@ -2522,7 +2549,7 @@ int main() {
 
 ; return 0; }
 EOF
-if { (eval echo configure:2526: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:2553: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   echo "$ac_t""yes" 1>&6
 	ISC_LWRES_GETNETBYADDRINADDR="#define ISC_LWRES_GETNETBYADDRINADDR 1"
@@ -2537,9 +2564,9 @@ rm -f conftest*
 
 
 echo $ac_n "checking for int setnetent""... $ac_c" 1>&6
-echo "configure:2541: checking for int setnetent" >&5
+echo "configure:2568: checking for int setnetent" >&5
 cat > conftest.$ac_ext <<EOF
-#line 2543 "configure"
+#line 2570 "configure"
 #include "confdefs.h"
 
 #include <netdb.h>
@@ -2547,7 +2574,7 @@ int main() {
 int i = setnetent(0); return(0);
 ; return 0; }
 EOF
-if { (eval echo configure:2551: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:2578: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   echo "$ac_t""yes" 1>&6
 	ISC_LWRES_SETNETENTINT="#define ISC_LWRES_SETNETENTINT 1"
@@ -2562,9 +2589,9 @@ rm -f conftest*
 
 
 echo $ac_n "checking for int endnetent""... $ac_c" 1>&6
-echo "configure:2566: checking for int endnetent" >&5
+echo "configure:2593: checking for int endnetent" >&5
 cat > conftest.$ac_ext <<EOF
-#line 2568 "configure"
+#line 2595 "configure"
 #include "confdefs.h"
 
 #include <netdb.h>
@@ -2572,7 +2599,7 @@ int main() {
 int i = endnetent(); return(0);
 ; return 0; }
 EOF
-if { (eval echo configure:2576: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:2603: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   echo "$ac_t""yes" 1>&6
 	ISC_LWRES_ENDNETENTINT="#define ISC_LWRES_ENDNETENTINT 1"
@@ -2587,9 +2614,9 @@ rm -f conftest*
 
 
 echo $ac_n "checking for gethostbyadd(const void *, size_t, ...)""... $ac_c" 1>&6
-echo "configure:2591: checking for gethostbyadd(const void *, size_t, ...)" >&5
+echo "configure:2618: checking for gethostbyadd(const void *, size_t, ...)" >&5
 cat > conftest.$ac_ext <<EOF
-#line 2593 "configure"
+#line 2620 "configure"
 #include "confdefs.h"
 
 #include <netdb.h>
@@ -2598,7 +2625,7 @@ int main() {
 return(0);
 ; return 0; }
 EOF
-if { (eval echo configure:2602: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:2629: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   echo "$ac_t""yes" 1>&6
 	ISC_LWRES_GETHOSTBYADDRVOID="#define ISC_LWRES_GETHOSTBYADDRVOID 1"
@@ -2613,9 +2640,9 @@ rm -f conftest*
 
 
 echo $ac_n "checking for h_errno in netdb.h""... $ac_c" 1>&6
-echo "configure:2617: checking for h_errno in netdb.h" >&5
+echo "configure:2644: checking for h_errno in netdb.h" >&5
 cat > conftest.$ac_ext <<EOF
-#line 2619 "configure"
+#line 2646 "configure"
 #include "confdefs.h"
 
 #include <netdb.h>
@@ -2623,7 +2650,7 @@ int main() {
 h_errno = 1; return(0);
 ; return 0; }
 EOF
-if { (eval echo configure:2627: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:2654: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   echo "$ac_t""yes" 1>&6
 	ISC_LWRES_NEEDHERRNO="#undef ISC_LWRES_NEEDHERRNO"
@@ -2638,12 +2665,12 @@ rm -f conftest*
 
 
 echo $ac_n "checking for getipnodebyname""... $ac_c" 1>&6
-echo "configure:2642: checking for getipnodebyname" >&5
+echo "configure:2669: checking for getipnodebyname" >&5
 if eval "test \"`echo '$''{'ac_cv_func_getipnodebyname'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 2647 "configure"
+#line 2674 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
     which can conflict with char getipnodebyname(); below.  */
@@ -2666,7 +2693,7 @@ getipnodebyname();
 
 ; return 0; }
 EOF
-if { (eval echo configure:2670: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:2697: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_func_getipnodebyname=yes"
 else
@@ -2687,12 +2714,12 @@ ISC_LWRES_GETIPNODEPROTO="#define ISC_LWRES_GETIPNODEPROTO 1"
 fi
 
 echo $ac_n "checking for getnameinfo""... $ac_c" 1>&6
-echo "configure:2691: checking for getnameinfo" >&5
+echo "configure:2718: checking for getnameinfo" >&5
 if eval "test \"`echo '$''{'ac_cv_func_getnameinfo'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 2696 "configure"
+#line 2723 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
     which can conflict with char getnameinfo(); below.  */
@@ -2715,7 +2742,7 @@ getnameinfo();
 
 ; return 0; }
 EOF
-if { (eval echo configure:2719: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:2746: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_func_getnameinfo=yes"
 else
@@ -2736,12 +2763,12 @@ ISC_LWRES_GETNAMEINFOPROTO="#define ISC_LWRES_GETNAMEINFOPROTO 1"
 fi
 
 echo $ac_n "checking for getaddrinfo""... $ac_c" 1>&6
-echo "configure:2740: checking for getaddrinfo" >&5
+echo "configure:2767: checking for getaddrinfo" >&5
 if eval "test \"`echo '$''{'ac_cv_func_getaddrinfo'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 2745 "configure"
+#line 2772 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
     which can conflict with char getaddrinfo(); below.  */
@@ -2764,7 +2791,7 @@ getaddrinfo();
 
 ; return 0; }
 EOF
-if { (eval echo configure:2768: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:2795: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_func_getaddrinfo=yes"
 else
@@ -2792,9 +2819,9 @@ fi
 # Look for a sysctl call to get the list of network interfaces.
 #
 echo $ac_n "checking for interface list sysctl""... $ac_c" 1>&6
-echo "configure:2796: checking for interface list sysctl" >&5
+echo "configure:2823: checking for interface list sysctl" >&5
 cat > conftest.$ac_ext <<EOF
-#line 2798 "configure"
+#line 2825 "configure"
 #include "confdefs.h"
 
 #include <sys/param.h>
@@ -2904,7 +2931,7 @@ else
 fi
 
 echo $ac_n "checking build system type""... $ac_c" 1>&6
-echo "configure:2908: checking build system type" >&5
+echo "configure:2935: checking build system type" >&5
 
 build_alias=$build
 case "$build_alias" in
@@ -2933,7 +2960,7 @@ ac_prog=ld
 if test "$ac_cv_prog_gcc" = yes; then
   # Check if gcc -print-prog-name=ld gives a path.
   echo $ac_n "checking for ld used by GCC""... $ac_c" 1>&6
-echo "configure:2937: checking for ld used by GCC" >&5
+echo "configure:2964: checking for ld used by GCC" >&5
   ac_prog=`($CC -print-prog-name=ld) 2>&5`
   case "$ac_prog" in
     # Accept absolute paths.
@@ -2957,10 +2984,10 @@ echo "configure:2937: checking for ld used by GCC" >&5
   esac
 elif test "$with_gnu_ld" = yes; then
   echo $ac_n "checking for GNU ld""... $ac_c" 1>&6
-echo "configure:2961: checking for GNU ld" >&5
+echo "configure:2988: checking for GNU ld" >&5
 else
   echo $ac_n "checking for non-GNU ld""... $ac_c" 1>&6
-echo "configure:2964: checking for non-GNU ld" >&5
+echo "configure:2991: checking for non-GNU ld" >&5
 fi
 if eval "test \"`echo '$''{'ac_cv_path_LD'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
@@ -2996,7 +3023,7 @@ fi
 test -z "$LD" && { echo "configure: error: no acceptable ld found in \$PATH" 1>&2; exit 1; }
 
 echo $ac_n "checking if the linker ($LD) is GNU ld""... $ac_c" 1>&6
-echo "configure:3000: checking if the linker ($LD) is GNU ld" >&5
+echo "configure:3027: checking if the linker ($LD) is GNU ld" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_gnu_ld'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -3012,7 +3039,7 @@ echo "$ac_t""$ac_cv_prog_gnu_ld" 1>&6
 
 
 echo $ac_n "checking for BSD-compatible nm""... $ac_c" 1>&6
-echo "configure:3016: checking for BSD-compatible nm" >&5
+echo "configure:3043: checking for BSD-compatible nm" >&5
 if eval "test \"`echo '$''{'ac_cv_path_NM'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -3049,7 +3076,7 @@ echo "$ac_t""$NM" 1>&6
 
 
 echo $ac_n "checking whether ln -s works""... $ac_c" 1>&6
-echo "configure:3053: checking whether ln -s works" >&5
+echo "configure:3080: checking whether ln -s works" >&5
 if eval "test \"`echo '$''{'ac_cv_prog_LN_S'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
@@ -3093,8 +3120,8 @@ test x"$silent" = xyes && libtool_flags="$libtool_flags --silent"
 case "$host" in
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 3097 "configure"' > conftest.$ac_ext
-  if { (eval echo configure:3098: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  echo '#line 3124 "configure"' > conftest.$ac_ext
+  if { (eval echo configure:3125: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
     case "`/usr/bin/file conftest.o`" in
     *32-bit*)
       LD="${LD-ld} -32"
@@ -3115,19 +3142,19 @@ case "$host" in
   SAVE_CFLAGS="$CFLAGS"
   CFLAGS="$CFLAGS -belf"
   echo $ac_n "checking whether the C compiler needs -belf""... $ac_c" 1>&6
-echo "configure:3119: checking whether the C compiler needs -belf" >&5
+echo "configure:3146: checking whether the C compiler needs -belf" >&5
 if eval "test \"`echo '$''{'lt_cv_cc_needs_belf'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 3124 "configure"
+#line 3151 "configure"
 #include "confdefs.h"
 
 int main() {
 
 ; return 0; }
 EOF
-if { (eval echo configure:3131: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:3158: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   lt_cv_cc_needs_belf=yes
 else
@@ -3264,9 +3291,9 @@ fi
 case "$enable_ipv6" in
 	yes|''|autodetect)
 		echo $ac_n "checking for IPv6 structures""... $ac_c" 1>&6
-echo "configure:3268: checking for IPv6 structures" >&5
+echo "configure:3295: checking for IPv6 structures" >&5
 		cat > conftest.$ac_ext <<EOF
-#line 3270 "configure"
+#line 3297 "configure"
 #include "confdefs.h"
 
 #include <sys/types.h>
@@ -3276,7 +3303,7 @@ int main() {
 struct sockaddr_in6 sin6; return (0);
 ; return 0; }
 EOF
-if { (eval echo configure:3280: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:3307: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
   rm -rf conftest*
   echo "$ac_t""yes" 1>&6
 			 found_ipv6=yes
@@ -3294,24 +3321,112 @@ rm -f conftest*
 		;;
 esac
 
+#
+# See whether IPv6 support is provided via a Kame add-on.
+# This is done before other IPv6 linking tests to LIBS is properly set.
+#
+echo $ac_n "checking for Kame IPv6 support""... $ac_c" 1>&6
+echo "configure:3330: checking for Kame IPv6 support" >&5
+# Check whether --with-kame or --without-kame was given.
+if test "${with_kame+set}" = set; then
+  withval="$with_kame"
+  use_kame="$withval"
+else
+  use_kame="no"
+fi
+
+
+case "$use_kame" in
+	no)
+		;;
+	yes)
+		kame_path=/usr/local/v6
+		;;
+	*)
+		kame_path="$use_kame"
+		;;
+esac
+
+case "$use_kame" in
+	no)
+		echo "$ac_t""no" 1>&6
+		;;
+	*)
+		if test -f $kame_path/lib/libinet6.a; then
+			echo "$ac_t""$kame_path/lib/libinet6.a" 1>&6
+			LIBS="-L$kame_path/lib -linet6 $LIBS"
+		else
+			{ echo "configure: error: $kame_path/lib/libinet6.a not found.
+
+Please choose the proper path with the following command:
+
+    configure --with-kame=PATH
+" 1>&2; exit 1; }
+		fi
+		;;
+esac
+
+#
+# Whether netinet6/in6.h is needed has to be defined in isc/platform.h.
+# Including it on Kame-using platforms is very bad, though, because
+# Kame uses #error against direct inclusion.   So include it on only
+# the platform that is otherwise broken without it -- BSD/OS 4.0 through 4.1.
+# This is done before the in6_pktinfo check because that's what
+# netinet6/in6.h is needed for.
+#
+
+case "$host" in
+*-bsdi4.[01]*)
+	ISC_PLATFORM_NEEDNETINET6IN6H="#define ISC_PLATFORM_NEEDNETINET6IN6H 1"
+	LWRES_PLATFORM_NEEDNETINET6IN6H="#define LWRES_PLATFORM_NEEDNETINET6IN6H 1"
+	isc_netinet6in6_hack="#include <netinet6/in6.h>"
+	;;
+*)
+	ISC_PLATFORM_NEEDNETINET6IN6H="#undef ISC_PLATFORM_NEEDNETINET6IN6H"
+	LWRES_PLATFORM_NEEDNETINET6IN6H="#undef LWRES_PLATFORM_NEEDNETINET6IN6H"
+	isc_netinet6in6_hack=""
+	;;
+esac
+
+
+#
+# This is similar to the netinet6/in6.h issue.
+#
+case "$host" in
+*-UnixWare*)
+	ISC_PLATFORM_NEEDNETINETIN6H="#define ISC_PLATFORM_NEEDNETINETIN6H 1"
+	LWRES_PLATFORM_NEEDNETINETIN6H="#define LWRES_PLATFORM_NEEDNETINETIN6H 1"
+	isc_netinetin6_hack="#include <netinet/in6.h>"
+	;;
+*)
+	ISC_PLATFORM_NEEDNETINETIN6H="#undef ISC_PLATFORM_NEEDNETINETIN6H"
+	LWRES_PLATFORM_NEEDNETINETIN6H="#undef LWRES_PLATFORM_NEEDNETINETIN6H"
+	isc_netinetin6_hack=""
+	;;
+esac
+
+#
+# Now delve deeper into the suitability of the IPv6 support.
+#
 case "$found_ipv6" in
 	yes)
 		ISC_PLATFORM_HAVEIPV6="#define ISC_PLATFORM_HAVEIPV6 1"
 		LWRES_PLATFORM_HAVEIPV6="#define LWRES_PLATFORM_HAVEIPV6 1"
 		echo $ac_n "checking for in6addr_any""... $ac_c" 1>&6
-echo "configure:3303: checking for in6addr_any" >&5
+echo "configure:3417: checking for in6addr_any" >&5
 		cat > conftest.$ac_ext <<EOF
-#line 3305 "configure"
+#line 3419 "configure"
 #include "confdefs.h"
 
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
+$isc_netinetin6_hack
 int main() {
 struct in6_addr in6; in6 = in6addr_any; return (0);
 ; return 0; }
 EOF
-if { (eval echo configure:3315: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+if { (eval echo configure:3430: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   echo "$ac_t""yes" 1>&6
 			 ISC_PLATFORM_NEEDIN6ADDRANY="#undef ISC_PLATFORM_NEEDIN6ADDRANY"
@@ -3323,10 +3438,40 @@ else
 			 ISC_PLATFORM_NEEDIN6ADDRANY="#define ISC_PLATFORM_NEEDIN6ADDRANY 1"
 fi
 rm -f conftest*
+		echo $ac_n "checking for in6_pktinfo""... $ac_c" 1>&6
+echo "configure:3443: checking for in6_pktinfo" >&5
+		cat > conftest.$ac_ext <<EOF
+#line 3445 "configure"
+#include "confdefs.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+$isc_netinetin6_hack
+$isc_netinet6in6_hack
+
+int main() {
+struct in6_pktinfo xyzzy; return (0);
+; return 0; }
+EOF
+if { (eval echo configure:3458: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+  rm -rf conftest*
+  echo "$ac_t""yes" 1>&6
+			 ISC_PLATFORM_HAVEIN6PKTINFO="#define ISC_PLATFORM_HAVEIN6PKTINFO 1"
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  echo "$ac_t""no -- disabling runtime ipv6 support" 1>&6
+			 ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"
+fi
+rm -f conftest*
 		;;
 	no)
 		ISC_PLATFORM_HAVEIPV6="#undef ISC_PLATFORM_HAVEIPV6"
 		LWRES_PLATFORM_HAVEIPV6="#undef LWRES_PLATFORM_HAVEIPV6"
+		ISC_PLATFORM_NEEDIN6ADDRANY="#undef ISC_PLATFORM_NEEDIN6ADDRANY"
+		ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"
 		ISC_IPV6_H="ipv6.h"
 		ISC_IPV6_O="ipv6.$O"
 		ISC_ISCIPV6_O="unix/ipv6.$O"
@@ -3342,49 +3487,9 @@ esac
 
 
 
-#
-# IPv6 support provided via Kame
-#
-echo $ac_n "checking for Kame IPv6 support""... $ac_c" 1>&6
-echo "configure:3350: checking for Kame IPv6 support" >&5
-# Check whether --with-kame or --without-kame was given.
-if test "${with_kame+set}" = set; then
-  withval="$with_kame"
-  use_kame="$withval"
-else
-  use_kame="no"
-fi
-
-
-case "$use_kame" in
-	no)
-		;;
-	yes)
-		kame_path=/usr/local/v6
-		;;
-	*)
-		kame_path="$use_kame"
-		;;
-esac
 
-case "$use_kame" in
-	no)
-		echo "$ac_t""no" 1>&6
-		;;
-	*)
-		if test -f $kame_path/lib/libinet6.a; then
-			echo "$ac_t""$kame_path/lib/libinet6.a" 1>&6
-			LIBS="-L$kame_path/lib -linet6 $LIBS"
-		else
-			{ echo "configure: error: $kame_path/lib/libinet6.a not found.
 
-Please choose the proper path with the following command:
 
-    configure --with-kame=PATH
-" 1>&2; exit 1; }
-		fi
-		;;
-esac
 
 
 #
@@ -3393,168 +3498,99 @@ esac
 # the files.
 #
 echo $ac_n "checking for inet_ntop""... $ac_c" 1>&6
-echo "configure:3397: checking for inet_ntop" >&5
-if eval "test \"`echo '$''{'ac_cv_func_inet_ntop'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 3402 "configure"
+echo "configure:3502: checking for inet_ntop" >&5
+cat > conftest.$ac_ext <<EOF
+#line 3504 "configure"
 #include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char inet_ntop(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char inet_ntop();
 
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
 int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_inet_ntop) || defined (__stub___inet_ntop)
-choke me
-#else
-inet_ntop();
-#endif
-
+inet_ntop(0, 0, 0, 0); return (0);
 ; return 0; }
 EOF
-if { (eval echo configure:3425: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:3514: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
-  eval "ac_cv_func_inet_ntop=yes"
+  echo "$ac_t""yes" 1>&6
+        ISC_PLATFORM_NEEDNTOP="#undef ISC_PLATFORM_NEEDNTOP"
 else
   echo "configure: failed program was:" >&5
   cat conftest.$ac_ext >&5
   rm -rf conftest*
-  eval "ac_cv_func_inet_ntop=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'inet_ntop`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  ISC_PLATFORM_NEEDNTOP="#undef ISC_PLATFORM_NEEDNTOP"
-else
   echo "$ac_t""no" 1>&6
-ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
-	       ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
-	       ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"
-
+        ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
+        ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
+        ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"
 fi
-
+rm -f conftest*
 echo $ac_n "checking for inet_pton""... $ac_c" 1>&6
-echo "configure:3449: checking for inet_pton" >&5
-if eval "test \"`echo '$''{'ac_cv_func_inet_pton'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 3454 "configure"
+echo "configure:3529: checking for inet_pton" >&5
+cat > conftest.$ac_ext <<EOF
+#line 3531 "configure"
 #include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char inet_pton(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char inet_pton();
 
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
 int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_inet_pton) || defined (__stub___inet_pton)
-choke me
-#else
-inet_pton();
-#endif
-
+inet_pton(0, 0, 0); return (0);
 ; return 0; }
 EOF
-if { (eval echo configure:3477: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:3541: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
-  eval "ac_cv_func_inet_pton=yes"
+  echo "$ac_t""yes" 1>&6
+        ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"
 else
   echo "configure: failed program was:" >&5
   cat conftest.$ac_ext >&5
   rm -rf conftest*
-  eval "ac_cv_func_inet_pton=no"
-fi
-rm -f conftest*
-fi
-
-if eval "test \"`echo '$ac_cv_func_'inet_pton`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"
-else
   echo "$ac_t""no" 1>&6
-ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
-	       ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
-	       ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"
-
+        ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
+        ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
+        ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"
 fi
-
+rm -f conftest*
 echo $ac_n "checking for inet_aton""... $ac_c" 1>&6
-echo "configure:3501: checking for inet_aton" >&5
-if eval "test \"`echo '$''{'ac_cv_func_inet_aton'+set}'`\" = set"; then
-  echo $ac_n "(cached) $ac_c" 1>&6
-else
-  cat > conftest.$ac_ext <<EOF
-#line 3506 "configure"
+echo "configure:3556: checking for inet_aton" >&5
+cat > conftest.$ac_ext <<EOF
+#line 3558 "configure"
 #include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
-    which can conflict with char inet_aton(); below.  */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error.  */
-/* We use char because int might match the return type of a gcc2
-    builtin and then its argument prototype would still apply.  */
-char inet_aton();
 
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
 int main() {
-
-/* The GNU C library defines this for functions which it implements
-    to always fail with ENOSYS.  Some functions are actually named
-    something starting with __ and the normal name is an alias.  */
-#if defined (__stub_inet_aton) || defined (__stub___inet_aton)
-choke me
-#else
-inet_aton();
-#endif
-
+struct in_addr in; inet_aton(0, &in); return (0);
 ; return 0; }
 EOF
-if { (eval echo configure:3529: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:3568: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
-  eval "ac_cv_func_inet_aton=yes"
+  echo "$ac_t""yes" 1>&6
+        ISC_PLATFORM_NEEDATON="#undef ISC_PLATFORM_NEEDATON"
 else
   echo "configure: failed program was:" >&5
   cat conftest.$ac_ext >&5
   rm -rf conftest*
-  eval "ac_cv_func_inet_aton=no"
+  echo "$ac_t""no" 1>&6
+        ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_aton.$O"
+        ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_aton.c"
+        ISC_PLATFORM_NEEDATON="#define ISC_PLATFORM_NEEDATON 1"
 fi
 rm -f conftest*
-fi
 
-if eval "test \"`echo '$ac_cv_func_'inet_aton`\" = yes"; then
-  echo "$ac_t""yes" 1>&6
-  ISC_PLATFORM_NEEDATON="#undef ISC_PLATFORM_NEEDATON"
-else
-  echo "$ac_t""no" 1>&6
-ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_aton.$O"
-	       ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_aton.c"
-	       ISC_PLATFORM_NEEDATON="#define ISC_PLATFORM_NEEDATON 1"
 
-fi
 
+
+
+# Check for some other useful functions that are not ever-present.
 echo $ac_n "checking for strsep""... $ac_c" 1>&6
-echo "configure:3553: checking for strsep" >&5
+echo "configure:3589: checking for strsep" >&5
 if eval "test \"`echo '$''{'ac_cv_func_strsep'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 3558 "configure"
+#line 3594 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
     which can conflict with char strsep(); below.  */
@@ -3577,7 +3613,7 @@ strsep();
 
 ; return 0; }
 EOF
-if { (eval echo configure:3581: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:3617: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_func_strsep=yes"
 else
@@ -3594,18 +3630,16 @@ if eval "test \"`echo '$ac_cv_func_'strsep`\" = yes"; then
   ISC_PLATFORM_NEEDSTRSEP="#undef ISC_PLATFORM_NEEDSTRSEP"
 else
   echo "$ac_t""no" 1>&6
-ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS strsep.$O"
-	 ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS strsep.c"
-	 ISC_PLATFORM_NEEDSTRSEP="#define ISC_PLATFORM_NEEDSTRSEP 1"
+ISC_PLATFORM_NEEDSTRSEP="#define ISC_PLATFORM_NEEDSTRSEP 1"
 fi
 
 echo $ac_n "checking for vsnprintf""... $ac_c" 1>&6
-echo "configure:3604: checking for vsnprintf" >&5
+echo "configure:3638: checking for vsnprintf" >&5
 if eval "test \"`echo '$''{'ac_cv_func_vsnprintf'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 3609 "configure"
+#line 3643 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
     which can conflict with char vsnprintf(); below.  */
@@ -3628,7 +3662,7 @@ vsnprintf();
 
 ; return 0; }
 EOF
-if { (eval echo configure:3632: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:3666: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_func_vsnprintf=yes"
 else
@@ -3656,19 +3690,18 @@ fi
 
 
 
-
 echo $ac_n "checking for sizeof(long long int) == sizeof(long int)""... $ac_c" 1>&6
-echo "configure:3662: checking for sizeof(long long int) == sizeof(long int)" >&5
+echo "configure:3695: checking for sizeof(long long int) == sizeof(long int)" >&5
 if test "$cross_compiling" = yes; then
   echo "$ac_t""default yes" 1>&6
 	ISC_PLATFORM_LONGLONGEQUALLONG="#define ISC_PLATFORM_LONGLONGEQUALLONG 1"
 else
   cat > conftest.$ac_ext <<EOF
-#line 3668 "configure"
+#line 3701 "configure"
 #include "confdefs.h"
 main() { exit(!(sizeof(long long int) == sizeof(long int))); }
 EOF
-if { (eval echo configure:3672: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+if { (eval echo configure:3705: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
 then
   echo "$ac_t""yes" 1>&6
 	ISC_PLATFORM_LONGLONGEQUALLONG="#define ISC_PLATFORM_LONGLONGEQUALLONG 1"
@@ -3688,12 +3721,12 @@ fi
 # Security Stuff
 #
 echo $ac_n "checking for chroot""... $ac_c" 1>&6
-echo "configure:3692: checking for chroot" >&5
+echo "configure:3725: checking for chroot" >&5
 if eval "test \"`echo '$''{'ac_cv_func_chroot'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 3697 "configure"
+#line 3730 "configure"
 #include "confdefs.h"
 /* System header to define __stub macros and hopefully few prototypes,
     which can conflict with char chroot(); below.  */
@@ -3716,7 +3749,7 @@ chroot();
 
 ; return 0; }
 EOF
-if { (eval echo configure:3720: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+if { (eval echo configure:3753: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
   rm -rf conftest*
   eval "ac_cv_func_chroot=yes"
 else
@@ -3742,17 +3775,57 @@ for ac_hdr in linux/capability.h
 do
 ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
 echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
-echo "configure:3746: checking for $ac_hdr" >&5
+echo "configure:3779: checking for $ac_hdr" >&5
+if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  cat > conftest.$ac_ext <<EOF
+#line 3784 "configure"
+#include "confdefs.h"
+#include <$ac_hdr>
+EOF
+ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+{ (eval echo configure:3789: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+if test -z "$ac_err"; then
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=yes"
+else
+  echo "$ac_err" >&5
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -rf conftest*
+  eval "ac_cv_header_$ac_safe=no"
+fi
+rm -f conftest*
+fi
+if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
+  echo "$ac_t""yes" 1>&6
+    ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'`
+  cat >> confdefs.h <<EOF
+#define $ac_tr_hdr 1
+EOF
+ 
+else
+  echo "$ac_t""no" 1>&6
+fi
+done
+
+for ac_hdr in linux/prctl.h
+do
+ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+echo "configure:3819: checking for $ac_hdr" >&5
 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
   echo $ac_n "(cached) $ac_c" 1>&6
 else
   cat > conftest.$ac_ext <<EOF
-#line 3751 "configure"
+#line 3824 "configure"
 #include "confdefs.h"
 #include <$ac_hdr>
 EOF
 ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
-{ (eval echo configure:3756: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+{ (eval echo configure:3829: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
 ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
 if test -z "$ac_err"; then
   rm -rf conftest*
@@ -3779,6 +3852,20 @@ fi
 done
 
 
+#
+# Random remaining OS-specific issues.
+#
+case "$host" in
+	*-bsdi3.1*|*-bsdi4.0*)
+                #
+                # Shut up a -Wmissing-prototypes warning from <stdio.h>.
+                #
+		cat >> confdefs.h <<\EOF
+#define SHUTUP_SPUTAUX 1
+EOF
+
+		;;
+esac
 
 #
 # Substitutions
@@ -3808,8 +3895,9 @@ BIND9_INCLUDES=$BIND9_TOP_BUILDDIR/make/includes
 
 BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules
 
+. $srcdir/version
+BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}"
 
-BIND9_VERSION=$srcdir/version
 
 
 LIBISC_API=$srcdir/lib/isc/api
@@ -3969,6 +4057,7 @@ trap 'rm -fr `echo "make/rules
 	bin/named/unix/Makefile
 	bin/lwresd/Makefile
 	bin/rndc/Makefile
+	bin/dig/Makefile
 	bin/tests/Makefile
 	bin/tests/names/Makefile
 	bin/tests/master/Makefile
@@ -3979,6 +4068,8 @@ trap 'rm -fr `echo "make/rules
 	bin/tests/dst/Makefile
 	bin/tests/mem/Makefile
 	bin/tests/sockaddr/Makefile
+	bin/tests/headerdep_test.sh
+	bin/dnssec/Makefile
  config.h" | sed "s/:[^ ]*//g"` conftest*; exit 1' 1 2 15
 EOF
 cat >> $CONFIG_STATUS <<EOF
@@ -4027,11 +4118,15 @@ s%@STD_CWARNINGS@%$STD_CWARNINGS%g
 s%@AR@%$AR%g
 s%@ARFLAGS@%$ARFLAGS%g
 s%@ETAGS@%$ETAGS%g
+s%@DST_PRIVATEOPENSSL@%$DST_PRIVATEOPENSSL%g
+s%@dst_privateopenssl@%$dst_privateopenssl%g
+s%@DST_OPENSSL_INC@%$DST_OPENSSL_INC%g
+s%@DST_OPENSSL_LIB@%$DST_OPENSSL_LIB%g
+s%@DST_OPENSSL_OBJS@%$DST_OPENSSL_OBJS%g
+s%@DNS_OPENSSL_LIBS@%$DNS_OPENSSL_LIBS%g
 s%@CC@%$CC%g
 s%@YACC@%$YACC%g
 s%@CPP@%$CPP%g
-s%@ISC_PLATFORM_HAVENETINET6IN6H@%$ISC_PLATFORM_HAVENETINET6IN6H%g
-s%@LWRES_PLATFORM_HAVENETINET6IN6H@%$LWRES_PLATFORM_HAVENETINET6IN6H%g
 s%@MKDEPCC@%$MKDEPCC%g
 s%@MKDEPCFLAGS@%$MKDEPCFLAGS%g
 s%@MKDEPPROG@%$MKDEPPROG%g
@@ -4064,7 +4159,12 @@ s%@A@%$A%g
 s%@SA@%$SA%g
 s%@ISC_PLATFORM_HAVEIPV6@%$ISC_PLATFORM_HAVEIPV6%g
 s%@LWRES_PLATFORM_HAVEIPV6@%$LWRES_PLATFORM_HAVEIPV6%g
+s%@ISC_PLATFORM_NEEDNETINETIN6H@%$ISC_PLATFORM_NEEDNETINETIN6H%g
+s%@LWRES_PLATFORM_NEEDNETINETIN6H@%$LWRES_PLATFORM_NEEDNETINETIN6H%g
+s%@ISC_PLATFORM_NEEDNETINET6IN6H@%$ISC_PLATFORM_NEEDNETINET6IN6H%g
+s%@LWRES_PLATFORM_NEEDNETINET6IN6H@%$LWRES_PLATFORM_NEEDNETINET6IN6H%g
 s%@ISC_PLATFORM_NEEDIN6ADDRANY@%$ISC_PLATFORM_NEEDIN6ADDRANY%g
+s%@ISC_PLATFORM_HAVEIN6PKTINFO@%$ISC_PLATFORM_HAVEIN6PKTINFO%g
 s%@ISC_IPV6_H@%$ISC_IPV6_H%g
 s%@ISC_IPV6_O@%$ISC_IPV6_O%g
 s%@ISC_ISCIPV6_O@%$ISC_ISCIPV6_O%g
@@ -4086,8 +4186,7 @@ s%@BIND9_LWRES_BUILDINCLUDE@%$BIND9_LWRES_BUILDINCLUDE%g
 s%@BIND9_INCLUDES@%%g
 /@BIND9_MAKE_RULES@/r $BIND9_MAKE_RULES
 s%@BIND9_MAKE_RULES@%%g
-/@BIND9_VERSION@/r $BIND9_VERSION
-s%@BIND9_VERSION@%%g
+s%@BIND9_VERSION@%$BIND9_VERSION%g
 /@LIBISC_API@/r $LIBISC_API
 s%@LIBISC_API@%%g
 /@LIBDNS_API@/r $LIBDNS_API
@@ -4182,6 +4281,7 @@ CONFIG_FILES=\${CONFIG_FILES-"make/rules
 	bin/named/unix/Makefile
 	bin/lwresd/Makefile
 	bin/rndc/Makefile
+	bin/dig/Makefile
 	bin/tests/Makefile
 	bin/tests/names/Makefile
 	bin/tests/master/Makefile
@@ -4192,6 +4292,8 @@ CONFIG_FILES=\${CONFIG_FILES-"make/rules
 	bin/tests/dst/Makefile
 	bin/tests/mem/Makefile
 	bin/tests/sockaddr/Makefile
+	bin/tests/headerdep_test.sh
+	bin/dnssec/Makefile
 "}
 EOF
 cat >> $CONFIG_STATUS <<\EOF
diff --git a/configure.in b/configure.in
index b1aef6ec..b89586f5 100644
--- a/configure.in
+++ b/configure.in
@@ -13,7 +13,7 @@ dnl PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
 dnl ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
 dnl SOFTWARE.
 
-AC_REVISION($Revision: 1.107 $)
+AC_REVISION($Revision: 1.138 $)
 
 AC_PREREQ(2.13)
 
@@ -26,9 +26,6 @@ AC_PROG_MAKE_SET
 AC_PROG_RANLIB
 AC_PROG_INSTALL
 
-STD_CINCLUDES=""
-STD_CDEFINES=""
-STD_CWARNINGS=""
 AC_SUBST(STD_CINCLUDES)
 AC_SUBST(STD_CDEFINES)
 AC_SUBST(STD_CWARNINGS)
@@ -38,6 +35,16 @@ ARFLAGS="cruv"
 AC_SUBST(AR)
 AC_SUBST(ARFLAGS)
 
+case "$AR" in
+	"")
+		AC_MSG_ERROR([
+ar program not found.  Please fix your PATH to include the directory in
+which ar resides, or set AR in the environment with the full path to ar.
+])
+
+		;;
+esac
+
 AC_PATH_PROGS(ETAGS, etags emacs-etags)
 AC_SUBST(ETAGS)
 
@@ -149,93 +156,96 @@ if test "X$CC" = "X" ; then
 fi
 
 #
-# NetBSD has two alternative pthreads implementations.  Make the 
-# user choose one by saying --with-mit-pthreads or --with-ptl2
-# if necessary.
+# If the user didn't specify where openssl is, and we didn't find or it
+# is imcompatible with our code, use our internal one.
+# XXXMLG Implement this check!
+#
+AC_MSG_CHECKING(for compatible OpenSSL library)
+
+DST_PRIVATEOPENSSL='-DDST_USE_PRIVATE_OPENSSL'
+dst_privateopenssl='openssl'
+DST_OPENSSL_INC='-I${srcdir}/../openssl/include'
+DST_OPENSSL_LIB=''
+DST_OPENSSL_OBJS='${OPENSSLOBJS}'
+AC_MSG_RESULT(using private library)
+
+AC_SUBST(DST_PRIVATEOPENSSL)
+AC_SUBST(dst_privateopenssl)
+AC_SUBST(DST_OPENSSL_INC)
+AC_SUBST(DST_OPENSSL_LIB)
+AC_SUBST(DST_OPENSSL_OBJS)
+
+#
+# This would include the system openssl path (and linker options to use
+# it as needed) if it is found.
 #
+
+DNS_OPENSSL_LIBS=""
+AC_SUBST(DNS_OPENSSL_LIBS)
+
+#
+# testing with alternate openssl libraries...  XXXMLG
+#
+# DNS_OPENSSL_LIBS="-L/usr/pkg/lib -lssl -lcrypto"
+# DST_PRIVATEOPENSSL=''
+# dst_privateopenssl=''
+# DST_OPENSSL_INC='-I/usr/pkg/include'
+# DST_OPENSSL_LIB=''
+#
+
+#
+# NetBSD has multiple pthreads implementations.  The recommended
+# one to use is "unproven-pthreads".  The older "mit-pthreads" 
+# may also work on some NetBSD versions.  The PTL2 thread
+# library does not currently work with bind9, but can be
+# chosen with the --with-ptl2 option for those who wish to
+# experiment with it.
+#
+
 case "$host" in
   *-netbsd*)
 	CC="gcc"
-	AC_MSG_CHECKING(which thread library to use)
+	AC_MSG_CHECKING(which NetBSD thread library to use)
 
-	AC_ARG_WITH(mit-pthreads, 
-	    [  --with-mit-pthreads	use the mit-pthreads thread library],
-	    use_mit_pthreads="$withval", use_mit_pthreads="no")
-	
 	AC_ARG_WITH(ptl2,
-	    [  --with-ptl2		use the ptl2 thread library],
+[  --with-ptl2		on NetBSD, use the ptl2 thread library (experimental)],
 	    use_ptl2="$withval", use_ptl2="no")
 
         : ${LOCALBASE:=/usr/pkg}
 
-        # If user did not choose a thread library explicitly,
-        # try to choose one automatically.  This will work when
-	# exactly one library is installed.
-
-	case "$use_mit_pthreads+$use_ptl2" in
-		no+no)
-			if test -d $LOCALBASE/pthreads
-			then
-				use_mit_pthreads="yes"
-			fi
-			if test -d $LOCALBASE/PTL
-			then
-				use_ptl2="yes"
-			fi
-			;;
-        esac
-
-	case "$use_mit_pthreads+$use_ptl2" in
-		yes+no)
-			AC_MSG_RESULT(mit-pthreads)
-			pkg="$LOCALBASE/pthreads"
-			lib1="-L$pkg/lib -Wl,-R$pkg/lib"
-			lib2="-lpthread -lm -lgcc -lpthread"
-			LIBS="$lib1 $lib2 $LIBS"
-			CPPFLAGS="-I$pkg/include $CPPFLAGS"
-			STD_CINCLUDES="-I$pkg/include"
-			;;
-		no+yes)
-			AC_MSG_RESULT(PTL2)
-#			pkg="$LOCALBASE/PTL"
-#			LIBS="-L$LOCALBASE/lib -lPTL $LIBS"
-#			STD_CINCLUDES="-nostdinc -idirafter $pkg/include"
-			CC=ptlgcc
-			;;
-		*)
-			AC_MSG_ERROR([no thread library.
+	if test "X$use_ptl2" = "Xyes"
+	then
+		AC_MSG_RESULT(PTL2)
+		AC_MSG_WARN(
+[linking with PTL2 is highly experimental and not expected to work])
+		CC=ptlgcc
+	else
+		AC_MSG_RESULT(mit-pthreads/unproven-pthreads)
 
-Please choose a thread library using one of 
+		if test ! -d $LOCALBASE/pthreads
+		then
+			AC_MSG_ERROR([no thread library found.
 
-   configure --with-mit-pthreads
-   configure --with-ptl2
+Please install the devel/unproven-pthreads package and rerun configure.
 ])
-			;;
-		esac
-		;;
+		fi
+
+		pkg="$LOCALBASE/pthreads"
+		lib1="-L$pkg/lib -Wl,-R$pkg/lib"
+		lib2="-lpthread -lm -lgcc -lpthread"
+		LIBS="$lib1 $lib2 $LIBS"
+		CPPFLAGS="$CPPFLAGS -I$pkg/include"
+		STD_CINCLUDES="$STD_CINCLUDES -I$pkg/include"
+	fi
+	;;
 esac
 
 AC_PROG_CC
 AC_PROG_YACC
 
 AC_HEADER_STDC
-AC_CHECK_HEADERS(fcntl.h sys/time.h unistd.h sys/sockio.h netinet6/in6.h)
 
-#
-# HAVE_NETINET6_IN6_H needs to go in platform.h.
-#
-case "$ac_cv_header_netinet6_in6_h" in
-yes)
-	ISC_PLATFORM_HAVENETINET6IN6H="#define ISC_PLATFORM_HAVENETINET6IN6H 1"
-	LWRES_PLATFORM_HAVENETINET6IN6H="#define LWRES_PLATFORM_HAVENETINET6IN6H 1"
-	;;
-no)
-	ISC_PLATFORM_HAVENETINET6IN6H="#undef ISC_PLATFORM_HAVENETINET6IN6H"
-	LWRES_PLATFORM_HAVENETINET6IN6H="#undef LWRES_PLATFORM_HAVENETINET6IN6H"
-	;;
-esac
-AC_SUBST(ISC_PLATFORM_HAVENETINET6IN6H)
-AC_SUBST(LWRES_PLATFORM_HAVENETINET6IN6H)
+AC_CHECK_HEADERS(fcntl.h sys/time.h unistd.h sys/sockio.h)
 
 AC_C_CONST
 AC_C_INLINE
@@ -259,7 +269,7 @@ AC_CHECK_LIB(c, sigwait,
 )
 
 #
-# Additional OS-specific issues related to pthreads.
+# Additional OS-specific issues related to pthreads and sigwait.
 #
 case "$host" in
         #
@@ -287,6 +297,12 @@ case "$host" in
 	*-solaris*)
 		AC_DEFINE(_POSIX_PTHREAD_SEMANTICS)
 		;;
+        #
+        # UnixWare does things its own way.
+        #
+        *-UnixWare*)
+		AC_DEFINE(HAVE_UNIXWARE_SIGWAIT)
+		;;
 esac
 
 #
@@ -328,6 +344,9 @@ if test "X$GCC" = "Xyes"; then
 		*-solaris*)
 			LIBS="$LIBS -lthread"
 			;;
+		*-ibm-aix*)
+			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+			;;
 	esac
 else
 	case "$host" in
@@ -344,6 +363,17 @@ else
 			CC="$CC -Ae -z +w1"
 			MKDEPPROG='cc -Ae -E -Wp,-M >/dev/null 2>>$TMP'
 			;;
+                *-sgi-irix*)
+			STD_CWARNINGS="-fullwarn -woff 1209"
+                        ;;
+		*-ibm-aix*)
+			STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+			;;
+		*-UnixWare*)
+			CC="$CC -Kthread -w"
+			MKDEPCC="$CC"
+			YACC="yacc"	# bison calls alloca, avoid on UnixWare
+			;;
 	esac
 fi
 AC_SUBST(MKDEPCC)
@@ -523,7 +553,7 @@ found_rt_iflist
 # GNU libtool support
 #
 AC_ARG_WITH(libtool,
-	    [  --with-libtool	use GNU libtool],
+	    [  --with-libtool	use GNU libtool (following indented options supported)],
 	    use_libtool="$withval", use_libtool="no")
 
 case $use_libtool in
@@ -576,41 +606,9 @@ case "$enable_ipv6" in
 		;;
 esac
 
-case "$found_ipv6" in
-	yes)
-		ISC_PLATFORM_HAVEIPV6="#define ISC_PLATFORM_HAVEIPV6 1"
-		LWRES_PLATFORM_HAVEIPV6="#define LWRES_PLATFORM_HAVEIPV6 1"
-		AC_MSG_CHECKING(for in6addr_any)
-		AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>],
-		[struct in6_addr in6; in6 = in6addr_any; return (0);],
-			[AC_MSG_RESULT(yes)
-			 ISC_PLATFORM_NEEDIN6ADDRANY="#undef ISC_PLATFORM_NEEDIN6ADDRANY"],
-			[AC_MSG_RESULT(no)
-			 ISC_PLATFORM_NEEDIN6ADDRANY="#define ISC_PLATFORM_NEEDIN6ADDRANY 1"])
-		;;
-	no)
-		ISC_PLATFORM_HAVEIPV6="#undef ISC_PLATFORM_HAVEIPV6"
-		LWRES_PLATFORM_HAVEIPV6="#undef LWRES_PLATFORM_HAVEIPV6"
-		ISC_IPV6_H="ipv6.h"
-		ISC_IPV6_O="ipv6.$O"
-		ISC_ISCIPV6_O="unix/ipv6.$O"
-		ISC_IPV6_C="ipv6.c"
-		;;
-esac
-
-AC_SUBST(ISC_PLATFORM_HAVEIPV6)
-AC_SUBST(LWRES_PLATFORM_HAVEIPV6)
-AC_SUBST(ISC_PLATFORM_NEEDIN6ADDRANY)
-AC_SUBST(ISC_IPV6_H)
-AC_SUBST(ISC_IPV6_O)
-AC_SUBST(ISC_ISCIPV6_O)
-AC_SUBST(ISC_IPV6_C)
-
 #
-# IPv6 support provided via Kame
+# See whether IPv6 support is provided via a Kame add-on.
+# This is done before other IPv6 linking tests to LIBS is properly set.
 #
 AC_MSG_CHECKING(for Kame IPv6 support)
 AC_ARG_WITH(kame,
@@ -647,47 +645,166 @@ Please choose the proper path with the following command:
 		;;
 esac
 
+#
+# Whether netinet6/in6.h is needed has to be defined in isc/platform.h.
+# Including it on Kame-using platforms is very bad, though, because
+# Kame uses #error against direct inclusion.   So include it on only
+# the platform that is otherwise broken without it -- BSD/OS 4.0 through 4.1.
+# This is done before the in6_pktinfo check because that's what
+# netinet6/in6.h is needed for.
+#
+changequote({, })
+case "$host" in
+*-bsdi4.[01]*)
+	ISC_PLATFORM_NEEDNETINET6IN6H="#define ISC_PLATFORM_NEEDNETINET6IN6H 1"
+	LWRES_PLATFORM_NEEDNETINET6IN6H="#define LWRES_PLATFORM_NEEDNETINET6IN6H 1"
+	isc_netinet6in6_hack="#include <netinet6/in6.h>"
+	;;
+*)
+	ISC_PLATFORM_NEEDNETINET6IN6H="#undef ISC_PLATFORM_NEEDNETINET6IN6H"
+	LWRES_PLATFORM_NEEDNETINET6IN6H="#undef LWRES_PLATFORM_NEEDNETINET6IN6H"
+	isc_netinet6in6_hack=""
+	;;
+esac
+changequote([, ])
+
+#
+# This is similar to the netinet6/in6.h issue.
+#
+case "$host" in
+*-UnixWare*)
+	ISC_PLATFORM_NEEDNETINETIN6H="#define ISC_PLATFORM_NEEDNETINETIN6H 1"
+	LWRES_PLATFORM_NEEDNETINETIN6H="#define LWRES_PLATFORM_NEEDNETINETIN6H 1"
+	isc_netinetin6_hack="#include <netinet/in6.h>"
+	;;
+*)
+	ISC_PLATFORM_NEEDNETINETIN6H="#undef ISC_PLATFORM_NEEDNETINETIN6H"
+	LWRES_PLATFORM_NEEDNETINETIN6H="#undef LWRES_PLATFORM_NEEDNETINETIN6H"
+	isc_netinetin6_hack=""
+	;;
+esac
+
+#
+# Now delve deeper into the suitability of the IPv6 support.
+#
+case "$found_ipv6" in
+	yes)
+		ISC_PLATFORM_HAVEIPV6="#define ISC_PLATFORM_HAVEIPV6 1"
+		LWRES_PLATFORM_HAVEIPV6="#define LWRES_PLATFORM_HAVEIPV6 1"
+		AC_MSG_CHECKING(for in6addr_any)
+		AC_TRY_LINK([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+$isc_netinetin6_hack],
+		[struct in6_addr in6; in6 = in6addr_any; return (0);],
+			[AC_MSG_RESULT(yes)
+			 ISC_PLATFORM_NEEDIN6ADDRANY="#undef ISC_PLATFORM_NEEDIN6ADDRANY"],
+			[AC_MSG_RESULT(no)
+			 ISC_PLATFORM_NEEDIN6ADDRANY="#define ISC_PLATFORM_NEEDIN6ADDRANY 1"])
+		AC_MSG_CHECKING(for in6_pktinfo)
+		AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+$isc_netinetin6_hack
+$isc_netinet6in6_hack
+],
+		[struct in6_pktinfo xyzzy; return (0);],
+			[AC_MSG_RESULT(yes)
+			 ISC_PLATFORM_HAVEIN6PKTINFO="#define ISC_PLATFORM_HAVEIN6PKTINFO 1"],
+			[AC_MSG_RESULT(no -- disabling runtime ipv6 support)
+			 ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"])
+		;;
+	no)
+		ISC_PLATFORM_HAVEIPV6="#undef ISC_PLATFORM_HAVEIPV6"
+		LWRES_PLATFORM_HAVEIPV6="#undef LWRES_PLATFORM_HAVEIPV6"
+		ISC_PLATFORM_NEEDIN6ADDRANY="#undef ISC_PLATFORM_NEEDIN6ADDRANY"
+		ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"
+		ISC_IPV6_H="ipv6.h"
+		ISC_IPV6_O="ipv6.$O"
+		ISC_ISCIPV6_O="unix/ipv6.$O"
+		ISC_IPV6_C="ipv6.c"
+		;;
+esac
+
+AC_SUBST(ISC_PLATFORM_HAVEIPV6)
+AC_SUBST(LWRES_PLATFORM_HAVEIPV6)
+AC_SUBST(ISC_PLATFORM_NEEDNETINETIN6H)
+AC_SUBST(LWRES_PLATFORM_NEEDNETINETIN6H)
+AC_SUBST(ISC_PLATFORM_NEEDNETINET6IN6H)
+AC_SUBST(LWRES_PLATFORM_NEEDNETINET6IN6H)
+AC_SUBST(ISC_PLATFORM_NEEDIN6ADDRANY)
+AC_SUBST(ISC_PLATFORM_HAVEIN6PKTINFO)
+AC_SUBST(ISC_IPV6_H)
+AC_SUBST(ISC_IPV6_O)
+AC_SUBST(ISC_ISCIPV6_O)
+AC_SUBST(ISC_IPV6_C)
 
 #
 # Check for network functions that are often missing.  We do this
 # after the libtool checking, so we can put the right suffix on
 # the files.
 #
-AC_CHECK_FUNC(inet_ntop,
-	      [ISC_PLATFORM_NEEDNTOP="#undef ISC_PLATFORM_NEEDNTOP"],
-	      [ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
-	       ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
-	       ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"]
-)
-AC_CHECK_FUNC(inet_pton,
-	      [ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"],
-	      [ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
-	       ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
-	       ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"]
-)
-AC_CHECK_FUNC(inet_aton,
-	      [ISC_PLATFORM_NEEDATON="#undef ISC_PLATFORM_NEEDATON"],
-	      [ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_aton.$O"
-	       ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_aton.c"
-	       ISC_PLATFORM_NEEDATON="#define ISC_PLATFORM_NEEDATON 1"]
-)
+AC_MSG_CHECKING([for inet_ntop])
+AC_TRY_LINK([
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>],
+        [inet_ntop(0, 0, 0, 0); return (0);],
+        [AC_MSG_RESULT(yes)
+        ISC_PLATFORM_NEEDNTOP="#undef ISC_PLATFORM_NEEDNTOP"],
+
+        [AC_MSG_RESULT(no)
+        ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
+        ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
+        ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"])
+AC_MSG_CHECKING([for inet_pton])
+AC_TRY_LINK([
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>],
+        [inet_pton(0, 0, 0); return (0);],
+        [AC_MSG_RESULT(yes)
+        ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"],
+
+        [AC_MSG_RESULT(no)
+        ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
+        ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
+        ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"])
+AC_MSG_CHECKING([for inet_aton])
+AC_TRY_LINK([
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>],
+        [struct in_addr in; inet_aton(0, &in); return (0);],
+        [AC_MSG_RESULT(yes)
+        ISC_PLATFORM_NEEDATON="#undef ISC_PLATFORM_NEEDATON"],
+
+        [AC_MSG_RESULT(no)
+        ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_aton.$O"
+        ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_aton.c"
+        ISC_PLATFORM_NEEDATON="#define ISC_PLATFORM_NEEDATON 1"])
+
+AC_SUBST(ISC_PLATFORM_NEEDNTOP)
+AC_SUBST(ISC_PLATFORM_NEEDPTON)
+AC_SUBST(ISC_PLATFORM_NEEDATON)
+
+# Check for some other useful functions that are not ever-present.
 AC_CHECK_FUNC(strsep,
 	[ISC_PLATFORM_NEEDSTRSEP="#undef ISC_PLATFORM_NEEDSTRSEP"],
-	[ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS strsep.$O"
-	 ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS strsep.c"
-	 ISC_PLATFORM_NEEDSTRSEP="#define ISC_PLATFORM_NEEDSTRSEP 1"])
+	[ISC_PLATFORM_NEEDSTRSEP="#define ISC_PLATFORM_NEEDSTRSEP 1"])
 AC_CHECK_FUNC(vsnprintf,
 	[ISC_PLATFORM_NEEDVSNPRINTF="#undef ISC_PLATFORM_NEEDVSNPRINTF"],
 	[ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS print.$O"
 	 ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS print.c"
 	 ISC_PLATFORM_NEEDVSNPRINTF="#define ISC_PLATFORM_NEEDVSNPRINTF 1"])
-AC_SUBST(ISC_PLATFORM_NEEDNTOP)
-AC_SUBST(ISC_PLATFORM_NEEDPTON)
-AC_SUBST(ISC_PLATFORM_NEEDATON)
 AC_SUBST(ISC_PLATFORM_NEEDSTRSEP)
 AC_SUBST(ISC_PLATFORM_NEEDVSNPRINTF)
+
 AC_SUBST(ISC_EXTRA_OBJS)
 AC_SUBST(ISC_EXTRA_SRCS)
+
 AC_MSG_CHECKING(for sizeof(long long int) == sizeof(long int))
 AC_TRY_RUN([main() { exit(!(sizeof(long long int) == sizeof(long int))); }],
 	[AC_MSG_RESULT(yes)
@@ -703,7 +820,19 @@ AC_SUBST(ISC_PLATFORM_LONGLONGEQUALLONG)
 #
 AC_CHECK_FUNC(chroot, AC_DEFINE(HAVE_CHROOT))
 AC_CHECK_HEADERS(linux/capability.h)
+AC_CHECK_HEADERS(linux/prctl.h)
 
+#
+# Random remaining OS-specific issues.
+#
+case "$host" in
+	*-bsdi3.1*|*-bsdi4.0*)
+                #
+                # Shut up a -Wmissing-prototypes warning from <stdio.h>.
+                #
+		AC_DEFINE(SHUTUP_SPUTAUX)
+		;;
+esac
 
 #
 # Substitutions
@@ -733,8 +862,9 @@ BIND9_INCLUDES=$BIND9_TOP_BUILDDIR/make/includes
 AC_SUBST_FILE(BIND9_MAKE_RULES)
 BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules
 
-AC_SUBST_FILE(BIND9_VERSION)
-BIND9_VERSION=$srcdir/version
+. $srcdir/version
+BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}"
+AC_SUBST(BIND9_VERSION)
 
 AC_SUBST_FILE(LIBISC_API)
 LIBISC_API=$srcdir/lib/isc/api
@@ -794,6 +924,7 @@ AC_OUTPUT(
 	bin/named/unix/Makefile
 	bin/lwresd/Makefile
 	bin/rndc/Makefile
+	bin/dig/Makefile
 	bin/tests/Makefile
 	bin/tests/names/Makefile
 	bin/tests/master/Makefile
@@ -804,4 +935,7 @@ AC_OUTPUT(
 	bin/tests/dst/Makefile
 	bin/tests/mem/Makefile
 	bin/tests/sockaddr/Makefile
+	bin/tests/system/Makefile
+	bin/tests/headerdep_test.sh
+	bin/dnssec/Makefile
 )
diff --git a/doc/arm/BV9ARM.PDF b/doc/arm/BV9ARM.PDF
deleted file mode 100644
index 0974407e..00000000
--- a/doc/arm/BV9ARM.PDF
+++ /dev/null
diff --git a/doc/arm/BV9ARM.1.html b/doc/arm/Bv9ARM.1.html
index 24e5fe4f..949b3790 100644..100755
--- a/doc/arm/BV9ARM.1.html
+++ b/doc/arm/Bv9ARM.1.html
@@ -2,7 +2,7 @@
 <HTML>
 <HEAD>
 <META NAME="GENERATOR" CONTENT="Adobe FrameMaker 5.5/HTML Export Filter">
-<LINK REL="STYLESHEET" HREF="BV9ARM.css">
+<LINK REL="STYLESHEET" HREF="Bv9ARM.css">
 <TITLE> Section 1.	Introduction </TITLE></HEAD>
 <BODY BGCOLOR="#ffffff">
 <OL>
@@ -34,30 +34,30 @@ The Berkeley Internet Name Domain (BIND) implements an Internet nameserver for a
  </A>
 1.2	Organization of This Document</H3>
 </OL>
-<P CLASS="2LevelContinued1">
+<P CLASS="2LevelContinued">
 <A NAME="pgfId=997355">
  </A>
-In this document, <EM CLASS="Emphasis">
+In this document, <EM CLASS="EquationVariables">
 Section 1</EM>
- introduces the basic DNS and BIND concepts. <EM CLASS="Emphasis">
+ introduces the basic DNS and BIND concepts. <EM CLASS="EquationVariables">
 Section 2</EM>
- describes resource requirements for running BIND in various environments. Information in <EM CLASS="Emphasis">
+ describes resource requirements for running BIND in various environments. Information in <EM CLASS="EquationVariables">
 Section 3</EM>
- is <EM CLASS="Emphasis">
+ is <EM CLASS="EquationVariables">
 task-oriented</EM>
- in its presentation and is organized functionally, to aid in the process of installing the BINDv9 software. The task-oriented section is followed by <EM CLASS="Emphasis">
+ in its presentation and is organized functionally, to aid in the process of installing the BINDv9 software. The task-oriented section is followed by <EM CLASS="EquationVariables">
 Section 4</EM>
-, which contains more advanced concepts that the system administrator may need for implementing certain options. The contents of <EM CLASS="Emphasis">
+, which contains more advanced concepts that the system administrator may need for implementing certain options. The contents of <EM CLASS="EquationVariables">
 Section 5</EM>
- are organized as in a reference manual to aid in the ongoing maintenance of the software.  <EM CLASS="Emphasis">
+ are organized as in a reference manual to aid in the ongoing maintenance of the software. <EM CLASS="EquationVariables">
 Section 6</EM>
- addresses security considerations, and <EM CLASS="Emphasis">
+ addresses security considerations, and <EM CLASS="EquationVariables">
 Section 7</EM>
- contains troubleshooting help. The main body of the document is followed by several <EM CLASS="Emphasis">
+ contains troubleshooting help. The main body of the document is followed by several <EM CLASS="EquationVariables">
 Appendices</EM>
- which contain useful reference information, such as a <EM CLASS="Emphasis">
+ which contain useful reference information, such as a <EM CLASS="EquationVariables">
 Glossary</EM>
- and a <EM CLASS="Emphasis">
+ and a <EM CLASS="EquationVariables">
 Bibliography</EM>
 , as well as historic information related to BIND and the Domain Name System.</P>
 </DIV>
@@ -71,20 +71,24 @@ Bibliography</EM>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997382">
  </A>
-In this document, the following general typographic conventions are used:</P>
+In this document, we use the following general typographic conventions:</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody">
+<P CLASS="CellBody3">
 <A NAME="pgfId=997359">
  </A>
-When describing:</P>
+<EM CLASS="EquationVariables">
+To describe:</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody">
+<P CLASS="CellBody3">
 <A NAME="pgfId=997361">
  </A>
-Style Used:</P>
+<EM CLASS="EquationVariables">
+Style:</EM>
+</P>
 </TD>
 </TR>
 <TR>
@@ -92,30 +96,14 @@ Style Used:</P>
 <P CLASS="CellBody">
 <A NAME="pgfId=997363">
  </A>
-A pathname, filename, URL, hostname, or mailing list name</P>
+a pathname, filename, URL, hostname, mailing list name, or new term or concept</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody1">
+<P CLASS="CellBody5">
 <A NAME="pgfId=997365">
  </A>
-<EM CLASS="Emphasis">
-Times Italic</EM>
-</P>
-</TD>
-</TR>
-<TR>
-<TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody">
-<A NAME="pgfId=997367">
- </A>
-A new term or concept</P>
-</TD>
-<TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody1">
-<A NAME="pgfId=997369">
- </A>
-<EM CLASS="Emphasis">
-Times Italic</EM>
+<EM CLASS="EquationVariables">
+Italic</EM>
 </P>
 </TD>
 </TR>
@@ -124,13 +112,14 @@ Times Italic</EM>
 <P CLASS="CellBody">
 <A NAME="pgfId=997371">
  </A>
-Literal user input</P>
+literal user input</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody2">
+<P CLASS="CellBody4">
 <A NAME="pgfId=997373">
  </A>
-Courier Bold
+<KBD CLASS="Literal-user-input">
+Fixed Width Bold</KBD>
 </P>
 </TD>
 </TR>
@@ -139,14 +128,14 @@ Courier Bold
 <P CLASS="CellBody">
 <A NAME="pgfId=997375">
  </A>
-Variable user input</P>
+variable user input</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody3">
-<A NAME="pgfId=997377">
+<P CLASS="CellBody5">
+<A NAME="pgfId=1034911">
  </A>
-<EM CLASS="Emphasis">
-Courier Italic</EM>
+<EM CLASS="Optional-meta-syntax">
+Fixed Width Italic</EM>
 </P>
 </TD>
 </TR>
@@ -155,14 +144,14 @@ Courier Italic</EM>
 <P CLASS="CellBody">
 <A NAME="pgfId=997379">
  </A>
-Program output</P>
+program output</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody4">
 <A NAME="pgfId=997381">
  </A>
-<KBD CLASS="Literal-user-input">
-Courier Plain</KBD>
+<CODE CLASS="Program-Process">
+Fixed Width</CODE>
 </P>
 </TD>
 </TR>
@@ -174,16 +163,20 @@ The following conventions are used in descriptions of the BIND configuration fil
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody">
+<P CLASS="CellBody3">
 <A NAME="pgfId=997385">
  </A>
-When describing:</P>
+<EM CLASS="EquationVariables">
+When describing:</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody">
+<P CLASS="CellBody3">
 <A NAME="pgfId=997387">
  </A>
-Style Used:</P>
+<EM CLASS="EquationVariables">
+Style Used:</EM>
+</P>
 </TD>
 </TR>
 <TR>
@@ -194,11 +187,11 @@ Style Used:</P>
 keywords</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody5">
+<P CLASS="CellBody6">
 <A NAME="pgfId=997391">
  </A>
-<KBD CLASS="Literal-user-input">
-Arial Bold</KBD>
+<EM CLASS="production_target">
+Sans Serif Bold</EM>
 </P>
 </TD>
 </TR>
@@ -210,12 +203,12 @@ Arial Bold</KBD>
 variables</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody6">
+<H6 CLASS="CellBody7">
 <A NAME="pgfId=997395">
  </A>
-<EM CLASS="Emphasis">
-Arial Italic</EM>
-</P>
+<EM CLASS="variable">
+Sans Serif Italic</EM>
+</H6>
 </TD>
 </TR>
 <TR>
@@ -226,11 +219,11 @@ Arial Italic</EM>
 &quot;meta-syntactic&quot; information (within brackets when optional)</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody3">
+<P CLASS="CellBody5">
 <A NAME="pgfId=997399">
  </A>
-<EM CLASS="Emphasis">
-Courier Italic</EM>
+<EM CLASS="Optional-meta-syntax">
+Fixed Width Italic</EM>
 </P>
 </TD>
 </TR>
@@ -242,11 +235,11 @@ Courier Italic</EM>
 Command line input</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody2">
+<P CLASS="CellBody4">
 <A NAME="pgfId=997403">
  </A>
 <KBD CLASS="Literal-user-input">
-Courier Bold</KBD>
+Fixed Width Bold</KBD>
 </P>
 </TD>
 </TR>
@@ -261,8 +254,8 @@ Program output</P>
 <P CLASS="CellBody4">
 <A NAME="pgfId=997407">
  </A>
-<KBD CLASS="Literal-user-input">
-Courier Plain</KBD>
+<CODE CLASS="Program-Process">
+Fixed Width</CODE>
 </P>
 </TD>
 </TR>
@@ -277,7 +270,7 @@ Optional input</P>
 <P CLASS="CellBody">
 <A NAME="pgfId=997411">
  </A>
-Text is enclosed in square brackets </P>
+Text is enclosed in square brackets</P>
 </TD>
 </TR>
 </TABLE>
@@ -292,15 +285,15 @@ Text is enclosed in square brackets </P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997414">
  </A>
-The purpose of this document is to explain the installation and basic upkeep of the BIND software package, and we begin by reviewing the fundamentals of the domain naming system as they relate to BIND. BIND consists of a <EM CLASS="Emphasis">
+The purpose of this document is to explain the installation and basic upkeep of the BIND software package, and we begin by reviewing the fundamentals of the domain naming system as they relate to BIND. BIND consists of a <EM CLASS="EquationVariables">
 nameserver</EM>
  (or &quot;daemon&quot;) called <CODE CLASS="Program-Process">
 named</CODE>
  and a <CODE CLASS="Program-Process">
 resolver</CODE>
- library. The BIND server runs in the background, servicing queries on a well known network port. The standard port for UDP and TCP, usually port 53,  is specified in<CODE CLASS="Program-Process">
+ library. The BIND server runs in the background, servicing queries on a well known network port. The standard port for UDP and TCP, usually port 53, is specified in<CODE CLASS="Program-Process">
  /etc/services</CODE>
-. The <EM CLASS="Emphasis">
+. The <EM CLASS="EquationVariables">
 resolver</EM>
  is a set of routines residing in a system library that provides the interface that programs can use to access the domain name services.</P>
 <DIV>
@@ -313,49 +306,49 @@ resolver</EM>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997416">
  </A>
-A nameserver (NS) is a program that stores information about named resources and responds to queries from programs called <EM CLASS="Emphasis">
+A nameserver (NS) is a program that stores information about named resources and responds to queries from programs called <EM CLASS="EquationVariables">
 resolvers</EM>
  which act as client processes. The basic function of an NS is to provide information about network objects by answering queries.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997417">
  </A>
-With the nameserver, the network can be broken into a hierarchy of domains. The name space is organized as a tree according to organizational or administrative boundaries. Each node of the tree, called a domain, is given a label. The name of the domain is the concatenation of all the labels of the domains from the root to the current domain. This is represented in written form as a string of labels listed from right to left and separated by dots. A label need only be unique within its domain. The whole name space is partitioned into areas called <EM CLASS="Emphasis">
+With the nameserver, the network can be broken into a hierarchy of domains. The name space is organized as a tree according to organizational or administrative boundaries. Each node of the tree, called a domain, is given a label. The name of the domain is the concatenation of all the labels of the domains from the root to the current domain. This is represented in written form as a string of labels listed from right to left and separated by dots. A label need only be unique within its domain. The whole name space is partitioned into areas called <EM CLASS="EquationVariables">
 zones</EM>
-, each starting at a domain and extending down to the leaf domains or to domains where other zones start. Zones usually represent administrative boundaries. For example, a domain name for a host at the company <EM CLASS="Emphasis">
+, each starting at a domain and extending down to the leaf domains or to domains where other zones start. Zones usually represent administrative boundaries. For example, a domain name for a host at the company <EM CLASS="EquationVariables">
 Example, Inc.</EM>
  would be:</P>
 <P CLASS="3LevelContinued1">
 <A NAME="pgfId=997418">
  </A>
-<EM CLASS="Emphasis">
+<EM CLASS="EquationVariables">
 ourhost.example.com</EM>
 </P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997419">
  </A>
-The top level domain for corporate organizations is <EM CLASS="Emphasis">
+The top level domain for corporate organizations is <EM CLASS="EquationVariables">
 com</EM>
-; <EM CLASS="Emphasis">
+; <EM CLASS="EquationVariables">
 example</EM>
- is a subdomain of <EM CLASS="Emphasis">
+ is a subdomain of <EM CLASS="EquationVariables">
 .com</EM>
-; and <EM CLASS="Emphasis">
+; and <EM CLASS="EquationVariables">
 ourhost</EM>
  is the name of the host.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997420">
  </A>
 The specifications for the domain nameserver are defined in RFC1034, RFC1035 and RFC974. These documents can be found in<BR>
-<EM CLASS="Emphasis">
+<EM CLASS="pathname">
 /usr/src/etc/named/doc</EM>
  in 4.4BSD or are available via <CODE CLASS="Program-Process">
 FTP</CODE>
  from<BR>
-<EM CLASS="Emphasis">
+<EM CLASS="URL">
 ftp://www.isi.edu/in-notes/</EM>
- or via the Web at <EM CLASS="Emphasis">
+ or via the Web at <EM CLASS="URL">
 http://www.ietf.org/rfc/</EM>
-.  (See Appendix C for complete information on finding and retrieving RFCs.) It is also recommended that you read the related <CODE CLASS="Program-Process">
+. (See Appendix C for complete information on finding and retrieving RFCs.) It is also recommended that you read the related <CODE CLASS="Program-Process">
 man</CODE>
  pages: <CODE CLASS="Program-Process">
 named</CODE>
@@ -377,31 +370,31 @@ As we stated previously, a zone is a point of delegation in the DNS tree. A zone
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997423">
  </A>
-To properly operate a nameserver, it is important to understand the difference between a <EM CLASS="Emphasis">
+To properly operate a nameserver, it is important to understand the difference between a <EM CLASS="EquationVariables">
 zone</EM>
- and a <EM CLASS="Emphasis">
+ and a <EM CLASS="EquationVariables">
 domain</EM>
 .</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997424">
  </A>
-As an example, consider the <EM CLASS="Emphasis">
+As an example, consider the <EM CLASS="EquationVariables">
 example.com</EM>
- domain, which includes names such as <EM CLASS="Emphasis">
+ domain, which includes names such as <EM CLASS="EquationVariables">
 host.aaa.example.com </EM>
-and <EM CLASS="Emphasis">
+and <EM CLASS="EquationVariables">
 host.bbb.example.com</EM>
- even though the <EM CLASS="Emphasis">
+ even though the <EM CLASS="EquationVariables">
 example.com</EM>
- zone includes only delegations for the <EM CLASS="Emphasis">
+ zone includes only delegations for the <EM CLASS="EquationVariables">
 aaa.example.com</EM>
- and <EM CLASS="Emphasis">
+ and <EM CLASS="EquationVariables">
 bbb.example.com</EM>
- zones. A zone can map exactly to a single domain, but could also include only part of a domain, the rest of which could be delegated to other nameservers. Every name in the DNS tree is a <EM CLASS="Emphasis">
+ zones. A zone can map exactly to a single domain, but could also include only part of a domain, the rest of which could be delegated to other nameservers. Every name in the DNS tree is a <EM CLASS="EquationVariables">
 domain</EM>
-, even if it is <EM CLASS="Emphasis">
+, even if it is <EM CLASS="EquationVariables">
 terminal</EM>
-, that is, has no <EM CLASS="Emphasis">
+, that is, has no <EM CLASS="EquationVariables">
 subdomains</EM>
 . Every subdomain is a domain and every domain except the root is also a subdomain. The terminology is not intuitive and it is suggested that you read RFCs 1033, 1034, and 1035 to gain a complete understanding of this difficult and subtle topic.</P>
 <P CLASS="3LevelContinued">
@@ -409,25 +402,25 @@ subdomains</EM>
  </A>
 Though BIND is a Domain Nameserver, it deals primarily in terms of zones. The primary and secondary declarations in the <CODE CLASS="Program-Process">
 named.conf</CODE>
- file specify zones, not domains. When you ask some other site if it is willing to be a secondary server for your <EM CLASS="Emphasis">
+ file specify zones, not domains. When you ask some other site if it is willing to be a secondary server for your <EM CLASS="EquationVariables">
 domain</EM>
 , you are actually asking for secondary service for some collection of zones.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997426">
  </A>
-Each zone will have one <EM CLASS="Emphasis">
+Each zone will have one <EM CLASS="EquationVariables">
 primary master</EM>
- (also called <EM CLASS="Emphasis">
+ (also called <EM CLASS="EquationVariables">
 primary</EM>
-) server which loads the zone contents from some local file edited by humans or perhaps generated mechanically from some other local file which is edited by humans. There there will be some number of <EM CLASS="Emphasis">
+) server which loads the zone contents from some local file edited by humans or perhaps generated mechanically from some other local file which is edited by humans. There there will be some number of <EM CLASS="EquationVariables">
 secondary master </EM>
-servers, which load the zone contents using the DNS protocol (that is, the secondary servers will contact the primary and fetch the zone data using TCP). This set of servers--the primary and all of its secondaries--should be listed in the NS records in the parent zone and will constitute a <EM CLASS="Emphasis">
+servers, which load the zone contents using the DNS protocol (that is, the secondary servers will contact the primary and fetch the zone data using TCP). This set of servers--the primary and all of its secondaries--should be listed in the NS records in the parent zone and will constitute a <EM CLASS="EquationVariables">
 delegation</EM>
 . This set of servers must also be listed in the zone file itself, usually under the <CODE CLASS="Program-Process">
 @</CODE>
- name which indicates the <EM CLASS="Emphasis">
+ name which indicates the <EM CLASS="EquationVariables">
 top level</EM>
- or <EM CLASS="Emphasis">
+ or <EM CLASS="EquationVariables">
 root</EM>
  of the current zone. You can list servers in the zone's top-level <CODE CLASS="Program-Process">
 @</CODE>
@@ -445,7 +438,7 @@ cuts around the bottom edge of the zone.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997430">
  </A>
-Adding a zone as a type master or type slave will tell the server to answer questions for the zone authoritatively. If the server is able to load the zone into memory without any errors it will set the AA bit when it replies to queries for the zone.  See RFCs 1034 and 1035 for more information about the AA bit.</P>
+Adding a zone as a type master or type slave will tell the server to answer questions for the zone authoritatively. If the server is able to load the zone into memory without any errors it will set the AA bit when it replies to queries for the zone. See RFCs 1034 and 1035 for more information about the AA bit.</P>
 </DIV>
 <DIV>
 <OL>
@@ -457,11 +450,11 @@ Adding a zone as a type master or type slave will tell the server to answer ques
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997432">
  </A>
-A DNS server can be master for some zones and slave for others or can be only a master, or only a slave, or can serve no zones and just answer queries via its <EM CLASS="Emphasis">
+A DNS server can be master for some zones and slave for others or can be only a master, or only a slave, or can serve no zones and just answer queries via its <EM CLASS="EquationVariables">
 cache</EM>
-. Master servers are often also called <EM CLASS="Emphasis">
+. Master servers are often also called <EM CLASS="EquationVariables">
 primaries</EM>
- and slave servers are often also called <EM CLASS="Emphasis">
+ and slave servers are often also called <EM CLASS="EquationVariables">
 secondaries</EM>
 . Both master/primary and slave/secondary servers are authoritative for a zone.</P>
 <P CLASS="3LevelContinued">
@@ -478,9 +471,9 @@ All servers keep data in their cache until the data expires, based on a TTL (Tim
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997435">
  </A>
-The <EM CLASS="Emphasis">
+The <EM CLASS="EquationVariables">
 primary master</EM>
- server is the ultimate source of information about a domain. The primary master is an authoritative server configured to be the source of zone transfer for one or  more secondary servers. The primary master server obtains data for the zone from a file on disk.</P>
+ server is the ultimate source of information about a domain. The primary master is an authoritative server configured to be the source of zone transfer for one or more secondary servers. The primary master server obtains data for the zone from a file on disk.</P>
 </DIV>
 <DIV>
 <OL>
@@ -492,9 +485,9 @@ primary master</EM>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997437">
  </A>
-A <EM CLASS="Emphasis">
+A <EM CLASS="EquationVariables">
 slave server</EM>
-, also called a <EM CLASS="Emphasis">
+, also called a <EM CLASS="EquationVariables">
 secondary server</EM>
 , is an authoritative server that uses zone transfers from the primary master server to retrieve the zone data. Optionally, the slave server obtains zone data from a cache on disk. Slave servers provide necessary redundancy. All secondary/slave servers are named in the NS resource records (RRs) for the zone.</P>
 </DIV>
@@ -508,7 +501,7 @@ secondary server</EM>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997439">
  </A>
-Some servers are <EM CLASS="Emphasis">
+Some servers are <EM CLASS="EquationVariables">
 caching only servers</EM>
 . This means that the server caches the information that it receives and uses it until the data expires. A caching only server is a server that is not authoritative for any zone. This server services queries and asks other servers, who have the authority, for the information it needs.</P>
 </DIV>
@@ -522,11 +515,11 @@ caching only servers</EM>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997441">
  </A>
-Instead of interacting with the nameservers for the root and other domains, a <EM CLASS="Emphasis">
+Instead of interacting with the nameservers for the root and other domains, a <EM CLASS="EquationVariables">
 forwarding server</EM>
- always forwards queries it cannot satisfy from its authoritative data or cache to a fixed list of other servers. The forwarded queries are also known as <EM CLASS="Emphasis">
+ always forwards queries it cannot satisfy from its authoritative data or cache to a fixed list of other servers. The forwarded queries are also known as <EM CLASS="EquationVariables">
 recursive queries, </EM>
-the same type as a client would send to a server.  There may be one or more servers forwarded to, and they are queried in turn until the list is exhausted or an answer is found. A forwarding server  is typically used when you do not wish all the servers at a given site to interact with the rest of the Internet servers. A typical scenario would involve a number of internal DNS servers, and an internet firewall. The servers which cannot pass packets through the firewall would forward to the server which can, which would ask the internet DNS servers on the internal server's behalf. An added benefit of using the forwarding feature is that the central machine develops a much more complete cache of information that all the workstations can take advantage of. </P>
+the same type as a client would send to a server. There may be one or more servers forwarded to, and they are queried in turn until the list is exhausted or an answer is found. A forwarding server is typically used when you do not wish all the servers at a given site to interact with the rest of the Internet servers. A typical scenario would involve a number of internal DNS servers, and an internet firewall. The servers which cannot pass packets through the firewall would forward to the server which can, which would ask the internet DNS servers on the internal server's behalf. An added benefit of using the forwarding feature is that the central machine develops a much more complete cache of information that all the workstations can take advantage of. </P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997442">
  </A>
@@ -539,30 +532,13 @@ There is no prohibition against declaring a server to be a forwarder even though
  </A>
 1.4.3.5	Stealth Server</H5>
 </OL>
-<!--
-[[P CLASS="comment"]]
-[[A NAME="pgfId=997445"]]
- [[/A]]
-A [[A NAME="marker=997444"]]
- [[/A]]
-stealth server is a primary master server that is neither listed in any root zone files nor advertised as being a server. It is set up to hide the true master server for a zone in order to provide some measure of security, or protect the zone from [[A NAME="marker=997446"]]
- [[/A]]
-Denial of Service ([[A NAME="marker=997447"]]
- [[/A]]
-DoS) attacks, or reduce the load on the main server, or any number of other reasons. It is also used to provide some measure of network redundancy. Slave servers load zone data from it.[[/P]]
-[[P CLASS="4LevelContinued"]]
-[[A NAME="pgfId=997347"]]
- [[/A]]
--->
 <P CLASS="4LevelContinued">
-A stealth server is a server that answers authoritatively for a zone, but is not listed in that zone's NS records. Stealth servers can be used as a way to centralise distribution of a zone, without having to edit the zone on a remote nameserver. Where the master file for a zone resides on a stealth server in this way,  it often referred to as a 'hidden primary' configuration. Stealth servers can also be a way to keep a local copy of a zone for rapid access to the zone's records, even if all 'official' nameservers for the zone are inaccessable.</P>
-<P CLASS="Body">
-<A NAME="pgfId=1007863">
+<A NAME="pgfId=1014846">
  </A>
-&nbsp;</P>
+A stealth server is a server that answers authoritatively for a zone, but is not listed in that zone's NS records. Stealth servers can be used as a way to centralize distribution of a zone, without having to edit the zone on a remote nameserver. Where the master file for a zone resides on a stealth server in this way, it is often referred to as a &quot;hidden primary&quot; configuration. Stealth servers can also be a way to keep a local copy of a zone for rapid access to the zone's records, even if all &quot;official&quot; nameservers for the zone are inaccessible.</P>
 </DIV>
 </DIV>
-<p>Return to <A href="BV9ARM.html">BINDv9 Administrator Reference Manual</A> table of contents.</p>
 </DIV>
+<p>Return to <A href="Bv9ARM.html">BINDv9 Administrator Reference Manual</A> 
 </BODY>
 </HTML>
diff --git a/doc/arm/BV9ARM.2.html b/doc/arm/Bv9ARM.2.html
index 748670f4..20a50567 100644..100755
--- a/doc/arm/BV9ARM.2.html
+++ b/doc/arm/Bv9ARM.2.html
@@ -2,99 +2,90 @@
 <HTML>
 <HEAD>
 <META NAME="GENERATOR" CONTENT="Adobe FrameMaker 5.5/HTML Export Filter">
-<LINK REL="STYLESHEET" HREF="BV9ARM.css">
+<LINK REL="STYLESHEET" HREF="Bv9ARM.css">
 <TITLE> Section 2.	BIND Resource Requirements</TITLE></HEAD>
 <BODY BGCOLOR="#ffffff">
 <OL>
 <H1 CLASS="1Level">
 <A NAME="pgfId=997350">
-</A>
+ </A>
 Section 2.	BIND Resource Requirements</H1>
 </OL>
 <DIV>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997351">
-</A>
+ </A>
 2.1	Hardware requirements</H3>
 </OL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997352">
-</A>
+ </A>
 DNS hardware requirements have traditionally been quite modest. For many installations, servers that have been pensioned off from active duty have performed admirably as DNS servers.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997353">
-</A>
+ </A>
 The DNSSEC and IPv6 features of BINDv9 may prove to be quite CPU intensive however, so organizations that make heavy use of these features may wish to consider larger systems for these applications. BINDv9 is now fully multithreaded, allowing full utilization of multiprocessor systems, for installations that need it.</P>
 </DIV>
 <DIV>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997354">
-</A>
+ </A>
 2.2	CPU Requirements</H3>
 </OL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997355">
-</A>
+ </A>
 CPU requirements for BINDv9 range from i486-class machines for serving of static zones without caching, to enterprise-class machines if you intend to process many dynamic updates and DNSSEC signed zones, serving many thousands of queries per second.</P>
 </DIV>
 <DIV>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997356">
-</A>
+ </A>
 2.3	Memory Requirements </H3>
 </OL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997357">
-</A>
+ </A>
 The memory of the server has to be large enough to fit the cache and zones loaded off disk. Future releases of BINDv9 will provide methods to limit the amount of memory used by the cache, at the expense of reducing cache hit rates and causing more DNS traffic. It is still good practice to have enough memory to load all zone and cache data into memory--unfortunately, the best way to determine this for a given installation is to watch the nameserver in operation. After a few weeks, the server process should reach a relatively stable size where entries are expiring from the cache as fast as they are being inserted. Ideally, the resource limits should be set higher than this stable size.</P>
 </DIV>
 <DIV>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997358">
-</A>
+ </A>
 2.4	Nameserver Intensive Environment Issues</H3>
 </OL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997359">
-</A>
+ </A>
 For nameserver intensive environments, there are two alternative configurations that may be used. The first is where clients and any second-level internal nameservers query a main nameserver, which has enough memory to build a large cache. This approach minimizes the bandwidth used by external name lookups. The second alternative is to set up second-level internal nameservers to make queries independently. In this configuration, none of the individual machines needs to have as much memory or CPU power as in the first alternative, but this has the disadvantage of making many more external queries, as none of the nameservers share their cached data.</P>
 </DIV>
 <DIV>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997360">
-</A>
+ </A>
 2.5	Operating Systems Supported by the Internet Software Consortium</H3>
 </OL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997361">
-</A>
+ </A>
 ISC BINDv9 compiles and runs on the following operating systems:</P>
-<PRE CLASS="2Level-fixed"><A NAME="pgfId=997362"></A>
-IBM AIX 4.3
-<PRE CLASS="2Level-fixed"><A NAME="pgfId=997363"></A>
-Compaq Digital/Tru64 UNIX 4.0D
-<PRE CLASS="2Level-fixed"><A NAME="pgfId=997364"></A>
-HP HP-UX 11
-<PRE CLASS="2Level-fixed"><A NAME="pgfId=997365"></A>
-IRIX64 6.5
-<PRE CLASS="2Level-fixed"><A NAME="pgfId=997366"></A>
-Red Hat Linux 6.0, 6.1
-<PRE CLASS="2Level-fixed"><A NAME="pgfId=997367"></A>
-Sun Solaris 2.6, 7, 8 (beta)
-<PRE CLASS="2Level-fixed"><A NAME="pgfId=997368"></A>
-FreeBSD 3.4-STABLE
-<PRE CLASS="2Level-fixed"><A NAME="pgfId=997369"></A>
-NetBSD-current with &quot;unproven&quot; pthreads</PRE>
-<P CLASS="Body">
-<A NAME="pgfId=997347">
-</A>
-&nbsp;</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=997362">
+ </A>
+IBM AIX 4.3<BR>
+Compaq Digital/Tru64 UNIX 4.0D<BR>
+HP HP-UX 11<BR>
+IRIX64 6.5<BR>
+Red Hat Linux 6.0, 6.1<BR>
+Sun Solaris 2.6, 7, 8 (beta)<BR>
+FreeBSD 3.4-STABLE<BR>
+NetBSD-current with &quot;unproven&quot; pthreads</P>
 </DIV>
-<p>Return to <A href="BV9ARM.html">BINDv9 Administrator Reference Manual</A> table of contents.</p>
+<p>Return to <A href="Bv9ARM.html">BINDv9 Administrator Reference Manual</A> 
 </BODY>
 </HTML>
diff --git a/doc/arm/BV9ARM.3.html b/doc/arm/Bv9ARM.3.html
index 90e0206c..a505907f 100644..100755
--- a/doc/arm/BV9ARM.3.html
+++ b/doc/arm/Bv9ARM.3.html
@@ -2,271 +2,259 @@
 <HTML>
 <HEAD>
 <META NAME="GENERATOR" CONTENT="Adobe FrameMaker 5.5/HTML Export Filter">
-<LINK REL="STYLESHEET" HREF="BV9ARM.css">
+<LINK REL="STYLESHEET" HREF="Bv9ARM.css">
 <TITLE> Section 3.	Nameserver Configuration</TITLE></HEAD>
 <BODY BGCOLOR="#ffffff">
 <OL>
 <H1 CLASS="1Level">
 <A NAME="pgfId=997350">
-</A>
+ </A>
 Section 3.	Nameserver Configuration</H1>
 </OL>
 <P CLASS="1LevelContinued">
 <A NAME="pgfId=997351">
-</A>
+ </A>
 In this section we provide some suggested configurations along with guidelines for their use. We also address the topic of reasonable option setting.</P>
 <DIV>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997353">
-</A>
+ </A>
 3.1	<A NAME="30164">
-</A>
+ </A>
 Sample Configuration and Logging</H3>
 </OL>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997354"></A>
-logging {
-       channel named_log {
-           file &quot;logs/named.log&quot;;
-           print-time yes;
-           print-category yes;
-           print-severity yes;
-           severity info;
+<PRE CLASS="2Level-fixed"><A NAME="pgfId=997354"></A>
+
+<CODE>logging {
+        channel <VAR>named_log</VAR> {
+             file &quot;<EM>logs/named.log</EM>&quot;;
+             print-time <VAR>yes</VAR>;
+             print-category <VAR>yes</VAR>;
+             print-severity <VAR>yes</VAR>;
+             severity <VAR>info</VAR>;
 };
-       channel security_log {
-           file &quot;logs/security.log&quot; versions 7 ;
-           print-time yes;
+       channel <VAR>security_log</VAR> {
+             file &quot;<EM>logs/security.log</EM> &quot; <VAR>versions 7</VAR> ;
+             print-time <VAR>yes</VAR> ;
 };
-       category default { named_log; default_debug; };
-       category security { security_log };
+       category <VAR>default</VAR> { named_log; default_debug; };
+             category security { security_log };
 };
-// The two corporate subnets.  Use real IP numbers here in the real world.
+                                                    // The two corporate subnets.
+                                                    // Use real IP numbers
+                                                    // here in the real world.
 acl corpnet { 192.168.4.0/24; 192.168.7.0/24; };
-// The options statement.
+                              // The options statement.
 options {
-   directory &quot;/etc/namedb&quot;;    // Directory
-   pid-file &quot;named.pid&quot;;        // Put .pid file in named directory.
-   named-xfer &quot;/path/to/named-xfer&quot;;  // Where is our named-xfer ?
-   check-names master fail;												// Fail on db errors in master zones.
-   check-names slave warn;												// Warn about db errors
-                              // in slave zones.
-   check-names response warn;												// Warn about invalid responses
-   use-id-pool yes;												// Help prevent spoofing
-   host-statistics yes;												// Keep track of hosts/servers
-                               // we've talked to.
-   listen-on { 192.168.7.20; };       // Listen on this address.
+   directory &quot;<EM>/etc/namedb</EM>&quot;;      // Directory
+   pid-file &quot;<EM>named.pid</EM>&quot;;         // Put .pid file in named directory.
+   check-names master <VAR>fail</VAR>;              // Fail on db errors in master zones.
+   check-names slave <VAR>warn</VAR>;               // Warn about db errors
+                                                    // in slave zones.
+   check-names response <VAR>warn</VAR>;            // Warn about invalid responses
+   use-id-pool <VAR>yes</VAR>;                      // Help prevent spoofing
+   host-statistics <VAR>yes</VAR>;                  // Keep track of hosts/servers
+                                                    // we've talked to.
+   listen-on { 192.168.7.20; };                     // Listen on this address.
    query-source address 192.168.7.20 port 53 ;
-                                     // Source queries from port 53
-                                      // to get past firewall.
-   allow-transfer { none; };        // Don't allow anyone to
-                                      // transfer zones.
-   allow-query { corpnet; };        // Allow only corpnets to query server.
-                                      // Helps prevent DoS, spoofing.
-   allow-recursion { corpnet; };     // Same, except this is for recursion.
+                                                    // Source queries from port 53
+                                                    // to get past firewall.
+   allow-transfer { <VAR>none</VAR>; };             // Don't allow anyone to
+                                                    // transfer zones.
+   allow-query { corpnet; };                        // Allow only corpnets to query server.
+                                                    // Helps prevent DoS, spoofing.
+   allow-recursion { corpnet; };                    // Same, except this is for recursion.
 };
+
+   include &quot;<EM>keys.conf</EM>&quot;;                   // Include a keys.conf with
+                                                     // TSIG/DNSSEC keys.
+                                                     // Shouldn't be readable to anyone
+                                                     // except BIND user.
+   zone &quot;<EM>.</EM>&quot;{ type <VAR>hint</VAR>; file &quot;<EM>local/named.root</EM>&quot;;
+};                                                    // root hints
+
+   zone &quot;<EM>0.0.127.IN-ADDR.ARPA</EM>&quot; {
+   type <VAR>master</VAR>; file &quot;<EM>local/localhost.db</EM>&quot;; notify <VAR>no</VAR>;
+                                                     // localhost
+};
+
+   zone &quot;example.com&quot; {                      // Example zone for &quot;<EM>example.com</EM>&quot;.
+   type <VAR>master</VAR>;                             // It's a master zone.
+   file &quot;<EM>m/example.com.db</EM>&quot;;                 // The file is here.
+   allow-query { <VAR>any</VAR>; };                      // Allow anyone to query.
+   allow-transfer { corpnet; };                         // Only allow corp nets to transfer zone.
+}; 
+ 
+   zone &quot;<EM>offsite.example.com</EM>&quot; {              // Example zone for an off-site corp zone.
+   type <VAR>slave</VAR>;                                        // It's a slave zone.
+   masters { 192.168.4.12; };                                // The master is at this address.
+   file &quot;<EM>s/offsite.example.com.db</EM>&quot;;             // The file is here.
+   notify <VAR>no</VAR>;                                             // Don't worry about NOTIFYing.
+allow-query { <VAR>any</VAR>; };                                 // Allow anyone to query.
+};</CODE>
+
 </PRE>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=1007322"></A>
-include &quot;keys.conf&quot;;                     // Include a keys.conf with
-                                         // TSIG/DNSSEC keys.
-                                         // Shouldn't be readable to anyone
-                                          // except BIND user.
-zone &quot;.&quot;{ type hint; file &quot;local/named.root&quot;; };
-                                          // root hints
-</PRE>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997391"></A>
-zone &quot;0.0.127.IN-ADDR.ARPA&quot; {</PRE>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997392"></A>
-        type master; file &quot;local/localhost.db&quot;; notify no;
-                                          // localhost
-};</PRE>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997395"></A>
-&nbsp;</PRE>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997396"></A>
-zone &quot;example.com&quot; {            // Example zone for &quot;example.com&quot;.
-type master;                    // It's a master zone.
-file &quot;m/example.com.db&quot;;        // The file is here.
-allow-query { any; };           // Allow anyone to query.
-allow-transfer { corpnet; };    // Only allow corp nets to transfer zone.
-};</PRE>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997402"></A>
-&nbsp;</PRE>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997403"></A>
-zone &quot;offsite.example.com&quot; {     // Example zone for an off-site corp zone.
-type slave;                      // It's a slave zone.
-masters { 192.168.4.12; };       // The master is at this address.
-file &quot;s/offsite.example.com.db&quot;; // The file is here.
-notify no;                       // Don't worry about <CODE CLASS="Program-Process">NOTIFY</CODE>
-ing.
-allow-query { any; };            // Allow anyone to query.
-;</PRE>
 </DIV>
 <DIV>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997410">
-</A>
+ </A>
 3.2	Load Balancing and Round Robin</H3>
 </OL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997411">
-</A>
+ </A>
 Primitive load balancing can be achieved in DNS using multiple A records for one name.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997412">
-</A>
+ </A>
 For example, if you have three WWW servers with network addresses of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a record like the following means that clients will connect to each machine one third of the time:</P>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997454"></A>
+<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997454"> </A>
 &nbsp;</PRE>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfontLG1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997415">
-</A>
+ </A>
 Name</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfontLG1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997417">
-</A>
+ </A>
 TTL</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfontLG1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997419">
-</A>
+ </A>
 CLASS</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfontLG1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997421">
-</A>
+ </A>
 TYPE</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfontLG1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997423">
-</A>
+ </A>
 Resource Record (RR) Data</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfontLG1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997425">
-</A>
-<CODE CLASS="Program-Process">
-www</CODE>
-</P>
+ </A>
+www</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfontLG1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997427">
-</A>
+ </A>
 10m</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfontLG1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997429">
-</A>
-<CODE CLASS="Program-Process">
-IN</CODE>
-</P>
+ </A>
+IN</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfontLG1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997431">
-</A>
+ </A>
 A</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfontLG1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997433">
-</A>
+ </A>
 10.0.0.1</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfontLG">
+<P CLASS="CellBody">
 <A NAME="pgfId=997435">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfontLG1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997437">
-</A>
+ </A>
 10m</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfontLG1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997439">
-</A>
-<CODE CLASS="Program-Process">
-IN</CODE>
-</P>
+ </A>
+IN</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfontLG1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997441">
-</A>
+ </A>
 A</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfontLG1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997443">
-</A>
+ </A>
 10.0.0.2</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfontLG">
+<P CLASS="CellBody">
 <A NAME="pgfId=997445">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfontLG1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997447">
-</A>
+ </A>
 10m</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfontLG1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997449">
-</A>
-<CODE CLASS="Program-Process">
-IN</CODE>
-</P>
+ </A>
+IN</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfontLG1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997451">
-</A>
+ </A>
 A</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfontLG1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997453">
-</A>
+ </A>
 10.0.0.3</P>
 </TD>
 </TR>
 </TABLE>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997455">
-</A>
+ </A>
 When a resolver queries for these records, BIND will rotate them and respond to the query with the records in a different order. This is known as cyclic or round-robin ordering.In the example above, the first client will receive the records in the order 1,2,3; the second client will receive them in the order 2,3,1; and the third 3,1,2. Most clients will use the first record returned, and discard the rest.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997456">
-</A>
+ </A>
 For more detail on ordering responses, check the <CODE CLASS="Program-Process">
 rrset-order</CODE>
  substatement in the <CODE CLASS="Program-Process">
 options</CODE>
- statement in <A HREF="BV9ARM.5.html#22766" CLASS="XRef">
+ statement in <A HREF="Bv9ARM.5.html#22766" CLASS="XRef">
 RRset Ordering</A>
 .</P>
 </DIV>
@@ -274,54 +262,56 @@ RRset Ordering</A>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997460">
-</A>
+ </A>
 3.3	Notify</H3>
 </OL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997461">
-</A>
+ </A>
 DNS Notify is a mechanism that allows master nameservers to notify their slave servers of changes to a zone's data and that a query should be initiated to discover the new data. DNS Notify is turned on by default.</P>
 <P CLASS="2LevelContinued">
-<A NAME="pgfId=997462">
-</A>
+<A NAME="pgfId=1016466">
+ </A>
 DNS Notify is fully documented in RFC 1996. See also the description of the zone option <CODE CLASS="Program-Process">
 also-notify</CODE>
- in section 3.1.3.7, &quot;Zone transfers.&quot;</P>
+ on <A HREF="Bv9ARM.5.html#32057" CLASS="XRef">
+Zone Transfers</A>
+.</P>
 </DIV>
 <DIV>
 <OL>
 <H3 CLASS="2Level">
-<A NAME="pgfId=997463">
-</A>
+<A NAME="pgfId=1016467">
+ </A>
 3.4	Nameserver Operations</H3>
 </OL>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997464">
-</A>
+ </A>
 3.4.1	Tools for Use With the Nameserver Daemon</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997465">
-</A>
+ </A>
 There are several indispensable diagnostic, administrative and monitoring tools available to the system administrator for controlling and debugging the nameserver daemon. We describe several in this section </P>
 <DIV>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997466">
-</A>
+ </A>
 3.4.1.1	Diagnostic Tools</H5>
 </OL>
 </DIV>
 <DIV>
 <H5 CLASS="Subhead4">
 <A NAME="pgfId=997467">
-</A>
+ </A>
 dig</H5>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997468">
-</A>
+ </A>
 The domain information groper (<CODE CLASS="Program-Process">
 dig</CODE>
 ) is a command line tool that can be used to gather information from the Domain Name System servers. Dig has two modes: simple interactive mode for a single query, and batch mode which executes a query for each in a list of several query lines. All query options are accessible from the command line.</P>
@@ -329,30 +319,30 @@ dig</CODE>
 <DIV>
 <H5 CLASS="Subhead4">
 <A NAME="pgfId=997469">
-</A>
+ </A>
 Usage</H5>
-<PRE CLASS="4Level-fixed1"><A NAME="pgfId=997470"></A>
+<PRE CLASS="4Level-fixed1"><A NAME="pgfId=997470"> </A>
 dig [@server] domain [&lt;query-type&gt;] [&lt;query-class&gt;]
 [+&lt;query-option&gt;] [-&lt;dig-option&gt;] [%comment]</PRE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997471">
-</A>
+ </A>
 The usual simple use of dig will take the form</P>
-<PRE CLASS="4Level-fixed1"><A NAME="pgfId=997472"></A>
+<PRE CLASS="4Level-fixed1"><A NAME="pgfId=997472"> </A>
 dig @server domain query-type query-class</PRE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997473">
-</A>
+ </A>
 For more information and a list of available commands and options, see the dig man page.</P>
 </DIV>
 <DIV>
 <H5 CLASS="Subhead4">
 <A NAME="pgfId=997474">
-</A>
+ </A>
 host</H5>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997475">
-</A>
+ </A>
 The<EM CLASS="pathname">
  </EM>
 <CODE CLASS="Program-Process">
@@ -364,113 +354,114 @@ utility provides a simple DNS lookup using a command-line interface for looking
 <DIV>
 <H5 CLASS="Subhead4">
 <A NAME="pgfId=997476">
-</A>
+ </A>
 Usage</H5>
-<PRE CLASS="4Level-fixed1"><A NAME="pgfId=997477"></A>
+<PRE CLASS="4Level-fixed1"><A NAME="pgfId=997477"> </A>
 host [-l] [-v] [-w] [-r] [-d] [-t querytype] [-a] host [server]</PRE>
 </DIV>
 <DIV>
 <H5 CLASS="Subhead4">
 <A NAME="pgfId=997478">
-</A>
+ </A>
 nslookup</H5>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997479">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 nslookup</CODE>
- is a program used to query Internet domain nameservers. nslookup has two modes: interactive and non-interactive. Interactive mode allows the user to query nameservers for information about various hosts and domains or to print a list of hosts in a domain. Non-interactive mode is used to print just the name and requested information for a host or domain.</P>
+ is a program used to query Internet domain nameservers. <CODE CLASS="Program-Process">
+nslookup</CODE>
+ has two modes: interactive and non-interactive. Interactive mode allows the user to query nameservers for information about various hosts and domains or to print a list of hosts in a domain. Non-interactive mode is used to print just the name and requested information for a host or domain.</P>
 </DIV>
 <DIV>
 <H5 CLASS="Subhead4">
 <A NAME="pgfId=997480">
-</A>
+ </A>
 Usage</H5>
-<PRE CLASS="4Level-fixed1"><A NAME="pgfId=997481"></A>
+<PRE CLASS="4Level-fixed1"><A NAME="pgfId=997481"> </A>
 nslookup [-option ...] [host-to-find | -[server]]</PRE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997482">
-</A>
+ </A>
 Interactive mode is entered when no arguments are given (the default nameserver will be used) or when the first argument is a hyphen (-) and the second argument is the host name or Internet address of a nameserver.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997483">
-</A>
+ </A>
 Non-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a nameserver.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997484">
-</A>
-The options listed under the &quot;set&quot; command (see the nslookup man page for details) can be specified in the .nslookuprc file in the user's home directory if they are listed one per line. Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial time-out to 10 seconds, type:</P>
-<PRE CLASS="4Level-fixed1"><A NAME="pgfId=997485"></A>
+ </A>
+The options listed under the &quot;set&quot; command (see the <CODE CLASS="Program-Process">
+nslookup</CODE>
+ man page for details) can be specified in the <EM CLASS="pathname">
+.nslookuprc</EM>
+ file in the user's home directory if they are listed one per line. Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial time-out to 10 seconds, type:</P>
+<PRE CLASS="4Level-fixed1"><A NAME="pgfId=997485"> </A>
 nslookup -query=hinfo -timeout=10</PRE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997486">
-</A>
-For more information and a list of available commands and options, see the nslookup man page.</P>
+ </A>
+For more information and a list of available commands and options, see the <CODE CLASS="Program-Process">
+nslookup</CODE>
+ man page.</P>
 </DIV>
 <DIV>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997487">
-</A>
+ </A>
 3.4.1.2	Administrative Tools</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997488">
-</A>
+ </A>
 Administrative tools play an integral part in the management of a server.</P>
 </DIV>
 <DIV>
 <H5 CLASS="Subhead4">
 <A NAME="pgfId=997489">
-</A>
+ </A>
 rndc</H5>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997490">
-</A>
+ </A>
 The remote name daemon control (<CODE CLASS="Program-Process">
 rndc</CODE>
 ) program is a program that allows the system administrator to control the operation of a nameserver. If you run rndc without any options it will display a usage message.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1012780">
-</A>
+ </A>
 Usage:</P>
-<P CLASS="4LevelContinued">
-<A NAME="pgfId=1012777">
-</A>
-<CODE CLASS="Program-Process">
-rndc [-p port] [-m] server command [command ...]</CODE>
-</P>
+<PRE CLASS="4Level-fixed"><A NAME="pgfId=1012777"> </A>
+<CODE CLASS="Program-Process">rndc [-p port] [-m] server command [command ...]</CODE>
+</PRE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997493">
-</A>
+ </A>
 For more information and a list of available commands and options, see the rndc man page.</P>
 </DIV>
 <DIV>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997494">
-</A>
+ </A>
 3.4.1.3	Monitoring Tools</H5>
 </OL>
 </DIV>
 <DIV>
 <H5 CLASS="Subhead4">
 <A NAME="pgfId=997495">
-</A>
+ </A>
 MRTG</H5>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997496">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 MRTG</CODE>
  is primarily a router traffic grapher, but can be used to monitor BIND DNS servers, as well. The `stat' script, supplied with MRTG in the MRTG `contrib/stat' directory, can be used to monitor numbers of queries, and counts of various sorts of responses.</P>
-<P CLASS="Body">
-<A NAME="pgfId=997347">
-</A>
-&nbsp;</P>
 </DIV>
 </DIV>
-<p>Return to <A href="BV9ARM.html">BINDv9 Administrator Reference Manual</A> table of contents.</p>
 </DIV>
+<p>Return to <A href="Bv9ARM.html">BINDv9 Administrator Reference Manual</A> 
 </BODY>
 </HTML>
diff --git a/doc/arm/BV9ARM.4.html b/doc/arm/Bv9ARM.4.html
index 3f23152d..1f066128 100644..100755
--- a/doc/arm/BV9ARM.4.html
+++ b/doc/arm/Bv9ARM.4.html
@@ -2,29 +2,29 @@
 <HTML>
 <HEAD>
 <META NAME="GENERATOR" CONTENT="Adobe FrameMaker 5.5/HTML Export Filter">
-<LINK REL="STYLESHEET" HREF="BV9ARM.css">
+<LINK REL="STYLESHEET" HREF="Bv9ARM.css">
 <TITLE> Section 4.	Advanced Concepts</TITLE></HEAD>
 <BODY BGCOLOR="#ffffff">
 <OL>
 <H1 CLASS="1Level">
 <A NAME="pgfId=997350">
-</A>
+ </A>
 Section 4.	Advanced Concepts</H1>
 </OL>
 <DIV>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997351">
-</A>
+ </A>
 4.1	Dynamic Update</H3>
 </OL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997352">
-</A>
+ </A>
 Dynamic update is the term used for the ability under certain specified conditions to add, modify or delete records or RRsets in the master zone files. Dynamic update is fully described in RFC 2136.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997353">
-</A>
+ </A>
 Dynamic update is enabled on a zone-by-zone basis, by including an <CODE CLASS="Program-Process">
 allow-update</CODE>
  or <CODE CLASS="Program-Process">
@@ -34,40 +34,40 @@ zone</CODE>
  statement.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=1008560">
-</A>
+ </A>
 Updating of secure zones (zones using DNSSEC) works as specified in the <EM CLASS="Emphasis">
 simple-secure-update</EM>
  proposal. SIG and NXT records affected by updates are automatically regenerated by the server using an online zone key. Update authorization is based on transaction signatures and an explicit server policy.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=1008576">
-</A>
-The zone files of dynamic zones must not be edited by hand.  The zone file on disk at any given time may not contain the latest changes performed by dynamic update.  The zone file is written to disk only periodically, and changes that have occurred since the zone file was last written to disk are stored only in the zone's journal (<EM CLASS="pathname">
+ </A>
+The zone files of dynamic zones must not be edited by hand. The zone file on disk at any given time may not contain the latest changes performed by dynamic update. The zone file is written to disk only periodically, and changes that have occurred since the zone file was last written to disk are stored only in the zone's journal (<EM CLASS="pathname">
 .jnl</EM>
-) file.  BIND 9 currently does not update the zone file when it exits like BIND 8 does, so editing the zone file manually is unsafe even when the server has been shut down. </P>
+) file. BINDv9 currently does not update the zone file when it exits like BIND 8 does, so editing the zone file manually is unsafe even when the server has been shut down. </P>
 </DIV>
 <DIV>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997356">
-</A>
+ </A>
 4.2	<A NAME="19780">
-</A>
+ </A>
 Incremental Zone Transfers (IXFR)</H3>
 </OL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=1008466">
-</A>
-The incremental zone transfer protocol (IXFR, RFC1995--see the list of Proposed Standards in the <A HREF="BV9ARM.8.html">Appendices
-</A>
+ </A>
+The incremental zone transfer protocol (IXFR, RFC1995--see the list of proposed standards on in Appendix C on <A HREF="Bv9ARM.7.html#17631" CLASS="XRef">
+Proposed Standards</A>
 ) is a way for slave servers to transfer only changed data, instead of having to transfer the entire zone every time it changes.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=1008471">
-</A>
-When acting as a master, BIND 9 supports IXFR for those zones where the necessary change history information is available.  These include master zones maintained by dynamic update and slave zones whose data was obtained by IXFR, but not manually maintained master zones nor slave zones obtained by AXFR.</P>
+ </A>
+When acting as a master, BINDv9 supports IXFR for those zones where the necessary change history information is available. These include master zones maintained by dynamic update and slave zones whose data was obtained by IXFR, but not manually maintained master zones nor slave zones obtained by AXFR.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=1008502">
-</A>
-When acting as a slave, BIND 9 will attempt to use IXFR unless it is explicitly disabled.  For more information about disabling IXFR, see the description of the <CODE CLASS="Program-Process">
+ </A>
+When acting as a slave, BINDv9 will attempt to use IXFR unless it is explicitly disabled. For more information about disabling IXFR, see the description of the <CODE CLASS="Program-Process">
 request-ixfr</CODE>
  clause of the <CODE CLASS="Program-Process">
 server</CODE>
@@ -77,440 +77,480 @@ server</CODE>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997360">
-</A>
+ </A>
 4.3	Split DNS</H3>
 </OL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997361">
-</A>
-Setting up different views, or visibility, of DNS space to internal , as opposed to external, resolvers is usually referred to as a &quot;Split DNS&quot; or &quot;Split Brain DNS&quot; setup. There are several reasons an organization would want to set its DNS up this way.</P>
+ </A>
+Setting up different views, or visibility, of DNS space to internal, as opposed to external, resolvers is usually referred to as a &quot;Split DNS&quot; or &quot;Split Brain DNS&quot; setup. There are several reasons an organization would want to set its DNS up this way.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997362">
-</A>
-One common reason for setting up a DNS system this way is to hide &quot;internal&quot; DNS information from &quot;external&quot; clients on the Internet. There is some debate as to whether or not this is actually useful. Internal DNS information leaks out in many ways (via e-mail headers, for example) and most savvy &quot;attackers&quot; can find the information they need using  other means.</P>
+ </A>
+One common reason for setting up a DNS system this way is to hide &quot;internal&quot; DNS information from &quot;external&quot; clients on the Internet. There is some debate as to whether or not this is actually useful. Internal DNS information leaks out in many ways (via e-mail headers, for example) and most savvy &quot;attackers&quot; can find the information they need using other means.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997363">
-</A>
+ </A>
 Another common reason for setting up a Split DNS system is to allow internal networks that are behind filters or RFC1918 space (reserved IP space, as documented in RFC 1918) to resolve DNS on the Internet. Split DNS can also be used to allow mail from outside back in to the internal network.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997364">
-</A>
+ </A>
 Here is an example of a split DNS setup:</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997365">
-</A>
+ </A>
 Let's say a company named <EM CLASS="Emphasis">
 Example, Inc.</EM>
  (example.com) has several corporate sites that have an internal network with reserved IP space and an external DMZ (the demilitarized zone, or &quot;outside&quot; section of a network) that is available to the public.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997366">
-</A>
+ </A>
 <EM CLASS="Emphasis">
 Example, Inc.</EM>
  wants its internal clients to be able to resolve external hostnames and to exchange mail with people on the outside. The company also wants its internal resolvers to have access to certain internal-only zones that are not available at all outside of the internal network.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997367">
-</A>
+ </A>
 In order to accomplish this, the company will set up two sets of nameservers. One set will be on the inside network (in the reserved IP space) and the other set will be on bastion hosts, which are &quot;proxy&quot; hosts that can talk to both sides of its network, in the DMZ.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997368">
-</A>
-The internal servers will be configured to forward all queries, except queries for <EM CLASS="Emphasis">
+ </A>
+The internal servers will be configured to forward all queries, except queries for <EM CLASS="pathname">
 site1.example</EM>
-, <EM CLASS="Emphasis">
+, <EM CLASS="pathname">
 site2.example</EM>
-, <EM CLASS="Emphasis">
+, <EM CLASS="pathname">
 site1.example.com</EM>
-, and <EM CLASS="Emphasis">
+, and <EM CLASS="pathname">
 site2.example.com</EM>
-, to the servers in the DMZ. These internal servers will have complete sets of information for <EM CLASS="Emphasis">
+, to the servers in the DMZ. These internal servers will have complete sets of information for <EM CLASS="pathname">
 site1.example.com</EM>
-, <EM CLASS="Emphasis">
+, <EM CLASS="pathname">
 site2.example.com</EM>
 ,<EM CLASS="Emphasis">
- site1.internal</EM>
-, and <EM CLASS="Emphasis">
+ </EM>
+<EM CLASS="pathname">
+site1.internal</EM>
+, and <EM CLASS="pathname">
 site2.internal</EM>
 .</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997369">
-</A>
-To protect the <EM CLASS="Emphasis">
-site1.internal</EM>
+ </A>
+To protect the<EM CLASS="pathname">
+ site1.interna</EM>
+<EM CLASS="Emphasis">
+l</EM>
  and<EM CLASS="Emphasis">
- site2.internal</EM>
+ </EM>
+<EM CLASS="pathname">
+site2.internal</EM>
  domains, the internal nameservers must be configured to disallow all queries to these domains from any external hosts, including the bastion hosts.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997370">
-</A>
-The external servers, which are on the bastion hosts, will be configured to serve the &quot;public&quot; version of the <EM CLASS="Emphasis">
+ </A>
+The external servers, which are on the bastion hosts, will be configured to serve the &quot;public&quot; version of the <EM CLASS="pathname">
 site1</EM>
- and <EM CLASS="Emphasis">
+ and <EM CLASS="pathname">
 site2.example.com</EM>
- zones. This could include things such as the host records for public servers (<EM CLASS="Emphasis">
+ zones. This could include things such as the host records for public servers (<EM CLASS="pathname">
 www.example.com</EM>
-, <EM CLASS="Emphasis">
+, <EM CLASS="pathname">
 ftp.example.com</EM>
-), and mail exchanger records (<EM CLASS="Emphasis">
+), and mail exchanger records (<EM CLASS="pathname">
 a.mx.example.com</EM>
- and <EM CLASS="Emphasis">
+ and <EM CLASS="pathname">
 b.mx.example.com</EM>
 ).</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997371">
-</A>
-In addition, the public <EM CLASS="Emphasis">
+ </A>
+In addition, the public <EM CLASS="pathname">
 site1</EM>
- and <EM CLASS="Emphasis">
-site2 .example.com</EM>
- zones should have special MX records that contain wildcard (*) records pointing to the bastion hosts. This is needed because external mail servers do not have any other way of looking up how to deliver mail to those internal hosts. With the wildcard records, the mail will be delivered to the bastion host, which can then forward it on to internal hosts.</P>
+ and <EM CLASS="pathname">
+site2.example.com</EM>
+ zones should have special MX records that contain wildcard (&quot;*&quot;) records pointing to the bastion hosts. This is needed because external mail servers do not have any other way of looking up how to deliver mail to those internal hosts. With the wildcard records, the mail will be delivered to the bastion host, which can then forward it on to internal hosts.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997372">
-</A>
+ </A>
 Here's an example of a wildcard MX record:</P>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997373"></A>
+<PRE CLASS="2Level-fixed"><A NAME="pgfId=997373"> </A>
 *   IN MX 10 external1.example.com.</PRE>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997374">
-</A>
+ </A>
 Now that they accept mail on behalf of anything in the internal network, the bastion hosts will need to know how to deliver mail to internal hosts. In order for this to work properly, the resolvers on the bastion hosts will need to be configured to point to the internal nameservers for DNS resolution.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997375">
-</A>
+ </A>
 Queries for internal hostnames will be answered by the internal servers, and queries for external hostnames will be forwarded back out to the DNS servers on the bastion hosts.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997376">
-</A>
+ </A>
 In order for all this to work properly, internal clients will need to be configured to query <EM CLASS="Emphasis">
 only</EM>
  the internal nameservers for DNS queries. This could also be enforced via selective filtering on the network.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997377">
-</A>
+ </A>
 If everything has been set properly, <EM CLASS="Emphasis">
 Example, Inc.</EM>
 's internal clients will now be able to:</P>
 <UL>
 <LI CLASS="2Level-bullet1">
 <A NAME="pgfId=997378">
-</A>
-Look up any hostnames in the <EM CLASS="Emphasis">
+ </A>
+Look up any hostnames in the <EM CLASS="pathname">
 site1</EM>
- and <EM CLASS="Emphasis">
-site2 .example.com</EM>
+ and <EM CLASS="pathname">
+site2.example.com</EM>
  zones.</LI>
 <LI CLASS="2Level-bullet2">
 <A NAME="pgfId=997379">
-</A>
-Look up any hostnames in the <EM CLASS="Emphasis">
+ </A>
+Look up any hostnames in the <EM CLASS="pathname">
 site1.internal</EM>
- and <EM CLASS="Emphasis">
+ and <EM CLASS="pathname">
 site2.internal</EM>
  domains.</LI>
 <LI CLASS="2Level-bullet2">
 <A NAME="pgfId=997380">
-</A>
+ </A>
 Look up any hostnames on the Internet.</LI>
 <LI CLASS="2Level-bullet2">
 <A NAME="pgfId=997381">
-</A>
+ </A>
 Exchange mail with internal AND external people.</LI>
 </UL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997382">
-</A>
+ </A>
 Hosts on the Internet will be able to:</P>
 <UL>
 <LI CLASS="2Level-bullet1">
 <A NAME="pgfId=997383">
-</A>
-Look up any hostnames in the <EM CLASS="Emphasis">
+ </A>
+Look up any hostnames in the <EM CLASS="pathname">
 site1</EM>
- and <EM CLASS="Emphasis">
-site2 .example.com </EM>
+ and <EM CLASS="pathname">
+site2.example.com </EM>
 zones.</LI>
 <LI CLASS="2Level-bullet2">
 <A NAME="pgfId=997384">
-</A>
-Exchange mail with anyone in the <EM CLASS="Emphasis">
+ </A>
+Exchange mail with anyone in the <EM CLASS="pathname">
 site1</EM>
- and <EM CLASS="Emphasis">
-site2 .example.com</EM>
+ and <EM CLASS="pathname">
+site2.example.com</EM>
  zones.</LI>
 </UL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997385">
-</A>
-Here is an example configuration for the setup we just described above. Note that this is only configuration information; see <A HREF="BV9ARM.3.html#30164" CLASS="XRef">
-Sample Configuration and Logging</A>
- for information on how to configure your zone files.</P>
+ </A>
+Here is an example configuration for the setup we just described above. Note that this is only configuration information; for information on how to configure your zone files, see <A HREF="Bv9ARM.3.html#30164" CLASS="XRef">
+See Sample Configuration and Logging.</A>
+</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997389">
-</A>
+ </A>
 Internal DNS server config:</P>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997390"></A>
+<PRE CLASS="2Level-fixed"><A NAME="pgfId=997390"> </A>
+
+<CODE>
 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
-acl externals { <EM CLASS="Emphasis">bastion-ips-go-here</EM>; };
+acl externals { bastion-ips-go-here; };
 options {
     ...
     ...
     forward only;
-    forwarders { <EM CLASS="Emphasis">bastion-ips-go-here</EM>; };  // forward to external servers
-    allow-transfer { none; };                    // sample allow-transfer (no one)
-    allow-query { internals; externals; };       // restrict query access
-    allow-recursion { internals; };              // restrict recursion
+    forwarders { <VAR>bastion-ips-go-here</VAR>; };			//forward to external servers
+    allow-transfer { <VAR>none</VAR>; };				// sample allow-transfer (no one)
+    allow-query { <VAR>internals</VAR>; <VAR>externals</VAR>; };			// restrict query access
+    allow-recursion { <VAR>internals</VAR>; };			// restrict recursion
     ...
     ...
-};</PRE>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997402"></A>
-zone &quot;site1.example.com&quot; { // sample slave zone
-  type master;
-  file &quot;m/site1.example.com&quot;;
+};
+
+zone &quot;<EM>site1.example.com</EM>&quot; { // sample slave zone
+  type <VAR>master</VAR>;
+  file &quot;<EM>m/site1.example.com</EM>&quot;;
   forwarders { };          // do normal iterative resolution (do not forward)
-  allow-query { internals; externals; };
-  allow-transfer { internals; };
-};</PRE>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997409"></A>
-zone &quot;site2.example.com&quot; {
-  type slave;
-  file &quot;s/site2.example.com&quot;;
+  allow-query { <VAR>internals</VAR>; <VAR>externals</VAR>; };
+  allow-transfer { <VAR>internals</VAR>; };
+};
+
+zone &quot;<EM>site2.example.com</EM>&quot; {
+  type <VAR>slave</VAR>;
+  file &quot;<EM>s/site2.example.com</EM>&quot;;
   masters { 172.16.72.3; };
   forwarders { };
-  allow-query { internals; externals; };
-  allow-transfer { internals; };
-};</PRE>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997417"></A>
-zone &quot;site1.internal&quot; {
-  type master;
-  file &quot;m/site1.internal&quot;;
+  allow-query { <VAR>internals</VAR>; <VAR>externals</VAR>; };
+  allow-transfer { <VAR>internals</VAR>; };
+};
+
+zone &quot;<EM>site1.internal</EM>&quot; {
+  type <VAR>master</VAR>;
+  file &quot;<EM>m/site1.internal</EM>&quot;;
   forwarders { };
-  allow-query { internals; };
-  allow-transfer { internals; }
-};</PRE>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997424"></A>
-zone &quot;site2.internal&quot; {
-  type slave;
-  file &quot;s/site2.internal&quot;;
+  allow-query { <VAR>internals</VAR>; };
+  allow-transfer { <VAR>internals</VAR>; }
+};
+
+zone &quot;<EM>site2.internal</EM>&quot; {
+  type <VAR>slave</VAR>;
+  file &quot;<EM>s/site2.internal</EM>&quot;;
   masters { 172.16.72.3; };
   forwarders { };
-  allow-query { internals };
-  allow-transfer { internals; }
-};</PRE>
-<P CLASS="2LevelContinued">
-<A NAME="pgfId=997431">
-</A>
-External (bastion host) DNS server config:</P>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997432"></A>
+  allow-query { <VAR>internals</VAR> };
+  allow-transfer { <VAR>internals</VAR>; }
+};
+</CODE>
+
+External (bastion host) DNS server config:
+ 
+<CODE>
 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
-acl externals { <EM CLASS="Emphasis">bastion-ips-go-here</EM>; };
+acl externals { bastion-ips-go-here; };
 options {
   ...
   ...
-  allow-transfer { none; };                  // sample allow-transfer (no one)
-  allow-query { internals; externals; };     // restrict query access
-  allow-recursion { internals; externals; }; // restrict recursion
+  allow-transfer { <VAR>none</VAR>; };                  // sample allow-transfer (no one)
+  allow-query { <VAR>internals</VAR>; <VAR>externals</VAR>; };     // restrict query access
+  allow-recursion { <VAR>internals</VAR>; <VAR>externals</VAR>; }; // restrict recursion
   ...
   ...
-};</PRE>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997443"></A>
-zone &quot;site1.example.com&quot; {        // sample slave zone
-  type master;
-  file &quot;m/site1.foo.com&quot;;
-  allow-query { any; };
-  allow-transfer { internals; externals; };
-};</PRE>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997449"></A>
-zone &quot;site2.example.com&quot; {
-  type slave;
-  file &quot;s/site2.foo.com&quot;;
-  masters { another_bastion_host_maybe; };
-  allow-query { any; };
-  allow-transfer { internals; externals; }
-};</PRE>
-<P CLASS="2LevelContinued">
-<A NAME="pgfId=997456">
-</A>
-In the <EM CLASS="pathname">
-resolv.conf</EM>
- (or equivalent) on the bastion host(s):</P>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997457"></A>
-search ...
+};
+
+zone &quot;<EM>site1.example.com</EM>&quot; {        // sample slave zone
+  type <VAR>master</VAR>;
+  file &quot;<EM>m/site1.foo.com</EM>&quot;;
+  allow-query { <VAR>any</VAR>; };
+  allow-transfer { <VAR>internals</VAR>; <VAR>externals</VAR>; };
+};
+
+zone &quot;<EM>site2.example.com</EM>&quot; {
+  type <VAR>slave</VAR>;
+  file &quot;<EM>s/site2.foo.com</EM>&quot;;
+  masters { a<VAR>nother_bastion_host_maybe</VAR>; };
+  allow-query { <VAR>any</VAR>; };
+  allow-transfer { <VAR>internal</VAR>; <VAR>externals</VAR>; }
+};
+</CODE>
+
+In the <EM>resolv.conf</EM> (or equivalent) on the bastion host(s):
+ 
+<CODE>search ...
 nameserver 172.16.72.2
 nameserver 172.16.72.3
-nameserver 172.16.72.4</PRE>
+nameserver 172.16.72.4</CODE>
+</PRE>
+
 </DIV>
 <DIV>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997461">
-</A>
+ </A>
 4.4	TSIG</H3>
 </OL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997462">
-</A>
-Information about TSIG in this section was provided by Brian Wellington of TISLabs. This is a short guide to setting up TSIG based transaction security in BIND. It describes changes to the configuration file as well as what changes are required for different features, including the process of creating transaction keys and using transaction signatures with BIND.</P>
+ </A>
+This is a short guide to setting up TSIG based transaction security in BIND. It describes changes to the configuration file as well as what changes are required for different features, including the process of creating transaction keys and using transaction signatures with BIND.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997463">
-</A>
+ </A>
 BIND primarily supports TSIG for server-server communication. This includes zone transfer, notify, and recursive query messages. The resolver bundled with BIND 8.2 has limited support for TSIG, but it is doubtful that support will be integrated into any client applications.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997464">
-</A>
+ </A>
 TSIG might be most useful for dynamic update. A primary server for a dynamic zone should use access control to control updates, but IP-based access control is insufficient. Key-based access control is far superior (see <EM CLASS="pathname">
 draft-ietf-dnsext-simple-secure-update-00.txt</EM>
- in<EM CLASS="pathname">
- </EM>
-<A HREF="BV9ARM.8.html#" CLASS="XRef">
-Internet Drafts</A>
+ in Appendix C on <A HREF="Bv9ARM.7.html#42144" CLASS="XRef">
+Request for Comments (RFCs)</A>
 ). The <CODE CLASS="Program-Process">
 nsupdate</CODE>
- program that is shipped with BIND 8 supports TSIG via the &quot;<CODE CLASS="Program-Process">
+ program that is shipped with BIND 8 supports TSIG via the<BR>
+&quot;<CODE CLASS="Program-Process">
 -k</CODE>
 &quot; command line option.</P>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997465">
-</A>
+ </A>
 4.4.1	Generate Shared Keys for Each Pair of Hosts</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997466">
-</A>
+ </A>
 A shared secret is generated to be shared between host1 and host2. The key name is chosen to be &quot;host1-host2.&quot;, which is arbitrary. The key name must be the same on both hosts.</P>
 <DIV>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997467">
-</A>
+ </A>
 4.4.1.1	Automatic Generation</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997468">
-</A>
+ </A>
 The following command will generate a 128 bit (16 byte) HMAC-MD5 key as described above. Longer keys are better, but shorter keys are easier to read. Note that the maximum key length is 512 bits; keys longer than that will be digested with MD5 to produce a 128 bit key.</P>
-<PRE CLASS="4Level-fixed1"><A NAME="pgfId=997469"></A>
+
+<PRE CLASS="4Level-fixed"><A NAME="pgfId=997469"></A>
 src/bin/dnskeygen/dnskeygen -H 128 -h -n host1-host2.</PRE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997470">
-</A>
+ </A>
 The key is in the file &quot;Khost1-host2.+157+00000.private&quot;. Nothing actually uses this file, but the base64 encoded string following &quot;Key:&quot; can be extracted:</P>
-<PRE CLASS="4Level-fixed1"><A NAME="pgfId=997471"></A>
+<PRE CLASS="4Level-fixed"><A NAME="pgfId=997471"></A>
    La/E5CjG9O+os1jq0a2jdA==</PRE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997472">
-</A>
+ </A>
 This string represents a shared secret.</P>
 </DIV>
 <DIV>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997473">
-</A>
+ </A>
 4.4.1.2	Manual Generation</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997474">
-</A>
+ </A>
 The shared secret is simply a random sequence of bits, encoded in base64. Most ASCII strings are valid base64 strings (assuming the length is a multiple of 4 and only valid characters are used), so the shared secret can be manually generated.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997475">
-</A>
-Also, a known string can be run through mmencode or a similar program to generate base64 encoded data.</P>
+ </A>
+Also, a known string can be run through <CODE CLASS="Program-Process">
+mmencode</CODE>
+ or a similar program to generate base64 encoded data.</P>
 </DIV>
 </DIV>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997476">
-</A>
+ </A>
 4.4.2	Copying the Shared Secret to Both Machines</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997477">
-</A>
+ </A>
 This is beyond the scope of DNS. A secure transport mechanism should be used. This could be secure FTP, ssh, telephone, etc.</P>
 </DIV>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997478">
-</A>
+ </A>
 4.4.3	Informing the Servers of the Key's Existence</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997479">
-</A>
-Imagine host1 and host 2 are both servers. The following is added to each server's named.conf file:</P>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997480"></A>
+ </A>
+Imagine <EM CLASS="Emphasis">
+host1</EM>
+ and <EM CLASS="Emphasis">
+host 2</EM>
+ are both servers. The following is added to each server's <CODE CLASS="Program-Process">
+named.conf</CODE>
+ file:</P>
+
+<PRE>
+<CODE> 
 key host1-host2. {
   algorithm hmac-md5;
   secret &quot;La/E5CjG9O+os1jq0a2jdA==&quot;;
-};</PRE>
+};
+</CODE>
+</PRE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997484">
-</A>
+ </A>
 The algorithm, hmac-md5, is the only one supported by BIND. The secret is the one generated above. Since this is a secret, it is recommended that either <CODE CLASS="Program-Process">
 named.conf</CODE>
  be non-world readable, or the key directive be added to a non-world readable file that's included by named.conf.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997485">
-</A>
+ </A>
 At this point, the key is recognized. This means that if the server receives a message signed by this key, it can verify the signature. If the signature succeeds, the response is signed by the same key.</P>
 </DIV>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997486">
-</A>
+ </A>
 4.4.4	Instructing the Server to Use the Key</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997487">
-</A>
-Since keys are shared between two hosts only, the server must be told when keys are to be used. The following is added to host1's named.conf file, if host2's IP address is 10.1.2.3:</P>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997488"></A>
+ </A>
+Since keys are shared between two hosts only, the server must be told when keys are to be used. The following is added to the <CODE CLASS="Program-Process">
+named.conf</CODE>
+ file for <EM CLASS="Emphasis">
+host1</EM>
+, if the IP address of <EM CLASS="Emphasis">
+host2</EM>
+ is 10.1.2.3:</P>
+ 
+<PRE>
+<CODE>
 server 10.1.2.3 {
   keys {host1-host2.;};
-};</PRE>
+};</CODE>
+</PRE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997491">
-</A>
+ </A>
 Multiple keys may be present, but only the first is used. This directive does not contain any secrets, so it may be in a world-readable file.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997492">
-</A>
+ </A>
 If host1 sends a message that is a response to that address, the message will be signed with the specified key. host1 will expect any responses to signed messages to be signed with the same key.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997493">
-</A>
+ </A>
 A similar statement must be present in host2's configuration file (with host1's address) for host2 to sign non-response messages to host1.</P>
 </DIV>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997494">
-</A>
+ </A>
 4.4.5	TSIG Key Based Access Control</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997495">
-</A>
+ </A>
 BIND allows IP addresses and ranges to be specified in ACL definitions and <CODE CLASS="Program-Process">
-allow-{query|transfer|update}</CODE>
+allow-{ query </CODE>
+<EM CLASS="Optional-meta-syntax">
+| </EM>
+<CODE CLASS="Program-Process">
+transfer </CODE>
+<EM CLASS="Optional-meta-syntax">
+| </EM>
+<CODE CLASS="Program-Process">
+update }</CODE>
  directives. This has been extended to allow TSIG keys also. The above key would be denoted <CODE CLASS="Program-Process">
 key host1-host2</CODE>
 .</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997496">
-</A>
+ </A>
 An example of an allow-update directive would be:</P>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997497"></A>
-allow-update {key host1-host2.;};</PRE>
+
+ 
+<PRE>
+<CODE>allow-update {key host1-host2.;};
+</CODE>
+</PRE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997498">
-</A>
+ </A>
 This allows dynamic updates to succeed only if the request was signed by a key named &quot;<CODE CLASS="Program-Process">
 host1-host2.</CODE>
 &quot;</P>
@@ -519,26 +559,30 @@ host1-host2.</CODE>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997499">
-</A>
+ </A>
 4.4.6	Errors</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997500">
-</A>
+ </A>
 The processing of TSIG signed messages can result in several errors. If a signed message is sent to a non-TSIG aware server, a FORMERR will be returned, since the server will not understand the record. This is a result of misconfiguration, since the server must be explicitly configured to send a TSIG signed message to a specific server.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997501">
-</A>
+ </A>
 If a TSIG aware server receives a message signed by an unknown key, the response will be unsigned with the TSIG extended error code set to BADKEY. If a TSIG aware server receives a message with a signature that does not validate, the response will be unsigned with the TSIG extended error code set to BADSIG. If a TSIG aware server receives a message with a time outside of the allowed range, the response will be signed with the TSIG extended error code set to BADTIME, and the time values will be adjusted so that the response can be successfully verified. In any of these cases, the message's rcode is set to NOTAUTH.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997502">
-</A>
+ </A>
 TSIG verification errors are logged by the server as</P>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997503"></A>
-&quot;ns_req: TSIG verify failed - (reason)&quot; </PRE>
+
+<PRE>
+<CODE>
+&quot;ns_req: TSIG verify failed - (reason)&quot;
+</CODE> 
+</PRE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997504">
-</A>
+ </A>
 which is printed at debug level 1.</P>
 </DIV>
 </DIV>
@@ -546,226 +590,325 @@ which is printed at debug level 1.</P>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997505">
-</A>
-4.5	DNSSEC</H3>
+ </A>
+4.5	TKEY</H3>
 </OL>
 <P CLASS="2LevelContinued">
-<A NAME="pgfId=997506">
-</A>
-Cryptographc authentication of DNS information is made possible through the DNS Security (DNSSEC) extension to the domain system. This describes the processing of creating and using DNSSEC signed zones. The zones used in this exercise will be <CODE CLASS="Program-Process">
-dnssec.example</CODE>
- and <CODE CLASS="Program-Process">
-sub.dnssec.example</CODE>
-.</P>
-<UL>
-<LI CLASS="Subhead2-noBullet">
-<A NAME="pgfId=997507">
-</A>
-Step 1: Generate zone keys.</LI>
-</UL>
-<P CLASS="3LevelContinued">
-<A NAME="pgfId=997508">
-</A>
-The following commands generate 640 bit DSA keys to be used as zone keys for the zones:</P>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997509"></A>
-src/bin/dnskeygen/dnskeygen -D 640 -z -n dnssec.example.
-src/bin/dnskeygen/dnskeygen -D 640 -z -n sub.dnssec.example.</PRE>
-<P CLASS="3LevelContinued">
-<A NAME="pgfId=997511">
-</A>
-In our example, keys with id 64555 and 39020 were generated.</P>
-<P CLASS="3LevelContinued">
-<A NAME="pgfId=997512">
-</A>
-Four files were created on disk:</P>
-<P CLASS="3LevelContinued">
-<A NAME="pgfId=1007504">
-</A>
-<CODE CLASS="Program-Process">
-Kdnssec.example.+003+64555.key</CODE>
- (public key)</P>
-<P CLASS="3LevelContinued">
-<A NAME="pgfId=1007508">
-</A>
-<CODE CLASS="Program-Process">
-Kdnssec.example.+003+64555.private</CODE>
- (private key)</P>
-<P CLASS="3LevelContinued">
-<A NAME="pgfId=1007505">
-</A>
+<A NAME="pgfId=1021941">
+ </A>
 <CODE CLASS="Program-Process">
-Ksub.dnssec.example.+003+39020.key</CODE>
- (public key)</P>
-<P CLASS="3LevelContinued">
-<A NAME="pgfId=997516">
-</A>
-<CODE CLASS="Program-Process">
-Ksub.dnssec.example.+003+39020.private</CODE>
- (private key)</P>
-<P CLASS="3LevelContinued">
-<A NAME="pgfId=997517">
-</A>
+TKEY</CODE>
+ is a mechanism for automatically generating a shared secret between two hosts.  There are several &quot;modes&quot; of <CODE CLASS="Program-Process">
+TKEY</CODE>
+ that specify how the key is generated or assigned.  BIND implements only one of these modes, the Diffie-Hellman key exchange.  Both hosts are required to have a Diffie-Hellman KEY record (although this record is not required to be present in a zone).  The <CODE CLASS="Program-Process">
+TKEY</CODE>
+ process must use signed messages, signed either by TSIG or SIG(0).  The result of <CODE CLASS="Program-Process">
+TKEY</CODE>
+ is a shared secret that can be used to sign messages with TSIG.  <CODE CLASS="Program-Process">
+TKEY</CODE>
+ can also be used to delete shared secrets that it had previously generated.</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1021952">
+ </A>
 The <CODE CLASS="Program-Process">
-.key</CODE>
- files contain public keys in DNS RR format, which is base 64. The <CODE CLASS="Program-Process">
-.private</CODE>
- files contain private keys, with each field encoded in base 64.</P>
-<UL>
-<LI CLASS="Subhead2-noBullet">
-<A NAME="pgfId=997518">
-</A>
-Step 2: Enter the keys into the zones.</LI>
-</UL>
-<P CLASS="3LevelContinued">
-<A NAME="pgfId=997519">
-</A>
-The parent zone needs its own key and the child key (as glue). The child zone needs its own key.</P>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997520"></A>
-cat Kdnssec.example.+003+64555.key &gt;&gt; zone.dnssec.example
-cat Ksub.dnssec.example.+003+39020.key &gt;&gt; zone.dnssec.example
-cat Ksub.dnssec.example.+003+39020.key &gt;&gt; zone.sub.dnssec.example</PRE>
-<P CLASS="3LevelContinued">
-<A NAME="pgfId=997523">
-</A>
-Edit the zone files if desired (to move and/or format KEY records, etc.). This is also a good time to add <CODE CLASS="Program-Process">
-$ORIGIN</CODE>
- directives to the zone files if they aren't present.</P>
-<UL>
-<LI CLASS="Subhead2-noBullet">
-<A NAME="pgfId=997524">
-</A>
-Step 3: Sign the parent zone.</LI>
-</UL>
-<P CLASS="3LevelContinued">
-<A NAME="pgfId=997525">
-</A>
-The following command uses the zone.dnssec.example as input and creates the zone.dnssec.example.signed file. The key used is the dsa key for dnssec.example with id 64555 (<CODE CLASS="Program-Process">
--ki</CODE>
-), and statistics are printed (<CODE CLASS="Program-Process">
--st</CODE>
-). Parent files are generated for each child zone (<CODE CLASS="Program-Process">
--ps</CODE>
-), and no global parent file is produced (<CODE CLASS="Program-Process">
--no-p1</CODE>
-).</P>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997526"></A>
-contrib/dns_signer/signer/dnssigner -zi zone.dnssec.example \
--zo zone.dnssec.example.signed -st -k1 dnssec.example dsa 64555 -ps
--no-p1</PRE>
-<P CLASS="3LevelContinued">
-<A NAME="pgfId=997528">
-</A>
-The following files are created:</P>
-<P CLASS="3LevelContinued">
-<A NAME="pgfId=997529">
-</A>
-<CODE CLASS="Program-Process">
-zone.dnssec.example.signed</CODE>
- (signed zone)</P>
-<P CLASS="3LevelContinued">
-<A NAME="pgfId=997530">
-</A>
-<CODE CLASS="Program-Process">
-sub.dnssec.example..PARENT</CODE>
- (parent file for sub.dnssec.example)</P>
-<UL>
-<LI CLASS="Subhead2-noBullet">
-<A NAME="pgfId=997531">
-</A>
-Step 4: Sign the child zone.</LI>
-</UL>
-<P CLASS="3LevelContinued">
-<A NAME="pgfId=997532">
-</A>
-The following command is similar to the previous one. The main difference is that the input parent file sub.dnssec.example..PARENT is specified (<CODE CLASS="Program-Process">
--pi</CODE>
-) in addition to the input zone file; this file was generated by the previous call to the signer. Also, the -ps and -no-p1 options are omitted since there are no child zones of this zone. If this zone had child zones, these options should be present.</P>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997533"></A>
-contrib/dns_signer/signer/<CODE CLASS="Program-Process">dnssigner</CODE>
- -zi zone.sub.dnssec.example \
--pi sub.dnssec.example..PARENT -zo zone.sub.dnssec.example.signed \
--st -k1 sub.dnssec.example dsa 39020</PRE>
-<P CLASS="3LevelContinued">
-<A NAME="pgfId=997534">
-</A>
-The following file is created:</P>
-<P CLASS="3LevelContinued">
-<A NAME="pgfId=997535">
-</A>
-<CODE CLASS="Program-Process">
-zone.sub.dnssec.example.signed</CODE>
- (signed zone)</P>
-<UL>
-<LI CLASS="Subhead2-noBullet">
-<A NAME="pgfId=997536">
-</A>
-Step 5: Enter the top-level zone key in the named.conf file for the master server.</LI>
-</UL>
-<P CLASS="3LevelContinued">
-<A NAME="pgfId=997537">
-</A>
-The public key for the top-level signed zone must be present in named.conf, so that the server can verify the data on load (it must be able to traverse a keychain and end at a trusted key). This key is added in a zone pubkey directive (which has a format similar to a KEY record, but not identical). Note that this is not needed for the subzone, as its key is signed by the trusted key in the parent zone.</P>
-<P CLASS="3LevelContinued">
-<A NAME="pgfId=997538">
-</A>
-This uses the key from Kdnssec.example.+003+64555.key</P>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997539"></A>
-zone &quot;dnssec.example&quot; {
-type master;
-file &quot;zone.dnssec.example.signed&quot;;
-pubkey 16641 3 3 &quot;AuNiWOmzSHwrzLMWv1C1gbKQBNAHwMeX+C0owQkfmdxjoTJvnmbN
-       CdbGM/fnejQhEXsRT5l3NLy0H4UCX3ElGJT49n3nFb2jPuDYbkPh
-       VV4sLfLJzQs/RWeQmQnNFF2HNmwksWlPvUT66k4mqJDtIk60Dio6
-       1PML5sVDMQns7Zukq4aSn4jzRGkbDGhB9S3yzXVMVjYDwlM9frW9
-       Ayt0vqDa0zG+V52YiCSOdFGWJ0bSFa8sTwcp4BEVUt/Kg2Zo4VAy
-       +AeYLcQLb6vDZUX8x/BPByKKptfXirhNPv43xE6vT4xCxYPhvyDk
-       Y7Qlf4W+/sSNNKE7P/JAKmQxxXAVPoXtBpa6&quot;;
-};</PRE>
-<UL>
-<LI CLASS="Subhead2-noBullet">
-<A NAME="pgfId=997550">
-</A>
-Step 6: Enter the top-level zone key in the named.conf file for any other servers that will trust the key.</LI>
-</UL>
-<P CLASS="3LevelContinued">
-<A NAME="pgfId=997551">
-</A>
-This uses the same key as above.</P>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997552"></A>
-trusted-keys {
-		dnssec.example 16641 3 3
-       &quot;AuNiWOmzSHwrzLMWv1C1gbKQBNAHwMeX+C0owQkfmdxjoTJvnmbN
-       CdbGM/fnejQhEXsRT5l3NLy0H4UCX3ElGJT49n3nFb2jPuDYbkPh
-       VV4sLfLJzQs/RWeQmQnNFF2HNmwksWlPvUT66k4mqJDtIk60Dio6
-       1PML5sVDMQns7Zukq4aSn4jzRGkbDGhB9S3yzXVMVjYDwlM9frW9
-       Ayt0vqDa0zG+V52YiCSOdFGWJ0bSFa8sTwcp4BEVUt/Kg2Zo4VAy
-       +AeYLcQLb6vDZUX8x/BPByKKptfXirhNPv43xE6vT4xCxYPhvyDk
-       Y7Qlf4W+/sSNNKE7P/JAKmQxxXAVPoXtBpa6&quot;;
-}</PRE>
-<UL>
-<LI CLASS="Subhead2-noBullet">
-<A NAME="pgfId=997562">
-</A>
-Start named.</LI>
-</UL>
+TKEY</CODE>
+ process is initiated by a client or server by sending a signed <CODE CLASS="Program-Process">
+TKEY</CODE>
+ query (including any appropriate KEYs) to a TKEY-aware server.  The server response, if it indicates success, will contain a <CODE CLASS="Program-Process">
+TKEY</CODE>
+ record and any appropriate keys.  After this exchange, both participants have enough information to determine the shared secret; the exact process depends on the <CODE CLASS="Program-Process">
+TKEY</CODE>
+ mode.  When using the Diffie-Hellman <CODE CLASS="Program-Process">
+TKEY</CODE>
+ mode, Diffie-Hellman keys are exchanged, and the shared secret is derived by both participants.</P>
+</DIV>
+<DIV>
+<OL>
+<H3 CLASS="2Level">
+<A NAME="pgfId=1021928">
+ </A>
+4.6	DNSSEC Secured Zones</H3>
+</OL>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039857">
+ </A>
+Cryptographic authentication of DNS information is made possible through the DNS Security (<EM CLASS="Emphasis">
+DNSSEC</EM>
+) extension to the domain system. This describes the processing of creating and using DNSSEC signed zones.</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039810">
+ </A>
+In order to set up a DNSSEC secure zone, there are a series of steps which must be followed.  BINDv9 ships with several tools that are used in this process, which are explained in more detail below.  In all cases, the &quot;<CODE CLASS="Program-Process">
+-h</CODE>
+&quot; option prints a full list of parameters.</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039811">
+ </A>
+There must also be communication with the administrators of the parent and/or child zone to transmit keys and signatures.  A zone's security status must be indicated by the parent zone for a DNSSEC capable resolver to trust its data.</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039812">
+ </A>
+For other servers to trust data in this zone, they must either be statically configured with this zone's zone key or the zone key of another zone above this one in the DNS tree.</P>
+<DIV>
+<OL>
+<H4 CLASS="3Level">
+<A NAME="pgfId=1039813">
+ </A>
+4.6.1	Generating Keys</H4>
+</OL>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039814">
+ </A>
+The <CODE CLASS="Program-Process">
+dnssec-keygen</CODE>
+ program is used to generate keys.</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039815">
+ </A>
+A secure zone must contain one or more zone keys.  The zone keys will sign all other records in the zone, as well as the zone keys of any secure delegated zones.  Zone keys must have the same name as the zone, a name type of <CODE CLASS="Program-Process">
+ZONE</CODE>
+, and must be usable for authentication.  It is recommended that zone keys be mandatory to implement a cryptographic algorithm; currently the only key mandatory to implement an algorithm is DSA.</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039816">
+ </A>
+The following command will generate a 768 bit DSA key for the <EM CLASS="pathname">
+child.example</EM>
+ zone:</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039817">
+ </A>
+<EM CLASS="grammar_literal">
+dnssec-keygen</EM>
+ <EM CLASS="grammar_literal">
+-a</EM>
+ <EM CLASS="variable">
+DSA</EM>
+ <EM CLASS="grammar_literal">
+-b</EM>
+ <EM CLASS="variable">
+768</EM>
+ <EM CLASS="grammar_literal">
+-n</EM>
+ <EM CLASS="variable">
+ZONE</EM>
+ <EM CLASS="pathname">
+child.example</EM>
+.</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039818">
+ </A>
+Two output files will be produced: <EM CLASS="pathname">
+Kchild.example.+003+12345.key</EM>
+ and <EM CLASS="pathname">
+Kchild.example.+003+12345.private</EM>
+ (where 12345 is an example of a key identifier).  The key file names contain the key name (<EM CLASS="pathname">
+child.example</EM>
+), algorithm (3 is DSA, 1 is RSA, etc.), and the key identifier (12345 in this case).  The private key (in the <EM CLASS="pathname">
+.private</EM>
+ file) is used to generate signatures, and the public key (in the <EM CLASS="pathname">
+.key</EM>
+ file) is used for signature verification.</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039819">
+ </A>
+To generate another key with the same properties, repeat the above command.</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039820">
+ </A>
+The public keys should be inserted into the zone file with $<CODE CLASS="Program-Process">
+INCLUDE</CODE>
+ statements.</P>
+</DIV>
+<DIV>
+<OL>
+<H4 CLASS="3Level">
+<A NAME="pgfId=1039821">
+ </A>
+4.6.2	Creating a Keyset</H4>
+</OL>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039822">
+ </A>
+The <CODE CLASS="Program-Process">
+dnssec-makekeyset</CODE>
+ program is used to create a key set from one or more keys.</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039823">
+ </A>
+Once the zone keys have been generated, a key set must be built for transmission to the administrator of the parent zone, so that the parent zone can sign the keys with its own zone key and correctly indicate the security status of this zone.  When building a key set, the list of keys to be included and the TTL of the set must be specified, and the desired signature validity period of the parent's signature may also be specified.</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039824">
+ </A>
+The list of keys to be inserted into the key set may also included non-zone keys present at the apex.  <CODE CLASS="Program-Process">
+dnssec-makekeyset</CODE>
+ may also be used at non-apex names.</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039825">
+ </A>
+The following command generates a key set containing the above key and another key similarly generated, with a TTL of 3600 and a signature validity period of 10 days starting from now.</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039826">
+ </A>
+<EM CLASS="grammar_literal">
+dnssec-makekeyset</EM>
+ <EM CLASS="grammar_literal">
+-t</EM>
+ <EM CLASS="variable">
+3600</EM>
+ <EM CLASS="grammar_literal">
+-s</EM>
+ <EM CLASS="variable">
+now</EM>
+ <EM CLASS="grammar_literal">
+-e</EM>
+ <EM CLASS="variable">
+now+864000</EM>
+ <EM CLASS="pathname">
+Kchild.example.+003+12345</EM>
+<EM CLASS="Optional-meta-syntax">
+ \</EM>
+ <EM CLASS="pathname">
+Kchild.example.+003+23456</EM>
+</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039827">
+ </A>
+One output file is produced: <EM CLASS="pathname">
+child.example.keyset</EM>
+.  This file should be transmitted to the parent to be signed.  It includes the keys, as well as signatures over the key set generated by the zone keys themselves, which are used to prove ownership of the private keys and encode the desired validity period.</P>
+</DIV>
+<DIV>
+<OL>
+<H4 CLASS="3Level">
+<A NAME="pgfId=1039828">
+ </A>
+4.6.3	Signing the Child's Keyset</H4>
+</OL>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039829">
+ </A>
+The <CODE CLASS="Program-Process">
+dnssec-signkey</CODE>
+ program is used to sign one child's keyset.</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039830">
+ </A>
+If the <EM CLASS="pathname">
+child.example</EM>
+ zone has any delegations which are secure, for example, <EM CLASS="pathname">
+grand.child.example</EM>
+, the <EM CLASS="pathname">
+child.example</EM>
+ administrator should receive keyset files for each secure subzone.  These keys must be signed by this zone's zone keys.</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039831">
+ </A>
+The following command signs the child's key set with the zone keys:</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039832">
+ </A>
+<EM CLASS="grammar_literal">
+dnssec-signkey</EM>
+ <EM CLASS="pathname">
+grand.child.example.keyset</EM>
+ <EM CLASS="pathname">
+Kchild.example.+003+12345 </EM>
+<EM CLASS="Optional-meta-syntax">
+\ </EM>
+<EM CLASS="pathname">
+Kchild.example.+003+23456</EM>
+</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039833">
+ </A>
+One output file is produced: <EM CLASS="pathname">
+grand.child.example.signedkey</EM>
+. This file should be both transmitted back to the child and retained.  It includes all keys (the child's keys) from the keyset file and signatures generated by this zone's zone keys.</P>
+</DIV>
+<DIV>
+<OL>
+<H4 CLASS="3Level">
+<A NAME="pgfId=1040038">
+ </A>
+4.6.4	Signing the Zone</H4>
+</OL>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1040039">
+ </A>
+The <CODE CLASS="Program-Process">
+dnssec-signzone</CODE>
+ program is used to sign a zone.</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1040040">
+ </A>
+Any <EM CLASS="pathname">
+signedkey</EM>
+ files corresponding to secure subzones should be present, as well as a <EM CLASS="pathname">
+signedkey</EM>
+ file for this zone generated by the parent (if there is one). The zone signer will generate <CODE CLASS="Program-Process">
+NXT</CODE>
+ and <CODE CLASS="Program-Process">
+SIG</CODE>
+ records for the zone, as well as incorporate the zone key signature from the parent and indicate the security status at all delegation points.</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039837">
+ </A>
+The following command signs the zone, assuming it is in a file called <EM CLASS="pathname">
+zone.child.example</EM>
+.  By default, all zone keys which have an available private key are used to generate signatures.:</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039838">
+ </A>
+<EM CLASS="grammar_literal">
+dnssec-signzone</EM>
+ <EM CLASS="grammar_literal">
+-o</EM>
+ <EM CLASS="pathname">
+child.example zone.child.example</EM>
+</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039839">
+ </A>
+One output file is produced: <EM CLASS="pathname">
+zone.child.example.signed</EM>
+. This file should be referenced by <CODE CLASS="Program-Process">
+named.conf</CODE>
+ as the input file for the zone.</P>
+</DIV>
+<DIV>
+<OL>
+<H4 CLASS="3Level">
+<A NAME="pgfId=1039840">
+ </A>
+4.6.5	Configuring Servers</H4>
+</OL>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039841">
+ </A>
+Unlike in BIND 8, data is not verified on load in BINDv9, so zone keys for authoritative zones do not need to be specified in the configuration file.</P>
+<P CLASS="2LevelContinued">
+<A NAME="pgfId=1039842">
+ </A>
+The public key for any security root must be present in the configuration file's trusted-keys statement, as described later in this document. </P>
+</DIV>
 </DIV>
 <DIV>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997563">
-</A>
-4.6	IPv6</H3>
+ </A>
+4.7	IPv6</H3>
 </OL>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997564">
-</A>
-4.6.1	IPv6 addresses (A6)</H4>
+ </A>
+4.7.1	IPv6 addresses (A6)</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997565">
-</A>
+ </A>
 IPv6 addresses are 128-bit identifiers for interfaces and sets of interfaces which were introduced in the DNS to facilitate scalable Internet routing. There are three types of addresses: <EM CLASS="Emphasis">
 Unicast</EM>
 , an identifier for a single interface; <EM CLASS="Emphasis">
@@ -775,208 +918,208 @@ Multicast</EM>
 , an identifier for a set of interfaces. Here we describe the global Unicast address scheme. For more information, see RFC 2374.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997566">
-</A>
+ </A>
 The aggregatable global Unicast address format is as follows:</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997628">
-</A>
+ </A>
 &nbsp;</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997569">
-</A>
+ </A>
 3</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997571">
-</A>
+ </A>
 13</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997573">
-</A>
+ </A>
 8</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997575">
-</A>
+ </A>
 24</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997577">
-</A>
+ </A>
 16</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997579">
-</A>
+ </A>
 64 bits</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997581">
-</A>
+ </A>
 FP</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997583">
-</A>
+ </A>
 TLA ID</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997585">
-</A>
+ </A>
 RES</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997587">
-</A>
+ </A>
 NLA ID</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997589">
-</A>
+ </A>
 SLA ID</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997591">
-</A>
+ </A>
 Interface ID</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="4">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997593">
-</A>
-&lt;------- Public Topology -------&gt;</P>
+ </A>
+&lt;------ Public Topology ------&gt;</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997601">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997603">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997605">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997607">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997609">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997611">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997613">
-</A>
-&lt;--Site Topology--&gt;</P>
+ </A>
+&lt;-Site Topology-&gt;</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997615">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997617">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997619">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997621">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997623">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997625">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=997627">
-</A>
+ </A>
 &lt;------ Interface Identifier ------&gt;</P>
 </TD>
 </TR>
 </TABLE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997666">
-</A>
+ </A>
 Where</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997631">
-</A>
+ </A>
 FP</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997633">
-</A>
+ </A>
 =</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997635">
-</A>
+ </A>
 Format Prefix (001)</P>
 </TD>
 </TR>
@@ -984,19 +1127,19 @@ Format Prefix (001)</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997637">
-</A>
+ </A>
 TLA ID</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997639">
-</A>
+ </A>
 =</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997641">
-</A>
+ </A>
 Top-Level Aggregation Identifier</P>
 </TD>
 </TR>
@@ -1004,19 +1147,19 @@ Top-Level Aggregation Identifier</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997643">
-</A>
+ </A>
 RES</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997645">
-</A>
+ </A>
 =</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997647">
-</A>
+ </A>
 Reserved for future use</P>
 </TD>
 </TR>
@@ -1024,19 +1167,19 @@ Reserved for future use</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997649">
-</A>
+ </A>
 NLA ID</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997651">
-</A>
+ </A>
 =</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997653">
-</A>
+ </A>
 Next-Level Aggregation Identifier</P>
 </TD>
 </TR>
@@ -1044,19 +1187,19 @@ Next-Level Aggregation Identifier</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997655">
-</A>
+ </A>
 SLA ID</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997657">
-</A>
+ </A>
 =</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997659">
-</A>
+ </A>
 Site-Level Aggregation Identifier</P>
 </TD>
 </TR>
@@ -1064,63 +1207,71 @@ Site-Level Aggregation Identifier</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997661">
-</A>
+ </A>
 INTERFACE ID</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997663">
-</A>
+ </A>
 =</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997665">
-</A>
+ </A>
 Interface Identifier</P>
 </TD>
 </TR>
 </TABLE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997667">
-</A>
-The `Public Topology' is provided by the upstream provider or ISP, and (roughly) corresponds to the IPv4 `network' section of the address range. The `Site Topology' is where you can subnet this space, much like subnetting an IPv4 class A or B network into class Cs. The `Interface Identifier' is the address of an individual interface on a given network. (With IPv6, addresses belong to interfaces rather than machines.)</P>
+ </A>
+The <EM CLASS="Emphasis">
+Public Topology</EM>
+ is provided by the upstream provider or ISP, and (roughly) corresponds to the IPv4 <EM CLASS="Emphasis">
+network</EM>
+ section of the address range. The <EM CLASS="Emphasis">
+Site Topology</EM>
+ is where you can subnet this space, much like subnetting an IPv4 class A or B network into class Cs. The <EM CLASS="Emphasis">
+Interface Identifier</EM>
+ is the address of an individual interface on a given network. (With IPv6, addresses belong to interfaces rather than machines.)</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997668">
-</A>
+ </A>
 The subnetting capability of IPv6 is much more flexible than that of IPv4: subnetting can now be carried out on bit boundaries, in much the same way as Classless InterDomain Routing (CIDR).</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997669">
-</A>
-The internal structure of the `Public Topology' for an A6 global unicast address consists of:</P>
+ </A>
+The internal structure of the Public Topology for an A6 global unicast address consists of:</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997687">
-</A>
+ </A>
 &nbsp;</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997672">
-</A>
+ </A>
 3</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997674">
-</A>
+ </A>
 13</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997676">
-</A>
+ </A>
 8</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997678">
-</A>
+ </A>
 24</P>
 </TD>
 </TR>
@@ -1128,379 +1279,380 @@ The internal structure of the `Public Topology' for an A6 global unicast address
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997680">
-</A>
+ </A>
 FP</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997682">
-</A>
+ </A>
 TLA ID</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997684">
-</A>
+ </A>
 RES</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997686">
-</A>
+ </A>
 NLA ID</P>
 </TD>
 </TR>
 </TABLE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997688">
-</A>
+ </A>
 A 3 bit FP (Format Prefix) of 001 indicates this is a global unicast address. FP lengths for other types of addresses may vary.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997689">
-</A>
+ </A>
 13 TLA (Top Level Aggregator) bits give the prefix of your top-level IP backbone carrier.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997690">
-</A>
+ </A>
 8 Reserved bits</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997691">
-</A>
+ </A>
 24 bits for Next Level Aggregators. This allows organizations with a TLA to hand out portions of their IP space to client organizations, so that the client can then split up the network further by filling in more NLA bits, and hand out IPv6 prefixes to their clients, and so forth.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997692">
-</A>
-There is no particular structure for the `Site topology' section. Organizations can allocate these bits in any way they desire, in the same way as they would subnet an IPv4 class A (8 bit prefix) network.</P>
+ </A>
+There is no particular structure for the Site topology section. Organizations can allocate these bits in any way they desire, in the same way as they would subnet an IPv4 class A (8 bit prefix) network.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997693">
-</A>
-The Interface identifier must be unique on that network. On ethernet networks, one way to ensure this is to set the address to the first three bytes of the hardware address, `FFFE', then the last three bytes of the hardware address. The lowest significant bit of the first byte should then be complemented. Addresses are written as 32-bit blocks separated with a colon, and leading zeros of a block may be omitted, for example:</P>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997694"></A>
-3ffe:8050:201:9:a00:20ff:fe81:2b32</PRE>
+ </A>
+The Interface identifier must be unique on that network. On ethernet networks, one way to ensure this is to set the address to the first three bytes of the hardware address, &quot;FFFE&quot;, then the last three bytes of the hardware address. The lowest significant bit of the first byte should then be complemented. Addresses are written as 32-bit blocks separated with a colon, and leading zeros of a block may be omitted, for example:</P>
+ 
+<PRE>
+<CODE>3ffe:8050:201:9:a00:20ff:fe81:2b32
+</CODE>
+</PRE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997695">
-</A>
-IPv6 address specifications are likely to contain long strings of zeros, so the architects have included a shorthand for specifying them. The double colon `::' indicates the longest possible string of zeros that can fit, and can be used only once in an address.</P>
+ </A>
+IPv6 address specifications are likely to contain long strings of zeros, so the architects have included a shorthand for specifying them. The double colon (&quot;::&quot;) indicates the longest possible string of zeros that can fit, and can be used only once in an address.</P>
 </DIV>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997696">
-</A>
-4.6.2	Name to Address Lookup</H4>
+ </A>
+4.7.2	Name to Address Lookup</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997697">
-</A>
+ </A>
 Forward name lookups (host name to IP address) under IPv6 do not necessarily return the complete IPv6 address of the host. Because the provider-assigned prefix may change, the A6 record can simply specify the locally assigned portion of the name, and refer to the provider for the remainder.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997698">
-</A>
+ </A>
 A complete IPv6 A6 record that provides the full 128 bit address looks like:</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997730">
-</A>
+ </A>
 &nbsp;</P>
+
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="5">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997701">
-</A>
+ </A>
 $ORIGIN example.com.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997711">
-</A>
+ </A>
 ; NAME</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997713">
-</A>
+ </A>
 TTL TYPE</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997715">
-</A>
+ </A>
 BITS IN REFERRAL</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997717">
-</A>
+ </A>
 ADDRESS</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997719">
-</A>
+ </A>
 REFERRAL</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997721">
-</A>
+ </A>
 host.example.com.</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997723">
-</A>
+ </A>
 1h IN A6</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997725">
-</A>
+ </A>
 0</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997727">
-</A>
+ </A>
 3ffe:8050:201:9:a00:20ff:fe81:2b32</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997729">
-</A>
+ </A>
 .</P>
 </TD>
 </TR>
 </TABLE>
-</TABLE>
-</TABLE>
-</TABLE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997731">
-</A>
+ </A>
 Note that the number preceding the address is the number of bits to be provided via the referral. This is probably the easiest way to roll out an IPv6 installation, though you may wish to provide a reference to your provider assigned prefix:</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997763">
-</A>
+ </A>
 &nbsp;</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="5">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997734">
-</A>
+ </A>
 $ORIGIN example.com.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997744">
-</A>
+ </A>
 ; NAME</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997746">
-</A>
+ </A>
 TTL TYPE</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997748">
-</A>
+ </A>
 BITS IN REFERRAL</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997750">
-</A>
+ </A>
 ADDRESS</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997752">
-</A>
+ </A>
 REFERRAL</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997754">
-</A>
+ </A>
 host.example.com.</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997756">
-</A>
+ </A>
 1h IN A6</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997758">
-</A>
+ </A>
 48</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997760">
-</A>
+ </A>
 ::9:a00:20ff:fe81:2b32</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997762">
-</A>
+ </A>
 prefix.example2.com.</P>
 </TD>
 </TR>
 </TABLE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997764">
-</A>
+ </A>
 Then, in example2.com's zone:</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997796">
-</A>
+ </A>
 &nbsp;</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="5">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997767">
-</A>
+ </A>
 $ORIGIN example.com.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997777">
-</A>
+ </A>
 ; NAME</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997779">
-</A>
+ </A>
 TTL TYPE</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997781">
-</A>
+ </A>
 BITS IN REFERRAL</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997783">
-</A>
+ </A>
 ADDRESS</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997785">
-</A>
+ </A>
 REFERRAL</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997787">
-</A>
+ </A>
 prefix.example2.com.</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997789">
-</A>
+ </A>
 1h IN A6</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997791">
-</A>
+ </A>
 0</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997793">
-</A>
+ </A>
 3ffe:8050:201::</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody-fixedfont">
+<P CLASS="CellBody-fixedFontMed">
 <A NAME="pgfId=997795">
-</A>
+ </A>
 .</P>
 </TD>
 </TR>
 </TABLE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997797">
-</A>
-The referral where there are no more bits is to `.', the root zone. Be warned that excessive use of this chaining can lead to extremely poor name resolution for people trying to access your hosts.</P>
+ </A>
+The referral where there are no more bits is to &quot;.&quot;, the root zone. Be warned that excessive use of this chaining can lead to extremely poor name resolution for people trying to access your hosts.</P>
 </DIV>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997798">
-</A>
-4.6.3	Address to Name Lookup</H4>
+ </A>
+4.7.3	Address to Name Lookup</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997799">
-</A>
+ </A>
 Reverse IPv6 addresses may appear as one or more hex strings, known as &quot;bitstring labels,&quot; each followed by a number of valid bits. A full 128 bits may be specified at the ip6.int top level, or more likely, the provider will delegate you a smaller chunk of addresses for which you will need to supply reverse DNS.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997800">
-</A>
-The address can be split up along arbitrary boundaries, and is written with hex numbers in forward order, rather than in reverse order as IPv4 PTR records are written. The sections between dot separators are reversed as usual. If the number of valid bits in the hex string is less than the string specifies, it is the <EM CLASS="CharFmt">
+ </A>
+The address can be split up along arbitrary boundaries, and is written with hex numbers in forward order, rather than in reverse order as IPv4 PTR records are written. The sections between dot separators are reversed as usual. If the number of valid bits in the hex string is less than the string specifies, it is the <EM CLASS="Emphasis-underline">
 first N bits</EM>
  that are counted. Thus, \[x2/3] gives a bit pattern of 0010, the first three bits of which, 001, are valid.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997801">
-</A>
+ </A>
 The address above, then, is:</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997802">
-</A>
-<CODE CLASS="Program-Process">
-\[x3FFE8050020100090A0020FFFE812B32/128].ip6.int.</CODE>
+ </A>
+<EM CLASS="pathname">
+\[x3FFE8050020100090A0020FFFE812B32/128].ip6.int.</EM>
  (not divided)</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997803">
-</A>
-<CODE CLASS="Program-Process">
-\[x00090A0020FFFE812B32/80].\[xFFF402801008/45].\[x2/3].ip6.int.</CODE>
+ </A>
+<EM CLASS="pathname">
+\[x00090A0020FFFE812B32/80].\[xFFF402801008/45].\[x2/3].ip6.int.</EM>
  (divided into FP, TLA/RES/NLA, and local)</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997807">
-</A>
-<CODE CLASS="Program-Process">
-\[x00090A0020FFFE812B32/80].\[x80500201/32].\[xFFF0/13].\[x2/3].ip6.int.</CODE>
+ </A>
+<EM CLASS="pathname">
+\[x00090A0020FFFE812B32/80].\[x80500201/32].\[xFFF0/13].\[x2/3].ip6.int.</EM>
  (divided into FP, TLA, RES/NLA, and local)</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997808">
-</A>
+ </A>
 These strings are all equivalent. The combined TLA/RES/NLA in the second example bears no resemblance to any string in the address because it is offset by three bits.</P>
 </DIV>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997809">
-</A>
-4.6.4	Using DNAME for Delegation of IPv6 Reverse Addresses</H4>
+ </A>
+4.7.4	Using DNAME for Delegation of IPv6 Reverse Addresses</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997810">
-</A>
+ </A>
 Delegation of reverse addresses is done through the new DNAME RR. In the example above, where <EM CLASS="Emphasis">
 \[x2/3].ip6.int.</EM>
  needs to delegate<CODE CLASS="Program-Process">
@@ -1514,45 +1666,51 @@ example2.com</EM>
 ), the domain administrator would insert a line similar to the following in the <EM CLASS="Emphasis">
 \[x2/3].ip6.int.</EM>
  zone:</P>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997811"></A>
+
+<PRE>
+CODE> 
 $ORIGIN \[x2/3].ip6.int.
-\[xFFF0/13] 1h IN DNAME ip6.example2.com.</PRE>
+\[xFFF0/13] 1h IN DNAME ip6.example2.com.
+</CODE>
+</PRE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997813">
-</A>
+ </A>
 <EM CLASS="Emphasis">
 example2.com</EM>
  would then place into the <EM CLASS="Emphasis">
 ip6 </EM>
 zone:</P>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997814"></A>
+ 
+<PRE>
+<CODE>
 $ORIGIN ip6.example.com.
-\[x80500201/32] 1h IN DNAME ip6.example.com.</PRE>
+\[x80500201/32] 1h IN DNAME ip6.example.com.
+</CODE>
+</PRE>
+
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997816">
-</A>
+ </A>
 Finally, <EM CLASS="Emphasis">
 example.com </EM>
 needs to include in the <EM CLASS="Emphasis">
 ip6.example.com</EM>
  zone:</P>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997817"></A>
+ 
+<PRE>
+<CODE>
 $ORIGIN ip6.example.com.
-\[x00090A0020FFFE812B32/80] 1h IN PTR host.example.com.</PRE>
+\[x00090A0020FFFE812B32/80] 1h IN PTR host.example.com.</CODE>
+</PRE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997819">
-</A>
+ </A>
 We suggest that the top of your administrative control (<EM CLASS="Emphasis">
 example.com</EM>
-, in this case) provide all the bits required for reverse and forward resolution to allow name resolution even if the network is disconnected from the Internet. This will also allow operation with DNSSEC if you set up a false trusted server for &quot;.&quot; containing only  delegations for your forward and reverse zones directly to the top of your administrative control. This should be signed with a key trusted by all of your clients, equivalent to the real key for &quot;<CODE CLASS="Program-Process">
-.</CODE>
-&quot;. </P>
-<P CLASS="Body">
-<A NAME="pgfId=997347">
-</A>
-&nbsp;</P>
+, in this case) provide all the bits required for reverse and forward resolution to allow name resolution even if the network is disconnected from the Internet. This will also allow operation with DNSSEC if you set up a false trusted server for &quot;.&quot; containing only  delegations for your forward and reverse zones directly to the top of your administrative control. This should be signed with a key trusted by all of your clients, equivalent to the real key for &quot;.&quot;. </P>
 </DIV>
 </DIV>
-<p>Return to <A href="BV9ARM.html">BINDv9 Administrator Reference Manual</A> table of contents.</p>
+<p>Return to <A href="Bv9ARM.html">BINDv9 Administrator Reference Manual</A> 
 </BODY>
 </HTML>
diff --git a/doc/arm/BV9ARM.5.html b/doc/arm/Bv9ARM.5.html
index 97433beb..1f64433a 100644..100755
--- a/doc/arm/BV9ARM.5.html
+++ b/doc/arm/Bv9ARM.5.html
@@ -1,57 +1,57 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML EXPERIMENTAL 970324//EN">
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML EXPERIMENTAL 970324//EN">
 <HTML>
 <HEAD>
 <META NAME="GENERATOR" CONTENT="Adobe FrameMaker 5.5/HTML Export Filter">
-<LINK REL="STYLESHEET" HREF="BV9ARM.css">
+<LINK REL="STYLESHEET" HREF="Bv9ARM.css">
 <TITLE> Section 5.	BINDv9 Configuration Reference</TITLE></HEAD>
 <BODY BGCOLOR="#ffffff">
 <OL>
 <H1 CLASS="1Level">
 <A NAME="pgfId=997350">
-</A>
+ </A>
 Section 5.	BINDv9 Configuration Reference</H1>
 </OL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997351">
-</A>
-BINDv9 configuration is broadly similar to BIND 8.x; however, there are a few new areas of configuration, such as views. BIND 8.x configuration files should work with few alterations in BINDv9, although more complex configurations should be reviewed to check if they can be more efficiently implemented using the new features found in BIND 9.</P>
+ </A>
+BINDv9 configuration is broadly similar to BIND 8.x; however, there are a few new areas of configuration, such as views. BIND 8.x configuration files should work with few alterations in BINDv9, although more complex configurations should be reviewed to check if they can be more efficiently implemented using the new features found in BINDv9.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997352">
-</A>
-BIND 4.9.x configuration files can be converted to the new format by using the Perl script <CODE CLASS="Program-Process">
-src/bin/named/named-bootconf.pl</CODE>
+ </A>
+BIND 4.9.x configuration files can be converted to the new format by using the Perl script <EM CLASS="pathname">
+src/bin/named/named-bootconf.pl</EM>
  from the BIND 8 release kit.</P>
 <DIV>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997353">
-</A>
+ </A>
 5.1	Configuration file elements</H3>
 </OL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997354">
-</A>
+ </A>
 Following is a list of elements used throughout the BIND configuration file documentation:</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997410">
-</A>
+ </A>
 &nbsp;</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1022979">
-</A>
-<CODE CLASS="Program-Process">
-acl_name</CODE>
-</H6>
+ </A>
+<EM CLASS="variable">
+acl_name</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1022981">
-</A>
-The name of an <CODE CLASS="Program-Process">
-address_match_list</CODE>
+ </A>
+The name of an <EM CLASS="variable">
+address_match_list</EM>
  as defined by the <CODE CLASS="Program-Process">
 acl</CODE>
  statement.</P>
@@ -59,58 +59,72 @@ acl</CODE>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1022983">
-</A>
-<CODE CLASS="Program-Process">
-address_match_list</CODE>
-</H6>
+ </A>
+<EM CLASS="variable">
+address_match_list</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1022985">
-</A>
-A list of one or more <CODE CLASS="Program-Process">
-ip_addr, ip_prefix, key_id, </CODE>
-or <CODE CLASS="Program-Process">
-acl_name</CODE>
- elements, as described in <A HREF="BV9ARM.5.html#28183" CLASS="XRef">
+ </A>
+A list of one or more <EM CLASS="variable">
+ip_addr</EM>
+<CODE CLASS="Program-Process">
+, </CODE>
+<EM CLASS="variable">
+ip_prefix</EM>
+<CODE CLASS="Program-Process">
+, </CODE>
+<EM CLASS="variable">
+key_id</EM>
+<CODE CLASS="Program-Process">
+, </CODE>
+or <EM CLASS="variable">
+acl_name</EM>
+ elements, as described in <A HREF="Bv9ARM.5.html#28183" CLASS="XRef">
 Address Match Lists</A>
 .</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1022990">
-</A>
-<CODE CLASS="Program-Process">
-domain_name</CODE>
-</H6>
+ </A>
+<EM CLASS="variable">
+domain_name</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1022992">
-</A>
-A quoted string which will be used as a DNS name, for example &quot;<EM CLASS="URL">
+ </A>
+A quoted string which will be used as a DNS name, for example <EM CLASS="grammar_literal">
+&quot;</EM>
+<EM CLASS="URL">
 my.test.domain</EM>
-&quot;.</P>
+<EM CLASS="grammar_literal">
+&quot;</EM>
+.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1022994">
-</A>
-<CODE CLASS="Program-Process">
-dotted_decimal</CODE>
-</H6>
+ </A>
+<EM CLASS="variable">
+dotted_decimal</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1022996">
-</A>
-One or more integers valued 0 through 255 separated only by dots (&quot;.&quot;), such as <CODE CLASS="Program-Process">
+ </A>
+One or more integers valued 0 through 255 separated only by dots (`.'), such as <CODE CLASS="Program-Process">
 123</CODE>
 , <CODE CLASS="Program-Process">
 45.67</CODE>
@@ -121,34 +135,35 @@ One or more integers valued 0 through 255 separated only by dots (&quot;.&quot;)
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1022998">
-</A>
-<CODE CLASS="Program-Process">
-ip4_addr</CODE>
-</H6>
+ </A>
+<EM CLASS="variable">
+ip4_addr</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023000">
-</A>
-An IPv4 address with exactly four elements in <CODE CLASS="Program-Process">
-dotted_decimal</CODE>
+ </A>
+An IPv4 address with exactly four elements in <EM CLASS="variable">
+dotted_decimal</EM>
  notation.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023033">
-</A>
-<CODE CLASS="Program-Process">
-ip6_addr</CODE></H6>
+ </A>
+<EM CLASS="variable">
+ip6_addr</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023035">
-</A>
+ </A>
 An IPv6 address, like <CODE CLASS="Program-Process">
 fe80::200:f8ff:fe01:9742</CODE>
 .</P>
@@ -156,59 +171,62 @@ fe80::200:f8ff:fe01:9742</CODE>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023098">
-</A>
-<CODE CLASS="Program-Process">
-ip_addr</CODE></H6>
+ </A>
+<EM CLASS="variable">
+ip_addr</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023100">
-</A>
-An <CODE CLASS="Program-Process">
-ip4_addr</CODE>
+ </A>
+An <EM CLASS="variable">
+ip4_addr</EM>
  or<CODE CLASS="Program-Process">
- ip6_addr</CODE>
+ </CODE>
+<EM CLASS="variable">
+ip6_addr</EM>
 .</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023002">
-</A>
-<CODE CLASS="Program-Process">
-ip_port</CODE>
-</H6>
+ </A>
+<EM CLASS="variable">
+ip_port</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023004">
-</A>
-An IP port <CODE CLASS="Program-Process">
-number</CODE>
-.  <CODE CLASS="Program-Process">
-number</CODE>
- is limited to 0 through 65535, with values below 1024 typically restricted to root-owned processes. In some cases an asterisk (*) character can be used as a placeholder to select a random high-numbered port.</P>
+ </A>
+An IP port <EM CLASS="variable">
+number</EM>
+.  <EM CLASS="variable">
+number</EM>
+ is limited to 0 through 65535, with values below 1024 typically restricted to root-owned processes. In some cases an asterisk (`*') character can be used as a placeholder to select a random high-numbered port.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023006">
-</A>
-<CODE CLASS="Program-Process">
-ip_prefix</CODE>
-</H6>
+ </A>
+<EM CLASS="variable">
+ip_prefix</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023008">
-</A>
-An IP network specified as an <CODE CLASS="Program-Process">
-ip_addr</CODE>
-, followed by &quot;/'' and then the number of bits in the netmask. E.g. <CODE CLASS="Program-Process">
+ </A>
+An IP network specified as an <EM CLASS="variable">
+ip_addr</EM>
+, followed by a slash (`/') and then the number of bits in the netmask. For example, <CODE CLASS="Program-Process">
 127/8</CODE>
  is the network <CODE CLASS="Program-Process">
 127.0.0.0</CODE>
@@ -225,135 +243,143 @@ ip_addr</CODE>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023010">
-</A>
-<CODE CLASS="Program-Process">
-key_name</CODE>
-</H6>
+ </A>
+<EM CLASS="variable">
+key_name</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023012">
-</A>
-A <CODE CLASS="Program-Process">
-domain_name</CODE>
+ </A>
+A <EM CLASS="variable">
+domain_name</EM>
  representing the name of a shared key, to be used for transaction security.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023014">
-</A>
-<CODE CLASS="Program-Process">
-number</CODE>
-</H6>
+ </A>
+<EM CLASS="variable">
+number</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023016">
-</A>
+ </A>
 A non-negative integer with an entire range limited by the range of a C language signed integer (2,147,483,647 on a machine with 32 bit integers). Its acceptable value might further be limited by the context in which it is used.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023018">
-</A>
-<CODE CLASS="Program-Process">
-path_name</CODE>
-</H6>
+ </A>
+<EM CLASS="variable">
+path_name</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023020">
-</A>
-A quoted string which will be used as a pathname, such as &quot;<EM CLASS="pathname">
+ </A>
+A quoted string which will be used as a pathname, such as <EM CLASS="grammar_literal">
+&quot;</EM>
+<EM CLASS="pathname">
 zones/master/my.test.domain</EM>
-&quot;.</P>
+<EM CLASS="grammar_literal">
+&quot;</EM>
+.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023022">
-</A>
-<CODE CLASS="Program-Process">
-size_spec</CODE>
-</H6>
+ </A>
+<EM CLASS="variable">
+size_spec</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023024">
-</A>
-A number, the word <CODE CLASS="Program-Process">
-unlimited</CODE>
-, or the word <CODE CLASS="Program-Process">
-default</CODE>
+ </A>
+A number, the word <EM CLASS="variable">
+unlimited</EM>
+, or the word <EM CLASS="variable">
+default</EM>
 .</P>
 <P CLASS="CellBody">
 <A NAME="pgfId=1023025">
-</A>
-The maximum value of <CODE CLASS="Program-Process">
-size_spec</CODE>
- is that of unsigned long integers on the machine.  <CODE CLASS="Program-Process">
-unlimited</CODE>
- requests unlimited use, or the maximum available amount. <CODE CLASS="Program-Process">
-default</CODE>
+ </A>
+The maximum value of <EM CLASS="variable">
+size_spec</EM>
+ is that of unsigned long integers on the machine. An <EM CLASS="variable">
+unlimited</EM>
+ <EM CLASS="variable">
+size_spec</EM>
+ requests unlimited use, or the maximum available amount. A <EM CLASS="variable">
+default size_spec</EM>
  uses the limit that was in force when the server was started.</P>
 <P CLASS="CellBody">
 <A NAME="pgfId=1023026">
-</A>
-A <CODE CLASS="Program-Process">
-number</CODE>
- can optionally be followed by a scaling factor: <CODE CLASS="Program-Process">
-K</CODE>
- or <CODE CLASS="Program-Process">
-k </CODE>
-for kilobytes, <CODE CLASS="Program-Process">
-M</CODE>
- or <CODE CLASS="Program-Process">
-m</CODE>
- for megabytes, and <CODE CLASS="Program-Process">
-G</CODE>
- or <CODE CLASS="Program-Process">
-g</CODE>
+ </A>
+A <EM CLASS="variable">
+number</EM>
+ can optionally be followed by a scaling factor: <EM CLASS="variable">
+K</EM>
+ or <EM CLASS="variable">
+k</EM>
+<CODE CLASS="Program-Process">
+ </CODE>
+for kilobytes, <EM CLASS="variable">
+M</EM>
+ or <EM CLASS="variable">
+m</EM>
+ for megabytes, and <EM CLASS="variable">
+G</EM>
+ or <EM CLASS="variable">
+g</EM>
  for gigabytes, which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.</P>
 <P CLASS="CellBody">
 <A NAME="pgfId=1023027">
-</A>
-Integer storage overflow is currently silently ignored during conversion of scaled values, resulting in values less than intended, possibly even negative. Using <CODE CLASS="Program-Process">
-unlimited</CODE>
+ </A>
+Integer storage overflow is currently silently ignored during conversion of scaled values, resulting in values less than intended, possibly even negative. Using <EM CLASS="variable">
+unlimited</EM>
  is the best way to safely set a really large number.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023029">
-</A>
-<CODE CLASS="Program-Process">
-yes_or_no</CODE>
-</H6>
+ </A>
+<EM CLASS="variable">
+yes_or_no</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023031">
-</A>
-Either <CODE CLASS="Program-Process">
-yes</CODE>
- or <CODE CLASS="Program-Process">
-no</CODE>
-. The words <CODE CLASS="Program-Process">
-true</CODE>
- and <CODE CLASS="Program-Process">
-false</CODE>
- are also accepted, as are the numbers <CODE CLASS="Program-Process">
-1</CODE>
- and <CODE CLASS="Program-Process">
-0</CODE>
+ </A>
+Either <EM CLASS="variable">
+yes</EM>
+ or <EM CLASS="variable">
+no</EM>
+. The words <EM CLASS="variable">
+true</EM>
+ and <EM CLASS="variable">
+false</EM>
+ are also accepted, as are the numbers <EM CLASS="variable">
+1</EM>
+ and <EM CLASS="variable">
+0</EM>
 .</P>
 </TD>
 </TR>
@@ -362,94 +388,87 @@ false</CODE>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997412">
-</A>
+ </A>
 5.1.1	<A NAME="28183">
-</A>
+ </A>
 Address Match Lists</H4>
 </OL>
 <DIV>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997413">
-</A>
+ </A>
 5.1.1.1	Syntax</H5>
 </OL>
 
-<PRE CLASS="4Level-fixed"><A NAME="pgfId=997414"></A><EM CLASS="production_target">address_match_list</EM><EM CLASS="Optional-meta-syntax"> = </EM><EM CLASS="variable">address_match_list_element</EM><EM CLASS="Optional-meta-syntax"> </EM><KBD CLASS="Literal-user-input">;</KBD><EM CLASS="Optional-meta-syntax"> [</EM><EM CLASS="variable">address_match_list_element</EM><KBD CLASS="Literal-user-input">;</KBD><EM CLASS="Optional-meta-syntax"> ... ]</EM>
-</PRE>
-<PRE CLASS="4Level-fixed"><A NAME="pgfId=1018549"></A><EM CLASS="production_target">address_match_list_element </EM><EM CLASS="Optional-meta-syntax">= [ </EM><KBD CLASS="Literal-user-input">!</KBD><EM CLASS="Optional-meta-syntax"> ]</EM><EM CLASS="production_target"> </EM><EM CLASS="Optional-meta-syntax">(</EM><EM CLASS="variable">ip_address</EM><EM CLASS="production_target"> </EM><EMCLASS="Optional-meta-syntax">[</EM><KBD CLASS="Literal-user-input">/</KBD><EM CLASS="variable">length</EM><EM CLASS="Optional-meta-syntax">] | </EM><KBD CLASS="Literal-user-input">key</KBD><EM CLASS="production_target"> </EM><EM CLASS="variable">key_id</EM><EM CLASS="Optional-meta-syntax"> |</EM><EM CLASS="production_target"> </EM><EM CLASS="variable">acl_name</EM><EM CLASS="production_target"> </EM><EM CLASS="Optional-meta-syntax">| </EM><KBD CLASS="Literal-user-input">{</KBD><EM CLASS="variable">address_match_list</EM><KBDCLASS="Literal-user-input">}</KBD><EMCLASS="Optional-meta-syntax">)</EM>
+<PRE>
+<CODE>
+address_match_list = <VAR>address_match_list_element</VAR> ;
+  [ <VAR>address_match_list_element</VAR>; ... ]
+address_match_list_element = [ <STRONG>!</STRONG> ] (<VAR>ip_address</VAR> [<STRONG>/</STRONG><VAR>length</VAR>] |
+   key <VAR>key_id</VAR> | <VAR>acl_name</VAR> | { <VAR>address_match_list</VAR> } )</CODE>
 </PRE>
 </DIV>
 <DIV>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997415">
-</A>
+ </A>
 5.1.1.2	Definition and Usage</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997416">
-</A>
-Address match lists are primarily used to determine access control for various server operations. They are also used to define priorities for querying other nameservers and to set the addresses on which named will listen for queries. The elements which constitute an address match list can be any of the following:</P>
+ </A>
+Address match lists are primarily used to determine access control for various server operations. They are also used to define priorities for querying other nameservers and to set the addresses on which <CODE CLASS="Program-Process">
+named</CODE>
+ will listen for queries. The elements which constitute an address match list can be any of the following:</P>
 <UL>
 <LI CLASS="4Level-bullet1">
 <A NAME="pgfId=997417">
-</A>
+ </A>
 an IP address (IPv4 or IPv6)</LI>
 <LI CLASS="4Level-bullet2">
 <A NAME="pgfId=997418">
-</A>
-an IP prefix (in the '/'-notation)</LI>
+ </A>
+an IP prefix (in the &quot;/&quot;-notation)</LI>
 <LI CLASS="4Level-bullet2">
 <A NAME="pgfId=997419">
-</A>
+ </A>
 a key ID, as defined by the key statement</LI>
 <LI CLASS="4Level-bullet2">
 <A NAME="pgfId=997420">
-</A>
+ </A>
 the name of an address match list previously defined with the <CODE CLASS="Program-Process">
 acl</CODE>
  statment</LI>
 <LI CLASS="4Level-bullet2">
 <A NAME="pgfId=997421">
-</A>
+ </A>
 a nested address match list enclosed in braces</LI>
 </UL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997422">
-</A>
-Elements can be negated with a leading exclamation mark (&quot;<CODE CLASS="Program-Process">
-!</CODE>
-&quot;), and the match list names &quot;<CODE CLASS="Program-Process">
-any</CODE>
-&quot;, &quot;<CODE CLASS="Program-Process">
-none</CODE>
-&quot;, &quot;<CODE CLASS="Program-Process">
-localhost</CODE>
-&quot; and &quot;<CODE CLASS="Program-Process">
-localnets</CODE>
-&quot; are predefined. More information on those names can be found in the description of the <CODE CLASS="Program-Process">
-acl</CODE>
- statement.</P>
+ </A>
+Elements can be negated with a leading exclamation mark (&quot;!&quot;), and the match list names &quot;any&quot;, &quot;none&quot;, &quot;localhost&quot; and &quot;localnets&quot; are predefined. More information on those names can be found in the description of the acl statement.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997423">
-</A>
+ </A>
 The addition of the key clause made the name of this syntactic element something of a misnomer, since security keys can be used to validate access without regard to a host or network address. Nonetheless, the term &quot;address match list&quot; is still used throughout the documentation.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997424">
-</A>
+ </A>
 When a given IP address or prefix is compared to an address match list, the list is traversed in order until an element matches. The interpretation of a match depends on whether the list is being used for access control, defining listen-on ports, or as a topology, and whether the element was negated.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997425">
-</A>
+ </A>
 When used as an access control list, a non-negated match allows access and a negated match denies access. If there is no match, access is denied. The clauses allow-query, allow-transfer, allow-update and blackhole all use address match lists like this. Similarly, the listen-on option will cause the server to not accept queries on any of the machine's addresses which do not match the list.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997426">
-</A>
+ </A>
 When used with the topology clause, a non-negated match returns a distance based on its position on the list (the closer the match is to the start of the list, the shorter the distance is between it and the server). A negated match will be assigned the maximum distance from the server. If there is no match, the address will get a distance which is further than any non-negated list element, and closer than any negated element.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997427">
-</A>
+ </A>
 Because of the first-match aspect of the algorithm, an element that defines a subset of another element in the list should come before the broader element, regardless of whether either is negated. For example, in<BR>
 <CODE CLASS="Program-Process">
 1.2.3/24; ! 1.2.3.13;</CODE>
@@ -462,23 +481,23 @@ Because of the first-match aspect of the algorithm, an element that defines a su
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997428">
-</A>
+ </A>
 5.1.2	Comment Syntax</H4>
 </OL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997429">
-</A>
+ </A>
 The BINDv9 comment syntax allows for comments to appear anywhere that white space may appear in a BIND configuration file. To appeal to programmers of all kinds, they can be written in C, C++, or shell/perl constructs.</P>
 <DIV>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997430">
-</A>
+ </A>
 5.1.2.1	Syntax</H5>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997431">
-</A>
+ </A>
 /* This is a BIND comment as in C */<BR>
 // This is a BIND comment as in C++<BR>
 # This is a BIND comment as in common UNIX shells and perl</P>
@@ -487,60 +506,60 @@ The BINDv9 comment syntax allows for comments to appear anywhere that white spac
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997432">
-</A>
+ </A>
 5.1.2.2	Definition and Usage</H5>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997433">
-</A>
+ </A>
 Comments may appear anywhere that whitespace may appear in a BIND configuration file.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997434">
-</A>
+ </A>
 C-style comments start with the two characters /* (slash, star) and end with */ (star, slash). Because they are completely delimited with these characters, they can be used to comment only a portion of a line or to span multiple lines.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997435">
-</A>
+ </A>
 C-style comments cannot be nested. For example, the following is not valid because the entire comment ends with the first */:</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997436">
-</A>
+ </A>
 /* This is the start of a comment.<BR>
    This is still part of the comment.<BR>
 /* This is an incorrect attempt at nesting a comment. */<BR>
    This is no longer in any comment. */</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997437">
-</A>
+ </A>
 C++-style comments start with the two characters // (slash, slash) and continue to the end of the physical line. They cannot be continued across multiple physical lines; to have one logical comment span multiple lines, each line must use the // pair.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997438">
-</A>
+ </A>
 For example:</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997439">
-</A>
+ </A>
 // This is the start of a comment.  The next line<BR>
 // is a new comment, even though it is logically<BR>
 // part of the previous comment.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997440">
-</A>
+ </A>
 Shell-style (or perl-style, if you prefer) comments start with the character # (number sign) and continue to the end of the physical line, like C++ comments.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997441">
-</A>
+ </A>
 For example:</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997442">
-</A>
+ </A>
 # This is the start of a comment.  The next line<BR>
 # is a new comment, even though it is logically<BR>
 # part of the previous comment.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997443">
-</A>
-WARNING: you cannot use the &quot;;&quot; (semicolon) character to start a comment such as you would in a zone file. The semicolon indicates the end of a configuration statement.</P>
+ </A>
+WARNING: you cannot use the semicolon (&quot;;&quot;) character to start a comment such as you would in a zone file. The semicolon indicates the end of a configuration statement.</P>
 </DIV>
 </DIV>
 </DIV>
@@ -548,53 +567,53 @@ WARNING: you cannot use the &quot;;&quot; (semicolon) character to start a comme
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997445">
-</A>
+ </A>
 5.2	<A NAME="40894">
-</A>
+ </A>
 Configuration File Grammar</H3>
 </OL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997446">
-</A>
+ </A>
 A BINDv9 configuration consists of statements and comments. Statements end with a semicolon. Statements and comments are the only elements that can appear without enclosing braces. Many statements contain a block of substatements, which are also terminated with a semicolon.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997447">
-</A>
+ </A>
 The following statements are supported:</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=1023879">
-</A>
+ </A>
 &nbsp;</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023840">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 acl</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023842">
-</A>
+ </A>
 defines a named IP address matching list, for access control and other uses</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023844">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 controls</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023846">
-</A>
+ </A>
 declares control channels to be used by the <CODE CLASS="Program-Process">
 rndc</CODE>
  utility</P>
@@ -602,33 +621,33 @@ rndc</CODE>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023848">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 include</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023850">
-</A>
+ </A>
 includes a file</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023852">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 key</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023854">
-</A>
+ </A>
 specifies key information for use in authentication and authorization using TSIG. See <EM CLASS="pathname">
 draft-ietf-dnsind-tsig-13.txt</EM>
  for more information.</P>
@@ -636,104 +655,104 @@ draft-ietf-dnsind-tsig-13.txt</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023856">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 logging</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023858">
-</A>
+ </A>
 specifies what the server logs, and where the log messages are sent</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023860">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 options</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023862">
-</A>
+ </A>
 controls global server configuration options and sets defaults for other statements</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023864">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 server</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023866">
-</A>
+ </A>
 sets certain configuration options on a per-server basis</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023868">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 trusted-keys</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023870">
-</A>
+ </A>
 defines keys that are preconfigured into the server and implicitly trusted. See RFC 2535 for more information.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023872">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 view</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023874">
-</A>
+ </A>
 defines a view</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023876">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 zone</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023878">
-</A>
+ </A>
 defines a zone</P>
 </TD>
 </TR>
 </TABLE>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=1023880">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 logging</CODE>
  and <CODE CLASS="Program-Process">
@@ -743,53 +762,56 @@ options</CODE>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=1023881">
-</A>
+ </A>
 5.2.1	<CODE CLASS="Program-Process">
 acl</CODE>
  Statement Grammar</H4>
 </OL>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997492"></A>
-acl <EM CLASS="variable">acl-name</EM> { 
-    <EM CLASS="variable">address_match_list</EM>
- };</PRE>
+ 
+<PRE>
+<CODE>
+acl <VAR>acl-name</VAR> { 
+    <VAR>address_match_list</VAR> 
+};</CODE>
+</PRE>
 </DIV>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997496">
-</A>
+ </A>
 5.2.2	<CODE CLASS="Program-Process">
 acl</CODE>
 <A NAME="14672">
-</A>
+ </A>
  Statement Definition and Usage</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997497">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 acl</CODE>
  statement assigns a symbolic name to an address match list. It gets its name from a primary use of address match lists: Access Control Lists (ACLs).</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997498">
-</A>
+ </A>
 Note that an address match list's name must be defined with <CODE CLASS="Program-Process">
 acl</CODE>
  before it can be used elsewhere; no forward references are allowed.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997499">
-</A>
+ </A>
 The following ACLs are built-in:</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997517">
-</A>
+ </A>
 &nbsp;</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
 <H6 CLASS="CellBody21">
 <A NAME="pgfId=997502">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 any</CODE>
 </H6>
@@ -797,7 +819,7 @@ any</CODE>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997504">
-</A>
+ </A>
 Matches all hosts.</P>
 </TD>
 </TR>
@@ -805,7 +827,7 @@ Matches all hosts.</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <H6 CLASS="CellBody21">
 <A NAME="pgfId=997506">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 none</CODE>
 </H6>
@@ -813,7 +835,7 @@ none</CODE>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997508">
-</A>
+ </A>
 Matches no hosts.</P>
 </TD>
 </TR>
@@ -821,7 +843,7 @@ Matches no hosts.</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <H6 CLASS="CellBody21">
 <A NAME="pgfId=997510">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 localhost</CODE>
 </H6>
@@ -829,7 +851,7 @@ localhost</CODE>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997512">
-</A>
+ </A>
 Matches the IP addresses of all interfaces on the system.</P>
 </TD>
 </TR>
@@ -837,7 +859,7 @@ Matches the IP addresses of all interfaces on the system.</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <H6 CLASS="CellBody21">
 <A NAME="pgfId=997514">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 localnets</CODE>
 </H6>
@@ -845,7 +867,7 @@ localnets</CODE>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997516">
-</A>
+ </A>
 Matches any host on a network for which the system has an interface.</P>
 </TD>
 </TR>
@@ -855,29 +877,35 @@ Matches any host on a network for which the system has an interface.</P>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997518">
-</A>
+ </A>
 5.2.3	<CODE CLASS="Program-Process">
-controls</CODE>
+control</CODE>
  Statement Grammar</H4>
 </OL>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997519"></A>
+ 
+<PRE>
+<CODE>
 controls {
-       <EM CLASS="Optional-meta-syntax">[</EM> inet <EM CLASS="Optional-meta-syntax">(</EM> <EM CLASS="variable">ip_addr</EM><EM CLASS="Optional-meta-syntax">|</EM>*<EM CLASS="Optional-meta-syntax">)</EM> port <EM CLASS="variable">ip_port</EM> allow { <EMCLASS="variable">address_match_list</EM>} ; <EM CLASS="Optional-meta-syntax">[</EM>inet...;<EM CLASS="Optional-meta-syntax">[...]]]</EM>
-       <EM CLASS="Optional-meta-syntax">[</EM> unix <EM CLASS="variable">string</EM> permission <EM CLASS="variable">number</EM> owner <EM CLASS="variable">number</EM> group <EM CLASS="variable">number</EM> ; <EM CLASS="Optional-meta-syntax">[</EM>unix...;<EM CLASS="Optional-meta-syntax">[..]]]</EM>
-};</PRE>
+   [ inet (<VAR>ip_addr</VAR>|*) port <VAR>ip_port</VAR> allow { <VAR>address_match_list</VAR> } ;
+      [ inet...;[...]]]
+   [ unix <VAR>string</VAR> permission <VAR>number</VAR> owner <VAR>number</VAR> group <VAR>number</VAR> ;
+      [ unix...;[..]]]
+};</CODE>
+</PRE>
+
 </DIV>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997523">
-</A>
+ </A>
 5.2.4	<CODE CLASS="Program-Process">
 controls</CODE>
  Statement Definition and Usage</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997524">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 controls</CODE>
  statement declares control channels to be used by system administrators to affect the operation of the local nameserver. These control channels are used by the <CODE CLASS="Program-Process">
@@ -885,7 +913,7 @@ ndc</CODE>
  utility to send commands to and retrieve non-DNS results from a nameserver.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997525">
-</A>
+ </A>
 A UNIX control channel is a &quot;first in first out&quot; (FIFO) named pipe in the file system, and access to it is controlled by normal file system permissions. It is created by <CODE CLASS="Program-Process">
 named</CODE>
  with the specified file mode bits (see the <CODE CLASS="Program-Process">
@@ -899,7 +927,7 @@ permission</CODE>
  so the number is interpreted as octal. Also note that the user and group ownership specified as owner and group must be given as numbers, not names. It is recommended that the permissions be restricted to administrative personnel only to prevent random users on the system from having the ability to manage the local nameserver.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997526">
-</A>
+ </A>
 An <CODE CLASS="Program-Process">
 inet</CODE>
  control channel is a TCP/IP socket accessible to the Internet, created at the specified <CODE CLASS="Program-Process">
@@ -911,7 +939,7 @@ ip_addr</CODE>
  used, and this only if you trust all non-privileged users on the local host to manage your nameserver.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=1023964">
-</A>
+ </A>
 <EM CLASS="Emphasis">
 The </EM>
 <CODE CLASS="Program-Process">
@@ -924,26 +952,30 @@ controls</CODE>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997527">
-</A>
+ </A>
 5.2.5	<CODE CLASS="Program-Process">
 include</CODE>
  Statement Grammar</H4>
 </OL>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997528"></A>
-include &quot;<EM CLASS="variable">filename</EM>&quot;;</PRE>
+
+<PRE>
+<CODE>
+include <VAR>filename</VAR>;
+</CODE>
+</PRE>
 </DIV>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997529">
-</A>
+ </A>
 5.2.6	<CODE CLASS="Program-Process">
 include</CODE>
  Statement Definition and Usage</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997530">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 include</CODE>
  statement inserts the specified file at the point that the <CODE CLASS="Program-Process">
@@ -956,51 +988,54 @@ include</CODE>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997531">
-</A>
+ </A>
 5.2.7	<CODE CLASS="Program-Process">
 key</CODE>
  Statement Grammar</H4>
 </OL>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997532"></A>
-key <EM CLASS="variable">key_id</EM> {
-    algorithm <EM CLASS="variable">string</EM>;
-    secret <EM CLASS="variable">string</EM>;
-};</PRE>
+ 
+<PRE>
+<CODE>key <VAR>key_id</VAR> {
+    algorithm <VAR>string</VAR>;
+    secret <VAR>string</VAR>;
+};
+</CODE>
+</PRE>
 </DIV>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997536">
-</A>
+ </A>
 5.2.8	<CODE CLASS="Program-Process">
 key</CODE>
  Statement Definition and Usage</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997537">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 key</CODE>
  statement defines a key ID which can be used in a server statement to associate an authentication method with a particular nameserver.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997538">
-</A>
+ </A>
 A key ID must be created with the <CODE CLASS="Program-Process">
 key</CODE>
  statement before it can be used in a server definition or an address match list.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997539">
-</A>
-The <CODE CLASS="Program-Process">
-algorithm_id</CODE>
- is a string that specifies a security/authentication algorithm. The only algorithm currently supported with tsig authentication is <CODE CLASS="Program-Process">
-hmac-md5</CODE>
-. The <CODE CLASS="Program-Process">
-secret_string</CODE>
+ </A>
+The <EM CLASS="variable">
+algorithm_id</EM>
+ is a string that specifies a security/authentication algorithm. The only algorithm currently supported with tsig authentication is <EM CLASS="variable">
+hmac-md5</EM>
+. The <EM CLASS="variable">
+secret_string</EM>
  is the secret to be used by the algorithm, and is treated as a base-64 encoded string.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997540">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 key</CODE>
  statement is intended for use in transaction security. Unless included in a server statement, it is not used to sign any requests. It is used to verify requests matching the <CODE CLASS="Program-Process">
@@ -1013,42 +1048,50 @@ algorithm_id</CODE>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997541">
-</A>
+ </A>
 5.2.9	<CODE CLASS="Program-Process">
 logging</CODE>
- statement grammar</H4>
+ Statement Grammar</H4>
 </OL>
-<pre>
+ 
+<PRE>
+<CODE>
 logging {
-   [ channel channel_name {
-     ( file path name
-         [ versions (number | unlimited ) ]
-         [ size size spec ]
-       | syslog ( syslog_facility )
-       | null );
+   [ channel <VAR>channel_name</VAR> {
+     ( file <VAR>path name</VAR>
+         [ versions ( <VAR>number</VAR> | unlimited ) ]
+         [ size <VAR>size spec</VAR> ]
+       | syslog ( <STRONG>syslog_facility</STRONG> )
+       | <VAR>null</VAR> );
 
-     [ severity (critical | error | warning | notice |
-                 info | debug [ level ] | dynamic ); ]
-     [ print-category yes or no; ]
-     [ print-severity yes or no; ]
-     [ print-time yes or no; ]
+     [ severity (<VAR>critical</VAR> | <VAR>error</VAR> | <VAR>warning</VAR> | <VAR>notice</VAR> |
+                 <VAR>info</VAR> | <VAR>debug</VAR> [ level ] | <VAR>dynamic</VAR> ); ]
+     [ print-category <VAR>yes or no</VAR>; ]
+     [ print-severity <VAR>yes or no</VAR>; ]
+     [ print-time <VAR>yes or no</VAR>; ] 
    }; ]
 
-   [ category category_name {
-     channel_name ; [channel_name ; ... ]
+   [ category <VAR>category_name</VAR> { 
+     channel_name ; [ <VAR>channel_name</VAR> ; ... ] 
    }; ]
-   ...
-};
-</pre>
 
+   ... 
+};</CODE>
+</PRE>
 
+</DIV>
+<DIV>
+<OL>
+<H4 CLASS="3Level">
+<A NAME="pgfId=997554">
+ </A>
 5.2.10	<CODE CLASS="Program-Process">
 logging</CODE>
- statement definition and usage</H4>
+ Statement Definition and Usage</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997555">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 logging</CODE>
  statement configures a wide variety of logging options for the nameserver. Its <CODE CLASS="Program-Process">
@@ -1070,13 +1113,16 @@ logging</CODE>
  statement, the logging configuration will be:</P>
 <PRE CLASS="3Level-fixed"><A NAME="pgfId=997558"></A>
 &nbsp;</PRE>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=1023128"></A>
-logging {
+ 
+<PRE>
+<CODE>logging {
      category default { default_syslog; default_debug; };
-};</PRE>
+};</CODE>
+</PRE>
+
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997565">
-</A>
+ </A>
 In BINDv9, the logging configuration is only established when the entire configuration file has been parsed.  In BIND 8, it was established as soon as the <CODE CLASS="Program-Process">
 logging</CODE>
  statement was parsed. When the server is starting up, all logging messages regarding syntax errors in the configuration file go to the default channels, or to standard error if the <CODE CLASS="Program-Process">
@@ -1086,40 +1132,38 @@ logging</CODE>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=1022605">
-</A>
+ </A>
 5.2.10.1	The <CODE CLASS="Program-Process">
 channel</CODE>
  Phrase</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1022606">
-</A>
+ </A>
 All log output goes to one or more &quot;channels&quot;; you can make as many of them as you want.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1022607">
-</A>
-Every <CODE CLASS="Program-Process">
-channel</CODE>
- definition must include a clause that says whether messages selected for the channel go to a file, to a particular syslog facility, or are discarded. It can optionally also limit the message severity level that will be accepted by the channel (default is <CODE CLASS="Program-Process">
+ </A>
+Every channel definition must include a clause that says whether messages selected for the channel go to a file, to a particular syslog facility, or are discarded. It can optionally also limit the message severity level that will be accepted by the channel (the default is <CODE CLASS="Program-Process">
 info</CODE>
 ), and whether to include a <CODE CLASS="Program-Process">
 named</CODE>
--generated time stamp, the category name and/or severity level (default is not to include any).</P>
+-generated time stamp, the category name and/or severity level (the default is not to include any).</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1022608">
-</A>
+ </A>
 The word <CODE CLASS="Program-Process">
 null</CODE>
  as the destination option for the channel will cause all messages sent to it to be discarded; in that case, other options for the channel are meaningless.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1022609">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 file</CODE>
  clause can include limitations both on how large the file is allowed to become, and how many versions of the file will be saved each time the file is opened.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1022610">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 size</CODE>
  option for files is simply a hard ceiling on log growth. If the file ever exceeds the size, then <CODE CLASS="Program-Process">
@@ -1127,7 +1171,7 @@ named</CODE>
  will not write anything more to it until the file is reopened; exceeding the size does not automatically trigger a reopen. The default behavior is not to limit the size of the file.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1022611">
-</A>
+ </A>
 If you use the <CODE CLASS="Program-Process">
 version</CODE>
  log file option, then <CODE CLASS="Program-Process">
@@ -1153,22 +1197,27 @@ unlimited</CODE>
  in current BIND releases.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1022612">
-</A>
+ </A>
 Example usage of the size and versions options:</P>
-<PRE CLASS="4Level-fixed"><A NAME="pgfId=1022613"></A>
-    channel an_example_level {
-        file &quot;lamers.log&quot; versions 3 size 20m;
-        print-time yes;
-        print-category yes;
-    };</PRE>
+
+ 
+<PRE>
+<CODE>
+    channel <VAR>an_example_level</VAR> {
+        file &quot;<EM>lamers.log</EM>&quot; versions 3 size 20m;
+        print-time <VAR>yes</VAR>;
+        print-category <VAR>yes</VAR>;
+    };</CODE>
+</PRE>
+
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1022614">
-</A>
+ </A>
 The argument for the <CODE CLASS="Program-Process">
 syslog</CODE>
  clause is a syslog facility as described in the <CODE CLASS="Program-Process">
 syslog</CODE>
- manual page. How <CODE CLASS="Program-Process">
+ man page. How <CODE CLASS="Program-Process">
 syslog</CODE>
  will handle messages sent to this facility is described in the <CODE CLASS="Program-Process">
 syslog.conf</CODE>
@@ -1179,7 +1228,7 @@ openlog()</CODE>
  function, then this clause is silently ignored.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1022615">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 severity</CODE>
  clause works like <CODE CLASS="Program-Process">
@@ -1189,7 +1238,7 @@ syslog</CODE>
 . Messages which are not at least of the severity level given will not be selected for the channel; messages of higher severity levels will be accepted.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1022616">
-</A>
+ </A>
 If you are using <CODE CLASS="Program-Process">
 syslog</CODE>
 , then the <CODE CLASS="Program-Process">
@@ -1215,7 +1264,7 @@ syslogd</CODE>
  would print all messages it received from the channel.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1022617">
-</A>
+ </A>
 The server can supply extensive debugging information when it is in debugging mode. If the server's global debug level is greater than zero, then debugging mode will be active. The global debug level is set either by starting the <CODE CLASS="Program-Process">
 named</CODE>
  server with the &quot;<CODE CLASS="Program-Process">
@@ -1227,20 +1276,22 @@ the latter method is not yet implemented</EM>
 ). The global debug level can be set to zero, and debugging mode turned off, by running <CODE CLASS="Program-Process">
 ndc notrace</CODE>
 . All debugging messages in the server have a debug level, and higher debug levels give more detailed output. Channels that specify a specific debug severity, e.g.</P>
-<PRE CLASS="4Level-fixed"><A NAME="pgfId=1022618"></A>
-  channel specific_debug_level {
-      file &quot;foo&quot;;
+ 
+<PRE>
+<CODE>  channel <VAR>specific_debug_level</VAR> {
+      file &quot;<EM>foo</EM>&quot;;
       severity debug 3;
-  };</PRE>
+        };</CODE>
+</PRE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1022619">
-</A>
+ </A>
 will get debugging output of level 3 or less any time the server is in debugging mode, regardless of the global debugging level. Channels with <CODE CLASS="Program-Process">
 dynamic</CODE>
  severity use the server's global level to determine what messages to print.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1022620">
-</A>
+ </A>
 If <CODE CLASS="Program-Process">
 print-time</CODE>
  has been turned on, then the date and time will be logged. <CODE CLASS="Program-Process">
@@ -1260,108 +1311,143 @@ print-</CODE>
  options are on:</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1022621">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 28-Feb-2000 15:05:32.863 general: notice: running</CODE>
 </P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1022622">
-</A>
+ </A>
 There are four predefined channels that are used for <CODE CLASS="Program-Process">
 named</CODE>
-'s default logging as follows. How they are used is described in the section <A HREF="BV9ARM.5.html#36082" CLASS="XRef">
+'s default logging as follows. How they are used is described in the section <A HREF="Bv9ARM.5.html#36082" CLASS="XRef">
 The category Phrase</A>
 .</P>
-<PRE CLASS="4Level-fixedSmall"><A NAME="pgfId=1022813"></A>
+
+<PRE>
+<CODE>
     channel default_syslog {
-        syslog daemon;     # send to syslog's daemon facility
-        severity info;     # only send priority info and higher
+        syslog daemon;    // end to syslog's daemon facility
+        severity info;    // only send priority info and higher
     };
     channel default_debug {
-        file &quot;named.run&quot;;  # write to named.run in the working directory
-                           # Note: stderr is used instead of &quot;named.run&quot;
-                          # if the server is started with the &quot;-f&quot;
-                          # option.
-        severity dynamic  # log at the server's current debug level
+        file &quot;named.run&quot;;  // write to named.run in
+                          // the working directory
+                          // Note: stderr is used instead of
+                          // &quot;named.run&quot;
+                          // if the server is started
+                          // with the &quot;-f&quot; option.
+        severity dynamic  // log at the server's
+                          // current debug level
     };
-    channel default_stderr {     # writes to stderr
-        file &quot;&lt;stderr&gt;&quot;;         # this is illustrative only;
-                                 # there's currently no way of
-                                 # specifying an internal file
-                                 # descriptor in the configuration
-                                 # language.
-        severity info;           # only send priority info and higher
+    channel default_stderr {  // writes to stderr
+        file &quot;&lt;stderr&gt;&quot;;   // this is illustrative only;
+                          // there's currently no way of
+                          // specifying an internal file
+                          // descriptor in the configuration
+                          // language.
+        severity info;    // only send priority info and higher
     };
     channel null {
-       null;                     # toss anything sent to this channel
-    };</PRE>
+       null;                // toss anything sent to this channel
+    };</CODE>
+</PRE>
+
 <P CLASS="4LevelContinued">
-<A NAME="pgfId=1022627">
-</A>
+<A NAME="pgfId=1038366">
+ </A>
+The <CODE CLASS="Program-Process">
+default_debug</CODE>
+ channel normally writes to a file <EM CLASS="pathname">
+named.run</EM>
+ in the server's working directory.  For security reasons, when the &quot;<CODE CLASS="Program-Process">
+-u</CODE>
+&quot;command line option is used, the <EM CLASS="pathname">
+named.run</EM>
+ file is created only after <CODE CLASS="Program-Process">
+named</CODE>
+ has changed to the new UID, and any debug output generated while <CODE CLASS="Program-Process">
+named</CODE>
+ is starting up and still running as root is discarded.  If you need to capture this output, you must run the server with the <CODE CLASS="Program-Process">
+-g</CODE>
+ option and redirect standard error to a file.</P>
+<P CLASS="4LevelContinued">
+<A NAME="pgfId=1038348">
+ </A>
 Once a channel is defined, it cannot be redefined. Thus you cannot alter the built-in channels directly, but you can modify the default logging by pointing categories at channels you have defined.</P>
 </DIV>
 <DIV>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=1022629">
-</A>
+ </A>
 5.2.10.2	<A NAME="36082">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 category</CODE>
  Phrase</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1022630">
-</A>
+ </A>
 There are many categories, so you can send the logs you want to see wherever you want, without seeing logs you don't want. If you don't specify a list of channels for a category, then log messages in that category will be sent to the <CODE CLASS="Program-Process">
 default</CODE>
  category instead. If you don't specify a default category, the following &quot;default default&quot; is used:</P>
-<PRE CLASS="4Level-fixed1"><A NAME="pgfId=1022631"></A>
-    category default { default_syslog; default_debug; };</PRE>
+ 
+<PRE>
+<CODE>    category default { default_syslog; default_debug; };
+</CODE>
+</PRE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1022632">
-</A>
+ </A>
 As an example, let's say you want to log security events to a file, but you also want keep the default logging behavior. You'd specify the following:</P>
-<PRE CLASS="4Level-fixed1"><A NAME="pgfId=1022633"></A>
-channel my_security_channel {
-    file &quot;my_security_file&quot;;
-    severity info;
+ 
+<PRE>
+<CODE>
+channel <VAR>my_security_channel</VAR> {
+    file &quot;<EM>my_security_file</EM>&quot;;
+    severity <VAR>info</VAR>;
 };
-category security {
-    my_security_channel;
+category <VAR>security</VAR> {
+    <VAR>my_security_channel</VAR>;
     default_syslog;
     default_debug;
-};</PRE>
+};
+</CODE>
+</PRE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1022634">
-</A>
+ </A>
 To discard all messages in a category, specify the <CODE CLASS="Program-Process">
 null</CODE>
  channel:</P>
-<PRE CLASS="4Level-fixed1"><A NAME="pgfId=1022635"></A>
-category lame-servers { null; };
-category cname { null; };</PRE>
+<PRE>
+<CODE>
+category lame-<VAR>servers</VAR> { <VAR>null</VAR>; };
+category <VAR>cname</VAR> { <VAR>null</VAR>; };
+</CODE>
+</PRE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1024497">
-</A>
+ </A>
 Following are the available categories and brief descriptions of the types of log information they contain.  <EM CLASS="Emphasis">
 This list is still subject to change.</EM>
  </P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1024500">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 default</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1024502">
-</A>
+ </A>
 The default category defines the logging options for those categories where no specific configuration has been defined. If you do not define a default category, the following definition is used:<BR>
 <EM CLASS="Command">
 category default { default_syslog; default_debug; };</EM>
@@ -1370,173 +1456,177 @@ category default { default_syslog; default_debug; };</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1024504">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
-general</CODE></H6>
+general</CODE>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1024506">
-</A>
+ </A>
 The catch-all. Many things still aren't classified into categories, and they all end up here.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1024508">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
-database</CODE></H6>
+database</CODE>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1024510">
-</A>
+ </A>
 Messages relating to the databases used internally by the name server to store zone and cache data.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1024512">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
-security</CODE></H6>
+security</CODE>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1024514">
-</A>
+ </A>
 Approval and denial of requests.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1024516">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 config</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1024518">
-</A>
+ </A>
 Configuration file parsing and processing.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1024520">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
-resolver</CODE></H6>
+resolver</CODE>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1024522">
-</A>
+ </A>
 DNS resolution, such as the recursive lookups performed on behalf of clients by a caching name server.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1024524">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 xfer-in</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1024526">
-</A>
+ </A>
 Zone transfers the server is receiving.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1024528">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 xfer-out</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1024530">
-</A>
+ </A>
 Zone transfers the server is sending.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1024532">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 notify</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1024534">
-</A>
+ </A>
 The NOTIFY protocol.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1024536">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 client</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1024538">
-</A>
+ </A>
 Processing of client requests.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1024540">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 network</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1024542">
-</A>
+ </A>
 Network operations.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1024544">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 update</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1024546">
-</A>
+ </A>
 Dynamic updates.</P>
 </TD>
 </TR>
@@ -1547,96 +1637,99 @@ Dynamic updates.</P>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=1024547">
-</A>
+ </A>
 5.2.11	<CODE CLASS="Program-Process">
 options</CODE>
  Statement Grammar</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=1024267">
-</A>
+ </A>
 This is the grammar of the <CODE CLASS="Program-Process">
-options</CODE>
- statement in the <CODE CLASS="Program-Process">
-named.conf</CODE>
+option</CODE>
+ statement in the <EM CLASS="pathname">
+named.conf</EM>
  file:</P>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997568"></A>
-options {
-    <EM CLASS="Optional-meta-syntax">[</EM>version <EM CLASS="variable">version_string</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM>directory <EM CLASS="variable">path_name</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> named-xfer <EM CLASS="variable">path_name</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM>tkey-domain <EM CLASS="variable">string</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM>tkey-dhkey <EM CLASS="variable">string number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM>dump-file <EM CLASS="variable">path_name</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM>memstatistics-file <EM CLASS="variable">path_name</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM>pid-file <EM CLASS="variable">path_name</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM>statistics-file <EM CLASS="variable">path_name</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM>auth-nxdomain <EM CLASS="variable">yes_or_no</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> deallocate-on-exit <EM CLASS="variable">yes_or_no</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> dialup <EM CLASS="variable">yes_or_no</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> fake-iquery <EM CLASS="variable">yes_or_no</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> fetch-glue <EM CLASS="variable">yes_or_no</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> has-old-clients <EM CLASS="variable">yes_or_no</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> host-statistics <EM CLASS="variable">yes_or_no</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> multiple-cnames <EM CLASS="variable">yes_or_no</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> notify <EM CLASS="variable">yes_or_no</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> recursion <EM CLASS="variable">yes_or_no</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> rfc2308-type1 <EM CLASS="variable">yes_or_no</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> use-id-pool <EM CLASS="variable">yes_or_no</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> maintain-ixfr-base <EM CLASS="variable">yes_or_no</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> forward <EM CLASS="Optional-meta-syntax">(</EM> only <EM CLASS="Optional-meta-syntax">|</EM> first <EM CLASS="Optional-meta-syntax">)</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> forwarders { <EM CLASS="Optional-meta-syntax">[</EM> <EM CLASS="variable">in_addr</EM> ; <EM CLASS="Optional-meta-syntax">[</EM> <EM CLASS="variable">in_addr</EM> ; ... <EM CLASS="Optional-meta-syntax">] ]</EM> }; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> check-names <EM CLASS="Optional-meta-syntax">(</EM> master <EM CLASS="Optional-meta-syntax">|</EM> slave <EM CLASS="Optional-meta-syntax">|</EM> response <EM CLASS="Optional-meta-syntax">) (</EM> warn <EM CLASS="Optional-meta-syntax">|</EM> fail <EM CLASS="Optional-meta-syntax">|</EM> ignore<EM CLASS="Optional-meta-syntax">)</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> allow-query { <EM CLASS="variable">address_match_list</EM> }; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> allow-transfer { <EM CLASS="variable">address_match_list</EM> }; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> allow-recursion { <EM CLASS="variable">address_match_list</EM> }; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> blackhole { <EM CLASS="variable">address_match_list</EM> }; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> listen-on <EM CLASS="Optional-meta-syntax">[</EM> <EM CLASS="variable">port ip_port</EM> <EM CLASS="Optional-meta-syntax">]</EM> { <EM CLASS="variable">address_match_list</EM> }; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> query-source <EM CLASS="Optional-meta-syntax">[</EM> address <EM CLASS="Optional-meta-syntax">(</EM> <EM CLASS="variable">ip_addr</EM> <EM CLASS="Optional-meta-syntax">|</EM> * <EM CLASS="Optional-meta-syntax">) ] [</EM> port <EM CLASS="Optional-meta-syntax">(</EM> <EM CLASS="variable">ip_port</EM> <EM CLASS="Optional-meta-syntax">|</EM> * <EM CLASS="Optional-meta-syntax">) ]</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> max-transfer-time-in <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> max-transfer-time-out <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> max-transfer-idle-in <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> max-transfer-idle-out <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> tcp-clients <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> recursive-clients <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> serial-queries <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> transfer-format <EM CLASS="Optional-meta-syntax">(</EM> one-answer <EM CLASS="Optional-meta-syntax">|</EM> many-answers <EM CLASS="Optional-meta-syntax">)</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> transfers-in  <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> transfers-out <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> transfers-per-ns <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> transfer-source <EM CLASS="variable">ip_addr</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> also-notify { <EM CLASS="variable">ip_addr</EM>; <EM CLASS="Optional-meta-syntax">[</EM> <EM CLASS="variable">ip_addr</EM>; ... <EM CLASS="Optional-meta-syntax">]</EM> };
-    <EM CLASS="Optional-meta-syntax">[</EM> max-ixfr-log-size <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> coresize <EM CLASS="variable">size_spec</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> datasize <EM CLASS="variable">size_spec</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> files <EM CLASS="variable">size_spec</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> stacksize <EM CLASS="variable">size_spec</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> cleaning-interval <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> heartbeat-interval <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> interface-interval <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> statistics-interval <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> topology { <EM CLASS="variable">address_match_list</EM> }; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> sortlist { <EM CLASS="variable">address_match_list</EM> }; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> rrset-order { <EM CLASS="variable">order_spec</EM> ; <EM CLASS="Optional-meta-syntax">[</EM> <EM CLASS="variable">order_spec</EM> ; ... <EM CLASS="Optional-meta-syntax">] ]</EM> };
-    <EM CLASS="Optional-meta-syntax">[</EM> lame-ttl <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> max-ncache-ttl <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> min-roots <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> use-ixfr <EM CLASS="variable">yes_or_no</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> treat-cr-as-space <EM CLASS="variable">yes_or_no</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-};</PRE>
+
+<PRE>
+<CODE>options {
+    [ version <VAR>version_string</VAR>; ]
+    [ directory <VAR>path_name</VAR>; ]
+    [ named-xfer <VAR>path_name</VAR>; ]
+    [ tkey-domain <VAR>domainname</VAR>; ]
+    [ tkey-dhkey <VAR>keyname</VAR> <VAR>keyid</VAR>; ]
+    [ dump-file <VAR>path_name</VAR>; ]
+    [ memstatistics-file <VAR>path_name</VAR>; ]
+    [ pid-file <VAR>path_name</VAR>; ]
+    [ statistics-file <VAR>path_name</VAR>; ]
+    [ auth-nxdomain <VAR>yes_or_no</VAR>; ]
+    [ deallocate-on-exit <VAR>yes_or_no</VAR>; ]
+    [ dialup <VAR>yes_or_no</VAR>; ]
+    [ fake-iquery <VAR>yes_or_no</VAR>; ]
+    [ fetch-glue <VAR>yes_or_no</VAR>; ]
+    [ has-old-clients <VAR>yes_or_no</VAR>; ]
+    [ host-statistics <VAR>yes_or_no</VAR>; ]
+    [ multiple-cnames <VAR>yes_or_no</VAR>; ]
+    [ notify <VAR>yes_or_no</VAR>; ]
+    [ recursion <VAR>yes_or_no</VAR>; ]
+    [ rfc2308-type1 <VAR>yes_or_no</VAR>; ]
+    [ use-id-pool <VAR>yes_or_no</VAR>; ]
+    [ maintain-ixfr-base <VAR>yes_or_no</VAR>; ]
+    [ forward ( only | first ); ]
+    [ forwarders { [ <VAR>in_addr</VAR> ; [ <VAR>in_addr</VAR> ; ... ] ] }; ]
+    [ check-names ( master | slave | response )( warn | fail | ignore ); ]
+    [ allow-query { <VAR>address_match_list</VAR> }; ]
+    [ allow-transfer { <VAR>address_match_list</VAR> }; ]
+    [ allow-recursion { <VAR>address_match_list</VAR> }; ]
+    [ blackhole { <VAR>address_match_list</VAR> }; ]
+    [ listen-on [ port <VAR>ip_port</VAR> ] { <VAR>address_match_list</VAR> }; ]
+    [ query-source [ address ( <VAR>ip_addr</VAR> | * ) ] [ port ( <VAR>ip_port</VAR> | * ) ]; ]
+    [ max-transfer-time-in <VAR>number</VAR>; ]
+    [ max-transfer-time-out <VAR>number</VAR>; ]
+    [ max-transfer-idle-in <VAR>number</VAR>; ]
+    [ max-transfer-idle-out <VAR>number</VAR>; ]
+    [ tcp-clients <VAR>number</VAR>; ]
+    [ recursive-clients <VAR>number</VAR>; ]
+    [ serial-queries <VAR>number</VAR>; ]
+    [ transfer-format ( one-answer | many-answers ); ]
+    [ transfers-in  <VAR>number</VAR>; ]
+    [ transfers-out <VAR>number</VAR>; ]
+    [ transfers-per-ns <VAR>number</VAR>; ]
+    [ transfer-source <VAR>ip_addr</VAR>; ]
+    [ also-notify { <VAR>ip_addr</VAR>; [ <VAR>ip_addr</VAR>; ... ] }; ]
+    [ max-ixfr-log-size <VAR>number</VAR>; ]
+    [ coresize <VAR>size_spec</VAR> ; ]
+    [ datasize <VAR>size_spec</VAR> ; ]
+    [ files <VAR>size_spec</VAR> ; ]
+    [ stacksize <VAR>size_spec</VAR> ; ]
+    [ cleaning-interval <VAR>number</VAR>; ]
+    [ heartbeat-interval <VAR>number</VAR>; ]
+    [ interface-interval <VAR>number</VAR>; ]
+    [ statistics-interval <VAR>number</VAR>; ]
+    [ topology { <VAR>address_match_list</VAR> }; ]
+    [ sortlist { <VAR>address_match_list</VAR> };]
+    [ rrset-order { <VAR>order_spec</VAR> ; [ <VAR>order_spec</VAR> ; ... ] ] };
+    [ lame-ttl <VAR>number</VAR>; ]
+    [ max-ncache-ttl <VAR>number</VAR>; ]
+    [ min-roots <VAR>number</VAR>; ]
+    [ use-ixfr <VAR>yes_or_no</VAR> ; ]
+    [ treat-cr-as-space <VAR>yes_or_no</VAR> ; ]
+};
+</CODE>
+</PRE>
 </DIV>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997632">
-</A>
+ </A>
 5.2.12	<CODE CLASS="Program-Process">
 options</CODE>
  Statement Definition and Usage</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997633">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 options</CODE>
  statement sets up global options to be used by BIND. This statement may appear only once in a configuration file. If more than one occurrence is found, the first occurrence determines the actual options used, and a warning will be generated. If there is no <CODE CLASS="Program-Process">
@@ -1645,19 +1738,19 @@ options</CODE>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997636">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 version</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997638">
-</A>
-The version the server should report via a query of name <CODE CLASS="Program-Process">
-version.bind</CODE>
+ </A>
+The version the server should report via a query of name <EM CLASS="pathname">
+version.bind</EM>
  in class <CODE CLASS="Program-Process">
 chaos</CODE>
 . The default is the real version number of this server.</P>
@@ -1665,35 +1758,37 @@ chaos</CODE>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997640">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 directory</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997642">
-</A>
-The working directory of the server. Any non-absolute pathnames in the configuration file will be taken as relative to this directory. The default location for most server output files (e.g. &quot;<CODE CLASS="Program-Process">
-named.run</CODE>
-&quot;) is this directory. If a directory is not specified, the working directory defaults to &quot;.&quot;, the directory from which the server was started. The directory specified should be an absolute path.</P>
+ </A>
+The working directory of the server. Any non-absolute pathnames in the configuration file will be taken as relative to this directory. The default location for most server output files (e.g. <EM CLASS="pathname">
+named.run</EM>
+) is this directory. If a directory is not specified, the working directory defaults to `<EM CLASS="pathname">
+.</EM>
+', the directory from which the server was started. The directory specified should be an absolute path.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997644">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 named-xfer</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997646">
-</A>
+ </A>
 <EM CLASS="Emphasis">
 This option is obsolete.</EM>
   It was used in BIND 8 to specify the pathname to the <CODE CLASS="Program-Process">
@@ -1705,62 +1800,111 @@ named-xfer</CODE>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
+<A NAME="pgfId=1038439">
+ </A>
+<CODE CLASS="Program-Process">
+tkey-domain</CODE>
+</P>
+</TD>
+<TD ROWSPAN="1" COLSPAN="1">
+<P CLASS="CellBody">
+<A NAME="pgfId=1038441">
+ </A>
+The domain appended to the names of all shared keys generated with <CODE CLASS="Program-Process">
+TKEY</CODE>
+. When a client requests a <CODE CLASS="Program-Process">
+TKEY</CODE>
+ exchange, it may or may not specify the desired name for the key. If present, the name of the shared key will be &quot;<EM CLASS="variable">
+client specified part</EM>
+&quot; + &quot;<EM CLASS="variable">
+tkey-domain</EM>
+&quot;. Otherwise, the name of the shared key will be &quot;<EM CLASS="variable">
+random hex digits</EM>
+&quot; + &quot;<EM CLASS="variable">
+tkey-domain</EM>
+&quot;. In most cases, the <CODE CLASS="Program-Process">
+domainname</CODE>
+ should be the server's domain name.</P>
+</TD>
+</TR>
+<TR>
+<TD ROWSPAN="1" COLSPAN="1">
+<P CLASS="CellBody">
+<A NAME="pgfId=1038443">
+ </A>
+<CODE CLASS="Program-Process">
+tkey-dhkey</CODE>
+</P>
+</TD>
+<TD ROWSPAN="1" COLSPAN="1">
+<P CLASS="CellBody">
+<A NAME="pgfId=1038445">
+ </A>
+The Diffie-Hellman key used by the server to generate shared keys with clients using the Diffie-Hellman mode of <CODE CLASS="Program-Process">
+TKEY</CODE>
+. The server must be able to load the public and private keys from files in the working directory. In most cases, the keyname should be the server's host name.</P>
+</TD>
+</TR>
+<TR>
+<TD ROWSPAN="1" COLSPAN="1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997648">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 dump-file</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997650">
-</A>
+ </A>
 The pathname of the file the server dumps the database to when it receives <CODE CLASS="Program-Process">
 SIGINT</CODE>
  signal (<CODE CLASS="Program-Process">
 ndc dumpdb</CODE>
-). If not specified, the default is &quot;<CODE CLASS="Program-Process">
-named_dump.db</CODE>
-&quot;. <EM CLASS="Emphasis">
+). If not specified, the default is <EM CLASS="pathname">
+named_dump.db</EM>
+. <EM CLASS="Emphasis">
 Not yet implemented in BINDv9.</EM>
 </P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997652">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 memstatistics-file</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997654">
-</A>
-The pathname of the file the server writes memory usage statistics to on exit.  If not specified, the default is &quot;<CODE CLASS="Program-Process">
-named.memstats</CODE>
-&quot;. <EM CLASS="Emphasis">
+ </A>
+The pathname of the file the server writes memory usage statistics to on exit.  If not specified, the default is <EM CLASS="pathname">
+named.memstats</EM>
+. <EM CLASS="Emphasis">
 Not yet implemented in BINDv9.</EM>
 </P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997656">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 pid-file</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997658">
-</A>
-The pathname of the file the server writes its process ID in. If not specified, the default is operating system dependent, but is usually <EM CLASS="pathname">
+ </A>
+The pathname of the file the server writes its process ID in. If not specified, the default is operating system dependent, but is usually<BR>
+<EM CLASS="pathname">
 /var/run/named.pid</EM>
  or <EM CLASS="pathname">
 /etc/named.pid</EM>
@@ -1769,20 +1913,20 @@ The pathname of the file the server writes its process ID in. If not specified,
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997660">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 statistics-file</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997662">
-</A>
-The pathname of the file the server appends statistics to. If not specified, the default is &quot;<CODE CLASS="Program-Process">
-named.stats</CODE>
-&quot;. <EM CLASS="Emphasis">
+ </A>
+The pathname of the file the server appends statistics to. If not specified, the default is <EM CLASS="pathname">
+named.stats</EM>
+. <EM CLASS="Emphasis">
 Not yet implemented in BINDv9</EM>
 .</P>
 </TD>
@@ -1792,79 +1936,79 @@ Not yet implemented in BINDv9</EM>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997664">
-</A>
+ </A>
 5.2.12.1	<A NAME="12205">
-</A>
+ </A>
 Boolean Options</H5>
 </OL>
-<P CLASS="4LevelContinued">
+<P CLASS="CellBody">
 <A NAME="pgfId=997722">
-</A>
+ </A>
 &nbsp;</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997667">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 auth-nxdomain</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997669">
-</A>
-If <CODE CLASS="Program-Process">
-yes</CODE>
+ </A>
+If <EM CLASS="variable">
+yes</EM>
 , then the <CODE CLASS="Program-Process">
 AA</CODE>
- bit is always set on NXDOMAIN responses, even if the server is not actually authoritative. The default is <CODE CLASS="Program-Process">
-no</CODE>
-; this is a change from BIND 8. If you are using very old DNS software, you may need to set it to <CODE CLASS="Program-Process">
-yes</CODE>
+ bit is always set on NXDOMAIN responses, even if the server is not actually authoritative. The default is <EM CLASS="variable">
+no</EM>
+; this is a change from BIND 8. If you are using very old DNS software, you may need to set it to <EM CLASS="variable">
+yes</EM>
 .</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997671">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 deallocate-on-exit</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997673">
-</A>
+ </A>
 This option was used in BIND 8 to enable checking for memory leaks on exit. BINDv9 ignores the option and always performs the checks.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997675">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 dialup</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997677">
-</A>
-If <CODE CLASS="Program-Process">
-yes</CODE>
+ </A>
+If <EM CLASS="variable">
+yes</EM>
 , then the server treats all zones as if they are doing zone transfers across a dial on demand dialup link, which can be brought up by traffic originating from this server. This has different effects according to zone type and concentrates the zone maintenance so that it all happens in a short interval, once every <CODE CLASS="Program-Process">
 heartbeat-interval</CODE>
- and hopefully during the one call. It also suppresses some of the normal zone maintenance traffic. The default is <CODE CLASS="Program-Process">
-no</CODE>
+ and hopefully during the one call. It also suppresses some of the normal zone maintenance traffic. The default is <EM CLASS="variable">
+no</EM>
 .</P>
 <P CLASS="CellBody">
 <A NAME="pgfId=997678">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 dialup</CODE>
  option may also be specified in the <CODE CLASS="Program-Process">
@@ -1874,20 +2018,12 @@ options dialup </CODE>
 statement.</P>
 <P CLASS="CellBody">
 <A NAME="pgfId=997679">
-</A>
-If the zone is a <CODE CLASS="Program-Process">
-master</CODE>
- then the server will send out a NOTIFY request to all the slaves. This will trigger the zone serial number check in the slave (providing it supports NOTIFY) allowing the <CODE CLASS="Program-Process">
-slave</CODE>
- to verify the zone while the connection is active.</P>
+ </A>
+If the zone is a master then the server will send out a NOTIFY request to all the slaves. This will trigger the zone serial number check in the slave (providing it supports NOTIFY) allowing the slave to verify the zone while the connection is active.</P>
 <P CLASS="CellBody">
 <A NAME="pgfId=997680">
-</A>
-If the zone is a <CODE CLASS="Program-Process">
-slave</CODE>
- or <CODE CLASS="Program-Process">
-stub</CODE>
- then the server will suppress the regular &quot;zone up to date&quot; queries and only perform them when the<BR>
+ </A>
+If the zone is a slave or stub then the server will suppress the regular &quot;zone up to date&quot; queries and only perform them when the<BR>
 <CODE CLASS="Program-Process">
 heartbeat-interval</CODE>
  expires.  <EM CLASS="Emphasis">
@@ -1897,40 +2033,38 @@ Not yet implemented in BINDv9.</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997682">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 fake-iquery</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997684">
-</A>
+ </A>
 In BIND 8, this option was used to enable simulating the obsolete DNS query type IQUERY. BINDv9 never does IQUERY simulation.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997686">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 fetch-glue</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997688">
-</A>
+ </A>
 If <CODE CLASS="Program-Process">
 yes</CODE>
  (the default), the server will fetch &quot;glue&quot; resource records it doesn't have when constructing the additional data section of a response. (Information present outside of the authoritative nodes in the zone is called &quot;glue&quot; information). <CODE CLASS="Program-Process">
-fetch-glue</CODE>
- <CODE CLASS="Program-Process">
-no</CODE>
- can be used in conjunction with <CODE CLASS="Program-Process">
+fetch-glue no </CODE>
+can be used in conjunction with <CODE CLASS="Program-Process">
 recursion no </CODE>
 to prevent the server's cache from growing or becoming corrupted (at the cost of requiring more work from the client). <EM CLASS="Emphasis">
 Not yet implemented in BINDv9.</EM>
@@ -1939,18 +2073,19 @@ Not yet implemented in BINDv9.</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997690">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 has-old-clients</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997692">
-</A>
-This option was incorrectly implemented in BIND 8, and is ignored by BINDv9.  To achieve the intended effect of <CODE CLASS="Program-Process">
+ </A>
+This option was incorrectly implemented in BIND 8, and is ignored by BINDv9.  To achieve the intended effect of<BR>
+<CODE CLASS="Program-Process">
 has-old-clients yes</CODE>
 , specify the two separate options <CODE CLASS="Program-Process">
 auth-nxdomain yes</CODE>
@@ -1961,21 +2096,21 @@ rfc2308-type-1 no</CODE>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997695">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 host-statistics</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997697">
-</A>
-If <CODE CLASS="Program-Process">
-yes</CODE>
-, then statistics are kept for every host that the nameserver interacts with. The default is <CODE CLASS="Program-Process">
-no</CODE>
+ </A>
+If <EM CLASS="variable">
+yes</EM>
+, then statistics are kept for every host that the nameserver interacts with. The default is <EM CLASS="variable">
+no</EM>
 . Note: turning on <CODE CLASS="Program-Process">
 host-statistics</CODE>
  can consume huge amounts of memory. <EM CLASS="Emphasis">
@@ -1985,17 +2120,17 @@ Not yet implemented in BINDv9.</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997699">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 maintain-ixfr-base</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997701">
-</A>
+ </A>
 <EM CLASS="Emphasis">
 This option is obsolete</EM>
 .  It was used in BIND 8 to determine whether a transaction log was kept for Incremental Zone Transfer. BINDv9 maintains a transaction log whenever possible.  If you need to disable outgoing incremental zone transfers, use <CODE CLASS="Program-Process">
@@ -2005,35 +2140,35 @@ provide-ixfr no</CODE>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997703">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 multiple-cnames</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997705">
-</A>
+ </A>
 This option was used in BIND 8 to allow a domain name to allow multiple CNAME records in violation of the DNS standards.  BINDv9 currently does not check for multiple CNAMEs in zone data loaded from master files, but such checks may be introduced in a later release.  BINDv9 always strictly enforces the CNAME rules in dynamic updates.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997707">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 notify</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997709">
-</A>
-If <CODE CLASS="Program-Process">
-yes</CODE>
+ </A>
+If <EM CLASS="variable">
+yes</EM>
  (the default), DNS NOTIFY messages are sent when a zone the server is authoritative for changes. The use of NOTIFY speeds synchronization between the master and its slaves. Slave servers that receive a NOTIFY message and understand it will contact the master server for the zone and see if they need to do a zone transfer, and if they do, they will initiate it immediately. The <CODE CLASS="Program-Process">
 notify</CODE>
  option may also be specified in the <CODE CLASS="Program-Process">
@@ -2047,21 +2182,21 @@ Not yet supported in BINDv9.</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997711">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 recursion</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997713">
-</A>
-If <CODE CLASS="Program-Process">
-yes</CODE>
-, and a DNS query requests recursion, then the server will attempt to do all the work required to answer the query. If recursion is not on, the server will return a referral to the client if it doesn't know the answer. The default is <CODE CLASS="Program-Process">
-yes</CODE>
+ </A>
+If <EM CLASS="variable">
+yes</EM>
+, and a DNS query requests recursion, then the server will attempt to do all the work required to answer the query. If recursion is not on, the server will return a referral to the client if it doesn't know the answer. The default is <EM CLASS="variable">
+yes</EM>
 . See also <CODE CLASS="Program-Process">
 fetch-glue</CODE>
  above.</P>
@@ -2069,23 +2204,23 @@ fetch-glue</CODE>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997715">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 rfc2308-type1</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997717">
-</A>
-If <CODE CLASS="Program-Process">
-yes</CODE>
-, the server will send NS records along with the SOA record for negative answers. You need to set this to <CODE CLASS="Program-Process">
-no</CODE>
- if you have an old BIND server using you as a forwarder that does not understand negative answers which contain both SOA and NS records or you have an old version of sendmail. The correct fix is to upgrade the broken server or sendmail. The default is <CODE CLASS="Program-Process">
-no</CODE>
+ </A>
+If <EM CLASS="variable">
+yes</EM>
+, the server will send NS records along with the SOA record for negative answers. You need to set this to <EM CLASS="variable">
+no</EM>
+ if you have an old BIND server using you as a forwarder that does not understand negative answers which contain both SOA and NS records or you have an old version of sendmail. The correct fix is to upgrade the broken server or sendmail. The default is <EM CLASS="variable">
+no</EM>
 . <EM CLASS="Emphasis">
 Not yet implemented in BINDv9</EM>
 .</P>
@@ -2093,16 +2228,17 @@ Not yet implemented in BINDv9</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023686">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
-use-id-pool</CODE></H6>
+use-id-pool</CODE>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023688">
-</A>
+ </A>
 <EM CLASS="Emphasis">
 This option is obsolete</EM>
 .  BINDv9 always allocates query IDs from a pool.</P>
@@ -2110,24 +2246,24 @@ This option is obsolete</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997719">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 treat-cr-as-space</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997721">
-</A>
+ </A>
 This option was used in BIND 8 to make the server treat `<CODE CLASS="Program-Process">
 \r</CODE>
 ' characters the same way as <CODE CLASS="Program-Process">
 &lt;space&gt; </CODE>
-&quot;<CODE CLASS="Program-Process">
+`<CODE CLASS="Program-Process">
  </CODE>
-&quot; or `<CODE CLASS="Program-Process">
+` or `<CODE CLASS="Program-Process">
 \t</CODE>
 ', to facilitate loading of zone files on a UNIX system that were generated on an NT or DOS machine. In BINDv9, both UNIX `<CODE CLASS="Program-Process">
 \n</CODE>
@@ -2142,61 +2278,61 @@ This option was used in BIND 8 to make the server treat `<CODE CLASS="Program-Pr
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997723">
-</A>
+ </A>
 5.2.12.2	Forwarding</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997724">
-</A>
+ </A>
 The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external nameservers. It can also be used to allow queries by servers that do not have direct access to the Internet, but wish to look up exterior names anyway. Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in its cache.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997734">
-</A>
+ </A>
 &nbsp;</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997727">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 forward</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997729">
-</A>
-This option is only meaningful if the forwarders list is not empty. A value of <CODE CLASS="Program-Process">
-first</CODE>
-, the default, causes the server to query the forwarders first, and if that doesn't answer the question the server will then look for the answer itself. If <CODE CLASS="Program-Process">
-only</CODE>
+ </A>
+This option is only meaningful if the forwarders list is not empty. A value of <EM CLASS="variable">
+first</EM>
+, the default, causes the server to query the forwarders first, and if that doesn't answer the question the server will then look for the answer itself. If <EM CLASS="variable">
+only</EM>
  is specified, the server will only query the forwarders.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997731">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 forwarders</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997733">
-</A>
+ </A>
 Specifies the IP addresses to be used for forwarding. The default is the empty list (no forwarding).</P>
 </TD>
 </TR>
 </TABLE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997735">
-</A>
+ </A>
 Forwarding can also be configured on a per-domain basis, allowing for the global forwarding options to be overridden in a variety of ways. You can set particular domains to use different forwarders, or have different <CODE CLASS="Program-Process">
 forward only/first behavior</CODE>
-, or not forward at all. See <A HREF="BV9ARM.5.html#20328" CLASS="XRef">
+, or not forward at all. See <A HREF="Bv9ARM.5.html#20328" CLASS="XRef">
 zone Statement Grammar</A>
  for more information.</P>
 </DIV>
@@ -2204,90 +2340,92 @@ zone Statement Grammar</A>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997741">
-</A>
+ </A>
 5.2.12.3	<A NAME="30910">
-</A>
+ </A>
 Name Checking</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997742">
-</A>
+ </A>
 The server can check domain names based upon their expected client contexts. For example, a domain name used as a hostname can be checked for compliance with the RFCs defining valid hostnames.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997743">
-</A>
+ </A>
 Three checking methods are available:</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997757">
-</A>
+ </A>
 &nbsp;</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997746">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 ignore</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997748">
-</A>
+ </A>
 No checking is done.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997750">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 warn</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997752">
-</A>
+ </A>
 Names are checked against their expected client contexts. Invalid names are logged, but processing continues normally.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997754">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 fail</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997756">
-</A>
+ </A>
 Names are checked against their expected client contexts. Invalid names are logged, and the offending data is rejected.</P>
 </TD>
 </TR>
 </TABLE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997758">
-</A>
+ </A>
 The server can check names in three areas: master zone files, slave zone files, and in responses to queries the server has initiated. If <CODE CLASS="Program-Process">
 check-names response fail</CODE>
  has been specified, and answering the client's question would require sending an invalid name to the client, the server will send a REFUSED response code to the client.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997759">
-</A>
+ </A>
 The defaults are:</P>
-<PRE CLASS="4Level-fixed1"><A NAME="pgfId=997760"></A>
-    check-names master fail;
+ 
+<PRE>
+<CODE>    check-names master fail;
     check-names slave warn;
-    check-names response ignore;</PRE>
+    check-names response ignore;</CODE>
+</PRE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997763">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 check-names</CODE>
  may also be specified in the <CODE CLASS="Program-Process">
@@ -2299,7 +2437,7 @@ zone</CODE>
  statement, the area is not specified (because it can be deduced from the zone type).</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1023294">
-</A>
+ </A>
 <EM CLASS="Emphasis">
 Name checking is not yet implemented in BINDv9.</EM>
 </P>
@@ -2308,35 +2446,35 @@ Name checking is not yet implemented in BINDv9.</EM>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997765">
-</A>
+ </A>
 5.2.12.4	<A NAME="40536">
-</A>
+ </A>
 Access Control</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997766">
-</A>
-Access to the server can be restricted based on the IP address of the requesting system. See <A HREF="BV9ARM.5.html#28183" CLASS="XRef">
+ </A>
+Access to the server can be restricted based on the IP address of the requesting system. See <A HREF="Bv9ARM.5.html#28183" CLASS="XRef">
 Address Match Lists</A>
  for details on how to specify IP address lists.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997787">
-</A>
+ </A>
 &nbsp;</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997772">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 allow-query</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997774">
-</A>
+ </A>
 Specifies which hosts are allowed to ask ordinary questions. <CODE CLASS="Program-Process">
 allow-query</CODE>
  may also be specified in the <CODE CLASS="Program-Process">
@@ -2348,33 +2486,33 @@ options allow-query</CODE>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997776">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 allow-recursion</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997778">
-</A>
+ </A>
 Specifies which hosts are allowed to make recursive queries through this server. If not specified, the default is to allow recursive queries from all hosts. </P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997780">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 allow-transfer</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997782">
-</A>
+ </A>
 Specifies which hosts are allowed to receive zone transfers from the server. <CODE CLASS="Program-Process">
 allow-transfer</CODE>
  may also be specified in the <CODE CLASS="Program-Process">
@@ -2386,17 +2524,17 @@ options allow-transfer</CODE>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997784">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 blackhole</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997786">
-</A>
+ </A>
 Specifies a list of addresses that the server will not accept queries from or use to resolve a query. Queries from these addresses will not be responded to. The default is <CODE CLASS="Program-Process">
 none</CODE>
 .  <EM CLASS="Emphasis">
@@ -2410,12 +2548,12 @@ Not yet implemented in BINDv9.</EM>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997788">
-</A>
+ </A>
 5.2.12.5	Interfaces</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997789">
-</A>
+ </A>
 The interfaces and ports that the server will answer queries from may be specified using the <CODE CLASS="Program-Process">
 listen-on</CODE>
  option. <CODE CLASS="Program-Process">
@@ -2425,24 +2563,26 @@ address_match_list</CODE>
 . The server will listen on all interfaces allowed by the address match list. If a port is not specified, port 53 will be used.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997790">
-</A>
+ </A>
 Multiple listen-on statements are allowed. For example,</P>
-<PRE CLASS="4Level-fixed1"><A NAME="pgfId=997791"></A>
-listen-on { 5.6.7.8; };
-listen-on port 1234 { !1.2.3.4; 1.2/16; };</PRE>
+ 
+<PRE>
+<CODE>listen-on { 5.6.7.8; };
+listen-on port 1234 { !1.2.3.4; 1.2/16; };</CODE>
+</PRE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997793">
-</A>
+ </A>
 will enable the nameserver on port 53 for the IP address 5.6.7.8, and on port 1234 of an address on the machine in net 1.2 that is not 1.2.3.4.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997794">
-</A>
+ </A>
 If no <CODE CLASS="Program-Process">
 listen-on</CODE>
  is specified, the server will listen on port 53 on all interfaces.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1023295">
-</A>
+ </A>
 The listen-on option only applies to IPv4.  Currently, the server always listens for IPv6 requests on a wildcard address and port 53.  A separate <CODE CLASS="Program-Process">
 listen-on-v6</CODE>
  option may be added in a later release.</P>
@@ -2451,12 +2591,12 @@ listen-on-v6</CODE>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997795">
-</A>
+ </A>
 5.2.12.6	Query Address</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997796">
-</A>
+ </A>
 If the server doesn't know the answer to a question, it will query other nameservers. <CODE CLASS="Program-Process">
 query-source</CODE>
  specifies the address and port used for such queries. For queries sent over IPv6, there is a separate <CODE CLASS="Program-Process">
@@ -2472,12 +2612,14 @@ port</CODE>
  is <CODE CLASS="Program-Process">
 *</CODE>
  or is omitted, a random unprivileged port will be used. The defaults are</P>
-<PRE CLASS="4Level-fixed1"><A NAME="pgfId=997797"></A>
-query-source address * port *;
-query-source-v6 address * port *</PRE>
+ 
+<PRE>
+<CODE>query-source address * port *;
+query-source-v6 address * port *</CODE>
+</PRE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997798">
-</A>
+ </A>
 Note: <CODE CLASS="Program-Process">
 query-source</CODE>
  currently applies only to UDP queries; TCP queries always use a wildcard IP address and a random unprivileged port.</P>
@@ -2486,94 +2628,151 @@ query-source</CODE>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997800">
-</A>
+ </A>
 5.2.12.7	<A NAME="32057">
-</A>
+ </A>
 Zone Transfers</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997801">
-</A>
+ </A>
 BIND has mechanisms in place to facilitate zone transfers and set limits on the amount of load that transfers place on the system. The following options apply to zone transfers.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997835">
-</A>
+ </A>
 &nbsp;</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
+<A NAME="pgfId=1040036">
+ </A>
+<CODE CLASS="Program-Process">
+also-notify</CODE>
+</P>
+</TD>
+<TD ROWSPAN="1" COLSPAN="1">
+<P CLASS="CellBody">
+<A NAME="pgfId=1040039">
+ </A>
+Defines a global list of IP addresses that are also sent NOTIFY messages whenever a fresh copy of the zone is loaded. This helps to ensure that copies of the zones will quickly converge on &quot;stealth&quot; servers. If an <CODE CLASS="Program-Process">
+also-notify</CODE>
+ list is given in a <CODE CLASS="Program-Process">
+zone</CODE>
+ statement, it will override the <CODE CLASS="Program-Process">
+options also-notify</CODE>
+ statement. When a <CODE CLASS="Program-Process">
+zone notify</CODE>
+ statement is set to <CODE CLASS="Program-Process">
+no</CODE>
+, the IP addresses in the global <CODE CLASS="Program-Process">
+also-notify</CODE>
+ list will not be sent NOTIFY messages for that zone. The default is the empty list (no global notification list). <EM CLASS="Emphasis">
+Not yet implemented in BINDv9.</EM>
+</P>
+</TD>
+</TR>
+<TR>
+<TD ROWSPAN="1" COLSPAN="1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997804">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 max-transfer-time-in</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997806">
-</A>
+ </A>
 Inbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes (2 hours).</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023326">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
-max-transfer-idle-in</CODE></H6>
+max-transfer-idle-in</CODE>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023328">
-</A>
+ </A>
 Inbound zone transfers making no progress in this many minutes will be terminated. The default is 60 minutes (1 hour).</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023322">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
-max-transfer-time-out</CODE></H6>
+max-transfer-time-out</CODE>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023324">
-</A>
+ </A>
 Outbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes (2 hours).</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023318">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
-max-transfer-idle-out</CODE></H6>
+max-transfer-idle-out</CODE>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023320">
-</A>
-Outbound zone transfers making no progress in this many minutes will be terminated.  The default is 60 minutes (1 hour).</P>
+ </A>
+Outbound zone transfers making no progress in this many minutes will be terminated.  The default is 60 minutes</P>
+<P CLASS="CellBody">
+<A NAME="pgfId=1059994">
+ </A>
+(1 hour).</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
+<A NAME="pgfId=1040047">
+ </A>
+<CODE CLASS="Program-Process">
+serial-queries</CODE>
+</P>
+</TD>
+<TD ROWSPAN="1" COLSPAN="1">
+<P CLASS="CellBody">
+<A NAME="pgfId=1040049">
+ </A>
+Slave servers will periodically query master servers to find out if zone serial numbers have changed. Each such query uses a minute amount of the slave server's network bandwidth, but more importantly each query uses a small amount of memory in the slave server while waiting for the master server to respond. The <CODE CLASS="Program-Process">
+serial-queries </CODE>
+option sets the maximum number of concurrent serial-number queries allowed to be outstanding at any given time. The default is 4. Note: If a server loads a large (tens or hundreds of thousands) number of slave zones, then this limit should be raised to the high hundreds or low thousands -- otherwise the slave server may never actually become aware of zone changes in the master servers. Beware, though, that setting this limit arbitrarily high can spend a considerable amount of your slave server's network, CPU, and memory resources. As with all tunable limits, this one should be changed gently and monitored for its effects. <EM CLASS="Emphasis">
+Not yet implemented in BINDv9.</EM>
+</P>
+</TD>
+</TR>
+<TR>
+<TD ROWSPAN="1" COLSPAN="1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997808">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 transfer-format</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997810">
-</A>
+ </A>
 The server supports two zone transfer methods. <CODE CLASS="Program-Process">
 one-answer</CODE>
  uses one DNS message per resource record transferred. <CODE CLASS="Program-Process">
@@ -2591,17 +2790,17 @@ server</CODE>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997812">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 transfers-in</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997814">
-</A>
+ </A>
 The maximum number of inbound zone transfers that can be running concurrently. The default value is 10. Increasing <CODE CLASS="Program-Process">
 transfers-in</CODE>
  may speed up the convergence of slave zones, but it also may increase the load on the local system.</P>
@@ -2609,33 +2808,33 @@ transfers-in</CODE>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997816">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 transfers-out</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997818">
-</A>
+ </A>
 The maximum number of outbound zone transfers that can be running concurrently. Zone transfer requests in excess of the limit will be refused. The default value is 10.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997820">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 transfers-per-ns</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997822">
-</A>
+ </A>
 The maximum number of inbound zone transfers that can be concurrently transferring from a given remote nameserver. The default value is 2. Increasing <CODE CLASS="Program-Process">
 transfers-per-ns</CODE>
  may speed up the convergence of slave zones, but it also may increase the load on the remote nameserver. <CODE CLASS="Program-Process">
@@ -2649,17 +2848,17 @@ server</CODE>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997824">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 transfer-source</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997826">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 transfer-source</CODE>
  determines which local address will be bound to IPv4 TCP connections used to fetch zones transferred inbound by the server. If not set, it defaults to a system controlled value which will usually be the address of the interface &quot;closest to&quot; the remote end. This address must appear in the remote end's <CODE CLASS="Program-Process">
@@ -2676,87 +2875,38 @@ zone</CODE>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023338">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
-transfer-source-v6</CODE></H6>
+transfer-source-v6</CODE>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023340">
-</A>
+ </A>
 Like <CODE CLASS="Program-Process">
 transfer-source</CODE>
 , but for zone transfers performed using IPv6.</P>
 </TD>
 </TR>
-<TR>
-<TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=997828">
-</A>
-<CODE CLASS="Program-Process">
-serial-queries</CODE>
-</H6>
-</TD>
-<TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody">
-<A NAME="pgfId=997830">
-</A>
-Slave servers will periodically query master servers to find out if zone serial numbers have changed. Each such query uses a minute amount of the slave server's network bandwidth, but more importantly each query uses a small amount of memory in the slave server while waiting for the master server to respond. The <CODE CLASS="Program-Process">
-serial-queries </CODE>
-option sets the maximum number of concurrent serial-number queries allowed to be outstanding at any given time. The default is 4. Note: If a server loads a large (tens or hundreds of thousands) number of slave zones, then this limit should be raised to the high hundreds or low thousands -- otherwise the slave server may never actually become aware of zone changes in the master servers. Beware, though, that setting this limit arbitrarily high can spend a considerable amount of your slave server's network, CPU, and memory resources. As with all tunable limits, this one should be changed gently and monitored for its effects. <EM CLASS="Emphasis">
-Not yet implemented in BINDv9.</EM>
-</P>
-</TD>
-</TR>
-<TR>
-<TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=997832">
-</A>
-<CODE CLASS="Program-Process">
-also-notify</CODE>
-</H6>
-</TD>
-<TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody">
-<A NAME="pgfId=997834">
-</A>
-Defines a global list of IP addresses that are also sent NOTIFY messages whenever a fresh copy of the zone is loaded. This helps to ensure that copies of the zones will quickly converge on &quot;stealth&quot; servers. If an <CODE CLASS="Program-Process">
-also-notify</CODE>
- list is given in a <CODE CLASS="Program-Process">
-zone</CODE>
- statement, it will override the <CODE CLASS="Program-Process">
-options also-notify</CODE>
- statement. When a <CODE CLASS="Program-Process">
-zone notify</CODE>
- statement is set to <CODE CLASS="Program-Process">
-no</CODE>
-, the IP addresses in the global <CODE CLASS="Program-Process">
-also-notify</CODE>
- list will not be sent NOTIFY messages for that zone. The default is the empty list (no global notification list). <EM CLASS="Emphasis">
-Not yet implemented in BINDv9.</EM>
-</P>
-</TD>
-</TR>
 </TABLE>
 </DIV>
 <DIV>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997836">
-</A>
+ </A>
 5.2.12.8	Resource Limits</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997837">
-</A>
+ </A>
 The server's usage of many system resources can be limited. Some operating systems don't support some of the limits. On such systems, a warning will be issued if the unsupported limit is used. Some operating systems don't support limiting resources.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997838">
-</A>
+ </A>
 Scaled values are allowed when specifying resource limits. For example, <CODE CLASS="Program-Process">
 1G</CODE>
  can be used instead of <CODE CLASS="Program-Process">
@@ -2767,29 +2917,29 @@ unlimited</CODE>
 default</CODE>
  uses the limit that was in force when the server was started. See the description of <CODE CLASS="Program-Process">
 size_spec</CODE>
- in <A HREF="BV9ARM.5.html#40894" CLASS="XRef">
+ in <A HREF="Bv9ARM.5.html#40894" CLASS="XRef">
 Configuration File Grammar</A>
  for more details.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997863">
-</A>
+ </A>
 &nbsp;</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997844">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 coresize</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997846">
-</A>
-The maximum size of a core dump. The default is <CODE CLASS="Program-Process">
-default</CODE>
+ </A>
+The maximum size of a core dump. The default is <EM CLASS="variable">
+default</EM>
 . <EM CLASS="Emphasis">
 Not yet implemented in BINDv9.</EM>
 </P>
@@ -2797,19 +2947,19 @@ Not yet implemented in BINDv9.</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997848">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 datasize</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997850">
-</A>
-The maximum amount of data memory the server may use. The default is <CODE CLASS="Program-Process">
-default</CODE>
+ </A>
+The maximum amount of data memory the server may use. The default is <EM CLASS="variable">
+default</EM>
 . <EM CLASS="Emphasis">
 Not yet implemented in BINDv9.</EM>
 </P>
@@ -2817,21 +2967,21 @@ Not yet implemented in BINDv9.</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997852">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 files</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997854">
-</A>
-The maximum number of files the server may have open concurrently. The default is <CODE CLASS="Program-Process">
-unlimited</CODE>
-. Note: on some operating systems the server cannot set an unlimited value and cannot determine the maximum number of open files the kernel can support. On such systems, choosing <CODE CLASS="Program-Process">
-unlimited</CODE>
+ </A>
+The maximum number of files the server may have open concurrently. The default is <EM CLASS="variable">
+unlimited</EM>
+. Note: on some operating systems the server cannot set an unlimited value and cannot determine the maximum number of open files the kernel can support. On such systems, choosing <EM CLASS="variable">
+unlimited</EM>
  will cause the server to use the larger of the <CODE CLASS="Program-Process">
 rlim_max</CODE>
  for <CODE CLASS="Program-Process">
@@ -2847,17 +2997,17 @@ Not yet implemented in BINDv9.</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997856">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 max-ixfr-log-size</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997858">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 max-ixfr-log-size</CODE>
  will be used in a future release of the server to limit the size of the transaction log kept for Incremental Zone Transfer. <EM CLASS="Emphasis">
@@ -2867,19 +3017,35 @@ Not yet implemented in BINDv9.</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
+<A NAME="pgfId=1040060">
+ </A>
+<CODE CLASS="Program-Process">
+recursive-clients</CODE>
+</P>
+</TD>
+<TD ROWSPAN="1" COLSPAN="1">
+<P CLASS="CellBody">
+<A NAME="pgfId=1040062">
+ </A>
+The maximum number of simultaneous recursive lookup the server will perform on behalf of clients.  The default is 100.</P>
+</TD>
+</TR>
+<TR>
+<TD ROWSPAN="1" COLSPAN="1">
+<P CLASS="CellBody">
 <A NAME="pgfId=997860">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 stacksize</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997862">
-</A>
-The maximum amount of stack memory the server may use. The default is <CODE CLASS="Program-Process">
-default</CODE>
+ </A>
+The maximum amount of stack memory the server may use. The default is <EM CLASS="variable">
+default</EM>
 . <EM CLASS="Emphasis">
 Not yet implemented in BINDv9.</EM>
 </P>
@@ -2887,37 +3053,24 @@ Not yet implemented in BINDv9.</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023744">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
-tcp-clients</CODE></H6>
+tcp-clients</CODE>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023746">
-</A>
+ </A>
 The maximum number of simultaneous client TCP connections that the server will accept. The default is 100.</P>
 </TD>
 </TR>
-<TR>
-<TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1023740">
-</A>
-<CODE CLASS="Program-Process">recursive-clients</CODE></H6>
-</TD>
-<TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody">
-<A NAME="pgfId=1023742">
-</A>
-The maximum number of simultaneous recursive lookup the server will perform on behalf of clients.  The default is 100.</P>
-</TD>
-</TR>
 </TABLE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1023396">
-</A>
+ </A>
 <EM CLASS="Emphasis">
 Resource limits are not yet implemented in BINDv9.</EM>
 </P>
@@ -2926,27 +3079,27 @@ Resource limits are not yet implemented in BINDv9.</EM>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=1023375">
-</A>
+ </A>
 5.2.12.9	Periodic Task Intervals</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1023393">
-</A>
+ </A>
 &nbsp;</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023378">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 cleaning-interval</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023380">
-</A>
+ </A>
 The server will remove expired resource records from the cache every <CODE CLASS="Program-Process">
 cleaning-interval </CODE>
 minutes. The default is 60 minutes. If set to 0, no  periodic cleaning will occur.</P>
@@ -2954,17 +3107,17 @@ minutes. The default is 60 minutes. If set to 0, no  periodic cleaning will occu
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023382">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 heartbeat-interval</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023384">
-</A>
+ </A>
 The server will perform zone maintenance tasks for all zones marked  <CODE CLASS="Program-Process">
 dialup yes</CODE>
  whenever this interval expires. The default is 60 minutes.  Reasonable values are up to 1 day (1440 minutes). If set to 0, no zone maintenance for these zones will occur. <EM CLASS="Emphasis">
@@ -2974,17 +3127,17 @@ Not yet implemented in BINDv9.</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023386">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 interface-interval</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023388">
-</A>
+ </A>
 The server will scan the network interface list every <CODE CLASS="Program-Process">
 interface-interval</CODE>
  minutes. The default is 60 minutes. If set to 0,  interface scanning will only occur when the configuration file is  loaded. After the scan, listeners will be started on any new interfaces (provided they are allowed by the <CODE CLASS="Program-Process">
@@ -2994,17 +3147,17 @@ listen-on</CODE>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=1023390">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 statistics-interval</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1023392">
-</A>
+ </A>
 Nameserver statistics will be logged every <CODE CLASS="Program-Process">
 statistics-interval</CODE>
  minutes. The default is 60. If set to 0, no statistics will be logged. <EM CLASS="Emphasis">
@@ -3018,38 +3171,43 @@ Not yet implemented in BINDv9.</EM>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997884">
-</A>
+ </A>
 5.2.12.10	<A NAME="15119">
-</A>
+ </A>
 Topology</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997885">
-</A>
+ </A>
 All other things being equal, when the server chooses a nameserver to query from a list of nameservers, it prefers the one that is topologically closest to itself. The <CODE CLASS="Program-Process">
 topology</CODE>
  statement takes an <CODE CLASS="Program-Process">
 address_match_list</CODE>
  and interprets it in a special way. Each top-level list element is assigned a distance. Non-negated elements get a distance based on their position in the list, where the closer the match is to the start of the list, the shorter the distance is between it and the server. A negated match will be assigned the maximum distance from the server. If there is no match, the address will get a distance which is further than any non-negated list element, and closer than any negated element. For example,</P>
-<PRE CLASS="4Level-fixed1"><A NAME="pgfId=997886"></A>
-    topology {
+ 
+<PRE>
+<CODE>    topology {
     10/8;
     !1.2.3/24;
     { 1.2/16; 3/8; };
-    };</PRE>
+    };</CODE>
+</PRE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997891">
-</A>
+ </A>
 will prefer servers on network 10 the most, followed by hosts on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the exception of hosts on network 1.2.3 (netmask 255.255.255.0), which is preferred least of all.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997892">
-</A>
+ </A>
 The default topology is</P>
-<PRE CLASS="4Level-fixed1"><A NAME="pgfId=1023414"></A>
-    topology { localhost; localnets; };</PRE>
+ 
+<PRE>
+CODE>    topology { localhost; localnets; };
+</CODE>
+</PRE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1023427">
-</A>
+ </A>
 <EM CLASS="Emphasis">
 The </EM>
 <CODE CLASS="Program-Process">
@@ -3062,16 +3220,16 @@ topology</CODE>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=1023411">
-</A>
+ </A>
 5.2.12.11	<A NAME="39491">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 sortlist</CODE>
  Statement</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997896">
-</A>
+ </A>
 Resource Records (RRs) are the data associated with the names in a  domain name space. The data is maintained in the form of sets of RRs. The order of RRs in a set is, by default, not significant. Therefore, to control the sorting of records in a set resource records, or <EM CLASS="Optional-meta-syntax">
 RRset</EM>
 , you must use the <CODE CLASS="Program-Process">
@@ -3079,26 +3237,26 @@ sortlist</CODE>
  statement.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997899">
-</A>
-RRs are explained more fully in <A HREF="BV9ARM.5.html#29114" CLASS="XRef">
+ </A>
+RRs are explained more fully in <A HREF="Bv9ARM.5.html#29114" CLASS="XRef">
 See Types of Resource Records and When to Use Them.</A>
 . Specifications for RRs are documented in RFC 1035.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997901">
-</A>
-When returning multiple RRs, the nameserver will normally return them in <EM CLASS="Optional-meta-syntax">
-Round Robin</EM>
- order, i.e. after each request, the first RR is put at the end of the list. The client resolver code should rearrange the RRs as appropriate, i.e. using any addresses on the local net in preference to other addresses. However, not all resolvers can do this or are correctly configured. When a client is using a local server the sorting can be performed in the server, based on the client's address. This only requires configuring the nameservers, not all the clients.</P>
+ </A>
+When returning multiple RRs, the nameserver will normally return them in <EM CLASS="Emphasis">
+Round Robin </EM>
+order, i.e. after each request, the first RR is put at the end of the list. The client resolver code should rearrange the RRs as appropriate, i.e. using any addresses on the local net in preference to other addresses. However, not all resolvers can do this or are correctly configured. When a client is using a local server the sorting can be performed in the server, based on the client's address. This only requires configuring the nameservers, not all the clients.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997902">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 sortlist</CODE>
  statement (see below) takes an <CODE CLASS="Program-Process">
 address_match_list </CODE>
 and interprets it even more specifically than the <CODE CLASS="Program-Process">
 topology</CODE>
- statement does (see <A HREF="BV9ARM.5.html#15119" CLASS="XRef">
+ statement does (see <A HREF="Bv9ARM.5.html#15119" CLASS="XRef">
 Topology</A>
 ). Each top level statement in the <CODE CLASS="Program-Process">
 sortlist</CODE>
@@ -3109,7 +3267,7 @@ address_match_list</CODE>
 ) of each top level list is checked against the source address of the query until a match is found.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997906">
-</A>
+ </A>
 Once the source address of the query has been matched, if the top level statement contains only one element, the actual primitive element that matched the source address is used to select the address in the response to move to the beginning of the response. If the statement is a list of two elements, then the second element is treated like the <CODE CLASS="Program-Process">
 address_match_list</CODE>
  in a <CODE CLASS="Program-Process">
@@ -3117,12 +3275,13 @@ topology</CODE>
  statement. Each top level element is assigned a distance and the address in the response with the minimum distance is moved to the beginning of the response.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997907">
-</A>
+ </A>
 In the following example, any queries received from any of the addresses of the host itself will get responses preferring addresses on any of the locally connected networks. Next most preferred are addresses on the 192.168.1/24 network, and after that either the 192.168.2/24 or<BR>
 192.168.3/24 network with no preference shown between these two networks. Queries received from a host on the 192.168.1/24 network will prefer other addresses on that network to the 192.168.2/24 and<BR>
 192.168.3/24 networks. Queries received from a host on the 192.168.4/24 or the 192.168.5/24 network will only prefer other addresses on their directly connected networks.</P>
-<PRE CLASS="4Level-fixed1"><A NAME="pgfId=997908"></A>
-sortlist {
+ 
+<PRE>
+<CODE>sortlist {
     { localhost;            // IF   the local host
         { localnets;        // THEN first fit on the
             192.168.1/24;   //   following nets
@@ -3139,19 +3298,25 @@ sortlist {
     { { 192.168.4/24; 192.168.5/24; };
                           // if .4 or .5, prefer that net
     };
-};</PRE>
+};</CODE>
+</PRE>
+
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997923">
-</A>
+ </A>
 The following example will give reasonable behavior for the local host and hosts on directly connected networks. It is similar to the behavior of the address sort in BIND 8.x. Responses sent to queries from the local host will favor any of the directly connected networks. Responses sent to queries from any other hosts on a directly connected network will prefer addresses on that same network. Responses to other queries will not be sorted.</P>
-<PRE CLASS="4Level-fixed1"><A NAME="pgfId=997924"></A>
+ 
+<PRE>
+<CODE>
 sortlist {
            { localhost; localnets; };
            { localnets; };
-};</PRE>
+};</CODE>
+</PRE>
+
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1023426">
-</A>
+ </A>
 <EM CLASS="Emphasis">
 The </EM>
 <CODE CLASS="Program-Process">
@@ -3164,108 +3329,115 @@ sortlist</CODE>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997929">
-</A>
+ </A>
 5.2.12.12	<A NAME="22766">
-</A>
+ </A>
 RRset Ordering</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997930">
-</A>
+ </A>
 When multiple records are returned in an answer it may be useful to configure the order of the records placed into the response. For example, the records for a zone might be configured always to be returned in the order they are defined in the zone file. Or perhaps a random shuffle of the records as they are returned is wanted. The <CODE CLASS="Program-Process">
 rrset-order</CODE>
  statement permits configuration of the ordering made of the records in a multiple record response. The default, if no ordering is defined, is a cyclic ordering (round robin).</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997931">
-</A>
+ </A>
 An <CODE CLASS="Program-Process">
 order_spec</CODE>
  is defined as follows:</P>
-<PRE CLASS="4Level-fixedSmall"><A NAME="pgfId=997932"></A>
-[ class <EM CLASS="variable">class_name</EM> ][ type <EM CLASS="variable">type_name</EM> ][ name &quot;<EM CLASS="variable">domain_name</EM>&quot;] order <EM CLASS="variable">ordering</EM>
+ 
+<PRE>
+<CODE>
+[ class <VAR>class_name</VAR> ][ type <VAR>type_name</VAR> ][ name &quot;<EM>domain_name</EM>&quot;]
+      order <VAR>ordering</VAR></CODE>
 </PRE>
+
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997933">
-</A>
+ </A>
 If no class is specified, the default is <CODE CLASS="Program-Process">
 ANY</CODE>
 . If no type is specified, the default is <CODE CLASS="Program-Process">
 ANY</CODE>
-. If no name is specified, the default is &quot;<CODE CLASS="Program-Process">
+. If no name is specified, the default is `<CODE CLASS="Program-Process">
 *</CODE>
-&quot;.</P>
+'.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997934">
-</A>
+ </A>
 The legal values for <CODE CLASS="Program-Process">
 ordering</CODE>
  are:</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997948">
-</A>
+ </A>
 &nbsp;</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997937">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 fixed</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997939">
-</A>
+ </A>
 Records are returned in the order they are defined in the zone file.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997941">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 random</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997943">
-</A>
+ </A>
 Records are returned in some random order.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997945">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 cyclic</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997947">
-</A>
+ </A>
 Records are returned in a round-robin order.</P>
 </TD>
 </TR>
 </TABLE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997949">
-</A>
+ </A>
 For example:</P>
-<PRE CLASS="4Level-fixed1"><A NAME="pgfId=997950"></A>
-    rrset-order {
-        class IN type A name &quot;host.example.com&quot; order random;
-        order cyclic;
-    };</PRE>
+ 
+<PRE>
+<CODE>    rrset-order {
+        class <VAR>IN</VAR> type <VAR>A</VAR> name &quot;<EM>host.example.com</EM>&quot; order <VAR>random</VAR>;
+        order <VAR>cyclic</VAR>;
+    };
+</CODE>
+</PRE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997954">
-</A>
+ </A>
 will cause any responses for type <EM CLASS="Optional-meta-syntax">
 A</EM>
  records in class <EM CLASS="Optional-meta-syntax">
@@ -3273,25 +3445,29 @@ IN</EM>
  that have &quot;host.example.com&quot; as a suffix, to always be returned in random order. All other records are returned in cyclic order.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997955">
-</A>
+ </A>
 If multiple <CODE CLASS="Program-Process">
 rrset-order</CODE>
  statements appear, they are not combined--the last one applies.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997956">
-</A>
+ </A>
 If no <CODE CLASS="Program-Process">
 rrset-order</CODE>
  statement is specified, then a default one of:</P>
-<PRE CLASS="4Level-fixed1"><A NAME="pgfId=997957"></A>
-    rrset-order { class ANY type ANY name &quot;*&quot;; order cyclic ; };</PRE>
+ 
+<PRE>
+<CODE>    rrset-order { class <VAR>ANY</VAR> type <VAR>ANY</VAR> name &quot;<EM>*</EM>&quot;; order <VAR>cyclic</VAR> 
+     };</CODE>
+</PRE>
+
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997958">
-</A>
+ </A>
 is used.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1023432">
-</A>
+ </A>
 <EM CLASS="Emphasis">
 The </EM>
 <CODE CLASS="Program-Process">
@@ -3304,27 +3480,27 @@ rrset-order</CODE>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997959">
-</A>
+ </A>
 5.2.12.13	Tuning</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=997973">
-</A>
+ </A>
 &nbsp;</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997962">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 lame-ttl</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997964">
-</A>
+ </A>
 Sets the number of seconds to cache a lame server indication. 0 disables caching. (This is NOT recommended.) Default is 600 (10 minutes). Maximum value is 1800 (30 minutes). <EM CLASS="Emphasis">
 Not yet implemented in BINDv9.</EM>
 </P>
@@ -3332,17 +3508,17 @@ Not yet implemented in BINDv9.</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997966">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 max-ncache-ttl</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997968">
-</A>
+ </A>
 To reduce network traffic and increase performance the server stores negative answers. <CODE CLASS="Program-Process">
 max-ncache-ttl</CODE>
  is used to set a maximum retention time for these answers in the server in seconds. The default<BR>
@@ -3358,17 +3534,17 @@ Not yet implemented in BINDv9.</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=997970">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 min-roots</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=997972">
-</A>
+ </A>
 The minimum number of root servers that is required for a request for the root servers to be accepted. Default is 2. <EM CLASS="Emphasis">
 Not yet implemented in BINDv9.</EM>
 </P>
@@ -3380,59 +3556,65 @@ Not yet implemented in BINDv9.</EM>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=997974">
-</A>
+ </A>
 5.2.12.14	Deprecated Features</H5>
 </OL>
 <P CLASS="4LevelContinued">
-<A NAME="pgfId=997975">
-</A>
+<A NAME="pgfId=1038290">
+ </A>
 <CODE CLASS="Program-Process">
 use-ixfr</CODE>
  is deprecated in BINDv9. If you need to disable IXFR to a particular server or servers see information on the  <CODE CLASS="Program-Process">
 provide-ixfr</CODE>
- option in the Server Statement description (<A HREF="BV9ARM.5.html#34774" CLASS="XRef">
+ option in the Server Statement description (<A HREF="Bv9ARM.5.html#34774" CLASS="XRef">
 server Statement Grammar</A>
- , below) and  in the description of Incremental Transfer (IXFR) (<A HREF="BV9ARM.4.html#19780" CLASS="XRef">
-Incremental Transfer (IXFR)</A>
-).</P>
+ , below) and  in the description of Incremental Transfer (IXFR) in the section <A HREF="Bv9ARM.4.html#19780" CLASS="XRef">
+Incremental Zone Transfers (IXFR)</A>
+.</P>
 </DIV>
 </DIV>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
-<A NAME="pgfId=997983">
-</A>
+<A NAME="pgfId=1038295">
+ </A>
 5.2.13	<CODE CLASS="Program-Process">
 server</CODE>
 <A NAME="34774">
-</A>
+ </A>
  Statement Grammar</H4>
 </OL>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997984"></A>
-server <EM CLASS="URL">ip_addr</EM>{
-    <EM CLASS="Optional-meta-syntax">[</EM>bogus <EM CLASS="variable">yes_or_no</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> provide-ixfr <EM CLASS="variable">yes_or_no</EM> ; <EM CLASS="Optional-meta-syntax">]   [</EM> request-ixfr <EM CLASS="variable">yes_or_no</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> transfers <EM CLASS="variable">number</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> transfer-format <EM CLASS="Optional-meta-syntax">(</EM>one-answer <EM CLASS="Optional-meta-syntax">|</EM> many-answers<EM CLASS="Optional-meta-syntax">)</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-    <EM CLASS="Optional-meta-syntax">[</EM> keys { <EM CLASS="variable">string</EM> ; <EM CLASS="Optional-meta-syntax">[</EM> <EM CLASS="variable">string</EM> ; <EM CLASS="Optional-meta-syntax">[...]]</EM> } ; <EM CLASS="Optional-meta-syntax">]</EM>
-};</PRE>
+<PRE>
+<CODE> 
+<PRE>
+server <VAR>ip_addr</VAR> {
+    [ bogus <VAR>yes_or_no</VAR> ; ]
+    [ provide-ixfr <VAR>yes_or_no</VAR> ; ]
+    [ request-ixfr <VAR>yes_or_no</VAR> ; ]
+    [ transfers <VAR>number</VAR> ; ]
+    [ transfer-format (one-answer | many-answers) ; ]
+    [ keys { <VAR>string</VAR> ; [ <VAR>string</VAR> ; [...]] } ; ]
+};
+</CODE>
+</PRE>
+</PRE>
 </DIV>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997991">
-</A>
+ </A>
 5.2.14	<CODE CLASS="Program-Process">
 server</CODE>
  Statement Definition and Usage</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997992">
-</A>
+ </A>
 The server statement defines the characteristics to be associated with a remote nameserver.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997993">
-</A>
+ </A>
 If you discover that a remote server is giving out bad data, marking it as bogus will prevent further queries to it. The default value of <CODE CLASS="Program-Process">
 bogus</CODE>
  is <CODE CLASS="Program-Process">
@@ -3446,7 +3628,7 @@ bogus</CODE>
 </P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997994">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 provide-ixfr</CODE>
  clause determines whether the local server, acting as master, will respond with an incremental zone transfer when the given remote server, a slave, requests it. If set to <CODE CLASS="Program-Process">
@@ -3458,7 +3640,7 @@ provide-ixfr </CODE>
 option in the global options block is used as a default.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=1023455">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 request-ixfr</CODE>
  clause determines whether the local server, acting as a slave, will request incremental zone transfers from the given remote server, a master. If not set, the value of the <CODE CLASS="Program-Process">
@@ -3466,7 +3648,7 @@ request-ixfr</CODE>
  option in the global options block is used as a default.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=1023490">
-</A>
+ </A>
 IXFR requests to servers that do not support IXFR will automatically fall back to AXFR.  Therefore, there is no need to manually list which servers support IXFR and which ones do not; the global default of <CODE CLASS="Program-Process">
 yes</CODE>
  should always work. The purpose of the <CODE CLASS="Program-Process">
@@ -3476,14 +3658,14 @@ request-ixfr</CODE>
  clauses is to make it possible to disable the use of IXFR even when both master and slave claim to support it, for example if one of the servers is buggy and crashes or corrupts data when IXFR is used.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=1023509">
-</A>
+ </A>
 The server supports two zone transfer methods. The first, <CODE CLASS="Program-Process">
 one-answer</CODE>
 , uses one DNS message per resource record transferred. <CODE CLASS="Program-Process">
 many-answers</CODE>
  packs as many resource records as possible into a message. <CODE CLASS="Program-Process">
 many-answers</CODE>
- is more efficient, but is only known to be understood by BIND 9, BIND 8.x, and patched versions of BIND 4.9.5. You can specify which method to use for a server with the <CODE CLASS="Program-Process">
+ is more efficient, but is only known to be understood by BINDv9, BIND 8.x, and patched versions of BIND 4.9.5. You can specify which method to use for a server with the <CODE CLASS="Program-Process">
 transfer-format </CODE>
 option. If <CODE CLASS="Program-Process">
 transfer-format </CODE>
@@ -3494,13 +3676,13 @@ options</CODE>
  statement will be used.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997995">
-</A>
+ </A>
 <CODE CLASS="Program-Process">
 transfers</CODE>
  is used to limit the number of concurrent in-bound zone transfers from the specified server.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997996">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 keys</CODE>
  clause is used to identify a <CODE CLASS="Program-Process">
@@ -3514,7 +3696,7 @@ server</CODE>
  statement that references it. When a request is sent to the remote server, a request signature will be generated using the key specified here and appended to the message. A request originating from the remote server is not required to be signed by this key.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=1023566">
-</A>
+ </A>
 Although the grammar of the <CODE CLASS="Program-Process">
 keys</CODE>
  clause allows for multiple keys, only a single key per server is currently supported.</P>
@@ -3523,129 +3705,222 @@ keys</CODE>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997997">
-</A>
+ </A>
 5.2.15	<CODE CLASS="Program-Process">
 trusted-keys</CODE>
  Statement Grammar</H4>
 </OL>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=997998"></A>
-trusted-keys {
-    <EM CLASS="variable">string number number number string</EM> ;
-      [<EM CLASS="variable">string number number number string</EM> ; [...]]
-};</PRE>
+ 
+<PRE>
+<CODE>trusted-keys {
+    <VAR>string number number number string</VAR> ;
+    [ <VAR>string number number number string</VAR> ; [...]]
+};
+</CODE>
+</PRE>
 </DIV>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=998002">
-</A>
+ </A>
 5.2.16	<CODE CLASS="Program-Process">
 trusted-keys</CODE>
  Statement Definition and Usage</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998003">
-</A>
-The trusted-keys statement is for use with DNSSEC-style security, originally specified in RFC 2065. DNSSEC is meant to provide three distinct services: key distribution, data origin authentication, and transaction and request authentication. A complete description of DNSSEC and its use is beyond the scope of this document, and readers interested in more information should start with RFC 2065 and then continue with the relevant <EM CLASS="Optional-meta-syntax">
-Internet Drafts</EM>
- (IDs) documents. A list of the Internet Drafts pertaining to DNSSEC can be found in <A HREF="BV9ARM.8.html#" CLASS="XRef">
+ </A>
+The trusted-keys statement is for use with DNSSEC-style security, originally specified in RFC 2065. DNSSEC is meant to provide three distinct services: key distribution, data origin authentication, and transaction and request authentication. A complete description of DNSSEC and its use is beyond the scope of this document, and readers interested in more information should start with RFC 2065 and then continue with the relevant <EM CLASS="Emphasis">
+Internet Drafts </EM>
+(IDs) documents. A list of the IDs pertaining to DNSSEC can be found in <A HREF="Bv9ARM.7.html#" CLASS="XRef">
 Internet Drafts</A>
- in Appendix C of this document. (Their filenames begin with &quot;draft-ietf-dnssec.&quot;). IDs are RFCs in their preliminary stages of development--they are the working drafts of IETF working groups--and can be obtained via anonymous <CODE CLASS="Program-Process">
-FTP</CODE>
- from<BR>
+  in Appendix C of this document. (Their filenames begin with &quot;<EM CLASS="pathname">
+draft-ietf-dnssec</EM>
+.&quot;). IDs are RFCs in the preliminary stages of development--they are the working drafts of IETF working groups--and can be obtained via anonymous FTP from<BR>
 <EM CLASS="URL">
 ftp://www.isi.edu/internet-drafts/ or ftp://www.ietf.org/rfcs/</EM>
 . </P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998007">
-</A>
+ </A>
 Each trusted key is associated with a domain name. Its attributes are the non-negative integral flags, protocol, and algorithm, as well as a base-64 encoded string representing the key.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998008">
-</A>
+ </A>
 A trusted key is added when a public key for a non-authoritative zone is known, but cannot be securely obtained through DNS. This occurs when a signed zone is a child of an unsigned zone. Adding the trusted key here allows data signed by that zone to be considered secure.</P>
 </DIV>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=998162">
-</A>
+ </A>
 5.2.17	<CODE CLASS="Program-Process">
 view</CODE>
  Statement Grammar</H4>
 </OL>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=998163"></A>
-view &quot;name&quot; {
-      <EM CLASS="Optional-meta-syntax">... </EM>
-      <EM CLASS="Optional-meta-syntax"> [</EM><EM CLASS="variable">zone_statement</EM; <EM CLASS="Optional-meta-syntax">[</EM><EM CLASS="variable">zone_statement</EM>; <EM CLASS="Optional-meta-syntax">[....]]</EM>
-};</PRE>
+<PRE>
+<CODE> 
+view <VAR>view name</VAR> {
+      match_clients { <VAR>address_match_list</VAR> } ;
+      [view_option; ...]
+     [zone_statement; ...]]
+};
+</CODE>
+</PRE>
 </DIV>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
-<A NAME="pgfId=998166">
-</A>
+<A NAME="pgfId=1038533">
+ </A>
 5.2.18	<CODE CLASS="Program-Process">
 view</CODE>
  Statement Definition and Usage</H4>
 </OL>
 <P CLASS="3LevelContinued">
-<A NAME="pgfId=998167">
-</A>
-<CODE CLASS="Program-Process">
+<A NAME="pgfId=1038546">
+ </A>
+The <CODE CLASS="Program-Process">
 view</CODE>
- statements are used to provide a different view of the same namespace to different clients.  <EM CLASS="Emphasis">
-They are not yet fully implemented.</EM>
-<CODE CLASS="Program-Process">
-</CODE>
-<A NAME="25091">
-</A>
-</P>
+ statement is a powerful new feature of BINDv9 that lets a name server answer a DNS query differently depending on who is asking. It is particularly useful for implementing split DNS setups without having to run multiple servers.</P>
+<P CLASS="3LevelContinued">
+<A NAME="pgfId=1038875">
+ </A>
+Each <CODE CLASS="Program-Process">
+view</CODE>
+ statement defines a view of the DNS namespace that will be seen by those clients whose IP addresses match the <CODE CLASS="Program-Process">
+address_match_list</CODE>
+ of the view's <CODE CLASS="Program-Process">
+match-clients</CODE>
+ clause.  The order of the <CODE CLASS="Program-Process">
+view</CODE>
+ statements is significant--a client query will be resolved in the context of the first <CODE CLASS="Program-Process">
+view</CODE>
+ whose <CODE CLASS="Program-Process">
+match-clients </CODE>
+list matches the client's IP address.</P>
+<P CLASS="3LevelContinued">
+<A NAME="pgfId=1038605">
+ </A>
+Zones defined within a <CODE CLASS="Program-Process">
+view</CODE>
+ statement will be only be accessible to clients that match the <CODE CLASS="Program-Process">
+view</CODE>
+.  By defining a zone of the same name in multiple views, different zone data can be given to different clients, e.g. &quot;internal&quot; and &quot;external&quot; clients in a split DNS setup.</P>
+<P CLASS="3LevelContinued">
+<A NAME="pgfId=1038606">
+ </A>
+Many of the options given in the <CODE CLASS="Program-Process">
+options</CODE>
+ statement can also be used within a <CODE CLASS="Program-Process">
+view</CODE>
+ statement, and then apply only when resolving queries with that view.  When no a view-specific value is given, the value in the <CODE CLASS="Program-Process">
+options</CODE>
+ statement is used as a default.  Also, zone options can have default values specified in the <CODE CLASS="Program-Process">
+view</CODE>
+ statement; these view-specific defaults take precedence over those in the <CODE CLASS="Program-Process">
+options</CODE>
+ statement. </P>
+<P CLASS="3LevelContinued">
+<A NAME="pgfId=1038571">
+ </A>
+Views are class specific.  If no class is given, class IN is assumed.</P>
+<P CLASS="3LevelContinued">
+<A NAME="pgfId=1038607">
+ </A>
+If there are no <CODE CLASS="Program-Process">
+view</CODE>
+ statements in the config file, a default view that matches any client is automatically created in class IN, and any <CODE CLASS="Program-Process">
+zone</CODE>
+ statements specified on the top level of the configuration file are considered to be part of this default view.  If any explicit <CODE CLASS="Program-Process">
+view</CODE>
+ statements are present, all <CODE CLASS="Program-Process">
+zone</CODE>
+ statements must occur inside <CODE CLASS="Program-Process">
+view</CODE>
+ statements.</P>
+<P CLASS="3LevelContinued">
+<A NAME="pgfId=1038608">
+ </A>
+Here is an example of a typical split DNS setup implemented using <CODE CLASS="Program-Process">
+view</CODE>
+ statements.</P>
+ 
+<PRE>
+<CODE>
+view &quot;internal&quot; {               // This should match our internal networks.
+      match-clients { 10.0.0.0/8; };      // Provide recursive service to internal clients only.
+      recursion yes;
+                         // Provide a complete view of the example.com zone
+                         // including addresses of internal hosts.
+      zone &quot;e<EM>xample.com</EM>&quot; {
+            type <VAR>master</VAR>;
+            file &quot;<EM>example-internal.db</EM>&quot;;
+      };
+};
+ 
+view &quot;external&quot; {
+      match-clients { <VAR>any</VAR>; };
+                          // Refuse recursive service to external clients.
+      recursion no;
+                         // Provide a restricted view of the example.com zone
+                         // containing only publicly accessible hosts.
+      zone &quot;<EM>example.com</EM>&quot; {
+           type <VAR>master</VAR>;
+           file &quot;<EM>example-external.db</EM>&quot;;
+      };
+};</CODE>
+</PRE>
+
 </DIV>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
-<A NAME="pgfId=998170">
-</A>
+<A NAME="pgfId=1038536">
+ </A>
 5.2.19	<CODE CLASS="Program-Process">
 zone</CODE>
 <A NAME="20328">
-</A>
+ </A>
  Statement Grammar</H4>
 </OL>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=998171"></A>
-zone <EM CLASS="variable"> string</EM> <EM CLASS="Optional-meta-syntax">[</EM><EM CLASS="variable">class</EM><EM CLASS="Optional-meta-syntax">] [</EM>{ 
-    type <EM CLASS="Optional-meta-syntax">(</EM> master<EM CLASS="Optional-meta-syntax">|</EM>slave<EM CLASS="Optional-meta-syntax">|</EM>hint<EM CLASS="Optional-meta-syntax">|</EM>stub<EM CLASS="Optional-meta-syntax">|</EM>forward<EM CLASS="Optional-meta-syntax">)</EM> ;
-   <EM CLASS="Optional-meta-syntax">[</EM> allow-query { <EM CLASS="variable">address_match_list</EM> } ;<EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> allow-transfer { <EM CLASS="variable">address_match_list</EM> } ;<EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> allow-update { <EM CLASS="variable">address_match_list</EM> } ; <EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> update-policy { <EM CLASS="variable">update_policy_rule </EM><EM CLASS="Optional-meta-syntax">[...]</EM> } ; <EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> allow-update-forwarding { <EM CLASS="variable">address_match_list</EM> } ; <EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> also-notify { <EM CLASS="Optional-meta-syntax">[</EM> <EM CLASS="variable">ip_addr</EM> ; <EM CLASS="Optional-meta-syntax">[</EM>   <EM CLASS="variable">ip_addr</EM> ; <EM CLASS="Optional-meta-syntax">[...]]]</EM> } ; <EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> check-names <EM CLASS="Optional-meta-syntax">(</EM>warn<EM CLASS="Optional-meta-syntax">|</EM>fail<EM CLASS="Optional-meta-syntax">|</EM>ignore<EM CLASS="Optional-meta-syntax">)</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> dialup <EM CLASS="variable">true_or_false</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> file <EM CLASS="variable">string</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> forward <EM CLASS="Optional-meta-syntax">(</EM>only<EM CLASS="Optional-meta-syntax">|</EM>first<EM CLASS="Optional-meta-syntax">)</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> forwarders { <EM CLASS="Optional-meta-syntax">[</EM> <EM CLASS="variable">ip_addr</EM> ; <EM CLASS="Optional-meta-syntax">[</EM> <EM CLASS="variable">ip_addr</EM> ; <EM CLASS="Optional-meta-syntax">[...]]]</EM> } ; <EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> ixfr-base <EM CLASS="variable">string</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> ixfr-tmp-file <EM CLASS="variable">string</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> maintain-ixfr-base <EM CLASS="variable">true_or_false</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> masters <EM CLASS="Optional-meta-syntax">[</EM>port <EM CLASS="variable">number</EM><EM CLASS="Optional-meta-syntax">]</EM> { <EM CLASS="variable">ip_addr</EM> ; <EM CLASS="Optional-meta-syntax">[</EM><EM CLASS="variable">ip_addr</EM> ; <EM CLASS="Optional-meta-syntax">[...]]</EM> } ; <EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> max-ixfr-log-size <EM CLASS="variable">number</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> max-transfer-idle-in <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> max-transfer-idle-out <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> max-transfer-time-in <EM CLASS="variable">number</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> max-transfer-time-out <EM CLASS="variable">number</EM>; <EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> notify <EM CLASS="variable">true_or_false</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> pubkey <EM CLASS="variable">number number number</EM> <EM CLASS="variable">string</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>
-   <EM CLASS="Optional-meta-syntax">[</EM> transfer-source <EM CLASS="Optional-meta-syntax">(</EM><EM CLASS="variable">ip_addr</EM> <EM CLASS="Optional-meta-syntax">|</EM> *<EM CLASS="Optional-meta-syntax">)</EM> ; <EM CLASS="Optional-meta-syntax">]</EM>}<EM CLASS="Optional-meta-syntax">]</EM>
-;</PRE>
+ 
+<PRE>
+<CODE>
+zone <VAR>zone name</VAR> [<VAR>class</VAR>] [{ 
+    type ( master|slave|hint|stub|forward ) ;
+    [ allow-query { <VAR>address_match_list</VAR> } ; ]
+    [ allow-transfer { <VAR>address_match_list</VAR> } ; ]
+    [ allow-update { <VAR>address_match_list</VAR> } ; ]
+    [ update-policy { <VAR>update_policy_rule</VAR> [...] } ; ]
+    [ allow-update-forwarding { <VAR>address_match_list</VAR> } ; ]
+    [ also-notify { [ <VAR>ip_addr</VAR> ; [<VAR>ip_addr</VAR> ; [...]]] } ; ]
+    [ check-names (warn|fail|ignore) ; ]
+    [ dialup <VAR>true_or_false</VAR> ; ]
+    [ file <VAR>string</VAR> ; ]
+    [ forward (only|first) ; ]
+    [ forwarders { [ <VAR>ip_addr</VAR> ; [ <VAR>ip_addr</VAR> ; [...]]] } ; ]
+    [ ixfr-base <VAR>string</VAR> ; ]
+    [ ixfr-tmp-file <VAR>string</VAR> ; ]
+    [ maintain-ixfr-base <VAR>true_or_false</VAR> ; ]
+    [ masters [port number] { <VAR>ip_addr</VAR> ; [<VAR>ip_addr</VAR> ; [...]] } ; ]
+    [ max-ixfr-log-size <VAR>number</VAR> ; ]
+    [ max-transfer-idle-in <VAR>number</VAR> ; ]
+    [ max-transfer-idle-out <VAR>number</VAR> ; ]
+    [ max-transfer-time-in <VAR>number</VAR> ; ]
+    [ max-transfer-time-out <VAR>number</VAR> ; ]
+    [ notify <VAR>true_or_false</VAR> ; ]
+    [ pubkey <VAR>number</VAR> <VAR>number</VAR> <VAR>number</VAR> <VAR>string</VAR> ; ]
+    [ transfer-source (<VAR>ip_addr</VAR> | *) ; ]
+}];</CODE>
+</PRE>
 </DIV>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=998197">
-</A>
+ </A>
 5.2.20	<CODE CLASS="Program-Process">
 zone</CODE>
  Statement Definition and Usage</H4>
@@ -3654,38 +3929,38 @@ zone</CODE>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=998221">
-</A>
+ </A>
 5.2.20.1	Zone Types</H5>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=998200">
-</A>
-<CODE CLASS="Program-Process">
-master</CODE>
-</H6>
+ </A>
+<EM CLASS="Emphasis">
+master</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998202">
-</A>
+ </A>
 The server has a master copy of the data for the zone and will be able to provide authoritative answers for it.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=998204">
-</A>
-<CODE CLASS="Program-Process">
-slave</CODE>
-</H6>
+ </A>
+<EM CLASS="Emphasis">
+slave</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998206">
-</A>
+ </A>
 A slave zone is a replica of a master zone. The masters list specifies one or more IP addresses that the slave contacts to update its copy of the zone. If a port is specified, the slave then checks to see if the zone is current and zone transfers will be done to the port given. If a file is specified, then the replica will be written to this file whenever the zone is changed, and reloaded from this file on a server restart. Use of a file is recommended, since it often speeds server start-up and eliminates a needless waste of bandwidth. Note that for large numbers (in the tens or hundreds of thousands) of zones per server, it is best to use a two level naming scheme for zone file names. For example, a slave server for the zone <EM CLASS="Optional-meta-syntax">
 example.com</EM>
  might place the zone contents into a file called<BR>
@@ -3698,33 +3973,33 @@ ex/</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=998208">
-</A>
-<CODE CLASS="Program-Process">
-stub</CODE>
-</H6>
+ </A>
+<EM CLASS="Emphasis">
+stub</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998210">
-</A>
+ </A>
 A stub zone is like a slave zone, except that it replicates only the NS records of a master zone instead of the entire zone.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=998212">
-</A>
-<CODE CLASS="Program-Process">
-forward</CODE>
-</H6>
+ </A>
+<EM CLASS="Emphasis">
+forward</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998214">
-</A>
+ </A>
 A &quot;forward zone&quot; is a way to configure forwarding on a per-domain basis.  A <CODE CLASS="Program-Process">
 zone</CODE>
  statement of type <CODE CLASS="Program-Process">
@@ -3741,22 +4016,22 @@ forwarders</CODE>
 options</CODE>
  statement. Thus if you want to use this type of zone to change the behavior of the global <CODE CLASS="Program-Process">
 forward</CODE>
- option (i.e., &quot;forward first to, &quot; then &quot;forward only,&quot; or vice versa, but want to use the same servers as set globally) you need to respecify the global forwarders.</P>
+ option (i.e., &quot;forward first to&quot;, then &quot;forward only&quot;, or vice versa, but want to use the same servers as set globally) you need to respecify the global forwarders.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=998218">
-</A>
-<CODE CLASS="Program-Process">
-hint</CODE>
-</H6>
+ </A>
+<EM CLASS="Emphasis">
+hint</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998220">
-</A>
+ </A>
 The initial set of root nameservers is specified using a &quot;hint zone&quot;. When the server starts up, it uses the root hints to find a root nameserver and get the most recent list of root nameservers.</P>
 </TD>
 </TR>
@@ -3767,12 +4042,12 @@ The initial set of root nameservers is specified using a &quot;hint zone&quot;.
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=998222">
-</A>
+ </A>
 5.2.20.2	Class</H5>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998223">
-</A>
+ </A>
 The zone's name may optionally be followed by a class. If a class is not specified, class <CODE CLASS="Program-Process">
 in</CODE>
  (for <EM CLASS="Optional-meta-syntax">
@@ -3780,16 +4055,16 @@ internet</EM>
 ), is assumed. This is correct for the vast majority of cases.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998224">
-</A>
+ </A>
 The <EM CLASS="Optional-meta-syntax">
 hesiod </EM>
-class is for an information service from MIT's Project Athena. It is used to share information about various systems databases, such as users, groups, printers and so on. The keyword <CODE CLASS="Program-Process">
+class is named for an information service from MIT's Project Athena. It is used to share information about various systems databases, such as users, groups, printers and so on. The keyword <CODE CLASS="Program-Process">
 hs</CODE>
  is a synonym for hesiod.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=1024705">
-</A>
-Another MIT development was CHAOSnet, a LAN protocol created in the mid-1970s. Zone data for it can be specified with the <CODE CLASS="Program-Process">
+ </A>
+Another MIT development is CHAOSnet, a LAN protocol created in the mid-1970s. Zone data for it can be specified with the <CODE CLASS="Program-Process">
 chaos</CODE>
  class.</P>
 </DIV>
@@ -3797,92 +4072,94 @@ chaos</CODE>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=1024807">
-</A>
+ </A>
 5.2.20.3	Zone Options</H5>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1024708">
-</A>
+<P CLASS="CellBody">
+<A NAME="pgfId=1031068">
+ </A>
 <CODE CLASS="Program-Process">
 allow-query</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=1024710">
-</A>
+<A NAME="pgfId=1031070">
+ </A>
 See the description of <CODE CLASS="Program-Process">
 allow-query</CODE>
- under <A HREF="BV9ARM.5.html#40536" CLASS="XRef">
+ under <A HREF="Bv9ARM.5.html#40536" CLASS="XRef">
 Access Control</A>
 .</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1024715">
-</A>
+<P CLASS="CellBody">
+<A NAME="pgfId=1031075">
+ </A>
 <CODE CLASS="Program-Process">
 allow-transfer</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=1024717">
-</A>
+<A NAME="pgfId=1031077">
+ </A>
 See the description of <CODE CLASS="Program-Process">
 allow-transfer</CODE>
- under <A HREF="BV9ARM.5.html#40536" CLASS="XRef">
+ under <A HREF="Bv9ARM.5.html#40536" CLASS="XRef">
 Access Control</A>
 .</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1024722">
-</A>
+<P CLASS="CellBody">
+<A NAME="pgfId=1031082">
+ </A>
 <CODE CLASS="Program-Process">
 allow-update</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=1024724">
-</A>
+<A NAME="pgfId=1031084">
+ </A>
 Specifies which hosts are allowed to submit Dynamic DNS updates for master zones. The default is to deny updates from all hosts.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1024726">
-</A>
-update-policy</H6>
+<P CLASS="CellBody">
+<A NAME="pgfId=1031086">
+ </A>
+<CODE CLASS="Program-Process">
+update-policy</CODE>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=1024728">
-</A>
+<A NAME="pgfId=1031088">
+ </A>
 Specifies a &quot;Simple Secure Update&quot; policy. See description below.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1024730">
-</A>
+<P CLASS="CellBody">
+<A NAME="pgfId=1031090">
+ </A>
 <CODE CLASS="Program-Process">
 allow-update-forwarding</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=1024732">
-</A>
+<A NAME="pgfId=1031092">
+ </A>
 Specifies which hosts are allowed to submit Dynamic DNS updates to slave zones to be forwarded to the master. The default is to deny update forwarding from all hosts. <EM CLASS="Emphasis">
 Update forwarding is not yet implemented.</EM>
 </P>
@@ -3890,17 +4167,17 @@ Update forwarding is not yet implemented.</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1024734">
-</A>
+<P CLASS="CellBody">
+<A NAME="pgfId=1031094">
+ </A>
 <CODE CLASS="Program-Process">
 also-notify</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=1024736">
-</A>
+<A NAME="pgfId=1031096">
+ </A>
 Only meaningful if <CODE CLASS="Program-Process">
 notify</CODE>
  is active for this zone. The set of machines that will receive a <EM CLASS="Optional-meta-syntax">
@@ -3918,18 +4195,18 @@ Not yet implemented in BINDv9.</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1024738">
-</A>
+<P CLASS="CellBody">
+<A NAME="pgfId=1031098">
+ </A>
 <CODE CLASS="Program-Process">
 check-names</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=1024743">
-</A>
-See <A HREF="BV9ARM.5.html#30910" CLASS="XRef">
+<A NAME="pgfId=1031103">
+ </A>
+See <A HREF="Bv9ARM.5.html#30910" CLASS="XRef">
 Name Checking</A>
 .<BR>
 <EM CLASS="Emphasis">
@@ -3939,20 +4216,20 @@ Not yet implemented in BINDv9.</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1024745">
-</A>
+<P CLASS="CellBody">
+<A NAME="pgfId=1031105">
+ </A>
 <CODE CLASS="Program-Process">
 dialup</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=1024749">
-</A>
+<A NAME="pgfId=1031107">
+ </A>
 See the description of <CODE CLASS="Program-Process">
 dialup</CODE>
- under <A HREF="BV9ARM.5.html#12205" CLASS="XRef">
+ under <A HREF="Bv9ARM.5.html#12205" CLASS="XRef">
 Boolean Options</A>
 .<BR>
 <EM CLASS="Emphasis">
@@ -3962,17 +4239,17 @@ Not yet implemented in BINDv9.</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1024752">
-</A>
+<P CLASS="CellBody">
+<A NAME="pgfId=1031112">
+ </A>
 <CODE CLASS="Program-Process">
 forward</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=1024754">
-</A>
+<A NAME="pgfId=1031114">
+ </A>
 Only meaningful if the zone has a forwarders list. The <CODE CLASS="Program-Process">
 only</CODE>
  value causes the lookup to fail after trying the forwarders and getting no answer, while <CODE CLASS="Program-Process">
@@ -3985,23 +4262,23 @@ Not yet implemented in BINDv9.</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1024756">
-</A>
+<P CLASS="CellBody">
+<A NAME="pgfId=1031116">
+ </A>
 <CODE CLASS="Program-Process">
 forwarders</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=1024758">
-</A>
+<A NAME="pgfId=1031118">
+ </A>
 Used to override the list of global forwarders. If it is not specified in a zone of type <CODE CLASS="Program-Process">
 forward</CODE>
 , no forwarding is done for the zone; the global options are not used.</P>
 <P CLASS="CellBody">
-<A NAME="pgfId=1024759">
-</A>
+<A NAME="pgfId=1031119">
+ </A>
 <EM CLASS="Emphasis">
 Not yet implemented in BINDv9.</EM>
 </P>
@@ -4009,149 +4286,153 @@ Not yet implemented in BINDv9.</EM>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1024761">
-</A>
+<P CLASS="CellBody">
+<A NAME="pgfId=1031121">
+ </A>
 <CODE CLASS="Program-Process">
 ixfr-base</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=1024763">
-</A>
+<A NAME="pgfId=1031123">
+ </A>
 Specifies the file name for the transaction log file used for dynamic update and IXFR.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1024765">
-</A>
+<P CLASS="CellBody">
+<A NAME="pgfId=1031125">
+ </A>
 <CODE CLASS="Program-Process">
 max-transfer-time-in</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=1024767">
-</A>
-See the description of <CODE CLASS="Program-Process">
+<A NAME="pgfId=1031127">
+ </A>
+See the description of<BR>
+<CODE CLASS="Program-Process">
 max-transfer-time-in</CODE>
- under <A HREF="BV9ARM.5.html#32057" CLASS="XRef">
+ under <A HREF="Bv9ARM.5.html#32057" CLASS="XRef">
 Zone Transfers</A>
 .</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1024772">
-</A>
+<P CLASS="CellBody">
+<A NAME="pgfId=1031132">
+ </A>
 <CODE CLASS="Program-Process">
 max-transfer-idle-in</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=1024774">
-</A>
-See the description of <CODE CLASS="Program-Process">
+<A NAME="pgfId=1031134">
+ </A>
+See the description of<BR>
+<CODE CLASS="Program-Process">
 max-transfer-idle-in</CODE>
- under <A HREF="BV9ARM.5.html#32057" CLASS="XRef">
+ under <A HREF="Bv9ARM.5.html#32057" CLASS="XRef">
 Zone Transfers</A>
 .</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1024779">
-</A>
+<P CLASS="CellBody">
+<A NAME="pgfId=1031139">
+ </A>
 <CODE CLASS="Program-Process">
 max-transfer-time-out</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=1024781">
-</A>
-See the description of <CODE CLASS="Program-Process">
+<A NAME="pgfId=1031141">
+ </A>
+See the description of<BR>
+<CODE CLASS="Program-Process">
 max-transfer-time-outn</CODE>
- under <A HREF="BV9ARM.5.html#32057" CLASS="XRef">
+ under <A HREF="Bv9ARM.5.html#32057" CLASS="XRef">
 Zone Transfers</A>
 .</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1024786">
-</A>
+<P CLASS="CellBody">
+<A NAME="pgfId=1031146">
+ </A>
 <CODE CLASS="Program-Process">
 max-transfer-idle-out</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=1024788">
-</A>
-See the description of <CODE CLASS="Program-Process">
+<A NAME="pgfId=1031148">
+ </A>
+See the description of<BR>
+<CODE CLASS="Program-Process">
 max-transfer-idle-out</CODE>
- under <A HREF="BV9ARM.5.html#32057" CLASS="XRef">
+ under <A HREF="Bv9ARM.5.html#32057" CLASS="XRef">
 Zone Transfers</A>
 .</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1024793">
-</A>
+<P CLASS="CellBody">
+<A NAME="pgfId=1031153">
+ </A>
 <CODE CLASS="Program-Process">
 notify</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=1024797">
-</A>
+<A NAME="pgfId=1031155">
+ </A>
 See the description of <CODE CLASS="Program-Process">
 notify</CODE>
- under <A HREF="BV9ARM.5.html#12205" CLASS="XRef">
+ under <A HREF="Bv9ARM.5.html#12205" CLASS="XRef">
 Boolean Options</A>
 .</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1024800">
-</A>
+<P CLASS="CellBody">
+<A NAME="pgfId=1031160">
+ </A>
 <CODE CLASS="Program-Process">
 pubkey</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=1024802">
-</A>
+<A NAME="pgfId=1031162">
+ </A>
 Represents a public key for this zone. It is needed when this is the top level authoritative zone served by this server and there is no chain of trust to a trusted key. It is considered secure, so that data that it signs will be considered secure. The DNSSEC flags, protocol, and algorithm are specified, as well as a base-64 encoded string representing the key.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1024804">
-</A>
+<P CLASS="CellBody">
+<A NAME="pgfId=1031164">
+ </A>
 <CODE CLASS="Program-Process">
 transfer-source</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=1024806">
-</A>
+<A NAME="pgfId=1031166">
+ </A>
 Determines which local address will be bound to the TCP connection used to fetch this zone. If not set, it defaults to a system controlled value which will usually be the address of the interface <EM CLASS="Optional-meta-syntax">
 closest to</EM>
  the remote end. This address must appear in the remote end's <CODE CLASS="Program-Process">
@@ -4166,12 +4447,12 @@ allow-transfer</CODE>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=1024815">
-</A>
+ </A>
 5.2.20.4	Dynamic Update Policies</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1025001">
-</A>
+ </A>
 BINDv9 supports two alternative methods of granting clients the right to perform dynamic updates to a zone, configured by the <CODE CLASS="Program-Process">
 allow-update</CODE>
  and <CODE CLASS="Program-Process">
@@ -4179,19 +4460,19 @@ update-policy</CODE>
  option, respectively.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1024859">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 allow-update</CODE>
  clause works the same way as in previous versions of BIND. It grants given clients the permission to update any record of any name in the zone.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1024862">
-</A>
+ </A>
 The <CODE CLASS="Program-Process">
 update-policy</CODE>
  clause is new in BINDv9 and allows more fine-grained control over what updates are allowed. A set of rules is specified, where each rule either grants or denies permissions for one or more names to be updated by one or more identities.  If the dynamic update request message is signed (that is, it includes either a TSIG or SIG(0) record), the identity of the signer can be determined.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1024826">
-</A>
+ </A>
 Rules are specified in the <CODE CLASS="Program-Process">
 update-policy</CODE>
  zone option, and are only meaninful for master zones.  When the <CODE CLASS="Program-Process">
@@ -4203,45 +4484,20 @@ update-policy</CODE>
  statement only examines the signer of a message; the source address is not relevant.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1024827">
-</A>
-A rule defition looks like:</P>
-<P CLASS="4LevelContinued">
-<A NAME="pgfId=1024828">
-</A>
-(<EM CLASS="Optional-meta-syntax">
- </EM>
-<CODE CLASS="Program-Process">
-grant</CODE>
-<EM CLASS="Optional-meta-syntax">
- | </EM>
-<CODE CLASS="Program-Process">
-deny</CODE>
-<EM CLASS="Optional-meta-syntax">
- ) </EM>
-<EM CLASS="variable">
-identity</EM>
-<EM CLASS="Optional-meta-syntax">
- </EM>
-<EM CLASS="variable">
-nametype</EM>
-<EM CLASS="Optional-meta-syntax">
- </EM>
-<EM CLASS="variable">
-name</EM>
-<EM CLASS="Optional-meta-syntax">
- [ </EM>
-<EM CLASS="variable">
-types</EM>
-<EM CLASS="Optional-meta-syntax">
- ]</EM>
-</P>
+ </A>
+A rule definition looks like:</P>
+ 
+<PRE>
+<CODE>( grant | deny ) identity nametype nam [ types ]
+</CODE>
+</PRE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1024829">
-</A>
+ </A>
 Each rule grants or denies privileges.  Once a messages has successfully matched a rule, the operation is immediately granted or denied - no further rules are examined.  A rule is matched when the signer matches the identity field, the name matches the name field, and the type is specified in the type field.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1024969">
-</A>
+ </A>
 The identity field specifies a name or a wildcard name.  The nametype field has 4 values: <EM CLASS="Emphasis">
 name</EM>
 , <EM CLASS="Emphasis">
@@ -4254,65 +4510,73 @@ self</EM>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody1">
+<P CLASS="CellBody">
 <A NAME="pgfId=1024972">
-</A>
-name</P>
+ </A>
+<EM CLASS="variable">
+name</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1024974">
-</A>
+ </A>
 Matches when the updated name is the same as the name in the name field.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody1">
+<P CLASS="CellBody">
 <A NAME="pgfId=1024976">
-</A>
-subdomain</P>
+ </A>
+<EM CLASS="variable">
+subdomain</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1024978">
-</A>
+ </A>
 Matches when the updated name is a subdomain of the name in the name field.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody1">
+<P CLASS="CellBody">
 <A NAME="pgfId=1024980">
-</A>
-wildcard</P>
+ </A>
+<EM CLASS="variable">
+wildcard</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1024982">
-</A>
+ </A>
 Matches when the updated name is a valid expansion of the wildcard name in the name field.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<P CLASS="CellBody1">
+<P CLASS="CellBody">
 <A NAME="pgfId=1024984">
-</A>
-self</P>
+ </A>
+<EM CLASS="variable">
+self</EM>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=1024986">
-</A>
+ </A>
 Matches when the updated name is the same as the message signer. The name field is ignored.</P>
 </TD>
 </TR>
 </TABLE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=1025025">
-</A>
-If no types are specified, the rule matches all types except SIG, NS, SOA, and NXT. Types may be specified by name, including &quot;any&quot; (which matches all types except NXT, which can never be updated).</P>
+ </A>
+If no types are specified, the rule matches all types except SIG, NS, SOA, and NXT. Types may be specified by name, including &quot;ANY&quot; (ANY matches all types except NXT, which can never be updated).</P>
 </DIV>
 </DIV>
 </DIV>
@@ -4320,53 +4584,53 @@ If no types are specified, the rule matches all types except SIG, NS, SOA, and N
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=1024987">
-</A>
+ </A>
 5.3	 Zone File</H3>
 </OL>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=1024701">
-</A>
+ </A>
 5.3.1	<A NAME="29114">
-</A>
+ </A>
 Types of Resource Records and When to Use Them</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=1024991">
-</A>
+ </A>
 This section, largely borrowed from RFC 1034, describes the concept of a Resource Record (RR) and explains when each is used. Since the publication of RFC 1034, several new RRs have been identified and implemented in the DNS. These are also included.</P>
 <DIV>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=998303">
-</A>
+ </A>
 5.3.1.1	Resource Records</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=998304">
-</A>
-A domain name identifies a node.  Each node has a set of resource information, which may be empty.  The set of resource information associated with a particular name is composed of separate RRs.  The order of RRs in a set is not significant and need not be preserved by nameservers, resolvers, or other parts of the DNS. However, sorting of multiple RRs is permitted for optimization purposes, for example, to specify that a particular nearby server be tried first. See <A HREF="BV9ARM.5.html#39491" CLASS="XRef">
+ </A>
+A domain name identifies a node.  Each node has a set of resource information, which may be empty.  The set of resource information associated with a particular name is composed of separate RRs.  The order of RRs in a set is not significant and need not be preserved by nameservers, resolvers, or other parts of the DNS. However, sorting of multiple RRs is permitted for optimization purposes, for example, to specify that a particular nearby server be tried first. See <A HREF="Bv9ARM.5.html#39491" CLASS="XRef">
 The sortlist Statement</A>
- and <A HREF="BV9ARM.5.html#22766" CLASS="XRef">
+ and <A HREF="Bv9ARM.5.html#22766" CLASS="XRef">
 RRset Ordering</A>
  for details.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=998332">
-</A>
+ </A>
 The components of a RR are</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998313">
-</A>
+ </A>
 owner name</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998315">
-</A>
+ </A>
 the domain name where the RR is found.</P>
 </TD>
 </TR>
@@ -4374,13 +4638,13 @@ the domain name where the RR is found.</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998317">
-</A>
+ </A>
 type</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998319">
-</A>
+ </A>
 an encoded 16 bit value that specifies the type of the resource in this resource record. Types refer to abstract resources.</P>
 </TD>
 </TR>
@@ -4388,13 +4652,13 @@ an encoded 16 bit value that specifies the type of the resource in this resource
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998321">
-</A>
+ </A>
 TTL</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998323">
-</A>
+ </A>
 the time to live of the RR. This field is a 32 bit integer in units of seconds, and is primarily used by resolvers when they cache RRs. The TTL describes how long a RR can be cached before it should be discarded.</P>
 </TD>
 </TR>
@@ -4402,13 +4666,13 @@ the time to live of the RR. This field is a 32 bit integer in units of seconds,
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998325">
-</A>
+ </A>
 class</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998327">
-</A>
+ </A>
 an encoded 16 bit value that identifies a protocol family or instance of a protocol.</P>
 </TD>
 </TR>
@@ -4416,20 +4680,20 @@ an encoded 16 bit value that identifies a protocol family or instance of a proto
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998329">
-</A>
+ </A>
 RDATA</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998331">
-</A>
+ </A>
 the type and sometimes class-dependent data that describes the resource.</P>
 </TD>
 </TR>
 </TABLE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=998333">
-</A>
+ </A>
 The following are <EM CLASS="Optional-meta-syntax">
 types</EM>
  of valid RRs (some of these listed, although not obsolete, are experimental (x) or historical (h) and no longer in general use):</P>
@@ -4438,13 +4702,13 @@ types</EM>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998336">
-</A>
+ </A>
 A</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998338">
-</A>
+ </A>
 a host address.</P>
 </TD>
 </TR>
@@ -4452,13 +4716,13 @@ a host address.</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998340">
-</A>
+ </A>
 A6</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998342">
-</A>
+ </A>
 an IPv6 address.</P>
 </TD>
 </TR>
@@ -4466,13 +4730,13 @@ an IPv6 address.</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998344">
-</A>
+ </A>
 AAAA</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998346">
-</A>
+ </A>
 Obsolete format of IPv6 address</P>
 </TD>
 </TR>
@@ -4480,13 +4744,13 @@ Obsolete format of IPv6 address</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998348">
-</A>
+ </A>
 AFSDB</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998350">
-</A>
+ </A>
 (x) location of AFS database servers. Experimental.</P>
 </TD>
 </TR>
@@ -4494,13 +4758,13 @@ AFSDB</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998352">
-</A>
+ </A>
 CNAME</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998354">
-</A>
+ </A>
 identifies the canonical name of an alias.</P>
 </TD>
 </TR>
@@ -4508,13 +4772,13 @@ identifies the canonical name of an alias.</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998356">
-</A>
+ </A>
 DNAME</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998358">
-</A>
+ </A>
 for delegation of reverse addresses. Replaces the domain name specified with another name to be looked up. Described in RFC 2672.</P>
 </TD>
 </TR>
@@ -4522,13 +4786,13 @@ for delegation of reverse addresses. Replaces the domain name specified with ano
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998360">
-</A>
+ </A>
 HINFO</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998362">
-</A>
+ </A>
 identifies the CPU and OS used by a host.</P>
 </TD>
 </TR>
@@ -4536,13 +4800,13 @@ identifies the CPU and OS used by a host.</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998364">
-</A>
+ </A>
 ISDN</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998366">
-</A>
+ </A>
 (x) representation of ISDN addresses. Experimental.</P>
 </TD>
 </TR>
@@ -4550,13 +4814,13 @@ ISDN</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998368">
-</A>
+ </A>
 KEY</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998370">
-</A>
+ </A>
 stores a public key associated with a DNS name.</P>
 </TD>
 </TR>
@@ -4564,13 +4828,13 @@ stores a public key associated with a DNS name.</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998372">
-</A>
+ </A>
 LOC</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998374">
-</A>
+ </A>
 (x) for storing GPS info. See RFC 1876. Experimental.</P>
 </TD>
 </TR>
@@ -4578,13 +4842,13 @@ LOC</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998376">
-</A>
+ </A>
 MX</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998378">
-</A>
+ </A>
 identifies a mail exchange for the domain.  See RFC 974 for details.</P>
 </TD>
 </TR>
@@ -4592,13 +4856,13 @@ identifies a mail exchange for the domain.  See RFC 974 for details.</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998380">
-</A>
+ </A>
 NS</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998382">
-</A>
+ </A>
 the authoritative nameserver for the domain.</P>
 </TD>
 </TR>
@@ -4606,13 +4870,13 @@ the authoritative nameserver for the domain.</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998384">
-</A>
+ </A>
 NXT</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998386">
-</A>
+ </A>
 used in DNSSEC to securely indicate that RRs with an owner name in a certain name interval do not exist in a zone and indicate what RR types are present for an existing name. See RFC 2535 for details.</P>
 </TD>
 </TR>
@@ -4620,13 +4884,13 @@ used in DNSSEC to securely indicate that RRs with an owner name in a certain nam
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998388">
-</A>
+ </A>
 PTR</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998390">
-</A>
+ </A>
 a pointer to another part of the domain name space.</P>
 </TD>
 </TR>
@@ -4634,13 +4898,13 @@ a pointer to another part of the domain name space.</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998392">
-</A>
+ </A>
 RP</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998394">
-</A>
+ </A>
 (x) information on persons responsible for the domain. Experimental.</P>
 </TD>
 </TR>
@@ -4648,13 +4912,13 @@ RP</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998396">
-</A>
+ </A>
 RT</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998398">
-</A>
+ </A>
 (x) route-through binding for hosts that do not have their own direct wide area network addresses. Experimental.</P>
 </TD>
 </TR>
@@ -4662,13 +4926,13 @@ RT</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998400">
-</A>
+ </A>
 SIG</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998402">
-</A>
+ </A>
 (&quot;signature&quot;) contains data authenticated in the secure DNS. See RFC 2535 for details.</P>
 </TD>
 </TR>
@@ -4676,13 +4940,13 @@ SIG</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998404">
-</A>
+ </A>
 SOA</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998406">
-</A>
+ </A>
 identifies the start of a zone of authority.</P>
 </TD>
 </TR>
@@ -4690,13 +4954,13 @@ identifies the start of a zone of authority.</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998408">
-</A>
+ </A>
 SRV</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998410">
-</A>
+ </A>
 information about well known network services (replaces WKS).</P>
 </TD>
 </TR>
@@ -4704,13 +4968,13 @@ information about well known network services (replaces WKS).</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998412">
-</A>
+ </A>
 WKS</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998414">
-</A>
+ </A>
 (h) information about which well known network services, such as SMTP, that a domain supports. Historical, replaced by newer RR SRV.</P>
 </TD>
 </TR>
@@ -4718,20 +4982,20 @@ WKS</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998416">
-</A>
+ </A>
 X25</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998418">
-</A>
+ </A>
 (x) representation of X.25 network addresses. Experimental.</P>
 </TD>
 </TR>
 </TABLE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=998431">
-</A>
+ </A>
 The following <EM CLASS="Optional-meta-syntax">
 classes</EM>
  of resource records are currently valid in the DNS:</P>
@@ -4740,30 +5004,30 @@ classes</EM>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998421">
-</A>
+ </A>
 IN</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998423">
-</A>
+ </A>
 the Internet system.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="2">
 <P CLASS="CellBody">
-<A NAME="pgfId=998427">
-</A>
-For information about other, older classes of RRs, <A HREF="BV9ARM.8.html#13688" CLASS="XRef">
-See Historical DNS Information.</A>
-.</P>
+<A NAME="pgfId=1030860">
+ </A>
+For information about other, older classes of RRs, see <A HREF="Bv9ARM.7.html#13688" CLASS="XRef">
+Historical DNS Information</A>
+ of Appendix B .</P>
 </TD>
 </TR>
 </TABLE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=998432">
-</A>
+ </A>
 <EM CLASS="Optional-meta-syntax">
 RDATA</EM>
  is the type-dependent or class-dependent data that describes the resource:</P>
@@ -4772,13 +5036,13 @@ RDATA</EM>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998435">
-</A>
+ </A>
 A</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998437">
-</A>
+ </A>
 for the IN class, a 32 bit IP address</P>
 </TD>
 </TR>
@@ -4786,13 +5050,13 @@ for the IN class, a 32 bit IP address</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998439">
-</A>
+ </A>
 A6</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998441">
-</A>
+ </A>
 maps a domain name to an IPv6 address, with a provision for indirection for leading &quot;prefix&quot; bits.</P>
 </TD>
 </TR>
@@ -4800,13 +5064,13 @@ maps a domain name to an IPv6 address, with a provision for indirection for lead
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998443">
-</A>
+ </A>
 CNAME</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998445">
-</A>
+ </A>
 a domain name</P>
 </TD>
 </TR>
@@ -4814,13 +5078,13 @@ a domain name</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998447">
-</A>
+ </A>
 DNAME</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998449">
-</A>
+ </A>
 provides alternate naming to an entire subtree of the domain name space, rather than to a single node.  It causes some suffix of a queried name to be substituted with a name from the DNAME record's RDATA.</P>
 </TD>
 </TR>
@@ -4828,13 +5092,13 @@ provides alternate naming to an entire subtree of the domain name space, rather
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998451">
-</A>
+ </A>
 MX</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998453">
-</A>
+ </A>
 a 16 bit preference value (lower is better) followed by a host name willing to act as a mail exchange for the owner domain.</P>
 </TD>
 </TR>
@@ -4842,13 +5106,13 @@ a 16 bit preference value (lower is better) followed by a host name willing to a
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998455">
-</A>
+ </A>
 NS</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998457">
-</A>
+ </A>
 a fully qualified domain name.</P>
 </TD>
 </TR>
@@ -4856,13 +5120,13 @@ a fully qualified domain name.</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998459">
-</A>
+ </A>
 PTR</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998461">
-</A>
+ </A>
 a fully qualified doman name.</P>
 </TD>
 </TR>
@@ -4870,75 +5134,75 @@ a fully qualified doman name.</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998463">
-</A>
+ </A>
 SOA</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998465">
-</A>
+ </A>
 several fields.</P>
 </TD>
 </TR>
 </TABLE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=998466">
-</A>
+ </A>
 The owner name is often implicit, rather than forming an integral part of the RR.  For example, many nameservers internally form tree or hash structures for the name space, and chain RRs off nodes.  The remaining RR parts are the fixed header (type, class, TTL) which is consistent for all RRs, and a variable part (RDATA) that fits the needs of the resource being described.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=998467">
-</A>
+ </A>
 The meaning of the TTL field is a time limit on how long an RR can be kept in a cache.  This limit does not apply to authoritative data in zones; it is also timed out, but by the refreshing policies for the zone.  The TTL is assigned by the administrator for the zone where the data originates.  While short TTLs can be used to minimize caching, and a zero TTL prohibits caching, the realities of Internet performance suggest that these times should be on the order of days for the typical host.  If a change can be anticipated, the TTL can be reduced prior to the change to minimize inconsistency during the change, and then increased back to its former value following the change.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=998468">
-</A>
+ </A>
 The data in the RDATA section of RRs is carried as a combination of binary strings and domain names.  The domain names are frequently used as &quot;pointers&quot; to other data in the DNS.</P>
 </DIV>
 <DIV>
 <OL>
 <H5 CLASS="4Level">
 <A NAME="pgfId=998469">
-</A>
+ </A>
 5.3.1.2	Textual expression of RRs</H5>
 </OL>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=998470">
-</A>
+ </A>
 RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form when stored in a nameserver or resolver.  In the examples provided in RFC 1034, a style similar to that used in master files was employed in order to show the contents of RRs.  In this format, most RRs are shown on a single line, although continuation lines are possible using parentheses.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=998471">
-</A>
+ </A>
 The start of the line gives the owner of the RR.  If a line begins with a blank, then the owner is assumed to be the same as that of the previous RR.  Blank lines are often included for readability.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=998472">
-</A>
+ </A>
 Following the owner, we list the TTL, type, and class of the RR.  Class and type use the mnemonics defined above, and TTL is an integer before the type field.  In order to avoid ambiguity in parsing, type and class mnemonics are disjoint, TTLs are integers, and the type mnemonic is always last. The IN class and TTL values are often omitted from examples in the interests of clarity.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=998473">
-</A>
+ </A>
 The resource data or RDATA section of the RR are given using knowledge of the typical representation for the data.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=998511">
-</A>
+ </A>
 For example, we might show the RRs carried in a message as: </P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998476">
-</A>
+ </A>
 ISI.EDU.</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998478">
-</A>
+ </A>
 MX</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998480">
-</A>
+ </A>
 10 VENERA.ISI.EDU.</P>
 </TD>
 </TR>
@@ -4946,19 +5210,19 @@ MX</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998482">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998484">
-</A>
+ </A>
 MX</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998486">
-</A>
+ </A>
 10 VAXA.ISI.EDU</P>
 </TD>
 </TR>
@@ -4966,19 +5230,19 @@ MX</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998488">
-</A>
+ </A>
 VENERA.ISI.EDU</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998490">
-</A>
+ </A>
 A</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998492">
-</A>
+ </A>
 128.9.0.32</P>
 </TD>
 </TR>
@@ -4986,19 +5250,19 @@ A</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998494">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998496">
-</A>
+ </A>
 A</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998498">
-</A>
+ </A>
 10.1.0.52</P>
 </TD>
 </TR>
@@ -5006,19 +5270,19 @@ A</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998500">
-</A>
+ </A>
 VAXA.ISI.EDU</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998502">
-</A>
+ </A>
 A</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998504">
-</A>
+ </A>
 10.2.0.27</P>
 </TD>
 </TR>
@@ -5026,53 +5290,53 @@ A</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998506">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998508">
-</A>
+ </A>
 A</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998510">
-</A>
+ </A>
 128.9.0.33</P>
 </TD>
 </TR>
 </TABLE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=998512">
-</A>
+ </A>
 The MX RRs have an RDATA section which consists of a 16 bit number followed by a domain name.  The address RRs use a standard IP address format to contain a 32 bit internet address.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=998513">
-</A>
+ </A>
 This example shows six RRs, with two RRs at each of three domain names.</P>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=998527">
-</A>
+ </A>
 Similarly we might see:</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998516">
-</A>
+ </A>
 XX.LCS.MIT.EDU. IN</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998518">
-</A>
+ </A>
 A</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998520">
-</A>
+ </A>
 10.0.0.44</P>
 </TD>
 </TR>
@@ -5080,27 +5344,27 @@ A</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998522">
-</A>
+ </A>
 CH</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998524">
-</A>
+ </A>
 A</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998526">
-</A>
+ </A>
 MIT.EDU. 2420</P>
 </TD>
 </TR>
 </TABLE>
 <P CLASS="4LevelContinued">
 <A NAME="pgfId=998528">
-</A>
-This example shows two addresses for <EM CLASS="URL">
+ </A>
+This example shows two addresses for <EM CLASS="pathname">
 XX.LCS.MIT.EDU</EM>
 , each of a different class.</P>
 </DIV>
@@ -5109,57 +5373,57 @@ XX.LCS.MIT.EDU</EM>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=998529">
-</A>
+ </A>
 5.3.2	Discussion of MX Records</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998530">
-</A>
+ </A>
 As described above, domain servers store information as a series of resource records, each of which contains a particular piece of information about a given domain name (which is usually, but not always, a host). The simplest way to think of a RR is as a typed pair of datum, a domain name matched with relevant data, and stored with some additional type information to help systems determine when the RR is relevant.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998531">
-</A>
+ </A>
 MX records are used to control delivery of email. The data specified in the record is a priority and a domain name. The priority controls the order in which email delivery is attempted, with the lowest number first. If two priorities are the same, a server is chosen randomly. If no servers at a given priority are responding, the mail transport agent will fall back to the next largest priority. Priority numbers do not have any absolute meaning - they are relevant only respective to other MX records for that domain name. The domain name given is the machine to which the mail will be delivered. It <EM CLASS="Optional-meta-syntax">
 must</EM>
  have an associated A record--a CNAME is not sufficient.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998532">
-</A>
+ </A>
 For a given domain, if there is both a CNAME record and an MX record, the MX record is in error, and will be ignored. Instead, the mail will be delivered to the server specified in the MX record pointed to by the CNAME.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998584">
-</A>
+ </A>
 For example:</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998535">
-</A>
+ </A>
 example.com.</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998537">
-</A>
+ </A>
 IN</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998539">
-</A>
+ </A>
 MX</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998541">
-</A>
+ </A>
 10</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998543">
-</A>
+ </A>
 mail.foo.com.</P>
 </TD>
 </TR>
@@ -5167,31 +5431,31 @@ mail.foo.com.</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998545">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998547">
-</A>
+ </A>
 IN</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998549">
-</A>
+ </A>
 MX</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998551">
-</A>
+ </A>
 10</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998553">
-</A>
+ </A>
 mail2.foo.com.</P>
 </TD>
 </TR>
@@ -5199,31 +5463,31 @@ mail2.foo.com.</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998555">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998557">
-</A>
+ </A>
 IN</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998559">
-</A>
+ </A>
 MX</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998561">
-</A>
+ </A>
 20</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998563">
-</A>
+ </A>
 mail.backup.org.</P>
 </TD>
 </TR>
@@ -5231,31 +5495,31 @@ mail.backup.org.</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998565">
-</A>
+ </A>
 mail.example.com.</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998567">
-</A>
+ </A>
 IN</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998569">
-</A>
+ </A>
 A</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998571">
-</A>
+ </A>
 10.0.0.1</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998573">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 </TR>
@@ -5263,71 +5527,73 @@ A</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998575">
-</A>
+ </A>
 mail2.example.com.</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998577">
-</A>
+ </A>
 IN</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998579">
-</A>
+ </A>
 A</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998581">
-</A>
+ </A>
 10.0.0.2</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody-fixedfontLG">
 <A NAME="pgfId=998583">
-</A>
+ </A>
 &nbsp;</P>
 </TD>
 </TR>
 </TABLE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998585">
-</A>
+ </A>
 Mail delivery will be attempted to mail.foo.com and mail2.foo.com (in any order), and if neither of those succeed, delivery to mail.backup.org will be attempted.</P>
 </DIV>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=998586">
-</A>
-5.3.3	Setting TTLs</H4>
+ </A>
+5.3.3	<A NAME="19693">
+ </A>
+Setting TTLs</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998587">
-</A>
+ </A>
 The time to live of the RR field is a 32 bit integer represented in units of seconds, and is primarily used by resolvers when they cache RRs. The TTL describes how long a RR can be cached before it should be discarded. The following three types of TTL are currently used in a zone file.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998602">
-</A>
+ </A>
 &nbsp;</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998590">
-</A>
+ </A>
 SOA</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998592">
-</A>
+ </A>
 The last field in the SOA is the negative caching TTL. This controls how long other servers will cache no-such-domain (NXDOMAIN) responses from you.</P>
 <P CLASS="CellBody">
 <A NAME="pgfId=998593">
-</A>
+ </A>
 The maximum time for negative caching is 3 hours (3h).</P>
 </TD>
 </TR>
@@ -5335,13 +5601,13 @@ The maximum time for negative caching is 3 hours (3h).</P>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998595">
-</A>
+ </A>
 $TTL</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998597">
-</A>
+ </A>
 The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without a specific TTL set.</P>
 </TD>
 </TR>
@@ -5349,20 +5615,20 @@ The $TTL directive at the top of the zone file (before the SOA) gives a default
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998599">
-</A>
+ </A>
 RR TTLs</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
 <A NAME="pgfId=998601">
-</A>
+ </A>
 Each RR can have a TTL as the second field in the RR, which will control how long other servers can cache the it.</P>
 </TD>
 </TR>
 </TABLE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998603">
-</A>
+ </A>
 All of these TTLs default to units of seconds, though units can be explicitly specified, e.g. <EM CLASS="Optional-meta-syntax">
 1h30m</EM>
 . </P>
@@ -5371,12 +5637,12 @@ All of these TTLs default to units of seconds, though units can be explicitly sp
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=998604">
-</A>
+ </A>
 5.3.4	Inverse Mapping in IPv4</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998605">
-</A>
+ </A>
 Reverse name resolution (i.e., translation from IP address to name) is achieved by means of the in-addr.arpa domain and PTR records. Entries in the in-addr.arpa domain are made in least-to-most significant order, read left to right. This is the opposite order to the way IP addresses are usually written. Thus, a machine with an IP address of 10.1.2.3 would have a corresponding in-addr.arpa name of<BR>
 3.2.1.10.in-addr.arpa. This name should have a PTR resource record whose data field is the name of the machine or, optionally, multiple PTR records if the machine has more than one name. For example, in the <EM CLASS="Optional-meta-syntax">
 example.com</EM>
@@ -5386,7 +5652,7 @@ $ORIGIN      2.1.10.in-addr.arpa
 3            IN PTR foo.example.com.</PRE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998607">
-</A>
+ </A>
 (Note: The <CODE CLASS="Program-Process">
 $ORIGIN</CODE>
  lines in the examples are for providing context to the examples only--they do not necessarily appear in the actual usage. They are only used here to indicate that the example is relative to the listed origin.)</P>
@@ -5395,16 +5661,16 @@ $ORIGIN</CODE>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=998608">
-</A>
+ </A>
 5.3.5	Other Zone File Directives</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998609">
-</A>
+ </A>
 The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format itself is class independent all records in a Master File must be of the same class.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998610">
-</A>
+ </A>
 Master File Directives include <CODE CLASS="Program-Process">
 $ORIGIN</CODE>
 , <CODE CLASS="Program-Process">
@@ -5424,8 +5690,7 @@ $ORIGIN</CODE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998612">
 </A>
-Syntax: <CODE CLASS="Program-Process">
-$ORIGIN &lt;domain-name&gt; [&lt;comment&gt;]</CODE>
+Syntax: <CODE>$ORIGIN &lt; <EM>domain-name</EM> &gt; [&lt;<EM>comment</EM>&gt;]</CODE>
 </P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998613">
@@ -5434,22 +5699,29 @@ $ORIGIN &lt;domain-name&gt; [&lt;comment&gt;]</CODE>
 $ORIGIN </CODE>
 sets the domain name that will be appended to any unqualified records. When a zone is first read in there is an implicit <CODE CLASS="Program-Process">
 $ORIGIN </CODE>
-&lt;zone-name&gt;<CODE CLASS="Program-Process">
+&lt;<EM CLASS="variable">
+zone-name</EM>
+&gt;<CODE CLASS="Program-Process">
 .</CODE>
  The current <CODE CLASS="Program-Process">
 $ORIGIN</CODE>
  is appended to the domain specified in the <CODE CLASS="Program-Process">
 $ORIGIN</CODE>
  argument if it is not absolute.</P>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=998614"></A>
-$ORIGIN EXAMPLE.COM
-WWW     CNAME   MAIN-SERVER</PRE>
+ 
+<PRE>
+<CODE>$ORIGIN example.com
+WWW     CNAME   MAIN-SERVER</CODE>
+</PRE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998615">
 </A>
 is equivalent to</P>
-<PRE CLASS="3Level-fixed"><A NAME="pgfId=998616"></A>
-WWW.EXAMPLE.COM CNAME MAIN-SERVER.EXAMPLE.COM.</PRE>
+ 
+<PRE>
+<CODE>WWW.EXAMPLE.COM CNAME MAIN-SERVER.EXAMPLE.COM.
+</CODE>
+</PRE>
 </DIV>
 <DIV>
 <OL>
@@ -5463,14 +5735,15 @@ $INCLUDE</CODE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998618">
 </A>
-Syntax: <CODE CLASS="Program-Process">
-$INCLUDE &lt;filename&gt; [&lt;origin&gt;] [&lt;comment&gt;]</CODE>
+<PRE>
+Syntax: <CODE>$INCLUDE &lt filename&gt; [&lt; origin&gt;] [&lt;comment&gt;]</CODE>
+</PRE>
 </P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998619">
 </A>
-Read and process the file <CODE CLASS="Program-Process">
-filename</CODE>
+Read and process the file <EM CLASS="pathname">
+filename</EM>
  as if it were included into the file at this point.  If <CODE CLASS="Program-Process">
 origin</CODE>
  is specified the file is processed with <CODE CLASS="Program-Process">
@@ -5481,9 +5754,9 @@ $ORIGIN</CODE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998620">
 </A>
-<EM CLASS="Optional-meta-syntax">
-NOTE</EM>
-: The behavior when <CODE CLASS="Program-Process">
+<EM CLASS="Emphasis">
+NOTE:</EM>
+ The behavior when <CODE CLASS="Program-Process">
 origin</CODE>
  is specified differs from that described in RFC&nbsp;1035. The origin and current domain revert to the values they were prior to the <CODE CLASS="Program-Process">
 $INCLUDE</CODE>
@@ -5501,8 +5774,10 @@ $TTL</CODE>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998622">
 </A>
-Syntax: <CODE CLASS="Program-Process">
-$TTL &lt;default-ttl&gt; [&lt;comment&gt;]</CODE>
+<PRE>
+<CODE>Syntax: $TTL &lt;default-ttl&gt; [&lt;comment&gt;]
+</CODE>
+</PRE>
 </P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998623">
@@ -5531,7 +5806,33 @@ $GENERATE</PRE>
 <A NAME="pgfId=998627">
 </A>
 Syntax: <CODE CLASS="Program-Process">
-$GENERATE &lt;range&gt; &lt;lhs&gt; &lt;type&gt; &lt;rhs&gt; [&lt;comment&gt;]</CODE>
+$GENERATE &lt;</CODE>
+<EM CLASS="variable">
+range</EM>
+<CODE CLASS="Program-Process">
+&gt; &lt;</CODE>
+<EM CLASS="variable">
+lhs</EM>
+<CODE CLASS="Program-Process">
+&gt; &lt;</CODE>
+<EM CLASS="variable">
+type</EM>
+<CODE CLASS="Program-Process">
+&gt; &lt;</CODE>
+<EM CLASS="variable">
+rhs</EM>
+<CODE CLASS="Program-Process">
+&gt; </CODE>
+<EM CLASS="Optional-meta-syntax">
+[</EM>
+<CODE CLASS="Program-Process">
+&lt;</CODE>
+<EM CLASS="variable">
+comment</EM>
+<CODE CLASS="Program-Process">
+&gt;</CODE>
+<EM CLASS="Optional-meta-syntax">
+]</EM>
 </P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=998628">
@@ -5566,12 +5867,12 @@ is equivalent to</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=998634">
 </A>
 <CODE CLASS="Program-Process">
 range</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
@@ -5582,12 +5883,12 @@ This can be one of two forms: start-stop or start-stop/step. If the first form i
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=998638">
 </A>
 <CODE CLASS="Program-Process">
 lhs</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
@@ -5612,12 +5913,12 @@ is appended to the name.</P>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=998642">
 </A>
 <CODE CLASS="Program-Process">
 type</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
@@ -5628,12 +5929,12 @@ At present the only supported types are PTR, CNAME and NS.</P>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
+<P CLASS="CellBody">
 <A NAME="pgfId=998646">
 </A>
 <CODE CLASS="Program-Process">
 rhs</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
@@ -5665,23 +5966,23 @@ It is not yet implemented in BINDv9.</EM>
 Certain UNIX signals cause the name server to take specific actions, as described in the following table.  These signals can be sent using the <CODE CLASS="Program-Process">
 kill</CODE>
  command.</P>
-<P CLASS="Body">
-<A NAME="pgfId=997347">
+<P CLASS="3LevelContinued">
+<A NAME="pgfId=1073295">
 </A>
- &nbsp;</P>
+&nbsp;</P>
 <TABLE>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=998654">
+<P CLASS="CellBody">
+<A NAME="pgfId=1073306">
 </A>
 <CODE CLASS="Program-Process">
 SIGHUP</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=998656">
+<A NAME="pgfId=1073308">
 </A>
 Causes the server to read <CODE CLASS="Program-Process">
 named.conf</CODE>
@@ -5690,51 +5991,55 @@ named.conf</CODE>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=998658">
+<P CLASS="CellBody">
+<A NAME="pgfId=1073310">
 </A>
 <CODE CLASS="Program-Process">
 SIGTERM</CODE>
-</H6>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=998660">
+<A NAME="pgfId=1073312">
 </A>
 Causes the server to clean up and exit.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1024021">
-</A>
-SIGINT</H6>
+<P CLASS="CellBody">
+<A NAME="pgfId=1073322">
+ </A>
+<CODE CLASS="Program-Process">
+SIGINT</CODE>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=1024023">
+<A NAME="pgfId=1073324">
 </A>
 Causes the server to clean up and exit.</P>
 </TD>
 </TR>
 <TR>
 <TD ROWSPAN="1" COLSPAN="1">
-<H6 CLASS="CellBody21">
-<A NAME="pgfId=1024017">
+<P CLASS="CellBody">
+<A NAME="pgfId=1073326">
 </A>
-SIGQUIT</H6>
+<CODE CLASS="Program-Process">
+SIGQUIT</CODE>
+</P>
 </TD>
 <TD ROWSPAN="1" COLSPAN="1">
 <P CLASS="CellBody">
-<A NAME="pgfId=1024019">
-</A>
+<A NAME="pgfId=1073328">
+ </A>
 Causes the server to clean up and exit.</P>
 </TD>
 </TR>
 </TABLE>
 </DIV>
 </DIV>
-<p>Return to <A href="BV9ARM.html">BINDv9 Administrator Reference Manual</A> table of contents.</p>
+<p>Return to <A href="Bv9ARM.html">BINDv9 Administrator Reference Manual</A> 
 </BODY>
 </HTML>
diff --git a/doc/arm/BV9ARM.6.html b/doc/arm/Bv9ARM.6.html
index 1e0348a3..9b70e597 100644..100755
--- a/doc/arm/BV9ARM.6.html
+++ b/doc/arm/Bv9ARM.6.html
@@ -2,27 +2,27 @@
 <HTML>
 <HEAD>
 <META NAME="GENERATOR" CONTENT="Adobe FrameMaker 5.5/HTML Export Filter">
-<LINK REL="STYLESHEET" HREF="BV9ARM.css">
+<LINK REL="STYLESHEET" HREF="Bv9ARM.css">
 <TITLE> Section 6.	Security Considerations</TITLE></HEAD>
 <BODY BGCOLOR="#ffffff">
 <OL>
 <H1 CLASS="1Level">
 <A NAME="pgfId=997350">
-</A>
+ </A>
 Section 6.	Security Considerations</H1>
 </OL>
 <DIV>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997352">
-</A>
+ </A>
 6.1	<A NAME="32222">
-</A>
+ </A>
 Access Control Lists</H3>
 </OL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997353">
-</A>
+ </A>
 Access Control Lists (ACLs), are address match lists that you can set up and nickname for future use in <CODE CLASS="Program-Process">
 allow-query</CODE>
 , <CODE CLASS="Program-Process">
@@ -34,58 +34,63 @@ allow-transfer</CODE>
 , etc.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997354">
-</A>
+ </A>
 Using ACLs allows you to have finer control over who can access your nameserver, without cluttering up your config files with huge lists of IP addresses.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997355">
-</A>
+ </A>
 It is a <EM CLASS="Emphasis">
 good idea</EM>
  to use ACLs, and to control access to your server. Limiting access to your server by outside parties can help prevent spoofing and DoS attacks against your server.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997356">
-</A>
+ </A>
 Here is an example of how to properly apply ACLs:</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997357">
-</A>
+ </A>
 // Set up an ACL named &quot;bogusnets&quot; that will block RFC1918 space,<BR>
 // which is commonly used in spoofing attacks.</P>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997358"></A>
-acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };</PRE>
+ 
+<PRE>
+<CODE>acl bogusnets{ 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
+</CODE>
+</PRE>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997359">
-</A>
-// Set up an ACL called our-nets.  Replace this with the real IP numbers.</P>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997360"></A>
-acl our-nets { x.x.x.x/24; x.x.x.x/21; }; </PRE>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997361"></A>
+ </A>
+// Set up an ACL called our-nets. Replace this with the real IP numbers.</P>
+ 
+<PRE>
+<CODE>acl our-nets { x.x.x.x/24; x.x.x.x/21; };  
 options {
   ...
   ...
-  allow-query { our-nets; };
-  allow-recursion { our-nets; };
+  allow-query { <VAR>our-nets</VAR>; };
+  allow-recursion { <VAR>our-nets</VAR>; };
   ...
   blackhole { bogusnets; };
   ...
-};</PRE>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997362"></A>
-zone &quot;example.com&quot; {
-  type master;
-  file &quot;m/example.com&quot;;
-  allow-query { any; };
-};</PRE>
+};
+
+zone &quot;<EM>example.com</EM>&quot; {
+  type <VAR>master</VAR>;
+  file &quot;<EM>m/example.com</EM>&quot;;
+  allow-query { <VAR>any</VAR>; };
+};</CODE>
+</PRE>
+
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997363">
-</A>
+ </A>
 This allows recursive queries of the server from the outside unless recursion has been previously disabled.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997364">
-</A>
+ </A>
 For more information on how to use ACLs to protect your server, see the <EM CLASS="Emphasis">
 AUSCERT</EM>
  advisory at<BR>
-<EM CLASS="Emphasis">
+<EM CLASS="URL">
 ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</EM>
 </P>
 </DIV>
@@ -93,7 +98,7 @@ ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</EM>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997365">
-</A>
+ </A>
 6.2	<CODE CLASS="Program-Process">
 chroot</CODE>
  and <CODE CLASS="Program-Process">
@@ -102,7 +107,7 @@ setuid</CODE>
 </OL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997366">
-</A>
+ </A>
 On UNIX servers, it is possible to run BIND in a <EM CLASS="Emphasis">
 chrooted</EM>
  environment (<CODE CLASS="Program-Process">
@@ -112,15 +117,17 @@ chroot()</CODE>
 &quot; option. This can help improve system security by placing BIND in a &quot;sandbox,&quot; which will limit the damage done if a server is compromised.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997367">
-</A>
+ </A>
 Another useful feature in the UNIX version of BIND is the ability to run the daemon as a nonprivileged user ( <CODE CLASS="Program-Process">
 -u</CODE>
- &lt;user&gt; ). We suggest running as a nonprivileged user when using the <CODE CLASS="Program-Process">
+ &lt;<EM CLASS="variable">
+user</EM>
+&gt; ). We suggest running as a nonprivileged user when using the <CODE CLASS="Program-Process">
 chroot</CODE>
  feature.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997368">
-</A>
+ </A>
 Here is an example command line to load BIND in a <CODE CLASS="Program-Process">
 chroot()</CODE>
  sandbox, <BR>
@@ -131,35 +138,36 @@ named</CODE>
  <CODE CLASS="Program-Process">
 setuid</CODE>
  to user 202:</P>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997369"></A>
-/usr/local/bin/named -u 202 -t /var/named</PRE>
+<PRE CLASS="2Level-fixed"><A NAME="pgfId=997369"></A>
+<KBD CLASS="Literal-user-input">/usr/local/bin/named -u 202 -t /var/named</KBD>
+</PRE>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997370">
-</A>
+ </A>
 6.2.1	The <CODE CLASS="Program-Process">
 chroot</CODE>
- environment</H4>
+ Environment</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997371">
-</A>
+ </A>
 In order for a <CODE CLASS="Program-Process">
 chroot()</CODE>
- environment to work properly in a particular directory (e.g. <EM CLASS="pathname">
+ environment to work properly in a particular directory (e.g., <EM CLASS="pathname">
 /var/named</EM>
 ), you will need to set up an environment that includes everything BIND needs to run. From BIND's point of view, <EM CLASS="pathname">
 /var/named</EM>
  is the root of the filesystem. You will need <EM CLASS="pathname">
 /dev/null</EM>
-, and any library directories and files that BIND needs to run on your system.  Please consult your operating system's instructions if you need help figuring out which library files you need to copy over to the <CODE CLASS="Program-Process">
+, and any library directories and files that BIND needs to run on your system. Please consult your operating system's instructions if you need help figuring out which library files you need to copy over to the <CODE CLASS="Program-Process">
 chroot()</CODE>
  sandbox.</P>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997372">
-</A>
-If you are running an operating system that supports static binaries, you can also compile BIND staticly and avoid the need to copy system libraries over to your <CODE CLASS="Program-Process">
+ </A>
+If you are running an operating system that supports static binaries, you can also compile BIND statically and avoid the need to copy system libraries over to your <CODE CLASS="Program-Process">
 chroot()</CODE>
  sandbox.</P>
 </DIV>
@@ -167,14 +175,14 @@ chroot()</CODE>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997373">
-</A>
-6.2.2	Using <CODE CLASS="Program-Process">
+ </A>
+6.2.2	Using the <CODE CLASS="Program-Process">
 setuid</CODE>
-</H4>
+ Function </H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997374">
-</A>
+ </A>
 Prior to running the <CODE CLASS="Program-Process">
 named</CODE>
  daemon, use the <CODE CLASS="Program-Process">
@@ -188,18 +196,18 @@ chown</CODE>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997375">
-</A>
-6.3	Dynamic updates</H3>
+ </A>
+6.3	Dynamic Updates</H3>
 </OL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997376">
-</A>
+ </A>
 Access to the dynamic update facility should be strictly limited. In earlier versions of BIND the only way to do this was based on the IP address of the host requesting the update. BINDv9 also supports authenticating updates cryptographically by means of transaction signatures (TSIG). The use of TSIG is strongly recommended.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=1006806">
-</A>
+ </A>
 Some sites choose to keep all dynamically updated DNS data in a subdomain and delegate that subdomain to a separate zone. This way, the top-level zone containing critical data such as the IP addresses of public web and mail servers need not allow dynamic update at all.</P>
 </DIV>
-<p>Return to <A href="BV9ARM.html">BINDv9 Administrator Reference Manual</A> table of contents.</p>
+<p>Return to <A href="Bv9ARM.html">BINDv9 Administrator Reference Manual</A> 
 </BODY>
 </HTML>
diff --git a/doc/arm/BV9ARM.7.html b/doc/arm/Bv9ARM.7.html
index 322ee560..ece6c8f6 100644..100755
--- a/doc/arm/BV9ARM.7.html
+++ b/doc/arm/Bv9ARM.7.html
@@ -2,177 +2,225 @@
 <HTML>
 <HEAD>
 <META NAME="GENERATOR" CONTENT="Adobe FrameMaker 5.5/HTML Export Filter">
-<LINK REL="STYLESHEET" HREF="BV9ARM.css">
+<LINK REL="STYLESHEET" HREF="Bv9ARM.css">
 <TITLE> Section 7.	Troubleshooting</TITLE></HEAD>
 <BODY BGCOLOR="#ffffff">
 <OL>
 <H1 CLASS="1Level">
 <A NAME="pgfId=997350">
-</A>
+ </A>
 Section 7.	Troubleshooting</H1>
 </OL>
 <DIV>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997351">
-</A>
+ </A>
 7.1	Common Log Messages and What They Mean</H3>
 </OL>
 <DIV>
 <UL>
 <H6 CLASS="Subhead2">
 <A NAME="pgfId=997352">
-</A>
+ </A>
 lame server</H6>
 </UL>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997353"></A>
-ns named[111]: Lame server on 'www.foo.com' (in 'foo.com'?): [192.168.0.2].53 'ns2.foo.com'</PRE>
+<PRE CLASS="2Level-fixed"><A NAME="pgfId=997353"> </A>
+<EM CLASS="grammar_literal">ns named[111]: Lame server on 'www.foo.com' (in 'foo.com'?): [192.168.0.2].53 'ns2.foo.com'</EM>
+</PRE>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997354">
-</A>
-This is a harmless error message. It means that the server at 192.168.0.2 (ns2.foo.com) is listed as a nameserver for &quot;foo.com&quot;, but it doesn't really know anything about foo.com.</P>
+ </A>
+This is a harmless error message. It means that the server at 192.168.0.2 (<EM CLASS="pathname">
+ns2.foo.com</EM>
+) is listed as a nameserver for &quot;<EM CLASS="pathname">
+foo.com</EM>
+&quot;, but it doesn't really know anything about <EM CLASS="pathname">
+foo.com</EM>
+.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997355">
-</A>
+ </A>
 If this is a zone under your control, check each of the nameservers to ensure that they are configured to answer questions properly.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997356">
-</A>
+ </A>
 If it's a zone out on the Internet, it would be nice to notify the owners of the domain in question so that they can take a look at it. In practice, though, not many people have time to do this.</P>
 </DIV>
 <DIV>
 <UL>
 <H6 CLASS="Subhead2">
 <A NAME="pgfId=997357">
-</A>
+ </A>
 bad referral</H6>
 </UL>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997358"></A>
-ns named[111]: bad referral (other.com !&lt; subdomain.other.com)</PRE>
+<PRE CLASS="2Level-fixed"><A NAME="pgfId=997358"> </A>
+<EM CLASS="grammar_literal">ns named[111]: bad referral (other.com !&lt; subdomain.other.com)</EM>
+</PRE>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997359">
-</A>
-This indicates that your nameserver (ns.foo.com) queried the nameserver for foo2.com to find out how to get to subdomain.foo2.com. foo2.com told your nameserver that subdomain.foo2.com was delegated to some other.foo2.com, so your nameserver queried that.</P>
+ </A>
+This indicates that your nameserver (<EM CLASS="pathname">
+ns.foo.com</EM>
+) queried the nameserver for <EM CLASS="pathname">
+foo2.com</EM>
+ to find out how to get to <EM CLASS="pathname">
+subdomain.foo2.com</EM>
+. <EM CLASS="pathname">
+foo2.com</EM>
+ told your nameserver that <EM CLASS="pathname">
+subdomain.foo2.com</EM>
+ was delegated to some <EM CLASS="pathname">
+other.foo2.com</EM>
+, so your nameserver queried that.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997360">
-</A>
-someother.foo2.com didn't think that subdomain.foo2.com had been delegated to it, so it referred your server (ns.foo.com) back to the foo2.com nameserver.</P>
+ </A>
+<EM CLASS="pathname">
+someother.foo2.com</EM>
+ didn't think that <EM CLASS="pathname">
+subdomain.foo2.com</EM>
+ had been delegated to it, so it referred your server (<EM CLASS="pathname">
+ns.foo.com</EM>
+) back to the <EM CLASS="pathname">
+foo2.com</EM>
+ nameserver.</P>
 </DIV>
 <DIV>
 <UL>
 <H6 CLASS="Subhead2">
 <A NAME="pgfId=997361">
-</A>
+ </A>
 not authoritative for</H6>
 </UL>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997362"></A>
-ns named-xfer[111]: [192.168.0.1] not authoritative for foo.com, SOA query got rcode 0, aa 0, ancount 1, aucount 0</PRE>
+<PRE CLASS="2Level-fixed"><A NAME="pgfId=997362"> </A>
+<EM CLASS="grammar_literal">ns named-xfer[111]: [192.168.0.1] not authoritative for foo.com, SOA query got rcode 0, aa 0, ancount 1, aucount 0</EM>
+</PRE>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997363">
-</A>
+ </A>
 This error usually shows up on a slave server. It indicates that the master server is not answering authoritatively for the zone. This usually happens when the zone is rejected (while named is loading) on the master server. Check the logs on the master server. If ancount -- 0, you may be pointing at the wrong master server for the zone.</P>
 </DIV>
 <DIV>
 <UL>
 <H6 CLASS="Subhead2">
 <A NAME="pgfId=997364">
-</A>
+ </A>
 rejected zone</H6>
 </UL>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997365"></A>
-ns named[111]: master zone &quot;foo.com&quot; (IN) rejected due to errors (serial111)</PRE>
+<PRE CLASS="2Level-fixed"><A NAME="pgfId=997365"> </A>
+<EM CLASS="grammar_literal">ns named[111]: master zone &quot;foo.com&quot; (IN) rejected due to errors (serial111)</EM>
+</PRE>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997366">
-</A>
-This indicates that the foo.com zone was rejected because of an error in the zone file. Check the lines above this error -- named will usually tell you what it didn't like and where to find it in the zone file.</P>
+ </A>
+This indicates that the <EM CLASS="pathname">
+foo.com</EM>
+ zone was rejected because of an error in the zone file. Check the lines above this error. <CODE CLASS="Program-Process">
+named</CODE>
+ will usually tell you what it didn't like and where to find it in the zone file.</P>
 </DIV>
 <DIV>
 <UL>
 <H6 CLASS="Subhead2">
 <A NAME="pgfId=997367">
-</A>
+ </A>
 no NS RRs found</H6>
 </UL>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997368"></A>
-ns named[111]: Zone &quot;foo.com&quot; (file foo.com.db): no NS RRs found at zonetop</PRE>
+<PRE CLASS="2Level-fixed"><A NAME="pgfId=997368"> </A>
+<EM CLASS="grammar_literal">ns named[111]: Zone &quot;foo.com&quot; (file foo.com.db): no NS RRs found at zonetop</EM>
+</PRE>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997369">
-</A>
-The foo.com.db file is missing NS records at the top of the zone (in the SOA section). Check to make sure they exist and that there is white space (spaces or tabs) in front of them. White spaces matter here.</P>
+ </A>
+The <EM CLASS="pathname">
+foo.com.db</EM>
+ file is missing NS records at the top of the zone (in the SOA section). Check to make sure they exist and that there is white space (spaces or tabs) in front of them. White spaces matter here.</P>
 </DIV>
 <DIV>
 <UL>
 <H6 CLASS="Subhead2">
 <A NAME="pgfId=997370">
-</A>
+ </A>
 no default TTL set</H6>
 </UL>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997371"></A>
-ns named[111]: Zone &quot;foo.com&quot; (file foo.com.db): No default TTL set using SOA minimum instead</PRE>
+<PRE CLASS="2Level-fixed"><A NAME="pgfId=997371"> </A>
+<EM CLASS="grammar_literal">ns named[111]: Zone &quot;foo.com&quot; (file foo.com.db): No default TTL set using SOA minimum instead</EM>
+</PRE>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997372">
-</A>
-You need to add a $TTL to the top of the foo.com.db zone file. See RFC2308, or section 3.2.3, &quot;Setting TTLs&quot; in this document, for information on how to use $TTL.</P>
+ </A>
+You need to add a $TTL to the top of the <EM CLASS="pathname">
+foo.com.db</EM>
+ zone file. See RFC2308, or <A HREF="Bv9ARM.5.html#19693" CLASS="XRef">
+Setting TTLs</A>
+ in this document, for information on how to use $TTL.</P>
 </DIV>
 <DIV>
 <UL>
 <H6 CLASS="Subhead2">
 <A NAME="pgfId=997373">
-</A>
+ </A>
 no root nameserver for class</H6>
 </UL>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997374"></A>
-findns: No root nameservers for class IN?</PRE>
+<PRE CLASS="2Level-fixed"><A NAME="pgfId=997374"> </A>
+<EM CLASS="grammar_literal">findns: No root nameservers for class IN?</EM>
+</PRE>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997375">
-</A>
+ </A>
 Your nameserver is having problems finding the root nameservers. Check your root hints file to make sure it is not corrupted. Also, make sure that your nameserver can reach the Internet.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997376">
-</A>
-If you are running an internal root nameserver, make sure it's configured properly and is answering queries.</P>
+ </A>
+If you are running an internal root nameserver, make sure it is configured properly and is answering queries.</P>
 </DIV>
 <DIV>
 <UL>
 <H6 CLASS="Subhead2">
 <A NAME="pgfId=997377">
-</A>
+ </A>
 address already in use</H6>
 </UL>
-<PRE CLASS="2Level-fixed1"><A NAME="pgfId=997378"></A>
-ctl_server: bind: Address already in use</PRE>
+<PRE CLASS="2Level-fixed"><A NAME="pgfId=997378"> </A>
+<EM CLASS="grammar_literal">ctl_server: bind: Address already in use</EM>
+</PRE>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997379">
-</A>
+ </A>
 This usually indicates that another copy of BIND is already running. Verify that you have killed old copies of the daemon.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997380">
-</A>
+ </A>
 This can also pop up if you originally ran named as &quot;root&quot; and now run it as a regular user. named may have left behind an ndc control socket that is owned by root if it crashed, or was not killed gracefully.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997381">
-</A>
-This means that the regular user wouldn't be able to delete it, so it would think named is still running. The solution is to remove any ndc sockets in /usr/local/etc, or /var/run, etc.</P>
+ </A>
+This means that the regular user wouldn't be able to delete it, so it would think named is still running. The solution is to remove any ndc sockets in <EM CLASS="pathname">
+/usr/local/etc</EM>
+, or <EM CLASS="pathname">
+/var/run</EM>
+, etc.</P>
 </DIV>
 </DIV>
 <DIV>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997382">
-</A>
+ </A>
 7.2	Common Problems</H3>
 </OL>
 <DIV>
 <OL>
 <H4 CLASS="3Level">
 <A NAME="pgfId=997383">
-</A>
+ </A>
 7.2.1	It's not working; how can I figure out what's wrong?</H4>
 </OL>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=997384">
-</A>
-The best solution to solving installation and configuration issues is to take preventative measures by setting up logging files beforehand (see the sample configurations in <A HREF="BvARM.3.html#30164" CLASS="XRef">
+ </A>
+The best solution to solving installation and configuration issues is to take preventative measures by setting up logging files beforehand (see the sample configurations in <A HREF="Bv9ARM.3.html#30164" CLASS="XRef">
 Sample Configuration and Logging</A>
 ). The log files provide a source of hints and information that can be used to figure out what went wrong and how to fix the problem.</P>
 </DIV>
@@ -181,49 +229,49 @@ Sample Configuration and Logging</A>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997388">
-</A>
+ </A>
 7.3	Incrementing and Changing the Serial Number</H3>
 </OL>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=1001230">
-</A>
+ </A>
 Zone serial numbers are just numbers--they aren't date related. A lot of people set them to a number that represents a date, usually of the form YYYYMMDDRR. A number of people have been testing these numbers for Y2K compliance and have set the number to the year 2000 to see if it will work. They then try to restore the old serial number. This will cause problems, because serial numbers are used to indicate that a zone has been updated. If the serial number on the secondary server is lower than the serial number on the primary, the secondary server will attempt to update its copy of the zone.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997390">
-</A>
+ </A>
 Setting the serial number to a lower number on the primary server than the secondary server means that the secondary will not perform updates to its copy of the zone.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997391">
-</A>
+ </A>
 The solution to this is to add 2147483647 (2^31-1) to the number, reload the zone and make sure all secondaries have updated to the new zone serial number, then reset the number to what you want it to be, and reload the zone again.</P>
 </DIV>
 <DIV>
 <OL>
 <H3 CLASS="2Level">
 <A NAME="pgfId=997392">
-</A>
+ </A>
 7.4	Where Can I Get Help?</H3>
 </OL>
 <P CLASS="2LevelContinued">
-<A NAME="pgfId=997393">
-</A>
+<A NAME="pgfId=1001264">
+ </A>
 The Internet Software Consortium (ISC) offers a wide range of support and service agreements for BIND, DHCP and INN servers. Four levels of premium support are available and each level includes support for all ISC programs, significant discounts on products and training, and a recognized priority on bug fixes and non-funded feature requests. In addition, ISC offers a standard support agreement package which includes services ranging from bug fix announcements to remote support. It also includes training in BIND, DHCP or INN.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=997394">
-</A>
-To discuss arrangements for support, contact
-<a href="mailto: info@isc.org">info@isc.org</A></CODE>
-or visit the ISC web page at 
-<a href="http://www.isc.org/services/support/">the ISC web site</A></EM>
+ </A>
+To discuss arrangements for support, contact <EM CLASS="pathname">
+info@isc.org</EM>
+<CODE CLASS="Program-Process">
+ </CODE>
+or visit the ISC web page at<BR>
+<EM CLASS="URL">
+http://www.isc.org/services/support/</EM>
  to read more.</P>
-<P CLASS="Body">
-<A NAME="pgfId=997347">
-</A>
-&nbsp;</P>
-
+<DIV>
+<p>Return to <A href="Bv9ARM.html">BINDv9 Administrator Reference Manual</A> 
+</DIV>
 </DIV>
 </DIV>
-<p>Return to <A href="BV9ARM.html">BINDv9 Administrator Reference Manual</A> table of contents.</p>
 </DIV>
 </BODY>
 </HTML>
diff --git a/doc/arm/BV9ARM.8.html b/doc/arm/Bv9ARM.8.html
index e6fc8cdf..2193ce6a 100644..100755
--- a/doc/arm/BV9ARM.8.html
+++ b/doc/arm/Bv9ARM.8.html
@@ -2,121 +2,135 @@
 <HTML>
 <HEAD>
 <META NAME="GENERATOR" CONTENT="Adobe FrameMaker 5.5/HTML Export Filter">
-<LINK REL="STYLESHEET" HREF="BV9ARM.css">
+<LINK REL="STYLESHEET" HREF="Bv9ARM.css">
 <TITLE> Appendices</TITLE></HEAD>
 <BODY BGCOLOR="#ffffff">
-<OL>
-<H1 CLASS="1Level">
-<A NAME="pgfId=997350">
-</A>
-Appendices</H1>
-</OL>
-
 <DIV>
-<H3 CLASS="AppendixLevel1">
+<H6 CLASS="Title">
+<A NAME="pgfId=997347">
+ </A>
+Appendices</H6>
+<DIV>
+<H6 CLASS="AppendixLevel1">
 <A NAME="pgfId=999043">
-</A>
-Appendix A. Acknowledgements</H3>
+ </A>
+Appendix A. Acknowledgements</H6>
 <DIV>
-<H4 CLASS="AppendixLevel2">
+<H6 CLASS="AppendixLevel2">
 <A NAME="pgfId=1000953">
-</A>
-A Brief History of the DNS and BIND</H4>
+ </A>
+A Brief History of the DNS and BIND</H6>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=1000944">
-</A>
+ </A>
 Although the &quot;official&quot; beginning of the Domain Name System occurred in 1984 with the publication of RFC 920, the core of the new system was described in 1983 in RFCs 882 and 883. From 1984 to 1987, the ARPAnet (the precursor to today's Internet) became a testbed of experimentation for developing the new naming/addressing scheme in an rapidly expanding, operational network environment. New RFCs were written and published in 1987 that modified the original documents to incorporate improvements based on the working model. RFC 1034, &quot;Domain Names-Concepts and Facilities,&quot; and RFC 1035, &quot;Domain Names-Implementation and Specification&quot; were published and became the standards upon which all DNS implementations are built.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=1000945">
-</A>
+ </A>
 The first working domain name server, called &quot;Jeeves,&quot; was written in 1983-84 by Paul Mockapetris for operation on DEC Tops-20 machines located at the University of Southern California's Information Sciences Institute (USC-ISI) and SRI International's Network Information Center (SRI-NIC). A DNS server for Unix machines, the Berkeley Internet Name Domain (BIND) package, was written soon after by a group of graduate students at the University of California at Berkeley under a grant from the US Defense Advanced Research Projects Administration (DARPA). Versions of BIND through 4.8.3 were maintained by the Computer Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark Painter, David Riggle and Songnian Zhou made up the initial BIND project team. After that, additional work on the software package was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment Corporation employee on loan to the CSRG, worked on BIND for 2 years, from 1985 to 1987. Many other people also contributed to BIND development during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell, Mike Muuss, Jim Bloom and Mike Schwartz. BIND maintenance was subsequently handled by Mike Karels and O. Kure.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=1000946">
-</A>
+ </A>
 BIND versions 4.9 and 4.9.1 were released by Digital Equipment Corporation (now Compaq Computer Corporation). Paul Vixie, then a DEC employee, became BIND's primary caretaker. Paul was assisted by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe Wolfhugel, and others.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=1000947">
-</A>
+ </A>
 BIND Version 4.9.2 was sponsored by Vixie Enterprises. Paul Vixie became BIND's principal architect/programmer.</P>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=1000948">
-</A>
+ </A>
 BIND versions from 4.9.3 onward have been developed and maintained by the Internet Software Consortium with support being provided by ISC's sponsors. As co-architects/programmers, Bob Halley and Paul Vixie released the first production-ready version of BIND version 8 in May 1997.</P>
-<P CLASS="2LevelContinued1">
+<P CLASS="2LevelContinued">
 <A NAME="pgfId=1000986">
-</A>
-BIND development work is made possible today by the sponsorship of several corporations, and by the tireless work efforts of numerous individuals.
-</P>
+ </A>
+BIND development work is made possible today by the sponsorship of several corporations, and by the tireless work efforts of numerous individuals.</P>
 </DIV>
 </DIV>
 <DIV>
-<H3 CLASS="AppendixLevel1">
+<H6 CLASS="AppendixLevel1">
 <A NAME="pgfId=1001064">
-</A>
+ </A>
 <A NAME="13688">
-</A>
-Appendix B. Historical DNS Information</H3>
+ </A>
+Appendix B. Historical DNS Information</H6>
 <DIV>
-<H4 CLASS="AppendixLevel2">
+<H6 CLASS="AppendixLevel2">
 <A NAME="pgfId=1001089">
-</A>
-Classes of resource records</H4>
+ </A>
+Classes of resource records</H6>
 <DIV>
 <H6 CLASS="AppendixLevel3">
-<A NAME="pgfId=1001093">
-</A>
+<A NAME="pgfId=1029256">
+ </A>
 HS = hesiod</H6>
+<P CLASS="3LevelContinued">
+<A NAME="pgfId=1029267">
+ </A>
+The <EM CLASS="Optional-meta-syntax">
+hesiod </EM>
+class is an information service developed by MIT's Project Athena. It is used to share information about various systems databases, such as users, groups, printers and so on. The keyword <CODE CLASS="Program-Process">
+hs</CODE>
+ is a synonym for hesiod.</P>
 </DIV>
 <DIV>
 <H6 CLASS="AppendixLevel3">
-<A NAME="pgfId=1001097">
-</A>
+<A NAME="pgfId=1029289">
+ </A>
 CH = chaos</H6>
+<P CLASS="3LevelContinued">
+<A NAME="pgfId=1029290">
+ </A>
+The <CODE CLASS="Program-Process">
+chaos</CODE>
+ class is used to specify zone data for the MIT-developed CHAOSnet, a LAN protocol created in the mid-1970s.</P>
 </DIV>
 </DIV>
-<p>Return to <A href="BV9ARM.html">BINDv9 Administrator Reference Manual</A> table of contents.</p>
 </DIV>
 <DIV>
-<H3 CLASS="AppendixLevel1">
-<A NAME="pgfId=1000908">
-</A>
-Appendix C. Bibliography (and Suggested Reading)</H3>
+<H6 CLASS="AppendixLevel1">
+<A NAME="pgfId=1029291">
+ </A>
+<A NAME="35452">
+ </A>
+Appendix C. Bibliography (and Suggested Reading)</H6>
 <DIV>
-<H4 CLASS="AppendixLevel2">
+<H6 CLASS="AppendixLevel2">
 <A NAME="pgfId=999193">
-</A>
-Request for Comments (RFCs)</H4>
+ </A>
+<A NAME="42144">
+ </A>
+C.1 Request for Comments (RFCs)</H6>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=999780">
-</A>
+ </A>
 Specification documents for the Internet protocol suite, including the DNS, are published as part of the Request for Comments (RFCs) series of technical notes. The standards themselvers are defined by the Internet Engineering Task Force (IETF) and the Internet Engineering Steering Group (IESG). RFCs can be obtained online via FTP at <BR>
 <EM CLASS="URL">
 ftp://www.isi.edu/in-notes/RFCxxx.txt</EM>
  (where <EM CLASS="URL">
 xxx</EM>
  is the number of the RFC). RFCs are also available via the Web at <EM CLASS="URL">
-<a href="http://www.ietf.org/rfc/"> http://www.ietf.org/rfc/</A></EM>
+http://www.ietf.org/rfc/</EM>
 .</P>
 <DIV>
 <H6 CLASS="AppendixLevel3">
 <A NAME="pgfId=999212">
-</A>
+ </A>
 Standards</H6>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999776">
-</A>
+ </A>
 RFC974. Partridge, C. <EM CLASS="doc-title">
 Mail Routing and the Domain System</EM>
-. January 1986. (Standard </P>
-<P CLASS="Bib3">
+. January 1986.</P>
+<P CLASS="Biblio">
 <A NAME="pgfId=999777">
-</A>
+ </A>
 RFC1034.  Mockapetris, P.V.  <EM CLASS="doc-title">
 Domain Names - Concepts and Facilities</EM>
 . P.V. November 1987.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=1000013">
-</A>
+ </A>
 RFC1035.  Mockapetris, P. V. <EM CLASS="doc-title">
 Domain Names - Implementation and Specification</EM>
 . November 1987.</P>
@@ -124,35 +138,37 @@ Domain Names - Implementation and Specification</EM>
 <DIV>
 <H6 CLASS="AppendixLevel3">
 <A NAME="pgfId=999218">
-</A>
+ </A>
+<A NAME="17631">
+ </A>
 Proposed Standards</H6>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999220">
-</A>
+ </A>
 RFC2181. Elz, R., R. Bush. <EM CLASS="doc-title">
 Clarifications to the DNS Specification</EM>
 . July 1997.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999221">
-</A>
+ </A>
 RFC2308. Andrews, M. <EM CLASS="doc-title">
 Negative Caching of DNS Queries</EM>
 . March 1998.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999222">
-</A>
+ </A>
 RFC1995. Ohta, M. <EM CLASS="doc-title">
 Incremental Zone Transfer in DNS</EM>
 . August 1996.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999223">
-</A>
+ </A>
 RFC1996. Vixie, P. <EM CLASS="doc-title">
 A Mechanism for Prompt Notification of Zone Changes</EM>
 . August 1996.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999747">
-</A>
+ </A>
 RFC2136. Vixie, P., S. Thomson, Y. Rekhter, J. Bound. <EM CLASS="doc-title">
 Dynamic Updates in the Domain Name System</EM>
 . April 1997.</P>
@@ -160,31 +176,29 @@ Dynamic Updates in the Domain Name System</EM>
 <DIV>
 <H6 CLASS="AppendixLevel3">
 <A NAME="pgfId=999227">
-</A>
+ </A>
 Proposed Standards Still Under Development</H6>
 <P CLASS="3LevelContinued">
 <A NAME="pgfId=999436">
-</A>
-<EM CLASS="doc-title1">
+ </A>
+<EM CLASS="Emphasis">
 Note:</EM>
- the following list of RFCs are undergoing major revision by the IETF. (See the Internet Drafts section below
-for current versions.)
-</P>
-<P CLASS="Bib3">
+ the following list of RFCs are undergoing major revision by the IETF. (See the Internet Drafts section, below, for current versions).</P>
+<P CLASS="Biblio">
 <A NAME="pgfId=999230">
-</A>
+ </A>
 RFC1886. Thomson, S., C. Huitema. <EM CLASS="doc-title">
 DNS Extensions to support IP version 6</EM>
 . S. December 1995.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999231">
-</A>
+ </A>
 RFC2065. Eastlake, 3rd, D., C. Kaufman. <EM CLASS="doc-title">
 Domain Name System Security Extensions</EM>
 . January 1997.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999232">
-</A>
+ </A>
 RFC2137. Eastlake, 3rd,  D. <EM CLASS="doc-title">
 Secure Domain Name System Dynamic Update</EM>
 . April 1997.</P>
@@ -192,23 +206,23 @@ Secure Domain Name System Dynamic Update</EM>
 <DIV>
 <H6 CLASS="AppendixLevel3">
 <A NAME="pgfId=999235">
-</A>
+ </A>
 Other Important RFCs About DNS Implementation</H6>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999237">
-</A>
+ </A>
 RFC1535. Gavron, E. <EM CLASS="doc-title">
 A Security Problem and Proposed Correction With Widely Deployed DNS Software.</EM>
  October 1993.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=1000173">
-</A>
+ </A>
 RFC1536. Kumar, A., J. Postel, C. Neuman, P. Danzig, S. Miller. <EM CLASS="doc-title">
 Common DNS Implementation Errors and Suggested Fixes</EM>
 . October 1993.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999239">
-</A>
+ </A>
 RFC1982. Elz, R., R. Bush. <EM CLASS="doc-title">
 Serial Number Arithmetic</EM>
 . August 1996.</P>
@@ -216,53 +230,47 @@ Serial Number Arithmetic</EM>
 <DIV>
 <H6 CLASS="AppendixLevel3">
 <A NAME="pgfId=999242">
-</A>
+ </A>
 Resource Record Types</H6>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999244">
-</A>
+ </A>
 RFC1183. Everhart, C.F., L. A. Mamakos, R. Ullmann, P. Mockapetris.  <EM CLASS="doc-title">
 New DNS RR Definitions</EM>
 . October 1990.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999249">
-</A>
+ </A>
 RFC1706. Manning, B., R. Colella. <EM CLASS="doc-title">
 DNS NSAP Resource Records</EM>
 . October 1994.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999253">
-</A>
+ </A>
 RFC2168. Danie1,R.,  M. Mealling. <EM CLASS="doc-title">
 Resolution of Uniform Resource Identifiers using the Domain Name System. June 1997.</EM>
 </P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999254">
-</A>
+ </A>
 RFC1876. Davis, C., P. Vixie, T. Goodwin, I. Dickinson. <EM CLASS="doc-title">
 A Means for Expressing Location Information in the Domain Name System</EM>
 . January 1996.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999255">
-</A>
+ </A>
 RFC2052. Gulbrandsen,A., P. Vixie. <EM CLASS="doc-title">
 A DNS RR for Specifying the Location of Services.</EM>
  October 1996.</P>
 <P CLASS="Bib31">
 <A NAME="pgfId=1000261">
-</A>
-<EM CLASS="CharFmt">
-RFC2163. Allocchio, A. U</EM>
-<EM CLASS="doc-title">
+ </A>
+RFC2163. Allocchio, A. U<EM CLASS="doc-title">
 sing the Internet DNS to Distribute MIXER Conformant Global Address Mapping</EM>
-<EM CLASS="CharFmt1">
-.</EM>
-<EM CLASS="CharFmt">
-January 1998.</EM>
-</P>
-<P CLASS="Bib3">
+.January 1998.</P>
+<P CLASS="Biblio">
 <A NAME="pgfId=1000251">
-</A>
+ </A>
 RFC2230. Atkinson, R. <EM CLASS="doc-title">
 Key Exchange Delegation Record for the DNS</EM>
 .  October 1997.</P>
@@ -270,29 +278,29 @@ Key Exchange Delegation Record for the DNS</EM>
 <DIV>
 <H6 CLASS="AppendixLevel3">
 <A NAME="pgfId=999260">
-</A>
+ </A>
 DNS and the Internet</H6>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999262">
-</A>
+ </A>
 RFC1101. Mockapetris, P. V. <EM CLASS="doc-title">
 Dns Encoding of Network Names and Other Types</EM>
 . April 1989.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999263">
-</A>
+ </A>
 RFC1123.  Braden, R. <EM CLASS="doc-title">
 Requirements for Internet Hosts - Application and Support</EM>
 . October 1989.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999264">
-</A>
+ </A>
 RFC1591. Postel, J. D<EM CLASS="doc-title">
 omain Name System Structure and Delegation</EM>
 . March 1994.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999265">
-</A>
+ </A>
 RFC2317. Eidnes, H., G. de Groot, P. Vixie. <EM CLASS="doc-title">
 Classless IN-ADDR.ARPA Delegation</EM>
 . March 1998.</P>
@@ -300,29 +308,29 @@ Classless IN-ADDR.ARPA Delegation</EM>
 <DIV>
 <H6 CLASS="AppendixLevel3">
 <A NAME="pgfId=999274">
-</A>
+ </A>
 DNS Operations</H6>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999276">
-</A>
+ </A>
 RFC1537. Beertema, P. <EM CLASS="doc-title">
 Common DNS Data File Configuration Errors</EM>
 . October 1993.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999277">
-</A>
+ </A>
 RFC1912. Barr, D. <EM CLASS="doc-title">
 Common DNS Operational and Configuration Errors</EM>
 . February 1996.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=1000360">
-</A>
+ </A>
 RFC2182. Elz, R. R. Bush, S. Bradner, M. Patton. <EM CLASS="doc-title">
 Selection and Operation of Secondary DNS Servers</EM>
 . July 1997.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=1000361">
-</A>
+ </A>
 RFC2219. Hamilton, M., R. Wright. <EM CLASS="doc-title">
 Use of DNS Aliases for Network Services.</EM>
  October 1997.</P>
@@ -330,86 +338,90 @@ Use of DNS Aliases for Network Services.</EM>
 <DIV>
 <H6 CLASS="AppendixLevel3">
 <A NAME="pgfId=999282">
-</A>
+ </A>
 Other DNS-related RFCs</H6>
-<P CLASS="3LevelContinued1">
+</DIV>
+</DIV>
+</DIV>
+</DIV>
+<DIV>
+<H6 CLASS="3LevelContinued1">
 <A NAME="pgfId=999409">
-</A>
+ </A>
 <EM CLASS="doc-title">
 Note:</EM>
- the following list of RFCs, although DNS-related, are not concerned with implementing software.</P>
-<P CLASS="Bib3">
+ the following list of RFCs, although DNS-related, are not concerned with implementing software.</H6>
+<P CLASS="Biblio">
 <A NAME="pgfId=999284">
-</A>
+ </A>
 RFC1464. Rosenbaum, R. <EM CLASS="doc-title">
 Using the Domain Name System To Store Arbitrary String Attributes</EM>
 . May 1993.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999285">
-</A>
+ </A>
 RFC1713. Romao, A. <EM CLASS="doc-title">
 Tools for DNS Debugging</EM>
 . November 1994.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999286">
-</A>
+ </A>
 RFC1794. Brisco, T. <EM CLASS="doc-title">
 DNS Support for Load Balancing</EM>
 . April 1995.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999287">
-</A>
+ </A>
 RFC2240. Vaughan, O. <EM CLASS="doc-title">
 A Legal Basis for Domain Name Allocation</EM>
 . November1997.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999288">
-</A>
+ </A>
 RFC2345. Klensin, J., T. Wolf, G. Oglesby. <EM CLASS="doc-title">
 Domain Names and Company Name Retrieval</EM>
 . May 1998.</P>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999289">
-</A>
+ </A>
 RFC2352. Vaughan, O. <EM CLASS="doc-title">
 A Convention For Using Legal Names as Domain Names</EM>
 . May 1998.</P>
-</DIV>
 <DIV>
 <H6 CLASS="AppendixLevel3">
 <A NAME="pgfId=999292">
-</A>
+ </A>
 Obsolete and Unimplemented Experimental RRs</H6>
-<P CLASS="Bib3">
+<P CLASS="Biblio">
 <A NAME="pgfId=999294">
-</A>
+ </A>
 RFC1712. Farrell, C., M. Schulze, S. Pleitner, D. Baldoni. <EM CLASS="doc-title">
 DNS Encoding of Geographical Location</EM>
 . November 1994.</P>
 </DIV>
-</DIV>
 <DIV>
 <H6 CLASS="AppendixLevel2">
 <A NAME="pgfId=999195">
-</A>
+ </A>
 <A NAME="">
-</A>
-Internet Drafts</H6>
+ </A>
+C.2 Internet Drafts</H6>
 <P CLASS="2LevelContinued">
 <A NAME="pgfId=1000609">
-</A>
+ </A>
 Internet Drafts (IDs) are rough-draft working documents of the Internet Engineering Task Force. They are, in essence, RFCs in the preliminary stages of development. Implementors are cautioned not to regard IDs as archival, and they should not be quoted or cited in any formal documents unless accompanied by the disclaimer that they are &quot;works in progress.&quot; IDs have a lifespan of six months after which they are deleted unless updated by their authors.</P>
-<P CLASS="2LevelContinued1">
+<P CLASS="2LevelContinued">
 <A NAME="pgfId=1000433">
-</A>
-IDs can be obtained via FTP from
-<a href="ftp://www.isi.edu/internet-drafts/">ftp://www.isi.edu/internet-drafts/</A>
- or from
-<a href="http://www.ietf.org/1id-abstracts.html">http://www.ietf.org/1id-abstracts.html</A>.
-</P>
-<P CLASS="2LevelContinued2">
+ </A>
+IDs can be obtained via FTP from<BR>
+<EM CLASS="URL">
+ftp://www.isi.edu/internet-drafts/</EM>
+ or from <EM CLASS="URL">
+http://www.ietf.org/1id-abstracts.html</EM>
+.</P>
+<P CLASS="2LevelContinued">
 <A NAME="pgfId=1000877">
-</A>
+ </A>
 <EM CLASS="doc-title">
 draft-duerst-dns-i18n-01.txt<BR>
 draft-ietf-dhc-dhcp-dns-10.txt<BR>
@@ -448,17 +460,17 @@ draft-skwan-utf8-dns-02.txt</EM>
 <DIV>
 <H6 CLASS="AppendixLevel2">
 <A NAME="pgfId=999464">
-</A>
-Electronic Mail Communication</H6>
+ </A>
+C.3 Electronic Mail Communication</H6>
 <P CLASS="Bib2">
 <A NAME="pgfId=1001024">
-</A>
+ </A>
 Wellington, Brian (bwellington@tislabs.com). <EM CLASS="doc-title">
 DNSSEC usage document</EM>
 . E-mail to David Conrad (David_Conrad@isc.org). 15 March 1999.</P>
 <P CLASS="Bib2">
 <A NAME="pgfId=1001025">
-</A>
+ </A>
 Wellington, Brian (bwellington@tislabs.com). <EM CLASS="doc-title">
 TSIG guide for BIND 8.2+</EM>
 . E-mail to private mailing list (private communication). 22 April 1999.</P>
@@ -466,16 +478,17 @@ TSIG guide for BIND 8.2+</EM>
 <DIV>
 <H6 CLASS="AppendixLevel2">
 <A NAME="pgfId=1000764">
-</A>
-Other BIND Documents</H6>
+ </A>
+C.4 Other BIND Documents</H6>
 <P CLASS="Bib2">
-<A NAME="pgfId=999522">
-</A>
+<A NAME="pgfId=1039827">
+ </A>
 Albitz, Paul and Cricket Liu. 1998. <EM CLASS="doc-title">
 DNS and BIND</EM>
 . Sebastopol, CA: O'Reilly and Associates.</P>
 
-<p>Return to <A href="BV9ARM.html">BINDv9 Administrator Reference Manual</A> table of contents.</p>
+<p>Return to <A href="Bv9ARM.html">BINDv9 Administrator Reference Manual</A> table of contents.</p>
+
 </DIV>
 </DIV>
 </BODY>
diff --git a/doc/arm/BV9ARM.css b/doc/arm/Bv9ARM.css
index 0b2bed39..7b74b2ac 100644..100755
--- a/doc/arm/BV9ARM.css
+++ b/doc/arm/Bv9ARM.css
@@ -24,7 +24,7 @@ H1.1Level, H2.1Level, H3.1Level, H4.1Level, H5.1Level, H6.1Level {
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Helvetica;
+	font-family: Arial;
 }
 P.1LevelContinued {
 	text-align: left;
@@ -40,23 +40,7 @@ P.1LevelContinued {
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Times New Roman;
-}
-THROW AWAY.1LevelTOC {
-	text-align: left;
-	text-indent: 0.000000pt;
-	margin-top: 14.000000pt;
-	margin-bottom: 0.000000pt;
-	margin-right: 0.000000pt;
-	margin-left: 0.000000pt;
-	font-size: 12.000000pt;
-	font-weight: Bold;
-	font-style: Regular;
-	color: #000000;
-	text-decoration: none;
-	vertical-align: baseline;
-	text-transform: none;
-	font-family: Helvetica;
+	font-family: Times;
 }
 H1.2Level, H2.2Level, H3.2Level, H4.2Level, H5.2Level, H6.2Level {
 	text-align: left;
@@ -72,7 +56,7 @@ H1.2Level, H2.2Level, H3.2Level, H4.2Level, H5.2Level, H6.2Level {
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Helvetica;
+	font-family: Arial;
 }
 LI.2Level-bullet1 {
 	text-align: left;
@@ -106,37 +90,21 @@ LI.2Level-bullet2 {
 	text-transform: none;
 	font-family: Times;
 }
-PRE.2Level-fixed {
+P.2Level-fixed {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 3.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 63.000000pt;
-	font-size: 10.000000pt;
-	font-weight: Bold;
+	font-size: 11.000000pt;
+	font-weight: medium;
 	font-style: Regular;
 	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Courier;
-}
-PRE.2Level-fixed1 {
-	text-align: left;
-	text-indent: 0.000000pt;
-	margin-top: 3.000000pt;
-	margin-bottom: 0.000000pt;
-	margin-right: 0.000000pt;
-	margin-left: 63.000000pt;
-	font-size: 10.000000pt;
-	font-weight: Bold;
-	font-style: Regular;
-	color: #ff00ff;
-	text-decoration: none;
-	vertical-align: baseline;
-	text-transform: none;
-	font-family: Helvetica;
+	font-family: Courier New;
 }
 LI.2Level-numList1 {
 	text-align: left;
@@ -184,54 +152,6 @@ P.2LevelContinued {
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Times New Roman;
-}
-P.2LevelContinued1 {
-	text-align: left;
-	text-indent: 0.000000pt;
-	margin-top: 13.000000pt;
-	margin-bottom: 0.000000pt;
-	margin-right: 0.000000pt;
-	margin-left: 63.000000pt;
-	font-size: 11.000000pt;
-	font-weight: medium;
-	font-style: Regular;
-	color: #000000;
-	text-decoration: none;
-	vertical-align: baseline;
-	text-transform: none;
-	font-family: Times New Roman;
-}
-P.2LevelContinued2 {
-	text-align: left;
-	text-indent: 0.000000pt;
-	margin-top: 13.000000pt;
-	margin-bottom: 0.000000pt;
-	margin-right: 0.000000pt;
-	margin-left: 63.000000pt;
-	font-size: 11.000000pt;
-	font-weight: medium;
-	font-style: Italic;
-	color: #000000;
-	text-decoration: none;
-	vertical-align: baseline;
-	text-transform: none;
-	font-family: Times;
-}
-THROW AWAY.2LevelTOC {
-	text-align: left;
-	text-indent: 0.000000pt;
-	margin-top: 0.000000pt;
-	margin-bottom: 0.000000pt;
-	margin-right: 0.000000pt;
-	margin-left: 0.000000pt;
-	font-size: 12.000000pt;
-	font-weight: medium;
-	font-style: Regular;
-	color: #000000;
-	text-decoration: none;
-	vertical-align: baseline;
-	text-transform: none;
 	font-family: Times;
 }
 H1.3Level, H2.3Level, H3.3Level, H4.3Level, H5.3Level, H6.3Level {
@@ -248,39 +168,39 @@ H1.3Level, H2.3Level, H3.3Level, H4.3Level, H5.3Level, H6.3Level {
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Helvetica;
+	font-family: Arial;
 }
-PRE.3Level-fixed {
+P.3Level-fixed {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 3.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 99.000000pt;
-	font-size: 10.000000pt;
-	font-weight: Bold;
+	font-size: 9.000000pt;
+	font-weight: medium;
 	font-style: Regular;
 	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Courier;
+	font-family: Courier New;
 }
-P.3Level-fixed1 {
+P.3Level-fixed-special {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 3.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 99.000000pt;
-	font-size: 10.000000pt;
+	font-size: 9.000000pt;
 	font-weight: medium;
 	font-style: Regular;
-	color: #ff00ff;
+	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Courier;
+	font-family: Courier New;
 }
 P.3LevelContinued {
 	text-align: left;
@@ -296,9 +216,9 @@ P.3LevelContinued {
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Times New Roman;
+	font-family: Times;
 }
-P.3LevelContinued1 {
+H1.3LevelContinued1, H2.3LevelContinued1, H3.3LevelContinued1, H4.3LevelContinued1, H5.3LevelContinued1, H6.3LevelContinued1 {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 13.000000pt;
@@ -312,55 +232,7 @@ P.3LevelContinued1 {
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Times;
-}
-P.3LevelContinued2 {
-	text-align: left;
-	text-indent: 0.000000pt;
-	margin-top: 11.000000pt;
-	margin-bottom: 0.000000pt;
-	margin-right: 0.000000pt;
-	margin-left: 99.000000pt;
-	font-size: 10.000000pt;
-	font-weight: medium;
-	font-style: Regular;
-	color: #ff00ff;
-	text-decoration: none;
-	vertical-align: baseline;
-	text-transform: none;
-	font-family: Helvetica;
-}
-P.3LevelContinued21 {
-	text-align: left;
-	text-indent: 0.000000pt;
-	margin-top: 11.000000pt;
-	margin-bottom: 0.000000pt;
-	margin-right: 0.000000pt;
-	margin-left: 99.000000pt;
-	font-size: 10.000000pt;
-	font-weight: Bold;
-	font-style: Regular;
-	color: #000000;
-	text-decoration: none;
-	vertical-align: baseline;
-	text-transform: none;
-	font-family: Courier New;
-}
-THROW AWAY.3LevelTOC {
-	text-align: left;
-	text-indent: 0.000000pt;
-	margin-top: 0.000000pt;
-	margin-bottom: 0.000000pt;
-	margin-right: 0.000000pt;
-	margin-left: 0.000000pt;
-	font-size: 12.000000pt;
-	font-weight: medium;
-	font-style: Regular;
-	color: #000000;
-	text-decoration: none;
-	vertical-align: baseline;
-	text-transform: none;
-	font-family: Times;
+	font-family: Times New Roman;
 }
 H1.4Level, H2.4Level, H3.4Level, H4.4Level, H5.4Level, H6.4Level {
 	text-align: left;
@@ -376,9 +248,9 @@ H1.4Level, H2.4Level, H3.4Level, H4.4Level, H5.4Level, H6.4Level {
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Helvetica;
+	font-family: Arial;
 }
-LI.4Level-bullet1 {
+H1.4Level-bullet1, H2.4Level-bullet1, H3.4Level-bullet1, H4.4Level-bullet1, H5.4Level-bullet1, H6.4Level-bullet1 {
 	text-align: left;
 	text-indent: 72.000000pt;
 	margin-top: 13.000000pt;
@@ -410,53 +282,37 @@ LI.4Level-bullet2 {
 	text-transform: none;
 	font-family: Times;
 }
-PRE.4Level-fixed {
+P.4Level-fixed {
 	text-align: left;
 	text-indent: 0.000000pt;
-	margin-top: 3.000000pt;
-	margin-bottom: 0.000000pt;
-	margin-right: 0.000000pt;
-	margin-left: 144.000000pt;
-	font-size: 10.000000pt;
-	font-weight: Bold;
-	font-style: Regular;
-	color: #000000;
-	text-decoration: none;
-	vertical-align: baseline;
-	text-transform: none;
-	font-family: Helvetica;
-}
-PRE.4Level-fixed1 {
-	text-align: left;
-	text-indent: 0.000000pt;
-	margin-top: 3.000000pt;
+	margin-top: 2.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 144.000000pt;
-	font-size: 10.000000pt;
-	font-weight: Bold;
+	font-size: 9.000000pt;
+	font-weight: medium;
 	font-style: Regular;
 	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Courier;
+	font-family: Courier New;
 }
-PRE.4Level-fixedSmall {
+P.4Level-fixedSmall {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 2.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
-	margin-left: 144.000000pt;
-	font-size: 10.000000pt;
-	font-weight: Bold;
+	margin-left: 126.000000pt;
+	font-size: 9.000000pt;
+	font-weight: medium;
 	font-style: Regular;
 	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Courier;
+	font-family: Courier New;
 }
 P.4LevelContinued {
 	text-align: left;
@@ -472,25 +328,9 @@ P.4LevelContinued {
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Times New Roman;
-}
-THROW AWAY.4LevelTOC {
-	text-align: left;
-	text-indent: 0.000000pt;
-	margin-top: 0.000000pt;
-	margin-bottom: 0.000000pt;
-	margin-right: 0.000000pt;
-	margin-left: 0.000000pt;
-	font-size: 12.000000pt;
-	font-weight: medium;
-	font-style: Regular;
-	color: #000000;
-	text-decoration: none;
-	vertical-align: baseline;
-	text-transform: none;
 	font-family: Times;
 }
-THROW AWAY.ActiveTOC {
+P.ActiveTOC {
 	text-align: justify;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
@@ -504,7 +344,7 @@ THROW AWAY.ActiveTOC {
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Times New Roman;
+	font-family: Times;
 }
 H1.AppendixLevel1, H2.AppendixLevel1, H3.AppendixLevel1, H4.AppendixLevel1, H5.AppendixLevel1, H6.AppendixLevel1 {
 	text-align: left;
@@ -522,7 +362,7 @@ H1.AppendixLevel1, H2.AppendixLevel1, H3.AppendixLevel1, H4.AppendixLevel1, H5.A
 	text-transform: none;
 	font-family: Arial;
 }
-THROW AWAY.AppendixLevel1TOC {
+P.AppendixLevel1TOC {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 14.000000pt;
@@ -554,7 +394,7 @@ H1.AppendixLevel2, H2.AppendixLevel2, H3.AppendixLevel2, H4.AppendixLevel2, H5.A
 	text-transform: none;
 	font-family: Arial;
 }
-THROW AWAY.AppendixLevel2TOC {
+P.AppendixLevel2TOC {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
@@ -586,7 +426,7 @@ H1.AppendixLevel3, H2.AppendixLevel3, H3.AppendixLevel3, H4.AppendixLevel3, H5.A
 	text-transform: none;
 	font-family: Arial;
 }
-THROW AWAY.AppendixLevel3TOC {
+P.AppendixLevel3TOC {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
@@ -618,7 +458,7 @@ P.Bib2 {
 	text-transform: none;
 	font-family: Times New Roman;
 }
-P.Bib3 {
+P.Bib31 {
 	text-align: left;
 	text-indent: -9.000000pt;
 	margin-top: 4.000000pt;
@@ -634,7 +474,7 @@ P.Bib3 {
 	text-transform: none;
 	font-family: Times New Roman;
 }
-P.Bib31 {
+P.Biblio {
 	text-align: left;
 	text-indent: -9.000000pt;
 	margin-top: 4.000000pt;
@@ -648,7 +488,7 @@ P.Bib31 {
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Times;
+	font-family: Times New Roman;
 }
 P.Body {
 	text-align: left;
@@ -669,6 +509,22 @@ P.Body {
 P.Body1 {
 	text-align: left;
 	text-indent: 0.000000pt;
+	margin-top: 0.000000pt;
+	margin-bottom: 0.000000pt;
+	margin-right: 0.000000pt;
+	margin-left: 0.000000pt;
+	font-size: 10.000000pt;
+	font-weight: medium;
+	font-style: Regular;
+	color: #000000;
+	text-decoration: none;
+	vertical-align: baseline;
+	text-transform: none;
+	font-family: Courier New;
+}
+P.Body11 {
+	text-align: left;
+	text-indent: 0.000000pt;
 	margin-top: 6.000000pt;
 	margin-bottom: 6.000000pt;
 	margin-right: 0.000000pt;
@@ -696,7 +552,7 @@ P.CellBody {
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Times New Roman;
+	font-family: Times;
 }
 P.CellBody-fixedfont {
 	text-align: left;
@@ -705,14 +561,14 @@ P.CellBody-fixedfont {
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 10.000000pt;
-	font-weight: Medium;
+	font-size: 6.000000pt;
+	font-weight: Bold;
 	font-style: Regular;
 	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Courier;
+	font-family: Courier New;
 }
 P.CellBody-fixedfontLG {
 	text-align: left;
@@ -721,32 +577,32 @@ P.CellBody-fixedfontLG {
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 10.000000pt;
-	font-weight: Medium;
+	font-size: 8.000000pt;
+	font-weight: medium;
 	font-style: Regular;
 	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Courier;
+	font-family: Courier New;
 }
-P.CellBody-fixedfontLG1 {
+H1.CellBody1, H2.CellBody1, H3.CellBody1, H4.CellBody1, H5.CellBody1, H6.CellBody1 {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 10.000000pt;
-	font-weight: Medium;
+	font-size: 9.000000pt;
+	font-weight: medium;
 	font-style: Regular;
 	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Courier;
+	font-family: Courier New;
 }
-P.CellBody1 {
+H1.CellBody2, H2.CellBody2, H3.CellBody2, H4.CellBody2, H5.CellBody2, H6.CellBody2 {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
@@ -756,13 +612,13 @@ P.CellBody1 {
 	font-size: 11.000000pt;
 	font-weight: medium;
 	font-style: Italic;
-	color: #000000;
+	color: #ff00ff;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
 	font-family: Times;
 }
-P.CellBody11 {
+H1.CellBody3, H2.CellBody3, H3.CellBody3, H4.CellBody3, H5.CellBody3, H6.CellBody3 {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
@@ -771,78 +627,78 @@ P.CellBody11 {
 	margin-left: 0.000000pt;
 	font-size: 11.000000pt;
 	font-weight: medium;
-	font-style: Regular;
+	font-style: Italic;
 	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Helvetica;
+	font-family: Times;
 }
-P.CellBody2 {
+H1.CellBody4, H2.CellBody4, H3.CellBody4, H4.CellBody4, H5.CellBody4, H6.CellBody4 {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 11.000000pt;
+	font-size: 9.000000pt;
 	font-weight: Bold;
 	font-style: Regular;
 	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Courier;
+	font-family: Courier New;
 }
-H1.CellBody21, H2.CellBody21, H3.CellBody21, H4.CellBody21, H5.CellBody21, H6.CellBody21 {
+H1.CellBody5, H2.CellBody5, H3.CellBody5, H4.CellBody5, H5.CellBody5, H6.CellBody5 {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 11.000000pt;
-	font-weight: Medium;
-	font-style: Regular;
+	font-size: 9.000000pt;
+	font-weight: medium;
+	font-style: Italic;
 	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Courier;
+	font-family: Courier New;
 }
-P.CellBody3 {
+H1.CellBody6, H2.CellBody6, H3.CellBody6, H4.CellBody6, H5.CellBody6, H6.CellBody6 {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 11.000000pt;
-	font-weight: medium;
-	font-style: Oblique;
+	font-size: 9.000000pt;
+	font-weight: Bold;
+	font-style: Regular;
 	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Courier;
+	font-family: Arial;
 }
-P.CellBody4 {
+P.CellBody7 {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 11.000000pt;
+	font-size: 9.000000pt;
 	font-weight: medium;
-	font-style: Regular;
+	font-style: Italic;
 	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Courier;
+	font-family: Arial;
 }
-P.CellBody5 {
+P.CellBody8 {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
@@ -850,64 +706,48 @@ P.CellBody5 {
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
 	font-size: 11.000000pt;
-	font-weight: Bold;
+	font-weight: medium;
 	font-style: Regular;
 	color: #000000;
-	text-decoration: none;
+	text-decoration: underline ;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Helvetica;
+	font-family: Times;
 }
-P.CellBody6 {
+THROW AWAY.Footer {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 10.000000pt;
-	font-weight: medium;
-	font-style: Oblique;
-	color: #000000;
-	text-decoration: none;
-	vertical-align: baseline;
-	text-transform: none;
-	font-family: Helvetica;
-}
-P.comment {
-	text-align: left;
-	text-indent: 0.000000pt;
-	margin-top: 13.000000pt;
-	margin-bottom: 0.000000pt;
-	margin-right: 0.000000pt;
-	margin-left: 144.000000pt;
-	font-size: 11.000000pt;
+	font-size: 9.000000pt;
 	font-weight: medium;
 	font-style: Regular;
 	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Times New Roman;
+	font-family: Arial;
 }
-P.Comment {
+P.Footer1 {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 10.000000pt;
+	font-size: 9.000000pt;
 	font-weight: medium;
 	font-style: Regular;
-	color: #ff00ff;
+	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
 	font-family: Helvetica;
 }
-THROW AWAY.Footer {
-	text-align: justify;
+P.Header {
+	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
@@ -916,69 +756,69 @@ THROW AWAY.Footer {
 	font-size: 10.000000pt;
 	font-weight: medium;
 	font-style: Regular;
-	color: #ffffff;
+	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Times New Roman;
+	font-family: Arial;
 }
-THROW AWAY.Footer1 {
+P.Mapping-Table-Cell {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 10.000000pt;
+	font-size: 12.000000pt;
 	font-weight: medium;
 	font-style: Regular;
-	color: #000000;
+	color: #ffffff;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Helvetica;
+	font-family: Times;
 }
-THROW AWAY.Header {
+P.Mapping-Table-Cell1 {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 10.000000pt;
-	font-weight: medium;
+	font-size: 18.000000pt;
+	font-weight: Bold;
 	font-style: Regular;
-	color: #000000;
+	color: #ffffff;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Helvetica;
+	font-family: Times;
 }
-H1.Header1, H2.Header1, H3.Header1, H4.Header1, H5.Header1, H6.Header1 {
+P.Mapping-Table-Cell11 {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 10.000000pt;
-	font-weight: medium;
+	font-size: 18.000000pt;
+	font-weight: Bold;
 	font-style: Regular;
 	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Helvetica;
+	font-family: Arial;
 }
-P.Mapping-Table-Cell {
+P.Mapping-Table-Cell2 {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 12.000000pt;
-	font-weight: medium;
+	font-size: 14.000000pt;
+	font-weight: Bold;
 	font-style: Regular;
 	color: #ffffff;
 	text-decoration: none;
@@ -986,14 +826,14 @@ P.Mapping-Table-Cell {
 	text-transform: none;
 	font-family: Times;
 }
-P.Mapping-Table-Cell1 {
+P.Mapping-Table-Cell3 {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 18.000000pt;
+	font-size: 12.000000pt;
 	font-weight: Bold;
 	font-style: Regular;
 	color: #ffffff;
@@ -1002,56 +842,56 @@ P.Mapping-Table-Cell1 {
 	text-transform: none;
 	font-family: Times;
 }
-P.Mapping-Table-Cell10 {
-	text-align: justify;
+P.Mapping-Table-Cell31 {
+	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 10.000000pt;
+	font-size: 14.000000pt;
 	font-weight: Bold;
 	font-style: Regular;
 	color: #ffffff;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Arial;
+	font-family: Helvetica;
 }
-P.Mapping-Table-Cell11 {
-	text-align: justify;
+P.Mapping-Table-Cell310 {
+	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 11.000000pt;
+	font-size: 9.000000pt;
 	font-weight: Bold;
 	font-style: Regular;
 	color: #ffffff;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Arial;
+	font-family: Courier;
 }
-P.Mapping-Table-Cell12 {
-	text-align: justify;
+P.Mapping-Table-Cell311 {
+	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 10.000000pt;
+	font-size: 11.000000pt;
 	font-weight: medium;
 	font-style: Regular;
 	color: #ffffff;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Arial;
+	font-family: Times;
 }
-P.Mapping-Table-Cell13 {
-	text-align: justify;
+P.Mapping-Table-Cell312 {
+	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
@@ -1060,77 +900,77 @@ P.Mapping-Table-Cell13 {
 	font-size: 10.000000pt;
 	font-weight: medium;
 	font-style: Regular;
-	color: #ffffff;
+	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Arial;
+	font-family: Helvetica;
 }
-P.Mapping-Table-Cell14 {
-	text-align: justify;
+P.Mapping-Table-Cell313 {
+	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 14.000000pt;
+	font-size: 10.000000pt;
 	font-weight: Bold;
 	font-style: Regular;
-	color: #ffffff;
+	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Times New Roman;
+	font-family: Times;
 }
-P.Mapping-Table-Cell15 {
-	text-align: justify;
+P.Mapping-Table-Cell314 {
+	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 12.000000pt;
+	font-size: 14.000000pt;
 	font-weight: Bold;
 	font-style: Regular;
-	color: #ffffff;
+	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Times New Roman;
+	font-family: Arial;
 }
-P.Mapping-Table-Cell16 {
-	text-align: justify;
+P.Mapping-Table-Cell315 {
+	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 18.000000pt;
+	font-size: 11.000000pt;
 	font-weight: Bold;
 	font-style: Regular;
-	color: #ffffff;
+	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
 	font-family: Arial;
 }
-P.Mapping-Table-Cell2 {
+P.Mapping-Table-Cell316 {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 14.000000pt;
+	font-size: 9.000000pt;
 	font-weight: Bold;
 	font-style: Regular;
-	color: #ffffff;
+	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Times;
+	font-family: Courier New;
 }
-P.Mapping-Table-Cell3 {
+P.Mapping-Table-Cell32 {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
@@ -1144,25 +984,9 @@ P.Mapping-Table-Cell3 {
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Times;
-}
-P.Mapping-Table-Cell31 {
-	text-align: left;
-	text-indent: 0.000000pt;
-	margin-top: 0.000000pt;
-	margin-bottom: 0.000000pt;
-	margin-right: 0.000000pt;
-	margin-left: 0.000000pt;
-	font-size: 14.000000pt;
-	font-weight: Bold;
-	font-style: Regular;
-	color: #000000;
-	text-decoration: none;
-	vertical-align: baseline;
-	text-transform: none;
 	font-family: Helvetica;
 }
-P.Mapping-Table-Cell32 {
+P.Mapping-Table-Cell33 {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
@@ -1170,15 +994,15 @@ P.Mapping-Table-Cell32 {
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
 	font-size: 11.000000pt;
-	font-weight: Bold;
-	font-style: Regular;
-	color: #000000;
+	font-weight: medium;
+	font-style: Italic;
+	color: #ffffff;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Helvetica;
+	font-family: Times;
 }
-P.Mapping-Table-Cell33 {
+P.Mapping-Table-Cell34 {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
@@ -1186,22 +1010,22 @@ P.Mapping-Table-Cell33 {
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
 	font-size: 10.000000pt;
-	font-weight: medium;
+	font-weight: Bold;
 	font-style: Regular;
-	color: #000000;
+	color: #ffffff;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
 	font-family: Helvetica;
 }
-P.Mapping-Table-Cell4 {
+P.Mapping-Table-Cell35 {
 	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 10.000000pt;
+	font-size: 11.000000pt;
 	font-weight: Bold;
 	font-style: Regular;
 	color: #ffffff;
@@ -1210,72 +1034,72 @@ P.Mapping-Table-Cell4 {
 	text-transform: none;
 	font-family: Courier;
 }
-P.Mapping-Table-Cell5 {
-	text-align: justify;
+P.Mapping-Table-Cell36 {
+	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 14.000000pt;
-	font-weight: Bold;
-	font-style: Regular;
+	font-size: 11.000000pt;
+	font-weight: medium;
+	font-style: Oblique;
 	color: #ffffff;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Arial;
+	font-family: Courier;
 }
-P.Mapping-Table-Cell6 {
-	text-align: justify;
+P.Mapping-Table-Cell37 {
+	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 12.000000pt;
-	font-weight: Bold;
+	font-size: 11.000000pt;
+	font-weight: medium;
 	font-style: Regular;
 	color: #ffffff;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Arial;
+	font-family: Courier;
 }
-P.Mapping-Table-Cell7 {
-	text-align: justify;
+P.Mapping-Table-Cell38 {
+	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
 	font-size: 11.000000pt;
-	font-weight: medium;
+	font-weight: Bold;
 	font-style: Regular;
 	color: #ffffff;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Times New Roman;
+	font-family: Helvetica;
 }
-P.Mapping-Table-Cell8 {
-	text-align: justify;
+P.Mapping-Table-Cell39 {
+	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
 	margin-right: 0.000000pt;
 	margin-left: 0.000000pt;
-	font-size: 10.000000pt;
-	font-weight: Bold;
-	font-style: Italic;
+	font-size: 9.000000pt;
+	font-weight: medium;
+	font-style: Oblique;
 	color: #ffffff;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Courier;
+	font-family: Helvetica;
 }
-P.Mapping-Table-Cell9 {
-	text-align: justify;
+P.Mapping-Table-Cell4 {
+	text-align: left;
 	text-indent: 0.000000pt;
 	margin-top: 0.000000pt;
 	margin-bottom: 0.000000pt;
@@ -1306,7 +1130,7 @@ P.Mapping-Table-Title {
 	text-transform: none;
 	font-family: Times;
 }
-H1.Subhead2, H2.Subhead2, H3.Subhead2, H4.Subhead2, H5.Subhead2, H6.Subhead2 {
+LI.Subhead2 {
 	text-align: left;
 	text-indent: 63.000000pt;
 	margin-top: 12.000000pt;
@@ -1320,39 +1144,7 @@ H1.Subhead2, H2.Subhead2, H3.Subhead2, H4.Subhead2, H5.Subhead2, H6.Subhead2 {
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Helvetica;
-}
-LI.Subhead2-noBullet {
-	text-align: left;
-	text-indent: -55.799988pt;
-	margin-top: 12.000000pt;
-	margin-bottom: 0.000000pt;
-	margin-right: 0.000000pt;
-	margin-left: 118.799988pt;
-	font-size: 10.000000pt;
-	font-weight: medium;
-	font-style: Regular;
-	color: #0000ff;
-	text-decoration: none;
-	vertical-align: baseline;
-	text-transform: none;
-	font-family: Helvetica;
-}
-H1.Subhead4, H2.Subhead4, H3.Subhead4, H4.Subhead4, H5.Subhead4, H6.Subhead4 {
-	text-align: left;
-	text-indent: 0.000000pt;
-	margin-top: 12.000000pt;
-	margin-bottom: 0.000000pt;
-	margin-right: 0.000000pt;
-	margin-left: 144.000000pt;
-	font-size: 12.000000pt;
-	font-weight: Bold;
-	font-style: Regular;
-	color: #000000;
-	text-decoration: none;
-	vertical-align: baseline;
-	text-transform: none;
-	font-family: Times;
+	font-family: Arial;
 }
 H1.Title, H2.Title, H3.Title, H4.Title, H5.Title, H6.Title {
 	text-align: center;
@@ -1370,15 +1162,17 @@ H1.Title, H2.Title, H3.Title, H4.Title, H5.Title, H6.Title {
 	text-transform: none;
 	font-family: Arial;
 }
-EM.CharFmt {
-	text-decoration: underline ;
-}
 EM.CharFmt1 {
-	font-family: Courier;
 }
 EM.Command {
-	font-size: 7.000000pt;
-	font-family: Courier;
+	font-size: 9.000000pt;
+	font-weight: medium;
+	font-style: Regular;
+	color: #000000;
+	text-decoration: none;
+	vertical-align: baseline;
+	text-transform: none;
+	font-family: Courier New;
 }
 EM.Comment {
 	font-size: 11.000000pt;
@@ -1390,71 +1184,103 @@ EM.Comment {
 	text-transform: none;
 	font-family: Times;
 }
-EM.Comment21 {
+EM.doc-title {
 	font-size: 10.000000pt;
+	font-weight: medium;
 	font-style: Italic;
-	color: #ff00ff;
-	font-family: Arial;
+	color: #000000;
+	text-decoration: none;
+	vertical-align: baseline;
+	text-transform: none;
+	font-family: Times;
 }
-EM.doc-title {
+EM.Emphasis {
 	font-style: Italic;
 }
-EM.doc-title1 {
-	font-style: Italic;
-	font-family: Times New Roman;
+EM.Emphasis-underline {
+	font-size: 11.000000pt;
+	font-weight: medium;
+	font-style: Regular;
+	color: #000000;
+	text-decoration: underline ;
+	vertical-align: baseline;
+	text-transform: none;
+	font-family: Times;
 }
-EM.Emphasis {
+EM.EquationVariables {
 	font-style: Italic;
 }
 EM.grammar_literal {
-	font-size: 10.000000pt;
+	font-size: 9.000000pt;
 	font-weight: Bold;
 	font-style: Regular;
 	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Courier;
+	font-family: Courier New;
 }
-KBD.Literal-user-input {
+TT.Literal-user-input {
+	font-size: 9.000000pt;
+	font-weight: Bold;
+	font-style: Regular;
+	color: #000000;
+	text-decoration: none;
+	vertical-align: baseline;
+	text-transform: none;
+	font-family: Courier New;
 }
 EM.Optional-meta-syntax {
-	font-size: 11.000000pt;
+	font-size: 9.000000pt;
 	font-weight: medium;
 	font-style: Italic;
+	color: #000000;
+	text-decoration: none;
+	vertical-align: baseline;
+	text-transform: none;
+	font-family: Courier New;
 }
 EM.pathname {
 	font-size: 10.000000pt;
 	font-style: Italic;
 }
 EM.production_target {
-	font-size: 10.000000pt;
+	font-size: 9.000000pt;
 	font-weight: Bold;
 	font-style: Regular;
 	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Helvetica;
+	font-family: Arial;
 }
 CODE.Program-Process {
-	font-size: 12.000000pt;
+	font-size: 9.000000pt;
 	font-weight: Bold;
-	font-family: Courier;
+	font-style: Regular;
+	color: #000000;
+	text-decoration: none;
+	vertical-align: baseline;
+	text-transform: none;
+	font-family: Courier New;
 }
 EM.URL {
 	font-size: 11.000000pt;
 	font-weight: medium;
 	font-style: Italic;
-	font-family: Times New Roman;
+	color: #000000;
+	text-decoration: none;
+	vertical-align: baseline;
+	text-transform: none;
+	font-family: Times;
 }
 EM.variable {
-	font-size: 11.000000pt;
+	font-size: 9.000000pt;
 	font-weight: medium;
-	font-style: Oblique;
+	font-style: Italic;
 	color: #000000;
 	text-decoration: none;
 	vertical-align: baseline;
 	text-transform: none;
-	font-family: Helvetica;
+	font-family: Arial;
 }
diff --git a/doc/arm/BV9ARM.html b/doc/arm/Bv9ARM.html
index c16274a7..e2296cb5 100644..100755
--- a/doc/arm/BV9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -2,19 +2,19 @@
 <HTML>
 <HEAD>
 <META NAME="GENERATOR" CONTENT="Adobe FrameMaker 5.5/HTML Export Filter">
-<LINK REL="STYLESHEET" HREF="BV9ARM.css">
-<TITLE> </TITLE></HEAD>
+<LINK REL="STYLESHEET" HREF="Bv9ARM.css">
+<TITLE>BINDv9 Administrator Reference Manual</TITLE></HEAD>
 <BODY BGCOLOR="#ffffff">
+<DIV>
 
 <DIV ALIGN="left">
-<IMG SRC="isc.color.gif" ALT="ISC logo" WIDTH="144" HEIGHT="90" ALIGN="left" HSPACE=30>
+<A HREF="http://www.isc.org/"><IMG SRC="isc.color.gif" ALT="ISC logo" WIDTH="144" HEIGHT="90" ALIGN="left" HSPACE="30" BORDER="0"></A>
 </DIV>
-
 <DIV ALIGN="left">
 <H2>BIND version 9<BR>Administrator Reference Manual</H2>
 <H2>DRAFT
 <br>
-March 19, 2000</H2>
+May, 2000</H2>
 </DIV>
 
 <HR ALIGN="center">
@@ -22,39 +22,46 @@ March 19, 2000</H2>
 <H4>Warning! This DRAFT document is the property of the Internet Software Consortium (ISC) and contains proprietary ISC information. The information in this document is subject to change.</H4>
 </DIV>
 <HR ALIGN="center">
+
+<H6 CLASS="Title">
+<A NAME="pgfId=21862">
+ </A>
+Table of Contents</H6>
+</DIV>
 <OL>
 <H1 CLASS="1LevelTOC">
-<A HREF="BV9ARM.1.html#pgfId=1007883" CLASS="Hypertext">
+<A HREF="Bv9ARM.1.html#pgfId=1007883" CLASS="Hypertext">
 Section 1.	Introduction </A>
 </H1>
 <H1 CLASS="1LevelTOC">
-<A HREF="BV9ARM.2.html#pgfId=997350" CLASS="Hypertext">
+<A HREF="Bv9ARM.2.html#pgfId=997350" CLASS="Hypertext">
 Section 2.	BIND Resource Requirements</A>
 </H1>
 <H1 CLASS="1LevelTOC">
-<A HREF="BV9ARM.3.html#pgfId=997350" CLASS="Hypertext">
+<A HREF="Bv9ARM.3.html#pgfId=997350" CLASS="Hypertext">
 Section 3.	Nameserver Configuration</A>
 </H1>
 <H1 CLASS="1LevelTOC">
-<A HREF="BV9ARM.4.html#pgfId=997350" CLASS="Hypertext">
+<A HREF="Bv9ARM.4.html#pgfId=997350" CLASS="Hypertext">
 Section 4.	Advanced Concepts</A>
 </H1>
 <H1 CLASS="1LevelTOC">
-<A HREF="BV9ARM.5.html#pgfId=997350" CLASS="Hypertext">
+<A HREF="Bv9ARM.5.html#pgfId=997350" CLASS="Hypertext">
 Section 5.	BINDv9 Configuration Reference</A>
 </H1>
 <H1 CLASS="1LevelTOC">
-<A HREF="BV9ARM.6.html#pgfId=997350" CLASS="Hypertext">
+<A HREF="Bv9ARM.6.html#pgfId=997350" CLASS="Hypertext">
 Section 6.	Security Considerations</A>
 </H1>
 <H1 CLASS="1LevelTOC">
-<A HREF="BV9ARM.7.html#pgfId=997350" CLASS="Hypertext">
+<A HREF="Bv9ARM.7.html#pgfId=997350" CLASS="Hypertext">
 Section 7.	Troubleshooting</A>
 </H1>
 <H1 CLASS="1LevelTOC">
-<A HREF="BV9ARM.8.html#pgfId=997350" CLASS="Hypertext">
+<A HREF="Bv9ARM.8.html#pgfId=997350" CLASS="Hypertext">
 Appendices</A>
-</H1>
-</OL>
+</H1></OL>
+<HR ALIGN="center">
+
 </BODY>
 </HTML>
diff --git a/doc/draft/draft-duerst-dns-i18n-02.txt b/doc/draft/draft-duerst-dns-i18n-02.txt
deleted file mode 100644
index a4298163..00000000
--- a/doc/draft/draft-duerst-dns-i18n-02.txt
+++ /dev/null
@@ -1,905 +0,0 @@
-
-
-
-
-
-
-Internet Draft                                                M. Duerst
-<draft-duerst-dns-i18n-02.txt>                          Keio University
-Expires in six months                                         July 1998
-
-
-                  Internationalization of Domain Names
-
-
-Status of this Memo
-
-   This document is an Internet-Draft.  Internet-Drafts are working doc-
-   uments of the Internet Engineering Task Force (IETF), its areas, and
-   its working groups. Note that other groups may also distribute work-
-   ing documents as Internet-Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six
-   months. Internet-Drafts may be updated, replaced, or obsoleted by
-   other documents at any time.  It is not appropriate to use Internet-
-   Drafts as reference material or to cite them other than as a "working
-   draft" or "work in progress".
-
-   To learn the current status of any Internet-Draft, please check the
-   1id-abstracts.txt listing contained in the Internet-Drafts Shadow
-   Directories on ftp.ietf.org (US East Coast), nic.nordu.net
-   (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
-   Rim).
-
-   Distribution of this document is unlimited.  Please send comments to
-   the author at <mduerst@w3.org>.
-
-
-Abstract
-
-   Internet domain names are currently limited to a very restricted
-   character set. This document proposes the introduction of a new
-   "zero-level" domain (ZLD) to allow the use of arbitrary characters
-   from the Universal Character Set (ISO 10646/Unicode) in domain names.
-   The proposal is fully backwards compatible and does not need any
-   changes to DNS. Version 02 is reissued without changes just to
-   keep this draft available.
-
-Table of contents
-
-   0. Change History ................................................. 2
-     0.8 Changes Made from Version 01 to Version 02 .................. 2
-     0.9 Changes Made from Version 00 to Version 01 .................. 2
-   1. Introduction ................................................... 3
-     1.1 Motivation .................................................. 3
-
-
-
-                       Expires End of January 1998      [Page 1]
-
-Internet Draft    Internationalization of Domain Names         July 1997
-
-
-     1.2 Notational Conventions ...................................... 4
-   2. The Hidden Zero Level Domain ................................... 4
-   3. Encoding International Characters .............................. 5
-     3.1 Encoding Requirements ....................................... 5
-     3.2 Encoding Definition ......................................... 5
-     3.3 Encoding Example ............................................ 7
-     3.4 Length Considerations ....................................... 8
-   4. Usage Considerations ........................................... 8
-     4.1 General Usage ............................................... 8
-     4.2 Usage Restrictions .......................................... 9
-     4.3 Domain Name Creation ....................................... 10
-     4.4 Usage in URLs .............................................. 12
-   5. Alternate Proposals ........................................... 13
-     5.1 The Dillon Proposal ........................................ 13
-     5.2 Using a Separate Lookup Service ............................ 13
-   6. Generic Considerations ........................................ 14
-     5.1 Security Considerations .................................... 14
-     5.2 Internationalization Considerations ........................ 14
-   Acknowledgements ................................................. 14
-   Bibliography ..................................................... 15
-   Author's Address .................................................=
- 16
-
-
-
-
-0. Change History
-
-
-
-0.8 Changes Made from Version 01 to Version 02
-
-   No significant changes; reissued to make it available officially.
-   Changed author's address.
-
-   Changes deferred to future versions (if ever):
-   -  Decide on ZLD name (.i or .i18n.int or something else)
-   -  Decide on casing solution
-   -  Decide on exact syntax
-   -  Proposals for experimental setup
-
-
-
-
-0.9 Changes Made from Version 00 to Version 01
-
-
-
-
-
-
-
-                       Expires End of January 1998      [Page 2]
-
-Internet Draft    Internationalization of Domain Names         July 1997
-
-
-   -  Minor rewrites and clarifications
-
-   -  Added the following references: [RFC1730], [Kle96], [ISO3166],
-      [iNORM]
-
-   -  Slightly expanded discussion about casing
-
-   -  Added some variant proposals for syntax
-
-   -  Added some explanations about different kinds of name parallelism
-
-   -  Added some explanation about independent addition of internation-
-      alized names in subdomains without bothering higher-level domains
-
-   -  Added some explanations about tools needed for support, and the
-      MX/CNAME problem
-
-   -  Change to RFC1123 (numbers allowed at beginning of labels)
-
-
-
-
-1. Introduction
-
-
-1.1 Motivation
-
-
-   The lower layers of the Internet do not discriminate any language or
-   script. On the application level, however, the historical dominance
-   of the US and the ASCII character set [ASCII] as a lowest common
-   denominator have led to limitations. The process of removing these
-   limitations is called internationalization (abbreviated i18n).  One
-   example of the abovementioned limitations are domain names [RFC1034,
-   RFC1035], where only the letters of the basic Latin alphabet (case-
-   insensitive), the decimal digits, and the hyphen are allowed.
-
-   While such restrictions are convenient if a domain name is intended
-   to be used by arbitrary people around the globe, there may be very
-   good reasons for using aliases that are more easy to remember or type
-   in a local context. This is similar to traditional mail addresses,
-   where both local scripts and conventions and the Latin script can be
-   used.
-
-   There are many good reasons for domain name i18n, and some arguments
-   that are brought forward against such an extension. This document,
-   however, does not discuss the pros and cons of domain name i18n. It
-   proposes and discusses a solution and therefore eliminates one of the
-
-
-
-                       Expires End of January 1998      [Page 3]
-
-Internet Draft    Internationalization of Domain Names         July 1997
-
-
-   most often heard arguments agains, namely "it cannot be done".
-
-   The solution proposed in this document consists of the introduction
-   of a new "zero-level" domain building the root of a new domain
-   branch, and an encoding of the Universal Character Set (UCS)
-   [ISO10646] into the limited character set of domain names.
-
-
-
-1.2 Notational Conventions
-
-   In the domain name examples in this document, characters of the basic
-   Latin alphabet (expressible in ASCII) are denoted with lower case
-   letters. Upper case letters are used to represent characters outside
-   ASCII, such as accented characters of the Latin alphabet, characters
-   of other alphabets and syllabaries, ideographic characters, and vari-
-   ous signs.
-
-
-2. The Hidden Zero Level Domain
-
-   The domain name system uses the domain "in-addr.arpa" to convert
-   internet addresses back to domain names. One way to view this is to
-   say that in-addr.arpa forms the root of a separate hierarchy.  This
-   hierarchy has been made part of the main domain name hierarchy just
-   for implementation convenience. While syntactically, in-addr.arpa is
-   a second level domain (SLD), functionally it is a zero level domain
-   (ZLD) in the same way as "." is a ZLD.  A similar example of a ZLD is
-   the domain tpc.int, which provides a hierarchy of the global phone
-   numbering system [RFC1530] for services such as paging and printing
-   to fax machines.
-
-   For domain name i18n to work inside the tight restrictions of domain
-   name syntax, one has to define an encoding that maps strings of UCS
-   characters to strings of characters allowable in domain names, and a
-   means to distinguish domain names that are the result of such an
-   encoding from ordinary domain names.
-
-   This document proposes to create a new ZLD to distinguish encoded
-   i18n domain names from traditional domain names.  This domain would
-   be hidden from the user in the same way as a user does not see in-
-   addr.arpa.  This domain could be called "i18n.arpa" (although the use
-   of arpa in this context is definitely not appropriate), simply
-   "i18n", or even just "i". Below, we are using "i" for shortness,
-   while we leave the decision on the actual name to further=
- discussion.
-
-
-
-
-
-
-                       Expires End of January 1998      [Page 4]
-
-Internet Draft    Internationalization of Domain Names         July=
- 1997
-
-
-3. Encoding International Characters
-
-
-
-
-3.1 Encoding Requirements
-
-
-   Until quite recently, the thought of going beyond ASCII for something
-   such as domain names failed because of the lack of a single encom-
-   passing character set for the scripts and languages of the world.
-   Tagging techniques such as those used in MIME headers [RFC1522] would
-   be much too clumsy for domain names.
-
-   The definition of ISO 10646 [ISO10646], codepoint by codepoint iden-
-   tical with Unicode [Unicode], provides a single Universal Character
-   Set (UCS).  A recent report [RFCIAB] clearly recommends to base the
-   i18n of the Internet on these standards.
-
-   An encoding for i18n domain names therefore has to take the charac-
-   ters of ISO 10646/Unicode as a starting point.  The full four-byte
-   (31 bit) form of UCS, called UCS4, should be used. A limitation to
-   the two-byte form (UCS2), which allows only for the encoding of the
-   Base Multilingual Plane, is too restricting.
-
-   For the mapping between UCS4 and the strongly limited character set
-   of domain names, the following constraints have to be considered:
-
-   -  The structure of domain names, and therefore the "dot", have to be
-      conserved. Encoding is done for individual labels.
-
-   -  Individual labels in domain names allow the basic Latin alphabet
-      (monocase, 26 letters), decimal digits, and the "-" inside the
-      label.  The capacity per octet is therefore limited to somewhat
-      above 5 bits.
-
-   -  There is no need nor possibility to preserve any characters.
-
-   -  Frequent characters (i.e. ASCII, alphabetic, UCS2, in that order)
-      should be encoded relatively compactly. A variable-length encoding
-      (similar to UTF-8) seems desirable.
-
-
-
-3.2 Encoding Definition
-
-
-   Several encodings for UCS, so called UCS Transform Formats, exist
-
-
-
-                       Expires End of January 1998      [Page 5]
-
-Internet Draft    Internationalization of Domain Names         July 1997
-
-
-   already, namely UTF-8 [RFC2044], UTF-7 [RFC1642], and UTF-16 [Uni-
-   code]. Unfortunately, none of them is suitable for our purposes. We
-   therefore use the following encoding:
-
-   -  To accommodate the slanted probability distribution of characters
-      in UCS4, a variable-length encoding is used.
-
-   -  Each target letter encodes 5 bits of information.  Four bits of
-      information encode character data, the fifth bit is used to indi-
-      cate continuation of the variable-length encoding.
-
-   -  Continuation is indicated by distinguishing the initial letter
-      from the subsequent letter.
-
-   -  Leading four-bit groups of binary value 0000 of UCS4 characters
-      are discarded, except for the last TWO groups (i.e. the last
-      octet).  This means that ASCII and Latin-1 characters need two
-      target letters, the main alphabets up to and including Tibetan
-      need three target letters, the rest of the characters in the BMP
-      need four target letters, all except the last (private) plane in
-      the UTF-16/Surrogates area [Unicode] need five target letters, and
-      so on.
-
-   -  The letters representing the various bit groups in the various
-      positions are chosen according to the following table:
-
-
-        Nibble Value   Initial        Subsequent
-        Hex  Binary
-        0    0000 G         0
-        1    0001 H         1
-        2    0010 I         2
-        3    0011 J         3
-        4    0100 K         4
-        5    0101 L         5
-        6    0110 M         6
-        7    0111 N         7
-        8    1000 O         8
-        9    1001 P         9
-        A    1010 Q         A
-        B    1011 R         B
-        C    1100 S         C
-        D    1101 T         D
-        E    1110 U         E
-        F    1111 V         F
-
-
-   [Should we try to eliminate "I" and "O" from initial? "I" might be
-
-
-
-                       Expires End of January 1998      [Page 6]
-
-Internet Draft    Internationalization of Domain Names         July 1997
-
-
-   eliminated because then an algorithm can more easily detect ".i". "O"
-   could lead to some confusion with "0".  What other protocols are
-   there that might be able to use a similar solution, but that might
-   have other restrictions for the initial letters? Proposal to run ini-
-   tial range from H to X. Extracting the initial bits then becomes ^
-   'H'.  Proposal to have a special convention for all-ASCII labels
-   (start label with one of the letters not used above).]
-
-   Please note that this solution has the following interesting proper-
-   ties:
-
-   -  For subsequent positions, there is an equivalence between the hex-
-      adecimal value of the character code and the target letter used.
-      This assures easy conversion and checking.
-
-   -  The absence of digits from the "initial" column, and the fact that
-      the hyphen is not used, assures that the resulting string conforms
-      to domain name syntax.
-
-   -  Raw sorting of encoded and unencoded domain names is equivalent.
-
-   -  The boundaries of characters can always be detected easily.
-      (While this is important for representations that are used inter-
-      nally for text editing, it is actually not very important here,
-      because tools for editing can be assumed to use a more straight-
-      forward representation internally.)
-
-   -  Unless control characters are allowed, the target string will
-      never actually contain a G.
-
-
-
-3.3 Encoding Example
-
-
-   As an example, the current domain
-
-        is.s.u-tokyo.ac.jp
-
-   with the components standing for information science, science, the
-   University of Tokyo, academic, and Japan, might in future be repre-
-   sented by
-
-        JOUHOU.RI.TOUDAI.GAKU.NIHON
-
-   (a transliteration of the kanji that might probably be chosen to rep-
-   resent the same domain). Writing each character in U+HHHH notation as
-   in [Unicode], this results in the following (given for reference
-
-
-
-                       Expires End of January 1998      [Page 7]
-
-Internet Draft    Internationalization of Domain Names         July 1997
-
-
-   only, not the actual encoding or something being typed in by the
-   user):
-
-        U+60c5U+5831.U+7406.U+6771U+5927.U+5b66.U+65e5U+672c
-
-   The software handling internationalized domain names will translate
-   this, according to the above specifications, before submitting it to
-   the DNS resolver, to:
-
-        M0C5L831.N406.M771L927.LB66.M5E5M72C.i
-
-
-
-3.4 Length Considerations
-
-
-   DNS allows for a maximum of 63 positions in each part, and for 255
-   positions for the overall domain name including dots.  This allows up
-   to 15 ideographs, or up to 21 letters e.g.  from the Hebrew or Arabic
-   alphabet, in a label.  While this does not allow for the same margin
-   as in the case of ASCII domain names, it should still be quite suffi-
-   cient.  [Problems could only surface for languages that use very long
-   words or terms and don't know any kind of abbreviations or similar
-   shortening devices. Do these exist?  Islandic expert asserted
-   Islandic is not a problem.]  DNS contains a compression scheme that
-   avoids sending the same trailing portion of a domain name twice in
-   the same transmission. Long domain names are therefore not that much
-   of a concern.
-
-
-4. Usage Considerations
-
-
-
-4.1 General Usage
-
-
-   To implement this proposal, neither DNS servers nor resolvers need
-   changes.  These programs will only deal with the encoded form of the
-   domain name with the .i suffix. Software that wants to offer an
-   internationalized user interface (for example a web browser) is
-   responsible for the necessary conversions. It will analyze the domain
-   name, call the resolver directly if the domain name conforms to the
-   domain name syntax restrictions, and otherwise encode the name
-   according to the specifications of Section 3.2 and append the .i suf-
-   fix before calling the resolver.  New implementations of resolvers
-   will of course offer a companion function to gethostbyname accepting
-   a ISO10646/Unicode string as input.
-
-
-
-                       Expires End of January 1998      [Page 8]
-
-Internet Draft    Internationalization of Domain Names         July 1997
-
-
-   For domain name administrators, them main tool that will be needed is
-   a program to compile files configuring zones from an UTF-8 notation
-   (or any other suitable encoding) to the encoding described in Section
-   3.3. Utility tools will include a corresponding decompiler, checkers
-   for various kinds of internationalization-related errors, and tools
-   for managing syntactic parallelism (see Section 4.3).
-
-
-4.2 Usage Restrictions
-
-
-   While this proposal in theory allows to have control characters such
-   as BEL or NUL or symbols such as arrows and smilies in domain names,
-   such characters should clearly be excluded from domain names. Whether
-   this has to be explicitly specified or whether the difficulty to type
-   these characters on any keyboard of the world will limit their use
-   has to be discussed. One approach is to start with a very restricted
-   subset and gradually relax it; the other is to allow almost anything
-   and to rely on common sense. Anyway, such specifications should go
-   into a separate document to allow easy updates.
-
-   A related point is the question of equivalence. For historical rea-
-   sons, ISO 10646/Unicode contain considerable number of compatibility
-   characters and allow more than one representation for characters with
-   diacritics. To guarantee smooth interoperability in these and related
-   cases, additional restrictions or the definition of some form of nor-
-   malization seem necessary.  However, this is a general problem
-   affecting all areas where ISO 10646/Unicode is used in identifiers,
-   and should therefore be addressed in a generic way.  See [iNORM] for
-   an initial proposal.
-
-   Equally related is the problem of case equivalence.  Users can very
-   well distinguish between upper case and lower case.  Also, casing in
-   an i18n context is not as straightforward as for ASCII, so that case
-   equivalence is best avoided.  Problems therefore result not from the
-   fact that case is distinguished for i18n domain names, but from the
-   fact that existing domain names do not distinguish case. Where it is
-   impossible to distinguish between next.com and NeXT.com, the same two
-   subdomains would easily be distinguishable if subordinate to a i18n
-   domain.  There are several possible solutions. One is to try to grad-
-   ually migrate from a case-insensitive solution to a case-sensitive
-   solution even for ASCII. Another is to allow case-sensitivity only
-   beyond ASCII. Another is to restrict anything beyond ASCII to lower-
-   case only (lowercase distinguishes better than uppercase, and is also
-   generally used for ASCII domain names).
-
-   A problem that also has to be discussed and solved is bidirectional-
-   ity.  Arabic and Hebrew characters are written right-to-left, and the
-
-
-
-                       Expires End of January 1998      [Page 9]
-
-Internet Draft    Internationalization of Domain Names         July 1997
-
-
-   mixture with other characters results in a divergence between logical
-   and graphical sequence. See [HTML-I18N] for more explanations.  The
-   proposal of [Yer96] for dealing with bidirectionality in URLs could
-   probably be applied to domain names. Anyway, there should be a gen-
-   eral solution for identifiers, not a DNS-specific solution.
-
-
-4.3 Domain Name Creation
-
-
-   The ".i" ZLD should be created as such to allow the internationaliza-
-   tion of domain names. Rules for creating subdomains inside ".i"
-   should follow the established rules for the creation of functionally
-   equivalent domains in the existing domain hierarchy, and should
-   evolve in parallel.
-
-   For the actual domain hierarchy, the amount of parallelism between
-   the current ASCII-oriented hierarchy and some internationalized hier-
-   archy depends on various factors.  In some cases, two fully parallel
-   hierarchies may emerge.  In other cases, if more than one script or
-   language is used locally, more than two parallel hierarchies may
-   emerge.  Some nodes, e.g. in intranets, may only appear in an i18n
-   hierarchy, whereas others may only appear in the current hierarchy.
-   In some cases, the pecularities of scripts, languages, cultures, and
-   the local marketplace may lead to completely different hierarchies.
-
-   Also, one has to be aware that there may be several kinds of paral-
-   lelisms. The first one is called syntactic parallelism.  If there is
-   a domain XXXX.yy.zz and a domain vvvv.yy.zz, then the domain yy.zz
-   will have to exist both in the traditional DNS hierarchy as well as
-   within the hierarchy starting at the .i ZLD, with appropriate encod-
-   ing.
-
-   The second type of parallelism is called transcription parallelism.
-   It results by transcribing or transliterating relations between ASCII
-   domain names and domain names in other scripts.
-
-   The third type of parallelism is called semantic parallelism.  It
-   results from translating elements of a domain name from one language
-   to another, possibly also changing the script or set of used charac-
-   ters.
-
-   On the host level, parallelism means that there are two names for the
-   same host. Conventions should exist to decide whether the parallel
-   names should have separate IP addresses or not (A record or CNAME
-   record).  With separate IP addresses, address to name lookup is easy,
-   otherwise it needs special precautions to be able to find all names
-   corresponding to a given host address.  Another detail entering this
-
-
-
-                       Expires End of January 1998     [Page 10]
-
-Internet Draft    Internationalization of Domain Names         July 1997
-
-
-   consideration is that MX records only work for  hostnames/domains,
-   not for CNAME aliases.  This at least has the consequence that alias
-   resolution for internationalized mail addresses has to occur before
-   MX record lookup.
-
-   When discussing and applying the rules for creating domain names,
-   some peculiarities of i18n domain names should be carefully consid-
-   ered:
-
-   -  Depending on the script, reasonable lengths for domain name parts
-      may differ greatly. For ideographic scripts, a part may often be
-      only a one-letter code. Established rules for lengths may need
-      adaptation. For example, a rule for country TLDs could read: one
-      ideographic character or two other characters.
-
-   -  If the number of generic TLDs (.com, .edu, .org, .net) is kept
-      low, then it may be feasible to restrict i18n TLDs to country
-      TLDs.
-
-   -  There are no ISO 3166 [ISO3166] two-letter codes in scripts other
-      than Latin.  I18n domain names for countries will have to be
-      designed from scratch.
-
-   -  The names of some countries or regions may pose greater political
-      problems when expressed in the native script than when expressed
-      in 2-letter ISO 3166 codes.
-
-   -  I18n country domain names should in principle only be created in
-      those scripts that are used locally. There is probably little use
-      in creating an Arabic domain name for China, for example.
-
-   -  In those cases where domain names are open to a wide range of
-      applicants, a special procedure for accepting applications should
-      be used so that a reasonable-quality fit between ASCII domain
-      names and i18n domain names results where desired.  This would
-      probably be done by establishing a period of about a month for
-      applications inside a i18n domain newly created as a parallel for
-      an existing domain, and resolving the detected conflicts.  For
-      syntactically parallel domain names, the owners should always be
-      the same. Administration may be split in some cases to account for
-      the necessary linguistic knowledge.  For domain names with tran-
-      scription parallelism and semantic parallelism, the question of
-      owner identity should depend on the real-life situation (trade-
-      marks,...).
-
-   -  It will be desirable to have internationalized subdomains in non-
-      internationalized TLDs. As an example, many companies in France
-      may want to register an accented version of their company name,
-
-
-
-                       Expires End of January 1998     [Page 11]
-
-Internet Draft    Internationalization of Domain Names         July 1997
-
-
-      while remaining under the .fr TLD. For this, .fr would have to be
-      reregistered as .M6N2.i. Accented and other internationalized sub-
-      domains would go below .M6N2.i, whereas unaccented ones would go
-      below .fr in its plain form.
-
-   -  To generalize the above case, one may need to create a requirement
-      that any domain name registry would have to register and manage
-      syntactically parallel domain names below the .i ZLD upon request
-      to allow registration of i18n domain names in arbitrary subdo-
-      mains.  An alternative to this is to organize domain name search
-      so that e.g. in a search for XXXXXX.fr, if M6N2.i is not found in
-      .i, the name server for .fr is queried for XXXXXX.M6N2.i (with
-      XXXXXX appropriately encoded).  This convention would allow lower-
-      level domains to introduce internationalized subdomains without
-      depending on higher-level domains.
-
-
-
-4.4 Usage in URLs
-
-   According to current definitions, URLs encode sequences of octets
-   into a sequence of characters from a character set that is almost as
-   limited as the character set of domain names [RFC1738].  This is
-   clearly not satisfying for i18n.
-
-   Internationalizing URLs, i.e. assigning character semantics to the
-   encoded octets, can either be done separately for each part and/or
-   scheme, or in an uniform way. Doing it separately has the serious
-   disadvantage that software providing user interfaces for URLs in gen-
-   eral would have to know about all the different i18n solutions of the
-   different parts and schemes. Many of these solutions may not even be
-   known yet.
-
-   It is therefore definitely more advantageous to decide on a single
-   and consistent solution for URL internationalization. The most valu-
-   able candidate [Yer96], for many reasons, is UTF-8 [RFC2044], an
-   ASCII-compatible encoding of UCS4.
-
-   Therefore, an URL containing the domain name of the example of Sec-
-   tion 3.3 should not be written as:
-
-        ftp://M0C5L831.N406.M771L927.LB66.M5E5M72C.i
-
-   (although this will also work) but rather
-
-        ftp://%e6%83%85%e5%a0%b1.%e7%90%86.%e6%9d%b1%e5%a4%a7.
-             %e5%ad%a6.%e6%97%a5%e6%9c%ac
-
-
-
-
-                       Expires End of January 1998     [Page 12]
-
-Internet Draft    Internationalization of Domain Names         July 1997
-
-
-   In this canonical form, the trailing .i is absent, and the octets can
-   be reconstructed from the %HH-encoding and interpreted as UTF-8 by
-   generic URL software. The software part dealing with domain names
-   will carry out the conversion to the .i form.
-
-
-5. Alternate Proposals
-
-
-
-5.1 The Dillon Proposal
-
-   The proposal of Michael Dillon [Dillon96] is also based on encoding
-   Unicode into the limited character set of domain names. Distinction
-   is done for each part, using the hyphen in initial position. Because
-   this does not fully conform to the syntax of existing domain names,
-   it is questionable whether it is backwards-compatible. On the other
-   hand, this has the advantage that local i18n domain names can be
-   installed easily without cooperation by the manager of the superdo-
-   main.
-
-   A variable-length scheme with base 36 is used that can encode up to
-   1610 characters, absolutely insufficient for Chinese or Japanese.
-   Characters assumed not to be used in i18n domain names are excluded,
-   i.e. only one case is allowed for basic Latin characters.  This means
-   that large tables have to be worked out carefully to convert between
-   ISO 10646/Unicode and the actual number that is encoded with base=
- 36.
-
-
-5.2 Using a Separate Lookup Service
-
-   Instead of using a special encoding and burdening DNS with i18n, one
-   could build and use a separate lookup service for i18n domain names.
-   Instead of converting to UCS4 and encoding according to Section 3.2,
-   and then calling the DNS resolver, a program would contact this new
-   service when seeing a domain name with characters outside the allowed
-   range.
-
-   Such solutions have various problems. There are many directory ser-
-   vices and proposals for how to use them in a way similar to DNS. For
-   an overview and a specific proposal, see [Kle96].  However, while
-   there are many proposals, a real service containing the necessary
-   data and providing the wide installed base and distributed updating
-   is in DNS does not exist.
-
-   Most directory service proposals also do not offer uniqueness.
-   Defining unique names again for a separate service will duplicate
-   much of the work done for DNS. If uniqueness is not guaranteed, the
-
-
-
-                       Expires End of January 1998     [Page 13]
-
-Internet Draft    Internationalization of Domain Names         July 1997
-
-
-   user is bundened with additional selection steps.
-
-   Using a separate lookup service for the internationalization of
-   domain names also results in more complex implementations than the
-   proposal made in this draft. Contrary to what some people might
-   expect, the use of a separate lookup service also does not solve a
-   capacity problem with DNS, because there is no such problem, nor will
-   one be created with the introduction of i18n domain names.
-
-
-6. Generic Considerations
-
-
-
-6.1 Security Considerations
-
-   This proposal is believed not to raise any other security considera-
-   tions than the current use of the domain name system.
-
-
-6.2 Internationalization Considerations
-
-   This proposal addresses internationalization as such. The main addi-
-   tional consideration with respect to internationalization may be the
-   indication of language. However, for concise identifiers such as
-   domain names, language tagging would be too much of a burden and
-   would create complex dependencies with semantics.
-
-
-        NOTE -- This section is introduced based on a recommenda-
-        tion in [RFCIAB]. A similar section addressing internation-
-        alization should be included in all application level
-        internet drafts and RFCs.
-
-
-
-
-
-Acknowledgements
-
-   I am grateful in particular to the following persons for their advice
-   or criticism: Bert Bos, Lori Brownell, Michael Dillon, Donald E.
-   Eastlake 3rd, David Goldsmith, Larry Masinter, Ryan Moats, Keith
-   Moore, Thorvardur Kari Olafson, Erik van der Poel, Jurgen Schwertl,
-   Paul A. Vixie, Francois Yergeau, and others.
-
-
-
-
-
-
-                       Expires End of January 1998     [Page 14]
-
-Internet Draft    Internationalization of Domain Names         July=
- 1997
-
-
-Bibliography
-
-   [ASCII]        Coded Character Set -- 7-Bit American Standard Code
-                  for Information Interchange, ANSI X3.4-1986.
-
-   [Dillon96]     M. Dillon, "Multilingual Domain Names", Memra Software
-                  Inc., November 1996 (circulated Dec. 6, 1996 on iahc-
-                  discuss@iahc.org).
-
-   [HTML-I18N]    F. Yergeau, G. Nicol, G. Adams, and M. Duerst, "Inter-
-                  nationalization of the Hypertext Markup Language",
-                  Work in progress (draft-ietf-html-i18n-05.txt), August
-                  1996.
-
-   [iNORM]        M. Duerst, "Normalization of Internationalized Identi-
-                  fiers", draft-duerst-i18n-norm-00.txt, July 1997.
-
-   [ISO3166]      ISO 3166, "Code for the representation of names of
-                  countries", ISO 3166:1993.
-
-   [ISO10646]     ISO/IEC 10646-1:1993. International standard -- Infor-
-                  mation technology -- Universal multiple-octet coded
-                  character Set (UCS) -- Part 1: Architecture and basic
-                  multilingual plane.
-
-   [Kle96]        J. Klensin and T. Wolf, Jr., "Domain Names and Company
-                  Name Retrieval", Work in progress (draft-klensin-tld-
-                  whois-01.txt), November 1996.
-
-   [RFC1034]      P. Mockapetris, "Domain Names - Concepts and Facili-
-                  ties", ISI, Nov. 1987.
-
-   [RFC1035]      P. Mockapetris, "Domain Names - Implementation and
-                  Specification", ISI, Nov. 1987.
-
-   [RFC1522]      K. Moore, "MIME (Multipurpose Internet Mail Exten-
-                  sions) Part Two: Message Header Extensions for Non-
-                  ASCII Text", University of Tennessee, September 1993.
-
-   [RFC1642]      D. Goldsmith, M. Davis, "UTF-7: A Mail-safe Transfor-
-                  mation Format of Unicode", Taligent Inc., July 1994.
-
-   [RFC1730]      C. Malamud and M. Rose, "Principles of Operation for
-                  the TPC.INT Subdomain: General Principles and Policy",
-                  Internet Multicasting Service, October 1993.
-
-   [RFC1738]      T. Berners-Lee, L. Masinter, and M. McCahill,
-                   "Uniform Resource Locators (URL)", CERN, Dec. 1994.
-
-
-
-                       Expires End of January 1998     [Page 15]
-
-Internet Draft    Internationalization of Domain Names         July 1997
-
-
-   [RFC2044]      F. Yergeau, "UTF-8, A Transformation Format of Unicode
-                  and ISO 10646", Alis Technologies, October 1996.
-
-   [RFCIAB]       C. Weider, C. Preston, K. Simonsen, H. Alvestrand, R.
-                  Atkinson, M. Crispin, P. Svanberg, "Report from the
-                  IAB Character Set Workshop", October 1996 (currently
-                  available as draft-weider-iab-char-wrkshop-00.txt).
-
-   [Unicode]      The Unicode Consortium, "The Unicode Standard, Version
-                  2.0", Addison-Wesley, Reading, MA, 1996.
-
-   [Yer96]        F. Yergeau, "Internationalization of URLs", Alis Tech-
-                  nologies,
-                 =
- <http://www.alis.com:8085/~yergeau/url-00.html>.
-
-
-
-Author's Address
-
-   Martin J. Duerst
-   World Wide Web Consortium
-   Keio Research Institute at SFC
-   Keio University
-   5322 Endo
-   Fujisawa
-   252-8520 Japan
-
-   Tel: +81 466 49 11 70
-   E-mail: mduerst@w3.org
-
-
-     NOTE -- Please write the author's name with u-Umlaut wherever
-     possible, e.g. in HTML as D&uuml;rst.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-                       Expires End of January 1998     [Page 16]
-
diff --git a/doc/draft/draft-duerst-dns-i18n-03.txt b/doc/draft/draft-duerst-dns-i18n-03.txt
new file mode 100644
index 00000000..d09a2ded
--- /dev/null
+++ b/doc/draft/draft-duerst-dns-i18n-03.txt
@@ -0,0 +1,5 @@
+This Internet-Draft has expired and is no longer available.
+
+Unrevised documents placed in the Internet-Drafts directories have a
+maximum life of six months. After that time, they must be updated, or
+they will be deleted. This document was deleted on March 20, 2000.
diff --git a/doc/draft/draft-ietf-dnsext-axfr-clarify-00.txt b/doc/draft/draft-ietf-dnsext-axfr-clarify-00.txt
new file mode 100644
index 00000000..b9988762
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-axfr-clarify-00.txt
@@ -0,0 +1,278 @@
+
+INTERNET-DRAFT                                      Andreas Gustafsson
+draft-ietf-dnsext-axfr-clarify-00.txt                     Nominum Inc.
+                                                            March 2000
+
+
+               DNS Zone Transfer Protocol Clarifications
+
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet- Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+Abstract
+
+   In the Domain Name System, zone data is replicated among
+   authoritative DNS servers by means of the "zone transfer" protocol,
+   also known as the "AXFR" protocol.  This memo clarifies, updates, and
+   adds missing detail to the original AXFR protocol specification in
+   RFC1034.
+
+1. Introduction
+
+   The original definition of the DNS zone transfer protocol consists of
+   a single paragraph in [RFC1034] section 4.3.5 and some additional
+   notes in [RFC1035] section 6.3.  It is not sufficiently detailed to
+   serve as the sole basis for constructing interoperable
+   implementations.  This document is an attempt to provide a more
+   complete definition of the protocol.  Where the text in RFC1034
+   conflicts with existing practice, the existing practice has been
+   codified in the interest of interoperability.
+
+
+
+
+Expires September 2000                                          [Page 1]
+
+draft-ietf-dnsext-axfr-clarify-00.txt                         March 2000
+
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in [RFC 2119].
+
+2. The zone transfer request
+
+   To initiate a zone transfer, the slave server sends a zone transfer
+   request to the master server over a reliable transport such as TCP.
+   The form of this request is specified in sufficient detail in RFC1034
+   and needs no further clarification.
+
+3. The zone transfer response
+
+   If the master server is unable or unwilling to provide a zone
+   transfer, it MUST respond with a single DNS message containing an
+   appropriate RCODE other than NOERROR.
+
+   If a zone transfer can be provided, the master server sends one or
+   more DNS messages containing the zone data as described below.
+
+3.1. Multiple answers per message
+
+   The zone data in a zone transfer response is a sequence of answer
+   RRs.  These RRs are transmitted in the answer section(s) of one or
+   more DNS response messages.
+
+   The AXFR protocol definition in RFC1034 does not make a clear
+   distinction between response messages and answer RRs.  Historically,
+   DNS servers always transmitted a single answer RR per message.  This
+   encoding is wasteful due to the overhead of repeatedly sending DNS
+   message headers and the loss of domain name compression
+   opportunities.  To improve efficiency, some newer servers support a
+   mode where multiple RRs are transmitted in a single DNS response
+   message.
+
+   A master MAY transmit multiple answer RRs per response message up to
+   the largest number that will fit within the 65535 byte limit on TCP
+   DNS message size.  In the case of a small zone, this can cause the
+   entire transfer to be transmitted in a single response message.
+
+   Slaves MUST accept messages containing any number of answer RRs.  For
+   compatibility with old slaves, masters that support sending multiple
+   answers per message SHOULD be configurable to revert to the
+   historical mode of one answer per message, and the configuration
+   SHOULD be settable on a per-slave basis.
+
+3.2. DNS message header contents
+
+
+
+
+Expires September 2000                                          [Page 2]
+
+draft-ietf-dnsext-axfr-clarify-00.txt                         March 2000
+
+
+   RFC1034 does not specify the contents of the DNS message header of
+   the zone transfer response messages.  The header of each message MUST
+   be as follows:
+
+       ID      Copy from request
+       QR      1
+       OPCODE  QUERY
+       AA      1 (but MAY be 0 when RCODE is nonzero)
+       TC      0
+       RD      Copy from request
+       RA      Set according to availability of recursion
+       Z       000
+       RCODE   0 or error code
+
+   The slave MUST check the RCODE and abort the transfer if it is
+   nonzero.  It SHOULD check the ID of the first message received and
+   abort the transfer if it does not match the ID of the request.  The
+   ID SHOULD be ignored in subsequent messages, and fields other than
+   RCODE and ID SHOULD be ignored in all messages, to ensure
+   interoperability with certain older implementations which transmit
+   incorrect or arbitrary values in these fields.
+
+3.3. Additional section and SIG processing
+
+   Zone transfer responses are not subject to any kind of additional
+   section processing or automatic inclusion of SIG records.  SIG RRs in
+   the zone data are treated exactly the same as any other RR type.
+
+3.4. The question section
+
+   RFC1034 does not specify whether zone transfer response messages have
+   a question section or not.  The initial message of a zone transfer
+   response SHOULD have a question section identical to that in the
+   request.  Subsequent messages SHOULD NOT have a question section,
+   though the final message MAY.  The receiving slave server MUST accept
+   any combination of messages with and without a question section.
+
+3.5. The authority section
+
+   The master server MUST transmit messages with an empty authority
+   section.  Slaves MUST ignore any authority section contents they may
+   receive from masters that do not comply with this requirement.
+
+3.6. The additional section
+
+   The additional section MAY contain additional RRs such as transaction
+   signatures.  The slave MUST ignore any unexpected RRs in the
+   additional section.
+
+
+
+Expires September 2000                                          [Page 3]
+
+draft-ietf-dnsext-axfr-clarify-00.txt                         March 2000
+
+
+4. Glue
+
+   Zone transfers MAY contain glue RRs pertaining to NS records in the
+   zone.  An RR is considered a glue RR when it is not within the zone
+   being transferred.  A slave MUST recognize glue RRs as such; it MUST
+   NOT treat them as authoritative data.
+
+   Note that classifying an RR as glue or non-glue may not be possible
+   until the entire zone has been received so that the zone cuts defined
+   by the zone's NS records can be determined.
+
+5. Transmission order
+
+   RFC1034 states that "The first and last messages must contain the
+   data for the top authoritative node of the zone".  This is not
+   consistent with existing practice.  All known master implementations
+   send, and slave implementations expect to receive, the zone's SOA RR
+   as the first and last record of the transfer.  Any other RRs at the
+   zone's apex are transmitted only once.
+
+   Therefore, the quoted sentence is hereby changed to read "The first
+   and last RR transmitted must be the SOA record of the zone".
+
+   The initial and final SOA record MUST be identical, with the possible
+   exception of case and compression.  In particular, they MUST have the
+   same serial number.
+
+   The transmission order of all other RRs in the zone, including glue
+   records, is undefined.
+
+References
+
+   [RFC1034] - Domain Names - Concepts and Facilities, P. Mockapetris,
+   November 1987.
+
+   [RFC1035] - Domain Names - Implementation and Specifications, P.
+   Mockapetris, November 1987.
+
+   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+   Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+Author's Address
+
+   Andreas Gustafsson
+   Nominum Inc.
+   950 Charter Street
+   Redwood City, CA 94063
+   USA
+
+
+
+Expires September 2000                                          [Page 4]
+
+draft-ietf-dnsext-axfr-clarify-00.txt                         March 2000
+
+
+   Phone: +1 650 779 6004
+
+   Email: gson@nominum.com
+
+
+Full Copyright Statement
+
+   Copyright (C) The Internet Society (2000).  All Rights Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implmentation may be prepared, copied, published and
+   distributed, in whole or in part, without restriction of any kind,
+   provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works.  However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assigns.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Expires September 2000                                          [Page 5]
+
diff --git a/doc/draft/draft-ietf-dnsext-ixfr-00.txt b/doc/draft/draft-ietf-dnsext-ixfr-00.txt
new file mode 100644
index 00000000..f81b5521
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-ixfr-00.txt
@@ -0,0 +1,557 @@
+INTERNET DRAFT                                                   M. Ohta
+draft-ietf-dnsext-ixfr-00.txt              Tokyo Institute of Technology
+                                                              March 2000
+
+                    Incremental Zone Transfer in DNS
+
+Status of this Memo
+
+   This document is an Internet-Draft and is in full conformance with
+   all provisions of Section 10 of RFC2026.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet- Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   Copyright (C) The Internet Society (March/5/2000).  All Rights
+   Reserved.
+
+Abstract
+
+   This document proposes extensions to the DNS protocols to provide an
+   incremental zone transfer (IXFR) mechanism.
+
+1. Introduction
+
+   For rapid propagation of changes to a DNS database [STD13], it is
+   necessary to reduce latency by actively notifying servers of the
+   change.  This is accomplished by the NOTIFY extension of the DNS
+   [NOTIFY].
+
+   The current full zone transfer mechanism (AXFR) is not an efficient
+   means to propagate changes to a small part of a zone, as it transfers
+   the entire zone file.
+
+   Incremental transfer (IXFR) as proposed is a more efficient
+   mechanism, as it transfers only the changed portion(s) of a zone.
+
+
+
+M. Ohta               Expires on September 5, 2000              [Page 1]
+
+INTERNET DRAFT      Incremental Zone Transfer in DNS          March 2000
+
+
+   In this document, a secondary name server which requests IXFR is
+   called an IXFR client and a primary or secondary name server which
+   responds to the request is called an IXFR server.
+
+   The AXFR specification is very terse, and in practice it does not
+   contain sufficient information to construct interoperable
+   implementations.  [XFRCLARIFY] gives the clarification on the AXFR
+   specification based on existing practice, which is, unless otherwise
+   noted, also applicable to IXFR.
+
+2. Brief Description of the Protocol
+
+   If an IXFR client, which likely has an older version of a zone,
+   thinks it needs new information about the zone (typically through SOA
+   refresh timeout or the NOTIFY mechanism), it sends an IXFR message
+   containing the SOA serial number of its, presumably outdated, copy of
+   the zone.
+
+   An IXFR server should keep record of the newest version of the zone
+   and the differences between that copy and several older versions.
+   When an IXFR request with an older version number is received, the
+   IXFR server needs to send only the differences required to make that
+   version current.  Alternatively, the server may choose to transfer
+   the entire zone just as in a normal full zone transfer.
+
+   When a zone has been updated, it should be saved in stable storage
+   before the new version is used to respond to IXFR (or AXFR) queries.
+   Otherwise, if the server crashes, data which is no longer available
+   may have been distributed to secondary servers, which can cause
+   persistent database inconsistencies.
+
+   If an IXFR query with the same or newer version number than that of
+   the server is received, it is replied to with a single SOA record of
+   the server's current version, just as a SOA query before TCP AXFR.
+
+   Transport of a query may be by either UDP or TCP.  If an IXFR query
+   is via UDP, the IXFR server may attempt to reply using UDP if the
+   entire response can be contained in a single UDP packet.  If the UDP
+   reply does not fit, the query is responded to with a single SOA
+   record of the server's current version to inform the client that a
+   TCP query should be initiated.
+
+   Thus, a client should first make an IXFR query using UDP.  If the
+   query type or other part of the query is not recognized by the
+   server, an AXFR (preceded by a UDP SOA query) should be tried,
+   ensuring backward compatibility.  If the query response is a single
+   packet with the entire new zone, or if the server does not have a
+   newer version than the client, everything is done.  Otherwise, a TCP
+
+
+
+M. Ohta               Expires on September 5, 2000              [Page 2]
+
+INTERNET DRAFT      Incremental Zone Transfer in DNS          March 2000
+
+
+   IXFR query should be tried.
+
+   To ensure integrity, servers should use UDP checksums for all UDP
+   responses.  A cautious client which receives a UDP packet with a
+   checksum value of zero should ignore the result and try a TCP IXFR
+   instead.
+
+   The query type value of IXFR assigned by IANA is 251.
+
+3. Query Format
+
+   The IXFR query packet format is the same as that of a normal DNS
+   query, but with the query type being IXFR and the authority section
+   containing the SOA record of client's version of the zone.
+
+4. Response Format
+
+   If incremental zone transfer is not available, the entire zone is
+   returned.  The first and the last RR of the response is the SOA
+   record of the zone.  I.e. the behavior is the same as an AXFR
+   response except the query type is IXFR.
+
+   If incremental zone transfer is available, one or more difference
+   sequences is returned.  The list of difference sequences is preceded
+   and followed by a copy of the server's current version of the SOA.
+
+   Each difference sequence represents one update to the zone (one SOA
+   serial change) consisting of deleted RRs and added RRs.  The first RR
+   of the deleted RRs is the older SOA RR and the first RR of the added
+   RRs is the newer SOA RR.
+
+   Modification of an RR is performed first by removing the original RR
+   and then adding the modified one.
+
+   A difference sequence which indicates the removal of a non-existent
+   RR is an indication of an error that the IXFR client is out-of-sync
+   with the IXFR server. The IXFR SHOULD be aborted, and an AXFR
+   requested from the same server.  A difference sequence which
+   indicates the addition of a seemingly duplicate (through a node may
+   have multiple TXT RRs of the duplicated content) or conflicting RR
+   may just be a result of malformed zone ando should be treated just as
+   a AXFR with malformed zone content.
+
+   The sequences of differential information are ordered oldest first
+   newest last.  Thus, the differential sequences are the history of
+   changes made since the version known by the IXFR client up to the
+   server's current version.
+
+
+
+
+M. Ohta               Expires on September 5, 2000              [Page 3]
+
+INTERNET DRAFT      Incremental Zone Transfer in DNS          March 2000
+
+
+   RR sets (RRs of the same RR types) in the incremental transfer
+   messages may be partial.  For examle, if a single RR of multiple RRs
+   of the same RR type changes, only the changed RR needs to be
+   transferred.
+
+   An IXFR client, should only replace an older version with a newer
+   version after all the differences have been successfully processed.
+
+   An incremental response is different from that of a non-incremental
+   response in that it begins with two SOA RRs, the server's current SOA
+   followed by the SOA of the client's version which is about to be
+   replaced.
+
+   To determine whether an IXFR response received over TCP is
+   incremental or not, it is necessary to try to receive the first two
+   answer RRs in the answer stream (which may or may not involve
+   receiving two TCP DNS messages).  The first RR is always an SOA.  If
+   the second RR does not exist, the client copy of the zone is up to
+   date and no zone transfer is necessary.  If the second RR is an SOA
+   with a serial number different from the first SOA, the response is
+   incremental, in IXFR format.  If it is a non-SOA RR or a SOA RR with
+   the same serial number as the initial SOA RR, it is a nonincremental
+   response in AXFR format.  The last case cannot arise unless the zone
+   is malformed containing only the SOA record without NS records.
+
+   This is the only way to identify an incremental response.  A slave
+   cannot reliably identify an incremental response based on the
+   presence or absence of a question section, the QTYPE field of a
+   possible question section, or the number of response RRs per message,
+
+5. Purging Strategy
+
+   An IXFR server can not be required to hold all previous versions
+   forever and may delete them anytime. In general, there is a trade-off
+   between the size of storage space and the possibility of using IXFR.
+
+   Information about older versions should be purged if the total length
+   of an IXFR response would be longer than that of an AXFR response.
+   Given that the purpose of IXFR is to reduce AXFR overhead, this
+   strategy is quite reasonable.  The strategy assures that the amount
+   of storage required is at most twice that of the current zone
+   information.
+
+   Information older than the SOA expire period should also be purged.
+
+6. Optional Condensation of Multiple Versions
+
+   An IXFR server may optionally condense multiple difference sequences
+
+
+
+M. Ohta               Expires on September 5, 2000              [Page 4]
+
+INTERNET DRAFT      Incremental Zone Transfer in DNS          March 2000
+
+
+   into a single difference sequence, thus, dropping information on
+   intermediate versions.
+
+   This may be beneficial if a lot of versions, not all of which are
+   useful, are generated. For example, if multiple ftp servers share a
+   single DNS name and the IP address associated with the name is
+   changed once a minute to balance load between the ftp servers, it is
+   not so important to keep track of all the history of changes.
+
+   But, this feature may not be so useful if an IXFR client has access
+   to two IXFR servers: A and B, with inconsistent condensation results.
+   The current version of the IXFR client, received from server A, may
+   be unknown to server B. In such a case, server B can not provide
+   incremental data from the unknown version and a full zone transfer is
+   necessary.
+
+   Condensation is completely optional. Clients can't detect from the
+   response whether the server has condensed the reply or not.
+
+   For interoperability, IXFR servers, including those without the
+   condensation feature, should not flag an error even if it receives a
+   client's IXFR request with a version number known not to exist (which
+   means that the server has versions with version numbers newer and
+   older than, but not equal to, the version number) and should,
+   instead, attempt to perform a full zone transfer by replying with a
+   single SOA record of the server's current version (UDP case) or with
+   a full zone content (UDP or TCP case).
+
+7. Example
+
+   Given the following three generations of data with the current serial
+   number of 3,
+
+      JAIN.AD.JP.         IN SOA NS.JAIN.AD.JP. mohta.jain.ad.jp. (
+                                        1 600 600 3600000 604800)
+                          IN NS  NS.JAIN.AD.JP.
+      NS.JAIN.AD.JP.      IN A   133.69.136.1
+      NEZU.JAIN.AD.JP.    IN A   133.69.136.5
+
+   NEZU.JAIN.AD.JP. is removed and JAIN-BB.JAIN.AD.JP. is added.
+
+      jain.ad.jp.         IN SOA ns.jain.ad.jp. mohta.jain.ad.jp. (
+                                        2 600 600 3600000 604800)
+                          IN NS  NS.JAIN.AD.JP.
+      NS.JAIN.AD.JP.      IN A   133.69.136.1
+      JAIN-BB.JAIN.AD.JP. IN A   133.69.136.4
+                          IN A   192.41.197.2
+
+
+
+
+M. Ohta               Expires on September 5, 2000              [Page 5]
+
+INTERNET DRAFT      Incremental Zone Transfer in DNS          March 2000
+
+
+   One of the IP addresses of JAIN-BB.JAIN.AD.JP. is changed.
+
+      JAIN.AD.JP.         IN SOA ns.jain.ad.jp. mohta.jain.ad.jp. (
+                                        3 600 600 3600000 604800)
+                          IN NS  NS.JAIN.AD.JP.
+      NS.JAIN.AD.JP.      IN A   133.69.136.1
+      JAIN-BB.JAIN.AD.JP. IN A   133.69.136.3
+                          IN A   192.41.197.2
+
+   The following IXFR query
+
+                 +---------------------------------------------------+
+      Header     | OPCODE=SQUERY                                     |
+                 +---------------------------------------------------+
+      Question   | QNAME=JAIN.AD.JP., QCLASS=IN, QTYPE=IXFR          |
+                 +---------------------------------------------------+
+      Answer     | <empty>                                           |
+                 +---------------------------------------------------+
+      Authority  | JAIN.AD.JP.         IN SOA serial=1               |
+                 +---------------------------------------------------+
+      Additional | <empty>                                           |
+                 +---------------------------------------------------+
+
+   could be replied to with the following full zone transfer message:
+
+                 +---------------------------------------------------+
+      Header     | OPCODE=SQUERY, RESPONSE                           |
+                 +---------------------------------------------------+
+      Question   | QNAME=JAIN.AD.JP., QCLASS=IN, QTYPE=IXFR          |
+                 +---------------------------------------------------+
+      Answer     | JAIN.AD.JP.         IN SOA serial=3               |
+                 | JAIN.AD.JP.         IN NS  NS.JAIN.AD.JP.         |
+                 | NS.JAIN.AD.JP.      IN A   133.69.136.1           |
+                 | JAIN-BB.JAIN.AD.JP. IN A   133.69.136.3           |
+                 | JAIN-BB.JAIN.AD.JP. IN A   192.41.197.2           |
+                 | JAIN.AD.JP.         IN SOA serial=3               |
+                 +---------------------------------------------------+
+      Authority  | <empty>                                           |
+                 +---------------------------------------------------+
+      Additional | <empty>                                           |
+                 +---------------------------------------------------+
+
+   or with the following incremental message:
+
+                 +---------------------------------------------------+
+      Header     | OPCODE=SQUERY, RESPONSE                           |
+                 +---------------------------------------------------+
+      Question   | QNAME=JAIN.AD.JP., QCLASS=IN, QTYPE=IXFR          |
+
+
+
+M. Ohta               Expires on September 5, 2000              [Page 6]
+
+INTERNET DRAFT      Incremental Zone Transfer in DNS          March 2000
+
+
+                 +---------------------------------------------------+
+      Answer     | JAIN.AD.JP.         IN SOA serial=3               |
+                 | JAIN.AD.JP.         IN SOA serial=1               |
+                 | NEZU.JAIN.AD.JP.    IN A   133.69.136.5           |
+                 | JAIN.AD.JP.         IN SOA serial=2               |
+                 | JAIN-BB.JAIN.AD.JP. IN A   133.69.136.4           |
+                 | JAIN-BB.JAIN.AD.JP. IN A   192.41.197.2           |
+                 | JAIN.AD.JP.         IN SOA serial=2               |
+                 | JAIN-BB.JAIN.AD.JP. IN A   133.69.136.4           |
+                 | JAIN.AD.JP.         IN SOA serial=3               |
+                 | JAIN-BB.JAIN.AD.JP. IN A   133.69.136.3           |
+                 | JAIN.AD.JP.         IN SOA serial=3               |
+                 +---------------------------------------------------+
+      Authority  | <empty>                                           |
+                 +---------------------------------------------------+
+      Additional | <empty>                                           |
+                 +---------------------------------------------------+
+
+   or with the following condensed incremental message:
+
+                 +---------------------------------------------------+
+      Header     | OPCODE=SQUERY, RESPONSE                           |
+                 +---------------------------------------------------+
+      Question   | QNAME=JAIN.AD.JP., QCLASS=IN, QTYPE=IXFR          |
+                 +---------------------------------------------------+
+      Answer     | JAIN.AD.JP.         IN SOA serial=3               |
+                 | JAIN.AD.JP.         IN SOA serial=1               |
+                 | NEZU.JAIN.AD.JP.    IN A   133.69.136.5           |
+                 | JAIN.AD.JP.         IN SOA serial=3               |
+                 | JAIN-BB.JAIN.AD.JP. IN A   133.69.136.3           |
+                 | JAIN-BB.JAIN.AD.JP. IN A   192.41.197.2           |
+                 | JAIN.AD.JP.         IN SOA serial=3               |
+                 +---------------------------------------------------+
+      Authority  | <empty>                                           |
+                 +---------------------------------------------------+
+      Additional | <empty>                                           |
+                 +---------------------------------------------------+
+
+   or, if UDP packet overflow occurs, with the following message:
+
+
+
+
+
+
+
+
+
+
+
+
+M. Ohta               Expires on September 5, 2000              [Page 7]
+
+INTERNET DRAFT      Incremental Zone Transfer in DNS          March 2000
+
+
+                 +---------------------------------------------------+
+      Header     | OPCODE=SQUERY, RESPONSE                           |
+                 +---------------------------------------------------+
+      Question   | QNAME=JAIN.AD.JP., QCLASS=IN, QTYPE=IXFR          |
+                 +---------------------------------------------------+
+      Answer     | JAIN.AD.JP.         IN SOA serial=3               |
+                 +---------------------------------------------------+
+      Authority  | <empty>                                           |
+                 +---------------------------------------------------+
+      Additional | <empty>                                           |
+                 +---------------------------------------------------+
+
+8. Acknowledgements
+
+   The original idea of IXFR was conceived by Anant Kumar, Steve Hotz
+   and Jon Postel.
+
+   For the refinement of the protocol and documentation, many people
+   have contributed including, but not limited to, Anant Kumar, Robert
+   Austein, Paul Vixie, Randy Bush, Mark Andrews, Robert Elz, Andreas
+   Gustafsson, Josh Littlefield, Olafur Gudmundsson, William King and
+   the members of the IETF DNSEXT working group.
+
+9. References
+
+   [NOTIFY] Vixie, P., "A Mechanism for Prompt Notification of Zone
+   Changes (DNS NOTIFY)", RFC1996, August 1996.
+
+   [STD13] Mockapetris, P., "Domain Name System" (RFC1034 and RFC1035),
+   November 1987.
+
+   [XFRCLARIFY]
+
+10. Security Considerations
+
+   Though DNS is related to several security problems, no attempt is
+   made to fix them in this document.
+
+   This document is believed to introduce no additional security
+   problems to the current DNS protocol.
+
+11. Author's Address
+
+   Masataka Ohta
+   Computer Center, Tokyo Institute of Technology
+   2-12-1, O-okayama, Meguro-ku, Tokyo 152-8550, JAPAN
+
+   Phone: +81-3-5734-3299, Fax: +81-3-5734-3415
+
+
+
+M. Ohta               Expires on September 5, 2000              [Page 8]
+
+INTERNET DRAFT      Incremental Zone Transfer in DNS          March 2000
+
+
+   EMail: mohta@necom830.hpcl.titech.ac.jp
+
+   Comments should be directed to DNSEXT WG <namedroppers@ops.ietf.org>.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+M. Ohta               Expires on September 5, 2000              [Page 9]
+
+INTERNET DRAFT      Incremental Zone Transfer in DNS          March 2000
+
+
+12. Full Copyright Statement
+
+   "Copyright (C) The Internet Society (March/5/2000).  All Rights
+   Reserved.
+
+   This document and translations of it may be copied and furnished to
+   others, and derivative works that comment on or otherwise explain it
+   or assist in its implementation may be prepared, copied, published
+   and distributed, in whole or in part, without restriction of any
+   kind, provided that the above copyright notice and this paragraph are
+   included on all such copies and derivative works.  However, this
+   document itself may not be modified in any way, such as by removing
+   the copyright notice or references to the Internet Society or other
+   Internet organizations, except as needed for the purpose of
+   developing Internet standards in which case the procedures for
+   copyrights defined in the Internet Standards process must be
+   followed, or as required to translate it into languages other than
+   English.
+
+   The limited permissions granted above are perpetual and will not be
+   revoked by the Internet Society or its successors or assigns.
+
+   This document and the information contained herein is provided on an
+   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+M. Ohta               Expires on September 5, 2000             [Page 10]
+
diff --git a/doc/draft/draft-ietf-dnsext-sig-zero-00.txt b/doc/draft/draft-ietf-dnsext-sig-zero-01.txt
index 8052d1f7..971b13d3 100644
--- a/doc/draft/draft-ietf-dnsext-sig-zero-00.txt
+++ b/doc/draft/draft-ietf-dnsext-sig-zero-01.txt
@@ -1,24 +1,23 @@
+
 INTERNET-DRAFT                                    Donald E. Eastlake 3rd
 UPDATES RFC 2535                                                Motorola
 
-Expires: September 2000                                       March 2000
+Expires: October 2000                                         April 2000
 
 
 
            DNS Request and Transaction Signatures ( SIG(0)s )
            --- ------- --- ----------- ---------- - ------- -
-                     draft-ietf-dnsext-sig-zero-00.txt
+                  <draft-ietf-dnsext-sig-zero-01.txt>
 
 
 
 Status of This Document
 
-   This draft, file name draft-ietf-dnsext-sig-zero-00.txt, is intended
-   to become a Proposed Standard RFC updating Proposed Standard [RFC
-   2535].  Distribution of this document is unlimited. Comments should
-   be sent to the DNS Working Group mailing list
-   <namedroppers@internic.net> or to the author.  [This is the successor
-   to draft-ietf-dnsind-sig-zero-01.txt.]
+   This draft is intended to become a Proposed Standard RFC updating
+   Proposed Standard [RFC 2535].  Distribution of this document is
+   unlimited. Comments should be sent to the DNS Working Group mailing
+   list <namedroppers@internic.net> or to the author.
 
    This document is an Internet-Draft and is in full conformance with
    all provisions of Section 10 of RFC2026.  Internet-Drafts are working
@@ -26,10 +25,11 @@ Status of This Document
    and its working groups.  Note that other groups may also distribute
    working documents as Internet-Drafts.
 
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet- Drafts as reference
-   material or to cite them other than as "work in progress."
+   Internet-Drafts are draft documents valid for a maximum of six
+   months.  Internet-Drafts may be updated, replaced, or obsoleted by
+   other documents at any time.  It is not appropriate to use Internet-
+   Drafts as reference material or to cite them other than as a
+   ``working draft'' or ``work in progress.''
 
    The list of current Internet-Drafts can be accessed at
    http://www.ietf.org/ietf/1id-abstracts.txt
@@ -57,7 +57,7 @@ Abstract
 D. Eastlake 3rd                                                 [Page 1]
 
 
-INTERNET-DRAFT                 DNS SIG(0)                     March 2000
+INTERNET-DRAFT                 DNS SIG(0)                     April 2000
 
 
 Acknowledgments
@@ -67,6 +67,7 @@ Acknowledgments
    acknowledged:
 
         Olafur Gudmundsson
+        Ed Lewis
         Brian Wellington
 
 
@@ -111,11 +112,10 @@ Table of Contents
 
 
 
-
 D. Eastlake 3rd                                                 [Page 2]
 
 
-INTERNET-DRAFT                 DNS SIG(0)                     March 2000
+INTERNET-DRAFT                 DNS SIG(0)                     April 2000
 
 
 1. Introduction
@@ -127,8 +127,8 @@ INTERNET-DRAFT                 DNS SIG(0)                     March 2000
    transactions / responses.  Such a resource record, because it has a
    type covered field of zero, is frequently called a SIG(0). The
    changes are based on implementation and attempted implementation
-   experience with TSIG [draft-ietf-{dnsind|dnsext}-tsig-*.txt] and the
-   [RFC 2535] specification for SIG(0).
+   experience with TSIG [draft-ietf-dnsext-tsig-*.txt] and the [RFC
+   2535] specification for SIG(0).
 
    Sections of [RFC 2535] updated are all of 4.1.8.1 and parts of 4.2
    and 4.3.  No changes are made herein related to the KEY or NXT RRs or
@@ -143,17 +143,14 @@ INTERNET-DRAFT                 DNS SIG(0)                     March 2000
 
 2. SIG(0) Design Rationale
 
-   The authenticated data origin and data existence denial services of
-   secure DNS protect only regular data resource records (RRs) or
-   authenticatably deny their nonexistence.  These services provide no
-   protection for glue records, DNS requests, no protection for message
-   headers on requests or responses, and no protection of the overall
-   integrity of a response.
-
-   If header bits are falsely set or the like by a bad server, there is
-   little that can be done.  However, it is possible to add transaction
-   and query authentication to be sure that queries and responses and
-   not tampered with in transit.
+   SIG(0) provides protection for DNS transactions and requests that is
+   not provided by the regular SIG, KEY, and NXT RRs specified in [RFC
+   2535].  The authenticated data origin services of secure DNS either
+   provide protected data resource records (RRs) or authenticatably deny
+   their nonexistence.  These services provide no protection for glue
+   records, DNS requests, no protection for message headers on requests
+   or responses, and no protection of the overall integrity of a
+   response.
 
 
 
@@ -161,19 +158,22 @@ INTERNET-DRAFT                 DNS SIG(0)                     March 2000
 
    Transaction authentication means that a requester can be sure it is
    at least getting the messages from the server it queried and that the
-   response is from the request it sent (i.e., that these messages have
-   not been diddled in transit).  This is accomplished by optionally
-   adding either a TSIG RR [draft-ietf-{dnsind|dnsext}-tsig-*.txt] or,
-   as described herein, a SIG(0) resource record at the end of the
-   response which digitally signs the concatenation of the server's
-   response and the corresponding resolver query.
+   received messages are in response to me query it sent.  This is
+   accomplished by optionally adding either a TSIG RR [draft-ietf-
+   dnsext-tsig-*.txt] or, as described herein, a SIG(0) resource record
+   at the end of the response which digitally signs the concatenation of
+   the server's response and the corresponding resolver query.
+
+
+
+
 
 
 
 D. Eastlake 3rd                                                 [Page 3]
 
 
-INTERNET-DRAFT                 DNS SIG(0)                     March 2000
+INTERNET-DRAFT                 DNS SIG(0)                     April 2000
 
 
 2.2 Request Authentication
@@ -214,43 +214,41 @@ INTERNET-DRAFT                 DNS SIG(0)                     March 2000
 
    Because TSIG involves secret keys installed at both the requester and
    server the presence of such a key implies that the other party
-   understands TSIG and likely has the same key installed.  Furthermore,
-   TSIG uses keyed hash authentication codes which are relatively
-   inexpensive to compute.  Thus it is common to authenticate requests
-   with TSIG and responses are authenticated with TSIG if the
+   understands TSIG and very likely has the same key installed.
+   Furthermore, TSIG uses keyed hash authentication codes which are
+   relatively inexpensive to compute.  Thus it is common to authenticate
+   requests with TSIG and responses are authenticated with TSIG if the
    corresponding request is authenticated.
 
    SIG(0) on the other hand, uses public key authentication, where the
-   public keys are stored in DNS as KEY RRs.  Thus, existence of such a
-   KEY RR does not necessarily imply implementation of SIG(0).  In
-   addition, SIG(0) involves relatively expensive public key
-   cryptographic operations that should be minimized and the
-   verification of a SIG(0) involves obtaining and verifying the
+   public keys are stored in DNS as KEY RRs and a private key is stored
+   at the signer.  Existence of such a KEY RR does not necessarily imply
+   implementation of SIG(0).  In addition, SIG(0) involves relatively
+   expensive public key cryptographic operations that should be
+   minimized and the verification of a SIG(0) involves obtaining and
 
 
 D. Eastlake 3rd                                                 [Page 4]
 
 
-INTERNET-DRAFT                 DNS SIG(0)                     March 2000
+INTERNET-DRAFT                 DNS SIG(0)                     April 2000
 
 
-   corresponding KEY which can be an expensive and lengthy operation.
-   Indeed, a policy of using SIG(0) on all requests and verifying it
-   before responding would, for some configurations, lead to a deadly
-   embrace with the attempt to obtain and verify the KEY needed to
-   authenticate the request SIG(0) resulting in additional requests
-   accompanied by a SIG(0) leading to further requests accompanied by a
-   SIG(0), etc.  Furthermore, omitting SIG(0)s when not required on
-   requests halves the number of public key operations required by the
-   transaction.
+   verifying the corresponding KEY which can be an expensive and lengthy
+   operation.  Indeed, a policy of using SIG(0) on all requests and
+   verifying it before responding would, for some configurations, lead
+   to a deadly embrace with the attempt to obtain and verify the KEY
+   needed to authenticate the request SIG(0) resulting in additional
+   requests accompanied by a SIG(0) leading to further requests
+   accompanied by a SIG(0), etc.  Furthermore, omitting SIG(0)s when not
+   required on requests halves the number of public key operations
+   required by the transaction.
 
    For these reasons, SIG(0)s SHOULD only be used on requests when
    necessary to authenticate that the requester has some required
    privilege or identity.  SIG(0)s on replies are defined in such a way
    as to not require a SIG(0) on the corresponding request and still
-   provide transaction protection.  Some responses, such as those
-   involving TKEY [draft-ietf-dnsext-tkey-*.txt], MUST be authenticated
-   with TSIG or SIG(0).  For other replies, whether they are
+   provide transaction protection.  For other replies, whether they are
    authenticated by the server or required to be authenticated by the
    requester SHOULD be a local configuration option.
 
@@ -265,14 +263,15 @@ INTERNET-DRAFT                 DNS SIG(0)                     March 2000
    2535] and this document concerning SIG(0) RRs should be resolved in
    favor of this document.
 
-   For all transaction SIG(0)s, the signer field MUST be the name of the
-   originating server host and there MUST be a KEY RR at that name with
-   the public key corresponding to the private key used to calculate the
-   signature.  (The inverse IP address mapping name for an IP address of
-   the server MAY be used if the relevant KEY is stored there.)
+   For all transaction SIG(0)s, the signer field MUST be a name of the
+   originating host and there MUST be a KEY RR at that name with the
+   public key corresponding to the private key used to calculate the
+   signature.  (The host domain name used may be the inverse IP address
+   mapping name for an IP address of the host if the relevant KEY is
+   stored there.)
 
    For all SIG(0) RRs, the owner name, class, TTL, and original TTL, are
-   meaningless.  The TTL fields SHOULD be zero and the CLASS filed
+   meaningless.  The TTL fields SHOULD be zero and the CLASS field
    SHOULD be ANY.  To conserve space, the owner name SHOULD be root (a
    single zero octet).  When SIG(0) authentication on a response is
    desired, that SIG RR must be considered the highest priority of any
@@ -286,32 +285,29 @@ INTERNET-DRAFT                 DNS SIG(0)                     March 2000
 
 
 
+
 D. Eastlake 3rd                                                 [Page 5]
 
 
-INTERNET-DRAFT                 DNS SIG(0)                     March 2000
+INTERNET-DRAFT                 DNS SIG(0)                     April 2000
 
 
 3.1 Calculating Request and Transaction SIGs
 
-   A DNS request may be optionally signed by including one or more
-   SIG(0)s at the end of the query additional information section.  Such
-   SIGs are identified by having a "type covered" field of zero. They
-   sign the preceding DNS request message including DNS header but not
-   including the UDP/IP header or any request SIG(0)s at the end and
-   before the request RR counts have been adjusted for the inclusions of
-   any request SIG(0)s.
+   A DNS request may be optionally signed by including one SIG(0)s at
+   the end of the query additional information section.  Such a SIG is
+   identified by having a "type covered" field of zero. It signs the
+   preceding DNS request message including DNS header but not including
+   the UDP/IP header and before the request RR counts have been adjusted
+   for the inclusions of the request SIG(0).
 
-   Note: requests and response can either have a single TSIG or one or
-   more SIG(0)s but not both a TSIG and a SIG(0).
+   It is calculated by using a "data" (see [RFC 2535], Section 4.1.8) of
+   (1) the SIG's RDATA section omitting the signature subfield itself,
+   (2) the entire DNS query messages, including DNS header, but not the
+   UDP/IP header and before the reply RR counts have been adjusted for
+   the inclusion of the SIG(0).  That is
 
-   They are calculated by using a "data" (see [RFC 2535], Section 4.1.8)
-   of (1) the SIG's RDATA section omitting the signature subfield
-   itself, (2) the entire DNS query messages, including DNS header, but
-   not the UDP/IP header or any SIG(0) and before the reply RR counts
-   have been adjusted for the inclusion of any SIG(0).  That is
-
-      data = RDATA | request - SIG(0)s
+      data = RDATA | request - SIG(0)
 
    where "|" is concatenation and RDATA is the RDATA of the SIG(0) being
    calculated less the signature itself.
@@ -320,14 +316,14 @@ INTERNET-DRAFT                 DNS SIG(0)                     March 2000
    that produced it.  Such transaction signatures are calculated by
    using a "data" of (1) the SIG's RDATA section omitting the signature
    itself, (2) the entire DNS query message that produced this response,
-   including the query's DNS header and any SIG(0)s but not its UDP/IP
-   header, and (3) the entire DNS response message, including DNS header
-   but not the UDP/IP header or any SIG(0) and before the response RR
-   counts have been adjusted for the inclusion of any SIG(0).
+   including the query's DNS header but not its UDP/IP header, and (3)
+   the entire DNS response message, including DNS header but not the
+   UDP/IP header and before the response RR counts have been adjusted
+   for the inclusion of the SIG(0).
 
    That is
 
-      data = RDATA | full query | response - SIG(0)s
+      data = RDATA | full query | response - SIG(0)
 
    where "|" is concatenation and RDATA is the RDATA of the SIG(0) being
    calculated less the signature itself.
@@ -342,24 +338,28 @@ INTERNET-DRAFT                 DNS SIG(0)                     March 2000
    packet is calculated with "data" as above and for each subsequent
    packet, it is calculated as follows:
 
+      data = RDATA | DNS payload - SIG(0) | previous packet
+
+   where "|" is concatenations, RDATA is as above, and previous packet
+   is the previous DNS payload including DNS header and the SIG(0) but
 
 
 D. Eastlake 3rd                                                 [Page 6]
 
 
-INTERNET-DRAFT                 DNS SIG(0)                     March 2000
-
+INTERNET-DRAFT                 DNS SIG(0)                     April 2000
 
-      data = RDATA | DNS payload - SIG(0)s | previous packet
 
-   where "|" is concatenations, RDATA is as above, and previous packet
-   is the previous DNS payload including DNS header and any SIG(0)s but
    not the TCP/IP header.  Support of SIG(0) for TCP is OPTIONAL.  As an
    alternative, TSIG may be used after, if necessary, setting up a key
    with TKEY [draft-ietf-dnsext-tkey-*.txt].
 
    Except where needed to authenticate an update, TKEY, or similar
-   privileged request, servers are not required to check request SIGs.
+   privileged request, servers are not required to check a request
+   SIG(0).
+
+   Note: requests and response can either have a single TSIG or one
+   SIG(0) but not both a TSIG and a SIG(0).
 
 
 
@@ -373,7 +373,7 @@ INTERNET-DRAFT                 DNS SIG(0)                     March 2000
    mode in use.  For all other responses, it MAY be checked and the
    message rejected if the checks fail.
 
-   If a response SIG(0) checks succeed, such a transaction
+   If a responses SIG(0) check succeed, such a transaction
    authentication SIG does NOT directly authenticate the validity any
    data-RRs in the message.  However, it authenticates that they were
    sent by the queried server and have not been diddled.  (Only a proper
@@ -405,7 +405,7 @@ INTERNET-DRAFT                 DNS SIG(0)                     March 2000
 D. Eastlake 3rd                                                 [Page 7]
 
 
-INTERNET-DRAFT                 DNS SIG(0)                     March 2000
+INTERNET-DRAFT                 DNS SIG(0)                     April 2000
 
 
    The inclusion of the SIG(0) inception and expiration time under the
@@ -415,7 +415,8 @@ INTERNET-DRAFT                 DNS SIG(0)                     March 2000
 
 5. IANA Considerations
 
-   No new fields are created or field values assigned by the document.
+   No new parameters are created or parameter values assigned by the
+   document.
 
 
 
@@ -433,13 +434,12 @@ References
    [RFC 2535] - D. Eastlake, "Domain Name System Security Extensions",
    March 1999.
 
-   [draft-ietf-{dnsind|dnsext}-tsig-*.txt] - P. Vixie, O. Gudmundsson,
-   D. Eastlake, B. Wellington, "Secret Key Transaction Signatures for
-   DNS (TSIG)".
+   [draft-ietf-dnsext-tsig-*.txt] - P. Vixie, O. Gudmundsson, D.
+   Eastlake, B. Wellington, "Secret Key Transaction Signatures for DNS
+   (TSIG)".
 
    [draft-ietf-dnsext-tkey-*.txt] - D. Eastlake, "Secret Key
-   Establishment for DNS  (RR)"
-
+   Establishment for DNS  (RR)".
 
 
 
@@ -463,7 +463,7 @@ References
 D. Eastlake 3rd                                                 [Page 8]
 
 
-INTERNET-DRAFT                 DNS SIG(0)                     March 2000
+INTERNET-DRAFT                 DNS SIG(0)                     April 2000
 
 
 Author's Address
@@ -483,9 +483,9 @@ Author's Address
 
 Expiration and File Name
 
-   This draft expires September 2000.
+   This draft expires October 2000.
 
-   Its file name is draft-ietf-dnsext-sig-zero-00.txt.
+   Its file name is draft-ietf-dnsext-sig-zero-01.txt.
 
 
 
diff --git a/doc/draft/draft-ietf-dnsext-signing-auth-00.txt b/doc/draft/draft-ietf-dnsext-signing-auth-01.txt
index a7468bc0..9fbe1497 100644
--- a/doc/draft/draft-ietf-dnsext-signing-auth-00.txt
+++ b/doc/draft/draft-ietf-dnsext-signing-auth-01.txt
@@ -1,8 +1,8 @@
 
-DNSIND Working Group                          Brian Wellington (NAILabs)
-INTERNET-DRAFT                                              January 2000
+DNSIND Working Group                          Brian Wellington (Nominum)
+INTERNET-DRAFT                                                  May 2000
 
-<draft-ietf-dnsext-signing-auth-00.txt>
+<draft-ietf-dnsext-signing-auth-01.txt>
 
 Updates: RFC 2535
 
@@ -35,7 +35,7 @@ Status of this Memo
    Comments should be sent to the authors or the DNSIND WG mailing list
    namedroppers@internic.net.
 
-   This draft expires on July 31, 2000.
+   This draft expires on November 12, 2000.
 
    Copyright Notice
 
@@ -50,9 +50,9 @@ Abstract
 
 
 
-Expires July 2000                                               [Page 1]
+Expires November 2000                                           [Page 1]
 
-INTERNET-DRAFT          DNSSEC Signing Authority            January 2000
+INTERNET-DRAFT          DNSSEC Signing Authority                May 2000
 
 
    secure resolution process.  Specifically, this affects the
@@ -64,8 +64,8 @@ INTERNET-DRAFT          DNSSEC Signing Authority            January 2000
 This document defines additional restrictions on DNSSEC signatures (SIG)
 records relating to their authority to sign associated data.  The intent
 is to establish a standard policy followed by a secure resolver; this
-policy can be augmented by local rules.  This builds upon [RFC2535] and
-updates section 2.3.6.
+policy can be augmented by local rules.  This builds upon [RFC2535],
+updating section 2.3.6 of that document.
 
 The most significant change is that in a secure zone, zone data is
 required to be signed by the zone key.
@@ -90,7 +90,8 @@ necessary.
 
 SIGs may also be used for transaction security.  In this case, a SIG
 record with a type covered field of 0 is attached to a message, and is
-used to protect message integrity.  This is referred to as a SIG(0).
+used to protect message integrity.  This is referred to as a SIG(0)
+[RFC2535].
 
 The following sections define requirements for all of the fields of a
 SIG record.  These requirements MUST be met in order for a DNSSEC
@@ -105,10 +106,9 @@ SIG, there are requirements that it MUST meet.
 
 
 
-
-Expires July 2000                                               [Page 2]
+Expires November 2000                                           [Page 2]
 
-INTERNET-DRAFT          DNSSEC Signing Authority            January 2000
+INTERNET-DRAFT          DNSSEC Signing Authority                May 2000
 
 
 2.1 - Type Covered
@@ -153,8 +153,8 @@ that future algorithms will impose contraints.
 The signer's name field of a data SIG MUST contain the name of the zone
 to which the data and signature belong.  The combination of signer's
 name, key tag, and algorithm MUST identify a zone key if the SIG is to
-be considered material.  As this document defines a standard policy,
-this can be overriden by local configuration.
+be considered material.  This document defines a standard policy for
+DNSSEC validation; local policy may override the standard policy.
 
 There are no restrictions on the signer field of a SIG(0) record.  The
 combination of signer's name, key tag, and algorithm MUST identify a key
@@ -162,15 +162,15 @@ if this SIG(0) is to be processed.
 
 
 
-Expires July 2000                                               [Page 3]
+Expires November 2000                                           [Page 3]
 
-INTERNET-DRAFT          DNSSEC Signing Authority            January 2000
+INTERNET-DRAFT          DNSSEC Signing Authority                May 2000
 
 
 2.8 - Signature
 
 There are no restrictions on the signature field.  The signature will be
-verified at some point, but does not need to be examined prior to pre-
+verified at some point, but does not need to be examined prior to
 verification unless a future algorithm imposes constraints.
 
 3 - The Signing KEY Record
@@ -189,9 +189,9 @@ generated the signature until the verification is performed.
 3.1 - Type Flags
 
 The signing KEY record MUST have a flags value of 00 or 01
-(authentication allowed, confidentiality optional) [RFC2535, 3.1.2].  If
-a key is not permitted to authenticate data, a DNSSEC resolver MUST NOT
-trust any signature that it generates.
+(authentication allowed, confidentiality optional) [RFC2535, 3.1.2].  A
+DNSSEC resolver MUST only trust signatures generated by keys that are
+permitted to authenticate data.
 
 
 3.2 - Name Flags
@@ -208,29 +208,29 @@ MUST be 01 (zone) [RFC2535, 3.1.2].  This updates RFC 2535, section
 ignore all keys that are not zone keys unless local policy dictates
 otherwise.
 
-The primary reason that host and/or user keys were allowed to generate
-material DNSSEC signatures was to allow dynamic update without online
-zone keys.  The desire to avoid online signing keys cannot be achieved,
-though, because they are necessary to sign NXT and SOA sets [SSU].
-These online zone keys can sign any incoming data, thus removing the
-need for host/user key signatures stored in the DNS.
-
+The primary reason that RFC 2535 allows host and user keys to generate
+material DNSSEC signatures is to allow dynamic update without online
+zone keys; that is, avoid storing private keys in an online server.  The
+desire to avoid online signing keys cannot be achieved, though, because
+they are necessary to sign NXT and SOA sets [SSU].  These online zone
+keys can sign any incoming data.  Removing the goal of having no online
+keys removes the reason to allow host and user keys to generate material
 
 
 
-Expires July 2000                                               [Page 4]
+Expires November 2000                                           [Page 4]
 
-INTERNET-DRAFT          DNSSEC Signing Authority            January 2000
+INTERNET-DRAFT          DNSSEC Signing Authority                May 2000
 
 
-This simplifies the validation process.  If data must be signed by a
-zone key, determining whether a key is authorized to sign an RRset
-requires finding the enclosing zone of the RRset, and following a chain
-of trusted zone keys to a known trusted key (which may be the DNS root
-key).  If host and user keys were permitted to generate material
-signatures, following a chain of trust to a trusted DNSSEC key could
-involve any number of non-zone keys and a non-trivial amount of work to
-determine if all such keys have the proper authority.
+signatures.  in the DNS.
+
+Limiting material signatures to zone keys simplifies the validation
+process.  The length of the verification chain is bounded by the name's
+label depth.  The authority of a key is clearly defined; a resolver does
+not need to make a potentially complicated decision to determine whether
+a key can sign data.  amount of work to determine if all such keys have
+the proper authority.
 
 Finally, there is no additional flexibility granted by allowing
 host/user key generated material signatures.  As long as users and hosts
@@ -274,9 +274,9 @@ record.
 
 
 
-Expires July 2000                                               [Page 5]
+Expires November 2000                                           [Page 5]
 
-INTERNET-DRAFT          DNSSEC Signing Authority            January 2000
+INTERNET-DRAFT          DNSSEC Signing Authority                May 2000
 
 
 4 - Security considerations
@@ -317,7 +317,7 @@ informative comments (in alphabetical order):
 
 [SSU]      B. Wellington, ``Simple Secure Domain Name System (DNS)
            Dynamic Update,'' draft-ietf-dnsext-simple-secure-
-           update-00.txt, NAILabs, January 2000.
+           update-01.txt, Nominum, May 2000.
 
 
 
@@ -330,21 +330,20 @@ informative comments (in alphabetical order):
 
 
 
-Expires July 2000                                               [Page 6]
+Expires November 2000                                           [Page 6]
 
-INTERNET-DRAFT          DNSSEC Signing Authority            January 2000
+INTERNET-DRAFT          DNSSEC Signing Authority                May 2000
 
 
 7 - Author's Address
 
 
    Brian Wellington
-       NAILabs
-       Network Associates
-       3060 Washington Road (Rt. 97)
-       Glenwood, MD 21738
-       +1 443 259 2369
-       <bwelling@tislabs.com>
+       Nominum, Inc.
+       950 Charter Street
+       Redwood City, CA 94063
+       +1 650 779 6022
+       <Brian.Wellington@nominum.com>
 
 
 8 - Full Copyright Statement
@@ -386,5 +385,6 @@ FITNESS FOR A PARTICULAR PURPOSE."
 
 
 
-Expires July 2000                                               [Page 7]
+
+Expires November 2000                                           [Page 7]
 
diff --git a/doc/draft/draft-ietf-dnsext-simple-secure-update-00.txt b/doc/draft/draft-ietf-dnsext-simple-secure-update-01.txt
index cd49664e..1034426a 100644
--- a/doc/draft/draft-ietf-dnsext-simple-secure-update-00.txt
+++ b/doc/draft/draft-ietf-dnsext-simple-secure-update-01.txt
@@ -1,14 +1,14 @@
 DNSIND Working Group                          Brian Wellington (NAILabs)
-INTERNET-DRAFT                                              January 2000
+INTERNET-DRAFT                                                  May 2000
 
-<draft-ietf-dnsext-simple-secure-update-00.txt>
+<draft-ietf-dnsext-simple-secure-update-01.txt>
 
 Updates: RFC 2535, RFC 2136,
 Replaces: RFC 2137, [update2]
 
 
 
-         Simple Secure Domain Name System (DNS) Dynamic Update
+             Secure Domain Name System (DNS) Dynamic Update
 
 
 Status of this Memo
@@ -35,7 +35,7 @@ Status of this Memo
    Comments should be sent to the authors or the DNSIND WG mailing list
    namedroppers@internic.net.
 
-   This draft expires on July 31, 2000.
+   This draft expires on November 12, 2000.
 
    Copyright Notice
 
@@ -49,9 +49,9 @@ Abstract
 
 
 
-Expires July 2000                                               [Page 1]
+Expires November 2000                                           [Page 1]
 
-INTERNET-DRAFT        Simple Secure Dynamic Update          January 2000
+INTERNET-DRAFT            Secure Dynamic Update                 May 2000
 
 
    to be flexible and useful while requiring as few changes to the
@@ -105,42 +105,39 @@ SIG(0), is more scalable as the public keys are stored in DNS.
 
 
 
-Expires July 2000                                               [Page 2]
+Expires November 2000                                           [Page 2]
 
-INTERNET-DRAFT        Simple Secure Dynamic Update          January 2000
+INTERNET-DRAFT            Secure Dynamic Update                 May 2000
 
 
 1.3 - Comparison of data authentication and message authentication
 
+Message based authentication, using TSIG or SIG(0), provides protection
+for the entire message with a single signing and single verification
+which, in the case of TSIG, is a relatively inexpensive MAC creation and
+check.  For update requests, this signature can establish, based on
+policy or key negotation, the authority to make the request.
+
 DNSSEC SIG records can be used to protect the integrity of individual
-RRs or RRsets in an update message.  However, this cannot sufficiently
-protect the dynamic update request.
+RRs or RRsets in a DNS message with the authority of the zone owner.
+However, this cannot sufficiently protect the dynamic update request.
+
+Using SIG records to secure RRsets in an update request is incompatible
+with the design of update, as described below, and would in any case
+require multiple expensive public key signatures and verifcations.
 
 SIG records do not cover the message header, which includes record
 counts.  Therefore, it is possibly to maliciously insert or remove
-RRsets without causing a verification failure.
-
-A SIG record can be used to protect the contents of the zone section (an
-SOA record).  Including such a SIG record in the zone section violates
-the dynamic update protocol.
+RRsets in an update request without causing a verification failure.
 
 If SIG records were used to protect the prerequisite section, it would
 be impossible to determine whether the SIGs themselves were a
 prerequisite or simply used for validation.
 
-In the update section, signing requests to add an RRset is
-straightforward, and this signature could be permanently used to protect
-the data, as specified in [RFC2535].  However, if an RRset is deleted,
-there is no data for a SIG to cover.
-
-Requiring SIGs in the zone, prerequisite, and update sections might be a
-feasible solution.  Multiple signatures would be generated and verified
-for each update, though, which requires considerable processing time.
-
-Message based authentication, using TSIG or SIG(0), avoids all of these
-problems.  Only one signature/MAC is generated for the entire message,
-and it protects the integrity of the message header and all sections, as
-well as having the advantage that only one verification is performed.
+In the update section of an update request, signing requests to add an
+RRset is straightforward, and this signature could be permanently used
+to protect the data, as specified in [RFC2535].  However, if an RRset is
+deleted, there is no data for a SIG to cover.
 
 
 1.4 - Data and message signatures
@@ -158,16 +155,15 @@ user keys MAY be used to generate SIG(0) records to authenticate updates
 and MAY be used in the TKEY [TKEY] process to generate TSIG shared
 secrets.  In both cases, no SIG records generated by non-zone keys will
 be used in a DNSSEC validation process unless local policy dictates.
+Authentication of data, once it is present in DNS, only involves DNSSEC
+zone keys and signatures generated by them.
 
 
 
-Expires July 2000                                               [Page 3]
-
-INTERNET-DRAFT        Simple Secure Dynamic Update          January 2000
 
-
-Authentication of data, once it is present in DNS, only involves DNSSEC
-zone keys and signatures generated by them.
+Expires November 2000                                           [Page 3]
+
+INTERNET-DRAFT            Secure Dynamic Update                 May 2000
 
 
 1.5 - Signatory strength
@@ -203,25 +199,6 @@ server MUST indicate failure by returning a message with RCODE REFUSED.
 Other TSIG, SIG(0), or dynamic update errors are returned as specified
 in the appropriate protocol description.
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Expires July 2000                                               [Page 4]
-
-INTERNET-DRAFT        Simple Secure Dynamic Update          January 2000
-
-
 3 - Policy
 
 All policy is configured by the zone administrator and enforced by the
@@ -236,6 +213,15 @@ sign the update is permitted to perform the requested updates.  By
 default, a principal MUST NOT be permitted to make any changes to zone
 data; any permissions MUST be enabled though configuration.
 
+
+
+
+
+Expires November 2000                                           [Page 4]
+
+INTERNET-DRAFT            Secure Dynamic Update                 May 2000
+
+
 The policy is fully implemented in the primary zone server's
 configuration for several reasons.  This removes limitations imposed by
 encoding policy into a fixed number of bits (such as the KEY RR's
@@ -270,14 +256,6 @@ of DNS itself.
 
 User types include all data types except SOA, NS, SIG, and NXT.  SOA and
 NS SHOULD NOT be modified by normal users, since these types create or
-
-
-
-Expires July 2000                                               [Page 5]
-
-INTERNET-DRAFT        Simple Secure Dynamic Update          January 2000
-
-
 modify delegation points.  The addition of SIG records can lead to
 attacks resulting in additional workload for resolvers, and the deletion
 of SIG records could lead to extra work for the server if the zone SIG
@@ -292,6 +270,14 @@ Issues concerning updates of KEY records are discussed in the Security
 Considerations section.
 
 
+
+
+
+Expires November 2000                                           [Page 5]
+
+INTERNET-DRAFT            Secure Dynamic Update                 May 2000
+
+
 3.2 - Additional policies
 
 Users are free to implement any policies.  Policies may be as specific
@@ -326,17 +312,27 @@ the server.
 
 The server MUST also, if necessary, generate a new SOA record and new
 NXT records, and sign these with the appropriate zone keys.  NXT records
+are explicitly forbidden.  SOA updates are allowed, since the
+maintenance of SOA parameters is outside of the scope of the DNS
+protocol.
+
+
+
+
+
 
 
 
-Expires July 2000                                               [Page 6]
-
-INTERNET-DRAFT        Simple Secure Dynamic Update          January 2000
 
 
-are explicitly forbidden.  SOA updates are allowed, since the
-maintenance of SOA parameters is outside of the scope of the DNS
-protocol.
+
+
+
+
+Expires November 2000                                           [Page 6]
+
+INTERNET-DRAFT            Secure Dynamic Update                 May 2000
+
 
 5 - Security considerations
 
@@ -382,37 +378,35 @@ informative comments (in alphabetical order):
 [RFC2535]  D. Eastlake, ``Domain Name System Security Extensions,'' RFC
            2065, IBM, March 1999.
 
+[TSIG]     P. Vixie (Ed.), O. Gudmundsson, D. Eastlake, B. Wellington
+           ``Secret Key Transaction Signatures for DNS (TSIG),'' draft-
+           ietf-dnsext-tsig-00.txt, ISC & NAILabs & IBM & NAILabs, March
+           2000.
 
 
 
-Expires July 2000                                               [Page 7]
+Expires November 2000                                           [Page 7]
 
-INTERNET-DRAFT        Simple Secure Dynamic Update          January 2000
+INTERNET-DRAFT            Secure Dynamic Update                 May 2000
 
 
-[TSIG]     P. Vixie (Ed.), O. Gudmundsson, D. Eastlake, B. Wellington
-           ``Secret Key Transaction Signatures for DNS (TSIG),'' draft-
-           ietf-dnsind-tsig-13.txt, ISC & NAILabs & IBM & NAILabs,
-           December 1999.
-
 [TKEY]     D. Eastlake ``Secret Key Establishment for DNS (TKEY RR),''
-           draft-ietf-dnsind-tkey-03.txt, IBM, December 1999.
+           draft-ietf-dnsext-tkey-02.txt, IBM, April 2000.
 
 [signing-auth]
            B. Wellington ``Domain Name System Security (DNSSEC) Signing
-           Authority,'' draft-ietf-dnsext-signing-auth-00.txt, NAILabs,
-           January 2000.
+           Authority,'' draft-ietf-dnsext-signing-auth-01.txt, Nominum,
+           May 2000.
 
 8 - Author's Address
 
 
    Brian Wellington
-       NAILabs
-       Network Associates
-       3060 Washington Road (Rt. 97)
-       Glenwood, MD 21738
-       +1 443 259 2369
-       <bwelling@tislabs.com>
+       Nominum, Inc.
+       950 Charter Street
+       Redwood City, CA 94063
+       +1 650 779 6022
+       <Brian.Wellington@nominum.com>
 
 
 9 - Full Copyright Statement
@@ -438,14 +432,6 @@ revoked by the Internet Society or its successors or assigns.
 This document and the information contained herein is provided on an "AS
 IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK
 FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT
-
-
-
-Expires July 2000                                               [Page 8]
-
-INTERNET-DRAFT        Simple Secure Dynamic Update          January 2000
-
-
 LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT
 INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR
 FITNESS FOR A PARTICULAR PURPOSE."
@@ -455,47 +441,5 @@ FITNESS FOR A PARTICULAR PURPOSE."
 
 
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Expires July 2000                                               [Page 9]
+Expires November 2000                                           [Page 8]
 
diff --git a/doc/draft/draft-ietf-dnsext-tkey-01.txt b/doc/draft/draft-ietf-dnsext-tkey-02.txt
index 6f9b3cc2..5cee98b5 100644
--- a/doc/draft/draft-ietf-dnsext-tkey-01.txt
+++ b/doc/draft/draft-ietf-dnsext-tkey-02.txt
@@ -1,24 +1,22 @@
 
 DNSEXT Working Group                             Donald E. Eastlake, 3rd
 INTERNET-DRAFT                                                  Motorola
-Expires: September 2000                                       March 2000
+Expires: October 2000                                         April 2000
 
 
 
                Secret Key Establishment for DNS (TKEY RR)
                ------ --- ------------- --- --- ----- ---
-                      draft-ietf-dnsext-tkey-01.txt
-
-                         Donald E. Eastlake 3rd
+                    <draft-ietf-dnsext-tkey-02.txt>
 
 
 
 Status of This Document
 
-   This draft, file name draft-ietf-dnsext-tkey-01.txt, is intended to
-   be become a Proposed Standard RFC.  Distribution of this document is
-   unlimited. Comments should be sent to the DNS working group mailing
-   list <namedroppers@ops.ietf.org> or to the author.
+   This draft is intended to be become a Proposed Standard RFC.
+   Distribution of this document is unlimited. Comments should be sent
+   to the DNS working group mailing list <namedroppers@ops.ietf.org> or
+   to the author.
 
    This document is an Internet-Draft and is in full conformance with
    all provisions of Section 10 of RFC2026.  Internet-Drafts are working
@@ -26,10 +24,11 @@ Status of This Document
    and its working groups.  Note that other groups may also distribute
    working documents as Internet-Drafts.
 
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet- Drafts as reference
-   material or to cite them other than as "work in progress."
+   Internet-Drafts are draft documents valid for a maximum of six
+   months.  Internet-Drafts may be updated, replaced, or obsoleted by
+   other documents at any time.  It is not appropriate to use Internet-
+   Drafts as reference material or to cite them other than as a
+   ``working draft'' or ``work in progress.''
 
    The list of current Internet-Drafts can be accessed at
    http://www.ietf.org/ietf/1id-abstracts.txt
@@ -55,21 +54,21 @@ Status of This Document
 
 
 
-Donald E. Eastlake 3rd                                          [Page 1]
+Donald Eastlake 3rd                                             [Page 1]
 
 
-INTERNET-DRAFT              The DNS TKEY RR                   March 2000
+INTERNET-DRAFT              The DNS TKEY RR                   April 2000
 
 
 Abstract
 
-   [draft-ietf-{dnsind|dnsext}-tsig-*.txt] provides a means of
-   authenticating Domain Name System (DNS) queries and responses using
-   shared secret keys via the TSIG resource record (RR).  However, it
-   provides no mechanism for setting up such keys other than manual
-   exchange. This document describes a TKEY RR that can be used in a
-   number of different modes to establish shared secret keys between a
-   DNS resolver and server.
+   [draft-ietf-dnsext-tsig-*.txt] provides a means of authenticating
+   Domain Name System (DNS) queries and responses using shared secret
+   keys via the TSIG resource record (RR).  However, it provides no
+   mechanism for setting up such keys other than manual exchange. This
+   document describes a TKEY RR that can be used in a number of
+   different modes to establish shared secret keys between a DNS
+   resolver and server.
 
 
 
@@ -113,10 +112,10 @@ Acknowledgments
 
 
 
-Donald E. Eastlake 3rd                                          [Page 2]
+Donald Eastlake 3rd                                             [Page 2]
 
 
-INTERNET-DRAFT              The DNS TKEY RR                   March 2000
+INTERNET-DRAFT              The DNS TKEY RR                   April 2000
 
 
 Table of Contents
@@ -148,7 +147,6 @@ Table of Contents
       4.5 Query for Resolver Assigned Keying....................12
       5. Spontaneous Server Inclusion...........................13
       5.1 Spontaneous Server Key Deletion.......................13
-      5.2 Spontaneous GSS-API Exchange..........................14
       6. Methods of Encryption..................................14
       7. IANA Considerations....................................14
       8. Security Considerations................................15
@@ -171,10 +169,11 @@ Table of Contents
 
 
 
-Donald E. Eastlake 3rd                                          [Page 3]
+
+Donald Eastlake 3rd                                             [Page 3]
 
 
-INTERNET-DRAFT              The DNS TKEY RR                   March 2000
+INTERNET-DRAFT              The DNS TKEY RR                   April 2000
 
 
 1. Introduction
@@ -186,12 +185,12 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
    security and dynamic update [RFC 2535, RFC 2136].  Familiarity with
    these RFCs is assumed.
 
-   [draft-ietf-{dnsind|dnsext}-tsig-*.txt] provides a means of
-   efficiently authenticating DNS messages using shared secret keys via
-   the TSIG resource record (RR) but provides no mechanism for setting
-   up such keys other than manual exchange. This document specifies a
-   TKEY RR that can be used in a number of different modes to establish
-   and delete such shared secret keys between a DNS resolver and server.
+   [draft-ietf-dnsext-tsig-*.txt] provides a means of efficiently
+   authenticating DNS messages using shared secret keys via the TSIG
+   resource record (RR) but provides no mechanism for setting up such
+   keys other than manual exchange. This document specifies a TKEY RR
+   that can be used in a number of different modes to establish and
+   delete such shared secret keys between a DNS resolver and server.
 
    Note that TKEY established keying material and TSIGs that use it are
    associated with DNS servers or resolvers.  They are not associated
@@ -229,13 +228,13 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
    Section 5 discusses spontaneous inclusion of TKEY RRs in responses by
 
 
-Donald E. Eastlake 3rd                                          [Page 4]
+Donald Eastlake 3rd                                             [Page 4]
 
 
-INTERNET-DRAFT              The DNS TKEY RR                   March 2000
+INTERNET-DRAFT              The DNS TKEY RR                   April 2000
 
 
-   servers.
+   servers which is currently used only for key deletion.
 
    Section 6 describes encryption methods for transmitting secret key
    information. In this document these are used only for the server
@@ -287,10 +286,10 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
    For a TKEY with a non-root name appearing in a query, the TKEY RR
 
 
-Donald E. Eastlake 3rd                                          [Page 5]
+Donald Eastlake 3rd                                             [Page 5]
 
 
-INTERNET-DRAFT              The DNS TKEY RR                   March 2000
+INTERNET-DRAFT              The DNS TKEY RR                   April 2000
 
 
    name SHOULD be a domain locally unique at the resolver, less than 128
@@ -305,30 +304,30 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
         its owner name, then the server SHOULD create a globally unique
         domain name, to be the key name, by suffixing a pseudo-random
         [RFC 1750] label with a domain name of the server.  For example
-        89n3mDgX072pp.server.example.com.  If generation of a new
+        89n3mDgX072pp.server1.example.com.  If generation of a new
         pseudo-random name in each case is an excessive computation load
         or entropy drain, a serial number prefix can be added to a fixed
         pseudo-random name generated an DNS server start time, such as
-        1001.89n3mDgX072pp.server.example.com.
+        1001.89n3mDgX072pp.server1.example.com.
 
         If the key is generated as the result of a query with a non-root
         name, say 789.resolver.example.net, then use the concatenation
         of that with a name of the server.  For example
-        789.resolver.example.net.server.example.com.
+        789.resolver.example.net.server1.example.com.
 
 
 
 2.2 The TTL Field
 
-   The TTL field is meaningless. It SHOULD always be zero to be sure
-   that older DNS implementations do not cache TKEY RRs.
+   The TTL field is meaningless in TKEY RRs. It SHOULD always be zero to
+   be sure that older DNS implementations do not cache TKEY RRs.
 
 
 
 2.3 The Algorithm Field
 
    The algorithm name is in the form of a domain name with the same
-   meaning as in [draft-ietf-{dnsind|dnsext}-tsig-*.txt].  The algorithm
+   meaning as in [draft-ietf-dnsext-tsig-*.txt].  The algorithm
    determines how the secret keying material agreed to using the TKEY RR
    is actually used to derive the algorithm specific key.
 
@@ -345,10 +344,10 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
    material provided.
 
 
-Donald E. Eastlake 3rd                                          [Page 6]
+Donald Eastlake 3rd                                             [Page 6]
 
 
-INTERNET-DRAFT              The DNS TKEY RR                   March 2000
+INTERNET-DRAFT              The DNS TKEY RR                   April 2000
 
 
    To avoid different interpretations of the inception and expiration
@@ -403,10 +402,10 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
    possible if a TKEY is spontaneously included in a response the TKEY
 
 
-Donald E. Eastlake 3rd                                          [Page 7]
+Donald Eastlake 3rd                                             [Page 7]
 
 
-INTERNET-DRAFT              The DNS TKEY RR                   March 2000
+INTERNET-DRAFT              The DNS TKEY RR                   April 2000
 
 
    RR and DNS header error field could have unrelated non-zero error
@@ -418,7 +417,7 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
 
    The key data size field is an unsigned 16 bit integer in network
    order which specifies the size of the key exchange data field in
-   octets. The meaning of the key data depends on the mode.
+   octets. The meaning of this data depends on the mode.
 
 
 
@@ -461,10 +460,10 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
 
 
 
-Donald E. Eastlake 3rd                                          [Page 8]
+Donald Eastlake 3rd                                             [Page 8]
 
 
-INTERNET-DRAFT              The DNS TKEY RR                   March 2000
+INTERNET-DRAFT              The DNS TKEY RR                   April 2000
 
 
    TKEY queries MUST be authenticated for all modes except GSS-API and,
@@ -478,6 +477,9 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
    a public (SIG(0)) key signature.  It MUST NOT use any key that the
    query is itself providing.
 
+   In the absence of required TKEY authentication, a NOTAUTH error MUST
+   be returned.
+
    To avoid replay attacks, it is necessary that a TKEY response or
    query not be valid if replayed on the order of 2**32 second (about
    136 years), or a multiple thereof, later.  To accomplish this, the
@@ -514,17 +516,17 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
    the additional information section specifying the Diffie-Hellman mode
    and accompanied by a KEY RR also in the additional information
    section specifying a resolver Diffie-Hellman key.  The TKEY RR
-   algorithm field is set to the authentication algorithm the resolver
-   plans to use. The "key data" provided in the TKEY is used as a random
-   [RFC 1750] nonce to avoid always deriving the same keying material
 
 
-Donald E. Eastlake 3rd                                          [Page 9]
+Donald Eastlake 3rd                                             [Page 9]
 
 
-INTERNET-DRAFT              The DNS TKEY RR                   March 2000
+INTERNET-DRAFT              The DNS TKEY RR                   April 2000
 
 
+   algorithm field is set to the authentication algorithm the resolver
+   plans to use. The "key data" provided in the TKEY is used as a random
+   [RFC 1750] nonce to avoid always deriving the same keying material
    for the same pair of DH KEYs.
 
    The server response contains a TKEY in its answer section with the
@@ -572,17 +574,17 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
    toss keys, although it may have to go through another key exchange if
    it later needs one.  Similarly, the server can discard keys although
    that will result in an error on receiving a query with a TSIG using
-   the discarded key.
 
-   To avoid attempted reliance in requests on keys no longer in effect,
 
-
-Donald E. Eastlake 3rd                                         [Page 10]
+Donald Eastlake 3rd                                            [Page 10]
 
 
-INTERNET-DRAFT              The DNS TKEY RR                   March 2000
+INTERNET-DRAFT              The DNS TKEY RR                   April 2000
+
 
+   the discarded key.
 
+   To avoid attempted reliance in requests on keys no longer in effect,
    servers MUST implement key deletion whereby the server "discards" a
    key on receipt from a resolver of an authenticated delete request for
    a TKEY RR with the key's name.  If the server has no record of a key
@@ -605,8 +607,7 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
    should be seen for the full description.  Basically the resolver and
    server can exchange queries and responses for type TKEY with a TKEY
    RR specifying the GSS-API mode in the additional information section
-   and a GSS-API token in the key data portion of the TKEY RR. See also
-   section 5.2.
+   and a GSS-API token in the key data portion of the TKEY RR.
 
    Any issues of possible encryption of parts the GSS-API token data
    being transmitted are handled by the GSS-API level.  In addition, the
@@ -631,23 +632,23 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
    algorithm the resolver plans to use.  It is RECOMMENDED that any "key
    data" provided in the query TKEY RR by the resolver be strongly mixed
    by the server with server generated randomness [RFC 1750] to derive
-   the keying material to be used.  The KEY RR that appears in the query
-   need not be accompanied by a SIG(KEY) RR.  If the query is
 
 
-Donald E. Eastlake 3rd                                         [Page 11]
+Donald Eastlake 3rd                                            [Page 11]
 
 
-INTERNET-DRAFT              The DNS TKEY RR                   March 2000
+INTERNET-DRAFT              The DNS TKEY RR                   April 2000
 
 
-   authenticated by the resolver with a TSIG RR [draft-ietf-
-   {dnsind|dnsext}-tsig-*.txt] or SIG(0) RR and that authentication is
-   verified, then any SIG(KEY) provided in the query SHOULD be ignored.
-   The KEY RR in such a query SHOULD have a name that corresponds to the
-   resolver but it is only essential that it be a public key for which
-   the resolver has the corresponding private key so it can decrypt the
-   response data.
+   the keying material to be used.  The KEY RR that appears in the query
+   need not be accompanied by a SIG(KEY) RR.  If the query is
+   authenticated by the resolver with a TSIG RR [draft-ietf-dnsext-
+   tsig-*.txt] or SIG(0) RR and that authentication is verified, then
+   any SIG(KEY) provided in the query SHOULD be ignored.  The KEY RR in
+   such a query SHOULD have a name that corresponds to the resolver but
+   it is only essential that it be a public key for which the resolver
+   has the corresponding private key so it can decrypt the response
+   data.
 
    The server response contains a TKEY RR in its answer section with the
    server assigned mode and echoes the KEY RR provided in the query in
@@ -689,19 +690,19 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
    section.  The name of the key and the keying data are completely
    controlled by the sending resolver so a globally unique key name
    SHOULD be used.  The KEY RR used MUST be one for which the server has
-   the corresponding private key, or it will not be able to decrypt the
-   keying material and will return a FORMERR, and no untrusted party
 
 
-Donald E. Eastlake 3rd                                         [Page 12]
+Donald Eastlake 3rd                                            [Page 12]
 
 
-INTERNET-DRAFT              The DNS TKEY RR                   March 2000
+INTERNET-DRAFT              The DNS TKEY RR                   April 2000
 
 
-   (preferably no other party than the server) has the private key, or
-   the untrusted private key holder can capture the messages to the
-   server, learn the shared secret, and spoof valid TSIGs.
+   the corresponding private key, or it will not be able to decrypt the
+   keying material and will return a FORMERR, and for which no untrusted
+   party (preferably no other party than the server) has the private
+   key, or the untrusted private key holder can capture the messages to
+   the server, learn the shared secret, and spoof valid TSIGs.
 
    The query TKEY RR inception and expiry give the time period the
    querier intends to consider the keying material valid.  The server
@@ -720,16 +721,17 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
    A DNS server may include a TKEY RR spontaneously as additional
    information in responses.  This SHOULD only be done if the server
    knows the querier understands TKEY and has this option implemented.
-   This technique can be used for GSS-API exchange, and to delete a key.
-   A disadvantage of this technique is that there is no way for the
-   server to get any error or success indication back and, in the case
-   of UDP, no way to even know if the DNS response reached the resolver.
+   This technique can be used to delete a key and may be specified for
+   modes defined in the future.  A disadvantage of this technique is
+   that there is no way for the server to get any error or success
+   indication back and, in the case of UDP, no way to even know if the
+   DNS response reached the resolver.
 
 
 
 5.1 Spontaneous Server Key Deletion
 
-   A server can optionally tell a client that it has deleted a symmetric
+   A server can optionally tell a client that it has deleted a secret
    key by spontaneously including a TKEY RR in the additional
    information section of a response with the key's name and specifying
    the key deletion mode.  Such a response SHOULD be authenticated.  If
@@ -748,28 +750,10 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
 
 
 
-
-
-
-Donald E. Eastlake 3rd                                         [Page 13]
+Donald Eastlake 3rd                                            [Page 13]
 
 
-INTERNET-DRAFT              The DNS TKEY RR                   March 2000
-
-
-5.2 Spontaneous GSS-API Exchange
-
-   A server can spontaneously include in the additional information
-   section of a response, a GSS-API mode TKEY RR.  The information in
-   the key data section of such a TKEY is a GSS-API token which SHOULD
-   be fed by the resolver to its local GSS-API implementation.  If such
-   a response is authenticated, the authentication MAY be verify before
-   processing the data.  To the extent that GSS-API provides its own
-   security, such a response need not be authenticated.  To the extent
-   that GSS-API handles duplicated messages, such a spontaneous TKEY
-   could be sent repeatedly, until, for example, a response via a GSS-
-   API mode TKEY query is received. See also section 4.3.
-
+INTERNET-DRAFT              The DNS TKEY RR                   April 2000
 
 
 6. Methods of Encryption
@@ -788,16 +772,17 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
    symmetric algorithms.
 
    If the KEY RR specifies the RSA algorithm, then the keying material
-   is encrypted as per the description of RSA encryption in PKCS#1 [RFC
-   2437].  (Note, the secret keying material being sent is directly RSA
-   encrypted in PKCS#1 format, It is not "enveloped" under some other
-   symmetric algorithm.)  In the unlikely event that the keying material
-   will not fit within one RSA modulus of the chosen public key,
-   additional RSA encryption blocks are included.  The length of each
-   block is clear from the public RSA key specified and the PKCS#1
-   padding makes it clear what part of the encrypted data is actually
-   keying material and what part is formatting or the required at least
-   eight bytes of random [RFC 1750] padding.
+   is encrypted as per the description of RSAES-PKCS1-v1_5 encryption in
+   PKCS#1 [RFC 2437].  (Note, the secret keying material being sent is
+   directly RSA encrypted in PKCS#1 format. It is not "enveloped" under
+   some other symmetric algorithm.)  In the unlikely event that the
+   keying material will not fit within one RSA modulus of the chosen
+   public key, additional RSA encryption blocks are included.  The
+   length of each block is clear from the public RSA key specified and
+   the RSAES-PKCS1-v1_5 padding makes it clear what part of the
+   encrypted data is actually keying material and what part is
+   formatting or the required at least eight bytes of random [RFC 1750]
+   padding.
 
 
 
@@ -807,14 +792,6 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
 
    Mode field values 0x0000 through 0x00FF, and 0XFF00 through 0XFFFF
    can only be assigned by an IETF standards action.  Special
-
-
-Donald E. Eastlake 3rd                                         [Page 14]
-
-
-INTERNET-DRAFT              The DNS TKEY RR                   March 2000
-
-
    consideration should be given before the allocation of meaning for
    Mode field values 0x0000 and 0xFFFF.
 
@@ -829,6 +806,14 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
    Standard should not be changed later just because that standard's
    status is changed to Proposed.
 
+
+
+Donald Eastlake 3rd                                            [Page 14]
+
+
+INTERNET-DRAFT              The DNS TKEY RR                   April 2000
+
+
    The following assignments are documented herein:
 
        RR Type 249 for TKEY.
@@ -844,7 +829,7 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
 
    The entirety of this specification is concerned with the secure
    establishment of a shared secret between DNS clients and servers in
-   support of TSIG.
+   support of TSIG [draft-ietf-dnsext-tsig-*.txt].
 
    Protection against denial of service via the use of TKEY is not
    provided.
@@ -867,10 +852,24 @@ INTERNET-DRAFT              The DNS TKEY RR                   March 2000
 
 
 
-Donald E. Eastlake 3rd                                         [Page 15]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Donald Eastlake 3rd                                            [Page 15]
 
 
-INTERNET-DRAFT              The DNS TKEY RR                   March 2000
+INTERNET-DRAFT              The DNS TKEY RR                   April 2000
 
 
 References
@@ -917,7 +916,7 @@ References
    RFC 2539 - D. Eastlake, "Storage of Diffie-Hellman Keys in the Domain
    Name System (DNS)", March 1999.
 
-   draft-ietf-{dnsind|dnsext}-tsig-*.txt - P. Vixie, O. Gudmundsson, D.
+   draft-ietf-dnsext-tsig-*.txt - P. Vixie, O. Gudmundsson, D.
    Eastlake, "Secret Key Transaction Signatures for DNS (TSIG)".
 
 
@@ -925,10 +924,10 @@ References
 
 
 
-Donald E. Eastlake 3rd                                         [Page 16]
+Donald Eastlake 3rd                                            [Page 16]
 
 
-INTERNET-DRAFT              The DNS TKEY RR                   March 2000
+INTERNET-DRAFT              The DNS TKEY RR                   April 2000
 
 
 Author's Address
@@ -940,16 +939,16 @@ Author's Address
 
    Telephone:   +1 914-276-2668 (h)
                 +1 508-261-5434 (w)
-   FAX:         +1 914-276-2947 (h)
+   FAX:         +1 508-261-4447 (w)
    email:       Donald.Eastlake@motorola.com
 
 
 
 Expiration and File Name
 
-   This draft expires August 2000.
+   This draft expires October 2000.
 
-   Its file name is draft-ietf-dnsext-tkey-01.txt.
+   Its file name is draft-ietf-dnsext-tkey-02.txt.
 
 
 
@@ -983,5 +982,5 @@ Expiration and File Name
 
 
 
-Donald E. Eastlake 3rd                                         [Page 17]
+Donald Eastlake 3rd                                            [Page 17]
 
diff --git a/doc/draft/draft-ietf-dnsext-zone-status-00.txt b/doc/draft/draft-ietf-dnsext-zone-status-01.txt
index e6b788b5..af7c85bb 100644
--- a/doc/draft/draft-ietf-dnsext-zone-status-00.txt
+++ b/doc/draft/draft-ietf-dnsext-zone-status-01.txt
@@ -1,10 +1,9 @@
-DNSEXT WG                                           Edward Lewis
-INTERNET DRAFT                                      NAI Labs
-Category:I-D                                        Feburary 1, 2000
+DNSEXT WG                                               Edward Lewis
+INTERNET DRAFT                                          NAI Labs
+Category:I-D                                            April 13, 2000
 
-
-           DNS Security Extension Clarification on Zone Status
-                <draft-ietf-dnsext-zone-status-00.txt>
+       DNS Security Extension Clarification on Zone Status
+             <draft-ietf-dnsext-zone-status-01.txt>
 
 Status of this Memo
 
@@ -29,7 +28,7 @@ http://www.ietf.org/shadow.html.
 Comments should be sent to the authors or the DNSIND WG mailing list
 namedroppers@internic.net.
 
-This draft expires on August 1, 2000.
+This draft expires on October 13, 2000.
 
 Copyright Notice
 
@@ -38,7 +37,7 @@ Copyright (C) The Internet Society (1999, 2000).  All rights reserved.
 Abstract
 
 The definition of a secured zone is presented, updating RFC 2535.  The
-new definition has consequences which alter the interpretation of the
+new definition has consequences that alter the interpretation of the
 NXT record, obsolete NULL keys, and the designation of "experimentally
 secure."
 
@@ -54,11 +53,11 @@ asks the question upon receipt of data belonging to the zone.
 
 A zone administrator needs to be able to determine what steps are
 needed to make the zone as secure as it can be.  Realizing that due to
+the distributed nature of DNS and its administration, any single zone
 
-Expires August 1, 2000                                       [Page  1]
-DNS Security Extension Clarification on Zone Status   February 1, 2000
+Expires October 13, 2000                                     [Page  1]
+DNS Security Extension Clarification on Zone Status     April 13, 2000
 
-the distributed nature of DNS and its administration, any single zone
 is at the mercy of other zones when it comes to the appearance of
 security.  This document will define what makes a zone qualify as
 secure (absent interaction with other zones).
@@ -89,44 +88,65 @@ secured.
 This document updates several sections of RFC 2535.  The definition of
 a secured zone is an update to section 3.4 of the RFC.  The document
 updates section 2.3.4, by specifying a replacement for the NULL zone
-keys.  The document also updates section 3.4 to eliminate the
-definition of experimental keys and illustrate a way to still achieve
-the functionality they were designed to provide.
+keys.  Section 3.4 is updated to eliminate the definition of
+experimental keys and illustrate a way to still achieve the
+functionality they were designed to provide.  Section 3.1.3 is updated
+by the specifying the value of the protocol octet in a zone key.
 
 2 Status of a Zone
 
 In this section, rules governing a zone's DNSSEC status are presented.
-There are three levels of security defined; full, private, and
+There are three levels of security defined: full, private, and
 unsecured.  A zone is fully secure when it complies with the strictest
 set of DNSSEC processing rules.  A zone is privately secured when it
 is configured in such a way that only resolvers that are appropriately
 configured see the zone as secured.  All other zones are unsecured.
 
-Note: there currently is no other document completely defining DNSSEC
-processing rules.  For the purposes of this document, the strictest
+Note: there currently is no document completely defining DNSSEC
+verification rules.  For the purposes of this document, the strictest
 rules are assumed to state that the verification chain of zone keys
 parallels the delegation tree up to the root zone.  This is not
 intended to disallow alternate verification paths, just to establish a
 baseline definition.
 
-To avoid repetition in the rules below, the following term is defined.
+To avoid repetition in the rules below, the following terms are
+defined.
 
-2.a. Zone signing KEY RR - A KEY RR whose flag field has the value 01
 
-Expires August 1, 2000                                       [Page  2]
-DNS Security Extension Clarification on Zone Status   February 1, 2000
+Expires October 13, 2000                                     [Page  2]
+DNS Security Extension Clarification on Zone Status     April 13, 2000
 
+2.a. Zone signing KEY RR - A KEY RR whose flag field has the value 01
 for name type (indicating a zone key) and either value 00 or value 01
 for key type (indicating a key permitted to authenticate data).  (See
 RFC 2535, section 3.1.2).  The KEY RR also has a protocol octet value
 of DNSSEC (3) or All (255).
 
+The definition updates RFC 2535's definition of a zone key.  The
+requirement that the protocol field be either DNSSEC or All is a new
+requirement.
+
+2.b On-tree Validation - The authorization model in which only the
+parent zone can is recognized to supply a DNSSEC-meaningful signature
+that is used by a resolver to build a chain of trust from the child's
+keys to a recognized root of security.  The term "on-tree" refers to
+following up the DNS domain hierarchy to reach a trusted key,
+presumably the root key if no other key is available.  The term
+"validation" refers to the digital signature by the parent to prove
+the integrity, authentication and authorization of the child' key to
+sign the child's zone data.
+
+2.c Off-tree Validation - Any authorization model that permits domain
+names other than the parent's to provide a signature over a child's
+zone keys that will enable a resolver to trust the keys.
+
 2.1 Fully Secured
 
 A fully secured zone, in a nutshell, is a zone that uses only
 mandatory to implement algorithms (RFC 2535, section 3.2) and relies
-on a key certification chain that parallels the delegation tree. Fully
-secured zones are defined by the following rules.
+on a key certification chain that parallels the delegation tree
+(on-tree validation).  Fully secured zones are defined by the
+following rules.
 
 2.1.a. The zone's apex MUST have a KEY RR set.  There MUST be at least
 one zone signing KEY RR (2.a) of a mandatory to implement algorithm in
@@ -138,7 +158,8 @@ be a zone signing KEY RR (2.a) of a mandatory to implement algorithm
 and owned by the parent's apex.
 
 If a zone cannot get a conforming signature from the parent zone, the
-child zone cannot be considered fully secured.
+child zone cannot be considered fully secured.  The only exception to
+this is the root zone, for which there is no parent zone.
 
 2.1.c. NXT records MUST be deployed throughout the zone. (Updates RFC
 2535, section 2.3.2.)  Note: there is some operational discomfort with
@@ -149,30 +170,43 @@ using an alternate method.
 
 2.1.d. Each RR set that qualifies for zone membership MUST be signed
 by a key that is in the apex's KEY RR set and is a zone signing KEY RR
+
+Expires October 13, 2000                                     [Page  3]
+DNS Security Extension Clarification on Zone Status     April 13, 2000
+
 (2.a) of a mandatory to implement algorithm.  (Updates 2535, section
 2.3.1.)
 
+Mentioned earlier, the root zone is a special case.  Defining what
+constitutes a secure root zone is difficult, as the discussion on
+securing the root zone has not come to a consensus in an open forum. 
+However, the security of the root zone will be determined by the
+preconfiguration of a trusted key in resolvers.  Who generates and
+distributes the trusted key is an open issue.
+
 2.2 Privately Secured
 
+Note that the term "privately" is open to debate...
+
 A privately secured zone is a zone that complies with rules like those
-for fully secured, with the following exceptions.  The signing keys
-may be of an algorithm that is not mandatory to implement and/or the
-verification of the zone keys in use may rely on a verification chain
-that is not parallel to the delegation tree.
+for a fully secured zone with the following exceptions.  The signing
+keys may be of an algorithm that is not mandatory to implement and/or
+the verification of the zone keys in use may rely on a verification
+chain that is not parallel to the delegation tree (off-tree
+validation).
 
 2.2.a. The zone's apex MUST have a KEY RR set.  There MUST be at least
 one zone signing KEY RR (2.a) in the set.
 
 2.2.b. The zone's apex KEY RR set MUST be signed by a private key and
-one of the following two sentences MUST hold true.  The private key's
-public companion MUST be preconfigured in all the resolvers of
-interest.  The private key's public component MUST be a zone signing
-KEY RR (2.a) authorized to provide validation of the zone's apex KEY
-RR set, as recognized by resolvers of interest.
+one of the following two subclauses MUST hold true.
 
+2.2.b.1 The private key's public companion MUST be preconfigured in
+all the resolvers of interest.
 
-Expires August 1, 2000                                       [Page  3]
-DNS Security Extension Clarification on Zone Status   February 1, 2000
+2.2.b.2 The private key's public component MUST be a zone signing KEY
+RR (2.a) authorized to provide validation of the zone's apex KEY RR
+set, as recognized by resolvers of interest.
 
 The previous sentence is trying to convey the notion of using a
 trusted third party to provide validation of keys.  If the domain name
@@ -184,7 +218,7 @@ represent someone the resolver trusts to provide validation.
 
 2.2.d. Each RR set that qualifies for zone membership MUST be signed
 by a key that is in the apex's KEY RR set and is a zone signing KEY RR
-(2.a).  (Updates 2535, section 2.3.1.)
+(2.a)..  (Updates 2535, section 2.3.1.)
 
 2.3 Unsecured
 
@@ -192,6 +226,12 @@ All other zones qualify as unsecured.  This includes zones that are
 designed to be experimentally secure, as defined in a later section on
 that topic.
 
+
+
+
+Expires October 13, 2000                                     [Page  4]
+DNS Security Extension Clarification on Zone Status     April 13, 2000
+
 2.4 Wrap up
 
 The designation of fully secured, privately secured, and unsecured are
@@ -202,7 +242,7 @@ a zone as secured or unsecured.
 Resolvers that follow the most restrictive DNSSEC verification rules
 will only see fully secured zones as secured, and all others as
 unsecured, including zones which are privately secured.  Resolvers
-which are not as restrictive, such as those that implement algorithms
+that are not as restrictive, such as those that implement algorithms
 in addition to the mandatory to implement algorithms, will see some
 privately secured zones as secured.
 
@@ -216,7 +256,7 @@ security standards.
 3 Parental Notification
 
 For a resolver to come to a definitive answer concerning a zone's
-security status, there is a requirement that the parent of a zone
+security status there is a requirement that the parent of a zone
 signify whether the child zone is signed or not.  The justification of
 this requirement requires a discussion of the resolver's activity,
 which is described in RFC 2535.
@@ -224,24 +264,32 @@ which is described in RFC 2535.
 In RFC 2535, a parent is required to hold a NULL key for an unsigned
 child (a bone of contention here is how this works in light of
 multiple algorithms).  The parent has the option to hold the keys of
-the child if the child is signed. The parent may also hold nothing
+the child if the child is signed.  The parent may also hold nothing
 cryptographic if the child is signed.  This, of course, assumes the
 parent is a signed zone.
 
-
-Expires August 1, 2000                                       [Page  4]
-DNS Security Extension Clarification on Zone Status   February 1, 2000
+RFC 2535 does permit the following case, a child zone that uses DNSSEC
+capable software yet chooses to remain unsecured could hold a signed
+NULL key delivered from the parent.  This is considered to be a rare
+condition, a zone administrator that goes to the trouble to get the
+keys from the parent and have it signed will likely just sign the
+whole zone, or leave the NULL key to the parent.
 
 There is a strong case for discouraging a parent from holding keys of
-a signed child.  These include concrete concerns about performance and
-more abstract concerns about the liability of the parent.
+a signed child, or an unsigned child for that matter.  These include
+concrete concerns about performance and more abstract concerns about
+the liability of the parent.
 
 DNS [RFC 1034 and 1035] requires a parent to hold NS records for a
 child zone, this signifies the delegation.  RFC 2535 requires a
 secured parent to also have signed NXT records for the child, and
-possibly a signed KEY RR set (required for NULL key situations).
+possibly a signed KEY RR set (required for some NULL key situations).
 
 By redefining the security status of a zone to be per zone and not per
+
+Expires October 13, 2000                                     [Page  5]
+DNS Security Extension Clarification on Zone Status     April 13, 2000
+
 algorithm, there is an opportunity to completely remove the need for a
 KEY RR set in the parent.  Because the question of whether the zone is
 secure or not is a yes-or-no question, the notification needs just one
@@ -256,10 +304,10 @@ supposed to hold.  (E.g., if a parent zone's name server caches the
 SOA for the child, the SOA is not in the parent zone, but is in the
 server's cache.)
 
-3.1 Child Is Secured Bit
+3.1 Child Has Keys Bit
 
-This section is written assuming the current definition of NXT holds. 
-There is some controversy surrounding the NXT record which may result
+This section is written assuming the current definition of NXT holds.
+There is some controversy surrounding the NXT record, which may result
 in a complete replacement of it for proof of non-existence.  The
 current NXT definition provides an extension bit in the types present
 bit map, whose use is remains incompletely defined.  The following
@@ -267,40 +315,53 @@ text largely ignores these uncertainties, and should be rewritten to
 accommodate these uncertainties in revisions.
 
 In the parent's half of the delegation point, there will be an NXT
-record.  According to the rules for a delegation point, only the NS,
-NXT, and SIG bits will be turned on in the types present field,
-assuming we drop the KEY set altogether.
+record, called an "upper" NXT.  According to the rules for a
+delegation point, only the NS, NXT, and SIG bits will be turned on in
+the types present field, assuming we drop the KEY set altogether.
 
 The KEY bit in the parent's NXT types present bit map is hereby
-redefined to have the following meaning.
-
-If the bit corresponding to the KEY RR set in a parent NXT is set, the
-parent has signed a KEY RR set for the child that includes a zone
-signing KEY RR (2.a).  Furthermore, the validity period on the SIG
-(KEY) RR covers the current time and the public component of the key
-used to generate the SIG (KEY) RR is validly available from the
-parent.
-
-E.g., Assume the zone "test." signs a key for "zone1.test.," with the
-signature valid from May 1st to June 1st and a public key from "test."
-available from April 1st until July 1st.  The NXT record for
-"zone1.test." will have the KEY RR bit set from May 1st to June 1st.
-
-
-Expires August 1, 2000                                       [Page  5]
-DNS Security Extension Clarification on Zone Status   February 1, 2000
-
-This constraint may be enforced in the SIG (NXT) RR validity period,
-timely editing of the master file, or whatever other mechanism "test."
-chooses to implement.
-
-Conversely, if the bit is 0, then the child is not secured.  Note that
-for a fully secured zone (section 2.1), the bit is on (1).  For all
-unsecured zones (section 2.3) the bit is off (0).  For privately
-secured zones (section 2.2), the setting of the bit is determined by
-whether the parent signs the child's keys or not.  Hence, for
-privately secured zones, the parent may have no responsibility.  A
-child wishing to have the parent set the bit must contact the parent.
+redefined to have the following meaning.  (Note that this applies to
+just delegation points.)
+
+If the bit corresponding to the KEY RR set in an upper NXT is set, the
+parent has generated and issued a currently valid SIG (KEY) RR
+validating the child's apex KEY RR set.  Note that this does not
+require the child to include either a zone signing KEY RR (2.a) or a
+NULL zone KEY RR.  This does assume that only on-tree validation (2.b)
+is in use.
+
+The temporal validity of the bit's setting may be enforced in the SIG
+(NXT) RR validity period, timely editing of the master file, dynamic
+updates, or whatever another mechanism.
+
+If a child submits a key set to the parent for validation that does
+not include a zone signing KEY RR (2.a), then the child will remain
+unsecured although the upper NXT KEY RR bit will be set to 1 by the
+parent.  A resolver seeing this will know to look for a child key set,
+and see that there is no zone signing KEY RR (2.a) and know to treat
+the child as unsecured.
+
+If a NULL zone KEY RR is seen, the resolver ignores it.  If a NULL key
+is the only zone key, then the resolver will deduce the child is
+unsecured as in the previous paragraph.  If there is both a NULL and
+
+Expires October 13, 2000                                     [Page  6]
+DNS Security Extension Clarification on Zone Status     April 13, 2000
+
+one or more zone signing KEY RR (2.a), then the zone is considered
+signed in the algorithm(s) identified in the signing capable key(s).
+
+If the bit is 0 then the child has not submitted a KEY RR set for
+validation, hence is to be considered unsigned.
+
+Note that for a fully secured zone (section 2.1), the bit is on (1). 
+For all unsecured zones (section 2.3) the bit is either off (0) or on
+(1) with a NULL KEY and no zone signing KEY RR at the apex.  For
+privately secured zones (section 2.2), the setting of the bit is
+determined by whether the parent signs the child's keys or not. 
+Hence, for privately secured zones, the parent may have no
+responsibility.  A child wishing to have the parent set the bit must
+contact the parent.
 
 3.2 Rules Governing the Bit
 
@@ -310,15 +371,15 @@ the NXT.  This is in anticipation of a change in the way NXT indicates
 types present (e.g., if bit 0 of the field is defined) or a successor
 to the NXT is defined.
 
-3.2.a. At a delegation point, a parent zone MUST have a mechanism in
-place to indicate which RR sets are present.  The mechanism MUST
-indicate that the NS, SIG, and the type(s) corresponding to the
-mechanism itself are present (of course, with these types actually
-being present).  With the exception of the KEY RR type, all other
-types MUST be indicated as not present, and, in accordance with
-delegation rules, actually be absent from the zone.  If, in the
-future, other data is permitted to be present at a delegation point,
-this requirement MUST be amended.
+3.2.a. At a delegation point, a secured parent zone MUST have a
+mechanism in place to indicate which RR sets are present.  The
+mechanism MUST indicate that the NS, SIG, and the type(s)
+corresponding to the mechanism itself are present (of course, with
+these types actually being present).  With the exception of the KEY RR
+type, all other types MUST be indicated as not present, and, in
+accordance with delegation rules, actually be absent from the zone. 
+If, in the future, other data is permitted to be present at a
+delegation point, this requirement MUST be amended.
 
 Assuming the NXT record, the above requirement reads as follows.  At a
 delegation point, a parent zone must have a secured NXT record.  This
@@ -337,33 +398,30 @@ If the parent has issued signatures with discontinuous validity spans,
 then the presence of the KEY set will flip from present to not present
 and back as time progresses.
 
-If the parent is aware that the child's keys are becoming valid or
-will be becoming invalid at a certain point in time, it is recommended
-that this be reflected in the NXT's signature validity period.
-
 3.2.c. When signing a child's KEY RR set, a parent SHOULD carefully
 consider the algorithm of the key used to generate the signature.  The
 parent SHOULD make clear to child zones what steps are to be taken to
 
-Expires August 1, 2000                                       [Page  6]
-DNS Security Extension Clarification on Zone Status   February 1, 2000
+
+Expires October 13, 2000                                     [Page  7]
+DNS Security Extension Clarification on Zone Status     April 13, 2000
 
 get the parent to indicate that the child is signed.  This document
 will go no further in specifying operational considerations.
 
 (Let's say the parent signs the child's key set with an algorithm the
 child can't process.  The child could elect not to advertise this
-signature as it cannot verify that the signature covers the real key
+signature, as it cannot verify that the signature covers the real key
 set.  If this happens, is the parent justified in claiming that the
 child is secured?)
 
-3.2.d. The parent MUST allow the child, through some trusted, probably
-non-DNS mechanism, to request that the indication of the KEY set in
-the NXT be turned off.  This allows a child to revert to an unsigned
-state.
+3.2.d. The parent MUST have the capability to allow the child, through
+some trusted, probably non-DNS mechanism, to request that the
+indication of the KEY set to be turned off.  This allows a child to
+revert to an unsigned state.
 
 3.2.e. The parent SHOULD NOT allow the child to request that the KEY
-set be indicated in the absence of a key signing request.
+set be indicated as present in the absence of a key signing request.
 
 3.3 Operational Considerations
 
@@ -385,13 +443,16 @@ query for the upper NXT may be confused for a lower NXT query.  This
 is akin to the issue of the ANY query, where a server with some cached
 data will answer with just that and not seek the rest of the data.
 
+Note that distinguishing between an upper and lower NXT is a trivial
+operation, especially so if the SIG RR is available.
+
 A resolver may know the child's server's addresses and the parent zone
 may not be sharing servers with the child.  In this case the resolver
 will need to be able to locate the parent zones (possibly having to go
 to the root servers and descend) in order to obtain the upper NXT
 record.
 
-A potential solution to this is to define an NXT meta-query which will
+A potential solution to this is to define an NXT meta-query that will
 force a recursive server to find all available NXT RR sets for a given
 name.  Details of this have not been examined.
 
@@ -399,13 +460,14 @@ name.  Details of this have not been examined.
 
 Dynamic update [RFC 2136, draft-ietf-dnsext-simple-secure-update-
 xy.txt] defines a means by which a zone can change without undergoing
+
+Expires October 13, 2000                                     [Page  8]
+DNS Security Extension Clarification on Zone Status     April 13, 2000
+
 a full reload.  This combination of dynamic update and the proposed
 use of the NXT record to signify a child's status raises some
 concerns.
 
-Expires August 1, 2000                                       [Page  7]
-DNS Security Extension Clarification on Zone Status   February 1, 2000
-
 First a few elements need to be labeled.  There is an off-line signer,
 which is the process that signs zone data files away from the name
 server.  There is an on-line signer, part of a name server, that the
@@ -415,12 +477,12 @@ requests for parent signatures over each child zone's keys.
 
 The proposal depicted in this draft relies upon the on-line key
 validator informing the on-line and off-line signers of the status of
-a child, recall that the status of a child has a temporal element. 
+a child, recall that the status of a child has a temporal element.
 E.g., a signature may be generated for just the month of July, so the
-child is secured for the month of July, but not August.
+child is secured for the month of July, but not the month of August.
 
-The first issues pertain to the way in which a validation is encoded
-in an NXT record by the off-line signer.  There is a need for the
+The first issues pertain to the way in which an off-line signer comes
+to encode a validation in an NXT record.  There is a need for the
 status information to flow from the on-line validator to the off-line
 signer and then be used as input to the signing process.  The way that
 this information makes the transition is an issue.  The second issue
@@ -456,13 +518,12 @@ needed is not currently covered by a valid signature?
 
 Through the use of the types present to indicate the existence of a
 signature validating the KEY set of a child, the need for NULL keys
-effectively disappears.  NULL keys are left as a defined entity, but
-are rendered meaningless in DNSSEC.
-
 
+Expires October 13, 2000                                     [Page  9]
+DNS Security Extension Clarification on Zone Status     April 13, 2000
 
-Expires August 1, 2000                                       [Page  8]
-DNS Security Extension Clarification on Zone Status   February 1, 2000
+effectively disappears.  NULL keys are left as a defined entity, but
+are rendered meaningless in DNSSEC.
 
 5 Experimental Status
 
@@ -515,12 +576,12 @@ RFC 1034, November 1987.
 [RFC1035] P. Mockapetris, "Domain Names - Implementation and
 Specification," RFC 1034, November 1987.
 
-[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
-Requirement Levels," RFC 2119, March 1997
 
+Expires October 13, 2000                                     [Page 10]
+DNS Security Extension Clarification on Zone Status     April 13, 2000
 
-Expires August 1, 2000                                       [Page  9]
-DNS Security Extension Clarification on Zone Status   February 1, 2000
+[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
+Requirement Levels," RFC 2119, March 1997
 
 [RFC2136] P. Vixie (Ed.), S. Thomson, Y. Rekhter, J. Bound "Dynamic
 Updates in the Domain Name System," RFC 2136, April 1997.
@@ -529,7 +590,7 @@ Updates in the Domain Name System," RFC 2136, April 1997.
 2535, March 1999.
 
 [draft-ietf-dnsext-simple-secure-update-xy.txt] B. Wellington, "Simple
-Secure Domain Name System (DNS) Dynamic Update", version 00, February
+Secure Domain Name System (DNS) Dynamic Update," version 00, February
 2000.
 
 10 Author Information
@@ -574,7 +635,6 @@ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
 
 
 
+Expires October 13, 2000                                     [Page 11]
 
 
-
-Expires August 1, 2000                                       [Page 10]
diff --git a/doc/draft/draft-ietf-dnsind-dddd-01.txt b/doc/draft/draft-ietf-dnsind-dddd-01.txt
deleted file mode 100644
index 0d3b429c..00000000
--- a/doc/draft/draft-ietf-dnsind-dddd-01.txt
+++ /dev/null
@@ -1,334 +0,0 @@
-
-DNSIND Working Group                          Brian Wellington (TISLabs)
-INTERNET-DRAFT                              Olafur Gudmundsson (TISLabs)
-                                                              April 1999
-
-<draft-ietf-dnsind-dddd-01.txt>
-
-Updates: RFC 2136
-
-
-
-      Deferred Dynamic Domain Name System (DNS) Delete Operations
-
-
-Status of this Memo
-
-   This document is an Internet-Draft and is in full conformance with
-   all provisions of Section 10 of RFC2026.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as ``work in progress.''
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html
-
-
-Abstract
-
-   This document proposes a mechanism for notifying a dynamic DNS server
-   that a delete operation should be performed at a certain point in the
-   future.  This works within the framework of the current DNS dynamic
-   update protocol, and provides needed functionality for clients with
-   leased dynamic addresses.
-
-
-
-
-
-
-
-
-
-Expires October 1999                                            [Page 1]
-
-INTERNET-DRAFT        Deferred Dynamic DNS Deletes         February 1999
-
-
-1 - Introduction
-
-Dynamic update operations for the Domain Name System [RFC1034, RFC1035]
-are defined in [RFC2136], but there is no automated method of specifying
-that records should have a fixed lifetime, or lease.
-
-1.1 - Overview of DNS Dynamic Update
-
-DNS dynamic update defines a new DNS opcode and a new interpretation of
-the DNS message if that opcode is used.  An update can specify
-insertions or deletions of data, along with prerequisites necessary for
-the updates to occur.  All tests and changes for a DNS update request
-are restricted to a single zone, and are performed at the primary server
-for the zone.  The primary server for a dynamic zone must increment the
-zone SOA serial number when an update occurs or before the next
-retrieval of the SOA.
-
-1.2 - Overview of DHCP leases
-
-DHCP [RFC2131] provides a means for a host to obtain a network address
-from a DHCP server.  The server may ``lease'' this address to the host,
-meaning that it is valid only for the period of time specified in the
-lease.  The host may may extend its lease with subsequent requests, or
-may issue a message to release the address back to the server when it is
-no longer needed.
-
-2 - Background
-
-When a host receives dynamic addresses with associated dynamic DNS
-records, the records can be updated by either the host or the DHCP
-server.  In many cases, update by the server is recommended, since the
-server maintains lease information for each address.  In some cases,
-though, the server cannot update some or all of the DNS records.  This
-happens when the DNS and DHCP server are under different administration,
-for example.
-
-A host can easily update its own DNS records when receiving information
-from the DHCP server.  It can also delete its records when shutting
-down.  If the host unexpectedly goes down, though, it cannot delete the
-records.  When the DHCP lease on the address expires and is not renewed,
-the DHCP server may reassign the address.  The DNS records now point to
-an assigned address, but not the correct address.  Until the host
-updates its records again, DNS will contain bad information.
-
-Since the DHCP and DNS servers are often not co-located with the
-clients, the possibility of a host unexpectedly going down and not
-communicating with the servers is non-trivial.
-
-
-
-
-Expires October 1999                                            [Page 2]
-
-INTERNET-DRAFT        Deferred Dynamic DNS Deletes         February 1999
-
-
-If the host could set a lease on the DNS records similar to that on its
-address, the DNS records would lose validity at the same time as the
-address.  This would prevent bad information from remaining in DNS.  DNS
-has no such provision for leases, though, since this would require
-storing a lease time along with each record (or each record in a dynamic
-zone).
-
-An alternative method is suggested.  A ``delete'' update is sent along
-with the ``add'' update, but the delete is marked in such a way that it
-will not be exectuted immediately.  Instead, it will be stored for the
-specified amount of time before being applied.  If the host wishes to
-extend or shorten the lifetime of the DNS record(s), it can replace the
-``deferred delete'' record, which will reset the lease time of the
-record(s).  The ``deferred delete'' record would, of course, also be
-removed if a normal delete update was received.
-
-3 - Protocol changes
-
-When doing a delete update operation as defined in [RFC2136] (deleting
-an RR, an RRset, or all RRset from a name), the TTL field MUST be
-specified as 0.  An [RFC2136] compliant server will silently ignore (*)
-an update record with a non-zero TTL.  This document overloads the TTL
-field.  If TTL is non-zero, the value represents the number of seconds
-(a 32 bit unsigned integer) before which the delete will be applied to
-the zone.  Thus, the delete operation will be deferred for that number
-of seconds, where the number of seconds indicates the lease time.  A 32
-bit integer provides for a lease time of over 136 years, which should be
-long enough for most uses.
-
-3.1 - Storage and execution
-
-Deferred delete records are stored, persistently, by the name server.
-The name server SHOULD attempt to evaluate the deletes in a timely
-manner.  If multiple deferred deletes are sent in the same DNS message
-with the same TTL value, they MUST be processed atomically if processed
-as planned (that is, none of the deferred deletes are updated or
-cancelled).
-
-3.2 - Processing of deferred deletes
-
-When a deferred delete is received, the server must check to see if it
-matches an existing deferred delete records, where matching indicates
-the same name, type, class, and rdata.  If a match is found, the new
-deferred delete MUST replace the old one.  If the deferred delete does
-not refer to any record in the server, it should fail as a normal delete
-would.
-
-
-
-
-
-Expires October 1999                                            [Page 3]
-
-INTERNET-DRAFT        Deferred Dynamic DNS Deletes         February 1999
-
-
-3.3 - Processing of normal deletes
-
-When a normal delete is received and accepted, the server SHOULD purge
-any matching deferred delete records.
-
-3.4 - Processing of cancellations
-
-The value 0xFFFFFFFF (the largest unsigned 32 bit integer) in the TTL
-field has a special meaning.  If a delete containing this lease time is
-received, the server will unconditionally remove any matching deferred
-deletes.  If no deferred delete matches, this request will be silently
-ignored.
-
-3.5 - Processing of adds
-
-When data is added through a dynamic update which matches a deferred
-delete, there is no additional processing done.
-
-4 - TTL handling
-
-Any record that may be deleted SHOULD have a short TTL compared to its
-lease time, to prevent deleted data from being cached past its
-expiration.
-
-When the time until an RR is deleted becomes low enough, the server MAY
-modify the TTL of the RRset.  Whenever the TTL is automatically reduced
-by this process, the zone will be considered ``changed'' for the purpose
-of automatic SOA SERIAL increment (as in [RFC2136]) and real time zone
-slave notification [RFC1996].  As these operations can potentially be
-expensive (more so if DNSSEC [RFC2535] signatures must be regenerated),
-the specific limits and effects are left to the implementation.
-
-If the TTL is modified by the server, it is not reset if the lease is
-renewed.  Therefore, the original RR SHOULD be sent with the lease
-renewal if the client expects that the server has modified the TTL.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Expires October 1999                                            [Page 4]
-
-INTERNET-DRAFT        Deferred Dynamic DNS Deletes         February 1999
-
-
-5 - Usage
-
-Normally, a deferred delete update will initially be sent along with an
-add, although this is not required.  Further updates to the deferred
-delete may be sent independently, although the add should be sent again.
-If the deferred delete is associated with a leased address, the lease
-time of the update SHOULD be approximately equal to the lease time of
-the address.
-
-6 - Protocol robustness
-
-This protocol has no inherent protection against replayed messages,
-which can either originate from an attack or faulty hardware.  To
-prevent this problem, prerequisites should be used in the update
-message, such as a test for the existence of a TXT record describing the
-lease, which would be added along with the other records (see [RFC2136],
-section 5).
-
-7 - Security considerations
-
-This addition to the dynamic DNS protocol does not affect the security
-of the protocol.  If security is desired, TSIG [TSIG] and/or DNSSEC
-[RFC2535] authentication should be used, as specified in [simple-update]
-or [RFC2137, update2].  The authors strongly recommend using security
-along with this protocol.
-
-If a DNSSEC signed-zone is modified with deferred deletes, the server
-must resign any affected records when the delete is executed.  No
-special processing is required when the delete is received.
-
-8 - IANA Considerations
-
-None.
-
-9 - References
-
-[RFC1034]  P. Mockapetris, ``Domain Names - Concepts and Facilities,''
-           RFC 1034, ISI, November 1987.
-
-[RFC1035]  P. Mockapetris, ``Domain Names - Implementation and
-           Specification,'' RFC 1035, ISI, November 1987.
-
-[RFC1996]  P. Vixie ``A Mechanism for Prompt Notification of Zone
-           Changes (DNS NOTIFY),'' RFC 1996, ISC, August 1996.
-
-[RFC2136]  P. Vixie (Ed.), S. Thomson, Y. Rekhter, J. Bound ``Dynamic
-           Updates in the Domain Name System,'' RFC 2136, ISC & Bellcore
-           & Cisco & DEC, April 1997.
-
-
-
-Expires October 1999                                            [Page 5]
-
-INTERNET-DRAFT        Deferred Dynamic DNS Deletes         February 1999
-
-
-[RFC2137]  D. Eastlake ``Secure Domain Name System Dynamic Update,'' RFC
-           2137, CyberCash, April 1997.
-
-[RFC2535]  D. Eastlake ``Domain Name System Security Extensions,'' RFC
-           2535, IBM, March 1999.
-
-[TSIG]     P. Vixie (ed), O. Gudmundsson, D. Eastlake, B. Wellington
-           ``Secret Key Transaction Signatures for DNS (TSIG),'' draft-
-           ietf-dnsind-tsig-08.txt, ISC & TISLabs & IBM & TISLabs,
-           February 1999.
-
-[simple-update]
-           B. Wellington ``Simple Secure Domain Name System (DNS)
-           Dynamic Update,'' draft-ietf-dnssec-simple-update-00.txt,
-           TISLabs, November 1998.
-
-[update2]  D. Eastlake ``Secure Domain Name System (DNS) Dynamic
-           Update,'' draft-ietf-dnssec-update2-00.txt, Transfinite
-           Systems Company, August 1998.
-
-8 - Author's Address
-
-
-   Brian Wellington                          Olafur Gudmundsson
-       TISLabs at Network Associates             TISLabs at Network Associates
-       3060 Washington Road, Route 97            3060 Washington Road, Route 97
-       Glenwood, MD 21738                      Glenwood, MD 21738
-       +1 443 259 2369                           +1 443 259 2389
-       <bwelling@tislabs.com>                    <ogud@tislabs.com>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Expires October 1999                                            [Page 6]
-
diff --git a/doc/draft/draft-ietf-dnsind-dddd-02.txt b/doc/draft/draft-ietf-dnsind-dddd-02.txt
new file mode 100644
index 00000000..d09a2ded
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsind-dddd-02.txt
@@ -0,0 +1,5 @@
+This Internet-Draft has expired and is no longer available.
+
+Unrevised documents placed in the Internet-Drafts directories have a
+maximum life of six months. After that time, they must be updated, or
+they will be deleted. This document was deleted on March 20, 2000.
diff --git a/doc/draft/draft-ietf-dnsind-edns1-03.txt b/doc/draft/draft-ietf-dnsind-edns1-03.txt
deleted file mode 100644
index b300eed2..00000000
--- a/doc/draft/draft-ietf-dnsind-edns1-03.txt
+++ /dev/null
@@ -1,249 +0,0 @@
-   DNSIND Working Group                                         Paul Vixie
-   INTERNET-DRAFT                                                      ISC
-   <draft-ietf-dnsind-edns1-03.txt>                                  June, 1999
-
-                          Extensions to DNS (EDNS1)
-
-   Status of this Memo
-
-      This document is an Internet-Draft and is in full conformance with
-      all provisions of Section 10 of RFC2026.
-
-      Internet-Drafts are working documents of the Internet Engineering
-      Task Force (IETF), its areas, and its working groups.  Note that
-      other groups may also distribute working documents as Internet-
-      Drafts.
-
-      Internet-Drafts are draft documents valid for a maximum of six months
-      and may be updated, replaced, or obsoleted by other documents at any
-      time.  It is inappropriate to use Internet-Drafts as reference
-      material or to cite them other than as "work in progress."
-
-      The list of current Internet-Drafts can be accessed at
-      http://www.ietf.org/ietf/1id-abstracts.txt
-
-      The list of Internet-Draft Shadow Directories can be accessed at
-      http://www.ietf.org/shadow.html.
-
-   Abstract
-
-      This document specifies a number of extensions within the Extended
-      DNS framework defined by [EDNS0], including several new extended
-      label types and the ability to ask multiple questions in a single
-      request.
-
-   1 - Rationale and Scope
-
-   1.1. EDNS (see [EDNS0]) specifies an extension mechanism to DNS (see
-   [RFC1035]) which provides for larger message sizes, additional label
-   types, and new message flags.
-
-   1.2. This document makes use of the EDNS extension mechanisms to add
-   several new extended label types and message options, and the ability to
-   ask multiple questions in a single request.
-
-   Expires December 1999                                           [Page 1]
-
-   INTERNET-DRAFT                    EDNS1                        June 1999
-
-   2 - Affected Protocol Elements
-
-   2.1. Compression pointers are 14 bits in size and are relative to the
-   start of the DNS Message, which can be 64KB in length.  14 bits restrict
-   pointers to the first 16KB of the message, which makes labels introduced
-   in the last 48KB of the message unreachable by compression pointers.  A
-   longer pointer format is needed.
-
-   2.2. DNS Messages are limited to 65535 octets in size when sent over
-   TCP.  This acts as an effective maximum on RRset size, since multiple
-   TCP messages are only possible in the case of zone transfers.  Some
-   mechanism must be created to allow normal DNS responses (other than zone
-   transfers) to span multiple DNS Messages when TCP is used.
-
-   2.3. Multiple queries in a question section have not been supported in
-   DNS due the applicability of some DNS Message Header flags (such as AA)
-   and of the RCODE field only to a single QNAME, QTYPE, and QCLASS.
-   Multiple questions per request are desirable, and some way of asking
-   them must be made available.
-
-   3 - Extended Label Types
-
-   3.1. In [EDNS0], the ``0 1'' label type was specified to denote an
-   extended label type, whose value is encoded in the lower six bits of the
-   first octet of a label, and an extended label type of ``1 1 1 1 1 1''
-   was further reserved for use in future multibyte extended label types.
-
-   3.2. The ``0 0 0 0 0 0'' extended label type will indicate an extended
-   compression pointer, such that the following two octets comprise a
-   16-bit compression pointer in network byte order.  Like the normal
-   compression pointer, this pointer is relative to the start of the DNS
-   Message.
-
-   3.3. The ``0 0 0 0 0 1'' extended label type will indicate a counted bit
-   string label as described in [CRAW98].
-
-   3.4. The ``0 0 0 0 1 0'' extended label type will indicate a ``long
-   local compression pointer'' as described in [KOCH98].
-
-   Expires December 1999                                           [Page 2]
-
-   INTERNET-DRAFT                    EDNS1                        June 1999
-
-   4 - OPT pseudo-RR Flags and Options 4.1. The extended RCODE and flags
-   are structured as follows:
-
-                    +0 (MSB)                            +1 (LSB)
-         +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
-      0: |         EXTENDED-RCODE        |            VERSION            |
-         +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
-      2: |MD |FM |RRD|LM |                       Z                       |
-         +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
-
-   EXTENDED-RCODE  Forms upper 8 bits of extended 12-bit RCODE.  (As
-                   defined by [EDNS0].)
-
-   VERSION         Indicates the implementation level of whoever sets it.
-                   Full conformance with the draft standard version of this
-                   specification is version ``1.''  Note that both
-                   requestors and responders should set this to the highest
-                   level they implement, that responders should send back
-                   RCODE=BADVERS and that requestors should be prepared to
-                   probe using lower version numbers if they receive an
-                   RCODE=BADVERS.
-
-   MD              ``More data'' flag.  Valid only in TCP streams where
-                   message ordering and reliability are guaranteed.  This
-                   flag indicates that the current message is not the
-                   complete request or response, and should be aggregated
-                   with the following message(s) before being considered
-                   complete.  Such messages are called ``segmented.''  It
-                   is an error for the RCODE (including the EXTENDED-
-                   RCODE), AA flag, or DNS Message ID to differ among
-                   segments of a segmented message.  It is an error for TC
-                   to be set on any message of a segmented message.  Any
-                   given RR must fit completely within a message, and all
-                   messages will both begin and end on RR boundaries.  Each
-                   section in a multipart message must appear in normal
-                   message order, and each section must be complete before
-                   later sections are added.  All segments of a message
-                   must be transmitted contiguously, without interleaving
-                   of other messages.
-
-   FM              ``First match'' flag.  Notable only when multiple
-                   questions are present.  If set in a request, questions
-                   will be processed in wire order and the first question
-                   whose answer would have NOERROR AND ANCOUNT>0 is treated
-
-   Expires December 1999                                           [Page 3]
-
-   INTERNET-DRAFT                    EDNS1                        June 1999
-
-                   as if it were the only question in the query message.
-                   Otherwise, questions can be processed in any order and
-                   all possible answer records will be included in the
-                   response.  Response FM should be ignored by requestors.
-
-   RRD             ``Recursion really desired'' flag.  Notable only when a
-                   request is processed by an intermediate name server
-                   (``forwarder'') who is not authoritative for the zone
-                   containing QNAME, and where QTYPE=ANY or QDCOUNT>1.  If
-                   set in a request, the intermediate name server can only
-                   answer using unexpired cached answers (either positive
-                   or negative) which were atomically acquired using (a)
-                   the same QTYPE or set of QTYPEs present in the current
-                   question and whose TTLs were each minimized to the
-                   smallest among them when first cached, and (b) the same
-                   FM and LM settings present in the current question.
-
-   LM              ``Longest match'' flag.  If this flag is present in a
-                   query message, then for any question whose QNAME is not
-                   fully matched by zone or cache data, the longest
-                   trailing label-bounded suffix of the QNAME for which
-                   zone or cache data is present will be eligible for use
-                   as an answer.  Note that an intervening wildcard name
-                   shall supercede this behaviour and the rules described
-                   in [RFC1034 4.3.2, 4.3.3] shall apply, except that the
-                   owner name of the answer will be the wildcard name
-                   rather than the QNAME.  Any of: QTYPE=ANY, or
-                   QCLASS=ANY, or QCOUNT>1, shall be considered an error if
-                   the LM flag is set.
-
-                   If LM is set in a request, then LM has meaning in the
-                   response as follows: If the content of the response
-                   would have been different without the LM flag being set
-                   on the request, then the response LM will be set; If the
-                   content of the response was not determined or affected
-                   by the request LM, then the response LM will be cleared.
-                   If the request LM was not set, then the response LM is
-                   not meaningful and should be set to zero by responders
-                   and ignored by requestors.
-
-   Z               Set to zero by senders and ignored by receivers, unless
-                   modified in a subsequent specification.
-
-   Expires December 1999                                           [Page 4]
-
-   INTERNET-DRAFT                    EDNS1                        June 1999
-
-   5 - Multiple Questions for QUERY
-
-   5.1. If QDCOUNT>1, multiple questions are present.  All questions must
-   be for the same QNAME and QCLASS; only the QTYPE is allowed to vary.  It
-   is an error for QDCOUNT>1 and any QTYPE=ANY or QCLASS=ANY.
-
-   5.2. RCODE and AA apply to all RRs in the answer section having the
-   QNAME that is shared by all questions in the question section.  AA
-   applies to all matching answers, and will not be set unless the exact
-   original request was processed by an authoritative server and the
-   response forwarded in its entirety.
-
-   5.3. If a multiple question request is processed by an intermediate
-   server and the authority server does not support multiple questions, the
-   intermediate server must generate an answer iteratively by making
-   multiple requests of the authority server.  In this case, AA must never
-   be set in the final answer due to lack of atomicity of the contributing
-   authoritative responses.
-
-   5.4. If iteratively processing a multiple question request using an
-   authority server which can only process single question requests, if any
-   contributing request generates a SERVFAIL response, then the final
-   response's RCODE should be SERVFAIL.
-
-   6 - Acknowledgements
-
-   Paul Mockapetris, Mark Andrews, Robert Elz, Don Lewis, Bob Halley,
-   Donald Eastlake, Rob Austein, Matt Crawford, Randy Bush, Michael Patton,
-   and Michael Graff were each instrumental in creating this specification.
-
-   7 - References
-
-   [RFC1035]  P. Mockapetris, ``Domain Names - Implementation and
-              Specification,'' RFC 1035, USC/Information Sciences
-              Institute, November 1987.
-
-   [EDNS0]    P. Vixie, ``Extension mechanisms for DNS (EDNS0),'' Draft
-              draft-ietf-dnsind-edns0-XX, IETF DNSIND, September 1998
-
-   [CRAW98]   M. Crawford, ``Binary Labels in the Domain Name System,''
-              Draft draft-ietf-dnsind-binary-labels-XX, IETF DNSIND, March
-              1998.
-
-   [KOCH98]   P. Koch, ``A New Scheme for the Compression of Domain
-              Names,'' Draft draft-ietf-dnsind-local-compression-XX.txt.
-
-   Expires December 1999                                           [Page 5]
-
-   INTERNET-DRAFT                    EDNS1                        June 1999
-
-              IETF DNSIND, March 1998.
-
-   8 - Author's Address
-
-                 Paul Vixie
-                    Internet Software Consortium
-                    950 Charter Street
-                    Redwood City, CA 94063
-                    +1 650 779 7001
-                    <vixie@isc.org>
-
-   Expires December 1999                                           [Page 6]
diff --git a/doc/draft/draft-ietf-dnsind-edns1-04.txt b/doc/draft/draft-ietf-dnsind-edns1-04.txt
new file mode 100644
index 00000000..d09a2ded
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsind-edns1-04.txt
@@ -0,0 +1,5 @@
+This Internet-Draft has expired and is no longer available.
+
+Unrevised documents placed in the Internet-Drafts directories have a
+maximum life of six months. After that time, they must be updated, or
+they will be deleted. This document was deleted on March 20, 2000.
diff --git a/doc/draft/draft-ietf-dnsind-keyreferral-00.txt b/doc/draft/draft-ietf-dnsind-keyreferral-00.txt
deleted file mode 100644
index 7670b4c6..00000000
--- a/doc/draft/draft-ietf-dnsind-keyreferral-00.txt
+++ /dev/null
@@ -1,440 +0,0 @@
-
-DNSIND WG                                                Edward Lewis
-INTERNET DRAFT                                           TIS Labs
-May Update: RFC 2535                                     Jerry Scharf
-Catagory: I-D                                            ISC
-                                                         April 1, 1999
-
-                             The Zone Key Referral
-                     <draft-ietf-dnsind-keyreferral-00.txt>
-
-Status of this Memo
-
-   This document is an Internet-Draft and is in full conformance with
-   all provisions of Section 10 of RFC2026.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   Comments should be sent to the authors or the DNSIND WG mailing list
-   <namedroppers@internic.net>.
-
-   This draft expires on October 1, 1999
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (1999).  All rights
-   reserved.
-
-Notes on this document
-
-This section will only appear in the -00.txt edition of this draft.
-
-This document originated in the DNSSEC working group in June 1998.  The
-discussion of the issues in this draft were tabled until the publication
-of the then current DNSSEC drafts as RFCs.
-
-The first version of this document lists a third author, John Gilmore.
-He is listed as an author because he was one of the initiators of what is
-proposed.  In this and following versions he is only listed in the
-Acknowledgements (as opposed to being an author) as he has not been
-involved in the writing/editing of the draft.  This has been done to
-avoid assigning his name to a document he may not have a chance to read,
-this is not intended as a slight on his efforts.
-
-When commenting on this draft, please be aware that some terms used here
-are up for negotiation before progressing - such as "thief" and "road
-block" appearing later in the draft.  Comments which are left justified
-were added during the re-issuing of the draft, they add context that
-may have been lost over time.
-
-  Abstract
-
-    A new type of key is defined to address the problems of
-    performance in large delegeted zones and issues of liability of
-    registrars with regards to the storing of public keys belonging
-    to zone cuts.  This new key type also brings DNSSEC more in line
-    with the DNS treatment of zone cuts and speeds recovery in
-    handling privatekey exposure.
-
-    The new type of key is a referral record that is stored, signed,
-    at the parent zone's place for the delegation point.  A resolver
-    receiving this record is being informed that there are genuine
-    public keys at the child's authoritative name servers.  The
-    parent no longer needs to store the child's public keys locally.
-
-1 Introduction
-
-    There are a number of different reasons for the proposal of this
-    new key type.  Reasons include:
-     o the performance impact that RFC 2535 has on name servers
-     o the problem of updating a widely delegated parent zone on demand
-     o statements in RFC 2181 on authoritative data at delegations
-     o perceived liability of the operator of a name server or registry
-
-    To address these issues, which are expanded upon below, a new
-    key type is proposed - a "zone key referral" - to join the user
-    key, host key, and zone key types defined in RFC 2535.
-
-1.1 Performance Issues
-
-    A sample zone will be used to illustrate the problem.  The
-    example will part from reality mostly in the length of zone
-    names, which changes the size of the owner and resource record
-    data fields.
-
-        # $ORIGIN test.
-        # @         IN SOA   <SOA data>
-        #           IN SIG   SOA <by test.>
-        #           IN KEY   <1024 bit zone key>
-        #           IN SIG   KEY <by test.>
-        #           IN SIG   KEY <by .>
-        #           IN NS    ns.test.
-        #           IN SIG   NS <by test.>
-        #           IN NXT   my-org.test. NS SOA SIG KEY NXT
-        #           IN SIG   NXT <by test.>
-        #
-        # my-org    IN KEY   <1024 bit zone key>
-        #           IN KEY   <1024 bit zone key>
-        #           IN SIG   KEY <by test.>
-        #           IN NS    ns1.my-org.test.
-        #           IN NS    ns2.my-org.test.
-        #           IN NXT   them.test. NS SIG KEY NXT
-        #           IN SIG   NXT <by test.>
-        #
-        # them      IN KEY   0xC100 3 1
-        #           IN SIG   KEY <by test.>
-        #           IN NS    ns1.them.test.
-        #           IN NS    ns2.them.test.
-        #           IN NXT   test. NS SIG KEY NXT
-        #           IN SIG   NXT <by test.>
-
-    In this zone file fragment, "my-org" is a delegation point of
-    interest with two registered public keys.  Presumably, one key
-    is for signatures generated currently and the other is for still
-    living and valid but older signatures.  "them" is another
-    delegation point, with a NULL key. This signifies that this zone
-    is unsecured.
-
-    To analyze the performance impact of the storing of keys, the
-    number of bytes used to represent the RRs in the procotol format
-    is used.  The actual number of bytes stored will likely be
-    higher, accounting for data structure overhead and alignment.
-    The actual number of bytes transferred will be lower due to DNS
-    name compression.
-
-    The number of bytes for my-org's two 1024-bit keys, two NS
-    records, NXT and the associated signatures is 526.  The bytes
-    needed for them (with the NULL key) is 346.  Currently, there
-    are close to 2 million entries in com., so if we take my-org as
-    a typical domain, over 1GB on memory will be needed for com.
-
-    The zone keys used in the example are set to 1024 bits.  This
-    number may range from as low as 512 bits upwards to over 3000
-    bits.  To scale the above numbers to a different key size,
-    multiply the difference in key sizes by 4 for my-org and by 2
-    for them, and adjust the numbers accordingly.
-
-    The increased size of the data held for the zone cuts will have
-    two impacts at the transport and below layers.  Bandwidth beyond
-    that currently needed will be used to carry the KEY records.
-    The inclusion of all of the child's keys will also push DNS over
-    the UDP size limit and start using TCP - which could cause
-    critical problems for current heavily used name servers, like
-    the roots.
-
-    Another impact, not illustrated by the example, is the frequency
-    of updates.  If each time a public key for my-org is added or
-    deleted, the SOA serial number will have to increase, and the
-    SOA signed again.  If an average zone changes its keys(s) once
-    per month, there will be on average 45 updates per minute in a
-    zone of 2 million delegations.
-
-(The multiple algorithms issue is an extension of multiple keys.  The
-example should be updated to show at least a DSS key as well as an RSA
-key.)
-
-1.2 Security Incident Recovery (w/ respect to keys only)
-
-    Once a zone administrator is alerted that any key's private
-    counterpart has been discovered (exposed), the first action to
-    be taken is to stop advertising the public key in DNS.  This
-    doesn't end the availability of the key - it will be residing in
-    caches - but is the closest action resembling revokation
-    available in DNS.
-
-    Stopping the advertisement in the zone's name servers is as
-    quick as altering the master file and restarting the name
-    server.  Having to do this in two places will will only delay
-    the time until the recovery is complete.
-
-    For example, a registrar of a top level domain has decided to
-    update its zone only on Mondays and Fridays due to the size of
-    the zone.  A customer/delegatee is the victim of a break in, in
-    which one of the items taken is the file of private keys used to
-    sign DNS data. If this occurs on a Tuesday, the thief has until
-    Friday to use the keys before they disappear from the DNS, even
-    if the child stops publishing them immediately.
-
-    If the public key set is in the parent zone, and the parent zone
-    is not able to make the change quickly, the public key cannot be
-    revoked quickly.  If the parent only refers to there being a key
-    at the child zone, then the child has the agility to change the
-    keys - even issue a NULL key, which will force all signatures in
-    the zone to become suspect.
-
-1.3 DNS Clarifications
-
-    RFC 2181, section 6, clarifies the status of data appearing at a
-    zone cut.  Data at a zone cut is served authoritatively from the
-    servers listed in the NS set present at the zone cut.  The data
-    is not (necessarily) served authoritatively from the parent.
-    (The exception is in servers handling both the parent and child
-    zone.)
-
-    Section 6 also mentions that there are two exceptions created by
-    DNSSEC, the NXT single record set and the KEY set.  This
-    proposal addresses the exception relating to the KEY set,
-    limiting its severity (but falling short of removing it
-    altogether).  By limiting the exception, we will be simplifying
-    DNS.
-
-1.4 Liability
-
-    Liability is a legal concept, so it is not wise to attempt an
-    engineering solution to it.  However, the perceived liability
-    incurred in using DNSSEC by registrars may prevent the adoption
-    of DNSSEC.  Hence DNSSEC should be engineered in such a away to
-    address the concern.
-
-    One source of liability is the notion that by advertising a
-    public key for a child zone, a parent zone is providing a
-    service of security.  With that comes responsibility.  By having
-    the parent merely indicate that a child has a key (or has no
-    key), the parent is providing less in the way of security.  If
-    the parent is wrong, the potential loss is less.  Instead of
-    falsely authenticated data, configuration errors will be
-    apparent to the resolving client.
-
-2 The Proposal
-
-    The proposal is to introduce a new key type which indicates
-    whether the delegated zone is running secured or not.  Running
-    secured is either a zone signed with at least one key, an
-    experimental zone, or a zone with only NULL keys published.
-
-    The Zone Referral Key will resemble the NULL key in syntax.
-    There will be a flags field, an algorithm field, and a protocol
-    field, but no public key material.  The Referral Key is signed
-    by the parent zone, as was the public key set in RFC 2065.
-    There is only one Referral Key RR present.
-
-    The Referral Key flags field will have the following values:
-     Field      Bit(s)     Value      Meaning
-
-      A/C        0- 1      0b01       indicates a key will be found
-                           0b11       indicates a key will not be found
-                           0b?0       error (referral cannot encrypt)
-      XT          2        0          no extended flags are needed
-      Z          4- 5      0          must be zero for all keys
-      NAMTYP     6- 7      0b11       this is a referral to a zone key
-      Z          8-11      0          must be zero for all keys
-      SIG       12-15      0          must be zero for a referral key
-
-    The legal values of the flags field are (in summary):
-
-      Hex Value    Indicates
-      0x4300       The delegation has a key record set
-      0xC300       The delegation has no key record
-
-    Other values are not valid for Referral Keys (but may be valid
-    for other keys).
-
-    The Protocol field must be set to 3, the DNSSEC protocol value.
-
-    The Algorithm field must be 0.
-
-The algorithm is not important at this point.  So long as the searcher
-knows to expect a key set at the delegated zone's apex, a secure chain
-is possible.  One the key set is retrieved and verified, then the
-algorithms used in the delegated zone are known.  (The issue is that a
-zone may be signed in algorithm 1 and not 3, 3 and not 1, both, etc.,
-and a secure resolver must know this in order to set signature arrival
-expectations.
-
-2.1 Example
-
-    The Referral key for my-org.test. and them.test. would appear as
-    the following in the zone master file:
-
-          my-org.test. IN KEY   0x4300 3 0
-          them.test.   IN KEY   0xC300 3 0
-
-    In the example introduced earlier, the master file would change
-    to the following.
-
-        # $ORIGIN test.
-        # @         IN SOA   <SOA data>
-        #           IN SIG   SOA <by test.>
-        #           IN KEY   <1024 bit zone key>
-        #           IN SIG   KEY <by test.>
-        #           IN SIG   KEY <by .>
-        #           IN NS    ns.test.
-        #           IN SIG   NS <by test.>
-        #           IN NXT   my-org.test. NS SOA SIG KEY NXT
-        #           IN SIG   NXT <by test.>
-        #
-        # my-org    IN KEY   0x4300 3 0
-        #           IN SIG   KEY <by test.>
-        #           IN NS    ns1.my-org.test.
-        #           IN NS    ns2.my-org.test.
-        #           IN NXT   them.test. NS SIG KEY NXT
-        #           IN SIG   NXT <by test.>
-        #
-        # them      IN KEY   0xC300 3 1
-        #           IN SIG   KEY <by test.>
-        #           IN NS    ns1.them.test.
-        #           IN NS    ns2.them.test.
-        #           IN NXT   test. NS SIG KEY NXT
-        #           IN SIG   NXT <by test.>
-
-3 Analysis
-
-    By removing the public keys from the parent's master file, the
-    parent is no longer a road block during an emergency removal of
-    keys.  A parent zone is unchanged as a zone changes from NULL
-    keys to experimental keys to fully signed.  The parent is also
-    not providing a security service, other than to authentically
-    claim the existence of a KEY record set - akin to the "hints" of
-    the name servers.
-
-    The change also improves the prospect for performance.  The need
-    for multiple KEY RR's, each one on the order of 100 bytes, is
-    removed and replaced by a single KEY RR of the order of 25
-    bytes.  Saving bytes reduces the need to use TCP to avoid
-    truncated responses.  Also, the need for updating the zone drops
-    - no longer will there be updates for each key change.
-
-    As far as the statements by RFC 2181 conerning authority levels,
-    the Referral Key is not authortative and would be superseeded by
-    a verified set of the real zone keys.  The only caveat is that
-    once the verified set of keys expire (assuming the parent has to
-    learn the keys from another server), the Referal Key must
-    reappear.  This is an example of what has been labelled "mount-
-    like semantics."
-
-    [No reference for mount-like semantics has yet been found.]
-
-    The last point is important.  This requires the "mount-like
-    semantics" that have been discussed for the BIND name servers.
-    Once hints are overridden by learned, authorititative and
-    verified data, the hints are not discarded.  Hints in this state
-    are stored and become visible when the learned data expires.
-
-4 IANA Considerations
-
-    Other than using a new value in the flags field of the KEY RR,
-    no new number assignments are needed.  The flags field is not
-    under the control of IANA as of yet.  There are no requirements
-    placed on IANA by this draft.
-
-5 Security Considerations
-
-    There has been some debate about whether the Referral key should
-    be treated as a hint - just like the NS records.  If so, then
-    there is no need to sign the Referral Key, and an unsigned
-    (hence non-authenticated) security record is of little value.
-    So, is the Referral Key even needed?
-
-    Authentication in DNSSEC is done from the data "back" towards a
-    trusted point - e.g., "up" to the root.  Since the
-    authentication is done by going repeatedly from child to parent,
-    why bother having the parent indicate the status of the child?
-
-    The answer is in the scenario in which a resolver somewhere has
-    obtained data which fails the verification process.  Perhaps the
-    signature is wrong, a key in the chain of trust is unavailable,
-    the set should have had a signature, but none is found (or vice
-    versa), or the trail of signed-by names is not acceptable.  In
-    this case, the resolver needs to find the authoritative zone,
-    its status and its name server set.
-
-    If a zone is being attacked by a masquerader, and parents do not
-    make any statements about the security of child zones, then an
-    easy and successfull attack may occur.  An attacker only needs
-    to supply either fake name server records or glue records to
-    redirect queries.
-
-    While this attack will not be stopped as far as denial of
-    service, the masquerader can be stopped from being accepted as
-    an authoritative source if the parent of the zone claims the
-    child is secure and signs the public keys of the true child and
-    not the masquerader.
-
-    The masquerader cannot successfully claim that the zone is
-    unsigned, because it must have a zone key signed by the parent.
-    NULL or not, the key would not be trusted by the resolver,
-    assuming the parent has not also been duped.  The resolver,
-    sensing this, should report an error or security incident, and
-    not accept data.
-
-6 Acknowledgements
-
-    John Gilmore originally raised the issues that have led to this
-    document.
-
-7 Author's addresses
-
-Edward Lewis                 Jerry Scharf
-<lewis@tislabs.com>          <scharf@vix.com>
-3060 Washinton Rd (Rte 97)
-Glenwood, MD 21738
-+1(443)259-2352
-
-8 References
-
-RFC 2181 "Clarifications to the DNS Specification", Elz and Bush
-RFC 2535 "Domain Name System Security Extensions", Eastlake
-
-9 Full Copyright Statement
-
-   Copyright (C) The Internet Society (1999).  All Rights Reserved.
-
-   This document and translations of it may be copied and furnished to
-   others, and derivative works that comment on or otherwise explain it
-   or assist in its implmentation may be prepared, copied, published and
-   distributed, in whole or in part, without restriction of any kind,
-   provided that the above copyright notice and this paragraph are
-   included on all such copies and derivative works.  However, this
-   document itself may not be modified in any way, such as by removing
-   the copyright notice or references to the Internet Society or other
-   Internet organizations, except as needed for the purpose of
-   developing Internet standards in which case the procedures for
-   copyrights defined in the Internet Standards process must be
-   followed, or as required to translate it into languages other than
-   English.
-
-   The limited permissions granted above are perpetual and will not be
-   revoked by the Internet Society or its successors or assigns.
-
-   This document and the information contained herein is provided on an
-   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
-   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
-   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
-   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
-   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
-
-This draft expires on October 1, 1999
diff --git a/doc/draft/draft-ietf-dnsind-keyreferral-01.txt b/doc/draft/draft-ietf-dnsind-keyreferral-01.txt
new file mode 100644
index 00000000..d09a2ded
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsind-keyreferral-01.txt
@@ -0,0 +1,5 @@
+This Internet-Draft has expired and is no longer available.
+
+Unrevised documents placed in the Internet-Drafts directories have a
+maximum life of six months. After that time, they must be updated, or
+they will be deleted. This document was deleted on March 20, 2000.
diff --git a/doc/draft/draft-ietf-dnsind-local-compression-05.txt b/doc/draft/draft-ietf-dnsind-local-compression-05.txt
deleted file mode 100644
index ec27e3ac..00000000
--- a/doc/draft/draft-ietf-dnsind-local-compression-05.txt
+++ /dev/null
@@ -1,420 +0,0 @@
-INTERNET-DRAFT                                                Peter Koch
-Expires: December 1999                            Universitaet Bielefeld
-Updates: 1035, 1183, 2163, 2168, 2535                          June 1999
-
-            A New Scheme for the Compression of Domain Names
-               draft-ietf-dnsind-local-compression-05.txt
-
-Status of this Memo
-
-   This document is an Internet-Draft and is in full conformance with
-   all provisions of Section 10 of RFC2026.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   Comments should be sent to the author or the DNSIND WG mailing list
-   <namedroppers@internic.net>.
-
-Abstract
-
-   The compression of domain names in DNS messages was introduced in
-   [RFC1035].  Although some remarks were made about applicability to
-   future defined resource record types, no method has been deployed yet
-   to support interoperable DNS compression for RR types specified since
-   then.
-
-   This document summarizes current problems and proposes a new
-   compression scheme to be applied to future RR types which supports
-   interoperability.  Also, suggestions are made how to deal with RR
-   types defined so far.
-
-1. Conventions used in this document
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-
-Koch                     Expires December 1999                  [Page 1]
-
-INTERNET-DRAFT              DNS Compression                    June 1999
-
-   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in [RFC2119].
-
-   Domain names herein are for explanatory purposes only and should not
-   be expected to lead to useful information in real life [RFC2606].
-
-2. Background
-
-   Domain name compression was introduced in [RFC1035], section 4.1.4,
-   as an optional protocol feature and later mandated by [RFC1123],
-   section 6.1.2.4.  The intent was to reduce the message length,
-   especially that of UDP datagrams, by avoiding repetition of domain
-   names or even parts thereof.
-
-   A domain name is internally represented by the concatenation of label
-   strings, where the first octet denotes the string length, not
-   including itself.  The null string, consisting of a single octet of
-   zeroes, is the representation of the root domain name and also
-   terminates every domain name.
-
-   As labels may be at most 63 characters long, the two most significant
-   bits in the length octet will always be zero. Compression works by
-   overloading the length octet with a second meaning. If the two MSB
-   have the value '1', the remainder of the length octet and the next
-   octet form a compression pointer, which denotes the position of the
-   next label of the current domain name in the message:
-
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-          | 1  1|                OFFSET                   |
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-   It is important that these pointers always point backwards.
-
-   Compression may occur in several places. First, the owner name of an
-   RR may be compressed. The compression target may be another owner
-   name or a domain name in the RDATA section of a previous RR.  Second,
-   any domain name within the RDATA section may be compressed and the
-   target may be part of the same RR, being the owner name or another
-   domain name in the RDATA section, or it may live in a previous RR,
-   either as its owner or as a domain name in its RDATA section.  In
-   fact, due to the chaining feature, combinations of the above may
-   occur.
-
-3. Problems
-
-   While implementations shall use and must understand compressed domain
-   names in the RDATA section of "well known" RR types (those initially
-   defined in [RFC1035]), there is no interoperable way of applying
-
-Koch                     Expires December 1999                  [Page 2]
-
-INTERNET-DRAFT              DNS Compression                    June 1999
-
-   compression to the RDATA section of newer RRs:
-
-   Quote from [RFC1123], section 6.1.3.5:
-        Compression relies on knowledge of the format of data inside a
-        particular RR.  Hence compression must only be used for the
-        contents of well-known, class-independent RRs, and must never be
-        used for class-specific RRs or RR types that are not well-known.
-        The owner name of an RR is always eligible for compression.
-
-   DNS records in messages may travel through caching resolvers not
-   aware of the particular RR's type and format. These caches cannot
-   rearrange compression pointers in the RDATA section simply because
-   they do not recognize them. Handing out these RRs in a different
-   context later will lead to confusion if the target resolver tries to
-   uncompress the domain names using wrong information.  This is not
-   restricted to intermediate caching but affects any modification to
-   the order of RRs in the DNS message.
-
-4. Local Compression
-
-   We often observe a certain locality in the domain names used as owner
-   and occuring in the RDATA section, e.g. in MX or NS RRs but also in
-   newer RR types [RFC1183]:
-
-      host.foo.bar.example  RP  adm.foo.bar.example  adm.persons.bar.example
-
-   So, to still profit from compression without putting interoperability
-   at risk, a new scheme is defined which limits the effect of
-   compression to a single RR.
-
-   In contrast to the usual method of using offsets relative to the
-   start of a DNS packet we start counting at the RR owner or calculate
-   pointers relative to the start of the RDATA to avoid context
-   sensitivity.  We use an additional compression indicator for a two
-   octet local pointer:
-
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-          | 1  0|                OFFSET                   |
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-   The "10" bits will indicate the use of local compression and
-   distinguish it from conventional compression, plain labels and EDNS
-   label codes [EDNS0].  Two types of pointers need to be specified:
-   those pointing into the owner name and those pointing into RDATA.
-
-   A) Pointers into the owner name are interpreted as the ordinal label
-      number (starting at 0 for the topmost label, the TLD). This way we
-      avoid the need for extra decompression of the owner name during
-
-Koch                     Expires December 1999                  [Page 3]
-
-INTERNET-DRAFT              DNS Compression                    June 1999
-
-      message composition or decomposition.
-
-      The highest possible value of a compression pointer pointing into
-      the owner name is 254. The value 255 is reserved for future use.
-
-   B) Pointers into the RDATA section start at the fixed value 256 for
-      the first octet and have a maximum value of 16383 limiting
-      possible targets to the first 16128 octets. The actual offset
-      relative to the start of RDATA is determined by subtracting 256
-      from the value of the pointer.
-
-   Local pointers MUST point to a previous occurence of the same name in
-   the same RR.  Even domain names in another RR of the same type cannot
-   serve as compression targets since the order of RRs in an RRSet is
-   not necessarily stable.  The length of the compressed name(s) MUST be
-   used in the length calculation for the RDLENGTH field.
-
-Example
-
-   Consider a DNS message containing two resource records, one CNAME RR
-   and one XMPL RR, undefined and meaningless so far, with an RDATA
-   section consisting of two domain names:
-
-      ab.foo.example  IN  CNAME  bar.example
-      bar.example     IN  XMPL   a.foo.example  foo.example
-
-   In a message this appears as follows (randomly starting at octet 12):
-
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       12 |           2           |           a           |
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       14 |           b           |           3           |
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       16 |           f           |           o           |
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       18 |           o           |           7           |
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       20 |           e           |           x           |
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       22 |           a           |           m           |
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       24 |           p           |           l           |
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       26 |           e           |           0           |
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-       10 octets skipped (TYPE, CLASS, TTL, RDLENGTH)
-
-Koch                     Expires December 1999                  [Page 4]
-
-INTERNET-DRAFT              DNS Compression                    June 1999
-
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       38 |           3           |           b           |
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       40 |           a           |           r           |
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       42 | 1  1|                 19                      |
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-   The XMPL RR with local compression applied:
-
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       44 | 1 1 |                 38                      |
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-       10 octets skipped (TYPE, CLASS, TTL, RDLENGTH)
-
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       56 |           1           |           a           |
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       58 |           3           |           f           |
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       60 |           o           |           o           |
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       62 | 1  0|                 0                       |
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-       64 | 1  0|               258                       |
-          +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-   The first local pointer at position 62 points to the topmost label
-   "example" of the XMPL RR's owner.
-
-   The second local pointer at position 64 represents the "foo.example"
-   and points backwards into the RDATA section, third octet, at absolute
-   position 58.  Note that with conventional compression this example
-   message would have occupied less space.
-
-5. Interaction with DNSSEC
-
-   The security extensions to DNS [RFC2535] mandate that domain names in
-   RDATA be signed only in expanded, lower case format. For RR types
-   using local compression the specification is changed as follows:
-
-      Resource Records subject to local compression MUST be stored,
-      signed, transmitted and verified in locally compressed form.  Name
-      expansion or canonicalization MUST NOT be performed on the RDATA
-      section for signing or verification.
-
-   This way RR type transparency can be achieved, since domain names in
-
-Koch                     Expires December 1999                  [Page 5]
-
-INTERNET-DRAFT              DNS Compression                    June 1999
-
-   the RDATA section are treated as arbitrary data and can be cached and
-   verified by resolvers not aware of the particular RR type. Old RR
-   types subject to conventional or no compression are not affected by
-   this change.
-
-   Wildcard owners may serve as compression targets only in their fixed
-   part.  Even if a particular query asks for a domain name which could
-   be used to compress the RDATA part more efficiently, this MUST NOT be
-   done. Otherwise signatures would be invalidated.
-
-   Currently slave servers store zones in text format and re-encode the
-   data into wire format, e.g. after a restart. This encoding must be
-   unique to ensure signature validity. To achieve this, local
-   compression MUST be applied optimally, i.e. every domain name must be
-   compressed as far as possible and each local compression pointer must
-   point to the earliest available target (including the owner).
-
-6. Interaction with Binary Labels
-
-   When constructing local compression pointers into the owner name,
-   every one-bit label is counted as a label. This way the compression
-   and decompression is independent of the actual bit-string
-   representation.
-
-   For local compression pointers into the RDATA section, only bit-
-   string labels may serve as targets, not single one-bit labels. Bit-
-   string labels may be adjusted to increase compression efficiency
-   [BINLABELS, section 3.1]
-
-   The internal representation of a domain name has a maximum length of
-   255 [RFC 1035].  Any label consists of at least two octets, leading
-   to at most 127 labels per domain name plus the terminating zero
-   octet, which does not qualify as a compression target. With the
-   introduction of binary labels a domain name can consist of up to 1904
-   labels (all one-bit labels). This document restricts the possible
-   compression targets in an owner name to the topmost 255 labels. This
-   limit was chosen to be consistent with [RFC2535], section 4.1.3.
-
-7. Old RR types and deployment
-
-   Although differences in RDATA sections by class have not yet been
-   reported and the concept of classes did not really spread, we are
-   just considering the IN class here.
-
-   The following RR types with domain names in the RDATA section have
-   been defined since [RFC1035] (Standards Track, Experimental and
-   Informational RFCs, ignoring withdrawn types):  RP [RFC1183], AFSDB
-   [RFC1183], RT [RFC1183], SIG [RFC2535], PX [RFC2163], NXT [RFC2535],
-
-Koch                     Expires December 1999                  [Page 6]
-
-INTERNET-DRAFT              DNS Compression                    June 1999
-
-   SRV [RFC2052], NAPTR [RFC2168], KX [RFC2230].  Some specifications do
-   not mention DNS compression at all, others explicitly suggest it and
-   only in part identify interoperability issues.  Only the KX and SRV
-   RR types are safe as their specifications prohibit compression.
-
-   The specification of RP, AFSDB, RT, PX, and NAPTR is hereby changed
-   in that domain names in the RDATA section MUST NOT be compressed and
-   MUST NOT be compression targets.
-
-   Local compression MUST NOT be used for owner names and it MUST NOT be
-   applied to domain names in RDATA sections of any RR type defined so
-   far.
-
-   The specification of future RR types should explicitly select the use
-   of local compression or forbid RDATA domain name compression at all.
-
-8. Security Considerations
-
-   The usual caveats for using unauthenticated DNS apply. This scheme is
-   believed not to introduce any new security problems.  However,
-   implementors should be aware of problems caused by blindly following
-   compression pointers of any kind. [RFC1035] and this document limit
-   compression targets to previous occurences and this MUST be followed
-   in constructing and decoding messages. Otherwise applications might
-   be vulnerable to denial of service attacks launched by sending DNS
-   messages with infinite compression pointer loops. In addition,
-   pointers should be verified to really point to the start of a label
-   (for conventional and local RDATA pointers) and not beyond the end of
-   the domain name (for local owner name pointers).
-
-   The maximum length of 255 applies to domain names in uncompressed
-   wire format, so care must be taken during decompression not to exceed
-   this limit to avoid buffer overruns.
-
-9. Acknowledgements
-
-   The author would like to thank Andreas Gustafsson, Paul Vixie, Bob
-   Halley, Mark Andrews and Thomas Narten for their review and
-   constructive comments.
-
-10. References
-
-   [RFC1034]     Mockapetris,P., "Domain Names - Concepts and Facilities",
-                 RFC 1034, STD 13, November 1987
-
-Koch                     Expires December 1999                  [Page 7]
-
-INTERNET-DRAFT              DNS Compression                    June 1999
-
-   [RFC1035]     Mockapetris,P., "Domain Names - Implementation and
-                 Specification", RFC 1035, STD 13, November 1987
-
-   [RFC1123]     Braden,R., "Requirements for Internet Hosts -- Application
-                 and Support", RFC 1123, STD 3, October 1989
-
-   [RFC1183]     Everhart,C., Mamakos,L., Ullmann,R., Mockapetris,P., "New
-                 DNS RR Definitions", RFC 1183, October 1990
-
-   [RFC2052]     Gulbrandsen,A., Vixie,P. "A DNS RR for specifying the
-                 location of services (DNS SRV)", RFC 2052, October 1996
-
-   [RFC2119]     Bradner,S., "Key words for use in RFCs to Indicate
-                 Requirement Levels", RFC 2119, BCP 14, March 1997
-
-   [RFC2163]     Allocchio,C., "Using the Internet DNS to Distribute MIXER
-                 Conformant Global Address Mapping (MCGAM)", RFC 2163,
-                 January 1998
-
-   [RFC2168]     Daniel,R., Mealling,M., "Resolution of Uniform Resource
-                 Identifiers using the Domain Name System", RFC 2168, June
-                 1997
-
-   [RFC2230]     Atkinson,R., "Key Exchange Delegation Record for the DNS",
-                 RFC 2230, November 1997
-
-   [RFC2535]     Eastlake,D., "Domain Name System Security Extensions", RFC
-                 2535, March 1999
-
-   [RFC2606]     Eastlake,D., Panitz,A., "Reserved Top Level DNS Names",
-                 RFC 2606, BCP 32, June 1999
-
-   [EDNS0]       Vixie,P., "Extension mechanisms for DNS (EDNS0)", draft-
-                 ietf-dnsind-edns0-XX.txt, work in progress
-
-   [BINLABELS]   Crawford,M., "Binary Labels in the Domain Name System",
-                 draft-ietf-dnsind-binary-labels-XX.txt, work in progress
-
-11. Author's Address
-
-   Peter Koch
-   Universitaet Bielefeld
-   Technische Fakultaet
-   Postfach 10 01 31
-   D-33501 Bielefeld
-   Germany
-
-Koch                     Expires December 1999                  [Page 8]
-
-INTERNET-DRAFT              DNS Compression                    June 1999
-
-   +49 521 106 2902
-   <pk@TechFak.Uni-Bielefeld.DE>
-
-Koch                     Expires December 1999                  [Page 9]
diff --git a/doc/draft/draft-ietf-dnsind-local-compression-06.txt b/doc/draft/draft-ietf-dnsind-local-compression-06.txt
new file mode 100644
index 00000000..d09a2ded
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsind-local-compression-06.txt
@@ -0,0 +1,5 @@
+This Internet-Draft has expired and is no longer available.
+
+Unrevised documents placed in the Internet-Drafts directories have a
+maximum life of six months. After that time, they must be updated, or
+they will be deleted. This document was deleted on March 20, 2000.
diff --git a/doc/draft/draft-ietf-dnsind-rollover-00.txt b/doc/draft/draft-ietf-dnsind-rollover-00.txt
deleted file mode 100644
index 8d8cef1c..00000000
--- a/doc/draft/draft-ietf-dnsind-rollover-00.txt
+++ /dev/null
@@ -1,648 +0,0 @@
-INTERNET-DRAFT           			     DNSIND Key Rollover
-UPDATES RFC 1996                                              April 1999
-                                                    Expires October 1999
-draft-ietf-dnsind-rollover-00.txt
-
-
-
-             Domain Name System (DNS) Security Key Rollover
-             ------ ---- ------ ----- -------- --- --------
-
-                  Donald E. Eastlake 3rd, Mark Andrews
-
-
-
-Status of This Document
-
-   This draft, file name draft-ietf-dnsind-rollover-00.txt, is intended
-   to be become a Proposed Standard RFC.  Distribution of this document
-   is unlimited. Comments should be sent to the DNS working group
-   mailing list <namedroppers@internic.net> or to the authors.
-
-   This document is an Internet-Draft and is in full conformance with
-   all provisions of Section 10 of RFC2026.  Internet-Drafts are working
-   documents of the Internet Engineering Task Force (IETF), its areas,
-   and its working groups.  Note that other groups may also distribute
-   working documents as Internet-Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six
-   months.  Internet-Drafts may be updated, replaced, or obsoleted by
-   other documents at any time.  It is not appropriate to use Internet-
-   Drafts as reference material or to cite them other than as a
-   ``working draft'' or ``work in progress.''
-   
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-
-
-Abstract
-
-   Deployment of Domain Name System (DNS) security with good cryptologic
-   practice will involve large volumes of key rollover traffic.  A
-   standard format and protocol for such messages will be necessary for
-   this to be practical and is specified herein.
-
-   [Note: this draft has been moved to dnsind from dnssec as part of the
-   ongoing combination of these working groups.  It would have been
-   draft-ietf-dnssec-rollover-01.txt otherwise.]
-
-
-
-
-D. Eastlake 3rd, M. Andrews                                     [Page 1]
-
-
-
-INTERNET-DRAFT                 April 1999            DNSSEC Key Rollover
-
-
-Table of Contents
-
-      Status of This Document....................................1
-      Abstract...................................................1
-
-      Table of Contents..........................................2
-
-      1. Introduction............................................3
-      2. Key Rollover Scenario...................................3
-      3. Rollover Operation......................................5
-      3.1 Rollover to Parent.....................................5
-      3.2 Rollover to Children...................................6
-      4. Secure Zone Cuts and Joinders...........................7
-      5. Security Considerations.................................8
-      6. IANA Considerations.....................................9
-
-      References................................................10
-      Authors Address...........................................10
-      Expiration and File Name..................................11
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd, M. Andrews                                     [Page 2]
-
-
-
-INTERNET-DRAFT                 April 1999            DNSSEC Key Rollover
-
-
-1. Introduction
-
-   The Domain Name System (DNS) [RFC 1034, 1035] is the global
-   hierarchical replicated distributed database system for Internet
-   addressing, mail proxy, and other information.  The DNS has been
-   extended to include digital signatures and cryptographic keys as
-   described in [RFC 2535].
-
-   The principle security service provided for DNS data is data origin
-   authentication.  The owner of each zone signs the data in that zone
-   with a private key known only to the zone owner.  Anyone that knows
-   the corresponding public key can then authenticate that zone data is
-   from the zone owner.  To avoid having to preconfigure resolvers with
-   all zone's public keys, keys are stored in the DNS with each zone's
-   key signed by its parent (if the parent is secure).
-
-   To obtain high levels of security, keys must be periodically changed,
-   or "rolled over".  The longer a private key is used, the more likely
-   it is to be compromised due to cryptanalysis, accident, or treachery
-   [RFC 2541].
-
-   In a widely deployed DNS security system, the volume of update
-   traffic will be large.  Just consider the .com zone.  If only 10% of
-   its children are secure and change their keys only once a year, you
-   are talking about hundreds of thousands of new child public keys that
-   must be securely sent to the .com manager to sign and return with
-   their new parent signature.  And when .com rolls over its private
-   key, it will needs to send hundred of thousands of new signatures on
-   the existing child public keys to the child zones.
-
-   It will be impractical to handle such update volumes manually on a
-   case by case basis.  The bulk of such key rollover updates must be
-   automated.
-
-   The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED",  and "MAY"
-   in this document are to be interpreted as described in [RFC 2119].
-
-
-
-2. Key Rollover Scenario
-
-   Although DNSSEC provides for the storage of other keys in the DNS for
-   other purposes, DNSSEC zone keys are included solely for the purpose
-   of being retrieved to authenticate DNSSEC signatures.  Thus, when a
-   zone key is being rolled over, the old public key should be left in
-   the zone, along with the addition of the new public key, for as long
-   as it will reasonably be needed to authenticate old signatures that
-   have been cached or are held by applications.  Similarly, old parent
-   SIGs should be retained for a short time after a parent KEY(s) roll
-   over and new parent SIGs have been installed.
-
-
-D. Eastlake 3rd, M. Andrews                                     [Page 3]
-
-
-
-INTERNET-DRAFT                 April 1999            DNSSEC Key Rollover
-
-
-   If DNSSEC were universally deployed and all DNS server's clocks were
-   synchronized and zone transfers were instantaneous etc., it might be
-   possible to avoid ever having duplicate old/new KEY/SIG RRsets due to
-   simultaneous expiration of SIGs everywhere in the DNS.  But these
-   assumptions do not hold.  Security aware DNS servers decrease the TTL
-   of secure RRs served as the expiration of their authenticating SIG(s)
-   approaches but some dithered fudge must generally be left due to
-   clock skew, RR retention by applications, and the like.  Retaining
-   old KEYs for a while after rolling over to new KEYs will be necessary
-   in practical cases.
-
-   Assume a middle zone with a secure parent and a secure child wishes
-   to role over its KEY RRset.  This RRset would probably be one KEY RR
-   per crypto algorithm used to secure the zone, but for this scenario,
-   we will simply assume it is one KEY RR.  The old KEY RR and two SIG
-   RRs will exist at the apex of the middle zone.  (These RRs may also
-   exist at the leaf node for this zone in its parent if the parent
-   chooses to store them there.) The contents of the middle zone and the
-   zone KEY RRs of its secure child will have SIGs under the old key.
-
-   The middle zone owner needs to communicate with its parent to obtain
-   a new parental signature covering both the old and new KEY RRs and
-   covering just the new KEY RR.  The signature on both is needed so the
-   old KEY can be retain for the period it might be needed to
-   authenticate old SIGs.  The middle zone would probably want to obtain
-   these in advance so that it can install them at the right time along
-   with its new SIG RRs covering the content of its zone.  Finally, it
-   needs to give new SIG RRs to its child that cover its KEY RRs so it
-   must signal its children to ask for such SIG RRs.
-
-          BEFORE ROLLOVER        SHORTLY AFTER             AFTER ROLLOVER
-
-       p.x     KEY      P1     p.x     KEY      P1     p.x     KEY      P1
-       p.x     SIG(KEY) P1     p.x     SIG(KEY) P1     p.x     SIG(KEY) P1
-       p.x     SIG(KEY) GP     p.x     SIG(KEY) GP     p.x     SIG(KEY) GP
-
-       m.p.x   KEY      M1     m.p.x   KEY      M2     m.p.x   KEY      M2
-       m.p.x   SIG(KEY) P1     m.p.x   KEY      M1     m.p.x   SIG(KEY) P1
-       m.p.x   SIG(KEY) M1     m.p.x   SIG(KEY) P1     m.p.x   SIG(KEY) M2
-                               m.p.x   SIG(KEY) M2
-
-       c.m.p.x KEY      C1     c.m.p.x KEY      C1     c.m.p.x KEY      C1
-       c.m.p.x SIG(KEY) M1     c.m.p.x SIG(KEY) M2     c.m.p.x SIG(KEY) M2
-       c.m.p.x SIG(KEY) C1     c.m.p.x SIG(KEY) M1     c.m.p.x SIG(KEY) C1
-                               c.m.p.x SIG(KEY) C1
-
-         p = parent, m = middle, c = child, GP = grandparent key
-         P* = parent key, M* = middle zone key, C* = child key
-
-
-
-
-D. Eastlake 3rd, M. Andrews                                     [Page 4]
-
-
-
-INTERNET-DRAFT                 April 1999            DNSSEC Key Rollover
-
-
-3. Rollover Operation
-
-   Rollover operations use a DNS request syntactically identical to the
-   UPDATE request [RFC 2136] (except that the operation code is ROLLOVER
-   which is equal to (TBD)) and use a new form of NOTIFY [RFC 1996].
-   Considerations for such requests to the parent and children of a zone
-   are givens below.
-
-   All rollover operations involve significant amounts of cryptographic
-   calculations.  Appropriate rate limiting SHOULD be applied to avoid
-   denial of service attacks.
-
-   [This draft does not consider cross-certification key rollover.]
-
-
-
-3.1 Rollover to Parent
-
-   A zone rolling over its KEY RRset sends an upward ROLLOVER request to
-   its parent.  Actually, it will normally do two upward ROLLOVERs, one
-   for a combined KEY RRset of its old and new KEYs and one for just its
-   new KEY RRset, as discussed above.
-
-   The server selection algorithm in [RFC 2136] section 4 should be
-   used.  A child needs to be configured with or determine the name of
-   its parent but SHOULD NOT remember the location of its parent other
-   than via normal DNS caching of address RRs so that rollover will
-   continue to work if its parent servers are moved.
-
-   The ROLLOVER request Zone should be specified as the parent zone.
-   The request Update section has the new KEY RRset on which the parent
-   signature is requested along with the requesting zone's SIG(s) under
-   its old KEY(s) as RRs to be "added" to the parent zone.  The
-   inception and expiration times in this child SIG or SIGs are the
-   requested inception and expiration times for the new parent SIG(s).
-   The "prerequisites" section has the old child KEY RRset with the
-   parent SIG (see next paragraph).
-
-   An upward ROLLOVER request MUST be signed and if not signed a BADAUTH
-   response generated. The signature MUST be under the previous zone
-   KEY, so the parent can validate it, or under a valid TSIG key
-   [draft-ietf-dnsind-tsig-*.txt] arranged with the parent.  Including
-   the "prerequisite" section as specified above enables a parent that
-   keeps no record of its children's KEYs to still authenticate a
-   child's ROLLOVER request based on the old child KEY because the
-   parent is presented with its own SIG on the old KEY.
-
-   If the ROLLOVER command is erroneous or violates parental policy, an
-   Error response is returned.  If a parent retains copies of its
-   children's KEYs, it may use that knowledge to validate ROLLOVER
-
-
-D. Eastlake 3rd, M. Andrews                                     [Page 5]
-
-
-
-INTERNET-DRAFT                 April 1999            DNSSEC Key Rollover
-
-
-   request SIGs and ignore the "prerequisites" section.
-
-   If the ROLLOVER command is OK and the parent can sign online, its
-   response MAY include the new parent SIG(s) in the response Update
-   section.  This response MUST be sent to the originator of the
-   request.
-
-   If the parent can not sign online, it should return a response with
-   an empty Update section and queue the SIG(s) calculation request.
-   This response MUST be sent to the originator of the request.
-
-   ROLLOVER response messages MUST always include the actual parent's
-   SOA signed with a key the child should recognize in the Additional
-   Information section (see section 4 below).
-
-   Regardless of whether the server has sent the new signatures above,
-   it MUST, once it has calculated the new SIG(s), send a ROLLOVER to
-   the child zone using the DNS port (53) and the server selection
-   algorithm defined in RFC 2136, Section 4.  This ROLLOVER reqeust
-   contains the KEY RRset that triggered it and the new SIG(s).  There
-   are several reasons for sending the ROLLOVER response regardless of
-   whether the new SIG RR(s) were sent in the original response.  One is
-   to provide an indication to the operators of the zone in the event
-   someone is trying to hijack the zone.  Another is that this maximizes
-   the probability of the response getting through.
-
-   Although the parent zone need not hold or serve the child's key, if
-   it does the ROLLOVER command REQUEST SHOULD NOT automatically update
-   the parent zone.  A later UPDATE command can be used to actually put
-   the new KEY into the parent zone if desired and supported by parent
-   policy.
-
-   This document does not cover the question of parental policy on key
-   rollovers.  Parents may have restrictions on how far into the future
-   they will sign KEY RRsets, what algorithms or key lengths they will
-   support, might require payment for the service, etc.  The signing of
-   a future KEY by a parent is, to some extent, a granting of future
-   authoritative existence to the controller of the child private key
-   even if the child zone ownership should change.  The only effective
-   way of invalidating such future signed child public keys would be for
-   the parent to roll over its key(s), which might be an expensive
-   operation.
-
-
-
-3.2 Rollover to Children
-
-   When a secure zone is going to rollover its key(s), it needs to re-
-   sign the zone keys of any secure children under its new key(s).  The
-   parent simply notifIES the child via a rollover NOTIFY [RFC 1996]
-
-
-D. Eastlake 3rd, M. Andrews                                     [Page 6]
-
-
-
-INTERNET-DRAFT                 April 1999            DNSSEC Key Rollover
-
-
-   that the parent KEY(s) have changed.  The child then proceeds to do
-   an upward ROLLOVER request, as described in 3.1 above to obtain the
-   new parental SIG(s).
-
-   A rollover NOTIFY is a NOTIFY request [RFC 1996] that has a QTYPE of
-   SIG and the owner name of the child zone.  The answer section has the
-   current parent SOA signed by a key the child will know (see section
-   4).
-
-   A rollover NOTIFY MUST be signed and if not signed a BADAUTH response
-   generated. The signature MUST be under the previous parental zone
-   KEY, so the child can validate it, or under a valid TSIG key [draft-
-   ietf-dnsind-tsig-*.txt] negotiated between parent and child.
-
-   The rollover NOTIFY can be sent to any of the nameservers for the
-   child using the nameserver selection algorithm defined in RFC 2136,
-   Section 4.  Nameservers for the child zone receiving a rollover
-   NOTIFY query will forward the rollover NOTIFY in the same manner as
-   an UPDATE is forwarded.
-
-   Unless the master server is configured to initiate an automatic
-   ROLLOVER it MUST seek to inform its operators that a rollover NOTIFY
-   request has been received.  This could be done by a number of methods
-   including generating a log message, generating an email request to
-   the child zone's SOA RNAME or any other method defined in the
-   server's configuration for the zone.  The default SHOULD be to send
-   mail to the zone's SOA RNAME.  As with all rollover operations, care
-   should be taken to rate limit these messages so prevent them being
-   used to facilitate a denial of service attack.
-
-   Once the message has been sent (or suppressed if so configured) to
-   the child zone's administrator the master server for the child zone
-   is free to respond to the rollover NOTIFY request.
-
-
-
-4. Secure Zone Cuts and Joinders
-
-   There are two other events that have some similarity to key rollover.
-
-   The first is when a secure zone the is more than one level deep has a
-   zone cut introduced inside it.  For example, assume zone example.com
-   has a.b.c.example.com, d.b.c.example.com and e.example.com in it.  A
-   zone cut could be introduced such that b.c.example.com became a
-   separate child zone of example.com.  A real world exampe would be a
-   company that structures its DNS as host.branch.company.example.  It
-   might start out will all of these names in one zone but later decide
-   to delegate all or some of the branches to branch zone file
-   maintainers.
-
-
-
-D. Eastlake 3rd, M. Andrews                                     [Page 7]
-
-
-
-INTERNET-DRAFT                 April 1999            DNSSEC Key Rollover
-
-
-   The second is when a secure zone absorbs a child zone eliminating a
-   zone cut.  This is simply the inverse of the previous paragraph.
-
-   From the point of view of the parent zone above the splitting zone or
-   above the upper of the two combining zones, there is no change.
-
-   When a zone is split by introducing a cut, the newly created child
-   must be properly configured.
-
-   However, from the point of view of a child of the splitting zone
-   which becomes a grandchild or a grandchild that becomes a child due
-   to joinder, there is a change in parent name.  Therefore, in general,
-   there is a change in parent KEY(s).  Unless the entity that handles
-   rollovers for the zone whose parent name has changed is appropriately
-   updated, future automated rollover will fail because it will be sent
-   to the old parent.
-
-   For this reason and so that other consistency checks can be made, the
-   parent SOA and SIG(SOA) are always included in the Answer section of
-   rollover NOTIFY requests and in ROLLOVER responsess.  For automated
-   rollover to the new cut or joined state to work, these SOAs must be
-   signed with old KEY(s) of the former parent so the signatures can be
-   validated by the zone whose parent name is changing.  In the case of
-   a joinder, if the private key of the pinched out middle zone is not
-   available, then manual update of the former grandchild, now child,
-   will be necessary.  In the case of introducing a cut, operational
-   coordination with the former parent, now grandparent, signing the
-   initial updates to the former child, now grandchild, will be needed
-   to automate the reconfiguration of the zones.
-
-
-
-5. Security Considerations
-
-   The security of ROLLOVER or UPDATE requests is essential, otherwise
-   false children could steal parental authorization or a false parent
-   could cause a child to install an invalid signature on its zone key,
-   etc.
-
-   A ROLLOVER request can be authenticated by request SIG(s)under the
-   old zone KEY(s) of the requestor [RFC 2535].  The response SHOULD
-   have transaction SIG(s) under the old zone KEY(s) of the responder.
-   (This public key security could be used to rollover a zone to the
-   unsecured state but at that point it would generally not be possible
-   to roll back without manual intervention.)
-
-   Alternatively, if there is a prior arrangement between a child and a
-   parent, ROLLOVER requests and responses can be secured and
-   authenticated using TSIG [draft-ietf-dnsind-tsig-*.txt].  (TSIG
-   security could be used to rollover a zone to unsecured and to
-
-
-D. Eastlake 3rd, M. Andrews                                     [Page 8]
-
-
-
-INTERNET-DRAFT                 April 1999            DNSSEC Key Rollover
-
-
-   rollover an unsecured zone to the secured state.)
-
-   A server that implements online signing SHOULD have the ability to
-   black list a zone and force manual processing or demand that a
-   particular signature be used to generate the ROLLOVER request.  This
-   it to allow ROLLOVER to be used even after a private key has been
-   compromised.
-
-
-
-6. IANA Considerations
-
-   The DNS operation code (TBD) is assigned to ROLLOVER.  There are no
-   other IANA considerations in this document.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd, M. Andrews                                     [Page 9]
-
-
-
-INTERNET-DRAFT                 April 1999            DNSSEC Key Rollover
-
-
-References
-
-   [RFC 1034] - "Domain names - concepts and facilities", P.
-   Mockapetris, 11/01/1987.
-
-   [RFC 1035] - "Domain names - implementation and specification", P.
-   Mockapetris, 11/01/1987.
-
-   [RFC 1996] - "A Mechanism for Prompt Notification of Zone Changes
-   (DNS NOTIFY)", P. Vixie, August 1996.
-
-   [RFC 2119] - "Key words for use in RFCs to Indicate Requirement
-   Levels", S.  Bradner. March 1997.
-
-   [RFC 2136] - "Dynamic Updates in the Domain Name System (DNS
-   UPDATE)", P. Vixie, Ed., S. Thomson, Y. Rekhter, J. Bound. April
-   1997.
-
-   [draft-ietf-dnsind-tsig-*.txt]
-
-   [RFC 2535] - "Domain Name System Security Extensions", D. Eastlake.
-   March 1999.
-
-   [RFC 2541] - "DNS Security Operational Considerations", D. Eastlake.
-   March 1999.
-
-
-
-Authors Address
-
-   Donald E. Eastlake 3rd
-   IBM
-   65 Sindegan Hill Road, RR #1
-   Carmel, NY 10512
-
-   Telephone:   +1 914-276-2668 (h)
-                +1 914-784-7913 (w)
-   FAX:         +1 914-784-3833 (w)
-   EMail:       dee3@us.ibm.com
-
-
-   Mark Andrews
-   Internet Software Consortium
-   1 Seymour Street
-   Dundas Valley, NSW 2117
-   AUSTRALIA
-
-   Telephone:   +61-2-9871-4742
-   Email:       marka@isc.org
-
-
-
-D. Eastlake 3rd, M. Andrews                                    [Page 10]
-
-
-
-INTERNET-DRAFT                 April 1999            DNSSEC Key Rollover
-
-
-Expiration and File Name
-
-   This draft expires in October 1999.
-
-   Its file name is draft-ietf-dnsind-rollover-00.txt.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd, M. Andrews                                    [Page 11]
-
-
diff --git a/doc/draft/draft-ietf-dnsind-rollover-01.txt b/doc/draft/draft-ietf-dnsind-rollover-01.txt
new file mode 100644
index 00000000..d09a2ded
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsind-rollover-01.txt
@@ -0,0 +1,5 @@
+This Internet-Draft has expired and is no longer available.
+
+Unrevised documents placed in the Internet-Drafts directories have a
+maximum life of six months. After that time, they must be updated, or
+they will be deleted. This document was deleted on March 20, 2000.
diff --git a/doc/draft/draft-ietf-dnsind-sec-rr-00.txt b/doc/draft/draft-ietf-dnsind-sec-rr-00.txt
deleted file mode 100644
index 81ab5155..00000000
--- a/doc/draft/draft-ietf-dnsind-sec-rr-00.txt
+++ /dev/null
@@ -1,663 +0,0 @@
-DNSIND WG                                           Edward Lewis
-INTERNET DRAFT                                      NAI Labs
-Category: I-D                                       Jerry Scharf
-                                                    ISC
-                                                    Olafur Gudmundsson
-                                                    NAI Labs
-                                                    June 25, 1999
-                       The SEC Resource Record
-                   <draft-ietf-dnsind-sec-rr-00.txt>
-
-Status of this Memo
-
-This document is an Internet-Draft and is in full conformance with all
-provisions of Section 10 of RFC2026.
-
-Internet-Drafts are working documents of the Internet Engineering Task
-Force (IETF), its areas, and its working groups.  Note that other
-groups may also distribute working documents as Internet- Drafts.
-
-Internet-Drafts are draft documents valid for a maximum of six months
-and may be updated, replaced, or obsoleted by other documents at any
-time.  It is inappropriate to use Internet-Drafts as reference
-material or to cite them other than as "work in progress."
-
-The list of current Internet-Drafts can be accessed at
-http://www.ietf.org/ietf/1id-abstracts.txt
-
-The list of Internet-Draft Shadow Directories can be accessed at
-http://www.ietf.org/shadow.html.
-
-Comments should be sent to the authors or the DNSIND WG mailing list
-namedroppers@internic.net.
-
-This draft expires on December 25, 1999.
-
-Copyright Notice
-
-Copyright (C) The Internet Society (1999).  All rights reserved.
-
-Abstract
-
-A new DNS reseource record, the SECurity RR, is defined to address
-concerns about the parent zone's holding of the child zone's KEY RR
-set.  These concerns are addressed in a manner that retains the
-information needed by a secure resolver when asking a parent zone
-about the child zone.  This proposal updates RFC 2535 and RFC 2181.
-
-1. Introduction
-
-DNS security extensions require a signed zone to hold KEY RR sets for
-each of its delegations.  This requirement has four negative
-implications for the top level domains, which, for the most part,
-consist of delegation points.  (These issues also impact other
-delegating zones, these problems are not unique to the TLDs.)
-Addressing these concerns by removing the requirement for the KEY RR
-in the parent has an adverse effect on secure resolution of DNS
-
-Expires December 25, 1999                                   [Page  1]
-Internet Draft                                          June 25, 1999
-
-signatures.  A new DNS reseource record, the SECurity RR, is defined
-to address these concerns.
-
-The Zone Key Referral, described in another draft by the same authors,
-is one proposed response to the concerns about parent's holding child
-keys.  However, that proposal has two drawbacks.  One, it results in
-two KEY RR sets at a delegation, one in the parent and one in the
-child, which differ.  It also does not address the expression of
-security parameters, such as whether or not the child zone uses the
-NXT record (which is currently mandatory).
-
-This document will begin by repeating the arguments against the
-holding of keys at the parent as presented in the Zone Key Referral.
-The document will then present the need for information about the
-child to be held in parent.  Following this, the SEC RR will be
-defined, its master file representation discussed, and implications on
-name servers.
-
-(Editorial note.  Sections 1.1 through 1.5 are copied nearly verbatim
-from the Zone Key Referral so that retirement of that draft will not
-cause a problem.)
-
-1.1 Reasons for removing the KEY data from the parent
-
-There are a number of different reasons for the removal of the KEY RR
-from the parent.  Reasons include:
-
-  o the performance impact that holding keys has on name servers
-  o the problem of updating a widely delegated parent zone on demand
-  o statements in RFC 2181 on authoritative data at delegations
-  o perceived liability of the operator of a name server or registry
-
-1.2 Performance Issues
-
-A sample zone will be used to illustrate the problem.  The example
-will part from reality mostly in the length of zone names, which
-changes the size of the owner and resource record data fields.
-
-Expires December 25, 1999                                   [Page  2]
-Internet Draft                                          June 25, 1999
-
-        # $ORIGIN test.
-        # @         IN SOA   <SOA data>
-        #           IN SIG   SOA <by test.>
-        #           IN KEY   <1024 bit zone key>
-        #           IN SIG   KEY <by test.>
-        #           IN SIG   KEY <by .>
-        #           IN NS    ns.test.
-        #           IN SIG   NS <by test.>
-        #           IN NXT   my-org.test. NS SOA SIG KEY NXT
-        #           IN SIG   NXT <by test.>
-        #
-        # my-org    IN KEY   <1024 bit zone key>
-        #           IN KEY   <1024 bit zone key>
-        #           IN SIG   KEY <by test.>
-        #           IN NS    ns1.my-org.test.
-        #           IN NS    ns2.my-org.test.
-        #           IN NXT   that-org.test. NS SIG KEY NXT
-        #           IN SIG   NXT <by test.>
-        #
-        # that-org  IN KEY   0xC100 3 255
-        #           IN SIG   KEY <by test.>
-        #           IN NS    ns1.that-org.test.
-        #           IN NS    ns2.that-org.test.
-        #           IN NXT   test. NS SIG KEY NXT
-        #           IN SIG   NXT <by test.>
-
-In this zone file, "my-org" is a delegation point of interest with two
-registered public keys.  Presumably, one key is for signatures
-generated currently and the other is for still living and valid but
-older signatures.  "that-org" is another delegation point, with a NULL
-key.  This signifies that this zone is unsecured.
-
-To analyze the performance impact of the storing of keys, the number
-of bytes used to represent the RRs in the procotol format is used.
-The actual number of bytes stored will likely be higher, accounting
-for data structure overhead and alignment. The actual number of bytes
-transferred will be lower due to DNS name compression.
-
-The number of bytes for my-org's two 1024-bit keys, two NS records,
-NXT and the associated signatures is 526.  (1024 bit RSA/MD5 keys were
-used for the calculation.)  The bytes needed for that-org (with the
-NULL key) is 346.  Currently, there are close to 2 million entries in
-com., so if we take my-org as a typical domain, over 1GB on memory
-will be needed for com.  The zone keys used in the example are set to
-1024 bits.  This number may range from as low as 512 bits upwards to
-over 3000 bits.
-
-The increased size of the data held for the zone cuts will have two
-impacts at the transport and below layers.  Bandwidth beyond that
-currently needed will be used to carry the KEY records. The inclusion
-of all of the child's keys will also push DNS over the UDP size limit
-and start using TCP - which could cause critical problems for current
-
-Expires December 25, 1999                                   [Page  3]
-Internet Draft                                          June 25, 1999
-
-heavily used name servers, like the root and TLD name servers.  EDNS0
-[RFC-to-be] addresses expansion of UDP message size, which alleviates
-this problem.
-
-Another impact, not illustrated by the example, is the frequency of
-updates.  If each time a public key for my-org is added or deleted,
-the SOA serial number will have to increase, and the SOA signed again.
-If an average zone changes the contents of its key RR set once per
-month, there will be on average 45 updates per minute in a zone of 2
-million delegations.  (This estimate does not address the fact that
-signatures also expire, requiring a new signing of the zone
-periodically.)
-
-1.3 Security Incident Recovery (w/ respect to keys only)
-
-Once a zone administrator is alerted that any key's private
-counterpart has been discovered (exposed), the first action to be
-taken is to stop advertising the public key in DNS.  This doesn't end
-the availability of the key - it will be residing in caches and given
-in answers from those caches - but is the closest action resembling
-revokation available in DNS.
-
-Stopping the advertisement in the zone's name servers is as quick as
-altering the master file and restarting the name server.  Having to do
-this in two places will will only delay the time until the recovery is
-complete.
-
-For example, a registrar of a top level domain has decided to update
-its zone only on Mondays and Fridays due to the size of the zone.  A
-customer/delegatee is the victim of a break in, in which one of the
-items taken is the file of private keys used to sign DNS data. If this
-occurs on a Tuesday, the thief has until Friday to use the keys before
-they disappear from the DNS, even if the child stops publishing them
-immediately.
-
-If the public key set is in the parent zone, and the parent zone is
-not able to make the change quickly, the public key cannot be revoked
-quickly.  If the parent only refers to there being a key at the child
-zone, then the child has the agility to change the keys - even issue a
-NULL key, which will force all signatures in the zone to become
-suspect.
-
-1.4 DNS Clarifications
-
-RFC 2181, section 6, clarifies the status of data appearing at a zone
-cut.  Data at a zone cut is served authoritatively from the servers
-listed in the NS set present at the zone cut.  The data is not
-(necessarily) served authoritatively from the parent. (The exception
-is in servers handling both the parent and child zone.)
-
-Section 6 also mentions that there are two exceptions created by
-DNSSEC, the NXT single record set and the KEY set.  This proposal
-addresses the exception relating to the KEY set, by removing the set
-
-Expires December 25, 1999                                   [Page  4]
-Internet Draft                                          June 25, 1999
-
-from the parent.  The SEC RR is introduced and belongs in the parent
-zone, there is no counterpart in the child (at the apex).
-
-1.5 Liability
-
-Liability is a legal concept, so it is not wise to attempt an
-engineering solution to it.  However, the perceived liability incurred
-in using DNSSEC by registrars may prevent the adoption of DNSSEC.
-Hence DNSSEC should be engineered in such a way to address the
-concern.
-
-One source of liability is the notion that by advertising a public key
-for a child zone, a parent zone is providing a service of security.
-With that comes responsibility.  By having the parent merely indicate
-that a child has a key (or has no key), the parent is providing less
-in the way of security.  If the parent is wrong, the potential loss is
-less.  Instead of falsely authenticated data, configuration errors
-will be apparent to the resolving client.
-
-Whether or not the KEY RR remains advertised in the parent zone or the
-SEC RR is in place, the parent zone administrators still have to
-adhere to proper key handling practices, which are being documented in
-DNSOP draft.  In particular, the parent has to be sure that the keys
-it is signing for a child have been submitted by the true
-administrator of the the child zone, and not submitted by an imposter.
-
-1.6 The needs of the resolver
-
-Now that the reasons for removing the child's keys from the parent
-zone have been presented, reasons why something must take their place
-are presented.  A "secure" resolver is a DNS resolver that receives an
-answer and, if a signature arrives, verifies the signature.  Most
-often, this operation will happen in resolvers that are part of name
-servers, as opposed to general purpose hosts.
-
-The first step in authenticating a DNS response is to see if the data
-is accompanied by a signature.  There are five possible outcomes.
-Three results are not desirable, a signature may arrive but shouldn't,
-no signature arrives but should,  or a signature arrives but uses the
-wrong cryptographic algorthm  Two outcomes can be considered
-successful, a signature arriving with the correct algorithm or no
-signature arrives and shouldn't.  (There is one other case - a
-signature generated with an inappropriate key - which is a matter
-beyond the scope of this draft.)
-
-Since the resolver can not instantly know whether a signature is
-expected, the resolver must start a discovery process.  This process
-can be done by the resolver querying zones between the root and the
-desired domain for information about the next successive zones.
-(Optimizing this search is not presented here.)  For this search to be
-successful, the parent must hold something that indicates the status
-of the child's security, so the resolver may search with certainty.
-While refraining from using the word "policy" to describe the data,
-the phrase "security parameters" is used.
-
-Expires December 25, 1999                                   [Page  5]
-Internet Draft                                          June 25, 1999
-
-The security parameters of a zone are not entirely defined yet, and
-will remain open until a critical mass of operations experience is
-gained.  Initially, the following information is known to be needed.
-
-The set of algorithms in use by the zone.
-KEY RRs and SIG RRs have protocol fields indicating how the key is
-made.  For now, two are in distribution, a value of 1 for RSA/MD5 and
-3 for DSA.  Unfortunately, the value are numeric in 8 bits, so a
-bitmap representation cannot be used.
-
-The mechanism for negative answers.
-Currently, the NXT is mandatory, liked by some administrators and
-disliked by other administrators.  NXTs cannot be made optional, doing
-so makes them obsolete.  (An attacker can make the responses look like
-a zone doesn't use NXTs, even if the zone does.)  If the choice of NXT
-or no NXT can be securely indicated, then this is solved.  There have
-been discussions on alternatives to the NXT record.  By allowing a
-zone to indicate the style of negative answer in use, alternatives can
-be installed in experimental zones.
-
-Signature policy.
-This is an untested issue.  Expressing a policy, such as whether
-multiple algorithms are used, whether verification of one signature
-needed or all signatures, etc., has not been fully studied.
-
-2. The SEC RR
-
-The SEC RR is a record that describes the DNS security parameters of
-the owner.  The owner MUST also have an NS RR set, i.e., the owner
-MUST be a cut point.  A signed zone MUST have a SEC RR set for each
-delegation point.
-
-    0                   1                   2                   3
-    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   |   Negative Answer Bitmap      |                               |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
-   |                                                               |
-   ~                     Security Parameters                       ~
-   |                                                               |
-   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-                       The RDATA of the SEC RR
-
-The SEC RR RDATA contains two data fields.  One is a 16-bit field
-acting as a bitmap to indicate the means used to signify a negative
-answer.  The other field is an unbounded field of option-value pairs
-indicating other salient settings for the zone.  The latter field is
-not padded to any particular byte boundary.
-
-The SEC RR is answered authoritatively from the parent zone, and is
-signed by the parent.  A properly configured delegation point in the
-parent would have just an SEC RR, records used for negative answering,
-and a glue NS set.  The corresponding point in the child (the zone's
-apex) would have the SOA, KEY set, NS records, negative answer
-
-Expires December 25, 1999                                   [Page  6]
-Internet Draft                                          June 25, 1999
-
-records, and other desired and legal RR sets.  SIG RR's appear in both
-the parent and child side of the delegation.
-
-There is no other special processing of the SEC RR set.  It is used in
-a reply as an answer when it is the subject of a direct query (QTYPE
-IS SEC) or when a QTYPE=ANY reaches the delegating zone.  If a name
-server is authoritative for both the parent and child, the SEC is
-included in the ANY reply for the delegation point.
-
-(Editorial note: this region is in particular need of careful review.)
-
-The SEC RR for a name SHOULD be supplied optionally in the additional
-data section if the CD bit is not set whenever a zone's NS or KEY set
-is requested.  If a request for a KEY set is sent to a parent-only
-server and the server is not recursive, the server should add the SEC
-record to the additional section of the referral message.
-
-If a name server authoritative for a child zone is asked for its SEC
-RR and the server has never learned the SEC RR (whether through
-caching the record or by also loading the parent zone), the server MAY
-answer with a negative answer.  The resolver seeking a SEC RR SHOULD
-know to ask for this from a parent-serving name server.
-
-2.1 Negative Answer Bitmap
-
-The Negative Answer Bitmap indicates the mechanism for use in denying
-the existance of data.  The bitmap is 16 bits, the most significant
-bit called 0, least significant is 15.
-
-   Bit  0 = The parent doesn't know what the child uses (1=Yes)
-   Bit  1 = The child signs its negative answers (1=Yes)
-   Bit  2 = The child follows traditional DNS rules (1=yes)
-   Bit  3 = The child uses the NXT record (1=yes)
-   Bit 14 = The child uses a locally defined mechanism (1=yes)
-   Bit 15 = The length of the bit field has been extended (1=yes)
-
-Bits 4 through 14 are currently unassigned, and are under the purview
-of IANA.  Bit 15 MUST BE zero.  (This specification must be
-superceeded to define an extension mechanism.)
-
-A zone may use multiple mechanisms to indicate a negative answer.  A
-zone SHOULD expect that a resolver finding any one of the mechanisms
-used in a reply indicates a negative answer, i.e. the mechanisms are
-OR'd together.
-
-The only illegal values for this bit field are:
-   Bit 0 = 1 and any other bit turned on
-   Bit 0 = 0, Bit 1 = 1, and no other bit turned on
-   Bit 15 = 1
-
-2.1.1 Bit 0 (Better titles will be attached later)
-
-The situation in which this bit is on should not arise, but it is
-defined to be safe.  The philosophy behind this is that security
-
-Expires December 25, 1999                                   [Page  7]
-Internet Draft                                          June 25, 1999
-
-parameters should always be made explicit, including when a sitation
-is unclear.
-
-2.1.2 Bit 1
-
-This bit indicates that the child attachs SIG records to the resource
-records used in the negative answer.  For example, this may indicate
-that the reslover should expect to see a SIG (NXT) when an NXT is
-returned.
-
-2.1.3 Bit 2
-
-The child will answer with an SOA or any of the other means used in
-the past to indicate a negative answer.  (I think a reference to the
-negative answer/cache document should go here.)
-
-2.1.4. Bit 3
-
-The child uses the NXT as defined in RFC 2535.  This document declares
-that the use of the NXT is optional, a deviation from RFC 2535.
-
-2.1.5 Bit 14
-
-The child is using a mechanism that is not globally defined.  A zone
-should be in such a state for only experimental reasons and realize
-that in this state, the negative answers it gives may not be useful to
-the general population of resolvers.
-
-2.1.6 Bit 15
-
-As of this specification, this bit must be 0 (zero).
-
-2.1.7 Unallocated bits
-
-The remainder of the bits must also be zero.  A procedure will be
-defined for allocating them.
-
-2.2 Security Parameters
-
-The Security parameters is a sequence of options and values.  An
-option is a numeric indicatior of the parameter.  The value is usually
-either a yes or no, or a enumerated value.  In rare instances, an
-option may require variable length data, in this case a triplet of
-option-length-value is used.  The presence of the length field is
-indicated by the most significant bit in the option field being 1.
-Due to the nature of the SEC RR, the length field is not commonly
-used.
-
-The option field is 8 bits.  The most significant bit of the options
-field is turned on if there is a length field.  The value field is
-also 8 bits.  If the option-length-value is needed, the length is 8
-bits and contains the number of octets comprising the value.  No
-padding is used.
-
-Expires December 25, 1999                                   [Page  8]
-Internet Draft                                          June 25, 1999
-
-An option may appear multiple times in the Security Parameters.  The
-sequencing of the options is not significant.  If two options
-
-contradict each other, this is an error, and is noted by the resolver.
-A self-contradictory SEC RR is a security error and data from the zone
-covered by it SHOULD be considered at risk.
-
-Option Values are
-          0            Reserved
-          1            Zone is unsigned
-          2            Key Algorithm in use
-          3            Signing policy
-      0x70-0x7F      Locally defined (no length field)
-      0xF0-0xFF      Locally defined (uses length field)
-
-All unassigned option values are under the control of IANA.  Values 0
-to 127 do not use the length field, values 128 to 255 do use the
-length field.  The option value is to be treated as unsigned.
-
-2.2.1 Option 0
-
-This option is reserved for future definition.
-
-2.2.2 Option 1
-
-The parent has not signed a KEY RR for the child, therefore the child
-zone has no DNSSEC approved signing keys.  If this option is not
-present, then the resolver SHOULD assume that there are zone keys in
-the child zone.
-
-If the value of this is non-zero, this assertion is true.  If the
-value is zero, this assertion is false.  If the parent has signed keys
-for the child, the value is zero, however, in this case, the parent
-SHOULD NOT include this option in the security parameters.
-
-It is tempting to exclude an unsigned zone option from this list,
-relying on the absence of any in use key algorithms (option 2) to
-imply that the zone is unsigned.  The unsigned option is included to
-make this information explicit, so that when analyzing a running zone,
-it is obvious to an administrator that a zone is unsigned.
-
-2.2.3 Option 2
-
-The parent has signed a key for the child which claims a particular
-algorithm.  This value field is equal to that of the algorithm field
-of the triggering KEY RR.
-
-Option 2 can be repeated for different algorithms.  It is not
-necessary to have multiple Option 2 entries with the same key
-algorithm value.
-
-If Option 1 and Option 2 appear in the same SEC RR, this is a
-self-contradictory record.  If neither Option 1 nor Option 2 appear,
-this also constitues a self-contradictory record.
-
-Expires December 25, 1999                                   [Page  9]
-Internet Draft                                          June 25, 1999
-
-2.2.4 Option 3
-
-The child has the option to require that all material signatures
-(those generated by DNSSEC-approved signing keys) must be validated
-(within any temporal constraints) for the data to be considered valid.
-The child may instead require that just one of the signatures be
-validated.  This may be a reflection of the manner in which a zone's
-administration is shared amongst organizations.
-
-If Option 3 is not present (and Option 2 is), the resolver SHOULD
-assume that ALL (temporally valid) signatures are required.  If the
-parent includes at least one Option 2, it SHOULD specify an Option 3,
-with a value indicated by the child.
-
-Values for Option 3 are
-          0            Reserved
-          1            All signatures are required
-          2            One signature is required
-        256            Locally defined
-
-All remaining values are under the control of IANA.
-
-(Editorial note: whether the assumption that all signatures are
-necessary or just one is sufficient in the absence of this option is
-open to WG debate.)
-
-2.2.5 Options 0x70-0x7F
-
-This option is reserved for an organization to use locally, in an
-experimental fashion.  This option does not use the length field.
-Global interpretation of this option is undefined.
-
-2.2.6 Options 0xF0-0xFF
-
-This option is reserved for an organization to use locally, in an
-experimental fashion.  This option uses the length field. Global
-interpretation of this option is undefined.
-
-3. Master File Representation
-
-The SEC RR fields are to be represented as hexidecimal fields, with a
-preceeding '0x', or in decimal format.  Hexidecimal SHOULD be used.
-
-For example, the SEC RR representing a zone that use signed NXT
-records, and has one or more DSA keys, one or more RSA keys, and
-requires that just one signature be verified would be:
-
-myzone.test.   3500 IN SEC 0x5000 0x0201 0203 0302
-
-(0x020102030302 is one field, hence one 0x prefix.)
-
-Hex values for the security parameters MAY BE separated by
-whitespace, as shown.  DNS data display routines SHOULD substitute
-
-Expires December 25, 1999                                   [Page 10]
-Internet Draft                                          June 25, 1999
-
-mnemonics for these values, but MUST write the numeric form in master
-files.
-
-4. Signature Policy
-
-The SEC RR must be signed by one or more zone keys of the parent
-(delgating) zone, and the signatures must adhere to the parent's
-policy.
-
-The SEC RR for the root zone is the lone exception, it appears at the
-apex of the root zone, and must be signed sufficiently by the root's
-zone key or keys.
-
-5. Cache Considerations
-
-When a SEC RR set for a name is held in a cache, it will have a
-credibility rating indicating that the data came from the parent
-(unless the parent and child share servers).  When data about the same
-name arrives from the child, with a higher credibility, the newly
-arrived data MUST NOT cause the cache to remove the SEC RR.
-
-6. IANA Considerations
-
-IANA is requested to assign this RR an type parameter for DNS, and to
-assign the indicated option numbers and values when requests are
-approved.  The procedure for requesting new options and values will be
-defined in future versions of this specfication.
-
-7. Security Considerations
-
-This record is designed to address the concerns of securing delegation
-points and resolving the security of DNS answers.  This record is
-important to the security because it supplies needed information and
-eases the burden of security on the DNS.
-
-The SEC RR does require one piece of additional information not
-addressed to date to be communicated from the parent to the child.
-This is the signature policy.  This will be needed in the operations
-documents.
-
-Editorial Note: This document would benefit by a companion document
-describing the process of evaluating the signatures in DNS.  Such a
-document would provide clearer input to the security parameters field.
-
-8. Editorial Considerations
-
-Although somewhat detailed in this current description, this record is
-still in the formative state.  The -00 document has been quickly
-written to test the waters for interest.
-
-9. References
-
-RFC 2535 is the prime DNSSEC definition.  RFC 2181 is the Clarify
-document.  EDNS0 reference needed...
-
-Expires December 25, 1999                                   [Page 11]
-Internet Draft                                          June 25, 1999
-
-10. Acknowledgements
-
-This record is a successor to the Zone Key Referral, originally
-promoted by John Gilmore and Jerry Scharf.  A DNSSEC workshop
-sponsored by the NIC-SE in May 1999 provided the enlightenment that
-expanded the Zone Key Referral into the SEC RR proposal.
-
-11. Author's Addresses
-
-Edward Lewis                Jerry Scharf           Olafur Gudmundsson
-NAI Labs             Internet Software Consortium            NAI Labs
-3060 Washington Road        950 Charter St         3060 Washington Rd
-Glenwood, MD 21738      Redwood City, CA 94063     Glenwood, MD 21738
-+1 443 259 2352            +1 650 779 7060            +1 443 259 2389
-<lewis@tislabs.com>        <scharf@vix.com>        <ogud@tislabs.com>
-
-12. Full Copyright Statement
-
-Copyright (C) The Internet Society (1999).  All Rights Reserved.
-
-This document and translations of it may be copied and furnished to
-others, and derivative works that comment on or otherwise explain it
-or assist in its implmentation may be prepared, copied, published and
-distributed, in whole or in part, without restriction of any kind,
-provided that the above copyright notice and this paragraph are
-included on all such copies and derivative works.  However, this
-document itself may not be modified in any way, such as by removing
-the copyright notice or references to the Internet Society or other
-Internet organizations, except as needed for the purpose of
-developing Internet standards in which case the procedures for
-copyrights defined in the Internet Standards process must be
-followed, or as required to translate it into languages other than
-English.
-
-The limited permissions granted above are perpetual and will not be
-revoked by the Internet Society or its successors or assigns.
-
-This document and the information contained herein is provided on an
-"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
-TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
-BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
-HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
-MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
-
-Expires December 25, 1999                                   [Page 12]
diff --git a/doc/draft/draft-ietf-dnsind-sec-rr-01.txt b/doc/draft/draft-ietf-dnsind-sec-rr-01.txt
new file mode 100644
index 00000000..d09a2ded
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsind-sec-rr-01.txt
@@ -0,0 +1,5 @@
+This Internet-Draft has expired and is no longer available.
+
+Unrevised documents placed in the Internet-Drafts directories have a
+maximum life of six months. After that time, they must be updated, or
+they will be deleted. This document was deleted on March 20, 2000.
diff --git a/doc/misc/dnssec b/doc/misc/dnssec
new file mode 100644
index 00000000..949c44d8
--- /dev/null
+++ b/doc/misc/dnssec
@@ -0,0 +1,72 @@
+
+
+
+DNSSEC Release Notes
+
+
+
+This document summarizes the state of the DNSSEC implementation in
+this release of BIND9.
+
+
+Key generation and signing
+
+The tools for generating DNSSEC keys and signatures are now in the
+bin/dnssec directory.  Documentation for these programs can be found
+in doc/arm/Bv9ARM.4.html.
+
+The random data used in generating DNSSEC keys and signatures
+currently contains a significant pseudo-random component and is
+therefore not cryptographically strong.  We do not recommend that keys
+generated by the key generation tools in this distribution be used in
+production.
+
+
+Serving secure zones
+
+When acting as an authoritative name server, BIND9 includes KEY, SIG
+and NXT records in responses as specified in RFC2535.
+
+Response generation for wildcard records in secure zones is not fully
+supported.  Responses indicating the nonexistence of a name include a
+NXT record proving the nonexistence of the name itself, but do not
+include any NXT records to prove the nonexistence of a matching
+wildcard record.  Positive responses resulting from wildcard expansion
+do not include the NXT records to prove the nonexistence of a
+non-wildcard match or a more specific wildcard match.
+
+
+Secure resolution
+
+Basic support for validation of DNSSEC signatures in responses has
+been implemented but should still be considered experimental.
+
+When acting as a caching name server, BIND9 is capable of performing
+basic DNSSEC validation of positive as well as nonexistence responses.
+This functionality is enabled by including a "trusted-keys" clause
+in the configuration file, containing the top-level zone key of the
+the DNSSEC tree.
+
+Validation of wildcard responses is not currently supported.  In
+particular, a "name does not exist" response will validate
+successfully even if it does not contain the NXT records to prove the
+nonexistence of a matching wildcard.
+
+Proof of insecure status for insecure zones delegated from secure
+zones has been partially implemented but should not yet be expected to
+work in all cases.
+
+Handling of the CD bit in queries is not yet fully implemented;
+validation is currently attempted for all recursive queries, even if
+CD is set.
+
+
+Secure dynamic update
+
+Dynamic update of secure zones has been implemented, but may not be
+complete.  Affected NXT and SIG records are updated by the server when
+an update occurs.  Advanced access control is possible using the
+"update-policy" statement in the zone definition.
+
+
+$Id: dnssec,v 1.2 2000/05/23 16:41:25 gson Exp $
diff --git a/doc/misc/ipv6 b/doc/misc/ipv6
new file mode 100644
index 00000000..eb5d541e
--- /dev/null
+++ b/doc/misc/ipv6
@@ -0,0 +1,98 @@
+
+Currently, there are multiple interesting problems with ipv6
+implementations on various platforms.  These problems range from not
+being able to use ipv6 with bind9 (or in particular the ISC socket
+library, contained in libisc) to listen-on lists not being respected,
+to strange warnings but seemingly correct behavior of named.
+
+
+COMPILE-TIME ISSUES
+-------------------
+
+The socket library requires a certain level of support from the
+operating system.  In particular, it must follow the advanced ipv6
+socket API to be usable.  The systems which do not follow this will
+currently not get any warnings or errors, but ipv6 will simply not
+function on them.
+
+These systems currently include, but are not limited to:
+
+	AIX 3.4 (with ipv6 patches)
+
+
+RUN-TIME ISSUES
+---------------
+
+In the original drafts of the ipv6 RFC documents, binding an ipv6
+socket to the ipv6 wildcard address would also cause the socket to
+accept ipv4 connections and datagrams.  When an ipv4 packet is
+received on these systems, it is mapped into an ipv6 address.  For
+example, 1.2.3.4 would be mapped into ffff::1.2.3.4.  The intent of
+this mapping was to make transition from an ipv4-only application into
+ipv6 easier, by only requiring one socket to be open on a given port.
+
+Later, it was discovered that this was generally a bad idea.  For one,
+many firewalls will block connection to 1.2.3.4, but will let through
+ffff::1.2.3.4.  This, of course, is bad.  Also, access control lists
+written to accept only ipv4 addresses were suddenly ignored unless
+they were rewritten to handle the ipv6 mapped addresses as well.
+
+In bind9, we always bind to the ipv6 wildcard port for both TCP and
+UDP, and specific addresses for ipv4 sockets.  This causes some
+interesting behavior depending on the system implementation of ipv6.
+
+
+IPV6 Sockets Accept IPV4, Specific IPV4 Addresses Bindings Fail
+---------------------------------------------------------------
+
+The only OS which seems to do this is linux.  If an ipv6 socket is
+bound to the ipv6 wildcard socket, and a specific ipv4 socket is
+later bound (say, to 1.2.3.4 port 53) the ipv4 binding will fail.
+
+What this means to bind9 is that the application will log warnings
+about being unable to bind to a socket because the address is already
+in use.  Since the ipv6 socket will accept ipv4 packets and map them,
+however, the ipv4 addresses continue to function.
+
+The effect is that the config file listen-on directive will not be
+respected on these systems.
+
+
+IPV6 Sockets Accept IPV4, Specific IPV4 Address Bindings Succeed
+----------------------------------------------------------------
+
+In this case, the system allows opening an ipv6 wildcard address
+socket and then binding to a more specific ipv4 address later.  An
+example of this type of system is Digital Unix with ipv6 patches
+applied.
+
+What this means to bind9 is that the application will respect
+listen-on in regards to ipv4 sockets, but it will use mapped ipv6
+addresses for any that do not match the listen-on list.  This, in
+effect, makes listen-on useless for these machines as well.
+
+
+IPV6 Sockets Do Not Accept IPV4
+-------------------------------
+
+On these systems, opening an IPV6 socket does not implicitly open any
+ipv4 sockets.  An example of these systems are NetBSD-current with the
+latest KAME patch, and other systems which use the latest KAME patches
+as their ipv6 implementation.
+
+On these systems, listen-on is fully functional, as the ipv6 socket
+only accepts ipv6 packets, and the ipv4 sockets will handle the ipv4
+packets.
+
+
+RELEVANT RFCs
+-------------
+
+2373:  IP Version 6 Addressing Architecture
+
+2553:  Basic Socket Interface Extensions for IPv6
+
+draft-ietf-ipngwg-rfc2292bis-01:  Advanced Sockets API for IPv6 (draft)
+
+
+$Id: ipv6,v 1.2 2000/05/23 22:42:00 gson Exp $
diff --git a/doc/misc/options b/doc/misc/options
index bd6e8c12..f27d06a9 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -5,28 +5,28 @@ options in BIND 9.
 
 Legend:
 
-  Yes       Implemented in this release.
+  Yes	    Implemented in this release.
 
-  No        Not implemented, may be implemented in a later release.
+  No	    Not implemented, may be implemented in a later release.
 
   Obsolete  Obsolete, not applicable to BIND 9, or just evil.  
-            Will not be implemented.
+	    Will not be implemented.
 
-  *         New in BIND 9.
+  *	    New in BIND 9.
 
-  + 	    The option is now always enabled.
+  +	    The option is now always enabled.
 
-  -         The option is now always disabled.
+  -	    The option is now always disabled.
 
-  %         The default value has changed since BIND 8.
+  %	    The default value has changed since BIND 8.
 
   @	    Semantics of certain pathological address match lists, in
 	    particular those involving double negation, have changed.  
 	    The new semantics are generally safer.  IPv6 addresses
-            are supported, but the predefined ACLs "localhost" and 
-            "localnets" match IPv4 addresses only.
+	    are supported, but the predefined ACLs "localhost" and 
+	    "localnets" match IPv4 addresses only.
 
-  #         BIND 9 accepts both LF and CRLF as end-of-line markers.
+  #	    BIND 9 accepts both LF and CRLF as end-of-line markers.
 
 
 options {
@@ -45,27 +45,28 @@ options {
   [ has-old-clients yes_or_no; ]			    Obsolete
   [ host-statistics yes_or_no; ]			    No
   [ multiple-cnames yes_or_no; ]			    Obsolete-
-  [ notify yes_or_no; ]					    No
+  [ notify yes_or_no; ]					    Yes
   [ recursion yes_or_no; ]				    Yes
   [ rfc2308-type1 yes_or_no; ]				    No
   [ use-id-pool yes_or_no; ]				    Obsolete+
   [ treat-cr-as-space yes_or_no; ]			    Obsolete#
-  [ also-notify { ip_addr; [ ip_addr; ... ] };		    No
+  [ also-notify { ip_addr; [ ip_addr; ... ] }; ]	    Yes
   [ forward ( only | first ); ]				    Yes
   [ forwarders { [ in_addr ; [ in_addr ; ... ] ] }; ]	    Yes
-  [ check-names ... ]				            No
+  [ check-names ... ]					    No
   [ allow-query { address_match_list }; ]		    Yes@
   [ allow-transfer { address_match_list }; ]		    Yes@
   [ allow-recursion { address_match_list }; ]		    Yes@
   [ blackhole { address_match_list }; ]			    No
   [ listen-on [ port ip_port ] { address_match_list }; ]    Yes@ (IPv4 only)
-  [ query-source .... ]                                     Yes
-  [ query-source-v6 .... ]                                  Yes*
+  [ query-source ... ]					    Yes
+  [ query-source-v6 ... ]				    Yes*
   [ lame-ttl number; ]					    No
   [ max-transfer-time-in number; ]			    Yes
   [ max-transfer-idle-in number; ]			    Yes*
   [ max-transfer-time-out number; ]			    Yes*
   [ max-transfer-idle-out number; ]			    Yes*
+  [ max-cache-ttl number; ]				    No*
   [ max-ncache-ttl number; ]				    No
   [ min-roots number; ]					    No
   [ serial-queries number; ]				    No
@@ -89,20 +90,22 @@ options {
   [ statistics-interval number; ]			    No
   [ topology { address_match_list }; ]			    No
   [ sortlist { address_match_list }; ]			    No
-  [ rrset-order { order_spec ; [ order_spec ; ... ] ] };    No
+  [ rrset-order { order_spec ; [ order_spec ; ... ] }; ]    No
   [ recursive-clients number; ]				    Yes*
   [ tcp-clients number; ]				    Yes*
+  [ tkey-domain ... ]					    Yes*
+  [ tkey-dhkey ... ]					    Yes*
 };
 
-acl 						            Yes@
+acl							    Yes@
 
-include                                                     Yes
+include							    Yes
 
 key							    Yes
 
-logging						            Yes
+logging							    Yes
 
-controls                                                    No
+controls						    No
 
 server ip_addr {
   [ bogus yes_or_no; ]					    No
@@ -111,13 +114,13 @@ server ip_addr {
   [ support-ixfr yes_or_no; ]				    Obsolete
   [ transfers number; ]					    Yes
   [ transfer-format ( one-answer | many-answers ); ]	    Yes
-  [ keys { key_id [key_id ... ] }; ]                        Yes
+  [ keys { key_id [key_id ... ] }; ]			    Yes
 };
 
-trusted-keys                                                No
+trusted-keys						    Yes
 
-zone domain_name [ ( in | hs | hesiod | chaos ) ] { 
-  type master;					            Yes
+zone "domain_name" [ ( in | hs | hesiod | chaos ) ] { 
+  type master;						    Yes
   file path_name;					    Yes
   [ forward ( only | first ); ]				    No
   [ forwarders { [ ip_addr ; [ ip_addr ; ... ] ] }; ]	    No
@@ -128,17 +131,17 @@ zone domain_name [ ( in | hs | hesiod | chaos ) ] {
   [ dialup yes_or_no; ]					    No
   [ max-transfer-time-out number; ]			    Yes*
   [ max-transfer-idle-out number; ]			    Yes*
-  [ notify yes_or_no; ]					    No
-  [ also-notify { ip_addr; [ ip_addr; ... ] };		    No
+  [ notify yes_or_no; ]					    Yes
+  [ also-notify { ip_addr; [ ip_addr; ... ] };		    Yes
   [ ixfr-base  path_name; ]				    Obsolete
   [ pubkey number number number string; ]		    No
 };
 
-zone domain_name [ ( in | hs | hesiod | chaos ) ] { 	    
+zone "domain_name" [ ( in | hs | hesiod | chaos ) ] {	    
   type stub;						    No
 };
 
-zone domain_name [ ( in | hs | hesiod | chaos ) ] { 	    
+zone "domain_name" [ ( in | hs | hesiod | chaos ) ] {	    
   type slave;						    Yes
   [ file path_name; ]					    Yes
   [ ixfr-base  path_name; ]				    Obsolete
@@ -157,17 +160,53 @@ zone domain_name [ ( in | hs | hesiod | chaos ) ] {
   [ max-transfer-idle-in number; ]			    Yes*
   [ max-transfer-time-out number; ]			    Yes*
   [ max-transfer-idle-out number; ]			    Yes*
-  [ notify yes_or_no; ]					    No
-  [ also-notify { ip_addr; [ ip_addr; ... ] };		    No
+  [ notify yes_or_no; ]					    Yes
+  [ also-notify { ip_addr; [ ip_addr; ... ] };		    Yes
   [ pubkey number number number string; ]		    No
 };
 
-zone domain_name [ ( in | hs | hesiod | chaos ) ] { 	    
+zone "domain_name" [ ( in | hs | hesiod | chaos ) ] {	    
   type forward;						    No
 };
 
-zone "." [ ( in | hs | hesiod | chaos ) ] { 		    
+zone "." [ ( in | hs | hesiod | chaos ) ] {		    
   type hint;						    Yes
   file path_name;					    Yes
   [ check-names ( warn | fail | ignore ); ]		    No
 };
+
+view "view_name" [ ( in | hs | hesiod | chaos ) ] {	    Yes*
+  match-clients { address_match_list };			    Yes*
+  [ zone ... ]						    Yes
+  [ auth-nxdomain yes_or_no; ]				    Yes
+  [ fetch-glue yes_or_no; ]				    No
+  [ notify yes_or_no; ]					    Yes
+  [ recursion yes_or_no; ]				    Yes
+  [ rfc2308-type1 yes_or_no; ]				    No
+  [ also-notify { ip_addr; [ ip_addr; ... ] }; ]	    No
+  [ forward ( only | first ); ]				    Yes
+  [ forwarders { [ in_addr ; [ in_addr ; ... ] ] }; ]	    Yes
+  [ check-names ... ]					    No
+  [ allow-query { address_match_list }; ]		    Yes
+  [ allow-transfer { address_match_list }; ]		    Yes
+  [ allow-recursion { address_match_list }; ]		    Yes
+  [ query-source ... ]					    Yes
+  [ query-source-v6 ... ]				    Yes
+  [ lame-ttl number; ]					    No
+  [ max-transfer-time-out number; ]			    Yes*
+  [ max-transfer-idle-out number; ]			    Yes*
+  [ max-ncache-ttl number; ]				    No
+  [ min-roots number; ]					    No
+  [ transfer-format ( one-answer | many-answers ); ]	    Yes
+  [ transfer-source ip_addr; ]				    Yes
+  [ transfer-source-v6 ip_addr; ]			    Yes*
+  [ request-ixfr yes_or_no; ]				    Yes*
+  [ provide-ixfr yes_or_no;]				    Yes*
+  [ cleaning-interval number; ]				    Yes
+  [ topology { address_match_list }; ]			    No
+  [ sortlist{ address_match_list }; ]			    No
+  [ rrset-order { order_spec ; [ order_spec ; ... ] }; ]    No
+  [ key ... ]						    No
+  [ server ... ]					    No
+  [ trusted-keys ... ]					    No
+};
diff --git a/doc/rfc/rfc952.txt b/doc/rfc/rfc952.txt
new file mode 100644
index 00000000..7df339a2
--- /dev/null
+++ b/doc/rfc/rfc952.txt
@@ -0,0 +1,340 @@
+Network Working Group                               K. Harrenstien (SRI)
+Request for Comments: 952                                 M. Stahl (SRI)
+                                                        E. Feinler (SRI)
+Obsoletes:  RFC 810, 608                                    October 1985
+
+                 DOD INTERNET HOST TABLE SPECIFICATION
+
+
+STATUS OF THIS MEMO
+
+   This RFC is the official specification of the format of the Internet
+   Host Table.  This edition of the specification includes minor
+   revisions to RFC-810 which brings it up to date. Distribution of this
+   memo is unlimited.
+
+INTRODUCTION
+
+   The DoD Host Table is utilized by the DoD Hostname Server maintained
+   by the DDN Network Information Center (NIC) on behalf of the Defense
+   Communications Agency (DCA) [See RFC-953].
+
+LOCATION OF THE STANDARD DOD ONLINE HOST TABLE
+
+   A machine-translatable ASCII text version of the DoD Host Table is
+   online in the file NETINFO:HOSTS.TXT on the SRI-NIC host.  It can be
+   obtained via FTP from your local host by connecting to host
+   SRI-NIC.ARPA (26.0.0.73 or 10.0.0.51), logging in as user =
+   ANONYMOUS, password = GUEST, and retrieving the file
+   "NETINFO:HOSTS.TXT".  The same table may also be obtained via the NIC
+   Hostname Server, as described in RFC-953.  The latter method is
+   faster and easier, but requires a user program to make the necessary
+   connection to the Name Server.
+
+ASSUMPTIONS
+
+   1. A "name" (Net, Host, Gateway, or Domain name) is a text string up
+   to 24 characters drawn from the alphabet (A-Z), digits (0-9), minus
+   sign (-), and period (.).  Note that periods are only allowed when
+   they serve to delimit components of "domain style names". (See
+   RFC-921, "Domain Name System Implementation Schedule", for
+   background).  No blank or space characters are permitted as part of a
+   name. No distinction is made between upper and lower case.  The first
+   character must be an alpha character.  The last character must not be
+   a minus sign or period.  A host which serves as a GATEWAY should have
+   "-GATEWAY" or "-GW" as part of its name.  Hosts which do not serve as
+   Internet gateways should not use "-GATEWAY" and "-GW" as part of
+   their names. A host which is a TAC should have "-TAC" as the last
+   part of its host name, if it is a DoD host.  Single character names
+   or nicknames are not allowed.
+
+   2. Internet Addresses are 32-bit addresses [See RFC-796].  In the
+
+
+Harrenstien & Stahl & Feinler                                   [Page 1]
+
+
+
+RFC 952                                                     October 1985
+DOD INTERNET HOST TABLE SPECIFICATION
+
+
+   host table described herein each address is represented by four
+   decimal numbers separated by a period.  Each decimal number
+   represents 1 octet.
+
+   3. If the first bit of the first octet of the address is 0 (zero),
+   then the next 7 bits of the first octet indicate the network number
+   (Class A Address).  If the first two bits are 1,0 (one,zero), then
+   the next 14 bits define the net number (Class B Address).  If the
+   first 3 bits are 1,1,0 (one,one,zero), then the next 21 bits define
+   the net number (Class C Address) [See RFC-943].
+
+      This is depicted in the following diagram:
+
+      +-+------------+--------------+--------------+--------------+
+      |0|  NET <-7-> |         LOCAL ADDRESS <-24->               |
+      +-+------------+--------------+--------------+--------------+
+
+      +---+----------+--------------+--------------+--------------+
+      |1 0|      NET  <-14->        |  LOCAL ADDRESS <-16->       |
+      +---+----------+--------------+--------------+--------------+
+
+      +-----+--------+--------------+--------------+--------------+
+      |1 1 0|            NET  <-21->               | LOCAL ADDRESS|
+      +-----+--------+--------------+--------------+--------------+
+
+   4. The LOCAL ADDRESS portion of the internet address identifies a
+   host within the network specified by the NET portion of the address.
+
+   5. The ARPANET and MILNET are both Class A networks.  The NET portion
+   is 10 decimal for ARPANET, 26 decimal for MILNET, and the LOCAL
+   ADDRESS maps as follows: the second octet identifies the physical
+   host, the third octet identifies the logical host, and the fourth
+   identifies the Packet Switching Node (PSN), formerly known as an
+   Interface Message Processor (IMP).
+
+      +-+------------+--------------+--------------+--------------+
+      |0|  10 or 26  |    HOST      | LOGICAL HOST |   PSN (IMP)  |
+      +-+------------+--------------+--------------+--------------+
+
+      (NOTE:  RFC-796 also describes the local address mappings for
+      several other networks.)
+
+   6. It is the responsibility of the users of this host table to
+   translate it into whatever format is needed for their purposes.
+
+   7. Names and addresses for DoD hosts and gateways will be negotiated
+   and registered with the DDN PMO, and subsequently with the NIC,
+
+
+Harrenstien & Stahl & Feinler                                   [Page 2]
+
+
+
+RFC 952                                                     October 1985
+DOD INTERNET HOST TABLE SPECIFICATION
+
+
+   before being used and before traffic is passed by a DoD host.  Names
+   and addresses for domains and networks are to be registered with the
+   DDN Network Information Center (HOSTMASTER@SRI-NIC.ARPA) or
+   800-235-3155.
+
+   The NIC will attempt to keep similar information for non-DoD networks
+   and hosts, if this information is provided, and as long as it is
+   needed, i.e., until intercommunicating network name servers are in
+   place.
+
+EXAMPLE OF HOST TABLE FORMAT
+
+   NET : 10.0.0.0 : ARPANET :
+   NET : 128.10.0.0 : PURDUE-CS-NET :
+   GATEWAY : 10.0.0.77, 18.10.0.4 : MIT-GW.ARPA,MIT-GATEWAY : PDP-11 :
+             MOS : IP/GW,EGP :
+   HOST : 26.0.0.73, 10.0.0.51 : SRI-NIC.ARPA,SRI-NIC,NIC : DEC-2060 :
+          TOPS20 :TCP/TELNET,TCP/SMTP,TCP/TIME,TCP/FTP,TCP/ECHO,ICMP :
+   HOST : 10.2.0.11 : SU-TAC.ARPA,SU-TAC : C/30 : TAC : TCP :
+
+SYNTAX AND CONVENTIONS
+
+   ; (semicolon)   is used to denote the beginning of a comment.
+                   Any text on a given line following a ';' is a
+                   comment, and not part of the host table.
+
+   NET             keyword introducing a network entry
+
+   GATEWAY         keyword introducing a gateway entry
+
+   HOST            keyword introducing a host entry
+
+   DOMAIN          keyword introducing a domain entry
+
+   :(colon)        is used as a field delimiter
+
+   ::(2 colons)    indicates a null field
+
+   ,(comma)        is used as a data element delimiter
+
+   XXX/YYY         indicates protocol information of the type
+                   TRANSPORT/SERVICE.
+
+      where TRANSPORT/SERVICE options are specified as
+
+         "FOO/BAR"       both transport and service known
+
+
+
+Harrenstien & Stahl & Feinler                                   [Page 3]
+
+
+
+RFC 952                                                     October 1985
+DOD INTERNET HOST TABLE SPECIFICATION
+
+
+         "FOO"           transport known; services not known
+
+         "BAR"           service is known, transport not known
+
+         NOTE:  See "Assigned Numbers" for specific options and acronyms
+         for machine types, operating systems, and protocol/services.
+
+   Each host table entry is an ASCII text string comprised of 6 fields,
+   where
+
+      Field 1         KEYWORD indicating whether this entry pertains to
+                      a NET, GATEWAY, HOST, or DOMAIN.  NET entries are
+                      assigned and cannot have alternate addresses or
+                      nicknames.  DOMAIN entries do not use fields 4, 5,
+                      or 6.
+
+      Field 2         Internet Address of Network, Gateway, or Host
+                      followed by alternate addresses.  Addresses for a
+                      Domain are those where a Domain Name Server exists
+                      for that domain.
+
+      Field 3         Official Name of Network, Gateway, Host, or Domain
+                      (with optional nicknames, where permitted).
+
+      Field 4         Machine Type
+
+      Field 5         Operating System
+
+      Field 6         Protocol List
+
+   Fields 4, 5 and 6 are optional.  For a Domain they are not used.
+
+   Fields 3-6, if included, pertain to the first address in Field 2.
+
+   'Blanks' (spaces and tabs) are ignored between data elements or
+   fields, but are disallowed within a data element.
+
+   Each entry ends with a colon.
+
+   The entries in the table are grouped by types in the order Domain,
+   Net, Gateway, and Host.  Within each type the ordering is
+   unspecified.
+
+   Note that although optional nicknames are allowed for hosts, they are
+   discouraged, except in the case where host names have been changed
+
+
+
+
+Harrenstien & Stahl & Feinler                                   [Page 4]
+
+
+
+RFC 952                                                     October 1985
+DOD INTERNET HOST TABLE SPECIFICATION
+
+
+   and both the new and the old names are maintained for a suitable
+   period of time to effect a smooth transition.  Nicknames are not
+   permitted for NET names.
+
+GRAMMATICAL HOST TABLE SPECIFICATION
+
+   A. Parsing grammar
+
+      <entry> ::= <keyword> ":" <addresses> ":" <names> [":" [<cputype>]
+         [":" [<opsys>]  [":" [<protocol list>] ]]] ":"
+      <addresses> ::= <address> *["," <address>]
+      <address> ::= <octet> "." <octet> "." <octet> "." <octet>
+      <octet> ::= <0 to 255 decimal>
+      <names> ::= <netname> | <gatename> | <domainname> *[","
+         <nicknames>]
+         | <official hostname> *["," <nicknames>]
+      <netname>  ::= <name>
+      <gatename> ::= <hname>
+      <domainname> ::= <hname>
+      <official hostname> ::= <hname>
+      <nickname> ::= <hname>
+      <protocol list> ::= <protocol spec> *["," <protocol spec>]
+      <protocol spec> ::= <transport name> "/" <service name>
+         | <raw protocol name>
+
+   B. Lexical grammar
+
+      <entry-field> ::= <entry-text> [<cr><lf> <blank> <entry-field>]
+      <entry-text>  ::= <print-char> *<text>
+      <blank> ::= <space-or-tab> [<blank>]
+      <keyword> ::= NET | GATEWAY | HOST | DOMAIN
+      <hname> ::= <name>*["."<name>]
+      <name>  ::= <let>[*[<let-or-digit-or-hyphen>]<let-or-digit>]
+      <cputype> ::= PDP-11/70 | DEC-1080 | C/30 | CDC-6400...etc.
+      <opsys>   ::= ITS | MULTICS | TOPS20 | UNIX...etc.
+      <transport name> ::= TCP | NCP | UDP | IP...etc.
+      <service name> ::= TELNET | FTP | SMTP | MTP...etc.
+      <raw protocol name> ::= <name>
+      <comment> ::= ";" <text><cr><lf>
+      <text>    ::= *[<print-char> | <blank>]
+      <print-char>  ::= <any printing char (not space or tab)>
+
+   Notes:
+
+      1. Zero or more 'blanks' between separators " , : " are allowed.
+      'Blanks' are spaces and tabs.
+
+
+
+Harrenstien & Stahl & Feinler                                   [Page 5]
+
+
+
+RFC 952                                                     October 1985
+DOD INTERNET HOST TABLE SPECIFICATION
+
+
+      2. Continuation lines are lines that begin with at least one
+      blank.  They may be used anywhere 'blanks' are legal to split an
+      entry across lines.
+
+BIBLIOGRAPHY
+
+   1. Feinler, E., Harrenstien, K., Su, Z. and White, V., "Official DoD
+      Internet Host Table Specification", RFC-810, Network Information
+      Center, SRI International, March 1982.
+
+   2. Harrenstien, K., Stahl, M., and Feinler, E., "Hostname Server",
+      RFC-953, Network Information Center, SRI International, October
+      1985.
+
+   3. Kudlick, M. "Host Names Online", RFC-608, Network Information
+      Center, SRI International, January 1973.
+
+   4. Postel, J., "Internet Protocol", RFC-791, Information Sciences
+      Institute, University of Southern California, Marina del Rey,
+      September 1981.
+
+   5. Postel, J., "Address Mappings", RFC-796, Information Sciences
+      Institute, University of Southern California, Marina del Rey,
+      September 1981.
+
+   6. Postel, J., "Domain Name System Implementation Schedule", RFC-921,
+      Information Sciences Institute, University of Southern California,
+      Marina del Rey, October 1984.
+
+   7. Reynolds, J. and Postel, J., "Assigned Numbers", RFC-943,
+      Information Sciences Institute, University of Southern California,
+      Marina del Rey, April 1985.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Harrenstien & Stahl & Feinler                                   [Page 6]
+
diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in
index fa533049..9a997bb2 100644
--- a/lib/dns/Makefile.in
+++ b/lib/dns/Makefile.in
@@ -128,7 +128,7 @@ OBJS =		a6.@O@ acl.@O@ aclconf.@O@ adb.@O@ byaddr.@O@ \
 		tcpmsg.@O@ time.@O@ tkey.@O@ tkeyconf.@O@ \
 		tsig.@O@ tsigconf.@O@ ttl.@O@ validator.@O@ \
 		version.@O@ view.@O@ xfrin.@O@ zone.@O@ zoneconf.@O@ zt.@O@ \
-		${DSTOBJS} ${OPENSSLOBJS} ${DNSSAFEOBJS} ${CONFOBJS}
+		${DSTOBJS} @DST_OPENSSL_OBJS@ ${DNSSAFEOBJS} ${CONFOBJS}
 
 # Alphabetically
 SRCS =		a6.c acl.c aclconf.c adb.c byaddr.c \
diff --git a/lib/dns/a6.c b/lib/dns/a6.c
index da65d351..479f5468 100644
--- a/lib/dns/a6.c
+++ b/lib/dns/a6.c
@@ -17,21 +17,15 @@
 
 #include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/bitstring.h>
-#include <isc/net.h>
+#include <isc/util.h>
 
-#include <dns/types.h>
 #include <dns/a6.h>
 #include <dns/name.h>
 #include <dns/rdata.h>
 #include <dns/rdataset.h>
-#include <dns/result.h>
 
-#define A6CONTEXT_MAGIC			0x41365858U	/* A6XX. */
-#define VALID_A6CONTEXT(ac)		((ac) != NULL && \
-					 (ac)->magic == A6CONTEXT_MAGIC)
-						
+#define A6CONTEXT_MAGIC		0x41365858U	/* A6XX. */
+#define VALID_A6CONTEXT(ac)	ISC_MAGIC_VALID(ac, A6CONTEXT_MAGIC)
 
 #define MAX_CHAINS	8
 #define MAX_DEPTH	16
@@ -110,7 +104,7 @@ foreach(dns_a6context_t *a6ctx, dns_rdataset_t *parent, unsigned int depth,
 					maybe_disassociate(&childsig);
 					if (result != ISC_R_SUCCESS)
 						break;
-				} else if (result == DNS_R_NOTFOUND &&
+				} else if (result == ISC_R_NOTFOUND &&
 					   a6ctx->missing != NULL) {
 					/*
 					 * We can't follow this chain, because
@@ -163,7 +157,7 @@ foreach(dns_a6context_t *a6ctx, dns_rdataset_t *parent, unsigned int depth,
 				return (ISC_R_QUOTA);
 		}
 	}
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		return (result);
 	return (ISC_R_SUCCESS);
 }
diff --git a/lib/dns/acl.c b/lib/dns/acl.c
index d8d86ff7..882b2c4c 100644
--- a/lib/dns/acl.c
+++ b/lib/dns/acl.c
@@ -17,27 +17,20 @@
 
 #include <config.h>
 
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isc/error.h>
 #include <isc/mem.h>
-#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <dns/acl.h>
-#include <dns/log.h>
-#include <dns/result.h>
-#include <dns/types.h>
 
 isc_result_t
-dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target)
-{
+dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target) {
 	isc_result_t result;
 	dns_acl_t *acl;
 
-	 /*
-	  * Work around silly limitation of isc_mem_get().
-	  */
+	/*
+	 * Work around silly limitation of isc_mem_get().
+	 */
 	if (n == 0)
 		n = 1;
 	
@@ -52,7 +45,9 @@ dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target)
 	acl->length = 0;
 	
 	ISC_LINK_INIT(acl, nextincache);
-	/* Must set magic early because we use dns_acl_detach() to clean up. */
+	/*
+	 * Must set magic early because we use dns_acl_detach() to clean up.
+	 */
 	acl->magic = DNS_ACL_MAGIC; 
 
 	acl->elements = isc_mem_get(mctx, n * sizeof(dns_aclelement_t));
@@ -71,8 +66,7 @@ dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target)
 }
 
 isc_result_t
-dns_acl_appendelement(dns_acl_t *acl, dns_aclelement_t *elt)
-{
+dns_acl_appendelement(dns_acl_t *acl, dns_aclelement_t *elt) {
 	if (acl->length + 1 > acl->alloc) {
 		/*
 		 * Resize the ACL.
@@ -103,8 +97,7 @@ dns_acl_appendelement(dns_acl_t *acl, dns_aclelement_t *elt)
 }
 		       
 static isc_result_t
-dns_acl_anyornone(isc_mem_t *mctx, isc_boolean_t neg, dns_acl_t **target)
-{
+dns_acl_anyornone(isc_mem_t *mctx, isc_boolean_t neg, dns_acl_t **target) {
 	isc_result_t result;
 	dns_acl_t *acl = NULL;
 	result = dns_acl_create(mctx, 1, &acl);
@@ -221,8 +214,7 @@ dns_acl_match(isc_netaddr_t *reqaddr,
 }
 
 void
-dns_acl_attach(dns_acl_t *source, dns_acl_t **target)
-{
+dns_acl_attach(dns_acl_t *source, dns_acl_t **target) {
 	REQUIRE(DNS_ACL_VALID(source));
 	INSIST(source->refcount > 0);
 	source->refcount++;
@@ -230,8 +222,7 @@ dns_acl_attach(dns_acl_t *source, dns_acl_t **target)
 }
 
 static void
-destroy(dns_acl_t *dacl)
-{
+destroy(dns_acl_t *dacl) {
 	unsigned int i;
 	for (i = 0; i < dacl->length; i++) {
 		dns_aclelement_t *de = &dacl->elements[i];
@@ -254,8 +245,7 @@ destroy(dns_acl_t *dacl)
 }
 
 void
-dns_acl_detach(dns_acl_t **aclp)
-{
+dns_acl_detach(dns_acl_t **aclp) {
 	dns_acl_t *acl = *aclp;
 	REQUIRE(DNS_ACL_VALID(acl));
 	INSIST(acl->refcount > 0);
@@ -266,8 +256,7 @@ dns_acl_detach(dns_acl_t **aclp)
 }
 
 isc_boolean_t
-dns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb)
-{
+dns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb) {
 	if (ea->type != eb->type)
 		return (ISC_FALSE);
 	switch (ea->type) {
@@ -307,8 +296,7 @@ dns_acl_equal(dns_acl_t *a, dns_acl_t *b) {
 }
 
 isc_result_t
-dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env)
-{
+dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env) {
 	isc_result_t result;
 	env->localhost = NULL;
 	env->localnets = NULL;
@@ -326,14 +314,16 @@ dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env)
 	return (result);
 }
 
-void dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s) {
+void
+dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s) {
 	dns_acl_detach(&t->localhost);
 	dns_acl_attach(s->localhost, &t->localhost);
 	dns_acl_detach(&t->localnets);
 	dns_acl_attach(s->localnets, &t->localnets);
 }
 
-void dns_aclenv_destroy(dns_aclenv_t *env) {
+void
+dns_aclenv_destroy(dns_aclenv_t *env) {
 	dns_acl_detach(&env->localhost);
 	dns_acl_detach(&env->localnets);
 }
diff --git a/lib/dns/aclconf.c b/lib/dns/aclconf.c
index ab58902e..46116f91 100644
--- a/lib/dns/aclconf.c
+++ b/lib/dns/aclconf.c
@@ -17,22 +17,21 @@
 
 #include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/mem.h>
-#include <isc/result.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/util.h>
 
+#include <dns/acl.h>
 #include <dns/aclconf.h>
 #include <dns/fixedname.h>
 #include <dns/log.h>
-#include <dns/types.h>
 
-void dns_aclconfctx_init(dns_aclconfctx_t *ctx)
-{
+void
+dns_aclconfctx_init(dns_aclconfctx_t *ctx) {
 	ISC_LIST_INIT(ctx->named_acl_cache);
 }
 
-void dns_aclconfctx_destroy(dns_aclconfctx_t *ctx)
-{
+void
+dns_aclconfctx_destroy(dns_aclconfctx_t *ctx) {
      	dns_acl_t *dacl, *next;	
 	for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache);
 	     dacl != NULL;
@@ -65,14 +64,14 @@ convert_named_acl(char *aclname, dns_c_ctx_t *cctx,
 	}
 	/* Not yet converted.  Convert now. */
 	result = dns_c_acltable_getacl(cctx->acls, aclname, &cacl);
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_SECURITY,
 			      DNS_LOGMODULE_ACL, ISC_LOG_WARNING,
 			      "undefined ACL '%s'", aclname);
 		return (result);
 	}
 	result = dns_acl_fromconfig(cacl->ipml, cctx, ctx, mctx, &dacl);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	dacl->name = aclname;
 	ISC_LIST_APPEND(ctx->named_acl_cache, dacl, nextincache);
@@ -88,7 +87,7 @@ convert_keyname(char *txtname, isc_mem_t *mctx, dns_name_t *dnsname) {
 	unsigned int keylen;
 
 	keylen = strlen(txtname);
-	isc_buffer_init(&buf, txtname, keylen, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&buf, txtname, keylen);
 	isc_buffer_add(&buf, keylen);
 	dns_fixedname_init(&fixname);
 	result = dns_name_fromtext(dns_fixedname_name(&fixname), &buf,
@@ -145,14 +144,16 @@ dns_acl_fromconfig(dns_c_ipmatchlist_t *caml,
 		case dns_c_ipmatch_key:
 			de->type = dns_aclelementtype_keyname;
 			dns_name_init(&de->u.keyname, NULL);
-			result = convert_keyname(ce->u.key, mctx, &de->u.keyname);
+			result = convert_keyname(ce->u.key, mctx,
+						 &de->u.keyname);
 			if (result != ISC_R_SUCCESS)
 				goto cleanup;
 			break;
 		case dns_c_ipmatch_indirect:
 			de->type = dns_aclelementtype_nestedacl;
-			result = dns_acl_fromconfig(ce->u.indirect.list, cctx,
-						   ctx, mctx, &de->u.nestedacl);
+			result = dns_acl_fromconfig(ce->u.indirect.list,
+						    cctx, ctx, mctx,
+						    &de->u.nestedacl);
 			if (result != ISC_R_SUCCESS)
 				goto cleanup;
 			break;
@@ -169,8 +170,9 @@ dns_acl_fromconfig(dns_c_ipmatchlist_t *caml,
 			break;
 		case dns_c_ipmatch_acl:
 			de->type = dns_aclelementtype_nestedacl;
-			result = convert_named_acl(ce->u.aclname, cctx,
-						   ctx, mctx, &de->u.nestedacl);
+			result = convert_named_acl(ce->u.aclname,
+						   cctx, ctx, mctx,
+						   &de->u.nestedacl);
 			if (result != ISC_R_SUCCESS)
 				goto cleanup;
 			break;
diff --git a/lib/dns/adb.c b/lib/dns/adb.c
index 87f1ea32..b0ffa564 100644
--- a/lib/dns/adb.c
+++ b/lib/dns/adb.c
@@ -33,17 +33,11 @@
 #include <config.h>
 
 #include <limits.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isc/condition.h>
-#include <isc/event.h>
-#include <isc/log.h>
-#include <isc/magic.h>
-#include <isc/mutex.h>
+
 #include <isc/mutexblock.h>
 #include <isc/random.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/task.h>
 #include <isc/timer.h>
 #include <isc/util.h>
 
@@ -51,14 +45,11 @@
 #include <dns/adb.h>
 #include <dns/db.h>
 #include <dns/events.h>
-#include <dns/fixedname.h>
 #include <dns/log.h>
-#include <dns/name.h>
 #include <dns/rdata.h>
 #include <dns/rdataset.h>
 #include <dns/resolver.h>
-#include <dns/types.h>
-#include <dns/view.h>
+#include <dns/result.h>
 
 #define DNS_ADB_MAGIC		  0x44616462	/* Dadb. */
 #define DNS_ADB_VALID(x)	  ISC_MAGIC_VALID(x, DNS_ADB_MAGIC)
@@ -107,8 +98,8 @@
 #define CLEAN_SECONDS		1
 #endif
 
-#define FREE_ITEMS		16	/* free count for memory pools */
-#define FILL_COUNT		 8	/* fill count for memory pools */
+#define FREE_ITEMS		64	/* free count for memory pools */
+#define FILL_COUNT		16	/* fill count for memory pools */
 
 #define DNS_ADB_INVALIDBUCKET (-1)	/* invalid bucket address */
 
@@ -347,8 +338,8 @@ static isc_result_t dbfind_a6(dns_adbname_t *, isc_stdtime_t);
 #define NAME_GLUE_OK		DNS_ADBFIND_GLUEOK
 #define NAME_DEAD(n)		(((n)->flags & NAME_IS_DEAD) != 0)
 #define NAME_NEEDSPOKE(n)	(((n)->flags & NAME_NEEDS_POKE) != 0)
-#define NAME_HINTOK(n)		(((n)->flags & NAME_HINT_OK) != 0)
 #define NAME_GLUEOK(n)		(((n)->flags & NAME_GLUE_OK) != 0)
+#define NAME_HINTOK(n)		(((n)->flags & NAME_HINT_OK) != 0)
 
 /*
  * To the name, address classes are all that really exist.  If it has a
@@ -565,8 +556,7 @@ import_rdataset(dns_adbname_t *adbname, dns_rdataset_t *rdataset,
 }
 
 static void
-import_a6(dns_a6context_t *a6ctx)
-{
+import_a6(dns_a6context_t *a6ctx) {
 	dns_adbname_t *name;
 	dns_adb_t *adb;
 	dns_adbnamehook_t *nh;
@@ -636,8 +626,7 @@ import_a6(dns_a6context_t *a6ctx)
  * Requires the name's bucket be locked.
  */
 static void
-kill_name(dns_adbname_t **n, isc_eventtype_t ev)
-{
+kill_name(dns_adbname_t **n, isc_eventtype_t ev) {
 	dns_adbname_t *name;
 	dns_adb_t *adb;
 
@@ -686,8 +675,7 @@ kill_name(dns_adbname_t **n, isc_eventtype_t ev)
  * Requires the name's bucket be locked and no entry buckets be locked.
  */
 static void
-check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now)
-{
+check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now) {
 	dns_adb_t *adb;
 
 	INSIST(DNS_ADBNAME_VALID(name));
@@ -731,8 +719,7 @@ check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now)
  * Requires the name's bucket be locked.
  */
 static inline void
-link_name(dns_adb_t *adb, int bucket, dns_adbname_t *name)
-{
+link_name(dns_adb_t *adb, int bucket, dns_adbname_t *name) {
 	INSIST(name->lock_bucket == DNS_ADB_INVALIDBUCKET);
 
 	ISC_LIST_PREPEND(adb->names[bucket], name, plink);
@@ -744,8 +731,7 @@ link_name(dns_adb_t *adb, int bucket, dns_adbname_t *name)
  * Requires the name's bucket be locked.
  */
 static inline void
-unlink_name(dns_adb_t *adb, dns_adbname_t *name)
-{
+unlink_name(dns_adb_t *adb, dns_adbname_t *name) {
 	int bucket;
 
 	bucket = name->lock_bucket;
@@ -763,8 +749,7 @@ unlink_name(dns_adb_t *adb, dns_adbname_t *name)
  * Requires the entry's bucket be locked.
  */
 static inline void
-link_entry(dns_adb_t *adb, int bucket, dns_adbentry_t *entry)
-{
+link_entry(dns_adb_t *adb, int bucket, dns_adbentry_t *entry) {
 	ISC_LIST_PREPEND(adb->entries[bucket], entry, plink);
 	entry->lock_bucket = bucket;
 	adb->entry_refcnt[bucket]++;
@@ -774,8 +759,7 @@ link_entry(dns_adb_t *adb, int bucket, dns_adbentry_t *entry)
  * Requires the entry's bucket be locked.
  */
 static inline void
-unlink_entry(dns_adb_t *adb, dns_adbentry_t *entry)
-{
+unlink_entry(dns_adb_t *adb, dns_adbentry_t *entry) {
 	int bucket;
 
 	bucket = entry->lock_bucket;
@@ -790,8 +774,7 @@ unlink_entry(dns_adb_t *adb, dns_adbentry_t *entry)
 }
 
 static inline void
-violate_locking_hierarchy(isc_mutex_t *have, isc_mutex_t *want)
-{
+violate_locking_hierarchy(isc_mutex_t *have, isc_mutex_t *want) {
 	if (isc_mutex_trylock(want) != ISC_R_SUCCESS) {
 		UNLOCK(have);
 		LOCK(want);
@@ -804,8 +787,7 @@ violate_locking_hierarchy(isc_mutex_t *have, isc_mutex_t *want)
  * checked after calling this function.
  */
 static void
-shutdown_names(dns_adb_t *adb)
-{
+shutdown_names(dns_adb_t *adb) {
 	int bucket;
 	dns_adbname_t *name;
 	dns_adbname_t *next_name;
@@ -845,8 +827,7 @@ shutdown_names(dns_adb_t *adb)
  * checked after calling this function.
  */
 static void
-shutdown_entries(dns_adb_t *adb)
-{
+shutdown_entries(dns_adb_t *adb) {
 	int bucket;
 	dns_adbentry_t *entry;
 	dns_adbentry_t *next_entry;
@@ -887,8 +868,7 @@ shutdown_entries(dns_adb_t *adb)
  * Name bucket must be locked
  */
 static void
-cancel_fetches_at_name(dns_adbname_t *name)
-{
+cancel_fetches_at_name(dns_adbname_t *name) {
 	dns_adbfetch6_t *fetch6;
 
 	if (NAME_FETCH_A(name))
@@ -910,8 +890,7 @@ cancel_fetches_at_name(dns_adbname_t *name)
  * Assumes the name bucket is locked.
  */
 static void
-clean_namehooks(dns_adb_t *adb, dns_adbnamehooklist_t *namehooks)
-{
+clean_namehooks(dns_adb_t *adb, dns_adbnamehooklist_t *namehooks) {
 	dns_adbentry_t *entry;
 	dns_adbnamehook_t *namehook;
 	int addr_bucket;
@@ -1033,17 +1012,16 @@ set_target(dns_adb_t *adb, dns_name_t *name, dns_name_t *fname,
  * Assumes nothing is locked, since this is called by the client.
  */
 static void
-event_free(isc_event_t *event)
-{
+event_free(isc_event_t *event) {
 	dns_adbfind_t *find;
 
 	INSIST(event != NULL);
-	find = event->destroy_arg;
+	find = event->ev_destroy_arg;
 	INSIST(DNS_ADBFIND_VALID(find));
 
 	LOCK(&find->lock);
 	find->flags |= FIND_EVENT_FREED;
-	event->destroy_arg = NULL;
+	event->ev_destroy_arg = NULL;
 	UNLOCK(&find->lock);
 }
 
@@ -1110,11 +1088,11 @@ clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype,
 			INSIST(!FIND_EVENTSENT(find));
 
 			ev = &find->event;
-			task = ev->sender;
-			ev->sender = find;
-			ev->type = evtype;
-			ev->destroy = event_free;
-			ev->destroy_arg = find;
+			task = ev->ev_sender;
+			ev->ev_sender = find;
+			ev->ev_type = evtype;
+			ev->ev_destroy = event_free;
+			ev->ev_destroy_arg = find;
 
 			DP(DEF_LEVEL,
 			   "Sending event %p to task %p for find %p",
@@ -1133,9 +1111,8 @@ clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype,
 }
 
 static inline void
-check_exit(dns_adb_t *adb)
-{
-	isc_event_t *event, *next_event;
+check_exit(dns_adb_t *adb) {
+	isc_event_t *event;
 	isc_task_t *etask;
 	isc_boolean_t zeroirefcnt;
 
@@ -1155,15 +1132,15 @@ check_exit(dns_adb_t *adb)
 		/*
 		 * We're now shutdown.  Send any whenshutdown events.
 		 */
-		for (event = ISC_LIST_HEAD(adb->whenshutdown);
-		     event != NULL;
-		     event = next_event) {
-			next_event = ISC_LIST_NEXT(event, link);
-			ISC_LIST_UNLINK(adb->whenshutdown, event, link);
-			etask = event->sender;
-			event->sender = adb;
+		event = ISC_LIST_HEAD(adb->whenshutdown);
+		while (event != NULL) {
+			ISC_LIST_UNLINK(adb->whenshutdown, event, ev_link);
+			etask = event->ev_sender;
+			event->ev_sender = adb;
 			isc_task_sendanddetach(&etask, &event);
+			event = ISC_LIST_HEAD(adb->whenshutdown);
 		}
+
 		/*
 		 * If there aren't any external references either, we're
 		 * done.  Send the control event to initiate shutdown.
@@ -1178,8 +1155,7 @@ check_exit(dns_adb_t *adb)
 }
 
 static inline void
-dec_adb_irefcnt(dns_adb_t *adb)
-{
+dec_adb_irefcnt(dns_adb_t *adb) {
 	LOCK(&adb->ilock);
 
 	INSIST(adb->irefcnt > 0);
@@ -1189,8 +1165,7 @@ dec_adb_irefcnt(dns_adb_t *adb)
 }
 
 static inline void
-inc_adb_erefcnt(dns_adb_t *adb, isc_boolean_t lock)
-{
+inc_adb_erefcnt(dns_adb_t *adb, isc_boolean_t lock) {
 	if (lock)
 		LOCK(&adb->lock);
 
@@ -1201,8 +1176,7 @@ inc_adb_erefcnt(dns_adb_t *adb, isc_boolean_t lock)
 }
 
 static inline void
-dec_adb_erefcnt(dns_adb_t *adb, isc_boolean_t lock)
-{
+dec_adb_erefcnt(dns_adb_t *adb, isc_boolean_t lock) {
 	if (lock)
 		LOCK(&adb->lock);
 
@@ -1217,8 +1191,7 @@ dec_adb_erefcnt(dns_adb_t *adb, isc_boolean_t lock)
 }
 
 static inline void
-inc_entry_refcnt(dns_adb_t *adb, dns_adbentry_t *entry, isc_boolean_t lock)
-{
+inc_entry_refcnt(dns_adb_t *adb, dns_adbentry_t *entry, isc_boolean_t lock) {
 	int bucket;
 
 	bucket = entry->lock_bucket;
@@ -1233,8 +1206,7 @@ inc_entry_refcnt(dns_adb_t *adb, dns_adbentry_t *entry, isc_boolean_t lock)
 }
 
 static inline void
-dec_entry_refcnt(dns_adb_t *adb, dns_adbentry_t *entry, isc_boolean_t lock)
-{
+dec_entry_refcnt(dns_adb_t *adb, dns_adbentry_t *entry, isc_boolean_t lock) {
 	int bucket;
 	isc_boolean_t destroy_entry;
 
@@ -1265,8 +1237,7 @@ dec_entry_refcnt(dns_adb_t *adb, dns_adbentry_t *entry, isc_boolean_t lock)
 }
 
 static inline dns_adbname_t *
-new_adbname(dns_adb_t *adb, dns_name_t *dnsname)
-{
+new_adbname(dns_adb_t *adb, dns_name_t *dnsname) {
 	dns_adbname_t *name;
 
 	name = isc_mempool_get(adb->nmp);
@@ -1300,8 +1271,7 @@ new_adbname(dns_adb_t *adb, dns_name_t *dnsname)
 }
 
 static inline void
-free_adbname(dns_adb_t *adb, dns_adbname_t **name)
-{
+free_adbname(dns_adb_t *adb, dns_adbname_t **name) {
 	dns_adbname_t *n;
 
 	INSIST(name != NULL && DNS_ADBNAME_VALID(*name));
@@ -1323,8 +1293,7 @@ free_adbname(dns_adb_t *adb, dns_adbname_t **name)
 }
 
 static inline dns_adbnamehook_t *
-new_adbnamehook(dns_adb_t *adb, dns_adbentry_t *entry)
-{
+new_adbnamehook(dns_adb_t *adb, dns_adbentry_t *entry) {
 	dns_adbnamehook_t *nh;
 
 	nh = isc_mempool_get(adb->nhmp);
@@ -1339,8 +1308,7 @@ new_adbnamehook(dns_adb_t *adb, dns_adbentry_t *entry)
 }
 
 static inline void
-free_adbnamehook(dns_adb_t *adb, dns_adbnamehook_t **namehook)
-{
+free_adbnamehook(dns_adb_t *adb, dns_adbnamehook_t **namehook) {
 	dns_adbnamehook_t *nh;
 
 	INSIST(namehook != NULL && DNS_ADBNAMEHOOK_VALID(*namehook));
@@ -1355,8 +1323,7 @@ free_adbnamehook(dns_adb_t *adb, dns_adbnamehook_t **namehook)
 }
 
 static inline dns_adbzoneinfo_t *
-new_adbzoneinfo(dns_adb_t *adb, dns_name_t *zone)
-{
+new_adbzoneinfo(dns_adb_t *adb, dns_name_t *zone) {
 	dns_adbzoneinfo_t *zi;
 
 	zi = isc_mempool_get(adb->zimp);
@@ -1377,8 +1344,7 @@ new_adbzoneinfo(dns_adb_t *adb, dns_name_t *zone)
 }
 
 static inline void
-free_adbzoneinfo(dns_adb_t *adb, dns_adbzoneinfo_t **zoneinfo)
-{
+free_adbzoneinfo(dns_adb_t *adb, dns_adbzoneinfo_t **zoneinfo) {
 	dns_adbzoneinfo_t *zi;
 
 	INSIST(zoneinfo != NULL && DNS_ADBZONEINFO_VALID(*zoneinfo));
@@ -1395,8 +1361,7 @@ free_adbzoneinfo(dns_adb_t *adb, dns_adbzoneinfo_t **zoneinfo)
 }
 
 static inline dns_adbentry_t *
-new_adbentry(dns_adb_t *adb)
-{
+new_adbentry(dns_adb_t *adb) {
 	dns_adbentry_t *e;
 	isc_uint32_t r;
 
@@ -1421,8 +1386,7 @@ new_adbentry(dns_adb_t *adb)
 }
 
 static inline void
-free_adbentry(dns_adb_t *adb, dns_adbentry_t **entry)
-{
+free_adbentry(dns_adb_t *adb, dns_adbentry_t **entry) {
 	dns_adbentry_t *e;
 	dns_adbzoneinfo_t *zi;
 
@@ -1447,8 +1411,7 @@ free_adbentry(dns_adb_t *adb, dns_adbentry_t **entry)
 }
 
 static inline dns_adbfind_t *
-new_adbfind(dns_adb_t *adb)
-{
+new_adbfind(dns_adb_t *adb) {
 	dns_adbfind_t *h;
 	isc_result_t result;
 
@@ -1457,7 +1420,7 @@ new_adbfind(dns_adb_t *adb)
 		return (NULL);
 
 	/*
-	 * public members
+	 * Public members.
 	 */
 	h->magic = 0;
 	h->adb = adb;
@@ -1489,8 +1452,7 @@ new_adbfind(dns_adb_t *adb)
 }
 
 static inline dns_adbfetch_t *
-new_adbfetch(dns_adb_t *adb)
-{
+new_adbfetch(dns_adb_t *adb) {
 	dns_adbfetch_t *f;
 
 	f = isc_mempool_get(adb->afmp);
@@ -1526,8 +1488,7 @@ new_adbfetch(dns_adb_t *adb)
 }
 
 static inline void
-free_adbfetch(dns_adb_t *adb, dns_adbfetch_t **fetch)
-{
+free_adbfetch(dns_adb_t *adb, dns_adbfetch_t **fetch) {
 	dns_adbfetch_t *f;
 
 	INSIST(fetch != NULL && DNS_ADBFETCH_VALID(*fetch));
@@ -1608,8 +1569,7 @@ a6missing(dns_a6context_t *a6ctx, dns_name_t *a6name) {
 }
 
 static inline dns_adbfetch6_t *
-new_adbfetch6(dns_adb_t *adb, dns_adbname_t *name, dns_a6context_t *a6ctx)
-{
+new_adbfetch6(dns_adb_t *adb, dns_adbname_t *name, dns_a6context_t *a6ctx) {
 	dns_adbfetch6_t *f;
 
 	f = isc_mempool_get(adb->af6mp);
@@ -1651,8 +1611,7 @@ new_adbfetch6(dns_adb_t *adb, dns_adbname_t *name, dns_a6context_t *a6ctx)
 }
 
 static inline void
-free_adbfetch6(dns_adb_t *adb, dns_adbfetch6_t **fetch)
-{
+free_adbfetch6(dns_adb_t *adb, dns_adbfetch6_t **fetch) {
 	dns_adbfetch6_t *f;
 
 	INSIST(fetch != NULL && DNS_ADBFETCH6_VALID(*fetch));
@@ -1673,8 +1632,7 @@ free_adbfetch6(dns_adb_t *adb, dns_adbfetch6_t **fetch)
 }
 
 static inline void
-free_adbfind(dns_adb_t *adb, dns_adbfind_t **findp)
-{
+free_adbfind(dns_adb_t *adb, dns_adbfind_t **findp) {
 	dns_adbfind_t *find;
 
 	INSIST(findp != NULL && DNS_ADBFIND_VALID(*findp));
@@ -1699,8 +1657,7 @@ free_adbfind(dns_adb_t *adb, dns_adbfind_t **findp)
  * if this function returns a valid pointer.
  */
 static inline dns_adbaddrinfo_t *
-new_adbaddrinfo(dns_adb_t *adb, dns_adbentry_t *entry)
-{
+new_adbaddrinfo(dns_adb_t *adb, dns_adbentry_t *entry) {
 	dns_adbaddrinfo_t *ai;
 
 	ai = isc_mempool_get(adb->aimp);
@@ -1720,8 +1677,7 @@ new_adbaddrinfo(dns_adb_t *adb, dns_adbentry_t *entry)
 }
 
 static inline void
-free_adbaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **ainfo)
-{
+free_adbaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **ainfo) {
 	dns_adbaddrinfo_t *ai;
 
 	INSIST(ainfo != NULL && DNS_ADBADDRINFO_VALID(*ainfo));
@@ -1786,8 +1742,7 @@ find_name_and_lock(dns_adb_t *adb, dns_name_t *name,
  * the bucket changes.
  */
 static inline dns_adbentry_t *
-find_entry_and_lock(dns_adb_t *adb, isc_sockaddr_t *addr, int *bucketp)
-{
+find_entry_and_lock(dns_adb_t *adb, isc_sockaddr_t *addr, int *bucketp) {
 	dns_adbentry_t *entry;
 	int bucket;
 
@@ -1940,13 +1895,12 @@ copy_namehook_lists(dns_adb_t *adb, dns_adbfind_t *find, dns_name_t *zone,
 }
 
 static void
-shutdown_task(isc_task_t *task, isc_event_t *ev)
-{
+shutdown_task(isc_task_t *task, isc_event_t *ev) {
 	dns_adb_t *adb;
 
-	(void)task;  /* not used */
+	UNUSED(task);
 
-	adb = ev->arg;
+	adb = ev->ev_arg;
 	INSIST(DNS_ADB_VALID(adb));
 
 	/*
@@ -1966,8 +1920,7 @@ shutdown_task(isc_task_t *task, isc_event_t *ev)
  * name bucket must be locked; adb may be locked; no other locks held.
  */
 static void
-check_expire_name(dns_adbname_t **namep, isc_stdtime_t now)
-{
+check_expire_name(dns_adbname_t **namep, isc_stdtime_t now) {
 	dns_adbname_t *name;
 
 	INSIST(namep != NULL && DNS_ADBNAME_VALID(*namep));
@@ -2026,8 +1979,7 @@ check_expire_entry(dns_adb_t *adb, dns_adbentry_t **entryp, isc_stdtime_t now)
  * ADB must be locked, and no other locks held.
  */
 static void
-cleanup_names(dns_adb_t *adb, int bucket, isc_stdtime_t now)
-{
+cleanup_names(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
 	dns_adbname_t *name;
 	dns_adbname_t *next_name;
 
@@ -2053,8 +2005,7 @@ cleanup_names(dns_adb_t *adb, int bucket, isc_stdtime_t now)
  * ADB must be locked, and no other locks held.
  */
 static void
-cleanup_entries(dns_adb_t *adb, int bucket, isc_stdtime_t now)
-{
+cleanup_entries(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
 	dns_adbentry_t *entry, *next_entry;
 	int freq;
 
@@ -2086,16 +2037,14 @@ cleanup_entries(dns_adb_t *adb, int bucket, isc_stdtime_t now)
 }
 
 static void
-timer_cleanup(isc_task_t *task, isc_event_t *ev)
-{
+timer_cleanup(isc_task_t *task, isc_event_t *ev) {
 	dns_adb_t *adb;
-	isc_result_t result;
 	isc_stdtime_t now;
 	unsigned int i;
 
 	UNUSED(task);
 
-	adb = ev->arg;
+	adb = ev->ev_arg;
 	INSIST(DNS_ADB_VALID(adb));
 
 	LOCK(&adb->lock);
@@ -2123,9 +2072,12 @@ timer_cleanup(isc_task_t *task, isc_event_t *ev)
 
 	/*
 	 * Reset the timer.
+	 * XXXDCL isc_timer_reset might return ISC_R_UNEXPECTED or
+	 * ISC_R_NOMEMORY, but it isn't clear what could be done here
+	 * if either one of those things happened.
 	 */
-	result = isc_timer_reset(adb->timer, isc_timertype_once, NULL,
-				 &adb->tick_interval, ISC_FALSE);
+	(void)isc_timer_reset(adb->timer, isc_timertype_once, NULL,
+			      &adb->tick_interval, ISC_FALSE);
 
 	UNLOCK(&adb->lock);
 
@@ -2133,8 +2085,7 @@ timer_cleanup(isc_task_t *task, isc_event_t *ev)
 }
 
 static void
-destroy(dns_adb_t *adb)
-{
+destroy(dns_adb_t *adb) {
 	adb->magic = 0;
 
 	/*
@@ -2257,32 +2208,31 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
 	/*
 	 * Memory pools
 	 */
-#define MPINIT(t, p, l, n) do { \
+#define MPINIT(t, p, n) do { \
 	result = isc_mempool_create(mem, sizeof (t), &(p)); \
 	if (result != ISC_R_SUCCESS) \
 		goto fail3; \
 	isc_mempool_setfreemax((p), FREE_ITEMS); \
 	isc_mempool_setfillcount((p), FILL_COUNT); \
 	isc_mempool_setname((p), n); \
-	if (l) \
-		isc_mempool_associatelock((p), &adb->mplock); \
+	isc_mempool_associatelock((p), &adb->mplock); \
 } while (0)
 
-	MPINIT(dns_adbname_t, adb->nmp, ISC_TRUE, "adbname");
-	MPINIT(dns_adbnamehook_t, adb->nhmp, ISC_TRUE, "adbnamehook");
-	MPINIT(dns_adbzoneinfo_t, adb->zimp, ISC_TRUE, "adbzoneinfo");
-	MPINIT(dns_adbentry_t, adb->emp, ISC_TRUE, "adbentry");
-	MPINIT(dns_adbfind_t, adb->ahmp, ISC_TRUE, "adbfind");
-	MPINIT(dns_adbaddrinfo_t, adb->aimp, ISC_TRUE, "adbaddrinfo");
-	MPINIT(dns_adbfetch_t, adb->afmp, ISC_TRUE, "adbfetch");
-	MPINIT(dns_adbfetch6_t, adb->af6mp, ISC_TRUE, "adbfetch6");
+	MPINIT(dns_adbname_t, adb->nmp, "adbname");
+	MPINIT(dns_adbnamehook_t, adb->nhmp, "adbnamehook");
+	MPINIT(dns_adbzoneinfo_t, adb->zimp, "adbzoneinfo");
+	MPINIT(dns_adbentry_t, adb->emp, "adbentry");
+	MPINIT(dns_adbfind_t, adb->ahmp, "adbfind");
+	MPINIT(dns_adbaddrinfo_t, adb->aimp, "adbaddrinfo");
+	MPINIT(dns_adbfetch_t, adb->afmp, "adbfetch");
+	MPINIT(dns_adbfetch6_t, adb->af6mp, "adbfetch6");
 
 #undef MPINIT
 
 	/*
 	 * Allocate a timer and a task for our periodic cleanup.
 	 */
-	result = isc_task_create(adb->taskmgr, adb->mctx, 0, &adb->task);
+	result = isc_task_create(adb->taskmgr, 0, &adb->task);
 	if (result != ISC_R_SUCCESS)
 		goto fail3;
 	isc_task_setname(adb->task, "ADB", adb);
@@ -2352,8 +2302,17 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
 }
 
 void
-dns_adb_detach(dns_adb_t **adbx)
-{
+dns_adb_attach(dns_adb_t *adb, dns_adb_t **adbx) {
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(adbx != NULL && *adbx == NULL);
+
+	inc_adb_erefcnt(adb, ISC_TRUE);
+	*adbx = adb;
+}
+
+void
+dns_adb_detach(dns_adb_t **adbx) {
 	dns_adb_t *adb;
 
 	REQUIRE(adbx != NULL && DNS_ADB_VALID(*adbx));
@@ -2369,8 +2328,7 @@ dns_adb_detach(dns_adb_t **adbx)
 }
 
 void
-dns_adb_whenshutdown(dns_adb_t *adb, isc_task_t *task, isc_event_t **eventp)
-{
+dns_adb_whenshutdown(dns_adb_t *adb, isc_task_t *task, isc_event_t **eventp) {
 	isc_task_t *clone;
 	isc_event_t *event;
 	isc_boolean_t zeroirefcnt = ISC_FALSE;
@@ -2399,13 +2357,13 @@ dns_adb_whenshutdown(dns_adb_t *adb, isc_task_t *task, isc_event_t **eventp)
 		/*
 		 * We're already shutdown.  Send the event.
 		 */
-		event->sender = adb;
+		event->ev_sender = adb;
 		isc_task_send(task, &event);
 	} else {
 		clone = NULL;
 		isc_task_attach(task, &clone);
-		event->sender = clone;
-		ISC_LIST_APPEND(adb->whenshutdown, event, link);
+		event->ev_sender = clone;
+		ISC_LIST_APPEND(adb->whenshutdown, event, ev_link);
 	}
 	
 	UNLOCK(&adb->lock);
@@ -2722,9 +2680,9 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
 			INSIST((find->flags & DNS_ADBFIND_ADDRESSMASK) != 0);
 			taskp = NULL;
 			isc_task_attach(task, &taskp);
-			find->event.sender = taskp;
-			find->event.action = action;
-			find->event.arg = arg;
+			find->event.ev_sender = taskp;
+			find->event.ev_action = action;
+			find->event.ev_arg = arg;
 		}
 	}
 
@@ -2735,8 +2693,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
 }
 
 void
-dns_adb_destroyfind(dns_adbfind_t **findp)
-{
+dns_adb_destroyfind(dns_adbfind_t **findp) {
 	dns_adbfind_t *find;
 	dns_adbentry_t *entry;
 	dns_adbaddrinfo_t *ai;
@@ -2792,8 +2749,7 @@ dns_adb_destroyfind(dns_adbfind_t **findp)
 }
 
 void
-dns_adb_cancelfind(dns_adbfind_t *find)
-{
+dns_adb_cancelfind(dns_adbfind_t *find) {
 	isc_event_t *ev;
 	isc_task_t *task;
 	dns_adb_t *adb;
@@ -2832,11 +2788,11 @@ dns_adb_cancelfind(dns_adbfind_t *find)
 
 	if (!FIND_EVENTSENT(find)) {
 		ev = &find->event;
-		task = ev->sender;
-		ev->sender = find;
-		ev->type = DNS_EVENT_ADBCANCELED;
-		ev->destroy = event_free;
-		ev->destroy_arg = find;
+		task = ev->ev_sender;
+		ev->ev_sender = find;
+		ev->ev_type = DNS_EVENT_ADBCANCELED;
+		ev->ev_destroy = event_free;
+		ev->ev_destroy_arg = find;
 
 		DP(DEF_LEVEL, "Sending event %p to task %p for find %p",
 		   ev, task, find);
@@ -2848,8 +2804,7 @@ dns_adb_cancelfind(dns_adbfind_t *find)
 }
 
 void
-dns_adb_dump(dns_adb_t *adb, FILE *f)
-{
+dns_adb_dump(dns_adb_t *adb, FILE *f) {
 	REQUIRE(DNS_ADB_VALID(adb));
 	REQUIRE(f != NULL);
 
@@ -2866,8 +2821,7 @@ dns_adb_dump(dns_adb_t *adb, FILE *f)
 }
 
 static void
-dump_adb(dns_adb_t *adb, FILE *f)
-{
+dump_adb(dns_adb_t *adb, FILE *f) {
 	int i;
 	isc_sockaddr_t *sa;
 	dns_adbname_t *name;
@@ -2985,8 +2939,7 @@ dump_adb(dns_adb_t *adb, FILE *f)
 }
 
 void
-dns_adb_dumpfind(dns_adbfind_t *find, FILE *f)
-{
+dns_adb_dumpfind(dns_adbfind_t *find, FILE *f) {
 	char tmp[512];
 	const char *tmpp;
 	dns_adbaddrinfo_t *ai;
@@ -3004,7 +2957,7 @@ dns_adb_dumpfind(dns_adbfind_t *find, FILE *f)
 		find->query_pending, find->partial_result,
 		find->options, find->flags);
 	fprintf(f, "\tname_bucket %d, name %p, event sender %p\n",
-		find->name_bucket, find->adbname, find->event.sender);
+		find->name_bucket, find->adbname, find->event.ev_sender);
 
 	ai = ISC_LIST_HEAD(find->list);
 	if (ai != NULL)
@@ -3039,25 +2992,23 @@ dns_adb_dumpfind(dns_adbfind_t *find, FILE *f)
 }
 
 static void
-print_dns_name(FILE *f, dns_name_t *name)
-{
+print_dns_name(FILE *f, dns_name_t *name) {
 	char buf[1024];
 	isc_buffer_t b;
 	isc_region_t r;
 
 	INSIST(f != NULL);
 
-	isc_buffer_init(&b, buf, sizeof buf, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&b, buf, sizeof(buf));
 
 	if (dns_name_totext(name, ISC_FALSE, &b) == ISC_R_SUCCESS) {
-		isc_buffer_used(&b, &r);
+		isc_buffer_usedregion(&b, &r);
 		fprintf(f, "%.*s", (int)r.length, r.base);
 	}
 }
 
 static void
-print_namehook_list(FILE *f, dns_adbname_t *n)
-{
+print_namehook_list(FILE *f, dns_adbname_t *n) {
 	dns_adbnamehook_t *nh;
 
 	nh = ISC_LIST_HEAD(n->v4);
@@ -3073,22 +3024,19 @@ print_namehook_list(FILE *f, dns_adbname_t *n)
 }
 
 static inline void
-print_fetch(FILE *f, dns_adbfetch_t *ft, char *type)
-{
+print_fetch(FILE *f, dns_adbfetch_t *ft, char *type) {
 	fprintf(f, "\t\tFetch(%s): %p -> { nh %p, entry %p, fetch %p }\n",
 		type, ft, ft->namehook, ft->entry, ft->fetch);
 }
 
 static inline void
-print_fetch6(FILE *f, dns_adbfetch6_t *ft)
-{
+print_fetch6(FILE *f, dns_adbfetch6_t *ft) {
 	fprintf(f, "\t\tFetch(A6): %p -> { nh %p, entry %p, fetch %p }\n",
 		ft, ft->namehook, ft->entry, ft->fetch);
 }
 
 static void
-print_fetch_list(FILE *f, dns_adbname_t *n)
-{
+print_fetch_list(FILE *f, dns_adbname_t *n) {
 	dns_adbfetch6_t *fetch6;
 
 	if (NAME_FETCH_A(n))
@@ -3104,8 +3052,7 @@ print_fetch_list(FILE *f, dns_adbname_t *n)
 }
 
 static void
-print_find_list(FILE *f, dns_adbname_t *name)
-{
+print_find_list(FILE *f, dns_adbname_t *name) {
 	dns_adbfind_t *find;
 
 	find = ISC_LIST_HEAD(name->finds);
@@ -3116,8 +3063,7 @@ print_find_list(FILE *f, dns_adbname_t *name)
 }
 
 static isc_result_t
-dbfind_name(dns_adbname_t *adbname, isc_stdtime_t now,
-	    dns_rdatatype_t rdtype)
+dbfind_name(dns_adbname_t *adbname, isc_stdtime_t now, dns_rdatatype_t rdtype)
 {
 	isc_result_t result;
 	dns_rdataset_t rdataset;
@@ -3135,13 +3081,14 @@ dbfind_name(dns_adbname_t *adbname, isc_stdtime_t now,
 	dns_rdataset_init(&rdataset);
 
 	result = dns_view_find(adb->view, &adbname->name, rdtype, now,
-			       NAME_GLUEOK(adbname), NAME_HINTOK(adbname),
+			       NAME_GLUEOK(adbname),
+			       ISC_TF(NAME_HINTOK(adbname)),
 			       fname, &rdataset, NULL);
 
 	switch (result) {
 	case DNS_R_GLUE:
 	case DNS_R_HINT:
-	case DNS_R_SUCCESS:
+	case ISC_R_SUCCESS:
 		/*
 		 * Found in the database.  Even if we can't copy out
 		 * any information, return success, or else a fetch
@@ -3220,8 +3167,7 @@ dbfind_name(dns_adbname_t *adbname, isc_stdtime_t now,
 }
 
 static isc_result_t
-dbfind_a6(dns_adbname_t *adbname, isc_stdtime_t now)
-{
+dbfind_a6(dns_adbname_t *adbname, isc_stdtime_t now) {
 	isc_result_t result;
 	dns_rdataset_t rdataset;
 	dns_adb_t *adb;
@@ -3241,13 +3187,14 @@ dbfind_a6(dns_adbname_t *adbname, isc_stdtime_t now)
 	dns_rdataset_init(&rdataset);
 
 	result = dns_view_find(adb->view, &adbname->name, dns_rdatatype_a6,
-			       now, NAME_GLUEOK(adbname), NAME_HINTOK(adbname),
+			       now, NAME_GLUEOK(adbname),
+			       ISC_TF(NAME_HINTOK(adbname)),
 			       fname, &rdataset, NULL);
 
 	switch (result) {
 	case DNS_R_GLUE:
 	case DNS_R_HINT:
-	case DNS_R_SUCCESS:
+	case ISC_R_SUCCESS:
 		/*
 		 * Start a6 chain follower.  There is no need to poke people
 		 * who might be waiting, since this is call requires there
@@ -3309,8 +3256,7 @@ dbfind_a6(dns_adbname_t *adbname, isc_stdtime_t now)
 }
 
 static void
-fetch_callback(isc_task_t *task, isc_event_t *ev)
-{
+fetch_callback(isc_task_t *task, isc_event_t *ev) {
 	dns_fetchevent_t *dev;
 	dns_adbname_t *name;
 	dns_adb_t *adb;
@@ -3324,9 +3270,9 @@ fetch_callback(isc_task_t *task, isc_event_t *ev)
 
 	(void)task;
 
-	INSIST(ev->type == DNS_EVENT_FETCHDONE);
+	INSIST(ev->ev_type == DNS_EVENT_FETCHDONE);
 	dev = (dns_fetchevent_t *)ev;
-	name = ev->arg;
+	name = ev->ev_arg;
 	INSIST(DNS_ADBNAME_VALID(name));
 	adb = name->adb;
 	INSIST(DNS_ADB_VALID(adb));
@@ -3469,8 +3415,7 @@ fetch_callback(isc_task_t *task, isc_event_t *ev)
 }
 
 static void
-fetch_callback_a6(isc_task_t *task, isc_event_t *ev)
-{
+fetch_callback_a6(isc_task_t *task, isc_event_t *ev) {
 	dns_fetchevent_t *dev;
 	dns_adbname_t *name;
 	dns_adb_t *adb;
@@ -3482,9 +3427,9 @@ fetch_callback_a6(isc_task_t *task, isc_event_t *ev)
 
 	(void)task;
 
-	INSIST(ev->type == DNS_EVENT_FETCHDONE);
+	INSIST(ev->ev_type == DNS_EVENT_FETCHDONE);
 	dev = (dns_fetchevent_t *)ev;
-	name = ev->arg;
+	name = ev->ev_arg;
 	INSIST(DNS_ADBNAME_VALID(name));
 	adb = name->adb;
 	INSIST(DNS_ADB_VALID(adb));
@@ -3662,8 +3607,7 @@ fetch_callback_a6(isc_task_t *task, isc_event_t *ev)
 }
 
 static isc_result_t
-fetch_name_v4(dns_adbname_t *adbname, isc_boolean_t start_at_root)
-{
+fetch_name_v4(dns_adbname_t *adbname, isc_boolean_t start_at_root) {
 	isc_result_t result;
 	dns_adbfetch_t *fetch;
 	dns_adb_t *adb;
@@ -3720,8 +3664,7 @@ fetch_name_v4(dns_adbname_t *adbname, isc_boolean_t start_at_root)
 }
 
 static isc_result_t
-fetch_name_aaaa(dns_adbname_t *adbname)
-{
+fetch_name_aaaa(dns_adbname_t *adbname) {
 	isc_result_t result;
 	dns_adbfetch_t *fetch;
 	dns_adb_t *adb;
@@ -3758,8 +3701,7 @@ fetch_name_aaaa(dns_adbname_t *adbname)
 }
 
 static isc_result_t
-fetch_name_a6(dns_adbname_t *adbname, isc_boolean_t start_at_root)
-{
+fetch_name_a6(dns_adbname_t *adbname, isc_boolean_t start_at_root) {
 	isc_result_t result;
 	dns_adbfetch6_t *fetch;
 	dns_adb_t *adb;
@@ -4000,8 +3942,7 @@ dns_adb_findaddrinfo(dns_adb_t *adb, isc_sockaddr_t *sa,
 }
 
 void
-dns_adb_freeaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **addrp)
-{
+dns_adb_freeaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **addrp) {
 	dns_adbaddrinfo_t *addr;
 	dns_adbentry_t *entry;
 	int bucket;
diff --git a/lib/dns/byaddr.c b/lib/dns/byaddr.c
index 550bee95..418d4e37 100644
--- a/lib/dns/byaddr.c
+++ b/lib/dns/byaddr.c
@@ -17,27 +17,19 @@
 
 #include <config.h>
 
-#include <stdio.h>
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isc/buffer.h>
-#include <isc/error.h>
-#include <isc/event.h>
 #include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/result.h>
+#include <isc/netaddr.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
 #include <isc/task.h>
 #include <isc/util.h>
 
 #include <dns/byaddr.h>
 #include <dns/db.h>
 #include <dns/events.h>
-#include <dns/fixedname.h>
-#include <dns/name.h>
 #include <dns/rdata.h>
 #include <dns/rdataset.h>
 #include <dns/resolver.h>
+#include <dns/result.h>
 #include <dns/view.h>
 
 /*
@@ -125,10 +117,10 @@ address_to_ptr_name(dns_byaddr_t *byaddr, isc_netaddr_t *address) {
 			strcpy(cp, "].ip6.int.");
 		}
 	} else
-		return (DNS_R_NOTIMPLEMENTED);
+		return (ISC_R_NOTIMPLEMENTED);
 
 	len = (unsigned int)strlen(textname);
-	isc_buffer_init(&buffer, textname, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&buffer, textname, len);
 	isc_buffer_add(&buffer, len);
 	return (dns_name_fromtext(dns_fixedname_name(&byaddr->name),
 				  &buffer, dns_rootname, ISC_FALSE, NULL));
@@ -165,7 +157,7 @@ copy_ptr_targets(dns_byaddr_t *byaddr) {
 		ISC_LIST_APPEND(byaddr->event->names, name, link);
 		result = dns_rdataset_next(&byaddr->rdataset);
 	}
-	if (result == DNS_R_NOMORE)
+	if (result == ISC_R_NOMORE)
 		result = ISC_R_SUCCESS;
 	
 	return (result);
@@ -173,10 +165,11 @@ copy_ptr_targets(dns_byaddr_t *byaddr) {
 
 static void
 fetch_done(isc_task_t *task, isc_event_t *event) {
-	dns_byaddr_t *byaddr = event->arg;
+	dns_byaddr_t *byaddr = event->ev_arg;
 	dns_fetchevent_t *fevent;
 
-	REQUIRE(event->type == DNS_EVENT_FETCHDONE);
+	UNUSED(task);
+	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
 	REQUIRE(VALID_BYADDR(byaddr));
 	REQUIRE(byaddr->task == task);
 	fevent = (dns_fetchevent_t *)event;
@@ -240,7 +233,7 @@ byaddr_find(dns_byaddr_t *byaddr, dns_fetchevent_t *event) {
 					       dns_rdatatype_ptr, 0, 0,
 					       ISC_FALSE, fname,
 					       &byaddr->rdataset, NULL);
-			if (result == DNS_R_NOTFOUND) {
+			if (result == ISC_R_NOTFOUND) {
 				/*
 				 * We don't know anything about the name.
 				 * Launch a fetch.
@@ -351,7 +344,7 @@ byaddr_find(dns_byaddr_t *byaddr, dns_fetchevent_t *event) {
 
 	if (send_event) {
 		byaddr->event->result = result;
-		byaddr->event->sender = byaddr;
+		byaddr->event->ev_sender = byaddr;
 		ievent = (isc_event_t *)byaddr->event;
 		byaddr->event = NULL;
 		isc_task_sendanddetach(&byaddr->task, &ievent);
@@ -367,8 +360,8 @@ bevent_destroy(isc_event_t *event) {
 	dns_name_t *name, *next_name;
 	isc_mem_t *mctx;
 
-	REQUIRE(event->type == DNS_EVENT_BYADDRDONE);
-	mctx = event->destroy_arg;
+	REQUIRE(event->ev_type == DNS_EVENT_BYADDRDONE);
+	mctx = event->ev_destroy_arg;
 	bevent = (dns_byaddrevent_t *)event;
 
 	for (name = ISC_LIST_HEAD(bevent->names);
@@ -378,7 +371,7 @@ bevent_destroy(isc_event_t *event) {
 		dns_name_free(name, mctx);
 		isc_mem_put(mctx, name, sizeof *name);
 	}
-	isc_mem_put(mctx, event, event->size);
+	isc_mem_put(mctx, event, event->ev_size);
 }
 
 isc_result_t
diff --git a/lib/dns/cache.c b/lib/dns/cache.c
index b238c51f..82798f5f 100644
--- a/lib/dns/cache.c
+++ b/lib/dns/cache.c
@@ -15,14 +15,14 @@
  * SOFTWARE.
  */
 
-/* $Id: cache.c,v 1.14 2000/03/17 17:45:00 gson Exp $ */
+/* $Id: cache.c,v 1.21 2000/05/08 14:34:26 tale Exp $ */
 
 #include <config.h>
-#include <limits.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/mutex.h>
+#include <isc/mem.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
 #include <isc/util.h>
 
 #include <dns/cache.h>
@@ -30,11 +30,10 @@
 #include <dns/dbiterator.h>
 #include <dns/events.h>
 #include <dns/log.h>
-#include <dns/rdata.h>
-#include <dns/types.h>
+#include <dns/result.h>
 
-#define CACHE_MAGIC	0x24242424U 	/* $$$$. */
-#define VALID_CACHE(cache) ((cache) != NULL && (cache)->magic == CACHE_MAGIC)
+#define CACHE_MAGIC		0x24242424U 	/* $$$$. */
+#define VALID_CACHE(cache)	ISC_MAGIC_VALID(cache, CACHE_MAGIC)
 
 /***
  ***	Types
@@ -52,7 +51,9 @@ typedef enum {
 	cleaner_s_busy	/* Currently cleaning. */
 } cleaner_state_t;
 
-/* Convenience macros for comprehensive assertion checking. */
+/*
+ * Convenience macros for comprehensive assertion checking.
+ */
 #define CLEANER_IDLE(c) ((c)->state == cleaner_s_idle && \
 		         (c)->iterator == NULL && \
 			 (c)->resched_event != NULL)
@@ -133,7 +134,9 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	if (cache == NULL)
 		return (ISC_R_NOMEMORY);
 
-	cache->mctx = mctx;
+	cache->mctx = NULL;
+	isc_mem_attach(mctx, &cache->mctx);
+
 	result = isc_mutex_init(&cache->lock);
 	if (result != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -159,7 +162,7 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 
 	result = cache_cleaner_init(cache, taskmgr, timermgr,
 				    &cache->cleaner);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto cleanup_db;
 
 	*cachep = cache;
@@ -170,12 +173,15 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
  cleanup_mutex:
 	isc_mutex_destroy(&cache->lock);
  cleanup_mem:
-	isc_mem_put(cache->mctx, cache, sizeof *cache);
+	isc_mem_put(mctx, cache, sizeof *cache);
+	isc_mem_detach(&mctx);
 	return (result);
 }
 
 static void 
 cache_free(dns_cache_t *cache) {
+	isc_mem_t *mctx;
+
 	REQUIRE(VALID_CACHE(cache));
 	REQUIRE(cache->references == 0);
 
@@ -198,7 +204,9 @@ cache_free(dns_cache_t *cache) {
 
 	isc_mutex_destroy(&cache->lock);
 	cache->magic = 0;	
+	mctx = cache->mctx;
 	isc_mem_put(cache->mctx, cache, sizeof *cache);	
+	isc_mem_detach(&mctx);
 }	
 
 
@@ -252,9 +260,9 @@ dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp) {
 
 #ifdef NOTYET
 
+/* ARGSUSED */
 isc_result_t
-dns_cache_setfilename(dns_cache_t *cahce, char *filename) /* ARGSUSED */
-{
+dns_cache_setfilename(dns_cache_t *cahce, char *filename) {
 	char *newname = isc_mem_strdup(filename);
 	if (newname == NULL)
 		return (ISC_R_NOMEMORY);
@@ -291,12 +299,14 @@ dns_cache_setcleaninginterval(dns_cache_t *cache, unsigned int t) {
 	LOCK(&cache->lock);
 	cache->cleaner.cleaning_interval = t;
 	if (t == 0) {
-		isc_timer_reset(cache->cleaner.cleaning_timer, isc_timertype_inactive,
-				NULL, NULL, ISC_TRUE);
+		isc_timer_reset(cache->cleaner.cleaning_timer,
+				isc_timertype_inactive, NULL, NULL, ISC_TRUE);
 	} else {
 		isc_interval_t interval;
-		isc_interval_set(&interval, cache->cleaner.cleaning_interval, 0);
-		isc_timer_reset(cache->cleaner.cleaning_timer, isc_timertype_ticker,
+		isc_interval_set(&interval, cache->cleaner.cleaning_interval,
+				 0);
+		isc_timer_reset(cache->cleaner.cleaning_timer,
+				isc_timertype_ticker,
 				NULL, &interval, ISC_FALSE);
 	}
 	UNLOCK(&cache->lock);	
@@ -323,8 +333,7 @@ cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
 	cleaner->resched_event = NULL;
 	
 	if (taskmgr != NULL && timermgr != NULL) {
-		result = isc_task_create(taskmgr, cache->mctx,
-					  1, &cleaner->task);
+		result = isc_task_create(taskmgr, 1, &cleaner->task);
 		if (result != ISC_R_SUCCESS) {
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 					 "isc_task_create() failed: %s",
@@ -443,9 +452,11 @@ end_cleaning(cache_cleaner_t *cleaner, isc_event_t *event) {
  */
 static void
 cleaning_timer_action(isc_task_t *task, isc_event_t *event) {
-	cache_cleaner_t *cleaner = event->arg;
+	cache_cleaner_t *cleaner = event->ev_arg;
+	UNUSED(task);
 	INSIST(task == cleaner->task);
-	INSIST(event->type == ISC_TIMEREVENT_TICK);
+	INSIST(event->ev_type == ISC_TIMEREVENT_TICK);
+
 	if (cleaner->state == cleaner_s_idle) {
 		begin_cleaning(cleaner);
 	} else {
@@ -464,11 +475,13 @@ cleaning_timer_action(isc_task_t *task, isc_event_t *event) {
 static void
 incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
 	isc_result_t result;
-	cache_cleaner_t *cleaner = event->arg;
+	cache_cleaner_t *cleaner = event->ev_arg;
 	isc_stdtime_t now;
 	int n_names;
-	INSIST(event->type == DNS_EVENT_CACHECLEAN);
+
+	INSIST(event->ev_type == DNS_EVENT_CACHECLEAN);
 	INSIST(CLEANER_BUSY(cleaner));
+
 	n_names = cleaner->increment;
 	isc_stdtime_get(&now);
 
@@ -583,12 +596,14 @@ dns_cache_clean(dns_cache_t *cache, isc_stdtime_t now) {
  */
 static void
 cleaner_shutdown_action(isc_task_t *task, isc_event_t *event) {
-	dns_cache_t *cache = event->arg;
+	dns_cache_t *cache = event->ev_arg;
 	isc_boolean_t should_free = ISC_FALSE;	
+
 	UNUSED(task);
+
 	LOCK(&cache->lock);
 
-	INSIST(event->type == ISC_TASKEVENT_SHUTDOWN);
+	INSIST(event->ev_type == ISC_TASKEVENT_SHUTDOWN);
 	isc_event_free(&event);
 	
 	cache->live_tasks--;
diff --git a/lib/dns/callbacks.c b/lib/dns/callbacks.c
index 8f5483d5..737580a3 100644
--- a/lib/dns/callbacks.c
+++ b/lib/dns/callbacks.c
@@ -15,13 +15,10 @@
  * SOFTWARE.
  */
 
-/* $Id: callbacks.c,v 1.6 2000/03/17 17:49:37 gson Exp $ */
+/* $Id: callbacks.c,v 1.7 2000/05/08 14:34:27 tale Exp $ */
 
 #include <config.h>
 
-#include <stdarg.h>
-
-#include <isc/assertions.h>
 #include <isc/util.h>
 
 #include <dns/callbacks.h>
@@ -73,9 +70,7 @@ isclog_warn_callback(dns_rdatacallbacks_t *callbacks, char *fmt, ...) {
 }
 
 static void
-dns_rdatacallbacks_initcommon(dns_rdatacallbacks_t *callbacks)
-
-{
+dns_rdatacallbacks_initcommon(dns_rdatacallbacks_t *callbacks) {
 	REQUIRE(callbacks != NULL);
 
 	callbacks->add = NULL;
diff --git a/lib/dns/compress.c b/lib/dns/compress.c
index 8119d753..f74714a2 100644
--- a/lib/dns/compress.c
+++ b/lib/dns/compress.c
@@ -15,40 +15,45 @@
  * SOFTWARE.
  */
 
-/* $Id: compress.c,v 1.22 2000/03/23 05:18:41 tale Exp $ */
+/* $Id: compress.c,v 1.33 2000/05/08 14:34:28 tale Exp $ */
+
+#define DNS_NAME_USEINLINE 1
 
 #include <config.h>
-#include <string.h>
 
-#include <isc/types.h>
-#include <isc/assertions.h>
-#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <dns/compress.h>
 #include <dns/fixedname.h>
+#include <dns/rbt.h>
+#include <dns/result.h>
 
 #define CCTX_MAGIC	0x43435458U	/* CCTX */
-#define VALID_CCTX(x)	((x) != NULL && (x)->magic == CCTX_MAGIC)
+#define VALID_CCTX(x)	ISC_MAGIC_VALID(x, CCTX_MAGIC)
 
 #define DCTX_MAGIC	0x44435458U	/* DCTX */
-#define VALID_DCTX(x)	((x) != NULL && (x)->magic == DCTX_MAGIC)
+#define VALID_DCTX(x)	ISC_MAGIC_VALID(x, DCTX_MAGIC)
+
+static void
+free_offset(void *offset, void *mctx);
 
-static void		free_offset(void *offset, void *mctx);
-isc_boolean_t		compress_find(dns_rbt_t *root, dns_name_t *name,
-				      dns_name_t *prefix, dns_name_t *suffix,
-				      isc_uint16_t *offset,
-				      isc_buffer_t *workspace);
-void			compress_add(dns_rbt_t *root, dns_name_t *prefix,
-				     dns_name_t *suffix, isc_uint16_t offset,
-				     isc_boolean_t global16, isc_mem_t *mctx);
+static isc_boolean_t
+compress_find(dns_rbt_t *root, dns_name_t *name, dns_name_t *prefix,
+	      dns_name_t *suffix, isc_uint16_t *offset,
+	      isc_buffer_t *workspace);
+
+static void
+compress_add(dns_rbt_t *root, dns_name_t *prefix, dns_name_t *suffix,
+	     isc_uint16_t offset, isc_boolean_t global16, isc_mem_t *mctx);
 
 /***
  ***	Compression
  ***/
 
 isc_result_t
-dns_compress_init(dns_compress_t *cctx, int edns, isc_mem_t *mctx)
-{
+dns_compress_init(dns_compress_t *cctx, int edns, isc_mem_t *mctx) {
 	isc_result_t result;
 
 	REQUIRE(cctx != NULL);
@@ -56,15 +61,15 @@ dns_compress_init(dns_compress_t *cctx, int edns, isc_mem_t *mctx)
 
 	cctx->allowed = 0;
 	cctx->rdata = 0;
-	cctx->global16 = (edns >= 1) ? ISC_TRUE : ISC_FALSE;
+	cctx->global16 = ISC_FALSE;
 	cctx->edns = edns;
 	cctx->global = NULL;
 	result = dns_rbt_create(mctx, free_offset, mctx, &cctx->global);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	cctx->mctx = mctx;
 	cctx->magic = CCTX_MAGIC;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 void
@@ -85,8 +90,6 @@ void
 dns_compress_setmethods(dns_compress_t *cctx, unsigned int allowed) {
 	REQUIRE(VALID_CCTX(cctx));
 
-	if (cctx->edns >= 1 && (allowed & DNS_COMPRESS_GLOBAL14) != 0)
-		allowed |= DNS_COMPRESS_GLOBAL16;
 	cctx->allowed = allowed;
 }
 
@@ -154,11 +157,11 @@ dns_compress_rollback(dns_compress_t *cctx, isc_uint16_t offset) {
 	result = dns_rbtnodechain_first(&chain, cctx->global, foundname,
 					origin);
 
-	while (result == DNS_R_NEWORIGIN || result == DNS_R_SUCCESS) {
+	while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
 		result = dns_rbtnodechain_current(&chain, foundname,
 						  origin, &node);
 
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			break;
 
 		if (node->data != NULL &&
@@ -168,12 +171,12 @@ dns_compress_rollback(dns_compress_t *cctx, isc_uint16_t offset) {
 						      NULL : origin,
 						      fullname, NULL);
 
-			if (result != DNS_R_SUCCESS)
+			if (result != ISC_R_SUCCESS)
 				break;
 
 			result = dns_rbt_deletename(cctx->global, fullname,
 						    ISC_FALSE);
-			if (result != DNS_R_SUCCESS)
+			if (result != ISC_R_SUCCESS)
 				break;
 			/*
 			 * If the delete is successful the chain is broken.
@@ -217,7 +220,10 @@ dns_decompress_setmethods(dns_decompress_t *dctx, unsigned int allowed) {
 
 	REQUIRE(VALID_DCTX(dctx));
 
-	dctx->allowed = allowed;
+	if (dns_decompress_strict(dctx))
+		dctx->allowed = allowed;
+	else
+		dctx->allowed = DNS_COMPRESS_ALL;
 }
 
 unsigned int
@@ -258,7 +264,7 @@ free_offset(void *offset, void *mctx) {
 /*
  *	Add the labels in prefix to RBT.
  */
-void
+static void
 compress_add(dns_rbt_t *root, dns_name_t *prefix, dns_name_t *suffix,
 	     isc_uint16_t offset, isc_boolean_t global16, isc_mem_t *mctx)
 {
@@ -268,7 +274,7 @@ compress_add(dns_rbt_t *root, dns_name_t *prefix, dns_name_t *suffix,
 	dns_label_t label;
 	unsigned int count;
 	unsigned int start;
-	unsigned int limit;
+	unsigned int n;
 	isc_uint16_t *data;
 	isc_result_t result;
 	unsigned char buffer[255];
@@ -276,31 +282,33 @@ compress_add(dns_rbt_t *root, dns_name_t *prefix, dns_name_t *suffix,
 	dns_offsets_t offsets;
 
 	count = dns_name_countlabels(prefix);
-	limit = dns_name_isabsolute(prefix) ? 1 : 0;
+	if (dns_name_isabsolute(prefix))
+		count--;
 	start = 0;
 	dns_name_init(&full, offsets);
 	dns_name_init(&name, NULL);
-	while (count > limit) {
+	isc_buffer_init(&target, buffer, sizeof(buffer));
+	result = dns_name_concatenate(prefix, suffix, &full, &target);
+	if (result != ISC_R_SUCCESS)
+		return;
+	n = dns_name_countlabels(&full);
+	while (count > 0) {
 		if (offset >= 16384 && !global16)
 			break;
-		dns_name_getlabelsequence(prefix, start, count, &name);
-		isc_buffer_init(&target, buffer, sizeof buffer,
-				ISC_BUFFERTYPE_BINARY);
-		result = dns_name_concatenate(&name, suffix, &full, &target);
-		if (result != DNS_R_SUCCESS)
-			return;
+		dns_name_getlabelsequence(&full, start, n, &name);
 		data = isc_mem_get(mctx, sizeof *data);
 		if (data == NULL)
 			return;
 		*data = offset;
-		result = dns_rbt_addname(root, &full, data);
-		if (result != DNS_R_SUCCESS) {
+		result = dns_rbt_addname(root, &name, data);
+		if (result != ISC_R_SUCCESS) {
 			isc_mem_put(mctx, data, sizeof *data);
 			return;
 		}
 		dns_name_getlabel(&name, 0, &label);
 		offset += label.length;
 		start++;
+		n--;
 		count--;
 	}
 }
@@ -312,7 +320,7 @@ compress_add(dns_rbt_t *root, dns_name_t *prefix, dns_name_t *suffix,
  *	If no match is found return ISC_FALSE.
  */
 
-isc_boolean_t
+static isc_boolean_t
 compress_find(dns_rbt_t *root, dns_name_t *name, dns_name_t *prefix,
 	      dns_name_t *suffix, isc_uint16_t *offset,
 	      isc_buffer_t *workspace)
@@ -338,8 +346,14 @@ compress_find(dns_rbt_t *root, dns_name_t *name, dns_name_t *prefix,
 
 	dns_fixedname_init(&found);
 	foundname = dns_fixedname_name(&found);
-	result = dns_rbt_findname(root, name, foundname, (void *)&data);
-	if (result != DNS_R_SUCCESS && result != DNS_R_PARTIALMATCH)
+	/*
+	 * Getting rid of the offsets table for foundname improves
+	 * perfomance, since the offsets table is not needed and maintaining
+	 * it has costs.
+	 */
+	foundname->offsets = NULL;
+	result = dns_rbt_findname(root, name, 0, foundname, (void *)&data);
+	if (result != ISC_R_SUCCESS && result != DNS_R_PARTIALMATCH)
 		return (ISC_FALSE);
 	if (data == NULL)		/* root label */
 		return (ISC_FALSE);
@@ -368,7 +382,7 @@ compress_find(dns_rbt_t *root, dns_name_t *name, dns_name_t *prefix,
 			dns_name_getlabelsequence(name, 0, prefixlen, prefix);
 		result = dns_name_concatenate(NULL, foundname, suffix,
 					     workspace);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (ISC_FALSE);
 		*offset = *data;
 		return (ISC_TRUE);
@@ -380,7 +394,7 @@ compress_find(dns_rbt_t *root, dns_name_t *name, dns_name_t *prefix,
 	 */
 	INSIST(result == DNS_R_PARTIALMATCH);
 	result = dns_name_concatenate(NULL, foundname, suffix, workspace);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (ISC_FALSE);
 	prefixlen = namelabels - foundlabels;
 	dns_name_init(&tmpprefix, NULL);
@@ -409,7 +423,7 @@ compress_find(dns_rbt_t *root, dns_name_t *name, dns_name_t *prefix,
 	dns_name_fromregion(&tmpsuffix, &region);
 	result = dns_name_concatenate(&tmpprefix, &tmpsuffix, prefix,
 				      workspace);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (ISC_FALSE);
 	*offset = *data;
 	return (ISC_TRUE);
diff --git a/lib/dns/config/confacl.c b/lib/dns/config/confacl.c
index 6ad1fa1e..293ab5ae 100644
--- a/lib/dns/config/confacl.c
+++ b/lib/dns/config/confacl.c
@@ -15,25 +15,22 @@
  * SOFTWARE.
  */
 
-#include <config.h>
+/* $Id: confacl.c,v 1.17 2000/05/08 19:23:24 tale Exp $ */
 
-#include <string.h>
+#include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/util.h>
 
 #include <dns/log.h>
 #include <dns/confacl.h>
-#include <dns/confcommon.h>
-
-
-static isc_result_t acl_delete(dns_c_acl_t **aclptr);
-
 
+static isc_result_t
+acl_delete(dns_c_acl_t **aclptr);
 
 isc_result_t
-dns_c_acltable_new(isc_mem_t *mem, dns_c_acltable_t **newtable)
-{
+dns_c_acltable_new(isc_mem_t *mem, dns_c_acltable_t **newtable) {
 	dns_c_acltable_t *table;
 	
 	REQUIRE(mem != NULL);
@@ -57,10 +54,8 @@ dns_c_acltable_new(isc_mem_t *mem, dns_c_acltable_t **newtable)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_acltable_delete(dns_c_acltable_t **table)
-{
+dns_c_acltable_delete(dns_c_acltable_t **table) {
 	dns_c_acltable_t *acltable;
 	isc_mem_t *mem;
 
@@ -84,10 +79,8 @@ dns_c_acltable_delete(dns_c_acltable_t **table)
 	return (ISC_R_SUCCESS);
 }
 
-
 void
-dns_c_acltable_print(FILE *fp, int indent, dns_c_acltable_t *table)
-{
+dns_c_acltable_print(FILE *fp, int indent, dns_c_acltable_t *table) {
 	dns_c_acl_t *acl;
 	dns_c_acl_t *acltmp;
 
@@ -113,10 +106,8 @@ dns_c_acltable_print(FILE *fp, int indent, dns_c_acltable_t *table)
 	}
 }
 
-
 isc_result_t
-dns_c_acltable_clear(dns_c_acltable_t *table)
-{
+dns_c_acltable_clear(dns_c_acltable_t *table) {
 	dns_c_acl_t *elem;
 	dns_c_acl_t *tmpelem;
 	isc_result_t r;
@@ -174,8 +165,7 @@ dns_c_acltable_getacl(dns_c_acltable_t *table,
 
 
 isc_result_t
-dns_c_acltable_removeacl(dns_c_acltable_t *table, const char *aclname)
-{
+dns_c_acltable_removeacl(dns_c_acltable_t *table, const char *aclname) {
 	dns_c_acl_t *acl;
 	dns_c_acl_t *tmpacl;
 
@@ -241,8 +231,7 @@ dns_c_acl_new(dns_c_acltable_t *table, const char *aclname,
 
 
 void
-dns_c_acl_print(FILE *fp, int indent, dns_c_acl_t *acl)
-{
+dns_c_acl_print(FILE *fp, int indent, dns_c_acl_t *acl) {
 	REQUIRE(DNS_C_CONFACL_VALID(acl));
 	
 	dns_c_printtabs(fp, indent);
@@ -320,9 +309,7 @@ dns_c_acl_getipmlexpanded(isc_mem_t *mem, dns_c_acl_t *acl,
 /* XXX this should really be a function in the confip module */
 
 isc_result_t
-dns_c_acl_expandacls(dns_c_acltable_t *table,
-		     dns_c_ipmatchlist_t *list)
-{
+dns_c_acl_expandacls(dns_c_acltable_t *table, dns_c_ipmatchlist_t *list) {
 	dns_c_ipmatchelement_t *elem;
 	dns_c_ipmatchelement_t *tmpelem;
 	dns_c_acl_t *acl;
@@ -377,12 +364,8 @@ dns_c_acl_expandacls(dns_c_acltable_t *table,
 	return (ISC_R_SUCCESS);
 }
 
-
-
-
 static isc_result_t
-acl_delete(dns_c_acl_t **aclptr)
-{
+acl_delete(dns_c_acl_t **aclptr) {
 	dns_c_acl_t *acl;
 	isc_result_t res;
 	isc_mem_t *mem;
diff --git a/lib/dns/config/confcache.c b/lib/dns/config/confcache.c
index 5bdb7092..fa8e6c5f 100644
--- a/lib/dns/config/confcache.c
+++ b/lib/dns/config/confcache.c
@@ -15,16 +15,17 @@
  * SOFTWARE.
  */
 
+/* $Id: confcache.c,v 1.6 2000/05/02 03:54:04 tale Exp $ */
+
 #include <config.h>
 
 #include <dns/confcache.h>
-#include <dns/result.h>
+#include <isc/result.h>
 
 #include "confpvt.h"
 
 isc_result_t
-dns_c_cache_new(isc_mem_t *mem, dns_c_cache_t **cfgcache)
-{
+dns_c_cache_new(isc_mem_t *mem, dns_c_cache_t **cfgcache) {
 
 	(void) mem ; (void) cfgcache; /* lint */
 
@@ -33,12 +34,10 @@ dns_c_cache_new(isc_mem_t *mem, dns_c_cache_t **cfgcache)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_cache_delete(dns_c_cache_t **cfgcache)
-{
+dns_c_cache_delete(dns_c_cache_t **cfgcache) {
 	(void) cfgcache ;	/* lint */
-	
+
 	/* XXX nothin yet */
 
 	return (ISC_R_SUCCESS);
diff --git a/lib/dns/config/confcommon.c b/lib/dns/config/confcommon.c
index e0d45394..2d92de70 100644
--- a/lib/dns/config/confcommon.c
+++ b/lib/dns/config/confcommon.c
@@ -15,31 +15,25 @@
  * SOFTWARE.
  */
 
-#include <config.h>
+/* $Id: confcommon.c,v 1.28 2000/05/15 12:36:19 brister Exp $ */
 
-#include <sys/types.h>	/* XXXRTH */
+#include <config.h>
 
-#include <limits.h>
-#include <syslog.h>	/* XXXRTH */
 #include <ctype.h>
-#include <string.h>
+#include <syslog.h>	/* XXXRTH */
 
-#include <isc/assertions.h>
 #include <isc/buffer.h>
-#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/socket.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/util.h>
 
+#include <dns/confcommon.h>
 #include <dns/name.h>
 #include <dns/peer.h>
-
-/* XXX this next include is needed by <dns/rdataclass.h>  */
-#include <dns/result.h>
-#include <dns/name.h>
 #include <dns/rdataclass.h>
 #include <dns/rdatatype.h>
 #include <dns/ssu.h>
-#include <dns/confcommon.h>
-
-
 
 /***
  *** TYPES
@@ -144,10 +138,6 @@ static const char *category_nametable[] = {
  *** DATA
  ***/
 
-isc_boolean_t debug_mem_print;
-FILE *debug_mem_print_stream;
-
-
 
 /***
  *** FUNCTIONS
@@ -161,8 +151,7 @@ static void default_cfgerror(isc_result_t result, const char *fmt,
 
 
 void
-dns_c_printinunits(FILE *fp, isc_uint32_t val)
-{
+dns_c_printinunits(FILE *fp, isc_uint32_t val) {
 	isc_uint32_t one_gig = (1024 * 1024 * 1024);
 	isc_uint32_t one_meg = (1024 * 1024);
 	isc_uint32_t one_k = 1024;
@@ -185,46 +174,41 @@ dns_c_printinunits(FILE *fp, isc_uint32_t val)
 
 
 void
-dns_c_dataclass_tostream(FILE *fp, dns_rdataclass_t rclass)
-{
+dns_c_dataclass_tostream(FILE *fp, dns_rdataclass_t rclass) {
 	char buffer[64];
 	isc_buffer_t sourceb;
 
-	isc_buffer_init(&sourceb, buffer, sizeof buffer,
-			ISC_BUFFERTYPE_GENERIC);
+	isc_buffer_init(&sourceb, buffer, sizeof(buffer));
 	
-	if (dns_rdataclass_totext(rclass, &sourceb) == DNS_R_SUCCESS) {
-		INSIST(sourceb.used + 1 < sizeof buffer);
+	if (dns_rdataclass_totext(rclass, &sourceb) == ISC_R_SUCCESS) {
+		INSIST(sourceb.used + 1 < sizeof(buffer));
 		buffer[sourceb.used] = '\0';
 		fputs(buffer, fp);
 	} else {
-		fprintf(fp, "UNKNOWN-CLASS(%d)",(int) rclass);
+		fprintf(fp, "UNKNOWN-CLASS(%d)", (int)rclass);
 	}
 }
 
 
 void
-dns_c_datatype_tostream(FILE *fp, dns_rdatatype_t rtype)
-{
+dns_c_datatype_tostream(FILE *fp, dns_rdatatype_t rtype) {
 	char buffer[64];
 	isc_buffer_t sourceb;
 
-	isc_buffer_init(&sourceb, buffer, sizeof buffer,
-			ISC_BUFFERTYPE_GENERIC);
+	isc_buffer_init(&sourceb, buffer, sizeof(buffer));
 
-	if (dns_rdatatype_totext(rtype, &sourceb) == DNS_R_SUCCESS) {
+	if (dns_rdatatype_totext(rtype, &sourceb) == ISC_R_SUCCESS) {
 		INSIST(sourceb.used + 1 < sizeof buffer);
 		buffer[sourceb.used] = '\0';
 		fputs(buffer, fp);
 	} else {
-		fprintf(fp, "UNKNOWN-RDATATYPE(%d)",(int) rtype);
+		fprintf(fp, "UNKNOWN-RDATATYPE(%d)", (int)rtype);
 	}
 }
 
 
 void
-dns_c_printtabs(FILE *fp, int count)
-{
+dns_c_printtabs(FILE *fp, int count) {
 
 	while (count > 0) {
 		fputc('\t', fp);
@@ -235,8 +219,7 @@ dns_c_printtabs(FILE *fp, int count)
 
 
 isc_result_t
-dns_c_string2ordering(char *name, dns_c_ordering_t *ordering)
-{
+dns_c_string2ordering(char *name, dns_c_ordering_t *ordering) {
 	unsigned int i;
 	isc_result_t rval = ISC_R_FAILURE;
 
@@ -353,8 +336,7 @@ dns_c_string2category(const char *string,
 
 
 const char *
-dns_c_facility2string(int facility, isc_boolean_t printable)
-{
+dns_c_facility2string(int facility, isc_boolean_t printable) {
 	int i;
 	const char *rval = NULL;
 
@@ -370,8 +352,7 @@ dns_c_facility2string(int facility, isc_boolean_t printable)
 
 
 isc_result_t
-dns_c_string2facility(const char *string, int *result)
-{
+dns_c_string2facility(const char *string, int *result) {
 	int i;
 	isc_result_t rval = ISC_R_FAILURE;
 
@@ -486,9 +467,33 @@ dns_c_forward2string(dns_c_forw_t forw,
 
 
 
-int
-dns_c_isanyaddr(isc_sockaddr_t *inaddr)
+const char *
+dns_c_addata2string(dns_c_addata_t addata,
+		    isc_boolean_t printable)
 {
+	const char *rval = NULL;
+
+	switch (addata) {
+	case dns_c_ad_internal:
+		rval = "internal";
+		break;
+
+	case dns_c_ad_minimal:
+		rval = "minimal";
+		break;
+
+	case dns_c_ad_maximal:
+		rval = "maximal";
+		break;
+	}
+
+	return (rval == NULL && printable ? "UNKNOWN_ADDITIONAL_DATA" : rval);
+}
+
+
+
+int
+dns_c_isanyaddr(isc_sockaddr_t *inaddr) {
 	int result = 0;
 
 	if (inaddr->type.sa.sa_family == AF_INET) {
@@ -508,8 +513,7 @@ dns_c_isanyaddr(isc_sockaddr_t *inaddr)
 
 	
 void
-dns_c_print_ipaddr(FILE *fp, isc_sockaddr_t *inaddr)
-{
+dns_c_print_ipaddr(FILE *fp, isc_sockaddr_t *inaddr) {
 	const char *p;
 	char tmpaddrstr[64];
 	int family = inaddr->type.sa.sa_family;
@@ -537,8 +541,7 @@ dns_c_print_ipaddr(FILE *fp, isc_sockaddr_t *inaddr)
 
 
 isc_boolean_t
-dns_c_netaddrisanyaddr(isc_netaddr_t *inaddr)
-{
+dns_c_netaddrisanyaddr(isc_netaddr_t *inaddr) {
 	isc_boolean_t result = ISC_FALSE;
 	
 	if (inaddr->family == AF_INET) {
@@ -559,8 +562,7 @@ dns_c_netaddrisanyaddr(isc_netaddr_t *inaddr)
 
 
 void
-dns_c_netaddrprint(FILE *fp, isc_netaddr_t *inaddr)
-{
+dns_c_netaddrprint(FILE *fp, isc_netaddr_t *inaddr) {
 	const char *p;
 	char tmpaddrstr[64];
 	int family = inaddr->family;
@@ -589,8 +591,7 @@ dns_c_netaddrprint(FILE *fp, isc_netaddr_t *inaddr)
 
 
 isc_boolean_t
-dns_c_need_quote(const char *string)
-{
+dns_c_need_quote(const char *string) {
 	isc_boolean_t rval = ISC_FALSE;
 
 	while (string != NULL && *string != '\0') {
@@ -608,7 +609,7 @@ dns_c_need_quote(const char *string)
 		
 void
 dns_c_peerlist_print(FILE *fp, int indent,
-		   dns_peerlist_t *servers)
+		     dns_peerlist_t *servers)
 {
 	dns_peer_t *server;
 	
@@ -629,8 +630,7 @@ dns_c_peerlist_print(FILE *fp, int indent,
 
 
 void
-dns_c_peer_print(FILE *fp, int indent, dns_peer_t *peer)
-{
+dns_c_peer_print(FILE *fp, int indent, dns_peer_t *peer) {
 	isc_boolean_t bval;
 	isc_result_t res;
 	dns_transfer_format_t tval;
@@ -680,7 +680,7 @@ dns_c_peer_print(FILE *fp, int indent, dns_peer_t *peer)
 	if (res == ISC_R_SUCCESS) {
 		REQUIRE(name != NULL);
 		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "key { \"");
+		fprintf(fp, "keys { \"");
 		dns_name_print(peer->key, fp);
 		fprintf(fp, "\"; };\n");
 	}
@@ -693,8 +693,7 @@ dns_c_peer_print(FILE *fp, int indent, dns_peer_t *peer)
 
 
 isc_result_t
-dns_c_charptoname(isc_mem_t *mem, const char *keyval, dns_name_t **name)
-{
+dns_c_charptoname(isc_mem_t *mem, const char *keyval, dns_name_t **name) {
 	dns_name_t newkey;
 	isc_buffer_t *b1 = NULL;
 	isc_buffer_t b2;
@@ -708,13 +707,12 @@ dns_c_charptoname(isc_mem_t *mem, const char *keyval, dns_name_t **name)
 	len = strlen(keyval);
 	
 	dns_name_init(&newkey, NULL);
-	res = isc_buffer_allocate(mem, &b1, len + 2,
-				  ISC_BUFFERTYPE_BINARY);
+	res = isc_buffer_allocate(mem, &b1, len + 2);
 	REQUIRE(res == ISC_R_SUCCESS);
 	
 	dns_name_setbuffer(&newkey, b1);
 	
-	isc_buffer_init(&b2, (char *)keyval, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&b2, (char *)keyval, len);
 	isc_buffer_add(&b2, len);
 	
 	res = dns_name_fromtext(&newkey, &b2, NULL, ISC_FALSE, NULL);
@@ -734,8 +732,7 @@ dns_c_charptoname(isc_mem_t *mem, const char *keyval, dns_name_t **name)
 }
 
 void
-dns_c_ssutable_print(FILE *fp, int indent, dns_ssutable_t *ssutable)
-{
+dns_c_ssutable_print(FILE *fp, int indent, dns_ssutable_t *ssutable) {
 	dns_ssurule_t *rule = NULL;
 	dns_ssurule_t *tmprule = NULL;
 	isc_result_t res;
@@ -749,8 +746,11 @@ dns_c_ssutable_print(FILE *fp, int indent, dns_ssutable_t *ssutable)
 	}
 
 	fputc('\n', fp);
+	dns_c_printtabs(fp, indent);
+	fprintf(fp, "update-policy {\n");
+	
 	do {
-		dns_c_printtabs(fp, indent);
+		dns_c_printtabs(fp, indent + 1);
 
 		fputs ((dns_ssurule_isgrant(rule) ? "grant" : "deny"), fp);
 		fputc(' ', fp);
@@ -786,7 +786,9 @@ dns_c_ssutable_print(FILE *fp, int indent, dns_ssutable_t *ssutable)
 
 		tcount = dns_ssurule_types(rule, &types);
 		for(i = 0 ; i < tcount ; i++) {
+			fputc('\"', fp);
 			dns_c_datatype_tostream(fp, types[i]);
+			fputc('\"', fp);
 			fputc(' ', fp);
 		}
 
@@ -795,19 +797,20 @@ dns_c_ssutable_print(FILE *fp, int indent, dns_ssutable_t *ssutable)
 		rule = NULL;
 	} while (dns_ssutable_nextrule(tmprule, &rule) == ISC_R_SUCCESS);
 	fputc('\n', fp);
+	dns_c_printtabs(fp, indent);
+	fprintf(fp, "};\n");
 }
 
 
 isc_result_t
-dns_c_checkcategory(const char *name)
-{
+dns_c_checkcategory(const char *name) {
 	unsigned int i;
 
 	REQUIRE (name != NULL);
 	REQUIRE(*name != '\0');
 
 	/*
-	 * this function isn't called very often, so no need for fancy
+	 * This function isn't called very often, so no need for fancy
 	 * searches.
 	 */
 	for (i = 0 ; category_nametable[i] != NULL ; i++) {
diff --git a/lib/dns/config/confctl.c b/lib/dns/config/confctl.c
index 5e8e7009..8d66cd0f 100644
--- a/lib/dns/config/confctl.c
+++ b/lib/dns/config/confctl.c
@@ -15,21 +15,17 @@
  * SOFTWARE.
  */
 
-#include <config.h>
+/* $Id: confctl.c,v 1.20 2000/05/13 19:44:53 tale Exp $ */
 
-#include <sys/types.h>
+#include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/net.h>
-#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/util.h>
 
 #include <dns/confctl.h>
-#include <dns/confcommon.h>
-
 
 isc_result_t
-dns_c_ctrllist_new(isc_mem_t *mem, dns_c_ctrllist_t **newlist)
-{
+dns_c_ctrllist_new(isc_mem_t *mem, dns_c_ctrllist_t **newlist) {
 	dns_c_ctrllist_t *newl;
 	
 	REQUIRE(mem != NULL);
@@ -50,12 +46,9 @@ dns_c_ctrllist_new(isc_mem_t *mem, dns_c_ctrllist_t **newlist)
 
 	return (ISC_R_SUCCESS);
 }
-	
 		
-	
 void
-dns_c_ctrllist_print(FILE *fp, int indent, dns_c_ctrllist_t *cl)
-{
+dns_c_ctrllist_print(FILE *fp, int indent, dns_c_ctrllist_t *cl) {
 	dns_c_ctrl_t *ctl;
 
 	if (cl == NULL) {
@@ -79,11 +72,8 @@ dns_c_ctrllist_print(FILE *fp, int indent, dns_c_ctrllist_t *cl)
 	fprintf(fp, "};\n");
 }
 
-
-
 isc_result_t
-dns_c_ctrllist_delete(dns_c_ctrllist_t **list)
-{
+dns_c_ctrllist_delete(dns_c_ctrllist_t **list) {
 	dns_c_ctrl_t	       *ctrl;
 	dns_c_ctrl_t	       *tmpctrl;
 	dns_c_ctrllist_t      *clist;
@@ -110,7 +100,6 @@ dns_c_ctrllist_delete(dns_c_ctrllist_t **list)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
 dns_c_ctrlinet_new(isc_mem_t *mem, dns_c_ctrl_t **control,
 		   isc_sockaddr_t addr, in_port_t port,
@@ -149,7 +138,6 @@ dns_c_ctrlinet_new(isc_mem_t *mem, dns_c_ctrl_t **control,
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
 dns_c_ctrlunix_new(isc_mem_t *mem, dns_c_ctrl_t **control,
 		   const char *path, int perm, uid_t uid, gid_t gid)
@@ -183,12 +171,9 @@ dns_c_ctrlunix_new(isc_mem_t *mem, dns_c_ctrl_t **control,
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_ctrl_delete(dns_c_ctrl_t **control)
-{
+dns_c_ctrl_delete(dns_c_ctrl_t **control) {
 	isc_result_t res = ISC_R_SUCCESS;
-	isc_result_t rval;
 	isc_mem_t *mem;
 	dns_c_ctrl_t *ctrl;
 	
@@ -204,7 +189,8 @@ dns_c_ctrl_delete(dns_c_ctrl_t **control)
 	switch (ctrl->control_type) {
 	case dns_c_inet_control:
 		if (ctrl->u.inet_v.matchlist != NULL)
-			res = dns_c_ipmatchlist_detach(&ctrl->u.inet_v.matchlist);
+			res = dns_c_ipmatchlist_detach(&ctrl->
+						       u.inet_v.matchlist);
 		else
 			res = ISC_R_SUCCESS;
 		break;
@@ -215,8 +201,6 @@ dns_c_ctrl_delete(dns_c_ctrl_t **control)
 		break;
 	}
 
-	rval = res;
-
 	ctrl->magic = 0;
 	
 	isc_mem_put(mem, ctrl, sizeof *ctrl);
@@ -226,10 +210,8 @@ dns_c_ctrl_delete(dns_c_ctrl_t **control)
 	return (res);
 }
 
-
 void
-dns_c_ctrl_print(FILE *fp, int indent, dns_c_ctrl_t *ctl)
-{
+dns_c_ctrl_print(FILE *fp, int indent, dns_c_ctrl_t *ctl) {
 	in_port_t port;
 	dns_c_ipmatchlist_t *iml;
 
diff --git a/lib/dns/config/confctx.c b/lib/dns/config/confctx.c
index 68f5c55e..13618dc7 100644
--- a/lib/dns/config/confctx.c
+++ b/lib/dns/config/confctx.c
@@ -15,346 +15,545 @@
  * SOFTWARE.
  */
 
-#include <config.h>
+/* $Id: confctx.c,v 1.57 2000/05/15 12:36:20 brister Exp $ */
 
-#include <syslog.h>	/* XXXRTH */
-#include <string.h>
+#include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/util.h>
 
 #include <dns/confctx.h>
-#include <dns/confcommon.h>
 #include <dns/log.h>
+#include <dns/peer.h>
 
 #include "confpvt.h"
 
+#define SETBOOL(FUNC, FIELD) SETBYTYPE(isc_boolean_t, FUNC, FIELD)
+#define GETBOOL(FUNC, FIELD) GETBYTYPE(isc_boolean_t, FUNC, FIELD)
+#define UNSETBOOL(FUNC, FIELD) UNSETBYTYPE(isc_boolean_t, FUNC, FIELD)
 
+#define SETINT32(FUNC, FIELD) SETBYTYPE(isc_int32_t, FUNC, FIELD)
+#define GETINT32(FUNC, FIELD) GETBYTYPE(isc_int32_t, FUNC, FIELD)
+#define UNSETINT32(FUNC, FIELD) UNSETBYTYPE(isc_int32_t, FUNC, FIELD)
 
-/*
- * Bit positions in the flags fields of the dns_c_options_t structure.
- */
-#define MAX_NCACHE_TTL_BIT		0 
-#define TRANSFERS_IN_BIT		1 
-#define TRANSFERS_PER_NS_BIT		2 
-#define TRANSFERS_OUT_BIT		3 
-#define MAX_LOG_SIZE_IXFR_BIT		4 
-#define CLEAN_INTERVAL_BIT		5 
-#define INTERFACE_INTERVAL_BIT		6 
-#define STATS_INTERVAL_BIT		7 
-#define HEARTBEAT_INTERVAL_BIT		8 
-#define MAX_TRANSFER_TIME_IN_BIT	9 
-#define MAX_TRANSFER_TIME_OUT_BIT	10
-#define MAX_TRANSFER_IDLE_IN_BIT	11
-#define MAX_TRANSFER_IDLE_OUT_BIT	12
-#define DATA_SIZE_BIT			13
-#define STACK_SIZE_BIT			14
-#define CORE_SIZE_BIT			15
-#define FILES_BIT			16
-#define QUERY_SOURCE_BIT		17
-#define QUERY_SOURCE_V6_BIT		18
-#define FAKE_IQUERY_BIT			19
-#define RECURSION_BIT			20
-#define FETCH_GLUE_BIT			21
-#define NOTIFY_BIT			22
-#define HOST_STATISTICS_BIT		23
-#define DEALLOC_ON_EXIT_BIT		24
-#define USE_IXFR_BIT			25
-#define MAINTAIN_IXFR_BASE_BIT		26
-#define HAS_OLD_CLIENTS_BIT		27
-#define AUTH_NX_DOMAIN_BIT		28
-#define MULTIPLE_CNAMES_BIT		29
-#define USE_ID_POOL_BIT			30
-#define DIALUP_BIT			31
-#define CHECKNAME_PRIM_BIT		32
-#define CHECKNAME_SEC_BIT		33
-#define CHECKNAME_RESP_BIT		34
-#define OPTIONS_TRANSFER_FORMAT_BIT	35
-#define FORWARD_BIT			36
-#define EXPERT_MODE_BIT			37
-#define RFC2308_TYPE1_BIT		38
-#define TCP_CLIENTS_BIT			39
-#define RECURSIVE_CLIENTS_BIT		40
-#define TRANSFER_SOURCE_BIT		41
-#define TRANSFER_SOURCE_V6_BIT		42
-#define REQUEST_IXFR_BIT		43
-#define PROVIDE_IXFR_BIT		44
+#define SETUINT32(FUNC, FIELD) SETBYTYPE(isc_uint32_t, FUNC, FIELD)
+#define GETUINT32(FUNC, FIELD) GETBYTYPE(isc_uint32_t, FUNC, FIELD)
+#define UNSETUINT32(FUNC, FIELD) UNSETBYTYPE(isc_uint32_t, FUNC, FIELD)
+
+#define SETSOCKADDR(FUNC, FIELD) SETBYTYPE(isc_sockaddr_t, FUNC, FIELD)
+#define GETSOCKADDR(FUNC, FIELD) GETBYTYPE(isc_sockaddr_t, FUNC, FIELD)
+#define UNSETSOCKADDR(FUNC, FIELD) UNSETBYTYPE(isc_sockaddr_t, FUNC, FIELD)
+
+#ifdef PVT_CONCAT
+#undef PVT_CONCAT
+#endif
+
+#define PVT_CONCAT(x,y) x ## y
+
+#define SETBYTYPE(TYPE, FUNCNAME, FIELDNAME)				\
+isc_result_t								\
+PVT_CONCAT(dns_c_ctx_set, FUNCNAME)(dns_c_ctx_t *cfg, TYPE newval)	\
+{									\
+	isc_result_t result;						\
+	isc_boolean_t existed = ISC_FALSE;				\
+	dns_c_options_t *options;					\
+									\
+	REQUIRE(DNS_C_CONFCTX_VALID(cfg));				\
+	if (cfg->options == NULL) {					\
+		result = dns_c_ctx_optionsnew(cfg->mem, &cfg->options);	\
+		if (result != ISC_R_SUCCESS) {				\
+			return (result);				\
+		}							\
+	}								\
+									\
+	REQUIRE(DNS_C_CONFOPT_VALID(cfg->options));                     \
+	options = cfg->options;						\
+									\
+	if (options->FIELDNAME == NULL) {				\
+		options->FIELDNAME = isc_mem_get(options->mem,		\
+						 sizeof (TYPE));	\
+		if (options->FIELDNAME == NULL) {			\
+			return (ISC_R_NOMEMORY);			\
+		}							\
+	} else {							\
+		existed = ISC_TRUE;					\
+	}								\
+									\
+	*options->FIELDNAME = newval;					\
+									\
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);		\
+}
+
+#define GETBYTYPE(TYPE, FUNCNAME, FIELDNAME)				\
+isc_result_t								\
+PVT_CONCAT(dns_c_ctx_get, FUNCNAME)(dns_c_ctx_t *cfg, TYPE *retval)	\
+{									\
+	dns_c_options_t *options;					\
+									\
+	REQUIRE(DNS_C_CONFCTX_VALID(cfg));				\
+	REQUIRE(retval != NULL);					\
+									\
+	options = cfg->options;						\
+									\
+	if (options == NULL) {						\
+		return (ISC_R_NOTFOUND);				\
+	}								\
+									\
+	REQUIRE(DNS_C_CONFOPT_VALID(options));				\
+									\
+	if (options->FIELDNAME == NULL) {				\
+		return (ISC_R_NOTFOUND);				\
+	} else {							\
+		*retval = *options->FIELDNAME;				\
+		return (ISC_R_SUCCESS);					\
+	}								\
+}
+
+#define UNSETBYTYPE(TYPE, FUNCNAME, FIELDNAME)			\
+isc_result_t							\
+PVT_CONCAT(dns_c_ctx_unset, FUNCNAME)(dns_c_ctx_t *cfg)		\
+{								\
+	dns_c_options_t *options;				\
+								\
+	REQUIRE(DNS_C_CONFCTX_VALID(cfg));			\
+								\
+	options = cfg->options;					\
+								\
+	if (options == NULL) {					\
+		return (ISC_R_NOTFOUND);			\
+	}							\
+								\
+	REQUIRE(DNS_C_CONFOPT_VALID(options));			\
+								\
+	if (options->FIELDNAME == NULL) {			\
+		return (ISC_R_NOTFOUND);			\
+	} else {						\
+		isc_mem_put(options->mem, options->FIELDNAME,	\
+			    sizeof (options->FIELDNAME));	\
+		options->FIELDNAME = NULL;			\
+								\
+		return (ISC_R_SUCCESS);				\
+	}							\
+}
+
+
+
+#define SETSTRING(FUNC, FIELD)						     \
+isc_result_t								     \
+PVT_CONCAT(dns_c_ctx_set, FUNC)(dns_c_ctx_t *cfg, const char *newval)	     \
+{									     \
+	isc_result_t res;						     \
+									     \
+	REQUIRE(DNS_C_CONFCTX_VALID(cfg));				     \
+	REQUIRE(newval != NULL);					     \
+	REQUIRE(*newval != '\0');					     \
+									     \
+	res = make_options(cfg);					     \
+	if (res != ISC_R_SUCCESS) {					     \
+		return (res);						     \
+	}								     \
+									     \
+	return (cfg_set_string(cfg->options, &cfg->options->FIELD, newval)); \
+}
+
+
+#define GETSTRING(FUNC, FIELD)						\
+isc_result_t								\
+PVT_CONCAT(dns_c_ctx_get, FUNC)(dns_c_ctx_t *cfg, char **retval)	\
+{									\
+	REQUIRE(DNS_C_CONFCTX_VALID(cfg));				\
+	REQUIRE(retval != NULL);					\
+									\
+	if (cfg->options == NULL) {					\
+		return (ISC_R_NOTFOUND);				\
+	}								\
+									\
+	REQUIRE(DNS_C_CONFOPT_VALID(cfg->options));			\
+									\
+	*retval = cfg->options->FIELD;					\
+									\
+	return (*retval == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);	\
+}
+
+
+#define UNSETSTRING(FUNC, FIELD)				\
+isc_result_t							\
+PVT_CONCAT(dns_c_ctx_unset, FUNC)(dns_c_ctx_t *cfg)		\
+{								\
+	REQUIRE(DNS_C_CONFCTX_VALID(cfg));			\
+								\
+	if (cfg->options == NULL) {				\
+		return (ISC_R_NOTFOUND);			\
+	}							\
+								\
+	REQUIRE(DNS_C_CONFOPT_VALID(cfg->options));		\
+								\
+	if (cfg->options->FIELD == NULL) {			\
+		return (ISC_R_NOTFOUND);			\
+	}							\
+								\
+	isc_mem_free(cfg->options->mem, cfg->options->FIELD);	\
+								\
+	return (ISC_R_SUCCESS);					\
+}
 
 
 static isc_result_t cfg_set_iplist(dns_c_options_t *options,
 				   dns_c_iplist_t **fieldaddr,
 				   dns_c_iplist_t *newval,
 				   isc_boolean_t copy);
-static isc_result_t cfg_set_ipmatchlist(dns_c_options_t *options,
-					dns_c_ipmatchlist_t **fieldaddr,
-					dns_c_ipmatchlist_t *newval,
-					isc_boolean_t copy);
-static isc_result_t cfg_set_boolean(dns_c_options_t *options,
-				    isc_boolean_t *fieldaddr,
-				    isc_boolean_t newval,
-				    dns_c_setbits_t *setfield,
-				    isc_uint32_t bitnumber);
-static isc_result_t cfg_set_int32(dns_c_options_t *options,
-				  isc_int32_t *fieldaddr,
-				  isc_int32_t newval,
-				  dns_c_setbits_t *setfield,
-				  isc_uint32_t bitnumber);
-static isc_result_t cfg_set_uint32(dns_c_options_t *options,
-				   isc_uint32_t *fieldaddr,
-				   isc_uint32_t newval,
-				   dns_c_setbits_t *setfield,
-				   isc_uint32_t bitnumber);
 static isc_result_t cfg_set_string(dns_c_options_t *options,
 				   char **field,
 				   const char *newval);
 
-static isc_result_t cfg_get_uint32(dns_c_options_t *options,
-				   isc_uint32_t *field,
-				   isc_uint32_t *result,
-				   dns_c_setbits_t *setfield,
-				   isc_uint32_t bitnumber);
-static isc_result_t cfg_get_int32(dns_c_options_t *options,
-				  isc_int32_t *field,
-				  isc_int32_t *result,
-				  dns_c_setbits_t *setfield,
-				  isc_uint32_t bitnumber);
-static isc_result_t cfg_get_boolean(dns_c_options_t *options,
-				    isc_boolean_t *field,
-				    isc_boolean_t *result,
-				    dns_c_setbits_t *setfield,
-				    isc_uint32_t bitnumber);
-static isc_result_t cfg_get_ipmatchlist(dns_c_options_t *options,
-					dns_c_ipmatchlist_t *field,
-					dns_c_ipmatchlist_t **resval);
+
 static isc_result_t cfg_get_iplist(dns_c_options_t *options,
 				   dns_c_iplist_t *field,
 				   dns_c_iplist_t **resval);
 static isc_result_t acl_init(dns_c_ctx_t *cfg);
 static isc_result_t logging_init (dns_c_ctx_t *cfg);
-static isc_result_t  make_options(dns_c_ctx_t *cfg);
+static isc_result_t make_options(dns_c_ctx_t *cfg);
 
 
 
 isc_result_t
-dns_c_checkconfig(dns_c_ctx_t *ctx)
+dns_c_checkconfig(dns_c_ctx_t *cfg)
 {
 	isc_boolean_t 		bval;
 	char     	       *cpval;
 	dns_severity_t	severity;
 	isc_int32_t		intval;
+	isc_uint32_t		uintval;
 	dns_c_ipmatchlist_t    *ipml;
+	isc_result_t 		result = ISC_R_SUCCESS;
+	isc_result_t		tmpres;
+	dns_c_rrsolist_t       *olist;
 
-	if (dns_c_ctx_getnamedxfer(ctx, &cpval) != ISC_R_NOTFOUND) {
+	
+	if (dns_c_ctx_getnamedxfer(cfg, &cpval) != ISC_R_NOTFOUND) {
 		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
-			      "named-xfer is now obsolete");
+			      "option 'named-xfer' is now obsolete");
 	}
 
 	
-	if (dns_c_ctx_getdumpfilename(ctx, &cpval) != ISC_R_NOTFOUND) {
+	if (dns_c_ctx_getdumpfilename(cfg, &cpval) != ISC_R_NOTFOUND) {
 		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
-			      "dump-file is not yet implemented.");
+			      "option 'dump-file' is not yet implemented.");
 	}
 	
 		
-	if (dns_c_ctx_getmemstatsfilename(ctx, &cpval) != ISC_R_NOTFOUND) {
+	if (dns_c_ctx_getmemstatsfilename(cfg, &cpval) != ISC_R_NOTFOUND) {
 		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
-			      "memstatistics-file is not yet implemented.");
+			      "option 'memstatistics-file' is not yet "
+			      "implemented.");
 	}
 	
 
-	if ((dns_c_ctx_getauthnxdomain(ctx, &bval)) == ISC_R_NOTFOUND) {
+	if (dns_c_ctx_getauthnxdomain(cfg, &bval) == ISC_R_NOTFOUND) {
 		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
-			      "the default for auth-nxdomain is now 'no'");
+			      "the default for the 'auth-nxdomain' option "
+			      "is now 'no'");
 	}
 
 
-	if (dns_c_ctx_getdealloconexit(ctx, &bval) != ISC_R_NOTFOUND) {
+	if (dns_c_ctx_getdealloconexit(cfg, &bval) != ISC_R_NOTFOUND) {
 		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
-			      "deallocate-on-exit is obsolete.");
+			      "option 'deallocate-on-exit' is obsolete.");
 	}
 
 	
-	if (dns_c_ctx_getfakeiquery(ctx, &bval) != ISC_R_NOTFOUND) {
+	if (dns_c_ctx_getdialup(cfg, &bval) != ISC_R_NOTFOUND) {
 		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
-			      "fake-iquery is obsolete.");
+			      "option 'dialup' is not yet implemented.");
 	}
 
+	
+	if (dns_c_ctx_getfakeiquery(cfg, &bval) != ISC_R_NOTFOUND) {
+		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+			      "option 'fake-iquery' is obsolete.");
+	}
 
-	if (dns_c_ctx_getfetchglue(ctx, &bval) != ISC_R_NOTFOUND) {
+
+	if (dns_c_ctx_getfetchglue(cfg, &bval) != ISC_R_NOTFOUND) {
 		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
-			      "fetch-glue is not yet implemented.");
+			      "option 'fetch-glue' is not yet implemented.");
 	}
 
 
-	if (dns_c_ctx_gethasoldclients(ctx, &bval) != ISC_R_NOTFOUND) {
+	if (dns_c_ctx_gethasoldclients(cfg, &bval) != ISC_R_NOTFOUND) {
 		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
-			      "has-old-clients is obsolete.");
+			      "option 'has-old-clients' is obsolete.");
 	}
 
 
-	if (dns_c_ctx_gethoststatistics(ctx, &bval) != ISC_R_NOTFOUND) {
+	if (dns_c_ctx_gethoststatistics(cfg, &bval) != ISC_R_NOTFOUND) {
 		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
-			      "host-statistics is not yet implemented.");
+			      "option 'host-statistics' is not yet "
+			      "implemented.");
 	}
 
 	
-	if (dns_c_ctx_getmultiplecnames(ctx, &bval) != ISC_R_NOTFOUND) {
+	if (dns_c_ctx_getmultiplecnames(cfg, &bval) != ISC_R_NOTFOUND) {
 		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
-			      "multiple-cnames is obsolete.");
+			      "option 'multiple-cnames' is obsolete.");
 	}
 
 
-	if (dns_c_ctx_getuseidpool(ctx, &bval) != ISC_R_NOTFOUND) {
+	if (dns_c_ctx_getrfc2308type1(cfg, &bval) != ISC_R_NOTFOUND) {
 		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
-			      "use-id-pool is obsolete.");
+			      "option 'rfc2308-type-1' is not yet "
+			      "implemented.");
 	}
 
+	if (dns_c_ctx_getuseidpool(cfg, &bval) != ISC_R_NOTFOUND) {
+		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+			      "option 'use-id-pool' is obsolete.");
+	}
 
-	if ((dns_c_ctx_getchecknames(ctx, dns_trans_primary,
+
+	if (dns_c_ctx_gettreatcrasspace(cfg, &bval) != ISC_R_NOTFOUND) {
+		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+			      "option 'treat-cr-as-space' is obsolete.");
+	}
+
+
+	if ((dns_c_ctx_getchecknames(cfg, dns_trans_primary,
 				     &severity) != ISC_R_NOTFOUND) ||
-	    (dns_c_ctx_getchecknames(ctx, dns_trans_secondary,
+	    (dns_c_ctx_getchecknames(cfg, dns_trans_secondary,
 				     &severity) != ISC_R_NOTFOUND) ||
-	    (dns_c_ctx_getchecknames(ctx, dns_trans_response,
+	    (dns_c_ctx_getchecknames(cfg, dns_trans_response,
 				     &severity) != ISC_R_NOTFOUND)) {
 		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
-			      "check-names are not yet implemented.");
+			      "option 'check-names' is not yet implemented.");
+	}
+	
+
+	if (dns_c_ctx_getblackhole(cfg, &ipml) != ISC_R_NOTFOUND) {
+		dns_c_ipmatchlist_detach(&ipml);
+		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+			      "option 'blackhole' is not yet implemented.");
+	}
+
+
+	if (dns_c_ctx_getlamettl(cfg, &intval) != ISC_R_NOTFOUND) {
+		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+			      "option 'lame-ttl' is not yet "
+			      "implemented.");
+	}
+	
+
+	if (dns_c_ctx_getmaxncachettl(cfg, &uintval) != ISC_R_NOTFOUND) {
+		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+			      "option 'max-ncache-ttl' is not yet "
+			      "implemented.");
 	}
 	
 
-	if (dns_c_ctx_getmaxlogsizeixfr(ctx, &intval) != ISC_R_NOTFOUND) {
+	if (dns_c_ctx_getmaxcachettl(cfg, &uintval) != ISC_R_NOTFOUND) {
 		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
-			      "max-ixfr-log-size is not yet implemented.");
+			      "option 'max-cache-ttl' is not yet "
+			      "implemented.");
 	}
 	
 
-	if (dns_c_ctx_getstatsinterval(ctx, &intval) != ISC_R_NOTFOUND) {
+	if (dns_c_ctx_getminroots(cfg, &intval) != ISC_R_NOTFOUND) {
 		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
-			      "statistics-interval is not yet implemented.");
+			      "option 'min-roots' is not yet "
+			      "implemented.");
 	}
+	
 
+	if (dns_c_ctx_getserialqueries(cfg, &intval) != ISC_R_NOTFOUND) {
+		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+			      "option 'serial-queries' is not yet "
+			      "implemented.");
+	}
 	
-	if (dns_c_ctx_gettopology(ctx, &ipml) != ISC_R_NOTFOUND) {
+
+	if (dns_c_ctx_getmaxlogsizeixfr(cfg, &intval) != ISC_R_NOTFOUND) {
+		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+			      "option 'max-ixfr-log-size' is not yet "
+			      "implemented.");
+	}
+	
+
+	if (dns_c_ctx_getcoresize(cfg, &uintval) != ISC_R_NOTFOUND) {
+		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+			      "option 'coresize' is not yet "
+			      "implemented.");
+	}
+	
+
+	if (dns_c_ctx_getdatasize(cfg, &uintval) != ISC_R_NOTFOUND) {
+		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+			      "option 'datasize' is not yet "
+			      "implemented.");
+	}
+	
+
+	if (dns_c_ctx_getfiles(cfg, &uintval) != ISC_R_NOTFOUND) {
+		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+			      "option 'files' is not yet "
+			      "implemented.");
+	}
+
+	
+	if (dns_c_ctx_getstacksize(cfg, &uintval) != ISC_R_NOTFOUND) {
+		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+			      "option 'stacksize' is not yet "
+			      "implemented.");
+	}
+	
+
+	if (dns_c_ctx_getheartbeatinterval(cfg, &intval) != ISC_R_NOTFOUND) {
+		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+			      "option 'heartbeat-interval' is not yet "
+			      "implemented.");
+	}
+
+	
+	if (dns_c_ctx_getstatsinterval(cfg, &intval) != ISC_R_NOTFOUND) {
+		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+			      "option 'statistics-interval' is not yet "
+			      "implemented.");
+	}
+
+	
+	if (dns_c_ctx_gettopology(cfg, &ipml) != ISC_R_NOTFOUND) {
 		dns_c_ipmatchlist_detach(&ipml);
 		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
-			      "topology is not yet implemented.");
+			      "option 'topology' is deprecated.");
 	}
 
-	if (dns_c_ctx_getsortlist(ctx, &ipml) != ISC_R_NOTFOUND) {
+
+	if (dns_c_ctx_getsortlist(cfg, &ipml) != ISC_R_NOTFOUND) {
 		dns_c_ipmatchlist_detach(&ipml);
 		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
-			      "sortlist is not yet implemented.");
+			      "option 'sortlist' is not yet implemented.");
 	}
 
+	
+	if (dns_c_ctx_getrrsetorderlist(cfg, &olist) != ISC_R_NOTFOUND) {
+		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+			      "option 'rrset-order' is not yet implemented.");
+	}
+		
 
-	if (dns_c_ctx_getrfc2308type1(ctx, &bval) != ISC_R_NOTFOUND) {
+	if (dns_c_ctx_getallowupdateforwarding(cfg, &ipml) != ISC_R_NOTFOUND) {
+		dns_c_ipmatchlist_detach(&ipml);
 		isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
-			      "rfc2308-type-1 is not yet implemented.");
-	}
-
-	/* XXX need to check all zones and views for
-	 * 'allow-update-forwarding' (not yet implemented)
-	 */
-
-
-	/*
-  	named-xfer              obsolete
-	dump-file               not yet implemented
-	memstatistics-file      not yet implemented
-	auth-nxdomain           default changed (to "no")
-	deallocate-on-exit      obsolete (always "yes")
-	fake-iquery             obsolete (always "no")
-	fetch-glue              not yet implemented (always "no")
-	has-old-clients         obsolete (always "no")
-	host-statistics         not yet implemented
-	multiple-cnames         obsolete (always "no")
-	use-id-pool             obosolete (always "yes")
-	maintain-ixfr-base      obosolete (always "yes")
-	check-names             not yet implemented
-	max-ixfr-log-size       not yet implemented
-	statistics-interval     not yet implemented
-	topology                not yet implemented
-	sortlist                not yet implemented
-	*/
+			      "option 'allow-update-forwarding' is not "
+			      "yet implemented.");
+	}
 
+
+	if (cfg->zlist != NULL) {
+		tmpres = dns_c_zonelist_checkzones(cfg->zlist);
+		if (tmpres != ISC_R_SUCCESS) {
+			result = tmpres;
+		}
+	}
+
+	if (cfg->views != NULL) {
+		tmpres = dns_c_viewtable_checkviews(cfg->views);
+		if (tmpres != ISC_R_SUCCESS) {
+			result = tmpres;
+		}
+	}
 	
-	return (ISC_R_SUCCESS);
+	return (result);
 }
 
 
 /* ************************************************************************ */
 
 isc_result_t
-dns_c_ctx_new(isc_mem_t *mem, dns_c_ctx_t **ctx)
+dns_c_ctx_new(isc_mem_t *mem, dns_c_ctx_t **cfg)
 {
-	dns_c_ctx_t *cfg;
+	dns_c_ctx_t *tmpcfg;
 	isc_result_t r;
 	
 	REQUIRE(mem != NULL);
 
-	cfg = isc_mem_get(mem, sizeof *cfg);
-	if (cfg == NULL) {
+	tmpcfg = isc_mem_get(mem, sizeof *tmpcfg);
+	if (tmpcfg == NULL) {
 		return (ISC_R_NOMEMORY);
 	}
 
-	cfg->magic = DNS_C_CONFIG_MAGIC;
-	cfg->mem = mem;
-	cfg->warnings = 0;
-	cfg->errors = 0;
-	cfg->acls = NULL;
-	cfg->options = NULL;
-	cfg->zlist = NULL;
-	cfg->peers = NULL;
-	cfg->acls = NULL;
-	cfg->keydefs = NULL;
-	cfg->trusted_keys = NULL;
-	cfg->logging = NULL;
-	cfg->resolver = NULL;
-	cfg->cache = NULL;
-	cfg->views = NULL;
-
-	cfg->currview = NULL;
-	cfg->currzone = NULL;
-	
-	r = acl_init(cfg);
+	tmpcfg->magic = DNS_C_CONFIG_MAGIC;
+	tmpcfg->mem = mem;
+	tmpcfg->warnings = 0;
+	tmpcfg->errors = 0;
+	tmpcfg->acls = NULL;
+	tmpcfg->options = NULL;
+	tmpcfg->zlist = NULL;
+	tmpcfg->peers = NULL;
+	tmpcfg->acls = NULL;
+	tmpcfg->keydefs = NULL;
+	tmpcfg->trusted_keys = NULL;
+	tmpcfg->logging = NULL;
+	tmpcfg->resolver = NULL;
+	tmpcfg->cache = NULL;
+	tmpcfg->views = NULL;
+
+	tmpcfg->currview = NULL;
+	tmpcfg->currzone = NULL;
+	
+	r = acl_init(tmpcfg);
 	if (r != ISC_R_SUCCESS) {
 		return (r);
 	}
 
-	r = logging_init(cfg);
+	r = logging_init(tmpcfg);
 	if (r != ISC_R_SUCCESS) {
 		return (r);
 	}
 	
 	
 #if 1					/* XXX brister */
-	cfg->controls = NULL;
+	tmpcfg->controls = NULL;
 #else	
-	r = dns_c_ctrllist_new(mem, &cfg->controls);
+	r = dns_c_ctrllist_new(mem, &tmpcfg->controls);
 	if (r != ISC_R_SUCCESS) {
-		dns_c_ctx_delete(&cfg);
+		dns_c_ctx_delete(&tmpcfg);
 		return r;
 	}
 #endif	
 
-	*ctx = cfg;
+	*cfg = tmpcfg;
 
 	return (ISC_R_SUCCESS);
 }
@@ -486,7 +685,54 @@ dns_c_ctx_getcurrview(dns_c_ctx_t *cfg)
 	return (cfg->currview);
 }
 
+
+
+isc_result_t
+dns_c_ctx_getpeerlist(dns_c_ctx_t *cfg, dns_peerlist_t **retval)
+{
+	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+	REQUIRE(retval != NULL);
 	
+	if (cfg->peers == NULL) {
+		*retval = NULL;
+		return (ISC_R_NOTFOUND);
+	} else {
+		dns_peerlist_attach(cfg->peers, retval);
+		return (ISC_R_SUCCESS);
+	}
+}
+
+
+isc_result_t
+dns_c_ctx_unsetpeerlist(dns_c_ctx_t *cfg)
+{
+	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+
+	if (cfg->peers != NULL) {
+		dns_peerlist_detach(&cfg->peers);
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_FAILURE);
+	}
+}
+	
+
+isc_result_t
+dns_c_ctx_setpeerlist(dns_c_ctx_t *cfg, dns_peerlist_t *newval)
+{
+	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+
+	if (cfg->peers != NULL) {
+		dns_peerlist_detach(&cfg->peers);
+	}
+
+	dns_peerlist_attach(newval, &cfg->peers);
+
+	return (ISC_R_SUCCESS);
+}
+
+
+
 
 void
 dns_c_ctx_print(FILE *fp, int indent, dns_c_ctx_t *cfg)
@@ -555,6 +801,242 @@ dns_c_ctx_print(FILE *fp, int indent, dns_c_ctx_t *cfg)
 }
 
 
+
+void
+dns_c_ctx_optionsprint(FILE *fp, int indent, dns_c_options_t *options)
+{
+	dns_severity_t nameseverity;
+	in_port_t port;
+	
+	REQUIRE(fp != NULL);
+
+	if (options == NULL) {
+		return;
+	}
+	
+	REQUIRE(DNS_C_CONFOPT_VALID(options));
+
+#define PRINT_INTEGER(FIELD, NAME)					\
+	if (options->FIELD != NULL) {					\
+		dns_c_printtabs(fp, indent + 1);			\
+		fprintf(fp, "%s %d;\n",NAME,(int)*options->FIELD);	\
+	}
+	
+#define PRINT_AS_MINUTES(FIELD, NAME)				\
+	if (options->FIELD != NULL) {				\
+		dns_c_printtabs(fp, indent + 1);		\
+		fprintf(fp, "%s %lu;\n",NAME,			\
+			(unsigned long)(*options->FIELD / 60));	\
+	}
+
+#define PRINT_AS_BOOLEAN(FIELD, NAME)				\
+	if (options->FIELD != NULL) {				\
+		dns_c_printtabs(fp, indent + 1);		\
+		fprintf(fp, "%s %s;\n",NAME,			\
+			(*options->FIELD ? "true" : "false"));	\
+	}
+
+#define PRINT_AS_SIZE_CLAUSE(FIELD, NAME)				\
+	if (options->FIELD != NULL) {					\
+		dns_c_printtabs(fp, indent + 1);			\
+		fprintf(fp, "%s ",NAME);				\
+		if (*options->FIELD == DNS_C_SIZE_SPEC_DEFAULT) {	\
+			fprintf(fp, "default");				\
+		} else {						\
+			dns_c_printinunits(fp, *options->FIELD);	\
+		}							\
+		fprintf(fp, ";\n");					\
+	}
+
+#define PRINT_CHAR_P(FIELD, NAME)					\
+	if (options->FIELD != NULL) {					\
+		dns_c_printtabs(fp, indent + 1);			\
+		fprintf(fp, "%s \"%s\";\n", NAME, options->FIELD);	\
+	}
+	
+#define PRINT_IPANDPORT(FIELD, NAME)				\
+	if (options->FIELD != NULL) {				\
+		port = isc_sockaddr_getport(options->FIELD);	\
+								\
+		dns_c_printtabs(fp, indent + 1);		\
+		fprintf(fp, NAME " address ");			\
+								\
+		dns_c_print_ipaddr(fp, options->FIELD);		\
+								\
+		if (port == 0) {				\
+			fprintf(fp, " port *");			\
+		} else {					\
+			fprintf(fp, " port %d", port);		\
+		}						\
+		fprintf(fp, " ;\n");				\
+	}
+
+#define	 PRINT_IP(FIELD, NAME)				\
+	if (options->FIELD != NULL) {			\
+		dns_c_printtabs(fp, indent + 1);	\
+		fprintf(fp, NAME " ");			\
+		dns_c_print_ipaddr(fp, options->FIELD);	\
+		fprintf(fp, ";\n");			\
+	}
+
+#define PRINT_CHECKNAME(INDEX)						    \
+	if (options->check_names[INDEX] != NULL) {			    \
+		nameseverity = *options->check_names[INDEX];		    \
+		dns_c_printtabs(fp, indent + 1);			    \
+		fprintf(fp, "check-names %s %s;\n",			    \
+			dns_c_transport2string(INDEX, ISC_TRUE),	    \
+			dns_c_nameseverity2string(nameseverity, ISC_TRUE)); \
+	}
+		
+
+#define PRINT_IPMLIST(FIELD, NAME)					 \
+	if (options->FIELD != NULL) {					 \
+		dns_c_printtabs(fp, indent + 1);			 \
+		fprintf(fp, NAME " ");					 \
+		dns_c_ipmatchlist_print(fp, indent + 2, options->FIELD); \
+		fprintf(fp, ";\n");					 \
+	}
+
+
+	dns_c_printtabs(fp, indent);
+	fprintf (fp, "options {\n");
+
+	PRINT_CHAR_P(version, "version");
+	PRINT_CHAR_P(directory, "directory");
+	PRINT_CHAR_P(dump_filename, "dump-file");
+	PRINT_CHAR_P(pid_filename, "pid-file");
+	PRINT_CHAR_P(stats_filename, "statistics-file");
+	PRINT_CHAR_P(memstats_filename, "memstatistics-file");
+	PRINT_CHAR_P(named_xfer, "named-xfer");
+
+	PRINT_INTEGER(transfers_in, "transfers-in");
+	PRINT_INTEGER(transfers_per_ns, "transfers-per-ns");
+	PRINT_INTEGER(transfers_out, "transfers-out");
+	PRINT_INTEGER(max_log_size_ixfr, "max-ixfr-log-size");
+	
+	
+	PRINT_AS_MINUTES(clean_interval, "cleaning-interval");
+	PRINT_AS_MINUTES(interface_interval, "interface-interval");
+	PRINT_AS_MINUTES(stats_interval, "statistics-interval");
+	PRINT_AS_MINUTES(heartbeat_interval, "heartbeat-interval");
+
+	PRINT_AS_MINUTES(max_transfer_time_in, "max-transfer-time-in");
+	PRINT_AS_MINUTES(max_transfer_time_out, "max-transfer-time-out");
+	PRINT_AS_MINUTES(max_transfer_idle_in, "max-transfer-idle-in");
+	PRINT_AS_MINUTES(max_transfer_idle_out, "max-transfer-idle-out");
+
+	/* XXX LAMETTL ??? */
+	
+	PRINT_INTEGER(tcp_clients, "tcp-clients");
+	PRINT_INTEGER(recursive_clients, "recursive-clients");
+	PRINT_INTEGER(min_roots, "min-roots");
+	PRINT_INTEGER(serial_queries, "serial-queries");
+
+	
+	PRINT_AS_SIZE_CLAUSE(data_size, "datasize");	
+	PRINT_AS_SIZE_CLAUSE(stack_size, "stacksize");	
+	PRINT_AS_SIZE_CLAUSE(core_size, "coresize");	
+	PRINT_AS_SIZE_CLAUSE(files, "files");
+
+	PRINT_INTEGER(max_ncache_ttl, "max-ncache-ttl");
+	PRINT_INTEGER(max_cache_ttl, "max-cache-ttl");
+
+	PRINT_AS_BOOLEAN(expert_mode, "expert-mode");
+	PRINT_AS_BOOLEAN(fake_iquery, "fake-iquery");
+	PRINT_AS_BOOLEAN(recursion, "recursion");
+	PRINT_AS_BOOLEAN(fetch_glue, "fetch-glue");
+	PRINT_AS_BOOLEAN(notify, "notify");
+	PRINT_AS_BOOLEAN(host_statistics, "host-statistics");
+	PRINT_AS_BOOLEAN(dealloc_on_exit, "deallocate-on-exit");
+	PRINT_AS_BOOLEAN(use_ixfr, "use-ixfr");
+	PRINT_AS_BOOLEAN(maintain_ixfr_base, "maintain-ixfr-base");
+	PRINT_AS_BOOLEAN(has_old_clients, "has-old-clients");
+	PRINT_AS_BOOLEAN(auth_nx_domain, "auth-nxdomain");
+	PRINT_AS_BOOLEAN(multiple_cnames, "multiple-cnames");
+	PRINT_AS_BOOLEAN(use_id_pool, "use-id-pool");
+	PRINT_AS_BOOLEAN(dialup, "dialup");
+	PRINT_AS_BOOLEAN(rfc2308_type1, "rfc2308-type1");
+	PRINT_AS_BOOLEAN(request_ixfr, "request-ixfr");
+	PRINT_AS_BOOLEAN(provide_ixfr, "provide-ixfr");
+	PRINT_AS_BOOLEAN(treat_cr_as_space, "treat-cr-as-space");
+
+	if (options->transfer_format != NULL) {
+		dns_c_printtabs(fp, indent + 1);
+		fprintf(fp, "transfer-format %s;\n",
+			dns_c_transformat2string(*options->transfer_format,
+						 ISC_TRUE));
+	}
+	
+	PRINT_IP(transfer_source, "transfer-source");
+	PRINT_IP(transfer_source_v6, "transfer-source-v6");
+	
+	PRINT_IPANDPORT(query_source, "query-source");
+	PRINT_IPANDPORT(query_source_v6, "query-source-v6");
+
+	if (options->additional_data != NULL) {
+		dns_c_printtabs(fp, indent + 1);
+		fprintf(fp, "additional_data %s;\n",
+			dns_c_addata2string(*options->additional_data,
+					    ISC_TRUE));
+	}
+		
+	PRINT_CHECKNAME(dns_trans_primary);
+	PRINT_CHECKNAME(dns_trans_secondary);
+	PRINT_CHECKNAME(dns_trans_response);
+	
+	fprintf(fp, "\n");
+
+	PRINT_IPMLIST(queryacl, "allow-query");
+	PRINT_IPMLIST(transferacl, "allow-transfer");
+	PRINT_IPMLIST(recursionacl, "allow-recursion");
+	PRINT_IPMLIST(blackhole, "blackhole");
+	PRINT_IPMLIST(topology, "topology");
+	PRINT_IPMLIST(sortlist, "sortlist");
+	PRINT_IPMLIST(allowupdateforwarding, "allow-update-forwarding");
+	
+	if (options->listens != NULL) {
+		dns_c_lstnlist_print(fp, indent + 1,
+				     options->listens);
+	}
+	
+	dns_c_ctx_forwarderprint(fp, indent + 1, options);
+
+	if (options->ordering != NULL) {
+		dns_c_rrsolist_print(fp, indent + 1, options->ordering);
+	}
+
+	if (options->also_notify != NULL) {
+		dns_c_printtabs(fp, indent + 1);
+		fprintf(fp, "also-notify ") ;
+		dns_c_iplist_printfully(fp, indent + 2, ISC_TRUE,
+					options->also_notify);
+		fprintf(fp, ";\n");
+	}
+	
+	PRINT_CHAR_P(tkeydomain, "tkey-domain");
+
+	if (options->tkeydhkeycp != NULL) {
+		dns_c_printtabs(fp, indent + 1);
+		fprintf(fp, "tkey-dhkey \"%s\" %d ;\n",
+			options->tkeydhkeycp, options->tkeydhkeyi);
+	}
+	
+
+	dns_c_printtabs(fp, indent);
+	fprintf(fp,"};\n");
+
+#undef PRINT_INTEGER
+#undef PRINT_AS_MINUTES
+#undef PRINT_AS_BOOLEAN
+#undef PRINT_AS_SIZE_CLAUSE
+#undef PRINT_CHAR_P
+#undef PRINT_IPMLIST
+#undef PRINT_IPANDPORT
+#undef PRINT_IP	
+#undef PRINT_CHECKNAME
+	
+}
+
 void
 dns_c_ctx_forwarderprint(FILE *fp, int indent, dns_c_options_t *options)
 {
@@ -567,10 +1049,10 @@ dns_c_ctx_forwarderprint(FILE *fp, int indent, dns_c_options_t *options)
 
 	REQUIRE(DNS_C_CONFOPT_VALID(options));
 
-	if (DNS_C_CHECKBIT(FORWARD_BIT, &options->setflags1)) {
+	if (options->forward != NULL) {
 		dns_c_printtabs(fp, indent);
 		fprintf(fp, "forward %s;\n",
-			dns_c_forward2string(options->forward, ISC_TRUE));
+			dns_c_forward2string(*options->forward, ISC_TRUE));
 	}
 
 	if (options->forwarders != NULL) {
@@ -583,6 +1065,8 @@ dns_c_ctx_forwarderprint(FILE *fp, int indent, dns_c_options_t *options)
 }
 
 
+
+
 isc_result_t
 dns_c_ctx_getoptions(dns_c_ctx_t *cfg, dns_c_options_t **options)
 {
@@ -598,6 +1082,23 @@ dns_c_ctx_getoptions(dns_c_ctx_t *cfg, dns_c_options_t **options)
 	return (cfg->options == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
 }
 
+isc_result_t
+dns_c_ctx_unsetoptions(dns_c_ctx_t *cfg)
+{
+	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+
+	if (cfg->options == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	REQUIRE(DNS_C_CONFOPT_VALID(cfg->options));
+	
+	dns_c_ctx_optionsdelete(&cfg->options);
+
+	return (ISC_R_SUCCESS);
+}
+
+
 
 
 isc_result_t
@@ -639,6 +1140,20 @@ dns_c_ctx_setlogging(dns_c_ctx_t *cfg, dns_c_logginglist_t *newval,
 
 
 isc_result_t
+dns_c_ctx_unsetlogging(dns_c_ctx_t *cfg)
+{
+	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+
+	if (cfg->logging == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	return (dns_c_logginglist_delete(&cfg->logging));
+}
+
+	
+
+isc_result_t
 dns_c_ctx_getkdeflist(dns_c_ctx_t *cfg,
                       dns_c_kdeflist_t **retval)
 {
@@ -845,737 +1360,515 @@ dns_c_ctx_currcategory(dns_c_ctx_t *cfg, dns_c_logcat_t **category)
 }
 
 
-/*
- * Modifiers for options.
- *
- */
-
-
-isc_result_t
-dns_c_ctx_setdirectory(dns_c_ctx_t *cfg, const char *newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_string(cfg->options,
-			       &cfg->options->directory,
-			       newval));
-}
+/* ***************************************************************** */
+/* ***********                    OPTIONS                *********** */
+/* ***************************************************************** */
 
 
 isc_result_t
-dns_c_ctx_setversion(dns_c_ctx_t *cfg, const char *newval)
+dns_c_ctx_optionsnew(isc_mem_t *mem, dns_c_options_t **options)
 {
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_string(cfg->options,
-			       &cfg->options->version,
-			       newval));
-}
+	dns_c_options_t *opts = NULL;
 
+	REQUIRE(mem != NULL);
+	REQUIRE(options != NULL);
 
-isc_result_t
-dns_c_ctx_setdumpfilename(dns_c_ctx_t *cfg, const char *newval)
-{
-	isc_result_t res;
+	*options = NULL;
 	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
+	opts = isc_mem_get(mem, sizeof *opts);
+	if (opts == NULL) {
+		return (ISC_R_NOMEMORY);
 	}
-	
-	return (cfg_set_string(cfg->options,
-			       &cfg->options->dump_filename,
-			       newval));
-}
-
 
-isc_result_t
-dns_c_ctx_setpidfilename(dns_c_ctx_t *cfg, const char *newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_string(cfg->options,
-			       &cfg->options->pid_filename,
-			       newval));
-}
+	opts->mem = mem;
+	opts->magic = DNS_C_OPTION_MAGIC;
 
+	opts->directory = NULL;
+	opts->version = NULL;
+	opts->dump_filename = NULL;
+	opts->pid_filename = NULL;
+	opts->stats_filename = NULL;
+	opts->memstats_filename = NULL;
+	opts->named_xfer = NULL;
 
-isc_result_t
-dns_c_ctx_setstatsfilename(dns_c_ctx_t *cfg, const char *newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+	opts->transfers_in = NULL;
+	opts->transfers_per_ns = NULL;
+	opts->transfers_out = NULL;
+	opts->max_log_size_ixfr = NULL;
+	opts->clean_interval = NULL;
+	opts->interface_interval = NULL;
+	opts->stats_interval = NULL;
+	opts->heartbeat_interval = NULL;
+	
+	opts->max_transfer_time_in = NULL;
+	opts->max_transfer_time_out = NULL;
+	opts->max_transfer_idle_in = NULL;
+	opts->max_transfer_idle_out = NULL;
+	opts->lamettl = NULL;
+	opts->tcp_clients = NULL;
+	opts->recursive_clients = NULL;
+	opts->min_roots = NULL;
+	opts->serial_queries = NULL;
+	
+	opts->data_size = NULL;
+	opts->stack_size = NULL;
+	opts->core_size = NULL;
+	opts->files = NULL;
+	opts->max_ncache_ttl = NULL;
+	opts->max_cache_ttl = NULL;
+	
+	opts->expert_mode = NULL;
+	opts->fake_iquery = NULL;
+	opts->recursion = NULL;
+	opts->fetch_glue = NULL;
+	opts->notify = NULL;
+	opts->host_statistics = NULL;
+	opts->dealloc_on_exit = NULL;
+	opts->use_ixfr = NULL;
+	opts->maintain_ixfr_base = NULL;
+	opts->has_old_clients = NULL;
+	opts->auth_nx_domain = NULL;
+	opts->multiple_cnames = NULL;
+	opts->use_id_pool = NULL;
+	opts->dialup = NULL;
+	opts->rfc2308_type1 = NULL;
+	opts->request_ixfr = NULL;
+	opts->provide_ixfr = NULL;
+	opts->treat_cr_as_space = NULL;
+
+	opts->transfer_source = NULL;
+	opts->transfer_source_v6 = NULL;
+	opts->query_source = NULL;
+	opts->query_source_v6 = NULL;
+
+	opts->additional_data = NULL;
+	opts->forward = NULL;
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
+	opts->tkeydhkeycp = NULL;
+	opts->tkeydhkeyi = 0;
+	opts->tkeydomain = NULL;
 	
-	return (cfg_set_string(cfg->options,
-			       &cfg->options->stats_filename,
-			       newval));
-}
+	opts->also_notify = NULL;
 
+	opts->check_names[dns_trans_primary] = NULL;
+	opts->check_names[dns_trans_secondary] = NULL;
+	opts->check_names[dns_trans_response] = NULL;
 
-isc_result_t
-dns_c_ctx_setmemstatsfilename(dns_c_ctx_t *cfg, const char *newval)
-{
-	isc_result_t res;
+	opts->transfer_format = NULL;
 	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
+	opts->queryacl = NULL;
+	opts->transferacl = NULL;
+	opts->recursionacl = NULL;
+	opts->blackhole = NULL;
+	opts->topology = NULL;
+	opts->sortlist = NULL;
+	opts->allowupdateforwarding = NULL;
 	
-	return (cfg_set_string(cfg->options,
-			       &cfg->options->memstats_filename,
-			       newval));
-}
-
+	opts->listens = NULL;
+	opts->ordering = NULL;
 
-isc_result_t
-dns_c_ctx_setnamedxfer(dns_c_ctx_t *cfg, const char *newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+	opts->forwarders = NULL;
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
+	*options = opts;
 	
-	return (cfg_set_string(cfg->options,
-			       &cfg->options->named_xfer,
-			       newval));
+	return (ISC_R_SUCCESS);
 }
 
 
 isc_result_t
-dns_c_ctx_settkeydomain(dns_c_ctx_t *cfg, const char *newval)
+dns_c_ctx_optionsdelete(dns_c_options_t **opts)
 {
-	isc_result_t res;
+	dns_c_options_t *options;
+	isc_result_t r, result;
 	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+	REQUIRE(opts != NULL);
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
+	options = *opts;
+	if (options == NULL) {
+		return (ISC_R_SUCCESS);
 	}
 	
-	return (cfg_set_string(cfg->options,
-			       &cfg->options->tkeydomain,
-			       newval));
-}
+	REQUIRE(DNS_C_CONFOPT_VALID(options));
 
 
-isc_result_t
-dns_c_ctx_settkeydhkey(dns_c_ctx_t *cfg,
-		       const char *charval, isc_int32_t intval)
-{
-	isc_result_t res;
+#define FREEFIELD(FIELD)					\
+	do { if (options->FIELD != NULL) {			\
+		isc_mem_put(options->mem, options->FIELD,	\
+			    sizeof (*options->FIELD));		\
+		options->FIELD = NULL;				\
+	} } while (0)
+
+#define FREESTRING(FIELD)					\
+        do { if (options->FIELD != NULL) {			\
+		isc_mem_free(options->mem, options->FIELD);	\
+	} } while (0)
+
+#define FREEIPMLIST(FIELD)						\
+	do { if (options->FIELD != NULL) {				\
+		(void)dns_c_ipmatchlist_detach(&options->FIELD);	\
+	} } while (0)
+	
+	
+
+	FREESTRING(directory);
+	FREESTRING(version);
+	FREESTRING(dump_filename);
+	FREESTRING(pid_filename);
+	FREESTRING(stats_filename);
+	FREESTRING(memstats_filename);
+	FREESTRING(named_xfer);
+
+	
+	FREEFIELD(expert_mode);
+	FREEFIELD(fake_iquery);
+	FREEFIELD(recursion);
+	FREEFIELD(fetch_glue);
+	FREEFIELD(notify);
+	FREEFIELD(host_statistics);
+	FREEFIELD(dealloc_on_exit);
+	FREEFIELD(use_ixfr);
+	FREEFIELD(maintain_ixfr_base);
+	FREEFIELD(has_old_clients);
+	FREEFIELD(auth_nx_domain);
+	FREEFIELD(multiple_cnames);
+	FREEFIELD(use_id_pool);
+	FREEFIELD(dialup);
+	FREEFIELD(rfc2308_type1);
+	FREEFIELD(request_ixfr);
+	FREEFIELD(provide_ixfr);
+	FREEFIELD(treat_cr_as_space);
+
+	
+	FREEFIELD(transfers_in);
+	FREEFIELD(transfers_per_ns);
+	FREEFIELD(transfers_out);
+	FREEFIELD(max_log_size_ixfr);
+	FREEFIELD(clean_interval);
+	FREEFIELD(interface_interval);
+	FREEFIELD(stats_interval);
+	FREEFIELD(heartbeat_interval);
+	FREEFIELD(max_transfer_time_in);
+	FREEFIELD(max_transfer_time_out);
+	FREEFIELD(max_transfer_idle_in);
+	FREEFIELD(max_transfer_idle_out);
+	FREEFIELD(lamettl);
+	FREEFIELD(tcp_clients);
+	FREEFIELD(recursive_clients);
+	FREEFIELD(min_roots);
+	FREEFIELD(serial_queries);
+
+
+	FREEFIELD(data_size);
+	FREEFIELD(stack_size);
+	FREEFIELD(core_size);
+	FREEFIELD(files);
+	FREEFIELD(max_ncache_ttl);
+	FREEFIELD(max_cache_ttl);
+
+	FREEFIELD(transfer_source);
+	FREEFIELD(transfer_source_v6);
+	FREEFIELD(query_source);
+	FREEFIELD(query_source_v6);
+
+	FREEFIELD(additional_data);
+	FREEFIELD(forward);
+	
+	FREESTRING(tkeydomain);
+	FREESTRING(tkeydhkeycp);
 	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
+	if (options->also_notify != NULL) {
+		dns_c_iplist_detach(&options->also_notify);
 	}
 
-	cfg->options->tkeydhkeyi = intval;
-	return (cfg_set_string(cfg->options,
-			       &cfg->options->tkeydhkeycp,
-			       charval));
-}
+	FREEFIELD(check_names[dns_trans_primary]);
+	FREEFIELD(check_names[dns_trans_secondary]);
+	FREEFIELD(check_names[dns_trans_response]);
 
+	FREEFIELD(transfer_format);
 
-isc_result_t
-dns_c_ctx_setmaxncachettl(dns_c_ctx_t *cfg, isc_uint32_t newval)
-{
-	isc_result_t res;
+	FREEIPMLIST(queryacl);
+	FREEIPMLIST(transferacl);
+	FREEIPMLIST(recursionacl);
+	FREEIPMLIST(blackhole);
+	FREEIPMLIST(topology);
+	FREEIPMLIST(sortlist);
+	FREEIPMLIST(allowupdateforwarding);
 	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+	result = ISC_R_SUCCESS;
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
+	if (options->listens != NULL) {
+		r = dns_c_lstnlist_delete(&options->listens);
+		if (r != ISC_R_SUCCESS)
+			result = r;
 	}
 	
-	return (cfg_set_uint32(cfg->options, 
-			       &cfg->options->max_ncache_ttl,
-			       newval,
-			       &cfg->options->setflags1,
-			       MAX_NCACHE_TTL_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_settransfersin(dns_c_ctx_t *cfg, isc_int32_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
+	if (options->ordering != NULL) {
+		r = dns_c_rrsolist_delete(&options->ordering);
+		if (r != ISC_R_SUCCESS)
+			result = r;
 	}
 	
-	return (cfg_set_int32(cfg->options, 
-			      &cfg->options->transfers_in,
-			      newval,
-			      &cfg->options->setflags1,
-			      TRANSFERS_IN_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_settransfersperns(dns_c_ctx_t *cfg, isc_int32_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
+	if (options->forwarders != NULL) {
+		r = dns_c_iplist_detach(&options->forwarders);
+		if (r != ISC_R_SUCCESS)
+			result = r;
 	}
 	
-	return (cfg_set_int32(cfg->options, 
-			      &cfg->options->transfers_per_ns,
-			      newval,
-			      &cfg->options->setflags1,
-			      TRANSFERS_PER_NS_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_settransfersout(dns_c_ctx_t *cfg, isc_int32_t newval)
-{
-	isc_result_t res;
+	*opts = NULL;
+	options->magic = 0;
 	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
+	isc_mem_put(options->mem, options, sizeof *options);
 	
-	return (cfg_set_int32(cfg->options,
-			      &cfg->options->transfers_out,
-			      newval,
-			      &cfg->options->setflags1,
-			      TRANSFERS_OUT_BIT));
-}
-
+	return (result);
 
-isc_result_t
-dns_c_ctx_setmaxlogsizeixfr(dns_c_ctx_t *cfg, isc_int32_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+#undef FREEFIELD
+#undef FREESTRING
+#undef FREEIPMLIST
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_int32(cfg->options,
-			      &cfg->options->max_log_size_ixfr,
-			      newval,
-			      &cfg->options->setflags1,
-			      MAX_LOG_SIZE_IXFR_BIT));
 }
 
 
-isc_result_t
-dns_c_ctx_setcleaninterval(dns_c_ctx_t *cfg, isc_int32_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_int32(cfg->options,
-			      &cfg->options->clean_interval,
-			      newval,
-			      &cfg->options->setflags1,
-			      CLEAN_INTERVAL_BIT));
-}
+SETSTRING(directory, directory)
+GETSTRING(directory, directory)
+UNSETSTRING(directory, directory)
 
+SETSTRING(version, version)
+GETSTRING(version, version)
+UNSETSTRING(version, version)
 
-isc_result_t
-dns_c_ctx_setinterfaceinterval(dns_c_ctx_t *cfg, isc_int32_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+SETSTRING(dumpfilename, dump_filename)
+GETSTRING(dumpfilename, dump_filename)
+UNSETSTRING(dumpfilename, dump_filename)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_int32(cfg->options,
-			      &cfg->options->interface_interval,
-			      newval,
-			      &cfg->options->setflags1,
-			      INTERFACE_INTERVAL_BIT));
-}
+SETSTRING(pidfilename, pid_filename)
+GETSTRING(pidfilename, pid_filename)
+UNSETSTRING(pidfilename, pid_filename)
 
+SETSTRING(statsfilename, stats_filename)
+GETSTRING(statsfilename, stats_filename)
+UNSETSTRING(statsfilename, stats_filename)
 
-isc_result_t
-dns_c_ctx_setstatsinterval(dns_c_ctx_t *cfg, isc_int32_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+SETSTRING(memstatsfilename, memstats_filename)
+GETSTRING(memstatsfilename, memstats_filename)
+UNSETSTRING(memstatsfilename, memstats_filename)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_int32(cfg->options,
-			      &cfg->options->stats_interval,
-			      newval,
-			      &cfg->options->setflags1,
-			      STATS_INTERVAL_BIT));
-}
+SETSTRING(namedxfer, named_xfer)
+GETSTRING(namedxfer, named_xfer)
+UNSETSTRING(namedxfer, named_xfer)
 
 
-isc_result_t
-dns_c_ctx_setheartbeat_interval(dns_c_ctx_t *cfg, isc_int32_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_int32(cfg->options,
-			      &cfg->options->heartbeat_interval,
-			      newval,
-			      &cfg->options->setflags1,
-			      HEARTBEAT_INTERVAL_BIT));
-}
+GETBOOL(expertmode, expert_mode)
+SETBOOL(expertmode, expert_mode)
+UNSETBOOL(expertmode, expert_mode)
 
+GETBOOL(fakeiquery, fake_iquery)
+SETBOOL(fakeiquery, fake_iquery)
+UNSETBOOL(fakeiquery, fake_iquery)
 
-isc_result_t
-dns_c_ctx_setmaxtransfertimein(dns_c_ctx_t *cfg, isc_int32_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+GETBOOL(recursion, recursion)
+SETBOOL(recursion, recursion)
+UNSETBOOL(recursion, recursion)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_int32(cfg->options,
-			      &cfg->options->max_transfer_time_in,
-			      newval,
-			      &cfg->options->setflags1,
-			      MAX_TRANSFER_TIME_IN_BIT));
-}
+GETBOOL(fetchglue, fetch_glue)
+SETBOOL(fetchglue, fetch_glue)
+UNSETBOOL(fetchglue, fetch_glue)
 
+GETBOOL(notify, notify)
+SETBOOL(notify, notify)
+UNSETBOOL(notify, notify)
 
-isc_result_t
-dns_c_ctx_setmaxtransfertimeout(dns_c_ctx_t *cfg, isc_int32_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+GETBOOL(hoststatistics, host_statistics)
+SETBOOL(hoststatistics, host_statistics)
+UNSETBOOL(hoststatistics, host_statistics)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_int32(cfg->options,
-			      &cfg->options->max_transfer_time_out,
-			      newval,
-			      &cfg->options->setflags1,
-			      MAX_TRANSFER_TIME_OUT_BIT));
-}
+GETBOOL(dealloconexit, dealloc_on_exit)
+SETBOOL(dealloconexit, dealloc_on_exit)
+UNSETBOOL(dealloconexit, dealloc_on_exit)
 
+GETBOOL(useixfr, use_ixfr)
+SETBOOL(useixfr, use_ixfr)
+UNSETBOOL(useixfr, use_ixfr)
 
-isc_result_t
-dns_c_ctx_setmaxtransferidlein(dns_c_ctx_t *cfg, isc_int32_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+GETBOOL(maintainixfrbase, maintain_ixfr_base)
+SETBOOL(maintainixfrbase, maintain_ixfr_base)
+UNSETBOOL(maintainixfrbase, maintain_ixfr_base)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_int32(cfg->options,
-			      &cfg->options->max_transfer_idle_in,
-			      newval,
-			      &cfg->options->setflags1,
-			      MAX_TRANSFER_IDLE_IN_BIT));
-}
+GETBOOL(hasoldclients, has_old_clients)
+SETBOOL(hasoldclients, has_old_clients)
+UNSETBOOL(hasoldclients, has_old_clients)
 
+GETBOOL(authnxdomain, auth_nx_domain)
+SETBOOL(authnxdomain, auth_nx_domain)
+UNSETBOOL(authnxdomain, auth_nx_domain)
 
-isc_result_t
-dns_c_ctx_setmaxtransferidleout(dns_c_ctx_t *cfg, isc_int32_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+GETBOOL(multiplecnames, multiple_cnames)
+SETBOOL(multiplecnames, multiple_cnames)
+UNSETBOOL(multiplecnames, multiple_cnames)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_int32(cfg->options,
-			      &cfg->options->max_transfer_idle_out,
-			      newval,
-			      &cfg->options->setflags1,
-			      MAX_TRANSFER_IDLE_OUT_BIT));
-}
+GETBOOL(useidpool, use_id_pool)
+SETBOOL(useidpool, use_id_pool)
+UNSETBOOL(useidpool, use_id_pool)
 
+GETBOOL(dialup, dialup)
+SETBOOL(dialup, dialup)
+UNSETBOOL(dialup, dialup)
 
-isc_result_t
-dns_c_ctx_settcpclients(dns_c_ctx_t *cfg, isc_int32_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+GETBOOL(rfc2308type1, rfc2308_type1)
+SETBOOL(rfc2308type1, rfc2308_type1)
+UNSETBOOL(rfc2308type1, rfc2308_type1)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_int32(cfg->options,
-			      &cfg->options->tcp_clients,
-			      newval,
-			      &cfg->options->setflags1,
-			      TCP_CLIENTS_BIT));
-}
+GETBOOL(requestixfr, request_ixfr)
+SETBOOL(requestixfr, request_ixfr)
+UNSETBOOL(requestixfr, request_ixfr)
 
-isc_result_t
-dns_c_ctx_setrecursiveclients(dns_c_ctx_t *cfg, isc_int32_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+GETBOOL(provideixfr, provide_ixfr)
+SETBOOL(provideixfr, provide_ixfr)
+UNSETBOOL(provideixfr, provide_ixfr)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_int32(cfg->options,
-			      &cfg->options->recursive_clients,
-			      newval,
-			      &cfg->options->setflags1,
-			      RECURSIVE_CLIENTS_BIT));
-}
+GETBOOL(treatcrasspace, treat_cr_as_space)
+SETBOOL(treatcrasspace, treat_cr_as_space)
+UNSETBOOL(treatcrasspace, treat_cr_as_space)
 
 
-isc_result_t
-dns_c_ctx_setdatasize(dns_c_ctx_t *cfg, isc_uint32_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+GETUINT32(maxncachettl, max_ncache_ttl)
+SETUINT32(maxncachettl, max_ncache_ttl)
+UNSETUINT32(maxncachettl, max_ncache_ttl)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_uint32(cfg->options,
-			       &cfg->options->data_size,
-			       newval,
-			       &cfg->options->setflags1,
-			       DATA_SIZE_BIT));
-}
+GETUINT32(maxcachettl, max_cache_ttl)
+SETUINT32(maxcachettl, max_cache_ttl)
+UNSETUINT32(maxcachettl, max_cache_ttl)
 
+GETINT32(transfersin, transfers_in)
+SETINT32(transfersin, transfers_in)
+UNSETINT32(transfersin, transfers_in)
 
-isc_result_t
-dns_c_ctx_setstacksize(dns_c_ctx_t *cfg, isc_uint32_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+GETINT32(transfersperns, transfers_per_ns)
+SETINT32(transfersperns, transfers_per_ns)
+UNSETINT32(transfersperns, transfers_per_ns)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_uint32(cfg->options,
-			       &cfg->options->stack_size,
-			       newval,
-			       &cfg->options->setflags1,
-			       STACK_SIZE_BIT));
-}
+GETINT32(transfersout, transfers_out)
+SETINT32(transfersout, transfers_out)
+UNSETINT32(transfersout, transfers_out)
 
+GETINT32(maxlogsizeixfr, max_log_size_ixfr)
+SETINT32(maxlogsizeixfr, max_log_size_ixfr)
+UNSETINT32(maxlogsizeixfr, max_log_size_ixfr)
 
-isc_result_t
-dns_c_ctx_setcoresize(dns_c_ctx_t *cfg, isc_uint32_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+GETINT32(cleaninterval, clean_interval)
+SETINT32(cleaninterval, clean_interval)
+UNSETINT32(cleaninterval, clean_interval)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_uint32(cfg->options,
-			       &cfg->options->core_size,
-			       newval,
-			       &cfg->options->setflags1,
-			       CORE_SIZE_BIT));
-}
+GETINT32(interfaceinterval, interface_interval)
+SETINT32(interfaceinterval, interface_interval)
+UNSETINT32(interfaceinterval, interface_interval)
 
+GETINT32(statsinterval, stats_interval)
+SETINT32(statsinterval, stats_interval)
+UNSETINT32(statsinterval, stats_interval)
 
-isc_result_t
-dns_c_ctx_setfiles(dns_c_ctx_t *cfg, isc_uint32_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+GETINT32(heartbeatinterval, heartbeat_interval)
+SETINT32(heartbeatinterval, heartbeat_interval)
+UNSETINT32(heartbeatinterval, heartbeat_interval)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_uint32(cfg->options,
-			       &cfg->options->files,
-			       newval,
-			       &cfg->options->setflags1,
-			       FILES_BIT));
-}
+GETINT32(maxtransfertimein, max_transfer_time_in)
+SETINT32(maxtransfertimein, max_transfer_time_in)
+UNSETINT32(maxtransfertimein, max_transfer_time_in)
 
+GETINT32(maxtransfertimeout, max_transfer_time_out)
+SETINT32(maxtransfertimeout, max_transfer_time_out)
+UNSETINT32(maxtransfertimeout, max_transfer_time_out)
 
-isc_result_t
-dns_c_ctx_setexpertmode(dns_c_ctx_t *cfg, isc_boolean_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+GETINT32(maxtransferidlein, max_transfer_idle_in)
+SETINT32(maxtransferidlein, max_transfer_idle_in)
+UNSETINT32(maxtransferidlein, max_transfer_idle_in)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_boolean(cfg->options,
-				&cfg->options->expert_mode,
-				newval,
-				&cfg->options->setflags1,
-				EXPERT_MODE_BIT));
-}
+GETINT32(maxtransferidleout, max_transfer_idle_out)
+SETINT32(maxtransferidleout, max_transfer_idle_out)
+UNSETINT32(maxtransferidleout, max_transfer_idle_out)
 
+GETINT32(lamettl, lamettl)
+SETINT32(lamettl, lamettl)
+UNSETINT32(lamettl, lamettl)
 
-isc_result_t
-dns_c_ctx_setfakeiquery(dns_c_ctx_t *cfg, isc_boolean_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+GETINT32(tcpclients, tcp_clients)
+SETINT32(tcpclients, tcp_clients)
+UNSETINT32(tcpclients, tcp_clients)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_boolean(cfg->options,
-				&cfg->options->fake_iquery,
-				newval,
-				&cfg->options->setflags1,
-				FAKE_IQUERY_BIT));
-}
+GETINT32(recursiveclients, recursive_clients)
+SETINT32(recursiveclients, recursive_clients)
+UNSETINT32(recursiveclients, recursive_clients)
 
+GETINT32(minroots, min_roots)
+SETINT32(minroots, min_roots)
+UNSETINT32(minroots, min_roots)
 
-isc_result_t
-dns_c_ctx_setrecursion(dns_c_ctx_t *cfg, isc_boolean_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+GETINT32(serialqueries, serial_queries)
+SETINT32(serialqueries, serial_queries)
+UNSETINT32(serialqueries, serial_queries)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_boolean(cfg->options,
-				&cfg->options->recursion,
-				newval,
-				&cfg->options->setflags1,
-				RECURSION_BIT));
-}
+GETUINT32(datasize, data_size)
+SETUINT32(datasize, data_size)
+UNSETUINT32(datasize, data_size)
 
+GETUINT32(stacksize, stack_size)
+SETUINT32(stacksize, stack_size)
+UNSETUINT32(stacksize, stack_size)
 
-isc_result_t
-dns_c_ctx_setfetchglue(dns_c_ctx_t *cfg, isc_boolean_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+GETUINT32(coresize, core_size)
+SETUINT32(coresize, core_size)
+UNSETUINT32(coresize, core_size)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_boolean(cfg->options,
-				&cfg->options->fetch_glue,
-				newval,
-				&cfg->options->setflags1,
-				FETCH_GLUE_BIT));
-}
+GETUINT32(files, files)
+SETUINT32(files, files)
+UNSETUINT32(files, files)
 
+GETSOCKADDR(transfersource, transfer_source)
+SETSOCKADDR(transfersource, transfer_source)
+UNSETSOCKADDR(transfersource, transfer_source)
 
-isc_result_t
-dns_c_ctx_setnotify(dns_c_ctx_t *cfg, isc_boolean_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+GETSOCKADDR(transfersourcev6, transfer_source_v6)
+SETSOCKADDR(transfersourcev6, transfer_source_v6)
+UNSETSOCKADDR(transfersourcev6, transfer_source_v6)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_boolean(cfg->options,
-				&cfg->options->notify,
-				newval,
-				&cfg->options->setflags1,
-				NOTIFY_BIT));
-}
+GETSOCKADDR(querysource, query_source)
+SETSOCKADDR(querysource, query_source)
+UNSETSOCKADDR(querysource, query_source)
 
+GETSOCKADDR(querysourcev6, query_source_v6)
+SETSOCKADDR(querysourcev6, query_source_v6)
+UNSETSOCKADDR(querysourcev6, query_source_v6)
 
-isc_result_t
-dns_c_ctx_sethoststatistics(dns_c_ctx_t *cfg, isc_boolean_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+GETBYTYPE(dns_c_forw_t, forward, forward)
+SETBYTYPE(dns_c_forw_t, forward, forward)
+UNSETBYTYPE(dns_c_forw_t, forward, forward)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_boolean(cfg->options,
-				&cfg->options->host_statistics,
-				newval,
-				&cfg->options->setflags1,
-				HOST_STATISTICS_BIT));
-}
+GETBYTYPE(dns_transfer_format_t, transferformat, transfer_format)
+SETBYTYPE(dns_transfer_format_t, transferformat, transfer_format)
+UNSETBYTYPE(dns_transfer_format_t, transferformat, transfer_format)
 
+GETBYTYPE(dns_c_addata_t, additionaldata, additional_data)
+SETBYTYPE(dns_c_addata_t, additionaldata, additional_data)
+UNSETBYTYPE(dns_c_addata_t, additionaldata, additional_data)
 
-isc_result_t
-dns_c_ctx_setdealloconexit(dns_c_ctx_t *cfg, isc_boolean_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_boolean(cfg->options,
-				&cfg->options->dealloc_on_exit,
-				newval,
-				&cfg->options->setflags1,
-				DEALLOC_ON_EXIT_BIT));
-}
 
 
-isc_result_t
-dns_c_ctx_setuseixfr(dns_c_ctx_t *cfg, isc_boolean_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
 	
-	return (cfg_set_boolean(cfg->options,
-				&cfg->options->use_ixfr,
-				newval,
-				&cfg->options->setflags1,
-				USE_IXFR_BIT));
-}
 
 
-isc_result_t
-dns_c_ctx_setmaintainixfrbase(dns_c_ctx_t *cfg, isc_boolean_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+/*
+ * Modifiers for options.
+ *
+ */
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_boolean(cfg->options,
-				&cfg->options->maintain_ixfr_base,
-				newval,
-				&cfg->options->setflags1,
-				MAINTAIN_IXFR_BASE_BIT));
-}
 
 
 isc_result_t
-dns_c_ctx_sethasoldclients(dns_c_ctx_t *cfg, isc_boolean_t newval)
+dns_c_ctx_settkeydomain(dns_c_ctx_t *cfg, const char *newval)
 {
 	isc_result_t res;
 	
@@ -1586,16 +1879,15 @@ dns_c_ctx_sethasoldclients(dns_c_ctx_t *cfg, isc_boolean_t newval)
 		return (res);
 	}
 	
-	return (cfg_set_boolean(cfg->options,
-				&cfg->options->has_old_clients,
-				newval,
-				&cfg->options->setflags1,
-				HAS_OLD_CLIENTS_BIT));
+	return (cfg_set_string(cfg->options,
+			       &cfg->options->tkeydomain,
+			       newval));
 }
 
 
 isc_result_t
-dns_c_ctx_setauthnxdomain(dns_c_ctx_t *cfg, isc_boolean_t newval)
+dns_c_ctx_settkeydhkey(dns_c_ctx_t *cfg,
+		       const char *charval, isc_int32_t intval)
 {
 	isc_result_t res;
 	
@@ -1605,79 +1897,26 @@ dns_c_ctx_setauthnxdomain(dns_c_ctx_t *cfg, isc_boolean_t newval)
 	if (res != ISC_R_SUCCESS) {
 		return (res);
 	}
-	
-	return (cfg_set_boolean(cfg->options,
-				&cfg->options->auth_nx_domain,
-				newval,
-				&cfg->options->setflags1,
-				AUTH_NX_DOMAIN_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_setmultiplecnames(dns_c_ctx_t *cfg, isc_boolean_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_boolean(cfg->options,
-				&cfg->options->multiple_cnames,
-				newval,
-				&cfg->options->setflags1,
-				MULTIPLE_CNAMES_BIT));
+	cfg->options->tkeydhkeyi = intval;
+	return (cfg_set_string(cfg->options,
+			       &cfg->options->tkeydhkeycp,
+			       charval));
 }
 
 
-isc_result_t
-dns_c_ctx_setuseidpool(dns_c_ctx_t *cfg, isc_boolean_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_boolean(cfg->options,
-				&cfg->options->use_id_pool,
-				newval,
-				&cfg->options->setflags1,
-				USE_ID_POOL_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_setrfc2308type1(dns_c_ctx_t *cfg, isc_boolean_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	return (cfg_set_boolean(cfg->options,
-				&cfg->options->rfc2308_type1,
-				newval,
-				&cfg->options->setflags1,
-				RFC2308_TYPE1_BIT));
-}
 
 
 isc_result_t
-dns_c_ctx_setrequestixfr(dns_c_ctx_t *cfg, isc_boolean_t newval)
+dns_c_ctx_setchecknames(dns_c_ctx_t *cfg,
+			dns_c_trans_t transtype,
+			dns_severity_t newval)
 {
+	isc_boolean_t existed = ISC_FALSE;
 	isc_result_t res;
+	dns_severity_t **ptr = NULL;
 	
 	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
 
@@ -1685,134 +1924,79 @@ dns_c_ctx_setrequestixfr(dns_c_ctx_t *cfg, isc_boolean_t newval)
 	if (res != ISC_R_SUCCESS) {
 		return (res);
 	}
-	
-	return (cfg_set_boolean(cfg->options,
-				&cfg->options->request_ixfr,
-				newval,
-				&cfg->options->setflags1,
-				REQUEST_IXFR_BIT));
-}
-
 
-isc_result_t
-dns_c_ctx_setprovideixfr(dns_c_ctx_t *cfg, isc_boolean_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+	switch(transtype) {
+	case dns_trans_primary:
+	case dns_trans_secondary:
+	case dns_trans_response:
+		ptr = &cfg->options->check_names[transtype];
+		existed = ISC_TF(*ptr != NULL);
+		break;
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
+	default:
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_CRITICAL,
+			      "bad transport value: %d", transtype);
+		return (ISC_R_FAILURE);
 	}
-	
-	return (cfg_set_boolean(cfg->options,
-				&cfg->options->provide_ixfr,
-				newval,
-				&cfg->options->setflags1,
-				PROVIDE_IXFR_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_setdialup(dns_c_ctx_t *cfg, isc_boolean_t newval)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
+	if (!existed) {
+		*ptr = isc_mem_get(cfg->options->mem,
+				   sizeof (**ptr));
 	}
-	
-	return (cfg_set_boolean(cfg->options,
-				&cfg->options->dialup,
-				newval,
-				&cfg->options->setflags1,
-				DIALUP_BIT));
-}
 
-
-isc_result_t
-dns_c_ctx_setquerysource(dns_c_ctx_t *cfg, isc_sockaddr_t addr)
-{
-	isc_boolean_t existed;
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(addr.type.sa.sa_family == AF_INET); /* XXX too strong? */
-
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
+	**ptr = newval;
 	
-	existed = DNS_C_CHECKBIT(QUERY_SOURCE_BIT,
-				 &cfg->options->setflags1);
-	DNS_C_SETBIT(QUERY_SOURCE_BIT, &cfg->options->setflags1);
-	
-	cfg->options->query_source = addr;
-
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
 
 isc_result_t
-dns_c_ctx_setquerysourcev6(dns_c_ctx_t *cfg, isc_sockaddr_t addr)
+dns_c_ctx_getchecknames(dns_c_ctx_t *cfg,
+			dns_c_trans_t transtype,
+			dns_severity_t *retval)
 {
-	isc_boolean_t existed;
-	isc_result_t res;
-	
+	isc_result_t result;
+	dns_severity_t **ptr = NULL;	
 	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(addr.type.sa.sa_family == AF_INET6);	/* XXX too strong? */
-	
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
+
+	if (cfg->options == NULL) {
+		return (ISC_R_NOTFOUND);
 	}
 	
-	existed = DNS_C_CHECKBIT(QUERY_SOURCE_V6_BIT,
-				 &cfg->options->setflags1);
-	DNS_C_SETBIT(QUERY_SOURCE_V6_BIT, &cfg->options->setflags1);
-	
-	cfg->options->query_source_v6 = addr;
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
+	REQUIRE(retval != NULL);
 
-isc_result_t
-dns_c_ctx_settransferformat(dns_c_ctx_t *cfg,
-			    dns_transfer_format_t newval)
-{
-	isc_boolean_t existed;
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+	switch (transtype) {
+	case dns_trans_primary:
+	case dns_trans_secondary:
+	case dns_trans_response:
+		ptr = &cfg->options->check_names[transtype];
+		break;
+		
+	default:
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_CRITICAL,
+			      "bad transport value: %d", transtype);
+		return (ISC_R_FAILURE);
+	}
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
+	if (*ptr != NULL) {
+		*retval = *cfg->options->check_names[transtype];
+		result = ISC_R_SUCCESS;
+	} else {
+		result = ISC_R_NOTFOUND;
 	}
-	
-	existed = DNS_C_CHECKBIT(OPTIONS_TRANSFER_FORMAT_BIT,
-				 &cfg->options->setflags1);
-	DNS_C_SETBIT(OPTIONS_TRANSFER_FORMAT_BIT, &cfg->options->setflags1);
-	
-	cfg->options->transfer_format = newval;
 
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+	return (result);
 }
 
 
 isc_result_t
-dns_c_ctx_setchecknames(dns_c_ctx_t *cfg,
-			dns_c_trans_t transtype,
-			dns_severity_t sever)
+dns_c_ctx_unsetchecknames(dns_c_ctx_t *cfg,
+			  dns_c_trans_t transtype)
 {
-	isc_boolean_t existed = ISC_FALSE;
 	isc_result_t res;
+	dns_severity_t **ptr = NULL;
 	
 	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
 
@@ -1820,24 +2004,12 @@ dns_c_ctx_setchecknames(dns_c_ctx_t *cfg,
 	if (res != ISC_R_SUCCESS) {
 		return (res);
 	}
-	
+
 	switch(transtype) {
 	case dns_trans_primary:
-		existed = DNS_C_CHECKBIT(CHECKNAME_PRIM_BIT,
-					 &cfg->options->setflags1);
-		DNS_C_SETBIT(CHECKNAME_PRIM_BIT, &cfg->options->setflags1);
-		break;
-
 	case dns_trans_secondary:
-		existed = DNS_C_CHECKBIT(CHECKNAME_SEC_BIT,
-					 &cfg->options->setflags1);
-		DNS_C_SETBIT(CHECKNAME_SEC_BIT, &cfg->options->setflags1);
-		break;
-
 	case dns_trans_response:
-		existed = DNS_C_CHECKBIT(CHECKNAME_RESP_BIT,
-					 &cfg->options->setflags1);
-		DNS_C_SETBIT(CHECKNAME_RESP_BIT, &cfg->options->setflags1);
+		ptr = &cfg->options->check_names[transtype];
 		break;
 
 	default:
@@ -1846,185 +2018,120 @@ dns_c_ctx_setchecknames(dns_c_ctx_t *cfg,
 			      "bad transport value: %d", transtype);
 		return (ISC_R_FAILURE);
 	}
-	
-	cfg->options->check_names[transtype] = sever;
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-
-isc_result_t
-dns_c_ctx_setqueryacl(dns_c_ctx_t *cfg, isc_boolean_t copy,
-		      dns_c_ipmatchlist_t *iml)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
+	if (*ptr == NULL) {
+		return (ISC_R_NOTFOUND);
 	}
 	
-	REQUIRE(iml != NULL);
+	isc_mem_put(cfg->options->mem, *ptr, sizeof (**ptr));
 
-	res = cfg_set_ipmatchlist(cfg->options, &cfg->options->queryacl,
-				  iml, copy);
-
-	return (res);
+	return (ISC_R_SUCCESS);
 }
 
 
-isc_result_t
-dns_c_ctx_settransferacl(dns_c_ctx_t *cfg, isc_boolean_t copy,
-			 dns_c_ipmatchlist_t *iml)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	REQUIRE(iml != NULL);
 
-	res = cfg_set_ipmatchlist(cfg->options, &cfg->options->transferacl,
-			     iml, copy);
+#define SETIPMLIST(FUNCNAME, FIELD)					\
+isc_result_t								\
+PVT_CONCAT(dns_c_ctx_set, FUNCNAME)(dns_c_ctx_t *cfg,			\
+				    dns_c_ipmatchlist_t *newval)	\
+{									\
+	isc_result_t res;						\
+									\
+	REQUIRE(DNS_C_CONFCTX_VALID(cfg));				\
+									\
+	res = make_options(cfg);					\
+	if (res != ISC_R_SUCCESS) {					\
+		return (res);						\
+	}								\
+									\
+	REQUIRE(newval != NULL);					\
+									\
+	if (cfg->options->FIELD != NULL) {				\
+		dns_c_ipmatchlist_detach(&cfg->options->FIELD);		\
+	}								\
+									\
+	dns_c_ipmatchlist_attach(newval, &cfg->options->FIELD);		\
+	return (ISC_R_SUCCESS);						\
+}									\
 
-	return (res);
-}
 
 
-isc_result_t
-dns_c_ctx_setrecursionacl(dns_c_ctx_t *cfg, isc_boolean_t copy,
-			  dns_c_ipmatchlist_t *iml)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	REQUIRE(iml != NULL);
-
-	res = cfg_set_ipmatchlist(cfg->options, &cfg->options->recursionacl,
-			     iml, copy);
-
-	return (res);
+#define GETIPMLIST(FUNC, FIELD)						\
+isc_result_t								\
+PVT_CONCAT(dns_c_ctx_get, FUNC)(dns_c_ctx_t *cfg,			\
+				dns_c_ipmatchlist_t **retval)		\
+{									\
+	REQUIRE(DNS_C_CONFCTX_VALID(cfg));				\
+									\
+	if (cfg->options == NULL) {					\
+		return (ISC_R_NOTFOUND);				\
+	}								\
+									\
+	REQUIRE(retval != NULL);					\
+									\
+	if (cfg->options->FIELD != NULL) {				\
+		dns_c_ipmatchlist_attach(cfg->options->FIELD, retval);	\
+		return (ISC_R_SUCCESS);					\
+	} else {							\
+		return (ISC_R_NOTFOUND);				\
+	}								\
 }
 
 
-isc_result_t
-dns_c_ctx_setblackhole(dns_c_ctx_t *cfg, isc_boolean_t copy,
-		       dns_c_ipmatchlist_t *iml)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	REQUIRE(iml != NULL);
 
-	res = cfg_set_ipmatchlist(cfg->options, &cfg->options->blackhole,
-			     iml, copy);
-
-	return (res);
+#define UNSETIPMLIST(FUNC, FIELD)			\
+isc_result_t						\
+PVT_CONCAT(dns_c_ctx_unset, FUNC)(dns_c_ctx_t *cfg)	\
+{							\
+	REQUIRE(DNS_C_CONFCTX_VALID(cfg));		\
+							\
+	if (cfg->options == NULL) {			\
+		return (ISC_R_NOTFOUND);		\
+	}						\
+							\
+	dns_c_ipmatchlist_detach(&cfg->options->FIELD);	\
+							\
+	return (ISC_R_SUCCESS);				\
 }
 
 
-isc_result_t
-dns_c_ctx_settopology(dns_c_ctx_t *cfg, isc_boolean_t copy,
-		      dns_c_ipmatchlist_t *iml)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+SETIPMLIST(allowquery, queryacl)
+UNSETIPMLIST(allowquery, queryacl)
+GETIPMLIST(allowquery, queryacl)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
 	
-	REQUIRE(iml != NULL);
-
-	res = cfg_set_ipmatchlist(cfg->options, &cfg->options->topology,
-			     iml, copy);
+SETIPMLIST(allowtransfer, transferacl)
+UNSETIPMLIST(allowtransfer, transferacl)
+GETIPMLIST(allowtransfer, transferacl)
 
-	return (res);
-}
 
+SETIPMLIST(allowrecursion, recursionacl)
+UNSETIPMLIST(allowrecursion, recursionacl)
+GETIPMLIST(allowrecursion, recursionacl)
 
-isc_result_t
-dns_c_ctx_setsortlist(dns_c_ctx_t *cfg, isc_boolean_t copy,
-		      dns_c_ipmatchlist_t *iml)
-{
-	isc_result_t res;
 	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+SETIPMLIST(blackhole, blackhole)
+UNSETIPMLIST(blackhole, blackhole)
+GETIPMLIST(blackhole, blackhole)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
 	
-	REQUIRE(iml != NULL);
-
-	res = cfg_set_ipmatchlist(cfg->options, &cfg->options->sortlist,
-			     iml, copy);
+SETIPMLIST(topology, topology)
+UNSETIPMLIST(topology, topology)
+GETIPMLIST(topology, topology)
 
-	return (res);
-}
 
+SETIPMLIST(sortlist, sortlist)
+UNSETIPMLIST(sortlist, sortlist)
+GETIPMLIST(sortlist, sortlist)
 
-isc_result_t
-dns_c_ctx_setforward(dns_c_ctx_t *cfg, dns_c_forw_t forw)
-{
-	isc_boolean_t existed;
-	isc_result_t res;
 
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
+SETIPMLIST(allowupdateforwarding, allowupdateforwarding)
+UNSETIPMLIST(allowupdateforwarding, allowupdateforwarding)
+GETIPMLIST(allowupdateforwarding, allowupdateforwarding)
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
 	
-	existed = DNS_C_CHECKBIT(FORWARD_BIT, &cfg->options->setflags1);
-	DNS_C_SETBIT(FORWARD_BIT, &cfg->options->setflags1);
-	
-	cfg->options->forward = forw;
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-
-isc_result_t
-dns_c_ctx_setforwarders(dns_c_ctx_t *cfg, isc_boolean_t copy,
-			dns_c_iplist_t *ipl)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	res = cfg_set_iplist(cfg->options, &cfg->options->forwarders,
-			     ipl, copy);
-
-	return (res);
-}
 
 
 isc_result_t
@@ -2166,136 +2273,6 @@ dns_c_ctx_settrustedkeys(dns_c_ctx_t *cfg, dns_c_tkeylist_t *list,
  ** Accessors
  **/
 
-isc_result_t
-dns_c_ctx_getdirectory(dns_c_ctx_t *cfg, char **retval)
-{
-
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	REQUIRE(DNS_C_CONFOPT_VALID(cfg->options));
-
-	*retval = cfg->options->directory;
-
-	return (*retval == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
-}
-
-
-isc_result_t
-dns_c_ctx_getversion(dns_c_ctx_t *cfg, char **retval)
-{
-
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	REQUIRE(DNS_C_CONFOPT_VALID(cfg->options));
-
-	*retval = cfg->options->version;
-
-	return (*retval == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
-}
-
-
-isc_result_t
-dns_c_ctx_getdumpfilename(dns_c_ctx_t *cfg, char **retval)
-{
-
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	REQUIRE(DNS_C_CONFOPT_VALID(cfg->options));
-
-	*retval = cfg->options->dump_filename;
-
-	return (*retval == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
-}
-
-
-isc_result_t
-dns_c_ctx_getpidfilename(dns_c_ctx_t *cfg, char **retval)
-{
-
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	REQUIRE(DNS_C_CONFOPT_VALID(cfg->options));
-
-	*retval = cfg->options->pid_filename;
-
-	return (*retval == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
-}
-
-
-isc_result_t
-dns_c_ctx_getstatsfilename(dns_c_ctx_t *cfg, char **retval)
-{
-
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	REQUIRE(DNS_C_CONFOPT_VALID(cfg->options));
-
-	*retval = cfg->options->stats_filename;
-
-	return (*retval == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
-}
-
-
-isc_result_t
-dns_c_ctx_getmemstatsfilename(dns_c_ctx_t *cfg, char **retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	REQUIRE(DNS_C_CONFOPT_VALID(cfg->options));
-
-	*retval = cfg->options->memstats_filename;
-
-	return (*retval == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
-}
-
-
-isc_result_t
-dns_c_ctx_getnamedxfer(dns_c_ctx_t *cfg, char **retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	REQUIRE(DNS_C_CONFOPT_VALID(cfg->options));
-
-	*retval = cfg->options->named_xfer;
-
-	return (*retval == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
-}
-
 
 isc_result_t
 dns_c_ctx_gettkeydomain(dns_c_ctx_t *cfg, char **retval)
@@ -2343,900 +2320,51 @@ dns_c_ctx_gettkeydhkey(dns_c_ctx_t *cfg,
 }
 
 
-isc_result_t
-dns_c_ctx_getmaxncachettl(dns_c_ctx_t *cfg, isc_uint32_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	REQUIRE(DNS_C_CONFOPT_VALID(cfg->options));
-	
-	return (cfg_get_uint32(cfg->options, 
-			       &cfg->options->max_ncache_ttl,
-			       retval,
-			       &cfg->options->setflags1,
-			       MAX_NCACHE_TTL_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_gettransfersin(dns_c_ctx_t *cfg, isc_int32_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	REQUIRE(DNS_C_CONFOPT_VALID(cfg->options));
-
-	
-	return (cfg_get_int32(cfg->options, 
-			      &cfg->options->transfers_in,
-			      retval,
-			      &cfg->options->setflags1,
-			      TRANSFERS_IN_BIT));
-}
-
 
 isc_result_t
-dns_c_ctx_gettransfersperns(dns_c_ctx_t *cfg, isc_int32_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-		
-	REQUIRE(DNS_C_CONFOPT_VALID(cfg->options));
-	
-	return (cfg_get_int32(cfg->options, 
-			      &cfg->options->transfers_per_ns,
-			      retval,
-			      &cfg->options->setflags1,
-			      TRANSFERS_PER_NS_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_gettransfersout(dns_c_ctx_t *cfg, isc_int32_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-
-	REQUIRE(DNS_C_CONFOPT_VALID(cfg->options));
-	
-	return (cfg_get_int32(cfg->options, 
-			      &cfg->options->transfers_out,
-			      retval,
-			      &cfg->options->setflags1,
-			      TRANSFERS_OUT_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getmaxlogsizeixfr(dns_c_ctx_t *cfg, isc_int32_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	REQUIRE(DNS_C_CONFOPT_VALID(cfg->options));
-
-	return (cfg_get_int32(cfg->options, 
-			      &cfg->options->max_log_size_ixfr,
-			      retval,
-			      &cfg->options->setflags1,
-			      MAX_LOG_SIZE_IXFR_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getcleaninterval(dns_c_ctx_t *cfg, isc_int32_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	REQUIRE(DNS_C_CONFOPT_VALID(cfg->options));
-
-	return (cfg_get_int32(cfg->options, 
-			      &cfg->options->clean_interval,
-			      retval,
-			      &cfg->options->setflags1,
-			      CLEAN_INTERVAL_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getinterfaceinterval(dns_c_ctx_t *cfg, isc_int32_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_int32(cfg->options, 
-			      &cfg->options->interface_interval,
-			      retval,
-			      &cfg->options->setflags1,
-			      INTERFACE_INTERVAL_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getstatsinterval(dns_c_ctx_t *cfg, isc_int32_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_int32(cfg->options, 
-			      &cfg->options->stats_interval,
-			      retval,
-			      &cfg->options->setflags1,
-			      STATS_INTERVAL_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getheartbeatinterval(dns_c_ctx_t *cfg, isc_int32_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_int32(cfg->options, 
-			      &cfg->options->heartbeat_interval,
-			      retval,
-			      &cfg->options->setflags1,
-			      HEARTBEAT_INTERVAL_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getmaxtransfertimein(dns_c_ctx_t *cfg, isc_int32_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_int32(cfg->options, 
-			      &cfg->options->max_transfer_time_in,
-			      retval,
-			      &cfg->options->setflags1,
-			      MAX_TRANSFER_TIME_IN_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getmaxtransfertimeout(dns_c_ctx_t *cfg, isc_int32_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_int32(cfg->options, 
-			      &cfg->options->max_transfer_time_out,
-			      retval,
-			      &cfg->options->setflags1,
-			      MAX_TRANSFER_TIME_OUT_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getmaxtransferidlein(dns_c_ctx_t *cfg, isc_int32_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_int32(cfg->options, 
-			      &cfg->options->max_transfer_idle_in,
-			      retval,
-			      &cfg->options->setflags1,
-			      MAX_TRANSFER_IDLE_IN_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getmaxtransferidleout(dns_c_ctx_t *cfg, isc_int32_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_int32(cfg->options, 
-			      &cfg->options->max_transfer_idle_out,
-			      retval,
-			      &cfg->options->setflags1,
-			      MAX_TRANSFER_IDLE_OUT_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_gettcpclients(dns_c_ctx_t *cfg, isc_int32_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_int32(cfg->options, 
-			      &cfg->options->tcp_clients,
-			      retval,
-			      &cfg->options->setflags1,
-			      TCP_CLIENTS_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getrecursiveclients(dns_c_ctx_t *cfg, isc_int32_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_int32(cfg->options, 
-			      &cfg->options->recursive_clients,
-			      retval,
-			      &cfg->options->setflags1,
-			      RECURSIVE_CLIENTS_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getdatasize(dns_c_ctx_t *cfg, isc_uint32_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_uint32(cfg->options, 
-			       &cfg->options->data_size,
-			       retval,
-			       &cfg->options->setflags1,
-			       DATA_SIZE_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getstacksize(dns_c_ctx_t *cfg, isc_uint32_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_uint32(cfg->options, 
-			       &cfg->options->stack_size,
-			       retval,
-			       &cfg->options->setflags1,
-			       STACK_SIZE_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getcoresize(dns_c_ctx_t *cfg, isc_uint32_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_uint32(cfg->options, 
-			       &cfg->options->core_size,
-			       retval,
-			       &cfg->options->setflags1,
-			       CORE_SIZE_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getfiles(dns_c_ctx_t *cfg, isc_uint32_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_uint32(cfg->options, 
-			       &cfg->options->files,
-			       retval,
-			       &cfg->options->setflags1,
-			       FILES_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getexpertmode(dns_c_ctx_t *cfg, isc_boolean_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_boolean(cfg->options, 
-			       &cfg->options->expert_mode,
-			       retval,
-			       &cfg->options->setflags1,
-			       EXPERT_MODE_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getfakeiquery(dns_c_ctx_t *cfg, isc_boolean_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_boolean(cfg->options, 
-				&cfg->options->fake_iquery,
-				retval,
-				&cfg->options->setflags1,
-				FAKE_IQUERY_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getrecursion(dns_c_ctx_t *cfg, isc_boolean_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_boolean(cfg->options, 
-				&cfg->options->recursion,
-				retval,
-				&cfg->options->setflags1,
-				RECURSION_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getfetchglue(dns_c_ctx_t *cfg, isc_boolean_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_boolean(cfg->options, 
-				&cfg->options->fetch_glue,
-				retval,
-				&cfg->options->setflags1,
-				FETCH_GLUE_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getnotify(dns_c_ctx_t *cfg, isc_boolean_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_boolean(cfg->options, 
-				&cfg->options->notify,
-				retval,
-				&cfg->options->setflags1,
-				NOTIFY_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_gethoststatistics(dns_c_ctx_t *cfg, isc_boolean_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_boolean(cfg->options, 
-				&cfg->options->host_statistics,
-				retval,
-				&cfg->options->setflags1,
-				HOST_STATISTICS_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getdealloconexit(dns_c_ctx_t *cfg, isc_boolean_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_boolean(cfg->options, 
-				&cfg->options->dealloc_on_exit,
-				retval,
-				&cfg->options->setflags1,
-				DEALLOC_ON_EXIT_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getuseixfr(dns_c_ctx_t *cfg, isc_boolean_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_boolean(cfg->options, 
-				&cfg->options->use_ixfr,
-				retval,
-				&cfg->options->setflags1,
-				USE_IXFR_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getmaintainixfrbase(dns_c_ctx_t *cfg, isc_boolean_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_boolean(cfg->options, 
-				&cfg->options->maintain_ixfr_base,
-				retval,
-				&cfg->options->setflags1,
-				MAINTAIN_IXFR_BASE_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_gethasoldclients(dns_c_ctx_t *cfg, isc_boolean_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_boolean(cfg->options, 
-				&cfg->options->has_old_clients,
-				retval,
-				&cfg->options->setflags1,
-				HAS_OLD_CLIENTS_BIT));
-}
-
-
-
-isc_result_t
-dns_c_ctx_getauthnxdomain(dns_c_ctx_t *cfg, isc_boolean_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_boolean(cfg->options, 
-				&cfg->options->auth_nx_domain,
-				retval,
-				&cfg->options->setflags1,
-				AUTH_NX_DOMAIN_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getmultiplecnames(dns_c_ctx_t *cfg, isc_boolean_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_boolean(cfg->options, 
-				&cfg->options->multiple_cnames,
-				retval,
-				&cfg->options->setflags1,
-				MULTIPLE_CNAMES_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getuseidpool(dns_c_ctx_t *cfg, isc_boolean_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_boolean(cfg->options, 
-				&cfg->options->use_id_pool,
-				retval,
-				&cfg->options->setflags1,
-				USE_ID_POOL_BIT));
-}
-
-
-isc_result_t
-dns_c_ctx_getrfc2308type1(dns_c_ctx_t *cfg, isc_boolean_t *retval)
+dns_c_ctx_getlistenlist(dns_c_ctx_t *cfg, dns_c_lstnlist_t **ll)
 {
 	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
 
 	if (cfg->options == NULL) {
 		return (ISC_R_NOTFOUND);
 	}
 	
-	
-	return (cfg_get_boolean(cfg->options, 
-				&cfg->options->rfc2308_type1,
-				retval,
-				&cfg->options->setflags1,
-				RFC2308_TYPE1_BIT));
-}
-
+	REQUIRE(ll != NULL);
 
-isc_result_t
-dns_c_ctx_getrequestixfr(dns_c_ctx_t *cfg, isc_boolean_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
+	*ll = NULL;
 
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
+	if (cfg->options->listens != NULL) {
+		*ll = cfg->options->listens;
 	}
-	
-	
-	return (cfg_get_boolean(cfg->options, 
-				&cfg->options->request_ixfr,
-				retval,
-				&cfg->options->setflags1,
-				REQUEST_IXFR_BIT));
-}
-
 
-isc_result_t
-dns_c_ctx_getprovideixfr(dns_c_ctx_t *cfg, isc_boolean_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_boolean(cfg->options, 
-				&cfg->options->provide_ixfr,
-				retval,
-				&cfg->options->setflags1,
-				PROVIDE_IXFR_BIT));
+	return (*ll == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
 }
 
 
-isc_result_t
-dns_c_ctx_getdialup(dns_c_ctx_t *cfg, isc_boolean_t *retval)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	
-	return (cfg_get_boolean(cfg->options, 
-				&cfg->options->dialup,
-				retval,
-				&cfg->options->setflags1,
-				DIALUP_BIT));
-}
-
 
 isc_result_t
-dns_c_ctx_getquerysource(dns_c_ctx_t *cfg, isc_sockaddr_t *addr)
-{
-	isc_result_t res;
-
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	REQUIRE(addr != NULL);
-
-	if (DNS_C_CHECKBIT(QUERY_SOURCE_BIT, &cfg->options->setflags1)) {
-		*addr = cfg->options->query_source;
-		res = ISC_R_SUCCESS;
-	} else {
-		res = ISC_R_NOTFOUND;
-	}
-
-	return (res);
-}
-
-
-isc_result_t
-dns_c_ctx_getquerysourcev6(dns_c_ctx_t *cfg, isc_sockaddr_t *addr)
+dns_c_ctx_setforwarders(dns_c_ctx_t *cfg, isc_boolean_t copy,
+			dns_c_iplist_t *ipl)
 {
 	isc_result_t res;
-
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
 	
-	REQUIRE(addr != NULL);
-
-	if (DNS_C_CHECKBIT(QUERY_SOURCE_V6_BIT, &cfg->options->setflags1)) {
-		*addr = cfg->options->query_source_v6;
-		res = ISC_R_SUCCESS;
-	} else {
-		res = ISC_R_NOTFOUND;
-	}
-
-	return (res);
-}
-
-
-isc_result_t
-dns_c_ctx_gettransferformat(dns_c_ctx_t *cfg,
-			    dns_transfer_format_t *retval)
-{
 	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(retval != NULL);
 
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-
-	if (DNS_C_CHECKBIT(OPTIONS_TRANSFER_FORMAT_BIT,
-			   &cfg->options->setflags1)) {
-		*retval = cfg->options->transfer_format;
-		return (ISC_R_SUCCESS);
-	} else {
-		return (ISC_R_NOTFOUND);
-	}
-}
-
-
-isc_result_t
-dns_c_ctx_getchecknames(dns_c_ctx_t *cfg,
-			dns_c_trans_t transtype,
-			dns_severity_t *sever)
-{
-	isc_boolean_t isset = ISC_FALSE;
-	isc_result_t res;
-
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
+	res = make_options(cfg);
+	if (res != ISC_R_SUCCESS) {
+		return (res);
 	}
 	
-	REQUIRE(sever != NULL);
-
-	switch (transtype) {
-	case dns_trans_primary:
-		isset = DNS_C_CHECKBIT(CHECKNAME_PRIM_BIT,
-				       &cfg->options->setflags1);
-		break;
-
-	case dns_trans_secondary:
-		isset = DNS_C_CHECKBIT(CHECKNAME_SEC_BIT,
-				       &cfg->options->setflags1);
-		break;
-
-	case dns_trans_response:
-		isset = DNS_C_CHECKBIT(CHECKNAME_RESP_BIT,
-				       &cfg->options->setflags1);
-		break;
-
-	default:
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
-			      DNS_LOGMODULE_CONFIG, ISC_LOG_CRITICAL,
-			      "bad transport value: %d", transtype);
-		return (ISC_R_FAILURE);
-	}
-
-	if (isset) {
-		*sever = cfg->options->check_names[transtype];
-		res = ISC_R_SUCCESS;
-	} else {
-		res = ISC_R_NOTFOUND;
-	}
+	res = cfg_set_iplist(cfg->options, &cfg->options->forwarders,
+			     ipl, copy);
 
 	return (res);
 }
 
 
 isc_result_t
-dns_c_ctx_getqueryacl(dns_c_ctx_t *cfg, dns_c_ipmatchlist_t **list)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	REQUIRE(list != NULL);
-
-	return (cfg_get_ipmatchlist(cfg->options, cfg->options->queryacl,
-				    list));
-}
-
-
-isc_result_t
-dns_c_ctx_gettransferacl(dns_c_ctx_t *cfg, dns_c_ipmatchlist_t **list)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	REQUIRE(list != NULL);
-
-	return (cfg_get_ipmatchlist(cfg->options,
-				    cfg->options->transferacl, list));
-}
-
-
-isc_result_t
-dns_c_ctx_getrecursionacl(dns_c_ctx_t *cfg, dns_c_ipmatchlist_t **list)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	REQUIRE(list != NULL);
-
-	return (cfg_get_ipmatchlist(cfg->options, cfg->options->recursionacl,
-				    list));
-}
-
-
-isc_result_t
-dns_c_ctx_getblackhole(dns_c_ctx_t *cfg, dns_c_ipmatchlist_t **list)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	REQUIRE(list != NULL);
-
-	return (cfg_get_ipmatchlist(cfg->options,
-				    cfg->options->blackhole, list));
-}
-
-
-isc_result_t
-dns_c_ctx_gettopology(dns_c_ctx_t *cfg, dns_c_ipmatchlist_t **list)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	REQUIRE(list != NULL);
-
-	return (cfg_get_ipmatchlist(cfg->options,
-				    cfg->options->topology, list));
-}
-
-
-isc_result_t
-dns_c_ctx_getsortlist(dns_c_ctx_t *cfg, dns_c_ipmatchlist_t **list)
+dns_c_ctx_getforwarders(dns_c_ctx_t *cfg, dns_c_iplist_t **list)
 {
 	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
 
@@ -3246,71 +2374,28 @@ dns_c_ctx_getsortlist(dns_c_ctx_t *cfg, dns_c_ipmatchlist_t **list)
 	
 	REQUIRE(list != NULL);
 
-	return (cfg_get_ipmatchlist(cfg->options,
-				    cfg->options->sortlist, list));
-}
-
-
-isc_result_t
-dns_c_ctx_getlistenlist(dns_c_ctx_t *cfg, dns_c_lstnlist_t **ll)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	REQUIRE(ll != NULL);
-
-	*ll = NULL;
-
-	if (cfg->options->listens != NULL) {
-		*ll = cfg->options->listens;
-	}
-
-	return (*ll == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
+	return (cfg_get_iplist(cfg->options,
+			       cfg->options->forwarders, list));
 }
 
 
 isc_result_t
-dns_c_ctx_getforward(dns_c_ctx_t *cfg, dns_c_forw_t *forw)
+dns_c_ctx_unsetforwarders(dns_c_ctx_t *cfg)
 {
-	isc_result_t res;
-
 	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
 
 	if (cfg->options == NULL) {
 		return (ISC_R_NOTFOUND);
 	}
-	
-	REQUIRE(forw != NULL);
 
-	if (DNS_C_CHECKBIT(FORWARD_BIT, &cfg->options->setflags1)) {
-		*forw = cfg->options->forward;
-		res = ISC_R_SUCCESS;
+	if (cfg->options->forwarders != NULL) {
+		return (dns_c_iplist_detach(&cfg->options->forwarders));
 	} else {
-		return (ISC_R_NOTFOUND);
+		return (ISC_R_SUCCESS);
 	}
-
-	return (res);
 }
 
 
-isc_result_t
-dns_c_ctx_getforwarders(dns_c_ctx_t *cfg, dns_c_iplist_t **list)
-{
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
-	
-	REQUIRE(list != NULL);
-
-	return (cfg_get_iplist(cfg->options,
-			       cfg->options->forwarders, list));
-}
-
 
 isc_result_t
 dns_c_ctx_getrrsetorderlist(dns_c_ctx_t *cfg, dns_c_rrsolist_t **retval)
@@ -3342,580 +2427,31 @@ dns_c_ctx_gettrustedkeys(dns_c_ctx_t *cfg, dns_c_tkeylist_t **retval)
 }
 
 
-
-isc_result_t
-dns_c_ctx_optionsnew(isc_mem_t *mem, dns_c_options_t **options)
-{
-	int i;
-	dns_c_options_t *opts = NULL;
-
-	REQUIRE(mem != NULL);
-	REQUIRE(options != NULL);
-
-	*options = NULL;
-	
-	opts = isc_mem_get(mem, sizeof *opts);
-	if (opts == NULL) {
-		return (ISC_R_NOMEMORY);
-	}
-
-	opts->directory = NULL;
-	opts->version = NULL;
-	opts->dump_filename = NULL;
-	opts->pid_filename = NULL;
-	opts->stats_filename = NULL;
-	opts->memstats_filename = NULL;
-	opts->named_xfer = NULL;
-	opts->tkeydomain = NULL;
-	opts->also_notify = NULL;
-	opts->tkeydhkeycp = NULL;
-	opts->tkeydhkeyi = 0;
-
-	opts->mem = mem;
-	opts->magic = DNS_C_OPTION_MAGIC;
-	opts->flags = 0;
-	opts->max_ncache_ttl = 0;
-	
-	opts->transfers_in = 0;
-	opts->transfers_per_ns = 0;
-	opts->transfers_out = 0;
-	opts->max_log_size_ixfr = 0;
-	opts->clean_interval = 0;
-	opts->interface_interval = 0;
-	opts->stats_interval = 0;
-	opts->heartbeat_interval = 0;
-	
-	opts->fake_iquery = ISC_FALSE;
-	opts->recursion = ISC_FALSE;
-	opts->fetch_glue = ISC_FALSE;
-	opts->notify = ISC_FALSE;
-	opts->host_statistics = ISC_FALSE;
-	opts->dealloc_on_exit = ISC_FALSE;
-	opts->use_ixfr = ISC_FALSE;
-	opts->maintain_ixfr_base = ISC_FALSE;
-	opts->has_old_clients = ISC_FALSE;
-	opts->expert_mode = ISC_FALSE;
-	opts->auth_nx_domain = ISC_FALSE;
-	opts->multiple_cnames = ISC_FALSE;
-	opts->use_id_pool = ISC_FALSE;
-	opts->rfc2308_type1 = ISC_FALSE;
-	opts->request_ixfr = ISC_FALSE;
-	opts->provide_ixfr = ISC_FALSE;
-	opts->dialup = ISC_FALSE;
-
-	opts->tcp_clients = 0;
-	opts->recursive_clients = 0;
-
-	opts->max_transfer_time_in = 0;
-	opts->max_transfer_time_out = 0;
-	opts->max_transfer_idle_in = 0;
-	opts->max_transfer_idle_out = 0;
-
-	opts->data_size = 0;
-	opts->stack_size = 0;
-	opts->core_size = 0;
-	opts->files = 0;
-	
-	opts->transfer_format = dns_one_answer;
-	
-	for (i = 0 ; i < DNS_C_TRANSCOUNT ; i++) {
-		opts->check_names[i] = dns_severity_fail;
-	}
-
-	opts->queryacl = NULL;
-	opts->transferacl = NULL;
-	opts->recursionacl = NULL;
-	opts->blackhole = NULL;
-	opts->topology = NULL;
-	opts->sortlist = NULL;
-	opts->listens = NULL;
-	opts->ordering = NULL;
-
-	opts->forward = dns_c_forw_only;
-	opts->forwarders = NULL;
-
-	memset(&opts->setflags1, 0x0, sizeof opts->setflags1);
-	
-	*options = opts;
-	
-	return (ISC_R_SUCCESS);
-}
-
-
-isc_result_t
-dns_c_ctx_optionsdelete(dns_c_options_t **opts)
-{
-	dns_c_options_t *options;
-	isc_result_t r, result;
-	
-	REQUIRE(opts != NULL);
-
-	options = *opts;
-	if (options == NULL) {
-		return (ISC_R_SUCCESS);
-	}
-	
-	REQUIRE(DNS_C_CONFOPT_VALID(options));
-
-	if (options->directory != NULL) {
-		isc_mem_free(options->mem, options->directory);
-	}
-
-	if (options->version != NULL) {
-		isc_mem_free(options->mem, options->version);
-	}
-
-	if (options->dump_filename != NULL) {
-		isc_mem_free(options->mem, options->dump_filename);
-	}
-
-	if (options->pid_filename != NULL) {
-		isc_mem_free(options->mem, options->pid_filename);
-	}
-
-	if (options->stats_filename != NULL) {
-		isc_mem_free(options->mem, options->stats_filename);
-	}
-
-	if (options->memstats_filename != NULL) {
-		isc_mem_free(options->mem, options->memstats_filename);
-	}
-
-	if (options->named_xfer != NULL) {
-		isc_mem_free(options->mem, options->named_xfer);
-	}
-
-	if (options->also_notify != NULL) {
-		dns_c_iplist_detach(&options->also_notify);
-	}
-
-	if (options->tkeydomain != NULL) {
-		isc_mem_free(options->mem, options->tkeydomain);
-	}
-	
-	if (options->tkeydhkeycp != NULL) {
-		isc_mem_free(options->mem, options->tkeydhkeycp);
-	}
-
-	result = ISC_R_SUCCESS;
-	
-	if (options->queryacl != NULL) {
-		r = dns_c_ipmatchlist_detach(&options->queryacl);
-		if (r != ISC_R_SUCCESS)
-			result = r;
-	}
-	
-	if (options->transferacl != NULL) {
-		r = dns_c_ipmatchlist_detach(&options->transferacl);
-		if (r != ISC_R_SUCCESS)
-			result = r;
-	}
-	
-	if (options->recursionacl != NULL) {
-		r = dns_c_ipmatchlist_detach(&options->recursionacl);
-		if (r != ISC_R_SUCCESS)
-			result = r;
-	}
-	
-	if (options->blackhole != NULL) {
-		r = dns_c_ipmatchlist_detach(&options->blackhole);
-		if (r != ISC_R_SUCCESS)
-			result = r;
-	}
-	
-	if (options->topology != NULL) {
-		r = dns_c_ipmatchlist_detach(&options->topology);
-		if (r != ISC_R_SUCCESS)
-			result = r;
-	}
-	
-	if (options->sortlist != NULL) {
-		r = dns_c_ipmatchlist_detach(&options->sortlist);
-		if (r != ISC_R_SUCCESS)
-			result = r;
-	}
-	
-	if (options->listens != NULL) {
-		r = dns_c_lstnlist_delete(&options->listens);
-		if (r != ISC_R_SUCCESS)
-			result = r;
-	}
-	
-	if (options->ordering != NULL) {
-		r = dns_c_rrsolist_delete(&options->ordering);
-		if (r != ISC_R_SUCCESS)
-			result = r;
-	}
-	
-	if (options->forwarders != NULL) {
-		r = dns_c_iplist_detach(&options->forwarders);
-		if (r != ISC_R_SUCCESS)
-			result = r;
-	}
-	
-	*opts = NULL;
-	options->magic = 0;
-	
-	isc_mem_put(options->mem, options, sizeof *options);
-	
-	return (result);
-}
-
-
-void
-dns_c_ctx_optionsprint(FILE *fp, int indent, dns_c_options_t *options)
-{
-	dns_severity_t nameseverity;
-	in_port_t port;
-	
-	REQUIRE(fp != NULL);
-
-	if (options == NULL) {
-		return;
-	}
-	
-	REQUIRE(DNS_C_CONFOPT_VALID(options));
-
-#define PRINT_INTEGER(field, bit, name, bitfield)			\
-	if (DNS_C_CHECKBIT(bit, &options->bitfield)) {			\
-		dns_c_printtabs(fp, indent + 1);			\
-		fprintf(fp, "%s %d;\n",name,(int)options->field);	\
-	}
-	
-#define PRINT_AS_MINUTES(field, bit, name, bitfield)		\
-	if (DNS_C_CHECKBIT(bit, &options->bitfield)) {		\
-		dns_c_printtabs(fp, indent + 1);		\
-		fprintf(fp, "%s %lu;\n",name,			\
-			(unsigned long)options->field / 60);	\
-	}
-
-#define PRINT_AS_BOOLEAN(field, bit, name, bitfield)		\
-	if (DNS_C_CHECKBIT(bit, &options->bitfield)) {		\
-		dns_c_printtabs(fp, indent + 1);		\
-		fprintf(fp, "%s %s;\n",name,			\
-			(options->field ? "true" : "false"));	\
-	}
-
-#define PRINT_AS_SIZE_CLAUSE(field, bit, name, bitfield)	\
-	if (DNS_C_CHECKBIT(bit, &options->bitfield)) {		\
-		dns_c_printtabs(fp, indent + 1);		\
-		fprintf(fp, "%s ",name);			\
-		if (options->field == DNS_C_SIZE_SPEC_DEFAULT) { \
-			fprintf(fp, "default");			\
-		} else {					\
-			dns_c_printinunits(fp, options->field); \
-		}						\
-		fprintf(fp, ";\n");				\
-	}
-
-#define PRINT_CHAR_P(field, name)					\
-	if (options->field != NULL) {					\
-		dns_c_printtabs(fp, indent + 1);			\
-		fprintf(fp, "%s \"%s\";\n", name, options->field);	\
-	}
-	
-
-
-	dns_c_printtabs(fp, indent);
-	fprintf (fp, "options {\n");
-
-	PRINT_CHAR_P(version, "version");
-	PRINT_CHAR_P(directory, "directory");
-	PRINT_CHAR_P(dump_filename, "dump-file");
-	PRINT_CHAR_P(pid_filename, "pid-file");
-	PRINT_CHAR_P(stats_filename, "statistics-file");
-	PRINT_CHAR_P(memstats_filename, "memstatistics-file");
-	PRINT_CHAR_P(named_xfer, "named-xfer");
-	PRINT_CHAR_P(tkeydomain, "tkey-domain");
-
-	if (options->tkeydhkeycp != NULL) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "tkey-dhkey \"%s\" %d ;\n",
-			options->tkeydhkeycp, options->tkeydhkeyi);
-	}
-	
-	PRINT_INTEGER(transfers_in, TRANSFERS_IN_BIT,
-		      "transfers-in", setflags1);
-	PRINT_INTEGER(transfers_per_ns, TRANSFERS_PER_NS_BIT,
-		      "transfers-per-ns", setflags1);
-	PRINT_INTEGER(transfers_out, TRANSFERS_OUT_BIT,
-		      "transfers-out", setflags1);
-	PRINT_INTEGER(max_log_size_ixfr, MAX_LOG_SIZE_IXFR_BIT,
-		      "max-ixfr-log-size", setflags1);
-	PRINT_INTEGER(tcp_clients, TCP_CLIENTS_BIT,
-		      "tcp-clients", setflags1);
-	PRINT_INTEGER(recursive_clients, RECURSIVE_CLIENTS_BIT,
-		      "recursive-clients", setflags1);
-	
-	
-	PRINT_INTEGER(max_ncache_ttl, MAX_NCACHE_TTL_BIT,
-		      "max-ncache-ttl", setflags1);
-	
-	PRINT_AS_MINUTES(clean_interval, CLEAN_INTERVAL_BIT,
-			 "cleaning-interval", setflags1);
-	PRINT_AS_MINUTES(interface_interval, INTERFACE_INTERVAL_BIT,
-			 "interface-interval", setflags1);
-	PRINT_AS_MINUTES(stats_interval, STATS_INTERVAL_BIT,
-			 "statistics-interval", setflags1);
-	PRINT_AS_MINUTES(heartbeat_interval, HEARTBEAT_INTERVAL_BIT,
-			 "heartbeat-interval", setflags1);
-	PRINT_AS_MINUTES(max_transfer_time_in, MAX_TRANSFER_TIME_IN_BIT,
-			 "max-transfer-time-in", setflags1);
-	PRINT_AS_MINUTES(max_transfer_time_out, MAX_TRANSFER_TIME_OUT_BIT,
-			 "max-transfer-time-out", setflags1);
-	PRINT_AS_MINUTES(max_transfer_idle_in, MAX_TRANSFER_IDLE_IN_BIT,
-			 "max-transfer-idle-in", setflags1);
-	PRINT_AS_MINUTES(max_transfer_idle_out, MAX_TRANSFER_IDLE_OUT_BIT,
-			 "max-transfer-idle-out", setflags1);
-
-	PRINT_AS_SIZE_CLAUSE(data_size, DATA_SIZE_BIT, "datasize",
-			     setflags1);	
-	PRINT_AS_SIZE_CLAUSE(stack_size, STACK_SIZE_BIT, "stacksize",
-			     setflags1);	
-	PRINT_AS_SIZE_CLAUSE(core_size, CORE_SIZE_BIT, "coresize",
-			     setflags1);	
-	PRINT_AS_SIZE_CLAUSE(files, FILES_BIT, "files",
-			     setflags1);
-
-	PRINT_AS_BOOLEAN(expert_mode, EXPERT_MODE_BIT,
-			 "expert-mode", setflags1);
-	PRINT_AS_BOOLEAN(fake_iquery, FAKE_IQUERY_BIT,
-			 "fake-iquery", setflags1);
-	PRINT_AS_BOOLEAN(recursion, RECURSION_BIT,
-			 "recursion", setflags1);
-	PRINT_AS_BOOLEAN(fetch_glue, FETCH_GLUE_BIT,
-			 "fetch-glue", setflags1);
-	PRINT_AS_BOOLEAN(notify, NOTIFY_BIT,
-			 "notify", setflags1);
-	PRINT_AS_BOOLEAN(host_statistics, HOST_STATISTICS_BIT,
-			 "host-statistics", setflags1);
-	PRINT_AS_BOOLEAN(dealloc_on_exit, DEALLOC_ON_EXIT_BIT,
-			 "deallocate-on-exit", setflags1);
-	PRINT_AS_BOOLEAN(use_ixfr, USE_IXFR_BIT,
-			 "use-ixfr", setflags1);
-	PRINT_AS_BOOLEAN(maintain_ixfr_base, MAINTAIN_IXFR_BASE_BIT,
-			 "maintain-ixfr-base", setflags1);
-	PRINT_AS_BOOLEAN(has_old_clients, HAS_OLD_CLIENTS_BIT,
-			 "has-old-clients", setflags1);
-	PRINT_AS_BOOLEAN(auth_nx_domain, AUTH_NX_DOMAIN_BIT,
-			 "auth-nxdomain", setflags1);
-	PRINT_AS_BOOLEAN(multiple_cnames, MULTIPLE_CNAMES_BIT,
-			 "multiple-cnames", setflags1);
-	PRINT_AS_BOOLEAN(use_id_pool, USE_ID_POOL_BIT,
-			 "use-id-pool", setflags1);
-	PRINT_AS_BOOLEAN(rfc2308_type1, RFC2308_TYPE1_BIT,
-			 "rfc2308-type1", setflags1);
-	PRINT_AS_BOOLEAN(request_ixfr, REQUEST_IXFR_BIT,
-			 "request-ixfr", setflags1);
-	PRINT_AS_BOOLEAN(provide_ixfr, PROVIDE_IXFR_BIT,
-			 "provide-ixfr", setflags1);
-	PRINT_AS_BOOLEAN(dialup, DIALUP_BIT,
-			 "dialup", setflags1);
-
-#undef PRINT_INTEGER
-#undef PRINT_AS_MINUTES
-#undef PRINT_AS_BOOLEAN
-#undef PRINT_AS_SIZE_CLAUSE
-#undef PRINT_CHAR_P
-
-
-	if (DNS_C_CHECKBIT(OPTIONS_TRANSFER_FORMAT_BIT, &options->setflags1)) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "transfer-format %s;\n",
-			dns_c_transformat2string(options->transfer_format,
-						 ISC_TRUE));
-	}
-	
-	
-	if (DNS_C_CHECKBIT(QUERY_SOURCE_BIT, &options->setflags1)) {
-		port = isc_sockaddr_getport(&options->query_source);
-
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "query-source address ");
-
-		dns_c_print_ipaddr(fp, &options->query_source);
-
-		if (port == 0) {
-			fprintf(fp, " port *");
-		} else {
-			fprintf(fp, " port %d", port);
-		}
-		fprintf(fp, " ;\n");
-	}
-
-
-	if (DNS_C_CHECKBIT(QUERY_SOURCE_V6_BIT, &options->setflags1)) {
-		port = isc_sockaddr_getport(&options->query_source_v6);
-
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "query-source-v6 address ");
-
-		dns_c_print_ipaddr(fp, &options->query_source_v6);
-
-		if (port == 0) {
-			fprintf(fp, " port *");
-		} else {
-			fprintf(fp, " port %d", port);
-		}
-		fprintf(fp, " ;\n");
-	}
-
-
-	if (DNS_C_CHECKBIT(CHECKNAME_PRIM_BIT, &options->setflags1)) {
-		nameseverity = options->check_names[dns_trans_primary];
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "check-names %s %s;\n",
-			dns_c_transport2string(dns_trans_primary,
-					       ISC_TRUE),
-			dns_c_nameseverity2string(nameseverity,
-						  ISC_TRUE));
-	}
-		
-	if (DNS_C_CHECKBIT(CHECKNAME_SEC_BIT, &options->setflags1)) {
-		nameseverity = options->check_names[dns_trans_secondary];
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "check-names %s %s;\n",
-			dns_c_transport2string(dns_trans_secondary,
-					       ISC_TRUE),
-			dns_c_nameseverity2string(nameseverity,
-						  ISC_TRUE));
-	}
-		
-	if (DNS_C_CHECKBIT(CHECKNAME_RESP_BIT, &options->setflags1)) {
-		nameseverity = options->check_names[dns_trans_response];
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "check-names %s %s;\n",
-			dns_c_transport2string(dns_trans_response,
-					       ISC_TRUE),
-			dns_c_nameseverity2string(nameseverity,
-						  ISC_TRUE));
-	}
-
-	fprintf(fp, "\n");
-	
-	if (options->queryacl != NULL) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "allow-query ");
-		dns_c_ipmatchlist_print(fp, 2, options->queryacl);
-		fprintf(fp, ";\n");
-	}
-
-	if (options->transferacl != NULL) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "allow-transfer ");
-		dns_c_ipmatchlist_print(fp, 2, options->transferacl);
-		fprintf(fp, ";\n");
-	}
-
-	if (options->recursionacl != NULL) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "allow-recursion ");
-		dns_c_ipmatchlist_print(fp, 2, options->recursionacl);
-		fprintf(fp, ";\n");
-	}
-
-	if (options->blackhole != NULL) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "blackhole ");
-		dns_c_ipmatchlist_print(fp, 2, options->blackhole);
-		fprintf(fp, ";\n");
-	}
-
-	if (options->topology != NULL) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "topology ");
-		dns_c_ipmatchlist_print(fp, 2, options->topology);
-		fprintf(fp, ";\n");
-	}
-
-	if (options->sortlist != NULL) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "sortlist ");
-		dns_c_ipmatchlist_print(fp, 2, options->sortlist);
-		fprintf(fp, ";\n");
-	}
-
-	if (options->listens != NULL) {
-		dns_c_lstnlist_print(fp, indent + 1,
-				     options->listens);
-	}
-	
-	dns_c_ctx_forwarderprint(fp, indent + 1, options);
-
-	if (options->ordering != NULL) {
-		dns_c_rrsolist_print(fp, indent + 1, options->ordering);
-	}
-
-	if (options->also_notify != NULL) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "also-notify ") ;
-		dns_c_iplist_print(fp, indent + 2, options->also_notify);
-		fprintf(fp, ";\n");
-	}
-
-	if (DNS_C_CHECKBIT(TRANSFER_SOURCE_BIT, &options->setflags1)) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "transfer-source ");
-		dns_c_print_ipaddr(fp, &options->transfer_source);
-		fprintf(fp, ";\n");
-	}
-	
-
-	if (DNS_C_CHECKBIT(TRANSFER_SOURCE_V6_BIT, &options->setflags1)) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "transfer-source-v6 ");
-		dns_c_print_ipaddr(fp, &options->transfer_source_v6);
-		fprintf(fp, ";\n");
-	}
-	
-
-	dns_c_printtabs(fp, indent);
-	fprintf(fp,"};\n");
-}
-
-
-isc_boolean_t
-dns_c_ctx_keydefinedp(dns_c_ctx_t *ctx, const char *keyname)
-{
-	dns_c_kdef_t *keyid;
-	isc_result_t res;
-	isc_boolean_t rval = ISC_FALSE;
-
-	REQUIRE(DNS_C_CONFCTX_VALID(ctx));
-	REQUIRE(keyname != NULL);
-	REQUIRE(*keyname != '\0');
-	
-	if (ctx->keydefs != NULL) {
-		res = dns_c_kdeflist_find(ctx->keydefs, keyname, &keyid);
-		if (res == ISC_R_SUCCESS) {
-			rval = ISC_TRUE;
-		}
-	}
-
-	return rval;
-}
-
+/*
+**
+*/
 
 isc_result_t
 dns_c_ctx_setalsonotify(dns_c_ctx_t *cfg,
-			dns_c_iplist_t *iml,
-			isc_boolean_t copy)
+			dns_c_iplist_t *iml)
 {
-	isc_result_t res;
+	isc_result_t result;
 	
 	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
 
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
+	result = make_options(cfg);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
 	}
 	
 	REQUIRE(iml != NULL);
 
-	res = cfg_set_iplist(cfg->options, &cfg->options->also_notify,
-			     iml, copy);
+	if (cfg->options->also_notify != NULL)
+		dns_c_iplist_detach(&cfg->options->also_notify);
 
-	return (res);
+	dns_c_iplist_attach(iml, &cfg->options->also_notify);
+
+	return (ISC_R_SUCCESS);
 }
 	
 
@@ -3924,110 +2460,66 @@ dns_c_ctx_getalsonotify(dns_c_ctx_t *cfg, dns_c_iplist_t **ret)
 {
 	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
 
-	if (cfg->options == NULL) {
+	if (cfg->options == NULL || cfg->options->also_notify == NULL) {
 		return (ISC_R_NOTFOUND);
 	}
 	
 	REQUIRE(ret != NULL);
 
-	return (cfg_get_iplist(cfg->options, cfg->options->also_notify, ret));
-}
+	dns_c_iplist_attach(cfg->options->also_notify, ret);
 
-
-isc_result_t
-dns_c_ctx_settransfersource(dns_c_ctx_t *cfg, isc_sockaddr_t newval)
-{
-	isc_boolean_t existed;
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	existed = DNS_C_CHECKBIT(TRANSFER_SOURCE_BIT,
-				 &cfg->options->setflags1);
-	DNS_C_SETBIT(TRANSFER_SOURCE_BIT, &cfg->options->setflags1);
-	
-	cfg->options->transfer_source = newval;
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 
+
 isc_result_t
-dns_c_ctx_gettransfersource(dns_c_ctx_t *cfg, isc_sockaddr_t *retval)
+dns_c_ctx_unsetalsonotify(dns_c_ctx_t *cfg)
 {
-	isc_result_t res;
-
 	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
 
 	if (cfg->options == NULL) {
 		return (ISC_R_NOTFOUND);
 	}
-	
-	REQUIRE(retval != NULL);
 
-	if (DNS_C_CHECKBIT(TRANSFER_SOURCE_BIT, &cfg->options->setflags1)) {
-		*retval = cfg->options->transfer_source;
-		res = ISC_R_SUCCESS;
+	REQUIRE(DNS_C_CONFOPT_VALID(cfg->options));
+	
+	if (cfg->options->also_notify != NULL) {
+		dns_c_iplist_detach(&cfg->options->also_notify);
+		return (ISC_R_SUCCESS);
 	} else {
-		res = ISC_R_NOTFOUND;
+		return (ISC_R_NOTFOUND);
 	}
-
-	return (res);
 }
-	
 
-isc_result_t
-dns_c_ctx_settransfersourcev6(dns_c_ctx_t *cfg, isc_sockaddr_t newval)
-{
-	isc_boolean_t existed;
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-	REQUIRE(newval.type.sa.sa_family == AF_INET6);	/* XXX too strong? */
-
-	res = make_options(cfg);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	
-	existed = DNS_C_CHECKBIT(TRANSFER_SOURCE_V6_BIT,
-				 &cfg->options->setflags1);
-	DNS_C_SETBIT(TRANSFER_SOURCE_V6_BIT, &cfg->options->setflags1);
-	
-	cfg->options->transfer_source_v6 = newval;
 
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
+/*
+**
+*/
 
 
-isc_result_t
-dns_c_ctx_gettransfersourcev6(dns_c_ctx_t *cfg, isc_sockaddr_t *retval)
+isc_boolean_t
+dns_c_ctx_keydefinedp(dns_c_ctx_t *cfg, const char *keyname)
 {
+	dns_c_kdef_t *keyid;
 	isc_result_t res;
+	isc_boolean_t rval = ISC_FALSE;
 
 	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
-
-	if (cfg->options == NULL) {
-		return (ISC_R_NOTFOUND);
-	}
+	REQUIRE(keyname != NULL);
+	REQUIRE(*keyname != '\0');
 	
-	REQUIRE(retval != NULL);
-
-	if (DNS_C_CHECKBIT(TRANSFER_SOURCE_V6_BIT, &cfg->options->setflags1)) {
-		*retval = cfg->options->transfer_source_v6;
-		res = ISC_R_SUCCESS;
-	} else {
-		res = ISC_R_NOTFOUND;
+	if (cfg->keydefs != NULL) {
+		res = dns_c_kdeflist_find(cfg->keydefs, keyname, &keyid);
+		if (res == ISC_R_SUCCESS) {
+			rval = ISC_TRUE;
+		}
 	}
 
-	return (res);
+	return rval;
 }
-	
+
+
 
 
 
@@ -4124,147 +2616,9 @@ cfg_set_iplist(dns_c_options_t *options,
 }
 
 
-static isc_result_t
-cfg_set_ipmatchlist(dns_c_options_t *options,
-		    dns_c_ipmatchlist_t **fieldaddr,
-		    dns_c_ipmatchlist_t *newval,
-		    isc_boolean_t copy)
-{
-        isc_result_t res;
-        isc_boolean_t existed = ISC_FALSE;
-        
-        REQUIRE(DNS_C_CONFOPT_VALID(options));
-        REQUIRE(fieldaddr != NULL);
-
-        if (*fieldaddr != NULL) {
-                existed = ISC_TRUE;
-        }
-        
-        if (newval == NULL) {
-                res = dns_c_ipmatchlist_new(options->mem, fieldaddr);
-        } else if (copy) {
-                if (*fieldaddr != NULL) {
-                        res = dns_c_ipmatchlist_empty(*fieldaddr);
-                        if (res == ISC_R_SUCCESS && newval != NULL) {
-                                res = dns_c_ipmatchlist_append(*fieldaddr,
-                                                               newval,
-                                                               ISC_FALSE);
-                        }
-                } else {
-                        res = dns_c_ipmatchlist_copy(options->mem,
-                                                     fieldaddr, newval);
-                }
-        } else {
-                if (*fieldaddr != NULL) {
-                        res = dns_c_ipmatchlist_detach(fieldaddr);
-                        if (res != ISC_R_SUCCESS) {
-                                return (res);
-                        }
-                } 
-
-                res = ISC_R_SUCCESS;
-                
-                *fieldaddr = newval;
-        }
-
-        if (res == ISC_R_SUCCESS && existed) {
-                res = ISC_R_EXISTS;
-        }
-        
-        return (res);
-}
-
 
 
-static isc_result_t
-cfg_set_boolean(dns_c_options_t *options,
-		isc_boolean_t *fieldaddr,
-		isc_boolean_t newval,
-		dns_c_setbits_t *setfield,
-		isc_uint32_t bitnumber)
-{
-	isc_boolean_t existed;
 
-	REQUIRE(DNS_C_CONFOPT_VALID(options));
-	REQUIRE(setfield != NULL);
-	REQUIRE(fieldaddr != NULL);
-	REQUIRE(bitnumber < DNS_C_SETBITS_SIZE);
-
-	*fieldaddr = newval;
-
-	existed = DNS_C_CHECKBIT(bitnumber, setfield);
-	DNS_C_SETBIT(bitnumber, setfield);
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-
-static isc_result_t
-cfg_set_int32(dns_c_options_t *options,
-	      isc_int32_t *fieldaddr,
-	      isc_int32_t newval,
-	      dns_c_setbits_t *setfield,
-	      isc_uint32_t bitnumber)
-{
-	isc_boolean_t existed;
-
-	REQUIRE(DNS_C_CONFOPT_VALID(options));
-	REQUIRE(setfield != NULL);
-	REQUIRE(fieldaddr != NULL);
-	REQUIRE(bitnumber < DNS_C_SETBITS_SIZE);
-
-	*fieldaddr = newval;
-
-	existed = DNS_C_CHECKBIT(bitnumber, setfield);
-	DNS_C_SETBIT(bitnumber, setfield);
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-
-static isc_result_t
-cfg_set_uint32(dns_c_options_t *options,
-	       isc_uint32_t *fieldaddr,
-	       isc_uint32_t newval,
-	       dns_c_setbits_t *setfield,
-	       isc_uint32_t bitnumber)
-{
-	isc_boolean_t existed;
-
-	REQUIRE(DNS_C_CONFOPT_VALID(options));
-	REQUIRE(setfield != NULL);
-	REQUIRE(fieldaddr != NULL);
-	REQUIRE(bitnumber < DNS_C_SETBITS_SIZE);
-
-	*fieldaddr = newval;
-
-	existed = DNS_C_CHECKBIT(bitnumber, setfield);
-	DNS_C_SETBIT(bitnumber, setfield);
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-
-static isc_result_t
-cfg_get_ipmatchlist(dns_c_options_t *options,
-		    dns_c_ipmatchlist_t *field,
-		    dns_c_ipmatchlist_t **resval)
-{
-	isc_result_t res;
-
-	REQUIRE(DNS_C_CONFOPT_VALID(options));
-	REQUIRE(resval != NULL);
-
-	if (field != NULL && !ISC_LIST_EMPTY(field->elements)) {
-		dns_c_ipmatchlist_attach(field, resval);
-		res = ISC_R_SUCCESS;
-	} else {
-		*resval = NULL;
-		res = ISC_R_NOTFOUND;
-	}
-
-	return (res);
-}
 
 
 static isc_result_t
@@ -4274,6 +2628,8 @@ cfg_get_iplist(dns_c_options_t *options,
 {
 	isc_result_t res;
 
+	UNUSED(options);
+	
 	REQUIRE(DNS_C_CONFOPT_VALID(options));
 	REQUIRE(resval != NULL);
 
@@ -4289,83 +2645,6 @@ cfg_get_iplist(dns_c_options_t *options,
 }
 
 
-static isc_result_t
-cfg_get_boolean(dns_c_options_t *options,
-		isc_boolean_t *field,
-		isc_boolean_t *result,
-		dns_c_setbits_t *setfield,
-		isc_uint32_t bitnumber)
-{
-	isc_result_t res;
-
-	REQUIRE(DNS_C_CONFOPT_VALID(options));
-	REQUIRE(result != NULL);
-	REQUIRE(field != NULL);
-	REQUIRE(setfield != NULL);
-	REQUIRE(bitnumber < DNS_C_SETBITS_SIZE);
-
-	if (DNS_C_CHECKBIT(bitnumber,setfield)) {
-		*result = *field;
-		res = ISC_R_SUCCESS;
-	} else {
-		res = ISC_R_NOTFOUND;
-	}
-
-	return (res);
-}
-
-
-static isc_result_t
-cfg_get_int32(dns_c_options_t *options,
-	      isc_int32_t *field,
-	      isc_int32_t *result,
-	      dns_c_setbits_t *setfield,
-	      isc_uint32_t bitnumber)
-{
-	isc_result_t res;
-
-	REQUIRE(DNS_C_CONFOPT_VALID(options));
-	REQUIRE(result != NULL);
-	REQUIRE(field != NULL);
-	REQUIRE(setfield != NULL);
-	REQUIRE(bitnumber < DNS_C_SETBITS_SIZE);
-
-	if (DNS_C_CHECKBIT(bitnumber,setfield)) {
-		*result = *field;
-		res = ISC_R_SUCCESS;
-	} else {
-		res = ISC_R_NOTFOUND;
-	}
-
-	return (res);
-}
-
-
-static isc_result_t
-cfg_get_uint32(dns_c_options_t *options,
-	       isc_uint32_t *field,
-	       isc_uint32_t *result,
-	       dns_c_setbits_t *setfield,
-	       isc_uint32_t bitnumber)
-{
-	isc_result_t res;
-
-	REQUIRE(DNS_C_CONFOPT_VALID(options));
-	REQUIRE(result != NULL);
-	REQUIRE(field != NULL);
-	REQUIRE(setfield != NULL);
-	REQUIRE(bitnumber < DNS_C_SETBITS_SIZE);
-
-	if (DNS_C_CHECKBIT(bitnumber,setfield)) {
-		*result = *field;
-		res = ISC_R_SUCCESS;
-	} else {
-		res = ISC_R_NOTFOUND;
-	}
-
-	return (res);
-}
-
 
 static isc_result_t
 acl_init(dns_c_ctx_t *cfg)
@@ -4386,10 +2665,6 @@ static isc_result_t
 logging_init (dns_c_ctx_t *cfg)
 {
 	isc_result_t res;
-#if 0
-	dns_c_logcat_t *cat;
-	dns_c_logchan_t *chan;
-#endif
 	
 	REQUIRE(DNS_C_CONFCTX_VALID(cfg));
 	REQUIRE(cfg->logging == NULL);
@@ -4399,89 +2674,6 @@ logging_init (dns_c_ctx_t *cfg)
 		return (res);
 	}
 
-#if 0
-	/* default_syslog channel */
-	chan = NULL;
-	res = dns_c_ctx_addsyslogchannel(cfg, DNS_C_DEFAULT_SYSLOG,
-					 &chan);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	dns_c_logchan_setpredef(chan, ISC_TRUE);
-	dns_c_logchan_setfacility(chan, LOG_DAEMON);
-	dns_c_logchan_setseverity(chan, dns_c_log_info);
-
-	
-	/* default_debug channel */
-	chan = NULL;
-	res = dns_c_ctx_addfile_channel(cfg, DNS_C_DEFAULT_DEBUG, &chan);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	dns_c_logchan_setpredef(chan, ISC_TRUE);
-	dns_c_logchan_setpath(chan, DNS_C_DEFAULT_DEBUG_PATH);
-	dns_c_logchan_setseverity(chan, dns_c_log_dynamic);
-
-
-	/* null channel */
-	chan = NULL;
-	res = dns_c_ctx_addnullchannel(cfg, DNS_C_NULL, &chan);
-	dns_c_logchan_setpredef(chan, ISC_TRUE);
-
-
-	/* default_stderr channel */
-	chan = NULL;
-	res = dns_c_ctx_addfile_channel(cfg, DNS_C_DEFAULT_STDERR,
-					&chan);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	dns_c_logchan_setpredef(chan, ISC_TRUE);
-	dns_c_logchan_setpath(chan, DNS_C_STDERR_PATH);
-	dns_c_logchan_setseverity(chan, dns_c_log_info);
-
-
-	/* default category */
-	cat = NULL;
-	res = dns_c_ctx_addcategory(cfg, "default", &cat);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	dns_c_logcat_setpredef(cat, ISC_TRUE);
-	dns_c_logcat_addname(cat, DNS_C_DEFAULT_SYSLOG);
-	dns_c_logcat_addname(cat, DNS_C_DEFAULT_DEBUG);
-	
-
-	/* panic category */
-	cat = NULL;
-	res = dns_c_ctx_addcategory(cfg, "panic", &cat);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	dns_c_logcat_setpredef(cat, ISC_TRUE);
-	dns_c_logcat_addname(cat, DNS_C_DEFAULT_SYSLOG);
-	dns_c_logcat_addname(cat, DNS_C_DEFAULT_DEBUG);
-
-	
-	/* eventlib category */
-	cat = NULL;
-	res = dns_c_ctx_addcategory(cfg, "eventlib", &cat);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	dns_c_logcat_setpredef(cat, ISC_TRUE);
-	dns_c_logcat_addname(cat, DNS_C_DEFAULT_DEBUG);
-
-
-	/* packet category */
-	cat = NULL;
-	res = dns_c_ctx_addcategory(cfg, "packet", &cat);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
-	}
-	dns_c_logcat_setpredef(cat, ISC_TRUE);
-	dns_c_logcat_addname(cat, DNS_C_DEFAULT_DEBUG);
-#endif
 	return (ISC_R_SUCCESS);
 }
 
@@ -4504,5 +2696,3 @@ make_options(dns_c_ctx_t *cfg)
 
 	return (res);
 }
-
-
diff --git a/lib/dns/config/confip.c b/lib/dns/config/confip.c
index b3e9e09d..e2fa05b5 100644
--- a/lib/dns/config/confip.c
+++ b/lib/dns/config/confip.c
@@ -15,19 +15,21 @@
  * SOFTWARE.
  */
 
+/* $Id: confip.c,v 1.24 2000/05/08 14:35:27 tale Exp $ */
+
 #include <config.h>
 
-#include <string.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <dns/confip.h>
-#include <dns/confcommon.h>
 #include <dns/log.h>
 
-/* Flag for dns_c_ipmatch_element */
+/*
+ * Flag for dns_c_ipmatch_element.
+ */
 #define DNS_C_IPMATCH_NEGATE	0x01	/* match means deny access */
 
 
@@ -35,8 +37,7 @@ static isc_result_t checkmask(isc_sockaddr_t *address, isc_uint32_t bits);
 static isc_result_t bits2v6mask(struct in6_addr *addr, isc_uint32_t bits);
 
 isc_result_t
-dns_c_ipmatchelement_new(isc_mem_t *mem, dns_c_ipmatchelement_t **result)
-{
+dns_c_ipmatchelement_new(isc_mem_t *mem, dns_c_ipmatchelement_t **result) {
 	dns_c_ipmatchelement_t *ime ;
 
 	REQUIRE(result != NULL);
@@ -60,10 +61,8 @@ dns_c_ipmatchelement_new(isc_mem_t *mem, dns_c_ipmatchelement_t **result)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_boolean_t
-dns_c_ipmatchelement_isneg(dns_c_ipmatchelement_t *elem)
-{
+dns_c_ipmatchelement_isneg(dns_c_ipmatchelement_t *elem) {
 
 	REQUIRE(DNS_C_IPMELEM_VALID(elem));
 	
@@ -71,10 +70,8 @@ dns_c_ipmatchelement_isneg(dns_c_ipmatchelement_t *elem)
 			DNS_C_IPMATCH_NEGATE));
 }
 
-
 isc_result_t
-dns_c_ipmatchelement_delete(isc_mem_t *mem, dns_c_ipmatchelement_t **ipme)
-{
+dns_c_ipmatchelement_delete(isc_mem_t *mem, dns_c_ipmatchelement_t **ipme) {
 	dns_c_ipmatchelement_t *elem;
 	
 	REQUIRE(mem != NULL);
@@ -105,7 +102,7 @@ dns_c_ipmatchelement_delete(isc_mem_t *mem, dns_c_ipmatchelement_t **ipme)
 		break;
 
 	case dns_c_ipmatch_key:
-		isc_mem_free(mem, elem->u.key );
+		isc_mem_free(mem, elem->u.key);
 		break;
 
 	case dns_c_ipmatch_acl:
@@ -131,7 +128,6 @@ dns_c_ipmatchelement_delete(isc_mem_t *mem, dns_c_ipmatchelement_t **ipme)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
 dns_c_ipmatchelement_copy(isc_mem_t *mem,
 			  dns_c_ipmatchelement_t **dest,
@@ -193,8 +189,6 @@ dns_c_ipmatchelement_copy(isc_mem_t *mem,
 	return (ISC_R_SUCCESS);
 }
 
-
-
 isc_boolean_t
 dns_c_ipmatchelement_equal(dns_c_ipmatchelement_t *e1,
 			   dns_c_ipmatchelement_t *e2)
@@ -238,8 +232,7 @@ dns_c_ipmatchelement_equal(dns_c_ipmatchelement_t *e1,
 }
 
 isc_result_t
-dns_c_ipmatchlocalhost_new(isc_mem_t *mem, dns_c_ipmatchelement_t **result)
-{
+dns_c_ipmatchlocalhost_new(isc_mem_t *mem, dns_c_ipmatchelement_t **result) {
 	dns_c_ipmatchelement_t *ime = NULL;
 	isc_result_t res;
 
@@ -258,11 +251,8 @@ dns_c_ipmatchlocalhost_new(isc_mem_t *mem, dns_c_ipmatchelement_t **result)
 	return (res);
 }
 
-
 isc_result_t
-dns_c_ipmatchlocalnets_new(isc_mem_t *mem,
-			   dns_c_ipmatchelement_t **result)
-{
+dns_c_ipmatchlocalnets_new(isc_mem_t *mem, dns_c_ipmatchelement_t **result) {
 	dns_c_ipmatchelement_t *ime = NULL;
 	isc_result_t res;
 
@@ -281,10 +271,8 @@ dns_c_ipmatchlocalnets_new(isc_mem_t *mem,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_ipmatchany_new(isc_mem_t *mem, dns_c_ipmatchelement_t **result)
-{
+dns_c_ipmatchany_new(isc_mem_t *mem, dns_c_ipmatchelement_t **result) {
 	dns_c_ipmatchelement_t *ime = NULL;
 	isc_result_t res;
 
@@ -303,7 +291,6 @@ dns_c_ipmatchany_new(isc_mem_t *mem, dns_c_ipmatchelement_t **result)
 	return (res);
 }
 
-
 isc_result_t
 dns_c_ipmatchindirect_new(isc_mem_t *mem,
 			  dns_c_ipmatchelement_t **result,
@@ -346,7 +333,6 @@ dns_c_ipmatchindirect_new(isc_mem_t *mem,
 	return (res);
 }
 
-
 isc_result_t
 dns_c_ipmatchpattern_new(isc_mem_t *mem,
 			 dns_c_ipmatchelement_t **result,
@@ -381,7 +367,6 @@ dns_c_ipmatchpattern_new(isc_mem_t *mem,
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
 dns_c_ipmatchkey_new(isc_mem_t *mem,
 		     dns_c_ipmatchelement_t **result,
@@ -409,7 +394,6 @@ dns_c_ipmatchkey_new(isc_mem_t *mem,
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
 dns_c_ipmatch_aclnew(isc_mem_t *mem,
 		     dns_c_ipmatchelement_t **result,
@@ -438,10 +422,8 @@ dns_c_ipmatch_aclnew(isc_mem_t *mem,
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_ipmatch_negate(dns_c_ipmatchelement_t *ipe)
-{
+dns_c_ipmatch_negate(dns_c_ipmatchelement_t *ipe) {
 	REQUIRE(DNS_C_IPMELEM_VALID(ipe));
 
 	if ((ipe->flags & DNS_C_IPMATCH_NEGATE) == DNS_C_IPMATCH_NEGATE) {
@@ -453,10 +435,8 @@ dns_c_ipmatch_negate(dns_c_ipmatchelement_t *ipe)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_ipmatchlist_new(isc_mem_t *mem, dns_c_ipmatchlist_t **ptr)
-{
+dns_c_ipmatchlist_new(isc_mem_t *mem, dns_c_ipmatchlist_t **ptr) {
 	dns_c_ipmatchlist_t *newlist;
 
 	REQUIRE(ptr != NULL);
@@ -478,10 +458,8 @@ dns_c_ipmatchlist_new(isc_mem_t *mem, dns_c_ipmatchlist_t **ptr)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_ipmatchlist_detach(dns_c_ipmatchlist_t **ml)
-{
+dns_c_ipmatchlist_detach(dns_c_ipmatchlist_t **ml) {
 	dns_c_ipmatchelement_t *ime;
 	dns_c_ipmatchelement_t *iptr;
 	dns_c_ipmatchlist_t *iml;
@@ -517,7 +495,6 @@ dns_c_ipmatchlist_detach(dns_c_ipmatchlist_t **ml)
 	return (ISC_R_SUCCESS);
 }
 
-
 void
 dns_c_ipmatchlist_attach(dns_c_ipmatchlist_t *source,
 			 dns_c_ipmatchlist_t **target)
@@ -531,10 +508,8 @@ dns_c_ipmatchlist_attach(dns_c_ipmatchlist_t *source,
 	*target = source;
 }
 
-
 isc_result_t
-dns_c_ipmatchlist_empty(dns_c_ipmatchlist_t *ipml)
-{
+dns_c_ipmatchlist_empty(dns_c_ipmatchlist_t *ipml) {
 	dns_c_ipmatchelement_t *ime ;
 	dns_c_ipmatchelement_t *imptmp;
 	isc_result_t res = ISC_R_SUCCESS;
@@ -554,7 +529,6 @@ dns_c_ipmatchlist_empty(dns_c_ipmatchlist_t *ipml)
 	return (res);
 }
 
-
 isc_result_t
 dns_c_ipmatchlist_copy(isc_mem_t *mem,
 		       dns_c_ipmatchlist_t **dest, dns_c_ipmatchlist_t *src)
@@ -619,7 +593,6 @@ dns_c_ipmatchlist_equal(dns_c_ipmatchlist_t *l1, dns_c_ipmatchlist_t *l2) {
 	return (ISC_TRUE);
 }
 
-
 isc_result_t
 dns_c_ipmatchlist_append(dns_c_ipmatchlist_t *dest,
 			 dns_c_ipmatchlist_t *src,
@@ -653,10 +626,8 @@ dns_c_ipmatchlist_append(dns_c_ipmatchlist_t *dest,
 	return (result);
 }
 
-
 isc_result_t
-dns_c_ipmatchelement_print(FILE *fp, int indent,
-			   dns_c_ipmatchelement_t *ipme)
+dns_c_ipmatchelement_print(FILE *fp, int indent, dns_c_ipmatchelement_t *ipme)
 {
 	int bits;
 
@@ -729,10 +700,8 @@ dns_c_ipmatchelement_print(FILE *fp, int indent,
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_ipmatchlist_print(FILE *fp, int indent, dns_c_ipmatchlist_t *ml)
-{
+dns_c_ipmatchlist_print(FILE *fp, int indent, dns_c_ipmatchlist_t *ml) {
 	dns_c_ipmatchelement_t *ipme ;
 
 	REQUIRE(DNS_C_IPMLIST_VALID(ml));
@@ -761,10 +730,8 @@ dns_c_ipmatchlist_print(FILE *fp, int indent, dns_c_ipmatchlist_t *ml)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_iplist_new(isc_mem_t *mem, int length, dns_c_iplist_t **newlist)
-{
+dns_c_iplist_new(isc_mem_t *mem, int length, dns_c_iplist_t **newlist) {
 	dns_c_iplist_t *list;
 	size_t bytes;
 
@@ -797,10 +764,8 @@ dns_c_iplist_new(isc_mem_t *mem, int length, dns_c_iplist_t **newlist)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_iplist_detach(dns_c_iplist_t **list)
-{
+dns_c_iplist_detach(dns_c_iplist_t **list) {
 	dns_c_iplist_t *l ;
 
 	REQUIRE(list != NULL);
@@ -823,11 +788,8 @@ dns_c_iplist_detach(dns_c_iplist_t **list)
 	return (ISC_R_SUCCESS);
 }
 
-
 void
-dns_c_iplist_attach(dns_c_iplist_t *source,
-		    dns_c_iplist_t **target)
-{
+dns_c_iplist_attach(dns_c_iplist_t *source, dns_c_iplist_t **target) {
 	REQUIRE(DNS_C_IPLIST_VALID(source));
 	INSIST(source->refcount > 0);
 
@@ -835,11 +797,8 @@ dns_c_iplist_attach(dns_c_iplist_t *source,
 	*target = source;
 }
 
-
-
 isc_result_t
-dns_c_iplist_copy(isc_mem_t *mem, dns_c_iplist_t **dest, dns_c_iplist_t *src)
-{
+dns_c_iplist_copy(isc_mem_t *mem, dns_c_iplist_t **dest, dns_c_iplist_t *src) {
 	dns_c_iplist_t *newl;
 	isc_result_t res;
 	isc_uint32_t i;
@@ -880,35 +839,66 @@ dns_c_iplist_equal(dns_c_iplist_t *list1, dns_c_iplist_t *list2) {
 	return (ISC_TRUE);
 }
 
-
 void
-dns_c_iplist_print(FILE *fp, int indent, dns_c_iplist_t *list)
+dns_c_iplist_printfully(FILE *fp, int indent, isc_boolean_t porttoo,
+			dns_c_iplist_t *list)
 {
 	isc_uint32_t i;
+	in_port_t port;
+	in_port_t tmpport;
+	isc_boolean_t athead = ISC_TRUE;
 
 	REQUIRE(DNS_C_IPLIST_VALID(list));
 		
-	fprintf(fp, "{\n");
-
 	if (list->nextidx == 0) {
+		fputc('{', fp);
+		fputc('\n', fp);
 		dns_c_printtabs(fp, indent);
 		fprintf(fp, "/* no ip addresses defined */\n");
+		dns_c_printtabs(fp, indent - 1); 
+		fputc('}', fp);
 	} else {
+		if (porttoo) {
+			port = isc_sockaddr_getport(&list->ips[0]);
+			
+			for (i = 0 ; i < list->nextidx ; i++) {
+				tmpport = isc_sockaddr_getport(&list->ips[i]);
+				if (tmpport != port) {
+					athead = ISC_FALSE;
+				}
+			}
+
+			if (athead) {
+				fprintf(fp, "port %d ", port);
+			}
+		}
+
+		fputc('{', fp);
+		fputc('\n', fp);
+
 		for (i = 0 ; i < list->nextidx ; i++) {
 			dns_c_printtabs(fp, indent);
 			dns_c_print_ipaddr(fp, &list->ips[i]);
+			if (!athead) {
+				fprintf(fp, " port %d",
+					isc_sockaddr_getport(&list->ips[i]));
+			}
 			fprintf(fp, ";\n");
 		}
+		dns_c_printtabs(fp, indent - 1);
+		fputc('}', fp);
 	}
-	
-	dns_c_printtabs(fp, indent - 1);
-	fprintf(fp, "}");
+
+	fputc('\n', fp);
 }
 
+void
+dns_c_iplist_print(FILE *fp, int indent, dns_c_iplist_t *list) {
+	dns_c_iplist_printfully(fp, indent, ISC_FALSE, list);
+}
 
 isc_result_t
-dns_c_iplist_append(dns_c_iplist_t *list, isc_sockaddr_t newaddr)
-{
+dns_c_iplist_append(dns_c_iplist_t *list, isc_sockaddr_t newaddr) {
 	isc_uint32_t i;
 
 	REQUIRE(DNS_C_IPLIST_VALID(list));
@@ -949,10 +939,8 @@ dns_c_iplist_append(dns_c_iplist_t *list, isc_sockaddr_t newaddr)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_iplist_remove(dns_c_iplist_t *list, isc_sockaddr_t newaddr)
-{
+dns_c_iplist_remove(dns_c_iplist_t *list, isc_sockaddr_t newaddr) {
 	isc_uint32_t i;
 
 	REQUIRE(DNS_C_IPLIST_VALID(list));
@@ -975,16 +963,12 @@ dns_c_iplist_remove(dns_c_iplist_t *list, isc_sockaddr_t newaddr)
 	return (ISC_R_SUCCESS);
 }
 
-
-
-
 /*
  * Check that the address given is a network address with the given number
  * of high order bits.
  */
 static isc_result_t
-checkmask(isc_sockaddr_t *address, isc_uint32_t bits)
-{
+checkmask(isc_sockaddr_t *address, isc_uint32_t bits) {
 	if (bits > 0) {
 		if (address->type.sa.sa_family == AF_INET) {
 			isc_uint32_t mask;
@@ -1026,16 +1010,13 @@ checkmask(isc_sockaddr_t *address, isc_uint32_t bits)
 	return (ISC_R_SUCCESS);
 }
 
-
-
 /*
  * Create a 128 bits mask in network byte order in the the IPv6 address
  * section of the sockaddr. The bits argument is the number of high bits
  * that are to be set to 1.
  */
 static isc_result_t
-bits2v6mask(struct in6_addr *addr, isc_uint32_t bits)
-{
+bits2v6mask(struct in6_addr *addr, isc_uint32_t bits) {
 	int i;
 	isc_uint32_t bitmask[4];
 	char addrbuff [ sizeof "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff" + 1 ];
diff --git a/lib/dns/config/confkeys.c b/lib/dns/config/confkeys.c
index 4de6f4a3..f96f30aa 100644
--- a/lib/dns/config/confkeys.c
+++ b/lib/dns/config/confkeys.c
@@ -15,23 +15,22 @@
  * SOFTWARE.
  */
 
-#include <config.h>
+/* $Id: confkeys.c,v 1.22 2000/05/08 19:23:28 tale Exp $ */
 
-#include <string.h>
+#include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/util.h>
 
-#include <dns/result.h>
 #include <dns/confkeys.h>
 #include <dns/confcommon.h>
 
-static isc_result_t keyid_delete(dns_c_kid_t **ki);
-
+static isc_result_t
+keyid_delete(dns_c_kid_t **ki);
 
 isc_result_t
-dns_c_kdeflist_new(isc_mem_t *mem, dns_c_kdeflist_t **list)
-{
+dns_c_kdeflist_new(isc_mem_t *mem, dns_c_kdeflist_t **list) {
 	dns_c_kdeflist_t *newlist;
 
 	REQUIRE(mem != NULL);
@@ -229,33 +228,30 @@ dns_c_kdeflist_print(FILE *fp, int indent, dns_c_kdeflist_t *list)
 
 
 isc_result_t
-dns_c_kdef_new(dns_c_kdeflist_t *list, const char *name,
-	       dns_c_kdef_t **keyid)
+dns_c_kdef_new(isc_mem_t *mem, const char *name, dns_c_kdef_t **keyid)
 {
 	dns_c_kdef_t *kd;
 
-	REQUIRE(DNS_C_KDEFLIST_VALID(list));
 	REQUIRE(keyid != NULL);
 	REQUIRE(name != NULL);
 	REQUIRE(*name != '\0');
 	
-	kd = isc_mem_get(list->mem, sizeof *kd);
+	kd = isc_mem_get(mem, sizeof *kd);
 	if (kd == NULL) {
 		return (ISC_R_NOMEMORY);
 	}
 
-	kd->keyid = isc_mem_strdup(list->mem, name);
+	kd->keyid = isc_mem_strdup(mem, name);
 	if (kd->keyid == NULL) {
-		isc_mem_put(list->mem, kd, sizeof *kd);
+		isc_mem_put(mem, kd, sizeof *kd);
 	}
 
 	kd->magic = DNS_C_KDEF_MAGIC;
-	kd->mylist = list;
+	kd->mem = mem;
+	
 	kd->algorithm = NULL;
 	kd->secret = NULL;
 
-	ISC_LIST_APPEND(list->keydefs, kd, next);
-
 	*keyid = kd;
 	
 	return (ISC_R_SUCCESS);
@@ -273,7 +269,7 @@ dns_c_kdef_delete(dns_c_kdef_t **keydef)
 
 	kd = *keydef;
 
-	mem = kd->mylist->mem;
+	mem = kd->mem;
 	
 	isc_mem_free(mem, kd->keyid);
 
@@ -287,7 +283,7 @@ dns_c_kdef_delete(dns_c_kdef_t **keydef)
 
 	kd->magic = 0;
 	kd->keyid = NULL;
-	kd->mylist = NULL;
+	kd->mem = NULL;
 	kd->algorithm = NULL;
 	kd->secret = NULL;
 
@@ -344,17 +340,11 @@ dns_c_kdef_copy(isc_mem_t *mem,
 void
 dns_c_kdef_print(FILE *fp, int indent, dns_c_kdef_t *keydef)
 {
-	const char *quote = "";
-	
 	REQUIRE(fp != NULL);
 	REQUIRE(DNS_C_KDEF_VALID(keydef));
 
-	if (dns_c_need_quote(keydef->keyid)) {
-		quote = "\"";
-	}
-
 	dns_c_printtabs(fp, indent);
-	fprintf(fp, "key %s%s%s {\n",quote, keydef->keyid, quote);
+	fprintf(fp, "key \"%s\" {\n", keydef->keyid);
 
 	dns_c_printtabs(fp, indent + 1);
 	fprintf(fp, "algorithm \"%s\";\n",keydef->algorithm);
@@ -375,11 +365,10 @@ dns_c_kdef_setalgorithm(dns_c_kdef_t *keydef, const char *algorithm)
 	REQUIRE(*algorithm != '\0');
 
 	if (keydef->algorithm != NULL) {
-		isc_mem_free(keydef->mylist->mem, keydef->algorithm);
+		isc_mem_free(keydef->mem, keydef->algorithm);
 	}
 	
-	keydef->algorithm = isc_mem_strdup(keydef->mylist->mem,
-					   algorithm);
+	keydef->algorithm = isc_mem_strdup(keydef->mem, algorithm);
 	if (keydef->algorithm == NULL) {
 		return (ISC_R_NOMEMORY);
 	}
@@ -396,10 +385,10 @@ dns_c_kdef_setsecret(dns_c_kdef_t *keydef, const char *secret)
 	REQUIRE(*secret != '\0');
 	
 	if (keydef->secret != NULL) {
-		isc_mem_free(keydef->mylist->mem, keydef->secret);
+		isc_mem_free(keydef->mem, keydef->secret);
 	}
 	
-	keydef->secret = isc_mem_strdup(keydef->mylist->mem, secret);
+	keydef->secret = isc_mem_strdup(keydef->mem, secret);
 	if (keydef->secret == NULL) {
 		return (ISC_R_NOMEMORY);
 	}
@@ -471,10 +460,10 @@ keyid_delete(dns_c_kid_t **keyid)
 	
 	ki = *keyid;
 
-	isc_mem_free(ki->mylist->mem, ki->keyid);
+	isc_mem_free(ki->mem, ki->keyid);
 
 	ki->magic = 0;
-	isc_mem_put(ki->mylist->mem, ki, sizeof *ki);
+	isc_mem_put(ki->mem, ki, sizeof *ki);
 
 	*keyid = NULL;
 	
@@ -532,11 +521,20 @@ dns_c_kidlist_find(dns_c_kidlist_t *list, const char *keyid,
 
 
 void
+dns_c_kidlist_append(dns_c_kidlist_t *list, dns_c_kid_t *keyid)
+{
+	REQUIRE(DNS_C_KEYIDLIST_VALID(list));
+	REQUIRE(DNS_C_KEYID_VALID(keyid));
+
+	ISC_LIST_APPEND(list->keyids, keyid, next);
+}
+
+
+void
 dns_c_kidlist_print(FILE *fp, int indent,
 		    dns_c_kidlist_t *list)
 {
 	dns_c_kid_t *iter;
-	const char *quote;
 
 	REQUIRE(fp != NULL);
 	REQUIRE(DNS_C_KEYIDLIST_VALID(list));
@@ -553,13 +551,8 @@ dns_c_kidlist_print(FILE *fp, int indent,
 		fprintf(fp, "/* no keys defined */\n");
 	} else {
 		while (iter != NULL) {
-			if (dns_c_need_quote(iter->keyid)) {
-				quote = "\"";
-			} else {
-				quote = "";
-			}
 			dns_c_printtabs(fp, indent + 1);
-			fprintf(fp, "%s%s%s;\n", quote, iter->keyid, quote);
+			fprintf(fp, "\"%s\";\n", iter->keyid);
 			iter = ISC_LIST_NEXT(iter, next);
 		}
 	}
@@ -570,26 +563,24 @@ dns_c_kidlist_print(FILE *fp, int indent,
 
 
 isc_result_t
-dns_c_kid_new(dns_c_kidlist_t *list, const char *name, dns_c_kid_t **keyid)
+dns_c_kid_new(isc_mem_t *mem, const char *name, dns_c_kid_t **keyid)
 {
 	dns_c_kid_t *ki;
 
-	REQUIRE(DNS_C_KEYIDLIST_VALID(list));
 	REQUIRE(name != NULL);
 	REQUIRE(*name != '\0');
 	REQUIRE(keyid != NULL);
 	
-	ki = isc_mem_get(list->mem, sizeof *ki);
+	ki = isc_mem_get(mem, sizeof *ki);
 	if (ki == NULL) {
 		return (ISC_R_NOMEMORY);
 	}
 
 	ki->magic = DNS_C_KEYID_MAGIC;
-	ki->mylist = list;
-	ki->keyid = isc_mem_strdup(list->mem, name);
+	ki->mem = mem;
+	ki->keyid = isc_mem_strdup(mem, name);
 
 	ISC_LINK_INIT(ki, next);
-	ISC_LIST_APPEND(list->keyids, ki, next);
 
 	*keyid = ki;
 
diff --git a/lib/dns/config/conflog.c b/lib/dns/config/conflog.c
index af132714..ea7f267e 100644
--- a/lib/dns/config/conflog.c
+++ b/lib/dns/config/conflog.c
@@ -15,18 +15,17 @@
  * SOFTWARE.
  */
 
-#include <config.h>
+/* $Id: conflog.c,v 1.15 2000/05/08 18:42:38 brister Exp $ */
 
-#include <string.h>
+#include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <dns/conflog.h>
-#include <dns/confcommon.h>
 #include <dns/log.h>
 
-
 #include "confpvt.h"
 
 
@@ -44,20 +43,17 @@
 #define CHAN_PTIME_BIT			6
 #define CHAN_FACILITY_BIT		7
 
+static void
+print_log_facility(FILE *fp, int value);
 
+static void
+print_log_severity(FILE *fp, dns_c_logseverity_t severity);
 
-static void		print_log_facility(FILE *fp,
-					   int value);
-static void		print_log_severity(FILE *fp,
-					   dns_c_logseverity_t severity);
-static isc_boolean_t	logginglist_empty(dns_c_logginglist_t *ll);
-
-
+static isc_boolean_t
+logginglist_empty(dns_c_logginglist_t *ll);
 
 isc_result_t
-dns_c_logginglist_new(isc_mem_t *mem,
-		      dns_c_logginglist_t **list)
-{
+dns_c_logginglist_new(isc_mem_t *mem, dns_c_logginglist_t **list) {
 	dns_c_logginglist_t *newl;
 
 	REQUIRE(list != NULL);
@@ -79,8 +75,7 @@ dns_c_logginglist_new(isc_mem_t *mem,
 
 
 isc_result_t
-dns_c_logginglist_delete(dns_c_logginglist_t **list)
-{
+dns_c_logginglist_delete(dns_c_logginglist_t **list) {
 	dns_c_logginglist_t *l;
 	dns_c_logchan_t *chan, *tmpchan;
 	dns_c_logcat_t *cat, *tmpcat;
@@ -167,13 +162,14 @@ dns_c_logginglist_copy(isc_mem_t *mem,
 		logcat = ISC_LIST_NEXT(logcat, next);
 	}
 
+	*dest = newl;
+
 	return (ISC_R_SUCCESS);
 }
 
 
 static isc_boolean_t
-logginglist_empty(dns_c_logginglist_t *ll)
-{
+logginglist_empty(dns_c_logginglist_t *ll) {
 	dns_c_logchan_t *logchan;
 	dns_c_logcat_t *logcat;
 
@@ -529,8 +525,7 @@ dns_c_logchan_new(isc_mem_t *mem, const char *name,
 
 
 isc_result_t
-dns_c_logchan_delete(dns_c_logchan_t **channel)
-{
+dns_c_logchan_delete(dns_c_logchan_t **channel) {
 	dns_c_logchan_t *logc;
 
 	REQUIRE(channel != NULL);
@@ -686,8 +681,7 @@ dns_c_logchan_print(FILE *fp, int indent, dns_c_logchan_t *logchan,
 
 
 isc_result_t
-dns_c_logchan_setpath(dns_c_logchan_t *channel, const char *path)
-{
+dns_c_logchan_setpath(dns_c_logchan_t *channel, const char *path) {
 	isc_boolean_t existed = ISC_FALSE;
 
 	REQUIRE(DNS_C_LOGCHAN_VALID(channel));
@@ -717,8 +711,7 @@ dns_c_logchan_setpath(dns_c_logchan_t *channel, const char *path)
 
 
 isc_result_t
-dns_c_logchan_setversions(dns_c_logchan_t *channel, isc_uint32_t versions)
-{
+dns_c_logchan_setversions(dns_c_logchan_t *channel, isc_uint32_t versions) {
 	isc_boolean_t existed;
 
 	REQUIRE(DNS_C_LOGCHAN_VALID(channel));
@@ -741,8 +734,7 @@ dns_c_logchan_setversions(dns_c_logchan_t *channel, isc_uint32_t versions)
 
 
 isc_result_t
-dns_c_logchan_setsize(dns_c_logchan_t *channel, isc_uint32_t size)
-{
+dns_c_logchan_setsize(dns_c_logchan_t *channel, isc_uint32_t size) {
 	isc_boolean_t existed;
 
 	REQUIRE(DNS_C_LOGCHAN_VALID(channel));
@@ -765,8 +757,7 @@ dns_c_logchan_setsize(dns_c_logchan_t *channel, isc_uint32_t size)
 
 
 isc_result_t
-dns_c_logchan_setfacility(dns_c_logchan_t *channel, int facility)
-{
+dns_c_logchan_setfacility(dns_c_logchan_t *channel, int facility) {
 	isc_boolean_t existed;
 
 	REQUIRE(DNS_C_LOGCHAN_VALID(channel));
@@ -816,8 +807,7 @@ dns_c_logchan_setseverity(dns_c_logchan_t *channel,
 
 
 isc_result_t
-dns_c_logchan_setdebuglevel(dns_c_logchan_t *channel, isc_int32_t level)
-{
+dns_c_logchan_setdebuglevel(dns_c_logchan_t *channel, isc_int32_t level) {
 	isc_boolean_t existed;
 
 	REQUIRE(DNS_C_LOGCHAN_VALID(channel));
@@ -837,8 +827,7 @@ dns_c_logchan_setdebuglevel(dns_c_logchan_t *channel, isc_int32_t level)
 
 
 isc_result_t
-dns_c_logchan_setprintcat(dns_c_logchan_t *channel, isc_boolean_t newval)
-{
+dns_c_logchan_setprintcat(dns_c_logchan_t *channel, isc_boolean_t newval) {
 	isc_boolean_t existed;
 
 	REQUIRE(DNS_C_LOGCHAN_VALID(channel));
@@ -853,8 +842,7 @@ dns_c_logchan_setprintcat(dns_c_logchan_t *channel, isc_boolean_t newval)
 
 
 isc_result_t
-dns_c_logchan_setprintsev(dns_c_logchan_t *channel, isc_boolean_t newval)
-{
+dns_c_logchan_setprintsev(dns_c_logchan_t *channel, isc_boolean_t newval) {
 	isc_boolean_t existed;
 
 	REQUIRE(DNS_C_LOGCHAN_VALID(channel));
@@ -869,8 +857,7 @@ dns_c_logchan_setprintsev(dns_c_logchan_t *channel, isc_boolean_t newval)
 
 
 isc_result_t
-dns_c_logchan_setprinttime(dns_c_logchan_t *channel, isc_boolean_t newval)
-{
+dns_c_logchan_setprinttime(dns_c_logchan_t *channel, isc_boolean_t newval) {
 	isc_boolean_t existed;
 
 	REQUIRE(DNS_C_LOGCHAN_VALID(channel));
@@ -884,8 +871,7 @@ dns_c_logchan_setprinttime(dns_c_logchan_t *channel, isc_boolean_t newval)
 }
 
 isc_result_t
-dns_c_logchan_setpredef(dns_c_logchan_t *channel, isc_boolean_t newval)
-{
+dns_c_logchan_setpredef(dns_c_logchan_t *channel, isc_boolean_t newval) {
 	REQUIRE(DNS_C_LOGCHAN_VALID(channel));
 
 	channel->predefined = newval;
@@ -898,8 +884,7 @@ dns_c_logchan_setpredef(dns_c_logchan_t *channel, isc_boolean_t newval)
 
 
 isc_result_t
-dns_c_logchan_getpath(dns_c_logchan_t *channel, const char **path)
-{
+dns_c_logchan_getpath(dns_c_logchan_t *channel, const char **path) {
 	isc_result_t res;
 
 	REQUIRE(DNS_C_LOGCHAN_VALID(channel));
@@ -920,8 +905,7 @@ dns_c_logchan_getpath(dns_c_logchan_t *channel, const char **path)
 
 
 isc_result_t
-dns_c_logchan_getversions(dns_c_logchan_t *channel, isc_uint32_t *retval)
-{
+dns_c_logchan_getversions(dns_c_logchan_t *channel, isc_uint32_t *retval) {
 	isc_result_t res;
 
 	REQUIRE(DNS_C_LOGCHAN_VALID(channel));
@@ -942,8 +926,7 @@ dns_c_logchan_getversions(dns_c_logchan_t *channel, isc_uint32_t *retval)
 
 
 isc_result_t
-dns_c_logchan_getsize(dns_c_logchan_t *channel, isc_uint32_t *retval)
-{
+dns_c_logchan_getsize(dns_c_logchan_t *channel, isc_uint32_t *retval) {
 	isc_result_t res;
 
 	REQUIRE(DNS_C_LOGCHAN_VALID(channel));
@@ -964,8 +947,7 @@ dns_c_logchan_getsize(dns_c_logchan_t *channel, isc_uint32_t *retval)
 
 
 isc_result_t
-dns_c_logchan_getfacility(dns_c_logchan_t *channel, int *retval)
-{
+dns_c_logchan_getfacility(dns_c_logchan_t *channel, int *retval) {
 	isc_result_t res;
 
 	REQUIRE(DNS_C_LOGCHAN_VALID(channel));
@@ -1007,8 +989,7 @@ dns_c_logchan_getseverity(dns_c_logchan_t *channel,
 
 
 isc_result_t
-dns_c_logchan_getdebuglevel(dns_c_logchan_t *channel, isc_int32_t *retval)
-{
+dns_c_logchan_getdebuglevel(dns_c_logchan_t *channel, isc_int32_t *retval) {
 	isc_result_t res;
 
 	REQUIRE(DNS_C_LOGCHAN_VALID(channel));
@@ -1026,8 +1007,7 @@ dns_c_logchan_getdebuglevel(dns_c_logchan_t *channel, isc_int32_t *retval)
 
 
 isc_result_t
-dns_c_logchan_getprintcat(dns_c_logchan_t *channel, isc_boolean_t *retval)
-{
+dns_c_logchan_getprintcat(dns_c_logchan_t *channel, isc_boolean_t *retval) {
 	isc_result_t res;
 
 	REQUIRE(DNS_C_LOGCHAN_VALID(channel));
@@ -1045,8 +1025,7 @@ dns_c_logchan_getprintcat(dns_c_logchan_t *channel, isc_boolean_t *retval)
 
 
 isc_result_t
-dns_c_logchan_getprintsev(dns_c_logchan_t *channel, isc_boolean_t *retval)
-{
+dns_c_logchan_getprintsev(dns_c_logchan_t *channel, isc_boolean_t *retval) {
 	isc_result_t res;
 
 	REQUIRE(DNS_C_LOGCHAN_VALID(channel));
@@ -1065,8 +1044,7 @@ dns_c_logchan_getprintsev(dns_c_logchan_t *channel, isc_boolean_t *retval)
 
 
 isc_result_t
-dns_c_logchan_getprinttime(dns_c_logchan_t *channel, isc_boolean_t *retval)
-{
+dns_c_logchan_getprinttime(dns_c_logchan_t *channel, isc_boolean_t *retval) {
 	isc_result_t res;
 
 	REQUIRE(DNS_C_LOGCHAN_VALID(channel));
@@ -1084,8 +1062,7 @@ dns_c_logchan_getprinttime(dns_c_logchan_t *channel, isc_boolean_t *retval)
 
 
 isc_result_t
-dns_c_logchan_getpredef(dns_c_logchan_t *channel, isc_boolean_t *retval)
-{
+dns_c_logchan_getpredef(dns_c_logchan_t *channel, isc_boolean_t *retval) {
 	REQUIRE(DNS_C_LOGCHAN_VALID(channel));
 	REQUIRE(retval != NULL);
 
@@ -1099,8 +1076,7 @@ dns_c_logchan_getpredef(dns_c_logchan_t *channel, isc_boolean_t *retval)
  * Logging category
  */
 isc_result_t
-dns_c_logcat_new(isc_mem_t *mem, const char *name, dns_c_logcat_t **newlc)
-{
+dns_c_logcat_new(isc_mem_t *mem, const char *name, dns_c_logcat_t **newlc) {
 	dns_c_logcat_t *newc;
 	unsigned int i;
 
@@ -1135,8 +1111,7 @@ dns_c_logcat_new(isc_mem_t *mem, const char *name, dns_c_logcat_t **newlc)
 
 
 isc_result_t
-dns_c_logcat_delete(dns_c_logcat_t **logcat)
-{
+dns_c_logcat_delete(dns_c_logcat_t **logcat) {
 	dns_c_logcat_t *logc;
 	unsigned int i;
 
@@ -1167,8 +1142,7 @@ dns_c_logcat_delete(dns_c_logcat_t **logcat)
 
 
 isc_result_t
-dns_c_logcat_copy(isc_mem_t *mem, dns_c_logcat_t **dest, dns_c_logcat_t *src)
-{
+dns_c_logcat_copy(isc_mem_t *mem, dns_c_logcat_t **dest, dns_c_logcat_t *src) {
 	unsigned int i;
 	dns_c_logcat_t *newc;
 	isc_result_t res;
@@ -1189,6 +1163,8 @@ dns_c_logcat_copy(isc_mem_t *mem, dns_c_logcat_t **dest, dns_c_logcat_t *src)
 		}
 	}
 
+	*dest = newc;
+
 	return (ISC_R_SUCCESS);
 }
 
@@ -1220,8 +1196,7 @@ dns_c_logcat_print(FILE *fp, int indent, dns_c_logcat_t *logcat,
 
 
 isc_result_t
-dns_c_logcat_addname(dns_c_logcat_t *logcat, const char *name)
-{
+dns_c_logcat_addname(dns_c_logcat_t *logcat, const char *name) {
 	unsigned int i;
 
 	REQUIRE(DNS_C_LOGCAT_VALID(logcat));
@@ -1265,8 +1240,7 @@ dns_c_logcat_addname(dns_c_logcat_t *logcat, const char *name)
 
 
 isc_result_t
-dns_c_logcat_delname(dns_c_logcat_t *logcat, const char *name)
-{
+dns_c_logcat_delname(dns_c_logcat_t *logcat, const char *name) {
 	unsigned int i ;
 	isc_result_t res;
 
@@ -1299,8 +1273,7 @@ dns_c_logcat_delname(dns_c_logcat_t *logcat, const char *name)
 
 
 isc_result_t
-dns_c_logcat_setpredef(dns_c_logcat_t *logcat,isc_boolean_t newval)
-{
+dns_c_logcat_setpredef(dns_c_logcat_t *logcat,isc_boolean_t newval) {
 	REQUIRE(DNS_C_LOGCAT_VALID(logcat));
 
 	logcat->predefined = newval;
@@ -1310,8 +1283,7 @@ dns_c_logcat_setpredef(dns_c_logcat_t *logcat,isc_boolean_t newval)
 
 
 isc_result_t
-dns_c_logcat_getpredef(dns_c_logcat_t *logcat, isc_boolean_t *retval)
-{
+dns_c_logcat_getpredef(dns_c_logcat_t *logcat, isc_boolean_t *retval) {
 	REQUIRE(DNS_C_LOGCAT_VALID(logcat));
 	REQUIRE(retval != NULL);
 
@@ -1327,8 +1299,7 @@ dns_c_logcat_getpredef(dns_c_logcat_t *logcat, isc_boolean_t *retval)
 
 
 static void
-print_log_facility(FILE *fp, int value)
-{
+print_log_facility(FILE *fp, int value) {
 	REQUIRE(fp != NULL);
 	
 	fputs(dns_c_facility2string(value, ISC_TRUE), fp);
@@ -1336,8 +1307,7 @@ print_log_facility(FILE *fp, int value)
 
 
 static void
-print_log_severity(FILE *fp, dns_c_logseverity_t severity)
-{
+print_log_severity(FILE *fp, dns_c_logseverity_t severity) {
 	REQUIRE(fp != NULL);
 	
 	fputs(dns_c_logseverity2string(severity, ISC_TRUE), fp);
diff --git a/lib/dns/config/conflsn.c b/lib/dns/config/conflsn.c
index 35ef6a8d..c078db11 100644
--- a/lib/dns/config/conflsn.c
+++ b/lib/dns/config/conflsn.c
@@ -15,20 +15,19 @@
  * SOFTWARE.
  */
 
+/* $Id: conflsn.c,v 1.13 2000/05/08 14:35:30 tale Exp $ */
+
 #include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/util.h>
 
 #include <dns/conflsn.h>
-#include <dns/confcommon.h>
 
 #include "confpvt.h"
 
-
 isc_result_t
-dns_c_lstnon_new(isc_mem_t *mem, dns_c_lstnon_t **listen)
-{
+dns_c_lstnon_new(isc_mem_t *mem, dns_c_lstnon_t **listen) {
 	dns_c_lstnon_t *ll;
 	isc_result_t result;
 
@@ -54,10 +53,8 @@ dns_c_lstnon_new(isc_mem_t *mem, dns_c_lstnon_t **listen)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_lstnon_delete(dns_c_lstnon_t **listen)
-{
+dns_c_lstnon_delete(dns_c_lstnon_t **listen) {
 	dns_c_lstnon_t *lo;
 	isc_result_t r;
 
@@ -80,7 +77,6 @@ dns_c_lstnon_delete(dns_c_lstnon_t **listen)
 	return (r);
 }
 
-
 isc_result_t
 dns_c_lstnon_setiml(dns_c_lstnon_t *listen,
 		    dns_c_ipmatchlist_t *iml, isc_boolean_t deepcopy)
@@ -110,15 +106,8 @@ dns_c_lstnon_setiml(dns_c_lstnon_t *listen,
 	return (result);
 }
 
-	
-		
-
-
-
-
 isc_result_t
-dns_c_lstnlist_new(isc_mem_t *mem, dns_c_lstnlist_t **llist)
-{
+dns_c_lstnlist_new(isc_mem_t *mem, dns_c_lstnlist_t **llist) {
 	dns_c_lstnlist_t *ll;
 
 	REQUIRE(llist != NULL);
@@ -140,10 +129,8 @@ dns_c_lstnlist_new(isc_mem_t *mem, dns_c_lstnlist_t **llist)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_lstnlist_delete(dns_c_lstnlist_t **llist)
-{
+dns_c_lstnlist_delete(dns_c_lstnlist_t **llist) {
 	dns_c_lstnlist_t *ll;
 	dns_c_lstnon_t *lo, *lotmp;
 	isc_result_t r;
@@ -173,11 +160,8 @@ dns_c_lstnlist_delete(dns_c_lstnlist_t **llist)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_lstnlist_print(FILE *fp, int indent,
-		     dns_c_lstnlist_t *ll)
-{
+dns_c_lstnlist_print(FILE *fp, int indent, dns_c_lstnlist_t *ll) {
 	dns_c_lstnon_t *lo;
 
 	REQUIRE(DNS_C_LISTENLIST_VALID(ll));
@@ -193,10 +177,8 @@ dns_c_lstnlist_print(FILE *fp, int indent,
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_lstnon_print(FILE *fp, int indent, dns_c_lstnon_t *lo)
-{
+dns_c_lstnon_print(FILE *fp, int indent, dns_c_lstnon_t *lo) {
 	REQUIRE(lo != NULL);
 	REQUIRE(DNS_C_LISTEN_VALID(lo));
 	
diff --git a/lib/dns/config/confndc.c b/lib/dns/config/confndc.c
index abea5926..a966ff68 100644
--- a/lib/dns/config/confndc.c
+++ b/lib/dns/config/confndc.c
@@ -15,10 +15,11 @@
  * SOFTWARE.
  */
 
+/* $Id: confndc.c,v 1.14 2000/05/13 19:45:13 tale Exp $ */
 
 /*
 **	options {
-**	  [ default-server  server_name; ]
+**	  [ default-server server_name; ]
 **	  [ default-key key_name; ]
 **	};
 **	
@@ -37,38 +38,21 @@
 
 #include <config.h>
 
-#include <config.h>
-
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
 #include <ctype.h>
-#include <errno.h> 
-#include <limits.h>
-#include <string.h>
-#include <sys/types.h> 
-
-#include <syslog.h>
+#include <stdlib.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/mutex.h>
-#include <isc/lex.h>
-#include <isc/symtab.h>
-#include <isc/error.h>
-#include <isc/once.h>
+#include <isc/string.h>
 #include <isc/dir.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
 #include <isc/net.h>
+#include <isc/print.h>
+#include <isc/symtab.h>
+#include <isc/util.h>
 
 #include <dns/confndc.h>
 #include <dns/log.h>
  
-#include <dns/result.h>
-#include <dns/rdatatype.h>
-#include <dns/rdataclass.h>
-
-#include <dns/types.h>
-
 /* Type keys for symtab lookup */
 #define KEYWORD_SYM_TYPE 0x1
 #define CLASS_SYM_TYPE 0x2
@@ -394,6 +378,30 @@ dns_c_ndcctx_addserver(dns_c_ndcctx_t *ctx, dns_c_ndcserver_t **server) {
 }
 
 isc_result_t
+dns_c_ndcctx_getserver(dns_c_ndcctx_t *ctx, const char *name,
+		       dns_c_ndcserver_t **server)
+{
+	dns_c_ndcserver_t *s;
+
+	REQUIRE(DNS_C_NDCCTX_VALID(ctx));
+	REQUIRE(name != NULL);
+	REQUIRE(server != NULL && *server == NULL);
+
+	if (ctx->servers != NULL) {
+		for (s = ISC_LIST_HEAD(ctx->servers->list); s != NULL;
+		     s = ISC_LIST_NEXT(s, next)) {
+			INSIST(s->name != NULL);
+			if (strcasecmp(s->name, name) == 0) {
+				*server = s;
+				return (ISC_R_SUCCESS);
+			}
+		}
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
 dns_c_ndcctx_getkeys(dns_c_ndcctx_t *ctx, dns_c_kdeflist_t **keys) {
 	REQUIRE(DNS_C_NDCCTX_VALID(ctx));
 	REQUIRE(keys != NULL);
@@ -843,8 +851,7 @@ parse_file(ndcpcontext *pctx, dns_c_ndcctx_t **context) {
 }
 
 static isc_result_t
-parse_statement(ndcpcontext *pctx)
-{
+parse_statement(ndcpcontext *pctx) {
 	isc_result_t result;
 	dns_c_ndcctx_t *ctx = pctx->thecontext;
 	dns_c_ndcopts_t *opts = NULL;
@@ -860,7 +867,7 @@ parse_statement(ndcpcontext *pctx)
 			result = dns_c_ndcctx_setoptions(ctx, opts);
 			if (result == ISC_R_EXISTS) {
 				parser_warn(pctx, ISC_FALSE,
-					    "redefining `options'");
+					    "redefining 'options'");
 				result = ISC_R_SUCCESS;
 				dns_c_ndcopts_destroy(&tmpopts);
 			}
@@ -1035,7 +1042,7 @@ parse_serverstmt(ndcpcontext *pctx, dns_c_ndcserver_t **server) {
 
 			if (keyname != NULL) {
 				parser_warn(pctx, ISC_FALSE,
-					    "multiple `key' definitions");
+					    "multiple 'key' definitions");
 				isc_mem_free(pctx->themem, keyname);
 			}
 
@@ -1056,7 +1063,7 @@ parse_serverstmt(ndcpcontext *pctx, dns_c_ndcserver_t **server) {
 
 			if (hostname != NULL) {
 				parser_warn(pctx, ISC_FALSE,
-					    "multiple `host' definitions");
+					    "multiple 'host' definitions");
 				isc_mem_free(pctx->themem, hostname);
 			}
 
@@ -1139,7 +1146,6 @@ parse_keystmt(ndcpcontext *pctx, dns_c_kdeflist_t *keys) {
 	isc_result_t result = ISC_R_FAILURE;
 	dns_c_ndcctx_t *ctx = pctx->thecontext;
 	dns_c_kdef_t *key = NULL;
-	isc_mem_t *mem;
 	char *keyname = NULL;
 	char *algorithm = NULL;
 	char *secret = NULL;
@@ -1147,8 +1153,6 @@ parse_keystmt(ndcpcontext *pctx, dns_c_kdeflist_t *keys) {
 	REQUIRE(DNS_C_NDCCTX_VALID(ctx));
 	REQUIRE(DNS_C_KDEFLIST_VALID(keys));
 
-	mem = ctx->mem;
-	
 	if (!eat(pctx, L_KEY))
 		return (ISC_R_FAILURE);
 
@@ -1190,7 +1194,7 @@ parse_keystmt(ndcpcontext *pctx, dns_c_kdeflist_t *keys) {
 			
 			if (algorithm != NULL) {
 				parser_warn(pctx, ISC_FALSE,
-					    "multiple `algorithm' values.");
+					    "multiple 'algorithm' values.");
 				isc_mem_free(pctx->themem, algorithm);
 			}
 
@@ -1209,7 +1213,7 @@ parse_keystmt(ndcpcontext *pctx, dns_c_kdeflist_t *keys) {
 			
 			if (secret != NULL) {
 				parser_warn(pctx, ISC_FALSE,
-					    "multiple `secret' values.");
+					    "multiple 'secret' values.");
 				isc_mem_free(pctx->themem, secret);
 			}
 
@@ -1240,28 +1244,29 @@ parse_keystmt(ndcpcontext *pctx, dns_c_kdeflist_t *keys) {
 	}
 
 	if (algorithm == NULL) {
-		parser_error(pctx, ISC_FALSE, "missing `algorithm'");
+		parser_error(pctx, ISC_FALSE, "missing 'algorithm'");
 		result = ISC_R_FAILURE;
 
 	} else if (*algorithm == '\0') {
-		parser_error(pctx, ISC_FALSE, "zero length `algorithm'");
+		parser_error(pctx, ISC_FALSE, "zero length 'algorithm'");
 		result = ISC_R_FAILURE;
 	}
 	
 	if (secret == NULL) {
-		parser_error(pctx, ISC_FALSE, "missing `secret'");
+		parser_error(pctx, ISC_FALSE, "missing 'secret'");
 		result = ISC_R_FAILURE;
 	} else if (*secret == '\0') {
-		parser_error(pctx, ISC_FALSE, "zero length `secret'");
+		parser_error(pctx, ISC_FALSE, "zero length 'secret'");
 		result = ISC_R_FAILURE;
 	}
 
 	if (result != ISC_R_SUCCESS)
 		goto done;
 	
-	result = dns_c_kdef_new(keys, keyname, &key);
+	result = dns_c_kdef_new(keys->mem, keyname, &key);
 	if (result != ISC_R_SUCCESS)
 		goto done;
+	dns_c_kdeflist_append(keys, key, ISC_FALSE);
 
 	result = dns_c_kdef_setalgorithm(key, algorithm);
 	if (result != ISC_R_SUCCESS)
@@ -1313,7 +1318,7 @@ looking_at(ndcpcontext *pctx, isc_uint32_t token) {
 	isc_boolean_t rval = ISC_TRUE;
 	
 	if (pctx->currtok != token) {
-		parser_error(pctx, ISC_TRUE, "expected a ``%s''",
+		parser_error(pctx, ISC_TRUE, "expected a '%s'",
 			     keyword2str(token));
 		rval = ISC_FALSE;
 	}
@@ -1350,10 +1355,8 @@ eat_eos(ndcpcontext *pctx) {
 /* *************      PRIVATE STUFF      ************ */
 /* ************************************************** */
 
-
 static isc_result_t
-parser_setup(ndcpcontext *pctx, isc_mem_t *mem, const char *filename)
-{
+parser_setup(ndcpcontext *pctx, isc_mem_t *mem, const char *filename) {
 	isc_result_t result;
 	isc_lexspecials_t specials;
         struct keywordtoken *tok;
@@ -1468,11 +1471,11 @@ parser_complain(isc_boolean_t is_warning, isc_boolean_t print_last_token,
 		if (dns_lctx != NULL)
 			isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
 				       DNS_LOGMODULE_CONFIG, level,
-				       "%s%s near `%s'", where, message,
+				       "%s%s near '%s'", where, message,
 				      pctx->tokstr);
 
 		else
-			fprintf(stderr, "%s%s near `%s'\n", where, message,
+			fprintf(stderr, "%s%s near '%s'\n", where, message,
 				pctx->tokstr);
 
         } else {
@@ -1744,6 +1747,6 @@ getnexttoken(ndcpcontext *pctx) {
 
 static void
 syntax_error(ndcpcontext *pctx, isc_uint32_t keyword) {
-	parser_error(pctx, ISC_FALSE, "syntax error near ``%s''",
+	parser_error(pctx, ISC_FALSE, "syntax error near '%s'",
 		     keyword2str(keyword));
 }
diff --git a/lib/dns/config/confparser.y b/lib/dns/config/confparser.y
index 0ffc5454..6f7481d6 100644
--- a/lib/dns/config/confparser.y
+++ b/lib/dns/config/confparser.y
@@ -16,60 +16,59 @@
  * SOFTWARE.
  */
 
-/* $Id: confparser.y,v 1.54 2000/03/23 19:35:14 halley Exp $ */
+/* $Id: confparser.y,v 1.82 2000/05/18 23:20:18 brister Exp $ */
 
 #include <config.h>
 
+#include <ctype.h>
+#include <errno.h>
+#include <limits.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <ctype.h>
-#include <errno.h> 
-#include <limits.h>
-#include <string.h>
-#include <sys/types.h> 
-
 #include <syslog.h>
 
-#include <isc/assertions.h>
+#include <sys/types.h>
+
+#include <isc/dir.h>
 #include <isc/error.h>
-#include <isc/mutex.h>
 #include <isc/lex.h>
-#include <isc/symtab.h>
-#include <isc/error.h>
-#include <isc/once.h>
-#include <isc/dir.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
 #include <isc/net.h>
+#include <isc/netaddr.h>
+#include <isc/once.h>
+#include <isc/string.h>
+#include <isc/symtab.h>
+#include <isc/util.h>
 
-#include <dns/confparser.h>
+#include <dns/confcommon.h>
 #include <dns/confctx.h>
+#include <dns/confparser.h>
 #include <dns/log.h>
-#include <dns/name.h> 
- 
-#include <dns/result.h>
-#include <dns/rdatatype.h>
+#include <dns/name.h>
+#include <dns/peer.h>
 #include <dns/rdataclass.h>
-#include <dns/ssu.h> 
-
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/ssu.h>
 #include <dns/types.h>
 
-#include <dns/confcommon.h>
-
 
 /* Type keys for symtab lookup */
 #define KEYWORD_SYM_TYPE 0x1
 #define CLASS_SYM_TYPE 0x2
 #define ACL_SYM_TYPE 0x3
 
- 
+
 static isc_mutex_t yacc_mutex;
 
 /* used for holding a list of dns_rdatatype_t on the stack */
 struct confrdtype_s {
-	dns_rdatatype_t types[256];
+	dns_rdatatype_t *types;
 	isc_uint32_t idx;
 };
- 
+
 /* used for holding ssu data on the stack */
 struct confssu_s {
 	isc_boolean_t grant;
@@ -79,6 +78,11 @@ struct confssu_s {
 	struct confrdtype_s rdatatypes;
 };
 
+struct keydetails_s {
+	char *algorithm;
+	char *secret;
+};
+
 
 /* All these statics are protected by the above yacc_mutex */
 static dns_c_ctx_t	       *currcfg;
@@ -91,29 +95,93 @@ static isc_lexspecials_t	specials;
 #define CONF_MAX_IDENT 1024
 
 /* This should be sufficient to permit multiple parsers and lexers if needed */
-#define yyparse dns_yyparse
+#define yyparse dns__yyparse
+
+#define YYDEBUG 1
+
+/*
+ * Specify a small parser stack size.  This is needed when
+ * using bison the generate the parser, because it puts
+ * the parser stack in a local variable, and the default
+ * initial stack size of 200 is big enough to cause a
+ * thread stack overflow.  Berkeley yacc does not suffer
+ * from this problem as it allocates the parser stack
+ * using malloc.
+ */
+
+#define YYMAXDEPTH 200
+#define YYINITDEPTH 200
 
-#define YYDEBUG 1 
 
 static isc_result_t	tmpres;
 static int		debug_lexer;
- 
+
+int			yyparse(void);
 static int		yylex(void);
-static int		yyparse(void);
-static void             parser_error(isc_boolean_t lasttoken,
-                                     const char *fmt, ...);
-static void             parser_warning(isc_boolean_t lasttoken,
-                                       const char *fmt, ...);
-static void             parser_complain(isc_boolean_t is_warning,
-                                        isc_boolean_t last_token,
-                                        const char *format, va_list args);
-static isc_boolean_t    unit_to_uint32(char *in, isc_uint32_t *out);
+static void		parser_error(isc_boolean_t lasttoken,
+				     const char *fmt, ...);
+static void		parser_warning(isc_boolean_t lasttoken,
+				       const char *fmt, ...);
+static void		parser_complain(isc_boolean_t is_warning,
+					isc_boolean_t last_token,
+					const char *format, va_list args);
+static isc_boolean_t	unit_to_uint32(char *in, isc_uint32_t *out);
 static char *		token_to_keyword(int token);
-static void             yyerror(const char *);
+static void		yyerror(const char *);
+static dns_peerlist_t	*currentpeerlist(dns_c_ctx_t *cfg,
+					 isc_boolean_t createIfNeeded);
+static isc_boolean_t	keydefinedinscope(dns_c_ctx_t *cfg,
+					  const char *name);
+
+
 
 /* returns true if (base * mult) would be too big.*/
 static isc_boolean_t	int_too_big(isc_uint32_t base, isc_uint32_t mult);
- 
+
+/*
+ * #define global symbols that various versions of YACC export into our
+ * namespace.  This won't work for all versions, but we hope to cover
+ * the popular ones.
+ */
+
+/*
+ * All YACCs
+ */
+#define yychar		dns__yychar
+#define yydebug		dns__yydebug
+#define yylval		dns__yylval
+#define yynerrs		dns__yynerrs
+/*
+ * BYACC
+ */
+#define yyerrflag	dns__yyerrflag
+#define yyss		dns__yyss
+#define yyssp		dns__yyssp
+#define yyval		dns__yyval
+#define yyvs		dns__yyvs
+#define yyvsp		dns__yyvsp
+/*
+ * AIX
+ */
+#define yyps		dns__yyps
+#define yypv		dns__yypv
+#define yypvt		dns__yypvt
+#define yys		dns__yys
+#define yystate		dns__yystate
+#define yytmp		dns__yytmp
+#define yyv		dns__yyv
+#define yyval		dns__yyval
+#define yyact		dns__yyact
+#define yychk		dns__yychk
+#define yydef		dns__yydef
+#define yyexca		dns__yyexca
+#define yypact		dns__yypact
+#define yypgo		dns__yypgo
+#define yyr1		dns__yyr1
+#define yyr2		dns__yyr2
+#define yyreds		dns__yyreds
+#define yytoks		dns__yytoks
+
 %}
 
 %union {
@@ -127,22 +195,24 @@ static isc_boolean_t	int_too_big(isc_uint32_t base, isc_uint32_t mult);
 	struct in6_addr		ip6_addr;
 	isc_sockaddr_t		ipaddress;
 
+	struct keydetails_s	keydetails;
 	struct confssu_s	ssu;
 	struct confrdtype_s	rdatatypelist;
 	dns_rdatatype_t		rdatatype;
-	
+	dns_c_addata_t		addata;
+
 	isc_boolean_t		boolean;
 	dns_rdataclass_t	rrclass;
-	dns_severity_t	      	severity;
+	dns_severity_t		severity;
 	dns_c_trans_t		transport;
 	dns_transfer_format_t	tformat;
-	
+
 	dns_c_ipmatchelement_t	*ime;
 	dns_c_ipmatchlist_t	*iml;
 
 	dns_c_forw_t		forward;
 	dns_c_rrso_t	       *rrorder;
-	dns_c_rrsolist_t      *rrolist;
+	dns_c_rrsolist_t       *rrolist;
 	dns_rdatatype_t		ordertype;
 	dns_rdataclass_t	orderclass;
 	dns_c_ordering_t	ordering;
@@ -156,219 +226,213 @@ static isc_boolean_t	int_too_big(isc_uint32_t base, isc_uint32_t mult);
 %token <ip4_addr>	L_IP4ADDR
 %token <ip6_addr>	L_IP6ADDR
 
-%token		L_LBRACE
-%token		L_RBRACE
-%token		L_EOS
-%token		L_SLASH
-%token		L_BANG
-%token		L_QUOTE
-
-%token		L_MASTER
-%token		L_SLAVE
-%token		L_SORTLIST
-%token		L_HINT
-%token		L_STUB
-%token		L_FORWARD
-
-%token		L_INCLUDE
-%token		L_END_INCLUDE
-
-%token		L_OPTIONS
-%token		L_DIRECTORY
-%token		L_PIDFILE
-%token		L_NAMED_XFER
-%token		L_TKEY_DOMAIN
-%token		L_TKEY_DHKEY
-%token		L_DUMP_FILE
-%token		L_STATS_FILE
-%token		L_MEMSTATS_FILE
-%token		L_FAKE_IQUERY
-%token		L_RECURSION
-%token		L_FETCH_GLUE
-%token		L_QUERY_SOURCE
-%token		L_QUERY_SOURCE_V6
-%token		L_LISTEN_ON
-%token		L_PORT
 %token		L_ACL
+%token		L_ADDITIONAL_DATA
 %token		L_ADDRESS
 %token		L_ALGID
+%token		L_ALLOW
 %token		L_ALLOW_QUERY
+%token		L_ALLOW_RECURSION
 %token		L_ALLOW_TRANSFER
 %token		L_ALLOW_UPDATE
 %token		L_ALLOW_UPDATE_FORWARDING
-%token		L_ALLOW_RECURSION
 %token		L_ALSO_NOTIFY
+%token		L_AUTH_NXDOMAIN
+%token		L_BANG
 %token		L_BLACKHOLE
 %token		L_BOGUS
 %token		L_CATEGORY
 %token		L_CHANNEL
 %token		L_CHECK_NAMES
+%token		L_CLASS
+%token		L_CLEAN_INTERVAL
+%token		L_CONTROLS
+%token		L_CORESIZE
+%token		L_DATASIZE
+%token		L_DATABASE
+%token		L_DEALLOC_ON_EXIT
 %token		L_DEBUG
+%token		L_DEFAULT
+%token		L_DENY
 %token		L_DIALUP
+%token		L_DIRECTORY
+%token		L_DUMP_FILE
 %token		L_DYNAMIC
+%token		L_ENABLE_ZONE
+%token		L_END_INCLUDE
+%token		L_EOS
+%token		L_EXPERT_MODE
 %token		L_FAIL
+%token		L_FAKE_IQUERY
+%token		L_FALSE
+%token		L_FETCH_GLUE
+%token		L_FILE
+%token		L_FILES
+%token		L_FILE_IXFR
 %token		L_FIRST
+%token		L_FORWARD
 %token		L_FORWARDERS
+%token		L_GRANT
+%token		L_GROUP
+%token		L_HAS_OLD_CLIENTS
+%token		L_HEARTBEAT
+%token		L_HINT
+%token		L_HOSTSTATS
 %token		L_IF_NO_ANSWER
 %token		L_IF_NO_DOMAIN
 %token		L_IGNORE
-%token		L_FILE_IXFR
+%token		L_INCLUDE
+%token		L_INET
+%token		L_INTERFACE_INTERVAL
+%token		L_INTERNAL
 %token		L_IXFR_TMP
-%token		L_SEC_KEY
 %token		L_KEYS
+%token		L_LAME_TTL
+%token		L_LBRACE
+%token		L_LISTEN_ON
 %token		L_LOGGING
+%token		L_MAINTAIN_IXFR_BASE
+%token		L_MANY_ANSWERS
+%token		L_MASTER
 %token		L_MASTERS
+%token		L_MATCH_CLIENTS
+%token		L_MAX_LOG_SIZE_IXFR
+%token		L_MAX_CACHE_TTL
+%token		L_MAX_NCACHE_TTL
+%token		L_MAX_TRANSFER_IDLE_IN
+%token		L_MAX_TRANSFER_IDLE_OUT
+%token		L_MAX_TRANSFER_TIME_IN
+%token		L_MAX_TRANSFER_TIME_OUT
+%token		L_MAXIMAL
+%token		L_MEMSTATS_FILE
+%token		L_MIN_ROOTS
+%token		L_MINIMAL
+%token		L_MULTIPLE_CNAMES
+%token		L_NAME
+%token		L_NAMED_XFER
+%token		L_NO
+%token		L_NOTIFY
 %token		L_NULL_OUTPUT
+%token		L_ONE_ANSWER
 %token		L_ONLY
+%token		L_OPTIONS
+%token		L_ORDER
+%token		L_OWNER
+%token		L_PERM
+%token		L_PIDFILE
+%token		L_PORT
 %token		L_PRINT_CATEGORY
 %token		L_PRINT_SEVERITY
 %token		L_PRINT_TIME
+%token		L_PROVIDE_IXFR
 %token		L_PUBKEY
+%token		L_QUERY_SOURCE
+%token		L_QUERY_SOURCE_V6
+%token		L_RBRACE
+%token		L_RECURSION
+%token		L_RECURSIVE_CLIENTS
+%token		L_REQUEST_IXFR
 %token		L_RESPONSE
+%token		L_RFC2308_TYPE1
+%token		L_RRSET_ORDER
 %token		L_SECRET
+%token		L_SEC_KEY
+%token		L_SELF
+%token		L_SERIAL_QUERIES
 %token		L_SERVER
 %token		L_SEVERITY
 %token		L_SIZE
+%token		L_SLASH
+%token		L_SLAVE
+%token		L_SORTLIST
+%token		L_STACKSIZE
+%token		L_STATS_FILE
+%token		L_STATS_INTERVAL
+%token		L_STUB
+%token		L_SUBDOMAIN
 %token		L_SUPPORT_IXFR
 %token		L_SYSLOG
+%token		L_TCP_CLIENTS
+%token		L_TKEY_DHKEY
+%token		L_TKEY_DOMAIN
 %token		L_TOPOLOGY
-%token		L_TRANSFER_SOURCE
-%token		L_TRANSFER_SOURCE_V6
 %token		L_TRANSFERS
-%token		L_TRUSTED_KEYS
-%token		L_VERSIONS
-%token		L_WARN
-%token		L_RRSET_ORDER
-%token		L_ORDER
-%token		L_NAME
-%token		L_CLASS
-%token		L_CONTROLS
-%token		L_INET
-%token		L_UNIX
-%token		L_PERM
-%token		L_OWNER
-%token		L_GROUP
-%token		L_ALLOW
-%token		L_DATASIZE
-%token		L_STACKSIZE
-%token		L_CORESIZE
-%token		L_DEFAULT
-%token		L_UNLIMITED
-%token		L_FILES
-%token		L_VERSION
-%token		L_HOSTSTATS
-%token		L_DEALLOC_ON_EXIT
 %token		L_TRANSFERS_IN
 %token		L_TRANSFERS_OUT
 %token		L_TRANSFERS_PER_NS
 %token		L_TRANSFER_FORMAT
-%token		L_MAX_TRANSFER_TIME_IN
-%token		L_MAX_TRANSFER_TIME_OUT
-%token		L_MAX_TRANSFER_IDLE_IN
-%token		L_MAX_TRANSFER_IDLE_OUT
-%token		L_TCP_CLIENTS
-%token		L_RECURSIVE_CLIENTS
-%token		L_ONE_ANSWER
-%token		L_MANY_ANSWERS
-%token		L_NOTIFY
-%token		L_AUTH_NXDOMAIN
-%token		L_MULTIPLE_CNAMES
-%token		L_USE_IXFR
-%token		L_MAINTAIN_IXFR_BASE
-%token		L_CLEAN_INTERVAL
-%token		L_INTERFACE_INTERVAL
-%token		L_STATS_INTERVAL
-%token		L_MAX_LOG_SIZE_IXFR
-%token		L_HEARTBEAT
-%token		L_USE_ID_POOL
-%token		L_MAX_NCACHE_TTL
-%token		L_HAS_OLD_CLIENTS
-%token		L_EXPERT_MODE
-%token		L_ZONE
-%token		L_TYPE
-%token		L_FILE
-%token		L_YES
+%token		L_TRANSFER_SOURCE
+%token		L_TRANSFER_SOURCE_V6
+%token		L_TREAT_CR_AS_SPACE
 %token		L_TRUE
-%token		L_NO
-%token		L_FALSE
+%token		L_TRUSTED_KEYS
+%token		L_TYPE
+%token		L_UNIX
+%token		L_UNLIMITED
+%token		L_UPDATE_POLICY
+%token		L_USE_ID_POOL
+%token		L_USE_IXFR
+%token		L_VERSION
+%token		L_VERSIONS
 %token		L_VIEW
-%token		L_RFC2308_TYPE1
-%token		L_PROVIDE_IXFR
-%token		L_REQUEST_IXFR
-
-%token		L_GRANT
-%token		L_DENY
-%token		L_SUBDOMAIN
-%token		L_DOMAIN
-%token		L_SELF
+%token		L_WARN
 %token		L_WILDCARD
+%token		L_YES
+%token		L_ZONE
 
-%type <ssu>		grant_stmt
-%type <ul_int>		grant_match_type
-%type <rdatatypelist>	rdatatype_list
-%type <rdatatype>	rdatatype
+
+%type <addata>		additional_data
 %type <boolean>		grantp
 %type <boolean>		yea_or_nay
-
 %type <forward>		forward_opt
 %type <forward>		zone_forward_opt
-
 %type <ime>		address_match_element
 %type <ime>		address_match_simple
 %type <ime>		address_name
-
 %type <iml>		address_match_list
-
 %type <ipaddress>	in_addr_elem
 %type <ipaddress>	ip4_address
 %type <ipaddress>	ip6_address
 %type <ipaddress>	ip_address
-%type <ipaddress>	maybe_wild_addr 
-%type <ipaddress>	maybe_wild_ip4_only_addr 
+%type <ipaddress>	maybe_wild_addr
+%type <ipaddress>	maybe_wild_ip4_only_addr
 %type <ipaddress>	maybe_wild_ip6_only_addr
-%type <ipaddress>	query_source_v6
 %type <ipaddress>	query_source_v4
-
+%type <ipaddress>	query_source_v6
+%type <ipaddress>	ip_and_port_element
 %type <iplist>		in_addr_list
-%type <iplist>		master_in_addr_list
-%type <iplist>		notify_in_addr_list
 %type <iplist>		opt_in_addr_list
 %type <iplist>		opt_zone_forwarders_list
-
-%type <text>		category_name
-
+%type <iplist>		port_ip_list
+%type <iplist>		ip_and_port_list
 %type <number>		facility_name
 %type <number>		maybe_syslog_facility
-
 %type <orderclass>	ordering_class
-
 %type <ordertype>	ordering_type
-
 %type <port_int>	in_port
 %type <port_int>	maybe_port
 %type <port_int>	maybe_wild_port
 %type <port_int>	maybe_zero_port
-
+%type <rdatatype>	rdatatype
+%type <rdatatypelist>	rdatatype_list
 %type <rrclass>		class_name
+%type <rrclass>		wild_class_name
 %type <rrclass>		optional_class
-
-%type <severity>	check_names_opt;
-
-/* %type <text>		optional_string */
+%type <severity>	check_names_opt
+%type <keydetails>	key_definition
+%type <ssu>		grant_stmt
 %type <text>		algorithm_id
 %type <text>		any_string
+%type <text>		category_name
 %type <text>		channel_name
 %type <text>		domain_name
+%type <text>		key_value
 %type <text>		ordering_name
 %type <text>		secret
-%type <text>		key_value
-
 %type <tformat>		transfer_format
-
 %type <transport>	check_names_type;
-
+%type <ul_int>		grant_match_type
 %type <ul_int>		size_spec
-
 %type <ztype>		zone_type
 
 /* Miscellaneous items (used in several places): */
@@ -382,7 +446,7 @@ statement_list: statement
 	| statement_list statement
 	;
 
-statement: include_stmt L_EOS
+statement: include_stmt
 	| options_stmt L_EOS
 	| controls_stmt L_EOS
 	| logging_stmt L_EOS
@@ -395,8 +459,11 @@ statement: include_stmt L_EOS
 	| L_END_INCLUDE
 	;
 
-
-include_stmt: L_INCLUDE L_QSTRING
+/*
+ * Note that we must consume the semicolon ending the
+ * include statement before switching input streams.
+ */
+include_stmt: L_INCLUDE L_QSTRING L_EOS
 	{
 		if (isc_lex_openfile(mylexer, $2) != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE ,"can't open file %s", $2);
@@ -411,6 +478,13 @@ options_stmt: L_OPTIONS
 	{
 		dns_c_options_t *options;
 
+		if (currcfg->zlist != NULL || currcfg->views != NULL) {
+			parser_error(ISC_FALSE,
+				     "options must come before all "
+				     "zones and views");
+			YYABORT;
+		}
+		
 		tmpres = dns_c_ctx_getoptions(currcfg, &options);
 		if (tmpres == ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE, "cannot redefine options");
@@ -429,7 +503,7 @@ options_stmt: L_OPTIONS
 				     isc_result_totext(tmpres));
 			YYABORT;
 		}
-		
+
 	} L_LBRACE options L_RBRACE {
 		if (callbacks != NULL && callbacks->optscbk != NULL) {
 			tmpres = callbacks->optscbk(currcfg,
@@ -439,7 +513,8 @@ options_stmt: L_OPTIONS
 					      DNS_LOGCATEGORY_CONFIG,
 					      DNS_LOGMODULE_CONFIG,
 					      ISC_LOG_ERROR,
-				      "options configuration failed: %s",
+					      "options configuration "
+					      "failed: %s",
 					      isc_result_totext(tmpres));
 				YYABORT;
 			}
@@ -457,184 +532,200 @@ option: /* Empty */
 	{
 		tmpres = dns_c_ctx_setversion(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining version.");
+			parser_error(ISC_FALSE, "cannot redefine version.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
-			parser_error(ISC_FALSE,
-				     "set version error %s: %s",
+			parser_error(ISC_FALSE, "set version error %s: %s",
 				     isc_result_totext(tmpres), $2);
 			YYABORT;
 		}
-		
+
 		isc_mem_free(memctx, $2);
 	}
 	| L_DIRECTORY L_QSTRING
 	{
 		tmpres = dns_c_ctx_setdirectory(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining directory");
+			parser_error(ISC_FALSE, "cannot redefine directory");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "error setting directory: %s: %s",
 				     isc_result_totext(tmpres), $2);
 			YYABORT;
 		}
-		
+
 		isc_mem_free(memctx, $2);
 	}
 	| L_NAMED_XFER L_QSTRING
 	{
 		tmpres = dns_c_ctx_setnamedxfer(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining named-xfer");
+			parser_error(ISC_FALSE, "cannot redefine named-xfer");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE, "set named-xfer error: %s: %s",
 				     isc_result_totext(tmpres), $2);
 			YYABORT;
 		}
-		
+
 		isc_mem_free(memctx, $2);
 	}
 	| L_TKEY_DOMAIN L_QSTRING
 	{
 		tmpres = dns_c_ctx_settkeydomain(currcfg, $2);
-		
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining tkey-domain");
+			parser_error(ISC_FALSE, "cannot redefine tkey-domain");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "set tkey-domain error: %s: %s",
 				     isc_result_totext(tmpres), $2);
 			YYABORT;
 		}
-		
+
 		isc_mem_free(memctx, $2);
 	}
 	| L_TKEY_DHKEY L_QSTRING L_INTEGER
 	{
 		tmpres = dns_c_ctx_settkeydhkey(currcfg, $2, $3);
-		
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining tkey-dhkey");
+			parser_error(ISC_FALSE, "cannot redefine tkey-dhkey");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE, "set tkey-dhkey error: %s: %s",
 				     isc_result_totext(tmpres), $2);
 			YYABORT;
 		}
-		
+
 		isc_mem_free(memctx, $2);
 	}
 	| L_PIDFILE L_QSTRING
 	{
 		tmpres = dns_c_ctx_setpidfilename(currcfg, $2);
-		
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining pid-file");
+			parser_error(ISC_FALSE, "cannot redefine pid-file");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE, "set pidfile error %s: %s",
 				     isc_result_totext(tmpres), $2);
 			YYABORT;
 		}
-		
+
 		isc_mem_free(memctx, $2);
 	}
 	| L_STATS_FILE L_QSTRING
 	{
 		tmpres = dns_c_ctx_setstatsfilename(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining statistics-file");
+			parser_error(ISC_FALSE,
+				     "cannot redefine statistics-file");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE, "set statsfile error %s: %s",
 				     isc_result_totext(tmpres), $2);
 			YYABORT;
 		}
-		
+
 		isc_mem_free(memctx, $2);
 	}
 	| L_MEMSTATS_FILE L_QSTRING
 	{
 		tmpres = dns_c_ctx_setmemstatsfilename(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining memstatistics-file");
+			parser_error(ISC_FALSE,
+				     "cannot redefine memstatistics-file");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "set memstatsfile error %s: %s",
 				     isc_result_totext(tmpres), $2);
 			YYABORT;
 		}
-		
+
 		isc_mem_free(memctx, $2);
 	}
 	| L_DUMP_FILE L_QSTRING
 	{
 		tmpres = dns_c_ctx_setdumpfilename(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining dump-file");
+			parser_error(ISC_FALSE, "cannot redefine dump-file");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE, "set dumpfile error %s: %s",
 				     isc_result_totext(tmpres), $2);
 			YYABORT;
 		}
-		
+
 		isc_mem_free(memctx, $2);
 	}
 	| L_EXPERT_MODE yea_or_nay
 	{
 		tmpres = dns_c_ctx_setexpertmode(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining expert-mode.");
+			parser_error(ISC_FALSE, "cannot redefine expert-mode.");
+			YYABORT;
 		}
 	}
 	| L_FAKE_IQUERY yea_or_nay
 	{
 		tmpres = dns_c_ctx_setfakeiquery(currcfg, ISC_FALSE);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining fake-iquery.");
+			parser_error(ISC_FALSE, "cannot redefine fake-iquery.");
+			YYABORT;
 		}
 	}
 	| L_RECURSION yea_or_nay
 	{
 		tmpres = dns_c_ctx_setrecursion(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining recursion");
+			parser_error(ISC_FALSE, "cannot redefine recursion");
+			YYABORT;
 		}
 	}
 	| L_FETCH_GLUE yea_or_nay
 	{
 		tmpres = dns_c_ctx_setfetchglue(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining fetch-glue.");
+			parser_error(ISC_FALSE, "cannot redefine fetch-glue.");
+			YYABORT;
 		}
 	}
 	| L_NOTIFY yea_or_nay
 	{
 		tmpres = dns_c_ctx_setnotify(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining notify.");
+			parser_error(ISC_FALSE, "cannot redefine notify.");
+			YYABORT;
 		}
 	}
 	| L_HOSTSTATS yea_or_nay
 	{
 		tmpres = dns_c_ctx_sethoststatistics(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining host-statistics.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine host-statistics.");
+			YYABORT;
 		}
 	}
 	| L_DEALLOC_ON_EXIT yea_or_nay
 	{
 		tmpres = dns_c_ctx_setdealloconexit(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining deallocate-on-exit.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine deallocate-on-exit.");
+			YYABORT;
 		}
 	}
 	| L_USE_IXFR yea_or_nay
 	{
 		tmpres = dns_c_ctx_setuseixfr(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining use-ixfr.");
+			parser_error(ISC_FALSE, "cannot redefine use-ixfr.");
+			YYABORT;
 		}
 	}
 	| L_MAINTAIN_IXFR_BASE yea_or_nay
@@ -645,65 +736,83 @@ option: /* Empty */
 		 */
 		tmpres = dns_c_ctx_setprovideixfr(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining provide-ixfr.");
+			parser_error(ISC_FALSE, "cannot redefine provide-ixfr.");
+			YYABORT;
 		}
 	}
 	| L_HAS_OLD_CLIENTS yea_or_nay
 	{
 		tmpres = dns_c_ctx_sethasoldclients(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining has-old-clients.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine has-old-clients.");
+			YYABORT;
 		}
 	}
 	| L_AUTH_NXDOMAIN yea_or_nay
 	{
 		tmpres = dns_c_ctx_setauthnxdomain(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining auth-nxdomain.");
+			parser_error(ISC_FALSE, "cannot redefine auth-nxdomain.");
+			YYABORT;
 		}
 	}
 	| L_MULTIPLE_CNAMES yea_or_nay
 	{
 		tmpres = dns_c_ctx_setmultiplecnames(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining multiple-cnames.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine multiple-cnames.");
+			YYABORT;
 		}
 	}
 	| L_CHECK_NAMES check_names_type check_names_opt
 	{
 		tmpres = dns_c_ctx_setchecknames(currcfg, $2, $3);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining check-names.");
+			parser_error(ISC_FALSE, "cannot redefine check-names.");
+			YYABORT;
 		}
 	}
 	| L_USE_ID_POOL yea_or_nay
 	{
 		tmpres = dns_c_ctx_setuseidpool(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining use-id-pool.");
+			parser_error(ISC_FALSE, "cannot redefine use-id-pool.");
+			YYABORT;
 		}
 	}
 	| L_RFC2308_TYPE1 yea_or_nay
 	{
 		tmpres = dns_c_ctx_setrfc2308type1(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining rfc2308-type.");
+			parser_error(ISC_FALSE, "cannot redefine rfc2308-type.");
+			YYABORT;
 		}
 	}
 	| L_PROVIDE_IXFR yea_or_nay
 	{
 		tmpres = dns_c_ctx_setprovideixfr(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining provide-ixfr.");
+			parser_error(ISC_FALSE, "cannot redefine provide-ixfr.");
+			YYABORT;
 		}
 	}
 	| L_REQUEST_IXFR yea_or_nay
 	{
 		tmpres = dns_c_ctx_setrequestixfr(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining request-ixfr.");
+			parser_error(ISC_FALSE, "cannot redefine request-ixfr.");
+			YYABORT;
+		}
+	}
+	| L_TREAT_CR_AS_SPACE yea_or_nay
+	{
+		tmpres = dns_c_ctx_settreatcrasspace(currcfg, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine treat-cr-as-space.");
+			YYABORT;
 		}
 	}
 	| L_LISTEN_ON maybe_port L_LBRACE address_match_list L_RBRACE
@@ -727,7 +836,8 @@ option: /* Empty */
 	{
 		tmpres = dns_c_ctx_setforward(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining forward");
+			parser_error(ISC_FALSE, "cannot redefine forward");
+			YYABORT;
 		}
 	}
 	| L_FORWARDERS {
@@ -736,18 +846,17 @@ option: /* Empty */
 		tmpres = dns_c_ctx_getforwarders(currcfg, &forwarders);
 		if (tmpres != ISC_R_NOTFOUND) {
 			parser_warning(ISC_FALSE,
-				     "redefining options forwarders");
+				       "cannot redefine options forwarders");
 			dns_c_iplist_detach(&forwarders);
-		} 
+		}
 
 		tmpres = dns_c_iplist_new(currcfg->mem, 5, &forwarders);
 		if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
-				     "failed to create "
-				     "forwarders list");
+				     "failed to create forwarders list");
 			YYABORT;
 		}
-		
+
 		tmpres = dns_c_ctx_setforwarders(currcfg, ISC_FALSE,
 						 forwarders);
 		if (tmpres != ISC_R_SUCCESS) {
@@ -760,8 +869,9 @@ option: /* Empty */
 	{
 		tmpres = dns_c_ctx_setquerysource(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining query-source.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine query-source.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set query-source.");
@@ -772,8 +882,9 @@ option: /* Empty */
 	{
 		tmpres = dns_c_ctx_setquerysourcev6(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining query-source-v6.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine query-source-v6.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set query-source-v6.");
@@ -784,8 +895,9 @@ option: /* Empty */
 	{
 		tmpres = dns_c_ctx_settransfersource(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining transfer-source");
+			parser_error(ISC_FALSE,
+				     "cannot redefine transfer-source");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set transfer-source");
@@ -796,8 +908,9 @@ option: /* Empty */
 	{
 		tmpres = dns_c_ctx_settransfersourcev6(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining transfer-source-v6");
+			parser_error(ISC_FALSE,
+				     "cannot redefine transfer-source-v6");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set transfer-source-v6");
@@ -808,10 +921,14 @@ option: /* Empty */
 	{
 		if ($3 == NULL)
 			YYABORT;
-		tmpres = dns_c_ctx_setqueryacl(currcfg, ISC_FALSE, $3);
+
+		tmpres = dns_c_ctx_setallowquery(currcfg, $3);
+		dns_c_ipmatchlist_detach(&$3);
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining allow-query list");
+			parser_error(ISC_FALSE,
+				     "cannot redefine allow-query list");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE, "failed to set allow-query");
 			YYABORT;
@@ -819,10 +936,13 @@ option: /* Empty */
 	}
 	| L_ALLOW_TRANSFER L_LBRACE address_match_list L_RBRACE
 	{
-		tmpres = dns_c_ctx_settransferacl(currcfg, ISC_FALSE, $3);
+		tmpres = dns_c_ctx_setallowtransfer(currcfg, $3);
+		dns_c_ipmatchlist_detach(&$3);
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining allow-transfer list");
+			parser_error(ISC_FALSE,
+				     "cannot redefine allow-transfer list");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set allow-transfer");
@@ -831,10 +951,13 @@ option: /* Empty */
 	}
 	| L_ALLOW_RECURSION L_LBRACE address_match_list L_RBRACE
 	{
-		tmpres = dns_c_ctx_setrecursionacl(currcfg, ISC_FALSE, $3);
+		tmpres = dns_c_ctx_setallowrecursion(currcfg, $3);
+		dns_c_ipmatchlist_detach(&$3);
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining allow-recursion list");
+			parser_error(ISC_FALSE,
+				     "cannot redefine allow-recursion list");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set allow-recursion");
@@ -843,19 +966,25 @@ option: /* Empty */
 	}
 	| L_SORTLIST  L_LBRACE address_match_list L_RBRACE
 	{
-		tmpres = dns_c_ctx_setsortlist(currcfg, ISC_FALSE, $3);
+		tmpres = dns_c_ctx_setsortlist(currcfg, $3);
+		dns_c_ipmatchlist_detach(&$3);
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining sortlist.");
+			parser_error(ISC_FALSE, "cannot redefine sortlist.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE, "failed to set sortlist");
 			YYABORT;
 		}
 	}
-	| L_ALSO_NOTIFY L_LBRACE notify_in_addr_list L_RBRACE
+	| L_ALSO_NOTIFY port_ip_list
 	{
-		tmpres = dns_c_ctx_setalsonotify(currcfg, $3, ISC_FALSE);
+		tmpres = dns_c_ctx_setalsonotify(currcfg, $2);
+		dns_c_iplist_detach(&$2);
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining also-notify.");
+			parser_error(ISC_FALSE, "cannot redefine also-notify.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE, "failed to set also-notify");
 			YYABORT;
@@ -863,9 +992,12 @@ option: /* Empty */
 	}
 	| L_BLACKHOLE L_LBRACE address_match_list L_RBRACE
 	{
-		tmpres = dns_c_ctx_setblackhole(currcfg, ISC_FALSE, $3);
+		tmpres = dns_c_ctx_setblackhole(currcfg, $3);
+		dns_c_ipmatchlist_detach(&$3);
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining blackhole.");
+			parser_error(ISC_FALSE, "cannot redefine blackhole.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE, "failed to set blackhole");
 			YYABORT;
@@ -873,9 +1005,12 @@ option: /* Empty */
 	}
 	| L_TOPOLOGY L_LBRACE address_match_list L_RBRACE
 	{
-		tmpres = dns_c_ctx_settopology(currcfg, ISC_FALSE, $3);
+		tmpres = dns_c_ctx_settopology(currcfg, $3);
+		dns_c_ipmatchlist_detach(&$3);
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining topology.");
+			parser_error(ISC_FALSE, "cannot redefine topology.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE, "failed to set topology.");
 			YYABORT;
@@ -887,8 +1022,9 @@ option: /* Empty */
 	{
 		tmpres = dns_c_ctx_settransferformat(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining transfer-format.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine transfer-format.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set transfer-format.");
@@ -902,11 +1038,12 @@ option: /* Empty */
 				     "integer value too big: %u", $2);
 			YYABORT;
 		}
-		
+
 		tmpres = dns_c_ctx_setmaxtransfertimein(currcfg, $2 * 60);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining max-transfer-time-in.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine max-transfer-time-in.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set max-transfer-time-in.");
@@ -920,11 +1057,12 @@ option: /* Empty */
 				     "integer value too big: %u", $2);
 			YYABORT;
 		}
-		
+
 		tmpres = dns_c_ctx_setmaxtransfertimeout(currcfg, $2 * 60);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining max-transfer-time-out.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine max-transfer-time-out.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set max-transfer-time-out.");
@@ -938,11 +1076,12 @@ option: /* Empty */
 				     "integer value too big: %u", $2);
 			YYABORT;
 		}
-		
+
 		tmpres = dns_c_ctx_setmaxtransferidlein(currcfg, $2 * 60);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining max-transfer-idle-in.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine max-transfer-idle-in.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set max-transfer-idle-in.");
@@ -956,11 +1095,12 @@ option: /* Empty */
 				     "integer value too big: %u", $2);
 			YYABORT;
 		}
-		
+
 		tmpres = dns_c_ctx_setmaxtransferidleout(currcfg, $2 * 60);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining max-transfer-idle-out.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine max-transfer-idle-out.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set max-transfer-idle-out.");
@@ -971,26 +1111,65 @@ option: /* Empty */
 	{
 		tmpres = dns_c_ctx_settcpclients(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining tcp-clients.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine tcp-clients.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set tcp-clients.");
 			YYABORT;
 		}
 	}
+	| L_LAME_TTL L_INTEGER
+	{
+		tmpres = dns_c_ctx_setlamettl(currcfg, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE, "cannot redefine lame-ttl.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE, "failed to set lame-ttl.");
+			YYABORT;
+		}
+	}
 	| L_RECURSIVE_CLIENTS L_INTEGER
 	{
 		tmpres = dns_c_ctx_setrecursiveclients(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining recursive-clients.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine recursive-clients.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set recursive-clients.");
 			YYABORT;
 		}
 	}
+	| L_MIN_ROOTS L_INTEGER
+	{
+		tmpres = dns_c_ctx_setminroots(currcfg, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine min-roots.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set min-roots.");
+			YYABORT;
+		}
+	}
+	| L_SERIAL_QUERIES L_INTEGER
+	{
+		tmpres = dns_c_ctx_setserialqueries(currcfg, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine serial-queries.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set serial-queries.");
+			YYABORT;
+		}
+	}
 	| L_CLEAN_INTERVAL L_INTEGER
 	{
 		if ( int_too_big($2, 60) ) {
@@ -998,11 +1177,12 @@ option: /* Empty */
 				     "integer value too big: %u", $2);
 			YYABORT;
 		}
-		
+
 		tmpres = dns_c_ctx_setcleaninterval(currcfg, $2 * 60);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining cleaning-interval.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine cleaning-interval.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set cleaning-interval.");
@@ -1016,11 +1196,12 @@ option: /* Empty */
 				     "integer value too big: %u", $2);
 			YYABORT;
 		}
-		
+
 		tmpres = dns_c_ctx_setinterfaceinterval(currcfg, $2 * 60);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining interface-interval.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine interface-interval.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set interface-interval.");
@@ -1034,11 +1215,12 @@ option: /* Empty */
 				     "integer value too big: %u", $2);
 			YYABORT;
 		}
-		
+
 		tmpres = dns_c_ctx_setstatsinterval(currcfg, $2 * 60);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining statistics-interval.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine statistics-interval.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set statistics-interval.");
@@ -1049,8 +1231,9 @@ option: /* Empty */
 	{
 		tmpres = dns_c_ctx_setmaxlogsizeixfr(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining max-ixfr-log-size.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine max-ixfr-log-size.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set max-ixfr-log-size.");
@@ -1061,14 +1244,28 @@ option: /* Empty */
 	{
 		tmpres = dns_c_ctx_setmaxncachettl(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining max-ncache-ttl.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine max-ncache-ttl.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set max-ncache-ttl.");
 			YYABORT;
 		}
 	}
+	| L_MAX_CACHE_TTL L_INTEGER
+	{
+		tmpres = dns_c_ctx_setmaxcachettl(currcfg, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine max-cache-ttl.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set max-cache-ttl.");
+			YYABORT;
+		}
+	}
 	| L_HEARTBEAT L_INTEGER
 	{
 		if ( int_too_big($2, 60) ) {
@@ -1076,11 +1273,12 @@ option: /* Empty */
 				     "integer value too big: %u", $2);
 			YYABORT;
 		}
-		
-		tmpres = dns_c_ctx_setheartbeat_interval(currcfg, $2 * 60);
+
+		tmpres = dns_c_ctx_setheartbeatinterval(currcfg, $2 * 60);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining heartbeat-interval.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine heartbeat-interval.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set heartbeat-interval.");
@@ -1091,7 +1289,8 @@ option: /* Empty */
 	{
 		tmpres = dns_c_ctx_setdialup(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining dialup.");
+			parser_error(ISC_FALSE, "cannot redefine dialup.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE, "failed to set dialup.");
 			YYABORT;
@@ -1104,7 +1303,7 @@ option: /* Empty */
 		tmpres = dns_c_ctx_getrrsetorderlist(currcfg, &ordering);
 		if (tmpres != ISC_R_NOTFOUND) {
 			parser_warning(ISC_FALSE,
-				     "redefining rrset-order list");
+				       "cannot redefine rrset-order list");
 			dns_c_rrsolist_clear(ordering);
 		} else {
 			tmpres = dns_c_rrsolist_new(currcfg->mem, &ordering);
@@ -1124,6 +1323,34 @@ option: /* Empty */
 			}
 		}
 	} L_LBRACE rrset_ordering_list L_RBRACE
+	| L_ALLOW_UPDATE_FORWARDING L_LBRACE address_match_list L_RBRACE
+	{
+		tmpres = dns_c_ctx_setallowupdateforwarding(currcfg, $3);
+		dns_c_ipmatchlist_detach(&$3);
+
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine allow-update-forwarding.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set allow-update-forwarding.");
+			YYABORT;
+		}
+	}
+	| L_ADDITIONAL_DATA additional_data
+	{
+		tmpres = dns_c_ctx_setadditionaldata(currcfg, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine additional-data.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set additional-data.");
+			YYABORT;
+		}
+	}
 	;
 
 
@@ -1133,10 +1360,10 @@ option: /* Empty */
 controls_stmt: L_CONTROLS
 	{
 		if (currcfg->controls != NULL) {
-			parser_warning(ISC_FALSE, "redefining controls");
+			parser_warning(ISC_FALSE, "cannot redefine controls");
 			dns_c_ctrllist_delete(&currcfg->controls);
 		}
-		
+
 		tmpres = dns_c_ctrllist_new(currcfg->mem,
 					    &currcfg->controls);
 		if (tmpres != ISC_R_SUCCESS) {
@@ -1159,7 +1386,7 @@ control: /* Empty */
 					    $2, $4, $7, ISC_FALSE);
 		if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
-				    "failed to build inet control structure");
+				     "failed to build inet control structure");
 			YYABORT;
 		}
 
@@ -1191,7 +1418,7 @@ ordering_class: /* nothing */
 	{
 		$$ = dns_rdataclass_any;
 	}
-	| L_CLASS class_name
+	| L_CLASS wild_class_name
 	{
 		$$ = $2;
 	}
@@ -1211,15 +1438,15 @@ ordering_type: /* nothing */
 		} else {
 			reg.base = $2;
 			reg.length = strlen($2);
-		
+
 			tmpres = dns_rdatatype_fromtext(&ty, &reg);
-			if (tmpres != DNS_R_SUCCESS) {
+			if (tmpres != ISC_R_SUCCESS) {
 				parser_warning(ISC_TRUE,
-					       "unknown type. Assuming ``*''");
+					       "unknown type, assuming '*'");
 				ty = dns_rdatatype_any;
 			}
 		}
-		
+
 		isc_mem_free(memctx, $2);
 		$$ = ty;
 	}
@@ -1250,7 +1477,7 @@ rrset_ordering_element: ordering_class ordering_type ordering_name
 		tmpres = dns_c_string2ordering($5, &o);
 		if (tmpres != ISC_R_SUCCESS) {
 			parser_warning(ISC_FALSE,
-				       "unknown ordering type ``%s''."
+				       "unknown ordering type '%s'."
 				       " Using default", $5);
 			o = DNS_DEFAULT_ORDERING;
 		}
@@ -1294,13 +1521,13 @@ maybe_wild_addr: ip4_address
 
 		if (strcmp($1, "*") != 0) {
 			parser_error(ISC_TRUE,
-				     "bad ip-address. using ipv4 ``*''");
+				     "bad ip-address. using ipv4 '*'");
 		}
 
 		isc_mem_free(memctx, $1);
 	}
 	;
-	
+
 maybe_wild_ip4_only_addr: ip4_address
 	{
 		$$ = $1;
@@ -1321,7 +1548,7 @@ maybe_wild_ip4_only_addr: ip4_address
 
 		if (strcmp($1, "*") != 0) {
 			parser_error(ISC_TRUE,
-				     "bad IPv4-address. using ``*''");
+				     "bad IPv4-address. using '*'");
 		}
 
 		isc_mem_free(memctx, $1);
@@ -1344,7 +1571,7 @@ maybe_wild_ip6_only_addr: ip6_address
 
 		if (strcmp($1, "*") != 0) {
 			parser_error(ISC_TRUE,
-				     "bad IPv6-address. using ``*''");
+				     "bad IPv6-address. using '*'");
 		}
 
 		isc_mem_free(memctx, $1);
@@ -1361,13 +1588,75 @@ maybe_wild_port: in_port
 
 		if (strcmp ($1, "*") != 0) {
 			parser_error(ISC_TRUE,
-				     "bad port specification. Using ``*''");
+				     "bad port specification. Using '*'");
 		}
 
 		isc_mem_free(memctx, $1);
 	}
 	;
 
+
+port_ip_list: maybe_zero_port L_LBRACE ip_and_port_list L_RBRACE
+	{
+		in_port_t port = $1;
+		dns_c_iplist_t *list = $3;
+		unsigned int i;
+
+		if (port == 0)
+			port = DNS_C_DEFAULTPORT;
+
+		for (i = 0 ; i < list->nextidx ; i++) {
+			if (isc_sockaddr_getport(&list->ips[i]) == 0) {
+				isc_sockaddr_setport(&list->ips[i], port);
+			}
+		}
+
+		$$ = list;
+	};
+
+
+ip_and_port_element: ip_address maybe_zero_port
+	{
+		isc_sockaddr_setport(&$1, $2);
+		$$ = $1;
+	};
+
+
+ip_and_port_list: ip_and_port_element L_EOS
+	{
+		dns_c_iplist_t *list;
+
+		tmpres = dns_c_iplist_new(currcfg->mem, 5, &list);
+		if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_TRUE,
+				     "failed to create new iplist");
+			YYABORT;
+		}
+
+		tmpres = dns_c_iplist_append(list, $1);
+		if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_TRUE,
+				     "failed to append master address");
+			YYABORT;
+		}
+
+		$$ = list;
+	}
+	| ip_and_port_list ip_and_port_element L_EOS
+	{
+		tmpres = dns_c_iplist_append($1, $2);
+		if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_TRUE,
+				     "failed to append master address");
+			YYABORT;
+		}
+
+		$$ = $1;
+	}
+	;
+
+
+
 query_source_v6: L_ADDRESS maybe_wild_ip6_only_addr
 	{
 		isc_sockaddr_setport(&$2, 0); /* '0' is wild port  */
@@ -1438,6 +1727,19 @@ maybe_zero_port : /* nothing */
 	}
 	;
 
+additional_data: L_INTERNAL
+	{
+		$$ = dns_c_ad_internal;
+	}
+	| L_MINIMAL
+	{
+		$$ = dns_c_ad_minimal;
+	}
+	| L_MAXIMAL
+	{
+		$$ = dns_c_ad_maximal;
+	};
+
 yea_or_nay: L_YES
 	{
 		$$ = isc_boolean_true;
@@ -1462,7 +1764,7 @@ yea_or_nay: L_YES
 			$$ = isc_boolean_false;
 		} else {
 			parser_warning(ISC_TRUE,
-				       "number should be 0 or 1; assuming 1");
+				       "number should be 0 or 1, assuming 1");
 			$$ = isc_boolean_true;
 		}
 	}
@@ -1520,7 +1822,8 @@ size_clause: L_DATASIZE size_spec
 	{
 		tmpres = dns_c_ctx_setdatasize(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining datasize.");
+			parser_error(ISC_FALSE, "cannot redefine datasize.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE, "failed to set datasize.");
 			YYABORT;
@@ -1530,7 +1833,8 @@ size_clause: L_DATASIZE size_spec
 	{
 		tmpres = dns_c_ctx_setstacksize(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining stacksize.");
+			parser_error(ISC_FALSE, "cannot redefine stacksize.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE, "failed to set stacksize.");
 			YYABORT;
@@ -1540,7 +1844,8 @@ size_clause: L_DATASIZE size_spec
 	{
 		tmpres = dns_c_ctx_setcoresize(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining coresize.");
+			parser_error(ISC_FALSE, "cannot redefine coresize.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE, "failed to set coresize.");
 			YYABORT;
@@ -1550,7 +1855,8 @@ size_clause: L_DATASIZE size_spec
 	{
 		tmpres = dns_c_ctx_setfiles(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining files.");
+			parser_error(ISC_FALSE, "cannot redefine files.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE, "failed to set files.");
 			YYABORT;
@@ -1609,7 +1915,8 @@ transfer_clause: L_TRANSFERS_IN L_INTEGER
 	{
 		tmpres = dns_c_ctx_settransfersin(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining transfers-in.");
+			parser_error(ISC_FALSE, "cannot redefine transfers-in.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE, "failed to set transfers-in.");
 			YYABORT;
@@ -1619,8 +1926,9 @@ transfer_clause: L_TRANSFERS_IN L_INTEGER
 	{
 		tmpres = dns_c_ctx_settransfersout(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining transfers-out.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine transfers-out.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set transfers-out.");
@@ -1631,8 +1939,9 @@ transfer_clause: L_TRANSFERS_IN L_INTEGER
 	{
 		tmpres = dns_c_ctx_settransfersperns(currcfg, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				     "redefining transfers-per-ns.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine transfers-per-ns.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set transfers-per-ns.");
@@ -1688,12 +1997,13 @@ logging_opt: category_stmt
 channel_stmt:
 	L_CHANNEL channel_name L_LBRACE L_FILE L_QSTRING {
 		dns_c_logchan_t *newc;
-		
+
 		tmpres = dns_c_ctx_addfile_channel(currcfg,
 						   $2, &newc);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefing channel %s", $2);
+			parser_error(ISC_FALSE,
+				     "redefing channel %s", $2);
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to add new file channel.");
@@ -1714,11 +2024,12 @@ channel_stmt:
 	}  maybe_file_modifiers L_EOS optional_channel_opt_list L_RBRACE
 	| L_CHANNEL channel_name L_LBRACE L_SYSLOG maybe_syslog_facility {
 		dns_c_logchan_t *newc;
-		
+
 		tmpres = dns_c_ctx_addsyslogchannel(currcfg,
 						    $2, &newc);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining channel %s", $2);
+			parser_error(ISC_FALSE, "cannot redefine channel %s", $2);
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to add new syslog channel.");
@@ -1735,14 +2046,15 @@ channel_stmt:
 	} L_EOS optional_channel_opt_list L_RBRACE
 	| L_CHANNEL channel_name L_LBRACE L_NULL_OUTPUT {
 		dns_c_logchan_t *newc;
-		
+
 		tmpres = dns_c_ctx_addnullchannel(currcfg,
 						  $2, &newc);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining channel %s", $2);
+			parser_error(ISC_FALSE, "cannot redefine channel %s", $2);
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
-				     "failed to add new channel ``%s''", $2);
+				     "failed to add new channel '%s'", $2);
 			YYABORT;
 		}
 
@@ -1751,7 +2063,7 @@ channel_stmt:
 	| L_CHANNEL channel_name L_LBRACE logging_non_type_keywords {
 		parser_error(ISC_FALSE,
 			     "first statment inside a channel definition "
-			     "must be ``file'' or ``syslog'' or ``null''.");
+			     "must be 'file' or 'syslog' or 'null'.");
 		YYABORT;
 	}
 	;
@@ -1761,18 +2073,19 @@ logging_non_type_keywords: L_SEVERITY | L_PRINT_TIME | L_PRINT_CATEGORY |
 	L_PRINT_SEVERITY
 	;
 
-	
+
 optional_channel_opt_list: /* empty */
 	| channel_opt_list
 	;
-	
+
 category_stmt: L_CATEGORY category_name {
 		dns_c_logcat_t *cat;
-		
+
 		tmpres = dns_c_ctx_addcategory(currcfg, $2, &cat);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining category ``%s''", $2);
+			parser_error(ISC_FALSE,
+				     "cannot redefine category '%s'", $2);
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to add new logging category.");
@@ -1792,7 +2105,7 @@ channel_severity: any_string
 		tmpres = dns_c_string2logseverity($1, &severity);
 		if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
-				     "unknown severity ``%s''", $1);
+				     "unknown severity '%s'", $1);
 			YYABORT;
 		}
 
@@ -1805,7 +2118,8 @@ channel_severity: any_string
 
 		tmpres = dns_c_logchan_setseverity(chan, severity);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining severity.");
+			parser_error(ISC_FALSE, "cannot redefine severity.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "can't get set channel severity.");
@@ -1828,7 +2142,8 @@ channel_severity: any_string
 		tmpres = dns_c_logchan_setseverity(chan,
 						   dns_c_log_debug);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining severity.");
+			parser_error(ISC_FALSE, "cannot redefine severity.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "can't get set channel severity(debug).");
@@ -1849,7 +2164,8 @@ channel_severity: any_string
 		tmpres = dns_c_logchan_setseverity(chan,
 						   dns_c_log_debug);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining severity.");
+			parser_error(ISC_FALSE, "cannot redefine severity.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "can't get set channel "
@@ -1879,7 +2195,8 @@ channel_severity: any_string
 		tmpres = dns_c_logchan_setseverity(chan,
 						   dns_c_log_dynamic);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining severity.");
+			parser_error(ISC_FALSE, "cannot redefine severity.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "can't get set channel "
@@ -1902,7 +2219,8 @@ version_modifier: L_VERSIONS L_INTEGER
 
 		tmpres = dns_c_logchan_setversions(chan, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining versions.");
+			parser_error(ISC_FALSE, "cannot redefine versions.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "can't get set channel versions.");
@@ -1920,9 +2238,10 @@ version_modifier: L_VERSIONS L_INTEGER
 			YYABORT;
 		}
 
-		tmpres = dns_c_logchan_setversions(chan, -1);
+		tmpres = dns_c_logchan_setversions(chan, 0xffffffffU);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining versions.");
+			parser_error(ISC_FALSE, "cannot redefine versions.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "can't get set channel "
@@ -1945,7 +2264,8 @@ size_modifier: L_SIZE size_spec
 
 		tmpres = dns_c_logchan_setsize(chan, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining size.");
+			parser_error(ISC_FALSE, "cannot redefine size.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "can't get set channel size.");
@@ -2006,7 +2326,8 @@ channel_opt: L_SEVERITY channel_severity { /* nothing to do */ }
 
 		tmpres = dns_c_logchan_setprinttime(chan, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE, "redefining print-time.");
+			parser_error(ISC_FALSE, "cannot redefine print-time.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "can't get set channel print-time.");
@@ -2025,8 +2346,9 @@ channel_opt: L_SEVERITY channel_severity { /* nothing to do */ }
 
 		tmpres = dns_c_logchan_setprintcat(chan, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining print-category.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine print-category.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "can't get set channel print-category.");
@@ -2045,8 +2367,9 @@ channel_opt: L_SEVERITY channel_severity { /* nothing to do */ }
 
 		tmpres = dns_c_logchan_setprintsev(chan, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining print-severity.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine print-severity.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "can't get set channel print-severity.");
@@ -2097,12 +2420,6 @@ channel_list: channel L_EOS
 
 category_name: any_string
 	{
-		tmpres = dns_c_checkcategory($1);
-		if (tmpres != ISC_R_SUCCESS) {
-			parser_warning(ISC_FALSE,
-				       "unknown category ``%s''", $1);
-		}
-
 		$$ = $1;
 	}
 	| L_DEFAULT
@@ -2110,7 +2427,7 @@ category_name: any_string
 		char *name = token_to_keyword(L_DEFAULT);
 
 		REQUIRE(name != NULL);
-		
+
 		$$ = isc_mem_strdup(memctx, name);
 	}
 	| L_NOTIFY
@@ -2118,7 +2435,7 @@ category_name: any_string
 		char *name = token_to_keyword(L_NOTIFY);
 
 		REQUIRE(name != NULL);
-		
+
 		$$ = isc_mem_strdup(memctx, name);
 	}
 	;
@@ -2129,22 +2446,11 @@ category_name: any_string
 
 server_stmt: L_SERVER ip_address
 	{
-		dns_peer_t *peer;
-		dns_peerlist_t *peers = currcfg->peers;
 		isc_netaddr_t netaddr;
+		dns_peer_t *peer = NULL;
+		dns_peerlist_t *peers = currentpeerlist(currcfg, ISC_TRUE);
 
 		isc_netaddr_fromsockaddr(&netaddr, &$2);
-		
-		if (peers == NULL) {
-			tmpres = dns_peerlist_new(currcfg->mem,
-						  &currcfg->peers);
-			if (tmpres != ISC_R_SUCCESS) {
-				parser_error(ISC_FALSE,
-					     "failed to create peer list");
-				YYABORT;
-			}
-			peers = currcfg->peers;
-		}
 
 		/*
 		 * Check that this IP hasn't already been used.
@@ -2152,10 +2458,10 @@ server_stmt: L_SERVER ip_address
 		tmpres = dns_peerlist_peerbyaddr(peers, &netaddr, &peer);
 		if (tmpres == ISC_R_SUCCESS) {
 			dns_peer_detach(&peer);
-			parser_error(ISC_TRUE, "redefining peer");
+			parser_error(ISC_TRUE, "cannot redefine peer");
 			YYABORT;
 		}
-		
+
 		tmpres = dns_peer_new(currcfg->mem, &netaddr, &peer);
 		if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
@@ -2163,7 +2469,8 @@ server_stmt: L_SERVER ip_address
 			YYABORT;
 		}
 
-		dns_peerlist_addpeer(currcfg->peers, peer);
+		dns_peerlist_addpeer(peers, peer);
+		dns_peerlist_detach(&peers);
 		dns_peer_detach(&peer);
 	}
 	L_LBRACE server_info_list L_RBRACE
@@ -2176,21 +2483,28 @@ server_info_list: server_info L_EOS
 server_info: L_BOGUS yea_or_nay
 	{
 		dns_peer_t *peer = NULL;
+		dns_peerlist_t *peerlist = currentpeerlist(currcfg, ISC_FALSE);
+
+		REQUIRE(peerlist != NULL);
+
+		dns_peerlist_currpeer(peerlist, &peer);
 
-		dns_peerlist_currpeer(currcfg->peers, &peer);
 		INSIST(peer != NULL);
 
 		tmpres = dns_peer_setbogus(peer, $2);
 		dns_peer_detach(&peer);
+		dns_peerlist_detach(&peerlist);
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining server bogus value");
+			parser_error(ISC_FALSE,
+				     "cannot redefine server bogus value");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "error setting server bogus value");
 			YYABORT;
 		}
-		
+
 	}
 	| L_SUPPORT_IXFR yea_or_nay
 	{
@@ -2198,15 +2512,22 @@ server_info: L_BOGUS yea_or_nay
 		 * Backwards compatibility, equivalent to request-ixfr.
 		 */
 		dns_peer_t *peer = NULL;
+		dns_peerlist_t *peerlist = currentpeerlist(currcfg, ISC_FALSE);
+
+		REQUIRE(peerlist != NULL);
+
+		dns_peerlist_currpeer(peerlist, &peer);
 
-		dns_peerlist_currpeer(currcfg->peers, &peer);
 		INSIST(peer != NULL);
 
 		tmpres = dns_peer_setrequestixfr(peer, $2);
 		dns_peer_detach(&peer);
+		dns_peerlist_detach(&peerlist);
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining peer request-ixfr value");
+			parser_error(ISC_FALSE,
+				     "cannot redefine peer request-ixfr value");
+			YYABORT;
 		} else if(tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "error setting peer "
@@ -2217,15 +2538,22 @@ server_info: L_BOGUS yea_or_nay
 	| L_PROVIDE_IXFR yea_or_nay
 	{
 		dns_peer_t *peer = NULL;
+		dns_peerlist_t *peerlist = currentpeerlist(currcfg, ISC_FALSE);
+
+		REQUIRE(peerlist != NULL);
+
+		dns_peerlist_currpeer(peerlist, &peer);
 
-		dns_peerlist_currpeer(currcfg->peers, &peer);
 		INSIST(peer != NULL);
 
 		tmpres = dns_peer_setprovideixfr(peer, $2);
 		dns_peer_detach(&peer);
+		dns_peerlist_detach(&peerlist);
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining peer provide-ixfr value");
+			parser_error(ISC_FALSE,
+				     "cannot redefine peer provide-ixfr value");
+			YYABORT;
 		} else if(tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "error setting peer "
@@ -2236,15 +2564,22 @@ server_info: L_BOGUS yea_or_nay
 	| L_REQUEST_IXFR yea_or_nay
 	{
 		dns_peer_t *peer = NULL;
+		dns_peerlist_t *peerlist = currentpeerlist(currcfg, ISC_FALSE);
+
+		REQUIRE(peerlist != NULL);
+
+		dns_peerlist_currpeer(peerlist, &peer);
 
-		dns_peerlist_currpeer(currcfg->peers, &peer);
 		INSIST(peer != NULL);
 
 		tmpres = dns_peer_setrequestixfr(peer, $2);
 		dns_peer_detach(&peer);
+		dns_peerlist_detach(&peerlist);
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining peer request-ixfr value");
+			parser_error(ISC_FALSE,
+				     "cannot redefine peer request-ixfr value");
+			YYABORT;
 		} else if(tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "error setting peer "
@@ -2255,15 +2590,22 @@ server_info: L_BOGUS yea_or_nay
 	| L_TRANSFERS L_INTEGER
 	{
 		dns_peer_t *peer = NULL;
+		dns_peerlist_t *peerlist = currentpeerlist(currcfg, ISC_FALSE);
+
+		REQUIRE(peerlist != NULL);
+
+		dns_peerlist_currpeer(peerlist, &peer);
 
-		dns_peerlist_currpeer(currcfg->peers, &peer);
 		INSIST(peer != NULL);
 
 		tmpres = dns_peer_settransfers(peer, $2);
 		dns_peer_detach(&peer);
+		dns_peerlist_detach(&peerlist);
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining peer transfers value");
+			parser_error(ISC_FALSE,
+				     "cannot redefine peer transfers value");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "error setting peer transfers value");
@@ -2273,16 +2615,23 @@ server_info: L_BOGUS yea_or_nay
 	| L_TRANSFER_FORMAT transfer_format
 	{
 		dns_peer_t *peer = NULL;
+		dns_peerlist_t *peerlist = currentpeerlist(currcfg, ISC_FALSE);
+
+		REQUIRE(peerlist != NULL);
+
+		dns_peerlist_currpeer(peerlist, &peer);
 
-		dns_peerlist_currpeer(currcfg->peers, &peer);
 		INSIST(peer != NULL);
 
 		tmpres = dns_peer_settransferformat(peer, $2);
 		dns_peer_detach(&peer);
+		dns_peerlist_detach(&peerlist);
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining peer transfer-format "
-				       "value");
+			parser_error(ISC_FALSE,
+				     "cannot redefine peer transfer-format "
+				     "value");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "error setting peer transfer-format "
@@ -2291,29 +2640,38 @@ server_info: L_BOGUS yea_or_nay
 		}
 	}
 	| L_KEYS key_value {
-		dns_peer_t *peer = NULL;
 		dns_name_t *name = NULL;
+		dns_peer_t *peer = NULL;
+		dns_peerlist_t *peerlist = currentpeerlist(currcfg, ISC_FALSE);
+
+		REQUIRE(peerlist != NULL);
+
+		dns_peerlist_currpeer(peerlist, &peer);
 
-		/* XXX need to validate key exists */
-		
-		dns_peerlist_currpeer(currcfg->peers, &peer);
 		INSIST(peer != NULL);
 
+		if (!keydefinedinscope(currcfg, $2)) {
+			parser_error(ISC_FALSE,
+				     "undefined key '%s' referenced.", $2);
+			YYABORT;
+		}
+
 		tmpres = dns_c_charptoname(peer->mem, $2, &name);
 		if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "error creating key name value");
 			YYABORT;
 		}
-		
+
 		tmpres = dns_peer_setkey(peer, &name);
 		isc_mem_free(memctx, $2);
 		dns_peer_detach(&peer);
-		
+		dns_peerlist_detach(&peerlist);
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining peer key "
-				       "value");
+			parser_error(ISC_FALSE,
+				     "cannot redefine peer key value");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "error setting peer key value");
@@ -2349,16 +2707,16 @@ address_match_list: address_match_element L_EOS
 							    &$1);
 				YYABORT;
 			}
-			
+
 			ISC_LIST_APPEND(ml->elements, $1, next);
 		}
-		
+
 		$$ = ml;
 	}
 	| address_match_list address_match_element L_EOS
 	{
 		dns_c_ipmatchlist_t *ml = $1;
-		
+
 		if (ml == NULL && $2 != NULL) {
 			tmpres = dns_c_ipmatchlist_new(currcfg->mem, &ml);
 			if (tmpres != ISC_R_SUCCESS) {
@@ -2372,7 +2730,7 @@ address_match_list: address_match_element L_EOS
 		if ($2 != NULL) {
 			ISC_LIST_APPEND(ml->elements, $2, next);
 		}
-		
+
 		$$ = ml;
 	}
 	;
@@ -2389,7 +2747,7 @@ address_match_element: address_match_simple
 	{
 		dns_c_ipmatchelement_t *ime = NULL;
 
-		if (!dns_c_ctx_keydefinedp(currcfg, $2)) {
+		if (!keydefinedinscope(currcfg, $2)) {
 			parser_error(ISC_FALSE,
 				     "address match key element (%s) "
 				     "referenced before defined", $2);
@@ -2403,7 +2761,7 @@ address_match_element: address_match_simple
 				YYABORT;
 			}
 		}
-		
+
 		isc_mem_free(memctx, $2);
 		$$ = ime;
 	}
@@ -2413,7 +2771,7 @@ address_match_simple: ip_address
 	{
 		dns_c_ipmatchelement_t *ime = NULL;
 		unsigned int prefixlen = 0;
-		
+
 		switch ($1.type.sa.sa_family) {
 		case AF_INET:
 			prefixlen = 32;
@@ -2435,7 +2793,7 @@ address_match_simple: ip_address
 
 		case ISC_R_NOMEMORY:
 			parser_error(ISC_FALSE,
-				    "insufficient memory available.");
+				     "insufficient memory available.");
 			YYABORT;
 			break;
 
@@ -2468,8 +2826,7 @@ address_match_simple: ip_address
 
 			case ISC_R_NOMEMORY:
 				parser_error(ISC_FALSE,
-					    "insufficient memory "
-					    "available.");
+					     "insufficient memory available.");
 				YYABORT;
 				break;
 
@@ -2499,7 +2856,7 @@ address_match_simple: ip_address
 			} else {
 				ia.s_addr = htonl(($1 & 0xff) << 24);
 				isc_sockaddr_fromin(&address, &ia, 0);
-				
+
 				tmpres =
 					dns_c_ipmatchpattern_new(currcfg->mem,
 								 &ime,
@@ -2515,8 +2872,8 @@ address_match_simple: ip_address
 
 				case ISC_R_NOMEMORY:
 					parser_error(ISC_FALSE,
-						    "insufficient memory "
-						    "available.");
+						     "insufficient memory "
+						     "available.");
 					YYABORT;
 					break;
 
@@ -2532,14 +2889,14 @@ address_match_simple: ip_address
 	| L_LBRACE address_match_list L_RBRACE
 	{
 		dns_c_ipmatchelement_t *ime = NULL;
-		
+
 		if ($2 != NULL) {
 			tmpres = dns_c_ipmatchindirect_new(currcfg->mem, &ime,
 							   $2, NULL);
 			if (tmpres != ISC_R_SUCCESS) {
 				parser_error(ISC_FALSE,
-					    "failed to create indirect "
-					    "ipmatch list.");
+					     "failed to create indirect "
+					     "ipmatch list.");
 				YYABORT;
 			}
 		}
@@ -2559,7 +2916,7 @@ address_name: any_string
 			tmpres = dns_c_ipmatchany_new(currcfg->mem, &elem);
 			if (tmpres != ISC_R_SUCCESS) {
 				parser_error(ISC_FALSE,
-					     "failed to create ``any''"
+					     "failed to create 'any'"
 					     " ipmatch element");
 				YYABORT;
 			}
@@ -2567,7 +2924,7 @@ address_name: any_string
 			tmpres = dns_c_ipmatchany_new(currcfg->mem, &elem);
 			if (tmpres != ISC_R_SUCCESS) {
 				parser_error(ISC_FALSE,
-					     "failed to create ``none''"
+					     "failed to create 'none'"
 					     " ipmatch element");
 				YYABORT;
 			}
@@ -2577,7 +2934,7 @@ address_name: any_string
 							    &elem);
 			if (tmpres != ISC_R_SUCCESS) {
 				parser_error(ISC_FALSE,
-					     "failed to create ``localhost''"
+					     "failed to create 'localhost'"
 					     " ipmatch element");
 				YYABORT;
 			}
@@ -2586,7 +2943,7 @@ address_name: any_string
 							    &elem);
 			if (tmpres != ISC_R_SUCCESS) {
 				parser_error(ISC_FALSE,
-					     "failed to create ``localnets''"
+					     "failed to create 'localnets'"
 					     " ipmatch element");
 				YYABORT;
 			}
@@ -2595,7 +2952,7 @@ address_name: any_string
 						       $1, &acl);
 			if (tmpres == ISC_R_NOTFOUND) {
 				parser_warning(ISC_FALSE,
-					       "undefined acl ``%s'' "
+					       "undefined acl '%s' "
 					       "referenced", $1);
 				elem = NULL;
 			} else {
@@ -2620,62 +2977,90 @@ address_name: any_string
  */
 
 
-key_stmt: L_SEC_KEY any_string
+key_stmt: L_SEC_KEY any_string L_LBRACE key_definition L_RBRACE
 	{
 		dns_c_kdef_t *keydef;
-		
-		if (currcfg->keydefs == NULL) {
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+		dns_c_kdeflist_t *list = NULL;
+
+		if (view == NULL) {
+			tmpres = dns_c_ctx_getkdeflist(currcfg, &list);
+		} else {
+			tmpres = dns_c_view_getkeydefs(view, &list);
+		}
+
+		if (tmpres == ISC_R_NOTFOUND) {
 			tmpres = dns_c_kdeflist_new(currcfg->mem,
-						    &currcfg->keydefs);
+						    &list);
 			if (tmpres != ISC_R_SUCCESS) {
 				parser_error(ISC_FALSE,
 					     "failed to create keylist");
+				isc_mem_free(memctx, $2);
+				isc_mem_free(memctx, $4.algorithm);
+				isc_mem_free(memctx, $4.secret);
+
+				YYABORT;
+			}
+
+			if (view == NULL) {
+				tmpres = dns_c_ctx_setkdeflist(currcfg,
+							       list,
+							       ISC_FALSE);
+			} else {
+				tmpres = dns_c_view_setkeydefs(view, list);
+			}
+
+			if (tmpres != ISC_R_SUCCESS) {
+				parser_error(ISC_FALSE,
+					     "failed to set keylist");
+				dns_c_kdeflist_delete(&list);
+				isc_mem_free(memctx, $2);
+				isc_mem_free(memctx, $4.algorithm);
+				isc_mem_free(memctx, $4.secret);
+
 				YYABORT;
 			}
 		}
-		
-		tmpres = dns_c_kdef_new(currcfg->keydefs,
-					$2, &keydef);
+
+		tmpres = dns_c_kdef_new(currcfg->mem, $2, &keydef);
 		if (tmpres != ISC_R_SUCCESS) {
-			parser_error(ISC_FALSE,
-				     "failed to create key definition");
+			parser_error(ISC_FALSE, "failed to create key");
+			isc_mem_free(memctx, $2);
+			isc_mem_free(memctx, $4.algorithm);
+			isc_mem_free(memctx, $4.secret);
 			YYABORT;
 		}
 
+		tmpres = dns_c_kdef_setalgorithm(keydef, $4.algorithm);
+		if (tmpres == ISC_R_SUCCESS) {
+			tmpres = dns_c_kdef_setsecret(keydef, $4.secret);
+		}
+
+		if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set key details.");
+			isc_mem_free(memctx, $2);
+			isc_mem_free(memctx, $4.algorithm);
+			isc_mem_free(memctx, $4.secret);
+		}
+
+		dns_c_kdeflist_append(list, keydef, ISC_FALSE);
+
 		isc_mem_free(memctx, $2);
+		isc_mem_free(memctx, $4.algorithm);
+		isc_mem_free(memctx, $4.secret);
 	}
-	L_LBRACE key_definition L_RBRACE
 	;
 
 key_definition: algorithm_id secret
 	{
-		dns_c_kdef_t *keydef;
-
-		INSIST(currcfg->keydefs != NULL);
-
-		keydef = ISC_LIST_TAIL(currcfg->keydefs->keydefs);
-		INSIST(keydef != NULL);
-
-		dns_c_kdef_setalgorithm(keydef, $1);
-		dns_c_kdef_setsecret(keydef, $2);
-
-		isc_mem_free(memctx, $1);
-		isc_mem_free(memctx, $2);
+		$$.algorithm = $1;
+		$$.secret = $2;
 	}
 	| secret algorithm_id
 	{
-		dns_c_kdef_t *keydef;
-
-		INSIST(currcfg->keydefs != NULL);
-
-		keydef = ISC_LIST_TAIL(currcfg->keydefs->keydefs);
-		INSIST(keydef != NULL);
-
-		dns_c_kdef_setsecret(keydef, $1);
-		dns_c_kdef_setalgorithm(keydef, $2);
-
-		isc_mem_free(memctx, $1);
-		isc_mem_free(memctx, $2);
+		$$.algorithm = $2;
+		$$.secret = $1;
 	}
 	;
 
@@ -2697,7 +3082,7 @@ secret: L_SECRET any_string L_EOS
  */
 
 
-view_stmt: L_VIEW any_string L_LBRACE 
+view_stmt: L_VIEW any_string optional_class L_LBRACE
 	{
 		dns_c_view_t *view;
 
@@ -2710,8 +3095,8 @@ view_stmt: L_VIEW any_string L_LBRACE
 				YYABORT;
 			}
 		}
-		
-		tmpres = dns_c_view_new(currcfg->mem, $2, &view);
+
+		tmpres = dns_c_view_new(currcfg->mem, $2, $3, &view);
 		if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to create view %s", $2);
@@ -2734,54 +3119,57 @@ view_options_list: view_option L_EOS
 	| view_options_list view_option L_EOS;
 
 
-view_option: L_ALLOW_QUERY L_LBRACE address_match_list L_RBRACE
+view_option: L_FORWARD zone_forward_opt
 	{
 		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
 
 		INSIST(view != NULL);
 
-		tmpres = dns_c_view_setallowquery(view, $3,
-						  ISC_FALSE);
+		tmpres = dns_c_view_setforward(view, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining view allow-query.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine view forward.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
-				     "failed to set view allow-query.");
+				     "failed to set view forward.");
 			YYABORT;
 		}
 	}
-	| L_ALLOW_TRANSFER L_LBRACE address_match_list L_RBRACE
+	| L_FORWARDERS L_LBRACE opt_in_addr_list L_RBRACE
 	{
 		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
 
 		INSIST(view != NULL);
 
-		tmpres = dns_c_view_setallowtransfer(view,
-						     $3, ISC_FALSE);
+		tmpres = dns_c_view_setforwarders(view,
+						  $3, ISC_FALSE);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining view allow-transfer.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine view forwarders.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
-				     "failed to set view allow-transfer.");
+				     "failed to set view forwarders.");
 			YYABORT;
 		}
 	}
-	| L_ALLOW_RECURSION L_LBRACE address_match_list L_RBRACE
+	| L_ALLOW_QUERY L_LBRACE address_match_list L_RBRACE
 	{
 		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
 
 		INSIST(view != NULL);
 
-		tmpres = dns_c_view_setallowrecursion(view,
-						      $3, ISC_FALSE);
+		tmpres = dns_c_view_setallowquery(view, $3);
+		dns_c_ipmatchlist_detach(&$3);
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining view allow-recursion.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine view allow-query.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
-				     "failed to set view allow-recursion.");
+				     "failed to set view allow-query.");
 			YYABORT;
 		}
 	}
@@ -2791,12 +3179,14 @@ view_option: L_ALLOW_QUERY L_LBRACE address_match_list L_RBRACE
 
 		INSIST(view != NULL);
 
-		tmpres = dns_c_view_setallowupdateforwarding(view,
-							     $3, ISC_FALSE);
+		tmpres = dns_c_view_setallowupdateforwarding(view, $3);
+		dns_c_ipmatchlist_detach(&$3);
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining view "
-				       "allow-update-forwarding.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine view "
+				     "allow-update-forwarding.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set view "
@@ -2804,37 +3194,41 @@ view_option: L_ALLOW_QUERY L_LBRACE address_match_list L_RBRACE
 			YYABORT;
 		}
 	}
-	| L_BLACKHOLE L_LBRACE address_match_list L_RBRACE
+	| L_ALLOW_TRANSFER L_LBRACE address_match_list L_RBRACE
 	{
 		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
 
 		INSIST(view != NULL);
 
-		tmpres = dns_c_view_setblackhole(view,
-						 $3, ISC_FALSE);
+		tmpres = dns_c_view_settransferacl(view, $3);
+		dns_c_ipmatchlist_detach(&$3);
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining view blackhole.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine view allow-transfer.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
-				     "failed to set view blackhole.");
+				     "failed to set view allow-transfer.");
 			YYABORT;
 		}
 	}
-	| L_FORWARDERS L_LBRACE opt_in_addr_list L_RBRACE
+	| L_ALLOW_RECURSION L_LBRACE address_match_list L_RBRACE
 	{
 		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
 
 		INSIST(view != NULL);
 
-		tmpres = dns_c_view_setforwarders(view,
-						  $3, ISC_FALSE);
+		tmpres = dns_c_view_setrecursionacl(view, $3);
+		dns_c_ipmatchlist_detach(&$3);
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining view forwarders.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine view allow-recursion.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
-				     "failed to set view forwarders.");
+				     "failed to set view allow-recursion.");
 			YYABORT;
 		}
 	}
@@ -2844,11 +3238,13 @@ view_option: L_ALLOW_QUERY L_LBRACE address_match_list L_RBRACE
 
 		INSIST(view != NULL);
 
-		tmpres = dns_c_view_setsortlist(view,
-						$3, ISC_FALSE);
+		tmpres = dns_c_view_setsortlist(view, $3);
+		dns_c_ipmatchlist_detach(&$3);
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining view sortlist.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine view sortlist.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set view sortlist.");
@@ -2861,47 +3257,427 @@ view_option: L_ALLOW_QUERY L_LBRACE address_match_list L_RBRACE
 
 		INSIST(view != NULL);
 
-		tmpres = dns_c_view_settopology(view,
-						$3, ISC_FALSE);
+		tmpres = dns_c_view_settopology(view, $3);
+		dns_c_ipmatchlist_detach(&$3);
+
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining view topology.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine view topology.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set view topology.");
 			YYABORT;
 		}
 	}
-	| L_LISTEN_ON maybe_port L_LBRACE address_match_list L_RBRACE
+	| L_MATCH_CLIENTS L_LBRACE address_match_list L_RBRACE
 	{
 		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
 
 		INSIST(view != NULL);
-		
-		if ($4 == NULL) {
-			parser_warning(ISC_FALSE,
-				       "address-match-list empty. "
-				       "listen statement ignored.");
-		} else {
-			tmpres = dns_c_view_addlisten_on(view, $2, $4,
-							 ISC_FALSE);
 
-			if (tmpres != ISC_R_SUCCESS) {
-				parser_error(ISC_FALSE,
-					     "failed to add listen statement");
-				YYABORT;
-			}
+		tmpres = dns_c_view_setmatchclients(view, $3);
+		dns_c_ipmatchlist_detach(&$3);
+
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view match-clients.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view match-clients.");
+			YYABORT;
+		}
+	}
+	| L_CHECK_NAMES check_names_type check_names_opt
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		tmpres = dns_c_view_setchecknames(view, $2, $3);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view check-names.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view check-names.");
+			YYABORT;
+		}
+	}
+	| L_AUTH_NXDOMAIN yea_or_nay
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		tmpres = dns_c_view_setauthnxdomain(view, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view auth-nxdomain.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view auth-nxdomain.");
+			YYABORT;
+		}
+	}
+	| L_RECURSION yea_or_nay
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		tmpres = dns_c_view_setrecursion(view, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view recursion.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view recursion.");
+			YYABORT;
+		}
+	}
+	| L_PROVIDE_IXFR yea_or_nay
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		tmpres = dns_c_view_setprovideixfr(view, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view provide-ixfr.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view provide-ixfr.");
+			YYABORT;
+		}
+	}
+	| L_REQUEST_IXFR yea_or_nay
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		tmpres = dns_c_view_setrequestixfr(view, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view request-ixfr.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view request-ixfr.");
+			YYABORT;
+		}
+	}
+	| L_FETCH_GLUE yea_or_nay
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		tmpres = dns_c_view_setfetchglue(view, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view fetch-glue.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view fetch-glue.");
+			YYABORT;
+		}
+	}
+	| L_NOTIFY yea_or_nay
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		tmpres = dns_c_view_setnotify(view, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view notify.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view notify.");
+			YYABORT;
+		}
+	}
+	| L_RFC2308_TYPE1 yea_or_nay
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		tmpres = dns_c_view_setrfc2308type1(view, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view rfc2308-type1.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view rfc2308-type1.");
+			YYABORT;
+		}
+	}
+	| L_QUERY_SOURCE query_source_v4
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		tmpres = dns_c_view_setquerysource(view, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view query-source.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view query-source.");
+			YYABORT;
+		}
+	}
+	| L_QUERY_SOURCE_V6 query_source_v6
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		tmpres = dns_c_view_setquerysourcev6(view, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view query-source-v6.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view query-source-v6.");
+			YYABORT;
+		}
+	}
+	| L_TRANSFER_SOURCE maybe_wild_ip4_only_addr
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		tmpres = dns_c_view_settransfersource(view, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view transfer-source");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view transfer-source");
+			YYABORT;
+		}
+	}
+	| L_TRANSFER_SOURCE_V6 maybe_wild_ip6_only_addr
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		tmpres = dns_c_view_settransfersourcev6(view, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view transfer-source-v6");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view transfer-source-v6");
+			YYABORT;
+		}
+	}
+	| L_MAX_TRANSFER_TIME_OUT L_INTEGER
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		if ( int_too_big($2, 60) ) {
+			parser_error(ISC_FALSE,
+				     "integer value too big: %u", $2);
+			YYABORT;
+		}
+
+		tmpres = dns_c_view_setmaxtransfertimeout(view, $2 * 60);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view max-transfer-time-out.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view "
+				     "max-transfer-time-out.");
+			YYABORT;
+		}
+	}
+	| L_MAX_TRANSFER_IDLE_OUT L_INTEGER
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		if ( int_too_big($2, 60) ) {
+			parser_error(ISC_FALSE,
+				     "integer value too big: %u", $2);
+			YYABORT;
+		}
+
+		tmpres = dns_c_view_setmaxtransferidleout(view, $2 * 60);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view max-transfer-idle-out.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view "
+				     "max-transfer-idle-out.");
+			YYABORT;
+		}
+	}
+	| L_CLEAN_INTERVAL L_INTEGER
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		if ( int_too_big($2, 60) ) {
+			parser_error(ISC_FALSE,
+				     "integer value too big: %u", $2);
+			YYABORT;
+		}
+
+		tmpres = dns_c_view_setcleaninterval(view, $2 * 60);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view cleaning-interval.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view cleaning-interval.");
+			YYABORT;
+		}
+	}
+	| L_MIN_ROOTS L_INTEGER
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		tmpres = dns_c_view_setminroots(view, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view min-roots.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view min-roots.");
+			YYABORT;
+		}
+	}
+	| L_LAME_TTL L_INTEGER
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		tmpres = dns_c_view_setlamettl(view, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view lame-ttl.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view lame-ttl.");
+			YYABORT;
+		}
+	}
+	| L_MAX_NCACHE_TTL L_INTEGER
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		tmpres = dns_c_view_setmaxncachettl(view, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view max-ncache-ttl.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view max-ncache-ttl.");
+			YYABORT;
+		}
+	}
+	| L_MAX_CACHE_TTL L_INTEGER
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		tmpres = dns_c_view_setmaxcachettl(view, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view max-cache-ttl.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view max-cache-ttl.");
+			YYABORT;
+		}
+	}
+	| L_ADDITIONAL_DATA additional_data
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		tmpres = dns_c_view_setadditionaldata(view, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view additional-data.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view additional-data.");
+			YYABORT;
+		}
+	}
+	| L_TRANSFER_FORMAT transfer_format
+	{
+		dns_c_view_t *view = dns_c_ctx_getcurrview(currcfg);
+
+		INSIST(view != NULL);
+
+		tmpres = dns_c_view_settransferformat(view, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine view transfer-format.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set view transfer-format.");
+			YYABORT;
 		}
 	}
-/* XXX not implemented yet
-	| L_RRSET_ORDER L_LBRACE rrset_ordering_list L_RBRACE 
-	| L_CHECK_NAMES 
-	| L_TRANSFER_FORMAT
-*/
-        | zone_stmt
+	| key_stmt
+	| zone_stmt
+	| server_stmt
 	;
 
 
+zone_update_policy: L_UPDATE_POLICY L_LBRACE {
+
+	} zone_grant_stmt_list L_RBRACE;
+
+zone_grant_stmt_list: /* nothing */ | zone_grant_stmt_list zone_ssu_stmt L_EOS;
+
 zone_ssu_stmt: grant_stmt {
 		dns_ssutable_t *ssutable = NULL;
 		isc_boolean_t ok = ISC_TRUE;
@@ -2916,7 +3692,7 @@ zone_ssu_stmt: grant_stmt {
 				     "statements.");
 			ok = ISC_FALSE;
 			break;
-			
+
 		case dns_c_zone_forward:
 			parser_error(ISC_FALSE,
 				     "forward zones do not have grant/deny "
@@ -2953,17 +3729,20 @@ zone_ssu_stmt: grant_stmt {
 					      $1.ident, $1.matchtype,
 					      $1.name,
 					      $1.rdatatypes.idx,
-					      &$1.rdatatypes.types[0]);
+					      $1.rdatatypes.types);
 		if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "error creating ssu "
 				     "identity value");
 			ok = ISC_FALSE;
 		}
-		
+
 		dns_name_free($1.ident, memctx);
 		dns_name_free($1.name, memctx);
 
+		isc_mem_put(memctx, $1.rdatatypes.types,
+			    sizeof ($1.rdatatypes.types[0]) * 256);
+
 		isc_mem_put(memctx, $1.ident, sizeof (*$1.ident));
 		isc_mem_put(memctx, $1.name, sizeof (*$1.name));
 
@@ -2977,7 +3756,7 @@ grant_stmt: grantp any_string grant_match_type any_string rdatatype_list
 		dns_name_t *name = NULL;
 		dns_name_t *identity = NULL;
 		isc_boolean_t ok = ISC_TRUE;
-		
+
 		tmpres = dns_c_charptoname(memctx, $4, &name);
 		if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
@@ -3043,6 +3822,11 @@ grant_stmt: grantp any_string grant_match_type any_string rdatatype_list
 				isc_mem_put(memctx, name, sizeof *name);
 			}
 
+			REQUIRE($5.types != NULL);
+
+			isc_mem_put(memctx, $5.types,
+				    sizeof (dns_rdatatype_t) * 256);
+
 			YYABORT;
 		}
 	};
@@ -3069,6 +3853,7 @@ grant_match_type: L_NAME {
 
 rdatatype_list: /* nothing */
 	{
+		$$.types = isc_mem_get(memctx, sizeof(dns_rdatatype_t) * 256);
 		$$.idx = 0;
 	}
 	| rdatatype_list rdatatype {
@@ -3082,38 +3867,20 @@ rdatatype: any_string {
 
 		reg.base = $1;
 		reg.length = strlen($1);
-		
+
 		tmpres = dns_rdatatype_fromtext(&ty, &reg);
-		if (tmpres != DNS_R_SUCCESS) {
+		if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_TRUE, "unknown rdatatype.");
 			YYABORT;
 		}
-		
+
 		isc_mem_free(memctx, $1);
 		$$ = ty;
 	};
 
-	       
-	
-
-	
 
 
 /*
-  key
-  trusted-keys
-  server
-  options {
-     forwarders
-     blackhole
-     lame-ttl
-     max-ncache-ttl
-     min-roots
-     cleaning-interval
-  }		 
-*/
-		
-/*
  * ACLs
  */
 
@@ -3122,7 +3889,7 @@ acl_stmt: L_ACL any_string L_LBRACE address_match_list L_RBRACE
 		dns_c_acl_t *acl;
 
 		INSIST(currcfg->acls != NULL);
-			
+
 		tmpres = dns_c_acl_new(currcfg->acls,
 				       $2, ISC_FALSE, &acl);
 		if (tmpres != ISC_R_SUCCESS) {
@@ -3130,9 +3897,9 @@ acl_stmt: L_ACL any_string L_LBRACE address_match_list L_RBRACE
 				     "failed to create acl %s", $2);
 			YYABORT;
 		}
-		
+
 		dns_c_acl_setipml(acl, $4, ISC_FALSE);
-			
+
 		isc_mem_free(memctx, $2);
 	}
 	;
@@ -3149,58 +3916,58 @@ domain_name: L_QSTRING
 	;
 
 /*
- * ``type'' is no longer optional and must be the first statement in the 
+ * 'type' is no longer optional and must be the first statement in the
  * zone block.
  */
 zone_stmt: L_ZONE domain_name optional_class L_LBRACE L_TYPE zone_type L_EOS
 	{
 		dns_c_zone_t *zone;
 
-                if (currcfg->zlist == NULL) {
-                        tmpres = dns_c_zonelist_new(currcfg->mem,
-                                                    &currcfg->zlist);
-                        if (tmpres != ISC_R_SUCCESS) {
-                                isc_log_write(dns_lctx,
-                                              DNS_LOGCATEGORY_CONFIG,
-                                              DNS_LOGMODULE_CONFIG,
-                                              ISC_LOG_ERROR,
-                                              "Failed to create zone list");
-                                YYABORT;
-                        }
-                }
+		if (currcfg->zlist == NULL) {
+			tmpres = dns_c_zonelist_new(currcfg->mem,
+						    &currcfg->zlist);
+			if (tmpres != ISC_R_SUCCESS) {
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_CONFIG,
+					      DNS_LOGMODULE_CONFIG,
+					      ISC_LOG_ERROR,
+					      "Failed to create zone list");
+				YYABORT;
+			}
+		}
 
 		/* XXX internal name support needed! */
-                tmpres = dns_c_zone_new(currcfg->mem,
-                                        $6, $3, $2, $2, &zone);
-                if (tmpres != ISC_R_SUCCESS) {
-                        isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
-                                      DNS_LOGMODULE_CONFIG,
-                                      ISC_LOG_ERROR,
-                                      "Error creating new zone.");
-                        YYABORT;
-                }
-
-                if (currcfg->options != NULL) {
-                        zone->afteropts = ISC_TRUE;
-                }
+		tmpres = dns_c_zone_new(currcfg->mem,
+					$6, $3, $2, $2, &zone);
+		if (tmpres != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
+				      DNS_LOGMODULE_CONFIG,
+				      ISC_LOG_ERROR,
+				      "Error creating new zone.");
+			YYABORT;
+		}
+
+		if (currcfg->options != NULL) {
+			zone->afteropts = ISC_TRUE;
+		}
 
 		tmpres = dns_c_zonelist_addzone(currcfg->zlist, zone);
 		if (tmpres != ISC_R_SUCCESS) {
 			dns_c_zone_detach(&zone);
-                        isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
-                                      DNS_LOGMODULE_CONFIG,
-                                      ISC_LOG_ERROR,
-                                      "Error adding new zone to list.");
-                        YYABORT;
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
+				      DNS_LOGMODULE_CONFIG,
+				      ISC_LOG_ERROR,
+				      "Error adding new zone to list.");
+			YYABORT;
 		}
 
 		dns_c_ctx_setcurrzone(currcfg, zone);
-		
+
 		isc_mem_free(memctx, $2);
 	} optional_zone_options_list L_RBRACE {
 		dns_c_zone_t *zone;
 		dns_c_view_t *view;
-		
+
 		zone = dns_c_ctx_getcurrzone(currcfg);
 		view = dns_c_ctx_getcurrview(currcfg);
 
@@ -3212,7 +3979,13 @@ zone_stmt: L_ZONE domain_name optional_class L_LBRACE L_TYPE zone_type L_EOS
 
 		dns_c_ctx_setcurrzone(currcfg, NULL);
 
-		if (callbacks != NULL && callbacks->zonecbk != NULL) {
+		if (zone != NULL &&
+		    callbacks != NULL && callbacks->zonecbk != NULL) {
+			tmpres = dns_c_zone_validate(zone);
+			if (tmpres != ISC_R_SUCCESS) {
+				YYABORT;
+			}
+			
 			tmpres = callbacks->zonecbk(currcfg,
 						    zone,
 						    view,
@@ -3221,7 +3994,8 @@ zone_stmt: L_ZONE domain_name optional_class L_LBRACE L_TYPE zone_type L_EOS
 				isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
 					      DNS_LOGMODULE_CONFIG,
 					      ISC_LOG_ERROR,
-				      "zone configuration for '%s' failed: %s",
+					      "zone configuration "
+					      "for '%s' failed: %s",
 					      zone->name,
 					      isc_result_totext(tmpres));
 				YYABORT;
@@ -3234,7 +4008,7 @@ zone_stmt: L_ZONE domain_name optional_class L_LBRACE L_TYPE zone_type L_EOS
 	{
 		parser_error(ISC_FALSE,
 			     "first statement in a zone definition must "
-			     "be ``type''");
+			     "be 'type'");
 		YYABORT;
 	}
 	| L_ZONE domain_name
@@ -3245,7 +4019,7 @@ zone_stmt: L_ZONE domain_name optional_class L_LBRACE L_TYPE zone_type L_EOS
 	;
 
 optional_zone_options_list: /* Empty */
-	| zone_option_list 
+	| zone_option_list
 	;
 
 class_name: any_string
@@ -3253,20 +4027,38 @@ class_name: any_string
 		isc_textregion_t reg;
 		dns_rdataclass_t cl;
 
+		reg.base = $1;
+		reg.length = strlen($1);
+
+		tmpres = dns_rdataclass_fromtext(&cl, &reg);
+		if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_TRUE, "unknown class.");
+			YYABORT;
+		}
+
+		isc_mem_free(memctx, $1);
+		$$ = cl;
+	}
+
+wild_class_name: any_string
+	{
+		isc_textregion_t reg;
+		dns_rdataclass_t cl;
+
 		if (strcmp($1, "*") == 0) {
 			cl = dns_rdataclass_any;
 		} else {
 			reg.base = $1;
 			reg.length = strlen($1);
-			
+
 			tmpres = dns_rdataclass_fromtext(&cl, &reg);
-			if (tmpres != DNS_R_SUCCESS) {
+			if (tmpres != ISC_R_SUCCESS) {
 				parser_error(ISC_TRUE,
-					     "unknown class assuming ``*''.");
+					     "unknown class, assuming '*'.");
 				cl = dns_rdataclass_any;
 			}
 		}
-		
+
 		isc_mem_free(memctx, $1);
 		$$ = cl;
 	}
@@ -3315,10 +4107,11 @@ zone_non_type_keywords: L_FILE | L_FILE_IXFR | L_IXFR_TMP | L_MASTERS |
 	L_TRANSFER_SOURCE | L_CHECK_NAMES | L_ALLOW_UPDATE |
 	L_ALLOW_UPDATE_FORWARDING | L_ALLOW_QUERY |
 	L_ALLOW_TRANSFER | L_FORWARD | L_FORWARDERS | L_MAX_TRANSFER_TIME_IN |
-	L_TCP_CLIENTS | L_RECURSIVE_CLIENTS | L_GRANT | L_DENY |
+	L_TCP_CLIENTS | L_RECURSIVE_CLIENTS | L_UPDATE_POLICY | L_DENY |
 	L_MAX_TRANSFER_TIME_OUT | L_MAX_TRANSFER_IDLE_IN |
 	L_MAX_TRANSFER_IDLE_OUT | L_MAX_LOG_SIZE_IXFR | L_NOTIFY |
-	L_MAINTAIN_IXFR_BASE | L_PUBKEY | L_ALSO_NOTIFY | L_DIALUP
+	L_MAINTAIN_IXFR_BASE | L_PUBKEY | L_ALSO_NOTIFY | L_DIALUP |
+	L_ENABLE_ZONE | L_DATABASE
 	;
 
 
@@ -3330,8 +4123,9 @@ zone_option: L_FILE L_QSTRING
 
 		tmpres = dns_c_zone_setfile(zone, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone filename.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine zone filename.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone file name");
@@ -3347,8 +4141,9 @@ zone_option: L_FILE L_QSTRING
 
 		tmpres = dns_c_zone_setixfrbase(zone, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining ixfr-base.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine ixfr-base.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone ixfr_base.");
@@ -3364,8 +4159,9 @@ zone_option: L_FILE L_QSTRING
 
 		tmpres = dns_c_zone_setixfrtmp(zone, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining ixfr-tmp-file.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine ixfr-tmp-file.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone ixfr_tmp-file.");
@@ -3373,28 +4169,17 @@ zone_option: L_FILE L_QSTRING
 		}
 		isc_mem_free(memctx, $2);
 	}
-	| L_MASTERS maybe_zero_port L_LBRACE master_in_addr_list L_RBRACE
+	| L_MASTERS port_ip_list
 	{
 		dns_c_zone_t *zone = dns_c_ctx_getcurrzone(currcfg);
 
 		INSIST(zone != NULL);
 
-		tmpres = dns_c_zone_setmasterport(zone, $2);
+		tmpres = dns_c_zone_setmasterips(zone, $2, ISC_FALSE);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone master's port.");
-		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
-				     "failed to set zone master port.");
+				     "cannot redefine zone masters ips.");
 			YYABORT;
-		}
-		
-
-		tmpres = dns_c_zone_setmasterips(zone,
-						 $4, ISC_FALSE);
-		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone masters ips.");
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone masters ips.");
@@ -3409,8 +4194,9 @@ zone_option: L_FILE L_QSTRING
 
 		tmpres = dns_c_zone_settransfersource(zone, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone transfer-source.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine zone transfer-source.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone transfer-source.");
@@ -3425,8 +4211,9 @@ zone_option: L_FILE L_QSTRING
 
 		tmpres = dns_c_zone_settransfersourcev6(zone, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone transfer-source-v6.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine zone transfer-source-v6.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone transfer-source-v6.");
@@ -3441,8 +4228,9 @@ zone_option: L_FILE L_QSTRING
 
 		tmpres = dns_c_zone_setchecknames(zone, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone check-names.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine zone check-names.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone check-names.");
@@ -3458,8 +4246,9 @@ zone_option: L_FILE L_QSTRING
 		tmpres = dns_c_zone_setallowupd(zone,
 						$3, ISC_FALSE);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone allow-update.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine zone allow-update.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone allow-update.");
@@ -3475,9 +4264,10 @@ zone_option: L_FILE L_QSTRING
 		tmpres = dns_c_zone_setallowupdateforwarding(zone,
 							     $3, ISC_FALSE);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone "
-				       "allow-update-forwarding.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine zone "
+				     "allow-update-forwarding.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone "
@@ -3494,8 +4284,9 @@ zone_option: L_FILE L_QSTRING
 		tmpres = dns_c_zone_setallowquery(zone,
 						  $3, ISC_FALSE);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone allow-query.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine zone allow-query.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone allow-query.");
@@ -3511,8 +4302,9 @@ zone_option: L_FILE L_QSTRING
 		tmpres = dns_c_zone_setallowtransfer(zone,
 						     $3, ISC_FALSE);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone allow-transfer.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine zone allow-transfer.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone allow-transfer.");
@@ -3527,8 +4319,9 @@ zone_option: L_FILE L_QSTRING
 
 		tmpres = dns_c_zone_setforward(zone, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone forward.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine zone forward.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone forward.");
@@ -3539,7 +4332,7 @@ zone_option: L_FILE L_QSTRING
 	{
 		dns_c_zone_t *zone = dns_c_ctx_getcurrzone(currcfg);
 		dns_c_iplist_t *iplist;
-		
+
 		INSIST(zone != NULL);
 
 		if ($3 == NULL) {	/* user defined empty list */
@@ -3554,12 +4347,13 @@ zone_option: L_FILE L_QSTRING
 		} else {
 			iplist = $3;
 		}
-		
+
 		tmpres = dns_c_zone_setforwarders(zone,
 						  iplist, ISC_FALSE);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone forwarders.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine zone forwarders.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone forwarders.");
@@ -3577,12 +4371,13 @@ zone_option: L_FILE L_QSTRING
 				     "integer value too big: %u", $2);
 			YYABORT;
 		}
-		
+
 		tmpres = dns_c_zone_setmaxtranstimein(zone, $2 * 60);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone "
-				       "max-transfer-time-in.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine zone "
+				     "max-transfer-time-in.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone "
@@ -3601,12 +4396,13 @@ zone_option: L_FILE L_QSTRING
 				     "integer value too big: %u", $2);
 			YYABORT;
 		}
-		
+
 		tmpres = dns_c_zone_setmaxtranstimeout(zone, $2 * 60);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone "
-				       "max-transfer-time-out.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine zone "
+				     "max-transfer-time-out.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone "
@@ -3625,12 +4421,13 @@ zone_option: L_FILE L_QSTRING
 				     "integer value too big: %u", $2);
 			YYABORT;
 		}
-		
+
 		tmpres = dns_c_zone_setmaxtransidlein(zone, $2 * 60);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone "
-				       "max-transfer-idle-in.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine zone "
+				     "max-transfer-idle-in.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone "
@@ -3649,12 +4446,13 @@ zone_option: L_FILE L_QSTRING
 				     "integer value too big: %u", $2);
 			YYABORT;
 		}
-		
+
 		tmpres = dns_c_zone_setmaxtransidleout(zone, $2 * 60);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone "
-				       "max-transfer-idle-out.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine zone "
+				     "max-transfer-idle-out.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone "
@@ -3670,8 +4468,9 @@ zone_option: L_FILE L_QSTRING
 
 		tmpres = dns_c_zone_setmaxixfrlog(zone, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone	 max-ixfr-log-size.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine zone	 max-ixfr-log-size.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone max-ixfr-log-size.");
@@ -3686,8 +4485,9 @@ zone_option: L_FILE L_QSTRING
 
 		tmpres = dns_c_zone_setnotify(zone, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone notify.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine zone notify.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone notify.");
@@ -3702,8 +4502,9 @@ zone_option: L_FILE L_QSTRING
 
 		tmpres = dns_c_zone_setmaintixfrbase(zone, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone maintain-ixfr-base.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine zone maintain-ixfr-base.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone maintain-ixfr-base.");
@@ -3714,7 +4515,7 @@ zone_option: L_FILE L_QSTRING
 	{
 		dns_c_zone_t *zone = dns_c_ctx_getcurrzone(currcfg);
 		dns_c_pubkey_t *pubkey;
-		
+
 		INSIST(zone != NULL);
 
 		tmpres = dns_c_pubkey_new(currcfg->mem, $2,
@@ -3724,7 +4525,7 @@ zone_option: L_FILE L_QSTRING
 				     "failed to create a zone pubkey");
 			YYABORT;
 		}
-		
+
 		tmpres = dns_c_zone_addpubkey(zone, pubkey,
 					      ISC_FALSE);
 		if (tmpres != ISC_R_SUCCESS) {
@@ -3736,17 +4537,17 @@ zone_option: L_FILE L_QSTRING
 
 		isc_mem_free(memctx, $5);
 	}
-	| L_ALSO_NOTIFY L_LBRACE notify_in_addr_list L_RBRACE
+	| L_ALSO_NOTIFY port_ip_list
 	{
 		dns_c_zone_t *zone = dns_c_ctx_getcurrzone(currcfg);
 
 		INSIST(zone != NULL);
 
-		tmpres = dns_c_zone_setalsonotify(zone, $3,
-						  ISC_FALSE);
+		tmpres = dns_c_zone_setalsonotify(zone, $2, ISC_FALSE);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone also-notify.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine zone also-notify.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone also-notify.");
@@ -3761,24 +4562,61 @@ zone_option: L_FILE L_QSTRING
 
 		tmpres = dns_c_zone_setdialup(zone, $2);
 		if (tmpres == ISC_R_EXISTS) {
-			parser_warning(ISC_FALSE,
-				       "redefining zone dialup.");
+			parser_error(ISC_FALSE,
+				     "cannot redefine zone dialup.");
+			YYABORT;
 		} else if (tmpres != ISC_R_SUCCESS) {
 			parser_error(ISC_FALSE,
 				     "failed to set zone dialup.");
 			YYABORT;
 		}
 	}
-	| zone_ssu_stmt
-	;
+	| L_ENABLE_ZONE yea_or_nay
+	{
+		dns_c_zone_t *zone = dns_c_ctx_getcurrzone(currcfg);
 
+		INSIST(zone != NULL);
 
-master_in_addr_list: in_addr_list
-	;
+		tmpres = dns_c_zone_setenabled(zone, $2);
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine enable-zone.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set enable-zone.");
+			YYABORT;
+		}
+
+		if ($2 == ISC_FALSE) {
+			parser_warning(ISC_FALSE, "zone '%s' is disabled",
+				       zone->name);
+		}
+	}
+	| L_DATABASE L_QSTRING
+	{
+		dns_c_zone_t *zone = dns_c_ctx_getcurrzone(currcfg);
+
+		INSIST(zone != NULL);
+
+		tmpres = dns_c_zone_setdatabase(zone, $2);
+		isc_mem_free(memctx, $2);
+
+		if (tmpres == ISC_R_EXISTS) {
+			parser_error(ISC_FALSE,
+				     "cannot redefine zone database.");
+			YYABORT;
+		} else if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE,
+				     "failed to set zone database.");
+			YYABORT;
+		}
 
-notify_in_addr_list: opt_in_addr_list
+	}
+	| zone_update_policy
 	;
 
+
 ip4_address: L_IP4ADDR
 	{
 		isc_sockaddr_fromin(&$$, &$1, 0);
@@ -3793,7 +4631,7 @@ ip6_address: L_IP6ADDR
 
 ip_address: ip4_address | ip6_address
 	;
-	
+
 in_addr_elem: ip_address
 	;
 
@@ -3830,7 +4668,7 @@ in_addr_list: in_addr_elem L_EOS
 				     "failed to append master address");
 			YYABORT;
 		}
-		
+
 		$$ = list;
 	}
 	| in_addr_list in_addr_elem L_EOS
@@ -3864,35 +4702,35 @@ opt_zone_forwarders_list: opt_in_addr_list
  */
 
 trusted_keys_stmt: L_TRUSTED_KEYS
-        {
-                dns_c_tkeylist_t *newlist;
-                
-                tmpres = dns_c_ctx_gettrustedkeys(currcfg,
-                                                  &newlist);
-                if (tmpres == ISC_R_NOTFOUND) {
-                        tmpres = dns_c_tkeylist_new(currcfg->mem, &newlist);
-                        if (tmpres != ISC_R_SUCCESS) {
-                                isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
-                                              DNS_LOGMODULE_CONFIG,
-                                              ISC_LOG_ERROR,
-                                              "Failed to create trusted key"
-                                              " list.");
-                                YYABORT;
-                        }
-
-                        tmpres = dns_c_ctx_settrustedkeys(currcfg,
-                                                          newlist,
-                                                          ISC_FALSE);
-                        if (tmpres != ISC_R_SUCCESS) {
-                                isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
-                                              DNS_LOGMODULE_CONFIG,
-                                              ISC_LOG_ERROR,
-                                              "Failed to set trusted keys");
-                                YYABORT;
-                        }
-                }
-        } L_LBRACE trusted_keys_list L_RBRACE
-        ;
+	{
+		dns_c_tkeylist_t *newlist;
+
+		tmpres = dns_c_ctx_gettrustedkeys(currcfg,
+						  &newlist);
+		if (tmpres == ISC_R_NOTFOUND) {
+			tmpres = dns_c_tkeylist_new(currcfg->mem, &newlist);
+			if (tmpres != ISC_R_SUCCESS) {
+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
+					      DNS_LOGMODULE_CONFIG,
+					      ISC_LOG_ERROR,
+					      "Failed to create trusted key"
+					      " list.");
+				YYABORT;
+			}
+
+			tmpres = dns_c_ctx_settrustedkeys(currcfg,
+							  newlist,
+							  ISC_FALSE);
+			if (tmpres != ISC_R_SUCCESS) {
+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
+					      DNS_LOGMODULE_CONFIG,
+					      ISC_LOG_ERROR,
+					      "Failed to set trusted keys");
+				YYABORT;
+			}
+		}
+	} L_LBRACE trusted_keys_list L_RBRACE
+	;
 
 trusted_keys_list: trusted_key L_EOS
 	| trusted_keys_list trusted_key L_EOS
@@ -3900,43 +4738,43 @@ trusted_keys_list: trusted_key L_EOS
 
 
 trusted_key: domain_name L_INTEGER L_INTEGER L_INTEGER L_QSTRING
-        {
-                dns_c_tkey_t *tkey;
-                dns_c_tkeylist_t *list;
-
-                tmpres = dns_c_ctx_gettrustedkeys(currcfg, &list);
-                if (tmpres != ISC_R_SUCCESS) {
-                        isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
-                                      DNS_LOGMODULE_CONFIG,
-                                      ISC_LOG_ERROR,
-                                      "No trusted key list defined!");
-                        YYABORT;
-                }
-
-                tmpres = dns_c_tkey_new(currcfg->mem, $1, $2, $3,
-                                        $4, $5, &tkey);
-                if (tmpres != ISC_R_SUCCESS) {
-                        isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
-                                      DNS_LOGMODULE_CONFIG,
-                                      ISC_LOG_ERROR,
-                                      "Failed to create trusted key");
-                        YYABORT;
-                }
-
-                tmpres = dns_c_tkeylist_append(list,
-                                               tkey, ISC_FALSE);
-                if (tmpres != ISC_R_SUCCESS) {
-                        isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
-                                      DNS_LOGMODULE_CONFIG,
-                                      ISC_LOG_ERROR,
-                                      "Failed to append trusted key.");
-                        YYABORT;
-                }
-
-                isc_mem_free(memctx, $1);
-                isc_mem_free(memctx, $5);
-        }
-        ;
+	{
+		dns_c_tkey_t *tkey;
+		dns_c_tkeylist_t *list;
+
+		tmpres = dns_c_ctx_gettrustedkeys(currcfg, &list);
+		if (tmpres != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
+				      DNS_LOGMODULE_CONFIG,
+				      ISC_LOG_ERROR,
+				      "No trusted key list defined!");
+			YYABORT;
+		}
+
+		tmpres = dns_c_tkey_new(currcfg->mem, $1, $2, $3,
+					$4, $5, &tkey);
+		if (tmpres != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
+				      DNS_LOGMODULE_CONFIG,
+				      ISC_LOG_ERROR,
+				      "Failed to create trusted key");
+			YYABORT;
+		}
+
+		tmpres = dns_c_tkeylist_append(list,
+					       tkey, ISC_FALSE);
+		if (tmpres != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
+				      DNS_LOGMODULE_CONFIG,
+				      ISC_LOG_ERROR,
+				      "Failed to append trusted key.");
+			YYABORT;
+		}
+
+		isc_mem_free(memctx, $1);
+		isc_mem_free(memctx, $5);
+	}
+	;
 
 
 
@@ -3948,8 +4786,8 @@ in_port: L_INTEGER
 	{
 		if ($1 < 0 || $1 > 65535) {
 			parser_warning(ISC_TRUE,
-			  "invalid IP port number '%d'; setting port to 0",
-				       (int)$1);
+				       "invalid IP port number '%d'; "
+				       "setting port to 0", (int)$1);
 			$1 = 0;
 		} else {
 			$$ = $1;
@@ -3982,7 +4820,7 @@ static int		lasttoken;
 
 /*
  * Definition of all unique keyword tokens to be recognised by the
- * lexer. All the ``L_'' tokens defined in parser.y must be defined here too.
+ * lexer. All the 'L_' tokens defined in parser.y must be defined here too.
  */
 struct token
 {
@@ -3998,6 +4836,7 @@ static struct token keyword_tokens [] = {
 	{ "!",				L_BANG },
 
 	{ "acl",			L_ACL },
+	{ "additional-data",		L_ADDITIONAL_DATA },
 	{ "address",			L_ADDRESS },
 	{ "algorithm",			L_ALGID },
 	{ "allow",			L_ALLOW },
@@ -4017,6 +4856,7 @@ static struct token keyword_tokens [] = {
 	{ "cleaning-interval",		L_CLEAN_INTERVAL },
 	{ "controls",			L_CONTROLS },
 	{ "coresize",			L_CORESIZE },
+	{ "database",			L_DATABASE },
 	{ "datasize",			L_DATASIZE },
 	{ "deallocate-on-exit",		L_DEALLOC_ON_EXIT },
 	{ "debug",			L_DEBUG },
@@ -4025,6 +4865,7 @@ static struct token keyword_tokens [] = {
 	{ "directory",			L_DIRECTORY },
 	{ "dump-file",			L_DUMP_FILE },
 	{ "dynamic",			L_DYNAMIC },
+	{ "enable-zone",		L_ENABLE_ZONE },
 	{ "expert-mode",		L_EXPERT_MODE },
 	{ "fail",			L_FAIL },
 	{ "fake-iquery",		L_FAKE_IQUERY },
@@ -4035,12 +4876,11 @@ static struct token keyword_tokens [] = {
 	{ "first",			L_FIRST },
 	{ "forward",			L_FORWARD },
 	{ "forwarders",			L_FORWARDERS },
-	{ "grant", 			L_GRANT },
-	{ "deny", 			L_DENY },
-	{ "subdomain", 			L_SUBDOMAIN },
-	{ "domain", 			L_DOMAIN },
-	{ "self", 			L_SELF },
-	{ "wildcard", 			L_WILDCARD },
+	{ "grant",			L_GRANT },
+	{ "deny",			L_DENY },
+	{ "subdomain",			L_SUBDOMAIN },
+	{ "self",			L_SELF },
+	{ "wildcard",			L_WILDCARD },
 	{ "group",			L_GROUP },
 	{ "has-old-clients",		L_HAS_OLD_CLIENTS },
 	{ "heartbeat-interval",		L_HEARTBEAT },
@@ -4052,24 +4892,31 @@ static struct token keyword_tokens [] = {
 	{ "include",			L_INCLUDE },
 	{ "inet",			L_INET },
 	{ "interface-interval",		L_INTERFACE_INTERVAL },
+	{ "internal",			L_INTERNAL },
 	{ "ixfr-base",			L_FILE_IXFR },
 	{ "ixfr-tmp-file",		L_IXFR_TMP },
 	{ "key",			L_SEC_KEY },
 	{ "keys",			L_KEYS },
+	{ "lame-ttl",			L_LAME_TTL },
 	{ "listen-on",			L_LISTEN_ON },
 	{ "logging",			L_LOGGING },
 	{ "maintain-ixfr-base",		L_MAINTAIN_IXFR_BASE },
 	{ "many-answers",		L_MANY_ANSWERS },
 	{ "master",			L_MASTER },
 	{ "masters",			L_MASTERS },
+	{ "match-clients",		L_MATCH_CLIENTS },
 	{ "max-ixfr-log-size",		L_MAX_LOG_SIZE_IXFR },
+	{ "max-cache-ttl",		L_MAX_CACHE_TTL },
 	{ "max-ncache-ttl",		L_MAX_NCACHE_TTL },
 	{ "max-transfer-time-in",	L_MAX_TRANSFER_TIME_IN },
 	{ "max-transfer-time-out",	L_MAX_TRANSFER_TIME_OUT },
 	{ "max-transfer-idle-in",	L_MAX_TRANSFER_IDLE_IN },
 	{ "max-transfer-idle-out",	L_MAX_TRANSFER_IDLE_OUT },
+	{ "maximal",			L_MAXIMAL },
 	{ "memstatistics-file",		L_MEMSTATS_FILE },
 	{ "multiple-cnames",		L_MULTIPLE_CNAMES },
+	{ "min-roots",			L_MIN_ROOTS },
+	{ "minimal",			L_MINIMAL },
 	{ "name",			L_NAME },
 	{ "named-xfer",			L_NAMED_XFER },
 	{ "no",				L_NO },
@@ -4086,7 +4933,7 @@ static struct token keyword_tokens [] = {
 	{ "print-category",		L_PRINT_CATEGORY },
 	{ "print-severity",		L_PRINT_SEVERITY },
 	{ "print-time",			L_PRINT_TIME },
-        { "provide-ixfr", 		L_PROVIDE_IXFR },
+	{ "provide-ixfr",		L_PROVIDE_IXFR },
 	{ "pubkey",			L_PUBKEY },
 	{ "query-source",		L_QUERY_SOURCE },
 	{ "query-source-v6",		L_QUERY_SOURCE_V6 },
@@ -4098,6 +4945,7 @@ static struct token keyword_tokens [] = {
 	{ "response",			L_RESPONSE },
 	{ "secret",			L_SECRET },
 	{ "server",			L_SERVER },
+	{ "serial-queries",		L_SERIAL_QUERIES },
 	{ "severity",			L_SEVERITY },
 	{ "size",			L_SIZE },
 	{ "slave",			L_SLAVE },
@@ -4119,11 +4967,13 @@ static struct token keyword_tokens [] = {
 	{ "transfers-in",		L_TRANSFERS_IN },
 	{ "transfers-out",		L_TRANSFERS_OUT },
 	{ "transfers-per-ns",		L_TRANSFERS_PER_NS },
+	{ "treat-cr-as-space",		L_TREAT_CR_AS_SPACE },
 	{ "true",			L_TRUE },
 	{ "trusted-keys",		L_TRUSTED_KEYS },
 	{ "type",			L_TYPE },
 	{ "unix",			L_UNIX },
 	{ "unlimited",			L_UNLIMITED },
+	{ "update-policy",		L_UPDATE_POLICY },
 	{ "use-id-pool",		L_USE_ID_POOL },
 	{ "use-ixfr",			L_USE_IXFR },
 	{ "version",			L_VERSION },
@@ -4161,11 +5011,11 @@ init_action(void)
 
 
 /*
- * XXX Need a parameter to specify where error messages should go (syslog, 
- * FILE, /dev/null etc.) Also some way to tell the function to obey logging 
+ * XXX Need a parameter to specify where error messages should go (syslog,
+ * FILE, /dev/null etc.) Also some way to tell the function to obey logging
  * statments as appropriate.
  */
-  
+
 isc_result_t
 dns_c_parse_namedconf(const char *filename, isc_mem_t *mem,
 		      dns_c_ctx_t **configctx, dns_c_cbks_t *cbks)
@@ -4174,7 +5024,7 @@ dns_c_parse_namedconf(const char *filename, isc_mem_t *mem,
 	const char *funcname = "dns_parse_namedconf";
 
 	RUNTIME_CHECK(isc_once_do(&once, init_action) == ISC_R_SUCCESS);
-	
+
 	/* Lock down whole parser. */
 	if (isc_mutex_lock(&yacc_mutex) != ISC_R_SUCCESS) {
 		return (ISC_R_UNEXPECTED);
@@ -4193,7 +5043,7 @@ dns_c_parse_namedconf(const char *filename, isc_mem_t *mem,
 	if (getenv("DEBUG_LEXER") != NULL) { /* XXX debug */
 		debug_lexer++;
 	}
-#endif	
+#endif
 
 	specials['{'] = 1;
 	specials['}'] = 1;
@@ -4207,7 +5057,7 @@ dns_c_parse_namedconf(const char *filename, isc_mem_t *mem,
 
 
 	/*
-	 * This memory context is only used by the lexer routines (and must 
+	 * This memory context is only used by the lexer routines (and must
 	 * stay that way). Any memory that must live past the return of
 	 * yyparse() must be allocated via the 'mem' parameter to this
 	 * function.
@@ -4247,37 +5097,38 @@ dns_c_parse_namedconf(const char *filename, isc_mem_t *mem,
 			      funcname);
 		goto done;
 	}
-	
+
 	isc_lex_setspecials(mylexer, specials);
 	isc_lex_setcomments(mylexer, (ISC_LEXCOMMENT_C |
 				      ISC_LEXCOMMENT_CPLUSPLUS |
 				      ISC_LEXCOMMENT_SHELL));
 
-	res = isc_lex_openfile(mylexer, (char *)filename) ; /* remove const */
+	res = isc_lex_openfile(mylexer, (char *)filename); /* remove const */
 	if (res != ISC_R_SUCCESS) {
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_CRITICAL,
-			      "%s: Error opening file %s.",
-			      funcname, filename);
+			      "%s: open: %s", filename,
+			      isc_result_totext(res));
 		goto done;
 	}
 
 	callbacks = cbks;
-	
+
 	if (yyparse() != 0) {
 		res = ISC_R_FAILURE;
 
-		/* Syntax errors in the config file make it very difficult
+		/*
+		 * Syntax errors in the config file make it very difficult
 		 * to clean up memory properly (which causes assertion
 		 * failure when the memory manager is destroyed).
 		 */
-		isc_mem_destroy_check(memctx, ISC_FALSE);
+		isc_mem_setdestroycheck(memctx, ISC_FALSE);
 
-                dns_c_ctx_delete(&currcfg);
-                currcfg = NULL;
-        } else {
-                res = ISC_R_SUCCESS;
-        }
+		dns_c_ctx_delete(&currcfg);
+		currcfg = NULL;
+	} else {
+		res = ISC_R_SUCCESS;
+	}
 
 
  done:
@@ -4294,7 +5145,7 @@ dns_c_parse_namedconf(const char *filename, isc_mem_t *mem,
 			dns_c_ctx_delete(&currcfg);
 		}
 	}
-	
+
 	*configctx = currcfg;
 
 	callbacks = NULL;
@@ -4479,7 +5330,7 @@ static char *
 token_to_keyword(int token)
 {
 	int i;
-	
+
 	for (i = 0 ; keyword_tokens[i].token != NULL ; i++) {
 		if (keyword_tokens[i].yaccval == token) {
 			break;
@@ -4488,27 +5339,27 @@ token_to_keyword(int token)
 
 	return (keyword_tokens[i].token);
 }
-	
+
 
 
 static void
 parser_complain(isc_boolean_t is_warning, isc_boolean_t print_last_token,
 		const char *format, va_list args)
 {
-        static char where[ISC_DIR_PATHMAX + 100];
-        static char message[2048];
+	static char where[ISC_DIR_PATHMAX + 100];
+	static char message[2048];
 	int level = ISC_LOG_ERROR;
-        const char *filename = isc_lex_getsourcename(mylexer);
-        int lineno = isc_lex_getsourceline(mylexer);
-
-        /*
-         * We can't get a trace of the include files we may be nested in
-         * (lex.c has the structures hidden). So we only report the current
-         * file.
-         */
-        if (filename == NULL) {
-                filename = "(none)";
-        }
+	const char *filename = isc_lex_getsourcename(mylexer);
+	int lineno = isc_lex_getsourceline(mylexer);
+
+	/*
+	 * We can't get a trace of the include files we may be nested in
+	 * (lex.c has the structures hidden). So we only report the current
+	 * file.
+	 */
+	if (filename == NULL) {
+		filename = "(none)";
+	}
 
 	if (is_warning) {
 		level = ISC_LOG_WARNING;
@@ -4523,17 +5374,17 @@ parser_complain(isc_boolean_t is_warning, isc_boolean_t print_last_token,
 		if (dns_lctx != NULL) {
 			isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
 				       DNS_LOGMODULE_CONFIG, level,
-				       "%s%s near `%s'", where, message,
+				      "%s%s near '%s'", where, message,
 				       token_to_text(lasttoken, lastyylval));
 		} else {
-			fprintf(stderr, "%s%s near `%s'\n", where, message,
+			fprintf(stderr, "%s%s near '%s'\n", where, message,
 				token_to_text(lasttoken, lastyylval));
 		}
 	} else {
 		if (dns_lctx != NULL) {
 			isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
 				       DNS_LOGMODULE_CONFIG, level,
-				       "%s%s", where, message);
+				      "%s%s", where, message);
 		} else {
 			fprintf(stderr, "%s%s\n", where, message);
 		}
@@ -4747,7 +5598,7 @@ unit_to_uint32(char *in, isc_uint32_t *out) {
 	for (; (c = *in) != '\0'; in++) {
 		if (units_done)
 			return (ISC_FALSE);
-		if (isdigit(c)) {
+		if (isdigit((unsigned char)c)) {
 			result *= 10;
 			result += (c - '0');
 		} else {
@@ -4829,9 +5680,70 @@ is_ip4addr(const char *string, struct in_addr *addr)
 	} else {
 		return (ISC_FALSE);
 	}
-	
+
 	if (inet_pton(AF_INET, addrbuf, addr) != 1) {
 		return ISC_FALSE;
 	}
 	return ISC_TRUE;
 }
+
+
+
+static dns_peerlist_t *
+currentpeerlist(dns_c_ctx_t *cfg, isc_boolean_t createIfNeeded)
+{
+	dns_peerlist_t *peers = NULL;
+	dns_c_view_t *view = NULL;
+	isc_result_t result;
+
+	view = dns_c_ctx_getcurrview(cfg);
+
+	if (view == NULL) {
+		result = dns_c_ctx_getpeerlist(cfg, &peers);
+	} else {
+		result = dns_c_view_getpeerlist(view, &peers);
+	}
+
+	if (result == ISC_R_NOTFOUND && createIfNeeded) {
+		result = dns_peerlist_new(currcfg->mem, &peers);
+		if (tmpres != ISC_R_SUCCESS) {
+			parser_error(ISC_FALSE, "failed to create peer list");
+			return NULL;
+		}
+
+		if (view == NULL) {
+			dns_c_ctx_setpeerlist(currcfg, peers);
+		} else {
+			dns_c_view_setpeerlist(view, peers);
+		}
+	} else if (result == ISC_R_NOTFOUND) {
+		/* nothing */
+	} else if (result != ISC_R_SUCCESS) {
+		REQUIRE(result == ISC_R_SUCCESS);
+	}
+
+	return peers;
+}
+
+
+
+static isc_boolean_t
+keydefinedinscope(dns_c_ctx_t *cfg, const char *name)
+{
+	dns_c_view_t *view = dns_c_ctx_getcurrview(cfg);
+	isc_boolean_t rval = ISC_FALSE;
+
+	if (view != NULL) {
+		rval = dns_c_view_keydefinedp(view, name);
+	}
+
+	if (!rval) {
+		rval = dns_c_ctx_keydefinedp(cfg, name);
+	}
+
+	return (rval);
+}
+
+
+
+
diff --git a/lib/dns/config/confpvt.h b/lib/dns/config/confpvt.h
index 402054d2..3c9463cd 100644
--- a/lib/dns/config/confpvt.h
+++ b/lib/dns/config/confpvt.h
@@ -15,13 +15,15 @@
  * SOFTWARE.
  */
 
-#ifndef DNS_CONFIG_CONFPVT_H
-#define DNS_CONFIG_CONFPVT_H 1
+#ifndef CONFIG_CONFPVT_H
+#define CONFIG_CONFPVT_H 1
 
 /*****
  ***** Module Info
  *****/
 
+#include <isc/boolean.h>
+
 /*
  * Some private definitions for config module internal use.
  */
@@ -36,6 +38,7 @@
 #define DNS_C_CLEARBIT(bit, flags) \
      (*(flags) &= ~((dns_c_setbits_t)1 << (bit)))
 #define DNS_C_CHECKBIT(bit,flags) \
-     ISC_TF((*(flags) & ((dns_c_setbits_t)1 << (bit))) == ((dns_c_setbits_t)1 << (bit)))
+     ISC_TF((*(flags) & ((dns_c_setbits_t)1 << (bit))) == \
+	    ((dns_c_setbits_t)1 << (bit)))
 
-#endif
+#endif /* CONFIG_CONFPVT_H */
diff --git a/lib/dns/config/confresolv.c b/lib/dns/config/confresolv.c
index fff0609d..dc31e67b 100644
--- a/lib/dns/config/confresolv.c
+++ b/lib/dns/config/confresolv.c
@@ -15,18 +15,20 @@
  * SOFTWARE.
  */
 
+/* $Id: confresolv.c,v 1.7 2000/05/08 14:35:34 tale Exp $ */
+
 #include <config.h>
 
-#include <dns/confresolv.h>
-#include <dns/result.h>
+#include <isc/util.h>
 
+#include <dns/confresolv.h>
 
 #include "confpvt.h"
 
 isc_result_t
-dns_c_resolv_new(isc_mem_t *mem, dns_c_resolv_t **cfgres)
-{
-	(void) mem; (void) cfgres;
+dns_c_resolv_new(isc_mem_t *mem, dns_c_resolv_t **cfgres) {
+	UNUSED(mem);
+	UNUSED(cfgres);
 	
 	/* XXX nothing yet */
 
@@ -35,9 +37,9 @@ dns_c_resolv_new(isc_mem_t *mem, dns_c_resolv_t **cfgres)
 
 
 isc_result_t
-dns_c_resolv_delete(dns_c_resolv_t **cfgres)
-{
-	(void) cfgres;
+dns_c_resolv_delete(dns_c_resolv_t **cfgres) {
+	UNUSED(cfgres);
+
 	/* XXX nothin yet */
 
 	return (ISC_R_SUCCESS);
diff --git a/lib/dns/config/confrrset.c b/lib/dns/config/confrrset.c
index 177ab77d..3746892c 100644
--- a/lib/dns/config/confrrset.c
+++ b/lib/dns/config/confrrset.c
@@ -15,18 +15,17 @@
  * SOFTWARE.
  */
 
+/* $Id: confrrset.c,v 1.13 2000/05/08 14:35:35 tale Exp $ */
+
 #include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/util.h>
 
 #include <dns/confrrset.h>
-#include <dns/confcommon.h>
-
 
 isc_result_t
-dns_c_rrsolist_clear(dns_c_rrsolist_t *olist)
-{
+dns_c_rrsolist_clear(dns_c_rrsolist_t *olist) {
 	dns_c_rrso_t *elem;
 	
 	REQUIRE(DNS_C_RRSOLIST_VALID(olist));
@@ -41,11 +40,8 @@ dns_c_rrsolist_clear(dns_c_rrsolist_t *olist)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_rrsolist_append(dns_c_rrsolist_t *dest,
-		      dns_c_rrsolist_t *src)
-{
+dns_c_rrsolist_append(dns_c_rrsolist_t *dest, dns_c_rrsolist_t *src) {
 	dns_c_rrso_t *oldelem;
 	dns_c_rrso_t *newelem;
 	isc_result_t res;
@@ -67,10 +63,8 @@ dns_c_rrsolist_append(dns_c_rrsolist_t *dest,
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_rrsolist_new(isc_mem_t *mem, dns_c_rrsolist_t **rval)
-{
+dns_c_rrsolist_new(isc_mem_t *mem, dns_c_rrsolist_t **rval) {
 	dns_c_rrsolist_t *ro;
 
 	ro = isc_mem_get(mem, sizeof *ro);
@@ -87,7 +81,6 @@ dns_c_rrsolist_new(isc_mem_t *mem, dns_c_rrsolist_t **rval)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
 dns_c_rrso_new(isc_mem_t *mem, dns_c_rrso_t **res,
 	       dns_rdataclass_t oclass,
@@ -126,10 +119,8 @@ dns_c_rrso_new(isc_mem_t *mem, dns_c_rrso_t **res,
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_rrsolist_delete(dns_c_rrsolist_t **list)
-{
+dns_c_rrsolist_delete(dns_c_rrsolist_t **list) {
 	dns_c_rrso_t *elem, *q;
 	dns_c_rrsolist_t *l;
 	isc_result_t r;
@@ -159,10 +150,8 @@ dns_c_rrsolist_delete(dns_c_rrsolist_t **list)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_rrso_delete(dns_c_rrso_t **order)
-{
+dns_c_rrso_delete(dns_c_rrso_t **order) {
 	dns_c_rrso_t *oldo;
 
 	REQUIRE(order != NULL);
@@ -181,11 +170,8 @@ dns_c_rrso_delete(dns_c_rrso_t **order)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_rrso_copy(isc_mem_t *mem, dns_c_rrso_t **dest,
-		dns_c_rrso_t *source)
-{
+dns_c_rrso_copy(isc_mem_t *mem, dns_c_rrso_t **dest, dns_c_rrso_t *source) {
 	dns_c_rrso_t *newo;
 	isc_result_t res;
 
@@ -204,7 +190,6 @@ dns_c_rrso_copy(isc_mem_t *mem, dns_c_rrso_t **dest,
 	return (res);
 }
 
-
 isc_result_t
 dns_c_rrsolist_copy(isc_mem_t *mem, dns_c_rrsolist_t **dest,
 		    dns_c_rrsolist_t *source)
@@ -219,14 +204,14 @@ dns_c_rrsolist_copy(isc_mem_t *mem, dns_c_rrsolist_t **dest,
 	REQUIRE(dest != NULL);
 	
 	res = dns_c_rrsolist_new(mem, &nlist);
-	if (res != DNS_R_SUCCESS) {
+	if (res != ISC_R_SUCCESS) {
 		return (res);
 	}
 	
 	elem = ISC_LIST_HEAD(source->elements);
 	while (elem != NULL) {
 		res = dns_c_rrso_copy(mem, &newe, elem);
-		if (res != DNS_R_SUCCESS) {
+		if (res != ISC_R_SUCCESS) {
 			dns_c_rrsolist_delete(&nlist);
 			return (res);
 		}
@@ -241,11 +226,8 @@ dns_c_rrsolist_copy(isc_mem_t *mem, dns_c_rrsolist_t **dest,
 	return (ISC_R_SUCCESS);
 }
 
-
 void
-dns_c_rrsolist_print(FILE *fp, int indent,
-		     dns_c_rrsolist_t *rrlist)
-{
+dns_c_rrsolist_print(FILE *fp, int indent, dns_c_rrsolist_t *rrlist) {
 	dns_c_rrso_t *or;
 
 	REQUIRE(DNS_C_RRSOLIST_VALID(rrlist));
@@ -268,10 +250,8 @@ dns_c_rrsolist_print(FILE *fp, int indent,
 	
 }
 
-
 void
-dns_c_rrso_print(FILE *fp, int indent, dns_c_rrso_t *order)
-{
+dns_c_rrso_print(FILE *fp, int indent, dns_c_rrso_t *order) {
 	REQUIRE(DNS_C_RRSO_VALID(order));
 	
 	dns_c_printtabs(fp, indent);
diff --git a/lib/dns/config/confserv.c b/lib/dns/config/confserv.c
deleted file mode 100644
index b689a4a3..00000000
--- a/lib/dns/config/confserv.c
+++ /dev/null
@@ -1,417 +0,0 @@
-#if 0 /* XXX FILE IS GONE. */
-
-/*
- * Copyright (C) 1999, 2000  Internet Software Consortium.
- * 
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- * 
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-#include <config.h>
-
-#include <sys/types.h>	/* XXXRTH */
-
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isc/magic.h>
-#include <isc/net.h>
-
-#include <dns/confserv.h>
-#include <dns/confcommon.h>
-#include "confpvt.h"
-
-
-/*
- * Bit positions in the dns_c_srv_t structure flags field
- */
-#define BOGUS_BIT			0
-#define SERVER_TRANSFER_FORMAT_BIT	1
-#define TRANSFERS_BIT			2
-#define SUPPORT_IXFR_BIT		3
-
-isc_result_t
-dns_c_srvlist_new(isc_mem_t *mem, dns_c_srvlist_t **list)
-{
-	dns_c_srvlist_t *l;
-
-	REQUIRE(list != NULL);
-
-	l = isc_mem_get(mem, sizeof *l);
-	if (l == NULL) {
-		return (ISC_R_NOMEMORY);
-	}
-	
-	ISC_LIST_INIT(l->elements);
-	l->mem = mem;
-	l->magic = DNS_C_SRVLIST_MAGIC;
-
-	*list = l;
-
-	return (ISC_R_SUCCESS);
-}
-
-
-isc_result_t
-dns_c_srvlist_delete(dns_c_srvlist_t **list)
-{
-	dns_c_srvlist_t *l;
-	dns_c_srv_t *server, *stmp;
-	isc_result_t r;
-	
-	REQUIRE(list != NULL);
-	REQUIRE(DNS_C_SRVLIST_VALID(*list));
-
-	l = *list;
-
-	server = ISC_LIST_HEAD(l->elements);
-	while (server != NULL) {
-		stmp = ISC_LIST_NEXT(server, next);
-		ISC_LIST_UNLINK(l->elements, server, next);
-		r = dns_c_srv_delete(&server);
-		if (r != ISC_R_SUCCESS) {
-			return (r);
-		}
-		
-		server = stmp;
-	}
-
-	l->magic = 0;
-	isc_mem_put(l->mem, l, sizeof *l);
-
-	*list = NULL;
-
-	return (ISC_R_SUCCESS);
-}
-
-
-void
-dns_c_srvlist_print(FILE *fp, int indent,
-		    dns_c_srvlist_t *servers)
-{
-	dns_c_srv_t *server;
-	
-	REQUIRE(fp != NULL);
-	REQUIRE(DNS_C_SRVLIST_VALID(servers));
-
-	server = ISC_LIST_HEAD(servers->elements);
-	while (server != NULL) {
-		dns_c_srv_print(fp, indent, server);
-		server = ISC_LIST_NEXT(server, next);
-		if (server != NULL) {
-			fprintf(fp, "\n");
-		}
-	}
-
-	return;
-}
-
-
-isc_result_t
-dns_c_srvlist_servbyaddr(dns_c_srvlist_t *servers,
-			 isc_sockaddr_t addr, dns_c_srv_t **retval)
-{
-	dns_c_srv_t *server;
-	isc_result_t res;
-
-	REQUIRE(retval != NULL);
-	REQUIRE(DNS_C_SRVLIST_VALID(servers));
-
-	server = ISC_LIST_HEAD(servers->elements);
-	while (server != NULL) {
-		if (isc_sockaddr_eqaddr(&addr, &server->address)) {
-			break;
-		}
-		
-		server = ISC_LIST_NEXT(server, next);
-	}
-
-	if (server != NULL) {
-		*retval = server;
-		res = ISC_R_SUCCESS;
-	} else {
-		res = ISC_R_NOTFOUND;
-	}
-
-	return (res);
-}
-
-
-
-
-isc_result_t
-dns_c_srv_new(isc_mem_t *mem, isc_sockaddr_t addr,
-	      dns_c_srv_t **server)
-{
-	dns_c_srv_t *serv;
-
-	REQUIRE(server != NULL);
-
-	serv = isc_mem_get(mem, sizeof *serv);
-	if (serv == NULL) {
-		return (ISC_R_NOMEMORY);
-	}
-
-	serv->magic = DNS_C_SRV_MAGIC;
-	serv->address = addr;
-	serv->mem = mem;
-	serv->bogus = ISC_FALSE;
-	serv->transfer_format = dns_one_answer;
-	serv->transfers = 0;
-	serv->support_ixfr = ISC_FALSE;
-	serv->keys = NULL;
-
-	memset(&serv->bitflags, 0x0, sizeof serv->bitflags);
-	
-	ISC_LINK_INIT(serv, next);
-
-	*server = serv;
-	
-	return (ISC_R_SUCCESS);
-}
-
-
-isc_result_t
-dns_c_srv_delete(dns_c_srv_t **server)
-{
-	dns_c_srv_t *serv;
-	isc_mem_t *mem;
-	
-	REQUIRE(server != NULL);
-	REQUIRE(DNS_C_SRV_VALID(*server));
-
-	serv = *server;
-
-	mem = serv->mem;
-	serv->mem = NULL;
-	serv->magic = 0;
-
-	if (serv->keys != NULL)
-		dns_c_kidlist_delete(&serv->keys);
-
-	isc_mem_put(mem, serv, sizeof *serv);
-
-	*server = NULL;
-
-	return (ISC_R_SUCCESS);
-}
-
-
-void
-dns_c_srv_print(FILE *fp, int indent, dns_c_srv_t *server)
-{
-	REQUIRE(DNS_C_SRV_VALID(server));
-	REQUIRE(fp != NULL);
-
-	dns_c_printtabs(fp, indent);
-	fprintf(fp, "server ");
-	dns_c_print_ipaddr(fp, &server->address);
-	fprintf(fp, " {\n");
-
-	if (DNS_C_CHECKBIT(BOGUS_BIT, &server->bitflags)) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "bogus %s;\n",
-			(server->bogus ? "true" : "false"));
-	}
-
-	if (DNS_C_CHECKBIT(SERVER_TRANSFER_FORMAT_BIT, &server->bitflags)) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "transfer-format %s;\n",
-			dns_c_transformat2string(server->transfer_format,
-						 ISC_TRUE));
-	}
-
-	if (DNS_C_CHECKBIT(TRANSFERS_BIT, &server->bitflags)) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "transfers %d;\n", server->transfers);
-	}
-
-	if (DNS_C_CHECKBIT(SUPPORT_IXFR_BIT,&server->bitflags)) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "support-ixfr %s;\n",
-			(server->support_ixfr ? "true" : "false"));
-	}
-
-	if (server->keys != NULL) {
-		dns_c_kidlist_print(fp, indent + 1, server->keys);
-	}
-
-	dns_c_printtabs(fp, indent);
-	fprintf(fp, "};\n");
-}
-
-
-isc_result_t
-dns_c_srv_setbogus(dns_c_srv_t *server, isc_boolean_t newval)
-{
-	isc_boolean_t existed;
-		
-	REQUIRE(DNS_C_SRV_VALID(server));
-
-	existed = DNS_C_CHECKBIT(BOGUS_BIT, &server->bitflags);
-	
-	server->bogus = newval;
-	DNS_C_SETBIT(BOGUS_BIT, &server->bitflags);
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-
-isc_result_t
-dns_c_srv_getbogus(dns_c_srv_t *server,
-		   isc_boolean_t *retval)
-{
-	REQUIRE(DNS_C_SRV_VALID(server));
-	REQUIRE(retval != NULL);
-
-	if (DNS_C_CHECKBIT(BOGUS_BIT, &server->bitflags)) {
-		*retval = server->bogus;
-		return (ISC_R_SUCCESS);
-	} else {
-		return (ISC_R_NOTFOUND);
-	}
-}
-
-
-isc_result_t
-dns_c_srv_setsupportixfr(dns_c_srv_t *server,
-			 isc_boolean_t newval)
-{
-	isc_boolean_t existed;
-
-	REQUIRE(DNS_C_SRV_VALID(server));
-
-	existed = DNS_C_CHECKBIT(SUPPORT_IXFR_BIT, &server->bitflags);
-	
-	server->support_ixfr = newval;
-	DNS_C_SETBIT(SUPPORT_IXFR_BIT, &server->bitflags);
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-
-isc_result_t
-dns_c_srv_getsupportixfr(dns_c_srv_t *server,
-			 isc_boolean_t *retval)
-{
-	REQUIRE(DNS_C_SRV_VALID(server));
-	REQUIRE(retval != NULL);
-
-	if (DNS_C_CHECKBIT(SUPPORT_IXFR_BIT, &server->bitflags)) {
-		*retval = server->support_ixfr;
-		return (ISC_R_SUCCESS);
-	} else {
-		return (ISC_R_NOTFOUND);
-	}
-}
-
-
-isc_result_t
-dns_c_srv_settransfers(dns_c_srv_t *server,
-		       isc_int32_t newval)
-{
-	isc_boolean_t existed;
-	
-	REQUIRE(DNS_C_SRV_VALID(server));
-
-	existed = DNS_C_CHECKBIT(TRANSFERS_BIT, &server->bitflags);
-
-	server->transfers = newval;
-	DNS_C_SETBIT(TRANSFERS_BIT, &server->bitflags);
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-
-isc_result_t
-dns_c_srv_gettransfers(dns_c_srv_t *server,
-		       isc_int32_t *retval)
-{
-	REQUIRE(DNS_C_SRV_VALID(server));
-	REQUIRE(retval != NULL);
-
-	if (DNS_C_CHECKBIT(TRANSFERS_BIT, &server->bitflags)) {
-		*retval = server->transfers;
-		return (ISC_R_SUCCESS);
-	} else {
-		return (ISC_R_NOTFOUND);
-	}
-}
-
-
-isc_result_t
-dns_c_srv_settransferformat(dns_c_srv_t *server,
-			    dns_transfer_format_t newval)
-{
-	isc_boolean_t existed;
-
-	REQUIRE(DNS_C_SRV_VALID(server));
-
-	existed = DNS_C_CHECKBIT(SERVER_TRANSFER_FORMAT_BIT,
-				 &server->bitflags);
-
-	server->transfer_format = newval;
-	DNS_C_SETBIT(SERVER_TRANSFER_FORMAT_BIT, &server->bitflags);
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-
-isc_result_t
-dns_c_srv_gettransferformat(dns_c_srv_t *server,
-			    dns_transfer_format_t *retval)
-{
-	REQUIRE(DNS_C_SRV_VALID(server));
-	REQUIRE(retval != NULL);
-	
-	if (DNS_C_CHECKBIT(SERVER_TRANSFER_FORMAT_BIT, &server->bitflags)) {
-		*retval = server->transfer_format;
-		return (ISC_R_SUCCESS);
-	} else {
-		return (ISC_R_NOTFOUND);
-	}
-}
-
-
-isc_result_t
-dns_c_srv_getkeys(dns_c_srv_t *server, dns_c_kidlist_t **retval)
-{
-	REQUIRE(DNS_C_SRV_VALID(server));
-	REQUIRE(retval != NULL);
-	
-	*retval = server->keys;
-
-	return (server->keys == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
-}
-
-
-isc_result_t
-dns_c_srv_setkeys(dns_c_srv_t *server, dns_c_kidlist_t *newval)
-{
-	isc_boolean_t existed = ISC_FALSE;
-	
-	REQUIRE(DNS_C_SRV_VALID(server));
-	REQUIRE(DNS_C_KEYIDLIST_VALID(newval));
-	
-	if (server->keys != NULL) {
-		dns_c_kidlist_delete(&server->keys);
-		existed = ISC_TRUE;
-	}
-	
-	server->keys = newval;
-
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-
-#endif
diff --git a/lib/dns/config/confview.c b/lib/dns/config/confview.c
index e973cedf..bd2993a4 100644
--- a/lib/dns/config/confview.c
+++ b/lib/dns/config/confview.c
@@ -15,56 +15,161 @@
  * SOFTWARE.
  */
 
-#include <config.h>
+/* $Id: confview.c,v 1.28 2000/05/15 12:36:26 brister Exp $ */
 
-#include <sys/types.h>
+#include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/magic.h>
-#include <isc/net.h>
+#include <isc/mem.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/util.h>
 
-#include <dns/confacl.h>
-#include <dns/confzone.h>
-#include <dns/confcommon.h>
 #include <dns/confview.h>
-#include <dns/confzone.h>
 #include <dns/log.h>
+#include <dns/peer.h>
 
 #include "confpvt.h"
 
-#define CHECKNAME_PRIM_BIT                       1
-#define CHECKNAME_SEC_BIT                        2
-#define CHECKNAME_RESP_BIT                       3
-#define MULTIPLE_CNAMES_BIT                      4
-#define DIALUP_BIT                               5
-#define FETCH_GLUE_BIT                           6
-#define HAS_OLD_CLIENTS_BIT                      7
-#define HOST_STATISTICS_BIT                      8
-#define MAINTAIN_IXFR_BASE_BIT                   9
-#define NOTIFY_BIT                               11
-#define RECURSION_BIT                            12
-#define RFC2308_TYPE1_BIT                        13
-#define USE_ID_POOL_BIT                          14
-#define FAKE_IQUERY_BIT                          15
-#define USE_IXFR_BIT                             16
-#define TCP_CLIENTS_BIT                          17
-#define RECURSIVE_CLIENTS_BIT                    18
-#define CLEAN_INTERVAL_BIT                       19
-#define MAX_LOG_SIZE_IXFR_BIT                    20
-#define MAX_NCACHE_TTL_BIT                       21
-#define MAX_TRANSFER_TIME_IN_BIT                 22
-#define MAX_TRANSFER_TIME_OUT_BIT                23
-#define MAX_TRANSFER_IDLE_IN_BIT                 24
-#define MAX_TRANSFER_IDLE_OUT_BIT                25
-#define STATS_INTERVAL_BIT                       26
-#define TRANSFERS_IN_BIT                         27
-#define TRANSFERS_OUT_BIT                        28
-#define TRANSFERS_PER_NS_BIT                     29
-#define TRANSFER_FORMAT_BIT			 30
+/*
+** Due to the repetive nature of the fields in a view
+** we have here a collection of macros to used in defining
+** accessor/modifier functions for most of the fields in a view.
+** Three functions are created: set, get and unset.
+**
+** In all the macros FUNC is a character sequence that is used in
+** constructing the final function name. FIELD is the field in the view.
+ */
+
+#define SETBOOL(FUNC, FIELD) SETBYTYPE(isc_boolean_t, FUNC, FIELD)
+#define GETBOOL(FUNC, FIELD) GETBYTYPE(isc_boolean_t, FUNC, FIELD)
+#define UNSETBOOL(FUNC, FIELD) UNSETBYTYPE(isc_boolean_t, FUNC, FIELD)
+
+#define SETINT32(FUNC, FIELD) SETBYTYPE(isc_int32_t, FUNC, FIELD)
+#define GETINT32(FUNC, FIELD) GETBYTYPE(isc_int32_t, FUNC, FIELD)
+#define UNSETINT32(FUNC, FIELD) UNSETBYTYPE(isc_int32_t, FUNC, FIELD)
+
+#define SETSOCKADDR(FUNC, FIELD) SETBYTYPE(isc_sockaddr_t, FUNC, FIELD)
+#define GETSOCKADDR(FUNC, FIELD) GETBYTYPE(isc_sockaddr_t, FUNC, FIELD)
+#define UNSETSOCKADDR(FUNC, FIELD) UNSETBYTYPE(isc_sockaddr_t, FUNC, FIELD)
+
+#ifdef PVT_CONCAT
+#undef PVT_CONCAT
+#endif
+
+#define PVT_CONCAT(x,y) x ## y
+
+/*
+** The SET, GET and UNSETBYTYPE macros are all used whene the field in the
+** view is a pointer to a fundamental type that requires no special copying,
+** such as integers or booleans.
+*/
+
+#define SETBYTYPE(TYPE, FUNCNAME, FIELDNAME)				    \
+isc_result_t								    \
+PVT_CONCAT(dns_c_view_set, FUNCNAME)(dns_c_view_t *view, TYPE newval) {	    \
+	isc_boolean_t existed = ISC_FALSE;				    \
+									    \
+	REQUIRE(DNS_C_VIEW_VALID(view));				    \
+									    \
+	if (view->FIELDNAME == NULL) {					    \
+		view->FIELDNAME = isc_mem_get(view->mem, sizeof (TYPE));    \
+		if (view->FIELDNAME == NULL) {				    \
+			return (ISC_R_NOMEMORY);			    \
+		}							    \
+	} else {							    \
+		existed = ISC_TRUE;					    \
+	}								    \
+									    \
+	*view->FIELDNAME = newval;					    \
+									    \
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);		    \
+}
+
+#define GETBYTYPE(TYPE, FUNCNAME, FIELDNAME)				\
+isc_result_t								\
+PVT_CONCAT(dns_c_view_get, FUNCNAME)(dns_c_view_t *view, TYPE *retval) {\
+	REQUIRE(DNS_C_VIEW_VALID(view));				\
+	REQUIRE(retval != NULL);					\
+									\
+	if (view->FIELDNAME == NULL) {					\
+		return (ISC_R_NOTFOUND);				\
+	} else {							\
+		*retval = *view->FIELDNAME;				\
+		return (ISC_R_SUCCESS);					\
+	}								\
+}
+
+#define UNSETBYTYPE(TYPE, FUNCNAME, FIELDNAME)			\
+isc_result_t							\
+PVT_CONCAT(dns_c_view_unset, FUNCNAME)(dns_c_view_t *view) {	\
+	REQUIRE(DNS_C_VIEW_VALID(view));			\
+								\
+	if (view->FIELDNAME == NULL) {				\
+		return (ISC_R_NOTFOUND);			\
+	} else {						\
+		isc_mem_put(view->mem, view->FIELDNAME,		\
+			    sizeof (view->FIELDNAME));		\
+		view->FIELDNAME = NULL;				\
+								\
+		return (ISC_R_SUCCESS);				\
+	}							\
+}
+
+/*
+** Now SET, GET and UNSET for dns_c_ipmatchlist_t fields
+*/
+
+#define SETIPMLIST(FUNCNAME, FIELDNAME)					\
+isc_result_t								\
+PVT_CONCAT(dns_c_view_set, FUNCNAME)(dns_c_view_t *view,		\
+				     dns_c_ipmatchlist_t *newval)	\
+{									\
+	REQUIRE(DNS_C_VIEW_VALID(view));				\
+	REQUIRE(DNS_C_IPMLIST_VALID(newval));				\
+									\
+	if (view->FIELDNAME != NULL) {					\
+		dns_c_ipmatchlist_detach(&view->FIELDNAME);		\
+	}								\
+									\
+	dns_c_ipmatchlist_attach(newval, &view->FIELDNAME);		\
+	return (ISC_R_SUCCESS);						\
+}
+
+
+
+#define UNSETIPMLIST(FUNCNAME, FIELDNAME)			\
+isc_result_t							\
+PVT_CONCAT(dns_c_view_unset, FUNCNAME)(dns_c_view_t *view) {	\
+	REQUIRE(DNS_C_VIEW_VALID(view));			\
+								\
+	if (view->FIELDNAME != NULL) {				\
+		dns_c_ipmatchlist_detach(&view->FIELDNAME);	\
+		return (ISC_R_SUCCESS);				\
+	} else {						\
+		return (ISC_R_NOTFOUND);			\
+	}							\
+}
+	
+
+#define GETIPMLIST(FUNCNAME, FIELDNAME)					\
+isc_result_t								\
+PVT_CONCAT(dns_c_view_get, FUNCNAME)(dns_c_view_t *view,		\
+				     dns_c_ipmatchlist_t **retval)	\
+{									\
+	REQUIRE(DNS_C_VIEW_VALID(view));				\
+	REQUIRE(retval != NULL);					\
+									\
+	*retval = NULL;							\
+									\
+	if (view->FIELDNAME != NULL) {					\
+		dns_c_ipmatchlist_attach(view->FIELDNAME, retval);	\
+		return (ISC_R_SUCCESS);					\
+	} else {							\
+		return (ISC_R_NOTFOUND);				\
+	}								\
+}
 
 isc_result_t
-dns_c_viewtable_new(isc_mem_t *mem, dns_c_viewtable_t **viewtable)
-{
+dns_c_viewtable_new(isc_mem_t *mem, dns_c_viewtable_t **viewtable) {
 	dns_c_viewtable_t *table;
 	
 	REQUIRE(viewtable != NULL);
@@ -89,8 +194,7 @@ dns_c_viewtable_new(isc_mem_t *mem, dns_c_viewtable_t **viewtable)
 
 
 isc_result_t
-dns_c_viewtable_delete(dns_c_viewtable_t **viewtable)
-{
+dns_c_viewtable_delete(dns_c_viewtable_t **viewtable) {
 	dns_c_viewtable_t *table;
 	
 	REQUIRE(viewtable != NULL);
@@ -108,9 +212,29 @@ dns_c_viewtable_delete(dns_c_viewtable_t **viewtable)
 }
 
 
+
 void
-dns_c_viewtable_addview(dns_c_viewtable_t *viewtable, dns_c_view_t *view)
+dns_c_viewtable_print(FILE *fp, int indent,
+		      dns_c_viewtable_t *table)
 {
+	dns_c_view_t *view;
+
+	REQUIRE(fp != NULL);
+	REQUIRE(indent >= 0);
+	REQUIRE(DNS_C_VIEWTABLE_VALID(table));
+
+	view = ISC_LIST_HEAD(table->views);
+	while (view != NULL) {
+		dns_c_view_print(fp, indent, view);
+		fprintf(fp, "\n");
+
+		view  = ISC_LIST_NEXT(view, next);
+	}
+}
+
+
+void
+dns_c_viewtable_addview(dns_c_viewtable_t *viewtable, dns_c_view_t *view) {
 	REQUIRE(DNS_C_VIEWTABLE_VALID(viewtable));
 	REQUIRE(DNS_C_VIEW_VALID(view));
 	
@@ -120,8 +244,7 @@ dns_c_viewtable_addview(dns_c_viewtable_t *viewtable, dns_c_view_t *view)
 
 
 void
-dns_c_viewtable_rmview(dns_c_viewtable_t *viewtable, dns_c_view_t *view)
-{
+dns_c_viewtable_rmview(dns_c_viewtable_t *viewtable, dns_c_view_t *view) {
 	REQUIRE(DNS_C_VIEWTABLE_VALID(viewtable));
 	REQUIRE(DNS_C_VIEW_VALID(view));
 	
@@ -131,8 +254,7 @@ dns_c_viewtable_rmview(dns_c_viewtable_t *viewtable, dns_c_view_t *view)
 
 
 isc_result_t
-dns_c_viewtable_clear(dns_c_viewtable_t *table)
-{
+dns_c_viewtable_clear(dns_c_viewtable_t *table) {
 	dns_c_view_t *elem;
 	dns_c_view_t *tmpelem;
 	isc_result_t r;
@@ -210,13 +332,93 @@ dns_c_viewtable_rmviewbyname(dns_c_viewtable_t *viewtable,
 }
 
 	
+isc_result_t
+dns_c_viewtable_checkviews(dns_c_viewtable_t *viewtable) {
+	dns_c_view_t *elem;
+	isc_boolean_t bbval;
+	isc_int32_t bival;
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_c_rrsolist_t *boval;
+	
+	REQUIRE(DNS_C_VIEWTABLE_VALID(viewtable));
+
+	elem = ISC_LIST_HEAD(viewtable->views);
+	while (elem != NULL) {
+		if (dns_c_view_getfetchglue(elem, &bbval) != ISC_R_NOTFOUND)
+			isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+				      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+				      "view 'fetch-glue' is not yet "
+				      "implemented.");
+
+
+		if (dns_c_view_getnotify(elem, &bbval) != ISC_R_NOTFOUND)
+			isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+				      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+				      "view 'notify' is not yet "
+				      "implemented.");
+
+
+		if (dns_c_view_getrfc2308type1(elem, &bbval) != ISC_R_NOTFOUND)
+			isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+				      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+				      "view 'rfc2308-type1' is not yet "
+				      "implemented.");
+
+		if (dns_c_view_getrfc2308type1(elem, &bbval) != ISC_R_NOTFOUND)
+			isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+				      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+				      "view 'rfc2308-type1' is not yet "
+				      "implemented.");
+
+		if (dns_c_view_getmaxncachettl(elem, &bival) != ISC_R_NOTFOUND)
+			isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+				      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+				      "view 'max-ncache-ttl' is not yet "
+				      "implemented.");
+
+		if (dns_c_view_getmaxcachettl(elem, &bival) != ISC_R_NOTFOUND)
+			isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+				      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+				      "view 'max-cache-ttl' is not yet "
+				      "implemented.");
+
+		if (dns_c_view_getlamettl(elem, &bival) != ISC_R_NOTFOUND)
+			isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+				      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+				      "view 'lame-ttl' is not yet "
+				      "implemented.");
+
+		if (dns_c_view_getminroots(elem, &bival) != ISC_R_NOTFOUND)
+			isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+				      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+				      "view 'min-roots' is not yet "
+				      "implemented.");
+
+
+		if (dns_c_view_getordering(elem, &boval) != ISC_R_NOTFOUND)
+			isc_log_write(dns_lctx,DNS_LOGCATEGORY_CONFIG,
+				      DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING,
+				      "view 'rrset-order' is not yet "
+				      "implemented.");
+		
+
+		elem = ISC_LIST_NEXT(elem, next);
+	}
+	
+	return (result);
+}
+
+
+/* ***************************************************************** */
+/* ***************************************************************** */
+/* ***************************************************************** */
+/* ***************************************************************** */
 
 isc_result_t
-dns_c_view_new(isc_mem_t *mem, const char *name, dns_c_view_t **newview)
+dns_c_view_new(isc_mem_t *mem, const char *name, dns_rdataclass_t viewclass,
+	       dns_c_view_t **newview)
 {
 	dns_c_view_t *view;
-	int i;
-	
 
 	REQUIRE(name != NULL);
 	REQUIRE(*name != '\0');
@@ -227,141 +429,152 @@ dns_c_view_new(isc_mem_t *mem, const char *name, dns_c_view_t **newview)
 		return (ISC_R_NOMEMORY);
 	}
 
-	/* XXXJAB not portable -- should set each field */
-	memset(view, 0x0, sizeof *view); 
-
-	memset(&view->setflags, 0x0, sizeof (view->setflags));
-	
 	view->magic = DNS_C_VIEW_MAGIC;
 	view->mem = mem;
+	view->viewclass = viewclass;
 
-	view->allowquery = NULL;
-	view->transferacl = NULL;
-	view->recursionacl = NULL;
-	view->blackhole = NULL;
-	view->sortlist = NULL;
-	view->topology = NULL;
-	view->forwarders = NULL;
-	view->listens = NULL;
-	view->ordering = NULL;
-	
-	for (i = 0 ; i < DNS_C_TRANSCOUNT ; i++) {
-		view->check_names[i] = dns_severity_fail;
-	}
-
-	view->transfer_format = dns_one_answer;
-
-	view->auth_nx_domain = ISC_FALSE;
-	view->dialup = ISC_FALSE;
-	view->fetch_glue = ISC_FALSE;
-	view->has_old_clients = ISC_FALSE;
-	view->host_statistics = ISC_FALSE;
-	view->maintain_ixfr_base = ISC_FALSE;
-	view->multiple_cnames = ISC_FALSE;
-	view->notify = ISC_FALSE;
-	view->recursion = ISC_FALSE;
-	view->rfc2308_type1 = ISC_FALSE;
-	view->use_id_pool = ISC_FALSE;
-	view->fake_iquery = ISC_FALSE;
-	view->use_ixfr = ISC_FALSE;
-
-	view->clean_interval = 0;
-	view->lamettl = 0;		/* XXX not implemented */
-	view->max_log_size_ixfr = 0;
-	view->max_ncache_ttl = 0;
-	view->max_transfer_time_in = 0;
-	view->max_transfer_time_out = 0;
-	view->max_transfer_idle_in = 0;
-	view->max_transfer_idle_out = 0;
-	view->stats_interval = 0;
-	view->transfers_in = 0;
-	view->transfers_out = 0;
-	view->transfers_per_ns = 0;
-
-	view->zonelist = NULL;
 	view->name = isc_mem_strdup(mem, name);
 	if (view->name == NULL) {
 		isc_mem_put(mem, view, sizeof *view);
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_CRITICAL,
 			      "Insufficient memory");
+		return (ISC_R_NOMEMORY);
 	}
 
-	*newview = view;
-
-	return (ISC_R_SUCCESS);
-}
+	view->zonelist = NULL;
 
+	view->forward = NULL;
+	view->forwarders = NULL;
 
-void
-dns_c_viewtable_print(FILE *fp, int indent,
-		      dns_c_viewtable_t *table)
-{
-	dns_c_view_t *view;
+	view->allowquery = NULL;
+	view->allowupdateforwarding = NULL;
+	view->transferacl = NULL;
+	view->recursionacl = NULL;
+	view->sortlist = NULL;
+	view->topology = NULL;
+	view->matchclients = NULL;
 
-	REQUIRE(fp != NULL);
-	REQUIRE(indent >= 0);
-	REQUIRE(DNS_C_VIEWTABLE_VALID(table));
+	view->ordering = NULL;
 
-	view = ISC_LIST_HEAD(table->views);
-	while (view != NULL) {
-		dns_c_view_print(fp, indent, view);
-		fprintf(fp, "\n");
+	view->check_names[dns_trans_primary] = NULL;
+	view->check_names[dns_trans_secondary] = NULL;
+	view->check_names[dns_trans_response] = NULL;
+
+	view->auth_nx_domain = NULL;
+	view->recursion = NULL;
+	view->provide_ixfr = NULL;
+	view->request_ixfr = NULL;
+	view->fetch_glue = NULL;
+	view->notify = NULL;
+	view->rfc2308_type1 = NULL;
+	
+	view->transfer_source = NULL;
+	view->transfer_source_v6 = NULL;
+	view->query_source = NULL;
+	view->query_source_v6 = NULL;
+
+	view->max_transfer_time_out = NULL;
+	view->max_transfer_idle_out = NULL;
+	view->clean_interval = NULL;
+	view->min_roots = NULL;
+	view->lamettl = NULL;
+	view->max_ncache_ttl = NULL;
+	view->max_cache_ttl = NULL;
+
+	view->additional_data = NULL;
+	view->transfer_format = NULL;
+	view->keydefs = NULL;
+	view->peerlist = NULL;
+	
+#if 0
+	view->max_transfer_time_in = NULL;
+	view->max_transfer_idle_in = NULL;
+	view->transfers_per_ns = NULL;
+	view->serial_queries = NULL;
+#endif
+
+	ISC_LINK_INIT(view, next);
+	
+	*newview = view;
 
-		view  = ISC_LIST_NEXT(view, next);
-	}
+	return (ISC_R_SUCCESS);
 }
 
+
 void
-dns_c_view_print(FILE *fp, int indent, dns_c_view_t *view)
-{
+dns_c_view_print(FILE *fp, int indent, dns_c_view_t *view) {
 	dns_severity_t nameseverity;
+	in_port_t port;
 
 	REQUIRE(DNS_C_VIEW_VALID(view));
 	
 	dns_c_printtabs(fp, indent);
-	fprintf(fp, "view \"%s\" {\n", view->name);
+	fprintf(fp, "view \"%s\"", view->name);
 
-	if (view->allowquery != NULL) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "allow-query ");
-		dns_c_ipmatchlist_print(fp, indent + 2,
-					view->allowquery);
-		fprintf(fp, ";\n");
+	if (view->viewclass != dns_rdataclass_in) {
+		fputc(' ', fp);
+		dns_c_dataclass_tostream(fp, view->viewclass);
 	}
 
-	if (view->transferacl != NULL) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "allow-transfer ");
-		dns_c_ipmatchlist_print(fp, indent + 2,
-					view->transferacl);
-		fprintf(fp, ";\n");
+	fprintf(fp, " {\n");
+
+#define PRINT_IPANDPORT(FIELD, NAME)				\
+	if (view->FIELD != NULL) {				\
+		port = isc_sockaddr_getport(view->FIELD);	\
+								\
+		dns_c_printtabs(fp, indent + 1);		\
+		fprintf(fp, NAME " address ");			\
+								\
+		dns_c_print_ipaddr(fp, view->FIELD);		\
+								\
+		if (port == 0) {				\
+			fprintf(fp, " port *");			\
+		} else {					\
+			fprintf(fp, " port %d", port);		\
+		}						\
+		fprintf(fp, " ;\n");				\
 	}
 
-	if (view->recursionacl != NULL) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "allow-recursion ");
-		dns_c_ipmatchlist_print(fp, indent + 2,
-					view->recursionacl);
-		fprintf(fp, ";\n");
+#define	 PRINT_IP(FIELD, NAME)				\
+	if (view->FIELD != NULL) {			\
+		dns_c_printtabs(fp, indent + 1);	\
+		fprintf(fp, NAME " ");			\
+		dns_c_print_ipaddr(fp, view->FIELD);	\
+		fprintf(fp, ";\n");			\
 	}
 
-	if (view->allowupdateforwarding != NULL) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "allow-update-forwarding ");
-		dns_c_ipmatchlist_print(fp, indent + 2,
-					view->allowupdateforwarding);
-		fprintf(fp, ";\n");
+#define PRINT_IPMLIST(FIELD, NAME)				\
+	if (view->FIELD != NULL) {				\
+		dns_c_printtabs(fp, indent + 1);		\
+		fprintf(fp, NAME " ");				\
+		dns_c_ipmatchlist_print(fp, indent + 2,		\
+					view->FIELD);	\
+		fprintf(fp, ";\n");				\
 	}
 
-	if (view->blackhole != NULL) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "blackhole ");
-		dns_c_ipmatchlist_print(fp, indent + 2,
-					view->blackhole);
-		fprintf(fp, ";\n");
+#define PRINT_AS_BOOLEAN(FIELD, NAME)				\
+	if (view->FIELD != NULL) {				\
+		dns_c_printtabs(fp, indent + 1);		\
+		fprintf(fp, "%s %s;\n", NAME,			\
+			(*view->FIELD ? "true" : "false"));	\
+	}
+
+
+#define PRINT_INT32(FIELD, NAME)				\
+	if (view->FIELD != NULL) {				\
+		dns_c_printtabs(fp, indent + 1);		\
+		fprintf(fp, "%s %d;\n",NAME,(int)*view->FIELD);	\
+	}
+		
+#define PRINT_AS_MINUTES(FIELD, NAME)				\
+	if (view->FIELD != NULL) {				\
+		dns_c_printtabs(fp, indent + 1);		\
+		fprintf(fp, "%s %lu;\n",NAME,			\
+			(unsigned long)(*view->FIELD / 60));	\
 	}
 
+	/* XXX print forward field */
 	if (view->forwarders != NULL) {
 		dns_c_printtabs(fp, indent + 1);
 		fprintf(fp, "forwarders ");
@@ -370,492 +583,261 @@ dns_c_view_print(FILE *fp, int indent, dns_c_view_t *view)
 		fprintf(fp, ";\n");
 	}
 
-	if (view->sortlist != NULL) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "sortlist ");
-		dns_c_ipmatchlist_print(fp, indent + 2,
-					view->sortlist);
-		fprintf(fp, ";\n");
-	}
+	PRINT_IPMLIST(allowquery, "allow-query");
+	PRINT_IPMLIST(allowupdateforwarding, "allow-update-forwarding");
+	PRINT_IPMLIST(transferacl, "alllow-transfer");
+	PRINT_IPMLIST(recursionacl, "allow-recursion");
+	PRINT_IPMLIST(sortlist, "sortlist");
+	PRINT_IPMLIST(topology, "topology");
+	PRINT_IPMLIST(matchclients, "match-clients");
 
-	if (view->topology != NULL) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "topology ");
-		dns_c_ipmatchlist_print(fp, indent + 2,
-					view->topology);
-		fprintf(fp, ";\n");
-	}
-
-	if (view->listens != NULL) {
-		dns_c_lstnlist_print(fp, indent + 1, view->listens);
-	}
+	fprintf(fp, "\n");
 
 	if (view->ordering != NULL) {
 		dns_c_rrsolist_print(fp, indent + 1, view->ordering);
 	}
 
-	if (DNS_C_CHECKBIT(CHECKNAME_PRIM_BIT, &view->setflags)) {
-		nameseverity = view->check_names[dns_trans_primary];
+	if (view->check_names[dns_trans_primary] != NULL) {
+		nameseverity = *view->check_names[dns_trans_primary];
 		dns_c_printtabs(fp, indent + 1);
 		fprintf(fp, "check-names %s %s;\n",
-			dns_c_transport2string(dns_trans_primary,
-					       ISC_TRUE),
-			dns_c_nameseverity2string(nameseverity,
-						  ISC_TRUE));
+			dns_c_transport2string(dns_trans_primary, ISC_TRUE),
+			dns_c_nameseverity2string(nameseverity, ISC_TRUE));
 	}
 		
-	if (DNS_C_CHECKBIT(CHECKNAME_SEC_BIT, &view->setflags)) {
-		nameseverity = view->check_names[dns_trans_secondary];
+	if (view->check_names[dns_trans_secondary] != NULL) {
+		nameseverity = *view->check_names[dns_trans_secondary];
 		dns_c_printtabs(fp, indent + 1);
 		fprintf(fp, "check-names %s %s;\n",
-			dns_c_transport2string(dns_trans_secondary,
-					       ISC_TRUE),
-			dns_c_nameseverity2string(nameseverity,
-						  ISC_TRUE));
+			dns_c_transport2string(dns_trans_secondary, ISC_TRUE),
+			dns_c_nameseverity2string(nameseverity, ISC_TRUE));
 	}
 		
-	if (DNS_C_CHECKBIT(CHECKNAME_RESP_BIT, &view->setflags)) {
-		nameseverity = view->check_names[dns_trans_response];
+	if (view->check_names[dns_trans_response] != NULL) {
+		nameseverity = *view->check_names[dns_trans_response];
 		dns_c_printtabs(fp, indent + 1);
 		fprintf(fp, "check-names %s %s;\n",
-			dns_c_transport2string(dns_trans_response,
-					       ISC_TRUE),
-			dns_c_nameseverity2string(nameseverity,
-						  ISC_TRUE));
+			dns_c_transport2string(dns_trans_response, ISC_TRUE),
+			dns_c_nameseverity2string(nameseverity, ISC_TRUE));
 	}
 
 
-	if (DNS_C_CHECKBIT(TRANSFER_FORMAT_BIT, &view->setflags)) {
-		dns_c_printtabs(fp, indent + 1);
-		fprintf(fp, "transfer-format %s;\n",
-			dns_c_transformat2string(view->transfer_format,
-						 ISC_TRUE));
-	}
-		
+	PRINT_AS_BOOLEAN(auth_nx_domain, "auth-nxdomain");
+	PRINT_AS_BOOLEAN(recursion, "recursion");
+	PRINT_AS_BOOLEAN(provide_ixfr, "provide-ixfr");
+	PRINT_AS_BOOLEAN(request_ixfr, "request-ixfr");
+	PRINT_AS_BOOLEAN(fetch_glue, "fetch-glue");
+	PRINT_AS_BOOLEAN(notify, "notify");
+	PRINT_AS_BOOLEAN(rfc2308_type1, "rfc2308-type1");
 
-	fprintf(fp, "\n");
+
+	PRINT_IP(transfer_source, "transfer-source");
+	PRINT_IP(transfer_source_v6, "transfer-source-v6");
 	
+	PRINT_IPANDPORT(query_source, "query-source");
+	PRINT_IPANDPORT(query_source_v6, "query-source-v6");
 
+	PRINT_AS_MINUTES(max_transfer_time_out, "max-transfer-time-out");
+	PRINT_AS_MINUTES(max_transfer_idle_out, "max-transfer-idle-out");
+	PRINT_AS_MINUTES(clean_interval, "cleaning-interval");
 
-	/* XXXJAB rest of view fields */
+	PRINT_INT32(min_roots, "min-roots");
+	PRINT_INT32(lamettl, "lame-ttl");
+	PRINT_INT32(max_ncache_ttl, "max-ncache-ttl");
+	PRINT_INT32(max_cache_ttl, "max-cache-ttl");
 
-	if (view->zonelist != NULL) {
-		dns_c_zonelist_print(fp, indent + 1, view->zonelist);
+	if (view->additional_data != NULL) {
+		dns_c_printtabs(fp, indent + 1);
+		fprintf(fp, "additional-data %s;\n",
+			dns_c_addata2string(*view->additional_data, ISC_TRUE));
 	}
-
-	dns_c_printtabs(fp, indent);
-	fprintf(fp, "};\n");
-}
-
-
-isc_result_t
-dns_c_view_setallowquery(dns_c_view_t *view,
-			 dns_c_ipmatchlist_t *ipml,
-			 isc_boolean_t deepcopy)
-{
-	isc_result_t res;
 	
-	REQUIRE(DNS_C_VIEW_VALID(view));
-	REQUIRE(DNS_C_IPMLIST_VALID(ipml));
-
-	if (view->allowquery != NULL) {
-		dns_c_ipmatchlist_detach(&view->allowquery);
-	}
-
-	if (deepcopy) {
-		res = dns_c_ipmatchlist_copy(view->mem,
-					     &view->allowquery, ipml);
-	} else {
-		view->allowquery = ipml;
-		res = ISC_R_SUCCESS;
+	if (view->transfer_format != NULL) {
+		dns_c_printtabs(fp, indent + 1);
+		fprintf(fp, "transfer-format %s;\n",
+			dns_c_transformat2string(*view->transfer_format,
+						 ISC_TRUE));
 	}
-
-	return (res);
-}
-	
-
-isc_result_t
-dns_c_view_setallowtransfer(dns_c_view_t *view,
-			    dns_c_ipmatchlist_t *ipml,
-			    isc_boolean_t deepcopy)
-{
-	isc_result_t res;
 	
-	REQUIRE(DNS_C_VIEW_VALID(view));
-	REQUIRE(DNS_C_IPMLIST_VALID(ipml));
 
-	if (view->transferacl != NULL) {
-		dns_c_ipmatchlist_detach(&view->transferacl);
+	if (view->keydefs != NULL) {
+		dns_c_kdeflist_print(fp, indent + 1, view->keydefs);
 	}
 
-	if (deepcopy) {
-		res = dns_c_ipmatchlist_copy(view->mem,
-					     &view->transferacl, ipml);
-	} else {
-		view->transferacl = ipml;
-		res = ISC_R_SUCCESS;
+	if (view->peerlist != NULL) {
+		dns_c_peerlist_print(fp, indent + 1, view->peerlist);
 	}
 
-	return (res);
-}
-	
 
-isc_result_t
-dns_c_view_setallowrecursion(dns_c_view_t *view,
-			     dns_c_ipmatchlist_t *ipml,
-			     isc_boolean_t deepcopy)
-{
-	isc_result_t res;
+#if 0	
+	PRINT_INT32(max_transfer_time_in, "max-transfer-time-in");
+	PRINT_INT32(max_transfer_idle_in, "max-transfer-idle-in");
+	PRINT_INT32(transfers_per_ns, "transfers-per-ns");
+	PRINT_INT32(serialqueries, "serial-queries");
+#endif
 	
-	REQUIRE(DNS_C_VIEW_VALID(view));
-	REQUIRE(DNS_C_IPMLIST_VALID(ipml));
-
-	if (view->recursionacl != NULL) {
-		dns_c_ipmatchlist_detach(&view->recursionacl);
-	}
+	fprintf(fp, "\n");
 
-	if (deepcopy) {
-		res = dns_c_ipmatchlist_copy(view->mem,
-					     &view->recursionacl, ipml);
-	} else {
-		view->recursionacl = ipml;
-		res = ISC_R_SUCCESS;
+	if (view->zonelist != NULL) {
+		dns_c_zonelist_print(fp, indent + 1, view->zonelist);
 	}
 
-	return (res);
-}
-	
+	dns_c_printtabs(fp, indent);
+	fprintf(fp, "};\n");
 
-isc_result_t
-dns_c_view_setallowupdateforwarding(dns_c_view_t *view,
-				    dns_c_ipmatchlist_t *ipml,
-				    isc_boolean_t deepcopy)
-{
-	isc_result_t res;
+#undef PRINT_IPMLIST
+#undef PRINT_AS_BOOLEAN
+#undef PRINT_INT32
+#undef PRINT_IP
+#undef PRINT_IPANDPORT
 	
-	REQUIRE(DNS_C_VIEW_VALID(view));
-	REQUIRE(DNS_C_IPMLIST_VALID(ipml));
-
-	if (view->allowupdateforwarding != NULL) {
-		dns_c_ipmatchlist_detach(&view->allowupdateforwarding);
-	}
-
-	if (deepcopy) {
-		res = dns_c_ipmatchlist_copy(view->mem,
-					     &view->allowupdateforwarding,
-					     ipml);
-	} else {
-		view->allowupdateforwarding = ipml;
-		res = ISC_R_SUCCESS;
-	}
-
-	return (res);
 }
-	
 
-isc_result_t
-dns_c_view_setblackhole(dns_c_view_t *view,
-			dns_c_ipmatchlist_t *ipml,
-			isc_boolean_t deepcopy)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_VIEW_VALID(view));
-	REQUIRE(DNS_C_IPMLIST_VALID(ipml));
 
-	if (view->blackhole != NULL) {
-		dns_c_ipmatchlist_detach(&view->blackhole);
-	}
 
-	if (deepcopy) {
-		res = dns_c_ipmatchlist_copy(view->mem,
-					     &view->blackhole, ipml);
-	} else {
-		view->blackhole = ipml;
-		res = ISC_R_SUCCESS;
-	}
 
-	return (res);
-}
-	
 
 isc_result_t
-dns_c_view_setforwarders(dns_c_view_t *view,
-			 dns_c_iplist_t *ipl,
-			 isc_boolean_t deepcopy)
-{
-	isc_boolean_t existed = ISC_FALSE;
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_VIEW_VALID(view));
-	REQUIRE(DNS_C_IPLIST_VALID(ipl));
-
-	if (view->forwarders != NULL) {
-		existed = ISC_TRUE;
-		dns_c_iplist_detach(&view->forwarders);
-	}
+dns_c_view_delete(dns_c_view_t **viewptr) {
+	dns_c_view_t *view;
 
-	if (deepcopy) {
-		res = dns_c_iplist_copy(view->mem, &view->forwarders, ipl);
-	} else {
-		view->forwarders = ipl;
-		res = ISC_R_SUCCESS;
-	}
+#define FREEIPMLIST(FIELD)				\
+	do { if (view->FIELD != NULL) {			\
+		dns_c_ipmatchlist_detach(&view->FIELD);	\
+	} } while (0)
 
-	if (res == ISC_R_SUCCESS) {
-		return (existed ? ISC_R_EXISTS : res);
-	} else {
-		return (res);
-	}
-}
-		
+#define FREEFIELD(FIELD)						   \
+	do { if (view->FIELD != NULL) {					   \
+		isc_mem_put(view->mem, view->FIELD, sizeof (*view->FIELD)); \
+		view->FIELD = NULL;					   \
+	} } while (0)
 	
+	REQUIRE(viewptr != NULL);
+	REQUIRE(DNS_C_VIEW_VALID(*viewptr));
 
-isc_result_t
-dns_c_view_setsortlist(dns_c_view_t *view,
-		       dns_c_ipmatchlist_t *ipml,
-		       isc_boolean_t deepcopy)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_VIEW_VALID(view));
-	REQUIRE(DNS_C_IPMLIST_VALID(ipml));
-
-	if (view->sortlist != NULL) {
-		dns_c_ipmatchlist_detach(&view->sortlist);
-	}
-
-	if (deepcopy) {
-		res = dns_c_ipmatchlist_copy(view->mem,
-					     &view->sortlist, ipml);
-	} else {
-		view->sortlist = ipml;
-		res = ISC_R_SUCCESS;
-	}
+	view = *viewptr;
 
-	return (res);
-}
+	isc_mem_free(view->mem, view->name);
 	
+	if (view->zonelist != NULL) {
+		dns_c_zonelist_delete(&view->zonelist);
+	}
 
-isc_result_t
-dns_c_view_settopology(dns_c_view_t *view,
-		       dns_c_ipmatchlist_t *ipml,
-		       isc_boolean_t deepcopy)
-{
-	isc_result_t res;
-	
-	REQUIRE(DNS_C_VIEW_VALID(view));
-	REQUIRE(DNS_C_IPMLIST_VALID(ipml));
+	FREEFIELD(forward);
 
-	if (view->topology != NULL) {
-		dns_c_ipmatchlist_detach(&view->topology);
+	if (view->forwarders != NULL) {
+		dns_c_iplist_detach(&view->forwarders);
 	}
+		
+	FREEIPMLIST(allowquery);
+	FREEIPMLIST(allowupdateforwarding);
+	FREEIPMLIST(transferacl);
+	FREEIPMLIST(recursionacl);
+	FREEIPMLIST(sortlist);
+	FREEIPMLIST(topology);
+	FREEIPMLIST(matchclients);
 
-	if (deepcopy) {
-		res = dns_c_ipmatchlist_copy(view->mem,
-					     &view->topology, ipml);
-	} else {
-		view->topology = ipml;
-		res = ISC_R_SUCCESS;
+	if (view->ordering != NULL) {
+		dns_c_rrsolist_delete(&view->ordering);
 	}
 
-	return (res);
-}
-
-
-isc_result_t
-dns_c_view_getallowquery(dns_c_view_t *view, dns_c_ipmatchlist_t **ipml)
-{
-	REQUIRE(DNS_C_VIEW_VALID(view));
-	REQUIRE(ipml != NULL);
-	
-	*ipml = view->allowquery;
 
-	return (*ipml == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
-}
+	FREEFIELD(check_names[dns_trans_primary]);
+	FREEFIELD(check_names[dns_trans_secondary]);
+	FREEFIELD(check_names[dns_trans_response]);
 
-isc_result_t dns_c_view_getallowtransfer(dns_c_view_t *view,
-					 dns_c_ipmatchlist_t **ipml)
-{
-	REQUIRE(DNS_C_VIEW_VALID(view));
-	REQUIRE(ipml != NULL);
-	
-	*ipml = view->transferacl;
+	FREEFIELD(auth_nx_domain);
+	FREEFIELD(recursion);
+	FREEFIELD(provide_ixfr);
+	FREEFIELD(request_ixfr);
+	FREEFIELD(fetch_glue);
+	FREEFIELD(notify);
+	FREEFIELD(rfc2308_type1);
 
-	return (*ipml == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
-}
-	
-isc_result_t dns_c_view_getallowrecursion(dns_c_view_t *view,
-					  dns_c_ipmatchlist_t **ipml)
-{
-	REQUIRE(DNS_C_VIEW_VALID(view));
-	REQUIRE(ipml != NULL);
-	
-	*ipml = view->recursionacl;
+	FREEFIELD(transfer_source);
+	FREEFIELD(transfer_source_v6);
+	FREEFIELD(query_source);
+	FREEFIELD(query_source_v6);
 
-	return (*ipml == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
-}
-	
-isc_result_t dns_c_view_getallowupdateforwarding(dns_c_view_t *view,
-						 dns_c_ipmatchlist_t **ipml)
-{
-	REQUIRE(DNS_C_VIEW_VALID(view));
-	REQUIRE(ipml != NULL);
-	
-	*ipml = view->allowupdateforwarding;
+	FREEFIELD(max_transfer_time_out);
+	FREEFIELD(max_transfer_idle_out);
+	FREEFIELD(clean_interval);
+	FREEFIELD(min_roots);
+	FREEFIELD(lamettl);
+	FREEFIELD(max_ncache_ttl);
+	FREEFIELD(max_cache_ttl);
 
-	return (*ipml == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
-}
-	
-isc_result_t dns_c_view_getblackhole(dns_c_view_t *view,
-				     dns_c_ipmatchlist_t **ipml)
-{
-	REQUIRE(DNS_C_VIEW_VALID(view));
-	REQUIRE(ipml != NULL);
-	
-	*ipml = view->blackhole;
+	FREEFIELD(additional_data);
+	FREEFIELD(transfer_format);
 
-	return (*ipml == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
-}
-	
-isc_result_t dns_c_view_getforwarders(dns_c_view_t *view,
-				      dns_c_iplist_t **ipl)
-{
-	REQUIRE(DNS_C_VIEW_VALID(view));
-	REQUIRE(ipl != NULL);
-	
-	*ipl = view->forwarders;
+	dns_c_view_unsetkeydefs(view);
+	dns_c_view_unsetpeerlist(view);
 
-	return (*ipl == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
-}
-	
-isc_result_t dns_c_view_getsortlist(dns_c_view_t *view,
-				    dns_c_ipmatchlist_t **ipml)
-{
-	REQUIRE(DNS_C_VIEW_VALID(view));
-	REQUIRE(ipml != NULL);
+#if 0	
+	FREEFIELD(max_transfer_time_in);
+	FREEFIELD(max_transfer_idle_in);
+	FREEFIELD(transfers_per_ns);
+	FREEFIELD(serial_queries);
+#endif
 	
-	*ipml = view->sortlist;
-
-	return (*ipml == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
-}
 	
-isc_result_t dns_c_view_gettopology(dns_c_view_t *view,
-				    dns_c_ipmatchlist_t **ipml)
-{
-	REQUIRE(DNS_C_VIEW_VALID(view));
-	REQUIRE(ipml != NULL);
+	view->magic = 0;
+	isc_mem_put(view->mem, view, sizeof *view);
 	
-	*ipml = view->topology;
-
-	return (*ipml == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
-	
 
 
-isc_result_t
-dns_c_view_getallowqueryexpanded(isc_mem_t *mem,
-				 dns_c_view_t *view,
-				 dns_c_acltable_t *acltable,
-				 dns_c_ipmatchlist_t **retval)
-{
-	dns_c_ipmatchlist_t *newlist;
-	isc_result_t r;
+isc_boolean_t
+dns_c_view_keydefinedp(dns_c_view_t *view, const char *keyname) {
+	dns_c_kdef_t *keyid;
+	isc_result_t res;
+	isc_boolean_t rval = ISC_FALSE;
 
 	REQUIRE(DNS_C_VIEW_VALID(view));
-	REQUIRE(DNS_C_CONFACLTABLE_VALID(acltable));
-	REQUIRE(retval != NULL);
+	REQUIRE(keyname != NULL);
+	REQUIRE(*keyname != '\0');
 	
-	if (view->allowquery == NULL) {
-		newlist = NULL;
-		r = ISC_R_SUCCESS;
-	} else {
-		r = dns_c_ipmatchlist_copy(mem, &newlist, view->allowquery);
-		if (r != ISC_R_SUCCESS) {
-			return (r);
+	if (view->keydefs != NULL) {
+		res = dns_c_kdeflist_find(view->keydefs, keyname, &keyid);
+		if (res == ISC_R_SUCCESS) {
+			rval = ISC_TRUE;
 		}
-
-		r = dns_c_acl_expandacls(acltable, newlist);
 	}
 
-	*retval = newlist;
-	
-	return (r);
+	return rval;
 }
 
-
-
 isc_result_t
-dns_c_view_delete(dns_c_view_t **viewptr)
-{
-	dns_c_view_t *view;
-	
-	REQUIRE(viewptr != NULL);
-	REQUIRE(DNS_C_VIEW_VALID(*viewptr));
-
-	view = *viewptr;
-
-	isc_mem_free(view->mem, view->name);
-	
-	if (view->allowquery != NULL)
-		dns_c_ipmatchlist_detach(&view->allowquery);
-
-	if (view->transferacl != NULL)
-		dns_c_ipmatchlist_detach(&view->transferacl);
-
-	if (view->recursionacl != NULL)
-		dns_c_ipmatchlist_detach(&view->recursionacl);
-
-	if (view->allowupdateforwarding != NULL)
-		dns_c_ipmatchlist_detach(&view->allowupdateforwarding);
-
-	if (view->blackhole != NULL)
-		dns_c_ipmatchlist_detach(&view->blackhole);
-
-	if (view->forwarders != NULL)
-		dns_c_iplist_detach(&view->forwarders);
-
-	if (view->sortlist != NULL)
-		dns_c_ipmatchlist_detach(&view->sortlist);
-
-	if (view->topology != NULL)
-		dns_c_ipmatchlist_detach(&view->topology);
+dns_c_view_getname(dns_c_view_t *view, const char **retval) {
+	REQUIRE(DNS_C_VIEW_VALID(view));
+	REQUIRE(retval != NULL);
 
-	if (view->listens != NULL) {
-		dns_c_lstnlist_delete(&view->listens);
-	}
-	
-	if (view->ordering != NULL) {
-		dns_c_rrsolist_delete(&view->ordering);
-	}
-		
-	if (view->zonelist != NULL) {
-		dns_c_zonelist_delete(&view->zonelist);
-	}
+	*retval = view->name;
 
-	view->magic = 0;
-	isc_mem_put(view->mem, view, sizeof *view);
-	
 	return (ISC_R_SUCCESS);
 }
 
-	
+
 isc_result_t
-dns_c_view_getname(dns_c_view_t *view, const char **retval)
-{
+dns_c_view_getviewclass(dns_c_view_t *view, dns_rdataclass_t *retval) {
 	REQUIRE(DNS_C_VIEW_VALID(view));
 	REQUIRE(retval != NULL);
 
-	*retval = view->name;
+	*retval = view->viewclass;
 
 	return (ISC_R_SUCCESS);
 }
 
 
 
+/*
+**
+*/
+
+
 isc_result_t
-dns_c_view_addzone(dns_c_view_t *view, dns_c_zone_t *zone)
-{
+dns_c_view_addzone(dns_c_view_t *view, dns_c_zone_t *zone) {
 	isc_result_t res;
 	dns_c_zone_t *attached;
 	
@@ -873,66 +855,125 @@ dns_c_view_addzone(dns_c_view_t *view, dns_c_zone_t *zone)
 	
 	return (dns_c_zonelist_addzone(view->zonelist, attached));
 }
+
+
+isc_result_t
+dns_c_view_getzonelist(dns_c_view_t *view, dns_c_zonelist_t **zonelist) {
+	REQUIRE(DNS_C_VIEW_VALID(view));
+	REQUIRE(zonelist != NULL);
+
+	*zonelist = view->zonelist;
 	
+	if (view->zonelist == NULL) {
+		return (ISC_R_NOTFOUND);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
 
 isc_result_t
-dns_c_view_addlisten_on(dns_c_view_t *view, in_port_t port,
-			dns_c_ipmatchlist_t *ml,
-		       isc_boolean_t copy)
+dns_c_view_unsetzonelist(dns_c_view_t *view) {
+	REQUIRE(DNS_C_VIEW_VALID(view));
+
+	if (view->zonelist == NULL) {
+		return (ISC_R_NOTFOUND);
+	} else {
+		dns_c_zonelist_delete(&view->zonelist);
+		return (ISC_R_SUCCESS);
+	}
+}
+
+
+/*
+**
+*/
+
+
+SETBYTYPE(dns_c_forw_t, forward, forward)
+UNSETBYTYPE(dns_c_forw_t, forward, forward)
+GETBYTYPE(dns_c_forw_t, forward, forward)
+
+	
+/*
+**
+*/
+
+isc_result_t
+dns_c_view_setforwarders(dns_c_view_t *view,
+			 dns_c_iplist_t *ipl,
+			 isc_boolean_t deepcopy)
 {
-	dns_c_lstnon_t *lo;
+	isc_boolean_t existed = ISC_FALSE;
 	isc_result_t res;
-
+	
 	REQUIRE(DNS_C_VIEW_VALID(view));
+	REQUIRE(DNS_C_IPLIST_VALID(ipl));
 
-	if (view->listens == NULL) {
-		res = dns_c_lstnlist_new(view->mem, &view->listens);
-		if (res != ISC_R_SUCCESS) {
-			return (res);
-		}
+	if (view->forwarders != NULL) {
+		existed = ISC_TRUE;
+		dns_c_iplist_detach(&view->forwarders);
 	}
 
-	res = dns_c_lstnon_new(view->mem, &lo);
-	if (res != ISC_R_SUCCESS) {
-		return (res);
+	if (deepcopy) {
+		res = dns_c_iplist_copy(view->mem, &view->forwarders, ipl);
+	} else {
+		dns_c_iplist_attach(ipl, &view->forwarders);
+		res = ISC_R_SUCCESS;
 	}
-	
-	lo->port = port;
-	res = dns_c_lstnon_setiml(lo, ml, copy);
 
-	ISC_LIST_APPEND(view->listens->elements, lo, next);
-
-	return (res);
+	if (res == ISC_R_SUCCESS) {
+		return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+	} else {
+		return (res);
+	}
 }
+		
 
 
+isc_result_t
+dns_c_view_unsetforwarders(dns_c_view_t *view) {
+	REQUIRE(DNS_C_VIEW_VALID(view));
+
+	if (view->forwarders != NULL) {
+		dns_c_iplist_detach(&view->forwarders);
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+		
+	
 
 isc_result_t
-dns_c_view_getlistenlist(dns_c_view_t *view, dns_c_lstnlist_t **ll)
+dns_c_view_getforwarders(dns_c_view_t *view,
+			 dns_c_iplist_t **ipl)
 {
 	REQUIRE(DNS_C_VIEW_VALID(view));
-	REQUIRE(ll != NULL);
+	REQUIRE(ipl != NULL);
+	
+	*ipl = view->forwarders;
 
-	*ll = NULL;
+	return (*ipl == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
+}
 
-	if (view->listens != NULL) {
-		*ll = view->listens;
-	}
 
-	return (*ll == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
-}
+/*
+**
+*/
 
-isc_result_t dns_c_view_setrrsetorderlist(dns_c_view_t *view,
-					  isc_boolean_t copy,
-					  dns_c_rrsolist_t *olist)
+isc_result_t
+dns_c_view_setordering(dns_c_view_t *view,
+		       isc_boolean_t copy,
+		       dns_c_rrsolist_t *olist)
 {
 	isc_boolean_t existed;
 	isc_result_t res;
 
 	REQUIRE(DNS_C_VIEW_VALID(view));
 
-	existed = (view->ordering == NULL ? ISC_FALSE : ISC_TRUE);
-	
+	existed = ISC_TF(view->ordering != NULL);
+
 	if (copy) {
 		if (view->ordering == NULL) {
 			res = dns_c_rrsolist_new(view->mem,
@@ -964,48 +1005,55 @@ isc_result_t dns_c_view_setrrsetorderlist(dns_c_view_t *view,
 					  
 
 
-isc_result_t dns_c_view_getrrsetorderlist(dns_c_view_t *view,
-					  dns_c_rrsolist_t **olist)
+isc_result_t
+dns_c_view_getordering(dns_c_view_t *view,
+		       dns_c_rrsolist_t **olist)
 {
 	REQUIRE(DNS_C_VIEW_VALID(view));
 	REQUIRE(olist != NULL);
 
-	if (view->ordering != NULL) {
-		*olist = view->ordering;
-	}
+	*olist = view->ordering;
 
 	return (*olist == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
 }
 
-	
+
+isc_result_t
+dns_c_view_unsetordering(dns_c_view_t *view)
+{
+	REQUIRE(DNS_C_VIEW_VALID(view));
+
+	if (view->ordering != NULL) {
+		dns_c_rrsolist_delete(&view->ordering);
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
 
 
+/*
+**
+**
+*/
+
 isc_result_t
 dns_c_view_setchecknames(dns_c_view_t *view,
-			 dns_c_trans_t transtype,
-			 dns_severity_t sever)
+			dns_c_trans_t transtype,
+			dns_severity_t newval)
 {
 	isc_boolean_t existed = ISC_FALSE;
+	dns_severity_t **ptr = NULL;
 	
 	REQUIRE(DNS_C_VIEW_VALID(view));
 
 	switch(transtype) {
 	case dns_trans_primary:
-		existed = DNS_C_CHECKBIT(CHECKNAME_PRIM_BIT,
-					 &view->setflags);
-		DNS_C_SETBIT(CHECKNAME_PRIM_BIT, &view->setflags);
-		break;
-
 	case dns_trans_secondary:
-		existed = DNS_C_CHECKBIT(CHECKNAME_SEC_BIT,
-					 &view->setflags);
-		DNS_C_SETBIT(CHECKNAME_SEC_BIT, &view->setflags);
-		break;
-
 	case dns_trans_response:
-		existed = DNS_C_CHECKBIT(CHECKNAME_RESP_BIT,
-					 &view->setflags);
-		DNS_C_SETBIT(CHECKNAME_RESP_BIT, &view->setflags);
+		ptr = &view->check_names[transtype];
+		existed = ISC_TF(*ptr != NULL);
 		break;
 
 	default:
@@ -1014,42 +1062,33 @@ dns_c_view_setchecknames(dns_c_view_t *view,
 			      "bad transport value: %d", transtype);
 		return (ISC_R_FAILURE);
 	}
-	
-	view->check_names[transtype] = sever;
 
+	if (!existed) {
+		*ptr = isc_mem_get(view->mem, sizeof (**ptr));
+	}
+
+	**ptr = newval;
+	
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
 
-
 isc_result_t
 dns_c_view_getchecknames(dns_c_view_t *view,
-			 dns_c_trans_t transtype,
-			 dns_severity_t *sever)
+			dns_c_trans_t transtype,
+			dns_severity_t *retval)
 {
-	isc_boolean_t isset = ISC_FALSE;
-	isc_result_t res;
-
+	isc_result_t result;
+	dns_severity_t **ptr = NULL;	
 	REQUIRE(DNS_C_VIEW_VALID(view));
 
-	REQUIRE(sever != NULL);
-
 	switch (transtype) {
 	case dns_trans_primary:
-		isset = DNS_C_CHECKBIT(CHECKNAME_PRIM_BIT,
-				       &view->setflags);
-		break;
-
 	case dns_trans_secondary:
-		isset = DNS_C_CHECKBIT(CHECKNAME_SEC_BIT,
-				       &view->setflags);
-		break;
-
 	case dns_trans_response:
-		isset = DNS_C_CHECKBIT(CHECKNAME_RESP_BIT,
-				       &view->setflags);
+		ptr = &view->check_names[transtype];
 		break;
-
+		
 	default:
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_CRITICAL,
@@ -1057,49 +1096,278 @@ dns_c_view_getchecknames(dns_c_view_t *view,
 		return (ISC_R_FAILURE);
 	}
 
-	if (isset) {
-		*sever = view->check_names[transtype];
-		res = ISC_R_SUCCESS;
+	if (*ptr != NULL) {
+		*retval = *view->check_names[transtype];
+		result = ISC_R_SUCCESS;
 	} else {
-		res = ISC_R_NOTFOUND;
+		result = ISC_R_NOTFOUND;
 	}
 
-	return (res);
+	return (result);
 }
 
 
-isc_result_t dns_c_view_settransferformat(dns_c_view_t *view,
-					  dns_transfer_format_t format)
+isc_result_t
+dns_c_view_unsetchecknames(dns_c_view_t *view,
+			  dns_c_trans_t transtype)
 {
-	isc_boolean_t existed = ISC_FALSE;
+	dns_severity_t **ptr = NULL;
 	
 	REQUIRE(DNS_C_VIEW_VALID(view));
 
-	existed = DNS_C_CHECKBIT(TRANSFER_FORMAT_BIT,
-				 &view->setflags);
-	DNS_C_SETBIT(TRANSFER_FORMAT_BIT, &view->setflags);
+	switch(transtype) {
+	case dns_trans_primary:
+	case dns_trans_secondary:
+	case dns_trans_response:
+		ptr = &view->check_names[transtype];
+		break;
+
+	default:
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_CRITICAL,
+			      "bad transport value: %d", transtype);
+		return (ISC_R_FAILURE);
+	}
+
+	if (*ptr == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
 	
-	view->transfer_format = format;
+	isc_mem_put(view->mem, *ptr, sizeof (**ptr));
 
-	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 
-isc_result_t dns_c_view_gettransferformat(dns_c_view_t *view,
-					  dns_transfer_format_t *format)
-{
+isc_result_t
+dns_c_view_getkeydefs(dns_c_view_t *view, dns_c_kdeflist_t **retval) {
 	REQUIRE(DNS_C_VIEW_VALID(view));
-	REQUIRE(format != NULL);
+	REQUIRE(retval != NULL);
+
+	*retval = view->keydefs;
 	
+	if (view->keydefs == NULL) {
+		return (ISC_R_NOTFOUND);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+
+isc_result_t
+dns_c_view_setkeydefs(dns_c_view_t *view, dns_c_kdeflist_t *newval) {
+	REQUIRE(DNS_C_VIEW_VALID(view));
+	REQUIRE(DNS_C_KDEFLIST_VALID(newval));
+
+	if (view->keydefs != NULL) {
+		dns_c_view_unsetkeydefs(view);
+	}
+
+	view->keydefs = newval;
+
+	return (ISC_R_SUCCESS);
+}
+
+
+isc_result_t
+dns_c_view_unsetkeydefs(dns_c_view_t *view) {
+	REQUIRE(DNS_C_VIEW_VALID(view));
+
+	if (view->keydefs != NULL) {
+		dns_c_kdeflist_delete(&view->keydefs);
+		view->keydefs = NULL;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
 
-	if (!DNS_C_CHECKBIT(TRANSFER_FORMAT_BIT, &view->setflags)) {
+/*
+**
+*/
+
+isc_result_t
+dns_c_view_getpeerlist(dns_c_view_t *view, dns_peerlist_t **retval) {
+	REQUIRE(DNS_C_VIEW_VALID(view));
+	REQUIRE(retval != NULL);
+	
+	if (view->peerlist == NULL) {
+		*retval = NULL;
 		return (ISC_R_NOTFOUND);
+	} else {
+		dns_peerlist_attach(view->peerlist, retval);
+		return (ISC_R_SUCCESS);
 	}
+}
 
-	*format = view->transfer_format;
+
+isc_result_t
+dns_c_view_unsetpeerlist(dns_c_view_t *view) {
+	REQUIRE(DNS_C_VIEW_VALID(view));
+
+	if (view->peerlist != NULL) {
+		dns_peerlist_detach(&view->peerlist);
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_FAILURE);
+	}
+}
+	
+
+isc_result_t
+dns_c_view_setpeerlist(dns_c_view_t *view, dns_peerlist_t *newval) {
+	REQUIRE(DNS_C_VIEW_VALID(view));
+
+	if (view->peerlist != NULL) {
+		dns_peerlist_detach(&view->peerlist);
+	}
+
+	dns_peerlist_attach(newval, &view->peerlist);
 
 	return (ISC_R_SUCCESS);
 }
 
-		
+GETIPMLIST(allowquery, allowquery)
+SETIPMLIST(allowquery, allowquery)
+UNSETIPMLIST(allowquery, allowquery)
+
+GETIPMLIST(allowupdateforwarding, allowupdateforwarding)
+SETIPMLIST(allowupdateforwarding, allowupdateforwarding)
+UNSETIPMLIST(allowupdateforwarding, allowupdateforwarding)
+
+GETIPMLIST(transferacl, transferacl)
+SETIPMLIST(transferacl, transferacl)
+UNSETIPMLIST(transferacl, transferacl)
+
+GETIPMLIST(recursionacl, recursionacl)
+SETIPMLIST(recursionacl, recursionacl)
+UNSETIPMLIST(recursionacl, recursionacl)
+
+GETIPMLIST(sortlist, sortlist)
+SETIPMLIST(sortlist, sortlist)
+UNSETIPMLIST(sortlist, sortlist)
+
+GETIPMLIST(topology, topology)
+SETIPMLIST(topology, topology)
+UNSETIPMLIST(topology, topology)
+
+GETIPMLIST(matchclients, matchclients)
+SETIPMLIST(matchclients, matchclients)
+UNSETIPMLIST(matchclients, matchclients)
+
+
+SETBOOL(authnxdomain, auth_nx_domain)
+GETBOOL(authnxdomain, auth_nx_domain)
+UNSETBOOL(authnxdomain, auth_nx_domain)
+
+SETBOOL(recursion, recursion)
+GETBOOL(recursion, recursion)
+UNSETBOOL(recursion, recursion)
+
+SETBOOL(provideixfr, provide_ixfr)
+GETBOOL(provideixfr, provide_ixfr)
+UNSETBOOL(provideixfr, provide_ixfr)
+
+SETBOOL(requestixfr, request_ixfr)
+GETBOOL(requestixfr, request_ixfr)
+UNSETBOOL(requestixfr, request_ixfr)
+
+SETBOOL(fetchglue, fetch_glue)
+GETBOOL(fetchglue, fetch_glue)
+UNSETBOOL(fetchglue, fetch_glue)
+
+SETBOOL(notify, notify)
+GETBOOL(notify, notify)
+UNSETBOOL(notify, notify)
+
+SETBOOL(rfc2308type1, rfc2308_type1)
+GETBOOL(rfc2308type1, rfc2308_type1)
+UNSETBOOL(rfc2308type1, rfc2308_type1)
+
+GETSOCKADDR(transfersource, transfer_source)
+SETSOCKADDR(transfersource, transfer_source)
+UNSETSOCKADDR(transfersource, transfer_source)
+
+GETSOCKADDR(transfersourcev6, transfer_source_v6)
+SETSOCKADDR(transfersourcev6, transfer_source_v6)
+UNSETSOCKADDR(transfersourcev6, transfer_source_v6)
+
+GETSOCKADDR(querysource, query_source)
+SETSOCKADDR(querysource, query_source)
+UNSETSOCKADDR(querysource, query_source)
+
+GETSOCKADDR(querysourcev6, query_source_v6)
+SETSOCKADDR(querysourcev6, query_source_v6)
+UNSETSOCKADDR(querysourcev6, query_source_v6)
+
+SETINT32(maxtransfertimeout, max_transfer_time_out)
+GETINT32(maxtransfertimeout, max_transfer_time_out)
+UNSETINT32(maxtransfertimeout, max_transfer_time_out)
+
+SETINT32(maxtransferidleout, max_transfer_idle_out)
+GETINT32(maxtransferidleout, max_transfer_idle_out)
+UNSETINT32(maxtransferidleout, max_transfer_idle_out)
+
+SETINT32(cleaninterval, clean_interval)
+GETINT32(cleaninterval, clean_interval)
+UNSETINT32(cleaninterval, clean_interval)
+
+SETINT32(minroots, min_roots)
+GETINT32(minroots, min_roots)
+UNSETINT32(minroots, min_roots)
+
+SETINT32(lamettl, lamettl)
+GETINT32(lamettl, lamettl)
+UNSETINT32(lamettl, lamettl)
+
+SETINT32(maxncachettl, max_ncache_ttl)
+GETINT32(maxncachettl, max_ncache_ttl)
+UNSETINT32(maxncachettl, max_ncache_ttl)
+
+SETINT32(maxcachettl, max_cache_ttl)
+GETINT32(maxcachettl, max_cache_ttl)
+UNSETINT32(maxcachettl, max_cache_ttl)
+
+
+GETBYTYPE(dns_c_addata_t, additionaldata, additional_data)
+SETBYTYPE(dns_c_addata_t, additionaldata, additional_data)
+UNSETBYTYPE(dns_c_addata_t, additionaldata, additional_data)
+
+GETBYTYPE(dns_transfer_format_t, transferformat, transfer_format)
+SETBYTYPE(dns_transfer_format_t, transferformat, transfer_format)
+UNSETBYTYPE(dns_transfer_format_t, transferformat, transfer_format)
+
+
+#if 0
+
+/*
+ * XXX waiting for implementation in server to turn these on.
+ */
+SETINT32(maxtransfertimein, max_transfer_time_in)
+GETINT32(maxtransfertimein, max_transfer_time_in)
+UNSETINT32(maxtransfertimein, max_transfer_time_in)
+
+SETINT32(maxtransferidlein, max_transfer_idle_in)
+GETINT32(maxtransferidlein, max_transfer_idle_in)
+UNSETINT32(maxtransferidlein, max_transfer_idle_in)
+
+SETINT32(transfersperns, transfers_per_ns)
+GETINT32(transfersperns, transfers_per_ns)
+UNSETINT32(transfersperns, transfers_per_ns)
+
+SETINT32(serialqueries, serial_queries)
+GETINT32(serialqueries, serial_queries)
+UNSETINT32(serialqueries, serial_queries)
+
+#endif
+
+
+
+
+
+
+
+
+
 
diff --git a/lib/dns/config/confzone.c b/lib/dns/config/confzone.c
index ae9612d1..5151dc2f 100644
--- a/lib/dns/config/confzone.c
+++ b/lib/dns/config/confzone.c
@@ -15,12 +15,15 @@
  * SOFTWARE.
  */
 
+/* $Id: confzone.c,v 1.43 2000/05/18 23:20:19 brister Exp $ */
+
 #include <config.h>
 
-#include <isc/assertions.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <dns/confzone.h>
-#include <dns/confcommon.h>
 #include <dns/log.h>
 #include <dns/ssu.h>
 
@@ -88,11 +91,17 @@
 
 typedef enum { zones_preopts, zones_postopts, zones_all } zone_print_type;
 
-static isc_result_t master_zone_init(dns_c_masterzone_t *mzone);
-static isc_result_t slave_zone_init(dns_c_slavezone_t *szone);
-static isc_result_t stub_zone_init(dns_c_stubzone_t *szone);
-static isc_result_t hint_zone_init(dns_c_hintzone_t *hzone);
-static isc_result_t forward_zone_init(dns_c_forwardzone_t *fzone);
+static void
+master_zone_init(dns_c_masterzone_t *mzone);
+static void
+slave_zone_init(dns_c_slavezone_t *szone);
+static void
+stub_zone_init(dns_c_stubzone_t *szone);
+static void
+hint_zone_init(dns_c_hintzone_t *hzone);
+static void
+forward_zone_init(dns_c_forwardzone_t *fzone);
+
 static isc_result_t zone_delete(dns_c_zone_t **zone);
 static isc_result_t master_zone_clear(isc_mem_t *mem,
 				      dns_c_masterzone_t *mzone);
@@ -127,11 +136,8 @@ static isc_result_t set_ipmatch_list_field(isc_mem_t *mem,
 static void zone_list_print(zone_print_type zpt,
 			    FILE *fp, int indent, dns_c_zonelist_t *list);
 
-
-
 isc_result_t
-dns_c_zonelist_new(isc_mem_t *mem, dns_c_zonelist_t **zlist)
-{
+dns_c_zonelist_new(isc_mem_t *mem, dns_c_zonelist_t **zlist) {
 	dns_c_zonelist_t *list;
 
 	REQUIRE(zlist != NULL);
@@ -151,10 +157,8 @@ dns_c_zonelist_new(isc_mem_t *mem, dns_c_zonelist_t **zlist)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_zonelist_delete(dns_c_zonelist_t **zlist)
-{
+dns_c_zonelist_delete(dns_c_zonelist_t **zlist) {
 	dns_c_zonelist_t *list;
 	dns_c_zonelem_t *zoneelem;
 	dns_c_zonelem_t *tmpelem;
@@ -189,9 +193,27 @@ dns_c_zonelist_delete(dns_c_zonelist_t **zlist)
 }
 
 isc_result_t
-dns_c_zonelist_addzone(dns_c_zonelist_t *zlist,
-		       dns_c_zone_t *zone)
-{
+dns_c_zonelist_checkzones(dns_c_zonelist_t *list) {
+	dns_c_zone_t *zone;
+	isc_result_t tmpres;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(DNS_C_ZONELIST_VALID(list));
+
+	for (zone = dns_c_zonelist_firstzone(list) ;
+	     zone != NULL ;
+	     zone = dns_c_zonelist_nextzone(list, zone)) {
+		tmpres = dns_c_zone_validate(zone);
+		if (result == ISC_R_SUCCESS) {
+			result = tmpres;
+		}
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_c_zonelist_addzone(dns_c_zonelist_t *zlist, dns_c_zone_t *zone) {
 	dns_c_zonelem_t *zoneelem;
 
 	REQUIRE(DNS_C_ZONELIST_VALID(zlist));
@@ -210,8 +232,6 @@ dns_c_zonelist_addzone(dns_c_zonelist_t *zlist,
 
 	return (ISC_R_SUCCESS);
 }
-	
-	
 
 isc_result_t
 dns_c_zonelist_find(dns_c_zonelist_t *zlist, const char *name,
@@ -240,11 +260,8 @@ dns_c_zonelist_find(dns_c_zonelist_t *zlist, const char *name,
 	return (zoneelem == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_zonelist_rmbyname(dns_c_zonelist_t *zlist,
-			const char *name)
-{
+dns_c_zonelist_rmbyname(dns_c_zonelist_t *zlist, const char *name) {
 	dns_c_zonelem_t *zoneelem;
 	isc_result_t res;
 
@@ -272,11 +289,8 @@ dns_c_zonelist_rmbyname(dns_c_zonelist_t *zlist,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zonelist_rmzone(dns_c_zonelist_t *zlist,
-		      dns_c_zone_t *zone)
-{
+dns_c_zonelist_rmzone(dns_c_zonelist_t *zlist, dns_c_zone_t *zone) {
 	dns_c_zonelem_t *zoneelem;
 	isc_result_t res;
 	
@@ -290,6 +304,8 @@ dns_c_zonelist_rmzone(dns_c_zonelist_t *zlist,
 		if (zone == zoneelem->thezone) {
 			break;
 		}
+
+		zoneelem = ISC_LIST_NEXT(zoneelem, next);
 	}
 
 	if (zoneelem != NULL) {
@@ -303,34 +319,64 @@ dns_c_zonelist_rmzone(dns_c_zonelist_t *zlist,
 	return (res);
 }
 
-
 void
-dns_c_zonelist_print(FILE *fp, int indent,
-		     dns_c_zonelist_t *list)
-{
+dns_c_zonelist_print(FILE *fp, int indent, dns_c_zonelist_t *list) {
 	REQUIRE(DNS_C_ZONELIST_VALID(list));
 	zone_list_print(zones_all, fp, indent, list);
 }
 
-
 void
-dns_c_zonelist_printpreopts(FILE *fp, int indent,
-			    dns_c_zonelist_t *list)
-{
+dns_c_zonelist_printpreopts(FILE *fp, int indent, dns_c_zonelist_t *list) {
 	REQUIRE(DNS_C_ZONELIST_VALID(list));
 	zone_list_print(zones_preopts, fp, indent, list);
 }
 
-
 void
-dns_c_zonelist_printpostopts(FILE *fp, int indent,
-			     dns_c_zonelist_t *list)
-{
+dns_c_zonelist_printpostopts(FILE *fp, int indent, dns_c_zonelist_t *list) {
 	REQUIRE(DNS_C_ZONELIST_VALID(list));
 	zone_list_print(zones_postopts, fp, indent, list);
 }
 
+dns_c_zone_t *
+dns_c_zonelist_firstzone(dns_c_zonelist_t *list) {
+	dns_c_zonelem_t *zoneelem;
+
+	REQUIRE(DNS_C_ZONELIST_VALID(list));
+
+	zoneelem = ISC_LIST_HEAD(list->zones);
+
+	if (zoneelem != NULL) {
+		return (zoneelem->thezone);
+	} else {
+		return (NULL);
+	}
+}
+
+dns_c_zone_t *
+dns_c_zonelist_nextzone(dns_c_zonelist_t *list, dns_c_zone_t *zone) {
+	dns_c_zonelem_t *zoneelem;
+	
+	REQUIRE(DNS_C_ZONELIST_VALID(list));
+
+	zoneelem = ISC_LIST_HEAD(list->zones);
+
+	while (zoneelem != NULL && zoneelem->thezone != zone) {
+		zoneelem = ISC_LIST_NEXT(zoneelem, next);
+	}
+
+	/* XXX
+	 * should REQUIRE or return NULL if zone was no on list?
+	 */
+	REQUIRE(zoneelem != NULL);
 
+	zoneelem = ISC_LIST_NEXT(zoneelem, next);
+
+	if (zoneelem == NULL) {
+		return (NULL);
+	} else {
+		return (zoneelem->thezone);
+	}
+}
 
 static void
 zone_list_print(zone_print_type zpt, FILE *fp, int indent,
@@ -368,7 +414,6 @@ zone_list_print(zone_print_type zpt, FILE *fp, int indent,
 	return;
 }
 
-
 /* ************************************************************************ */
 /* ******************************** ZONEs ********************************* */
 /* ************************************************************************ */
@@ -380,7 +425,6 @@ dns_c_zone_new(isc_mem_t *mem,
 	       dns_c_zone_t **zone)
 {
 	dns_c_zone_t *newzone;
-	isc_result_t res;
 
 	REQUIRE(mem != NULL);
 	REQUIRE(name != NULL);
@@ -397,31 +441,33 @@ dns_c_zone_new(isc_mem_t *mem,
 	newzone->ztype = ztype;
 	newzone->zclass = zclass;
 	newzone->view = NULL;
+	newzone->enabled = NULL;
 	newzone->afteropts = ISC_FALSE;
 	newzone->name = isc_mem_strdup(mem, name);
 	newzone->internalname = (internalname == NULL ?
 				 isc_mem_strdup(mem, name) :
 				 isc_mem_strdup(mem, internalname));
-
+	newzone->database = NULL;
+	
 	switch (ztype) {
 	case dns_c_zone_master:
-		res = master_zone_init(&newzone->u.mzone);
+		master_zone_init(&newzone->u.mzone);
 		break;
 		
 	case dns_c_zone_slave:
-		res = slave_zone_init(&newzone->u.szone);
+		slave_zone_init(&newzone->u.szone);
 		break;
 
 	case dns_c_zone_stub:
-		res = stub_zone_init(&newzone->u.tzone);
+		stub_zone_init(&newzone->u.tzone);
 		break;
 		
 	case dns_c_zone_hint:
-		res = hint_zone_init(&newzone->u.hzone);
+		hint_zone_init(&newzone->u.hzone);
 		break;
 		
 	case dns_c_zone_forward:
-		res = forward_zone_init(&newzone->u.fzone);
+		forward_zone_init(&newzone->u.fzone);
 		break;
 	}
 	
@@ -430,10 +476,8 @@ dns_c_zone_new(isc_mem_t *mem,
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_zone_detach(dns_c_zone_t **zone)
-{
+dns_c_zone_detach(dns_c_zone_t **zone) {
 	dns_c_zone_t *zoneptr;
 	isc_result_t res = ISC_R_SUCCESS;
 
@@ -453,11 +497,8 @@ dns_c_zone_detach(dns_c_zone_t **zone)
 	return (res);
 }
 
-
 void
-dns_c_zone_attach(dns_c_zone_t *source,
-		  dns_c_zone_t **target)
-{
+dns_c_zone_attach(dns_c_zone_t *source, dns_c_zone_t **target) {
 	REQUIRE(DNS_C_ZONE_VALID(source));
 	REQUIRE(target != NULL);
 
@@ -465,12 +506,9 @@ dns_c_zone_attach(dns_c_zone_t *source,
 
 	*target = source;
 }
-		
-
 
 void
-dns_c_zone_print(FILE *fp, int indent, dns_c_zone_t *zone)
-{
+dns_c_zone_print(FILE *fp, int indent, dns_c_zone_t *zone) {
 	REQUIRE(fp != NULL);
 	REQUIRE(DNS_C_ZONE_VALID(zone));
 
@@ -482,7 +520,7 @@ dns_c_zone_print(FILE *fp, int indent, dns_c_zone_t *zone)
 	}
 
 	fprintf(fp, " {\n");
-
+		
 	switch (zone->ztype) {
 	case dns_c_zone_master:
 		dns_c_printtabs(fp, indent + 1);
@@ -515,14 +553,23 @@ dns_c_zone_print(FILE *fp, int indent, dns_c_zone_t *zone)
 		break;
 	}
 
+	if (zone->database != NULL) {
+		dns_c_printtabs(fp, indent + 1);
+		fprintf(fp, "database \"%s\";\n", zone->database);
+	}
+
+	if (zone->enabled != NULL) {
+		dns_c_printtabs(fp, indent + 1);
+		fprintf(fp, "enable-zone %s;\n",
+			(*zone->enabled ? "true" : "false"));
+	}
+	
 	dns_c_printtabs(fp, indent);
 	fprintf(fp, "};\n");
 }
 
-
 isc_result_t
-dns_c_zone_setfile(dns_c_zone_t *zone, const char *newfile)
-{
+dns_c_zone_setfile(dns_c_zone_t *zone, const char *newfile) {
 	char **p = NULL;
 	isc_result_t res;
 	
@@ -569,11 +616,8 @@ dns_c_zone_setfile(dns_c_zone_t *zone, const char *newfile)
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_setchecknames(dns_c_zone_t *zone,
-			 dns_severity_t severity)
-{
+dns_c_zone_setchecknames(dns_c_zone_t *zone, dns_severity_t severity) {
 	dns_severity_t *p = NULL;
 	dns_c_setbits_t *bits = NULL;
 	int bit = 0;
@@ -625,7 +669,6 @@ dns_c_zone_setchecknames(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
 dns_c_zone_setallowupd(dns_c_zone_t *zone,
 		       dns_c_ipmatchlist_t *ipml,
@@ -676,6 +719,46 @@ dns_c_zone_setallowupd(dns_c_zone_t *zone,
 	return (res);
 }
 
+isc_result_t
+dns_c_zone_unsetallowupd(dns_c_zone_t *zone) {
+	dns_c_ipmatchlist_t **p = NULL;
+	
+	REQUIRE(DNS_C_ZONE_VALID(zone));
+
+	switch (zone->ztype) {
+	case dns_c_zone_master:
+		p = &zone->u.mzone.allow_update;
+		break;
+			
+	case dns_c_zone_slave:
+		p = &zone->u.szone.allow_update;
+		break;
+		
+	case dns_c_zone_stub:
+		p = &zone->u.tzone.allow_update;
+		break;
+		
+	case dns_c_zone_hint:
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_CRITICAL,
+			      "Hint zones do not have an allow_update field");
+		return (ISC_R_FAILURE);
+			
+	case dns_c_zone_forward:
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_CRITICAL,
+			      "Forward zones do not have an "
+			      "allow_update field");
+		return (ISC_R_FAILURE);
+	}
+
+	if (*p != NULL) {
+		dns_c_ipmatchlist_detach(p);
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
 
 isc_result_t
 dns_c_zone_setallowupdateforwarding(dns_c_zone_t *zone,
@@ -728,10 +811,8 @@ dns_c_zone_setallowupdateforwarding(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_setssuauth(dns_c_zone_t *zone, dns_ssutable_t *ssu)
-{
+dns_c_zone_setssuauth(dns_c_zone_t *zone, dns_ssutable_t *ssu) {
 	dns_ssutable_t **p = NULL;
 	isc_boolean_t existed;
 	
@@ -775,7 +856,6 @@ dns_c_zone_setssuauth(dns_c_zone_t *zone, dns_ssutable_t *ssu)
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
-
 isc_result_t
 dns_c_zone_setallowquery(dns_c_zone_t *zone,
 			 dns_c_ipmatchlist_t *ipml,
@@ -826,7 +906,6 @@ dns_c_zone_setallowquery(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
 dns_c_zone_setallowtransfer(dns_c_zone_t *zone,
 			    dns_c_ipmatchlist_t *ipml,
@@ -878,10 +957,8 @@ dns_c_zone_setallowtransfer(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_setdialup(dns_c_zone_t *zone, isc_boolean_t newval)
-{
+dns_c_zone_setdialup(dns_c_zone_t *zone, isc_boolean_t newval) {
 	isc_boolean_t existed = ISC_FALSE;
 
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -924,10 +1001,8 @@ dns_c_zone_setdialup(dns_c_zone_t *zone, isc_boolean_t newval)
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_zone_setnotify(dns_c_zone_t *zone, isc_boolean_t newval)
-{
+dns_c_zone_setnotify(dns_c_zone_t *zone, isc_boolean_t newval) {
 	isc_boolean_t existed = ISC_FALSE;
 	
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -969,11 +1044,8 @@ dns_c_zone_setnotify(dns_c_zone_t *zone, isc_boolean_t newval)
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_zone_setmaintixfrbase(dns_c_zone_t *zone,
-			    isc_boolean_t newval)
-{
+dns_c_zone_setmaintixfrbase(dns_c_zone_t *zone, isc_boolean_t newval) {
 	isc_boolean_t existed = ISC_FALSE;
 	
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -1018,7 +1090,6 @@ dns_c_zone_setmaintixfrbase(dns_c_zone_t *zone,
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
-
 isc_result_t
 dns_c_zone_setalsonotify(dns_c_zone_t *zone,
 			 dns_c_iplist_t *newval,
@@ -1068,10 +1139,8 @@ dns_c_zone_setalsonotify(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_setixfrbase(dns_c_zone_t *zone, const char *newval)
-{
+dns_c_zone_setixfrbase(dns_c_zone_t *zone, const char *newval) {
 	isc_boolean_t existed ;
 	char **p = NULL;
 	
@@ -1122,10 +1191,8 @@ dns_c_zone_setixfrbase(dns_c_zone_t *zone, const char *newval)
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_zone_setixfrtmp(dns_c_zone_t *zone, const char *newval)
-{
+dns_c_zone_setixfrtmp(dns_c_zone_t *zone, const char *newval) {
 	isc_boolean_t existed;
 	char **p = NULL;
 
@@ -1176,7 +1243,6 @@ dns_c_zone_setixfrtmp(dns_c_zone_t *zone, const char *newval)
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
-
 isc_result_t
 dns_c_zone_addpubkey(dns_c_zone_t *zone,
 		     dns_c_pubkey_t *pubkey,
@@ -1230,10 +1296,8 @@ dns_c_zone_addpubkey(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_setmasterport(dns_c_zone_t *zone, in_port_t port)
-{
+dns_c_zone_setmasterport(dns_c_zone_t *zone, in_port_t port) {
 	isc_boolean_t existed = ISC_FALSE;
 	
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -1277,7 +1341,6 @@ dns_c_zone_setmasterport(dns_c_zone_t *zone, in_port_t port)
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
-
 isc_result_t
 dns_c_zone_setmasterips(dns_c_zone_t *zone,
 			dns_c_iplist_t *newval,
@@ -1329,11 +1392,8 @@ dns_c_zone_setmasterips(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_settransfersource(dns_c_zone_t *zone,
-			     isc_sockaddr_t newval)
-{
+dns_c_zone_settransfersource(dns_c_zone_t *zone, isc_sockaddr_t newval) {
 	isc_boolean_t existed = ISC_FALSE;
 	
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -1378,11 +1438,8 @@ dns_c_zone_settransfersource(dns_c_zone_t *zone,
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_zone_settransfersourcev6(dns_c_zone_t *zone,
-			       isc_sockaddr_t newval)
-{
+dns_c_zone_settransfersourcev6(dns_c_zone_t *zone, isc_sockaddr_t newval) {
 	isc_boolean_t existed = ISC_FALSE;
 	
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -1429,11 +1486,8 @@ dns_c_zone_settransfersourcev6(dns_c_zone_t *zone,
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_zone_setmaxtranstimein(dns_c_zone_t *zone,
-			     isc_int32_t newval)
-{
+dns_c_zone_setmaxtranstimein(dns_c_zone_t *zone, isc_int32_t newval) {
 	isc_boolean_t existed = ISC_FALSE;
 	
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -1480,11 +1534,8 @@ dns_c_zone_setmaxtranstimein(dns_c_zone_t *zone,
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_zone_setmaxtranstimeout(dns_c_zone_t *zone,
-			      isc_int32_t newval)
-{
+dns_c_zone_setmaxtranstimeout(dns_c_zone_t *zone, isc_int32_t newval) {
 	isc_boolean_t existed = ISC_FALSE;
 	
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -1531,11 +1582,8 @@ dns_c_zone_setmaxtranstimeout(dns_c_zone_t *zone,
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_zone_setmaxtransidlein(dns_c_zone_t *zone,
-			     isc_int32_t newval)
-{
+dns_c_zone_setmaxtransidlein(dns_c_zone_t *zone, isc_int32_t newval) {
 	isc_boolean_t existed = ISC_FALSE;
 	
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -1582,11 +1630,8 @@ dns_c_zone_setmaxtransidlein(dns_c_zone_t *zone,
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_zone_setmaxtransidleout(dns_c_zone_t *zone,
-			      isc_int32_t newval)
-{
+dns_c_zone_setmaxtransidleout(dns_c_zone_t *zone, isc_int32_t newval) {
 	isc_boolean_t existed = ISC_FALSE;
 	
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -1633,11 +1678,8 @@ dns_c_zone_setmaxtransidleout(dns_c_zone_t *zone,
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_zone_setmaxixfrlog(dns_c_zone_t *zone,
-			 isc_int32_t newval)
-{
+dns_c_zone_setmaxixfrlog(dns_c_zone_t *zone, isc_int32_t newval) {
 	dns_c_setbits_t *bits = NULL;
 	isc_int32_t *p = NULL;
 	int bit = 0;
@@ -1690,10 +1732,8 @@ dns_c_zone_setmaxixfrlog(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_setforward(dns_c_zone_t *zone, dns_c_forw_t newval)
-{
+dns_c_zone_setforward(dns_c_zone_t *zone, dns_c_forw_t newval) {
 	isc_boolean_t existed = ISC_FALSE;
 	
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -1737,7 +1777,6 @@ dns_c_zone_setforward(dns_c_zone_t *zone, dns_c_forw_t newval)
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
-
 isc_result_t
 dns_c_zone_setforwarders(dns_c_zone_t *zone,
 			 dns_c_iplist_t *ipl,
@@ -1786,10 +1825,8 @@ dns_c_zone_setforwarders(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_getname(dns_c_zone_t *zone, const char **retval)
-{
+dns_c_zone_getname(dns_c_zone_t *zone, const char **retval) {
 	REQUIRE(DNS_C_ZONE_VALID(zone));
 	REQUIRE(retval != NULL);
 
@@ -1798,11 +1835,8 @@ dns_c_zone_getname(dns_c_zone_t *zone, const char **retval)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_zone_getinternalname(dns_c_zone_t *zone,
-			   const char **retval)
-{
+dns_c_zone_getinternalname(dns_c_zone_t *zone, const char **retval) {
 	REQUIRE(DNS_C_ZONE_VALID(zone));
 	REQUIRE(retval != NULL);
 
@@ -1811,10 +1845,8 @@ dns_c_zone_getinternalname(dns_c_zone_t *zone,
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_c_zone_getfile(dns_c_zone_t *zone, const char **retval)
-{
+dns_c_zone_getfile(dns_c_zone_t *zone, const char **retval) {
 	const char *p = NULL;
 	isc_result_t res;
 	
@@ -1855,11 +1887,8 @@ dns_c_zone_getfile(dns_c_zone_t *zone, const char **retval)
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_getchecknames(dns_c_zone_t *zone,
-			 dns_severity_t *retval)
-{
+dns_c_zone_getchecknames(dns_c_zone_t *zone, dns_severity_t *retval) {
 	dns_severity_t *p = NULL;
 	dns_c_setbits_t *bits = NULL;
 	int bit = 0;
@@ -1910,11 +1939,8 @@ dns_c_zone_getchecknames(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_getallowupd(dns_c_zone_t *zone,
-		       dns_c_ipmatchlist_t **retval)
-{
+dns_c_zone_getallowupd(dns_c_zone_t *zone, dns_c_ipmatchlist_t **retval) {
 	dns_c_ipmatchlist_t *p = NULL;
 	isc_result_t res;
 	
@@ -1958,10 +1984,8 @@ dns_c_zone_getallowupd(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_getssuauth(dns_c_zone_t *zone, dns_ssutable_t **retval)
-{
+dns_c_zone_getssuauth(dns_c_zone_t *zone, dns_ssutable_t **retval) {
 	dns_ssutable_t *p = NULL;
 	isc_result_t res;
 	
@@ -2009,7 +2033,6 @@ dns_c_zone_getssuauth(dns_c_zone_t *zone, dns_ssutable_t **retval)
 	return (res);
 }
 
-
 isc_result_t
 dns_c_zone_getallowupdateforwarding(dns_c_zone_t *zone,
 				    dns_c_ipmatchlist_t **retval)
@@ -2058,11 +2081,8 @@ dns_c_zone_getallowupdateforwarding(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_getallowquery(dns_c_zone_t *zone,
-			 dns_c_ipmatchlist_t **retval)
-{
+dns_c_zone_getallowquery(dns_c_zone_t *zone, dns_c_ipmatchlist_t **retval) {
 	dns_c_ipmatchlist_t *p = NULL;
 	isc_result_t res;
 	
@@ -2106,11 +2126,8 @@ dns_c_zone_getallowquery(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_getallowtransfer(dns_c_zone_t *zone,
-			    dns_c_ipmatchlist_t **retval)
-{
+dns_c_zone_getallowtransfer(dns_c_zone_t *zone, dns_c_ipmatchlist_t **retval) {
 	dns_c_ipmatchlist_t *p = NULL;
 	isc_result_t res;
 	
@@ -2155,11 +2172,8 @@ dns_c_zone_getallowtransfer(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_getdialup(dns_c_zone_t *zone,
-		     isc_boolean_t *retval)
-{
+dns_c_zone_getdialup(dns_c_zone_t *zone, isc_boolean_t *retval) {
 	isc_result_t res = ISC_R_SUCCESS;
 	
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -2209,11 +2223,8 @@ dns_c_zone_getdialup(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_getnotify(dns_c_zone_t *zone,
-		     isc_boolean_t *retval)
-{
+dns_c_zone_getnotify(dns_c_zone_t *zone, isc_boolean_t *retval) {
 	isc_result_t res;
 	dns_c_setbits_t *bits = NULL;
 	isc_boolean_t val = ISC_FALSE;
@@ -2225,13 +2236,13 @@ dns_c_zone_getnotify(dns_c_zone_t *zone,
 	switch (zone->ztype) {
 	case dns_c_zone_master:
 		val = zone->u.mzone.notify;
-		bit = MZ_DIALUP_BIT;
+		bit = MZ_NOTIFY_BIT;
 		bits = &zone->u.mzone.setflags;
 		break;
 			
 	case dns_c_zone_slave:
 		val = zone->u.szone.notify;
-		bit = SZ_DIALUP_BIT;
+		bit = SZ_NOTIFY_BIT;
 		bits = &zone->u.szone.setflags;
 		break;
 		
@@ -2264,11 +2275,8 @@ dns_c_zone_getnotify(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_getmaintixfrbase(dns_c_zone_t *zone,
-			    isc_boolean_t *retval)
-{
+dns_c_zone_getmaintixfrbase(dns_c_zone_t *zone, isc_boolean_t *retval) {
 	isc_result_t res;
 	dns_c_setbits_t *bits = NULL;
 	isc_boolean_t val = ISC_FALSE;
@@ -2319,11 +2327,8 @@ dns_c_zone_getmaintixfrbase(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_getalsonotify(dns_c_zone_t *zone,
-			 dns_c_iplist_t **retval)
-{
+dns_c_zone_getalsonotify(dns_c_zone_t *zone, dns_c_iplist_t **retval) {
 	dns_c_iplist_t *p = NULL;
 	isc_result_t res;
 
@@ -2368,11 +2373,8 @@ dns_c_zone_getalsonotify(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_getixfrbase(dns_c_zone_t *zone,
-		       const char **retval)
-{
+dns_c_zone_getixfrbase(dns_c_zone_t *zone, const char **retval) {
 	char *p = NULL;
 	isc_result_t res;
 	
@@ -2417,10 +2419,8 @@ dns_c_zone_getixfrbase(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_getixfrtmp(dns_c_zone_t *zone, const char **retval)
-{
+dns_c_zone_getixfrtmp(dns_c_zone_t *zone, const char **retval) {
 	char *p = NULL;
 	isc_result_t res;
 	
@@ -2465,11 +2465,8 @@ dns_c_zone_getixfrtmp(dns_c_zone_t *zone, const char **retval)
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_getpubkeylist(dns_c_zone_t *zone,
-			 dns_c_pklist_t **retval)
-{
+dns_c_zone_getpubkeylist(dns_c_zone_t *zone, dns_c_pklist_t **retval) {
 	dns_c_pklist_t *p = NULL;
 	isc_result_t res;
 	
@@ -2516,11 +2513,8 @@ dns_c_zone_getpubkeylist(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_getmasterport(dns_c_zone_t *zone,
-			 in_port_t *retval)
-{
+dns_c_zone_getmasterport(dns_c_zone_t *zone, in_port_t *retval) {
 	isc_result_t res = ISC_R_SUCCESS;
 	
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -2571,11 +2565,8 @@ dns_c_zone_getmasterport(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_getmasterips(dns_c_zone_t *zone,
-			dns_c_iplist_t **retval)
-{
+dns_c_zone_getmasterips(dns_c_zone_t *zone, dns_c_iplist_t **retval) {
 	isc_result_t res = ISC_R_SUCCESS;
 
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -2622,11 +2613,8 @@ dns_c_zone_getmasterips(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_gettransfersource(dns_c_zone_t *zone,
-			     isc_sockaddr_t *retval)
-{
+dns_c_zone_gettransfersource(dns_c_zone_t *zone, isc_sockaddr_t *retval) {
 	isc_result_t res = ISC_R_SUCCESS;
 
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -2680,11 +2668,8 @@ dns_c_zone_gettransfersource(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_gettransfersourcev6(dns_c_zone_t *zone,
-			     isc_sockaddr_t *retval)
-{
+dns_c_zone_gettransfersourcev6(dns_c_zone_t *zone, isc_sockaddr_t *retval) {
 	isc_result_t res = ISC_R_SUCCESS;
 
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -2738,11 +2723,8 @@ dns_c_zone_gettransfersourcev6(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_getmaxtranstimein(dns_c_zone_t *zone,
-			     isc_int32_t *retval)
-{
+dns_c_zone_getmaxtranstimein(dns_c_zone_t *zone, isc_int32_t *retval) {
 	isc_result_t res = ISC_R_SUCCESS;
 
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -2794,11 +2776,8 @@ dns_c_zone_getmaxtranstimein(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_getmaxtranstimeout(dns_c_zone_t *zone,
-			     isc_int32_t *retval)
-{
+dns_c_zone_getmaxtranstimeout(dns_c_zone_t *zone, isc_int32_t *retval) {
 	isc_result_t res = ISC_R_SUCCESS;
 
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -2850,12 +2829,8 @@ dns_c_zone_getmaxtranstimeout(dns_c_zone_t *zone,
 	return (res);
 }
 
-
-
 isc_result_t
-dns_c_zone_getmaxtransidlein(dns_c_zone_t *zone,
-			     isc_int32_t *retval)
-{
+dns_c_zone_getmaxtransidlein(dns_c_zone_t *zone, isc_int32_t *retval) {
 	isc_result_t res = ISC_R_SUCCESS;
 
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -2907,11 +2882,8 @@ dns_c_zone_getmaxtransidlein(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_getmaxtransidleout(dns_c_zone_t *zone,
-			     isc_int32_t *retval)
-{
+dns_c_zone_getmaxtransidleout(dns_c_zone_t *zone, isc_int32_t *retval) {
 	isc_result_t res = ISC_R_SUCCESS;
 
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -2964,12 +2936,8 @@ dns_c_zone_getmaxtransidleout(dns_c_zone_t *zone,
 	return (res);
 }
 
-
-
 isc_result_t
-dns_c_zone_getmaxixfrlog(dns_c_zone_t *zone,
-			 isc_int32_t *retval)
-{
+dns_c_zone_getmaxixfrlog(dns_c_zone_t *zone, isc_int32_t *retval) {
 	isc_result_t res;
 	dns_c_setbits_t *bits = NULL;
 	int bit = 0;
@@ -3022,11 +2990,8 @@ dns_c_zone_getmaxixfrlog(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_getforward(dns_c_zone_t *zone,
-		      dns_c_forw_t *retval)
-{
+dns_c_zone_getforward(dns_c_zone_t *zone, dns_c_forw_t *retval) {
 	isc_result_t res = ISC_R_SUCCESS;
 	
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -3079,11 +3044,8 @@ dns_c_zone_getforward(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 isc_result_t
-dns_c_zone_getforwarders(dns_c_zone_t *zone,
-			 dns_c_iplist_t **retval)
-{
+dns_c_zone_getforwarders(dns_c_zone_t *zone, dns_c_iplist_t **retval) {
 	isc_result_t res = ISC_R_SUCCESS;
 	
 	REQUIRE(DNS_C_ZONE_VALID(zone));
@@ -3140,15 +3102,12 @@ dns_c_zone_getforwarders(dns_c_zone_t *zone,
 	return (res);
 }
 
-
 /*
  * Zone privates
  */
 
 static void
-master_zone_print(FILE *fp, int indent,
-		  dns_c_masterzone_t *mzone)
-{
+master_zone_print(FILE *fp, int indent, dns_c_masterzone_t *mzone) {
 	REQUIRE(mzone != NULL);
 	
 	if (mzone->file != NULL) {
@@ -3224,7 +3183,8 @@ master_zone_print(FILE *fp, int indent,
 	if (mzone->also_notify != NULL) {
 		dns_c_printtabs(fp, indent);
 		fprintf(fp, "also-notify ");
-		dns_c_iplist_print(fp, indent + 1, mzone->also_notify);
+		dns_c_iplist_printfully(fp, indent + 1, ISC_TRUE,
+					mzone->also_notify);
 		fprintf(fp, ";\n");
 	}
 
@@ -3270,11 +3230,8 @@ master_zone_print(FILE *fp, int indent,
 	}
 }
 
-
 static void
-slave_zone_print(FILE *fp, int indent,
-		 dns_c_slavezone_t *szone)
-{
+slave_zone_print(FILE *fp, int indent, dns_c_slavezone_t *szone) {
 	REQUIRE(szone != NULL);
 	
 	if (szone->file != NULL) {
@@ -3311,7 +3268,8 @@ slave_zone_print(FILE *fp, int indent,
 		    szone->master_ips->nextidx == 0) {
 			fprintf(fp, "{ /* none defined */ }");
 		} else {
-			dns_c_iplist_print(fp, indent + 1, szone->master_ips);
+			dns_c_iplist_printfully(fp, indent + 1,
+						ISC_TRUE, szone->master_ips);
 		}
 		fprintf(fp, ";\n");
 	}
@@ -3427,7 +3385,8 @@ slave_zone_print(FILE *fp, int indent,
 	if (szone->also_notify != NULL) {
 		dns_c_printtabs(fp, indent);
 		fprintf(fp, "also-notify ");
-		dns_c_iplist_print(fp, indent + 1, szone->also_notify);
+		dns_c_iplist_printfully(fp, indent + 1,
+					ISC_TRUE, szone->also_notify);
 		fprintf(fp, ";\n");
 	}
 
@@ -3437,10 +3396,8 @@ slave_zone_print(FILE *fp, int indent,
 	}
 }
 
-
 static void
-stub_zone_print(FILE *fp, int indent, dns_c_stubzone_t *tzone)
-{
+stub_zone_print(FILE *fp, int indent, dns_c_stubzone_t *tzone) {
 	REQUIRE(tzone != NULL);
 	
 	if (tzone->file != NULL) {
@@ -3462,7 +3419,8 @@ stub_zone_print(FILE *fp, int indent, dns_c_stubzone_t *tzone)
 		    tzone->master_ips->nextidx == 0) {
 			fprintf(fp, "{ /* none defined */ }");
 		} else {
-			dns_c_iplist_print(fp, indent + 1, tzone->master_ips);
+			dns_c_iplist_printfully(fp, indent + 1,
+						ISC_TRUE, tzone->master_ips);
 		}
 		fprintf(fp, ";\n");
 	}
@@ -3562,10 +3520,8 @@ stub_zone_print(FILE *fp, int indent, dns_c_stubzone_t *tzone)
 	}
 }
 
-
 static void
-hint_zone_print(FILE *fp, int indent, dns_c_hintzone_t *hzone)
-{
+hint_zone_print(FILE *fp, int indent, dns_c_hintzone_t *hzone) {
 	REQUIRE(hzone != NULL);
 	
 	if (hzone->file != NULL) {
@@ -3586,11 +3542,8 @@ hint_zone_print(FILE *fp, int indent, dns_c_hintzone_t *hzone)
 	}
 }
 
-
 static void
-forward_zone_print(FILE *fp, int indent,
-		   dns_c_forwardzone_t *fzone)
-{
+forward_zone_print(FILE *fp, int indent, dns_c_forwardzone_t *fzone) {
 	REQUIRE(fzone != NULL);
 	
 	if (DNS_C_CHECKBIT(FZ_FORWARD_BIT, &fzone->setflags)) {
@@ -3615,10 +3568,8 @@ forward_zone_print(FILE *fp, int indent,
 	}
 }
 
-
-static isc_result_t
-master_zone_init(dns_c_masterzone_t *mzone)
-{
+static void
+master_zone_init(dns_c_masterzone_t *mzone) {
 	REQUIRE(mzone != NULL);
 	
 	mzone->file = NULL;
@@ -3634,14 +3585,10 @@ master_zone_init(dns_c_masterzone_t *mzone)
 	mzone->forwarders = NULL;
 
 	memset(&mzone->setflags, 0x0, sizeof (mzone->setflags));
-
-	return (ISC_R_SUCCESS);
 }
 
-
-static isc_result_t
-slave_zone_init(dns_c_slavezone_t *szone)
-{
+static void
+slave_zone_init(dns_c_slavezone_t *szone) {
 	REQUIRE(szone != NULL);
 
 	szone->file = NULL;
@@ -3657,14 +3604,10 @@ slave_zone_init(dns_c_slavezone_t *szone)
 	szone->forwarders = NULL;
 
 	memset(&szone->setflags, 0x0, sizeof (szone->setflags));
-
-	return (ISC_R_SUCCESS);
 }
 
-
-static isc_result_t
-stub_zone_init(dns_c_stubzone_t *tzone)
-{
+static void
+stub_zone_init(dns_c_stubzone_t *tzone) {
 	REQUIRE(tzone != NULL);
 
 	tzone->file = NULL;
@@ -3677,39 +3620,27 @@ stub_zone_init(dns_c_stubzone_t *tzone)
 	tzone->forwarders = NULL;
 
 	memset(&tzone->setflags, 0x0, sizeof (tzone->setflags));
-
-	return (ISC_R_SUCCESS);
 }
 
-
-static isc_result_t
-hint_zone_init(dns_c_hintzone_t *hzone)
-{
+static void
+hint_zone_init(dns_c_hintzone_t *hzone) {
 	REQUIRE(hzone != NULL);
 
 	hzone->file = NULL;
 	hzone->pubkeylist = NULL;
 	memset(&hzone->setflags, 0x0, sizeof (hzone->setflags));
-
-	return (ISC_R_SUCCESS);
 }
 
-
-static isc_result_t
-forward_zone_init(dns_c_forwardzone_t *fzone)
-{
+static void
+forward_zone_init(dns_c_forwardzone_t *fzone) {
 	REQUIRE(fzone != NULL);
 
 	fzone->forwarders = NULL;
 	memset(&fzone->setflags, 0x0, sizeof (fzone->setflags));
-
-	return (ISC_R_SUCCESS);
 }
 
-
 static isc_result_t
-zone_delete(dns_c_zone_t **zone)
-{
+zone_delete(dns_c_zone_t **zone) {
 	dns_c_zone_t *z;
 	isc_result_t res = ISC_R_SUCCESS;
 	
@@ -3720,6 +3651,16 @@ zone_delete(dns_c_zone_t **zone)
 
 	isc_mem_free(z->mem, z->name);
 	isc_mem_free(z->mem, z->internalname);
+
+	if (z->database != NULL) {
+		isc_mem_free(z->mem, z->database);
+		z->database = NULL;
+	}
+
+	if (z->enabled != NULL) {
+		isc_mem_put(z->mem, z->enabled, sizeof (z->enabled));
+		z->enabled = NULL;
+	}
 	
 	switch(z->ztype) {
 	case dns_c_zone_master:
@@ -3750,10 +3691,8 @@ zone_delete(dns_c_zone_t **zone)
 	return (res);
 }
 
-
 static isc_result_t
-master_zone_clear(isc_mem_t *mem, dns_c_masterzone_t *mzone)
-{
+master_zone_clear(isc_mem_t *mem, dns_c_masterzone_t *mzone) {
 	REQUIRE(mzone != NULL);
 	
 	if (mzone == NULL) {
@@ -3799,10 +3738,8 @@ master_zone_clear(isc_mem_t *mem, dns_c_masterzone_t *mzone)
 	return (ISC_R_SUCCESS);
 }
 
-
 static isc_result_t
-slave_zone_clear(isc_mem_t *mem, dns_c_slavezone_t *szone)
-{
+slave_zone_clear(isc_mem_t *mem, dns_c_slavezone_t *szone) {
 	REQUIRE(szone != NULL);
 	
 	if (szone == NULL) {
@@ -3848,11 +3785,8 @@ slave_zone_clear(isc_mem_t *mem, dns_c_slavezone_t *szone)
 	return (ISC_R_SUCCESS);
 }
 
-
-
 static isc_result_t
-stub_zone_clear(isc_mem_t *mem, dns_c_stubzone_t *tzone)
-{
+stub_zone_clear(isc_mem_t *mem, dns_c_stubzone_t *tzone) {
 	REQUIRE(tzone != NULL);
 	
 	if (tzone == NULL) {
@@ -3887,10 +3821,8 @@ stub_zone_clear(isc_mem_t *mem, dns_c_stubzone_t *tzone)
 	return (ISC_R_SUCCESS);
 }
 
-
 static isc_result_t
-forward_zone_clear(isc_mem_t *mem, dns_c_forwardzone_t *fzone)
-{
+forward_zone_clear(isc_mem_t *mem, dns_c_forwardzone_t *fzone) {
 	REQUIRE(fzone != NULL);
 	
 	if (fzone == NULL) {
@@ -3905,10 +3837,8 @@ forward_zone_clear(isc_mem_t *mem, dns_c_forwardzone_t *fzone)
 	return (ISC_R_SUCCESS);
 }
 
-
 static isc_result_t
-hint_zone_clear(isc_mem_t *mem, dns_c_hintzone_t *hzone)
-{
+hint_zone_clear(isc_mem_t *mem, dns_c_hintzone_t *hzone) {
 	REQUIRE(hzone != NULL);
 	
 	if (hzone == NULL) {
@@ -3977,3 +3907,171 @@ set_iplist_field(isc_mem_t *mem,
 	return (res);
 }
 
+
+isc_result_t
+dns_c_zone_setdatabase(dns_c_zone_t *zone, const char *database)
+{
+	isc_boolean_t existed = ISC_FALSE;
+
+	REQUIRE(DNS_C_ZONE_VALID(zone));
+	REQUIRE(database != NULL);
+	REQUIRE(database[0] != '\0');
+
+	if (zone->database != NULL) {
+		existed = ISC_TRUE;
+		isc_mem_free(zone->mem, zone->database);
+	}
+	
+	zone->database = isc_mem_strdup(zone->mem, database);
+	if (zone->database == NULL) {
+		return (ISC_R_NOMEMORY);
+	} else if (existed) {
+		return (ISC_R_EXISTS);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+	
+
+isc_result_t
+dns_c_zone_getdatabase(dns_c_zone_t *zone, char **retval)
+{
+	REQUIRE(DNS_C_ZONE_VALID(zone));
+	REQUIRE(retval != NULL);
+
+	*retval = zone->database;
+	if (zone->database == NULL) {
+		return (ISC_R_NOTFOUND);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+	
+
+isc_result_t
+dns_c_zone_unsetdatabase(dns_c_zone_t *zone)
+{
+	REQUIRE(DNS_C_ZONE_VALID(zone));
+
+	if (zone->database == NULL) {
+		return (ISC_R_NOTFOUND);
+	} else {
+		isc_mem_free(zone->mem, zone->database);
+		zone->database = NULL;
+		return (ISC_R_SUCCESS);
+	}
+}
+
+
+
+
+
+isc_result_t
+dns_c_zone_setenabled(dns_c_zone_t *zone, isc_boolean_t enabled)
+{
+	isc_boolean_t existed = ISC_FALSE;
+
+	REQUIRE(DNS_C_ZONE_VALID(zone));
+
+	if (zone->enabled != NULL) {
+		existed = ISC_TRUE;
+	} else {
+		zone->enabled = isc_mem_get(zone->mem, sizeof (zone->enabled));
+	}
+	
+	*zone->enabled = enabled;
+
+	if (existed) {
+		return (ISC_R_EXISTS);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+
+isc_result_t
+dns_c_zone_getenabled(dns_c_zone_t *zone, isc_boolean_t *retval)
+{
+	REQUIRE(DNS_C_ZONE_VALID(zone));
+	REQUIRE(retval != NULL);
+
+	if (zone->enabled == NULL) {
+		return (ISC_R_NOTFOUND);
+	} else {
+		*retval = *zone->enabled;
+		return (ISC_R_SUCCESS);
+	}
+}
+
+	
+
+isc_result_t
+dns_c_zone_unsetenabled(dns_c_zone_t *zone)
+{
+	REQUIRE(DNS_C_ZONE_VALID(zone));
+
+	if (zone->enabled == NULL) {
+		return (ISC_R_NOTFOUND);
+	} else {
+		isc_mem_put(zone->mem, zone->enabled, sizeof (zone->enabled));
+		zone->enabled = NULL;
+		return (ISC_R_SUCCESS);
+	}
+}
+	
+
+isc_result_t
+dns_c_zone_validate(dns_c_zone_t *zone)
+{
+	dns_c_ipmatchlist_t *ipmlist = NULL;
+	dns_c_iplist_t *iplist = NULL;
+	dns_ssutable_t *ssutable = NULL;
+	isc_result_t tmpres;
+	isc_result_t result = ISC_R_SUCCESS;
+	const char *autherr = "zone '%s': allow-update is ignored when "
+		"update-policy is also used";
+	const char *nomasterserr = "zone '%s': missing 'masters' entry";
+	const char *emptymasterserr = "zone '%s': 'masters' value is empty";
+
+	/*
+	 * Check for allow-update and update-policty together
+	 */
+	if (zone->ztype == dns_c_zone_master) {
+		tmpres = dns_c_zone_getallowupd(zone, &ipmlist);
+		if (tmpres == ISC_R_SUCCESS) {
+			tmpres = dns_c_zone_getssuauth(zone,
+						       &ssutable);
+			if (tmpres == ISC_R_SUCCESS) {
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_CONFIG,
+					      DNS_LOGMODULE_CONFIG,
+					      ISC_LOG_WARNING, autherr,
+					      zone->name);
+				dns_c_zone_unsetallowupd(zone);
+			}
+			dns_c_ipmatchlist_detach(&ipmlist);
+		}
+	} else if (zone->ztype == dns_c_zone_slave) {
+		iplist = NULL;
+		tmpres = dns_c_zone_getmasterips(zone, &iplist);
+		if (tmpres != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx,
+				      DNS_LOGCATEGORY_CONFIG,
+				      DNS_LOGMODULE_CONFIG,
+				      ISC_LOG_WARNING, nomasterserr,
+				      zone->name);
+			result = ISC_R_FAILURE;
+		} else if (iplist->nextidx == 0) {
+			isc_log_write(dns_lctx,
+				      DNS_LOGCATEGORY_CONFIG,
+				      DNS_LOGMODULE_CONFIG,
+				      ISC_LOG_WARNING, emptymasterserr,
+				      zone->name);
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	return (result);
+}
diff --git a/lib/dns/db.c b/lib/dns/db.c
index 8a25990b..24529cae 100644
--- a/lib/dns/db.c
+++ b/lib/dns/db.c
@@ -21,14 +21,13 @@
 
 #include <config.h>
 
-#include <stddef.h>
-#include <string.h>
+#include <isc/buffer.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
-#include <isc/assertions.h>
-#include <isc/ondestroy.h>
-
-#include <dns/db.h>
+#include <dns/callbacks.h>
 #include <dns/master.h>
+#include <dns/rdata.h>
 #include <dns/rdataset.h>
 
 /***
@@ -57,7 +56,7 @@ typedef struct {
 #include "rbtdb.h"
 #include "rbtdb64.h"
 
-impinfo_t implementations[] = {
+static impinfo_t implementations[] = {
 	{ "rbt", dns_rbtdb_create },
 	{ "rbt64", dns_rbtdb64_create },
 	{ NULL, NULL }
@@ -86,7 +85,7 @@ dns_db_create(isc_mem_t *mctx, char *db_type, dns_name_t *origin,
 			return ((impinfo->create)(mctx, origin, cache, rdclass,
 						  argc, argv, dbp));
 
-	return (DNS_R_NOTFOUND);
+	return (ISC_R_NOTFOUND);
 }
 
 void
@@ -238,7 +237,7 @@ dns_db_load(dns_db_t *db, const char *filename) {
 	dns_rdatacallbacks_init(&callbacks);
 
 	result = dns_db_beginload(db, &callbacks.add, &callbacks.add_private);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	result = dns_master_loadfile(filename, &db->origin, &db->origin,
 				     db->rdclass, age_ttl, &soacount, &nscount,
@@ -371,10 +370,11 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	REQUIRE(nodep == NULL || (nodep != NULL && *nodep == NULL));
 	REQUIRE(dns_name_hasbuffer(foundname));
 	REQUIRE(rdataset == NULL ||
-		(DNS_RDATASET_VALID(rdataset) && rdataset->methods == NULL));
+		(DNS_RDATASET_VALID(rdataset) &&
+		 ! dns_rdataset_isassociated(rdataset)));
 	REQUIRE(sigrdataset == NULL ||
 		(DNS_RDATASET_VALID(sigrdataset) &&
-		 sigrdataset->methods == NULL));
+		 ! dns_rdataset_isassociated(sigrdataset)));
 
 	return ((db->methods->find)(db, name, version, type, options, now,
 				    nodep, foundname, rdataset, sigrdataset));
@@ -396,7 +396,7 @@ dns_db_findzonecut(dns_db_t *db, dns_name_t *name,
 	REQUIRE(dns_name_hasbuffer(foundname));
 	REQUIRE(sigrdataset == NULL ||
 		(DNS_RDATASET_VALID(sigrdataset) &&
-		 sigrdataset->methods == NULL));
+		 ! dns_rdataset_isassociated(sigrdataset)));
 
 	return ((db->methods->findzonecut)(db, name, options, now, nodep,
 					   foundname, rdataset, sigrdataset));
@@ -494,12 +494,12 @@ dns_db_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	REQUIRE(DNS_DB_VALID(db));
 	REQUIRE(node != NULL);
 	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods == NULL);
+	REQUIRE(! dns_rdataset_isassociated(rdataset));
 	REQUIRE(covers == 0 || type == dns_rdatatype_sig);
 	REQUIRE(type != dns_rdatatype_any);
 	REQUIRE(sigrdataset == NULL ||
 		(DNS_RDATASET_VALID(sigrdataset) &&
-		 sigrdataset->methods == NULL));
+		 ! dns_rdataset_isassociated(sigrdataset)));
 
 	return ((db->methods->findrdataset)(db, node, version, type, covers,
 					    now, rdataset, sigrdataset));
@@ -536,11 +536,11 @@ dns_db_addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		((db->attributes & DNS_DBATTR_CACHE) != 0 &&
 		 version == NULL && (options & DNS_DBADD_MERGE) == 0));
 	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods != NULL);
+	REQUIRE(dns_rdataset_isassociated(rdataset));
 	REQUIRE(rdataset->rdclass == db->rdclass);
 	REQUIRE(addedrdataset == NULL ||
 		(DNS_RDATASET_VALID(addedrdataset) &&
-		 addedrdataset->methods == NULL));
+		 ! dns_rdataset_isassociated(addedrdataset)));
 
 	return ((db->methods->addrdataset)(db, node, version, now, rdataset,
 					   options, addedrdataset));
@@ -560,11 +560,11 @@ dns_db_subtractrdataset(dns_db_t *db, dns_dbnode_t *node,
 	REQUIRE(node != NULL);
 	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0 && version != NULL);
 	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods != NULL);
+	REQUIRE(dns_rdataset_isassociated(rdataset));
 	REQUIRE(rdataset->rdclass == db->rdclass);
 	REQUIRE(newrdataset == NULL ||
 		(DNS_RDATASET_VALID(newrdataset) &&
-		 newrdataset->methods == NULL));
+		 ! dns_rdataset_isassociated(newrdataset)));
 
 	return ((db->methods->subtractrdataset)(db, node, version, rdataset,
 						newrdataset));
@@ -585,5 +585,48 @@ dns_db_deleterdataset(dns_db_t *db, dns_dbnode_t *node,
 	REQUIRE(((db->attributes & DNS_DBATTR_CACHE) == 0 && version != NULL)||
 		((db->attributes & DNS_DBATTR_CACHE) != 0 && version == NULL));
 
-	return ((db->methods->deleterdataset)(db, node, version, type, covers));
+	return ((db->methods->deleterdataset)(db, node, version,
+					      type, covers));
+}
+
+isc_result_t
+dns_db_getsoaserial(dns_db_t *db, dns_dbversion_t *ver, isc_uint32_t *serialp)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata;
+	isc_buffer_t buffer;
+
+	REQUIRE(dns_db_iszone(db));
+		
+	result = dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0,
+				     (isc_stdtime_t)0, &rdataset, NULL);
+ 	if (result != ISC_R_SUCCESS)
+		goto freenode;
+	
+	result = dns_rdataset_first(&rdataset);
+ 	if (result != ISC_R_SUCCESS)
+		goto freerdataset;
+	dns_rdataset_current(&rdataset, &rdata);
+
+	INSIST(rdata.length > 20);
+	isc_buffer_init(&buffer, rdata.data, rdata.length);
+	isc_buffer_add(&buffer, rdata.length);
+	isc_buffer_forward(&buffer, rdata.length - 20);
+	*serialp = isc_buffer_getuint32(&buffer);
+
+	result = ISC_R_SUCCESS;
+
+ freerdataset:
+	dns_rdataset_disassociate(&rdataset);
+	
+ freenode:
+	dns_db_detachnode(db, &node);
+	return (result);
 }
diff --git a/lib/dns/dbiterator.c b/lib/dns/dbiterator.c
index 8b857289..33b7ee53 100644
--- a/lib/dns/dbiterator.c
+++ b/lib/dns/dbiterator.c
@@ -17,9 +17,7 @@
 
 #include <config.h>
 
-#include <stddef.h>
-
-#include <isc/assertions.h>
+#include <isc/util.h>
 
 #include <dns/dbiterator.h>
 #include <dns/name.h>
diff --git a/lib/dns/dbtable.c b/lib/dns/dbtable.c
index e21d5792..13550925 100644
--- a/lib/dns/dbtable.c
+++ b/lib/dns/dbtable.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dbtable.c,v 1.13 2000/02/03 23:43:46 halley Exp $
+ * $Id: dbtable.c,v 1.18 2000/05/08 14:34:31 tale Exp $
  */
 
 /*
@@ -25,13 +25,14 @@
 
 #include <config.h>
 
-#include <isc/assertions.h>
+#include <isc/mem.h>
 #include <isc/rwlock.h>
 #include <isc/util.h>
 
 #include <dns/dbtable.h>
 #include <dns/db.h>
 #include <dns/rbt.h>
+#include <dns/result.h>
 
 struct dns_dbtable {
 	/* Unlocked. */
@@ -73,11 +74,11 @@ dns_dbtable_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 
 	dbtable = (dns_dbtable_t *)isc_mem_get(mctx, sizeof(*dbtable));
 	if (dbtable == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
 	dbtable->rbt = NULL;
 	result = dns_rbt_create(mctx, dbdetach, NULL, &dbtable->rbt);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto clean1;
 
 	iresult = isc_mutex_init(&dbtable->lock);
@@ -85,7 +86,7 @@ dns_dbtable_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_lock_init() failed: %s",
 				 isc_result_totext(result));
-		result = DNS_R_UNEXPECTED;
+		result = ISC_R_UNEXPECTED;
 		goto clean2;
 	}
 
@@ -94,7 +95,7 @@ dns_dbtable_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_rwlock_init() failed: %s",
 				 isc_result_totext(result));
-		result = DNS_R_UNEXPECTED;
+		result = ISC_R_UNEXPECTED;
 		goto clean3;
 	}
 
@@ -106,7 +107,7 @@ dns_dbtable_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 
 	*dbtablep = dbtable;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 
  clean3:
 	(void)isc_mutex_destroy(&dbtable->lock);
@@ -123,8 +124,7 @@ dns_dbtable_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 static inline void
 dbtable_free(dns_dbtable_t *dbtable) {
 	/*
-	 * Caller must ensure that it is safe to
-	 * call.
+	 * Caller must ensure that it is safe to call.
 	 */
 
 	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
@@ -216,14 +216,15 @@ dns_dbtable_remove(dns_dbtable_t *dbtable, dns_db_t *db) {
 	 * be verified.  With the current rbt.c this is expensive to do,
 	 * because effectively two find operations are being done, but
 	 * deletion is relatively infrequent.
+	 * XXXDCL ... this could be cheaper now with dns_rbt_deletenode.
 	 */
 
 	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
 
-	result = dns_rbt_findname(dbtable->rbt, name, NULL,
+	result = dns_rbt_findname(dbtable->rbt, name, 0, NULL,
 				  (void **)&stored_data);
 
-	if (result == DNS_R_SUCCESS) {
+	if (result == ISC_R_SUCCESS) {
 		INSIST(stored_data == db);
 
 		dns_rbt_deletename(dbtable->rbt, name, ISC_FALSE);
@@ -270,24 +271,30 @@ dns_dbtable_removedefault(dns_dbtable_t *dbtable) {
 }
 
 isc_result_t
-dns_dbtable_find(dns_dbtable_t *dbtable, dns_name_t *name, dns_db_t **dbp) {
+dns_dbtable_find(dns_dbtable_t *dbtable, dns_name_t *name,
+		 unsigned int options, dns_db_t **dbp)
+{
 	dns_db_t *stored_data = NULL;
 	isc_result_t result;
+	unsigned int rbtoptions = 0;
 
 	REQUIRE(dbp != NULL && *dbp == NULL);
 
+	if ((options & DNS_DBTABLEFIND_NOEXACT) != 0)
+		rbtoptions |= DNS_RBTFIND_NOEXACT;
+
 	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
 
-	result = dns_rbt_findname(dbtable->rbt, name, NULL,
+	result = dns_rbt_findname(dbtable->rbt, name, rbtoptions, NULL,
 				  (void **)&stored_data);
 
-	if (result == DNS_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
 		dns_db_attach(stored_data, dbp);
 	else if (dbtable->default_db != NULL) {
 		dns_db_attach(dbtable->default_db, dbp);
 		result = DNS_R_PARTIALMATCH;
 	} else
-		result = DNS_R_NOTFOUND;
+		result = ISC_R_NOTFOUND;
 
 	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
 
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
index 87b0cb78..de1d4369 100644
--- a/lib/dns/dispatch.c
+++ b/lib/dns/dispatch.c
@@ -17,34 +17,48 @@
 
 #include <config.h>
 
-#include <ctype.h>
-#include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
 #include <isc/lfsr.h>
 #include <isc/mem.h>
 #include <isc/mutex.h>
-#include <isc/socket.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/task.h>
 #include <isc/util.h>
 
-#include <dns/events.h>
-#include <dns/types.h>
-#include <dns/result.h>
 #include <dns/dispatch.h>
+#include <dns/events.h>
+#include <dns/log.h>
 #include <dns/message.h>
 #include <dns/tcpmsg.h>
+#include <dns/types.h>
 
-#ifdef DISPATCH_DEBUG
-#define XDEBUG(x) printf x
-#else
-#define XDEBUG(x)
-#endif
+struct dns_dispatchmgr {
+	/* Unlocked. */
+	unsigned int			magic;
+	isc_mem_t		       *mctx;
+
+	/* Locked by "lock". */
+	isc_mutex_t			lock;
+	unsigned int			state;
+	ISC_LIST(dns_dispatch_t)	list;
+
+	/* Locked internally. */
+	isc_mutex_t			pool_lock;
+	isc_mempool_t		       *epool;	/* memory pool for events */
+	isc_mempool_t		       *rpool;	/* memory pool request/reply */
+	isc_mempool_t		       *dpool;  /* dispatch allocations */
+};
+
+#define MGR_SHUTTINGDOWN		0x00000001U
+#define MGR_IS_SHUTTINGDOWN(l)	(((l)->state & MGR_SHUTTINGDOWN) != 0)
+
+#define IS_PRIVATE(d)	(((d)->attributes & DNS_DISPATCHATTR_PRIVATE) != 0)
 
 struct dns_dispentry {
 	unsigned int			magic;
+	dns_dispatch_t		       *disp;
 	isc_uint32_t			id;
 	unsigned int			bucket;
 	isc_sockaddr_t			host;
@@ -63,31 +77,35 @@ typedef ISC_LIST(dns_dispentry_t)	dns_displist_t;
 struct dns_dispatch {
 	/* Unlocked. */
 	unsigned int		magic;		/* magic */
-	isc_mem_t	       *mctx;		/* memory context */
+	dns_dispatchmgr_t      *mgr;		/* dispatch manager */
 	isc_task_t	       *task;		/* internal task */
 	isc_socket_t	       *socket;		/* isc socket attached to */
+	isc_sockaddr_t		local;		/* local address */
 	unsigned int		buffersize;	/* size of each buffer */
 	unsigned int		maxrequests;	/* max requests */
 	unsigned int		maxbuffers;	/* max buffers */
 
-	/* Locked. */
+	/* Locked by mgr->lock. */
+	ISC_LINK(dns_dispatch_t) link;
+
+	/* Locked by "lock". */
 	isc_mutex_t		lock;		/* locks all below */
+	unsigned int		attributes;
 	unsigned int		refcount;	/* number of users */
-	isc_mempool_t	       *epool;		/* memory pool for events */
 	isc_mempool_t	       *bpool;		/* memory pool for buffers */
-	isc_mempool_t	       *rpool;		/* memory pool request/reply */
 	dns_dispatchevent_t    *failsafe_ev;	/* failsafe cancel event */
 	unsigned int		recvs;		/* recv() calls outstanding */
 	unsigned int		recvs_wanted;	/* recv() calls wanted */
 	unsigned int		shutting_down : 1,
-				shutdown_out : 1;
+				shutdown_out : 1,
+				connected : 1,
+				tcpmsg_valid : 1;
 	isc_result_t		shutdown_why;
 	unsigned int		requests;	/* how many requests we have */
 	unsigned int		buffers;	/* allocated buffers */
 	ISC_LIST(dns_dispentry_t) rq_handlers;	/* request handler list */
 	ISC_LIST(dns_dispatchevent_t) rq_events; /* holder for rq events */
 	dns_tcpmsg_t		tcpmsg;		/* for tcp streams */
-	dns_dispatchmethods_t	methods;	/* methods to use */
 	isc_lfsr_t		qid_lfsr1;	/* state generator info */
 	isc_lfsr_t		qid_lfsr2;	/* state generator info */
 	unsigned int		qid_nbuckets;	/* hash table size */
@@ -95,28 +113,32 @@ struct dns_dispatch {
 	dns_displist_t	        *qid_table;	/* the table itself */
 };
 
-#define REQUEST_MAGIC	0x53912051 /* "random" value */
-#define VALID_REQUEST(e)  ((e) != NULL && (e)->magic == REQUEST_MAGIC)
+#define REQUEST_MAGIC		ISC_MAGIC('D', 'r', 'q', 's')
+#define VALID_REQUEST(e)	ISC_MAGIC_VALID((e), REQUEST_MAGIC)
+
+#define RESPONSE_MAGIC		ISC_MAGIC('D', 'r', 's', 'p')
+#define VALID_RESPONSE(e)	ISC_MAGIC_VALID((e), RESPONSE_MAGIC)
 
-#define RESPONSE_MAGIC	0x15021935 /* "random" value */
-#define VALID_RESPONSE(e)  ((e) != NULL && (e)->magic == RESPONSE_MAGIC)
+#define DISPATCH_MAGIC		ISC_MAGIC('D', 'i', 's', 'p')
+#define VALID_DISPATCH(e)	ISC_MAGIC_VALID((e), DISPATCH_MAGIC)
 
-#define DISPATCH_MAGIC	0x69385829 /* "random" value */
-#define VALID_DISPATCH(e)  ((e) != NULL && (e)->magic == DISPATCH_MAGIC)
+#define DNS_DISPATCHMGR_MAGIC	ISC_MAGIC('D', 'M', 'g', 'r')
+#define VALID_DISPATCHMGR(e)	ISC_MAGIC_VALID((e), DNS_DISPATCHMGR_MAGIC)
 
 /*
- * statics.
+ * Statics.
  */
 static dns_dispentry_t *bucket_search(dns_dispatch_t *, isc_sockaddr_t *,
 				      dns_messageid_t, unsigned int);
-static void destroy(dns_dispatch_t *);
+static isc_boolean_t destroy_disp_ok(dns_dispatch_t *);
+static void destroy_disp(dns_dispatch_t **);
 static void udp_recv(isc_task_t *, isc_event_t *);
 static void tcp_recv(isc_task_t *, isc_event_t *);
 static inline void startrecv(dns_dispatch_t *);
 static isc_uint32_t dns_randomid(dns_dispatch_t *);
 static isc_uint32_t dns_hash(dns_dispatch_t *, isc_sockaddr_t *, isc_uint32_t);
 static void free_buffer(dns_dispatch_t *disp, void *buf, unsigned int len);
-static void *allocate_buffer(dns_dispatch_t *disp, unsigned int len);
+static void *allocate_udp_buffer(dns_dispatch_t *disp, unsigned int len);
 static inline void free_event(dns_dispatch_t *disp, dns_dispatchevent_t *ev);
 static inline dns_dispatchevent_t *allocate_event(dns_dispatch_t *disp);
 static void do_next_request(dns_dispatch_t *disp, dns_dispentry_t *resp);
@@ -125,6 +147,90 @@ static void do_cancel(dns_dispatch_t *disp, dns_dispentry_t *resp);
 static dns_dispentry_t *linear_first(dns_dispatch_t *disp);
 static dns_dispentry_t *linear_next(dns_dispatch_t *disp,
 				    dns_dispentry_t *resp);
+static void dispatch_free(dns_dispatch_t **dispp);
+static isc_result_t dispatch_createudp(dns_dispatchmgr_t *mgr,
+				       isc_socketmgr_t *sockmgr,
+				       isc_taskmgr_t *taskmgr,
+				       isc_sockaddr_t *localaddr,
+				       unsigned int buffersize,
+				       unsigned int maxbuffers,
+				       unsigned int maxrequests,
+				       unsigned int buckets,
+				       unsigned int increment,
+				       unsigned int attributes,
+				       dns_dispatch_t **dispp);
+static isc_boolean_t destroy_mgr_ok(dns_dispatchmgr_t *mgr);
+static void destroy_mgr(dns_dispatchmgr_t **mgrp);
+
+#define LVL(x) ISC_LOG_DEBUG(x)
+
+static inline void
+violate_locking_hierarchy(isc_mutex_t *have, isc_mutex_t *want) {
+	if (isc_mutex_trylock(want) != ISC_R_SUCCESS) {
+		UNLOCK(have);
+		LOCK(want);
+		LOCK(have);
+	}
+}
+
+static void
+mgr_log(dns_dispatchmgr_t *mgr, int level, const char *fmt, ...) {
+	char msgbuf[2048];
+	va_list ap;
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	isc_log_write(dns_lctx,
+		      DNS_LOGCATEGORY_DISPATCH, DNS_LOGMODULE_DISPATCH,
+		      level, "dispatchmgr %p: %s", mgr, msgbuf);
+}
+
+static void
+dispatch_log(dns_dispatch_t *disp, int level, const char *fmt, ...) {
+	char msgbuf[2048];
+	va_list ap;
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	isc_log_write(dns_lctx,
+		      DNS_LOGCATEGORY_DISPATCH, DNS_LOGMODULE_DISPATCH,
+		      level, "dispatch %p: %s", disp, msgbuf);
+}
+
+static void
+request_log(dns_dispatch_t *disp, dns_dispentry_t *resp,
+	    int level, const char *fmt, ...)
+{
+	char msgbuf[2048];
+	char peerbuf[256];
+	va_list ap;
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	if (VALID_RESPONSE(resp)) {
+		isc_sockaddr_format(&resp->host, peerbuf, sizeof peerbuf);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DISPATCH,
+			      DNS_LOGMODULE_DISPATCH, level,
+			      "dispatch %p request %p %s: %s", disp, resp,
+			      peerbuf, msgbuf);
+	} else if (VALID_REQUEST(resp)) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DISPATCH,
+			      DNS_LOGMODULE_DISPATCH, level,
+			      "dispatch %p response %p: %s", disp, resp,
+			      msgbuf);
+	} else {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DISPATCH,
+			      DNS_LOGMODULE_DISPATCH, level,
+			      "dispatch %p req/resp %p: %s", disp, resp,
+			      msgbuf);
+	}
+}
 
 static void
 reseed_lfsr(isc_lfsr_t *lfsr, void *arg)
@@ -140,8 +246,7 @@ reseed_lfsr(isc_lfsr_t *lfsr, void *arg)
  * Return an unpredictable message ID.
  */
 static isc_uint32_t
-dns_randomid(dns_dispatch_t *disp)
-{
+dns_randomid(dns_dispatch_t *disp) {
 	isc_uint32_t id;
 
 	id = isc_lfsr_generate32(&disp->qid_lfsr1, &disp->qid_lfsr2);
@@ -153,8 +258,7 @@ dns_randomid(dns_dispatch_t *disp)
  * Return a hash of the destination and message id.
  */
 static isc_uint32_t
-dns_hash(dns_dispatch_t *disp, isc_sockaddr_t *dest, isc_uint32_t id)
-{
+dns_hash(dns_dispatch_t *disp, isc_sockaddr_t *dest, isc_uint32_t id) {
 	unsigned int ret;
 
 	ret = isc_sockaddr_hash(dest, ISC_TRUE);
@@ -166,14 +270,8 @@ dns_hash(dns_dispatch_t *disp, isc_sockaddr_t *dest, isc_uint32_t id)
 	return (ret);
 }
 
-static dns_dispatchmethods_t dns_wire_methods = {
-	dns_randomid,
-	dns_hash
-};
-
 static dns_dispentry_t *
-linear_first(dns_dispatch_t *disp)
-{
+linear_first(dns_dispatch_t *disp) {
 	dns_dispentry_t *ret;
 	unsigned int bucket;
 
@@ -190,8 +288,7 @@ linear_first(dns_dispatch_t *disp)
 }
 
 static dns_dispentry_t *
-linear_next(dns_dispatch_t *disp, dns_dispentry_t *resp)
-{
+linear_next(dns_dispatch_t *disp, dns_dispentry_t *resp) {
 	dns_dispentry_t *ret;
 	unsigned int bucket;
 
@@ -211,48 +308,49 @@ linear_next(dns_dispatch_t *disp, dns_dispentry_t *resp)
 }
 
 /*
- * Called when refcount reaches 0 (and safe to destroy)
+ * The dispatch must be locked.
  */
-static void
-destroy(dns_dispatch_t *disp)
+static isc_boolean_t
+destroy_disp_ok(dns_dispatch_t *disp)
 {
-	dns_dispatchevent_t *ev;
+	if (disp->refcount != 0)
+		return (ISC_FALSE);
 
-	disp->magic = 0;
+	if (disp->recvs > 0)
+		return (ISC_FALSE);
 
-	dns_tcpmsg_invalidate(&disp->tcpmsg);
+	if (disp->shutting_down == 0)
+		return (ISC_FALSE);
 
-	XDEBUG(("dispatch::destroy:  detaching from sock %p and task %p\n",
-		disp->socket, disp->task));
+	return (ISC_TRUE);
+}
 
-	/*
-	 * Final cleanup of packets on the request list.
-	 */
-	ev = ISC_LIST_HEAD(disp->rq_events);
-	while (ev != NULL) {
-		ISC_LIST_UNLINK(disp->rq_events, ev, link);
-		free_buffer(disp, ev->buffer.base, ev->buffer.length);
-		free_event(disp, ev);
-		ev = ISC_LIST_HEAD(disp->rq_events);
-	}
 
-	INSIST(disp->buffers == 0);
-	INSIST(disp->requests == 0);
-	INSIST(disp->recvs == 0);
+/*
+ * Called when refcount reaches 0 (and safe to destroy).
+ *
+ * The dispatcher must not be locked.
+ * The manager must be locked.
+ */
+static void
+destroy_disp(dns_dispatch_t **dispp) {
+	dns_dispatchmgr_t *mgr;
+	dns_dispatch_t *disp;
 
-	isc_socket_detach(&disp->socket);
-	isc_task_detach(&disp->task);
+	disp = *dispp;
+	*dispp = NULL;
+	mgr = disp->mgr;
 
-	isc_mempool_put(disp->epool, disp->failsafe_ev);
-	disp->failsafe_ev = NULL;
+	ISC_LIST_UNLINK(mgr->list, disp, link);
 
-	isc_mempool_destroy(&disp->rpool);
-	isc_mempool_destroy(&disp->bpool);
-	isc_mempool_destroy(&disp->epool);
-	isc_mem_put(disp->mctx, disp->qid_table,
-		    disp->qid_nbuckets * sizeof(dns_displist_t));
+	dispatch_log(disp, LVL(90),
+		     "shutting down; detaching from sock %p, task %p",
+		     disp->socket, disp->task);
 
-	isc_mem_put(disp->mctx, disp, sizeof(dns_dispatch_t));
+	isc_socket_detach(&disp->socket);
+	isc_task_detach(&disp->task);
+
+	dispatch_free(&disp);
 }
 
 
@@ -269,9 +367,6 @@ bucket_search(dns_dispatch_t *disp, isc_sockaddr_t *dest, dns_messageid_t id,
 	while (res != NULL) {
 		if ((res->id == id) && isc_sockaddr_equal(dest, &res->host))
 			return (res);
-		XDEBUG(("lengths (%d, %d), ids (%d, %d)\n",
-			dest->length, res->host.length,
-			res->id, id));
 		res = ISC_LIST_NEXT(res, link);
 	}
 
@@ -279,8 +374,7 @@ bucket_search(dns_dispatch_t *disp, isc_sockaddr_t *dest, dns_messageid_t id,
 }
 
 static void
-free_buffer(dns_dispatch_t *disp, void *buf, unsigned int len)
-{
+free_buffer(dns_dispatch_t *disp, void *buf, unsigned int len) {
 	isc_sockettype_t socktype;
 
 	INSIST(buf != NULL && len != 0);
@@ -291,17 +385,11 @@ free_buffer(dns_dispatch_t *disp, void *buf, unsigned int len)
 
 	switch (socktype) {
 	case isc_sockettype_tcp:
-		isc_mem_put(disp->mctx, buf, len);
+		isc_mem_put(disp->mgr->mctx, buf, len);
 		break;
 	case isc_sockettype_udp:
-		XDEBUG(("Freeing buffer %p, length %d, into %s, %d remain\n",
-			buf, len,
-			(len == disp->buffersize ? "mempool" : "mctx"),
-			disp->buffers));
-		if (len == disp->buffersize)
-			isc_mempool_put(disp->bpool, buf);
-		else
-			isc_mem_put(disp->mctx, buf, len);
+		INSIST(len == disp->buffersize);
+		isc_mempool_put(disp->bpool, buf);
 		break;
 	default:
 		INSIST(0);
@@ -310,48 +398,36 @@ free_buffer(dns_dispatch_t *disp, void *buf, unsigned int len)
 }
 
 static void *
-allocate_buffer(dns_dispatch_t *disp, unsigned int len)
-{
+allocate_udp_buffer(dns_dispatch_t *disp, unsigned int len) {
 	void *temp;
 
-	INSIST(len > 0);
+	INSIST(len > 0 && len == disp->buffersize);
 
-	if (len == disp->buffersize)
-		temp = isc_mempool_get(disp->bpool);
-	else
-		temp = isc_mem_get(disp->mctx, len);
+	temp = isc_mempool_get(disp->bpool);
 
-	if (temp != NULL) {
+	if (temp != NULL)
 		disp->buffers++;
 
-		XDEBUG(("Allocated buffer %p, length %d, from %s, %d total\n",
-			temp, len,
-			(len == disp->buffersize ? "mempool" : "mctx"),
-			disp->buffers));
-	}
-
 	return (temp);
 }
 
 static inline void
-free_event(dns_dispatch_t *disp, dns_dispatchevent_t *ev)
-{
+free_event(dns_dispatch_t *disp, dns_dispatchevent_t *ev) {
 	if (disp->failsafe_ev == ev) {
 		INSIST(disp->shutdown_out == 1);
 		disp->shutdown_out = 0;
-		XDEBUG(("Returning failsafe event to dispatcher\n"));
+
 		return;
 	}
 
-	isc_mempool_put(disp->epool, ev);
+	isc_mempool_put(disp->mgr->epool, ev);
 }
 
 static inline dns_dispatchevent_t *
-allocate_event(dns_dispatch_t *disp)
-{
+allocate_event(dns_dispatch_t *disp) {
 	dns_dispatchevent_t *ev;
 
-	ev = isc_mempool_get(disp->epool);
+	ev = isc_mempool_get(disp->mgr->epool);
 
 	return (ev);
 }
@@ -380,10 +456,9 @@ allocate_event(dns_dispatch_t *disp)
  *	restart.
  */
 static void
-udp_recv(isc_task_t *task, isc_event_t *ev_in)
-{
+udp_recv(isc_task_t *task, isc_event_t *ev_in) {
 	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
-	dns_dispatch_t *disp = ev_in->arg;
+	dns_dispatch_t *disp = ev_in->ev_arg;
 	dns_messageid_t id;
 	isc_result_t dres;
 	isc_buffer_t source;
@@ -394,43 +469,45 @@ udp_recv(isc_task_t *task, isc_event_t *ev_in)
 	isc_boolean_t killit;
 	isc_boolean_t queue_request;
 	isc_boolean_t queue_response;
-	unsigned int attributes;
-
-	(void)task;  /* shut up compiler */
+	dns_dispatchmgr_t *mgr;
 
-	XDEBUG(("Got packet!\n"));
+	UNUSED(task);
 
 	LOCK(&disp->lock);
 
-	XDEBUG(("requests:  %d, buffers:  %d, recvs:  %d\n",
-		disp->requests, disp->buffers, disp->recvs));
+	mgr = disp->mgr;
+
+	dispatch_log(disp, LVL(90),
+		     "Got packet: requests %d, buffers %d, recvs %d",
+		     disp->requests, disp->buffers, disp->recvs);
 
 	INSIST(disp->recvs > 0);
 	disp->recvs--;
 
-	if (disp->refcount == 0) {
+	if (disp->shutting_down) {
 		/*
 		 * This dispatcher is shutting down.
 		 */
 		free_buffer(disp, ev->region.base, ev->region.length);
 
-		killit = ISC_FALSE;
-		if (disp->recvs == 0 && disp->refcount == 0)
-			killit = ISC_TRUE;
+		isc_event_free(&ev_in);
+		ev = NULL;
 
+		killit = destroy_disp_ok(disp);
 		UNLOCK(&disp->lock);
+		if (killit) {
+			LOCK(&mgr->lock);
+			destroy_disp(&disp);
+			killit = destroy_mgr_ok(mgr);
+			UNLOCK(&mgr->lock);
+			if (killit)
+				destroy_mgr(&mgr);
+		}
 
-		if (killit)
-			destroy(disp);
-
-		isc_event_free(&ev_in);
 		return;
 	}
 
 	if (ev->result != ISC_R_SUCCESS) {
-		XDEBUG(("recv result %d (%s)\n", ev->result,
-			isc_result_totext(ev->result)));
-
 		free_buffer(disp, ev->region.base, ev->region.length);
 
 		/*
@@ -449,26 +526,21 @@ udp_recv(isc_task_t *task, isc_event_t *ev_in)
 		goto restart;
 	}
 
-	XDEBUG(("length == %d, buflen = %d, addr = %p\n",
-		ev->n, ev->region.length, ev->region.base));
-
 	/*
 	 * Peek into the buffer to see what we can see.
 	 */
-	isc_buffer_init(&source, ev->region.base, ev->region.length,
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&source, ev->region.base, ev->region.length);
 	isc_buffer_add(&source, ev->n);
 	dres = dns_message_peekheader(&source, &id, &flags);
-	if (dres != DNS_R_SUCCESS) {
+	if (dres != ISC_R_SUCCESS) {
 		free_buffer(disp, ev->region.base, ev->region.length);
-		XDEBUG(("dns_message_peekheader(): %s\n",
-			isc_result_totext(dres)));
-		/* XXXMLG log something here... */
+		dispatch_log(disp, LVL(10), "Got garbage packet");
 		goto restart;
 	}
 
-	XDEBUG(("Got valid DNS message header, /QR %c, id %d\n",
-		((flags & DNS_MESSAGEFLAG_QR) ? '1' : '0'), id));
+	dispatch_log(disp, LVL(92),
+		     "Got valid DNS message header, /QR %c, id %u",
+		     ((flags & DNS_MESSAGEFLAG_QR) ? '1' : '0'), id);
 
 	/*
 	 * Look at flags.  If query, check to see if we have someone handling
@@ -493,10 +565,11 @@ udp_recv(isc_task_t *task, isc_event_t *ev_in)
 		/* query */
 	} else {
  		/* response */
-		bucket = disp->methods.hash(disp, &ev->address, id);
+		bucket = dns_hash(disp, &ev->address, id);
 		resp = bucket_search(disp, &ev->address, id, bucket);
-		XDEBUG(("Search for response in bucket %d: %s\n",
-			bucket, (resp == NULL ? "NOT FOUND" : "FOUND")));
+		dispatch_log(disp, LVL(90),
+			     "Search for response in bucket %d: %s",
+			     bucket, (resp == NULL ? "NOT FOUND" : "FOUND"));
 
 		if (resp == NULL) {
 			free_buffer(disp, ev->region.base, ev->region.length);
@@ -515,30 +588,25 @@ udp_recv(isc_task_t *task, isc_event_t *ev_in)
 	 * resp contains the information on the place to send it to.
 	 * Send the event off.
 	 */
-	isc_buffer_init(&rev->buffer, ev->region.base, ev->region.length,
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&rev->buffer, ev->region.base, ev->region.length);
 	isc_buffer_add(&rev->buffer, ev->n);
-	rev->result = DNS_R_SUCCESS;
+	rev->result = ISC_R_SUCCESS;
 	rev->id = id;
 	rev->addr = ev->address;
-	attributes = 0;
-	if ((ev->attributes & ISC_SOCKEVENTATTR_PKTINFO) != 0) {
-		rev->pktinfo = ev->pktinfo;
-		attributes |= DNS_DISPATCHATTR_PKTINFO;
-	} else {
-		attributes &= ~DNS_DISPATCHATTR_PKTINFO;
-	}
+	rev->pktinfo = ev->pktinfo;
+	rev->attributes = ev->attributes;
 	if (queue_request) {
-		ISC_LIST_APPEND(disp->rq_events, rev, link);
+		ISC_LIST_APPEND(disp->rq_events, rev, ev_link);
 	} else if (queue_response) {
-		ISC_LIST_APPEND(resp->items, rev, link);
+		ISC_LIST_APPEND(resp->items, rev, ev_link);
 	} else {
-		ISC_EVENT_INIT(rev, sizeof(*rev), attributes, NULL,
+		ISC_EVENT_INIT(rev, sizeof(*rev), 0, NULL,
 			       DNS_EVENT_DISPATCH,
 			       resp->action, resp->arg, resp, NULL, NULL);
-		XDEBUG(("Sent event %p buffer %p len %d to task %p, resp %p\n",
-			rev, rev->buffer.base, rev->buffer.length,
-			resp->task, resp));
+		request_log(disp, resp, LVL(90),
+			    "[a] Sent event %p buffer %p len %d to task %p",
+			    rev, rev->buffer.base, rev->buffer.length,
+			    resp->task);
 		resp->item_out = ISC_TRUE;
 		isc_task_send(resp->task, (isc_event_t **)&rev);
 	}
@@ -578,9 +646,9 @@ udp_recv(isc_task_t *task, isc_event_t *ev_in)
  *	restart.
  */
 static void
-tcp_recv(isc_task_t *task, isc_event_t *ev_in)
-{
-	dns_dispatch_t *disp = ev_in->arg;
+tcp_recv(isc_task_t *task, isc_event_t *ev_in) {
+	dns_dispatch_t *disp = ev_in->ev_arg;
+	dns_dispatchmgr_t *mgr;
 	dns_tcpmsg_t *tcpmsg = &disp->tcpmsg;
 	dns_messageid_t id;
 	isc_result_t dres;
@@ -592,11 +660,15 @@ tcp_recv(isc_task_t *task, isc_event_t *ev_in)
 	isc_boolean_t queue_request;
 	isc_boolean_t queue_response;
 
-	(void)task;  /* shut up compiler */
+	UNUSED(task);
 
 	REQUIRE(VALID_DISPATCH(disp));
 
-	XDEBUG(("Got TCP packet!\n"));
+	mgr = disp->mgr;
+
+	dispatch_log(disp, LVL(90),
+		     "Got TCP packet: requests %d, buffers %d, recvs %d",
+		     disp->requests, disp->buffers, disp->recvs);
 
 	LOCK(&disp->lock);
 
@@ -615,30 +687,34 @@ tcp_recv(isc_task_t *task, isc_event_t *ev_in)
 		break;
 
 	case ISC_R_EOF:
-		XDEBUG(("Shutting down on EOF\n"));
+		dispatch_log(disp, LVL(90), "Shutting down on EOF");
 		disp->shutdown_why = ISC_R_EOF;
 		disp->shutting_down = 1;
 		do_cancel(disp, NULL);
 		/* FALLTHROUGH */
-	case ISC_R_CANCELED:
-		/*
-		 * If the recv() was canceled pass the word on.
-		 */
-		killit = ISC_FALSE;
-		if (disp->recvs == 0 && disp->refcount == 0)
-			killit = ISC_TRUE;
-
-		UNLOCK(&disp->lock);
 
+	case ISC_R_CANCELED:
 		/*
 		 * The event is statically allocated in the tcpmsg	
-		 * structure, and destroy() frees the tcpmsg, so we must
-		 * free the event *before* calling destroy().
+		 * structure, and destroy_disp() frees the tcpmsg, so we must
+		 * free the event *before* calling destroy_disp().
 		 */
 		isc_event_free(&ev_in);
+		disp->shutting_down = 1;
 
-		if (killit)
-			destroy(disp);
+		/*
+		 * If the recv() was canceled pass the word on.
+		 */
+		killit = destroy_disp_ok(disp);
+		UNLOCK(&disp->lock);
+		if (killit) {
+			LOCK(&mgr->lock);
+			destroy_disp(&disp);
+			killit = destroy_mgr_ok(mgr);
+			UNLOCK(&mgr->lock);
+			if (killit)
+				destroy_mgr(&mgr);
+		}
 
 		return;
 
@@ -650,23 +726,22 @@ tcp_recv(isc_task_t *task, isc_event_t *ev_in)
 		goto restart;
 	}
 
-	XDEBUG(("result %d, length == %d, addr = %p\n",
-		tcpmsg->result,
-		tcpmsg->buffer.length, tcpmsg->buffer.base));
+	dispatch_log(disp, LVL(90), "result %d, length == %d, addr = %p",
+		     tcpmsg->result,
+		     tcpmsg->buffer.length, tcpmsg->buffer.base);
 
 	/*
 	 * Peek into the buffer to see what we can see.
 	 */
 	dres = dns_message_peekheader(&tcpmsg->buffer, &id, &flags);
-	if (dres != DNS_R_SUCCESS) {
-		XDEBUG(("dns_message_peekheader(): %s\n",
-			isc_result_totext(dres)));
-		/* XXXMLG log something here... */
+	if (dres != ISC_R_SUCCESS) {
+		dispatch_log(disp, LVL(10), "Got garbage packet");
 		goto restart;
 	}
 
-	XDEBUG(("Got valid DNS message header, /QR %c, id %d\n",
-		((flags & DNS_MESSAGEFLAG_QR) ? '1' : '0'), id));
+	dispatch_log(disp, LVL(92),
+		     "Got valid DNS message header, /QR %c, id %u",
+		     ((flags & DNS_MESSAGEFLAG_QR) ? '1' : '0'), id);
 
 	/*
 	 * Allocate an event to send to the query or response client, and
@@ -694,10 +769,11 @@ tcp_recv(isc_task_t *task, isc_event_t *ev_in)
 		/* query */
 	} else {
  		/* response */
-		bucket = disp->methods.hash(disp, &tcpmsg->address, id);
+		bucket = dns_hash(disp, &tcpmsg->address, id);
 		resp = bucket_search(disp, &tcpmsg->address, id, bucket);
-		XDEBUG(("Search for response in bucket %d: %s\n",
-			bucket, (resp == NULL ? "NOT FOUND" : "FOUND")));
+		dispatch_log(disp, LVL(90),
+			     "Search for response in bucket %d: %s",
+			     bucket, (resp == NULL ? "NOT FOUND" : "FOUND"));
 
 		if (resp == NULL)
 			goto restart;
@@ -714,19 +790,20 @@ tcp_recv(isc_task_t *task, isc_event_t *ev_in)
 	 */
 	dns_tcpmsg_keepbuffer(tcpmsg, &rev->buffer);
 	disp->buffers++;
-	rev->result = DNS_R_SUCCESS;
+	rev->result = ISC_R_SUCCESS;
 	rev->id = id;
 	rev->addr = tcpmsg->address;
 	if (queue_request) {
-		ISC_LIST_APPEND(disp->rq_events, rev, link);
+		ISC_LIST_APPEND(disp->rq_events, rev, ev_link);
 	} else if (queue_response) {
-		ISC_LIST_APPEND(resp->items, rev, link);
+		ISC_LIST_APPEND(resp->items, rev, ev_link);
 	} else {
 		ISC_EVENT_INIT(rev, sizeof(*rev), 0, NULL, DNS_EVENT_DISPATCH,
 			       resp->action, resp->arg, resp, NULL, NULL);
-		XDEBUG(("Sent event %p buffer %p len %d to task %p, resp %p\n",
-			rev, rev->buffer.base, rev->buffer.length,
-			resp->task, resp));
+		request_log(disp, resp, LVL(90),
+			    "[b] Sent event %p buffer %p len %d to task %p",
+			    rev, rev->buffer.base, rev->buffer.length,
+			    resp->task);
 		resp->item_out = ISC_TRUE;
 		isc_task_send(resp->task, (isc_event_t **)&rev);
 	}
@@ -743,11 +820,10 @@ tcp_recv(isc_task_t *task, isc_event_t *ev_in)
 }
 
 /*
- * disp must be locked
+ * disp must be locked.
  */
 static void
-startrecv(dns_dispatch_t *disp)
-{
+startrecv(dns_dispatch_t *disp) {
 	isc_sockettype_t socktype;
 	isc_result_t res;
 	isc_region_t region;
@@ -775,11 +851,10 @@ startrecv(dns_dispatch_t *disp)
 			 */
 		case isc_sockettype_udp:
 			region.length = disp->buffersize;
-			region.base = allocate_buffer(disp, disp->buffersize);
+			region.base = allocate_udp_buffer(disp,
+							  disp->buffersize);
 			if (region.base == NULL)
 				return;
-			XDEBUG(("Recv into %p, length %d\n", region.base,
-				region.length));
 			res = isc_socket_recv(disp->socket, &region, 1,
 					      disp->task, udp_recv, disp);
 			if (res != ISC_R_SUCCESS) {
@@ -792,7 +867,6 @@ startrecv(dns_dispatch_t *disp)
 			break;
 
 		case isc_sockettype_tcp:
-			XDEBUG(("Starting tcp receive\n"));
 			res = dns_tcpmsg_readmessage(&disp->tcpmsg,
 						     disp->task, tcp_recv,
 						     disp);
@@ -809,71 +883,310 @@ startrecv(dns_dispatch_t *disp)
 }
 
 /*
+ * Mgr must be locked when calling this function.
+ */
+static isc_boolean_t
+destroy_mgr_ok(dns_dispatchmgr_t *mgr) {
+	mgr_log(mgr, LVL(90),
+		"destroy_mgr_ok: shuttingdown=%d, listnonempty=%d, "
+		"epool=%d, rpool=%d, dpool=%d",
+		MGR_IS_SHUTTINGDOWN(mgr), !ISC_LIST_EMPTY(mgr->list),
+		isc_mempool_getallocated(mgr->epool),
+		isc_mempool_getallocated(mgr->rpool),
+		isc_mempool_getallocated(mgr->dpool));
+	if (!MGR_IS_SHUTTINGDOWN(mgr))
+		return (ISC_FALSE);
+	if (!ISC_LIST_EMPTY(mgr->list))
+		return (ISC_FALSE);
+	if (isc_mempool_getallocated(mgr->epool) != 0)
+		return (ISC_FALSE);
+	if (isc_mempool_getallocated(mgr->rpool) != 0)
+		return (ISC_FALSE);
+	if (isc_mempool_getallocated(mgr->dpool) != 0)
+		return (ISC_FALSE);
+
+	return (ISC_TRUE);
+}
+
+/*
+ * Mgr must be unlocked when calling this function.
+ */
+static void
+destroy_mgr(dns_dispatchmgr_t **mgrp) {
+	isc_mem_t *mctx;
+	dns_dispatchmgr_t *mgr;
+
+	mgr = *mgrp;
+	*mgrp = NULL;
+
+	mctx = mgr->mctx;
+
+	mgr->magic = 0;
+	mgr->mctx = 0;
+	isc_mutex_destroy(&mgr->lock);
+	mgr->state = 0;
+
+	isc_mempool_destroy(&mgr->epool);
+	isc_mempool_destroy(&mgr->rpool);
+	isc_mempool_destroy(&mgr->dpool);
+
+	isc_mutex_destroy(&mgr->pool_lock);
+
+	isc_mem_put(mctx, mgr, sizeof(dns_dispatchmgr_t));
+	isc_mem_detach(&mctx);
+}
+
+static isc_result_t
+create_socket(isc_socketmgr_t *mgr, isc_sockaddr_t *local,
+	      isc_socket_t **sockp)
+{
+	isc_socket_t *sock;
+	isc_result_t result;
+
+	sock = NULL;
+	result = isc_socket_create(mgr, isc_sockaddr_pf(local),
+				   isc_sockettype_udp, &sock);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = isc_socket_bind(sock, local);
+	if (result != ISC_R_SUCCESS) {
+		isc_socket_detach(&sock);
+		return (result);
+	}
+
+	*sockp = sock;
+	return (ISC_R_SUCCESS);
+}
+
+/*
  * Publics.
  */
 
 isc_result_t
-dns_dispatch_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
-		    unsigned int maxbuffersize,
-		    unsigned int maxbuffers, unsigned int maxrequests,
-		    unsigned int buckets, unsigned int increment,
-		    dns_dispatchmethods_t *methods,
-		    dns_dispatch_t **dispp)
+dns_dispatchmgr_create(isc_mem_t *mctx, dns_dispatchmgr_t **mgrp) {
+	dns_dispatchmgr_t *mgr;
+	isc_result_t result;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(mgrp != NULL && *mgrp == NULL);
+
+	mgr = isc_mem_get(mctx, sizeof(dns_dispatchmgr_t));
+	if (mgr == NULL)
+		return (ISC_R_NOMEMORY);
+
+	mgr->mctx = NULL;
+	isc_mem_attach(mctx, &mgr->mctx);
+
+	result = isc_mutex_init(&mgr->lock);
+	if (result != ISC_R_SUCCESS)
+		goto deallocate;
+
+	result = isc_mutex_init(&mgr->pool_lock);
+	if (result != ISC_R_SUCCESS)
+		goto kill_lock;
+
+	mgr->epool = NULL;
+	if (isc_mempool_create(mgr->mctx, sizeof(dns_dispatchevent_t),
+			       &mgr->epool) != ISC_R_SUCCESS) {
+		result = ISC_R_NOMEMORY;
+		goto kill_pool_lock;
+	}
+
+	mgr->rpool = NULL;
+	if (isc_mempool_create(mgr->mctx, sizeof(dns_dispentry_t),
+			       &mgr->rpool) != ISC_R_SUCCESS) {
+		result = ISC_R_NOMEMORY;
+		goto kill_epool;
+	}
+
+	mgr->dpool = NULL;
+	if (isc_mempool_create(mgr->mctx, sizeof(dns_dispatch_t),
+			       &mgr->dpool) != ISC_R_SUCCESS) {
+		result = ISC_R_NOMEMORY;
+		goto kill_rpool;
+	}
+
+	isc_mempool_setname(mgr->epool, "dispmgr_epool");
+	isc_mempool_setfreemax(mgr->epool, 1024);
+	isc_mempool_associatelock(mgr->epool, &mgr->pool_lock);
+
+	isc_mempool_setname(mgr->rpool, "dispmgr_rpool");
+	isc_mempool_setfreemax(mgr->rpool, 1024);
+	isc_mempool_associatelock(mgr->rpool, &mgr->pool_lock);
+
+	isc_mempool_setname(mgr->dpool, "dispmgr_dpool");
+	isc_mempool_setfreemax(mgr->dpool, 1024);
+	isc_mempool_associatelock(mgr->dpool, &mgr->pool_lock);
+
+	mgr->magic = DNS_DISPATCHMGR_MAGIC;
+	mgr->state = 0;
+	ISC_LIST_INIT(mgr->list);
+
+	*mgrp = mgr;
+	return (ISC_R_SUCCESS);
+
+#if 0
+ kill_dpool:
+	isc_mempool_destroy(&mgr->dpool);
+#endif
+ kill_rpool:
+	isc_mempool_destroy(&mgr->rpool);
+ kill_epool:
+	isc_mempool_destroy(&mgr->epool);
+ kill_pool_lock:
+	isc_mutex_destroy(&mgr->pool_lock);
+ kill_lock:
+	isc_mutex_destroy(&mgr->lock);
+ deallocate:
+	isc_mem_put(mctx, mgr, sizeof(dns_dispatchmgr_t));
+	isc_mem_detach(&mgr->mctx);
+
+	return (result);
+}
+
+
+void
+dns_dispatchmgr_destroy(dns_dispatchmgr_t **mgrp) {
+	dns_dispatchmgr_t *mgr;
+	isc_boolean_t killit;
+
+	REQUIRE(mgrp != NULL);
+	REQUIRE(VALID_DISPATCHMGR(*mgrp));
+
+	mgr = *mgrp;
+	*mgrp = NULL;
+
+	LOCK(&mgr->lock);
+	mgr->state |= MGR_SHUTTINGDOWN;
+
+	killit = destroy_mgr_ok(mgr);
+	UNLOCK(&mgr->lock);
+
+	mgr_log(mgr, LVL(90), "destroy: killit=%d", killit);
+	
+	if (killit)
+		destroy_mgr(&mgr);
+}
+
+
+#define ATTRMATCH(_a1, _a2, _mask) (((_a1) & (_mask)) == ((_a2) & (_mask)))
+
+static isc_boolean_t
+local_addr_match(dns_dispatch_t *disp, isc_sockaddr_t *addr) {
+	in_port_t port;
+
+	if (addr == NULL)
+		return (ISC_TRUE);
+
+	port = isc_sockaddr_getport(addr);
+	if (port == 0)
+		return (isc_sockaddr_eqaddr(&disp->local, addr));
+	else
+		return (isc_sockaddr_equal(&disp->local, addr));
+}
+
+/*
+ * Requires mgr be locked.
+ *
+ * No dispatcher can be locked by this thread when calling this function.
+ *
+ *
+ * NOTE:
+ *	If a matching dispatcher is found, it is locked after this function
+ *	returns, and must be unlocked by the caller.
+ */
+static isc_result_t
+dispatch_find(dns_dispatchmgr_t *mgr, isc_sockaddr_t *local,
+	      unsigned int attributes, unsigned int mask,
+	      dns_dispatch_t **dispp)
 {
 	dns_dispatch_t *disp;
-	isc_result_t res;
-	isc_sockettype_t socktype;
+	isc_result_t result;
+
+	/*
+	 * Make certain that we will not match a private dispatch.
+	 */
+	attributes &= ~DNS_DISPATCHATTR_PRIVATE;
+	mask |= DNS_DISPATCHATTR_PRIVATE;
+
+	disp = ISC_LIST_HEAD(mgr->list);
+	while (disp != NULL) {
+		LOCK(&disp->lock);
+		if ((disp->shutting_down == 0)
+		    && ATTRMATCH(disp->attributes, attributes, mask)
+		    && local_addr_match(disp, local))
+			break;
+		UNLOCK(&disp->lock);
+		disp = ISC_LIST_NEXT(disp, link);
+	}
+
+	if (disp == NULL) {
+		result = ISC_R_NOTFOUND;
+		goto out;
+	}
+
+	*dispp = disp;
+	result = ISC_R_SUCCESS;
+ out:
+
+	return (result);
+}
+
+/*
+ * Allocate and set important limits.
+ */
+static isc_result_t
+dispatch_allocate(dns_dispatchmgr_t *mgr, unsigned int buffersize,
+		  unsigned int maxbuffers, unsigned int maxrequests,
+		  unsigned int buckets, unsigned int increment,
+		  dns_dispatch_t **dispp)
+{
 	unsigned int i;
+	dns_dispatch_t *disp;
+	isc_result_t res;
 
-	REQUIRE(mctx != NULL);
-	REQUIRE(sock != NULL);
-	REQUIRE(task != NULL);
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	REQUIRE(buffersize >= 512 && buffersize < (64 * 1024));
+	REQUIRE(maxbuffers > 0);
 	REQUIRE(buckets < 2097169);  /* next prime > 65536 * 32 */
 	REQUIRE(increment > buckets);
-	REQUIRE(maxbuffersize >= 512 && maxbuffersize < (64 * 1024));
-	REQUIRE(maxbuffers > 0);
 	REQUIRE(dispp != NULL && *dispp == NULL);
 
-	socktype = isc_socket_gettype(sock);
-	REQUIRE(socktype == isc_sockettype_udp ||
-		socktype == isc_sockettype_tcp);
-
-	res = DNS_R_SUCCESS;
+	/*
+	 * Set up the dispatcher, mostly.  Don't bother setting some of
+	 * the options that are controlled by tcp vs. udp, etc.
+	 */
 
-	disp = isc_mem_get(mctx, sizeof(dns_dispatch_t));
+	disp = isc_mempool_get(mgr->dpool);
 	if (disp == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
 	disp->magic = 0;
-	disp->mctx = mctx;
-	disp->buffersize = maxbuffersize;
+	disp->mgr = mgr;
+	disp->buffersize = buffersize;
 	disp->maxrequests = maxrequests;
 	disp->maxbuffers = maxbuffers;
+	disp->attributes = 0;
+	ISC_LINK_INIT(disp, link);
 	disp->refcount = 1;
 	disp->recvs = 0;
-	if (socktype == isc_sockettype_udp) {
-		disp->recvs_wanted = 4; /* XXXMLG config option */
-	} else {
-		disp->recvs_wanted = 1;
-	}
+	memset(&disp->local, 0, sizeof disp->local);
 	disp->shutting_down = 0;
 	disp->shutdown_out = 0;
+	disp->connected = 0;
+	disp->tcpmsg_valid = 0;
 	disp->shutdown_why = ISC_R_UNEXPECTED;
 	disp->requests = 0;
 	disp->buffers = 0;
 	ISC_LIST_INIT(disp->rq_handlers);
 	ISC_LIST_INIT(disp->rq_events);
 
-	if (methods == NULL)
-		disp->methods = dns_wire_methods;
-	else
-		disp->methods = *methods;
-
-	disp->qid_table = isc_mem_get(disp->mctx,
+	disp->qid_table = isc_mem_get(mgr->mctx,
 				      buckets * sizeof(dns_displist_t));
 	if (disp->qid_table == NULL) {
-		res = DNS_R_NOMEMORY;
-		goto out1;
+		res = ISC_R_NOMEMORY;
+		goto deallocate;
 	}
 
 	for (i = 0 ; i < buckets ; i++)
@@ -883,36 +1196,20 @@ dns_dispatch_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
 	disp->qid_increment = increment;
 
 	if (isc_mutex_init(&disp->lock) != ISC_R_SUCCESS) {
-		res = DNS_R_UNEXPECTED;
+		res = ISC_R_UNEXPECTED;
 		UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_mutex_init failed");
-		goto out2;
+		goto deallocate_qidtable;
 	}
 
-	disp->epool = NULL;
-	if (isc_mempool_create(mctx, sizeof(dns_dispatchevent_t),
-			       &disp->epool) != ISC_R_SUCCESS) {
-		res = DNS_R_NOMEMORY;
-		goto out3;
-	}
-	isc_mempool_setname(disp->epool, "disp_epool");
-
 	disp->bpool = NULL;
-	if (isc_mempool_create(mctx, maxbuffersize,
+	if (isc_mempool_create(mgr->mctx, buffersize,
 			       &disp->bpool) != ISC_R_SUCCESS) {
-		res = DNS_R_NOMEMORY;
-		goto out4;
+		res = ISC_R_NOMEMORY;
+		goto kill_lock;
 	}
 	isc_mempool_setmaxalloc(disp->bpool, maxbuffers);
 	isc_mempool_setname(disp->bpool, "disp_bpool");
 
-	disp->rpool = NULL;
-	if (isc_mempool_create(mctx, sizeof(dns_dispentry_t),
-			       &disp->rpool) != ISC_R_SUCCESS) {
-		res = DNS_R_NOMEMORY;
-		goto out5;
-	}
-	isc_mempool_setname(disp->rpool, "disp_rpool");
-
 	/*
 	 * Keep some number of items around.  This should be a config
 	 * option.  For now, keep 8, but later keep at least two even
@@ -925,14 +1222,12 @@ dns_dispatch_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
 	 *
 	 * XXXMLG
 	 */
-	isc_mempool_setfreemax(disp->epool, 8);
 	isc_mempool_setfreemax(disp->bpool, 8);
-	isc_mempool_setfreemax(disp->rpool, 8);
 
 	disp->failsafe_ev = allocate_event(disp);
 	if (disp->failsafe_ev == NULL) {
-		res = DNS_R_NOMEMORY;
-		goto out6;
+		res = ISC_R_NOMEMORY;
+		goto kill_bpool;
 	}
 
 	/*
@@ -952,62 +1247,313 @@ dns_dispatch_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
 
 	disp->magic = DISPATCH_MAGIC;
 
-	disp->task = NULL;
-	isc_task_attach(task, &disp->task);
-	XDEBUG(("dns_dispatch_create: attaching to task %p\n", disp->task));
+	*dispp = disp;
+	return (ISC_R_SUCCESS);
+
+	/*
+	 * error returns
+	 */
+ kill_bpool:
+	isc_mempool_destroy(&disp->bpool);
+ kill_lock:
+	isc_mutex_destroy(&disp->lock);
+ deallocate_qidtable:
+	isc_mem_put(mgr->mctx, disp->qid_table,
+		    disp->qid_nbuckets * sizeof(dns_displist_t));
+ deallocate:
+	isc_mempool_put(mgr->dpool, disp);
+
+	return (res);
+}
+
+
+/*
+ * MUST be unlocked, and not used by anthing.
+ */
+static void
+dispatch_free(dns_dispatch_t **dispp)
+{
+	dns_dispatch_t *disp;
+	dns_dispatchmgr_t *mgr;
+	dns_dispatchevent_t *ev;
+
+	REQUIRE(VALID_DISPATCH(*dispp));
+	disp = *dispp;
+	*dispp = NULL;
+
+	mgr = disp->mgr;
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+
+	if (disp->tcpmsg_valid) {
+		dns_tcpmsg_invalidate(&disp->tcpmsg);
+		disp->tcpmsg_valid = 0;
+	}
+
+	/*
+	 * Final cleanup of packets on the request list.
+	 */
+	ev = ISC_LIST_HEAD(disp->rq_events);
+	while (ev != NULL) {
+		ISC_LIST_UNLINK(disp->rq_events, ev, ev_link);
+		free_buffer(disp, ev->buffer.base, ev->buffer.length);
+		free_event(disp, ev);
+		ev = ISC_LIST_HEAD(disp->rq_events);
+	}
+
+	INSIST(disp->buffers == 0);
+	INSIST(disp->requests == 0);
+	INSIST(disp->recvs == 0);
+
+	isc_mempool_put(mgr->epool, disp->failsafe_ev);
+	disp->failsafe_ev = NULL;
+
+	isc_mempool_destroy(&disp->bpool);
+	isc_mutex_destroy(&disp->lock);
+	isc_mem_put(mgr->mctx, disp->qid_table,
+		    disp->qid_nbuckets * sizeof(dns_displist_t));
+	disp->mgr = NULL;
+	disp->magic = 0;
+	isc_mempool_put(mgr->dpool, disp);
+}
+
+
+isc_result_t
+dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
+		       isc_taskmgr_t *taskmgr, unsigned int buffersize,
+		       unsigned int maxbuffers, unsigned int maxrequests,
+		       unsigned int buckets, unsigned int increment,
+		       unsigned int attributes, dns_dispatch_t **dispp)
+{
+	isc_result_t result;
+	dns_dispatch_t *disp;
+
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	REQUIRE(isc_socket_gettype(sock) == isc_sockettype_tcp);
+	REQUIRE((attributes & DNS_DISPATCHATTR_TCP) != 0);
+
+	attributes |= DNS_DISPATCHATTR_PRIVATE;  /* XXXMLG */
+
+	LOCK(&mgr->lock);
+
+	/*
+	 * dispatch_allocate() checks mgr, buffersize, maxbuffers,
+	 * buckets, and increment for us.
+	 */
+	disp = NULL;
+	result = dispatch_allocate(mgr, buffersize, maxbuffers, maxrequests,
+				   buckets, increment, &disp);
+	if (result != ISC_R_SUCCESS) {
+		UNLOCK(&mgr->lock);
+		return (result);
+	}
+
 	disp->socket = NULL;
 	isc_socket_attach(sock, &disp->socket);
-	XDEBUG(("dns_dispatch_create:  attaching to socket %p\n",
-		disp->socket));
 
-	dns_tcpmsg_init(disp->mctx, disp->socket, &disp->tcpmsg);
+	disp->recvs_wanted = 1;
+
+	disp->task = NULL;
+	result = isc_task_create(taskmgr, 0, &disp->task);
+	if (result != ISC_R_SUCCESS)
+		goto kill_socket;
+
+	dns_tcpmsg_init(mgr->mctx, disp->socket, &disp->tcpmsg);
+	disp->tcpmsg_valid = 1;
+
+	attributes &= ~DNS_DISPATCHATTR_UDP;
+	attributes |= DNS_DISPATCHATTR_TCP;
+	disp->attributes = attributes;
+
+	/*
+	 * Append it to the dispatcher list.
+	 */
+	ISC_LIST_APPEND(mgr->list, disp, link);
+	UNLOCK(&mgr->lock);
+
+	mgr_log(mgr, LVL(90), "created TCP dispatcher %p", disp);
+	dispatch_log(disp, LVL(90), "created task %p", disp->task);
 
 	*dispp = disp;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 
 	/*
-	 * error returns
+	 * Error returns.
 	 */
- out6:
-	isc_mempool_destroy(&disp->rpool);
- out5:
-	isc_mempool_destroy(&disp->bpool);
- out4:
-	isc_mempool_destroy(&disp->epool);
- out3:
-	isc_mutex_destroy(&disp->lock);
- out2:
-	isc_mem_put(mctx, disp->mctx, disp->qid_nbuckets * sizeof(void *));
- out1:
-	isc_mem_put(mctx, disp, sizeof(dns_dispatch_t));
+ kill_socket:
+	isc_socket_detach(&disp->socket);
+	dispatch_free(&disp);
 
-	return (res);
+	UNLOCK(&mgr->lock);
+
+	return (result);
 }
 
-void
-dns_dispatch_attach(dns_dispatch_t *disp, dns_dispatch_t **dispp)
+isc_result_t
+dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
+		    isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr,
+		    unsigned int buffersize,
+		    unsigned int maxbuffers, unsigned int maxrequests,
+		    unsigned int buckets, unsigned int increment,
+		    unsigned int attributes, unsigned int mask,
+		    dns_dispatch_t **dispp)
 {
+	isc_result_t result;
+	dns_dispatch_t *disp;
+
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	REQUIRE(sockmgr != NULL);
+	REQUIRE(localaddr != NULL);
+	REQUIRE(taskmgr != NULL);
+	REQUIRE(buffersize >= 512 && buffersize < (64 * 1024));
+	REQUIRE(maxbuffers > 0);
+	REQUIRE(buckets < 2097169);  /* next prime > 65536 * 32 */
+	REQUIRE(increment > buckets);
+	REQUIRE(dispp != NULL && *dispp == NULL);
+	REQUIRE((attributes & DNS_DISPATCHATTR_TCP) == 0);
+
+	LOCK(&mgr->lock);
+
+	/*
+	 * First, see if we have a dispatcher that matches.
+	 */
+	disp = NULL;
+	result = dispatch_find(mgr, localaddr, attributes, mask, &disp);
+	if (result == ISC_R_SUCCESS) {
+		disp->refcount++;
+
+		if (disp->maxbuffers < maxbuffers) {
+			isc_mempool_setmaxalloc(disp->bpool, maxbuffers);
+			disp->maxbuffers = maxbuffers;
+		}
+
+		if (disp->maxrequests < maxrequests)
+			disp->maxrequests = maxrequests;
+
+		UNLOCK(&disp->lock);
+		UNLOCK(&mgr->lock);
+
+		*dispp = disp;
+
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Nope, create one.
+	 */
+	result = dispatch_createudp(mgr, sockmgr, taskmgr, localaddr,
+				    buffersize, maxbuffers, maxrequests,
+				    buckets, increment, attributes, &disp);
+	if (result != ISC_R_SUCCESS) {
+		UNLOCK(&mgr->lock);
+		return (result);
+	}
+
+	UNLOCK(&mgr->lock);
+	*dispp = disp;
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * mgr should be locked.
+ */
+static isc_result_t
+dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
+		   isc_taskmgr_t *taskmgr,
+		   isc_sockaddr_t *localaddr, unsigned int buffersize,
+		   unsigned int maxbuffers, unsigned int maxrequests,
+		   unsigned int buckets, unsigned int increment,
+		   unsigned int attributes, dns_dispatch_t **dispp)
+{
+	isc_result_t result;
+	dns_dispatch_t *disp;
+	isc_socket_t *sock;
+
+	/*
+	 * dispatch_allocate() checks mgr, buffersize, maxbuffers,
+	 * buckets, and increment for us.
+	 */
+	disp = NULL;
+	result = dispatch_allocate(mgr, buffersize, maxbuffers, maxrequests,
+				   buckets, increment, &disp);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = create_socket(sockmgr, localaddr, &sock);
+	if (result != ISC_R_SUCCESS)
+		goto deallocate_dispatch;
+
+	disp->local = *localaddr;
+	disp->socket = sock;
+
+	disp->recvs_wanted = 4; /* XXXMLG config option */
+
+
+	disp->task = NULL;
+	result = isc_task_create(taskmgr, 0, &disp->task);
+	if (result != ISC_R_SUCCESS)
+		goto kill_socket;
+
+	attributes &= ~DNS_DISPATCHATTR_TCP;
+	attributes |= DNS_DISPATCHATTR_UDP;
+	disp->attributes = attributes;
+
+	/*
+	 * Append it to the dispatcher list.
+	 */
+	ISC_LIST_APPEND(mgr->list, disp, link);
+
+	mgr_log(mgr, LVL(90), "created UDP dispatcher %p", disp);
+	dispatch_log(disp, LVL(90), "created task %p", disp->task);
+	dispatch_log(disp, LVL(90), "created socket %p", disp->socket);
+
+	*dispp = disp;
+
+	return (ISC_R_SUCCESS);
+
+	/*
+	 * Error returns.
+	 */
+ kill_socket:
+	isc_socket_detach(&disp->socket);
+ deallocate_dispatch:
+	dispatch_free(&disp);
+
+	return (result);
+}
+
+void
+dns_dispatch_attach(dns_dispatch_t *disp, dns_dispatch_t **dispp) {
 	REQUIRE(VALID_DISPATCH(disp));
 	REQUIRE(dispp != NULL && *dispp == NULL);
 
+	LOCK(&disp->lock);
 	disp->refcount++;
+	UNLOCK(&disp->lock);
 
 	*dispp = disp;
 }
 
-
+/*
+ * It is important to lock the manager while we are deleting the dispatch,
+ * since dns_dispatch_getudp will call dispatch_find, which returns to
+ * the caller a dispatch but does not attach to it until later.  _getudp
+ * locks the manager, however, so locking it here will keep us from attaching
+ * to a dispatcher that is in the process of going away.
+ */
 void
-dns_dispatch_detach(dns_dispatch_t **dispp)
-{
+dns_dispatch_detach(dns_dispatch_t **dispp) {
 	dns_dispatch_t *disp;
 	isc_boolean_t killit;
+	dns_dispatchmgr_t *mgr;
 
 	REQUIRE(dispp != NULL && VALID_DISPATCH(*dispp));
 
 	disp = *dispp;
 	*dispp = NULL;
 
+	mgr = disp->mgr;
+
 	LOCK(&disp->lock);
 
 	INSIST(disp->refcount > 0);
@@ -1017,16 +1563,21 @@ dns_dispatch_detach(dns_dispatch_t **dispp)
 		if (disp->recvs > 0)
 			isc_socket_cancel(disp->socket, NULL,
 					  ISC_SOCKCANCEL_RECV);
-		else
-			killit = ISC_TRUE;
+		disp->shutting_down = 1;
 	}
 
-	XDEBUG(("dns_dispatch_detach:  refcount = %d\n", disp->refcount));
+	dispatch_log(disp, LVL(90), "detach: refcount %d", disp->refcount);
 
+	killit = destroy_disp_ok(disp);
 	UNLOCK(&disp->lock);
-
-	if (killit)
-		destroy(disp);
+	if (killit) {
+		LOCK(&mgr->lock);
+		destroy_disp(&disp);
+		killit = destroy_mgr_ok(mgr);
+		UNLOCK(&mgr->lock);
+		if (killit)
+			destroy_mgr(&mgr);
+	}
 }
 
 isc_result_t
@@ -1053,7 +1604,7 @@ dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
 		return (ISC_R_SHUTTINGDOWN);
 	}
 
-	if (disp->requests == disp->maxrequests) {
+	if (disp->requests >= disp->maxrequests) {
 		UNLOCK(&disp->lock);
 		return (ISC_R_QUOTA);
 	}
@@ -1061,8 +1612,8 @@ dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
 	/*
 	 * Try somewhat hard to find an unique ID.
 	 */
-	id = disp->methods.randomid(disp);
-	bucket = disp->methods.hash(disp, dest, id);
+	id = dns_randomid(disp);
+	bucket = dns_hash(disp, dest, id);
 	ok = ISC_FALSE;
 	for (i = 0 ; i < 64 ; i++) {
 		if (bucket_search(disp, dest, id, bucket) == NULL) {
@@ -1071,28 +1622,25 @@ dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
 		}
 		id += disp->qid_increment;
 		id &= 0x0000ffff;
-		bucket = disp->methods.hash(disp, dest, id);
+		bucket = dns_hash(disp, dest, id);
 	}
 
 	if (!ok) {
 		UNLOCK(&disp->lock);
-		return (DNS_R_NOMORE);
+		return (ISC_R_NOMORE);
 	}
 
-	res = isc_mempool_get(disp->rpool);
+	res = isc_mempool_get(disp->mgr->rpool);
 	if (res == NULL) {
 		UNLOCK(&disp->lock);
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 	}
 
 	disp->refcount++;
 	disp->requests++;
 	res->task = NULL;
 	isc_task_attach(task, &res->task);
-	XDEBUG(("dns_dispatch_addresponse:  attaching to task %p\n",
-		res->task));
-
-	res->magic = RESPONSE_MAGIC;
+	res->disp = disp;
 	res->id = id;
 	res->bucket = bucket;
 	res->host = *dest;
@@ -1101,9 +1649,11 @@ dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
 	res->item_out = ISC_FALSE;
 	ISC_LIST_INIT(res->items);
 	ISC_LINK_INIT(res, link);
+	res->magic = RESPONSE_MAGIC;
 	ISC_LIST_APPEND(disp->qid_table[bucket], res, link);
 
-	XDEBUG(("Inserted response into bucket %d\n", bucket));
+	request_log(disp, res, LVL(90),
+		    "attached to task %p", res->task);
 
 	startrecv(disp);
 
@@ -1112,13 +1662,15 @@ dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
 	*idp = id;
 	*resp = res;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 void
-dns_dispatch_removeresponse(dns_dispatch_t *disp, dns_dispentry_t **resp,
+dns_dispatch_removeresponse(dns_dispentry_t **resp,
 			    dns_dispatchevent_t **sockevent)
 {
+	dns_dispatchmgr_t *mgr;
+	dns_dispatch_t *disp;
 	dns_dispentry_t *res;
 	dns_dispatchevent_t *ev;
 	unsigned int bucket;
@@ -1126,13 +1678,17 @@ dns_dispatch_removeresponse(dns_dispatch_t *disp, dns_dispentry_t **resp,
 	unsigned int n;
 	isc_eventlist_t events;
 
-	REQUIRE(VALID_DISPATCH(disp));
 	REQUIRE(resp != NULL);
 	REQUIRE(VALID_RESPONSE(*resp));
 
 	res = *resp;
 	*resp = NULL;
 
+	disp = res->disp;
+	REQUIRE(VALID_DISPATCH(disp));
+	mgr = disp->mgr;
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+
 	if (sockevent != NULL) {
 		REQUIRE(*sockevent != NULL);
 		ev = *sockevent;
@@ -1152,11 +1708,9 @@ dns_dispatch_removeresponse(dns_dispatch_t *disp, dns_dispentry_t **resp,
 		if (disp->recvs > 0)
 			isc_socket_cancel(disp->socket, NULL,
 					  ISC_SOCKCANCEL_RECV);
-		else
-			killit = ISC_TRUE;
+		disp->shutting_down = 1;
 	}
 
-	res->magic = 0;
 	bucket = res->bucket;
 
 	ISC_LIST_UNLINK(disp->qid_table[bucket], res, link);
@@ -1184,8 +1738,7 @@ dns_dispatch_removeresponse(dns_dispatch_t *disp, dns_dispentry_t **resp,
 		free_event(disp, ev);
 	}
 
-	XDEBUG(("dns_dispatch_removeresponse:  detaching from task %p\n",
-		res->task));
+	request_log(disp, res, LVL(90), "detaching from task %p", res->task);
 	isc_task_detach(&res->task);
 
 	/*
@@ -1193,22 +1746,28 @@ dns_dispatch_removeresponse(dns_dispatch_t *disp, dns_dispentry_t **resp,
 	 */
 	ev = ISC_LIST_HEAD(res->items);
 	while (ev != NULL) {
-		ISC_LIST_UNLINK(res->items, ev, link);
+		ISC_LIST_UNLINK(res->items, ev, ev_link);
 		if (ev->buffer.base != NULL)
 			free_buffer(disp, ev->buffer.base, ev->buffer.length);
 		free_event(disp, ev);
 		ev = ISC_LIST_HEAD(res->items);
 	}
-	isc_mempool_put(disp->rpool, res);
+	res->magic = 0;
+	isc_mempool_put(disp->mgr->rpool, res);
 	if (disp->shutting_down == 1)
 		do_cancel(disp, NULL);
 	else
 		startrecv(disp);
 
+	killit = destroy_disp_ok(disp);
 	UNLOCK(&disp->lock);
-
-	if (killit)
-		destroy(disp);
+	if (killit) {
+		destroy_disp(&disp);
+		killit = destroy_mgr_ok(mgr);
+		UNLOCK(&mgr->lock);
+		if (killit)
+			destroy_mgr(&mgr);
+	}
 }
 
 isc_result_t
@@ -1229,25 +1788,23 @@ dns_dispatch_addrequest(dns_dispatch_t *disp,
 		return (ISC_R_SHUTTINGDOWN);
 	}
 
-	if (disp->requests == disp->maxrequests) {
+	if (disp->requests >= disp->maxrequests) {
 		UNLOCK(&disp->lock);
 		return (ISC_R_QUOTA);
 	}
 
-	res = isc_mempool_get(disp->rpool);
+	res = isc_mempool_get(disp->mgr->rpool);
 	if (res == NULL) {
 		UNLOCK(&disp->lock);
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 	}
 
 	disp->refcount++;
 	disp->requests++;
 	res->task = NULL;
 	isc_task_attach(task, &res->task);
-	XDEBUG(("dns_dispatch_addrequest:  attaching to task %p\n",
-		res->task));
-
 	res->magic = REQUEST_MAGIC;
+	res->disp = disp;
 	res->bucket = INVALID_BUCKET;
 	res->action = action;
 	res->arg = arg;
@@ -1256,6 +1813,8 @@ dns_dispatch_addrequest(dns_dispatch_t *disp,
 	ISC_LINK_INIT(res, link);
 	ISC_LIST_APPEND(disp->rq_handlers, res, link);
 
+	request_log(disp, res, LVL(90), "attaching task %p", res->task);
+
 	/*
 	 * If there are queries waiting to be processed, give this critter
 	 * one of them.
@@ -1268,26 +1827,32 @@ dns_dispatch_addrequest(dns_dispatch_t *disp,
 
 	*resp = res;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 void
-dns_dispatch_removerequest(dns_dispatch_t *disp, dns_dispentry_t **resp,
+dns_dispatch_removerequest(dns_dispentry_t **resp,
 			   dns_dispatchevent_t **sockevent)
 {
+	dns_dispatchmgr_t *mgr;
+	dns_dispatch_t *disp;
 	dns_dispentry_t *res;
 	dns_dispatchevent_t *ev;
 	isc_boolean_t killit;
 	unsigned int n;
 	isc_eventlist_t events;
 
-	REQUIRE(VALID_DISPATCH(disp));
 	REQUIRE(resp != NULL);
 	REQUIRE(VALID_REQUEST(*resp));
 
 	res = *resp;
 	*resp = NULL;
 
+	disp = res->disp;
+	REQUIRE(VALID_DISPATCH(disp));
+	mgr = disp->mgr;
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+
 	if (sockevent != NULL) {
 		REQUIRE(*sockevent != NULL);
 		ev = *sockevent;
@@ -1307,12 +1872,9 @@ dns_dispatch_removerequest(dns_dispatch_t *disp, dns_dispentry_t **resp,
 		if (disp->recvs > 0)
 			isc_socket_cancel(disp->socket, NULL,
 					  ISC_SOCKCANCEL_RECV);
-		else
-			killit = ISC_TRUE;
+		disp->shutting_down = 1;
 	}
 
-	res->magic = 0;
-
 	ISC_LIST_UNLINK(disp->rq_handlers, res, link);
 
 	if (ev == NULL && res->item_out) {
@@ -1338,20 +1900,25 @@ dns_dispatch_removerequest(dns_dispatch_t *disp, dns_dispentry_t **resp,
 		free_event(disp, ev);
 	}
 
-	XDEBUG(("dns_dispatch_removerequest:  detaching from task %p\n",
-		res->task));
+	request_log(disp, res, LVL(90), "detaching from task %p", res->task);
 	isc_task_detach(&res->task);
 
-	isc_mempool_put(disp->rpool, res);
+	res->magic = 0;
+	isc_mempool_put(disp->mgr->rpool, res);
 	if (disp->shutting_down == 1)
 		do_cancel(disp, NULL);
 	else
 		startrecv(disp);
 
+	killit = destroy_disp_ok(disp);
 	UNLOCK(&disp->lock);
-
-	if (killit)
-		destroy(disp);
+	if (killit) {
+		destroy_disp(&disp);
+		killit = destroy_mgr_ok(mgr);
+		UNLOCK(&mgr->lock);
+		if (killit)
+			destroy_mgr(&mgr);
+	}
 }
 
 void
@@ -1396,8 +1963,7 @@ dns_dispatch_freeevent(dns_dispatch_t *disp, dns_dispentry_t *resp,
 }
 
 static void
-do_next_response(dns_dispatch_t *disp, dns_dispentry_t *resp)
-{
+do_next_response(dns_dispatch_t *disp, dns_dispentry_t *resp) {
 	dns_dispatchevent_t *ev;
 
 	INSIST(resp->item_out == ISC_FALSE);
@@ -1405,23 +1971,24 @@ do_next_response(dns_dispatch_t *disp, dns_dispentry_t *resp)
 	ev = ISC_LIST_HEAD(resp->items);
 	if (ev == NULL) {
 		if (disp->shutting_down == 1)
-			do_cancel(disp, NULL); /* was resp */
+			do_cancel(disp, NULL);
 		return;
 	}
 
-	ISC_LIST_UNLINK(disp->rq_events, ev, link);
+	ISC_LIST_UNLINK(disp->rq_events, ev, ev_link);
 
 	ISC_EVENT_INIT(ev, sizeof(*ev), 0, NULL, DNS_EVENT_DISPATCH,
 		       resp->action, resp->arg, resp, NULL, NULL);
 	resp->item_out = ISC_TRUE;
-	XDEBUG(("Sent event %p for buffer %p (len %d) to task %p, resp %p\n",
-		ev, ev->buffer.base, ev->buffer.length, resp->task, resp));
+	request_log(disp, resp, LVL(90),
+		    "[c] Sent event %p buffer %p len %d to task %p",
+		    ev, ev->buffer.base, ev->buffer.length,
+		    resp->task);
 	isc_task_send(resp->task, (isc_event_t **)&ev);
 }
 
 static void
-do_next_request(dns_dispatch_t *disp, dns_dispentry_t *resp)
-{
+do_next_request(dns_dispatch_t *disp, dns_dispentry_t *resp) {
 	dns_dispatchevent_t *ev;
 
 	INSIST(resp->item_out == ISC_FALSE);
@@ -1429,30 +1996,27 @@ do_next_request(dns_dispatch_t *disp, dns_dispentry_t *resp)
 	ev = ISC_LIST_HEAD(disp->rq_events);
 	if (ev == NULL) {
 		if (disp->shutting_down == 1)
-			do_cancel(disp, NULL); /* was resp */
+			do_cancel(disp, NULL);
 		return;
 	}
 
-	ISC_LIST_UNLINK(disp->rq_events, ev, link);
+	ISC_LIST_UNLINK(disp->rq_events, ev, ev_link);
 
 	ISC_EVENT_INIT(ev, sizeof(*ev), 0, NULL, DNS_EVENT_DISPATCH,
 		       resp->action, resp->arg, resp, NULL, NULL);
 	resp->item_out = ISC_TRUE;
-	XDEBUG(("Sent event %p for buffer %p (len %d) to task %p, resp %p\n",
-		ev, ev->buffer.base, ev->buffer.length, resp->task, resp));
+	request_log(disp, resp, LVL(90),
+		    "[d] Sent event %p buffer %p len %d to task %p",
+		    ev, ev->buffer.base, ev->buffer.length, resp->task);
 	isc_task_send(resp->task, (isc_event_t **)&ev);
 }
 
 static void
-do_cancel(dns_dispatch_t *disp, dns_dispentry_t *resp)
-{
+do_cancel(dns_dispatch_t *disp, dns_dispentry_t *resp) {
 	dns_dispatchevent_t *ev;
 
-	if (disp->shutdown_out == 1) {
-		XDEBUG(("do_cancel() call ignored\n"));
+	if (disp->shutdown_out == 1)
 		return;
-	}
-	XDEBUG(("do_cancel:  disp = %p, resp = %p\n", disp, resp));
 
 	/*
 	 * If no target given, find the first request handler.  If
@@ -1460,14 +2024,9 @@ do_cancel(dns_dispatch_t *disp, dns_dispentry_t *resp)
 	 * kill them.
 	 */
 	if (resp == NULL) {
-		XDEBUG(("do_cancel:  passed a NULL response, searching...\n"));
 		if (ISC_LIST_EMPTY(disp->rq_events)) {
-			XDEBUG(("do_cancel:  non-empty request list.\n"));
 			resp = ISC_LIST_HEAD(disp->rq_handlers);
 			while (resp != NULL) {
-				XDEBUG(("do_cancel:  resp %p, item_out %s\n",
-					resp,
-					(resp->item_out ? "TRUE" : "FALSE")));
 				if (resp->item_out == ISC_FALSE)
 					break;
 				resp = ISC_LIST_NEXT(resp, link);
@@ -1506,23 +2065,22 @@ do_cancel(dns_dispatch_t *disp, dns_dispentry_t *resp)
 	ev->buffer.base = NULL;
 	ev->buffer.length = 0;
 	disp->shutdown_out = 1;
-	XDEBUG(("Sending failsafe event %p to task %p, resp %p\n",
-		ev, resp->task, resp));
+	request_log(disp, resp, LVL(10),
+		    "cancel:  failsafe event %p -> task %p",
+		    ev, resp->task);
 	resp->item_out = ISC_TRUE;
 	isc_task_send(resp->task, (isc_event_t **)&ev);
 }
 
 isc_socket_t *
-dns_dispatch_getsocket(dns_dispatch_t *disp)
-{
+dns_dispatch_getsocket(dns_dispatch_t *disp) {
 	REQUIRE(VALID_DISPATCH(disp));
 
 	return (disp->socket);
 }
 
 void
-dns_dispatch_cancel(dns_dispatch_t *disp)
-{
+dns_dispatch_cancel(dns_dispatch_t *disp) {
 	REQUIRE(VALID_DISPATCH(disp));
 
 	LOCK(&disp->lock);
@@ -1540,3 +2098,28 @@ dns_dispatch_cancel(dns_dispatch_t *disp)
 
 	return;
 }
+
+void
+dns_dispatch_changeattributes(dns_dispatch_t *disp,
+			      unsigned int attributes, unsigned int mask)
+{
+	LOCK(&disp->lock);
+	disp->attributes &= ~mask;
+	disp->attributes |= (attributes & mask);
+	UNLOCK(&disp->lock);
+}
+
+#if 0
+void
+dns_dispatchmgr_dump(dns_dispatchmgr_t *mgr) {
+	dns_dispatch_t *disp;
+	char foo[1024];
+
+	disp = ISC_LIST_HEAD(mgr->list);
+	while (disp != NULL) {
+		isc_sockaddr_format(&disp->local, foo, sizeof foo);
+		printf("\tdispatch %p, addr %s\n", disp, foo);
+		disp = ISC_LIST_NEXT(disp, link);
+	}
+}
+#endif
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 09851c1e..402b42e6 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.24 2000/03/13 19:27:33 bwelling Exp $
+ * $Id: dnssec.c,v 1.38 2000/05/20 01:27:28 bwelling Exp $
  * Principal Author: Brian Wellington
  */
 
@@ -24,29 +24,21 @@
 #include <config.h>
 
 #include <stdlib.h>
-#include <string.h>
 
-#include <isc/assertions.h>
-#include <isc/buffer.h>
-#include <isc/error.h>
-#include <isc/list.h>
-#include <isc/net.h>
-#include <isc/result.h>
-#include <isc/stdtime.h>
-#include <isc/types.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <dns/db.h>
+#include <dns/dnssec.h>
 #include <dns/keyvalues.h>
 #include <dns/message.h>
-#include <dns/name.h>
 #include <dns/rdata.h>
-#include <dns/rdataset.h>
 #include <dns/rdatalist.h>
-#include <dns/rdatastruct.h>
-#include <dns/dnssec.h>
-#include <dns/tsig.h> /* for DNS_TSIG_FUDGE */
+#include <dns/rdataset.h>
+#include <dns/result.h>
+#include <dns/tsig.h>		/* for DNS_TSIG_FUDGE */
 
-#include <dst/dst.h>
 #include <dst/result.h>
 
 #define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
@@ -67,14 +59,18 @@ typedef struct digestctx {
 	isc_uint8_t type;
 } digestctx_t;
 
-static isc_result_t digest_callback(void *arg, isc_region_t *data);
-static isc_result_t keyname_to_name(char *keyname, isc_mem_t *mctx,
-				    dns_name_t *name);
-static int rdata_compare_wrapper(const void *rdata1, const void *rdata2);
-static isc_result_t rdataset_to_sortedarray(dns_rdataset_t *set,
-					    isc_mem_t *mctx,
-					    dns_rdata_t **rdata, int *nrdata);
+static isc_result_t
+digest_callback(void *arg, isc_region_t *data);
 
+static isc_result_t
+keyname_to_name(char *keyname, isc_mem_t *mctx, dns_name_t *name);
+
+static int
+rdata_compare_wrapper(const void *rdata1, const void *rdata2);
+
+static isc_result_t
+rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
+			dns_rdata_t **rdata, int *nrdata);
 
 static isc_result_t
 digest_callback(void *arg, isc_region_t *data) {
@@ -84,15 +80,17 @@ digest_callback(void *arg, isc_region_t *data) {
 	REQUIRE(ctx->type == TYPE_SIGN || ctx->type == TYPE_VERIFY);
 
 	if (ctx->type == TYPE_SIGN)
-		result = dst_sign(DST_SIGMODE_UPDATE, ctx->key, &ctx->context,
-				  data, NULL);
+		result = dst_key_sign(DST_SIGMODE_UPDATE, ctx->key,
+				      &ctx->context, data, NULL);
 	else
-		result = dst_verify(DST_SIGMODE_UPDATE, ctx->key, &ctx->context,
-				    data, NULL);
+		result = dst_key_verify(DST_SIGMODE_UPDATE, ctx->key,
+					&ctx->context, data, NULL);
 	return (result);
 }
 
-/* converts the name of a key into a canonical isc_name_t */
+/*
+ * Converts the name of a key into a canonical dns_name_t.
+ */
 static isc_result_t
 keyname_to_name(char *keyname, isc_mem_t *mctx, dns_name_t *name) {
 	isc_buffer_t src, dst;
@@ -102,9 +100,9 @@ keyname_to_name(char *keyname, isc_mem_t *mctx, dns_name_t *name) {
 
 	dns_name_init(name, NULL);
 	dns_name_init(&tname, NULL);
-	isc_buffer_init(&src, keyname, strlen(keyname), ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&src, keyname, strlen(keyname));
 	isc_buffer_add(&src, strlen(keyname));
-	isc_buffer_init(&dst, data, sizeof(data), ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&dst, data, sizeof(data));
 	ret = dns_name_fromtext(&tname, &src, NULL, ISC_TRUE, &dst);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
@@ -114,13 +112,17 @@ keyname_to_name(char *keyname, isc_mem_t *mctx, dns_name_t *name) {
 	return (ret);
 }
 
-/* make qsort happy */
+/*
+ * Make qsort happy.
+ */
 static int
 rdata_compare_wrapper(const void *rdata1, const void *rdata2) {
 	return dns_rdata_compare((dns_rdata_t *)rdata1, (dns_rdata_t *)rdata2);
 }
 
-/* sort the rdataset into an array */
+/*
+ * Sort the rdataset into an array.
+ */
 static isc_result_t
 rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
 			dns_rdata_t **rdata, int *nrdata)
@@ -132,22 +134,30 @@ rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
 	ret = dns_rdataset_first(set);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
-	/* count the records */
+	/*
+	 * Count the records.
+	 */
 	while (dns_rdataset_next(set) == ISC_R_SUCCESS)
 		n++;
 
+	data = isc_mem_get(mctx, n * sizeof(dns_rdata_t));
+	if (data == NULL)
+		return (ISC_R_NOMEMORY);
+
 	ret = dns_rdataset_first(set);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
 
-	data = isc_mem_get(mctx, n * sizeof(dns_rdata_t));
-
-	/* put them in the array */
+	/*
+	 * Put them in the array.
+	 */
 	do {
 		dns_rdataset_current(set, &data[i++]);
 	} while (dns_rdataset_next(set) == ISC_R_SUCCESS);
 
-	/* sort the array */
+	/*
+	 * Sort the array.
+	 */
 	qsort(data, n, sizeof(dns_rdata_t), rdata_compare_wrapper);
 	*rdata = data;
 	*nrdata = n;
@@ -169,15 +179,14 @@ dns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx,
 	INSIST(key != NULL);
 	INSIST(*key == NULL);
 
-	isc_buffer_init(&namebuf, namestr, sizeof(namestr) - 1,
-			ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&namebuf, namestr, sizeof(namestr) - 1);
 	ret = dns_name_totext(name, ISC_FALSE, &namebuf);
 	if (ret != ISC_R_SUCCESS)
 		return ret;
-	isc_buffer_used(&namebuf, &r);
+	isc_buffer_usedregion(&namebuf, &r);
 	namestr[r.length] = 0;
 	dns_rdata_toregion(rdata, &r);
-	isc_buffer_init(&b, r.base, r.length, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&b, r.base, r.length);
 	isc_buffer_add(&b, r.length);
 	return (dst_key_fromdns(namestr, &b, mctx, key));
 }
@@ -187,7 +196,7 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 		isc_stdtime_t *inception, isc_stdtime_t *expire,
 		isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata)
 {
-	dns_rdata_generic_sig_t sig;
+	dns_rdata_sig_t sig;
 	dns_rdata_t *rdatas;
 	int nrdatas, i;
 	isc_buffer_t b, sigbuf, envbuf;
@@ -200,6 +209,7 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	unsigned int sigsize;
 
 	REQUIRE(name != NULL);
+	REQUIRE(dns_name_depth(name) <= 255);
 	REQUIRE(set != NULL);
 	REQUIRE(key != NULL);
 	REQUIRE(inception != NULL);
@@ -210,7 +220,9 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	if (*inception >= *expire)
 		return (DNS_R_INVALIDTIME);
 
-	/* Is the key allowed to sign data? */
+	/*
+	 * Is the key allowed to sign data?
+	 */
 	flags = dst_key_flags(key);
 	if (flags & DNS_KEYTYPE_NOAUTH)
 		return (DNS_R_KEYUNAUTHORIZED);
@@ -235,7 +247,7 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	sig.timesigned = *inception;
 	sig.timeexpire = *expire;
 	sig.keyid = dst_key_id(key);
-	ret = dst_sig_size(key, &sigsize);
+	ret = dst_key_sigsize(key, &sigsize);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
 	sig.siglen = sigsize;
@@ -243,26 +255,30 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	if (sig.signature == NULL)
 		goto cleanup_name;
 
-	isc_buffer_init(&b, data, sizeof(data), ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&b, data, sizeof(data));
 	ret = dns_rdata_fromstruct(NULL, sig.common.rdclass,
 				  sig.common.rdtype, &sig, &b);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_signature;
 
-	isc_buffer_used(&b, &r);
+	isc_buffer_usedregion(&b, &r);
 
-	/* Digest the SIG rdata */
+	/*
+	 * Digest the SIG rdata.
+	 */
 	r.length -= sig.siglen;
-	ret = dst_sign(DST_SIGMODE_INIT | DST_SIGMODE_UPDATE,
-		       key, &ctx, &r, NULL);
+	ret = dst_key_sign(DST_SIGMODE_INIT | DST_SIGMODE_UPDATE,
+			   key, &ctx, &r, NULL);
 
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_signature;
 
 	dns_name_toregion(name, &r);
 
-	/* create an envelope for each rdata: <name|type|class|ttl> */
-	isc_buffer_init(&envbuf, data, sizeof(data), ISC_BUFFERTYPE_BINARY);
+	/*
+	 * Create an envelope for each rdata: <name|type|class|ttl>.
+	 */
+	isc_buffer_init(&envbuf, data, sizeof(data));
 	memcpy(data, r.base, r.length);
 	isc_buffer_add(&envbuf, r.length);
 	isc_buffer_putuint16(&envbuf, set->type);
@@ -277,42 +293,46 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_signature;
-	isc_buffer_used(&envbuf, &r);
+	isc_buffer_usedregion(&envbuf, &r);
 
 	for (i = 0; i < nrdatas; i++) {
 		isc_uint16_t len;
 		isc_buffer_t lenbuf;
 		isc_region_t lenr;
 		
-		/* Digest the envelope */
-		ret = dst_sign(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL);
+		/*
+		 * Digest the envelope.
+		 */
+		ret = dst_key_sign(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_array;
 
-		/* Digest the length of the rdata */
-		isc_buffer_init(&lenbuf, &len, sizeof(len),
-				ISC_BUFFERTYPE_BINARY);
+		/*
+		 * Digest the length of the rdata.
+		 */
+		isc_buffer_init(&lenbuf, &len, sizeof(len));
 		INSIST(rdatas[i].length < 65536);
 		isc_buffer_putuint16(&lenbuf, (isc_uint16_t)rdatas[i].length);
-		isc_buffer_used(&lenbuf, &lenr);
-		ret = dst_sign(DST_SIGMODE_UPDATE, key, &ctx, &lenr, NULL);
+		isc_buffer_usedregion(&lenbuf, &lenr);
+		ret = dst_key_sign(DST_SIGMODE_UPDATE, key, &ctx, &lenr, NULL);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_array;
 
-		/* Digest the rdata */
+		/*
+		 * Digest the rdata.
+		 */
 		ret = dns_rdata_digest(&rdatas[i], digest_callback, &dctx);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_array;
 	}
 		
-	isc_buffer_init(&sigbuf, sig.signature, sig.siglen,
-			ISC_BUFFERTYPE_BINARY);
-	ret = dst_sign(DST_SIGMODE_FINAL, key, &ctx, NULL, &sigbuf);
+	isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
+	ret = dst_key_sign(DST_SIGMODE_FINAL, key, &ctx, NULL, &sigbuf);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_array;
-	isc_buffer_used(&sigbuf, &r);
+	isc_buffer_usedregion(&sigbuf, &r);
 	if (r.length != sig.siglen) {
-		ret = DNS_R_NOSPACE;
+		ret = ISC_R_NOSPACE;
 		goto cleanup_array;
 	}
 	memcpy(sig.signature, r.base, sig.siglen);
@@ -332,9 +352,10 @@ cleanup_name:
 
 isc_result_t
 dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
-		  isc_mem_t *mctx, dns_rdata_t *sigrdata)
+		  isc_boolean_t ignoretime, isc_mem_t *mctx,
+		  dns_rdata_t *sigrdata)
 {
-	dns_rdata_generic_sig_t sig;
+	dns_rdata_sig_t sig;
 	dns_fixedname_t fnewname;
 	isc_region_t r;
 	isc_buffer_t envbuf;
@@ -358,30 +379,40 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
 
-	isc_stdtime_get(&now);
+	if (!ignoretime) {
+		isc_stdtime_get(&now);
 
-	/* Is SIG temporally valid? */
-	if (sig.timesigned > now)
-		return (DNS_R_SIGFUTURE);
-	else if (sig.timeexpire < now)
-		return (DNS_R_SIGEXPIRED);
+		/*
+		 * Is SIG temporally valid?
+		 */
+		if (sig.timesigned > now)
+			return (DNS_R_SIGFUTURE);
+		else if (sig.timeexpire < now)
+			return (DNS_R_SIGEXPIRED);
+	}
 
-	/* Is the key allowed to sign data? */
+	/*
+	 * Is the key allowed to sign data?
+	 */
 	flags = dst_key_flags(key);
 	if (flags & DNS_KEYTYPE_NOAUTH)
 		return (DNS_R_KEYUNAUTHORIZED);
 	if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
 		return (DNS_R_KEYUNAUTHORIZED);
 
-	/* Digest the SIG rdata (not including the signature) */
+	/*
+	 * Digest the SIG rdata (not including the signature).
+	 */
 	dns_rdata_toregion(sigrdata, &r);
 	r.length -= sig.siglen;
-	RUNTIME_CHECK(r.length >= 20);
+	RUNTIME_CHECK(r.length >= 19);
 	
-	ret = dst_verify(DST_SIGMODE_INIT | DST_SIGMODE_UPDATE,
-			 key, &ctx, &r, NULL);
+	ret = dst_key_verify(DST_SIGMODE_INIT | DST_SIGMODE_UPDATE,
+			     key, &ctx, &r, NULL);
 
-	/* if the name is an expanded wildcard, use the wildcard name */
+	/*
+	 * If the name is an expanded wildcard, use the wildcard name.
+	 */
 	labels = dns_name_depth(name) - 1;
 	if (labels - sig.labels > 0) {
 		dns_fixedname_init(&fnewname);
@@ -392,8 +423,10 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	else
 		dns_name_toregion(name, &r);
 
-	/* create an envelope for each rdata: <name|type|class|ttl> */
-	isc_buffer_init(&envbuf, data, sizeof(data), ISC_BUFFERTYPE_BINARY);
+	/*
+	 * Create an envelope for each rdata: <name|type|class|ttl>.
+	 */
+	isc_buffer_init(&envbuf, data, sizeof(data));
 	if (labels - sig.labels > 0) {
 		isc_buffer_putuint8(&envbuf, 1);
 		isc_buffer_putuint8(&envbuf, '*');
@@ -404,7 +437,7 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	isc_buffer_add(&envbuf, r.length);
 	isc_buffer_putuint16(&envbuf, set->type);
 	isc_buffer_putuint16(&envbuf, set->rdclass);
-	isc_buffer_putuint32(&envbuf, set->ttl);
+	isc_buffer_putuint32(&envbuf, sig.originalttl);
 
 	memset(&dctx, 0, sizeof(dctx));
 	dctx.key = key;
@@ -414,27 +447,33 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_struct;
-	isc_buffer_used(&envbuf, &r);
+	isc_buffer_usedregion(&envbuf, &r);
 
 	for (i = 0; i < nrdatas; i++) {
 		isc_uint16_t len;
 		isc_buffer_t lenbuf;
 		isc_region_t lenr;
 
-		/* Digest the envelope */
-		ret = dst_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL);
+		/*
+		 * Digest the envelope.
+		 */
+		ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_array;
 
-		/* Digest the rdata length */
-		isc_buffer_init(&lenbuf, &len, sizeof(len),
-				ISC_BUFFERTYPE_BINARY);
+		/*
+		 * Digest the rdata length.
+		 */
+		isc_buffer_init(&lenbuf, &len, sizeof(len));
 		INSIST(rdatas[i].length < 65536);
 		isc_buffer_putuint16(&lenbuf, (isc_uint16_t)rdatas[i].length);
-		isc_buffer_used(&lenbuf, &lenr);
+		isc_buffer_usedregion(&lenbuf, &lenr);
 
-		/* Digest the rdata */
-		ret = dst_verify(DST_SIGMODE_UPDATE, key, &ctx, &lenr, NULL);
+		/*
+		 * Digest the rdata.
+		 */
+		ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &lenr,
+				     NULL);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_array;
 		ret = dns_rdata_digest(&rdatas[i], digest_callback, &dctx);
@@ -444,7 +483,7 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 
 	r.base = sig.signature;
 	r.length = sig.siglen;
-	ret = dst_verify(DST_SIGMODE_FINAL, key, &ctx, NULL, &r);
+	ret = dst_key_verify(DST_SIGMODE_FINAL, key, &ctx, NULL, &r);
 	if (ret == DST_R_VERIFYFINALFAILURE)
 		ret = DNS_R_SIGINVALID;
 
@@ -459,15 +498,6 @@ cleanup_struct:
 #define is_zone_key(key) ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) \
 			  == DNS_KEYOWNER_ZONE)
 
-#define check_result(op, msg) \
-	do { result = (op); \
-		if (result != DNS_R_SUCCESS) { \
-			fprintf(stderr, "%s: %s\n", msg, \
-				isc_result_totext(result)); \
-			goto failure; \
-		} \
-	} while (0)
-
 isc_result_t
 dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
 			dns_dbnode_t *node, dns_name_t *name, isc_mem_t *mctx,
@@ -482,43 +512,36 @@ dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
 
 	*nkeys = 0;
 	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_key, 0, 0,
-				     &rdataset, NULL);
-	if (result == ISC_R_NOTFOUND)
-		goto failure;
-	check_result(result, "dns_db_findrdataset()");
-	result = dns_rdataset_first(&rdataset);
-	check_result(result, "dns_rdataset_first()");
+	RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_key, 0, 0,
+				   &rdataset, NULL));
+	RETERR(dns_rdataset_first(&rdataset));
 	while (result == ISC_R_SUCCESS && count < maxkeys) {
 		pubkey = NULL;
 		dns_rdataset_current(&rdataset, &rdata);
-		result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey);
-		check_result(result, "dns_dnssec_keyfromrdata()");
+		RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
 		if (!is_zone_key(pubkey))
 			goto next;
+		keys[count] = NULL;
 		result = dst_key_fromfile(dst_key_name(pubkey),
 					  dst_key_id(pubkey),
 					  dst_key_alg(pubkey),
 					  DST_TYPE_PRIVATE,
-					  mctx, &keys[count++]);
+					  mctx, &keys[count]);
 		if (result == DST_R_INVALIDPRIVATEKEY)
-			count--;
-		else {
-			check_result(result, "dst_key_fromfile()");
-			if (dst_key_flags(keys[count - 1]) & DNS_KEYTYPE_NOAUTH)
-			{
-				dst_key_free(keys[count - 1]);
-				keys[count - 1] = NULL;
-				count--;
-			}
+			goto next;
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+		if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
+			dst_key_free(&keys[count]);
+			goto next;
 		}
+		count++;
  next:
-		dst_key_free(pubkey);
-		pubkey = NULL;
+		dst_key_free(&pubkey);
 		result = dns_rdataset_next(&rdataset);
 	}
-	if (result != DNS_R_NOMORE)
-		check_result(result, "iteration over zone keys");
+	if (result != ISC_R_NOMORE)
+		goto failure;
 	if (count == 0)
 		result = ISC_R_NOTFOUND;
 	else
@@ -528,20 +551,20 @@ dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
 	if (dns_rdataset_isassociated(&rdataset))
 		dns_rdataset_disassociate(&rdataset);
 	if (pubkey != NULL)
-		dst_key_free(pubkey);
+		dst_key_free(&pubkey);
 	*nkeys = count;
 	return (result);
 }
 
 isc_result_t
 dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
-	dns_rdata_generic_sig_t sig;
+	dns_rdata_sig_t sig;
 	unsigned char data[512];
 	unsigned char header[DNS_MESSAGE_HEADERLEN];
 	isc_buffer_t headerbuf, databuf, sigbuf;
 	unsigned int sigsize;
 	isc_buffer_t *dynbuf;
-	dns_name_t *owner, signer;
+	dns_name_t signer;
 	dns_rdata_t *rdata;
 	dns_rdatalist_t *datalist;
 	dns_rdataset_t *dataset;
@@ -560,7 +583,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 
 	mctx = msg->mctx;
 
-	memset(&sig, 0, sizeof(dns_rdata_generic_sig_t));
+	memset(&sig, 0, sizeof(dns_rdata_sig_t));
 
 	sig.mctx = mctx;
 	sig.common.rdclass = dns_rdataclass_any;
@@ -569,7 +592,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 
 	sig.covered = 0;
 	sig.algorithm = dst_key_alg(key);
-	sig.labels = 1; /* the root name */
+	sig.labels = 0; /* the root name */
 	sig.originalttl = 0;
 
 	isc_stdtime_get(&now);
@@ -584,25 +607,28 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 	sig.siglen = 0;
 	sig.signature = NULL;
 	
-	isc_buffer_init(&databuf, data, sizeof(data), ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&databuf, data, sizeof(data));
 
-	RETERR(dst_sign(DST_SIGMODE_INIT, key, &ctx, NULL, NULL));
+	RETERR(dst_key_sign(DST_SIGMODE_INIT, key, &ctx, NULL, NULL));
 
 	if (is_response(msg))
-		RETERR(dst_sign(DST_SIGMODE_UPDATE, key, &ctx, msg->query,
-				NULL));
+		RETERR(dst_key_sign(DST_SIGMODE_UPDATE, key, &ctx, msg->query,
+				    NULL));
 
-	/* Digest the header */
-	isc_buffer_init(&headerbuf, header, sizeof(header),
-			ISC_BUFFERTYPE_BINARY);
+	/*
+	 * Digest the header.
+	 */
+	isc_buffer_init(&headerbuf, header, sizeof(header));
 	dns_message_renderheader(msg, &headerbuf);
-	isc_buffer_used(&headerbuf, &r);
-	RETERR(dst_sign(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
+	isc_buffer_usedregion(&headerbuf, &r);
+	RETERR(dst_key_sign(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
 
-	/* Digest the remainder of the message */
-	isc_buffer_used(msg->buffer, &r);
+	/*
+	 * Digest the remainder of the message.
+	 */
+	isc_buffer_usedregion(msg->buffer, &r);
 	isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
-	RETERR(dst_sign(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
+	RETERR(dst_key_sign(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
 
 	/*
 	 * Digest the fields of the SIG - we can cheat and use
@@ -611,11 +637,11 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 	 */
 	RETERR(dns_rdata_fromstruct(NULL, dns_rdataclass_any,
 				    dns_rdatatype_sig, &sig, &databuf));
-	isc_buffer_used(&databuf, &r);
+	isc_buffer_usedregion(&databuf, &r);
 	r.length -= 2;
-	RETERR(dst_sign(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
+	RETERR(dst_key_sign(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
 
-	RETERR(dst_sig_size(key, &sigsize));
+	RETERR(dst_key_sigsize(key, &sigsize));
 	sig.siglen = sigsize;
 	sig.signature = (unsigned char *) isc_mem_get(mctx, sig.siglen);
 	if (sig.signature == NULL) {
@@ -623,28 +649,22 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 		goto failure;
 	}
 
-	isc_buffer_init(&sigbuf, sig.signature, sig.siglen,
-			ISC_BUFFERTYPE_BINARY);
-	RETERR(dst_sign(DST_SIGMODE_FINAL, key, &ctx, NULL, &sigbuf));
+	isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
+	RETERR(dst_key_sign(DST_SIGMODE_FINAL, key, &ctx, NULL, &sigbuf));
 
 	rdata = NULL;
 	RETERR(dns_message_gettemprdata(msg, &rdata));
 	dynbuf = NULL;
-	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024,
-				   ISC_BUFFERTYPE_BINARY));
+	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024));
 	RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
 				    dns_rdatatype_sig, &sig, dynbuf));
 
-	dns_rdata_freestruct(&sig);
+	isc_mem_put(mctx, sig.signature, sig.siglen);
+	dns_name_free(&sig.signer, mctx);
 	signeedsfree = ISC_FALSE;
 
 	dns_message_takebuffer(msg, &dynbuf);
 
-	owner = NULL;
-	RETERR(dns_message_gettempname(msg, &owner));
-	dns_name_init(owner, NULL);
-	dns_name_clone(dns_rootname, owner);
-
 	datalist = NULL;
 	RETERR(dns_message_gettemprdatalist(msg, &datalist));
 	datalist->rdclass = dns_rdataclass_any;
@@ -657,28 +677,30 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 	RETERR(dns_message_gettemprdataset(msg, &dataset));
 	dns_rdataset_init(dataset);
 	dns_rdatalist_tordataset(datalist, dataset);
-	ISC_LIST_APPEND(owner->list, dataset, link);
-	dns_message_addname(msg, owner, DNS_SECTION_SIG0);
+	msg->sig0 = dataset;
 
 	return (ISC_R_SUCCESS);
 
 failure:
 	if (dynbuf != NULL)
 		isc_buffer_free(&dynbuf);
-	if (signeedsfree)
-		dns_rdata_freestruct(&sig);
+	if (signeedsfree) {
+		isc_mem_put(mctx, sig.signature, sig.siglen);
+		dns_name_free(&sig.signer, mctx);
+	}
 
 	return (result);
 }
 
 isc_result_t
-dns_dnssec_verifymessage(dns_message_t *msg, dst_key_t *key) {
-	dns_rdata_generic_sig_t sig;
+dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
+			 dst_key_t *key)
+{
+	dns_rdata_sig_t sig;
 	unsigned char header[DNS_MESSAGE_HEADERLEN];
 	dns_rdata_t rdata;
-	dns_rdataset_t *dataset;
-	dns_name_t tname, *sig0name;
-	isc_region_t r, r2, sig_r, header_r;
+	dns_name_t tname;
+	isc_region_t r, r2, source_r, sig_r, header_r;
 	isc_stdtime_t now;
 	dst_context_t ctx;
 	isc_mem_t *mctx;
@@ -686,8 +708,8 @@ dns_dnssec_verifymessage(dns_message_t *msg, dst_key_t *key) {
 	isc_uint16_t addcount;
 	isc_boolean_t signeedsfree = ISC_FALSE;
 
+	REQUIRE(source != NULL);
 	REQUIRE(msg != NULL);
-	REQUIRE(msg->saved != NULL);
 	REQUIRE(key != NULL);
 
 	if (is_response(msg))
@@ -695,24 +717,21 @@ dns_dnssec_verifymessage(dns_message_t *msg, dst_key_t *key) {
 
 	mctx = msg->mctx;
 
-	result = dns_message_firstname(msg, DNS_SECTION_SIG0);
-	if (result != ISC_R_SUCCESS) {
-		result = ISC_R_NOTFOUND;
-		goto failure;
-	}
-	sig0name = NULL;
-	dns_message_currentname(msg, DNS_SECTION_SIG0, &sig0name);
-	dataset = NULL;
-	result = dns_message_findtype(sig0name, dns_rdatatype_sig, 0, &dataset);
-	if (result != ISC_R_SUCCESS)
-		goto failure;
+	msg->verify_attempted = 1;
 
-	RETERR(dns_rdataset_first(dataset));
-	dns_rdataset_current(dataset, &rdata);
+	isc_buffer_usedregion(source, &source_r);
+
+	RETERR(dns_rdataset_first(msg->sig0));
+	dns_rdataset_current(msg->sig0, &rdata);
 
 	RETERR(dns_rdata_tostruct(&rdata, &sig, mctx));
 	signeedsfree = ISC_TRUE;
 
+	if (sig.labels != 0) {
+		result = DNS_R_SIGINVALID;
+		goto failure;
+	}
+
 	isc_stdtime_get(&now);
 	if (sig.timesigned > now) {
 		result = DNS_R_SIGFUTURE;
@@ -725,50 +744,60 @@ dns_dnssec_verifymessage(dns_message_t *msg, dst_key_t *key) {
 		goto failure;
 	}
 
-	/* ensure that sig.signer refers to this key :) */
+	/* XXXBEW ensure that sig.signer refers to this key */
 
-	RETERR(dst_verify(DST_SIGMODE_INIT, key, &ctx, NULL, NULL));
+	RETERR(dst_key_verify(DST_SIGMODE_INIT, key, &ctx, NULL, NULL));
 
-	/* if this is a response, digest the query */
+	/*
+	 * If this is a response, digest the query.
+	 */
 	if (is_response(msg))
-		RETERR(dst_verify(DST_SIGMODE_UPDATE, key, &ctx, msg->query,
-				  NULL));
+		RETERR(dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx,
+				      msg->query, NULL));
 
-	/* Extract the header */
-	memcpy(header, msg->saved->base, DNS_MESSAGE_HEADERLEN);
+	/*
+	 * Extract the header.
+	 */
+	memcpy(header, source_r.base, DNS_MESSAGE_HEADERLEN);
 
-	/* Decrement the additional field counter */
+	/*
+	 * Decrement the additional field counter.
+	 */
 	memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
 	addcount = htons(ntohs(addcount) - 1);
 	memcpy(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
 
-	/* Digest the modified header */
+	/*
+	 * Digest the modified header.
+	 */
 	header_r.base = (unsigned char *) header;
 	header_r.length = DNS_MESSAGE_HEADERLEN;
-	RETERR(dst_verify(DST_SIGMODE_UPDATE, key, &ctx, &header_r, NULL));
+	RETERR(dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &header_r, NULL));
 
-	/* Digest all non-SIG(0) records */
-	r.base = msg->saved->base + DNS_MESSAGE_HEADERLEN;
+	/*
+	 * Digest all non-SIG(0) records.
+	 */
+	r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
 	r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
-	RETERR(dst_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
+	RETERR(dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
 
 	/*
  	 * Digest the SIG(0) record .  Find the start of the record, skip
 	 * the name and 10 bytes for class, type, ttl, length to get to
 	 * the start of the rdata.
 	 */
-	r.base = msg->saved->base + msg->sigstart;
-	r.length = msg->saved->length - msg->sigstart;
+	r.base = source_r.base + msg->sigstart;
+	r.length = source_r.length - msg->sigstart;
 	dns_name_init(&tname, NULL);
 	dns_name_fromregion(&tname, &r);
 	dns_name_toregion(&tname, &r2);
 	isc_region_consume(&r, r2.length + 10);
 	r.length -= (sig.siglen + 2);
-	RETERR(dst_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
+	RETERR(dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
 
 	sig_r.base = sig.signature;
 	sig_r.length = sig.siglen;
-	result = dst_verify(DST_SIGMODE_FINAL, key, &ctx, NULL, &sig_r);
+	result = dst_key_verify(DST_SIGMODE_FINAL, key, &ctx, NULL, &sig_r);
 	if (result != ISC_R_SUCCESS) {
 		msg->sig0status = dns_tsigerror_badsig;
 		goto failure;
@@ -784,7 +813,5 @@ failure:
 	if (signeedsfree)
 		dns_rdata_freestruct(&sig);
 
-	msg->verify_attempted = 1;
-
 	return (result);
 }
diff --git a/lib/dns/gen-unix.h b/lib/dns/gen-unix.h
index 3802f3fd..8e90c530 100644
--- a/lib/dns/gen-unix.h
+++ b/lib/dns/gen-unix.h
@@ -27,10 +27,16 @@
  * The dir stuff was shrunk to fit the needs of gen.c.
  */
 
+#ifndef DNS_GEN_UNIX_H
+#define DNS_GEN_UNIX_H 1
+
+#include <sys/types.h>
+
 #include <dirent.h>
 #include <unistd.h>
 
 #include <isc/boolean.h>
+#include <isc/lang.h>
 
 #define isc_commandline_parse		getopt
 #define isc_commandline_argument 	optarg
@@ -40,6 +46,8 @@ typedef struct {
 	char *filename;
 } isc_dir_t;
 
+ISC_LANG_BEGINDECLS
+
 static isc_boolean_t
 start_directory(const char *path, isc_dir_t *dir) {
 	dir->handle = opendir(path);
@@ -77,3 +85,6 @@ end_directory(isc_dir_t *dir) {
 	dir->handle = NULL;
 }
 
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_GEN_UNIX_H */
diff --git a/lib/dns/gen-win32.h b/lib/dns/gen-win32.h
index dd9b9ed0..5c5b35db 100644
--- a/lib/dns/gen-win32.h
+++ b/lib/dns/gen-win32.h
@@ -48,7 +48,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: gen-win32.h,v 1.2 2000/02/03 23:43:47 halley Exp $ */
+/* $Id: gen-win32.h,v 1.4 2000/05/01 17:59:02 tale Exp $ */
 
 /*
  * Principal Authors: Computer Systems Research Group at UC Berkeley
@@ -73,6 +73,9 @@
  * isc/commandline.c.  The dir stuff was shrunk to fit the needs of gen.c.
  */
 
+#ifndef DNS_GEN_WIN32_H
+#define DNS_GEN_WIN32_H 1
+
 #include <stdio.h>
 #include <string.h>
 #include <windows.h>
@@ -80,6 +83,7 @@
 #include <isc/assertions.h>
 #include <isc/boolean.h>
 #include <isc/commandline.h>
+#include <isc/lang.h>
 
 int isc_commandline_index = 1;		/* Index into parent argv vector. */
 int isc_commandline_option;		/* Character checked for validity. */
@@ -94,6 +98,8 @@ isc_boolean_t isc_commandline_reset = ISC_TRUE; /* Reset processing. */
 #define	BADARG	':'
 #define ENDOPT  ""
 
+ISC_LANG_BEGINDECLS
+
 /*
  * getopt --
  *	Parse argc/argv argument vector.
@@ -280,3 +286,7 @@ end_directory(isc_dir_t *dir) {
 	if (dir->handle != INVALID_HANDLE_VALUE)
 		FindClose(dir->handle);
 }
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_GEN_WIN32_H */
diff --git a/lib/dns/gen.c b/lib/dns/gen.c
index fd49cc6c..c19f7f11 100644
--- a/lib/dns/gen.c
+++ b/lib/dns/gen.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: gen.c,v 1.32 2000/03/17 17:45:01 gson Exp $ */
+/* $Id: gen.c,v 1.46 2000/05/09 22:22:11 tale Exp $ */
 
 #include <config.h>
 
@@ -34,31 +34,38 @@
 #include "gen-unix.h"
 #endif
 
-#define FROMTEXTDECL "dns_rdataclass_t rdclass, dns_rdatatype_t type, isc_lex_t *lexer, dns_name_t *origin, isc_boolean_t downcase, isc_buffer_t *target"
+#define FROMTEXTDECL "dns_rdataclass_t rdclass, dns_rdatatype_t type, " \
+			"isc_lex_t *lexer, dns_name_t *origin, " \
+			"isc_boolean_t downcase, isc_buffer_t *target"
 #define FROMTEXTARGS "rdclass, type, lexer, origin, downcase, target"
 #define FROMTEXTCLASS "rdclass"
 #define FROMTEXTTYPE "type"
 #define FROMTEXTDEF "use_default = ISC_TRUE"
 
-#define TOTEXTDECL "dns_rdata_t *rdata, dns_rdata_textctx_t *tctx, isc_buffer_t *target"
+#define TOTEXTDECL "dns_rdata_t *rdata, dns_rdata_textctx_t *tctx, " \
+			"isc_buffer_t *target"
 #define TOTEXTARGS "rdata, tctx, target"
 #define TOTEXTCLASS "rdata->rdclass"
 #define TOTEXTTYPE "rdata->type"
 #define TOTEXTDEF "use_default = ISC_TRUE"
 
-#define FROMWIREDECL "dns_rdataclass_t rdclass, dns_rdatatype_t type, isc_buffer_t *source, dns_decompress_t *dctx, isc_boolean_t downcase, isc_buffer_t *target"
+#define FROMWIREDECL "dns_rdataclass_t rdclass, dns_rdatatype_t type, " \
+			"isc_buffer_t *source, dns_decompress_t *dctx, " \
+			"isc_boolean_t downcase, isc_buffer_t *target"
 #define FROMWIREARGS "rdclass, type, source, dctx, downcase, target"
 #define FROMWIRECLASS "rdclass"
 #define FROMWIRETYPE "type"
 #define FROMWIREDEF "use_default = ISC_TRUE"
 
-#define TOWIREDECL "dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target"
+#define TOWIREDECL "dns_rdata_t *rdata, dns_compress_t *cctx, " \
+			"isc_buffer_t *target"
 #define TOWIREARGS "rdata, cctx, target"
 #define TOWIRECLASS "rdata->rdclass"
 #define TOWIRETYPE "rdata->type"
 #define TOWIREDEF "use_default = ISC_TRUE"
 
-#define FROMSTRUCTDECL "dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source, isc_buffer_t *target"
+#define FROMSTRUCTDECL "dns_rdataclass_t rdclass, dns_rdatatype_t type, " \
+			"void *source, isc_buffer_t *target"
 #define FROMSTRUCTARGS "rdclass, type, source, target"
 #define FROMSTRUCTCLASS "rdclass"
 #define FROMSTRUCTTYPE "type"
@@ -97,25 +104,30 @@
 #define DIGESTDEF "use_default = ISC_TRUE"
 
 char copyright[] =
-"/*\n\
- * Copyright (C) 1998%s Internet Software Consortium.\n\
- *\n\
- * Permission to use, copy, modify, and distribute this software for any\n\
- * purpose with or without fee is hereby granted, provided that the above\n\
- * copyright notice and this permission notice appear in all copies.\n\
- *\n\
- * THE SOFTWARE IS PROVIDED \"AS IS\" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS\n\
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES\n\
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE\n\
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL\n\
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR\n\
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS\n\
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS\n\
- * SOFTWARE.\n\
- */\n\
-\n\
- /* THIS FILE IS AUTOMATICALLY GENERATED: DO NOT EDIT */\n\
-\n";
+"/*\n"
+" * Copyright (C) 1998%s Internet Software Consortium.\n"
+" *\n"
+" * Permission to use, copy, modify, and distribute this software for any\n"
+" * purpose with or without fee is hereby granted, provided that the above\n"
+" * copyright notice and this permission notice appear in all copies.\n"
+" *\n"
+" * THE SOFTWARE IS PROVIDED \"AS IS\" AND INTERNET SOFTWARE CONSORTIUM\n"
+" * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL\n"
+" * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL\n"
+" * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,\n"
+" * INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING\n"
+" * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,\n"
+" * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION\n"
+" * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n"
+" */\n"
+"\n"
+"/***************\n"
+" ***************\n"
+" ***************   THIS FILE IS AUTOMATICALLY GENERATED BY gen.c.\n"
+" ***************   DO NOT EDIT!\n"
+" ***************\n"
+" ***************/\n"
+"\n";
 
 struct cc {
 	struct cc *next;
@@ -132,25 +144,42 @@ struct tt {
 	char dirname[256];		/* XXX Should be max path length */
 } *types;
 
+struct ttnam {
+	char typename[11];
+	char macroname[11];
+	char attr[256];
+	unsigned int sorted;
+} typenames[256];
+
 char *	upper(char *);
 char *	funname(char *, char *);
 void	doswitch(char *, char *, char *, char *, char *, char *);
 void	dodecl(char *, char *, char *);
 void	add(int, char *, int, char *, char *);
 void	sd(int, char *, char *, char);
+void	insert_into_typenames(int, char *, char *);
 
+/*
+ * If you use more than 10 of these in, say, a printf(), you'll have problems.
+ */
 char *
 upper(char *s) {
-	static char buf[11];
-	char *b = buf;
+	static int buf_to_use = 0;
+	static char buf[10][256];
+	char *b;
 	int c;
 
-	while ((c = (*s++) & 0xff)) {
-		
+	buf_to_use++;
+	if (buf_to_use > 9)
+		buf_to_use = 0;
+
+	b = buf[buf_to_use];
+	memset(b, 0, 256);
+
+	while ((c = (*s++) & 0xff))
 		*b++ = islower(c) ? toupper(c) : c;
-	}
 	*b = '\0';
-	return (buf);
+	return (buf[buf_to_use]);
 }
 
 char *
@@ -257,14 +286,67 @@ dodecl(char *type, char *function, char *args) {
 }
 
 void
+insert_into_typenames(int type, char *typename, char *attr)
+{
+	struct ttnam *ttn;
+	int c;
+	char tmp[256];
+
+	ttn = &typenames[type];
+	if (ttn->typename[0] == 0) {
+		if (strlen(typename) > sizeof(ttn->typename) - 1) {
+			fprintf(stderr, "Error:  type name %s is too long\n",
+				typename);
+			exit(1);
+		}
+		strcpy(ttn->typename, typename);
+	} else if (strcmp(typename, ttn->typename) != 0) {
+		fprintf(stderr, "Error:  type %d has two names: %s, %s\n",
+			type, ttn->typename, typename);
+		exit(1);
+	}
+
+	strcpy(ttn->macroname, ttn->typename);
+	c = strlen(ttn->macroname);
+	while (c > 0) {
+		if (ttn->macroname[c - 1] == '-')
+			ttn->macroname[c - 1] = '_';
+		c--;
+	}
+
+	if (attr == NULL) {
+		sprintf(tmp, "RRTYPE_%s_ATTRIBUTES", upper(ttn->macroname));
+		attr = tmp;
+	}
+
+	if (ttn->attr[0] != 0 && strcmp(attr, ttn->attr) != 0) {
+		fprintf(stderr, "Error:  type %d has different attributes: "
+			"%s, %s\n", type, ttn->attr, attr);
+		exit(1);
+	}
+
+	if (strlen(attr) > sizeof(ttn->attr) - 1) {
+		fprintf(stderr, "Error:  attr (%s) [name %s] is too long\n",
+			attr, typename);
+		exit(1);
+	}
+	strcpy(ttn->attr, attr);
+	ttn->sorted = 0;
+}
+
+void
 add(int rdclass, char *classname, int type, char *typename, char *dirname) {
 	struct tt *newtt = (struct tt *)malloc(sizeof *newtt);
 	struct tt *tt, *oldtt;
 	struct cc *newcc;
 	struct cc *cc, *oldcc;
 
-	if (newtt == NULL)
+	insert_into_typenames(type, typename, NULL);
+
+	if (newtt == NULL) {
+		fprintf(stderr, "malloc() failed\n");
 		exit(1);
+	}
 
 	newtt->next = NULL;
 	newtt->rdclass = rdclass;
@@ -297,8 +379,9 @@ add(int rdclass, char *classname, int type, char *typename, char *dirname) {
 	else
 		types = newtt;
 
-	/* do a class switch for this type */
-	 
+	/*
+	 * Do a class switch for this type.
+	 */
 	if (rdclass == 0)
 		return;
 
@@ -352,6 +435,23 @@ sd(int rdclass, char *classname, char *dirname, char filetype) {
 	end_directory(&dir);
 }
 
+static unsigned int
+HASH(char *string)
+{
+	unsigned int n;
+	unsigned char a, b;
+
+	n = strlen(string);
+	if (n == 0) {
+		fprintf(stderr, "n == 0?\n");
+		exit(1);
+	}
+	a = tolower((unsigned char)string[0]);
+	b = tolower((unsigned char)string[n - 1]);
+
+	return ((a + n) * b) % 256;
+}
+
 int
 main(int argc, char **argv) {
 	char buf[256];			/* XXX Should be max path length */
@@ -360,6 +460,8 @@ main(int argc, char **argv) {
 	char classname[11];
 	struct tt *tt;
 	struct cc *cc;
+	struct ttnam *ttn, *ttn2;
+	unsigned int hash;
 	struct tm *tm;
 	time_t now;
 	char year[11];
@@ -368,7 +470,7 @@ main(int argc, char **argv) {
 	int class_enum = 0;
 	int type_enum = 0;
 	int structs = 0;
-	int c;
+	int c, i, j;
 	char buf1[11];
 	char filetype = 'c';
 	FILE *fd;
@@ -376,6 +478,9 @@ main(int argc, char **argv) {
 	char *suffix = NULL;
 	isc_dir_t dir;
 
+	for (i = 0 ; i <= 255 ; i++)
+		memset(&typenames[i], 0, sizeof(typenames[i]));
+
 	strcpy(srcdir, "");
 	while ((c = isc_commandline_parse(argc, argv, "cits:P:S:")) != -1)
 		switch (c) {
@@ -445,16 +550,18 @@ main(int argc, char **argv) {
 	fprintf(stdout, copyright, year);
 
 	if (code) {
-		dodecl("isc_result_t", "fromtext", FROMTEXTDECL);
-		dodecl("isc_result_t", "totext", TOTEXTDECL);
-		dodecl("isc_result_t", "fromwire", FROMWIREDECL);
-		dodecl("isc_result_t", "towire", TOWIREDECL);
-		dodecl("int", "compare", COMPAREDECL);
-		dodecl("isc_result_t", "fromstruct", FROMSTRUCTDECL);
-		dodecl("isc_result_t", "tostruct", TOSTRUCTDECL);
-		dodecl("void", "freestruct", FREESTRUCTDECL);
-		dodecl("isc_result_t", "additionaldata", ADDITIONALDATADECL);
-		dodecl("isc_result_t", "digest", DIGESTDECL);
+		fputs("#ifndef DNS_CODE_H\n", stdout);
+		fputs("#define DNS_CODE_H 1\n\n", stdout);
+
+		fputs("#include <isc/boolean.h>\n", stdout);
+		fputs("#include <isc/result.h>\n\n", stdout);
+		fputs("#include <dns/name.h>\n\n", stdout);
+
+		for (tt = types; tt != NULL ; tt = tt->next)
+			fprintf(stdout, "#include \"%s/%s_%d.c\"\n",
+				tt->dirname, tt->typename, tt->type);
+
+		fputs("\n\n", stdout);
 
 		doswitch("FROMTEXTSWITCH", "fromtext", FROMTEXTARGS,
 			 FROMTEXTTYPE, FROMTEXTCLASS, FROMTEXTDEF);
@@ -479,16 +586,126 @@ main(int argc, char **argv) {
 			 DIGESTARGS, DIGESTTYPE,
 			 DIGESTCLASS, DIGESTDEF);
 
-		fprintf(stdout, "\n#define TYPENAMES%s\n",
-			types != NULL ? " \\" : "");
+		/*
+		 * From here down, we are processing the rdata names and
+		 * attributes.
+		 */
+
+#define PRINT_COMMA(x) (x == 255 ? "" : ",")
+
+#define METANOTQUESTION  "DNS_RDATATYPEATTR_META | " \
+			 "DNS_RDATATYPEATTR_NOTQUESTION"
+#define METAQUESTIONONLY "DNS_RDATATYPEATTR_META | " \
+			 "DNS_RDATATYPEATTR_QUESTIONONLY"
+#define RESERVED "DNS_RDATATYPEATTR_RESERVED"
+
+		/*
+		 * Add in reserved/special types.  This will let us
+		 * sort them without special cases.
+		 */
+		insert_into_typenames(0, "reserved0", RESERVED);
+		insert_into_typenames(31, "eid", RESERVED);
+		insert_into_typenames(32, "nimloc", RESERVED);
+		insert_into_typenames(34, "atma", RESERVED);
+		insert_into_typenames(100, "uinfo", RESERVED);
+		insert_into_typenames(101, "uid", RESERVED);
+		insert_into_typenames(102, "gid", RESERVED);
+		insert_into_typenames(251, "ixfr", METAQUESTIONONLY);
+		insert_into_typenames(252, "axfr", METAQUESTIONONLY);
+		insert_into_typenames(253, "mailb", METAQUESTIONONLY);
+		insert_into_typenames(254, "maila", METAQUESTIONONLY);
+		insert_into_typenames(255, "any", METAQUESTIONONLY);
+
+		printf("\ntypedef struct {\n");
+		printf("\tchar *name;\n");
+		printf("\tunsigned int flags;\n");
+		printf("} typeattr_t;\n");
+		printf("static typeattr_t typeattr[] = {\n");
+		for (i = 0 ; i <= 255 ; i++) {
+			ttn = &typenames[i];
+			if (ttn->typename[0] == 0) {
+				printf("\t{ \"RRTYPE%d\", "
+				       "DNS_RDATATYPEATTR_UNKNOWN"
+				       "}%s\n", i, PRINT_COMMA(i));
+			} else {
+				printf("\t{ \"%s\", %s }%s\n",
+				       upper(ttn->typename),
+				       upper(ttn->attr),
+				       PRINT_COMMA(i));
+			}
+		}
+		printf("};\n");
+
+		/*
+		 * Run through the list of types and pre-mark the unused
+		 * ones as "sorted" so we simply ignore them below.
+		 */
+		for (i = 0 ; i <= 255 ; i++) {
+			ttn = &typenames[i];
+			if (ttn->typename[0] == 0)
+				ttn->sorted = 1;
+		}
 
-		lasttype = 0;
-		for (tt = types; tt != NULL ; tt = tt->next)
-			if (tt->type != lasttype)
-				fprintf(stdout, "\t{ %d, \"%s\", 0 },%s\n",
-					lasttype = tt->type,
-					upper(tt->typename),
-					tt->next != NULL ? " \\" : "");
+		/*
+		 * Spit out a quick and dirty hash function.  Here,
+		 * we walk through the list of type names, and calculate
+		 * a hash.  This isn't perfect, but it will generate "pretty
+		 * good" estimates.  Lowercase the characters before
+		 * computing in all cases.
+		 *
+		 * Here, walk the list from top to bottom, calculating
+		 * the hash (mod 256) for each name.
+		 */
+		printf("#define RDATATYPE_COMPARE(_s, _d, _tn, _tp) \\\n");
+		printf("\tdo { \\\n");
+		printf("\t\tif (strcasecmp(_s,(_tn)) == 0) { \\\n");
+		printf("\t\t\tif ((typeattr[_d].flags & "
+		       		  "DNS_RDATATYPEATTR_RESERVED) != 0) \\\n");
+		printf("\t\t\t\treturn (ISC_R_NOTIMPLEMENTED); \\\n");
+		printf("\t\t\t*(_tp) = _d; \\\n");
+		printf("\t\t\treturn (ISC_R_SUCCESS); \\\n");
+		printf("\t\t} \\\n");
+		printf("\t} while (0)\n\n");
+
+		printf("#define RDATATYPE_FROMTEXT_SW(_hash,_typename,_typep) "
+		       "\\\n");
+		printf("\tswitch (_hash) { \\\n");
+		for (i = 0 ; i <= 255 ; i++) {
+			ttn = &typenames[i];
+
+			/*
+			 * Skip entries we already processed.
+			 */
+			if (ttn->sorted != 0)
+				continue;
+
+			hash = HASH(ttn->typename);
+			printf("\t\tcase %u: \\\n", hash);
+
+			/*
+			 * Find all other entries that happen to match
+			 * this hash.
+			 */
+			for (j = 0 ; j <= 255 ; j++) {
+				ttn2 = &typenames[j];
+				if (ttn2->sorted != 0)
+					continue;
+				if (hash == HASH(ttn2->typename)) {
+					printf("\t\t\tRDATATYPE_COMPARE"
+					       "(\"%s\", %u, "
+					       "_typename, _typep); \\\n",
+					       ttn2->typename, j);
+					ttn2->sorted = 1;
+				}
+			}
+			printf("\t\t\tbreak; \\\n");
+		}
+		printf("\t}\n");
+
+
+		/*
+		 * Dump the class names.
+		 */
 
 		fputs("\n", stdout);
 		fprintf(stdout, "\n#define CLASSNAMES%s\n",
@@ -499,35 +716,40 @@ main(int argc, char **argv) {
 				cc->rdclass, upper(cc->classname),
 				cc->next != NULL ? " \\" : "");
 
-
-		fputs("\n", stdout);
-		for (tt = types; tt != NULL ; tt = tt->next)
-			fprintf(stdout, "#include \"%s/%s_%d.c\"\n",
-				tt->dirname, tt->typename, tt->type);
+		fputs("#endif /* DNS_CODE_H */\n", stdout);
 	} else if (type_enum) {
-		fprintf(stdout, "#ifndef TYPEENUM\n");
-		fprintf(stdout, "#define TYPEENUM%s\n",
+		fprintf(stdout, "#ifndef DNS_ENUMTYPE_H\n");
+		fprintf(stdout, "#define DNS_ENUMTYPE_H 1\n");
+
+		fprintf(stdout, "#define DNS_TYPEENUM%s\n",
 			types != NULL ? " \\" : "");
 
 		lasttype = 0;
 		for (tt = types; tt != NULL ; tt = tt->next)
 			if (tt->type != lasttype)
-				fprintf(stdout, "\t dns_rdatatype_%s = %d,%s\n",
+				fprintf(stdout,
+					"\t dns_rdatatype_%s = %d,%s\n",
 					funname(tt->typename, buf1),
 					lasttype = tt->type,
 					tt->next != NULL ? " \\" : "");
-		fprintf(stdout, "#endif /* TYPEENUM */\n");
+		fprintf(stdout, "#endif /* DNS_ENUMTYPE_H */\n");
 	} else if (class_enum) {
-		fprintf(stdout, "#ifndef CLASSENUM\n");
-		fprintf(stdout, "#define CLASSENUM%s\n",
+		fprintf(stdout, "#ifndef DNS_ENUMCLASS_H\n");
+		fprintf(stdout, "#define DNS_ENUMCLASS_H 1\n");
+		
+		fprintf(stdout, "#define DNS_CLASSENUM%s\n",
 			classes != NULL ? " \\" : "");
 
-		for (cc = classes; cc != NULL; cc = cc->next)
+		printf("\t dns_rdataclass_reserved0 = 0, \\\n");
+		for (cc = classes; cc != NULL; cc = cc->next) {
+			if (cc->rdclass == 4)
+				printf("\t dns_rdataclass_chaos = 3, \\\n");
 			fprintf(stdout, "\t dns_rdataclass_%s = %d,%s\n",
 				funname(cc->classname, buf1),
 				cc->rdclass,
 				cc->next != NULL ? " \\" : "");
-		fprintf(stdout, "#endif /* CLASSENUM */\n");
+		}
+		fprintf(stdout, "#endif /* DNS_ENUMCLASS_H */\n");
 	} else if (structs) {
 		if (prefix != NULL) {
 			if ((fd = fopen(prefix,"r")) != NULL) {
diff --git a/lib/dns/include/dns/Makefile.in b/lib/dns/include/dns/Makefile.in
index 16d812de..3c4d58b6 100644
--- a/lib/dns/include/dns/Makefile.in
+++ b/lib/dns/include/dns/Makefile.in
@@ -23,11 +23,12 @@ HEADERS =	a6.h acl.h aclconf.h adb.h byaddr.h cache.h callbacks.h \
 		cert.h compress.h \
 		confacl.h confcache.h confcommon.h confctl.h confctx.h \
 		confip.h confkeys.h conflog.h conflsn.h confparser.h \
-		confresolv.h confrrset.h confserv.h confview.h confzone.h \
+		confresolv.h confrrset.h confview.h confzone.h \
 		db.h dbiterator.h dbtable.h dispatch.h \
 		dnssec.h events.h fixedname.h journal.h keyflags.h \
 		keytable.h keyvalues.h lib.h log.h master.h masterdump.h \
-		message.h name.h namedconf.h ncache.h nxt.h rbt.h rcode.h \
+		message.h name.h namedconf.h ncache.h \
+		nxt.h peer.h rbt.h rcode.h \
 		rdata.h rdataclass.h rdatalist.h rdataset.h rdatasetiter.h \
 		rdataslab.h rdatatype.h request.h resolver.h result.h \
 		rootns.h secalg.h secproto.h ssu.h tcpmsg.h time.h tkey.h \
diff --git a/lib/dns/include/dns/a6.h b/lib/dns/include/dns/a6.h
index 25b10ff5..3de3e335 100644
--- a/lib/dns/include/dns/a6.h
+++ b/lib/dns/include/dns/a6.h
@@ -19,16 +19,12 @@
 #define DNS_A6_H 1
 
 #include <isc/lang.h>
-#include <isc/types.h>
 #include <isc/stdtime.h>
 #include <isc/bitstring.h>
 #include <isc/net.h>
-#include <isc/result.h>
 
 #include <dns/types.h>
 
-ISC_LANG_BEGINDECLS
-
 typedef isc_result_t (*dns_findfunc_t)(void *arg, dns_name_t *name,
 				       dns_rdatatype_t type,
 				       isc_stdtime_t now,
@@ -60,6 +56,8 @@ struct dns_a6context {
 	isc_bitstring_t			bitstring;
 };
 
+ISC_LANG_BEGINDECLS
+
 void
 dns_a6_init(dns_a6context_t *a6ctx, dns_findfunc_t find, dns_rrsetfunc_t rrset,
 	    dns_in6addrfunc_t address, dns_a6missingfunc_t missing, void *arg);
@@ -79,4 +77,4 @@ dns_a6_foreach(dns_a6context_t *a6ctx, dns_rdataset_t *rdataset,
 
 ISC_LANG_ENDDECLS
 
-#endif /* DNS_RESULT_H */
+#endif /* DNS_A6_H */
diff --git a/lib/dns/include/dns/acl.h b/lib/dns/include/dns/acl.h
index 85332fb5..ef4c4e47 100644
--- a/lib/dns/include/dns/acl.h
+++ b/lib/dns/include/dns/acl.h
@@ -30,10 +30,13 @@
  *** Imports
  ***/
 
-#include <dns/types.h>
-#include <dns/name.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
 #include <isc/netaddr.h>
 
+#include <dns/name.h>
+#include <dns/types.h>
+
 /***
  *** Types
  ***/
@@ -76,51 +79,60 @@ struct dns_aclenv {
 	dns_acl_t *localnets;	
 };
 
-
 #define DNS_ACL_MAGIC		0x4461636c	/* Dacl */
-#define DNS_ACL_VALID(a)	((a) != NULL && \
-				 (a)->magic == DNS_ACL_MAGIC)
+#define DNS_ACL_VALID(a)	ISC_MAGIC_VALID(a, DNS_ACL_MAGIC)
+
 /***
  *** Functions
  ***/
 
 ISC_LANG_BEGINDECLS
 
-isc_result_t dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
+isc_result_t
+dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
 /*
  * Create a new ACL with room for 'n' elements.
  * The elements are uninitialized and the length is 0.
  */
 
-isc_result_t dns_acl_appendelement(dns_acl_t *acl, dns_aclelement_t *elt);
+isc_result_t
+dns_acl_appendelement(dns_acl_t *acl, dns_aclelement_t *elt);
 /*
  * Append an element to an existing ACL.
  */
 
-isc_result_t dns_acl_any(isc_mem_t *mctx, dns_acl_t **target);
+isc_result_t
+dns_acl_any(isc_mem_t *mctx, dns_acl_t **target);
 /*
  * Create a new ACL that matches everything.
  */
 
-isc_result_t dns_acl_none(isc_mem_t *mctx, dns_acl_t **target);
+isc_result_t
+dns_acl_none(isc_mem_t *mctx, dns_acl_t **target);
 /*
  * Create a new ACL that matches nothing.
  */
 
-void dns_acl_attach(dns_acl_t *source, dns_acl_t **target);
+void
+dns_acl_attach(dns_acl_t *source, dns_acl_t **target);
 
-void dns_acl_detach(dns_acl_t **aclp);
+void
+dns_acl_detach(dns_acl_t **aclp);
 
 isc_boolean_t
 dns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb);
 
-isc_boolean_t dns_acl_equal(dns_acl_t *a, dns_acl_t *b);
+isc_boolean_t
+dns_acl_equal(dns_acl_t *a, dns_acl_t *b);
 
-isc_result_t dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env);
+isc_result_t
+dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env);
 
-void dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s);
+void
+dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s);
 	
-void dns_aclenv_destroy(dns_aclenv_t *env);
+void
+dns_aclenv_destroy(dns_aclenv_t *env);
 
 isc_result_t
 dns_acl_match(isc_netaddr_t *reqaddr,
@@ -150,7 +162,7 @@ dns_acl_match(isc_netaddr_t *reqaddr,
  * If there is no match, *match will be set to zero.
  *
  * Returns:
- *	DNS_R_SUCCESS		Always succeeds.
+ *	ISC_R_SUCCESS		Always succeeds.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/lib/dns/include/dns/aclconf.h b/lib/dns/include/dns/aclconf.h
index 2a4476c0..8df15f65 100644
--- a/lib/dns/include/dns/aclconf.h
+++ b/lib/dns/include/dns/aclconf.h
@@ -18,12 +18,12 @@
 #ifndef DNS_ACLCONF_H
 #define DNS_ACLCONF_H 1
 
-#include <dns/acl.h>
-#include <dns/confacl.h>
+#include <isc/lang.h>
+
 #include <dns/confctx.h>
-#include <dns/confip.h>
+#include <dns/types.h>
 
-typedef struct {
+typedef struct dns_aclconfctx {
 	ISC_LIST(dns_acl_t) named_acl_cache;
 } dns_aclconfctx_t;
 
@@ -33,9 +33,11 @@ typedef struct {
 
 ISC_LANG_BEGINDECLS
 
-void dns_aclconfctx_init(dns_aclconfctx_t *ctx);
+void
+dns_aclconfctx_init(dns_aclconfctx_t *ctx);
 
-void dns_aclconfctx_destroy(dns_aclconfctx_t *ctx);
+void
+dns_aclconfctx_destroy(dns_aclconfctx_t *ctx);
 
 isc_result_t
 dns_acl_fromconfig(dns_c_ipmatchlist_t *caml,
diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
index ac602f0f..56642d14 100644
--- a/lib/dns/include/dns/adb.h
+++ b/lib/dns/include/dns/adb.h
@@ -16,13 +16,12 @@
  */
 
 #ifndef DNS_ADB_H
-#define DNS_ADB_H
+#define DNS_ADB_H 1
 
 /***** 
  ***** Module Info 
  *****/ 
 
-
 /*
  * DNS Address Database
  *
@@ -73,20 +72,11 @@
  *** Imports
  ***/
 
-#include <stdio.h>
-
-#include <isc/event.h>
 #include <isc/lang.h>
-#include <isc/list.h>
 #include <isc/magic.h>
 #include <isc/mem.h>
-#include <isc/result.h>
-#include <isc/sockaddr.h>
-#include <isc/stdtime.h>
-#include <isc/task.h>
 
 #include <dns/types.h>
-#include <dns/rdataset.h>
 #include <dns/view.h>
 
 ISC_LANG_BEGINDECLS
@@ -250,6 +240,17 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *tmgr,
  */
 
 void
+dns_adb_attach(dns_adb_t *adb, dns_adb_t **adbp);
+/*
+ * Attach to an 'adb' to 'adbp'.
+ *
+ * Requires:
+ *	'adb' to be a valid dns_adb_t, created via dns_adb_create().
+ *	'adbp' to be a valid pointer to a *dns_adb_t which is initalized
+ *		to NULL.
+ */
+
+void
 dns_adb_detach(dns_adb_t **adb);
 /*
  * Delete the ADB. Sets *ADB to NULL. Cancels any outstanding requests.
diff --git a/bin/tests/testzones.c b/lib/dns/include/dns/bit.h
index 4cb06b11..df0d56ad 100644
--- a/bin/tests/testzones.c
+++ b/lib/dns/include/dns/bit.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * Copyright (C) 1998, 1999, 2000  Internet Software Consortium.
  * 
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,20 +15,21 @@
  * SOFTWARE.
  */
 
-#include <isc/error.h>
+#ifndef DNS_BIT_H
+#define DNS_BIT_H 1
 
-#include "zone.h"
+#include <isc/int.h>
+#include <isc/boolean.h>
 
-int
-main (int argc, char **argv) {
-	isc_mem_t *memctx = NULL;
-	zonectx_t *zonectx = NULL;
-        zoneinfo_t *zone = NULL;
+typedef isc_uint64_t dns_bitset_t;
 
-	RUNTIME_CHECK(isc_mem_create(0, 0, &memctx) == ISC_R_SUCCESS);
+#define DNS_BIT_SET(bit, bitset) \
+     (*(bitset) |= ((dns_bitset_t)1 << (bit)))
+#define DNS_BIT_CLEAR(bit, bitset) \
+     (*(bitset) &= ~((dns_bitset_t)1 << (bit)))
+#define DNS_BIT_CHECK(bit, bitset) \
+     ISC_TF((*(bitset) & ((dns_bitset_t)1 << (bit))) \
+	    == ((dns_bitset_t)1 << (bit)))
 
-	RUNTIME_CHECK(new_zonecontext(memctx, &zonectx) == ISC_R_SUCCESS);
-
-        RUNTIME_CHECK(new_zone(zonectx, &zone) == ISC_R_SUCCESS);
-}
+#endif /* DNS_BIT_H */
 
diff --git a/lib/dns/include/dns/byaddr.h b/lib/dns/include/dns/byaddr.h
index 728b7e37..9dbb092c 100644
--- a/lib/dns/include/dns/byaddr.h
+++ b/lib/dns/include/dns/byaddr.h
@@ -46,13 +46,10 @@
  *	Drafts:	<TBS>
  */
 
-#include <isc/types.h>
 #include <isc/lang.h>
 #include <isc/event.h>
-#include <isc/netaddr.h>
 
 #include <dns/types.h>
-#include <dns/result.h>
 
 ISC_LANG_BEGINDECLS
 
diff --git a/lib/dns/include/dns/cache.h b/lib/dns/include/dns/cache.h
index ba12b3d7..796517bf 100644
--- a/lib/dns/include/dns/cache.h
+++ b/lib/dns/include/dns/cache.h
@@ -49,13 +49,9 @@
  ***/
 
 #include <isc/lang.h>
-#include <isc/mem.h>
-#include <isc/task.h>
-#include <isc/timer.h>
 #include <isc/stdtime.h>
 
 #include <dns/types.h>
-#include <dns/result.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -87,8 +83,8 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
  *
  * Returns:
  *
- *	DNS_R_SUCCESS
- *	DNS_R_NOMEMORY
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
  */
 
 void
@@ -161,8 +157,8 @@ dns_cache_setfilename(dns_cache_t *cahce, char *filename);
  * Files that are no longer used are not unlinked automatically.
  *
  * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_NOMEMORY
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
  *	Various file-related failures
  */
 
@@ -183,7 +179,7 @@ dns_cache_load(dns_cache_t *cache);
  *
  * Returns:
  *
- *	DNS_R_SUCCESS
+ *	ISC_R_SUCCESS
  *      Various failures depending on the database implementation type
  */
 
@@ -203,7 +199,7 @@ dns_cache_dump(dns_cache_t *cache);
  * 
  * Returns:
  *
- *	DNS_R_SUCCESS
+ *	ISC_R_SUCCESS
  *      Various failures depending on the database implementation type
  */
 
@@ -223,5 +219,4 @@ dns_cache_setcleaninginterval(dns_cache_t *cache, unsigned int interval);
 
 ISC_LANG_ENDDECLS
 
-#endif	/* DNS_CACHE_H */
-
+#endif /* DNS_CACHE_H */
diff --git a/lib/dns/include/dns/callbacks.h b/lib/dns/include/dns/callbacks.h
index b20935eb..05ab4695 100644
--- a/lib/dns/include/dns/callbacks.h
+++ b/lib/dns/include/dns/callbacks.h
@@ -22,12 +22,9 @@
  ***	Imports
  ***/
 
-#include <stdio.h>
-
 #include <isc/lang.h>
 
 #include <dns/types.h>
-#include <dns/result.h>
 
 ISC_LANG_BEGINDECLS
  
@@ -35,24 +32,33 @@ ISC_LANG_BEGINDECLS
  ***	Types
  ***/
 
-typedef struct dns_rdatacallbacks {
-	/* dns_load_master calls this when it has rdatasets to commit */
+struct dns_rdatacallbacks {
+	/*
+	 * dns_load_master calls this when it has rdatasets to commit.
+	 */
 	dns_addrdatasetfunc_t add;
-	/* dns_load_master / dns_rdata_fromtext call this to issue a error */
+	/*
+	 * dns_load_master / dns_rdata_fromtext call this to issue a error.
+	 */
 	void		(*error)(struct dns_rdatacallbacks *, char *, ...);
-	/* dns_load_master / dns_rdata_fromtext call this to issue a warning */
+	/*
+	 * dns_load_master / dns_rdata_fromtext call this to issue a warning.
+	 */
 	void		(*warn)(struct dns_rdatacallbacks *, char *, ...);
-	/* private data handles for use by the above callback functions */
+	/*
+	 * Private data handles for use by the above callback functions.
+	 */
 	void		*add_private;
 	void		*error_private;
 	void		*warn_private;
-} dns_rdatacallbacks_t;
+};
 
 /***
  ***	Initialization
  ***/
 
-void dns_rdatacallbacks_init(dns_rdatacallbacks_t *callbacks);
+void
+dns_rdatacallbacks_init(dns_rdatacallbacks_t *callbacks);
 /*
  * Initalise 'callbacks'.
  * 	'error' and 'warn' are set to default callbacks that print the
@@ -64,7 +70,8 @@ void dns_rdatacallbacks_init(dns_rdatacallbacks_t *callbacks);
  *      'callbacks' is a valid dns_rdatacallbacks_t,
  */
 
-void dns_rdatacallbacks_init_stdio(dns_rdatacallbacks_t *callbacks);
+void
+dns_rdatacallbacks_init_stdio(dns_rdatacallbacks_t *callbacks);
 /*
  * Like dns_rdatacallbacks_init, but logs to stdio.
  */
diff --git a/lib/dns/include/dns/cert.h b/lib/dns/include/dns/cert.h
index 2a243b81..28abb446 100644
--- a/lib/dns/include/dns/cert.h
+++ b/lib/dns/include/dns/cert.h
@@ -24,7 +24,8 @@
 
 ISC_LANG_BEGINDECLS
 
-isc_result_t dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source);
+isc_result_t
+dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source);
 /*
  * Convert the text 'source' refers to into a certificate type.
  * The text may contain either a mnemonic type name or a decimal type number.
@@ -35,12 +36,13 @@ isc_result_t dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source);
  *	'source' is a valid text region.
  *
  * Returns:
- *	DNS_R_SUCCESS			on success
+ *	ISC_R_SUCCESS			on success
+ *	ISC_R_RANGE			numeric type is out of range
  *	DNS_R_UNKNOWN			mnemonic type is unknown
- *	DNS_R_RANGE			numeric type is out of range
  */
 
-isc_result_t dns_cert_totext(dns_cert_t cert, isc_buffer_t *target);
+isc_result_t
+dns_cert_totext(dns_cert_t cert, isc_buffer_t *target);
 /*
  * Put a textual representation of certificate type 'cert' into 'target'.
  *
@@ -54,8 +56,8 @@ isc_result_t dns_cert_totext(dns_cert_t cert, isc_buffer_t *target);
  *		The used space in 'target' is updated.
  *
  * Returns:
- *	DNS_R_SUCCESS			on success
- *	DNS_R_NOSPACE			target buffer is too small
+ *	ISC_R_SUCCESS			on success
+ *	ISC_R_NOSPACE			target buffer is too small
  */
 
 ISC_LANG_ENDDECLS
diff --git a/lib/dns/include/dns/compress.h b/lib/dns/include/dns/compress.h
index 4bb2890e..f320a9ea 100644
--- a/lib/dns/include/dns/compress.h
+++ b/lib/dns/include/dns/compress.h
@@ -18,11 +18,9 @@
 #ifndef DNS_COMPRESS_H
 #define DNS_COMPRESS_H 1
 
-#include <isc/mem.h>
 #include <isc/lang.h>
 
 #include <dns/types.h>
-#include <dns/rbt.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -39,7 +37,6 @@ ISC_LANG_BEGINDECLS
  */
 #define DNS_COMPRESS_ALL		0x03	/* all compression. */
 
-
 /*
  * XXX  An API for manipulating these structures will be forthcoming.
  *	Also magic numbers, _init() and _invalidate(), etc.  At that time,
@@ -64,8 +61,8 @@ struct dns_decompress {
 	isc_boolean_t	strict;			/* Strict checking */
 };
 
-isc_result_t dns_compress_init(dns_compress_t *cctx, int edns,
-			       isc_mem_t *mctx);
+isc_result_t
+dns_compress_init(dns_compress_t *cctx, int edns, isc_mem_t *mctx);
 /*
  *	Inialise the compression context structure pointed to by 'cctx'.
  *
@@ -76,7 +73,7 @@ isc_result_t dns_compress_init(dns_compress_t *cctx, int edns,
  *		cctx->global is initalised.
  *
  *	Returns:
- *		DNS_R_SUCCESS
+ *		ISC_R_SUCCESS
  *		failures from dns_rbt_create()
  */
 
diff --git a/lib/dns/include/dns/confacl.h b/lib/dns/include/dns/confacl.h
index 387c056e..971542db 100644
--- a/lib/dns/include/dns/confacl.h
+++ b/lib/dns/include/dns/confacl.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef DNS_CONFIG_CONFACL_H
-#define DNS_CONFIG_CONFACL_H 1
+#ifndef DNS_CONFACL_H
+#define DNS_CONFACL_H 1
 
 /*****
  ***** Module Info
@@ -56,10 +56,8 @@
  *** Imports
  ***/
 
-#include <config.h>
-
-#include <isc/list.h>
-#include <isc/mem.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
 
 #include <dns/confip.h>
 
@@ -80,9 +78,7 @@
 typedef struct dns_c_acl		dns_c_acl_t;
 typedef struct dns_c_acl_table		dns_c_acltable_t;
 
-
-struct dns_c_acl 
-{
+struct dns_c_acl {
 	isc_uint32_t		magic;
 
 	dns_c_acltable_t       *mytable;
@@ -94,9 +90,7 @@ struct dns_c_acl
 	ISC_LINK(dns_c_acl_t)	next;
 };
 
-
-struct dns_c_acl_table 
-{
+struct dns_c_acl_table {
 	isc_uint32_t		magic;
 	
 	isc_mem_t	       *mem;
@@ -104,15 +98,14 @@ struct dns_c_acl_table
 	ISC_LIST(dns_c_acl_t)	acl_list;
 };
 
-
-
 /***
  *** Functions
  ***/
 
-isc_result_t	dns_c_acltable_new(isc_mem_t *mem,
-				   dns_c_acltable_t **newtable);
+ISC_LANG_BEGINDECLS
 
+isc_result_t
+dns_c_acltable_new(isc_mem_t *mem, dns_c_acltable_t **newtable);
 /*
  * Creates a new ACL table. Returns pointer to the new table through
  * NEWTABLE paramater. The memory is allocated from the MEM memory pool.
@@ -129,8 +122,8 @@ isc_result_t	dns_c_acltable_new(isc_mem_t *mem,
  */
 
 
-isc_result_t	dns_c_acltable_delete(dns_c_acltable_t **table);
-
+isc_result_t
+dns_c_acltable_delete(dns_c_acltable_t **table);
 /*
  * Destroys the table pointed to by *TABLE and all the ACLs in it. The
  * value of *TABLE can be NULL.
@@ -145,10 +138,9 @@ isc_result_t	dns_c_acltable_delete(dns_c_acltable_t **table);
  */
 
 
-isc_result_t	dns_c_acltable_getacl(dns_c_acltable_t *table,
-				      const char *aclname,
-				      dns_c_acl_t **retval);
-
+isc_result_t
+dns_c_acltable_getacl(dns_c_acltable_t *table, const char *aclname,
+		      dns_c_acl_t **retval);
 /*
  * Looks up an ACL by name in the given table. The result is returned
  * through the parameter RETVAL. The returned ACL must not be modified.
@@ -162,9 +154,8 @@ isc_result_t	dns_c_acltable_getacl(dns_c_acltable_t *table,
  * 
  */
 
-isc_result_t	dns_c_acltable_removeacl(dns_c_acltable_t *table,
-					 const char *aclname);
-
+isc_result_t
+dns_c_acltable_removeacl(dns_c_acltable_t *table, const char *aclname);
 /*
  * Removes an acl from a table. The acl is looked up by name.
  *
@@ -178,8 +169,8 @@ isc_result_t	dns_c_acltable_removeacl(dns_c_acltable_t *table,
  * 
  */
 
-void		dns_c_acltable_print(FILE *fp, int indent,
-				     dns_c_acltable_t *table);
+void
+dns_c_acltable_print(FILE *fp, int indent, dns_c_acltable_t *table);
 /*
  * Prints the ACL table and the ACLs in it to the give stdio stream.
  * indent is the indentation level (number of tabs) printed before
@@ -190,11 +181,10 @@ void		dns_c_acltable_print(FILE *fp, int indent,
  *	indent be a non-negative number
  *	table be a valid acl table.
  * 	
-*/
-
-
-isc_result_t	dns_c_acltable_clear(dns_c_acltable_t *table);
+ */
 
+isc_result_t
+dns_c_acltable_clear(dns_c_acltable_t *table);
 /*
  * Deletes all the acls from the table.
  *
@@ -206,12 +196,9 @@ isc_result_t	dns_c_acltable_clear(dns_c_acltable_t *table);
  * 
  */
 
-
-
-isc_result_t	dns_c_acl_new(dns_c_acltable_t *table,
-			      const char *aclname,
-			      isc_boolean_t isspecial,
-			      dns_c_acl_t **newacl);
+isc_result_t
+dns_c_acl_new(dns_c_acltable_t *table, const char *aclname,
+	      isc_boolean_t isspecial, dns_c_acl_t **newacl);
 /*
  * Creates a new ACL. The acl is placed in the given table. If isspecial is 
  * true then the acl is not printed by dns_c_acl_print. The new acl is
@@ -229,8 +216,8 @@ isc_result_t	dns_c_acl_new(dns_c_acltable_t *table,
  */
 
 
-void		dns_c_acl_print(FILE *fp, int indent,
-				dns_c_acl_t *acl);
+void
+dns_c_acl_print(FILE *fp, int indent, dns_c_acl_t *acl);
 /*
  * Prints out the acl to the stdio stream. The outupt is indented by INDENT 
  * tabs.
@@ -242,11 +229,9 @@ void		dns_c_acl_print(FILE *fp, int indent,
  * 
  */
 
-
-isc_result_t	dns_c_acl_setipml(dns_c_acl_t *acl,
-				  dns_c_ipmatchlist_t *ipml,
-				  isc_boolean_t deepcopy);
-
+isc_result_t
+dns_c_acl_setipml(dns_c_acl_t *acl, dns_c_ipmatchlist_t *ipml,
+		  isc_boolean_t deepcopy);
 /*
  * Sets the ipmatch list of the ACL to the IPML. If DEEPCOPY is true, then
  * a full copy of IPML is made using the MEM memory pool. In which case the 
@@ -266,10 +251,9 @@ isc_result_t	dns_c_acl_setipml(dns_c_acl_t *acl,
  * 
  */
 
-
-isc_result_t	dns_c_acl_getipmlexpanded(isc_mem_t *mem, dns_c_acl_t *acl,
-					  dns_c_ipmatchlist_t **retval);
-
+isc_result_t
+dns_c_acl_getipmlexpanded(isc_mem_t *mem, dns_c_acl_t *acl,
+			  dns_c_ipmatchlist_t **retval);
 /*
  * Retuns a copy through the RETVAL parameter (the caller is responsible
  * for deleting the returned value) of the given ACLs ipmatch list. Any
@@ -289,11 +273,8 @@ isc_result_t	dns_c_acl_getipmlexpanded(isc_mem_t *mem, dns_c_acl_t *acl,
  * 
  */
 
-
-
-isc_result_t dns_c_acl_expandacls(dns_c_acltable_t *table,
-				  dns_c_ipmatchlist_t *list);
-
+isc_result_t
+dns_c_acl_expandacls(dns_c_acltable_t *table, dns_c_ipmatchlist_t *list);
 /*
  * Goes through all the entires (direct and indirect) of LIST and
  * expands all references to ACLs using the definitions in TABLE
@@ -306,4 +287,7 @@ isc_result_t dns_c_acl_expandacls(dns_c_acltable_t *table,
  *	ISC_R_SUCCESS		-- all is well
  *	ISC_R_FAILURE		-- some acl(s) couldn't be resolved.
  */
-#endif /* DNS_CONFIG_CONFACL_H */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CONFACL_H */
diff --git a/lib/dns/include/dns/confcache.h b/lib/dns/include/dns/confcache.h
index 5bbee4b9..a3214fab 100644
--- a/lib/dns/include/dns/confcache.h
+++ b/lib/dns/include/dns/confcache.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef DNS_CONFIG_CONFCACHE_H
-#define DNS_CONFIG_CONFCACHE_H 1
+#ifndef DNS_CONFCACHE_H
+#define DNS_CONFCACHE_H 1
 
 /*****
  ***** Module Info
@@ -50,8 +50,7 @@
  *** Imports
  ***/
 
-#include <config.h>
-
+#include <isc/lang.h>
 #include <isc/types.h>
 
 
@@ -68,14 +67,14 @@ struct dns_c_cache
 	/* XXX need this fleshed out */
 };
 
-
-
-
 /***
  *** Functions
  ***/
 
-isc_result_t dns_c_cache_new(isc_mem_t *mem, dns_c_cache_t **cfgres);
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_c_cache_new(isc_mem_t *mem, dns_c_cache_t **cfgres);
 /*
  * Creates a new cache-config object.
  *
@@ -89,7 +88,8 @@ isc_result_t dns_c_cache_new(isc_mem_t *mem, dns_c_cache_t **cfgres);
  * 
  */
 
-isc_result_t dns_c_cache_delete(dns_c_cache_t **cfgres);
+isc_result_t
+dns_c_cache_delete(dns_c_cache_t **cfgres);
 /*
  * Deletes the config-cache object and its contents.
  *
@@ -102,5 +102,6 @@ isc_result_t dns_c_cache_delete(dns_c_cache_t **cfgres);
  * 
  */
 
+ISC_LANG_ENDDECLS
 
-#endif /* DNS_CONFIG_CONFCACHE_H */
+#endif /* DNS_CONFCACHE_H */
diff --git a/lib/dns/include/dns/confcommon.h b/lib/dns/include/dns/confcommon.h
index 37b8f230..092a4a4a 100644
--- a/lib/dns/include/dns/confcommon.h
+++ b/lib/dns/include/dns/confcommon.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef DNS_CONFIG_CONFCOMMON_H
-#define DNS_CONFIG_CONFCOMMON_H 1
+#ifndef DNS_CONFCOMMON_H
+#define DNS_CONFCOMMON_H 1
 
 /*****
  ***** Module Info
@@ -53,25 +53,16 @@
  *** Imports
  ***/
 
-#include <config.h>
-
-#include <sys/types.h>
-
 #include <stdio.h>
-#include <stdarg.h>
-#include <string.h>
-#include <limits.h>
 
-#include <isc/int.h>
-#include <isc/result.h>
-#include <isc/types.h>
-#include <isc/net.h>
-#include <isc/sockaddr.h>
+#include <isc/lang.h>
 
 #include <dns/types.h>
 
-/* Constants used in the defintions of default logging channels and
-   categories */
+/*
+ * Constants used in the defintions of default logging channels and
+ * categories.
+ */
 #define DNS_C_DEFAULT_SYSLOG "default_syslog"
 #define DNS_C_DEFAULT_DEBUG "default_debug"
 #define DNS_C_DEFAULT_DEBUG_PATH "named.run"
@@ -79,28 +70,32 @@
 #define DNS_C_DEFAULT_STDERR  "default_stderr"
 #define DNS_C_STDERR_PATH " <stderr> "	/* not really a path */
 
-
-
-/* The value we use in config files if the user doesn't specify the port or 
- *   in some statements
+/*
+ * The value we use in config files if the user doesn't specify the port or 
+ * in some statements.
  */
 #define DNS_C_DEFAULTPORT	53	/* XXX this should be imported */
 
-
-/* What an 'unlimited' value for a size_spec is stored as internally */
+/*
+ * What an 'unlimited' value for a size_spec is stored as internally.
+ */
 #define DNS_C_SIZE_SPEC_UNLIM (~((isc_uint32_t) 0x0))
 
-/* What a 'default' value for a size_spec is stored as internally */
+/*
+ * What a 'default' value for a size_spec is stored as internally.
+ */
 #define DNS_C_SIZE_SPEC_DEFAULT (DNS_C_SIZE_SPEC_UNLIM - 1)
 
-/* What 'unlimited' is stored as internally for logging file versions */
-#define DNS_C_UNLIM_VERSIONS DNS_C_SIZE_SPEC_UNLIM
-
-/* The default ordering given to rrset-order statements when the type given 
-   is illegal (so parsing can continue). */
-#define DNS_DEFAULT_ORDERING dns_c_ordering_fixed
-
+/*
+ * What 'unlimited' is stored as internally for logging file versions
+ */
+#define DNS_C_UNLIM_VERSIONS	DNS_C_SIZE_SPEC_UNLIM
 
+/*
+ * The default ordering given to rrset-order statements when the type given 
+ * is illegal (so parsing can continue).
+ */
+#define DNS_DEFAULT_ORDERING 	dns_c_ordering_fixed
 
 /***
  *** Types
@@ -114,15 +109,6 @@ typedef enum {
 	dns_c_forw_nodomain
 } dns_c_forw_t;
 
-/* value of a 'check-names' method  */
-#if 0
-typedef enum {
-	dns_c_severity_ignore,
-	dns_c_severity_warn,
-	dns_c_severity_fail
-} dns_c_severity_t;
-#endif
-
 /* Value of a 'check-names' type. */
 typedef enum {
 	dns_trans_primary,
@@ -147,13 +133,6 @@ typedef enum {
 } dns_c_ordering_t;
 
 
-
-#if 0
-typedef enum {
-	dns_one_answer, dns_many_answers
-} dns_c_transferformat_t;
-#endif
-
 /* Possible zone types */
 typedef enum {
 	dns_c_zone_master,
@@ -198,35 +177,13 @@ typedef enum {
 } dns_c_logseverity_t;
 
 
-#if 0					/* XXXJAB remove this */
-/* Possible logging categories. */
+/* Type of additional-data field */
 typedef enum {
-	dns_c_cat_default,
-	dns_c_cat_config,
-	dns_c_cat_parser,
-	dns_c_cat_queries,  
-	dns_c_cat_lameservers,
-	dns_c_cat_statistics,
-	dns_c_cat_panic, 
-	dns_c_cat_update,
-	dns_c_cat_ncache,
-	dns_c_cat_xferin,
-	dns_c_cat_xferout,  
-	dns_c_cat_db,
-	dns_c_cat_eventlib,
-	dns_c_cat_packet,
-	dns_c_cat_notify, 
-	dns_c_cat_cname,
-	dns_c_cat_security,
-	dns_c_cat_os,
-	dns_c_cat_insist, 
-	dns_c_cat_maint,
-	dns_c_cat_load,
-	dns_c_cat_respchecks,
-	dns_c_cat_control, 
-	dns_c_cat_none
-} dns_c_category_t;
-#endif
+	dns_c_ad_minimal,
+	dns_c_ad_maximal,
+	dns_c_ad_internal
+} dns_c_addata_t;
+
 
 /* Type of the bit sets used in various structures. Macros in confpvt.h
  * depending on this being an integer type, and some structures need more
@@ -250,11 +207,12 @@ typedef struct dns_c_zone_list		dns_c_zonelist_t;
 extern isc_boolean_t debug_mem_print;
 extern FILE *debug_mem_print_stream;	/* NULL means stderr */
 
-
 /***
  *** Functions
  ***/
 
+ISC_LANG_BEGINDECLS
+
 /* The following dns_c_xxx2string() functions convert the first argument into 
  * a string value and returns that value. If the first argument is not a
  * legal value, then NULL is returned, unless PRINTABLE is true, in which 
@@ -265,20 +223,29 @@ extern FILE *debug_mem_print_stream;	/* NULL means stderr */
  * dns_c_ordering2string((dns_c_ordering_t)0xffff,ISC_TRUE) returns the
  * value "UNKNOWN_ORDERING"
  */
-const char *		dns_c_ordering2string(dns_c_ordering_t ordering,
-					      isc_boolean_t printable);
-const char *		dns_c_logseverity2string(dns_c_logseverity_t level,
-					      isc_boolean_t printable);
-const char *		dns_c_facility2string(int facility,
-					      isc_boolean_t printable);
-const char *		dns_c_transformat2string(dns_transfer_format_t tform,
-						isc_boolean_t printable);
-const char *		dns_c_transport2string(dns_c_trans_t transport,
-					       isc_boolean_t printable);
-const char *		dns_c_nameseverity2string(dns_severity_t severity,
-						  isc_boolean_t printable);
-const char *		dns_c_forward2string(dns_c_forw_t forw,
-					     isc_boolean_t printable);
+const char *
+dns_c_ordering2string(dns_c_ordering_t ordering, isc_boolean_t printable);
+
+const char *
+dns_c_logseverity2string(dns_c_logseverity_t level, isc_boolean_t printable);
+
+const char *
+dns_c_facility2string(int facility, isc_boolean_t printable);
+
+const char *
+dns_c_transformat2string(dns_transfer_format_t tform, isc_boolean_t printable);
+
+const char *
+dns_c_transport2string(dns_c_trans_t transport, isc_boolean_t printable);
+
+const char *
+dns_c_nameseverity2string(dns_severity_t severity, isc_boolean_t printable);
+
+const char *
+dns_c_forward2string(dns_c_forw_t forw, isc_boolean_t printable);
+
+const char *
+dns_c_addata2string(dns_c_addata_t addata, isc_boolean_t printable);
 
 /*
  * The following dns_c_string2xxx() functions will look up the string
@@ -286,43 +253,59 @@ const char *		dns_c_forward2string(dns_c_forw_t forw,
  * through the second argument and ISC_R_SUCCESS is returned. If the string
  * doesn't match a valid value then ISC_R_FAILURE is returned.
  */
-isc_result_t		dns_c_string2ordering(char *name,
-					      dns_c_ordering_t *ordering);
-isc_result_t		dns_c_string2logseverity(const char *string,
-					      dns_c_logseverity_t *result);
-isc_result_t		dns_c_string2facility(const char *string, int *res);
+isc_result_t
+dns_c_string2ordering(char *name, dns_c_ordering_t *ordering);
+
+isc_result_t
+dns_c_string2logseverity(const char *string, dns_c_logseverity_t *result);
+
+isc_result_t
+dns_c_string2facility(const char *string, int *res);
+
+int
+dns_c_isanyaddr(isc_sockaddr_t *inaddr);
+
+void
+dns_c_print_ipaddr(FILE *fp, isc_sockaddr_t *addr);
+
+isc_boolean_t
+dns_c_need_quote(const char *string);
+
+void
+dns_c_printtabs(FILE *fp, int count); 
 
+void
+dns_c_printinunits(FILE *fp, isc_uint32_t val);
 
+void
+dns_c_dataclass_tostream(FILE *fp, dns_rdataclass_t rclass);
 
-int			dns_c_isanyaddr(isc_sockaddr_t *inaddr);
-void 			dns_c_print_ipaddr(FILE *fp, isc_sockaddr_t *addr);
-isc_boolean_t		dns_c_need_quote(const char *string);
+void
+dns_c_datatype_tostream(FILE *fp, dns_rdatatype_t rtype);
 
-void			dns_c_printtabs(FILE *fp, int count); 
-void			dns_c_printinunits(FILE *fp, isc_uint32_t val);
+isc_boolean_t
+dns_c_netaddrisanyaddr(isc_netaddr_t *inaddr);
 
-void			dns_c_dataclass_tostream(FILE *fp,
-						 dns_rdataclass_t rclass);
-void			dns_c_datatype_tostream(FILE *fp,
-						dns_rdatatype_t rtype);
+void
+dns_c_netaddrprint(FILE *fp, isc_netaddr_t *inaddr);
 
+isc_result_t
+dns_c_charptoname(isc_mem_t *mem, const char *keyval, dns_name_t **name);
 
-isc_boolean_t		dns_c_netaddrisanyaddr(isc_netaddr_t *inaddr);
-void			dns_c_netaddrprint(FILE *fp, isc_netaddr_t *inaddr);
-isc_result_t		dns_c_charptoname(isc_mem_t *mem, const char *keyval,
-					  dns_name_t **name);
-void			dns_c_peer_print(FILE *fp, int indent,
-					 dns_peer_t *peer);
-void			dns_c_peerlist_print(FILE *fp, int indent,
-					     dns_peerlist_t *peers);
-void			dns_c_ssutable_print(FILE *fp, int indent,
-					     dns_ssutable_t *ssutable);
+void
+dns_c_peer_print(FILE *fp, int indent, dns_peer_t *peer);
 
+void
+dns_c_peerlist_print(FILE *fp, int indent, dns_peerlist_t *peers);
 
+void
+dns_c_ssutable_print(FILE *fp, int indent, dns_ssutable_t *ssutable);
 
-isc_result_t		dns_c_checkcategory(const char *name);
-isc_result_t		dns_c_checkmodule(const char *name);
+isc_result_t
+dns_c_checkcategory(const char *name);
 
+isc_result_t
+dns_c_checkmodule(const char *name);
 /*
  * Checks the argument is a known category or module name.
  *
@@ -331,5 +314,6 @@ isc_result_t		dns_c_checkmodule(const char *name);
  *	ISC_R_FAILURE if it isn't.
  */
 
+ISC_LANG_ENDDECLS
 
-#endif /* DNS_CONFIG_CONFCOMMON_H */
+#endif /* DNS_CONFCOMMON_H */
diff --git a/lib/dns/include/dns/confctl.h b/lib/dns/include/dns/confctl.h
index d2a741f6..a8199111 100644
--- a/lib/dns/include/dns/confctl.h
+++ b/lib/dns/include/dns/confctl.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef DNS_CONFIG_CONFCTL_H
-#define DNS_CONFIG_CONFCTL_H 1
+#ifndef DNS_CONFCTL_H
+#define DNS_CONFCTL_H 1
 
 /*****
  ***** Module Info
@@ -55,16 +55,11 @@
  *** Imports
  ***/
 
-#include <config.h>
-
-#include <sys/types.h>
-
-#include <isc/mem.h>
-#include <isc/net.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
 
 #include <dns/confip.h>
 
-
 #define DNS_C_CONFCTL_MAGIC	0x4363746cU
 #define DNS_C_CONFCTLLIST_MAGIC	0x4354424cU
 
@@ -73,8 +68,6 @@
 #define DNS_C_CONFCTL_VALID(ptr) \
 		ISC_MAGIC_VALID(ptr, DNS_C_CONFCTL_MAGIC)
 
-
-
 /***
  *** Types
  ***/
@@ -82,8 +75,7 @@
 typedef struct dns_c_ctrl		dns_c_ctrl_t;
 typedef struct dns_c_ctrl_list		dns_c_ctrllist_t;
 
-struct dns_c_ctrl
-{
+struct dns_c_ctrl {
 	isc_uint32_t	magic;
 	isc_mem_t	*mem;		/* where it's memory came from */
 
@@ -106,25 +98,23 @@ struct dns_c_ctrl
 };
 
 
-struct dns_c_ctrl_list
-{
+struct dns_c_ctrl_list {
 	isc_uint32_t		magic;
 	isc_mem_t	       *mem;
 
 	ISC_LIST(dns_c_ctrl_t)	elements;
 };
 
-
-
 /***
  *** Functions
  ***/
 
+ISC_LANG_BEGINDECLS
 
-isc_result_t	dns_c_ctrlinet_new(isc_mem_t *mem, dns_c_ctrl_t **control,
-				   isc_sockaddr_t addr, in_port_t port,
-				   dns_c_ipmatchlist_t *iml,
-				   isc_boolean_t copy);
+isc_result_t
+dns_c_ctrlinet_new(isc_mem_t *mem, dns_c_ctrl_t **control,
+		   isc_sockaddr_t addr, in_port_t port,
+		   dns_c_ipmatchlist_t *iml, isc_boolean_t copy);
 /*
  * Creates a new INET control object. If COPY is true then a deep copy is
  * made of IML, otherwise the value of IML is stored directly in the new
@@ -139,10 +129,9 @@ isc_result_t	dns_c_ctrlinet_new(isc_mem_t *mem, dns_c_ctrl_t **control,
  *	ISC_R_NOMEMORY		-- insufficient memory available
  */
 
-
-isc_result_t	dns_c_ctrlunix_new(isc_mem_t *mem, dns_c_ctrl_t **control,
-				   const char *path,
-				   int perm, uid_t uid, gid_t gid);
+isc_result_t
+dns_c_ctrlunix_new(isc_mem_t *mem, dns_c_ctrl_t **control, const char *path,
+		   int perm, uid_t uid, gid_t gid);
 /*
  * Creates a new UNIX control object. A copy is made of the PATH argument.
  *
@@ -156,8 +145,8 @@ isc_result_t	dns_c_ctrlunix_new(isc_mem_t *mem, dns_c_ctrl_t **control,
  *	
  */
 
-
-isc_result_t	dns_c_ctrl_delete(dns_c_ctrl_t **control);
+isc_result_t
+dns_c_ctrl_delete(dns_c_ctrl_t **control);
 /*
  * Deletes the object pointed to by *CONTROL. *CONTROL may be NULL.
  *
@@ -168,8 +157,8 @@ isc_result_t	dns_c_ctrl_delete(dns_c_ctrl_t **control);
  *	ISC_R_SUCCESS
  */
 
-
-void		dns_c_ctrl_print(FILE *fp, int indent, dns_c_ctrl_t *ctl);
+void
+dns_c_ctrl_print(FILE *fp, int indent, dns_c_ctrl_t *ctl);
 /*
  * Prints the control object ctl in standard named.conf format. The output
  * is indented by indent number of tabs.
@@ -180,8 +169,8 @@ void		dns_c_ctrl_print(FILE *fp, int indent, dns_c_ctrl_t *ctl);
  *
  */
 
-
-isc_result_t	dns_c_ctrllist_new(isc_mem_t *mem, dns_c_ctrllist_t **newlist);
+isc_result_t
+dns_c_ctrllist_new(isc_mem_t *mem, dns_c_ctrllist_t **newlist);
 /*
  * Creates a new control object list using the MEM memory manager.
  *
@@ -194,8 +183,8 @@ isc_result_t	dns_c_ctrllist_new(isc_mem_t *mem, dns_c_ctrllist_t **newlist);
  *	ISC_R_NOMEMORY		-- insufficient memory available.
  */
 
-
-isc_result_t	dns_c_ctrllist_delete(dns_c_ctrllist_t **list);
+isc_result_t
+dns_c_ctrllist_delete(dns_c_ctrllist_t **list);
 /*
  * Deletes the control list. The value of *list may be NULL. Sets *list to
  * NULL when done.
@@ -208,8 +197,8 @@ isc_result_t	dns_c_ctrllist_delete(dns_c_ctrllist_t **list);
  *
  */
 
-void		dns_c_ctrllist_print(FILE *fp, int indent,
-				     dns_c_ctrllist_t *cl);
+void
+dns_c_ctrllist_print(FILE *fp, int indent, dns_c_ctrllist_t *cl);
 /*
  * Prints the control objects inside the list. The output is indented with
  * indent number of tabs.
@@ -219,5 +208,6 @@ void		dns_c_ctrllist_print(FILE *fp, int indent,
  *
  */
 
+ISC_LANG_ENDDECLS
 
-#endif /* DNS_CONFIG_CONFCTL_H */
+#endif /* DNS_CONFCTL_H */
diff --git a/lib/dns/include/dns/confctx.h b/lib/dns/include/dns/confctx.h
index eea7e571..18341f35 100644
--- a/lib/dns/include/dns/confctx.h
+++ b/lib/dns/include/dns/confctx.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef DNS_CONFIG_CONFCTX_H
-#define DNS_CONFIG_CONFCTX_H 1
+#ifndef DNS_CONFCTX_H
+#define DNS_CONFCTX_H 1
 
 /*****
  ***** Module Info
@@ -49,25 +49,16 @@
  *** Imports
  ***/
 
-#include <config.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
 
-#include <isc/mem.h>
-#include <isc/int.h>
-#include <isc/list.h>
-
-#include <dns/peer.h>
-#include <dns/confcommon.h>
-#include <dns/confip.h>
-#include <dns/confzone.h>
-#include <dns/confkeys.h>
-#include <dns/conflog.h>
 #include <dns/confacl.h>
-#include <dns/conflsn.h>
-#include <dns/confrrset.h>
-#include <dns/confctl.h>
-#include <dns/confview.h>
 #include <dns/confcache.h>
+#include <dns/confctl.h>
+#include <dns/conflog.h>
+#include <dns/conflsn.h>
 #include <dns/confresolv.h>
+#include <dns/confview.h>
 
 #define DNS_C_CONFIG_MAGIC		0x434f4e46U /* CONF */
 #define DNS_C_OPTION_MAGIC		0x4f707473U /* Opts */
@@ -75,8 +66,6 @@
 #define DNS_C_CONFCTX_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_CONFIG_MAGIC)
 #define DNS_C_CONFOPT_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_OPTION_MAGIC)
 
-
-
 /***
  *** Types
  ***/
@@ -84,13 +73,11 @@
 typedef struct dns_c_options		dns_c_options_t;
 typedef struct dns_c_ctx		dns_c_ctx_t;
 
-
 /*
  * The main baby. A pointer to one of these is what the caller gets back
  * when the parsing routine is called.
  */
-struct dns_c_ctx
-{
+struct dns_c_ctx {
 	isc_uint32_t		magic;
 	isc_mem_t	       *mem;
 
@@ -113,17 +100,13 @@ struct dns_c_ctx
 	dns_c_view_t	       *currview;
 };
 
-
-
-
 /*
  * This structure holds all the values defined by a config file 'options'
- * statement
+ * statement. If a field is NULL then it has never been set.
  */
-struct dns_c_options 
-{
-	isc_mem_t	       *mem;
+struct dns_c_options {
 	isc_uint32_t		magic;
+	isc_mem_t	       *mem;
 	
 	char		       *directory;
 	char		       *version;
@@ -132,436 +115,837 @@ struct dns_c_options
 	char		       *stats_filename;
 	char		       *memstats_filename;
 	char		       *named_xfer;
-	char 		       *tkeydomain;
 
-	char 		       *tkeydhkeycp;
-	isc_int32_t		tkeydhkeyi;
+	isc_int32_t	       *transfers_in; 
+	isc_int32_t	       *transfers_per_ns;
+	isc_int32_t	       *transfers_out; 
+	isc_int32_t	       *max_log_size_ixfr;
+	isc_int32_t	       *clean_interval;
+	isc_int32_t	       *interface_interval;
+	isc_int32_t	       *stats_interval;
+	isc_int32_t	       *heartbeat_interval;
+
+	isc_int32_t	       *max_transfer_time_in;
+	isc_int32_t	       *max_transfer_time_out;
+	isc_int32_t	       *max_transfer_idle_in;
+	isc_int32_t	       *max_transfer_idle_out;
+	isc_int32_t	       *lamettl;
+	isc_int32_t	       *tcp_clients;
+	isc_int32_t	       *recursive_clients;
+	isc_int32_t	       *min_roots;
+	isc_int32_t	       *serial_queries;
 	
-	isc_uint32_t		flags;
-	isc_uint32_t		max_ncache_ttl;
-
-	isc_int32_t		transfers_in;
-	isc_int32_t		transfers_per_ns;
-	isc_int32_t		transfers_out;
-	isc_int32_t		max_log_size_ixfr;
-	isc_int32_t		clean_interval;
-	isc_int32_t		interface_interval;
-	isc_int32_t		stats_interval;
-	isc_int32_t		heartbeat_interval;
-
-	isc_int32_t		max_transfer_time_in;
-	isc_int32_t		max_transfer_time_out;
-	isc_int32_t		max_transfer_idle_in;
-	isc_int32_t		max_transfer_idle_out;
-	isc_int32_t		lamettl; /* XXX not implemented yet */
-	isc_int32_t		tcp_clients;
-	isc_int32_t		recursive_clients;
+	isc_uint32_t	       *data_size;
+	isc_uint32_t	       *stack_size;
+	isc_uint32_t	       *core_size;
+	isc_uint32_t	       *files;
+	isc_uint32_t	       *max_ncache_ttl;
+	isc_uint32_t	       *max_cache_ttl;
+
+	isc_boolean_t	       *expert_mode;
+	isc_boolean_t	       *fake_iquery;
+	isc_boolean_t	       *recursion;
+	isc_boolean_t	       *fetch_glue;
+	isc_boolean_t	       *notify;
+	isc_boolean_t	       *host_statistics;
+	isc_boolean_t	       *dealloc_on_exit;
+	isc_boolean_t	       *use_ixfr;
+	isc_boolean_t	       *maintain_ixfr_base;
+	isc_boolean_t	       *has_old_clients;
+	isc_boolean_t	       *auth_nx_domain;
+	isc_boolean_t	       *multiple_cnames;
+	isc_boolean_t	       *use_id_pool;
+	isc_boolean_t	       *dialup;
+	isc_boolean_t	       *rfc2308_type1;
+	isc_boolean_t	       *request_ixfr;
+	isc_boolean_t	       *provide_ixfr;
+	isc_boolean_t	       *treat_cr_as_space;
 	
-	isc_uint32_t		data_size;
-	isc_uint32_t		stack_size;
-	isc_uint32_t		core_size;
-	isc_uint32_t		files;
-
-	isc_boolean_t		expert_mode;
-	isc_boolean_t		fake_iquery;
-	isc_boolean_t		recursion;
-	isc_boolean_t		fetch_glue;
-	isc_boolean_t		notify;
-	isc_boolean_t		host_statistics;
-	isc_boolean_t		dealloc_on_exit;
-	isc_boolean_t		use_ixfr;
-	isc_boolean_t		maintain_ixfr_base;
-	isc_boolean_t		has_old_clients;
-	isc_boolean_t		auth_nx_domain;
-	isc_boolean_t		multiple_cnames;
-	isc_boolean_t		use_id_pool;
-	isc_boolean_t		dialup;
-	isc_boolean_t		rfc2308_type1;
-	isc_boolean_t		request_ixfr;
-	isc_boolean_t		provide_ixfr;
+	isc_sockaddr_t	       *transfer_source;
+	isc_sockaddr_t	       *transfer_source_v6;
+	isc_sockaddr_t	       *query_source;
+	isc_sockaddr_t	       *query_source_v6;
+
+	dns_c_addata_t	       *additional_data;
 	
-	isc_sockaddr_t		transfer_source;
-	isc_sockaddr_t		transfer_source_v6;
-	isc_sockaddr_t		query_source;
-	isc_sockaddr_t		query_source_v6;
+	dns_c_forw_t	       *forward;
 
+	char 		       *tkeydhkeycp;
+	isc_int32_t		tkeydhkeyi;
+	char 		       *tkeydomain;
+	
 	dns_c_iplist_t	       *also_notify;
 
-	dns_severity_t 		check_names[DNS_C_TRANSCOUNT];
-
-	dns_transfer_format_t	transfer_format;
+	dns_severity_t 	       *check_names[DNS_C_TRANSCOUNT];
 
-	dns_c_ipmatchlist_t   *queryacl;
-	dns_c_ipmatchlist_t   *transferacl;
-	dns_c_ipmatchlist_t   *recursionacl;
-	dns_c_ipmatchlist_t   *blackhole;
-	dns_c_ipmatchlist_t   *topology;
-	dns_c_ipmatchlist_t   *sortlist;
+	dns_transfer_format_t  *transfer_format;
 
-	dns_c_lstnlist_t      *listens;
+	dns_c_ipmatchlist_t    *queryacl;
+	dns_c_ipmatchlist_t    *transferacl;
+	dns_c_ipmatchlist_t    *recursionacl;
+	dns_c_ipmatchlist_t    *blackhole;
+	dns_c_ipmatchlist_t    *topology;
+	dns_c_ipmatchlist_t    *sortlist;
+	dns_c_ipmatchlist_t    *allowupdateforwarding;
 
-	dns_c_forw_t		forward;
-	dns_c_iplist_t   *forwarders;
+	dns_c_lstnlist_t       *listens;
+	dns_c_rrsolist_t       *ordering;
 
-	dns_c_rrsolist_t      *ordering;
-
-	/*
-	 * For the non-pointer fields of the struct a bit will be set in
-	 * this field if a field value was explicitly set.
-	 */
-	dns_c_setbits_t		setflags1;
+	dns_c_iplist_t	       *forwarders;
 };
 
-
-
 /***
  *** Functions
  ***/
 
-isc_result_t	dns_c_checkconfig(dns_c_ctx_t *ctx);
+ISC_LANG_BEGINDECLS
 
+isc_result_t
+dns_c_checkconfig(dns_c_ctx_t *ctx);
 
+isc_result_t
+dns_c_ctx_new(isc_mem_t *mem, dns_c_ctx_t **cfg);
 
+isc_result_t
+dns_c_ctx_delete(dns_c_ctx_t **cfg);
 
-isc_result_t	dns_c_ctx_new(isc_mem_t *mem, dns_c_ctx_t **cfg);
-isc_result_t	dns_c_ctx_delete(dns_c_ctx_t **cfg);
+void
+dns_c_ctx_print(FILE *fp, int indent, dns_c_ctx_t *cfg);
 
-void		dns_c_ctx_print(FILE *fp, int indent, dns_c_ctx_t *cfg);
-void		dns_c_ctx_optionsprint(FILE *fp, int indent,
-				       dns_c_options_t *options);
-void		dns_c_ctx_forwarderprint(FILE *fp, int indent,
-					 dns_c_options_t *options);
+void
+dns_c_ctx_optionsprint(FILE *fp, int indent, dns_c_options_t *options);
 
-isc_result_t    dns_c_ctx_getcontrols(dns_c_ctx_t *cfg,
-                                      dns_c_ctrllist_t **ctrls);
-isc_result_t	dns_c_ctx_setcontrols(dns_c_ctx_t *cfg,
-				      dns_c_ctrllist_t *ctrls);
-isc_result_t	dns_c_ctx_getoptions(dns_c_ctx_t *cfg,
-				     dns_c_options_t **options);
+void
+dns_c_ctx_forwarderprint(FILE *fp, int indent, dns_c_options_t *options);
 
-isc_result_t	dns_c_ctx_setlogging(dns_c_ctx_t *cfg,
-				     dns_c_logginglist_t *newval,
-				     isc_boolean_t deepcopy);
-isc_result_t	dns_c_ctx_getlogging(dns_c_ctx_t *cfg,
-				     dns_c_logginglist_t **retval);
+isc_result_t
+dns_c_ctx_setcurrzone(dns_c_ctx_t *cfg, dns_c_zone_t *zone);
 
-isc_result_t	dns_c_ctx_getkdeflist(dns_c_ctx_t *cfg,
-                                      dns_c_kdeflist_t **retval);
-isc_result_t	dns_c_ctx_setkdeflist(dns_c_ctx_t *cfg,
-                                      dns_c_kdeflist_t *newval,
-                                      isc_boolean_t deepcopy);
+dns_c_zone_t *
+dns_c_ctx_getcurrzone(dns_c_ctx_t *cfg);
 
+isc_result_t
+dns_c_ctx_setcurrview(dns_c_ctx_t *cfg, dns_c_view_t *view);
 
-isc_result_t	dns_c_ctx_addfile_channel(dns_c_ctx_t *cfg, const char *name,
-					  dns_c_logchan_t **chan);
-isc_result_t	dns_c_ctx_addsyslogchannel(dns_c_ctx_t *cfg,
-					   const char *name,
-					   dns_c_logchan_t **chan);
-isc_result_t	dns_c_ctx_addnullchannel(dns_c_ctx_t *cfg, const char *name,
-					 dns_c_logchan_t **chan);
-isc_result_t	dns_c_ctx_addcategory(dns_c_ctx_t *cfg,
-				      const char *catname,
-				      dns_c_logcat_t **newcat);
-isc_result_t	dns_c_ctx_currchannel(dns_c_ctx_t *cfg,
-				      dns_c_logchan_t **channel);
-isc_result_t	dns_c_ctx_currcategory(dns_c_ctx_t *cfg,
-				       dns_c_logcat_t **category);
-isc_boolean_t	dns_c_ctx_keydefinedp(dns_c_ctx_t *ctx, const char *keyname);
+dns_c_view_t *
+dns_c_ctx_getcurrview(dns_c_ctx_t *cfg);
 
+isc_result_t
+dns_c_ctx_getoptions(dns_c_ctx_t *cfg, dns_c_options_t **options);
 
+isc_result_t
+dns_c_ctx_unsetoptions(dns_c_ctx_t *cfg);
 
-isc_boolean_t	dns_c_ctx_channeldefinedp(dns_c_ctx_t *cfg,
-					  const char *name);
-isc_result_t	dns_c_ctx_optionsnew(isc_mem_t *mem,
-				     dns_c_options_t **options);
-isc_result_t	dns_c_ctx_optionsdelete(dns_c_options_t **options);
+/* detach when done with retval */
+isc_result_t
+dns_c_ctx_getpeerlist(dns_c_ctx_t *cfg, dns_peerlist_t **retval);
 
+/* cfg will attach to newval */
+isc_result_t
+dns_c_ctx_setpeerlist(dns_c_ctx_t *cfg, dns_peerlist_t *newval);
 
+isc_result_t
+dns_c_ctx_unsetpeerlist(dns_c_ctx_t *cfg);
 
-/* The modifier functions below all return ISC_R_SUCCESS when the value is
- * successfully set. If the value had already been set, then the value
- * ISC_R_EXISTS is returned (the value is still set).
- *
- * In a few functions there is a boolean parameter named 'copy'. If that is
- * true, then a deep copy is made of the parameter and the parameter itself
- * is not touched. If the value is false, then the parameter is stored
- * directly in the dns_c_ctx_t structure, and the client looses ownership
- * of it. ISC_R_NOMEMORY is a possible return value for many of these
- * functions.
- *
- */
-isc_result_t	dns_c_ctx_setcurrzone(dns_c_ctx_t *cfg, dns_c_zone_t *zone);
-isc_result_t	dns_c_ctx_setcurrview(dns_c_ctx_t *cfg, dns_c_view_t *view);
-isc_result_t	dns_c_ctx_setdirectory(dns_c_ctx_t *cfg, const char *newval);
-isc_result_t	dns_c_ctx_setversion(dns_c_ctx_t *cfg, const char *newval);
-isc_result_t	dns_c_ctx_setdumpfilename(dns_c_ctx_t *cfg,
-					  const char *newval);
-isc_result_t	dns_c_ctx_setpidfilename(dns_c_ctx_t *cfg,
-					 const char *newval);
-isc_result_t	dns_c_ctx_setstatsfilename(dns_c_ctx_t *cfg,
-					   const char *newval);
-isc_result_t	dns_c_ctx_setmemstatsfilename(dns_c_ctx_t *cfg,
-					      const char *newval);
-isc_result_t	dns_c_ctx_setnamedxfer(dns_c_ctx_t *cfg, const char *newval);
-isc_result_t	dns_c_ctx_settkeydomain(dns_c_ctx_t *cfg, const char *newval);
-isc_result_t	dns_c_ctx_settkeydhkey(dns_c_ctx_t *cfg,
-				       const char *newcpval,
-				       isc_int32_t newival);
-isc_result_t	dns_c_ctx_setmaxncachettl(dns_c_ctx_t *cfg,
-					  isc_uint32_t newval);
-isc_result_t	dns_c_ctx_settransfersin(dns_c_ctx_t *cfg,
-					 isc_int32_t newval);
-isc_result_t	dns_c_ctx_settransfersperns(dns_c_ctx_t *cfg,
-					    isc_int32_t newval);
-isc_result_t	dns_c_ctx_settransfersout(dns_c_ctx_t *cfg,
-					  isc_int32_t newval);
-isc_result_t	dns_c_ctx_setmaxlogsizeixfr(dns_c_ctx_t *cfg,
-					    isc_int32_t newval);
-isc_result_t	dns_c_ctx_setcleaninterval(dns_c_ctx_t *cfg,
-					   isc_int32_t newval);
-isc_result_t	dns_c_ctx_setinterfaceinterval(dns_c_ctx_t *cfg,
-					       isc_int32_t newval);
-isc_result_t	dns_c_ctx_setstatsinterval(dns_c_ctx_t *cfg,
-					   isc_int32_t newval);
-isc_result_t	dns_c_ctx_setheartbeat_interval(dns_c_ctx_t *cfg,
-						isc_int32_t newval);
-isc_result_t	dns_c_ctx_setmaxtransfertimein(dns_c_ctx_t *cfg,
-					       isc_int32_t newval);
-isc_result_t	dns_c_ctx_setmaxtransfertimeout(dns_c_ctx_t *cfg,
-					       isc_int32_t newval);
-isc_result_t	dns_c_ctx_setmaxtransferidlein(dns_c_ctx_t *cfg,
-					       isc_int32_t newval);
-isc_result_t	dns_c_ctx_setmaxtransferidleout(dns_c_ctx_t *cfg,
-					       isc_int32_t newval);
-isc_result_t	dns_c_ctx_settcpclients(dns_c_ctx_t *cfg, isc_int32_t newval);
-isc_result_t	dns_c_ctx_setrecursiveclients(dns_c_ctx_t *cfg,
-					      isc_int32_t newval);
-
-isc_result_t	dns_c_ctx_setdatasize(dns_c_ctx_t *cfg, isc_uint32_t newval);
-isc_result_t	dns_c_ctx_setstacksize(dns_c_ctx_t *cfg,
-				       isc_uint32_t newval);
-isc_result_t	dns_c_ctx_setcoresize(dns_c_ctx_t *cfg, isc_uint32_t newval);
-isc_result_t	dns_c_ctx_setfiles(dns_c_ctx_t *cfg, isc_uint32_t newval);
-
-isc_result_t	dns_c_ctx_setexpertmode(dns_c_ctx_t *cfg,
-					isc_boolean_t newval);
-isc_result_t	dns_c_ctx_setfakeiquery(dns_c_ctx_t *cfg,
-					isc_boolean_t newval);
-isc_result_t	dns_c_ctx_setrecursion(dns_c_ctx_t *cfg,
-				       isc_boolean_t newval);
-isc_result_t	dns_c_ctx_setfetchglue(dns_c_ctx_t *cfg,
-				       isc_boolean_t newval);
-isc_result_t	dns_c_ctx_setnotify(dns_c_ctx_t *cfg, isc_boolean_t newval);
-isc_result_t	dns_c_ctx_sethoststatistics(dns_c_ctx_t *cfg,
-					    isc_boolean_t newval);
-isc_result_t	dns_c_ctx_setdealloconexit(dns_c_ctx_t *cfg,
-					   isc_boolean_t newval);
-isc_result_t	dns_c_ctx_setuseixfr(dns_c_ctx_t *cfg, isc_boolean_t newval);
-isc_result_t	dns_c_ctx_setmaintainixfrbase(dns_c_ctx_t *cfg,
-					      isc_boolean_t newval);
-isc_result_t	dns_c_ctx_sethasoldclients(dns_c_ctx_t *cfg,
-					   isc_boolean_t newval);
-isc_result_t	dns_c_ctx_setauthnxdomain(dns_c_ctx_t *cfg,
-					  isc_boolean_t newval);
-isc_result_t	dns_c_ctx_setmultiplecnames(dns_c_ctx_t *cfg,
-					    isc_boolean_t newval);
-isc_result_t	dns_c_ctx_setuseidpool(dns_c_ctx_t *cfg,
-				       isc_boolean_t newval);
-isc_result_t	dns_c_ctx_setrfc2308type1(dns_c_ctx_t *cfg,
-					  isc_boolean_t newval);
-isc_result_t	dns_c_ctx_setrequestixfr(dns_c_ctx_t *cfg,
-                                         isc_boolean_t newval);
-isc_result_t	dns_c_ctx_setprovideixfr(dns_c_ctx_t *cfg,
-                                         isc_boolean_t newval);
-isc_result_t	dns_c_ctx_setdialup(dns_c_ctx_t *cfg, isc_boolean_t newval);
-isc_result_t	dns_c_ctx_setalsonotify(dns_c_ctx_t *ctx,
-					dns_c_iplist_t *newval,
-					isc_boolean_t deepcopy);
-isc_result_t	dns_c_ctx_settransfersource(dns_c_ctx_t *ctx,
-					    isc_sockaddr_t newval);
-isc_result_t	dns_c_ctx_settransfersourcev6(dns_c_ctx_t *ctx,
-					      isc_sockaddr_t newval);
-
-isc_result_t	dns_c_ctx_setquerysource(dns_c_ctx_t *cfg,
-					 isc_sockaddr_t addr);
-isc_result_t	dns_c_ctx_setquerysourcev6(dns_c_ctx_t *cfg,
-					   isc_sockaddr_t addr);
-isc_result_t	dns_c_ctx_setchecknames(dns_c_ctx_t *cfg,
-					dns_c_trans_t transtype,
-					dns_severity_t sever);
-isc_result_t	dns_c_ctx_settransferformat(dns_c_ctx_t *cfg,
-					    dns_transfer_format_t newval);
-isc_result_t	dns_c_ctx_setqueryacl(dns_c_ctx_t *cfg, isc_boolean_t copy,
-				      dns_c_ipmatchlist_t *iml);
-isc_result_t	dns_c_ctx_settransferacl(dns_c_ctx_t *cfg, isc_boolean_t copy,
-					 dns_c_ipmatchlist_t *iml);
-isc_result_t	dns_c_ctx_setrecursionacl(dns_c_ctx_t *cfg, isc_boolean_t copy,
-					  dns_c_ipmatchlist_t *iml);
-isc_result_t	dns_c_ctx_setblackhole(dns_c_ctx_t *cfg, isc_boolean_t copy,
-				       dns_c_ipmatchlist_t *iml);
-isc_result_t	dns_c_ctx_settopology(dns_c_ctx_t *cfg, isc_boolean_t copy,
-				      dns_c_ipmatchlist_t *iml);
-isc_result_t	dns_c_ctx_setsortlist(dns_c_ctx_t *cfg, isc_boolean_t copy,
-				      dns_c_ipmatchlist_t *iml);
-isc_result_t	dns_c_ctx_setforward(dns_c_ctx_t *cfg, dns_c_forw_t forw);
-isc_result_t	dns_c_ctx_setforwarders(dns_c_ctx_t *cfg, isc_boolean_t copy,
-					dns_c_iplist_t *iml);
-isc_result_t	dns_c_ctx_setrrsetorderlist(dns_c_ctx_t *cfg,
-					    isc_boolean_t copy,
-					    dns_c_rrsolist_t *olist);
-
-isc_result_t	dns_c_ctx_addlisten_on(dns_c_ctx_t *cfg, int port,
-				       dns_c_ipmatchlist_t *ml,
-				       isc_boolean_t copy);
-isc_result_t	dns_c_ctx_settrustedkeys(dns_c_ctx_t *cfg,
-					 dns_c_tkeylist_t *list,
-					 isc_boolean_t copy);
+isc_result_t
+dns_c_ctx_getcontrols(dns_c_ctx_t *cfg, dns_c_ctrllist_t **ctrls);
 
+isc_result_t
+dns_c_ctx_setcontrols(dns_c_ctx_t *cfg, dns_c_ctrllist_t *ctrls);
+/* XXX need unsetcontrols */
 
+isc_result_t
+dns_c_ctx_setlogging(dns_c_ctx_t *cfg, dns_c_logginglist_t *newval,
+		     isc_boolean_t deepcopy);
 
+isc_result_t
+dns_c_ctx_getlogging(dns_c_ctx_t *cfg, dns_c_logginglist_t **retval);
 
+isc_result_t
+dns_c_ctx_unsetlogging(dns_c_ctx_t *cfg);
 
+isc_result_t
+dns_c_ctx_addfile_channel(dns_c_ctx_t *cfg, const char *name,
+			  dns_c_logchan_t **chan);
 
+isc_result_t
+dns_c_ctx_addsyslogchannel(dns_c_ctx_t *cfg, const char *name,
+			   dns_c_logchan_t **chan);
 
+isc_result_t
+dns_c_ctx_addnullchannel(dns_c_ctx_t *cfg, const char *name,
+			 dns_c_logchan_t **chan);
+
+isc_result_t
+dns_c_ctx_addcategory(dns_c_ctx_t *cfg, const char *catname,
+		      dns_c_logcat_t **newcat);
+
+isc_result_t
+dns_c_ctx_currchannel(dns_c_ctx_t *cfg, dns_c_logchan_t **channel);
+
+isc_result_t
+dns_c_ctx_currcategory(dns_c_ctx_t *cfg, dns_c_logcat_t **category);
+
+isc_boolean_t
+dns_c_ctx_channeldefinedp(dns_c_ctx_t *cfg, const char *name);
+
+isc_result_t
+dns_c_ctx_getkdeflist(dns_c_ctx_t *cfg, dns_c_kdeflist_t **retval);
+
+isc_result_t
+dns_c_ctx_setkdeflist(dns_c_ctx_t *cfg, dns_c_kdeflist_t *newval,
+		      isc_boolean_t deepcopy);
+
+/* XXX need unsetkdeflist */
+isc_boolean_t
+dns_c_ctx_keydefinedp(dns_c_ctx_t *ctx, const char *keyname);
+
+isc_result_t
+dns_c_ctx_settrustedkeys(dns_c_ctx_t *cfg, dns_c_tkeylist_t *list,
+			 isc_boolean_t copy);
 
 /*
- * Accessor functions for the various fields in the config structure. The
- * value of the field is copied into the location pointed to by the RETVAL
- * paramater and ISC_R_SUCCESS is returned. The caller must not modify the
- * returned value, and should copy the value if it needs to hold on to it.
- *
- * If the value has not been set in the config structure, then
- * ISC_R_NOTFOUND is returned and the location pointed to by the RETVAL
- * paramater is not modified (i.e. the library assumes no particular
- * defaults for any unset values).
- */
+**
+*/
+
+isc_result_t
+dns_c_ctx_optionsnew(isc_mem_t *mem, dns_c_options_t **options);
+
+isc_result_t
+dns_c_ctx_optionsdelete(dns_c_options_t **options);
+
+isc_result_t
+dns_c_ctx_setdirectory(dns_c_ctx_t *ctx, const char *newval);
+
+isc_result_t
+dns_c_ctx_getdirectory(dns_c_ctx_t *ctx, char **retval);
+
+isc_result_t
+dns_c_ctx_unsetdirectory(dns_c_ctx_t *ctx);
+
+isc_result_t
+dns_c_ctx_setversion(dns_c_ctx_t *ctx, const char *newval);
+
+isc_result_t
+dns_c_ctx_getversion(dns_c_ctx_t *ctx, char **retval);
+
+isc_result_t
+dns_c_ctx_unsetversion(dns_c_ctx_t *ctx);
+
+isc_result_t
+dns_c_ctx_setdumpfilename(dns_c_ctx_t *ctx, const char *newval);
+
+isc_result_t
+dns_c_ctx_getdumpfilename(dns_c_ctx_t *ctx, char **retval);
+
+isc_result_t
+dns_c_ctx_unsetdumpfilename(dns_c_ctx_t *ctx);
+
+isc_result_t
+dns_c_ctx_setpidfilename(dns_c_ctx_t *ctx, const char *newval);
+
+isc_result_t
+dns_c_ctx_getpidfilename(dns_c_ctx_t *ctx, char **retval);
+
+isc_result_t
+dns_c_ctx_unsetpidfilename(dns_c_ctx_t *ctx);
+
+isc_result_t
+dns_c_ctx_setstatsfilename(dns_c_ctx_t *ctx, const char *newval);
+
+isc_result_t
+dns_c_ctx_getstatsfilename(dns_c_ctx_t *ctx, char **retval);
+
+isc_result_t
+dns_c_ctx_unsetstatsfilename(dns_c_ctx_t *ctx);
+
+isc_result_t
+dns_c_ctx_setmemstatsfilename(dns_c_ctx_t *ctx, const char *newval);
+
+isc_result_t
+dns_c_ctx_getmemstatsfilename(dns_c_ctx_t *ctx, char **retval);
+
+isc_result_t
+dns_c_ctx_unsetmemstatsfilename(dns_c_ctx_t *ctx);
+
+isc_result_t
+dns_c_ctx_setnamedxfer(dns_c_ctx_t *ctx, const char *newval);
+
+isc_result_t
+dns_c_ctx_getnamedxfer(dns_c_ctx_t *ctx, char **retval);
+isc_result_t
+dns_c_ctx_unsetnamedxfer(dns_c_ctx_t *ctx);
+
+isc_result_t
+dns_c_ctx_settransfersin(dns_c_ctx_t *cfg, isc_int32_t newval);
+
+isc_result_t
+dns_c_ctx_gettransfersin(dns_c_ctx_t *cfg, isc_int32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsettransfersin(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_settransfersperns(dns_c_ctx_t *cfg, isc_int32_t newval);
+
+isc_result_t
+dns_c_ctx_gettransfersperns(dns_c_ctx_t *cfg, isc_int32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsettransfersperns(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_settransfersout(dns_c_ctx_t *cfg, isc_int32_t newval);
+
+isc_result_t
+dns_c_ctx_gettransfersout(dns_c_ctx_t *cfg, isc_int32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsettransfersout(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setmaxlogsizeixfr(dns_c_ctx_t *cfg, isc_int32_t newval);
+
+isc_result_t
+dns_c_ctx_getmaxlogsizeixfr(dns_c_ctx_t *cfg, isc_int32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetmaxlogsizeixfr(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setcleaninterval(dns_c_ctx_t *cfg, isc_int32_t newval);
+
+isc_result_t
+dns_c_ctx_getcleaninterval(dns_c_ctx_t *cfg, isc_int32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetcleaninterval(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setinterfaceinterval(dns_c_ctx_t *cfg, isc_int32_t newval);
+
+isc_result_t
+dns_c_ctx_getinterfaceinterval(dns_c_ctx_t *cfg, isc_int32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetinterfaceinterval(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setstatsinterval(dns_c_ctx_t *cfg, isc_int32_t newval);
+
+isc_result_t
+dns_c_ctx_getstatsinterval(dns_c_ctx_t *cfg, isc_int32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetstatsinterval(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setheartbeatinterval(dns_c_ctx_t *cfg, isc_int32_t newval);
+
+isc_result_t
+dns_c_ctx_getheartbeatinterval(dns_c_ctx_t *cfg, isc_int32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetheartbeatinterval(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setmaxtransfertimein(dns_c_ctx_t *cfg, isc_int32_t newval);
+
+isc_result_t
+dns_c_ctx_getmaxtransfertimein(dns_c_ctx_t *cfg, isc_int32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetmaxtransfertimein(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setmaxtransfertimeout(dns_c_ctx_t *cfg, isc_int32_t newval);
+
+isc_result_t
+dns_c_ctx_getmaxtransfertimeout(dns_c_ctx_t *cfg, isc_int32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetmaxtransfertimeout(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setmaxtransferidlein(dns_c_ctx_t *cfg, isc_int32_t newval);
+
+isc_result_t
+dns_c_ctx_getmaxtransferidlein(dns_c_ctx_t *cfg, isc_int32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetmaxtransferidlein(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setmaxtransferidleout(dns_c_ctx_t *cfg, isc_int32_t newval);
+
+isc_result_t
+dns_c_ctx_getmaxtransferidleout(dns_c_ctx_t *cfg, isc_int32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetmaxtransferidleout(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setlamettl(dns_c_ctx_t *cfg, isc_int32_t newval);
+
+isc_result_t
+dns_c_ctx_getlamettl(dns_c_ctx_t *cfg, isc_int32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetlamettl(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_settcpclients(dns_c_ctx_t *cfg, isc_int32_t newval);
+
+isc_result_t
+dns_c_ctx_gettcpclients(dns_c_ctx_t *cfg, isc_int32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsettcpclients(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setrecursiveclients(dns_c_ctx_t *cfg, isc_int32_t newval);
+
+isc_result_t
+dns_c_ctx_getrecursiveclients(dns_c_ctx_t *cfg, isc_int32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetrecursiveclients(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setminroots(dns_c_ctx_t *cfg, isc_int32_t newval);
+
+isc_result_t
+dns_c_ctx_getminroots(dns_c_ctx_t *cfg, isc_int32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetminroots(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setserialqueries(dns_c_ctx_t *cfg, isc_int32_t newval);
+
+isc_result_t
+dns_c_ctx_getserialqueries(dns_c_ctx_t *cfg, isc_int32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetserialqueries(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setdatasize(dns_c_ctx_t *cfg, isc_uint32_t newval);
+
+isc_result_t
+dns_c_ctx_getdatasize(dns_c_ctx_t *cfg, isc_uint32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetdatasize(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setstacksize(dns_c_ctx_t *cfg,
+				    isc_uint32_t newval);
+isc_result_t
+dns_c_ctx_getstacksize(dns_c_ctx_t *cfg,
+				    isc_uint32_t *retval);
+isc_result_t
+dns_c_ctx_unsetstacksize(dns_c_ctx_t *cfg);
+
+
+isc_result_t
+dns_c_ctx_setcoresize(dns_c_ctx_t *cfg, isc_uint32_t newval);
+
+isc_result_t
+dns_c_ctx_getcoresize(dns_c_ctx_t *cfg, isc_uint32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetcoresize(dns_c_ctx_t *cfg);
+
+
+isc_result_t
+dns_c_ctx_setfiles(dns_c_ctx_t *cfg, isc_uint32_t newval);
+
+isc_result_t
+dns_c_ctx_getfiles(dns_c_ctx_t *cfg, isc_uint32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetfiles(dns_c_ctx_t *cfg);
+
+
+isc_result_t
+dns_c_ctx_setmaxncachettl(dns_c_ctx_t *cfg, isc_uint32_t newval);
+
+isc_result_t
+dns_c_ctx_getmaxncachettl(dns_c_ctx_t *cfg, isc_uint32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetmaxncachettl(dns_c_ctx_t *cfg);
+
+
+isc_result_t
+dns_c_ctx_setmaxcachettl(dns_c_ctx_t *cfg, isc_uint32_t newval);
+
+isc_result_t
+dns_c_ctx_getmaxcachettl(dns_c_ctx_t *cfg, isc_uint32_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetmaxcachettl(dns_c_ctx_t *cfg);
+
+
+isc_result_t
+dns_c_ctx_setexpertmode(dns_c_ctx_t *cfg, isc_boolean_t newval);
+
+isc_result_t
+dns_c_ctx_getexpertmode(dns_c_ctx_t *cfg, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetexpertmode(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setfakeiquery(dns_c_ctx_t *cfg, isc_boolean_t newval);
+
+isc_result_t
+dns_c_ctx_getfakeiquery(dns_c_ctx_t *cfg, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetfakeiquery(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setrecursion(dns_c_ctx_t *cfg, isc_boolean_t newval);
+
+isc_result_t
+dns_c_ctx_getrecursion(dns_c_ctx_t *cfg, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetrecursion(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setfetchglue(dns_c_ctx_t *cfg, isc_boolean_t newval);
+
+isc_result_t
+dns_c_ctx_getfetchglue(dns_c_ctx_t *cfg, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetfetchglue(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setnotify(dns_c_ctx_t *cfg, isc_boolean_t newval);
+
+isc_result_t
+dns_c_ctx_getnotify(dns_c_ctx_t *cfg, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetnotify(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_sethoststatistics(dns_c_ctx_t *cfg, isc_boolean_t newval);
+
+isc_result_t
+dns_c_ctx_gethoststatistics(dns_c_ctx_t *cfg, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_ctx_unsethoststatistics(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setdealloconexit(dns_c_ctx_t *cfg, isc_boolean_t newval);
+
+isc_result_t
+dns_c_ctx_getdealloconexit(dns_c_ctx_t *cfg, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetdealloconexit(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setuseixfr(dns_c_ctx_t *cfg, isc_boolean_t newval);
+
+isc_result_t
+dns_c_ctx_getuseixfr(dns_c_ctx_t *cfg, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetuseixfr(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setmaintainixfrbase(dns_c_ctx_t *cfg, isc_boolean_t newval);
+
+isc_result_t
+dns_c_ctx_getmaintainixfrbase(dns_c_ctx_t *cfg, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetmaintainixfrbase(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_sethasoldclients(dns_c_ctx_t *cfg, isc_boolean_t newval);
+
+isc_result_t
+dns_c_ctx_gethasoldclients(dns_c_ctx_t *cfg, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_ctx_unsethasoldclients(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setauthnxdomain(dns_c_ctx_t *cfg, isc_boolean_t newval);
+
+isc_result_t
+dns_c_ctx_getauthnxdomain(dns_c_ctx_t *cfg, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetauthnxdomain(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setmultiplecnames(dns_c_ctx_t *cfg, isc_boolean_t newval);
+
+isc_result_t
+dns_c_ctx_getmultiplecnames(dns_c_ctx_t *cfg, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetmultiplecnames(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setuseidpool(dns_c_ctx_t *cfg, isc_boolean_t newval);
+
+isc_result_t
+dns_c_ctx_getuseidpool(dns_c_ctx_t *cfg, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetuseidpool(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setdialup(dns_c_ctx_t *cfg, isc_boolean_t newval);
+
+isc_result_t
+dns_c_ctx_getdialup(dns_c_ctx_t *cfg, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetdialup(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setrfc2308type1(dns_c_ctx_t *cfg, isc_boolean_t newval);
+
+isc_result_t
+dns_c_ctx_getrfc2308type1(dns_c_ctx_t *cfg, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetrfc2308type1(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setrequestixfr(dns_c_ctx_t *cfg,
+				      isc_boolean_t newval);
+isc_result_t
+dns_c_ctx_getrequestixfr(dns_c_ctx_t *cfg,
+				      isc_boolean_t *retval);
+isc_result_t
+dns_c_ctx_unsetrequestixfr(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setprovideixfr(dns_c_ctx_t *cfg, isc_boolean_t newval);
+
+isc_result_t
+dns_c_ctx_getprovideixfr(dns_c_ctx_t *cfg, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetprovideixfr(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_settreatcrasspace(dns_c_ctx_t *cfg, isc_boolean_t newval);
+
+isc_result_t
+dns_c_ctx_gettreatcrasspace(dns_c_ctx_t *cfg, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_ctx_unsettreatcrasspace(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_settransfersource(dns_c_ctx_t *ctx, isc_sockaddr_t transfer_source);
+
+isc_result_t
+dns_c_ctx_gettransfersource(dns_c_ctx_t *ctx, isc_sockaddr_t *transfer_source);
+
+isc_result_t
+dns_c_ctx_unsettransfersource(dns_c_ctx_t *ctx);
+
+isc_result_t
+dns_c_ctx_settransfersourcev6(dns_c_ctx_t *ctx,
+			      isc_sockaddr_t transfer_source_v6);
+
+isc_result_t
+dns_c_ctx_gettransfersourcev6(dns_c_ctx_t *ctx,
+			      isc_sockaddr_t *transfer_source_v6);
+
+isc_result_t
+dns_c_ctx_unsettransfersourcev6(dns_c_ctx_t *ctx);
+
+isc_result_t
+dns_c_ctx_setquerysource(dns_c_ctx_t *ctx, isc_sockaddr_t query_source);
+
+isc_result_t
+dns_c_ctx_getquerysource(dns_c_ctx_t *ctx, isc_sockaddr_t *query_source);
+
+isc_result_t
+dns_c_ctx_unsetquerysource(dns_c_ctx_t *ctx);
+
+
+isc_result_t
+dns_c_ctx_setquerysourcev6(dns_c_ctx_t *ctx, isc_sockaddr_t query_source_v6);
+
+isc_result_t
+dns_c_ctx_getquerysourcev6(dns_c_ctx_t *ctx, isc_sockaddr_t *query_source_v6);
+
+isc_result_t
+dns_c_ctx_unsetquerysourcev6(dns_c_ctx_t *ctx);
+
+
+isc_result_t
+dns_c_ctx_setadditionaldata(dns_c_ctx_t *ctx, dns_c_addata_t addata);
+
+isc_result_t
+dns_c_ctx_getadditionaldata(dns_c_ctx_t *ctx, dns_c_addata_t *addata);
+
+isc_result_t
+dns_c_ctx_unsetadditionaldata(dns_c_ctx_t *ctx);
+
+
+
+isc_result_t
+dns_c_ctx_setforward(dns_c_ctx_t *cfg, dns_c_forw_t forward);
+
+isc_result_t
+dns_c_ctx_getforward(dns_c_ctx_t *cfg, dns_c_forw_t *forward);
+
+isc_result_t
+dns_c_ctx_unsetforward(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_settkeydomain(dns_c_ctx_t *cfg, const char *newval);
+
+isc_result_t
+dns_c_ctx_settkeydhkey(dns_c_ctx_t *cfg, const char *newcpval,
+		       isc_int32_t newival);
+
+isc_result_t
+dns_c_ctx_gettkeydomain(dns_c_ctx_t *cfg, char **retval);
+
+isc_result_t
+dns_c_ctx_gettkeydhkey(dns_c_ctx_t *cfg, char **retcpval,
+		       isc_int32_t *retival);
+/* XXX need unset version */
+
+isc_result_t
+dns_c_ctx_setalsonotify(dns_c_ctx_t *ctx, dns_c_iplist_t *newval);
+
+isc_result_t
+dns_c_ctx_getalsonotify(dns_c_ctx_t *ctx, dns_c_iplist_t **ret);
+
+isc_result_t
+dns_c_ctx_unsetalsonotify(dns_c_ctx_t *ctx);
+
+isc_result_t
+dns_c_ctx_setchecknames(dns_c_ctx_t *cfg, dns_c_trans_t transtype,
+			dns_severity_t newval);
+
+isc_result_t
+dns_c_ctx_getchecknames(dns_c_ctx_t *cfg, dns_c_trans_t transtype,
+			dns_severity_t *retval);
+
+isc_result_t
+dns_c_ctx_unsetchecknames(dns_c_ctx_t *cfg, dns_c_trans_t transtype);
+
+isc_result_t
+dns_c_ctx_settransferformat(dns_c_ctx_t *cfg, dns_transfer_format_t tformat);
+
+isc_result_t
+dns_c_ctx_gettransferformat(dns_c_ctx_t *cfg, dns_transfer_format_t *tformat);
+
+isc_result_t
+dns_c_ctx_unsettransferformat(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setallowquery(dns_c_ctx_t *cfg, dns_c_ipmatchlist_t *iml);
+
+isc_result_t
+dns_c_ctx_getallowquery(dns_c_ctx_t *cfg, dns_c_ipmatchlist_t **list);
+
+isc_result_t
+dns_c_ctx_unsetallowquery(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setallowtransfer(dns_c_ctx_t *cfg, dns_c_ipmatchlist_t *iml);
+
+isc_result_t
+dns_c_ctx_getallowtransfer(dns_c_ctx_t *cfg, dns_c_ipmatchlist_t **list);
+
+isc_result_t
+dns_c_ctx_unsetallowtransfer(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setallowrecursion(dns_c_ctx_t *cfg, dns_c_ipmatchlist_t *iml);
+
+isc_result_t
+dns_c_ctx_getallowrecursion(dns_c_ctx_t *cfg, dns_c_ipmatchlist_t **list);
+
+isc_result_t
+dns_c_ctx_unsetallowrecursion(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setblackhole(dns_c_ctx_t *cfg, dns_c_ipmatchlist_t *iml);
+
+isc_result_t
+dns_c_ctx_getblackhole(dns_c_ctx_t *cfg, dns_c_ipmatchlist_t **list);
+
+isc_result_t
+dns_c_ctx_unsetblackhole(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_settopology(dns_c_ctx_t *cfg, dns_c_ipmatchlist_t *iml);
+
+isc_result_t
+dns_c_ctx_gettopology(dns_c_ctx_t *cfg, dns_c_ipmatchlist_t **list);
+
+isc_result_t
+dns_c_ctx_unsettopology(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setsortlist(dns_c_ctx_t *cfg, dns_c_ipmatchlist_t *iml);
+
+isc_result_t
+dns_c_ctx_getsortlist(dns_c_ctx_t *cfg, dns_c_ipmatchlist_t **list);
+
+isc_result_t
+dns_c_ctx_unsetsortlist(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setallowupdateforwarding(dns_c_ctx_t *cfg, dns_c_ipmatchlist_t *iml);
+
+isc_result_t
+dns_c_ctx_getallowupdateforwarding(dns_c_ctx_t *cfg,
+				   dns_c_ipmatchlist_t **list);
+
+isc_result_t
+dns_c_ctx_unsetallowupdateforwarding(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_setforwarders(dns_c_ctx_t *cfg, isc_boolean_t copy,
+			dns_c_iplist_t *iml);
+
+isc_result_t
+dns_c_ctx_getforwarders(dns_c_ctx_t *cfg, dns_c_iplist_t **list);
+
+isc_result_t
+dns_c_ctx_unsetforwarders(dns_c_ctx_t *cfg);
+
+isc_result_t
+dns_c_ctx_addlisten_on(dns_c_ctx_t *cfg, int port, dns_c_ipmatchlist_t *ml,
+		       isc_boolean_t copy);
+
+isc_result_t
+dns_c_ctx_getlistenlist(dns_c_ctx_t *cfg, dns_c_lstnlist_t **ll);
+
+isc_result_t
+dns_c_ctx_setrrsetorderlist(dns_c_ctx_t *cfg, isc_boolean_t copy,
+			    dns_c_rrsolist_t *olist);
+
+isc_result_t
+dns_c_ctx_getrrsetorderlist(dns_c_ctx_t *cfg, dns_c_rrsolist_t **olist);
+
+isc_result_t
+dns_c_ctx_gettrustedkeys(dns_c_ctx_t *cfg, dns_c_tkeylist_t **retval);
+
+ISC_LANG_ENDDECLS
 
+#endif /* DNS_CONFCTX_H */
 
-dns_c_zone_t   *dns_c_ctx_getcurrzone(dns_c_ctx_t *cfg);
-dns_c_view_t   *dns_c_ctx_getcurrview(dns_c_ctx_t *cfg);
-isc_result_t	dns_c_ctx_getdirectory(dns_c_ctx_t *cfg, char **retval);
-isc_result_t	dns_c_ctx_getversion(dns_c_ctx_t *cfg, char **retval);
-isc_result_t	dns_c_ctx_getdumpfilename(dns_c_ctx_t *cfg, char **retval);
-isc_result_t	dns_c_ctx_getpidfilename(dns_c_ctx_t *cfg, char **retval);
-isc_result_t	dns_c_ctx_getstatsfilename(dns_c_ctx_t *cfg, char **retval);
-isc_result_t	dns_c_ctx_getmemstatsfilename(dns_c_ctx_t *cfg,
-					      char **retval);
-isc_result_t	dns_c_ctx_getnamedxfer(dns_c_ctx_t *cfg, char **retval);
-isc_result_t	dns_c_ctx_gettkeydomain(dns_c_ctx_t *cfg, char **retval);
-isc_result_t	dns_c_ctx_gettkeydhkey(dns_c_ctx_t *cfg,
-				       char **retcpval, isc_int32_t *retival);
-isc_result_t	dns_c_ctx_getmaxncachettl(dns_c_ctx_t *cfg,
-					  isc_uint32_t *retval);
-isc_result_t	dns_c_ctx_gettransfersin(dns_c_ctx_t *cfg,
-					 isc_int32_t *retval);
-isc_result_t	dns_c_ctx_gettransfersperns(dns_c_ctx_t *cfg,
-					    isc_int32_t *retval);
-isc_result_t	dns_c_ctx_gettransfersout(dns_c_ctx_t *cfg,
-					  isc_int32_t *retval);
-isc_result_t	dns_c_ctx_getmaxlogsizeixfr(dns_c_ctx_t *cfg,
-					    isc_int32_t *retval);
-isc_result_t	dns_c_ctx_getcleaninterval(dns_c_ctx_t *cfg,
-					   isc_int32_t *retval);
-isc_result_t	dns_c_ctx_getinterfaceinterval(dns_c_ctx_t *cfg,
-					       isc_int32_t *retval);
-isc_result_t	dns_c_ctx_getstatsinterval(dns_c_ctx_t *cfg,
-					   isc_int32_t *retval);
-isc_result_t	dns_c_ctx_getheartbeatinterval(dns_c_ctx_t *cfg,
-					       isc_int32_t *retval);
-isc_result_t	dns_c_ctx_getmaxtransfertimein(dns_c_ctx_t *cfg,
-					       isc_int32_t *retval);
-isc_result_t	dns_c_ctx_getmaxtransfertimeout(dns_c_ctx_t *cfg,
-					       isc_int32_t *retval);
-isc_result_t	dns_c_ctx_getmaxtransferidlein(dns_c_ctx_t *cfg,
-					       isc_int32_t *retval);
-isc_result_t	dns_c_ctx_getmaxtransferidleout(dns_c_ctx_t *cfg,
-					       isc_int32_t *retval);
-isc_result_t	dns_c_ctx_gettcpclients(dns_c_ctx_t *cfg,
-					isc_int32_t *retval);
-isc_result_t	dns_c_ctx_getrecursiveclients(dns_c_ctx_t *cfg,
-					      isc_int32_t *retval);
-
-isc_result_t	dns_c_ctx_getdatasize(dns_c_ctx_t *cfg,
-				      isc_uint32_t *retval);
-isc_result_t	dns_c_ctx_getstacksize(dns_c_ctx_t *cfg,
-				       isc_uint32_t *retval);
-isc_result_t	dns_c_ctx_getcoresize(dns_c_ctx_t *cfg,
-				      isc_uint32_t *retval);
-isc_result_t	dns_c_ctx_getfiles(dns_c_ctx_t *cfg, isc_uint32_t *retval);
-isc_result_t	dns_c_ctx_getexpertmode(dns_c_ctx_t *cfg,
-					isc_boolean_t *retval);
-isc_result_t	dns_c_ctx_getfakeiquery(dns_c_ctx_t *cfg,
-					isc_boolean_t *retval);
-isc_result_t	dns_c_ctx_getrecursion(dns_c_ctx_t *cfg,
-				       isc_boolean_t *retval);
-isc_result_t	dns_c_ctx_getfetchglue(dns_c_ctx_t *cfg,
-				       isc_boolean_t *retval);
-isc_result_t	dns_c_ctx_getnotify(dns_c_ctx_t *cfg, isc_boolean_t *retval);
-isc_result_t	dns_c_ctx_gethoststatistics(dns_c_ctx_t *cfg,
-					    isc_boolean_t *retval);
-isc_result_t	dns_c_ctx_getdealloconexit(dns_c_ctx_t *cfg,
-					   isc_boolean_t *retval);
-isc_result_t	dns_c_ctx_getuseixfr(dns_c_ctx_t *cfg,
-				     isc_boolean_t *retval);
-isc_result_t	dns_c_ctx_getmaintainixfrbase(dns_c_ctx_t *cfg,
-					      isc_boolean_t *retval);
-isc_result_t	dns_c_ctx_gethasoldclients(dns_c_ctx_t *cfg,
-					   isc_boolean_t *retval);
-isc_result_t	dns_c_ctx_getauthnxdomain(dns_c_ctx_t *cfg,
-					    isc_boolean_t *retval);
-isc_result_t	dns_c_ctx_getmultiplecnames(dns_c_ctx_t *cfg,
-					    isc_boolean_t *retval);
-isc_result_t	dns_c_ctx_getuseidpool(dns_c_ctx_t *cfg,
-				       isc_boolean_t *retval);
-isc_result_t	dns_c_ctx_getrfc2308type1(dns_c_ctx_t *cfg,
-					  isc_boolean_t *retval);
-isc_result_t	dns_c_ctx_getrequestixfr(dns_c_ctx_t *cfg,
-                                         isc_boolean_t *retval);
-isc_result_t	dns_c_ctx_getprovideixfr(dns_c_ctx_t *cfg,
-                                         isc_boolean_t *retval);
-isc_result_t	dns_c_ctx_getdialup(dns_c_ctx_t *cfg, isc_boolean_t *retval);
-isc_result_t	dns_c_ctx_getalsonotify(dns_c_ctx_t *ctx,
-					dns_c_iplist_t **ret);
-isc_result_t	dns_c_ctx_gettransfersource(dns_c_ctx_t *ctx,
-					    isc_sockaddr_t *retval);
-isc_result_t	dns_c_ctx_gettransfersourcev6(dns_c_ctx_t *ctx,
-					      isc_sockaddr_t *retval);
-
-isc_result_t	dns_c_ctx_getquerysource(dns_c_ctx_t *cfg,
-					 isc_sockaddr_t *addr);
-isc_result_t	dns_c_ctx_getquerysourcev6(dns_c_ctx_t *cfg,
-					   isc_sockaddr_t *addr);
-isc_result_t	dns_c_ctx_getchecknames(dns_c_ctx_t *cfg,
-					dns_c_trans_t transtype,
-					dns_severity_t *sever);
-isc_result_t	dns_c_ctx_gettransferformat(dns_c_ctx_t *cfg,
-					    dns_transfer_format_t *retval);
-isc_result_t	dns_c_ctx_getqueryacl(dns_c_ctx_t *cfg,
-				      dns_c_ipmatchlist_t **list);
-isc_result_t	dns_c_ctx_gettransferacl(dns_c_ctx_t *cfg,
-					 dns_c_ipmatchlist_t **list);
-isc_result_t	dns_c_ctx_getrecursionacl(dns_c_ctx_t *cfg,
-					  dns_c_ipmatchlist_t **list);
-isc_result_t	dns_c_ctx_getblackhole(dns_c_ctx_t *cfg,
-				       dns_c_ipmatchlist_t **list);
-isc_result_t	dns_c_ctx_gettopology(dns_c_ctx_t *cfg,
-				      dns_c_ipmatchlist_t **list);
-isc_result_t	dns_c_ctx_getsortlist(dns_c_ctx_t *cfg,
-				      dns_c_ipmatchlist_t **list);
-isc_result_t	dns_c_ctx_getlistenlist(dns_c_ctx_t *cfg,
-					dns_c_lstnlist_t **ll);
-isc_result_t	dns_c_ctx_getforward(dns_c_ctx_t *cfg, dns_c_forw_t *forw);
-isc_result_t	dns_c_ctx_getforwarders(dns_c_ctx_t *cfg,
-					dns_c_iplist_t **list);
-isc_result_t	dns_c_ctx_getrrsetorderlist(dns_c_ctx_t *cfg,
-					    dns_c_rrsolist_t **olist);
-isc_result_t	dns_c_ctx_gettrustedkeys(dns_c_ctx_t *cfg,
-					 dns_c_tkeylist_t **retval);
-isc_result_t	dns_c_ctx_getlogging(dns_c_ctx_t *cfg,
-				     dns_c_logginglist_t **retval);
-
-
-
-
-
-#endif /* DNS_CONFIG_CONFCTX_H */
diff --git a/lib/dns/include/dns/confip.h b/lib/dns/include/dns/confip.h
index 570a347a..69a23b58 100644
--- a/lib/dns/include/dns/confip.h
+++ b/lib/dns/include/dns/confip.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef DNS_CONFIG_CONFIP_H
-#define DNS_CONFIG_CONFIP_H 1
+#ifndef DNS_CONFIP_H
+#define DNS_CONFIP_H 1
 
 /*****
  ***** Module Info
@@ -51,40 +51,30 @@
  *** Imports
  ***/
 
-#include <config.h>
-
-#include <sys/types.h>
-
-#include <isc/region.h>
-#include <isc/list.h>
+#include <isc/lang.h>
 #include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/net.h>
+#include <isc/region.h>
+#include <isc/sockaddr.h>
 
 #include <dns/confcommon.h>
 
+#define DNS_C_IPLIST_MAGIC 0x49706c73		/* Ipls */
+#define DNS_C_IPMDIRECT_MAGIC 0x49506d64	/* IPmd */
+#define DNS_C_IPMINDIRECT_MAGIC 0x69506d69	/* iPmi */
+#define DNS_C_IPMELEM_MAGIC 0x49704d65		/* IpMe */
+#define DNS_C_IPMLIST_MAGIC 0x69706d6c		/* ipml */
 
-#define DNS_C_IPLIST_MAGIC 0x49706c73	/* Ipls */ /* dns_c_iplist */
-#define DNS_C_IPMDIRECT_MAGIC 0x49506d64 /* IPmd */ /* dns_c_ipmatch_direct */
-#define DNS_C_IPMINDIRECT_MAGIC 0x69506d69 /* iPmi */ /* dns_c_ipmatch_indirect */
-#define DNS_C_IPMELEM_MAGIC 0x49704d65	/* IpMe */ /* dns_c_ipmatch_element */
-#define DNS_C_IPMLIST_MAGIC 0x69706d6c	/* ipml */ /* dns_c_ipmatchlist */
-
-#define DNS_C_IPLIST_VALID(ptr)	ISC_MAGIC_VALID(ptr,DNS_C_IPLIST_MAGIC)
+#define DNS_C_IPLIST_VALID(ptr)	  ISC_MAGIC_VALID(ptr, DNS_C_IPLIST_MAGIC)
 #define DNS_C_IPDIRECT_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_IPMDIRECT_MAGIC)
 #define DNS_C_IPINDIRECT_VALID(ptr) \
-	ISC_MAGIC_VALID(ptr, DNS_C_IPMINDIRECT_MAGIC)
-#define DNS_C_IPMELEM_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_IPMELEM_MAGIC)
-#define DNS_C_IPMLIST_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_IPMLIST_MAGIC)
-
-
-
+				  ISC_MAGIC_VALID(ptr, DNS_C_IPMINDIRECT_MAGIC)
+#define DNS_C_IPMELEM_VALID(ptr)  ISC_MAGIC_VALID(ptr, DNS_C_IPMELEM_MAGIC)
+#define DNS_C_IPMLIST_VALID(ptr)  ISC_MAGIC_VALID(ptr, DNS_C_IPMLIST_MAGIC)
 
 /***
  *** Types
  ***/
 
-
 typedef struct dns_c_iplist		dns_c_iplist_t;
 typedef struct dns_c_ipmatch_direct	dns_c_ipmatch_direct_t ;
 typedef struct dns_c_ipmatch_indirect	dns_c_ipmatch_indirect_t;
@@ -93,7 +83,9 @@ typedef struct dns_c_ipmatch_element	dns_c_ipmatchelement_t;
 typedef struct dns_c_ipmatch_list	dns_c_ipmatchlist_t;
 
 
-/* A list of IP addresses (IPv4 or IPv6) */
+/*
+ * A list of IP addresses (IPv4 or IPv6).
+ */
 struct dns_c_iplist {
 	isc_uint32_t		magic;
 	
@@ -104,10 +96,7 @@ struct dns_c_iplist {
 	isc_uint32_t		nextidx;
 };
 
-
-
-struct dns_c_ipmatch_direct
-{
+struct dns_c_ipmatch_direct {
 	isc_uint32_t	magic;
 	
 	isc_sockaddr_t	address;		/* XXX IPv6??? */
@@ -116,18 +105,14 @@ struct dns_c_ipmatch_direct
 
 
 
-struct dns_c_ipmatch_indirect
-{
+struct dns_c_ipmatch_indirect {
 	isc_uint32_t	magic;
 	
-	isc_textregion_t refname;	/* for acls, mostly. */
+	isc_textregion_t refname;	/* For acls, mostly. */
 	dns_c_ipmatchlist_t *list;
 };
 
-
-
-struct dns_c_ipmatch_element
-{
+struct dns_c_ipmatch_element {
 	isc_uint32_t	magic;
 	
 	dns_c_ipmatch_type_t type;
@@ -143,8 +128,7 @@ struct dns_c_ipmatch_element
 };
 
 
-struct dns_c_ipmatch_list
-{
+struct dns_c_ipmatch_list {
 	isc_uint32_t	magic;
 	
 	isc_mem_t *mem;
@@ -158,82 +142,117 @@ struct dns_c_ipmatch_list
  *** Functions
  ***/
 
+ISC_LANG_BEGINDECLS
+
 /*
  * In all the functions below where an isc_mem_t is a parameter, that
  * paramater will be used for all memory allocation.
  */
 
 
-isc_result_t	dns_c_ipmatchelement_new(isc_mem_t *mem,
-					 dns_c_ipmatchelement_t **result);
-isc_result_t	dns_c_ipmatchelement_delete(isc_mem_t *mem,
-					    dns_c_ipmatchelement_t **ipme);
-isc_result_t	dns_c_ipmatchelement_copy(isc_mem_t *mem,
-					  dns_c_ipmatchelement_t **dest,
-					  dns_c_ipmatchelement_t *src);
-isc_result_t	dns_c_ipmatchelement_print(FILE *fp, int indent,
-					   dns_c_ipmatchelement_t *ime);
-isc_boolean_t	dns_c_ipmatchelement_isneg(dns_c_ipmatchelement_t *elem);
-
-isc_result_t	dns_c_ipmatch_negate(dns_c_ipmatchelement_t *ipe);
-isc_result_t	dns_c_ipmatch_aclnew(isc_mem_t *mem,
-				     dns_c_ipmatchelement_t **result,
-				     const char *aclname);
-isc_result_t	dns_c_ipmatchkey_new(isc_mem_t *mem,
-				     dns_c_ipmatchelement_t **result,
-				     const char *key);
-isc_result_t	dns_c_ipmatchany_new(isc_mem_t *mem,
-				     dns_c_ipmatchelement_t **result); 
-isc_result_t	dns_c_ipmatchlocalhost_new(isc_mem_t *mem,
-					   dns_c_ipmatchelement_t **result); 
-isc_result_t	dns_c_ipmatchlocalnets_new(isc_mem_t *mem,
-					   dns_c_ipmatchelement_t **result); 
-isc_result_t	dns_c_ipmatchpattern_new(isc_mem_t *mem,
-					 dns_c_ipmatchelement_t **result,
-					 isc_sockaddr_t address,
-					 isc_uint32_t maskbits);
-isc_result_t	dns_c_ipmatchindirect_new(isc_mem_t *mem,
-					  dns_c_ipmatchelement_t **result,
-					  dns_c_ipmatchlist_t *iml,
-					  const char *name);
-
-isc_result_t	dns_c_ipmatchlist_new(isc_mem_t *mem,
-				      dns_c_ipmatchlist_t **ptr);
-isc_result_t	dns_c_ipmatchlist_detach(dns_c_ipmatchlist_t **ml);
-void		dns_c_ipmatchlist_attach(dns_c_ipmatchlist_t *source,
-					  dns_c_ipmatchlist_t **target);
-isc_result_t	dns_c_ipmatchlist_copy(isc_mem_t *mem,
-				       dns_c_ipmatchlist_t **dest,
-				       dns_c_ipmatchlist_t *src);
-isc_result_t	dns_c_ipmatchlist_empty(dns_c_ipmatchlist_t *ipml);
-isc_result_t	dns_c_ipmatchlist_append(dns_c_ipmatchlist_t *dest,
-					 dns_c_ipmatchlist_t *src,
-					 isc_boolean_t negate);
-isc_result_t	dns_c_ipmatchlist_print(FILE *fp, int indent,
-					dns_c_ipmatchlist_t *iml);
-
-
-
-isc_result_t	dns_c_iplist_new(isc_mem_t *mem, int length,
-				 dns_c_iplist_t **newlist);
-isc_result_t	dns_c_iplist_detach(dns_c_iplist_t **list);
-isc_result_t	dns_c_iplist_copy(isc_mem_t *mem, dns_c_iplist_t **dest,
-				  dns_c_iplist_t *src);
-void	        dns_c_iplist_attach(dns_c_iplist_t *source,
-				    dns_c_iplist_t **target);
-isc_result_t	dns_c_iplist_append(dns_c_iplist_t *list,
-				    isc_sockaddr_t newaddr);
-isc_result_t	dns_c_iplist_remove(dns_c_iplist_t *list,
-				    isc_sockaddr_t newaddr);
-void		dns_c_iplist_print(FILE *fp, int indent,
-				   dns_c_iplist_t *list);
-isc_boolean_t	dns_c_iplist_equal(dns_c_iplist_t *list1,
-				   dns_c_iplist_t *list2);
-
-isc_boolean_t dns_c_ipmatchelement_equal(dns_c_ipmatchelement_t *e1,
-					 dns_c_ipmatchelement_t *e2);
-
-isc_boolean_t dns_c_ipmatchlist_equal(dns_c_ipmatchlist_t *l1,
-				      dns_c_ipmatchlist_t *l2);
-
-#endif /* DNS_CONFIG_CONFIP_H */
+isc_result_t
+dns_c_ipmatchelement_new(isc_mem_t *mem, dns_c_ipmatchelement_t **result);
+
+isc_result_t
+dns_c_ipmatchelement_delete(isc_mem_t *mem, dns_c_ipmatchelement_t **ipme);
+
+isc_result_t
+dns_c_ipmatchelement_copy(isc_mem_t *mem, dns_c_ipmatchelement_t **dest,
+			  dns_c_ipmatchelement_t *src);
+
+isc_result_t
+dns_c_ipmatchelement_print(FILE *fp, int indent, dns_c_ipmatchelement_t *ime);
+
+isc_boolean_t
+dns_c_ipmatchelement_isneg(dns_c_ipmatchelement_t *elem);
+
+isc_result_t
+dns_c_ipmatch_negate(dns_c_ipmatchelement_t *ipe);
+
+isc_result_t
+dns_c_ipmatch_aclnew(isc_mem_t *mem, dns_c_ipmatchelement_t **result,
+		     const char *aclname);
+
+isc_result_t
+dns_c_ipmatchkey_new(isc_mem_t *mem, dns_c_ipmatchelement_t **result,
+		     const char *key);
+
+isc_result_t
+dns_c_ipmatchany_new(isc_mem_t *mem, dns_c_ipmatchelement_t **result); 
+
+isc_result_t
+dns_c_ipmatchlocalhost_new(isc_mem_t *mem, dns_c_ipmatchelement_t **result); 
+
+isc_result_t
+dns_c_ipmatchlocalnets_new(isc_mem_t *mem, dns_c_ipmatchelement_t **result); 
+
+isc_result_t
+dns_c_ipmatchpattern_new(isc_mem_t *mem, dns_c_ipmatchelement_t **result,
+			 isc_sockaddr_t address, isc_uint32_t maskbits);
+
+isc_result_t
+dns_c_ipmatchindirect_new(isc_mem_t *mem, dns_c_ipmatchelement_t **result,
+			  dns_c_ipmatchlist_t *iml, const char *name);
+
+isc_result_t
+dns_c_ipmatchlist_new(isc_mem_t *mem, dns_c_ipmatchlist_t **ptr);
+
+isc_result_t
+dns_c_ipmatchlist_detach(dns_c_ipmatchlist_t **ml);
+
+void
+dns_c_ipmatchlist_attach(dns_c_ipmatchlist_t *source,
+			 dns_c_ipmatchlist_t **target);
+
+isc_result_t
+dns_c_ipmatchlist_copy(isc_mem_t *mem, dns_c_ipmatchlist_t **dest,
+		       dns_c_ipmatchlist_t *src);
+
+isc_result_t
+dns_c_ipmatchlist_empty(dns_c_ipmatchlist_t *ipml);
+
+isc_result_t
+dns_c_ipmatchlist_append(dns_c_ipmatchlist_t *dest, dns_c_ipmatchlist_t *src,
+			 isc_boolean_t negate);
+
+isc_result_t
+dns_c_ipmatchlist_print(FILE *fp, int indent, dns_c_ipmatchlist_t *iml);
+
+isc_result_t
+dns_c_iplist_new(isc_mem_t *mem, int length, dns_c_iplist_t **newlist);
+
+isc_result_t
+dns_c_iplist_detach(dns_c_iplist_t **list);
+
+isc_result_t
+dns_c_iplist_copy(isc_mem_t *mem, dns_c_iplist_t **dest, dns_c_iplist_t *src);
+
+void
+dns_c_iplist_attach(dns_c_iplist_t *source, dns_c_iplist_t **target);
+
+isc_result_t
+dns_c_iplist_append(dns_c_iplist_t *list, isc_sockaddr_t newaddr);
+
+isc_result_t
+dns_c_iplist_remove(dns_c_iplist_t *list, isc_sockaddr_t newaddr);
+
+void
+dns_c_iplist_print(FILE *fp, int indent, dns_c_iplist_t *list);
+
+void
+dns_c_iplist_printfully(FILE *fp, int indent, isc_boolean_t porttoo,
+			dns_c_iplist_t *list);
+
+isc_boolean_t
+dns_c_iplist_equal(dns_c_iplist_t *list1, dns_c_iplist_t *list2);
+
+isc_boolean_t
+dns_c_ipmatchelement_equal(dns_c_ipmatchelement_t *e1,
+			   dns_c_ipmatchelement_t *e2);
+
+isc_boolean_t
+dns_c_ipmatchlist_equal(dns_c_ipmatchlist_t *l1, dns_c_ipmatchlist_t *l2);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CONFIP_H */
diff --git a/lib/dns/include/dns/confkeys.h b/lib/dns/include/dns/confkeys.h
index 7a456bff..318f68b9 100644
--- a/lib/dns/include/dns/confkeys.h
+++ b/lib/dns/include/dns/confkeys.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef DNS_CONFIG_CONFKEYS_H
-#define DNS_CONFIG_CONFKEYS_H 1
+#ifndef DNS_CONFKEYS_H
+#define DNS_CONFKEYS_H 1
 
 /*****
  ***** Module Info
@@ -55,10 +55,9 @@
 
 #include <stdio.h>
 
-#include <config.h>
-
+#include <isc/lang.h>
+#include <isc/magic.h>
 #include <isc/types.h>
-#include <isc/list.h>
 
 
 #define DNS_C_TKEY_MAGIC		0x544b4559 /* TKEY */
@@ -79,13 +78,10 @@
 #define DNS_C_KEYID_VALID(ptr)	   ISC_MAGIC_VALID(ptr, DNS_C_KEYID_MAGIC)
 #define DNS_C_KEYIDLIST_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_KEYIDLIST_MAGIC)
 
-
-
 /***
  *** Types
  ***/
 
-
 typedef struct dns_c_pubkey		dns_c_pubkey_t;
 typedef struct dns_c_pklist		dns_c_pklist_t;
 typedef struct dns_c_tkey		dns_c_tkey_t;
@@ -95,10 +91,10 @@ typedef struct dns_c_kdef_list		dns_c_kdeflist_t;
 typedef struct dns_c_kid		dns_c_kid_t;
 typedef struct dns_c_kid_list		dns_c_kidlist_t;
 
-
-/* The type for holding a trusted key value. */
-struct dns_c_tkey
-{
+/*
+ * The type for holding a trusted key value.
+ */
+struct dns_c_tkey {
 	isc_uint32_t		magic;
 	isc_mem_t	       *mem;
 	
@@ -108,9 +104,10 @@ struct dns_c_tkey
 	ISC_LINK(dns_c_tkey_t)	next;
 };
 
-/* A list of trusted keys. */
-struct dns_c_tkey_list
-{
+/*
+ * A list of trusted keys.
+ */
+struct dns_c_tkey_list {
 	isc_uint32_t		magic;
 	isc_mem_t	       *mem;
 
@@ -118,9 +115,10 @@ struct dns_c_tkey_list
 };
 	
 	
-/* A public key value */
-struct dns_c_pubkey
-{
+/*
+ * A public key value.
+ */
+struct dns_c_pubkey {
 	isc_uint32_t	magic;
 	isc_mem_t      *mem;
 	isc_int32_t	flags;
@@ -131,9 +129,10 @@ struct dns_c_pubkey
 	ISC_LINK(dns_c_pubkey_t)	next;
 };
 
-/* A list of pubkeys */
-struct dns_c_pklist
-{
+/*
+ * A list of pubkeys.
+ */
+struct dns_c_pklist {
 	isc_uint32_t			magic;
 	isc_mem_t		       *mem;
 
@@ -141,11 +140,12 @@ struct dns_c_pklist
 };
 
 
-/* A private key definition from a 'key' statement */
-struct dns_c_kdef 
-{
+/*
+ * A private key definition from a 'key' statement.
+ */
+struct dns_c_kdef {
 	isc_uint32_t		magic;
-	dns_c_kdeflist_t      *mylist;	
+	isc_mem_t	       *mem;
 
 	char		       *keyid;
 	char		       *algorithm;
@@ -154,10 +154,10 @@ struct dns_c_kdef
 	ISC_LINK(dns_c_kdef_t)	next;
 };
 
-
-/* A list of private keys */
-struct dns_c_kdef_list
-{
+/*
+ * A list of private keys.
+ */
+struct dns_c_kdef_list {
 	isc_uint32_t		magic;
 	isc_mem_t	       *mem;
 
@@ -165,140 +165,181 @@ struct dns_c_kdef_list
 };
 
 
-/* A key id for in a server statement 'keys' list */
-struct dns_c_kid
-{
+/*
+ * A key id for in a server statement 'keys' list.
+ */
+struct dns_c_kid {
 	isc_uint32_t		magic;
-	dns_c_kidlist_t	      *mylist;
+	isc_mem_t	       *mem;
 	char		       *keyid;
 
 	ISC_LINK(dns_c_kid_t)	next;
 };
 
 
-/* List of key ids for a 'server' statement */
-struct dns_c_kid_list
-{
-	isc_mem_t	       *mem;
+/*
+ * List of key ids for a 'server' statement.
+ */
+struct dns_c_kid_list {
 	isc_uint32_t		magic;
+	isc_mem_t	       *mem;
 
 	ISC_LIST(dns_c_kid_t)	keyids;
 };
 
-
 /***
  *** Functions
  ***/
 
-isc_result_t	dns_c_pklist_new(isc_mem_t *mem,
-                                 dns_c_pklist_t **pklist);
-isc_result_t	dns_c_pklist_delete(dns_c_pklist_t **list);
-isc_result_t	dns_c_pklist_addpubkey(dns_c_pklist_t *list,
-                                       dns_c_pubkey_t *pkey,
-                                       isc_boolean_t deepcopy);
-isc_result_t	dns_c_pklist_findpubkey(dns_c_pklist_t *list,
-					dns_c_pubkey_t **pubkey,
-					isc_int32_t flags,
-					isc_int32_t protocol,
-					isc_int32_t algorithm,
-					const char *key);
-isc_result_t	dns_c_pklist_rmpubkey(dns_c_pklist_t *list,
-				      isc_int32_t flags,
-				      isc_int32_t protocol,
-				      isc_int32_t algorithm,
-				      const char *key);
-void		dns_c_pklist_print(FILE *fp, int indent,
-				   dns_c_pklist_t *pubkey);
-
-
-
-isc_result_t	dns_c_pubkey_new(isc_mem_t *mem, isc_int32_t flags,
-				 isc_int32_t protocol,
-				 isc_int32_t algorithm,
-				 const char *key, dns_c_pubkey_t **pubkey);
-isc_result_t	dns_c_pubkey_delete(dns_c_pubkey_t **pubkey);
-isc_result_t	dns_c_pubkey_copy(isc_mem_t *mem, dns_c_pubkey_t **dest,
-				  dns_c_pubkey_t *src);
-isc_boolean_t	dns_c_pubkey_equal(dns_c_pubkey_t *k1, dns_c_pubkey_t *k2);
-void		dns_c_pubkey_print(FILE *fp, int indent,
-				   dns_c_pubkey_t *pubkey);
-
-
-isc_result_t	dns_c_kidlist_new(isc_mem_t *mem,
-				  dns_c_kidlist_t **list);
-isc_result_t	dns_c_kidlist_delete(dns_c_kidlist_t **list);
-isc_result_t	dns_c_kidlist_undef(dns_c_kidlist_t *list,
-				    const char *keyid);
-isc_result_t	dns_c_kidlist_find(dns_c_kidlist_t *list,
-				   const char *keyid,
-				   dns_c_kid_t **retval);
-void		dns_c_kidlist_print(FILE *fp, int indent,
-				    dns_c_kidlist_t *list);
-isc_result_t	dns_c_kid_new(dns_c_kidlist_t *list, const char *name,
-			      dns_c_kid_t **keyid);
-
-isc_result_t	dns_c_kdeflist_new(isc_mem_t *mem,
-				   dns_c_kdeflist_t **list);
-isc_result_t	dns_c_kdeflist_delete(dns_c_kdeflist_t **list);
-isc_result_t	dns_c_kdeflist_copy(isc_mem_t *mem,
-				    dns_c_kdeflist_t **dest,
-				    dns_c_kdeflist_t *src);
-isc_result_t	dns_c_kdeflist_append(dns_c_kdeflist_t *list,
-				      dns_c_kdef_t *key, isc_boolean_t copy);
-
-isc_result_t	dns_c_kdeflist_undef(dns_c_kdeflist_t *list,
-				     const char *keyid);
-isc_result_t	dns_c_kdeflist_find(dns_c_kdeflist_t *list,
-				    const char *keyid,
-				    dns_c_kdef_t **retval);
-void		dns_c_kdeflist_print(FILE *fp, int indent,
-				     dns_c_kdeflist_t *list);
-
-isc_result_t	dns_c_kdef_new(dns_c_kdeflist_t *list, const char *name,
-			       dns_c_kdef_t **keyid);
-isc_result_t	dns_c_kdef_delete(dns_c_kdef_t **keydef);
-isc_result_t	dns_c_kdef_copy(isc_mem_t *mem,
-				dns_c_kdef_t **dest, dns_c_kdef_t *src);
-
-void		dns_c_kdef_print(FILE *fp, int indent, dns_c_kdef_t *keydef);
-
-
-isc_result_t	dns_c_kdef_setalgorithm(dns_c_kdef_t *elem,
-					const char *algorithm);
-isc_result_t	dns_c_kdef_setsecret(dns_c_kdef_t *elem,
-				     const char *secret);
-
-isc_result_t	dns_c_tkeylist_new(isc_mem_t *mem,
-				   dns_c_tkeylist_t **newlist);
-isc_result_t	dns_c_tkeylist_delete(dns_c_tkeylist_t **list);
-isc_result_t	dns_c_tkeylist_copy(isc_mem_t *mem,
-				    dns_c_tkeylist_t **dest,
-				    dns_c_tkeylist_t *src);
-void		dns_c_tkeylist_print(FILE *fp, int indent,
-				     dns_c_tkeylist_t *list);
-isc_result_t	dns_c_tkeylist_append(dns_c_tkeylist_t *list,
-				      dns_c_tkey_t *element,
-				      isc_boolean_t copy);
-
-isc_result_t	dns_c_tkey_new(isc_mem_t *mem, const char *domain,
-			       isc_int32_t flags,
-			       isc_int32_t protocol,
-			       isc_int32_t algorithm,
-			       const char *key, dns_c_tkey_t **newkey);
-isc_result_t	dns_c_tkey_delete(dns_c_tkey_t **tkey);
-isc_result_t	dns_c_tkey_copy(isc_mem_t *mem,
-				dns_c_tkey_t **dest, dns_c_tkey_t *src);
-
-isc_result_t	dns_c_tkey_getflags(dns_c_tkey_t *tkey,
-				    isc_int32_t *flags);
-isc_result_t	dns_c_tkey_getprotocol(dns_c_tkey_t *tkey,
-				       isc_int32_t *protocol);
-isc_result_t	dns_c_tkey_getalgorithm(dns_c_tkey_t *tkey,
-					isc_int32_t *algorithm);
-isc_result_t	dns_c_tkey_getkey(dns_c_tkey_t *tkey,
-				  const char **key);
-void		dns_c_tkey_print(FILE *fp, int indent, dns_c_tkey_t *tkey);
-
-
-
-#endif /* DNS_CONFIG_CONFKEYS_H */
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_c_pklist_new(isc_mem_t *mem, dns_c_pklist_t **pklist);
+
+isc_result_t
+dns_c_pklist_delete(dns_c_pklist_t **list);
+
+isc_result_t
+dns_c_pklist_addpubkey(dns_c_pklist_t *list, dns_c_pubkey_t *pkey,
+		       isc_boolean_t deepcopy);
+
+isc_result_t
+dns_c_pklist_findpubkey(dns_c_pklist_t *list, dns_c_pubkey_t **pubkey,
+			isc_int32_t flags, isc_int32_t protocol,
+			isc_int32_t algorithm, const char *key);
+
+isc_result_t
+dns_c_pklist_rmpubkey(dns_c_pklist_t *list, isc_int32_t flags,
+		      isc_int32_t protocol, isc_int32_t algorithm,
+		      const char *key);
+
+void
+dns_c_pklist_print(FILE *fp, int indent, dns_c_pklist_t *pubkey);
+
+isc_result_t
+dns_c_pubkey_new(isc_mem_t *mem, isc_int32_t flags, isc_int32_t protocol,
+		 isc_int32_t algorithm, const char *key,
+		 dns_c_pubkey_t **pubkey);
+
+isc_result_t
+dns_c_pubkey_delete(dns_c_pubkey_t **pubkey);
+
+isc_result_t
+dns_c_pubkey_copy(isc_mem_t *mem, dns_c_pubkey_t **dest, dns_c_pubkey_t *src);
+
+isc_boolean_t
+dns_c_pubkey_equal(dns_c_pubkey_t *k1, dns_c_pubkey_t *k2);
+
+void
+dns_c_pubkey_print(FILE *fp, int indent, dns_c_pubkey_t *pubkey);
+
+isc_result_t
+dns_c_kidlist_new(isc_mem_t *mem, dns_c_kidlist_t **list);
+
+isc_result_t
+dns_c_kidlist_delete(dns_c_kidlist_t **list);
+
+isc_result_t
+dns_c_kidlist_undef(dns_c_kidlist_t *list, const char *keyid);
+
+isc_result_t
+dns_c_kidlist_find(dns_c_kidlist_t *list, const char *keyid,
+		   dns_c_kid_t **retval);
+
+void
+dns_c_kidlist_append(dns_c_kidlist_t *list, dns_c_kid_t *keyid);
+
+void
+dns_c_kidlist_print(FILE *fp, int indent, dns_c_kidlist_t *list);
+
+isc_result_t
+dns_c_kid_new(isc_mem_t *mem, const char *name, dns_c_kid_t **keyid);
+
+isc_result_t
+dns_c_kdeflist_new(isc_mem_t *mem, dns_c_kdeflist_t **list);
+
+isc_result_t
+dns_c_kdeflist_delete(dns_c_kdeflist_t **list);
+
+isc_result_t
+dns_c_kdeflist_copy(isc_mem_t *mem, dns_c_kdeflist_t **dest,
+		    dns_c_kdeflist_t *src);
+
+isc_result_t
+dns_c_kdeflist_append(dns_c_kdeflist_t *list, dns_c_kdef_t *key,
+		      isc_boolean_t copy);
+
+isc_result_t
+dns_c_kdeflist_undef(dns_c_kdeflist_t *list, const char *keyid);
+
+isc_result_t
+dns_c_kdeflist_find(dns_c_kdeflist_t *list, const char *keyid,
+		    dns_c_kdef_t **retval);
+
+void
+dns_c_kdeflist_print(FILE *fp, int indent, dns_c_kdeflist_t *list);
+
+isc_result_t
+dns_c_kdef_new(isc_mem_t *mem, const char *name, dns_c_kdef_t **keyid);
+
+isc_result_t
+dns_c_kdef_delete(dns_c_kdef_t **keydef);
+
+isc_result_t
+dns_c_kdef_copy(isc_mem_t *mem, dns_c_kdef_t **dest, dns_c_kdef_t *src);
+
+void
+dns_c_kdef_print(FILE *fp, int indent, dns_c_kdef_t *keydef);
+
+isc_result_t
+dns_c_kdef_setalgorithm(dns_c_kdef_t *elem, const char *algorithm);
+
+isc_result_t
+dns_c_kdef_setsecret(dns_c_kdef_t *elem, const char *secret);
+
+isc_result_t
+dns_c_tkeylist_new(isc_mem_t *mem, dns_c_tkeylist_t **newlist);
+
+isc_result_t
+dns_c_tkeylist_delete(dns_c_tkeylist_t **list);
+
+isc_result_t
+dns_c_tkeylist_copy(isc_mem_t *mem, dns_c_tkeylist_t **dest,
+		    dns_c_tkeylist_t *src);
+
+void
+dns_c_tkeylist_print(FILE *fp, int indent, dns_c_tkeylist_t *list);
+
+isc_result_t
+dns_c_tkeylist_append(dns_c_tkeylist_t *list, dns_c_tkey_t *element,
+		      isc_boolean_t copy);
+
+isc_result_t
+dns_c_tkey_new(isc_mem_t *mem, const char *domain, isc_int32_t flags,
+	       isc_int32_t protocol, isc_int32_t algorithm,
+	       const char *key, dns_c_tkey_t **newkey);
+
+isc_result_t
+dns_c_tkey_delete(dns_c_tkey_t **tkey);
+
+isc_result_t
+dns_c_tkey_copy(isc_mem_t *mem, dns_c_tkey_t **dest, dns_c_tkey_t *src);
+
+isc_result_t
+dns_c_tkey_getflags(dns_c_tkey_t *tkey, isc_int32_t *flags);
+
+isc_result_t
+dns_c_tkey_getprotocol(dns_c_tkey_t *tkey, isc_int32_t *protocol);
+
+isc_result_t
+dns_c_tkey_getalgorithm(dns_c_tkey_t *tkey, isc_int32_t *algorithm);
+
+isc_result_t
+dns_c_tkey_getkey(dns_c_tkey_t *tkey, const char **key);
+
+void
+dns_c_tkey_print(FILE *fp, int indent, dns_c_tkey_t *tkey);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CONFKEYS_H */
diff --git a/lib/dns/include/dns/conflog.h b/lib/dns/include/dns/conflog.h
index bd7c0da5..126edeed 100644
--- a/lib/dns/include/dns/conflog.h
+++ b/lib/dns/include/dns/conflog.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef DNS_CONFIG_CONFLOG_H
-#define DNS_CONFIG_CONFLOG_H 1
+#ifndef DNS_CONFLOG_H
+#define DNS_CONFLOG_H 1
 
 /*****
  ***** Module Info
@@ -54,9 +54,8 @@
  *** Imports
  ***/
 
-#include <config.h>
-
-#include <isc/mem.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
 
 #include <dns/confcommon.h>
 
@@ -78,9 +77,10 @@ typedef struct dns_c_logchan		dns_c_logchan_t;
 typedef struct dns_c_logcat		dns_c_logcat_t;
 typedef struct dns_c_logging_list	dns_c_logginglist_t;
 
-/* The structure that holds the list of channel and category definitions */
-struct dns_c_logging_list
-{
+/*
+ * The structure that holds the list of channel and category definitions.
+ */
+struct dns_c_logging_list {
 	isc_uint32_t			magic;
 	isc_mem_t		       *mem;
 	
@@ -118,8 +118,9 @@ struct dns_c_logchan
 	isc_boolean_t			print_severity;
 	isc_boolean_t			print_time;
 
-	/* Some channels are predefined e.g. default_syslog, in which case
-	 * this is true
+	/*
+	 * Some channels are predefined e.g. default_syslog, in which case
+	 * this is true.
 	 */
 	isc_boolean_t			predefined; 
 	
@@ -127,10 +128,10 @@ struct dns_c_logchan
 	dns_c_setbits_t			setflags;
 };
 
-
-/* Structure for holding a category definition */
-struct dns_c_logcat
-{
+/*
+ * Structure for holding a category definition.
+ */
+struct dns_c_logcat {
 	isc_uint32_t			magic;
 	isc_mem_t		       *mem;
 
@@ -148,112 +149,153 @@ struct dns_c_logcat
 	ISC_LINK(dns_c_logcat_t)	next;
 };
 
-
 /***
  *** Functions
  ***/
 
-isc_result_t	dns_c_logginglist_new(isc_mem_t *mem,
-				      dns_c_logginglist_t **list);
-isc_result_t	dns_c_logginglist_delete(dns_c_logginglist_t **list);
-void		dns_c_logginglist_print(FILE *fp, int indent,
-					dns_c_logginglist_t *ll,
-					isc_boolean_t if_predef_too);
-isc_result_t	dns_c_logginglist_copy(isc_mem_t *mem,
-				       dns_c_logginglist_t **dest,
-				       dns_c_logginglist_t *src);
-
-isc_result_t	dns_c_logginglist_addchannel(dns_c_logginglist_t *list,
-					     dns_c_logchan_t *newchan,
-					     isc_boolean_t deepcopy);
-isc_result_t	dns_c_logginglist_addcategory(dns_c_logginglist_t *list,
-					      dns_c_logcat_t *newcat,
-					      isc_boolean_t deepcopy);
-isc_result_t	dns_c_logginglist_delchannel(dns_c_logginglist_t *list,
-					     const char *name);
-isc_result_t	dns_c_logginglist_delcategory(dns_c_logginglist_t *list,
-					      const char *name);
-
-isc_result_t	dns_c_logginglist_chanbyname(dns_c_logginglist_t *list,
-					     const char *name,
-					     dns_c_logchan_t **chan);
-isc_result_t	dns_c_logginglist_catbyname(dns_c_logginglist_t *list,
-					    const char *name,
-					    dns_c_logcat_t **cat);
-
-isc_result_t	dns_c_logchan_new(isc_mem_t *mem, const char *name,
-				  dns_c_logchantype_t ctype,
-				  dns_c_logchan_t **newchan);
-isc_result_t	dns_c_logchan_delete(dns_c_logchan_t **channel);
-isc_result_t	dns_c_logchan_copy(isc_mem_t *mem, dns_c_logchan_t **dest,
-				   dns_c_logchan_t *src);
-void		dns_c_logchan_print(FILE *fp, int indent,
-				    dns_c_logchan_t *logchan,
-				    isc_boolean_t if_predef_too);
-
-
-isc_result_t	dns_c_logchan_setpath(dns_c_logchan_t *channel,
-				      const char *path);
-isc_result_t	dns_c_logchan_setversions(dns_c_logchan_t *channel,
-					  isc_uint32_t versions);
-isc_result_t	dns_c_logchan_setsize(dns_c_logchan_t *channel,
-				      isc_uint32_t size);
-isc_result_t	dns_c_logchan_setfacility(dns_c_logchan_t *channel,
-					  int facility);
-isc_result_t	dns_c_logchan_setseverity(dns_c_logchan_t *channel,
-					  dns_c_logseverity_t severity);
-isc_result_t	dns_c_logchan_setdebuglevel(dns_c_logchan_t *channel,
-					    isc_int32_t level);
-isc_result_t	dns_c_logchan_setprintcat(dns_c_logchan_t *channel,
-					  isc_boolean_t newval);
-isc_result_t	dns_c_logchan_setprintsev(dns_c_logchan_t *channel,
-					  isc_boolean_t newval);
-isc_result_t	dns_c_logchan_setprinttime(dns_c_logchan_t *channel,
-					   isc_boolean_t newval);
-isc_result_t	dns_c_logchan_setpredef(dns_c_logchan_t *channel,
-					isc_boolean_t newval);
-
-isc_result_t	dns_c_logchan_getpath(dns_c_logchan_t *channel,
-				      const char **path);
-isc_result_t	dns_c_logchan_getversions(dns_c_logchan_t *channel,
-					  isc_uint32_t *versions);
-isc_result_t	dns_c_logchan_getsize(dns_c_logchan_t *channel,
-				      isc_uint32_t *size);
-isc_result_t	dns_c_logchan_getfacility(dns_c_logchan_t *channel,
-					  int *facility);
-isc_result_t	dns_c_logchan_getseverity(dns_c_logchan_t *channel,
-					  dns_c_logseverity_t *severity);
-isc_result_t	dns_c_logchan_getdebuglevel(dns_c_logchan_t *channel,
-					    isc_int32_t *level);
-isc_result_t	dns_c_logchan_getprintcat(dns_c_logchan_t *channel,
-					  isc_boolean_t *retval);
-isc_result_t	dns_c_logchan_getprintsev(dns_c_logchan_t *channel,
-					  isc_boolean_t *retval);
-isc_result_t	dns_c_logchan_getprinttime(dns_c_logchan_t *channel,
-					   isc_boolean_t *retval);
-isc_result_t	dns_c_logchan_getpredef(dns_c_logchan_t *channel,
-					isc_boolean_t *retval);
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_c_logginglist_new(isc_mem_t *mem, dns_c_logginglist_t **list);
+
+isc_result_t
+dns_c_logginglist_delete(dns_c_logginglist_t **list);
+
+void
+dns_c_logginglist_print(FILE *fp, int indent, dns_c_logginglist_t *ll,
+			isc_boolean_t if_predef_too);
+
+isc_result_t
+dns_c_logginglist_copy(isc_mem_t *mem, dns_c_logginglist_t **dest,
+		       dns_c_logginglist_t *src);
+
+isc_result_t
+dns_c_logginglist_addchannel(dns_c_logginglist_t *list,
+			     dns_c_logchan_t *newchan, isc_boolean_t deepcopy);
+
+isc_result_t
+dns_c_logginglist_addcategory(dns_c_logginglist_t *list,
+			      dns_c_logcat_t *newcat, isc_boolean_t deepcopy);
+
+isc_result_t
+dns_c_logginglist_delchannel(dns_c_logginglist_t *list, const char *name);
+
+isc_result_t
+dns_c_logginglist_delcategory(dns_c_logginglist_t *list, const char *name);
+
+isc_result_t
+dns_c_logginglist_chanbyname(dns_c_logginglist_t *list, const char *name,
+			     dns_c_logchan_t **chan);
+
+isc_result_t
+dns_c_logginglist_catbyname(dns_c_logginglist_t *list, const char *name,
+			    dns_c_logcat_t **cat);
+
+isc_result_t
+dns_c_logchan_new(isc_mem_t *mem, const char *name, dns_c_logchantype_t ctype,
+		  dns_c_logchan_t **newchan);
+
+isc_result_t
+dns_c_logchan_delete(dns_c_logchan_t **channel);
+
+isc_result_t
+dns_c_logchan_copy(isc_mem_t *mem, dns_c_logchan_t **dest,
+		   dns_c_logchan_t *src);
+
+void
+dns_c_logchan_print(FILE *fp, int indent, dns_c_logchan_t *logchan,
+		    isc_boolean_t if_predef_too);
+
+isc_result_t
+dns_c_logchan_setpath(dns_c_logchan_t *channel, const char *path);
+
+isc_result_t
+dns_c_logchan_setversions(dns_c_logchan_t *channel, isc_uint32_t versions);
 
+isc_result_t
+dns_c_logchan_setsize(dns_c_logchan_t *channel, isc_uint32_t size);
 
+isc_result_t
+dns_c_logchan_setfacility(dns_c_logchan_t *channel, int facility);
+
+isc_result_t
+dns_c_logchan_setseverity(dns_c_logchan_t *channel,
+			  dns_c_logseverity_t severity);
+
+isc_result_t
+dns_c_logchan_setdebuglevel(dns_c_logchan_t *channel, isc_int32_t level);
+
+isc_result_t
+dns_c_logchan_setprintcat(dns_c_logchan_t *channel, isc_boolean_t newval);
+
+isc_result_t
+dns_c_logchan_setprintsev(dns_c_logchan_t *channel, isc_boolean_t newval);
+
+isc_result_t
+dns_c_logchan_setprinttime(dns_c_logchan_t *channel, isc_boolean_t newval);
+
+isc_result_t
+dns_c_logchan_setpredef(dns_c_logchan_t *channel, isc_boolean_t newval);
+
+isc_result_t
+dns_c_logchan_getpath(dns_c_logchan_t *channel, const char **path);
+
+isc_result_t
+dns_c_logchan_getversions(dns_c_logchan_t *channel, isc_uint32_t *versions);
+
+isc_result_t
+dns_c_logchan_getsize(dns_c_logchan_t *channel, isc_uint32_t *size);
+
+isc_result_t
+dns_c_logchan_getfacility(dns_c_logchan_t *channel, int *facility);
+
+isc_result_t
+dns_c_logchan_getseverity(dns_c_logchan_t *channel,
+			  dns_c_logseverity_t *severity);
+
+isc_result_t
+dns_c_logchan_getdebuglevel(dns_c_logchan_t *channel, isc_int32_t *level);
+
+isc_result_t
+dns_c_logchan_getprintcat(dns_c_logchan_t *channel, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_logchan_getprintsev(dns_c_logchan_t *channel, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_logchan_getprinttime(dns_c_logchan_t *channel, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_logchan_getpredef(dns_c_logchan_t *channel, isc_boolean_t *retval);
 
 /*
  * Logging category
  */
-isc_result_t	dns_c_logcat_new(isc_mem_t *mem, const char *name,
-				 dns_c_logcat_t **newlc);
-isc_result_t	dns_c_logcat_delete(dns_c_logcat_t **logcat);
-void		dns_c_logcat_print(FILE *fp, int indent,
-				   dns_c_logcat_t *logcat,
-				   isc_boolean_t if_predef_too);
-isc_result_t	dns_c_logcat_copy(isc_mem_t *mem, dns_c_logcat_t **dest,
-				  dns_c_logcat_t *src);
-isc_result_t	dns_c_logcat_addname(dns_c_logcat_t *logcat,
-				     const char *name);
-isc_result_t	dns_c_logcat_delname(dns_c_logcat_t *logcat,
-				     const char *name);
-isc_result_t	dns_c_logcat_setpredef(dns_c_logcat_t *logcat,
-				       isc_boolean_t newval);
-isc_result_t	dns_c_logcat_getpredef(dns_c_logcat_t *logcat,
-					isc_boolean_t *retval);
-
-#endif /* ISC_WHATEVER_H */
+isc_result_t
+dns_c_logcat_new(isc_mem_t *mem, const char *name, dns_c_logcat_t **newlc);
+
+isc_result_t
+dns_c_logcat_delete(dns_c_logcat_t **logcat);
+
+void
+dns_c_logcat_print(FILE *fp, int indent, dns_c_logcat_t *logcat,
+		   isc_boolean_t if_predef_too);
+
+isc_result_t
+dns_c_logcat_copy(isc_mem_t *mem, dns_c_logcat_t **dest, dns_c_logcat_t *src);
+
+isc_result_t
+dns_c_logcat_addname(dns_c_logcat_t *logcat, const char *name);
+
+isc_result_t
+dns_c_logcat_delname(dns_c_logcat_t *logcat, const char *name);
+
+isc_result_t
+dns_c_logcat_setpredef(dns_c_logcat_t *logcat, isc_boolean_t newval);
+
+isc_result_t
+dns_c_logcat_getpredef(dns_c_logcat_t *logcat, isc_boolean_t *retval);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CONFLOG_H */
diff --git a/lib/dns/include/dns/conflsn.h b/lib/dns/include/dns/conflsn.h
index fa5059e0..2f5320d6 100644
--- a/lib/dns/include/dns/conflsn.h
+++ b/lib/dns/include/dns/conflsn.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef DNS_CONFIG_CONFLSN_H
-#define DNS_CONFIG_CONFLSN_H 1
+#ifndef DNS_CONFLSN_H
+#define DNS_CONFLSN_H 1
 
 /*****
  ***** Module Info
@@ -55,21 +55,17 @@
  *** Imports
  ***/
 
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/int.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
 
 #include <dns/confip.h>
 
-#define DNS_C_LISTEN_MAGIC	0x4c49534eU /* LISN */
+#define DNS_C_LISTEN_MAGIC		0x4c49534eU /* LISN */
 #define DNS_C_LLIST_MAGIC		0x4c6c6973U /* Llis */
 
 #define DNS_C_LISTEN_VALID(l)	ISC_MAGIC_VALID(l, DNS_C_LISTEN_MAGIC)
 #define DNS_C_LISTENLIST_VALID(l) ISC_MAGIC_VALID(l, DNS_C_LLIST_MAGIC)
 
-
-
 /***
  *** Types
  ***/
@@ -77,12 +73,12 @@
 typedef struct dns_c_lstn_on		dns_c_lstnon_t;
 typedef struct dns_c_lstn_list		dns_c_lstnlist_t;
 
-
-/* Structure for holing value of a single listen-on statement. */
-struct dns_c_lstn_on
-{
-	isc_mem_t		       *mem;
+/*
+ * Structure for holing value of a single listen-on statement.
+ */
+struct dns_c_lstn_on {
 	isc_uint32_t			magic;
+	isc_mem_t		       *mem;
 	
 	in_port_t			port;
 	dns_c_ipmatchlist_t	       *iml;
@@ -91,22 +87,24 @@ struct dns_c_lstn_on
 };
 
 
-/* A list of listen-on statements */
-struct dns_c_lstn_list
-{
-	isc_mem_t		       *mem;
+/*
+ * A list of listen-on statements.
+ */
+struct dns_c_lstn_list {
 	isc_uint32_t			magic;
+	isc_mem_t		       *mem;
 
 	ISC_LIST(dns_c_lstnon_t)	elements;
 };
 
-
 /***
  *** Functions
  ***/
 
-isc_result_t	dns_c_lstnlist_new(isc_mem_t *mem,
-				   dns_c_lstnlist_t **llist);
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_c_lstnlist_new(isc_mem_t *mem, dns_c_lstnlist_t **llist);
 /*
  * Creates a new dns_c_lstnlist_t structure from the allocator pointed to
  * by MEM, and stores the pointer to the new structure in *LLIST.
@@ -120,7 +118,8 @@ isc_result_t	dns_c_lstnlist_new(isc_mem_t *mem,
  *	ISC_R_NOMEMORY		on allocation failure.
  */
 
-isc_result_t	dns_c_lstnlist_delete(dns_c_lstnlist_t **llist);
+isc_result_t
+dns_c_lstnlist_delete(dns_c_lstnlist_t **llist);
 /*
  * Deletes the list pointed to by **LLIST, and all the elements in it.
  * Sets *LLIST to NULL when done.
@@ -133,8 +132,8 @@ isc_result_t	dns_c_lstnlist_delete(dns_c_lstnlist_t **llist);
  */
 
 
-isc_result_t	dns_c_lstnlist_print(FILE *fp, int indent,
-				     dns_c_lstnlist_t *ll);
+isc_result_t
+dns_c_lstnlist_print(FILE *fp, int indent, dns_c_lstnlist_t *ll);
 /*
  * Prints the given the list LL to the stream FP. INDENT number of tabs
  * preceed each line of output.
@@ -146,8 +145,8 @@ isc_result_t	dns_c_lstnlist_print(FILE *fp, int indent,
  */
 
 
-isc_result_t	dns_c_lstnon_new(isc_mem_t *mem,
-				 dns_c_lstnon_t **listen);
+isc_result_t
+dns_c_lstnon_new(isc_mem_t *mem, dns_c_lstnon_t **listen);
 /*
  * Creates a new dns_c_lstnon_t structure and stores the pointer
  * in *LISTEN.
@@ -161,7 +160,8 @@ isc_result_t	dns_c_lstnon_new(isc_mem_t *mem,
  *	ISC_R_NOMEMORY on allocation failure.
  */
 
-isc_result_t	dns_c_lstnon_delete(dns_c_lstnon_t **listen);
+isc_result_t
+dns_c_lstnon_delete(dns_c_lstnon_t **listen);
 /*
  * Deletes the dns_c_lstnon_t structure pointed to by *LISTEN.
  *
@@ -172,9 +172,9 @@ isc_result_t	dns_c_lstnon_delete(dns_c_lstnon_t **listen);
  * Returns:
  */
 
-isc_result_t	dns_c_lstnon_setiml(dns_c_lstnon_t *listen,
-				    dns_c_ipmatchlist_t *iml,
-				    isc_boolean_t deepcopy);
+isc_result_t
+dns_c_lstnon_setiml(dns_c_lstnon_t *listen, dns_c_ipmatchlist_t *iml,
+		    isc_boolean_t deepcopy);
 /*
  * Sets the iml field of the structure to the value of the IML
  * parameter. If deepcopy paramater is true the structure field is
@@ -188,10 +188,9 @@ isc_result_t	dns_c_lstnon_setiml(dns_c_lstnon_t *listen,
  *	ISC_R_NOMEMORY on allocation failure.
  */
 
-isc_result_t	dns_c_lstnon_print(FILE *fp, int indent,
-				   dns_c_lstnon_t *lo);
-
-
+isc_result_t
+dns_c_lstnon_print(FILE *fp, int indent, dns_c_lstnon_t *lo);
 
+ISC_LANG_ENDDECLS
 
-#endif /* DNS_CONFIG_CONFLSN_H */
+#endif /* DNS_CONFLSN_H */
diff --git a/lib/dns/include/dns/confndc.h b/lib/dns/include/dns/confndc.h
index ffad87e8..bd19a5a1 100644
--- a/lib/dns/include/dns/confndc.h
+++ b/lib/dns/include/dns/confndc.h
@@ -15,17 +15,18 @@
  * SOFTWARE.
  */
 
-#ifndef DNS_CONFIG_CONFNDC_H
-#define DNS_CONFIG_CONFNDC_H 1
+#ifndef DNS_CONFNDC_H
+#define DNS_CONFNDC_H 1
 
+#include <isc/lang.h>
 #include <isc/magic.h>
-#include <isc/mem.h>
+
 #include <dns/confkeys.h>
 
-#define DNS_C_NDCCTX_MAGIC 0xabcdef01
-#define DNS_C_NDCSERVERLIST_MAGIC 0x12345678
-#define DNS_C_NDCOPTIONS_MAGIC 0x2468ace1
-#define DNS_C_NDCSERVER_MAGIC 0xaaabbbcc
+#define DNS_C_NDCCTX_MAGIC		0xabcdef01
+#define DNS_C_NDCSERVERLIST_MAGIC	0x12345678
+#define DNS_C_NDCOPTIONS_MAGIC		0x2468ace1
+#define DNS_C_NDCSERVER_MAGIC		0xaaabbbcc
 
 #define DNS_C_NDCCTX_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_NDCCTX_MAGIC)
 #define DNS_C_NDCOPTIONS_VALID(ptr) \
@@ -35,46 +36,39 @@
 #define DNS_C_NDCSERVER_VALID(ptr) \
 	ISC_MAGIC_VALID(ptr, DNS_C_NDCSERVER_MAGIC)
 
-
 typedef struct dns_c_ndcctx		dns_c_ndcctx_t;
 typedef struct dns_c_ndcopts		dns_c_ndcopts_t;
 typedef struct dns_c_ndcserver		dns_c_ndcserver_t;
 typedef struct dns_c_ndcserverlist	dns_c_ndcserverlist_t;
 typedef struct dns_c_ndckey		dnc_c_ndckey_t;
 
-struct  dns_c_ndcctx
-{
-	isc_mem_t	       *mem;
+struct  dns_c_ndcctx {
 	isc_uint32_t		magic;
+	isc_mem_t	       *mem;
 	
 	dns_c_ndcopts_t	       *opts;
 	dns_c_ndcserverlist_t  *servers;
 	dns_c_kdeflist_t       *keys;
 };
 
-struct dns_c_ndcopts 
-{
-	isc_mem_t      *mem;
+struct dns_c_ndcopts {
 	isc_uint32_t	magic;
+	isc_mem_t      *mem;
 
 	char	       *defserver;
 	char	       *defkey;
 };
 
-struct dns_c_ndcserverlist 
-{
-	isc_mem_t		       *mem;
+struct dns_c_ndcserverlist {
 	isc_uint32_t			magic;
+	isc_mem_t		       *mem;
 
 	ISC_LIST(dns_c_ndcserver_t)	list;
 };
-
-
 	
-struct dns_c_ndcserver 
-{
-	isc_mem_t		       *mem;
+struct dns_c_ndcserver {
 	isc_uint32_t			magic;
+	isc_mem_t		       *mem;
 
 	char			       *name;
 	char			       *key;
@@ -82,80 +76,123 @@ struct dns_c_ndcserver
 	ISC_LINK(dns_c_ndcserver_t) 	next;
 };
 
+/***
+ *** Functions
+ ***/
 
-/* All the 'set' functions do not delete the replaced value if one exists,
+ISC_LANG_BEGINDECLS
+
+/*
+ * All the 'set' functions do not delete the replaced value if one exists,
  * so if setting a value for a second time, be sure to 'get' the original
  * value first and do something with it
  */
 
-isc_result_t	dns_c_ndcctx_new(isc_mem_t *mem, dns_c_ndcctx_t **ctx);
-isc_result_t	dns_c_ndcctx_destroy(dns_c_ndcctx_t **ctx);
-isc_result_t	dns_c_ndcctx_setoptions(dns_c_ndcctx_t *ctx,
-					dns_c_ndcopts_t *opts);
-isc_result_t	dns_c_ndcctx_getoptions(dns_c_ndcctx_t *ctx,
-					dns_c_ndcopts_t **opts);
-isc_result_t	dns_c_ndcctx_setservers(dns_c_ndcctx_t *ctx,
-					dns_c_ndcserverlist_t *servers);
-isc_result_t	dns_c_ndcctx_getservers(dns_c_ndcctx_t *ctx,
-					dns_c_ndcserverlist_t **servers);
-isc_result_t	dns_c_ndcctx_addserver(dns_c_ndcctx_t *ctx,
-				       dns_c_ndcserver_t **server);
-isc_result_t	dns_c_ndcctx_getkeys(dns_c_ndcctx_t *ctx,
-				     dns_c_kdeflist_t **list);
-isc_result_t	dns_c_ndcctx_setkeys(dns_c_ndcctx_t *ctx,
-				     dns_c_kdeflist_t *list);
-isc_result_t	dns_c_ndcctx_addkey(dns_c_ndcctx_t *ctx,
-				    dns_c_kdef_t **key);
+isc_result_t
+dns_c_ndcctx_new(isc_mem_t *mem, dns_c_ndcctx_t **ctx);
+
+isc_result_t
+dns_c_ndcctx_destroy(dns_c_ndcctx_t **ctx);
+
+isc_result_t
+dns_c_ndcctx_setoptions(dns_c_ndcctx_t *ctx, dns_c_ndcopts_t *opts);
+
+isc_result_t
+dns_c_ndcctx_getoptions(dns_c_ndcctx_t *ctx, dns_c_ndcopts_t **opts);
+
+isc_result_t
+dns_c_ndcctx_setservers(dns_c_ndcctx_t *ctx, dns_c_ndcserverlist_t *servers);
 
+isc_result_t
+dns_c_ndcctx_getservers(dns_c_ndcctx_t *ctx, dns_c_ndcserverlist_t **servers);
+
+isc_result_t
+dns_c_ndcctx_addserver(dns_c_ndcctx_t *ctx, dns_c_ndcserver_t **server);
+
+isc_result_t
+dns_c_ndcctx_getserver(dns_c_ndcctx_t *ctx, const char *name,
+		       dns_c_ndcserver_t **server);
+
+isc_result_t
+dns_c_ndcctx_getkeys(dns_c_ndcctx_t *ctx, dns_c_kdeflist_t **list);
+
+isc_result_t
+dns_c_ndcctx_setkeys(dns_c_ndcctx_t *ctx, dns_c_kdeflist_t *list);
+
+isc_result_t
+dns_c_ndcctx_addkey(dns_c_ndcctx_t *ctx, dns_c_kdef_t **key);
 
 /* SERVER LIST */
-isc_result_t	dns_c_ndcserverlist_new(isc_mem_t *mem,
-					dns_c_ndcserverlist_t **servers);
-isc_result_t	dns_c_ndcserverlist_destroy(dns_c_ndcserverlist_t **servers);
-dns_c_ndcserver_t *dns_c_ndcserverlist_first(dns_c_ndcserverlist_t *servers);
-dns_c_ndcserver_t *dns_c_ndcserverlist_next(dns_c_ndcserver_t *servers);
+isc_result_t
+dns_c_ndcserverlist_new(isc_mem_t *mem, dns_c_ndcserverlist_t **servers);
 
+isc_result_t
+dns_c_ndcserverlist_destroy(dns_c_ndcserverlist_t **servers);
+
+dns_c_ndcserver_t *
+dns_c_ndcserverlist_first(dns_c_ndcserverlist_t *servers);
+
+dns_c_ndcserver_t *
+dns_c_ndcserverlist_next(dns_c_ndcserver_t *servers);
 
 /* SERVER */
-isc_result_t	dns_c_ndcserver_new(isc_mem_t *mem,
-				    dns_c_ndcserver_t **server);
-isc_result_t	dns_c_ndcserver_destroy(dns_c_ndcserver_t **server);
-isc_result_t	dns_c_ndcserver_setkey(dns_c_ndcserver_t *server,
-				       const char *val);
-isc_result_t	dns_c_ndcserver_sethost(dns_c_ndcserver_t *server,
-					const char *val);
-isc_result_t	dns_c_ndcserver_setname(dns_c_ndcserver_t *server,
-					const char *val);
-isc_result_t	dns_c_ndcserver_getkey(dns_c_ndcserver_t *server,
-				       const char **val);
-isc_result_t	dns_c_ndcserver_gethost(dns_c_ndcserver_t *server,
-					const char **val);
-isc_result_t	dns_c_ndcserver_getname(dns_c_ndcserver_t *server,
-					const char **val);
+isc_result_t
+dns_c_ndcserver_new(isc_mem_t *mem, dns_c_ndcserver_t **server);
+isc_result_t
+dns_c_ndcserver_destroy(dns_c_ndcserver_t **server);
+isc_result_t
+dns_c_ndcserver_setkey(dns_c_ndcserver_t *server, const char *val);
+
+isc_result_t
+dns_c_ndcserver_sethost(dns_c_ndcserver_t *server, const char *val);
+
+isc_result_t
+dns_c_ndcserver_setname(dns_c_ndcserver_t *server, const char *val);
 
+isc_result_t
+dns_c_ndcserver_getkey(dns_c_ndcserver_t *server, const char **val);
+
+isc_result_t
+dns_c_ndcserver_gethost(dns_c_ndcserver_t *server, const char **val);
+
+isc_result_t
+dns_c_ndcserver_getname(dns_c_ndcserver_t *server, const char **val);
 
 /* OPTIONS */
-isc_result_t	dns_c_ndcopts_new(isc_mem_t *mem, dns_c_ndcopts_t **opts);
-isc_result_t	dns_c_ndcopts_destroy(dns_c_ndcopts_t **opts);
-isc_result_t	dns_c_ndcopts_getdefserver(dns_c_ndcopts_t *opts,
-					   const char **retval);
-isc_result_t	dns_c_ndcopts_getdefkey(dns_c_ndcopts_t *opts,
-					const char **retval);
+isc_result_t
+dns_c_ndcopts_new(isc_mem_t *mem, dns_c_ndcopts_t **opts);
+
+isc_result_t
+dns_c_ndcopts_destroy(dns_c_ndcopts_t **opts);
+
+isc_result_t
+dns_c_ndcopts_getdefserver(dns_c_ndcopts_t *opts, const char **retval);
+
+isc_result_t
+dns_c_ndcopts_getdefkey(dns_c_ndcopts_t *opts, const char **retval);
+
+isc_result_t
+dns_c_ndcopts_setdefserver(dns_c_ndcopts_t *opts, const char *newval);
+
+isc_result_t
+dns_c_ndcopts_setdefkey(dns_c_ndcopts_t *opts, const char *newval);
+
+isc_result_t
+dns_c_ndcparseconf(const char *filename, isc_mem_t *mem,
+		   dns_c_ndcctx_t **ndcctx);
 
-isc_result_t	dns_c_ndcopts_setdefserver(dns_c_ndcopts_t *opts,
-					   const char *newval);
-isc_result_t	dns_c_ndcopts_setdefkey(dns_c_ndcopts_t *opts,
-					const char *newval);
+void
+dns_c_ndcctx_print(FILE *fp, dns_c_ndcctx_t *ctx);
 
+void
+dns_c_ndcopts_print(FILE *fp, dns_c_ndcopts_t *opts);
 
-isc_result_t	dns_c_ndcparseconf(const char *filename, isc_mem_t *mem,
-				   dns_c_ndcctx_t **ndcctx);
+void
+dns_c_ndcserverlist_print(FILE *fp, dns_c_ndcserverlist_t *servers);
 
-void		dns_c_ndcctx_print(FILE *fp, dns_c_ndcctx_t *ctx);
-void		dns_c_ndcopts_print(FILE *fp, dns_c_ndcopts_t *opts);
-void		dns_c_ndcserverlist_print(FILE *fp,
-					  dns_c_ndcserverlist_t *servers);
-void		dns_c_ndcserver_print(FILE *fp, dns_c_ndcserver_t *server);
+void
+dns_c_ndcserver_print(FILE *fp, dns_c_ndcserver_t *server);
 
+ISC_LANG_ENDDECLS
 
-#endif /* DNS_CONFIG_CONFZONE_H */
+#endif /* DNS_CONFNDC_H */
diff --git a/lib/dns/include/dns/confparser.h b/lib/dns/include/dns/confparser.h
index 65bcc2ba..a38cc46b 100644
--- a/lib/dns/include/dns/confparser.h
+++ b/lib/dns/include/dns/confparser.h
@@ -15,6 +15,9 @@
  * SOFTWARE.
  */
 
+#ifndef DNS_CONFPARSER_H
+#define DNS_CONFPARSER_H 1
+
 /*****
  ***** Module Info
  *****/
@@ -51,16 +54,11 @@
  *** Imports
  ***/
 
-#include <config.h>
+#include <isc/lang.h>
 #include <isc/types.h>
 
 #include <dns/confctx.h>
 
-
-/***
- *** Functions
- ***/
-
 /*
  * Typedefs for the callbacks done while parsing. If the callback functions 
  * return anything other than ISC_R_SUCCESS, then the parse routine
@@ -73,8 +71,7 @@ typedef isc_result_t (*dns_c_zonecbk_t)(dns_c_ctx_t *ctx,
 					void *uap);
 typedef isc_result_t (*dns_c_optscbk_t)(dns_c_ctx_t *ctx, void *uap);
 
-typedef struct dns_c_cbks
-{
+typedef struct dns_c_cbks {
 	dns_c_zonecbk_t	zonecbk;
 	void	       *zonecbkuap;
 
@@ -82,10 +79,15 @@ typedef struct dns_c_cbks
 	void	       *optscbkuap;
 } dns_c_cbks_t;
 
+/***
+ *** Functions
+ ***/
 
-isc_result_t dns_c_parse_namedconf(const char *filename, isc_mem_t *mem,
-				   dns_c_ctx_t **configctx,
-				   dns_c_cbks_t *callbacks);
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_c_parse_namedconf(const char *filename, isc_mem_t *mem,
+		      dns_c_ctx_t **configctx, dns_c_cbks_t *callbacks);
 
 /*
  * Parse a named confile file. Fills up a new config context with the config
@@ -109,3 +111,6 @@ isc_result_t dns_c_parse_namedconf(const char *filename, isc_mem_t *mem,
  *	ISC_R_FAILURE			file contains errors.
  */
 
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CONFPARSER_H */
diff --git a/lib/dns/include/dns/confresolv.h b/lib/dns/include/dns/confresolv.h
index 5b2396d7..f4fe4a45 100644
--- a/lib/dns/include/dns/confresolv.h
+++ b/lib/dns/include/dns/confresolv.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef DNS_CONFIG_CONFRESOLV_H
-#define DNS_CONFIG_CONFRESOLV_H 1
+#ifndef DNS_CONFRESOLV_H
+#define DNS_CONFRESOLV_H 1
 
 /*****
  ***** Module Info
@@ -50,8 +50,7 @@
  *** Imports
  ***/
 
-#include <config.h>
-
+#include <isc/lang.h>
 #include <isc/types.h>
 
 /***
@@ -60,21 +59,20 @@
 
 typedef struct dns_c_resolv		dns_c_resolv_t;
 
-struct dns_c_resolv
-{
+struct dns_c_resolv {
 	isc_mem_t	       *mem;
 
 	/* XXX need this fleshed out */
 };
 
-
-
-
 /***
  *** Functions
  ***/
 
-isc_result_t dns_c_resolv_new(isc_mem_t *mem, dns_c_resolv_t **cfgres);
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_c_resolv_new(isc_mem_t *mem, dns_c_resolv_t **cfgres);
 /*
  * Creates a new resolver-config object.
  *
@@ -88,7 +86,8 @@ isc_result_t dns_c_resolv_new(isc_mem_t *mem, dns_c_resolv_t **cfgres);
  * 
  */
 
-isc_result_t dns_c_resolv_delete(dns_c_resolv_t **cfgres);
+isc_result_t
+dns_c_resolv_delete(dns_c_resolv_t **cfgres);
 /*
  * Deletes the config-resolv object and its contents.
  *
@@ -101,5 +100,6 @@ isc_result_t dns_c_resolv_delete(dns_c_resolv_t **cfgres);
  * 
  */
 
+ISC_LANG_ENDDECLS
 
-#endif /* DNS_CONFIG_CONFRESOLV_H */
+#endif /* DNS_CONFRESOLV_H */
diff --git a/lib/dns/include/dns/confrrset.h b/lib/dns/include/dns/confrrset.h
index a87569ef..cdf0ec7d 100644
--- a/lib/dns/include/dns/confrrset.h
+++ b/lib/dns/include/dns/confrrset.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef DNS_CONFIG_CONFRRSET_H
-#define DNS_CONFIG_CONFRRSET_H 1
+#ifndef DNS_CONFRRSET_H
+#define DNS_CONFRRSET_H 1
 
 /*****
  ***** Module Info
@@ -44,40 +44,27 @@
  *** Imports
  ***/
 
-#include <config.h>
-
-#include <isc/mem.h>
-
-/* XXX these next two are needed by rdatatype.h. It should be fixed to
- * include them itself.
- */
-#include <isc/buffer.h>
-#include <dns/result.h>
-
-#include <dns/rdatatype.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
 
 #include <dns/confcommon.h>
 
 
 #define DNS_C_RRSOLIST_MAGIC		0x5252534c /* RRSL */
-#define DNS_C_RRSO_MAGIC			0x7272736f /* rrso */
+#define DNS_C_RRSO_MAGIC		0x7272736f /* rrso */
 
 #define DNS_C_RRSOLIST_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_RRSOLIST_MAGIC)
-#define DNS_C_RRSO_VALID(ptr)	ISC_MAGIC_VALID(ptr, DNS_C_RRSO_MAGIC)
-
-
+#define DNS_C_RRSO_VALID(ptr)     ISC_MAGIC_VALID(ptr, DNS_C_RRSO_MAGIC)
 
 /***
  *** Types
  ***/
 
-
 typedef struct dns_c_rrso		dns_c_rrso_t;
 typedef struct dns_c_rrso_list		dns_c_rrsolist_t;
 
 
-struct dns_c_rrso 
-{
+struct dns_c_rrso {
 	isc_uint32_t		magic;
 	
 	isc_mem_t	       *mem;
@@ -90,47 +77,53 @@ struct dns_c_rrso
 	ISC_LINK(dns_c_rrso_t)	next;
 };
 
-
-struct dns_c_rrso_list
-{
+struct dns_c_rrso_list {
 	isc_uint32_t		magic;
-	
+
 	isc_mem_t	       *mem;
 
 	ISC_LIST(dns_c_rrso_t)	elements;
 
 };
 
-
 /***
  *** Functions
  ***/
 
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_c_rrsolist_new(isc_mem_t *mem, dns_c_rrsolist_t **rval);
+
+isc_result_t
+dns_c_rrsolist_delete(dns_c_rrsolist_t **list);
+
+isc_result_t
+dns_c_rrsolist_copy(isc_mem_t *mem, dns_c_rrsolist_t **dest,
+		    dns_c_rrsolist_t *source);
+
+isc_result_t
+dns_c_rrsolist_clear(dns_c_rrsolist_t *olist);
+
+isc_result_t
+dns_c_rrsolist_append(dns_c_rrsolist_t *dest, dns_c_rrsolist_t *src);
+
+isc_result_t
+dns_c_rrso_new(isc_mem_t *mem, dns_c_rrso_t **res, dns_rdataclass_t oclass,
+	       dns_rdatatype_t otype, char *name, dns_c_ordering_t ordering);
+
+isc_result_t
+dns_c_rrso_delete(dns_c_rrso_t **order);
+
+isc_result_t
+dns_c_rrso_copy(isc_mem_t *mem, dns_c_rrso_t **dest, dns_c_rrso_t *source);
+
+void
+dns_c_rrsolist_print(FILE *fp, int indent, dns_c_rrsolist_t *rrlist);
+
+void
+dns_c_rrso_print(FILE *fp, int indent, dns_c_rrso_t *rrlist);
+
+ISC_LANG_ENDDECLS
 
-isc_result_t	dns_c_rrsolist_new(isc_mem_t *mem,
-				   dns_c_rrsolist_t **rval);
-isc_result_t	dns_c_rrsolist_delete(dns_c_rrsolist_t **list);
-isc_result_t	dns_c_rrsolist_copy(isc_mem_t *mem,
-				    dns_c_rrsolist_t **dest,
-				    dns_c_rrsolist_t *source);
-isc_result_t	dns_c_rrsolist_clear(dns_c_rrsolist_t *olist);
-isc_result_t	dns_c_rrsolist_append(dns_c_rrsolist_t *dest,
-				      dns_c_rrsolist_t *src);
-
-isc_result_t	dns_c_rrso_new(isc_mem_t *mem,
-			       dns_c_rrso_t **res,
-			       dns_rdataclass_t oclass,
-			       dns_rdatatype_t otype,
-			       char *name,
-			       dns_c_ordering_t ordering);
-isc_result_t	dns_c_rrso_delete(dns_c_rrso_t **order);
-isc_result_t	dns_c_rrso_copy(isc_mem_t *mem,
-				dns_c_rrso_t **dest,
-				dns_c_rrso_t *source);
-void		dns_c_rrsolist_print(FILE *fp, int indent,
-				     dns_c_rrsolist_t *rrlist);
-void		dns_c_rrso_print(FILE *fp, int indent,
-				 dns_c_rrso_t *rrlist);
-
-
-#endif /* DNS_CONFIG_CONFRRSET_H */
+#endif /* DNS_CONFRRSET_H */
diff --git a/lib/dns/include/dns/confserv.h b/lib/dns/include/dns/confserv.h
deleted file mode 100644
index 7794dd50..00000000
--- a/lib/dns/include/dns/confserv.h
+++ /dev/null
@@ -1,163 +0,0 @@
-#if 1
-#error "Shouldn't be using this file."
-#else
-
-/*
- * Copyright (C) 1999, 2000  Internet Software Consortium.
- * 
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- * 
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-#ifndef DNS_CONFIG_CONFSERV_H
-#define DNS_CONFIG_CONFSERV_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * 
- *
- * 
- *
- * 
- *
- * MP:
- *	
- *
- * Reliability:
- *	
- *
- * Resources:
- *	
- *
- * Security:
- *	
- *
- * Standards:
- *	
- */
-
-/***
- *** Imports
- ***/
-
-#include <config.h>
-
-#include <sys/types.h>
-
-#include <isc/mem.h>
-#include <isc/net.h>
-
-#include <dns/types.h>
-#include <dns/confcommon.h>
-#include <dns/confkeys.h>
-
-
-#define DNS_C_SRVLIST_MAGIC	0x7365524c /* seRL */
-#define DNS_C_SRV_MAGIC		0x53457276 /* SErv */
-
-#define DNS_C_SRVLIST_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_SRVLIST_MAGIC)
-#define DNS_C_SRV_VALID(ptr)	 ISC_MAGIC_VALID(ptr, DNS_C_SRV_MAGIC)
-
-
-/***
- *** Types
- ***/
-
-typedef struct dns_c_srv		dns_c_srv_t;
-typedef struct dns_c_srv_list		dns_c_srvlist_t;
-
-struct dns_c_srv_list
-{
-	isc_uint32_t		magic;
-	
-	isc_mem_t	       *mem;
-
-	ISC_LIST(dns_c_srv_t) elements;
-};
-
-
-struct dns_c_srv 
-{
-	isc_uint32_t		magic;
-	
-	isc_mem_t	       *mem;
-
-	isc_sockaddr_t		address;
-	isc_boolean_t		bogus;
-	dns_transfer_format_t	transfer_format;
-	int			transfers;
-	isc_boolean_t		support_ixfr;
-	dns_c_kidlist_t	       *keys;
-
-	dns_c_setbits_t		bitflags;
-	
-	ISC_LINK(dns_c_srv_t)	next;
-};
-
-
-/***
- *** Functions
- ***/
-
-isc_result_t	dns_c_srvlist_new(isc_mem_t *mem,
-				  dns_c_srvlist_t **list);
-isc_result_t	dns_c_srvlist_delete(dns_c_srvlist_t **list);
-void		dns_c_srvlist_print(FILE *fp, int indent,
-				    dns_c_srvlist_t *servers);
-isc_result_t	dns_c_srvlist_servbyaddr(dns_c_srvlist_t *servers,
-					 isc_sockaddr_t addr,
-					 dns_c_srv_t **retval);
-
-
-isc_result_t	dns_c_srv_new(isc_mem_t *mem,
-			      isc_sockaddr_t ipaddr,
-			      dns_c_srv_t **server);
-isc_result_t	dns_c_srv_delete(dns_c_srv_t **server);
-void		dns_c_srv_print(FILE *fp, int indent,
-				dns_c_srv_t *server);
-
-isc_result_t	dns_c_srv_setbogus(dns_c_srv_t *server,
-				   isc_boolean_t newval);
-isc_result_t	dns_c_srv_getbogus(dns_c_srv_t *server,
-				   isc_boolean_t *retval);
-isc_result_t	dns_c_srv_setsupportixfr(dns_c_srv_t *server,
-					 isc_boolean_t newval);
-isc_result_t	dns_c_srv_getsupportixfr(dns_c_srv_t *server,
-					 isc_boolean_t *retval);
-isc_result_t	dns_c_srv_settransfers(dns_c_srv_t *server,
-				       isc_int32_t newval);
-isc_result_t	dns_c_srv_gettransfers(dns_c_srv_t *server,
-				       isc_int32_t *retval);
-isc_result_t	dns_c_srv_settransferformat(dns_c_srv_t *server,
-					    dns_transfer_format_t newval);
-isc_result_t	dns_c_srv_gettransferformat(dns_c_srv_t *server,
-					    dns_transfer_format_t *retval);
-isc_result_t	dns_c_srv_get_keylist(dns_c_srv_t *server,
-				      dns_c_kidlist_t **keylist);
-
-isc_result_t	dns_c_srv_settkeydomain(dns_c_srv_t *server,
-					char *newval);
-isc_result_t	dns_c_srv_gettkeydomain(dns_c_srv_t *server,
-					char **retval);
-isc_result_t	dns_c_srv_getkeys(dns_c_srv_t *server,
-				  dns_c_kidlist_t **retval);
-isc_result_t	dns_c_srv_setkeys(dns_c_srv_t *server,
-				  dns_c_kidlist_t *newval);
-
-
-#endif /* DNS_CONFIG_CONFSERV_H */
-
-#endif
diff --git a/lib/dns/include/dns/confview.h b/lib/dns/include/dns/confview.h
index 0a248461..ac38319d 100644
--- a/lib/dns/include/dns/confview.h
+++ b/lib/dns/include/dns/confview.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef DNS_CONFIG_CONFVIEW_H
-#define DNS_CONFIG_CONFVIEW_H 1
+#ifndef DNS_CONFVIEW_H
+#define DNS_CONFVIEW_H 1
 
 /*****
  ***** Module Info
@@ -53,25 +53,11 @@
  *** Imports
  ***/
 
-#include <config.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
 
-#include <isc/mem.h>
-
-/* XXX these next two are needed by rdatatype.h. It should be fixed to
- * include them itself.
- */
-#include <isc/buffer.h>
-#include <dns/result.h>
-
-#include <dns/rdatatype.h>
-
-#include <dns/confcommon.h>
-#include <dns/confip.h>
-#include <dns/confkeys.h>
-#include <dns/confacl.h>
-#include <dns/confip.h>
-#include <dns/conflsn.h>
 #include <dns/confrrset.h>
+#include <dns/confzone.h>
 
 #define DNS_C_VIEWTABLE_MAGIC		0x76497774 /* vIwt */
 #define DNS_C_VIEW_MAGIC 		0x56696557 /* VieW */
@@ -91,8 +77,7 @@ typedef struct dns_c_view		dns_c_view_t;
 typedef struct dns_c_viewtable		dns_c_viewtable_t;
 
 
-struct dns_c_viewtable
-{
+struct dns_c_viewtable {
 	isc_uint32_t		magic;
 	
 	isc_mem_t	       *mem;
@@ -100,356 +85,516 @@ struct dns_c_viewtable
 	ISC_LIST(dns_c_view_t)	views;
 };
 
-
-struct dns_c_view
-{
+struct dns_c_view {
 	isc_uint32_t		magic;
-	
 	isc_mem_t	       *mem;
 	
 	char 		       *name;
 
+	dns_rdataclass_t	viewclass;
+	
 	dns_c_zonelist_t       *zonelist;
 
-	dns_c_forw_t		forward;
-	
+	dns_c_forw_t	       *forward;
+	dns_c_iplist_t         *forwarders;
+
 	dns_c_ipmatchlist_t    *allowquery;
 	dns_c_ipmatchlist_t    *allowupdateforwarding;
 	dns_c_ipmatchlist_t    *transferacl;
 	dns_c_ipmatchlist_t    *recursionacl;
-	dns_c_ipmatchlist_t    *blackhole;
 	dns_c_ipmatchlist_t    *sortlist;
 	dns_c_ipmatchlist_t    *topology;
+	dns_c_ipmatchlist_t    *matchclients;
 
-	dns_c_iplist_t         *forwarders;
-
-	dns_c_lstnlist_t       *listens;
+	dns_c_rrsolist_t       *ordering; /* XXX not parsed yet */
 	
-	dns_c_rrsolist_t       *ordering;
+	dns_severity_t	       *check_names[DNS_C_TRANSCOUNT];
 	
-	dns_severity_t	check_names[DNS_C_TRANSCOUNT];
-	
-	dns_transfer_format_t	transfer_format;
-	
-	isc_boolean_t		auth_nx_domain;
-	isc_boolean_t		dialup;
-	isc_boolean_t		fetch_glue;
-	isc_boolean_t		has_old_clients;
-	isc_boolean_t		host_statistics;
-	isc_boolean_t		maintain_ixfr_base;
-	isc_boolean_t		multiple_cnames;
-	isc_boolean_t		notify;
-	isc_boolean_t		recursion;
-	isc_boolean_t		rfc2308_type1;
-	isc_boolean_t		use_id_pool;
-	isc_boolean_t		fake_iquery;
-	isc_boolean_t		use_ixfr;
-
-	isc_int32_t		clean_interval;
-	isc_int32_t		lamettl;
-	isc_int32_t		max_log_size_ixfr;
-	isc_int32_t		max_ncache_ttl;
-	isc_int32_t		max_transfer_time_in;
-	isc_int32_t		max_transfer_time_out;
-	isc_int32_t		max_transfer_idle_in;
-	isc_int32_t		max_transfer_idle_out;
-	isc_int32_t		stats_interval;
-	isc_int32_t		transfers_in;
-	isc_int32_t		transfers_out;
-	isc_int32_t		transfers_per_ns;
-
-	dns_c_setbits_t		setflags;
+	/*
+	 * XXX to implement now.
+	 */
+	isc_boolean_t	       *auth_nx_domain;
+	isc_boolean_t	       *recursion;
+	isc_boolean_t	       *provide_ixfr;
+	isc_boolean_t	       *request_ixfr;
+	isc_boolean_t	       *fetch_glue;
+	isc_boolean_t	       *notify;
+	isc_boolean_t	       *rfc2308_type1;
+
+	isc_sockaddr_t	       *query_source;
+	isc_sockaddr_t	       *query_source_v6;
+	isc_sockaddr_t	       *transfer_source;
+	isc_sockaddr_t	       *transfer_source_v6;
+
+	isc_int32_t	       *max_transfer_time_out;
+	isc_int32_t	       *max_transfer_idle_out;
+	isc_int32_t	       *clean_interval;
+	isc_int32_t	       *min_roots;
+	isc_int32_t	       *lamettl;
+	isc_int32_t	       *max_ncache_ttl;
+	isc_int32_t	       *max_cache_ttl;
+
+	dns_c_addata_t	       *additional_data;
+	dns_transfer_format_t  *transfer_format;
+
+	dns_c_kdeflist_t       *keydefs;
+	dns_peerlist_t	       *peerlist;
+
+#if 0	
+	/*
+	 * To implement later.
+	 */
+	isc_int32_t	       *max_transfer_time_in;
+	isc_int32_t	       *max_transfer_idle_in;
+	isc_int32_t	       *transfers_per_ns;
+	isc_int32_t	       *serial_queries;
+
+#endif
 
 	ISC_LINK(dns_c_view_t)	next;
 };
 
-
-
 /***
  *** Functions
  ***/
 
-isc_result_t dns_c_viewtable_new(isc_mem_t *mem,
-				 dns_c_viewtable_t **viewtable);
+ISC_LANG_BEGINDECLS
 
-/*
- * Creates a new viewtable. Returns pointer to the new table through
- * NEWTABLE paramater. The memory is allocated from the MEM memory pool.
- *
- * Requires:
- *	mem is a valid memory pool
- *	newtable is a valid non-NULL pointer.
- *	mem remain a valuid memory pool until the table is destroyed.
- * 	
- * Returns:
- *	ISC_R_SUCCESS		-- all is well.
- *	ISC_R_NOMEMORY		-- not enough memory.
- * 
- */
+isc_result_t
+dns_c_viewtable_new(isc_mem_t *mem, dns_c_viewtable_t **viewtable);
 
-isc_result_t dns_c_viewtable_delete(dns_c_viewtable_t **viewtable);
-/*
- * Destroys the table pointed to by *VIEWTABLE and all the views in it. The
- * value of *VIEWTABLE can be NULL (which is a no-op).
- *
- * Requires:
- *	viewtable is a valid pointer.
- *	The memory pool used at creation time still be valid.
- * 
- * Returns:
- *	ISC_R_SUCCESS
- * 
- */
+isc_result_t
+dns_c_viewtable_delete(dns_c_viewtable_t **viewtable);
 
+void
+dns_c_viewtable_print(FILE *fp, int indent, dns_c_viewtable_t *table);
 
-void dns_c_viewtable_addview(dns_c_viewtable_t *viewtable,
-			     dns_c_view_t *view);
+void
+dns_c_viewtable_addview(dns_c_viewtable_t *viewtable, dns_c_view_t *view);
 
-/*
- * Inserts the given view into the viewtable. The viewtable takes ownership 
- * of the view's allocations.
- *
- * Requires:
- *	viewtable be a pointer to a valid dns_c_viewtable_t
- *	view be a pointer to a valie dns_c_view_t
- *
- */
+void
+dns_c_viewtable_rmview(dns_c_viewtable_t *viewtable, dns_c_view_t *view);
 
-void dns_c_viewtable_rmview(dns_c_viewtable_t *viewtable,
-			    dns_c_view_t *view);
+isc_result_t
+dns_c_viewtable_clear(dns_c_viewtable_t *table);
 
-/*
- * Removes the view from the given table. Does not memory
- * deallocations. Caller owns the view.
+isc_result_t
+dns_c_viewtable_viewbyname(dns_c_viewtable_t *viewtable, const char *viewname,
+			   dns_c_view_t **retval);
+
+isc_result_t
+dns_c_viewtable_rmviewbyname(dns_c_viewtable_t *viewtable, const char *name);
+
+isc_result_t
+dns_c_viewtable_checkviews(dns_c_viewtable_t *viewtable);
+
+/* NOTE: For the various get* functions. The caller must not delete the
+ * returned value.
  *
- * Requires:
- *	viewtable be a pointer to a valid dns_c_viewtable_t
- *	view be a pointer to a valid dns_c_view_t
+ *	- For functions where retval is a dns_c_ipmatchlist_t
+ *	  (e.g. dns_c_view_getallowquery) the caller must call
+ *	  dns_c_ipmatcglist_detach() when finished with retval).
  *
  */
 
-isc_result_t dns_c_viewtable_viewbyname(dns_c_viewtable_t *viewtable,
-					const char *viewname,
-					dns_c_view_t **retval);
+isc_result_t
+dns_c_view_new(isc_mem_t *mem, const char *name, dns_rdataclass_t viewclass,
+	       dns_c_view_t **newview);
 
-/*
- * Looks up a view by name in the given table. The result is returned
- * through the parameter RETVAL. The returned view must not be modified.
- *
- * Requires:
- *	VIEWTABLE be a valid dns_c_viewtable_t
- * 	
- * Returns:
- *	ISC_R_SUCCESS		-- all is well
- *	ISC_R_NOTFOUND		-- view was not found
- * 
- */
+isc_result_t
+dns_c_view_delete(dns_c_view_t **viewptr);
 
-isc_result_t dns_c_viewtable_rmviewbyname(dns_c_viewtable_t *viewtable,
-					  const char *name);
-/*
- * Removes a view from a view table. The view is looked up by name.
- *
- * Requires:
- *	viewtable be a pointer to a valie dns_viewtable_t
- *	name be a valid pointer to string of positive length.
- * 
- * Returns:
- *	ISC_R_SUCCESS		-- all is well
- *	ISC_R_NOTFOUND		-- view was not in the table.
- * 
- */
+void
+dns_c_view_print(FILE *fp, int indent, dns_c_view_t *view);
 
+isc_boolean_t
+dns_c_view_keydefinedp(dns_c_view_t *view, const char *keyname);
 
-isc_result_t dns_c_viewtable_clear(dns_c_viewtable_t *viewtable);
-/*
- * Removes (and deletes) all the views in the viewtable.
- *
- * Requires:
- *	viewtable to be a pointer to a valid dns_c_viewtable_t
- *
- * Returns:
- *	ISC_R_SUCCESS		-- all is well
- */
+isc_result_t
+dns_c_view_getname(dns_c_view_t *view, const char **retval);
 
-void dns_c_viewtable_print(FILE *fp, int indent,
-			   dns_c_viewtable_t *table);
+isc_result_t
+dns_c_view_addzone(dns_c_view_t *view, dns_c_zone_t *zone);
 
-/*
- * Prints the viewtable TABLE to the stdio stream FP. An INDENT number of
- * tabs is printed at the start of each line.
- *
- * Requires:
- *	FP be a valid stdio stream
- *	table be a pointer to a valid dns_c_viewtable_t
- */
+isc_result_t
+dns_c_view_getzonelist(dns_c_view_t *view, dns_c_zonelist_t **zonelist);
 
+isc_result_t
+dns_c_view_unsetzonelist(dns_c_view_t *view);
 
-isc_result_t dns_c_view_new(isc_mem_t *mem, const char *name,
-			    dns_c_view_t **newview);
-/*
- * Creates a new view. The view is placed in the given viewtable.
- * The new view is returned via the newview parameter
- *
- * Requires:
- *	viewtable be a pointer to a valid view table.
- *	name be a pointer to a valid string of positive length
- *	newview be a valid non-NULL pointer.
- * 
- * Returns:
- *	ISC_R_SUCCESS		-- all is well
- *	ISC_R_NOMEMORY		-- out of memory
- * 
- */
+isc_result_t
+dns_c_view_getviewclass(dns_c_view_t *view, dns_rdataclass_t *retval);
+
+isc_result_t
+dns_c_view_getforward(dns_c_view_t *view, dns_c_forw_t *retval);
+
+isc_result_t
+dns_c_view_setforward(dns_c_view_t *view, dns_c_forw_t newval);
+
+isc_result_t
+dns_c_view_unsetforward(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_setforwarders(dns_c_view_t *view, dns_c_iplist_t *ipl,
+			 isc_boolean_t deepcopy);
+
+isc_result_t
+dns_c_view_unsetforwarders(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_getforwarders(dns_c_view_t *view, dns_c_iplist_t **ipl);
+
+isc_result_t
+dns_c_view_getallowquery(dns_c_view_t *view, dns_c_ipmatchlist_t **retval);
+
+isc_result_t
+dns_c_view_setallowquery(dns_c_view_t *view, dns_c_ipmatchlist_t *newval);
+
+isc_result_t
+dns_c_view_unsetallowquery(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_getallowupdateforwarding(dns_c_view_t *view,
+				    dns_c_ipmatchlist_t **retval);
+
+isc_result_t
+dns_c_view_setallowupdateforwarding(dns_c_view_t *view,
+				    dns_c_ipmatchlist_t *newval);
+
+isc_result_t
+dns_c_view_unsetallowupdateforwarding(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_gettransferacl(dns_c_view_t *view, dns_c_ipmatchlist_t **retval);
+
+isc_result_t
+dns_c_view_settransferacl(dns_c_view_t *view, dns_c_ipmatchlist_t *newval);
+
+isc_result_t
+dns_c_view_unsettransferacl(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_getrecursionacl(dns_c_view_t *view, dns_c_ipmatchlist_t **retval);
+
+isc_result_t
+dns_c_view_setrecursionacl(dns_c_view_t *view, dns_c_ipmatchlist_t *newval);
+
+isc_result_t
+dns_c_view_unsetrecursionacl(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_getsortlist(dns_c_view_t *view, dns_c_ipmatchlist_t **retval);
+
+isc_result_t
+dns_c_view_setsortlist(dns_c_view_t *view, dns_c_ipmatchlist_t *newval);
+
+isc_result_t
+dns_c_view_unsetsortlist(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_gettopology(dns_c_view_t *view, dns_c_ipmatchlist_t **retval);
+
+isc_result_t
+dns_c_view_settopology(dns_c_view_t *view, dns_c_ipmatchlist_t *newval);
+
+isc_result_t
+dns_c_view_unsettopology(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_getmatchclients(dns_c_view_t *view, dns_c_ipmatchlist_t **retval);
+
+isc_result_t
+dns_c_view_setmatchclients(dns_c_view_t *view, dns_c_ipmatchlist_t *newval);
+
+isc_result_t
+dns_c_view_unsetmatchclients(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_getordering(dns_c_view_t *view, dns_c_rrsolist_t **olist);
+
+isc_result_t
+dns_c_view_setordering(dns_c_view_t *view, isc_boolean_t copy,
+		       dns_c_rrsolist_t *olist);
+
+isc_result_t
+dns_c_view_unsetordering(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_setchecknames(dns_c_view_t *view, dns_c_trans_t transtype,
+			 dns_severity_t newval);
+
+isc_result_t
+dns_c_view_getchecknames(dns_c_view_t *view, dns_c_trans_t transtype,
+			 dns_severity_t *retval);
+
+isc_result_t
+dns_c_view_unsetchecknames(dns_c_view_t *view, dns_c_trans_t transtype);
+
+isc_result_t
+dns_c_view_getauthnxdomain(dns_c_view_t *view, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_view_setauthnxdomain(dns_c_view_t *view, isc_boolean_t newval);
+
+isc_result_t
+dns_c_view_unsetauthnxdomain(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_getrecursion(dns_c_view_t *view, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_view_setrecursion(dns_c_view_t *view, isc_boolean_t newval);
+
+isc_result_t
+dns_c_view_unsetrecursion(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_getprovideixfr(dns_c_view_t *view, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_view_setprovideixfr(dns_c_view_t *view, isc_boolean_t newval);
+
+isc_result_t
+dns_c_view_unsetprovideixfr(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_getrequestixfr(dns_c_view_t *view, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_view_setrequestixfr(dns_c_view_t *view, isc_boolean_t newval);
+
+isc_result_t
+dns_c_view_unsetrequestixfr(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_getfetchglue(dns_c_view_t *view, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_view_setfetchglue(dns_c_view_t *view, isc_boolean_t newval);
+
+isc_result_t
+dns_c_view_unsetfetchglue(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_getnotify(dns_c_view_t *view, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_view_setnotify(dns_c_view_t *view, isc_boolean_t newval);
+
+isc_result_t
+dns_c_view_unsetnotify(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_getrfc2308type1(dns_c_view_t *view, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_view_setrfc2308type1(dns_c_view_t *view, isc_boolean_t newval);
+
+isc_result_t
+dns_c_view_unsetrfc2308type1(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_settransfersource(dns_c_view_t *view,
+			     isc_sockaddr_t transfer_source);
+
+isc_result_t
+dns_c_view_gettransfersource(dns_c_view_t *view,
+			     isc_sockaddr_t *transfer_source);
+
+isc_result_t
+dns_c_view_unsettransfersource(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_settransfersourcev6(dns_c_view_t *view,
+			       isc_sockaddr_t transfer_source_v6);
+
+isc_result_t
+dns_c_view_gettransfersourcev6(dns_c_view_t *view,
+			       isc_sockaddr_t *transfer_source_v6);
+
+isc_result_t
+dns_c_view_unsettransfersourcev6(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_setquerysource(dns_c_view_t *view, isc_sockaddr_t query_source);
+
+isc_result_t
+dns_c_view_getquerysource(dns_c_view_t *view, isc_sockaddr_t *query_source);
+
+isc_result_t
+dns_c_view_unsetquerysource(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_setquerysourcev6(dns_c_view_t *view,
+			    isc_sockaddr_t query_source_v6);
+
+isc_result_t
+dns_c_view_getquerysourcev6(dns_c_view_t *view,
+			    isc_sockaddr_t *query_source_v6);
+
+isc_result_t
+dns_c_view_unsetquerysourcev6(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_getmaxtransferidleout(dns_c_view_t *view, isc_int32_t *retval);
+
+isc_result_t
+dns_c_view_setmaxtransferidleout(dns_c_view_t *view, isc_int32_t newval);
+
+isc_result_t
+dns_c_view_unsetmaxtransferidleout(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_getmaxtransfertimeout(dns_c_view_t *view, isc_int32_t *retval);
+
+isc_result_t
+dns_c_view_setmaxtransfertimeout(dns_c_view_t *view, isc_int32_t newval);
+
+isc_result_t
+dns_c_view_unsetmaxtransfertimeout(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_getcleaninterval(dns_c_view_t *view, isc_int32_t *retval);
+
+isc_result_t
+dns_c_view_setcleaninterval(dns_c_view_t *view, isc_int32_t newval);
+
+isc_result_t
+dns_c_view_unsetcleaninterval(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_getminroots(dns_c_view_t *view, isc_int32_t *retval);
+
+isc_result_t
+dns_c_view_setminroots(dns_c_view_t *view, isc_int32_t newval);
+
+isc_result_t
+dns_c_view_unsetminroots(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_getlamettl(dns_c_view_t *view, isc_int32_t *retval);
+
+isc_result_t
+dns_c_view_setlamettl(dns_c_view_t *view, isc_int32_t newval);
+
+isc_result_t
+dns_c_view_unsetlamettl(dns_c_view_t *view);
+
+
+isc_result_t
+dns_c_view_getmaxncachettl(dns_c_view_t *view, isc_int32_t *retval);
+
+isc_result_t
+dns_c_view_setmaxncachettl(dns_c_view_t *view, isc_int32_t newval);
+
+isc_result_t
+dns_c_view_unsetmaxncachettl(dns_c_view_t *view);
+
+
+isc_result_t
+dns_c_view_getmaxcachettl(dns_c_view_t *view, isc_int32_t *retval);
+
+isc_result_t
+dns_c_view_setmaxcachettl(dns_c_view_t *view, isc_int32_t newval);
+
+isc_result_t
+dns_c_view_unsetmaxcachettl(dns_c_view_t *view);
+
+
+
+isc_result_t
+dns_c_view_setadditionaldata(dns_c_view_t *view, dns_c_addata_t newval);
+
+isc_result_t
+dns_c_view_getadditionaldata(dns_c_view_t *view, dns_c_addata_t *retval);
+
+isc_result_t
+dns_c_view_unsetadditionaldata(dns_c_view_t *cfg);
+
+
+
+isc_result_t
+dns_c_view_settransferformat(dns_c_view_t *view,
+			     dns_transfer_format_t tformat);
+
+isc_result_t
+dns_c_view_gettransferformat(dns_c_view_t *view,
+			     dns_transfer_format_t *tformat);
+
+isc_result_t
+dns_c_view_unsettransferformat(dns_c_view_t *cfg);
 
-isc_result_t dns_c_view_delete(dns_c_view_t **view);
 /*
- * Deletes the view and its contents.
- *
- * Requires:
- *	view be a pointer to a valid view.
- * 
- * Returns:
- *	ISC_R_SUCCESS		-- all is well
- *  
+ * Caller must not delete retval.
  */
+isc_result_t
+dns_c_view_getkeydefs(dns_c_view_t *view, dns_c_kdeflist_t **retval);
+
+isc_result_t
+dns_c_view_setkeydefs(dns_c_view_t *view, dns_c_kdeflist_t *newval);
+
+isc_result_t
+dns_c_view_unsetkeydefs(dns_c_view_t *view);
 
-isc_result_t dns_c_view_addzone(dns_c_view_t *view, dns_c_zone_t *zone);
 /*
- * Puts the zone in the view's zonetable. Dosn't alter the 'owner' view of 
- * the zone.
+ * Detach when done with retval.
  */
+isc_result_t
+dns_c_view_getpeerlist(dns_c_view_t *cfg, dns_peerlist_t **retval);
 
-isc_result_t dns_c_view_setallowquery(dns_c_view_t *view,
-				      dns_c_ipmatchlist_t *ipml,
-				      isc_boolean_t deepcopy);
 /*
- * Sets the ipmatch list of the allow-query field to the IPML. If DEEPCOPY
- * is true, then a full copy of IPML is made using the MEM memory pool. In
- * which case the caller still is the owner the memory IPML points to. If
- * DEEPCOPY is false, then the view takes ownership of the memory IPML
- * points to. If the view already has an allow-query list, then it is deleted
- * before the new one is added.
- *
- * Requires:
- *	mem be a pointer to a valid memory manager
- *	ipml be a valid dns_c_ipmatchlist_t
- * 
- * Returns:
- *	ISC_R_SUCCESS		-- all is well
- *	ISC_R_NOMEMORY		-- memory could not be allocated for the
- *				   deepcopy  .
- * 
+ * cfg will attach to newval.
  */
+isc_result_t
+dns_c_view_setpeerlist(dns_c_view_t *cfg, dns_peerlist_t *newval);
 
+isc_result_t
+dns_c_view_unsetpeerlist(dns_c_view_t *cfg);
+
+#if 0
 
-isc_result_t dns_c_view_setallowtransfer(dns_c_view_t *view,
-					 dns_c_ipmatchlist_t *ipml,
-					 isc_boolean_t deepcopy);
-isc_result_t dns_c_view_setallowrecursion(dns_c_view_t *view,
-					  dns_c_ipmatchlist_t *ipml,
-					  isc_boolean_t deepcopy);
-isc_result_t dns_c_view_setallowupdateforwarding(dns_c_view_t *view,
-						 dns_c_ipmatchlist_t *ipml,
-						 isc_boolean_t deepcopy);
-isc_result_t dns_c_view_setblackhole(dns_c_view_t *view,
-				     dns_c_ipmatchlist_t *ipml,
-				     isc_boolean_t deepcopy);
-isc_result_t dns_c_view_setforwarders(dns_c_view_t *view,
-				      dns_c_iplist_t *ipml,
-				      isc_boolean_t deepcopy);
-isc_result_t dns_c_view_setsortlist(dns_c_view_t *view,
-				    dns_c_ipmatchlist_t *ipml,
-				    isc_boolean_t deepcopy);
-isc_result_t dns_c_view_settopology(dns_c_view_t *view,
-				    dns_c_ipmatchlist_t *ipml,
-				    isc_boolean_t deepcopy);
-isc_result_t dns_c_view_addlisten_on(dns_c_view_t *view, in_port_t port,
-				     dns_c_ipmatchlist_t *ml,
-				     isc_boolean_t copy);
-isc_result_t dns_c_view_setrrsetorderlist(dns_c_view_t *view,
-					  isc_boolean_t copy,
-					  dns_c_rrsolist_t *olist);
-isc_result_t dns_c_view_setchecknames(dns_c_view_t *view,
-				      dns_c_trans_t transtype,
-				      dns_severity_t sever);
-isc_result_t dns_c_view_settransferformat(dns_c_view_t *view,
-					  dns_transfer_format_t format);
-					  
-/* caller must not modifiy or delete returned values */
-isc_result_t dns_c_view_getallowquery(dns_c_view_t *view,
-				      dns_c_ipmatchlist_t **ipml);
-isc_result_t dns_c_view_getallowtransfer(dns_c_view_t *view,
-					 dns_c_ipmatchlist_t **ipml);
-isc_result_t dns_c_view_getallowrecursion(dns_c_view_t *view,
-					  dns_c_ipmatchlist_t **ipml);
-isc_result_t dns_c_view_getallowupdateforwarding(dns_c_view_t *view,
-						 dns_c_ipmatchlist_t **ipml);
-isc_result_t dns_c_view_getblackhole(dns_c_view_t *view,
-				     dns_c_ipmatchlist_t **ipml);
-isc_result_t dns_c_view_getforwarders(dns_c_view_t *view,
-				      dns_c_iplist_t **ipml);
-isc_result_t dns_c_view_getsortlist(dns_c_view_t *view,
-				    dns_c_ipmatchlist_t **ipml);
-isc_result_t dns_c_view_gettopology(dns_c_view_t *view,
-				    dns_c_ipmatchlist_t **ipml);
-isc_result_t dns_c_view_getlistenlist(dns_c_view_t *cfg,
-				      dns_c_lstnlist_t **ll);
-isc_result_t dns_c_view_getrrsetorderlist(dns_c_view_t *view,
-					  dns_c_rrsolist_t **olist);
-isc_result_t dns_c_view_getchecknames(dns_c_view_t *view,
-				      dns_c_trans_t transtype,
-				      dns_severity_t *sever);
-isc_result_t dns_c_view_gettransferformat(dns_c_view_t *view,
-					  dns_transfer_format_t *format);
-
-
-
-isc_result_t dns_c_view_getallowqueryexpanded(isc_mem_t *mem,
-					      dns_c_view_t *view,
-					      dns_c_acltable_t *acltable,
-					      dns_c_ipmatchlist_t **retval);
 /*
- * Retuns a copy through the RETVAL parameter (the caller is responsible
- * for deleting the returned value) of the allow-query address-match
- * list. Any references in the list to acls or indirect address-match
- * lists. are recursivly expanded ((using the definitions in ACLTABLE) so
- * that the end result has no references in it. Memory allocation for the
- * copy is done via the memory pool pointed to by the MEM paramater.
- *
- * Requires:
- *	mem be a pointer to a valid memory manager
- *	acl be a pointer to a valid acl.
- *	retval be a valid non-NULL pointer.
- * 
- * Returns:
- *	ISC_R_SUCCESS		-- all is well
- *	ISC_R_NOMEMORY		-- not enough memory to make copy.
- *	ISC_R_FAILURE		-- an acl reference couldn't be expanded.
- * 
+ * XXX waiting to server to implement these items before enabling them
  */
 
+isc_result_t
+dns_c_view_getmaxtransfertimein(dns_c_view_t *view, isc_int32_t *retval);
 
-void dns_c_view_print(FILE *fp, int indent,
-		      dns_c_view_t *view);
+isc_result_t
+dns_c_view_setmaxtransfertimein(dns_c_view_t *view, isc_int32_t newval);
 
-/*	
- * Prints the view VIEW to the stdio stream FP. An INDENT number of
- * tabs is printed at the start of each line.
- *
- * Requires:
- *	FP be a valid stdio stream
- *	view be a pointer to a valid dns_c_view_t
- */
+isc_result_t
+dns_c_view_unsetmaxtransfertimein(dns_c_view_t *view);
 
+isc_result_t
+dns_c_view_getmaxtransferidlein(dns_c_view_t *view, isc_int32_t *retval);
 
-isc_result_t dns_c_view_getname(dns_c_view_t *view,
-				const char **retval);
+isc_result_t
+dns_c_view_setmaxtransferidlein(dns_c_view_t *view, isc_int32_t newval);
 
-/*
- * Returns the name of the view. Caller must NOT free or touch the returned 
- * array.
- */
+isc_result_t
+dns_c_view_unsetmaxtransferidlein(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_gettransfersperns(dns_c_view_t *view, isc_int32_t *retval);
+
+isc_result_t
+dns_c_view_settransfersperns(dns_c_view_t *view, isc_int32_t newval);
+
+isc_result_t
+dns_c_view_unsettransfersperns(dns_c_view_t *view);
+
+isc_result_t
+dns_c_view_getserialqueries(dns_c_view_t *view, isc_int32_t *retval);
+
+isc_result_t
+dns_c_view_setserialqueries(dns_c_view_t *view, isc_int32_t newval);
+
+isc_result_t
+dns_c_view_unsetserialqueries(dns_c_view_t *view);
+
+#endif
 
+ISC_LANG_ENDDECLS
 
-#endif /* DNS_CONFIG_CONFVIEW_H */
+#endif /* DNS_CONFVIEW_H */
diff --git a/lib/dns/include/dns/confzone.h b/lib/dns/include/dns/confzone.h
index bbf86508..6b804a3c 100644
--- a/lib/dns/include/dns/confzone.h
+++ b/lib/dns/include/dns/confzone.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef DNS_CONFIG_CONFZONE_H
-#define DNS_CONFIG_CONFZONE_H 1
+#ifndef DNS_CONFZONE_H
+#define DNS_CONFZONE_H 1
 
 /*****
  ***** Module Info
@@ -53,19 +53,9 @@
  *** Imports
  ***/
 
-#include <config.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
 
-#include <isc/mem.h>
-
-/* XXX these next two are needed by rdatatype.h. It should be fixed to
- * include them itself.
- */
-#include <isc/buffer.h>
-#include <dns/result.h>
-
-#include <dns/rdatatype.h>
-
-#include <dns/confcommon.h>
 #include <dns/confip.h>
 #include <dns/confkeys.h>
 
@@ -73,8 +63,7 @@
 #define DNS_C_ZONE_MAGIC		0x7a4f6e45 /* zOnE */
 
 #define DNS_C_ZONELIST_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_ZONELIST_MAGIC)
-#define DNS_C_ZONE_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_ZONE_MAGIC)
-
+#define DNS_C_ZONE_VALID(ptr)     ISC_MAGIC_VALID(ptr, DNS_C_ZONE_MAGIC)
 
 /***
  *** Types
@@ -95,25 +84,19 @@ typedef struct dns_c_zonelem		dns_c_zonelem_t;
 typedef struct dns_c_zone_list		dns_c_zonelist_t;
 #endif
 
-
-struct dns_c_zonelem
-{
+struct dns_c_zonelem {
 	dns_c_zone_t	*thezone;
 	ISC_LINK(dns_c_zonelem_t) next;
 };
 
-
-struct dns_c_zone_list
-{
+struct dns_c_zone_list {
 	isc_int32_t 		magic;
 	isc_mem_t	       *mem;
 
 	ISC_LIST(dns_c_zonelem_t)	zones;
 };
 
-
-struct dns_c_master_zone
-{
+struct dns_c_master_zone {
 	char		       *file;
 	dns_severity_t	check_names;
 	dns_c_ipmatchlist_t    *allow_update;
@@ -138,9 +121,7 @@ struct dns_c_master_zone
 	dns_c_setbits_t		setflags;
 };
 
-
-struct dns_c_slave_zone
-{
+struct dns_c_slave_zone {
 	char		       *file;
 	dns_severity_t	check_names;
 	dns_c_ipmatchlist_t    *allow_update;
@@ -170,9 +151,7 @@ struct dns_c_slave_zone
 	dns_c_setbits_t		setflags;
 };
 
-
-struct dns_c_stub_zone
-{
+struct dns_c_stub_zone {
 	char		       *file;
 	dns_severity_t	check_names;
 	dns_c_ipmatchlist_t    *allow_update; /* should be here??? */
@@ -194,10 +173,7 @@ struct dns_c_stub_zone
 	dns_c_setbits_t		setflags;
 };
 
-
-
-struct dns_c_forward_zone
-{
+struct dns_c_forward_zone {
 	dns_severity_t	check_names;
 	dns_c_forw_t		forward;
 	dns_c_iplist_t	       *forwarders;
@@ -205,9 +181,7 @@ struct dns_c_forward_zone
 	dns_c_setbits_t		setflags;
 };
 
-
-struct dns_c_hint_zone
-{
+struct dns_c_hint_zone {
 	char		       *file;
 	dns_severity_t	check_names;
 	dns_c_pklist_t	       *pubkeylist;
@@ -215,9 +189,7 @@ struct dns_c_hint_zone
 	dns_c_setbits_t		setflags;
 };
 
-
-struct dns_c_zone
-{
+struct dns_c_zone {
 	isc_int32_t			magic;
 	
 	isc_mem_t		       *mem;
@@ -225,8 +197,10 @@ struct dns_c_zone
 	
 	char			       *name; /* e.g. "foo.com" */
 	char			       *internalname; /* e.g. "foo.com.ext" */
+	char			       *database;
 	dns_rdataclass_t		zclass; 
 	dns_c_view_t		       *view;
+	isc_boolean_t		       *enabled;
 	
 	dns_c_zonetype_t		ztype;
 	union 
@@ -241,155 +215,263 @@ struct dns_c_zone
 	isc_boolean_t			afteropts;
 };
 
-
 /***
  *** Functions
  ***/
 
-isc_result_t	dns_c_zonelist_new(isc_mem_t *mem,
-				   dns_c_zonelist_t **zlist);
-isc_result_t	dns_c_zonelist_delete(dns_c_zonelist_t **zlist);
+ISC_LANG_BEGINDECLS
+
+
+isc_result_t
+dns_c_zonelist_new(isc_mem_t *mem, dns_c_zonelist_t **zlist);
+
+isc_result_t
+dns_c_zonelist_delete(dns_c_zonelist_t **zlist);
+
+isc_result_t
+dns_c_zonelist_checkzones(dns_c_zonelist_t *zlist);
+
 #if 0
-dns_c_zone_t   *dns_c_zonelist_currzone(dns_c_zonelist_t *zlist);
+dns_c_zone_t *
+dns_c_zonelist_currzone(dns_c_zonelist_t *zlist);
 #endif
 
-isc_result_t	dns_c_zonelist_find(dns_c_zonelist_t *zlist,
-				    const char *name, dns_c_zone_t **retval);
-isc_result_t	dns_c_zonelist_rmbyname(dns_c_zonelist_t *zlist,
-					const char *name);
-isc_result_t	dns_c_zonelist_addzone(dns_c_zonelist_t *zlist,
-				       dns_c_zone_t *zone);
-isc_result_t	dns_c_zonelist_rmzone(dns_c_zonelist_t *zlist,
-				      dns_c_zone_t *zone);
-void		dns_c_zonelist_print(FILE *fp, int indent,
-				     dns_c_zonelist_t *list);
-void		dns_c_zonelist_printpostopts(FILE *fp,
-					     int indent,
-					     dns_c_zonelist_t *list);
-void		dns_c_zonelist_printpreopts(FILE *fp,
-					    int indent,
-					    dns_c_zonelist_t *list);
-isc_result_t	dns_c_zone_new(isc_mem_t *mem,
-			       dns_c_zonetype_t ztype, dns_rdataclass_t zclass,
-			       const char *name, const char *internalname,
-			       dns_c_zone_t **zone);
-isc_result_t	dns_c_zone_detach(dns_c_zone_t **zone);
-void		dns_c_zone_attach(dns_c_zone_t *source,
-				  dns_c_zone_t **target);
-void		dns_c_zone_print(FILE *fp, int indent,
-				 dns_c_zone_t *zone);
-isc_result_t	dns_c_zone_setfile(dns_c_zone_t *zone,
-				   const char *newfile);
-isc_result_t	dns_c_zone_setchecknames(dns_c_zone_t *zone,
-					 dns_severity_t severity);
-isc_result_t	dns_c_zone_setallowupd(dns_c_zone_t *zone,
-				       dns_c_ipmatchlist_t *ipml,
-				       isc_boolean_t deepcopy);
-isc_result_t	dns_c_zone_setallowupdateforwarding(dns_c_zone_t *zone,
-						    dns_c_ipmatchlist_t *ipml,
-						    isc_boolean_t deepcopy);
-isc_result_t	dns_c_zone_setssuauth(dns_c_zone_t *zone,
-				      dns_ssutable_t *ssutable);
-isc_result_t	dns_c_zone_setallowquery(dns_c_zone_t *zone,
-					 dns_c_ipmatchlist_t *ipml,
-					 isc_boolean_t deepcopy);
-isc_result_t	dns_c_zone_setallowtransfer(dns_c_zone_t *zone,
-					    dns_c_ipmatchlist_t *ipml,
-					    isc_boolean_t deepcopy);
-isc_result_t	dns_c_zone_setdialup(dns_c_zone_t *zone,
-				     isc_boolean_t newval);
-isc_result_t	dns_c_zone_setnotify(dns_c_zone_t *zone,
-				     isc_boolean_t newval);
-isc_result_t	dns_c_zone_setmaintixfrbase(dns_c_zone_t *zone,
-					    isc_boolean_t newval);
-isc_result_t	dns_c_zone_setalsonotify(dns_c_zone_t *zone,
-					 dns_c_iplist_t *newval,
-					 isc_boolean_t deepcopy);
-isc_result_t	dns_c_zone_setixfrbase(dns_c_zone_t *zone,
-				       const char *newval);
-isc_result_t	dns_c_zone_setixfrtmp(dns_c_zone_t *zone,
-				      const char *newval);
-isc_result_t	dns_c_zone_addpubkey(dns_c_zone_t *zone,
-				     dns_c_pubkey_t *pubkey,
-				     isc_boolean_t deepcopy);
-isc_result_t	dns_c_zone_setmasterport(dns_c_zone_t *zone,
-					 in_port_t port);
-isc_result_t	dns_c_zone_setmasterips(dns_c_zone_t *zone,
-					dns_c_iplist_t *newval,
-					isc_boolean_t deepcopy);
-isc_result_t	dns_c_zone_settransfersource(dns_c_zone_t *zone,
-					     isc_sockaddr_t newval);
-isc_result_t	dns_c_zone_settransfersourcev6(dns_c_zone_t *zone,
-					     isc_sockaddr_t newval);
-isc_result_t	dns_c_zone_setmaxtranstimein(dns_c_zone_t *zone,
-					     isc_int32_t newval);
-isc_result_t	dns_c_zone_setmaxtranstimeout(dns_c_zone_t *zone,
-					     isc_int32_t newval);
-isc_result_t	dns_c_zone_setmaxtransidlein(dns_c_zone_t *zone,
-					     isc_int32_t newval);
-isc_result_t	dns_c_zone_setmaxtransidleout(dns_c_zone_t *zone,
-					     isc_int32_t newval);
-isc_result_t	dns_c_zone_setmaxixfrlog(dns_c_zone_t *zone,
-					 isc_int32_t new);
-isc_result_t	dns_c_zone_setforward(dns_c_zone_t *zone,
-				      dns_c_forw_t newval);
-isc_result_t	dns_c_zone_setforwarders(dns_c_zone_t *zone,
-					 dns_c_iplist_t *ipml,
-					 isc_boolean_t deepcopy);
-isc_result_t	dns_c_zone_getname(dns_c_zone_t *zone,
-				   const char **retval);
-isc_result_t	dns_c_zone_getinternalname(dns_c_zone_t *zone,
-					   const char **retval);
-isc_result_t	dns_c_zone_getfile(dns_c_zone_t *zone,
-				   const char **retval);
-isc_result_t	dns_c_zone_getchecknames(dns_c_zone_t *zone,
-					 dns_severity_t *retval);
-isc_result_t	dns_c_zone_getallowupd(dns_c_zone_t *zone,
-				       dns_c_ipmatchlist_t **retval);
-isc_result_t	dns_c_zone_getssuauth(dns_c_zone_t *zone,
-				      dns_ssutable_t **ssutable);
-isc_result_t	dns_c_zone_getallowupdateforwarding(dns_c_zone_t *zone,
-						 dns_c_ipmatchlist_t **retval);
-isc_result_t	dns_c_zone_getallowquery(dns_c_zone_t *zone,
-					 dns_c_ipmatchlist_t **retval);
-isc_result_t	dns_c_zone_getallowtransfer(dns_c_zone_t *zone,
-					    dns_c_ipmatchlist_t **retval);
-isc_result_t	dns_c_zone_getdialup(dns_c_zone_t *zone,
-				     isc_boolean_t *retval);
-isc_result_t	dns_c_zone_getnotify(dns_c_zone_t *zone,
-				     isc_boolean_t *retval);
-isc_result_t	dns_c_zone_getmaintixfrbase(dns_c_zone_t *zone,
-					    isc_boolean_t *retval);
-isc_result_t	dns_c_zone_getalsonotify(dns_c_zone_t *zone,
-					 dns_c_iplist_t **retval);
-isc_result_t	dns_c_zone_getixfrbase(dns_c_zone_t *zone,
-				       const char **retval);
-isc_result_t	dns_c_zone_getixfrtmp(dns_c_zone_t *zone,
-				      const char **retval);
-isc_result_t	dns_c_zone_getpubkeylist(dns_c_zone_t *zone,
-				     dns_c_pklist_t **retval);
-isc_result_t	dns_c_zone_getmasterport(dns_c_zone_t *zone,
-					 in_port_t *retval);
-isc_result_t	dns_c_zone_getmasterips(dns_c_zone_t *zone,
-					dns_c_iplist_t **retval);
-isc_result_t	dns_c_zone_gettransfersource(dns_c_zone_t *zone,
-					     isc_sockaddr_t *retval);
-isc_result_t	dns_c_zone_gettransfersourcev6(dns_c_zone_t *zone,
-					       isc_sockaddr_t *retval);
-isc_result_t	dns_c_zone_getmaxtranstimein(dns_c_zone_t *zone,
-					     isc_int32_t *retval);
-isc_result_t	dns_c_zone_getmaxtranstimeout(dns_c_zone_t *zone,
-					     isc_int32_t *retval);
-isc_result_t	dns_c_zone_getmaxtransidlein(dns_c_zone_t *zone,
-					     isc_int32_t *retval);
-isc_result_t	dns_c_zone_getmaxtransidleout(dns_c_zone_t *zone,
-					     isc_int32_t *retval);
-isc_result_t	dns_c_zone_getmaxixfrlog(dns_c_zone_t *zone,
-					 isc_int32_t *retval);
-isc_result_t	dns_c_zone_getforward(dns_c_zone_t *zone,
-				      dns_c_forw_t *retval);
-isc_result_t	dns_c_zone_getforwarders(dns_c_zone_t *zone,
-					 dns_c_iplist_t **retval);
-
-
-#endif /* DNS_CONFIG_CONFZONE_H */
+isc_result_t
+dns_c_zonelist_find(dns_c_zonelist_t *zlist, const char *name,
+		    dns_c_zone_t **retval);
+
+isc_result_t
+dns_c_zonelist_rmbyname(dns_c_zonelist_t *zlist, const char *name);
+
+isc_result_t
+dns_c_zonelist_addzone(dns_c_zonelist_t *zlist, dns_c_zone_t *zone);
+
+isc_result_t
+dns_c_zonelist_rmzone(dns_c_zonelist_t *zlist, dns_c_zone_t *zone);
+
+void
+dns_c_zonelist_print(FILE *fp, int indent, dns_c_zonelist_t *list);
+
+void
+dns_c_zonelist_printpostopts(FILE *fp, int indent, dns_c_zonelist_t *list);
+
+void
+dns_c_zonelist_printpreopts(FILE *fp, int indent, dns_c_zonelist_t *list);
+
+dns_c_zone_t *
+dns_c_zonelist_firstzone(dns_c_zonelist_t *list);
+
+dns_c_zone_t *
+dns_c_zonelist_nextzone(dns_c_zonelist_t *list, dns_c_zone_t *thezone);
+
+isc_result_t
+dns_c_zone_new(isc_mem_t *mem, dns_c_zonetype_t ztype,
+	       dns_rdataclass_t zclass, const char *name,
+	       const char *internalname, dns_c_zone_t **zone);
+
+isc_result_t
+dns_c_zone_detach(dns_c_zone_t **zone);
+
+void
+dns_c_zone_attach(dns_c_zone_t *source, dns_c_zone_t **target);
+
+void
+dns_c_zone_print(FILE *fp, int indent, dns_c_zone_t *zone);
+
+isc_result_t
+dns_c_zone_setfile(dns_c_zone_t *zone, const char *newfile);
+
+isc_result_t
+dns_c_zone_setchecknames(dns_c_zone_t *zone, dns_severity_t severity);
+
+isc_result_t
+dns_c_zone_setallowupdateforwarding(dns_c_zone_t *zone,
+				    dns_c_ipmatchlist_t *ipml,
+				    isc_boolean_t deepcopy);
+
+isc_result_t
+dns_c_zone_setssuauth(dns_c_zone_t *zone, dns_ssutable_t *ssutable);
+
+isc_result_t
+dns_c_zone_setallowquery(dns_c_zone_t *zone, dns_c_ipmatchlist_t *ipml,
+			 isc_boolean_t deepcopy);
+
+isc_result_t
+dns_c_zone_setallowtransfer(dns_c_zone_t *zone, dns_c_ipmatchlist_t *ipml,
+			    isc_boolean_t deepcopy);
+
+isc_result_t
+dns_c_zone_setdialup(dns_c_zone_t *zone, isc_boolean_t newval);
+
+isc_result_t
+dns_c_zone_setnotify(dns_c_zone_t *zone, isc_boolean_t newval);
+
+isc_result_t
+dns_c_zone_setmaintixfrbase(dns_c_zone_t *zone, isc_boolean_t newval);
+
+isc_result_t
+dns_c_zone_setalsonotify(dns_c_zone_t *zone, dns_c_iplist_t *newval,
+			 isc_boolean_t deepcopy);
+
+isc_result_t
+dns_c_zone_setixfrbase(dns_c_zone_t *zone, const char *newval);
+
+isc_result_t
+dns_c_zone_setixfrtmp(dns_c_zone_t *zone, const char *newval);
+
+isc_result_t
+dns_c_zone_addpubkey(dns_c_zone_t *zone, dns_c_pubkey_t *pubkey,
+		     isc_boolean_t deepcopy);
+
+isc_result_t
+dns_c_zone_setmasterport(dns_c_zone_t *zone, in_port_t port);
+
+isc_result_t
+dns_c_zone_setmasterips(dns_c_zone_t *zone, dns_c_iplist_t *newval,
+			isc_boolean_t deepcopy);
+
+isc_result_t
+dns_c_zone_settransfersource(dns_c_zone_t *zone, isc_sockaddr_t newval);
+
+isc_result_t
+dns_c_zone_settransfersourcev6(dns_c_zone_t *zone, isc_sockaddr_t newval);
+
+isc_result_t
+dns_c_zone_setmaxtranstimein(dns_c_zone_t *zone, isc_int32_t newval);
+
+isc_result_t
+dns_c_zone_setmaxtranstimeout(dns_c_zone_t *zone, isc_int32_t newval);
+
+isc_result_t
+dns_c_zone_setmaxtransidlein(dns_c_zone_t *zone, isc_int32_t newval);
+
+isc_result_t
+dns_c_zone_setmaxtransidleout(dns_c_zone_t *zone, isc_int32_t newval);
+
+isc_result_t
+dns_c_zone_setmaxixfrlog(dns_c_zone_t *zone, isc_int32_t newval);
+
+isc_result_t
+dns_c_zone_setforward(dns_c_zone_t *zone, dns_c_forw_t newval);
+
+isc_result_t
+dns_c_zone_setforwarders(dns_c_zone_t *zone, dns_c_iplist_t *ipml,
+			 isc_boolean_t deepcopy);
+
+isc_result_t
+dns_c_zone_getname(dns_c_zone_t *zone, const char **retval);
+
+isc_result_t
+dns_c_zone_getinternalname(dns_c_zone_t *zone, const char **retval);
+
+isc_result_t
+dns_c_zone_getfile(dns_c_zone_t *zone, const char **retval);
+
+isc_result_t
+dns_c_zone_getchecknames(dns_c_zone_t *zone, dns_severity_t *retval);
+
+isc_result_t
+dns_c_zone_getssuauth(dns_c_zone_t *zone, dns_ssutable_t **ssutable);
+
+isc_result_t
+dns_c_zone_getallowupdateforwarding(dns_c_zone_t *zone,
+				    dns_c_ipmatchlist_t **retval);
+
+isc_result_t
+dns_c_zone_getallowquery(dns_c_zone_t *zone, dns_c_ipmatchlist_t **retval);
+
+isc_result_t
+dns_c_zone_getallowtransfer(dns_c_zone_t *zone, dns_c_ipmatchlist_t **retval);
+
+isc_result_t
+dns_c_zone_getdialup(dns_c_zone_t *zone, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_zone_getnotify(dns_c_zone_t *zone, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_zone_getmaintixfrbase(dns_c_zone_t *zone, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_zone_getalsonotify(dns_c_zone_t *zone, dns_c_iplist_t **retval);
+
+isc_result_t
+dns_c_zone_getixfrbase(dns_c_zone_t *zone, const char **retval);
+
+isc_result_t
+dns_c_zone_getixfrtmp(dns_c_zone_t *zone, const char **retval);
+
+isc_result_t
+dns_c_zone_getpubkeylist(dns_c_zone_t *zone, dns_c_pklist_t **retval);
+
+isc_result_t
+dns_c_zone_getmasterport(dns_c_zone_t *zone, in_port_t *retval);
+
+isc_result_t
+dns_c_zone_getmasterips(dns_c_zone_t *zone, dns_c_iplist_t **retval);
+
+isc_result_t
+dns_c_zone_gettransfersource(dns_c_zone_t *zone, isc_sockaddr_t *retval);
+
+isc_result_t
+dns_c_zone_gettransfersourcev6(dns_c_zone_t *zone, isc_sockaddr_t *retval);
+
+isc_result_t
+dns_c_zone_getmaxtranstimein(dns_c_zone_t *zone, isc_int32_t *retval);
+
+isc_result_t
+dns_c_zone_getmaxtranstimeout(dns_c_zone_t *zone, isc_int32_t *retval);
+
+isc_result_t
+dns_c_zone_getmaxtransidlein(dns_c_zone_t *zone, isc_int32_t *retval);
+
+isc_result_t
+dns_c_zone_getmaxtransidleout(dns_c_zone_t *zone, isc_int32_t *retval);
+
+isc_result_t
+dns_c_zone_getmaxixfrlog(dns_c_zone_t *zone, isc_int32_t *retval);
+
+isc_result_t
+dns_c_zone_getforward(dns_c_zone_t *zone, dns_c_forw_t *retval);
+
+isc_result_t
+dns_c_zone_getforwarders(dns_c_zone_t *zone, dns_c_iplist_t **retval);
+
+isc_result_t
+dns_c_zone_setallowupd(dns_c_zone_t *zone, dns_c_ipmatchlist_t *ipml,
+		       isc_boolean_t deepcopy);
+
+isc_result_t
+dns_c_zone_getallowupd(dns_c_zone_t *zone, dns_c_ipmatchlist_t **retval);
+
+isc_result_t
+dns_c_zone_unsetallowupd(dns_c_zone_t *zone);
+
+
+isc_result_t
+dns_c_zone_setdatabase(dns_c_zone_t *zone, const char *database);
+
+isc_result_t
+dns_c_zone_getdatabase(dns_c_zone_t *zone, char **retval);
+
+isc_result_t
+dns_c_zone_unsetdatabase(dns_c_zone_t *zone);
+
+
+isc_result_t
+dns_c_zone_setenabled(dns_c_zone_t *zone, isc_boolean_t enabled);
+
+isc_result_t
+dns_c_zone_getenabled(dns_c_zone_t *zone, isc_boolean_t *retval);
+
+isc_result_t
+dns_c_zone_unsetenabled(dns_c_zone_t *zone);
+
+
+isc_result_t
+dns_c_zone_validate(dns_c_zone_t *zone);
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CONFZONE_H */
diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
index fd7e481d..814088e4 100644
--- a/lib/dns/include/dns/db.h
+++ b/lib/dns/include/dns/db.h
@@ -53,17 +53,13 @@
  ***** Imports
  *****/
 
-#include <stdio.h>
-
-#include <isc/boolean.h>
-#include <isc/mem.h>
 #include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/ondestroy.h>
 #include <isc/stdtime.h>
 
-#include <dns/types.h>
-#include <dns/result.h>
 #include <dns/name.h>
-#include <dns/callbacks.h>
+#include <dns/types.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -144,9 +140,8 @@ typedef struct dns_dbmethods {
 	isc_boolean_t	(*issecure)(dns_db_t *db);
 } dns_dbmethods_t;
 
-#define DNS_DB_MAGIC			0x444E5344U		/* DNSD. */
-#define DNS_DB_VALID(db)		((db) != NULL && \
-					 (db)->magic == DNS_DB_MAGIC)
+#define DNS_DB_MAGIC		0x444E5344U		/* DNSD. */
+#define DNS_DB_VALID(db)	ISC_MAGIC_VALID(db, DNS_DB_MAGIC)
 
 /*
  * This structure is actually just the common prefix of a DNS db
@@ -177,6 +172,7 @@ struct dns_db {
 #define DNS_DBFIND_VALIDATEGLUE		0x02
 #define DNS_DBFIND_NOWILD		0x04
 #define DNS_DBFIND_PENDINGOK		0x08
+#define DNS_DBFIND_NOEXACT		0x10
 
 /*
  * Options that can be specified for dns_db_addrdataset().
@@ -226,9 +222,9 @@ dns_db_create(isc_mem_t *mctx, char *db_type, dns_name_t *origin,
  *
  * Returns:
  *
- *	DNS_R_SUCCESS
- *	DNS_R_NOMEMORY
- *	DNS_R_NOTFOUND				db_type not found
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ *	ISC_R_NOTFOUND				db_type not found
  *
  *	Many other errors are possible, depending on what db_type was
  *	specified.
@@ -379,8 +375,8 @@ dns_db_beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp,
  *
  * Returns:
  *
- *	DNS_R_SUCCESS
- *	DNS_R_NOMEMORY
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
  *
  *	Other results are possible, depending upon the database
  *	implementation used, syntax errors in the master file, etc.
@@ -403,8 +399,8 @@ dns_db_endload(dns_db_t *db, dns_dbload_t **dbloadp);
  *
  * Returns:
  *
- *	DNS_R_SUCCESS
- *	DNS_R_NOMEMORY
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
  *
  *	Other results are possible, depending upon the database
  *	implementation used, syntax errors in the master file, etc.
@@ -430,8 +426,8 @@ dns_db_load(dns_db_t *db, const char *filename);
  *
  * Returns:
  *
- *	DNS_R_SUCCESS
- *	DNS_R_NOMEMORY
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
  *
  *	Other results are possible, depending upon the database
  *	implementation used, syntax errors in the master file, etc.
@@ -450,8 +446,8 @@ dns_db_dump(dns_db_t *db, dns_dbversion_t *version, const char *filename);
  *
  * Returns:
  *
- *	DNS_R_SUCCESS
- *	DNS_R_NOMEMORY
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
  *
  *	Other results are possible, depending upon the database
  *	implementation used, OS file errors, etc.
@@ -495,8 +491,8 @@ dns_db_newversion(dns_db_t *db, dns_dbversion_t **versionp);
  * 
  * Returns:
  *
- *	DNS_R_SUCCESS
- *	DNS_R_NOMEMORY
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
  *
  *	Other results are possible, depending upon the database
  *	implementation used.
@@ -586,9 +582,9 @@ dns_db_findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
  *
  * Returns:
  *
- *	DNS_R_SUCCESS
- *	DNS_R_NOTFOUND			If !create and name not found.
- *	DNS_R_NOMEMORY		        Can only happen if create is ISC_TRUE.
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOTFOUND			If !create and name not found.
+ *	ISC_R_NOMEMORY		        Can only happen if create is ISC_TRUE.
  *
  *	Other results are possible, depending upon the database
  *	implementation used.
@@ -658,7 +654,7 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
  *
  *	Non-error results are:
  *
- *		DNS_R_SUCCESS			The desired node and type were
+ *		ISC_R_SUCCESS			The desired node and type were
  *						found.
  *
  *		DNS_R_GLUE			The desired node and type were
@@ -709,7 +705,7 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
  *		DNS_R_NXRRSET			The desired name exists, but
  *						the desired type does not.
  *
- *		DNS_R_NOTFOUND			The desired name does not
+ *		ISC_R_NOTFOUND			The desired name does not
  *						exist, and no delegation could
  *						be found.  This result can only
  *						occur if 'db' is a cache
@@ -731,7 +727,7 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
  *
  *	Error results:
  *
- *		DNS_R_NOMEMORY
+ *		ISC_R_NOMEMORY
  *
  *		DNS_R_BADDB			Data that is required to be
  *						present in the DB, e.g. an NXT
@@ -752,8 +748,8 @@ dns_db_findzonecut(dns_db_t *db, dns_name_t *name,
  *
  * Notes:
  *
- *	If 'options' has DNS_DBFIND_ONLYANCESTORS set, then 'name' will
- *	be returned as the deepest match if it has an NS rdataset.
+ *	If the DNS_DBFIND_NOEXACT option is set, then the zonecut returned
+ *	(if any) will be the deepest known ancestor of 'name'.
  *
  *	If 'now' is zero, then the current time will be used.
  *
@@ -782,9 +778,9 @@ dns_db_findzonecut(dns_db_t *db, dns_name_t *name,
  *
  *	Non-error results are:
  *
- *		DNS_R_SUCCESS
+ *		ISC_R_SUCCESS
  *
- *		DNS_R_NOTFOUND
+ *		ISC_R_NOTFOUND
  *
  *		Other results are possible, and should all be treated as
  *		errors.
@@ -881,8 +877,8 @@ dns_db_createiterator(dns_db_t *db, isc_boolean_t relative_names,
  *
  * Returns:
  *
- *	DNS_R_SUCCESS
- *	DNS_R_NOMEMORY
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
  */
 
 /***
@@ -935,8 +931,8 @@ dns_db_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
  *
  * Returns:
  *
- *	DNS_R_SUCCESS
- *	DNS_R_NOTFOUND
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOTFOUND
  *	
  *	Other results are possible, depending upon the database
  *	implementation used.
@@ -973,8 +969,8 @@ dns_db_allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
  *
  * Returns:
  *
- *	DNS_R_SUCCESS
- *	DNS_R_NOTFOUND
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOTFOUND
  *	
  *	Other results are possible, depending upon the database
  *	implementation used.
@@ -1027,9 +1023,9 @@ dns_db_addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
  *
  * Returns:
  *
- *	DNS_R_SUCCESS
+ *	ISC_R_SUCCESS
  *	DNS_R_UNCHANGED			The operation did not change anything.
- *	DNS_R_NOMEMORY
+ *	ISC_R_NOMEMORY
  *	
  *	Other results are possible, depending upon the database
  *	implementation used.
@@ -1065,9 +1061,9 @@ dns_db_subtractrdataset(dns_db_t *db, dns_dbnode_t *node,
  *
  * Returns:
  *
- *	DNS_R_SUCCESS
+ *	ISC_R_SUCCESS
  *	DNS_R_UNCHANGED			The operation did not change anything.
- *	DNS_R_NXRDATASET		All rdata of the same type as those
+ *	DNS_R_NXRRSET			All rdata of the same type as those
  *					in 'rdataset' have been deleted.
  *	
  *	Other results are possible, depending upon the database
@@ -1109,7 +1105,7 @@ dns_db_deleterdataset(dns_db_t *db, dns_dbnode_t *node,
  *
  * Returns:
  *
- *	DNS_R_SUCCESS
+ *	ISC_R_SUCCESS
  *	DNS_R_UNCHANGED			No rdatasets of 'type' existed before
  *					the operation was attempted.
  *	
@@ -1117,6 +1113,16 @@ dns_db_deleterdataset(dns_db_t *db, dns_dbnode_t *node,
  *	implementation used.
  */
 
+isc_result_t
+dns_db_getsoaserial(dns_db_t *db, dns_dbversion_t *ver, isc_uint32_t *serialp);
+/*
+ * Get the current SOA serial number from a zone database.
+ *
+ * Requires:
+ *      'db' is a valid database with zone semantics.
+ *      'ver' is a valid version.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_DB_H */
diff --git a/lib/dns/include/dns/dbiterator.h b/lib/dns/include/dns/dbiterator.h
index 9e1ce34d..39c56d44 100644
--- a/lib/dns/include/dns/dbiterator.h
+++ b/lib/dns/include/dns/dbiterator.h
@@ -60,12 +60,10 @@
  ***** Imports
  *****/
 
-#include <isc/boolean.h>
-#include <isc/buffer.h>
 #include <isc/lang.h>
+#include <isc/magic.h>
 
 #include <dns/types.h>
-#include <dns/result.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -87,9 +85,8 @@ typedef struct dns_dbiteratormethods {
 				  dns_name_t *name);
 } dns_dbiteratormethods_t;
 
-#define DNS_DBITERATOR_MAGIC		0x444E5349U		/* DNSI. */
-#define DNS_DBITERATOR_VALID(dbi)	((dbi) != NULL && \
-					 (dbi)->magic == DNS_DBITERATOR_MAGIC)
+#define DNS_DBITERATOR_MAGIC	     0x444E5349U		/* DNSI. */
+#define DNS_DBITERATOR_VALID(dbi)    ISC_MAGIC_VALID(dbi, DNS_DBITERATOR_MAGIC)
 /*
  * This structure is actually just the common prefix of a DNS db
  * implementation's version of a dns_dbiterator_t.
@@ -133,8 +130,8 @@ dns_dbiterator_first(dns_dbiterator_t *iterator);
  *	'iterator' is a valid iterator.
  *
  * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_NOMORE			There are no nodes in the database.
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMORE			There are no nodes in the database.
  *
  *	Other results are possible, depending on the DB implementation.
  */
@@ -148,8 +145,8 @@ dns_dbiterator_last(dns_dbiterator_t *iterator);
  *	'iterator' is a valid iterator.
  *
  * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_NOMORE			There are no nodes in the database.
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMORE			There are no nodes in the database.
  *
  *	Other results are possible, depending on the DB implementation.
  */
@@ -165,8 +162,8 @@ dns_dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name);
  *	'name' is a valid name.
  *
  * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_NOTFOUND
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOTFOUND
  *
  *	Other results are possible, depending on the DB implementation.
  */
@@ -180,8 +177,8 @@ dns_dbiterator_prev(dns_dbiterator_t *iterator);
  *	'iterator' is a valid iterator.
  *
  * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_NOMORE			There are no more nodes in the
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMORE			There are no more nodes in the
  *					database.
  *
  *	Other results are possible, depending on the DB implementation.
@@ -196,8 +193,8 @@ dns_dbiterator_next(dns_dbiterator_t *iterator);
  *	'iterator' is a valid iterator.
  *
  * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_NOMORE			There are no more nodes in the
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMORE			There are no more nodes in the
  *					database.
  *
  *	Other results are possible, depending on the DB implementation.
@@ -218,13 +215,13 @@ dns_dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
  *	nodep != NULL && *nodep == NULL
  *
  *	The node cursor of 'iterator' is at a valid location (i.e. the
- *	result of last call to a cursor movement command was DNS_R_SUCCESS).
+ *	result of last call to a cursor movement command was ISC_R_SUCCESS).
  *
  *	'name' is NULL, or is a valid name with a dedicated buffer.
  *
  * Returns:
  *
- *	DNS_R_SUCCESS
+ *	ISC_R_SUCCESS
  *	DNS_R_NEWORIGIN			If this iterator was created with
  *					'relative_names' set to ISC_TRUE,
  *					then DNS_R_NEWORIGIN will be returned
@@ -259,7 +256,7 @@ dns_dbiterator_pause(dns_dbiterator_t *iterator);
  *	released.
  *
  * Returns:
- *	DNS_R_SUCCESS
+ *	ISC_R_SUCCESS
  *
  *	Other results are possible, depending on the DB implementation.
  */
@@ -277,8 +274,8 @@ dns_dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name);
  *
  * Returns:
  *
- *	DNS_R_SUCCESS
- *	DNS_R_NOSPACE
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOSPACE
  *
  *	Other results are possible, depending on the DB implementation.
  */
diff --git a/lib/dns/include/dns/dbtable.h b/lib/dns/include/dns/dbtable.h
index d95c5e6d..b0157748 100644
--- a/lib/dns/include/dns/dbtable.h
+++ b/lib/dns/include/dns/dbtable.h
@@ -15,6 +15,9 @@
  * SOFTWARE.
  */
 
+#ifndef DNS_DBTABLE_H
+#define DNS_DBTABLE_H 1
+
 /*****
  ***** Module Info
  *****/
@@ -41,11 +44,14 @@
  *	None.
  */
 
-#include <isc/mem.h>
+#include <isc/lang.h>
 
-#include <dns/result.h>
 #include <dns/types.h>
 
+#define DNS_DBTABLEFIND_NOEXACT		0x01
+
+ISC_LANG_BEGINDECLS
+
 isc_result_t
 dns_dbtable_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 		   dns_dbtable_t **dbtablep);
@@ -58,9 +64,9 @@ dns_dbtable_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
  *	'rdclass' is a valid class
  *
  * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_NOMEMORY
- *	DNS_R_UNEXPECTED
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ *	ISC_R_UNEXPECTED
  */
 
 void
@@ -138,10 +144,19 @@ dns_dbtable_removedefault(dns_dbtable_t *dbtable);
  */
 
 isc_result_t
-dns_dbtable_find(dns_dbtable_t *dbtable, dns_name_t *name, dns_db_t **dbp);
+dns_dbtable_find(dns_dbtable_t *dbtable, dns_name_t *name,
+		 unsigned int options, dns_db_t **dbp);
 /*
  * Find the deepest match to 'name' in the dbtable, and return it
  *
- * Returns:  DNS_R_SUCCESS		on success
+ * Notes:
+ *	If the DNS_DBTABLEFIND_NOEXACT option is set, the best partial
+ *	match (if any) to 'name' will be returned.
+ *
+ * Returns:  ISC_R_SUCCESS		on success
  *	     <something else>		no default and match
  */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DBTABLE_H */
diff --git a/lib/dns/include/dns/dispatch.h b/lib/dns/include/dns/dispatch.h
index 5355ee00..52025863 100644
--- a/lib/dns/include/dns/dispatch.h
+++ b/lib/dns/include/dns/dispatch.h
@@ -49,19 +49,15 @@
  *** Imports
  ***/
 
-#include <isc/boolean.h>
 #include <isc/buffer.h>
+#include <isc/eventclass.h>
 #include <isc/lang.h>
-#include <isc/sockaddr.h>
 #include <isc/socket.h>
 
 #include <dns/types.h>
-#include <dns/result.h>
 
 ISC_LANG_BEGINDECLS
 
-#define DNS_DISPATCHEVENT_RECV	(ISC_EVENTCLASS_DNS + 1) /* XXXMLG */
-
 /*
  * This event is sent to a task when a response (or request) comes in.
  * No part of this structure should ever be modified by the caller,
@@ -86,39 +82,119 @@ struct dns_dispatchevent {
 	isc_sockaddr_t		addr;		/* address recv'd from */
 	struct in6_pktinfo	pktinfo;	/* reply info for v6 */
 	isc_buffer_t	        buffer;		/* data buffer */
+	isc_uint32_t		attributes;	/* mirrored from socket.h */
 };
 
 /*
- * event attributes
+ * Attributes for added dispatchers.
+ *
+ * Values with the mask 0xffff0000 are application defined.
+ * Values with the mask 0x0000ffff are library defined.
+ *
+ * Insane values (like setting both TCP and UDP) are not caught.  Don't
+ * do that.
+ *
+ * _PRIVATE
+ *	The dispatcher cannot be shared.
+ *
+ * _TCP, _UDP
+ *	The dispatcher is a TCP or UDP socket.
+ *
+ * _IPV4, _IPV6
+ *	The dispatcher uses an ipv4 or ipv6 socket.
+ *
+ * _ACCEPTREQUEST
+ *	The dispatcher can be used to accept requests.
+ *
+ * _MAKEQUERY
+ *	The dispatcher can be used to issue queries to other servers, and
+ *	accept replies from them.
  */
-#define DNS_DISPATCHATTR_PKTINFO	0x00100000U
+#define DNS_DISPATCHATTR_PRIVATE	0x00000001U
+#define DNS_DISPATCHATTR_TCP		0x00000002U
+#define DNS_DISPATCHATTR_UDP		0x00000004U
+#define DNS_DISPATCHATTR_IPV4		0x00000008U
+#define DNS_DISPATCHATTR_IPV6		0x00000010U
+#define DNS_DISPATCHATTR_ACCEPTREQUEST	0x00000020U
+#define DNS_DISPATCHATTR_MAKEQUERY	0x00000040U
 
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_dispatchmgr_create(isc_mem_t *mctx, dns_dispatchmgr_t **mgrp);
 /*
- * Functions to:
+ * Creates a new dispatchmgr object.
  *
- *	Return if a packet is a query or a response,
- *	Hash IDs,
- *	Generate a new random ID,
- *	Compare entries (IDs) for equality,
+ * Requires:
+ *	"mctx" be a valid memory context.
+ *
+ *	mgrp != NULL && *mgrp == NULL
+ *
+ * Returns:
+ *	ISC_R_SUCCESS	-- all ok
+ *
+ *	anything else	-- failure
  */
-struct dns_dispatchmethods {
-	isc_uint32_t (*randomid)(dns_dispatch_t *);
-	isc_uint32_t (*hash)(dns_dispatch_t *, isc_sockaddr_t *,
-			     isc_uint32_t);
-};
-typedef struct dns_dispatchmethods dns_dispatchmethods_t;
+
+
+void
+dns_dispatchmgr_destroy(dns_dispatchmgr_t **mgrp);
+/*
+ * Destroys the dispatchmgr when it becomes empty.  This could be
+ * immediately.
+ *
+ * Requires:
+ *	mgrp != NULL && *mgrp is a valid dispatchmgr.
+ */
+
+
+isc_result_t
+dns_dispatchmgr_find(dns_dispatchmgr_t *mgr,
+		     isc_sockaddr_t *local, isc_sockaddr_t *remote,
+		     unsigned int attributes, unsigned int mask,
+		     dns_dispatch_t **dispp);
+/*
+ * Search for a dispatcher that has the attributes specified by
+ *	(attributes & mask)
+ *
+ * Requires:
+ *	"mgr" be a valid dispatchmgr.
+ *
+ *	dispp != NULL && *dispp == NULL.
+ *
+ * Ensures:
+ *	The dispatcher returned into *dispp is attached on behalf of the
+ *	caller.  It is required that the caller detach from it when it is
+ *	no longer needed.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS	-- found.
+ *
+ *	ISC_R_NOTFOUND	-- no dispatcher matching the requirements found.
+ *
+ *	anything else	-- failure.
+ */
+
 
 isc_result_t
-dns_dispatch_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
-		    unsigned int maxbuffersize,
+dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
+		    isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr,
+		    unsigned int buffersize,
 		    unsigned int maxbuffers, unsigned int maxrequests,
 		    unsigned int buckets, unsigned int increment,
-		    dns_dispatchmethods_t *methods,
+		    unsigned int attributes, unsigned int mask,
 		    dns_dispatch_t **dispp);
+
+isc_result_t
+dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
+		       isc_taskmgr_t *taskmgr, unsigned int buffersize,
+		       unsigned int maxbuffers, unsigned int maxrequests,
+		       unsigned int buckets, unsigned int increment,
+		       unsigned int attributes, dns_dispatch_t **dispp);
 /*
  * Create a new dns_dispatch and attach it to the provided isc_socket_t.
  *
- * For all dispatches, "maxbuffersize" is the maximum packet size we will
+ * For all dispatches, "buffersize" is the maximum packet size we will
  * accept.
  *
  * "maxbuffers" and "maxrequests" control the number of buffers in the
@@ -130,13 +206,9 @@ dns_dispatch_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
  * "increment" is used in a collision avoidance function, and needs to be
  * a prime > buckets, and not 2.
  *
- * "methods" be NULL for normal DNS wire format, or all elements in that
- * structure be filled in with function pointers to control dispatch
- * behavior.
- *
  * Requires:
  *
- *	mctx is a valid memory context.
+ *	mgr is a valid dispatch manager.
  *
  *	sock is a valid.
  *
@@ -154,6 +226,7 @@ dns_dispatch_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
  *	increment > buckets (and prime)
  */
 
+
 void
 dns_dispatch_attach(dns_dispatch_t *disp, dns_dispatch_t **dispp);
 /*
@@ -169,6 +242,7 @@ dns_dispatch_attach(dns_dispatch_t *disp, dns_dispatch_t **dispp);
  *	< mumble >
  */
 
+
 void
 dns_dispatch_detach(dns_dispatch_t **dispp);
 /*
@@ -184,6 +258,7 @@ dns_dispatch_detach(dns_dispatch_t **dispp);
  *	< mumble >
  */
 
+
 isc_result_t
 dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
 			 isc_task_t *task, isc_taskaction_t action, void *arg,
@@ -214,14 +289,15 @@ dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
  *
  * Returns:
  *
- *	DNS_R_SUCCESS		-- all is well.
- *	DNS_R_NOMEMORY		-- memory could not be allocated.
- *	DNS_R_NOMORE		-- no more message ids can be allocated
+ *	ISC_R_SUCCESS		-- all is well.
+ *	ISC_R_NOMEMORY		-- memory could not be allocated.
+ *	ISC_R_NOMORE		-- no more message ids can be allocated
  *				   for this destination.
  */
 
+
 void
-dns_dispatch_removeresponse(dns_dispatch_t *disp, dns_dispentry_t **resp,
+dns_dispatch_removeresponse(dns_dispentry_t **resp,
 			    dns_dispatchevent_t **sockevent);
 /*
  * Stops the flow of responses for the provided id and destination.
@@ -239,6 +315,7 @@ dns_dispatch_removeresponse(dns_dispatch_t *disp, dns_dispentry_t **resp,
  *	< mumble >
  */
 
+
 isc_result_t
 dns_dispatch_addrequest(dns_dispatch_t *disp,
 			isc_task_t *task, isc_taskaction_t action, void *arg,
@@ -258,8 +335,9 @@ dns_dispatch_addrequest(dns_dispatch_t *disp,
  *	< mumble >
  */
 
+
 void
-dns_dispatch_removerequest(dns_dispatch_t *disp, dns_dispentry_t **resp,
+dns_dispatch_removerequest(dns_dispentry_t **resp,
 			   dns_dispatchevent_t **sockevent);
 /*
  * Stops the flow of requests for the provided id and destination.
@@ -276,6 +354,7 @@ dns_dispatch_removerequest(dns_dispatch_t *disp, dns_dispentry_t **resp,
  *	< mumble >
  */
 
+
 void
 dns_dispatch_freeevent(dns_dispatch_t *disp, dns_dispentry_t *resp,
 		       dns_dispatchevent_t **sockevent);
@@ -294,16 +373,53 @@ dns_dispatch_freeevent(dns_dispatch_t *disp, dns_dispentry_t *resp,
  *	< mumble >
  */
 
+
 isc_socket_t *
 dns_dispatch_getsocket(dns_dispatch_t *disp);
 /*
- * Return the socket associated with this dispatcher
+ * Return the socket associated with this dispatcher.
+ *
+ * Requires:
+ *	< mumble >
+ *
+ * Ensures:
+ *	< mumble >
+ *
+ * Returns:
+ *	< mumble >
  */
 
+
 void
 dns_dispatch_cancel(dns_dispatch_t *disp);
 /*
  * cancel outstanding clients
+ *
+ * Requires:
+ *	< mumble >
+ *
+ * Ensures:
+ *	< mumble >
+ *
+ * Returns:
+ *	< mumble >
+ */
+
+void
+dns_dispatch_changeattributes(dns_dispatch_t *disp,
+			      unsigned int attributes, unsigned int mask);
+/*
+ * Set the bits described by "mask" to the corresponding values in
+ * "attributes".
+ *
+ * Requires:
+ *	< mumble >
+ *
+ * Ensures:
+ *	< mumble >
+ *
+ * Returns:
+ *	< mumble >
  */
 
 ISC_LANG_ENDDECLS
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 3a800b59..14eb7f85 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -18,9 +18,8 @@
 #ifndef DNS_DNSSEC_H
 #define DNS_DNSSEC_H 1
 
-#include <isc/mem.h>
 #include <isc/lang.h>
-#include <isc/time.h>
+#include <isc/stdtime.h>
 
 #include <dns/types.h>
 
@@ -80,11 +79,13 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 
 isc_result_t
 dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
-		  isc_mem_t *mctx, dns_rdata_t *sigrdata);
+		  isc_boolean_t ignoretime, isc_mem_t *mctx,
+		  dns_rdata_t *sigrdata);
 /*
  *	Verifies the SIG record covering this rdataset signed by a specific
  *	key.  This does not determine if the key's owner is authorized to
  *	sign this record, as this requires a resolver or database.
+ *	If 'ignoretime' is ISC_TRUE, temporal validity will not be checked.
  *
  *	Requires:
  *		'name' (the owner name of the record) is a valid name
@@ -94,7 +95,7 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
  *		'sigrdata' is a valid rdata containing a SIG record
  *
  *	Returns:
- *		DNS_R_SUCCESS
+ *		ISC_R_SUCCESS
  *		ISC_R_NOMEMORY
  *		DNS_R_SIGINVALID - the signature fails to verify
  *		DNS_R_SIGEXPIRED - the signature has expired
@@ -131,7 +132,8 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key);
  */
 
 isc_result_t
-dns_dnssec_verifymessage(dns_message_t *msg, dst_key_t *key);
+dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
+			 dst_key_t *key);
 /*
  *	Verifies a message signed by a SIG(0) record.  This is not
  *	called implicitly by dns_message_parse().  If dns_message_signer()
@@ -141,6 +143,7 @@ dns_dnssec_verifymessage(dns_message_t *msg, dst_key_t *key);
  *	the sig0status field otherwise.
  *
  *	Requires:
+ *		'source' is a valid buffer containing the unparsed message
  *		'msg' is a valid message
  *		'key' is a valid key
  *
diff --git a/lib/dns/include/dns/events.h b/lib/dns/include/dns/events.h
index 1cd90dfe..f6697526 100644
--- a/lib/dns/include/dns/events.h
+++ b/lib/dns/include/dns/events.h
@@ -19,14 +19,11 @@
 #define DNS_EVENTS_H 1
 
 #include <isc/eventclass.h>
-#include <isc/lang.h>
 
 /*
  * Registry of DNS event numbers.
  */
 
-ISC_LANG_BEGINDECLS
-
 #define DNS_EVENT_FETCHCONTROL			(ISC_EVENTCLASS_DNS + 0)
 #define DNS_EVENT_FETCHDONE			(ISC_EVENTCLASS_DNS + 1)
 #define DNS_EVENT_VIEWRESSHUTDOWN		(ISC_EVENTCLASS_DNS + 2)
@@ -48,10 +45,13 @@ ISC_LANG_BEGINDECLS
 #define DNS_EVENT_DBDESTROYED			(ISC_EVENTCLASS_DNS + 18)
 #define DNS_EVENT_VALIDATORDONE			(ISC_EVENTCLASS_DNS + 19)
 #define DNS_EVENT_REQUESTDONE			(ISC_EVENTCLASS_DNS + 20)
+#define DNS_EVENT_VALIDATORSTART		(ISC_EVENTCLASS_DNS + 21)
+#define DNS_EVENT_VIEWREQSHUTDOWN		(ISC_EVENTCLASS_DNS + 22)
+#define DNS_EVENT_NOTIFYSENDTOADDR		(ISC_EVENTCLASS_DNS + 23)
+#define DNS_EVENT_ZONE				(ISC_EVENTCLASS_DNS + 24)
+#define DNS_EVENT_ZONESTARTXFRIN		(ISC_EVENTCLASS_DNS + 25)
 
 #define DNS_EVENT_FIRSTEVENT			(ISC_EVENTCLASS_DNS + 0)
 #define DNS_EVENT_LASTEVENT			(ISC_EVENTCLASS_DNS + 65535)
 
-ISC_LANG_ENDDECLS
-
 #endif /* DNS_EVENTS_H */
diff --git a/lib/dns/include/dns/fixedname.h b/lib/dns/include/dns/fixedname.h
index 3545ef9f..55f4fa5e 100644
--- a/lib/dns/include/dns/fixedname.h
+++ b/lib/dns/include/dns/fixedname.h
@@ -51,13 +51,8 @@
  *****/
 
 #include <isc/buffer.h>
-#include <isc/lang.h>
 
-#include <dns/types.h>
 #include <dns/name.h>
-#include <dns/result.h>
-
-ISC_LANG_BEGINDECLS
 
 /*****
  ***** Types
@@ -73,8 +68,7 @@ struct dns_fixedname {
 #define dns_fixedname_init(fn) \
 	do { \
 		dns_name_init(&((fn)->name), (fn)->offsets); \
-		isc_buffer_init(&((fn)->buffer), (fn)->data, 255, \
-				ISC_BUFFERTYPE_BINARY); \
+		isc_buffer_init(&((fn)->buffer), (fn)->data, 255); \
 		dns_name_setbuffer(&((fn)->name), &((fn)->buffer)); \
 	} while (0)
 
@@ -83,6 +77,4 @@ struct dns_fixedname {
 
 #define dns_fixedname_name(fn)		(&((fn)->name))
 
-ISC_LANG_ENDDECLS
-
 #endif /* DNS_FIXEDNAME_H */
diff --git a/lib/dns/include/dns/journal.h b/lib/dns/include/dns/journal.h
index 79441d86..2969ed8a 100644
--- a/lib/dns/include/dns/journal.h
+++ b/lib/dns/include/dns/journal.h
@@ -30,19 +30,17 @@
  *** Imports
  ***/
 
-#include <isc/types.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
 
-#include <dns/result.h>
-#include <dns/types.h>
 #include <dns/name.h>
 #include <dns/rdata.h>
+#include <dns/types.h>
 
 /***
  *** Types
  ***/
 
-ISC_LANG_BEGINDECLS
-
 /*
  * A dns_difftuple_t represents a single RR being added or deleted.
  * The RR type and class are in the 'rdata' member; the class is always
@@ -68,8 +66,7 @@ typedef enum {
 typedef struct dns_difftuple dns_difftuple_t;
 
 #define DNS_DIFFTUPLE_MAGIC	0x44494654U	/* DIFT. */
-#define DNS_DIFFTUPLE_VALID(t)	((t) != NULL && \
-				 (t)->magic == DNS_DIFFTUPLE_MAGIC)
+#define DNS_DIFFTUPLE_VALID(t)	ISC_MAGIC_VALID(t, DNS_DIFFTUPLE_MAGIC)
 
 struct dns_difftuple {
         unsigned int			magic;
@@ -90,8 +87,7 @@ struct dns_difftuple {
 typedef struct dns_diff dns_diff_t;
 
 #define DNS_DIFF_MAGIC		0x44494646U	/* DIFF. */
-#define DNS_DIFF_VALID(t)	((t) != NULL && \
-					 (t)->magic == DNS_DIFF_MAGIC)
+#define DNS_DIFF_VALID(t)	ISC_MAGIC_VALID(t, DNS_DIFF_MAGIC)
 
 struct dns_diff {
 	unsigned int			magic;
@@ -118,6 +114,8 @@ typedef struct dns_journal dns_journal_t;
  *** Functions
  ***/
 
+ISC_LANG_BEGINDECLS
+
 /**************************************************************************/
 /*
  * Maniuplation of diffs and tuples.
@@ -162,7 +160,8 @@ dns_difftuple_copy(dns_difftuple_t *orig, dns_difftuple_t **copyp);
  *	copyp != NULL && *copyp == NULL
  */
 
-void dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff);
+void
+dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff);
 /*
  * Initialize a diff.
  *
@@ -174,7 +173,8 @@ void dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff);
  *    '*diff' is a valid, empty diff.
  */ 
 
-void dns_diff_clear(dns_diff_t *diff);
+void
+dns_diff_clear(dns_diff_t *diff);
 /*
  * Clear a diff, destroying all its tuples.
  *
@@ -272,9 +272,9 @@ dns_diff_print(dns_diff_t *diff, FILE *file);
  *	'file' to refer to a open file or NULL.
  *
  * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_NOMEMORY
- *	DNS_R_UNEXPECTED
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ *	ISC_R_UNEXPECTED
  *	any error from dns_rdataset_totext()
  */
 	
@@ -284,7 +284,8 @@ dns_diff_print(dns_diff_t *diff, FILE *file);
  * XXX these belong in a general-purpose DNS library
  */
 
-isc_uint32_t dns_soa_getserial(dns_rdata_t *rdata);
+isc_uint32_t
+dns_soa_getserial(dns_rdata_t *rdata);
 /*
  * Extract the serial number from the rdata of a SOA record.
  *  
@@ -292,7 +293,8 @@ isc_uint32_t dns_soa_getserial(dns_rdata_t *rdata);
  *	rdata refers to the rdata of a well-formed SOA record.
  */
 
-void dns_soa_setserial(isc_uint32_t val, dns_rdata_t *rdata);
+void
+dns_soa_setserial(isc_uint32_t val, dns_rdata_t *rdata);
 /*
  * Change the serial number of a SOA record by modifying the
  * rdata in-place.
@@ -302,16 +304,6 @@ void dns_soa_setserial(isc_uint32_t val, dns_rdata_t *rdata);
  */
 
 isc_result_t
-dns_db_getsoaserial(dns_db_t *db, dns_dbversion_t *ver, isc_uint32_t *serialp);
-/*
- * Get the current SOA serial number from a zone database.
- *
- * Requires:
- *      'db' is a valid database with zone semantics.
- *      'ver' is a valid version.
- */
-
-isc_result_t
 dns_db_createsoatuple(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
 		   dns_diffop_t op, dns_difftuple_t **tp);
 /*
@@ -413,8 +405,10 @@ dns_journal_write_transaction(dns_journal_t *j, dns_diff_t *diff);
  * Reading transactions from journals.
  */
 
-isc_uint32_t dns_journal_first_serial(dns_journal_t *j);
-isc_uint32_t dns_journal_last_serial(dns_journal_t *j);
+isc_uint32_t
+dns_journal_first_serial(dns_journal_t *j);
+isc_uint32_t
+dns_journal_last_serial(dns_journal_t *j);
 /*
  * Get the first and last addressable serial number in the journal.
  */
@@ -427,15 +421,17 @@ dns_journal_iter_init(dns_journal_t *j,
  * from SOA serial number 'begin_serial' to 'end_serial'.
  *
  * Returns:
- *	DNS_R_SUCCESS	
- *	DNS_R_NOTFOUND	begin_serial is within the range of adressable
+ *	ISC_R_SUCCESS	
+ *	ISC_R_RANGE	begin_serial is outside the addressable range.
+ *	ISC_R_NOTFOUND	begin_serial is within the range of adressable
  *			serial numbers covered by the journal, but
  *			this particular serial number does not exist.
- *	DNS_R_RANGE	begin_serial is outside the addressable range.
  */
 
-isc_result_t dns_journal_first_rr(dns_journal_t *j);
-isc_result_t dns_journal_next_rr(dns_journal_t *j);
+isc_result_t
+dns_journal_first_rr(dns_journal_t *j);
+isc_result_t
+dns_journal_next_rr(dns_journal_t *j);
 /*
  * Position the iterator at the first/next RR in a journal
  * transaction sequence established using dns_journal_iter_init().
@@ -445,14 +441,15 @@ isc_result_t dns_journal_next_rr(dns_journal_t *j);
  *
  */
 
-void dns_journal_current_rr(dns_journal_t *j, dns_name_t **name, 
-			    isc_uint32_t *ttl, dns_rdata_t **rdata);
+void
+dns_journal_current_rr(dns_journal_t *j, dns_name_t **name, isc_uint32_t *ttl,
+		       dns_rdata_t **rdata);
 /*
  * Get the name, ttl, and rdata of the current journal RR.
  *
  * Requires:
  *      The last call to dns_journal_first_rr() or dns_journal_next_rr()
- *      returned DNS_R_SUCCESS.
+ *      returned ISC_R_SUCCESS.
  */
 
 /**************************************************************************/
@@ -475,12 +472,13 @@ dns_journal_rollforward(isc_mem_t *mctx, dns_db_t *db, const char *filename);
  *
  * Returns:
  *	DNS_R_NOJOURNAL when journal does not exist.
- *	DNS_R_NOTFOUND when current serial in not in journal.
- *	DNS_R_SUCCESS journal has been applied successfully to database.
+ *	ISC_R_NOTFOUND when current serial in not in journal.
+ *	ISC_R_SUCCESS journal has been applied successfully to database.
  *	others
  */
 
-isc_result_t dns_journal_print(isc_mem_t *mctx, const char *filename, FILE *file);
+isc_result_t
+dns_journal_print(isc_mem_t *mctx, const char *filename, FILE *file);
 /* For debugging not general use */
 
 isc_result_t
diff --git a/lib/dns/include/dns/keyflags.h b/lib/dns/include/dns/keyflags.h
index 343fe2f9..0b977a8e 100644
--- a/lib/dns/include/dns/keyflags.h
+++ b/lib/dns/include/dns/keyflags.h
@@ -24,8 +24,8 @@
 
 ISC_LANG_BEGINDECLS
 
-isc_result_t dns_keyflags_fromtext(dns_keyflags_t *flagsp,
-				   isc_textregion_t *source);
+isc_result_t
+dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source);
 /*
  * Convert the text 'source' refers to into a DNSSEC KEY flags value.
  * The text may contain either a set of flag mnemonics separated by
@@ -40,9 +40,9 @@ isc_result_t dns_keyflags_fromtext(dns_keyflags_t *flagsp,
  *	'source' is a valid text region.
  *
  * Returns:
- *	DNS_R_SUCCESS			on success
+ *	ISC_R_SUCCESS			on success
+ *	ISC_R_RANGE			numeric flag value is out of range
  *	DNS_R_UNKNOWN			mnemonic flag is unknown
- *	DNS_R_RANGE			numeric flag value is out of range
  */
 
 ISC_LANG_ENDDECLS
diff --git a/lib/dns/include/dns/keytable.h b/lib/dns/include/dns/keytable.h
index 49c35dcb..7bba2c9e 100644
--- a/lib/dns/include/dns/keytable.h
+++ b/lib/dns/include/dns/keytable.h
@@ -40,12 +40,9 @@
  *	No anticipated impact.
  */
 
-#include <isc/types.h>
 #include <isc/lang.h>
-#include <isc/result.h>
 
 #include <dns/types.h>
-#include <dns/result.h>
 
 #include <dst/dst.h>
 
@@ -156,6 +153,51 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
  *	Any other result indicates an error.
  */
 
+isc_result_t 
+dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
+		                             dns_keynode_t **nextnodep);
+/*
+ * Search for the next key with the same properties as 'keynode' in
+ * 'keytable'.
+ *
+ * Requires:
+ *
+ *	'keytable' is a valid keytable.
+ *
+ *	'keynode' is a valid keynode.
+ *
+ *	nextnodep != NULL && *nextnodep == NULL
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOTFOUND
+ *
+ *	Any other result indicates an error.
+ */
+
+isc_result_t
+dns_keytable_finddeepestmatch(dns_keytable_t *keytable, dns_name_t *name,
+			      dns_name_t *foundname);
+/*
+ * Search for the deepest match of 'name' in 'keytable'.
+ *
+ * Requires:
+ *
+ *	'keytable' is a valid keytable.
+ *
+ *	'name' is a valid absolute name.
+ *
+ *	'foundname' is a name with a dedicated buffer.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOTFOUND
+ *
+ *	Any other result indicates an error.
+ */
+
 void
 dns_keytable_detachkeynode(dns_keytable_t *keytable,
 			   dns_keynode_t **keynodep);
diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h
index f61a3615..6bf44298 100644
--- a/lib/dns/include/dns/keyvalues.h
+++ b/lib/dns/include/dns/keyvalues.h
@@ -18,8 +18,6 @@
 #ifndef DNS_KEYVALUES_H
 #define DNS_KEYVALUES_H 1
 
-ISC_LANG_BEGINDECLS
-
 /*
  * Flags field of the KEY RR rdata
  */
@@ -89,6 +87,4 @@ ISC_LANG_BEGINDECLS
 #define DNS_SIG_DSAMINBYTES	213
 #define DNS_SIG_DSAMAXBYTES	405
 
-ISC_LANG_ENDDECLS
-
 #endif /* DNS_KEYVALUES_H */
diff --git a/lib/dns/include/dns/log.h b/lib/dns/include/dns/log.h
index 2e1cda7d..61fa3a01 100644
--- a/lib/dns/include/dns/log.h
+++ b/lib/dns/include/dns/log.h
@@ -15,19 +15,16 @@
  * SOFTWARE.
  */
 
-/* $Id: log.h,v 1.13 2000/03/23 00:53:45 gson Exp $ */
+/* $Id: log.h,v 1.20 2000/05/09 23:31:12 gson Exp $ */
 
 /* Principal Authors: DCL */
 
 #ifndef DNS_LOG_H
 #define DNS_LOG_H 1
 
+#include <isc/lang.h>
 #include <isc/log.h>
 
-#include <dns/result.h>
-
-ISC_LANG_BEGINDECLS
-
 extern isc_log_t *dns_lctx;
 extern isc_logcategory_t dns_categories[];
 extern isc_logmodule_t dns_modules[];
@@ -36,10 +33,11 @@ extern isc_logmodule_t dns_modules[];
 #define DNS_LOGCATEGORY_DATABASE	(&dns_categories[1])
 #define DNS_LOGCATEGORY_SECURITY	(&dns_categories[2])
 #define DNS_LOGCATEGORY_CONFIG		(&dns_categories[3])
-/* Unused slot */
+#define DNS_LOGCATEGORY_DNSSEC		(&dns_categories[4])
 #define DNS_LOGCATEGORY_RESOLVER	(&dns_categories[5])
 #define DNS_LOGCATEGORY_XFER_IN		(&dns_categories[6])
 #define DNS_LOGCATEGORY_XFER_OUT	(&dns_categories[7])
+#define DNS_LOGCATEGORY_DISPATCH	(&dns_categories[8])
 
 /* Backwards compatibility. */
 #define DNS_LOGCATEGORY_GENERAL		ISC_LOGCATEGORY_GENERAL
@@ -60,11 +58,17 @@ extern isc_logmodule_t dns_modules[];
 #define DNS_LOGMODULE_XFER_IN		(&dns_modules[13])
 #define DNS_LOGMODULE_XFER_OUT		(&dns_modules[14])
 #define DNS_LOGMODULE_ACL		(&dns_modules[15])
+#define DNS_LOGMODULE_VALIDATOR		(&dns_modules[16])
+#define DNS_LOGMODULE_DISPATCH		(&dns_modules[17])
+#define DNS_LOGMODULE_REQUEST		(&dns_modules[18])
+#define DNS_LOGMODULE_MASTERDUMP	(&dns_modules[19])
+
+ISC_LANG_BEGINDECLS
 
 void
 dns_log_init(isc_log_t *lctx);
 /*
- * Make the libdns.a categories and modules available for use with the
+ * Make the libdns categories and modules available for use with the
  * ISC logging library.
  *
  * Requires:
@@ -77,6 +81,18 @@ dns_log_init(isc_log_t *lctx);
  * 	use by isc_log_usechannnel() and isc_log_write().
  */
 
+void
+dns_log_setcontext(isc_log_t *lctx);
+/*
+ * Make the libdns library use the provided context for logging internal
+ * messages.
+ *
+ * Requires:
+ *	lctx is a valid logging context.
+ *
+ *	dns_log_setcontext() is called only once.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_LOG_H */
diff --git a/lib/dns/include/dns/master.h b/lib/dns/include/dns/master.h
index 9ba14451..78f24873 100644
--- a/lib/dns/include/dns/master.h
+++ b/lib/dns/include/dns/master.h
@@ -22,15 +22,11 @@
  ***	Imports
  ***/
 
+#include <stdio.h>
+
 #include <isc/lang.h>
-#include <isc/mem.h>
-#include <isc/lex.h>
 
 #include <dns/types.h>
-#include <dns/result.h>
-#include <dns/name.h>
-#include <dns/rdataset.h>
-#include <dns/callbacks.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -38,42 +34,45 @@ ISC_LANG_BEGINDECLS
  ***	Function
  ***/
 
-isc_result_t dns_master_loadfile(const char *master_file,
-				 dns_name_t *top,
-				 dns_name_t *origin,
-				 dns_rdataclass_t zclass,
-				 isc_boolean_t age_ttl,
-				 int *soacount,
-				 int *nscount,
-				 dns_rdatacallbacks_t *callbacks,
-				 isc_mem_t *mctx);
+isc_result_t
+dns_master_loadfile(const char *master_file,
+		    dns_name_t *top,
+		    dns_name_t *origin,
+		    dns_rdataclass_t zclass,
+		    isc_boolean_t age_ttl,
+		    int *soacount,
+		    int *nscount,
+		    dns_rdatacallbacks_t *callbacks,
+		    isc_mem_t *mctx);
 
-isc_result_t dns_master_loadstream(FILE *stream,
-				   dns_name_t *top,
-				   dns_name_t *origin,
-				   dns_rdataclass_t zclass,
-				   isc_boolean_t age_ttl,
-				   int *soacount,
-				   int *nscount,
-				   dns_rdatacallbacks_t *callbacks,
-				   isc_mem_t *mctx);
+isc_result_t
+dns_master_loadstream(FILE *stream,
+		      dns_name_t *top,
+		      dns_name_t *origin,
+		      dns_rdataclass_t zclass,
+		      isc_boolean_t age_ttl,
+		      int *soacount,
+		      int *nscount,
+		      dns_rdatacallbacks_t *callbacks,
+		      isc_mem_t *mctx);
 
-isc_result_t dns_master_loadbuffer(isc_buffer_t *buffer,
-				   dns_name_t *top,
-				   dns_name_t *origin,
-				   dns_rdataclass_t zclass,
-				   isc_boolean_t age_ttl,
-				   int *soacount,
-				   int *nscount,
-				   dns_rdatacallbacks_t *callbacks,
-				   isc_mem_t *mctx);
+isc_result_t
+dns_master_loadbuffer(isc_buffer_t *buffer,
+		      dns_name_t *top,
+		      dns_name_t *origin,
+		      dns_rdataclass_t zclass,
+		      isc_boolean_t age_ttl,
+		      int *soacount,
+		      int *nscount,
+		      dns_rdatacallbacks_t *callbacks,
+		      isc_mem_t *mctx);
 
 /*
  * Loads a RFC 1305 master file from a file, stream, or buffer into rdatasets
- * and then calls 'callbacks->commit' to commit the rdatasets.  Rdata memory belongs
- * to dns_master_load and will be reused / released when the callback
+ * and then calls 'callbacks->commit' to commit the rdatasets.  Rdata memory
+ * belongs to dns_master_load and will be reused / released when the callback
  * completes.  dns_load_master will abort if callbacks->commit returns
- * any value other than DNS_R_SUCCESS.
+ * any value other than ISC_R_SUCCESS.
  *
  * If 'age_ttl' is ISC_TRUE and the master file contains one or more
  * $DATE directives, the TTLs of the data will be aged accordingly.
@@ -93,11 +92,11 @@ isc_result_t dns_master_loadbuffer(isc_buffer_t *buffer,
  *	'mctx' to point to a memory context.
  *
  * Returns:
- *	DNS_R_SUCCESS upon successfully loading the master file.
- *	DNS_R_NOMEMORY out of memory.
- *	DNS_R_UNEXPECTEDEND expected to be able to read a input token and
+ *	ISC_R_SUCCESS upon successfully loading the master file.
+ *	ISC_R_NOMEMORY out of memory.
+ *	ISC_R_UNEXPECTEDEND expected to be able to read a input token and
  *		there was not one.
- *	DNS_R_UNEXPECTED
+ *	ISC_R_UNEXPECTED
  *	DNS_R_NOOWNER failed to specify a ownername.
  *	DNS_R_NOTTL failed to specify a ttl.
  *	DNS_R_BADCLASS record class did not match zone class.
@@ -107,4 +106,4 @@ isc_result_t dns_master_loadbuffer(isc_buffer_t *buffer,
 
 ISC_LANG_ENDDECLS
 
-#endif	/* DNS_MASTER_H */
+#endif /* DNS_MASTER_H */
diff --git a/lib/dns/include/dns/masterdump.h b/lib/dns/include/dns/masterdump.h
index 76a538d1..455cd655 100644
--- a/lib/dns/include/dns/masterdump.h
+++ b/lib/dns/include/dns/masterdump.h
@@ -25,12 +25,8 @@
 #include <stdio.h>
 
 #include <isc/lang.h>
-#include <isc/mem.h>
 
 #include <dns/types.h>
-#include <dns/result.h>
-#include <dns/name.h>
-#include <dns/rdataset.h>
 
 /***
  *** Types
@@ -63,8 +59,8 @@ extern const dns_master_style_t dns_master_style_default;
 
 isc_result_t
 dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
-		dns_dbversion_t *version,
-		const dns_master_style_t *style, FILE *f);
+			dns_dbversion_t *version,
+			const dns_master_style_t *style, FILE *f);
 /*
  * Dump the database 'db' to the steam 'f' in RFC1035 master 
  * file format, in the style defined by 'style'
@@ -73,8 +69,8 @@ dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
  * Temporary dynamic memory may be allocated from 'mctx'.
  *
  * Returns:
- *	DNS_R_SUCCESS 
- *	DNS_R_NOMEMORY
+ *	ISC_R_SUCCESS 
+ *	ISC_R_NOMEMORY
  * 	Any database or rrset iterator error.
  *	Any dns_rdata_totext() error code.
  */
@@ -91,12 +87,12 @@ dns_master_dump(isc_mem_t *mctx, dns_db_t *db,
  * Temporary dynamic memory may be allocated from 'mctx'.
  *
  * Returns:
- *	DNS_R_SUCCESS 
- *	DNS_R_NOMEMORY
+ *	ISC_R_SUCCESS 
+ *	ISC_R_NOMEMORY
  * 	Any database or rrset iterator error.
  *	Any dns_rdata_totext() error code.
  */
 
 ISC_LANG_ENDDECLS
 
-#endif	/* DNS_MASTERDUMP_H */
+#endif /* DNS_MASTERDUMP_H */
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index 5b588664..7285c385 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -22,17 +22,12 @@
  ***	Imports
  ***/
 
+#include <isc/lang.h>
 #include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/buffer.h>
-#include <isc/bufferlist.h>
 
-#include <dns/types.h>
-#include <dns/result.h>
-#include <dns/name.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
 #include <dns/compress.h>
+#include <dns/rdatastruct.h>
+#include <dns/types.h>
 
 #include <dst/dst.h>
 
@@ -77,7 +72,7 @@
  * Since the buffer itself exists until the message is destroyed, this sort
  * of code can be written:
  *
- *	buffer = isc_buffer_allocate(mctx, 512, ISC_BUFFERTYPE_BINARY);
+ *	buffer = isc_buffer_allocate(mctx, 512);
  *	name = NULL;
  *	name = dns_message_gettempname(message, &name);
  *	dns_name_init(name, NULL);
@@ -93,8 +88,6 @@
  * move rdata from one section to another, remove rdata, etc.
  */
 
-ISC_LANG_BEGINDECLS
-
 #define DNS_MESSAGEFLAG_QR		0x8000U
 #define DNS_MESSAGEFLAG_AA		0x0400U
 #define DNS_MESSAGEFLAG_TC		0x0200U
@@ -120,9 +113,15 @@ typedef int dns_section_t;
 #define DNS_SECTION_ANSWER		1
 #define DNS_SECTION_AUTHORITY		2
 #define DNS_SECTION_ADDITIONAL		3
-#define DNS_SECTION_TSIG		4 /* pseudo-section */
-#define DNS_SECTION_SIG0		5 /* pseudo-section */
-#define DNS_SECTION_MAX			6
+#define DNS_SECTION_MAX			4
+
+typedef int dns_pseudosection_t;
+#define DNS_PSEUDOSECTION_ANY		(-1)
+#define DNS_PSEUDOSECTION_OPT           0
+#define DNS_PSEUDOSECTION_TSIG          1
+#define DNS_PSEUDOSECTION_SIG0          2
+#define DNS_PSEUDOSECTION_MAX           3
+
 
 /*
  * Dynamic update names for these sections.
@@ -162,6 +161,8 @@ struct dns_message {
 	dns_namelist_t			sections[DNS_SECTION_MAX];
 	dns_name_t		       *cursors[DNS_SECTION_MAX];
 	dns_rdataset_t		       *opt;
+	dns_rdataset_t		       *sig0;
+	dns_rdataset_t		       *tsigset;
 
 	int				state;
 	unsigned int			from_to_wire : 2;
@@ -193,6 +194,7 @@ struct dns_message {
 
 	dns_rcode_t			tsigstatus;
 	dns_rcode_t			querytsigstatus;
+	dns_name_t		       *tsigname;
 	dns_rdata_any_tsig_t	       *tsig;
 	dns_rdata_any_tsig_t	       *querytsig;
 	dns_tsigkey_t		       *tsigkey;
@@ -205,9 +207,14 @@ struct dns_message {
 	isc_region_t		       *saved;
 };
 
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
 isc_result_t
-dns_message_create(isc_mem_t *mctx, unsigned int intent,
-		   dns_message_t **msgp);
+dns_message_create(isc_mem_t *mctx, unsigned int intent, dns_message_t **msgp);
 		   
 /*
  * Create msg structure.
@@ -228,8 +235,8 @@ dns_message_create(isc_mem_t *mctx, unsigned int intent,
  *	structure.
  *
  * Returns:
- *	DNS_R_NOMEMORY		-- out of memory
- *	DNS_R_SUCCESS		-- success
+ *	ISC_R_NOMEMORY		-- out of memory
+ *	ISC_R_SUCCESS		-- success
  */
 
 void
@@ -266,6 +273,91 @@ dns_message_destroy(dns_message_t **msgp);
  */
 
 isc_result_t
+dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
+			  isc_boolean_t comments,
+			  isc_boolean_t omit_final_dot,
+			  isc_buffer_t *target);
+
+isc_result_t
+dns_message_pseudosectiontotext(dns_message_t *msg,
+				dns_pseudosection_t section,
+				isc_boolean_t comments,
+				isc_boolean_t omit_final_dot,
+				isc_buffer_t *target);
+/*
+ * Convert section 'section' or 'pseudosection' of message 'msg' to 
+ * a cleartext representation
+ *
+ * Notes:
+ *	If 'omit_final_dot' is true, then the final '.' in absolute names
+ *	will not be emitted.
+ *	If 'no_rdata_or_tt;' is true, omit rdata and ttl fields.
+ *	If 'comments' is true, lines beginning with ";;" will be emitted
+ *	indicating section name.
+ *
+ * Requires:
+ *
+ *	'msg' is a valid message.
+ *
+ *	'target' is a valid buffer.
+ *
+ *	'section' is a valid section label.
+ *
+ * Ensures:
+ *
+ *	If the result is success:
+ *
+ *		Any bitstring labels are in canonical form.
+ *
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOSPACE
+ *	ISC_R_NOMORE
+ *
+ *	Note: On error return, *target may be partially filled with data. 
+*/
+
+isc_result_t
+dns_message_totext(dns_message_t *msg, isc_boolean_t comments,
+		   isc_boolean_t headers, isc_boolean_t omit_final_dot,
+		   isc_buffer_t *target);
+/*
+ * Convert all sections of message 'msg' to a cleartext representation
+ *
+ * Notes:
+ *	If 'omit_final_dot' is true, then the final '.' in absolute names
+ *	will not be emitted.
+ *	If 'no_rdata_or_tt;' is true, omit rdata and ttl fields.
+ *	If 'comments' is true, lines beginning with ";;" will be emitted
+ *	indicating section name.
+ *
+ * Requires:
+ *
+ *	'msg' is a valid message.
+ *
+ *	'target' is a valid buffer.
+ *
+ * Ensures:
+ *
+ *	If the result is success:
+ *
+ *		Any bitstring labels are in canonical form.
+ *
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOSPACE
+ *	ISC_R_NOMORE
+ *
+ *	Note: On error return, *target may be partially filled with data. 
+*/
+
+isc_result_t
 dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
 		  isc_boolean_t preserve_order);
 /*
@@ -289,7 +381,7 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
  *
  * If this is a multi-packet message (edns) and more data is required to
  * build the full message state, DNS_R_MOREDATA is returned.  In this case,
- * this function should be repeated with all input buffers until DNS_R_SUCCESS
+ * this function should be repeated with all input buffers until ISC_R_SUCCESS
  * (or an error) is returned.
  *
  * Requires:
@@ -304,8 +396,8 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
  * 	and rdata sizes, etc.
  *
  * Returns:
- *	DNS_R_SUCCESS		-- all is well
- *	DNS_R_NOMEMORY		-- no memory
+ *	ISC_R_SUCCESS		-- all is well
+ *	ISC_R_NOMEMORY		-- no memory
  *	DNS_R_MOREDATA		-- more packets needed for complete message
  *	DNS_R_???		-- bad signature (XXXMLG need more of these)
  *	Many other errors possible XXXMLG
@@ -331,8 +423,8 @@ dns_message_renderbegin(dns_message_t *msg, isc_buffer_t *buffer);
  *	The buffer is cleared before it is used.
  *
  * Returns:
- *	DNS_R_SUCCESS		-- all is well
- *	DNS_R_NOSPACE		-- output buffer is too small
+ *	ISC_R_SUCCESS		-- all is well
+ *	ISC_R_NOSPACE		-- output buffer is too small
  *	Anything that dns_compress_init() can return.
  */
 
@@ -340,7 +432,7 @@ isc_result_t
 dns_message_renderchangebuffer(dns_message_t *msg, isc_buffer_t *buffer);
 /*
  * Reset the buffer.  This can be used after growing the old buffer
- * on a DNS_R_NOSPACE return from most of the render functions.
+ * on a ISC_R_NOSPACE return from most of the render functions.
  *
  * On successful completion, the old buffer is no longer used by the
  * library.  The new buffer is owned by the library until
@@ -355,8 +447,8 @@ dns_message_renderchangebuffer(dns_message_t *msg, isc_buffer_t *buffer);
  *	buffer != NULL.
  *
  * Returns:
- *	DNS_R_NOSPACE		-- new buffer is too small
- *	DNS_R_SUCCESS		-- all is well.
+ *	ISC_R_NOSPACE		-- new buffer is too small
+ *	ISC_R_SUCCESS		-- all is well.
  */
 
 isc_result_t
@@ -374,8 +466,8 @@ dns_message_renderreserve(dns_message_t *msg, unsigned int space);
  *	dns_message_renderbegin() was called.
  *
  * Returns:
- *	DNS_R_SUCCESS		-- all is well.
- *	DNS_R_NOSPACE		-- not enough free space in the buffer.
+ *	ISC_R_SUCCESS		-- all is well.
+ *	ISC_R_NOSPACE		-- not enough free space in the buffer.
  */
 
 void
@@ -411,9 +503,9 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t section,
  *	dns_message_renderbegin() was called.
  *
  * Returns:
- *	DNS_R_SUCCESS		-- all records were written, and there are
+ *	ISC_R_SUCCESS		-- all records were written, and there are
  *				   no more records for this section.
- *	DNS_R_NOSPACE		-- Not enough room in the buffer to write
+ *	ISC_R_NOSPACE		-- Not enough room in the buffer to write
  *				   all records requested.
  *	DNS_R_MOREDATA		-- All requested records written, and there
  *				   are records remaining for this section.
@@ -448,7 +540,7 @@ dns_message_renderend(dns_message_t *msg);
  *	dns_message_renderbegin() was called.
  *
  * Returns:
- *	DNS_R_SUCCESS		-- all is well.
+ *	ISC_R_SUCCESS		-- all is well.
  */
 		      
 void
@@ -481,8 +573,8 @@ dns_message_firstname(dns_message_t *msg, dns_section_t section);
  *	'section' be a valid section.
  *
  * Returns:
- *	DNS_R_SUCCESS		-- All is well.
- *	DNS_R_NOMORE		-- No names on given section.
+ *	ISC_R_SUCCESS		-- All is well.
+ *	ISC_R_NOMORE		-- No names on given section.
  */
 
 isc_result_t
@@ -498,11 +590,11 @@ dns_message_nextname(dns_message_t *msg, dns_section_t section);
  *	'section' be a valid section.
  *
  *	dns_message_firstname() must have been called on this section,
- *	and the result was DNS_R_SUCCESS.
+ *	and the result was ISC_R_SUCCESS.
  *
  * Returns:
- *	DNS_R_SUCCESS		-- All is well.
- *	DNS_R_NOMORE		-- No names in given section.
+ *	ISC_R_SUCCESS		-- All is well.
+ *	ISC_R_NOMORE		-- No names in given section.
  */
 
 void
@@ -525,7 +617,7 @@ dns_message_currentname(dns_message_t *msg, dns_section_t section,
  *
  *	dns_message_firstname() must have been called on this section,
  *	and the result of it and any dns_message_nextname() calls was
- *	DNS_R_SUCCESS.
+ *	ISC_R_SUCCESS.
  */
 
 isc_result_t
@@ -555,9 +647,9 @@ dns_message_findname(dns_message_t *msg, dns_section_t section,
  *	'type' be a valid type.
  *
  * Returns:
- *	DNS_R_SUCCESS		-- all is well.
+ *	ISC_R_SUCCESS		-- all is well.
  *	DNS_R_NXDOMAIN		-- name does not exist in that section.
- *	DNS_R_NXRDATASET	-- The name does exist, but the desired
+ *	DNS_R_NXRRSET		-- The name does exist, but the desired
  *				   type does not.
  */
 
@@ -574,8 +666,8 @@ dns_message_findtype(dns_name_t *name, dns_rdatatype_t type,
  *	'type' be a valid type, and NOT dns_rdatatype_any.
  *
  * Returns:
- *	DNS_R_SUCCESS		-- all is well.
- *	DNS_R_NOTFOUND		-- the desired type does not exist.
+ *	ISC_R_SUCCESS		-- all is well.
+ *	ISC_R_NOTFOUND		-- the desired type does not exist.
  */
 
 void
@@ -638,8 +730,8 @@ dns_message_gettempname(dns_message_t *msg, dns_name_t **item);
  *	item != NULL && *item == NULL
  *
  * Returns:
- *	DNS_R_SUCCESS		-- All is well.
- *	DNS_R_NOMEMORY		-- No item can be allocated.
+ *	ISC_R_SUCCESS		-- All is well.
+ *	ISC_R_NOMEMORY		-- No item can be allocated.
  */
 
 isc_result_t
@@ -655,8 +747,8 @@ dns_message_gettemprdata(dns_message_t *msg, dns_rdata_t **item);
  *	item != NULL && *item == NULL
  *
  * Returns:
- *	DNS_R_SUCCESS		-- All is well.
- *	DNS_R_NOMEMORY		-- No item can be allocated.
+ *	ISC_R_SUCCESS		-- All is well.
+ *	ISC_R_NOMEMORY		-- No item can be allocated.
  */
 
 isc_result_t
@@ -672,8 +764,8 @@ dns_message_gettemprdataset(dns_message_t *msg, dns_rdataset_t **item);
  *	item != NULL && *item == NULL
  *
  * Returns:
- *	DNS_R_SUCCESS		-- All is well.
- *	DNS_R_NOMEMORY		-- No item can be allocated.
+ *	ISC_R_SUCCESS		-- All is well.
+ *	ISC_R_NOMEMORY		-- No item can be allocated.
  */
 
 isc_result_t
@@ -689,8 +781,8 @@ dns_message_gettemprdatalist(dns_message_t *msg, dns_rdatalist_t **item);
  *	item != NULL && *item == NULL
  *
  * Returns:
- *	DNS_R_SUCCESS		-- All is well.
- *	DNS_R_NOMEMORY		-- No item can be allocated.
+ *	ISC_R_SUCCESS		-- All is well.
+ *	ISC_R_NOMEMORY		-- No item can be allocated.
  */
 
 void
@@ -772,9 +864,9 @@ dns_message_peekheader(isc_buffer_t *source, dns_messageid_t *idp,
  *
  * Returns:
  *
- *	DNS_R_SUCCESS		-- all is well.
+ *	ISC_R_SUCCESS		-- all is well.
  *
- *	DNS_R_UNEXPECTEDEND	-- buffer doesn't contain enough for a header.
+ *	ISC_R_UNEXPECTEDEND	-- buffer doesn't contain enough for a header.
  */
 
 isc_result_t
@@ -797,7 +889,7 @@ dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section);
  *
  * Returns:
  *
- *	DNS_R_SUCCESS		-- all is well.
+ *	ISC_R_SUCCESS		-- all is well.
  *
  *	DNS_R_FORMERR		-- the header or question section of the
  *				   message is invalid, replying is impossible.
@@ -842,9 +934,38 @@ dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt);
  *
  * Returns:
  *
- *	DNS_R_SUCCESS		-- all is well.
+ *	ISC_R_SUCCESS		-- all is well.
+ *
+ *	ISC_R_NOSPACE		-- there is no space for the OPT record.
+ */
+
+dns_rdataset_t *
+dns_message_gettsig(dns_message_t *msg, dns_name_t **owner);
+/*
+ * Get the TSIG record and owner for 'msg'.
+ *
+ * Requires:
+ *
+ *	'msg' is a valid message.
+ *	'owner' is not NULL, and *owner is NULL.  Contains the owner on return.
+ *
+ * Returns:
+ *
+ *	The TSIG rdataset of 'msg', or NULL if there isn't one.
+ */
+
+dns_rdataset_t *
+dns_message_getsig0(dns_message_t *msg);
+/*
+ * Get the SIG(0) record for 'msg'.
+ *
+ * Requires:
+ *
+ *	'msg' is a valid message.
+ *
+ * Returns:
  *
- *	DNS_R_NOSPACE		-- there is no space for the OPT record.
+ *	The SIG(0) rdataset of 'msg', or NULL if there isn't one.
  */
 
 void
@@ -922,4 +1043,4 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view);
 
 ISC_LANG_ENDDECLS
 
-#endif	/* DNS_MESSAGE_H */
+#endif /* DNS_MESSAGE_H */
diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h
index 6eae9d44..1c1d3e68 100644
--- a/lib/dns/include/dns/name.h
+++ b/lib/dns/include/dns/name.h
@@ -72,14 +72,13 @@
  *** Imports
  ***/
 
+#include <stdio.h>
+
 #include <isc/boolean.h>
-#include <isc/buffer.h>
 #include <isc/lang.h>
+#include <isc/region.h>		/* Required for storage size of dns_label_t. */
 
 #include <dns/types.h>
-#include <dns/result.h>
-
-#include <stdio.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -194,9 +193,12 @@ struct dns_name {
 	ISC_LIST(dns_rdataset_t)	list;
 };
 
+#define DNS_NAME_MAGIC			0x444E536EU	/* DNSn. */
+
 #define DNS_NAMEATTR_ABSOLUTE		0x0001
 #define DNS_NAMEATTR_READONLY		0x0002
 #define DNS_NAMEATTR_DYNAMIC		0x0004
+#define DNS_NAMEATTR_DYNOFFSETS		0x0008
 /*
  * Attributes below 0x0100 reserved for name.c usage.
  */
@@ -383,7 +385,7 @@ dns_name_fullcompare(dns_name_t *name1, dns_name_t *name2,
  *
  * Ensures:
  *
- *	*orderp is -1 if name1 < name2, 0 if name1 = name2, 1 if
+ *	*orderp is < 0 if name1 < name2, 0 if name1 = name2, > 0 if
  *	name1 > name2.
  *
  *	*nlabelsp is the number of common significant labels.
@@ -426,9 +428,9 @@ dns_name_compare(dns_name_t *name1, dns_name_t *name2);
  *	Either name1 is absolute and name2 is absolute, or neither is.
  *
  * Returns:
- *	-1		'name1' is less than 'name2'
+ *	< 0		'name1' is less than 'name2'
  *	0		'name1' is equal to 'name2'
- *	1		'name1' is greater than 'name2'
+ *	> 0		'name1' is greater than 'name2'
  */
 
 isc_boolean_t
@@ -475,9 +477,9 @@ dns_name_rdatacompare(dns_name_t *name1, dns_name_t *name2);
  *	dns_name_countlabels(name2) > 0
  *
  * Returns:
- *	-1		'name1' is less than 'name2'
+ *	< 0		'name1' is less than 'name2'
  *	0		'name1' is equal to 'name2'
- *	1		'name1' is greater than 'name2'
+ *	> 0		'name1' is greater than 'name2'
  */
 
 isc_boolean_t
@@ -708,12 +710,11 @@ isc_result_t dns_name_fromwire(dns_name_t *name,
  *
  *	'name' is a valid name.
  *
- *	'source' is a valid buffer of type ISC_BUFFERTYPE_BINARY, and the
- *	first byte of the active region should be the first byte of a DNS
- *	wire format domain name.
+ *	'source' is a valid buffer and the first byte of the active
+ *	region should be the first byte of a DNS wire format domain name.
  *
- *	'target' is a valid buffer of type ISC_BUFFERTYPE_BINARY or 
- *	'target' is NULL and 'name' has a dedicated buffer.
+ *	'target' is a valid buffer or 'target' is NULL and 'name' has
+ *	a dedicated buffer.
  *
  *	'dctx' is a valid decompression context.
  *
@@ -740,8 +741,7 @@ isc_result_t dns_name_fromwire(dns_name_t *name,
  *	Bad Form: Bad compression pointer
  *	Bad Form: Input too short
  *	Resource Limit: Too many compression pointers
- *	Resource Limit: Not enough space in buffer
- */
+ *	Resource Limit: Not enough space in buffer */
 
 isc_result_t dns_name_towire(dns_name_t *name,
 			     dns_compress_t *cctx,
@@ -761,7 +761,7 @@ isc_result_t dns_name_towire(dns_name_t *name,
  *
  *	dns_name_isabsolute(name) == TRUE
  *
- *	target is a valid buffer of type ISC_BUFFERTYPE_BINARY.
+ *	target is a valid buffer.
  *
  *	Any offsets specified in a global compression table are valid
  *	for buffer.
@@ -800,10 +800,10 @@ isc_result_t dns_name_fromtext(dns_name_t *name,
  *
  *	'name' is a valid name.
  *
- *	'source' is a valid buffer of type ISC_BUFFERTYPE_TEXT.
+ *	'source' is a valid buffer.
  *
- *	'target' is a valid buffer of type ISC_BUFFERTYPE_BINARY or 
- *	'target' is NULL and 'name' has a dedicated buffer.
+ *	'target' is a valid buffer or 'target' is NULL and 'name' has
+ *	a dedicated buffer.
  *
  * Ensures:
  *
@@ -819,16 +819,15 @@ isc_result_t dns_name_fromtext(dns_name_t *name,
  *		in target is updated.
  *
  * Result:
- *	DNS_R_SUCCESS
+ *	ISC_R_SUCCESS
  *	DNS_R_EMPTYLABEL
  *	DNS_R_LABELTOOLONG
  *	DNS_R_BADESCAPE
  *	DNS_R_BADBITSTRING
  *	DNS_R_BITSTRINGTOOLONG
  *	DNS_R_BADDOTTEDQUAD
- *	DNS_R_NOSPACE
- *	DNS_R_UNEXPECTEDEND
- */
+ *	ISC_R_NOSPACE
+ *	ISC_R_UNEXPECTEDEND */
 
 isc_result_t dns_name_totext(dns_name_t *name,
 			     isc_boolean_t omit_final_dot,
@@ -844,7 +843,7 @@ isc_result_t dns_name_totext(dns_name_t *name,
  *
  *	'name' is a valid name
  *
- *	'target' is a valid buffer of type ISC_BUFFERTYPE_TEXT
+ *	'target' is a valid buffer.
  *
  *	dns_name_countlabels(name) > 0
  *
@@ -859,8 +858,8 @@ isc_result_t dns_name_totext(dns_name_t *name,
  *		The used space in target is updated.
  *
  * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_NOSPACE
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOSPACE
  */
 
 isc_result_t
@@ -879,15 +878,14 @@ dns_name_downcase(dns_name_t *source, dns_name_t *name,
  *
  *	Otherwise,
  *
- *		'target' is a valid buffer of type ISC_BUFFERTYPE_BINARY, or 
- *		'target' is NULL and 'name' has a dedicated buffer.
+ *		'target' is a valid buffer or 'target' is NULL and
+ *		'name' has a dedicated buffer.
  *
  * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_NOSPACE
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOSPACE
  *
- *	Note: if source == name, then the result will always be DNS_R_SUCCESS.
- */
+ * Note: if source == name, then the result will always be ISC_R_SUCCESS.  */
 
 isc_result_t dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix,
 				  dns_name_t *name, isc_buffer_t *target);
@@ -902,8 +900,8 @@ isc_result_t dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix,
  *
  *	'name' is a valid name or NULL.
  *
- *	'target' is a valid buffer of type ISC_BUFFERTYPE_BINARY, or 
- *	'target' is NULL and 'name' has a dedicated buffer.
+ *	'target' is a valid buffer or 'target' is NULL and 'name' has
+ *	a dedicated buffer.
  *
  *	If 'prefix' is absolute, 'suffix' must be NULL or the empty name.
  *
@@ -918,9 +916,8 @@ isc_result_t dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix,
  *		The used space in target is updated.
  *
  * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_NOSPACE
- */
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOSPACE */
 
 isc_result_t
 dns_name_split(dns_name_t *name,
@@ -981,8 +978,8 @@ dns_name_split(dns_name_t *name,
  *		on which one the problem was encountered with).
  *
  * Returns:
- *	DNS_R_SUCCESS	No worries.
- *	DNS_R_NOSPACE	An attempt was made to split a name on a bitlabel
+ *	ISC_R_SUCCESS	No worries.
+ *	ISC_R_NOSPACE	An attempt was made to split a name on a bitlabel
  *			boundary but either 'prefix' or 'suffix' did not
  *			have enough room to receive the split name.
  */
@@ -1034,6 +1031,24 @@ dns_name_dup(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target);
  *	'mctx' is a valid memory context.
  */
 
+isc_result_t
+dns_name_dupwithoffsets(dns_name_t *source, isc_mem_t *mctx,
+			dns_name_t *target);
+/*
+ * Make 'target' a read-only dynamically allocated copy of 'source'.
+ * 'target' will also have a dynamically allocated offsets table.
+ *
+ * Requires:
+ *
+ *	'source' is a valid non-empty name.
+ *	
+ *	'target' is a valid name that is not read-only.
+ *
+ *	'target' has no offsets table.
+ *	
+ *	'mctx' is a valid memory context.
+ */
+
 void
 dns_name_free(dns_name_t *name, isc_mem_t *mctx);
 /*
@@ -1067,12 +1082,12 @@ dns_name_digest(dns_name_t *name, dns_digestfunc_t digest, void *arg);
  *	If successful, the DNSSEC canonical form of 'name' will have been
  *	sent to 'digest'.
  *
- *	If digest() returns something other than DNS_R_SUCCESS, that result
+ *	If digest() returns something other than ISC_R_SUCCESS, that result
  *	will be returned as the result of dns_name_digest().
  *
  * Returns:
  *
- *	DNS_R_SUCCESS
+ *	ISC_R_SUCCESS
  *
  *	Many other results are possible if not successful.
  *	
@@ -1110,6 +1125,73 @@ dns_name_print(dns_name_t *name, FILE *stream);
  *	Any error that dns_name_totext() can return.
  */
 
+void
+dns_name_format(dns_name_t *name, char *cp, unsigned int size);
+/*
+ * Format 'name' as text appropriate for use in log messages.
+ *
+ * Store the formatted name at 'cp', writing no more than
+ * 'size' bytes.  The resulting string is guaranteed to be
+ * null terminated.
+ *
+ * The formatted name will have a terminating dot only if it is 
+ * the root.
+ *
+ * This function cannot fail, instead any errors are indicated
+ * in the returned text.
+ *
+ * Requires:
+ *
+ *	'name' is a valid name.
+ *
+ *	'cp' points a valid character array of size 'size'.
+ *
+ *	'size' > 0.
+ *
+ */
+
+/***
+ *** High Peformance Macros
+ ***/
+
+/*
+ * WARNING:  Use of these macros by applications may require recompilation
+ *           of the application in some situations where calling the function
+ *           would not.
+ *
+ * WARNING:  No assertion checking is done for these macros.
+ */
+
+#ifdef DNS_NAME_USEINLINE
+
+#define dns_name_init(n, o)		DNS_NAME_INIT(n, o)
+#define dns_name_countlabels(n)		DNS_NAME_COUNTLABELS(n)
+#define dns_name_isabsolute(n)		DNS_NAME_ISABSOLUTE(n)
+
+#define DNS_NAME_INIT(n, o) \
+do { \
+	(n)->magic = DNS_NAME_MAGIC; \
+	(n)->ndata = NULL; \
+	(n)->length = 0; \
+	(n)->labels = 0; \
+	(n)->attributes = 0; \
+	(n)->offsets = (o); \
+	(n)->buffer = NULL; \
+	ISC_LINK_INIT((n), link); \
+	ISC_LIST_INIT((n)->list); \
+} while (0)
+
+#define DNS_NAME_SETBUFFER(n, b) \
+	(n)->buffer = (b)
+
+#define DNS_NAME_ISABSOLUTE(n) \
+	(((n)->attributes & DNS_NAMEATTR_ABSOLUTE) ? ISC_TRUE : ISC_FALSE)
+
+#define DNS_NAME_COUNTLABELS(n) \
+	((n)->labels)
+
+#endif /* DNS_NAME_USEINLINE */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_NAME_H */
diff --git a/lib/dns/include/dns/namedconf.h b/lib/dns/include/dns/namedconf.h
index 7d74c279..09a9770b 100644
--- a/lib/dns/include/dns/namedconf.h
+++ b/lib/dns/include/dns/namedconf.h
@@ -18,17 +18,17 @@
 #ifndef DNS_NAMEDCONF_H
 #define DNS_NAMEDCONF_H 1
 
-#include <dns/confacl.h>
-#include <dns/confcommon.h>
-#include <dns/confctl.h>
-#include <dns/confctx.h>
-#include <dns/confip.h>
-#include <dns/confkeys.h>
-#include <dns/conflog.h>
-#include <dns/conflsn.h>
-#include <dns/confparser.h>
-#include <dns/confrrset.h>
-#include <dns/confzone.h>
-#include <dns/peer.h>
+#include <dns/confacl.h>	/* Contractual promise. */
+#include <dns/confcommon.h>	/* Contractual promise. */
+#include <dns/confctl.h>	/* Contractual promise. */
+#include <dns/confctx.h>	/* Contractual promise. */
+#include <dns/confip.h>		/* Contractual promise. */
+#include <dns/confkeys.h>	/* Contractual promise. */
+#include <dns/conflog.h>	/* Contractual promise. */
+#include <dns/conflsn.h>	/* Contractual promise. */
+#include <dns/confparser.h>	/* Contractual promise. */
+#include <dns/confrrset.h>	/* Contractual promise. */
+#include <dns/confzone.h>	/* Contractual promise. */
+#include <dns/peer.h>		/* Contractual promise. */
 
-#endif
+#endif /* DNS_NAMEDCONF_H */
diff --git a/lib/dns/include/dns/ncache.h b/lib/dns/include/dns/ncache.h
index dd2c9f7f..36a5e32a 100644
--- a/lib/dns/include/dns/ncache.h
+++ b/lib/dns/include/dns/ncache.h
@@ -44,12 +44,9 @@
  */
 
 #include <isc/lang.h>
-#include <isc/types.h>
 #include <isc/stdtime.h>
-#include <isc/buffer.h>
 
 #include <dns/types.h>
-#include <dns/result.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -61,6 +58,9 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
  * Convert the authority data from 'message' into a negative cache
  * rdataset, and store it in 'cache' at 'node'.
  *
+ * The 'covers' argument is the RR type whose nonexistence we are caching,
+ * or dns_rdatatype_any when caching a NXDOMAIN response.
+ *
  * Note:
  *	If 'addedrdataset' is not NULL, then it will be attached to the added
  *	rdataset.  See dns_db_addrdataset() for more details.
@@ -99,7 +99,7 @@ dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
  *	'countp' is a valid pointer.
  *
  * Ensures:
- *	On a return of DNS_R_SUCCESS, 'target' contains a wire format
+ *	On a return of ISC_R_SUCCESS, 'target' contains a wire format
  *	for the data contained in 'rdataset'.  Any error return leaves
  *	the buffer unchanged.
  *
@@ -107,8 +107,8 @@ dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
  *	target.
  *
  * Returns:
- *	DNS_R_SUCCESS		- all ok
- *	DNS_R_NOSPACE		- 'target' doesn't have enough room
+ *	ISC_R_SUCCESS		- all ok
+ *	ISC_R_NOSPACE		- 'target' doesn't have enough room
  *
  *	Any error returned by dns_rdata_towire(), dns_rdataset_next(),
  *	dns_name_towire().
diff --git a/lib/dns/include/dns/nxt.h b/lib/dns/include/dns/nxt.h
index ecc1c811..2ba5f7ff 100644
--- a/lib/dns/include/dns/nxt.h
+++ b/lib/dns/include/dns/nxt.h
@@ -20,12 +20,12 @@
 
 #include <isc/lang.h>
 
-#include <dns/result.h>
-
-ISC_LANG_BEGINDECLS
+#include <dns/types.h>
 
 #define DNS_NXT_BUFFERSIZE (256 + 16)
 
+ISC_LANG_BEGINDECLS
+
 isc_result_t
 dns_buildnxtrdata(dns_db_t *db, dns_dbversion_t *version,
 		  dns_dbnode_t *node, dns_name_t *target,
@@ -50,6 +50,17 @@ dns_buildnxt(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
  * Build a NXT record and add it to a database.
  */
 
+isc_boolean_t
+dns_nxt_typepresent(dns_rdata_t *nxt, dns_rdatatype_t type);
+/*
+ * Determine if a type is marked as present in an NXT record.
+ *
+ * Requires:
+ *	'nxt' points to a valid rdataset of type NXT
+ *	'type' < 128
+ *
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_NXT_H */
diff --git a/lib/dns/include/dns/peer.h b/lib/dns/include/dns/peer.h
index 75b93b34..282f9e14 100644
--- a/lib/dns/include/dns/peer.h
+++ b/lib/dns/include/dns/peer.h
@@ -30,18 +30,11 @@
  *** Imports
  ***/
 
-#include <config.h>
-
-#include <sys/types.h>
-
-#include <isc/mem.h>
-#include <isc/net.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
 #include <isc/netaddr.h>
 
 #include <dns/types.h>
-#include <dns/confcommon.h>
-#include <dns/confkeys.h>
-
 
 #define DNS_PEERLIST_MAGIC	0x7365524c /* seRL */
 #define DNS_PEER_MAGIC		0x53457276 /* SErv */
@@ -49,13 +42,11 @@
 #define DNS_PEERLIST_VALID(ptr)	ISC_MAGIC_VALID(ptr, DNS_PEERLIST_MAGIC)
 #define DNS_PEER_VALID(ptr)	ISC_MAGIC_VALID(ptr, DNS_PEER_MAGIC)
 
-
 /***
  *** Types
  ***/
 
-struct dns_peerlist
-{
+struct dns_peerlist {
 	isc_uint32_t		magic;
 	isc_uint32_t		refs;
 	
@@ -64,9 +55,7 @@ struct dns_peerlist
 	ISC_LIST(dns_peer_t) elements;
 };
 
-
-struct dns_peer 
-{
+struct dns_peer {
 	isc_uint32_t		magic;
 	isc_uint32_t		refs;
 
@@ -86,66 +75,93 @@ struct dns_peer
 	ISC_LINK(dns_peer_t)	next;
 };
 
-
 /***
  *** Functions
  ***/
 
-isc_result_t	dns_peerlist_new(isc_mem_t *mem,
-				 dns_peerlist_t **list);
-void		dns_peerlist_attach(dns_peerlist_t *source,
-				    dns_peerlist_t **target);
-void		dns_peerlist_detach(dns_peerlist_t **list);
-
-/* After return caller still holds a reference to peer. */
-void		dns_peerlist_addpeer(dns_peerlist_t *peers,
-				     dns_peer_t *peer);
-
-/* ditto */
-isc_result_t	dns_peerlist_peerbyaddr(dns_peerlist_t *peers,
-					isc_netaddr_t *addr,
-					dns_peer_t **retval);
-
-/* what he said. */
-isc_result_t	dns_peerlist_currpeer(dns_peerlist_t *peers,
-				      dns_peer_t **retval);
-
-
-
-isc_result_t	dns_peer_new(isc_mem_t *mem,
-			     isc_netaddr_t *ipaddr,
-			     dns_peer_t **peer);
-isc_result_t	dns_peer_attach(dns_peer_t *source, dns_peer_t **target);
-isc_result_t	dns_peer_detach(dns_peer_t **list);
-
-isc_result_t	dns_peer_setbogus(dns_peer_t *peer,
-				  isc_boolean_t newval);
-isc_result_t	dns_peer_getbogus(dns_peer_t *peer,
-				  isc_boolean_t *retval);
-isc_result_t	dns_peer_setsupportixfr(dns_peer_t *peer,
-					isc_boolean_t newval);
-isc_result_t	dns_peer_getsupportixfr(dns_peer_t *peer,
-					isc_boolean_t *retval);
-isc_result_t	dns_peer_setrequestixfr(dns_peer_t *peer,
-					isc_boolean_t newval);
-isc_result_t	dns_peer_getrequestixfr(dns_peer_t *peer,
-					isc_boolean_t *retval);
-isc_result_t	dns_peer_setprovideixfr(dns_peer_t *peer,
-					isc_boolean_t newval);
-isc_result_t	dns_peer_getprovideixfr(dns_peer_t *peer,
-					isc_boolean_t *retval);
-isc_result_t	dns_peer_settransfers(dns_peer_t *peer,
-				      isc_int32_t newval);
-isc_result_t	dns_peer_gettransfers(dns_peer_t *peer,
-				      isc_int32_t *retval);
-isc_result_t	dns_peer_settransferformat(dns_peer_t *peer,
-					   dns_transfer_format_t newval);
-isc_result_t	dns_peer_gettransferformat(dns_peer_t *peer,
-					   dns_transfer_format_t *retval);
-isc_result_t	dns_peer_setkeybycharp(dns_peer_t *peer,
-				       const char *keyval);
-isc_result_t	dns_peer_getkey(dns_peer_t *peer, dns_name_t **retval);
-isc_result_t	dns_peer_setkey(dns_peer_t *peer, dns_name_t **keyval);
-
-
-#endif /* DNS_CONFIG_CONFSERV_H */
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_peerlist_new(isc_mem_t *mem, dns_peerlist_t **list);
+
+void
+dns_peerlist_attach(dns_peerlist_t *source, dns_peerlist_t **target);
+
+void
+dns_peerlist_detach(dns_peerlist_t **list);
+
+/*
+ * After return caller still holds a reference to peer.
+ */
+void
+dns_peerlist_addpeer(dns_peerlist_t *peers, dns_peer_t *peer);
+
+/*
+ * Ditto. */
+isc_result_t
+dns_peerlist_peerbyaddr(dns_peerlist_t *peers, isc_netaddr_t *addr,
+			dns_peer_t **retval);
+
+/*
+ * What he said.
+ */
+isc_result_t
+dns_peerlist_currpeer(dns_peerlist_t *peers, dns_peer_t **retval);
+
+isc_result_t
+dns_peer_new(isc_mem_t *mem, isc_netaddr_t *ipaddr, dns_peer_t **peer);
+
+isc_result_t
+dns_peer_attach(dns_peer_t *source, dns_peer_t **target);
+
+isc_result_t
+dns_peer_detach(dns_peer_t **list);
+
+isc_result_t
+dns_peer_setbogus(dns_peer_t *peer, isc_boolean_t newval);
+
+isc_result_t
+dns_peer_getbogus(dns_peer_t *peer, isc_boolean_t *retval);
+
+isc_result_t
+dns_peer_setsupportixfr(dns_peer_t *peer, isc_boolean_t newval);
+
+isc_result_t
+dns_peer_getsupportixfr(dns_peer_t *peer, isc_boolean_t *retval);
+
+isc_result_t
+dns_peer_setrequestixfr(dns_peer_t *peer, isc_boolean_t newval);
+
+isc_result_t
+dns_peer_getrequestixfr(dns_peer_t *peer, isc_boolean_t *retval);
+
+isc_result_t
+dns_peer_setprovideixfr(dns_peer_t *peer, isc_boolean_t newval);
+
+isc_result_t
+dns_peer_getprovideixfr(dns_peer_t *peer, isc_boolean_t *retval);
+
+isc_result_t
+dns_peer_settransfers(dns_peer_t *peer, isc_int32_t newval);
+
+isc_result_t
+dns_peer_gettransfers(dns_peer_t *peer, isc_int32_t *retval);
+
+isc_result_t
+dns_peer_settransferformat(dns_peer_t *peer, dns_transfer_format_t newval);
+
+isc_result_t
+dns_peer_gettransferformat(dns_peer_t *peer, dns_transfer_format_t *retval);
+
+isc_result_t
+dns_peer_setkeybycharp(dns_peer_t *peer, const char *keyval);
+
+isc_result_t
+dns_peer_getkey(dns_peer_t *peer, dns_name_t **retval);
+
+isc_result_t
+dns_peer_setkey(dns_peer_t *peer, dns_name_t **keyval);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_PEER_H */
diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h
index 6c2711b9..5e22719d 100644
--- a/lib/dns/include/dns/rbt.h
+++ b/lib/dns/include/dns/rbt.h
@@ -15,19 +15,25 @@
  * SOFTWARE.
  */
 
-#ifndef	DNS_RBT_H
-#define	DNS_RBT_H 1
+#ifndef DNS_RBT_H
+#define DNS_RBT_H 1
 
 #include <isc/lang.h>
-#include <isc/result.h>
-#include <isc/mem.h>
 
 #include <dns/types.h>
-#include <dns/name.h>
 
 ISC_LANG_BEGINDECLS
 
 /*
+ * Option values for dns_rbt_findnode() and dns_rbt_findname().
+ * These are used to form a bitmask.
+ */
+#define DNS_RBTFIND_NOOPTIONS			0x00
+#define DNS_RBTFIND_EMPTYDATA			0x01
+#define DNS_RBTFIND_NOEXACT			0x02
+#define DNS_RBTFIND_NOPREDECESSOR		0x04
+
+/*
  * These should add up to 30.
  */
 #define DNS_RBT_LOCKLENGTH			10
@@ -41,6 +47,7 @@ ISC_LANG_BEGINDECLS
  * multiple dns_rbtnode structures will not work.
  */
 typedef struct dns_rbtnode {
+	struct dns_rbtnode *parent;
 	struct dns_rbtnode *left;
 	struct dns_rbtnode *right;
 	struct dns_rbtnode *down;
@@ -56,12 +63,13 @@ typedef struct dns_rbtnode {
 	 * In each case below the "range" indicated is what's _necessary_ for
 	 * the bitfield to hold, not what it actually _can_ hold.
 	 */
-	unsigned int color:1;	      /* range is 0..1 */
-	unsigned int find_callback:1; /* range is 0..1 */
-	unsigned int attributes:5;    /* range is 0..2 */
-	unsigned int namelen:8;	      /* range is 1..255 */
-	unsigned int offsetlen:8;     /* range is 1..128 */
-	unsigned int padbytes:9;      /* range is 0..380 */
+	unsigned int is_root : 1;	/* range is 0..1 */
+	unsigned int color : 1;		/* range is 0..1 */
+	unsigned int find_callback : 1;	/* range is 0..1 */
+	unsigned int attributes : 4;	/* range is 0..2 */
+	unsigned int namelen : 8;	/* range is 1..255 */
+	unsigned int offsetlen : 8;	/* range is 1..128 */
+	unsigned int padbytes : 9;	/* range is 0..380 */
 	/*
 	 * These values are used in the RBT DB implementation.  The appropriate
 	 * node lock must be held before accessing them.
@@ -197,15 +205,15 @@ dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *),
  *	arg == NULL iff deleter == NULL
  *
  * Ensures:
- *	If result is DNS_R_SUCCESS:
+ *	If result is ISC_R_SUCCESS:
  *		*rbtp points to a valid red-black tree manager
  *
  *	If result is failure:
  *		*rbtp does not point to a valid red-black tree manager.
  *
  * Returns:
- *	DNS_R_SUCCESS	Success
- *	DNS_R_NOMEMORY	Resource limit: Out of Memory
+ *	ISC_R_SUCCESS	Success
+ *	ISC_R_NOMEMORY	Resource limit: Out of Memory
  */
 
 isc_result_t
@@ -231,22 +239,22 @@ dns_rbt_addname(dns_rbt_t *rbt, dns_name_t *name, void *data);
  *	Any external references to nodes in the tree are unaffected by
  *	node splits that are necessary to insert the new name.
  *
- *	If result is DNS_R_SUCCESS:
+ *	If result is ISC_R_SUCCESS:
  *		'name' is findable in the red/black tree of trees in O(log N).
  *
  *		The data pointer of the node for 'name' is set to 'data'.
  *
- *	If result is DNS_R_EXISTS or DNS_R_NOSPACE:
+ *	If result is ISC_R_EXISTS or ISC_R_NOSPACE:
  *		The tree of trees is unaltered.
  *
- *	If result is DNS_R_NOMEMORY:
+ *	If result is ISC_R_NOMEMORY:
  *		No guarantees.
  *
  * Returns:
- *	DNS_R_SUCCESS	Success
- *	DNS_R_EXISTS	The name already exists with associated data.
- *	DNS_R_NOSPACE 	The name had more logical labels than are allowed.
- *	DNS_R_NOMEMORY	Resource Limit: Out of Memory
+ *	ISC_R_SUCCESS	Success
+ *	ISC_R_EXISTS	The name already exists with associated data.
+ *	ISC_R_NOSPACE 	The name had more logical labels than are allowed.
+ *	ISC_R_NOMEMORY	Resource Limit: Out of Memory
  */
 
 isc_result_t
@@ -266,33 +274,38 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep);
  *	Any external references to nodes in the tree are unaffected by
  *	node splits that are necessary to insert the new name.
  *
- *	If result is DNS_R_SUCCESS:
+ *	If result is ISC_R_SUCCESS:
  *		'name' is findable in the red/black tree of trees in O(log N).
  *
  *		*nodep is the node that was added for 'name'.
  *
- *	If result is DNS_R_EXISTS:
+ *	If result is ISC_R_EXISTS:
  *		The tree of trees is unaltered.
  *
  *		*nodep is the existing node for 'name'.
  *
- *	If result is DNS_R_NOMEMORY:
+ *	If result is ISC_R_NOMEMORY:
  *		No guarantees.
  *
  * Returns:
- *	DNS_R_SUCCESS	Success
- *	DNS_R_EXISTS	The name already exists, possibly without data.
- *	DNS_R_NOMEMORY	Resource Limit: Out of Memory
+ *	ISC_R_SUCCESS	Success
+ *	ISC_R_EXISTS	The name already exists, possibly without data.
+ *	ISC_R_NOMEMORY	Resource Limit: Out of Memory
  */
 
 isc_result_t
-dns_rbt_findname(dns_rbt_t *rbt, dns_name_t *name,
+dns_rbt_findname(dns_rbt_t *rbt, dns_name_t *name, unsigned int options,
 		 dns_name_t *foundname, void **data);
 /*
  * Get the data pointer associated with 'name'.
  *
  * Notes:
- *	A node that has no data is considered not to exist for this function.
+ *	When DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
+ *      returned (also subject to DNS_RBTFIND_EMPTYDATA), even when there is
+ *	an exact match in the tree.
+ *
+ *      A node that has no data is considered not to exist for this function,
+ *      unless the DNS_RBTFIND_EMPTYDATA option is set.
  *
  * Requires:
  *	rbt is a valid rbt manager.
@@ -302,27 +315,27 @@ dns_rbt_findname(dns_rbt_t *rbt, dns_name_t *name,
  * Ensures:
  *	'name' and the tree are not altered in any way.
  *
- *	If result is DNS_R_SUCCESS:
+ *	If result is ISC_R_SUCCESS:
  *		*data is the data associated with 'name'.
  *
  *	If result is DNS_R_PARTIALMATCH:
  *		*data is the data associated with the deepest superdomain
  * 		of 'name' which has data.
  *
- *	If result is DNS_R_NOTFOUND:
+ *	If result is ISC_R_NOTFOUND:
  *		Neither the name nor a superdomain was found with data.
  *
  * Returns:
- *	DNS_R_SUCCESS		Success
+ *	ISC_R_SUCCESS		Success
  *	DNS_R_PARTIALMATCH	Superdomain found with data
- *	DNS_R_NOTFOUND		No match
- *	DNS_R_NOSPACE		Concatenating nodes to form foundname failed
+ *	ISC_R_NOTFOUND		No match
+ *	ISC_R_NOSPACE		Concatenating nodes to form foundname failed
  */
 
 isc_result_t
 dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 		 dns_rbtnode_t **node, dns_rbtnodechain_t *chain,
-		 isc_boolean_t empty_data_ok, dns_rbtfindcallback_t callback,
+		 unsigned int options, dns_rbtfindcallback_t callback,
 		 void *callback_arg);
 /*
  * Find the node for 'name'.
@@ -330,13 +343,16 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
  * Notes:
  *	It is _not_ required that the node associated with 'name' has a
  *	non-NULL data pointer for an exact match.  A partial match must
- *	have associated data, unless the empty_data_ok flag is true.
+ *	have associated data, unless the DNS_RBTFIND_EMPTYDATA option is set.
  *
  *	If the chain parameter is non-NULL, then the path through the tree
- *	to the DNSSEC predecessor of the searched for name is maintained.
+ *	to the DNSSEC predecessor of the searched for name is maintained,
+ *	unless the DNS_RBT_NOPREDECESSOR or DNS_RBT_NOEXACT option is used.
+ *	(For more details on those options, see below.)
+ *
  *	If there is no predecessor, then the chain will point to nowhere, as
  *	indicated by chain->end being NULL or dns_rbtnodechain_current
- *	returning DNS_R_NOTFOUND.  Note that in a normal Internet DNS RBT
+ *	returning ISC_R_NOTFOUND.  Note that in a normal Internet DNS RBT
  *	there will always be a predecessor for all names except the root
  *	name, because '.' will exist and '.' is the predecessor of
  *	everything.  But you can certainly construct a trivial tree and a
@@ -372,15 +388,34 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
  *	could have been stored; the amount to be freed from the rbt->mctx
  *	is ancestor_maxitems * sizeof(dns_rbtnode_t *).
  *
+ *	When DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
+ *      returned (also subject to DNS_RBTFIND_EMPTYDATA), even when
+ *      there is an exact match in the tree.  In this case, the chain
+ *	will not point to the DNSSEC predecessor, but will instead point
+ *	to the exact match, if there was any.  Thus the preceding paragraphs
+ *	should have "exact match" substituted for "predecessor" to describe
+ *	how the various elements of the chain are set.  This was done to 
+ * 	ensure that the chain's state was sane, and to prevent problems that
+ *	occurred when running the predecessor location code under conditions
+ *	it was not designed for.  It is clear *where* the chain should point
+ *	when DNS_RBTFIND_NOEXACT is set, so if you end up using a chain
+ *	with this option because you want a particular node, let us know
+ *	where you want the chain pointed, so this can be made more firm.
+ *
+ *      A node that has no data is considered not to exist for this function,
+ *      unless the DNS_RBTFIND_EMPTYDATA option is set.  
+ *
  * Requires:
  *	rbt is a valid rbt manager.
- *	dns_name_isabsolute(name) == TRUE
- *	node != NULL && *node == NULL
+ *	dns_name_isabsolute(name) == TRUE.
+ *	node != NULL && *node == NULL.
+ *	DNS_RBTFIND_NOEXACT and DNS_RBTFIND_NOPREDECESSOR are mutally
+ *		exclusive.
  *
  * Ensures:
  *	'name' and the tree are not altered in any way.
  *
- *	If result is DNS_R_SUCCESS:
+ *	If result is ISC_R_SUCCESS:
  *		*node is the terminal node for 'name'.
  *
  *		'foundname' and 'name' represent the same name (though not
@@ -395,18 +430,18 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
  * 		of 'name' which has data.
  *
  *		'foundname' is the name of deepest superdomain (which has
- *		data, unless 'empty_data_ok').
+ *		data, unless the DNS_RBTFIND_EMPTYDATA option is set).
  *
  *		'chain' points to the DNSSEC predecessor, if any, of 'name'.
  *
- *	If result is DNS_R_NOTFOUND:
+ *	If result is ISC_R_NOTFOUND:
  *		Neither the name nor a superdomain was found.  *node is NULL.
  *
  *		'chain' points to the DNSSEC predecessor, if any, of 'name'.
  *
  *		chain->level_matches is 0.
  *
- *	If result is DNS_R_NOMEMORY:
+ *	If result is ISC_R_NOMEMORY:
  *		The function could not complete because memory could not
  *		be allocated to maintain the chain.  However, it
  *		is possible that some memory was allocated;
@@ -414,11 +449,11 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
  *		DNS_RBT_ANCESTORBLOCK if so.
  *
  * Returns:
- *	DNS_R_SUCCESS		Success
+ *	ISC_R_SUCCESS		Success
  *	DNS_R_PARTIALMATCH	Superdomain found with data
- *	DNS_R_NOTFOUND		No match, or superdomain with no data
- *	DNS_R_NOMEMORY		Resource Limit: Out of Memory building chain
- *	DNS_R_NOSPACE 		Concatenating nodes to form foundname failed
+ *	ISC_R_NOTFOUND		No match, or superdomain with no data
+ *	ISC_R_NOMEMORY		Resource Limit: Out of Memory building chain
+ *	ISC_R_NOSPACE 		Concatenating nodes to form foundname failed
  */
 
 isc_result_t
@@ -440,22 +475,62 @@ dns_rbt_deletename(dns_rbt_t *rbt, dns_name_t *name, isc_boolean_t recurse);
  *	Does NOT ensure that any external references to nodes in the tree
  *	are unaffected by node joins.
  *
- *	If result is DNS_R_SUCCESS:
+ *	If result is ISC_R_SUCCESS:
  *		'name' does not appear in the tree with data; however,
  *		the node for the name might still exist which can be
  *		found with dns_rbt_findnode (but not dns_rbt_findname).
  *
- *	If result is DNS_R_NOTFOUND:
+ *	If result is ISC_R_NOTFOUND:
  *		'name' does not appear in the tree with data, because
  *		it did not appear in the tree before the function was called.
  *
- *	If result is DNS_R_NOMEMORY:
- *		'name' remains in the tree, if it was there to begin with.
+ *	If result is something else:
+ *		See result codes for dns_rbt_findnode (if it fails, the
+ *		node is not deleted) or dns_rbt_deletenode (if it fails,
+ *		the node is deleted, but the tree is not optimized when
+ *		it could have been).
+ *
+ * Returns:
+ *	ISC_R_SUCCESS	Success
+ *	ISC_R_NOTFOUND	No match
+ *	something_else	Any return code from dns_rbt_findnode except
+ *			DNS_R_PARTIALMATCH (which causes ISC_R_NOTFOUND
+ *			to be returned instead), and any code from
+ *			dns_rbt_deletenode.
+ */
+
+isc_result_t
+dns_rbt_deletenode(dns_rbt_t *rbt, dns_rbtnode_t *node, isc_boolean_t recurse);
+/*
+ * Delete 'node' from the tree of trees.
+ *
+ * Notes:
+ *	When 'node' is removed, if recurse is ISC_TRUE then all nodes
+ *	in levels down from it are removed too.
+ *
+ * Requires:
+ *	rbt is a valid rbt manager.
+ *	node != NULL.
+ *
+ * Ensures:
+ *	Does NOT ensure that any external references to nodes in the tree
+ *	are unaffected by node joins.
+ *
+ *	If result is ISC_R_SUCCESS:
+ *		'node' does not appear in the tree with data; however,
+ *		the node might still exist if it serves as a pointer to
+ *		a lower tree level as long as 'recurse' was false, hence
+ *		the node could can be found with dns_rbt_findnode whem
+ *		that function's empty_data_ok parameter is true.
+ *
+ *	If result is ISC_R_NOMEMORY or ISC_R_NOSPACE:
+ *		The node was deleted, but the tree structure was not
+ *		optimized.
  *
  * Returns:
- *	DNS_R_SUCCESS	Success
- *	DNS_R_NOTFOUND	No match
- *	DNS_R_NOMEMORY	Resource Limit: Out of Memory
+ *	ISC_R_SUCCESS	Success
+ *	ISC_R_NOMEMORY	Resource Limit: Out of Memory when joining nodes.
+ *	ISC_R_NOSPACE	dns_name_concatenate failed when joining nodes.
  */
 
 void
@@ -578,7 +653,7 @@ dns_rbtnodechain_current(dns_rbtnodechain_t *chain, dns_name_t *name,
  *	by dns_rbt_findnode, dns_rbtnodechain_first or dns_rbtnodechain_last.
  *	If none were called for the chain since it was initialized or reset,
  *	or if the was no predecessor to the name searched for with
- *	dns_rbt_findnode, then '*node' is NULL and DNS_R_NOTFOUND is returned.
+ *	dns_rbt_findnode, then '*node' is NULL and ISC_R_NOTFOUND is returned.
  *
  *	'name', if non-NULL, is the name stored at the terminal level of
  *	the chain.  This is typically a single label, like the "www" of
@@ -594,8 +669,8 @@ dns_rbtnodechain_current(dns_rbtnodechain_t *chain, dns_name_t *name,
  *	
  *
  * Returns:
- *	DNS_R_SUCCESS		name, origin & node were successfully set.
- *	DNS_R_NOTFOUND		The chain does not point to any node.
+ *	ISC_R_SUCCESS		name, origin & node were successfully set.
+ *	ISC_R_NOTFOUND		The chain does not point to any node.
  *	<something_else>	Any error return from dns_name_concatenate.
  */
 
@@ -643,7 +718,7 @@ dns_rbtnodechain_last(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
  *
  * Returns:
  *	DNS_R_NEWORIGIN		The name & origin were successfully set.
- *	DNS_R_NOMEMORY		Resource Limit: Out of Memory building chain.
+ *	ISC_R_NOMEMORY		Resource Limit: Out of Memory building chain.
  *	<something_else>	Any error result from dns_name_concatenate.
  */
 
@@ -670,10 +745,10 @@ dns_rbtnodechain_prev(dns_rbtnodechain_t *chain, dns_name_t *name,
  *	'origin' is only if a new origin was found.
  *
  * Returns:
- *	DNS_R_SUCCESS		The predecessor was found and 'name' was set.
+ *	ISC_R_SUCCESS		The predecessor was found and 'name' was set.
  *	DNS_R_NEWORIGIN		The predecessor was found with a different
  *				origin and 'name' and 'origin' were set.
- *	DNS_R_NOMORE		There was no predecessor.
+ *	ISC_R_NOMORE		There was no predecessor.
  *	<something_else>	Any error result from dns_rbtnodechain_current.
  */
 
@@ -700,10 +775,10 @@ dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
  *	'origin' is only if a new origin was found.
  *
  * Returns:
- *	DNS_R_SUCCESS		The successor was found and 'name' was set.
+ *	ISC_R_SUCCESS		The successor was found and 'name' was set.
  *	DNS_R_NEWORIGIN		The successor was found with a different
  *				origin and 'name' and 'origin' were set.
- *	DNS_R_NOMORE		There was no successor.
+ *	ISC_R_NOMORE		There was no successor.
  *	<something_else>	Any error result from dns_name_concatenate.
  */
 
diff --git a/lib/dns/include/dns/rcode.h b/lib/dns/include/dns/rcode.h
index d15f2ec4..1d148a09 100644
--- a/lib/dns/include/dns/rcode.h
+++ b/lib/dns/include/dns/rcode.h
@@ -34,7 +34,7 @@ isc_result_t dns_rcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source);
  *	'source' is a valid text region.
  *
  * Returns:
- *	DNS_R_SUCCESS			on success
+ *	ISC_R_SUCCESS			on success
  *	DNS_R_UNKNOWN			type is unknown
  */
 
@@ -52,8 +52,8 @@ isc_result_t dns_rcode_totext(dns_rcode_t rcode, isc_buffer_t *target);
  *		The used space in 'target' is updated.
  *
  * Returns:
- *	DNS_R_SUCCESS			on success
- *	DNS_R_NOSPACE			target buffer is too small
+ *	ISC_R_SUCCESS			on success
+ *	ISC_R_NOSPACE			target buffer is too small
  */
 
 ISC_LANG_ENDDECLS
diff --git a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h
index 7ed4b69e..badbd738 100644
--- a/lib/dns/include/dns/rdata.h
+++ b/lib/dns/include/dns/rdata.h
@@ -92,12 +92,8 @@
  ***/
 
 #include <isc/lang.h>
-#include <isc/lex.h>
 
 #include <dns/types.h>
-#include <dns/name.h>
-#include <dns/callbacks.h>
-#include <dns/compress.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -167,9 +163,9 @@ int dns_rdata_compare(dns_rdata_t *rdata1, dns_rdata_t *rdata2);
  *	'rdata2' is a valid, non-empty rdata
  *
  * Returns:
- *	-1		'rdata1' is less than 'rdata2'
+ *	< 0		'rdata1' is less than 'rdata2'
  *	0		'rdata1' is equal to 'rdata2'
- *	1		'rdata1' is greater than 'rdata2'
+ *	> 0		'rdata1' is greater than 'rdata2'
  */
 
 /***
@@ -390,6 +386,9 @@ isc_result_t dns_rdata_fromstruct(dns_rdata_t *rdata,
  *
  *	'target' is a valid binary buffer.
  *
+ *	All structure pointers to memory blocks should be NULL if their
+ *	corresponding length values are zero.
+ *
  * Ensures:
  *	If result is success:
  *	 	If 'rdata' is not NULL, it is attached to the target.
@@ -406,6 +405,10 @@ isc_result_t dns_rdata_tostruct(dns_rdata_t *rdata, void *target,
 				isc_mem_t *mctx);
 /*
  * Convert an rdata into its C structure representation.
+ *	
+ * If 'mctx' is NULL then 'rdata' must persist while 'target' is being used.
+ *
+ * If 'mctx' is non NULL then memory will be allocated if required.
  *
  * Requires:
  *
@@ -439,6 +442,16 @@ isc_boolean_t dns_rdatatype_ismeta(dns_rdatatype_t type);
  *
  */
 
+isc_boolean_t dns_rdatatype_issingleton(dns_rdatatype_t type);
+/*
+ * Return true iff the rdata type 'type' is a singleton type,
+ * like CNAME or SOA.
+ *
+ * Requires:
+ * 	'type' is a valid rdata type.
+ *
+ */
+
 isc_boolean_t dns_rdataclass_ismeta(dns_rdataclass_t rdclass);
 /*
  * Return true iff the rdata class 'rdclass' is a meta-class
@@ -469,6 +482,16 @@ isc_boolean_t dns_rdatatype_iszonecutauth(dns_rdatatype_t type);
  *
  */
 
+isc_boolean_t dns_rdatatype_isknown(dns_rdatatype_t type);
+/*
+ * Return true iff the rdata type 'type' is known.
+ *
+ * Requires:
+ * 	'type' is a valid rdata type.
+ *
+ */
+
+
 isc_result_t
 dns_rdata_additionaldata(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 			 void *arg);
@@ -487,12 +510,12 @@ dns_rdata_additionaldata(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
  *	If successful, then add() will have been called for each name
  *	and type subject to additional section processing.
  *
- *	If add() returns something other than DNS_R_SUCCESS, that result
+ *	If add() returns something other than ISC_R_SUCCESS, that result
  *	will be returned as the result of dns_rdata_additionaldata().
  *
  * Returns:
  *
- *	DNS_R_SUCCESS
+ *	ISC_R_SUCCESS
  *
  *	Many other results are possible if not successful.
  */
@@ -518,16 +541,69 @@ dns_rdata_digest(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg);
  *	If successful, then all of the rdata's data has been sent, in
  *	DNSSEC canonical form, to 'digest'.
  *
- *	If digest() returns something other than DNS_R_SUCCESS, that result
+ *	If digest() returns something other than ISC_R_SUCCESS, that result
  *	will be returned as the result of dns_rdata_digest().
  *
  * Returns:
  *
- *	DNS_R_SUCCESS
+ *	ISC_R_SUCCESS
  *
  *	Many other results are possible if not successful.
  */
 
+isc_boolean_t
+dns_rdatatype_questiononly(dns_rdatatype_t type);
+/*
+ * Return true iff rdata of type 'type' can only appear in the question
+ * section of a properly formatted message.
+ *
+ * Requires:
+ * 	'type' is a valid rdata type.
+ *
+ */
+
+isc_boolean_t
+dns_rdatatype_notquestion(dns_rdatatype_t type);
+/*
+ * Return true iff rdata of type 'type' can not appear in the question
+ * section of a properly formatted message.
+ *
+ * Requires:
+ * 	'type' is a valid rdata type.
+ *
+ */
+
+unsigned int
+dns_rdatatype_attributes(dns_rdatatype_t rdtype);
+/*
+ * Return attributes for the given type.
+ *
+ * Requires:
+ *	'rdtype' are known.
+ *
+ * Returns:
+ *	a bitmask consisting of the following flags.
+ */
+
+/* only one may exist for a name */
+#define DNS_RDATATYPEATTR_SINGLETON		0x00000001U
+/* requires no other data be present */
+#define DNS_RDATATYPEATTR_EXCLUSIVE		0x00000002U
+/* Is a meta type */
+#define DNS_RDATATYPEATTR_META			0x00000004U
+/* Is a DNSSEC type, like SIG or NXT */
+#define DNS_RDATATYPEATTR_DNSSEC		0x00000008U
+/* Is a zone cut authority type */
+#define DNS_RDATATYPEATTR_ZONECUTAUTH		0x00000010U
+/* Is reserved (unusable) */
+#define DNS_RDATATYPEATTR_RESERVED		0x00000020U
+/* Is an unknown type */
+#define DNS_RDATATYPEATTR_UNKNOWN		0x00000040U
+/* Is META, and can only be in a question section */
+#define DNS_RDATATYPEATTR_QUESTIONONLY		0x00000080U
+/* is META, and can NOT be in a question section */
+#define DNS_RDATATYPEATTR_NOTQUESTION		0x00000100U
+
 dns_rdatatype_t
 dns_rdata_covers(dns_rdata_t *rdata);
 /*
diff --git a/lib/dns/include/dns/rdataclass.h b/lib/dns/include/dns/rdataclass.h
index 6e4b5186..89699040 100644
--- a/lib/dns/include/dns/rdataclass.h
+++ b/lib/dns/include/dns/rdataclass.h
@@ -35,9 +35,9 @@ isc_result_t dns_rdataclass_fromtext(dns_rdataclass_t *classp,
  *	'source' is a valid text region.
  *
  * Returns:
- *	DNS_R_SUCCESS			on success
+ *	ISC_R_SUCCESS			on success
  *	DNS_R_UNKNOWN			class is unknown
- *	DNS_R_NOTIMPLEMENTED		class is known, but not implemented
+ *	ISC_R_NOTIMPLEMENTED		class is known, but not implemented
  */
 
 isc_result_t dns_rdataclass_totext(dns_rdataclass_t rdclass,
@@ -55,8 +55,8 @@ isc_result_t dns_rdataclass_totext(dns_rdataclass_t rdclass,
  *		The used space in 'target' is updated.
  *
  * Returns:
- *	DNS_R_SUCCESS			on success
- *	DNS_R_NOSPACE			target buffer is too small
+ *	ISC_R_SUCCESS			on success
+ *	ISC_R_NOSPACE			target buffer is too small
  */
 
 ISC_LANG_ENDDECLS
diff --git a/lib/dns/include/dns/rdatalist.h b/lib/dns/include/dns/rdatalist.h
index ecb2f1c5..3b1e918b 100644
--- a/lib/dns/include/dns/rdatalist.h
+++ b/lib/dns/include/dns/rdatalist.h
@@ -46,9 +46,6 @@
 #include <isc/lang.h>
 
 #include <dns/types.h>
-#include <dns/result.h>
-
-ISC_LANG_BEGINDECLS
 
 /*
  * Clients may use this type directly.
@@ -62,6 +59,8 @@ struct dns_rdatalist {
 	ISC_LINK(dns_rdatalist_t)	link;
 };
 
+ISC_LANG_BEGINDECLS
+
 void
 dns_rdatalist_init(dns_rdatalist_t *rdatalist);
 /*
@@ -95,7 +94,7 @@ dns_rdatalist_tordataset(dns_rdatalist_t *rdatalist,
  *		'rdataset' is associated with the rdata in rdatalist.
  *
  * Returns:
- *	DNS_R_SUCCESS
+ *	ISC_R_SUCCESS
  */
 
 ISC_LANG_ENDDECLS
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
index 13df2e15..fcf934d0 100644
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@@ -50,13 +50,10 @@
  *	None.
  */
 
-#include <isc/boolean.h>
-#include <isc/buffer.h>
 #include <isc/lang.h>
-#include <isc/stdtime.h>
+#include <isc/magic.h>
 
 #include <dns/types.h>
-#include <dns/result.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -71,10 +68,8 @@ typedef struct dns_rdatasetmethods {
 	unsigned int		(*count)(dns_rdataset_t *rdataset);
 } dns_rdatasetmethods_t;
 
-#define DNS_RDATASET_MAGIC		0x444E5352U	/* DNSR. */
-#define DNS_RDATASET_VALID(rdataset)	((rdataset) != NULL && \
-					 (rdataset)->magic == \
-					  DNS_RDATASET_MAGIC)
+#define DNS_RDATASET_MAGIC	       0x444E5352U	/* DNSR. */
+#define DNS_RDATASET_VALID(set)	       ISC_MAGIC_VALID(set, DNS_RDATASET_MAGIC)
 
 /*
  * Direct use of this structure by clients is strongly discouraged, except
@@ -238,8 +233,8 @@ dns_rdataset_first(dns_rdataset_t *rdataset);
  *	'rdataset' is a valid, associated rdataset.
  *
  * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_NOMORE			There are no rdata in the set.
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMORE			There are no rdata in the set.
  */
 
 isc_result_t
@@ -251,8 +246,8 @@ dns_rdataset_next(dns_rdataset_t *rdataset);
  *	'rdataset' is a valid, associated rdataset.
  *
  * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_NOMORE			There are no more rdata in the set.
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMORE			There are no more rdata in the set.
  */
 
 void
@@ -270,7 +265,7 @@ dns_rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
  *	'rdataset' is a valid, associated rdataset.
  *
  *	The rdata cursor of 'rdataset' is at a valid location (i.e. the
- *	result of last call to a cursor movement command was DNS_R_SUCCESS).
+ *	result of last call to a cursor movement command was ISC_R_SUCCESS).
  *
  * Ensures:
  *	'rdata' refers to the rdata at the rdata cursor location of
@@ -326,7 +321,7 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
  *	'countp' is a valid pointer.
  *
  * Ensures:
- *	On a return of DNS_R_SUCCESS, 'target' contains a wire format
+ *	On a return of ISC_R_SUCCESS, 'target' contains a wire format
  *	for the data contained in 'rdataset'.  Any error return leaves
  *	the buffer unchanged.
  *
@@ -334,8 +329,8 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
  *	target.
  *
  * Returns:
- *	DNS_R_SUCCESS		- all ok
- *	DNS_R_NOSPACE		- 'target' doesn't have enough room
+ *	ISC_R_SUCCESS		- all ok
+ *	ISC_R_NOSPACE		- 'target' doesn't have enough room
  *
  *	Any error returned by dns_rdata_towire(), dns_rdataset_next(),
  *	dns_name_towire().
@@ -364,7 +359,7 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
  *
  * Returns:
  *
- *	DNS_R_SUCCESS
+ *	ISC_R_SUCCESS
  *
  *	Any error that dns_rdata_additionaldata() can return.
  */
diff --git a/lib/dns/include/dns/rdatasetiter.h b/lib/dns/include/dns/rdatasetiter.h
index 6dd677da..16274ba5 100644
--- a/lib/dns/include/dns/rdatasetiter.h
+++ b/lib/dns/include/dns/rdatasetiter.h
@@ -60,13 +60,11 @@
  ***** Imports
  *****/
 
-#include <isc/boolean.h>
-#include <isc/buffer.h>
 #include <isc/lang.h>
+#include <isc/magic.h>
 #include <isc/stdtime.h>
 
 #include <dns/types.h>
-#include <dns/result.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -82,10 +80,8 @@ typedef struct dns_rdatasetitermethods {
 				   dns_rdataset_t *rdataset);
 } dns_rdatasetitermethods_t;
 
-#define DNS_RDATASETITER_MAGIC		0x444E5369U		/* DNSi. */
-#define DNS_RDATASETITER_VALID(dbi)	((dbi) != NULL && \
-					 (dbi)->magic == \
-					 DNS_RDATASETITER_MAGIC)
+#define DNS_RDATASETITER_MAGIC	     0x444E5369U		/* DNSi. */
+#define DNS_RDATASETITER_VALID(i)    ISC_MAGIC_VALID(i, DNS_RDATASETITER_MAGIC)
 
 /*
  * This structure is actually just the common prefix of a DNS db
@@ -131,8 +127,8 @@ dns_rdatasetiter_first(dns_rdatasetiter_t *iterator);
  *	'iterator' is a valid iterator.
  *
  * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_NOMORE			There are no rdatasets at the node.
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMORE			There are no rdatasets at the node.
  *
  *	Other results are possible, depending on the DB implementation.
  */
@@ -146,8 +142,8 @@ dns_rdatasetiter_next(dns_rdatasetiter_t *iterator);
  *	'iterator' is a valid iterator.
  *
  * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_NOMORE			There are no more rdatasets at the
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMORE			There are no more rdatasets at the
  *					node.
  *
  *	Other results are possible, depending on the DB implementation.
@@ -165,7 +161,7 @@ dns_rdatasetiter_current(dns_rdatasetiter_t *iterator,
  *	'rdataset' is a valid, disassociated rdataset.
  *
  *	The rdataset cursor of 'iterator' is at a valid location (i.e. the
- *	result of last call to a cursor movement command was DNS_R_SUCCESS).
+ *	result of last call to a cursor movement command was ISC_R_SUCCESS).
  */
 
 ISC_LANG_ENDDECLS
diff --git a/lib/dns/include/dns/rdataslab.h b/lib/dns/include/dns/rdataslab.h
index 6c9afa86..cef913e3 100644
--- a/lib/dns/include/dns/rdataslab.h
+++ b/lib/dns/include/dns/rdataslab.h
@@ -47,7 +47,6 @@
  *** Imports
  ***/
 
-#include <isc/region.h>
 #include <isc/lang.h>
 
 #include <dns/types.h>
@@ -74,7 +73,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
  *	region->length contains the total length allocated.
  *
  * Returns:
- *	DNS_R_SUCCESS		- successful completion
+ *	ISC_R_SUCCESS		- successful completion
  *	DNS_R_NOMEM		- no memory.
  *	<XXX others>
  */
@@ -115,4 +114,4 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 
 ISC_LANG_ENDDECLS
 
-#endif /* DNS_RDATADLAB_H */
+#endif /* DNS_RDATASLAB_H */
diff --git a/lib/dns/include/dns/rdatatype.h b/lib/dns/include/dns/rdatatype.h
index aa623687..fea2a4e7 100644
--- a/lib/dns/include/dns/rdatatype.h
+++ b/lib/dns/include/dns/rdatatype.h
@@ -35,9 +35,9 @@ isc_result_t dns_rdatatype_fromtext(dns_rdatatype_t *typep,
  *	'source' is a valid text region.
  *
  * Returns:
- *	DNS_R_SUCCESS			on success
+ *	ISC_R_SUCCESS			on success
  *	DNS_R_UNKNOWN			type is unknown
- *	DNS_R_NOTIMPLEMENTED		type is known, but not implemented
+ *	ISC_R_NOTIMPLEMENTED		type is known, but not implemented
  */
 
 isc_result_t dns_rdatatype_totext(dns_rdatatype_t type,
@@ -55,8 +55,8 @@ isc_result_t dns_rdatatype_totext(dns_rdatatype_t type,
  *		The used space in 'target' is updated.
  *
  * Returns:
- *	DNS_R_SUCCESS			on success
- *	DNS_R_NOSPACE			target buffer is too small
+ *	ISC_R_SUCCESS			on success
+ *	ISC_R_NOSPACE			target buffer is too small
  */
 
 ISC_LANG_ENDDECLS
diff --git a/lib/dns/include/dns/request.h b/lib/dns/include/dns/request.h
index a43f02e3..d4540084 100644
--- a/lib/dns/include/dns/request.h
+++ b/lib/dns/include/dns/request.h
@@ -39,26 +39,25 @@
  *	No anticipated impact.
  */
 
-#include <isc/types.h>
 #include <isc/lang.h>
 #include <isc/event.h>
 
 #include <dns/types.h>
-#include <dns/result.h>
 
 #define DNS_REQUESTOPT_TCP 0x00000001U
 
-ISC_LANG_BEGINDECLS
-
 typedef struct dns_requestevent {
         ISC_EVENT_COMMON(struct dns_requestevent);
 	isc_result_t result;
 	dns_request_t *request;
 } dns_requestevent_t;
 
+ISC_LANG_BEGINDECLS
+
 isc_result_t
 dns_requestmgr_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
-		      isc_socketmgr_t *socketmgr,
+		      isc_socketmgr_t *socketmgr, isc_taskmgr_t *taskmgr,
+		      dns_dispatchmgr_t *dispatchmgr,
 		      dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6,
 		      dns_requestmgr_t **requestmgrp);
 /*
@@ -72,6 +71,8 @@ dns_requestmgr_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
  *
  *	'socketmgr' is a valid socket manager.
  *
+ *	'taskmgr' is a valid task manager.
+ *
  *	'dispatchv4' is a valid dispatcher with an IPv4 UDP socket, or is NULL.
  *
  *	'dispatchv6' is a valid dispatcher with an IPv6 UDP socket, or is NULL.
@@ -130,10 +131,32 @@ dns_requestmgr_shutdown(dns_requestmgr_t *requestmgr);
 
 void
 dns_requestmgr_attach(dns_requestmgr_t *source, dns_requestmgr_t **targetp);
+/*
+ *	Attach to the request manager.  dns_requestmgr_shutdown() must not
+ *	have been called on 'source' prior to calling dns_requestmgr_attach().
+ *
+ * Requires:
+ *
+ *	'source' is a valid requestmgr.
+ *
+ *	'targetp' to be non NULL and '*targetp' to be NULL.
+ */
 
 void
 dns_requestmgr_detach(dns_requestmgr_t **requestmgrp);
-
+/*
+ *
+ *	Detach from the given requestmgr.  If this is the final detach
+ *	requestmgr will be destroyed.  dns_requestmgr_shutdown() must
+ *	be called before the final detach.
+ *
+ * Requires:
+ *
+ *	'*requestmgrp' is a valid requestmgr.
+ *
+ * Ensures:
+ *	'*requestmgrp' is NULL.
+ */
 
 isc_result_t
 dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
@@ -182,9 +205,13 @@ dns_request_cancel(dns_request_t *request);
  */
 
 isc_result_t
-dns_request_getresponse(dns_request_t *request, dns_message_t *message);
+dns_request_getresponse(dns_request_t *request, dns_message_t *message,
+			isc_boolean_t preserve_order);
 /*
- * Get the response to 'request'.
+ * Get the response to 'request' by filling in 'message'.
+ *
+ * 'preserve_order' is passed to dns_message_parse().  See dns_message_parse()
+ * for more details.
  *
  * Requires:
  *
diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
index e0aab783..14c60b51 100644
--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@@ -45,15 +45,11 @@
  *	Drafts:	<TBS>
  */
 
-#include <isc/types.h>
 #include <isc/lang.h>
-#include <isc/event.h>
 #include <isc/socket.h>
 
 #include <dns/types.h>
-#include <dns/name.h>
 #include <dns/fixedname.h>
-#include <dns/result.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -81,10 +77,11 @@ typedef struct dns_fetchevent {
 /*
  * Options that modify how a 'fetch' is done.
  */
-#define DNS_FETCHOPT_TCP		0x01		/* Use TCP. */
-#define DNS_FETCHOPT_UNSHARED		0x02		/* See below. */
-#define DNS_FETCHOPT_RECURSIVE		0x04		/* Set RD? */
-#define DNS_FETCHOPT_NOEDNS0		0x08		/* Do not use EDNS. */
+#define DNS_FETCHOPT_TCP		0x01	     /* Use TCP. */
+#define DNS_FETCHOPT_UNSHARED		0x02	     /* See below. */
+#define DNS_FETCHOPT_RECURSIVE		0x04	     /* Set RD? */
+#define DNS_FETCHOPT_NOEDNS0		0x08	     /* Do not use EDNS. */
+#define DNS_FETCHOPT_FORWARDONLY	0x10	     /* Only use forwarders. */
 
 /*
  * XXXRTH  Should this API be made semi-private?  (I.e.
@@ -97,6 +94,7 @@ dns_resolver_create(dns_view_t *view,
 		    isc_socketmgr_t *socketmgr,
 		    isc_timermgr_t *timermgr,
 		    unsigned int options,
+		    dns_dispatchmgr_t *dispatchmgr,
 		    dns_dispatch_t *dispatchv4,
 		    dns_dispatch_t *dispatchv6,
 		    dns_resolver_t **resp);
@@ -308,7 +306,6 @@ dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
  *
  *	Many other values are possible, all of which indicate failure.
  */
- 
 
 void
 dns_resolver_cancelfetch(dns_fetch_t *fetch);
@@ -342,6 +339,21 @@ dns_resolver_destroyfetch(dns_fetch_t **fetchp);
  *	*fetchp == NULL.
  */
 
+dns_dispatchmgr_t *
+dns_resolver_dispatchmgr(dns_resolver_t *resolver);
+
+dns_dispatch_t *
+dns_resolver_dispatchv4(dns_resolver_t *resolver);
+
+dns_dispatch_t *
+dns_resolver_dispatchv6(dns_resolver_t *resolver);
+
+isc_socketmgr_t *
+dns_resolver_socketmgr(dns_resolver_t *resolver);
+
+isc_taskmgr_t *
+dns_resolver_taskmgr(dns_resolver_t *resolver);
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_RESOLVER_H */
diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h
index 267ad7c7..6efa216d 100644
--- a/lib/dns/include/dns/result.h
+++ b/lib/dns/include/dns/result.h
@@ -19,28 +19,17 @@
 #define DNS_RESULT_H 1
 
 #include <isc/lang.h>
-#include <isc/result.h>
 #include <isc/resultclass.h>
 
 #include <dns/types.h>
 
-ISC_LANG_BEGINDECLS
-
 /*
- * XXXRTH  Legacy result codes, to be eliminated before public release.
+ * Nothing in this file truly depends on <isc/result.h>, but the
+ * DNS result codes are considered to be publicly derived from
+ * the ISC result codes, so including this file buys you the ISC_R_
+ * namespace too.
  */
-#define DNS_R_SUCCESS			ISC_R_SUCCESS
-#define DNS_R_NOMEMORY			ISC_R_NOMEMORY
-#define DNS_R_NOSPACE			ISC_R_NOSPACE
-#define DNS_R_NOTIMPLEMENTED		ISC_R_NOTIMPLEMENTED
-#define DNS_R_NOMORE			ISC_R_NOMORE
-#define DNS_R_EXISTS			ISC_R_EXISTS
-#define DNS_R_NOTFOUND			ISC_R_NOTFOUND
-#define DNS_R_BADBASE64			ISC_R_BADBASE64
-#define DNS_R_TIMEDOUT			ISC_R_TIMEDOUT
-#define DNS_R_CANCELED			ISC_R_CANCELED
-#define DNS_R_UNEXPECTED		ISC_R_UNEXPECTED
-#define DNS_R_NXRDATASET		DNS_R_NXRRSET
+#include <isc/result.h>		/* Contractual promise. */
 
 /*
  * DNS library result codes
@@ -51,7 +40,7 @@ ISC_LANG_BEGINDECLS
 #define DNS_R_BITSTRINGTOOLONG		(ISC_RESULTCLASS_DNS + 3)
 #define DNS_R_EMPTYLABEL		(ISC_RESULTCLASS_DNS + 4)
 #define DNS_R_BADDOTTEDQUAD		(ISC_RESULTCLASS_DNS + 5)
-#define DNS_R_UNEXPECTEDEND		(ISC_RESULTCLASS_DNS + 6)
+/* 6 is unused */
 #define DNS_R_UNKNOWN			(ISC_RESULTCLASS_DNS + 7)
 #define DNS_R_BADLABELTYPE		(ISC_RESULTCLASS_DNS + 8)
 #define DNS_R_BADPOINTER		(ISC_RESULTCLASS_DNS + 9)
@@ -60,14 +49,14 @@ ISC_LANG_BEGINDECLS
 #define DNS_R_EXTRATOKEN		(ISC_RESULTCLASS_DNS + 12)
 #define DNS_R_EXTRADATA			(ISC_RESULTCLASS_DNS + 13)
 #define DNS_R_TEXTTOOLONG		(ISC_RESULTCLASS_DNS + 14)
-#define DNS_R_RANGE			(ISC_RESULTCLASS_DNS + 15)
+/* 15 is unused */
 #define DNS_R_SYNTAX			(ISC_RESULTCLASS_DNS + 16)
 #define DNS_R_BADCKSUM			(ISC_RESULTCLASS_DNS + 17)
 #define DNS_R_BADAAAA			(ISC_RESULTCLASS_DNS + 18)
 #define DNS_R_NOOWNER			(ISC_RESULTCLASS_DNS + 19)
 #define DNS_R_NOTTL			(ISC_RESULTCLASS_DNS + 20)
 #define DNS_R_BADCLASS			(ISC_RESULTCLASS_DNS + 21)
-#define DNS_R_UNEXPECTEDTOKEN		(ISC_RESULTCLASS_DNS + 22)
+/* 22 is unused */
 #define DNS_R_PARTIALMATCH		(ISC_RESULTCLASS_DNS + 23)
 #define DNS_R_NEWORIGIN			(ISC_RESULTCLASS_DNS + 24)
 #define DNS_R_UNCHANGED			(ISC_RESULTCLASS_DNS + 25)
@@ -104,8 +93,11 @@ ISC_LANG_BEGINDECLS
 #define DNS_R_NOJOURNAL			(ISC_RESULTCLASS_DNS + 56)
 #define DNS_R_ALIAS			(ISC_RESULTCLASS_DNS + 57)
 #define DNS_R_USETCP			(ISC_RESULTCLASS_DNS + 58)
+#define DNS_R_NOVALIDSIG		(ISC_RESULTCLASS_DNS + 59)
+#define DNS_R_NOVALIDNXT		(ISC_RESULTCLASS_DNS + 60)
+#define DNS_R_NOTINSECURE		(ISC_RESULTCLASS_DNS + 61)
 
-#define DNS_R_NRESULTS			59	/* Number of results */
+#define DNS_R_NRESULTS			62	/* Number of results */
 
 /*
  * DNS wire format rcodes
@@ -131,9 +123,16 @@ ISC_LANG_BEGINDECLS
 #define DNS_RESULT_ISRCODE(result) \
 	(ISC_RESULTCLASS_INCLASS(ISC_RESULTCLASS_DNSRCODE, (result)))
 
-char *				dns_result_totext(isc_result_t);
-void				dns_result_register(void);
-dns_rcode_t			dns_result_torcode(isc_result_t result);
+ISC_LANG_BEGINDECLS
+
+char *
+dns_result_totext(isc_result_t);
+
+void
+dns_result_register(void);
+
+dns_rcode_t
+dns_result_torcode(isc_result_t result);
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/dns/include/dns/rootns.h b/lib/dns/include/dns/rootns.h
index 87bfa1fb..a5cc8302 100644
--- a/lib/dns/include/dns/rootns.h
+++ b/lib/dns/include/dns/rootns.h
@@ -19,15 +19,14 @@
 #define DNS_ROOTNS_H 1
 
 #include <isc/lang.h>
-#include <isc/types.h>
-#include <isc/result.h>
 
 #include <dns/types.h>
 
 ISC_LANG_BEGINDECLS
 
-isc_result_t dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
-			       const char *filename, dns_db_t **target);
+isc_result_t
+dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+                  const char *filename, dns_db_t **target);
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/dns/include/dns/secalg.h b/lib/dns/include/dns/secalg.h
index 30886f14..0de257cd 100644
--- a/lib/dns/include/dns/secalg.h
+++ b/lib/dns/include/dns/secalg.h
@@ -24,8 +24,8 @@
 
 ISC_LANG_BEGINDECLS
 
-isc_result_t dns_secalg_fromtext(dns_secalg_t *secalgp,
-				 isc_textregion_t *source);
+isc_result_t
+dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source);
 /*
  * Convert the text 'source' refers to into a DNSSEC security algorithm value.
  * The text may contain either a mnemonic algorithm name or a decimal algorithm
@@ -37,12 +37,13 @@ isc_result_t dns_secalg_fromtext(dns_secalg_t *secalgp,
  *	'source' is a valid text region.
  *
  * Returns:
- *	DNS_R_SUCCESS			on success
+ *	ISC_R_SUCCESS			on success
+ *	ISC_R_RANGE			numeric type is out of range
  *	DNS_R_UNKNOWN			mnemonic type is unknown
- *	DNS_R_RANGE			numeric type is out of range
  */
 
-isc_result_t dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target);
+isc_result_t
+dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target);
 /*
  * Put a textual representation of the DNSSEC security algorithm 'secalg'
  * into 'target'.
@@ -57,8 +58,8 @@ isc_result_t dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target);
  *		The used space in 'target' is updated.
  *
  * Returns:
- *	DNS_R_SUCCESS			on success
- *	DNS_R_NOSPACE			target buffer is too small
+ *	ISC_R_SUCCESS			on success
+ *	ISC_R_NOSPACE			target buffer is too small
  */
 
 ISC_LANG_ENDDECLS
diff --git a/lib/dns/include/dns/secproto.h b/lib/dns/include/dns/secproto.h
index 4f4e8a3f..7bd9f3fa 100644
--- a/lib/dns/include/dns/secproto.h
+++ b/lib/dns/include/dns/secproto.h
@@ -24,8 +24,8 @@
 
 ISC_LANG_BEGINDECLS
 
-isc_result_t dns_secproto_fromtext(dns_secproto_t *secprotop,
-				   isc_textregion_t *source);
+isc_result_t
+dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source);
 /*
  * Convert the text 'source' refers to into a DNSSEC security protocol value.
  * The text may contain either a mnemonic protocol name or a decimal protocol
@@ -37,9 +37,9 @@ isc_result_t dns_secproto_fromtext(dns_secproto_t *secprotop,
  *	'source' is a valid text region.
  *
  * Returns:
- *	DNS_R_SUCCESS			on success
+ *	ISC_R_SUCCESS			on success
+ *	ISC_R_RANGE			numeric type is out of range
  *	DNS_R_UNKNOWN			mnemonic type is unknown
- *	DNS_R_RANGE			numeric type is out of range
  */
 
 isc_result_t
@@ -58,8 +58,8 @@ dns_secproto_totext(dns_secproto_t secproto, isc_buffer_t *target);
  *		The used space in 'target' is updated.
  *
  * Returns:
- *	DNS_R_SUCCESS			on success
- *	DNS_R_NOSPACE			target buffer is too small
+ *	ISC_R_SUCCESS			on success
+ *	ISC_R_NOSPACE			target buffer is too small
  */
 
 ISC_LANG_ENDDECLS
diff --git a/lib/dns/include/dns/ssu.h b/lib/dns/include/dns/ssu.h
index 9fce445d..c4c35139 100644
--- a/lib/dns/include/dns/ssu.h
+++ b/lib/dns/include/dns/ssu.h
@@ -18,10 +18,7 @@
 #ifndef DNS_SSU_H
 #define DNS_SSU_H 1
 
-#include <isc/types.h>
 #include <isc/lang.h>
-#include <isc/list.h>
-#include <isc/rwlock.h>
 
 #include <dns/types.h>
 
diff --git a/lib/dns/include/dns/tcpmsg.h b/lib/dns/include/dns/tcpmsg.h
index ab94280e..e253d2a0 100644
--- a/lib/dns/include/dns/tcpmsg.h
+++ b/lib/dns/include/dns/tcpmsg.h
@@ -16,13 +16,13 @@
  */
 
 #ifndef DNS_TCPMSG_H
-#define DNS_TCPMSG_H
+#define DNS_TCPMSG_H 1
 
 #include <isc/buffer.h>
-#include <isc/int.h>
+#include <isc/lang.h>
 #include <isc/socket.h>
 
-typedef struct {
+typedef struct dns_tcpmsg {
 	/* private (don't touch!) */
 	unsigned int		magic;
 	isc_uint16_t		size;
@@ -39,6 +39,8 @@ typedef struct {
 	isc_sockaddr_t		address;
 } dns_tcpmsg_t;
 
+ISC_LANG_BEGINDECLS
+
 void
 dns_tcpmsg_init(isc_mem_t *mctx, isc_socket_t *sock, dns_tcpmsg_t *tcpmsg);
 /*
@@ -136,4 +138,6 @@ dns_tcpmsg_invalidate(dns_tcpmsg_t *tcpmsg);
  *	sockets, etc.
  */
 
+ISC_LANG_ENDDECLS
+
 #endif /* DNS_TCPMSG_H */
diff --git a/lib/dns/include/dns/time.h b/lib/dns/include/dns/time.h
index 12953ff5..9c3d88fb 100644
--- a/lib/dns/include/dns/time.h
+++ b/lib/dns/include/dns/time.h
@@ -22,9 +22,8 @@
  ***	Imports
  ***/
 
-#include <isc/lang.h>
-#include <isc/int.h>
 #include <isc/buffer.h>
+#include <isc/lang.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -32,27 +31,31 @@ ISC_LANG_BEGINDECLS
  ***	Functions
  ***/
 
-isc_result_t dns_time64_fromtext(char *source, isc_int64_t *target);
+isc_result_t
+dns_time64_fromtext(char *source, isc_int64_t *target);
 /*
  * Convert a date and time in YYYYMMDDHHMMSS text format at 'source'
  * into to a 64-bit count of seconds since Jan 1 1970 0:00 GMT.  
  * Store the count at 'target'.
  */ 
 
-isc_result_t dns_time32_fromtext(char *source, isc_uint32_t *target);
+isc_result_t
+dns_time32_fromtext(char *source, isc_uint32_t *target);
 /*
  * Like dns_time64_fromtext, but returns the second count modulo 2^32
  * as per RFC2535.
  */
 	
 
-isc_result_t dns_time64_totext(isc_int64_t value, isc_buffer_t *target);
+isc_result_t
+dns_time64_totext(isc_int64_t value, isc_buffer_t *target);
 /*
  * Convert a 64-bit count of seconds since Jan 1 1970 0:00 GMT into 
  * a YYYYMMDDHHMMSS text representation and append it to 'target'.
  */
 
-isc_result_t dns_time32_totext(isc_uint32_t value, isc_buffer_t *target);
+isc_result_t
+dns_time32_totext(isc_uint32_t value, isc_buffer_t *target);
 /*
  * Like dns_time64_totext, but for a 32-bit cyclic time value.
  * Of those dates whose counts of seconds since Jan 1 1970 0:00 GMT
@@ -62,4 +65,4 @@ isc_result_t dns_time32_totext(isc_uint32_t value, isc_buffer_t *target);
 
 ISC_LANG_ENDDECLS
 
-#endif	/* DNS_TIME_H */
+#endif /* DNS_TIME_H */
diff --git a/lib/dns/include/dns/tkey.h b/lib/dns/include/dns/tkey.h
index 3ed6b04c..bc4e4a87 100644
--- a/lib/dns/include/dns/tkey.h
+++ b/lib/dns/include/dns/tkey.h
@@ -18,11 +18,9 @@
 #ifndef DNS_TKEY_H
 #define DNS_TKEY_H 1
 
-#include <isc/types.h>
 #include <isc/lang.h>
 
 #include <dns/types.h>
-#include <dns/name.h>
 
 #include <dst/dst.h>
 
diff --git a/lib/dns/include/dns/tkeyconf.h b/lib/dns/include/dns/tkeyconf.h
index 16588515..1c49a7ca 100644
--- a/lib/dns/include/dns/tkeyconf.h
+++ b/lib/dns/include/dns/tkeyconf.h
@@ -21,13 +21,13 @@
 #include <isc/types.h>
 #include <isc/lang.h>
 
-#include <dns/tkey.h>
 #include <dns/confctx.h>
 
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-dns_tkeyctx_fromconfig(dns_c_ctx_t *cfg, isc_mem_t *mctx, dns_tkey_ctx_t **tctxp);
+dns_tkeyctx_fromconfig(dns_c_ctx_t *cfg, isc_mem_t *mctx,
+		       dns_tkey_ctx_t **tctxp);
 /*
  * 	Create a TKEY context and configure it, including the default DH key
  *	and default domain, according to 'cfg'.
diff --git a/lib/dns/include/dns/tsig.h b/lib/dns/include/dns/tsig.h
index 30803722..b301ac67 100644
--- a/lib/dns/include/dns/tsig.h
+++ b/lib/dns/include/dns/tsig.h
@@ -18,7 +18,6 @@
 #ifndef DNS_TSIG_H
 #define DNS_TSIG_H 1
 
-#include <isc/types.h>
 #include <isc/lang.h>
 #include <isc/rwlock.h>
 #include <isc/stdtime.h>
@@ -28,14 +27,16 @@
 
 #include <dst/dst.h>
 
-ISC_LANG_BEGINDECLS
-
-/* Standard algorithm */
+/*
+ * Standard algorithm.
+ */
 #define DNS_TSIG_HMACMD5		"HMAC-MD5.SIG-ALG.REG.INT."
 extern dns_name_t *dns_tsig_hmacmd5_name;
 #define DNS_TSIG_HMACMD5_NAME		dns_tsig_hmacmd5_name
 
-/* Default fudge value. */
+/*
+ * Default fudge value.
+ */
 #define DNS_TSIG_FUDGE			300
 
 struct dns_tsig_keyring {
@@ -68,6 +69,8 @@ struct dns_tsigkey {
 #define dns_tsigkey_identity(tsigkey) \
 	((tsigkey)->generated ? ((tsigkey)->creator) : (&((tsigkey)->name)))
 
+ISC_LANG_BEGINDECLS
+
 isc_result_t
 dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
 		   unsigned char *secret, int length, isc_boolean_t generated,
@@ -94,7 +97,7 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
  *	Returns:
  *		ISC_R_SUCCESS
  *		ISC_R_EXISTS - a key with this name already exists
- *		DNS_R_NOTIMPLEMENTED - algorithm is not implemented
+ *		ISC_R_NOTIMPLEMENTED - algorithm is not implemented
  *		ISC_R_NOMEMORY
  */
 
@@ -150,7 +153,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
  *		'dring' is a valid keyring or NULL
  *
  *	Returns:
- *		DNS_R_SUCCESS
+ *		ISC_R_SUCCESS
  *		ISC_R_NOMEMORY
  *		DNS_R_EXPECTEDTSIG - A TSIG was expected but not seen
  *		DNS_R_UNEXPECTEDTSIG - A TSIG was seen but not expected
diff --git a/lib/dns/include/dns/tsigconf.h b/lib/dns/include/dns/tsigconf.h
index c43067f6..d97c9c94 100644
--- a/lib/dns/include/dns/tsigconf.h
+++ b/lib/dns/include/dns/tsigconf.h
@@ -21,7 +21,6 @@
 #include <isc/types.h>
 #include <isc/lang.h>
 
-#include <dns/tsig.h>
 #include <dns/confctx.h>
 
 ISC_LANG_BEGINDECLS
diff --git a/lib/dns/include/dns/ttl.h b/lib/dns/include/dns/ttl.h
index 0f594b94..c83e1080 100644
--- a/lib/dns/include/dns/ttl.h
+++ b/lib/dns/include/dns/ttl.h
@@ -22,8 +22,8 @@
  ***	Imports
  ***/
 
+#include <isc/lang.h>
 #include <isc/types.h>
-#include <isc/buffer.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -45,8 +45,8 @@ dns_ttl_totext(isc_uint32_t src, isc_boolean_t verbose,
  * in "dig", like "1 week 2 days 3 hours 4 minutes 5 seconds".
  *
  * Returns:
- * 	DNS_R_SUCCESS
- * 	DNS_R_NOSPACE
+ * 	ISC_R_SUCCESS
+ * 	ISC_R_NOSPACE
  */
 
 isc_result_t
@@ -55,7 +55,7 @@ dns_counter_fromtext(isc_textregion_t *source, isc_uint32_t *ttl);
  * Converts a counter from either a plain number or a BIND 8 style value.
  *
  * Returns:
- *	DNS_R_SUCCESS
+ *	ISC_R_SUCCESS
  *	DNS_R_SYNTAX
  */
 
@@ -65,10 +65,10 @@ dns_ttl_fromtext(isc_textregion_t *source, isc_uint32_t *ttl);
  * Converts a ttl from either a plain number or a BIND 8 style value.
  *
  * Returns:
- *	DNS_R_SUCCESS
+ *	ISC_R_SUCCESS
  *	DNS_R_BADTTL
  */
 
 ISC_LANG_ENDDECLS
 
-#endif	/* DNS_MASTER_H */
+#endif /* DNS_TTL_H */
diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index 127451f9..132785a8 100644
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -4,7 +4,7 @@
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
- * 
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
  * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
  * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
@@ -27,89 +27,79 @@
  */
 
 #include <isc/types.h>
-#include <isc/lang.h>
-#include <isc/region.h>
-#include <isc/int.h>
-#include <isc/list.h>
 
-ISC_LANG_BEGINDECLS
-
-typedef isc_region_t				dns_label_t;
-typedef struct dns_name				dns_name_t;
-typedef ISC_LIST(dns_name_t)			dns_namelist_t;
-typedef struct dns_fixedname			dns_fixedname_t;
+typedef struct dns_a6context			dns_a6context_t;
+typedef struct dns_acl 				dns_acl_t;
+typedef struct dns_aclelement 			dns_aclelement_t;
+typedef struct dns_aclenv			dns_aclenv_t;
+typedef struct dns_adb				dns_adb_t;
+typedef struct dns_adbaddrinfo			dns_adbaddrinfo_t;
+typedef ISC_LIST(dns_adbaddrinfo_t)		dns_adbaddrinfolist_t;
+typedef struct dns_adbentry			dns_adbentry_t;
+typedef struct dns_adbfind			dns_adbfind_t;
+typedef ISC_LIST(dns_adbfind_t)			dns_adbfindlist_t;
+typedef struct dns_byaddr			dns_byaddr_t;
+typedef struct dns_cache			dns_cache_t;
+typedef isc_uint16_t				dns_cert_t;
+typedef struct dns_compress			dns_compress_t;
 typedef struct dns_db				dns_db_t;
-typedef void					dns_dbnode_t;
+typedef struct dns_dbiterator			dns_dbiterator_t;
 typedef void					dns_dbload_t;
+typedef void					dns_dbnode_t;
+typedef struct dns_dbtable			dns_dbtable_t;
 typedef void					dns_dbversion_t;
-typedef struct dns_dbiterator			dns_dbiterator_t;
-typedef unsigned char				dns_offsets_t[128];
-typedef struct dns_compress			dns_compress_t;
 typedef struct dns_decompress			dns_decompress_t;
-typedef isc_uint8_t				dns_secalg_t;
-typedef isc_uint8_t				dns_secproto_t;
+typedef struct dns_dispatch			dns_dispatch_t;
+typedef struct dns_dispatchevent		dns_dispatchevent_t;
+typedef struct dns_dispatchlist			dns_dispatchlist_t;
+typedef struct dns_dispatchmgr			dns_dispatchmgr_t;
+typedef struct dns_dispentry			dns_dispentry_t;
+typedef struct dns_fetch			dns_fetch_t;
+typedef struct dns_fixedname			dns_fixedname_t;
+typedef struct dns_forwarders			dns_forwarders_t;
 typedef isc_uint16_t				dns_keyflags_t;
+typedef struct dns_keynode			dns_keynode_t;
+typedef struct dns_keytable			dns_keytable_t;
 typedef isc_uint16_t				dns_keytag_t;
-typedef isc_uint16_t				dns_rdataclass_t;
-typedef isc_uint16_t				dns_rdatatype_t;
-typedef isc_uint16_t				dns_rcode_t;
+typedef struct dns_message			dns_message_t;
+typedef isc_uint16_t				dns_messageid_t;
+typedef isc_region_t				dns_label_t;
+typedef struct dns_name				dns_name_t;
+typedef ISC_LIST(dns_name_t)			dns_namelist_t;
 typedef isc_uint16_t				dns_opcode_t;
-typedef isc_uint16_t				dns_cert_t;
-typedef isc_uint32_t				dns_ttl_t;
-typedef isc_uint64_t				dns_bitset_t;
+typedef unsigned char				dns_offsets_t[128];
+typedef struct dns_peer				dns_peer_t;
+typedef struct dns_peerlist			dns_peerlist_t;
+typedef struct dns_rbt				dns_rbt_t;
+typedef isc_uint16_t				dns_rcode_t;
 typedef struct dns_rdata			dns_rdata_t;
+typedef struct dns_rdatacallbacks		dns_rdatacallbacks_t;
+typedef isc_uint16_t				dns_rdataclass_t;
 typedef struct dns_rdatalist			dns_rdatalist_t;
-typedef struct dns_signature			dns_signature_t;
 typedef struct dns_rdataset			dns_rdataset_t;
 typedef ISC_LIST(dns_rdataset_t)		dns_rdatasetlist_t;
 typedef struct dns_rdatasetiter			dns_rdatasetiter_t;
-typedef struct dns_dbtable			dns_dbtable_t;
+typedef isc_uint16_t				dns_rdatatype_t;
+typedef struct dns_request			dns_request_t;
+typedef struct dns_requestmgr			dns_requestmgr_t;
 typedef struct dns_resolver			dns_resolver_t;
-typedef struct dns_fetch			dns_fetch_t;
-typedef struct dns_adb				dns_adb_t;
-typedef struct dns_adbentry			dns_adbentry_t;
-typedef struct dns_adbaddrinfo			dns_adbaddrinfo_t;
-typedef ISC_LIST(dns_adbaddrinfo_t)		dns_adbaddrinfolist_t;
-typedef struct dns_adbfind			dns_adbfind_t;
-typedef ISC_LIST(dns_adbfind_t)			dns_adbfindlist_t;
-typedef struct dns_forwarders			dns_forwarders_t;
-typedef struct dns_message			dns_message_t;
-typedef isc_uint16_t				dns_messageid_t;
+typedef isc_uint8_t				dns_secalg_t;
+typedef isc_uint8_t				dns_secproto_t;
+typedef struct dns_signature			dns_signature_t;
+typedef struct dns_ssurule			dns_ssurule_t;
+typedef struct dns_ssutable			dns_ssutable_t;
+typedef struct dns_tkey_ctx			dns_tkey_ctx_t;
 typedef isc_uint16_t				dns_trust_t;
-typedef struct dns_dispatch			dns_dispatch_t;
-typedef struct dns_dispentry			dns_dispentry_t;
-typedef struct dns_dispatchevent		dns_dispatchevent_t;
-typedef struct dns_tsigkey			dns_tsigkey_t;
 typedef struct dns_tsig_keyring			dns_tsig_keyring_t;
-typedef struct dns_tkey_ctx			dns_tkey_ctx_t;
+typedef struct dns_tsigkey			dns_tsigkey_t;
+typedef isc_uint32_t				dns_ttl_t;
+typedef struct dns_validator			dns_validator_t;
 typedef struct dns_view				dns_view_t;
 typedef ISC_LIST(dns_view_t)			dns_viewlist_t;
 typedef struct dns_zone				dns_zone_t;
+typedef ISC_LIST(dns_zone_t)			dns_zonelist_t;
 typedef struct dns_zonemgr			dns_zonemgr_t;
-typedef struct dns_zone_callbackarg		dns_zone_callbackarg_t;
-typedef struct dns_a6context			dns_a6context_t;
-typedef struct dns_rbt				dns_rbt_t;
 typedef struct dns_zt				dns_zt_t;
-typedef struct dns_cache			dns_cache_t;
-typedef struct dns_aclelement 			dns_aclelement_t;
-typedef struct dns_acl 				dns_acl_t;
-typedef struct dns_aclenv			dns_aclenv_t;
-typedef struct dns_byaddr			dns_byaddr_t;
-typedef struct dns_ssutable			dns_ssutable_t;
-typedef struct dns_ssurule			dns_ssurule_t;
-typedef struct dns_validator			dns_validator_t;
-typedef struct dns_keytable			dns_keytable_t;
-typedef struct dns_keynode			dns_keynode_t;
-typedef struct dns_peer				dns_peer_t;
-typedef struct dns_peerlist			dns_peerlist_t;
-typedef struct dns_xfrinlist			dns_xfrinlist_t;
-typedef struct dns_requestmgr			dns_requestmgr_t;
-typedef struct dns_request			dns_request_t;
-
-typedef enum {
-	dns_labeltype_ordinary = 0,
-	dns_labeltype_bitstring = 1
-} dns_labeltype_t;
 
 typedef enum {
 	dns_bitlabel_0 = 0,
@@ -117,8 +107,15 @@ typedef enum {
 } dns_bitlabel_t;
 
 typedef enum {
-	dns_one_answer, dns_many_answers
-} dns_transfer_format_t;
+	dns_fwdpolicy_none = 0,
+	dns_fwdpolicy_first = 1,
+	dns_fwdpolicy_only = 2
+} dns_fwdpolicy_t;
+
+typedef enum {
+	dns_labeltype_ordinary = 0,
+	dns_labeltype_bitstring = 1
+} dns_labeltype_t;
 
 typedef enum {
 	dns_namereln_none = 0,
@@ -129,16 +126,14 @@ typedef enum {
 } dns_namereln_t;
 
 typedef enum {
-	dns_fwdpolicy_none = 0,
-	dns_fwdpolicy_first = 1,
-	dns_fwdpolicy_only = 2
-} dns_fwdpolicy_t;
+	dns_one_answer, dns_many_answers
+} dns_transfer_format_t;
 
 #include <dns/enumtype.h>
 
 enum {
 	dns_rdatatype_none = 0,
-	TYPEENUM
+	DNS_TYPEENUM
 	dns_rdatatype_ixfr = 251,
 	dns_rdatatype_axfr = 252,
 	dns_rdatatype_mailb = 253,
@@ -148,16 +143,18 @@ enum {
 
 #include <dns/enumclass.h>
 enum {
-	CLASSENUM
+	DNS_CLASSENUM
 	dns_rdataclass_ch = 3,
 	dns_rdataclass_none = 254	/* RFC2136 */
 };
 
 /*
- * rcodes
+ * rcodes.
  */
 enum {
-	/* standard rcodes */
+	/*
+	 * Standard rcodes.
+	 */
 	dns_rcode_noerror = 0,
 	dns_rcode_formerr = 1,
 	dns_rcode_servfail = 2,
@@ -169,12 +166,14 @@ enum {
 	dns_rcode_nxrrset = 8,
 	dns_rcode_notauth = 9,
 	dns_rcode_notzone = 10,
-	/* extended rcodes */
+	/*
+	 * Extended rcodes.
+	 */
 	dns_rcode_badvers = 16
 };
 
 /*
- * TSIG errors
+ * TSIG errors.
  */
 enum {
 	dns_tsigerror_badsig = 16,
@@ -186,7 +185,7 @@ enum {
 };
 
 /*
- * Opcodes
+ * Opcodes.
  */
 enum {
 	dns_opcode_query = 0,
@@ -208,7 +207,8 @@ enum {
 	dns_trust_authauthority = 5,
 	dns_trust_authanswer = 6,
 	dns_trust_secure = 7,
-	dns_trust_authsecure = 8
+	dns_trust_authsecure = 8,
+	dns_trust_ultimate = 9
 };
 
 /*
@@ -223,7 +223,6 @@ typedef enum {
 /*
  * Functions.
  */
-
 typedef isc_result_t
 (*dns_addrdatasetfunc_t)(void *, dns_name_t *, dns_rdataset_t *);
 
@@ -236,20 +235,4 @@ typedef isc_result_t
 typedef void
 (*dns_xfrindone_t)(dns_zone_t *, isc_result_t);
 
-
-#ifndef DNS_SETBIT
-
-/* XXXJAB there must be a better file for these. */
-
-#define DNS_SETBIT(bit, bitset) \
-     (*(bitset) |= ((dns_bitset_t)1 << (bit)))
-#define DNS_CLEARBIT(bit, bitset) \
-     (*(bitset) &= ~((dns_bitset_t)1 << (bit)))
-#define DNS_CHECKBIT(bit, bitset) \
-     ISC_TF((*(bitset) & ((dns_bitset_t)1 << (bit))) == ((dns_bitset_t)1 << (bit)))
-
-#endif
-
-ISC_LANG_ENDDECLS
-
 #endif /* DNS_TYPES_H */
diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h
index 81b2f3dd..96ad809e 100644
--- a/lib/dns/include/dns/validator.h
+++ b/lib/dns/include/dns/validator.h
@@ -45,19 +45,15 @@
  *	Drafts:	<TBS>
  */
 
-#include <isc/types.h>
 #include <isc/lang.h>
 #include <isc/event.h>
 
 #include <dns/types.h>
-#include <dns/result.h>
-
-ISC_LANG_BEGINDECLS
 
 /*
  * A dns_validatorevent_t is sent when a 'validation' completes.
  *
- * 'rdataset', 'sigrdataset', and 'message' are the values that were
+ * 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were
  * supplied when dns_validator_create() was called.  They are returned to the
  * caller so that they may be freed.
  */
@@ -66,23 +62,81 @@ typedef struct dns_validatorevent {
 	dns_validator_t *		validator;
 	isc_result_t			result;
 	dns_name_t *			name;
+	dns_rdatatype_t			type;
 	dns_rdataset_t *		rdataset;
 	dns_rdataset_t *		sigrdataset;
 	dns_message_t *			message;
 } dns_validatorevent_t;
 
+ISC_LANG_BEGINDECLS
+
 isc_result_t
-dns_validator_create(dns_view_t *view, dns_name_t *name,
+dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
 		     dns_message_t *message, unsigned int options,
 		     isc_task_t *task, isc_taskaction_t action, void *arg,
 		     dns_validator_t **validatorp);
+/*
+ * Start a DNSSEC validation.
+ *
+ * This validates a response to the question given by
+ * 'name' and 'type'.
+ *
+ * To validate a positive response, the response data is
+ * given by 'rdataset' and 'sigrdataset'.  If 'sigrdataset'
+ * is NULL, the data is presumed insecure and an attempt
+ * is made to prove its insecurity by finding the appropriate
+ * null key.
+ *
+ * The complete response message may be given in 'message',
+ * to make available any authority section NXTs that may be
+ * needed for validation of a response resulting from a 
+ * wildcard expansion (though no such wildcard validation 
+ * is implemented yet).  If the complete response message
+ * is not available, 'message' is NULL.
+ *
+ * To validate a negative response, the complete negative response
+ * message is given in 'message'.  The 'rdataset', and 
+ * 'sigrdataset' arguments must be NULL, but the 'name' and 'type'
+ * arguments must be provided.
+ *
+ * The validation is performed in the context of 'view'.
+ * 'options' must be zero.
+ *
+ * When the validation finishes, a dns_validatorevent_t with
+ * the given 'action' and 'arg' are sent to 'task'.
+ * Its 'result' field will be ISC_R_SUCCESS iff the
+ * response was successfully proven to be either secure or
+ * part of a known insecure domain.
+ */
 
 void
 dns_validator_cancel(dns_validator_t *validator);
+/*
+ * Cancel a DNSSEC validation in progress.
+ *
+ * Requires:
+ *	'validator' points to a valid DNSSEC validator, which 
+ *	may or may not already have completed.
+ *
+ * Ensures:
+ *	It the validator has not already sent its completion
+ *	event, it will send it with result code ISC_R_CANCELED.
+ */
 
 void
 dns_validator_destroy(dns_validator_t **validatorp);
+/*
+ * Destroy a DNSSEC validator.
+ *
+ * Requires:
+ *	'*validatorp' points to a valid DNSSEC validator.
+ * 	The validator must have completed and sent its completion
+ * 	event.
+ *
+ * Ensures:
+ *	All resources used by the validator are freed.
+ */
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index fdbfb33f..d09b1a80 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -59,15 +59,13 @@
  * Standards:
  * None.  */
 
-#include <isc/types.h>
 #include <isc/lang.h>
+#include <isc/magic.h>
 #include <isc/event.h>
-#include <isc/mutex.h>
 #include <isc/rwlock.h>
 #include <isc/stdtime.h>
 
 #include <dns/types.h>
-#include <dns/result.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -80,6 +78,7 @@ struct dns_view {
 	dns_zt_t *			zonetable;
 	dns_resolver_t *		resolver;
 	dns_adb_t *			adb;
+	dns_requestmgr_t *		requestmgr;
 	dns_cache_t *			cache;
 	dns_db_t *			cachedb;
 	dns_db_t *			hints;
@@ -91,23 +90,38 @@ struct dns_view {
 	isc_task_t *			task;
 	isc_event_t			resevent;
 	isc_event_t			adbevent;
+	isc_event_t			reqevent;
 	/* Configurable data, locked by conflock. */
 	dns_tsig_keyring_t *		statickeys;
 	dns_tsig_keyring_t *		dynamickeys;
 	dns_peerlist_t *		peers;
+	isc_boolean_t			recursion;
+	isc_boolean_t			auth_nxdomain;
+	dns_transfer_format_t		transfer_format;
+	dns_acl_t *			queryacl;
+	dns_acl_t *			recursionacl;
+	isc_boolean_t			requestixfr;
+	isc_boolean_t			provideixfr;
+
+	/*
+	 * Configurable data for server use only,
+	 * locked by server configuration lock.
+	 */
+	dns_acl_t *			matchclients;
 	/* Locked by lock. */
 	unsigned int			references;
+	unsigned int			weakrefs;
 	unsigned int			attributes;
 	/* Under owner's locking control. */
 	ISC_LINK(struct dns_view)	link;
 };
 
 #define DNS_VIEW_MAGIC			0x56696577	/* View. */
-#define DNS_VIEW_VALID(view)		((view) != NULL && \
-					 (view)->magic == DNS_VIEW_MAGIC)
+#define DNS_VIEW_VALID(view)		ISC_MAGIC_VALID(view, DNS_VIEW_MAGIC)
 
 #define DNS_VIEWATTR_RESSHUTDOWN	0x01
 #define DNS_VIEWATTR_ADBSHUTDOWN	0x02
+#define DNS_VIEWATTR_REQSHUTDOWN	0x04
 
 isc_result_t
 dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
@@ -152,6 +166,8 @@ dns_view_attach(dns_view_t *source, dns_view_t **targetp);
  * Ensures:
  *
  *	*targetp is attached to source.
+ *
+ *	While *targetp is attached, the view will not shut down.
  */
 
 void
@@ -161,15 +177,43 @@ dns_view_detach(dns_view_t **viewp);
  *
  * Requires:
  *
- *	'viewp' points to a valid dns_view_t *.
+ *	'viewp' points to a valid dns_view_t *
  *
  * Ensures:
  *
  *	*viewp is NULL.
+ */
+
+void
+dns_view_weakattach(dns_view_t *source, dns_view_t **targetp);
+/*
+ * Weakly attach '*targetp' to 'source'.
  *
- *	If '*viewp' is the last reference to the view,
+ * Requires:
  *
- *		All resources used by the view will be freed.
+ *	'source' is a valid, frozen view.
+ *
+ *	'targetp' points to a NULL dns_view_t *.
+ *
+ * Ensures:
+ *
+ *	*targetp is attached to source.
+ *
+ * 	While *targetp is attached, the view will not be freed.
+ */
+
+void
+dns_view_weakdetach(dns_view_t **targetp);
+/*
+ * Detach '*viewp' from its view.
+ *
+ * Requires:
+ *
+ *	'viewp' points to a valid dns_view_t *.
+ *
+ * Ensures:
+ *
+ *	*viewp is NULL.
  */
 
 isc_result_t
@@ -178,6 +222,7 @@ dns_view_createresolver(dns_view_t *view,
 			isc_socketmgr_t *socketmgr,
 			isc_timermgr_t *timermgr,
 			unsigned int options,
+			dns_dispatchmgr_t *dispatchmgr,
 			dns_dispatch_t *dispatchv4,
 			dns_dispatch_t *dispatchv6);
 /*
diff --git a/lib/dns/include/dns/xfrin.h b/lib/dns/include/dns/xfrin.h
index a2b4e1fb..7b4b852f 100644
--- a/lib/dns/include/dns/xfrin.h
+++ b/lib/dns/include/dns/xfrin.h
@@ -42,12 +42,6 @@
 /* A transfer in progress.  This is an opaque type. */
 typedef struct dns_xfrin_ctx dns_xfrin_ctx_t;
 
-/* A list of transfers in progress. */
-struct dns_xfrinlist {
-	isc_mutex_t lock;
-	ISC_LIST(dns_xfrin_ctx_t) transfers;
-};
-		 
 /***
  *** Functions
  ***/
@@ -55,7 +49,8 @@ struct dns_xfrinlist {
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-dns_xfrin_create(dns_zone_t *zone, isc_sockaddr_t *masteraddr, 
+dns_xfrin_create(dns_zone_t *zone, dns_rdatatype_t xfrtype,
+		 isc_sockaddr_t *masteraddr, dns_tsigkey_t *tsigkey,
 		 isc_mem_t *mctx, isc_timermgr_t *timermgr,
 		 isc_socketmgr_t *socketmgr, isc_task_t *task,
 		 dns_xfrindone_t done, dns_xfrin_ctx_t **xfrp);
@@ -84,10 +79,6 @@ void dns_xfrin_detach(dns_xfrin_ctx_t **xfrp);
  * only be one reference).
  */
 
-isc_result_t dns_xfrinlist_init(dns_xfrinlist_t *list);
-
-void dns_xfrinlist_destroy(dns_xfrinlist_t *list);
-
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_XFRIN_H */
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index bfb07aaf..34bd2cf9 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -22,17 +22,12 @@
  ***	Imports
  ***/
 
+#include <stdio.h>
+
 #include <isc/lang.h>
 #include <isc/rwlock.h>
-#include <isc/sockaddr.h>
-#include <isc/types.h>
 
 #include <dns/types.h>
-#include <dns/result.h>
-#include <dns/name.h>
-#include <dns/fixedname.h>
-#include <dns/rdataset.h>
-#include <dns/callbacks.h>
 
 typedef enum {
 	dns_zone_none,
@@ -56,8 +51,8 @@ ISC_LANG_BEGINDECLS
  ***	Functions
  ***/
 
-isc_result_t dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx);
-
+isc_result_t
+dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx);
 /*
  *	Creates a new empty zone and attach to it.
  *
@@ -69,12 +64,13 @@ isc_result_t dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx);
  *	'*zonep' refers to a valid zone.
  *
  * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_NOMEMORY
- *	DNS_R_UNEXPECTED
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ *	ISC_R_UNEXPECTED
  */
 
-void dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass);
+void
+dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass);
 /*
  *	Sets the class of a zone.  This operation can only be performed
  *	once on a zone.
@@ -86,7 +82,8 @@ void dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass);
  *	'rdclass' != dns_rdataclass_none.
  */	
 
-dns_rdataclass_t dns_zone_getclass(dns_zone_t *zone);
+dns_rdataclass_t
+dns_zone_getclass(dns_zone_t *zone);
 /*
  *	Returns the current zone class.
  *
@@ -94,7 +91,8 @@ dns_rdataclass_t dns_zone_getclass(dns_zone_t *zone);
  *	'zone' to be a valid initalised zone.
  */
 
-void dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type);
+void
+dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type);
 /*
  *	Sets the zone type. This operation can only be performed once on
  *	a zone.
@@ -106,7 +104,8 @@ void dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type);
  *	'type' != dns_zone_none
  */
 
-void dns_zone_setview(dns_zone_t *zone, dns_view_t *view);
+void
+dns_zone_setview(dns_zone_t *zone, dns_view_t *view);
 /*
  *	Associate the zone with a view.
  *
@@ -114,7 +113,8 @@ void dns_zone_setview(dns_zone_t *zone, dns_view_t *view);
  *	'zone' to be a valid initalised zone.
  */	
 
-dns_view_t *dns_zone_getview(dns_zone_t *zone);
+dns_view_t *
+dns_zone_getview(dns_zone_t *zone);
 /*
  *	Returns the zone's associated view.
  *
@@ -122,7 +122,8 @@ dns_view_t *dns_zone_getview(dns_zone_t *zone);
  *	'zone' to be a valid initalised zone.
  */
 
-isc_result_t dns_zone_setorigin(dns_zone_t *zone, dns_name_t *origin);
+isc_result_t
+dns_zone_setorigin(dns_zone_t *zone, dns_name_t *origin);
 /*
  *	Sets the zones origin to 'origin'.
  *
@@ -135,7 +136,8 @@ isc_result_t dns_zone_setorigin(dns_zone_t *zone, dns_name_t *origin);
  * 	ISC_R_NOMEMORY
  */
 
-dns_name_t * dns_zone_getorigin(dns_zone_t *zone);
+dns_name_t *
+dns_zone_getorigin(dns_zone_t *zone);
 /*
  *	Returns the value of the origin.
  *
@@ -143,7 +145,8 @@ dns_name_t * dns_zone_getorigin(dns_zone_t *zone);
  *	'zone' to be a valid initalised zone.
  */
 
-isc_result_t dns_zone_setdatabase(dns_zone_t *zone, const char *database);
+isc_result_t
+dns_zone_setdatabase(dns_zone_t *zone, const char *database);
 /*
  *	Sets the name of the database to be loaded. 
  *	For databases loaded from MASTER files this corresponds to the
@@ -154,11 +157,12 @@ isc_result_t dns_zone_setdatabase(dns_zone_t *zone, const char *database);
  *	'database' to be non NULL.
  *
  * Returns:
- *	DNS_R_NOMEMORY
- *	DNS_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ *	ISC_R_SUCCESS
  */
 
-isc_result_t dns_zone_load(dns_zone_t *zone);
+isc_result_t
+dns_zone_load(dns_zone_t *zone);
 /*
  *	Cause the database to be loaded from its backing store.
  *	Confirm that the mimimum requirements for the zone type are
@@ -168,49 +172,14 @@ isc_result_t dns_zone_load(dns_zone_t *zone);
  *	'zone' to be a valid initalised zone.
  *
  * Returns:
- *	DNS_R_UNEXPECTED
- *	DNS_R_SUCCESS
+ *	ISC_R_UNEXPECTED
+ *	ISC_R_SUCCESS
  *	DNS_R_BADZONE
  *	Any result value from dns_db_load().
  */
 
-void dns_zone_checkservers(dns_zone_t *zone);
-/*
- *	Initiate a consistancy check of the zones servers.
- *	XXX MPA to be implemented.
- *
- * Require:
- *	'zone' to be a valid initalised zone.
- */
-
-void dns_zone_checkparents(dns_zone_t *zone);
-/*
- *	Initiate a consistancy check of the zone and the parent zone servers.
- *	XXX MPA to be implemented.
- *
- * Require:
- *	'zone' to be a valid initalised zone.
- */
-
-void dns_zone_checkchildren(dns_zone_t *zone);
-/*
- *	Initiate a consistancy check of the child delegations from this zone.
- *	XXX MPA to be implemented.
- *
- * Require:
- *	'zone' to be a valid initalised zone.
- */
-
-void dns_zone_checkglue(dns_zone_t *zone);
-/*
- *	Initiate a consistancy check of the glue records in this zone.
- *	XXX MPA to be implemented.
- *
- * Require:
- *	'zone' to be a valid initalised zone.
- */
-
-void dns_zone_attach(dns_zone_t *source, dns_zone_t **target);
+void
+dns_zone_attach(dns_zone_t *source, dns_zone_t **target);
 /*
  *	Attach 'zone' to 'target' incrementing its external
  * 	reference count.
@@ -220,7 +189,8 @@ void dns_zone_attach(dns_zone_t *source, dns_zone_t **target);
  *	'target' to be non NULL and '*target' to be NULL.
  */
 
-void dns_zone_detach(dns_zone_t **zonep);
+void
+dns_zone_detach(dns_zone_t **zonep);
 /*
  *	Detach from a zone decrementing its external reference count.
  *	If this was the last external reference to the zone it will be
@@ -230,7 +200,8 @@ void dns_zone_detach(dns_zone_t **zonep);
  *	'zonep' to point to a valid initalised zone.
  */
 
-void dns_zone_iattach(dns_zone_t *source, dns_zone_t **target);
+void
+dns_zone_iattach(dns_zone_t *source, dns_zone_t **target);
 /*
  *	Attach 'zone' to 'target' incrementing its internal 
  * 	reference count.  This is intended for use by operations
@@ -238,22 +209,25 @@ void dns_zone_iattach(dns_zone_t *source, dns_zone_t **target);
  * 	object from being freed but not from shutting down.
  *
  * Require:
+ *	The caller is running in the context of the zone's task.
  *	'zone' to be a valid initalised zone.
  *	'target' to be non NULL and '*target' to be NULL.
  */
-
-void dns_zone_idetach(dns_zone_t **zonep);
+ 
+void
+dns_zone_idetach(dns_zone_t **zonep);
 /*
  *	Detach from a zone decrementing its internal reference count.
  *	If there are no more internal or external references to the
  * 	zone, it will be freed.
  *
  * Require:
+ *	The caller is running in the context of the zone's task. 
  *	'zonep' to point to a valid initalised zone.
  */
 
-void dns_zone_setflag(dns_zone_t *zone, unsigned int flags,
-		      isc_boolean_t value);
+void
+dns_zone_setflag(dns_zone_t *zone, unsigned int flags, isc_boolean_t value);
 /*
  *	Sets ('value' == 'ISC_TRUE') / clears ('value' == 'IS_FALSE')
  *	zone flags.  Valid flag bits are DNS_ZONE_F_*.
@@ -262,7 +236,8 @@ void dns_zone_setflag(dns_zone_t *zone, unsigned int flags,
  *	'zone' to be a valid initalised zone.
  */
 
-isc_result_t dns_zone_adddbarg(dns_zone_t *zone, char *arg);
+isc_result_t
+dns_zone_adddbarg(dns_zone_t *zone, char *arg);
 /*
  *	Add 'arg' to the end of the list of database arguements.
  *	No attempt in made to validate the arguements.
@@ -272,11 +247,12 @@ isc_result_t dns_zone_adddbarg(dns_zone_t *zone, char *arg);
  *	'arg' to be non NULL.
  *
  * Returns:
- *	DNS_R_NOMEMORY
- *	DNS_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ *	ISC_R_SUCCESS
  */
 
-void dns_zone_cleardbargs(dns_zone_t *zone);
+void
+dns_zone_cleardbargs(dns_zone_t *zone);
 /*
  *	Clear all database arguements.
  *
@@ -284,7 +260,8 @@ void dns_zone_cleardbargs(dns_zone_t *zone);
  *	'zone' to be a valid initalised zone.
  */
 
-isc_result_t dns_zone_getdb(dns_zone_t *zone, dns_db_t **dbp);
+isc_result_t
+dns_zone_getdb(dns_zone_t *zone, dns_db_t **dbp);
 /*
  * 	Attach the database to '*dbp' if it exists otherwise
  *	return DNS_R_NOTLOADED.
@@ -294,11 +271,12 @@ isc_result_t dns_zone_getdb(dns_zone_t *zone, dns_db_t **dbp);
  *	'dbp' to be != NULL && '*dbp' == NULL.
  *
  * Returns:
- *	DNS_R_SUCCESS
+ *	ISC_R_SUCCESS
  *	DNS_R_NOTLOADED
  */
 
-isc_result_t dns_zone_setdbtype(dns_zone_t *zone, char *db_type);
+isc_result_t
+dns_zone_setdbtype(dns_zone_t *zone, char *db_type);
 /*
  *	Sets the database type. Current database types are: "rbt", "rbt64".
  *	'db_type' is not checked to see if it is a valid database type. 
@@ -308,15 +286,16 @@ isc_result_t dns_zone_setdbtype(dns_zone_t *zone, char *db_type);
  *	'database' to be non NULL.
  *
  * Returns:
- *	DNS_R_NOMEMORY
- *	DNS_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ *	ISC_R_SUCCESS
  */
 
-void dns_zone_validate(dns_zone_t *zone);
-
-	/* XXX MPA */
+void
+dns_zone_validate(dns_zone_t *zone);
+/* XXX MPA */
 
-void dns_zone_expire(dns_zone_t *zone);
+void
+dns_zone_expire(dns_zone_t *zone);
 /*
  *	Mark the zone as expired.  If the zone requires dumping cause it to
  *	be initiated.  Set the refresh and retry intervals to there default
@@ -326,7 +305,8 @@ void dns_zone_expire(dns_zone_t *zone);
  *	'zone' to be a valid initalised zone.
  */
 
-void dns_zone_refresh(dns_zone_t *zone);
+void
+dns_zone_refresh(dns_zone_t *zone);
 /*
  *	Initiate zone up to date checks.  The zone must already be being
  *	managed.
@@ -335,7 +315,8 @@ void dns_zone_refresh(dns_zone_t *zone);
  *	'zone' to be a valid initalised zone.
  */
 
-isc_result_t dns_zone_dump(dns_zone_t *zone);
+isc_result_t
+dns_zone_dump(dns_zone_t *zone);
 /*
  *	Write the zone to database.
  *
@@ -343,7 +324,8 @@ isc_result_t dns_zone_dump(dns_zone_t *zone);
  *	'zone' to be a valid initalised zone.
  */
 
-isc_result_t dns_zone_dumptostream(dns_zone_t *zone, FILE *fd);
+isc_result_t
+dns_zone_dumptostream(dns_zone_t *zone, FILE *fd);
 /*
  *	Write the zone to stream 'fd'.
  *
@@ -352,7 +334,8 @@ isc_result_t dns_zone_dumptostream(dns_zone_t *zone, FILE *fd);
  *	'fd' to be a stream open for writing.
  */
 
-void dns_zone_maintenance(dns_zone_t *zone);
+void
+dns_zone_maintenance(dns_zone_t *zone);
 /*
  *	Perform regular maintenace on the zone.  This is called as a
  *	result of a zone being managed.
@@ -361,55 +344,49 @@ void dns_zone_maintenance(dns_zone_t *zone);
  *	'zone' to be a valid initalised zone.
  */
 
-void dns_zone_clearmasters(dns_zone_t *zone);
-/*
- *	Clear the set of master servers the zone transfers from.
- *
- * Require
- *	'zone' to be a valid initalised zone.
- */
-
-isc_result_t dns_zone_addmaster(dns_zone_t *zone, isc_sockaddr_t *master);
+isc_result_t
+dns_zone_setmasters(dns_zone_t *zone, isc_sockaddr_t *masters,
+		    isc_uint32_t count);
 /*
- *	Add a master server to the end of the set of master servers for
- *	the zone.
+ *	Set the list of master servers for the zone.
  *
  * Require:
  *	'zone' to be a valid initalised zone.
- *	'master' to be non NULL.
+ *	'masters' array of isc_sockaddr_t with port set or NULL.
+ *	'count' the number of masters.
  *
- * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_NOMEMORY
- */
-
-void dns_zone_clearnotify(dns_zone_t *zone);
-/*
- *	Clear the set of additional servers to be notified when the zone
- *	changes.
+ * 	If 'masters' is NULL then 'count' must be zero.
  *
- * Require:
- *	'zone' to be a valid initalised zone.
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
  */
 
-isc_result_t dns_zone_addnotify(dns_zone_t *zone, isc_sockaddr_t *notify);
+isc_result_t
+dns_zone_setnotifyalso(dns_zone_t *zone, isc_sockaddr_t *notify,
+		       isc_uint32_t count);
 /*
- *	Add a server to the end of the list of additional servers to be
- *	notified when a zone changes.
+ *	Set the list of additional servers to be notified when
+ *	a zone changes.
  *
  * Require:
  *	'zone' to be a valid initalised zone.
  *	'notify' to be non NULL.
+ *	'count' the number of notify.
+ *
+ * 	If 'notify' is NULL then 'count' must be zero.
  *
  * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_NOMEMORY
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
  */
 
-void dns_zone_unmount(dns_zone_t *zone);
+void
+dns_zone_unmount(dns_zone_t *zone);
 	/* XXX MPA */
 
-void dns_zone_unload(dns_zone_t *zone);
+void
+dns_zone_unload(dns_zone_t *zone);
 /*
  *	detach the database from the zone structure.
  *
@@ -417,8 +394,8 @@ void dns_zone_unload(dns_zone_t *zone);
  *	'zone' to be a valid initalised zone.
  */
 
-void dns_zone_setoption(dns_zone_t *zone, unsigned int option,
-		        isc_boolean_t value);
+void
+dns_zone_setoption(dns_zone_t *zone, unsigned int option, isc_boolean_t value);
 /*
  *	Set given options on ('value' == ISC_TRUE) or off ('value' ==
  *	ISC_FALSE).
@@ -427,7 +404,8 @@ void dns_zone_setoption(dns_zone_t *zone, unsigned int option,
  *	'zone' to be a valid initalised zone.
  */
 
-void dns_zone_clearoption(dns_zone_t *zone, unsigned int option);
+void
+dns_zone_clearoption(dns_zone_t *zone, unsigned int option);
 /*
  *	Clear the given options from the zone and allow system wide value
  *	to be used.
@@ -436,20 +414,18 @@ void dns_zone_clearoption(dns_zone_t *zone, unsigned int option);
  *	'zone' to be a valid initalised zone.
  */
 
-void dns_zone_getoptions(dns_zone_t *zone, unsigned int *options,
-			 unsigned int *optionsmask);
+unsigned int
+dns_zone_getoptions(dns_zone_t *zone);
 /*
- *	Return which options a set ('options') and which are active
- *	('optionsmask').
+ *	Return which options a set.
  *
  * Require:
  *	'zone' to be a valid initalised zone.
- *	'options' to be non NULL.
- *	'optionsmask' to be non NULL.
  */
 
-void dns_zone_setrefresh(dns_zone_t *zone, isc_uint32_t refresh,
-			 isc_uint32_t retry);
+void
+dns_zone_setrefresh(dns_zone_t *zone, isc_uint32_t refresh,
+		    isc_uint32_t retry);
 /*
  *	Set the refresh and retry values.  Normally this are set as a
  *	result of loading the zone (dns_zone_load).
@@ -468,7 +444,7 @@ dns_zone_setxfrsource4(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
  *	'xfrsource' to contain the address.
  *
  * Returns:
- *	DNS_R_SUCCESS
+ *	ISC_R_SUCCESS
  */
 
 isc_sockaddr_t *
@@ -491,7 +467,7 @@ dns_zone_setxfrsource6(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
  *	'xfrsource' to contain the address.
  *
  * Returns:
- *	DNS_R_SUCCESS
+ *	ISC_R_SUCCESS
  */
 
 isc_sockaddr_t *
@@ -504,7 +480,8 @@ dns_zone_getxfrsource6(dns_zone_t *zone);
  *	'zone' to be a valid initalised zone.
  */
 
-void dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl);
+void
+dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl);
 /*
  *	Sets the query acl list for the zone.
  *
@@ -513,7 +490,8 @@ void dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl);
  *	'acl' to be initalised.
  */
 
-void dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl);
+void
+dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl);
 /*
  *	Sets the update acl list for the zone.
  *
@@ -522,7 +500,8 @@ void dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl);
  *	'acl' to be initalised.
  */
 
-void dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl);
+void
+dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl);
 /*
  *	Sets the transfer acl list for the zone.
  *
@@ -531,7 +510,8 @@ void dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl);
  *	'acl' to be initalised.
  */
 
-dns_acl_t * dns_zone_getqueryacl(dns_zone_t *zone);
+dns_acl_t *
+dns_zone_getqueryacl(dns_zone_t *zone);
 /*
  * 	Returns the current query acl or NULL.
  *
@@ -543,7 +523,8 @@ dns_acl_t * dns_zone_getqueryacl(dns_zone_t *zone);
  *	NULL
  */
 
-dns_acl_t * dns_zone_getupdateacl(dns_zone_t *zone);
+dns_acl_t *
+dns_zone_getupdateacl(dns_zone_t *zone);
 /*
  * 	Returns the current update acl or NULL.
  *
@@ -555,7 +536,8 @@ dns_acl_t * dns_zone_getupdateacl(dns_zone_t *zone);
  *	NULL
  */
 
-dns_acl_t * dns_zone_getxfracl(dns_zone_t *zone);
+dns_acl_t *
+dns_zone_getxfracl(dns_zone_t *zone);
 /*
  * 	Returns the current transfer acl or NULL.
  *
@@ -567,7 +549,8 @@ dns_acl_t * dns_zone_getxfracl(dns_zone_t *zone);
  *	NULL
  */
 
-void dns_zone_clearupdateacl(dns_zone_t *zone);
+void
+dns_zone_clearupdateacl(dns_zone_t *zone);
 /*
  *	Clear the current update acl.
  *
@@ -575,7 +558,8 @@ void dns_zone_clearupdateacl(dns_zone_t *zone);
  *	'zone' to be initalised.
  */
 
-void dns_zone_clearqueryacl(dns_zone_t *zone);
+void
+dns_zone_clearqueryacl(dns_zone_t *zone);
 /*
  *	Clear the current query acl.
  *
@@ -583,7 +567,8 @@ void dns_zone_clearqueryacl(dns_zone_t *zone);
  *	'zone' to be initalised.
  */
 
-void dns_zone_clearxfracl(dns_zone_t *zone);
+void
+dns_zone_clearxfracl(dns_zone_t *zone);
 /*
  *	Clear the current transfer acl.
  *
@@ -591,7 +576,8 @@ void dns_zone_clearxfracl(dns_zone_t *zone);
  *	'zone' to be initalised.
  */
 
-void dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity);
+void
+dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity);
 /*
  * 	Set the severity of name checking when loading a zone.
  *
@@ -599,7 +585,8 @@ void dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity);
  *      'zone' to be initalised.
  */
 
-dns_severity_t dns_zone_getchecknames(dns_zone_t *zone);
+dns_severity_t
+dns_zone_getchecknames(dns_zone_t *zone);
 /*
  *	Return the current severity of name checking.
  *
@@ -607,16 +594,15 @@ dns_severity_t dns_zone_getchecknames(dns_zone_t *zone);
  *	'zone' to be initalised.
  */
 
-void dns_zone_setjournalsize(dns_zone_t *zone, isc_int32_t size);
-isc_int32_t dns_zone_getjournalsize(dns_zone_t *zone);
-
-void dns_zone_setmasterport(dns_zone_t *zone,  isc_uint16_t port);
-isc_uint16_t dns_zone_getmasterport(dns_zone_t *zone);
+void
+dns_zone_setjournalsize(dns_zone_t *zone, isc_int32_t size);
 
-void dns_zone_setresolver(dns_zone_t *zone, dns_resolver_t *resolver);
+isc_int32_t
+dns_zone_getjournalsize(dns_zone_t *zone);
 
-isc_result_t dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
-				dns_message_t *msg);
+isc_result_t
+dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
+		       dns_message_t *msg);
 
 void
 dns_zone_setmaxxfrin(dns_zone_t *zone, isc_uint32_t maxxfrin);
@@ -629,7 +615,8 @@ dns_zone_setmaxxfrin(dns_zone_t *zone, isc_uint32_t maxxfrin);
  *	'xfrtime' to be non zero.
  */
 
-isc_uint32_t dns_zone_getmaxxfrin(dns_zone_t *zone);
+isc_uint32_t
+dns_zone_getmaxxfrin(dns_zone_t *zone);
 /*
  * Returns the maximum transfer time for this zone.  This will be
  * either the value set by the last call to dns_zone_setmaxxfrin() or
@@ -650,7 +637,8 @@ dns_zone_setmaxxfrout(dns_zone_t *zone, isc_uint32_t maxxfrout);
  *	'xfrtime' to be non zero.
  */
 
-isc_uint32_t dns_zone_getmaxxfrout(dns_zone_t *zone);
+isc_uint32_t
+dns_zone_getmaxxfrout(dns_zone_t *zone);
 /*
  * Returns the maximum transfer time for this zone.  This will be
  * either the value set by the last call to dns_zone_setmaxxfrout() or
@@ -660,8 +648,8 @@ isc_uint32_t dns_zone_getmaxxfrout(dns_zone_t *zone);
  *	'zone' to be valid initialised zone.
  */
 
-isc_result_t dns_zone_setjournal(dns_zone_t *zone, const char *journal);
-
+isc_result_t
+dns_zone_setjournal(dns_zone_t *zone, const char *journal);
 /*
  * Sets the filename used for journaling updates / IXFR transfers.
  * The default journal name is set by dns_zone_setdatabase() to be
@@ -672,12 +660,12 @@ isc_result_t dns_zone_setjournal(dns_zone_t *zone, const char *journal);
  *	'journal' to be non NULL.
  *
  * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_NOMEMORY 
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY 
  */
 
-char * dns_zone_getjournal(dns_zone_t *zone);
-
+char *
+dns_zone_getjournal(dns_zone_t *zone);
 /*
  * Returns the journal name associated with this zone.
  * If not journal has been set this will be NULL.
@@ -686,7 +674,8 @@ char * dns_zone_getjournal(dns_zone_t *zone);
  *	'zone' to be valid initialised zone.
  */
 
-dns_zonetype_t dns_zone_gettype(dns_zone_t *zone);
+dns_zonetype_t
+dns_zone_gettype(dns_zone_t *zone);
 /*
  * Returns the type of the zone (master/slave/etc.)
  *
@@ -715,7 +704,8 @@ dns_zone_gettask(dns_zone_t *zone, isc_task_t **target);
  *	'target' to be != NULL && '*target' == NULL.
  */
 
-const char *dns_zone_getdatabase(dns_zone_t *zone);
+const char *
+dns_zone_getdatabase(dns_zone_t *zone);
 /*
  * Gets the name of the database.  For databases loaded from
  * master files, this corresponds to the file name of the master file.
@@ -724,7 +714,8 @@ const char *dns_zone_getdatabase(dns_zone_t *zone);
  *	'zone' to be valid initialised zone.
  */
 
-void dns_zone_notify(dns_zone_t *zone);
+void
+dns_zone_notify(dns_zone_t *zone);
 /*
  * Generate notify events for this zone.
  *
@@ -733,8 +724,7 @@ void dns_zone_notify(dns_zone_t *zone);
  */
 
 isc_result_t
-dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db,
-                   isc_boolean_t dump);
+dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump);
 /*
  * Replace the database of "zone" with a new database "db".
  *
@@ -754,7 +744,6 @@ dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db,
 
 isc_boolean_t
 dns_zone_equal(dns_zone_t *oldzone, dns_zone_t *newzone);
-
 /*
  * Tests whether the configuration of two zones is equal.
  * Zone contents and state information is not tested.
@@ -821,7 +810,8 @@ dns_zone_getmctx(dns_zone_t *zone);
  * Get the memory context of a zone.
  */
 
-dns_zonemgr_t *dns_zone_getmgr(dns_zone_t *zone);
+dns_zonemgr_t *
+dns_zone_getmgr(dns_zone_t *zone);
 
 isc_result_t
 dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
@@ -857,15 +847,16 @@ dns_zonemgr_forcemaint(dns_zonemgr_t *zmgr);
 void
 dns_zonemgr_shutdown(dns_zonemgr_t *zmgr);
 /*
- * Shut down and detach the task of the zone manager.
+ * Shut down the zone manager.
  */
 
 void
-dns_zonemgr_destroy(dns_zonemgr_t **zmgrp);
+dns_zonemgr_detach(dns_zonemgr_t **zmgrp);
 /*
- * Destroy a zone manager.
+ * Detach from a zone manager.
  *
  * Requires:
+ *
  *	'*zmgrp' is a valid, non-NULL zone manager pointer.
  * Ensures:
  *	'*zmgrp' is NULL.
@@ -892,15 +883,6 @@ dns_zonemgr_settransfersperns(dns_zonemgr_t *zmgr, int value);
 int
 dns_zonemgr_getttransfersperns(dns_zonemgr_t *zmgr);
 
-dns_xfrinlist_t	*
-dns_zonemgr_gettransferlist(dns_zonemgr_t *zmgr);
-
-void
-dns_zonemgr_setrequestixfr(dns_zonemgr_t *zmgr, isc_boolean_t value);
-
-isc_boolean_t
-dns_zonemgr_getrequestixfr(dns_zonemgr_t *zmgr);
-
 ISC_LANG_ENDDECLS
 
-#endif	/* DNS_ZONE_H */
+#endif /* DNS_ZONE_H */
diff --git a/lib/dns/include/dns/zoneconf.h b/lib/dns/include/dns/zoneconf.h
index c920b7f0..d3bf66a9 100644
--- a/lib/dns/include/dns/zoneconf.h
+++ b/lib/dns/include/dns/zoneconf.h
@@ -15,24 +15,19 @@
  * SOFTWARE.
  */
 
-#ifndef NS_ZONECONF_H
-#define NS_ZONECONF_H 1
+#ifndef DNS_ZONECONF_H
+#define DNS_ZONECONF_H 1
 
-#include <isc/log.h>
+#include <isc/lang.h>
 #include <isc/types.h>
 
-#include <dns/acl.h>
-#include <dns/confacl.h>
-#include <dns/confip.h>
+#include <dns/aclconf.h>
 
-/*
- * Create a dns_acl_t from the corresponding configuration data structure,
- * 'caml'.  References to named ACLs in caml are resolved against the ACL
- * table in 'cctx'.
- */
+ISC_LANG_BEGINDECLS
 
-isc_result_t dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
-				dns_c_zone_t *czone, dns_zone_t *zone);
+isc_result_t
+dns_zone_configure(dns_c_ctx_t *cctx, dns_c_view_t *cview, dns_c_zone_t *czone,
+		   dns_aclconfctx_t *ac, dns_zone_t *zone);
 /*
  * Configure or reconfigure a zone according to the named.conf
  * data in 'cctx' and 'czone'.
@@ -65,4 +60,4 @@ dns_zonemgr_configure(dns_c_ctx_t *cctx, dns_zonemgr_t *zonemgr);
  */
 ISC_LANG_ENDDECLS
 
-#endif /* NS_ZONECONF_H */
+#endif /* DNS_ZONECONF_H */
diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
index 1bdb7124..b2a80507 100644
--- a/lib/dns/include/dns/zt.h
+++ b/lib/dns/include/dns/zt.h
@@ -15,21 +15,19 @@
  * SOFTWARE.
  */
 
-#ifndef	DNS_ZT_H
-#define DNS_ZT_H
+#ifndef DNS_ZT_H
+#define DNS_ZT_H 1
 
 #include <isc/lang.h>
 
-#include <isc/mem.h>
-#include <dns/name.h>
 #include <dns/types.h>
-#include <dns/rbt.h>
 
+#define DNS_ZTFIND_NOEXACT		0x01
 
 ISC_LANG_BEGINDECLS
 
-isc_result_t dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
-			   dns_zt_t **zt);
+isc_result_t
+dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **zt);
 /*
  * Creates a new zone table.
  *
@@ -37,12 +35,12 @@ isc_result_t dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
  * 	'mctx' to be initalised.
  *
  * Returns:
- *	DNS_R_SUCCESS on success.
- *	DNS_R_NOMEMORY
+ *	ISC_R_SUCCESS on success.
+ *	ISC_R_NOMEMORY
  */
 
-isc_result_t dns_zt_mount(dns_zt_t *zt, dns_zone_t *zone);
-
+isc_result_t
+dns_zt_mount(dns_zt_t *zt, dns_zone_t *zone);
 /*
  * Mounts the zone on the zone table.
  *
@@ -51,14 +49,14 @@ isc_result_t dns_zt_mount(dns_zt_t *zt, dns_zone_t *zone);
  *	'zone' to be valid
  *
  * Returns:
- *	DNS_R_SUCCESS
- *	DNS_R_EXISTS
- *	DNS_R_NOSPACE
- *	DNS_R_NOMEMORY
+ *	ISC_R_SUCCESS
+ *	ISC_R_EXISTS
+ *	ISC_R_NOSPACE
+ *	ISC_R_NOMEMORY
  */
 
-isc_result_t dns_zt_unmount(dns_zt_t *zt, dns_zone_t *zone);
-
+isc_result_t
+dns_zt_unmount(dns_zt_t *zt, dns_zone_t *zone);
 /*
  * Unmount the given zone from the table.
  *
@@ -67,18 +65,22 @@ isc_result_t dns_zt_unmount(dns_zt_t *zt, dns_zone_t *zone);
  *	'zone' to be valid
  *
  * Returns:
- * 	DNS_R_SUCCESS
- *	DNS_R_NOTFOUND
- *	DNS_R_NOMEMORY
+ * 	ISC_R_SUCCESS
+ *	ISC_R_NOTFOUND
+ *	ISC_R_NOMEMORY
  */
 
-isc_result_t dns_zt_find(dns_zt_t *zt, dns_name_t *name,
-				dns_name_t *foundname, dns_zone_t **zone);
-
+isc_result_t
+dns_zt_find(dns_zt_t *zt, dns_name_t *name, unsigned int options,
+	    dns_name_t *foundname, dns_zone_t **zone);
 /*
  * Find the best match for 'name' in 'zt'.  If foundname is non NULL
  * then the name of the zone found is returned.
  *
+ * Notes:
+ *	If the DNS_ZTFIND_NOEXACT is set, the best partial match (if any)
+ *	to 'name' will be returned.
+ *
  * Requires:
  *	'zt' to be valid
  *	'name' to be valid
@@ -86,14 +88,14 @@ isc_result_t dns_zt_find(dns_zt_t *zt, dns_name_t *name,
  *	'zone' to be non NULL and '*zone' to be NULL
  *
  * Returns:
- * 	DNS_R_SUCCESS
+ * 	ISC_R_SUCCESS
  *	DNS_R_PARTIALMATCH
- *	DNS_R_NOTFOUND
- *	DNS_R_NOSPACE
+ *	ISC_R_NOTFOUND
+ *	ISC_R_NOSPACE
  */
 
-void dns_zt_detach(dns_zt_t **ztp);
-
+void
+dns_zt_detach(dns_zt_t **ztp);
 /*
  * Detach the given zonetable, if the reference count goes to zero the
  * zonetable will be freed.  In either case 'ztp' is set to NULL.
@@ -102,8 +104,8 @@ void dns_zt_detach(dns_zt_t **ztp);
  *	'*ztp' to be valid
  */
 
-void dns_zt_attach(dns_zt_t *zt, dns_zt_t **ztp);
-
+void
+dns_zt_attach(dns_zt_t *zt, dns_zt_t **ztp);
 /*
  * Attach 'zt' to '*ztp'.
  *
@@ -112,8 +114,8 @@ void dns_zt_attach(dns_zt_t *zt, dns_zt_t **ztp);
  *	'*ztp' to be NULL
  */
 
-isc_result_t dns_zt_load(dns_zt_t *zt, isc_boolean_t stop);
-
+isc_result_t
+dns_zt_load(dns_zt_t *zt, isc_boolean_t stop);
 /*
  * Load all zones in the table.  If 'stop' is ISC_TRUE,
  * stop on the first error and return it.  If 'stop'
@@ -123,9 +125,8 @@ isc_result_t dns_zt_load(dns_zt_t *zt, isc_boolean_t stop);
  *	'zt' to be valid
  */
 
-
-void dns_zt_print(dns_zt_t *zt);
-
+void
+dns_zt_print(dns_zt_t *zt);
 /*
  * Print zones in zonetable, address, name and reference count.
  *
@@ -136,21 +137,20 @@ void dns_zt_print(dns_zt_t *zt);
 isc_result_t
 dns_zt_apply(dns_zt_t *zt, isc_boolean_t stop,
 	     isc_result_t (*action)(dns_zone_t *, void *), void *uap);
-
 /*
  * Apply a given 'action' to all zone zones in the table.
  * If 'stop' is 'ISC_TRUE' then walking the zone tree will stop if
- * 'action' does not return DNS_R_SUCCESS.
+ * 'action' does not return ISC_R_SUCCESS.
  *
  * Requires:
  *	'zt' to be valid.
  *	'action' to be non NULL.
  *
  * Returns:
- *	DNS_R_SUCCESS if action was applied to all nodes.
+ *	ISC_R_SUCCESS if action was applied to all nodes.
  *	any error code from 'action'.
  */
 
 ISC_LANG_ENDDECLS
 
-#endif
+#endif /* DNS_ZT_H */
diff --git a/lib/dns/journal.c b/lib/dns/journal.c
index 99bb42aa..94983d0a 100644
--- a/lib/dns/journal.c
+++ b/lib/dns/journal.c
@@ -17,34 +17,26 @@
 
 #include <config.h>
 
-#include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
-#include <fcntl.h> 
-#include <errno.h>
-#include <string.h>
 
-#include <sys/types.h>
-
-#include <isc/assertions.h>
-#include <isc/error.h>
+#include <isc/file.h>
 #include <isc/mem.h>
-#include <isc/net.h>
-#include <isc/result.h>
-#include <isc/buffer.h>
+#include <isc/net.h>		/* Required for ntohl. */
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
+#include <dns/compress.h>
 #include <dns/db.h>
 #include <dns/dbiterator.h>
 #include <dns/fixedname.h>
 #include <dns/journal.h>
 #include <dns/log.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
 #include <dns/rdatasetiter.h>
 #include <dns/result.h>
-#include <dns/types.h>
 
 /*
  * When true, accept IXFR difference sequences where the
@@ -64,7 +56,15 @@ static isc_boolean_t bind8_compat = ISC_TRUE; /* XXX config */
 #define JOURNAL_DEBUG_LOGARGS(n) \
 	JOURNAL_COMMON_LOGARGS, ISC_LOG_DEBUG(n)
 
-#define FAIL(code) do { result = (code); goto failure; } while (0)
+/*
+ * It would be non-sensical (or at least obtuse) to use FAIL() with an
+ * ISC_R_SUCCESS code, but the test is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define FAIL(code) \
+	do { result = (code);					\
+		if (result != ISC_R_SUCCESS) goto failure;	\
+	} while (0)
 
 #define CHECK(op) \
      	do { result = (op); 					\
@@ -96,8 +96,7 @@ rdata_covers(dns_rdata_t *rdata) {
 }
 
 isc_uint32_t
-dns_soa_getserial(dns_rdata_t *rdata)
-{
+dns_soa_getserial(dns_rdata_t *rdata) {
 	INSIST(rdata->type == dns_rdatatype_soa);
 	/*
 	 * Locate the serial number within the SOA RDATA based
@@ -116,50 +115,13 @@ dns_soa_getserial(dns_rdata_t *rdata)
 }
 
 void
-dns_soa_setserial(isc_uint32_t val, dns_rdata_t *rdata)
-{
+dns_soa_setserial(isc_uint32_t val, dns_rdata_t *rdata) {
 	INSIST(rdata->type == dns_rdatatype_soa);
 	INSIST(rdata->length > 20);
 	encode_uint32(val, rdata->data + rdata->length - 20);
 }
 
 isc_result_t
-dns_db_getsoaserial(dns_db_t *db, dns_dbversion_t *ver, isc_uint32_t *serialp)
-{
-	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata;
-
-	REQUIRE(dns_db_iszone(db));
-		
-	result = dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node);
-	if (result != DNS_R_SUCCESS)
-		return (result);
-
-	dns_rdataset_init(&rdataset);
-	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0,
-				     (isc_stdtime_t) 0, &rdataset, NULL);
- 	if (result != DNS_R_SUCCESS)
-		goto freenode;
-	
-	result = dns_rdataset_first(&rdataset);
- 	if (result != DNS_R_SUCCESS)
-		goto freerdataset;
-	dns_rdataset_current(&rdataset, &rdata);
-
-	*serialp = dns_soa_getserial(&rdata);
-	result = DNS_R_SUCCESS;
-
- freerdataset:
-	dns_rdataset_disassociate(&rdataset);
-	
- freenode:
-	dns_db_detachnode(db, &node);
-	return (result);
-}
-
-isc_result_t
 dns_db_createsoatuple(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
 		      dns_diffop_t op, dns_difftuple_t **tp)
 {
@@ -168,24 +130,22 @@ dns_db_createsoatuple(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
 	dns_rdataset_t rdataset;
 	dns_rdata_t rdata;
 	dns_name_t *zonename;
-	dns_rdataclass_t zoneclass;
 	
 	zonename = dns_db_origin(db);
-	zoneclass = dns_db_class(db);
 	
 	node = NULL;
 	result = dns_db_findnode(db, zonename, ISC_FALSE, &node);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto nonode;
 	
 	dns_rdataset_init(&rdataset);
 	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0,
-				     (isc_stdtime_t) 0, &rdataset, NULL);
- 	if (result != DNS_R_SUCCESS)
+				     (isc_stdtime_t)0, &rdataset, NULL);
+ 	if (result != ISC_R_SUCCESS)
 		goto freenode;
 	
 	result = dns_rdataset_first(&rdataset);
- 	if (result != DNS_R_SUCCESS)
+ 	if (result != ISC_R_SUCCESS)
 		goto freenode;
 
 	dns_rdataset_current(&rdataset, &rdata);
@@ -228,11 +188,11 @@ dns_difftuple_create(isc_mem_t *mctx,
 	size = sizeof(*t) + name->length + rdata->length;
 	t = isc_mem_allocate(mctx, size);
 	if (t == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 	t->mctx = mctx;
 	t->op = op;
 
-	datap = (unsigned char *) (t + 1);
+	datap = (unsigned char *)(t + 1);
 	
 	memcpy(datap, name->ndata, name->length);
 	dns_name_init(&t->name, NULL);
@@ -252,10 +212,10 @@ dns_difftuple_create(isc_mem_t *mctx,
 	ISC_LINK_INIT(&t->rdata, link);
 	t->magic = DNS_DIFFTUPLE_MAGIC;
 
-	INSIST(datap == (unsigned char *) t + size);
+	INSIST(datap == (unsigned char *)t + size);
 
 	*tp = t;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 void
@@ -269,15 +229,13 @@ dns_difftuple_free(dns_difftuple_t **tp) {
 }
 
 isc_result_t
-dns_difftuple_copy(dns_difftuple_t *orig, dns_difftuple_t **copyp)
-{
+dns_difftuple_copy(dns_difftuple_t *orig, dns_difftuple_t **copyp) {
 	return (dns_difftuple_create(orig->mctx, orig->op, &orig->name,
 				     orig->ttl, &orig->rdata, copyp));
 }
 
 void
-dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff)
-{
+dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff) {
 	diff->mctx = mctx;
 	ISC_LIST_INIT(diff->tuples);
 	diff->magic = DNS_DIFF_MAGIC;
@@ -457,8 +415,8 @@ dns_diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver)
 				isc_log_write(JOURNAL_COMMON_LOGARGS,
 					      ISC_LOG_WARNING,
 					      "update with no effect");
-			} else if (result == DNS_R_SUCCESS ||
-				   result == DNS_R_NXRDATASET) {
+			} else if (result == ISC_R_SUCCESS ||
+				   result == DNS_R_NXRRSET) {
 				/* OK */
 			} else {
 				CHECK(result);
@@ -466,7 +424,7 @@ dns_diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver)
 		}
 		dns_db_detachnode(db, &node);
 	}
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 
  failure:
 	if (node != NULL)
@@ -518,6 +476,7 @@ dns_diff_load(dns_diff_t *diff, dns_addrdatasetfunc_t addfunc,
 			/* Convert the rdatalist into a rdataset. */
 			dns_rdataset_init(&rds);
 			CHECK(dns_rdatalist_tordataset(&rdl, &rds));
+			rds.trust = dns_trust_ultimate;
 
 			INSIST(op == DNS_DIFFOP_ADD);
 			result = (*addfunc)(add_private, name, &rds);
@@ -525,15 +484,15 @@ dns_diff_load(dns_diff_t *diff, dns_addrdatasetfunc_t addfunc,
 				isc_log_write(JOURNAL_COMMON_LOGARGS,
 					      ISC_LOG_WARNING,
 					      "update with no effect");
-			} else if (result == DNS_R_SUCCESS ||
-				   result == DNS_R_NXRDATASET) {
+			} else if (result == ISC_R_SUCCESS ||
+				   result == DNS_R_NXRRSET) {
 				/* OK */
 			} else {
 				CHECK(result);
 			}
 		}
 	}
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
  failure:
 	return (result);
 }
@@ -558,7 +517,7 @@ dns_diff_sort(dns_diff_t *diff, dns_diff_compare_func *compare) {
 		return (ISC_R_SUCCESS);
 	v = isc_mem_get(diff->mctx, length * sizeof(dns_difftuple_t *));
 	if (v == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 	i = 0;
 	for (i = 0; i < length; i++) {
 		p = ISC_LIST_HEAD(diff->tuples);
@@ -610,7 +569,7 @@ dns_diff_print(dns_diff_t *diff, FILE *file) {
 
 	mem = isc_mem_get(diff->mctx, size);
 	if (mem == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
 	for (t = ISC_LIST_HEAD(diff->tuples); t != NULL;
 	     t = ISC_LIST_NEXT(t, link))
@@ -622,34 +581,37 @@ dns_diff_print(dns_diff_t *diff, FILE *file) {
 		dns_rdataset_t rds;		
 
 		result = diff_tuple_tordataset(t, &rdl, &rds);
-		if (result != DNS_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS) {
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 					 "diff_tuple_tordataset failed: %s",
 					 dns_result_totext(result));
-			result =  DNS_R_UNEXPECTED;
+			result =  ISC_R_UNEXPECTED;
 			goto cleanup;
 		}
  again:
-		isc_buffer_init(&buf, mem, size, ISC_BUFFERTYPE_TEXT);
+		isc_buffer_init(&buf, mem, size);
 		result = dns_rdataset_totext(&rds, &t->name,
 					     ISC_FALSE, ISC_FALSE, &buf);
 
-		/* Get rid of final newline. */
-		INSIST(buf.used >= 1 && ((char *) buf.base)[buf.used-1] == '\n');
+		/*
+		 * Get rid of final newline.
+		 */
+		INSIST(buf.used >= 1 &&
+		       ((char *) buf.base)[buf.used-1] == '\n');
 		buf.used--;
 
-		if (result == DNS_R_NOSPACE) {
+		if (result == ISC_R_NOSPACE) {
 			isc_mem_put(diff->mctx, mem, size);
 			size += 1024;
 			mem = isc_mem_get(diff->mctx, size);
 			if (mem == NULL) {
-				result = DNS_R_NOMEMORY;
+				result = ISC_R_NOMEMORY;
 				goto cleanup;
 			}
 			goto again;
 		}
-		if (result == DNS_R_SUCCESS) {
-			isc_buffer_used(&buf, &r);
+		if (result == ISC_R_SUCCESS) {
+			isc_buffer_usedregion(&buf, &r);
 			if (file != NULL)
 				fprintf(file, "%s %.*s\n",
 					t->op == DNS_DIFFOP_ADD ?
@@ -665,7 +627,7 @@ dns_diff_print(dns_diff_t *diff, FILE *file) {
 		} else 
 			goto cleanup;
 	}
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
  cleanup:
 	if (mem != NULL)
 		isc_mem_put(diff->mctx, mem, size);
@@ -829,19 +791,13 @@ typedef enum {
 	JOURNAL_STATE_TRANSACTION
 } journal_state_t;
 
-/*
- * XXXRTH  We use 'off_t' in the following structure.  If we continue to
- *         use stdio instead of creating an ISC file module, we'll convert
- *         'off_t' to 'long'.
- */
-
 struct dns_journal {
 	unsigned int		magic;		/* JOUR */
 	isc_mem_t		*mctx;		/* Memory context */
 	journal_state_t		state;
 	const char 		*filename;	/* Journal file name */
 	FILE *			fp;		/* File handle */
-	off_t			offset;		/* Current file offset */
+	isc_offset_t		offset;		/* Current file offset */
 	journal_header_t 	header;		/* In-core journal header */
 	journal_pos_t		*index;		/* In-core journal index */
 
@@ -872,26 +828,22 @@ struct dns_journal {
 };
 
 #define DNS_JOURNAL_MAGIC	0x4a4f5552U	/* JOUR. */
-#define DNS_JOURNAL_VALID(t)	((t) != NULL && \
-					 (t)->magic == DNS_JOURNAL_MAGIC)
+#define DNS_JOURNAL_VALID(t)	ISC_MAGIC_VALID(t, DNS_JOURNAL_MAGIC)
 
 static void
-journal_pos_decode(journal_rawpos_t *raw, journal_pos_t *cooked)
-{
+journal_pos_decode(journal_rawpos_t *raw, journal_pos_t *cooked) {
 	cooked->serial = decode_uint32(raw->serial);
 	cooked->offset = decode_uint32(raw->offset);
 }
 
 static void
-journal_pos_encode(journal_rawpos_t *raw, journal_pos_t *cooked)
-{
+journal_pos_encode(journal_rawpos_t *raw, journal_pos_t *cooked) {
 	encode_uint32(cooked->serial, raw->serial);
 	encode_uint32(cooked->offset, raw->offset);
 }
 
 static void
-journal_header_decode(journal_rawheader_t *raw, journal_header_t *cooked)
-{
+journal_header_decode(journal_rawheader_t *raw, journal_header_t *cooked) {
 	INSIST(sizeof(cooked->format) == sizeof(raw->h.format));
 	memcpy(cooked->format, raw->h.format, sizeof(cooked->format));
 	journal_pos_decode(&raw->h.begin, &cooked->begin); 
@@ -900,8 +852,7 @@ journal_header_decode(journal_rawheader_t *raw, journal_header_t *cooked)
 }
 
 static void
-journal_header_encode(journal_header_t *cooked, journal_rawheader_t *raw)
-{
+journal_header_encode(journal_header_t *cooked, journal_rawheader_t *raw) {
 	INSIST(sizeof(cooked->format) == sizeof(raw->h.format));
 	memset(raw->pad, 0, sizeof(raw->pad));
 	memcpy(raw->h.format, cooked->format, sizeof(raw->h.format));
@@ -910,100 +861,89 @@ journal_header_encode(journal_header_t *cooked, journal_rawheader_t *raw)
 	encode_uint32(cooked->index_size, raw->h.index_size);
 }
 
-
 /* Journal file I/O subroutines, with error checking and reporting. */
   
-/*
- * XXXRTH  You may not use UNIX I/O routines.  Use fread()/fwrite()/fseek().
- *	   Alternatively, we can create isc_file_t.  We may need to do this
- *	   anyway at some point, to provide "safe open" semantics (see
- *	   write_open() in BIND 8's ns_config.c).  We also need a portable
- *	   "fsync()", so isc_file_t is looking more and more probable.
- */
-
 static isc_result_t
 journal_seek(dns_journal_t *j, isc_uint32_t offset) {
-	int seek_result;
-	seek_result = fseek(j->fp, (long) offset, SEEK_SET);
-	if (seek_result != 0) {
+	isc_result_t result;
+	result = isc_stdio_seek(j->fp, (long)offset, SEEK_SET);
+	if (result != ISC_R_SUCCESS) {
 		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-				 "%s: seek: %s",
-				 j->filename, strerror(errno));
-		return (DNS_R_UNEXPECTED);
+			      "%s: seek: %s", j->filename,
+			      isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
 	}
 	j->offset = offset;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
 journal_read(dns_journal_t *j, void *mem, size_t nbytes) {
-	size_t nread;
+	isc_result_t result;
 
-	clearerr(j->fp);
-	nread = fread(mem, 1, nbytes, j->fp);
-	if (nread != nbytes) {
-		if (feof(j->fp))
-			return (DNS_R_NOMORE);
+	result = isc_stdio_read(mem, 1, nbytes, j->fp, NULL);
+	if (result != ISC_R_SUCCESS) {
+		if (result == ISC_R_EOF)
+			return (ISC_R_NOMORE);
 		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-				 "%s: read: %s",
-				 j->filename, strerror(errno));
-		return (DNS_R_UNEXPECTED);
+			      "%s: read: %s",
+			      j->filename, isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
 	}
 	j->offset += nbytes;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
 journal_write(dns_journal_t *j, void *mem, size_t nbytes) {
-	size_t nwritten;
+	isc_result_t result;
 
-	clearerr(j->fp);	
-	nwritten = fwrite(mem, 1, nbytes, j->fp);
-	if (nwritten != nbytes) {
+	result = isc_stdio_write(mem, 1, nbytes, j->fp, NULL);
+	if (result != ISC_R_SUCCESS) {
 		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-				 "%s: write: %s",
-				 j->filename, strerror(errno));
-		return (DNS_R_UNEXPECTED);
+			      "%s: write: %s",
+			      j->filename, isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
 	}
 	j->offset += nbytes;	
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
 journal_fsync(dns_journal_t *j) {
-	int r;
-	r = fflush(j->fp);
-	if (r < 0) {
+	isc_result_t result;
+	result = isc_stdio_flush(j->fp);
+	if (result != ISC_R_SUCCESS) {
 		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-				 "%s: fflush: %s",
-				 j->filename,
-				 strerror(errno));
-		return (DNS_R_UNEXPECTED);
+			      "%s: flush: %s",
+			      j->filename, isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
 	}
-	r = fsync(fileno(j->fp));
-	if (r < 0) {
+	result = isc_stdio_sync(j->fp);
+	if (result != ISC_R_SUCCESS) {
 		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-				 "%s: fsync: %s",
-				 j->filename,
-				 strerror(errno));
-		return (DNS_R_UNEXPECTED);
+			      "%s: fsync: %s",
+			      j->filename, isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
 	}
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
-/* Read/write a transaction header at the current file position. */
+/*
+ * Read/write a transaction header at the current file position.
+ */
    
 static isc_result_t
 journal_read_xhdr(dns_journal_t *j, journal_xhdr_t *xhdr) {
 	journal_rawxhdr_t raw;
 	isc_result_t result;
 	result = journal_read(j, &raw, sizeof(raw));
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	xhdr->size = decode_uint32(raw.size);
 	xhdr->serial0 = decode_uint32(raw.serial0);
 	xhdr->serial1 = decode_uint32(raw.serial1);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
@@ -1018,24 +958,25 @@ journal_write_xhdr(dns_journal_t *j, isc_uint32_t size,
 }
 
 
-/* Read an RR header at the current file position. */
+/*
+ * Read an RR header at the current file position.
+ */
    
 static isc_result_t
 journal_read_rrhdr(dns_journal_t *j, journal_rrhdr_t *rrhdr) {
 	journal_rawrrhdr_t raw;
 	isc_result_t result;
 	result = journal_read(j, &raw, sizeof(raw));
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	rrhdr->size = decode_uint32(raw.size);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
 journal_file_create(isc_mem_t *mctx, const char *filename) {
-	FILE *fp;
-	int r;
-	size_t nwritten;
+	FILE *fp = NULL;
+	isc_result_t result;
 	journal_header_t header;
 	journal_rawheader_t rawheader;
 	int index_size = 56; /* XXX configurable */
@@ -1043,13 +984,13 @@ journal_file_create(isc_mem_t *mctx, const char *filename) {
 	void *mem; /* Memory for temporary index image. */
 
 	INSIST(sizeof(journal_rawheader_t) == JOURNAL_HEADER_SIZE);
-	       
-	fp = fopen(filename, "w");
-	if (fp == 0) {
+	
+	result = isc_stdio_open(filename, "w", &fp);
+	if (result != ISC_R_SUCCESS) {
 		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
-				 "%s: create: %s",
-				 filename, strerror(errno));
-		return (DNS_R_UNEXPECTED);
+			      "%s: create: %s",
+			      filename, isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
 	}
 
 	header = initial_journal_header;
@@ -1061,42 +1002,42 @@ journal_file_create(isc_mem_t *mctx, const char *filename) {
 
 	mem = isc_mem_get(mctx, size);
 	if (mem == NULL) {
-		(void) fclose(fp);
-		(void) unlink(filename);		
-		return (DNS_R_NOMEMORY);
+		(void)isc_stdio_close(fp);
+		(void)isc_file_remove(filename);
+		return (ISC_R_NOMEMORY);
 	}
 	memset(mem, 0, size);
 	memcpy(mem, &rawheader, sizeof(rawheader));
 
-	nwritten = fwrite(mem, 1, (size_t) size, fp);
-	if (nwritten != (size_t) size) {
+	result = isc_stdio_write(mem, 1, (size_t) size, fp, NULL);
+	if (result != ISC_R_SUCCESS) {
 		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
 				 "%s: write: %s",
-				 filename, strerror(errno));
-		(void) fclose(fp);
-		(void) unlink(filename);		
+				 filename, isc_result_totext(result));
+		(void)isc_stdio_close(fp);
+		(void)isc_file_remove(filename);		
 		isc_mem_put(mctx, mem, size); 
-		return (DNS_R_UNEXPECTED);
+		return (ISC_R_UNEXPECTED);
 	}
 	isc_mem_put(mctx, mem, size); 	
 	
-	r = fclose(fp);
-	if (r != 0) {
+	result = isc_stdio_close(fp);
+	if (result != ISC_R_SUCCESS) {
 		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,		
 				 "%s: close: %s",
-				 filename, strerror(errno));
-		(void) unlink(filename);
-		return (DNS_R_UNEXPECTED);
+				 filename, isc_result_totext(result));
+		(void)isc_file_remove(filename);
+		return (ISC_R_UNEXPECTED);
 	}
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 				    
 
 isc_result_t
 dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
 		 dns_journal_t **journalp) {
-	FILE *fp;
+	FILE *fp = NULL;
 	isc_result_t result;
 	journal_rawheader_t rawheader;
 	dns_journal_t *j;
@@ -1108,13 +1049,13 @@ dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
 	
 	j->mctx = mctx;
 	j->state = JOURNAL_STATE_INVALID;
-	j->fp = 0;
+	j->fp = NULL;
 	j->filename = filename;
 	j->index = NULL;
 
-	/* XXX fopen() will need "b" (binary) on some platforms */
-	fp = fopen(j->filename, write ? "r+" : "r");
-	if (fp == 0 && errno == ENOENT) {
+	result = isc_stdio_open(j->filename, write ? "rb+" : "rb", &fp);
+
+	if (result == ISC_R_FILENOTFOUND) {
 		if (write) {
 			isc_log_write(JOURNAL_COMMON_LOGARGS,
 				      ISC_LOG_INFO,
@@ -1122,22 +1063,26 @@ dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
 				      "creating it",
 				      j->filename);
 			CHECK(journal_file_create(mctx, filename));
-			/* Retry. */
-			fp = fopen(j->filename, "r+");
+			/*
+			 * Retry.
+			 */
+			result = isc_stdio_open(j->filename, "rb+", &fp);
 		} else {
 			FAIL(ISC_R_NOTFOUND);
 		}
 	}
-	if (fp == 0) {
+	if (result != ISC_R_SUCCESS) {
 		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
 			      "%s: open: %s",
-			      j->filename, strerror(errno));
-		FAIL(DNS_R_UNEXPECTED);
+			      j->filename, isc_result_totext(result));
+		FAIL(ISC_R_UNEXPECTED);
 	}
 
 	j->fp = fp;
 
-	/* Set magic early so that seek/read can succeed. */
+	/*
+	 * Set magic early so that seek/read can succeed.
+	 */
 	j->magic = DNS_JOURNAL_MAGIC; 
 
 	CHECK(journal_seek(j, 0));
@@ -1148,7 +1093,7 @@ dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
 		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
 				 "%s: journal format not recognized",
 				 j->filename);
-		FAIL(DNS_R_UNEXPECTED);
+		FAIL(ISC_R_UNEXPECTED);
 	}
 	journal_header_decode(&rawheader, &j->header);
 
@@ -1161,7 +1106,7 @@ dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
 		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
 			      "%s: journal unexpectedly empty",
 			      j->filename);
-		FAIL(DNS_R_UNEXPECTED);
+		FAIL(ISC_R_UNEXPECTED);
 	}
 	
 	/*
@@ -1185,8 +1130,9 @@ dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
 	}
 	j->offset = -1; /* Invalid, must seek explicitly. */
 
-	/* Initialize the iterator. */
-
+	/*
+	 * Initialize the iterator.
+	 */
 	dns_name_init(&j->it.name, NULL);
 	dns_rdata_init(&j->it.rdata);
 	
@@ -1195,15 +1141,15 @@ dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
 	 * wire format RR data.  They will be reallocated
 	 * later.
 	 */
-	isc_buffer_init(&j->it.source, NULL, 0, ISC_BUFFERTYPE_BINARY);
-	isc_buffer_init(&j->it.target, NULL, 0, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&j->it.source, NULL, 0);
+	isc_buffer_init(&j->it.target, NULL, 0);
 	dns_decompress_init(&j->it.dctx, -1, ISC_FALSE);
 
 	j->state =
 		write ? JOURNAL_STATE_WRITE : JOURNAL_STATE_READ;
 	
 	*journalp = j;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 
  failure:
 	j->magic = 0;
@@ -1213,7 +1159,7 @@ dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
 		j->index = NULL;
 	}
 	if (j->fp != NULL)
-		(void) fclose(j->fp);
+		(void)isc_stdio_close(j->fp);
 	isc_mem_put(j->mctx, j, sizeof(*j));		
 	return (result);
 }
@@ -1231,8 +1177,7 @@ dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
  * rdataset merging it has to do.
  */
 static int 
-ixfr_order(const void *av, const void *bv)
-{
+ixfr_order(const void *av, const void *bv) {
 	dns_difftuple_t * const *ap = av;
 	dns_difftuple_t * const *bp = bv;
 	dns_difftuple_t *a = *ap;
@@ -1259,13 +1204,13 @@ ixfr_order(const void *av, const void *bv)
  *	*pos refers to a valid journal transaction.
  *
  * Ensures:
- *	When DNS_R_SUCCESS is returned,
+ *	When ISC_R_SUCCESS is returned,
  *	*pos refers to the next journal transaction.
  *
  * Returns one of:
  *
- *    DNS_R_SUCCESS 
- *    DNS_R_NOMORE 	*pos pointed at the last transaction
+ *    ISC_R_SUCCESS 
+ *    ISC_R_NOMORE 	*pos pointed at the last transaction
  *    Other results due to file errors are possible.
  */
 static isc_result_t
@@ -1275,41 +1220,44 @@ journal_next(dns_journal_t *j, journal_pos_t *pos) {
 	REQUIRE(DNS_JOURNAL_VALID(j));
 	
 	result = journal_seek(j, pos->offset);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 
 	/*
 	 * Read the header of the current transaction.
-	 * This will return DNS_R_NOMORE if we are at EOF.
+	 * This will return ISC_R_NOMORE if we are at EOF.
 	 */
 	result = journal_read_xhdr(j, &xhdr);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	/* Check serial number consistency. */
+	/*
+	 * Check serial number consistency.
+	 */
 	if (xhdr.serial0 != pos->serial) {
 		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
 				 "%s: journal file corrupt: "
 				 "expected serial %u, got %u",
 				 j->filename,
 				 pos->serial, xhdr.serial0);
-		return (DNS_R_UNEXPECTED);
+		return (ISC_R_UNEXPECTED);
 	}
 
-	/* Check for offset wraparound. */
+	/*
+	 * Check for offset wraparound.
+	 */
 	if (pos->offset + xhdr.size < pos->offset) {
 		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,		
 				 "%s: offset too large",
 				 j->filename);
-		return (DNS_R_UNEXPECTED);		
+		return (ISC_R_UNEXPECTED);		
 	}
 	
 	pos->offset += sizeof(journal_rawxhdr_t) + xhdr.size;
 	pos->serial = xhdr.serial1;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
-
 /*
  * If the index of the journal 'j' contains an entry "better"
  * than '*best_guess', replace '*best_guess' with it.
@@ -1344,14 +1292,18 @@ index_add(dns_journal_t *j, journal_pos_t *pos) {
 	unsigned int i;
 	if (j->index == NULL)
 		return;
-	/* Search for a vacant position. */
+	/*
+	 * Search for a vacant position.
+	 */
 	for (i = 0; i < j->header.index_size; i++) {
 		if (! POS_VALID(j->index[i]))
 			break;
 	}
 	if (i == j->header.index_size) {
 		unsigned int k = 0;
-		/* Found no vacant position.  Make some room. */
+		/*
+		 * Found no vacant position.  Make some room.
+		 */
 		for (i = 0; i < j->header.index_size; i += 2) {
 			j->index[k++] = j->index[i];
 		}
@@ -1364,7 +1316,9 @@ index_add(dns_journal_t *j, journal_pos_t *pos) {
 	INSIST(i < j->header.index_size); 
 	INSIST(! POS_VALID(j->index[i]));
 
-	/* Store the new index entry. */
+	/*
+	 * Store the new index entry.
+	 */
 	j->index[i] = *pos;
 }
 
@@ -1373,8 +1327,7 @@ index_add(dns_journal_t *j, journal_pos_t *pos) {
  * ambiguous when a new transaction with number 'serial' is added.
  */
 static void
-index_invalidate(dns_journal_t *j, isc_uint32_t serial)
-{
+index_invalidate(dns_journal_t *j, isc_uint32_t serial) {
 	unsigned int i;
 	if (j->index == NULL)
 		return;
@@ -1388,19 +1341,19 @@ index_invalidate(dns_journal_t *j, isc_uint32_t serial)
  * Try to find a transaction with initial serial number 'serial'
  * in the journal 'j'.
  *
- * If found, store its position at '*pos' and return DNS_R_SUCCESS.
+ * If found, store its position at '*pos' and return ISC_R_SUCCESS.
  *
  * If 'serial' is current (= the ending serial number of the
  * last transaction in the journal), set '*pos' to 
  * the position immediately following the last transaction and
- * return DNS_R_SUCCESS.
+ * return ISC_R_SUCCESS.
  *
  * If 'serial' is within the range of addressable serial numbers 
  * covered by the journal but that particular serial number is missing
- * (from the journal, not just from the index), return DNS_R_NOTFOUND.
+ * (from the journal, not just from the index), return ISC_R_NOTFOUND.
  *
  * If 'serial' is outside the range of addressable serial numbers
- * covered by the journal, return DNS_R_RANGE.
+ * covered by the journal, return ISC_R_RANGE.
  * 
  */
 static isc_result_t
@@ -1410,12 +1363,12 @@ journal_find(dns_journal_t *j, isc_uint32_t serial, journal_pos_t *pos) {
 	REQUIRE(DNS_JOURNAL_VALID(j));
 	
 	if (DNS_SERIAL_GT(j->header.begin.serial, serial))
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	if (DNS_SERIAL_GT(serial, j->header.end.serial))
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	if (serial == j->header.end.serial) {
 		*pos = j->header.end;
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 	}
 
 	current_pos = j->header.begin;
@@ -1423,13 +1376,13 @@ journal_find(dns_journal_t *j, isc_uint32_t serial, journal_pos_t *pos) {
 	
 	while (current_pos.serial != serial) {
 		if (DNS_SERIAL_GT(current_pos.serial, serial))
-			return (DNS_R_NOTFOUND);
+			return (ISC_R_NOTFOUND);
 		result = journal_next(j, &current_pos);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
 	*pos = current_pos;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -1467,7 +1420,7 @@ dns_journal_begin_transaction(dns_journal_t *j) {
 	j->x.pos[1].offset = j->offset;
 
 	j->state = JOURNAL_STATE_TRANSACTION;
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
  failure:
 	return (result);
 }	
@@ -1509,9 +1462,9 @@ dns_journal_writediff(dns_journal_t *j, dns_diff_t *diff) {
 
 	mem = isc_mem_get(j->mctx, size);
 	if (mem == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 	
-	isc_buffer_init(&buffer, mem, size, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&buffer, mem, size);
 
 	/*
 	 * Pass 2.  Write RRs to buffer.
@@ -1519,30 +1472,35 @@ dns_journal_writediff(dns_journal_t *j, dns_diff_t *diff) {
 	for (t = ISC_LIST_HEAD(diff->tuples); t != NULL;
 	     t = ISC_LIST_NEXT(t, link))
 	{
-		isc_region_t avail;
-		/* Write the RR header */
+		/*
+		 * Write the RR header.
+		 */
 		isc_buffer_putuint32(&buffer, t->name.length + 10 +
 				     t->rdata.length);
-		/* Write the owner name, RR header, and RR data. */
+		/*
+		 * Write the owner name, RR header, and RR data.
+		 */
 		isc_buffer_putmem(&buffer, t->name.ndata, t->name.length);
 		isc_buffer_putuint16(&buffer, t->rdata.type);
 		isc_buffer_putuint16(&buffer, t->rdata.rdclass);
 		isc_buffer_putuint32(&buffer, t->ttl);
 		INSIST(t->rdata.length < 65536);
 		isc_buffer_putuint16(&buffer, (isc_uint16_t)t->rdata.length);
-		isc_buffer_available(&buffer, &avail);
-		isc_buffer_putmem(&buffer, t->rdata.data, t->rdata.length);		
+		INSIST(isc_buffer_availablelength(&buffer) >= t->rdata.length);
+		isc_buffer_putmem(&buffer, t->rdata.data, t->rdata.length);
 	}
 	
-	isc_buffer_used(&buffer, &used);
+	isc_buffer_usedregion(&buffer, &used);
 	INSIST(used.length == size);
 
 	j->x.pos[1].offset += used.length;
 		
-	/* Write the buffer contents to the journal file. */
+	/*
+	 * Write the buffer contents to the journal file.
+	 */
 	CHECK(journal_write(j, used.base, used.length));
 
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
 
  failure:
 	if (mem != NULL)
@@ -1560,7 +1518,9 @@ dns_journal_commit(dns_journal_t *j) {
 	REQUIRE(DNS_JOURNAL_VALID(j));
 	REQUIRE(j->state == JOURNAL_STATE_TRANSACTION);
 	
-	/* Perform some basic consistency checks. */
+	/*
+	 * Perform some basic consistency checks.
+	 */
 	if (j->x.n_soa != 2) {
 		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
 			      "malformed transaction: %d SOAs",
@@ -1585,7 +1545,7 @@ dns_journal_commit(dns_journal_t *j) {
 					 j->filename,
 					 j->header.end.serial,
 					 j->x.pos[0].serial);
-			return (DNS_R_UNEXPECTED);
+			return (ISC_R_UNEXPECTED);
 		}
 	}
 	
@@ -1608,16 +1568,22 @@ dns_journal_commit(dns_journal_t *j) {
 	}
 #endif
 
-	/* Commit the transaction data to stable storage. */
+	/*
+	 * Commit the transaction data to stable storage.
+	 */
 	CHECK(journal_fsync(j));
 
-	/* Update the transaction header. */
+	/*
+	 * Update the transaction header.
+	 */
 	CHECK(journal_seek(j, j->x.pos[0].offset));
 	CHECK(journal_write_xhdr(j, (j->x.pos[1].offset - j->x.pos[0].offset) -
 				 sizeof(journal_rawxhdr_t),
 				 j->x.pos[0].serial, j->x.pos[1].serial));
 
-	/* Update the journal header. */
+	/*
+	 * Update the journal header.
+	 */
 	if (JOURNAL_EMPTY(&j->header)) {
 		j->header.begin = j->x.pos[0];
 	}
@@ -1626,7 +1592,9 @@ dns_journal_commit(dns_journal_t *j) {
 	CHECK(journal_seek(j, 0));
 	CHECK(journal_write(j, &rawheader, sizeof(rawheader)));
 	
-	/* Update the index.  Byte swap in-place if necessary. */
+	/*
+	 * Update the index.  Byte swap in-place if necessary.
+	 */
 	index_add(j, &j->x.pos[0]);
 	if (j->header.index_size != 0) {
 		unsigned int i;
@@ -1638,19 +1606,25 @@ dns_journal_commit(dns_journal_t *j) {
 				    sizeof(journal_rawpos_t)));
 	}
 
-	/* Commit the header to stable storage. */
+	/*
+	 * Commit the header to stable storage.
+	 */
 	CHECK(journal_fsync(j));
 
-	/* Undo the byte swapping. */
+	/*
+	 * Undo the byte swapping.
+	 */
 	for (i = 0; i < j->header.index_size; i++) {
 		j->index[i].serial = ntohl(j->index[i].serial);
 		j->index[i].offset = ntohl(j->index[i].offset);
 	}
 
-	/* We no longer have a transaction open. */
+	/*
+	 * We no longer have a transaction open.
+	 */
 	j->state = JOURNAL_STATE_WRITE;
 	
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
 
  failure:
 	return (result);
@@ -1663,7 +1637,7 @@ dns_journal_write_transaction(dns_journal_t *j, dns_diff_t *diff) {
 	CHECK(dns_journal_begin_transaction(j));
 	CHECK(dns_journal_writediff(j, diff));
 	CHECK(dns_journal_commit(j));
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
  failure:
 	return (result);
 }
@@ -1685,7 +1659,7 @@ dns_journal_destroy(dns_journal_t **journalp) {
 		isc_mem_put(j->mctx, j->it.source.base, j->it.source.length);
 
 	if (j->fp != NULL)
-		(void) fclose(j->fp);
+		(void)isc_stdio_close(j->fp);
 	j->magic = 0;
 	isc_mem_put(j->mctx, j, sizeof(*j));
 	*journalp = NULL;
@@ -1721,16 +1695,22 @@ roll_forward(dns_journal_t *j, dns_db_t *db) {
 	 * wire format transaction data.  They will be reallocated
 	 * later.
 	 */
-	isc_buffer_init(&source, NULL, 0, ISC_BUFFERTYPE_BINARY);
-	isc_buffer_init(&target, NULL, 0, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&source, NULL, 0);
+	isc_buffer_init(&target, NULL, 0);
 
-	/* Create the new database version. */
+	/*
+	 * Create the new database version.
+	 */
 	CHECK(dns_db_newversion(db, &ver));
 
-	/* Get the current database SOA serial number. */
+	/*
+	 * Get the current database SOA serial number.
+	 */
 	CHECK(dns_db_getsoaserial(db, ver, &db_serial));
 
-	/* Locate a journal entry for the current database serial. */
+	/*
+	 * Locate a journal entry for the current database serial.
+	 */
 	CHECK(journal_find(j, db_serial, &pos));
         /*
 	 * XXX do more drastic things, like marking zone stale,
@@ -1749,7 +1729,7 @@ roll_forward(dns_journal_t *j, dns_db_t *db) {
 	CHECK(dns_journal_iter_init(j, db_serial, end_serial));
 
 	for (result = dns_journal_first_rr(j);
-	     result == DNS_R_SUCCESS;
+	     result == ISC_R_SUCCESS;
 	     result = dns_journal_next_rr(j))
 	{
 		dns_name_t *name;
@@ -1770,7 +1750,7 @@ roll_forward(dns_journal_t *j, dns_db_t *db) {
 			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,			
 					 "%s: journal file corrupt: missing "
 					 "initial SOA", j->filename);
-			FAIL(DNS_R_UNEXPECTED);
+			FAIL(ISC_R_UNEXPECTED);
 		}
 		CHECK(dns_difftuple_create(diff.mctx, n_soa == 1 ?
 					   DNS_DIFFOP_DEL : DNS_DIFFOP_ADD,
@@ -1786,8 +1766,8 @@ roll_forward(dns_journal_t *j, dns_db_t *db) {
 			n_put = 0;
 		}
 	}
-	if (result == DNS_R_NOMORE)
-		result = DNS_R_SUCCESS;
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
 	CHECK(result);
 
 	if (n_put != 0) {
@@ -1800,7 +1780,7 @@ roll_forward(dns_journal_t *j, dns_db_t *db) {
 	
  failure:
 	if (ver != NULL)
-		dns_db_closeversion(db, &ver, result == DNS_R_SUCCESS ?
+		dns_db_closeversion(db, &ver, result == ISC_R_SUCCESS ?
 				    ISC_TRUE : ISC_FALSE);
 
 	if (source.base != NULL)
@@ -1823,12 +1803,12 @@ dns_journal_rollforward(isc_mem_t *mctx, dns_db_t *db, const char *filename) {
 	
 	j = NULL;
 	result = dns_journal_open(mctx, filename, ISC_FALSE, &j);
-	if (result == DNS_R_NOTFOUND) {
+	if (result == ISC_R_NOTFOUND) {
 		isc_log_write(JOURNAL_DEBUG_LOGARGS(3),
 			      "no journal file, but that's OK");
 		return (DNS_R_NOJOURNAL);
 	}
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	result = roll_forward(j, db);
 
@@ -1853,12 +1833,12 @@ dns_journal_print(isc_mem_t *mctx, const char *filename, FILE *file) {
 
 	j = NULL;
 	result = dns_journal_open(mctx, filename, ISC_FALSE, &j);
-	if (result == DNS_R_NOTFOUND) {
+	if (result == ISC_R_NOTFOUND) {
 		isc_log_write(JOURNAL_DEBUG_LOGARGS(3), "no journal file");
 		return (DNS_R_NOJOURNAL);
 	}
 
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
 			      "journal open failure");
 		return (result);
@@ -1871,8 +1851,8 @@ dns_journal_print(isc_mem_t *mctx, const char *filename, FILE *file) {
 	 * wire format transaction data.  They will be reallocated
 	 * later.
 	 */
-	isc_buffer_init(&source, NULL, 0, ISC_BUFFERTYPE_BINARY);
-	isc_buffer_init(&target, NULL, 0, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&source, NULL, 0);
+	isc_buffer_init(&target, NULL, 0);
 
 	start_serial = dns_journal_first_serial(j);
 	end_serial = dns_journal_last_serial(j);
@@ -1880,7 +1860,7 @@ dns_journal_print(isc_mem_t *mctx, const char *filename, FILE *file) {
 	CHECK(dns_journal_iter_init(j, start_serial, end_serial));
 
 	for (result = dns_journal_first_rr(j);
-	     result == DNS_R_SUCCESS;
+	     result == ISC_R_SUCCESS;
 	     result = dns_journal_next_rr(j))
 	{
 		dns_name_t *name;
@@ -1901,7 +1881,7 @@ dns_journal_print(isc_mem_t *mctx, const char *filename, FILE *file) {
 		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
 					 "%s: journal file corrupt: missing "
 					 "initial SOA", j->filename);
-			FAIL(DNS_R_UNEXPECTED);
+			FAIL(ISC_R_UNEXPECTED);
 		}
 		CHECK(dns_difftuple_create(diff.mctx, n_soa == 1 ?
 					   DNS_DIFFOP_DEL : DNS_DIFFOP_ADD,
@@ -1912,12 +1892,12 @@ dns_journal_print(isc_mem_t *mctx, const char *filename, FILE *file) {
 			result = dns_diff_print(&diff, file);
 			dns_diff_clear(&diff);
 			n_put = 0;
-			if (result != DNS_R_SUCCESS)
+			if (result != ISC_R_SUCCESS)
 				break;
 		}
 	}
-	if (result == DNS_R_NOMORE)
-		result = DNS_R_SUCCESS;
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
 	CHECK(result);
 
 	if (n_put != 0) {
@@ -1982,14 +1962,14 @@ size_buffer(isc_mem_t *mctx, isc_buffer_t *b, unsigned size) {
 	if (b->length < size) {
 		void *mem = isc_mem_get(mctx, size);
 		if (mem == NULL)
-			return (DNS_R_NOMEMORY);
+			return (ISC_R_NOMEMORY);
 		if (b->base != NULL)
 			isc_mem_put(mctx, b->base, b->length);
 		b->base = mem;
 		b->length = size;
 	}
 	isc_buffer_clear(b);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -2004,7 +1984,7 @@ dns_journal_iter_init(dns_journal_t *j,
 	CHECK(journal_find(j, end_serial, &j->it.epos)); 
 	INSIST(j->it.epos.serial == end_serial);
 
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
  failure:
 	j->it.result = result;
 	return (j->it.result);
@@ -2012,8 +1992,7 @@ dns_journal_iter_init(dns_journal_t *j,
 
 
 isc_result_t
-dns_journal_first_rr(dns_journal_t *j)
-{
+dns_journal_first_rr(dns_journal_t *j) {
 	isc_result_t result;
 
 	/* 
@@ -2042,7 +2021,6 @@ read_one_rr(dns_journal_t *j) {
 	isc_uint32_t ttl;
 	journal_xhdr_t xhdr;
 	journal_rrhdr_t rrhdr;
-	isc_region_t r;
 
 	/*
 	 * XXXRTH  Need to resolve the comparison between int and unsigned
@@ -2051,7 +2029,7 @@ read_one_rr(dns_journal_t *j) {
 	 */
 	INSIST(j->offset <= j->it.epos.offset);
 	if (j->offset == j->it.epos.offset)
-		return (DNS_R_NOMORE);
+		return (ISC_R_NOMORE);
 	if (j->it.xpos == j->it.xsize) {
 		/*
 		 * We are at a transaction boundary.
@@ -2061,7 +2039,7 @@ read_one_rr(dns_journal_t *j) {
 		if (xhdr.size == 0) {
 			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
 				      "journal corrupt: empty transaction");
-			FAIL(DNS_R_UNEXPECTED);
+			FAIL(ISC_R_UNEXPECTED);
 		}
 		if (xhdr.serial0 != j->it.current_serial) {
 			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
@@ -2069,12 +2047,14 @@ read_one_rr(dns_journal_t *j) {
 					 "expected serial %u, got %u",
 					 j->filename,
 					 j->it.current_serial, xhdr.serial0);
-			FAIL(DNS_R_UNEXPECTED);
+			FAIL(ISC_R_UNEXPECTED);
 		}
 		j->it.xsize = xhdr.size;
 		j->it.xpos = 0;
 	}
-	/* Read an RR. */
+	/*
+	 * Read an RR.
+	 */
 	result = journal_read_rrhdr(j, &rrhdr);
 	/*
 	 * Perform a sanity check on the journal RR size.
@@ -2087,7 +2067,7 @@ read_one_rr(dns_journal_t *j) {
 		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
 				 "%s: journal corrupt: impossible RR size "
 				 "(%d bytes)", j->filename, rrhdr.size);
-		FAIL(DNS_R_UNEXPECTED);
+		FAIL(ISC_R_UNEXPECTED);
 	}
 	
 	CHECK(size_buffer(j->mctx, &j->it.source, rrhdr.size));
@@ -2112,9 +2092,10 @@ read_one_rr(dns_journal_t *j) {
 	CHECK(dns_name_fromwire(&j->it.name, &j->it.source,
 				&j->it.dctx, ISC_FALSE, &j->it.target));
 
-	/* Check that the RR header is there, and parse it. */
-	isc_buffer_remaining(&j->it.source, &r);
-	if (r.length < 10)
+	/*
+	 * Check that the RR header is there, and parse it.
+	 */
+	if (isc_buffer_remaininglength(&j->it.source) < 10)
 		FAIL(DNS_R_FORMERR);
 	
 	rdtype = isc_buffer_getuint16(&j->it.source);
@@ -2122,7 +2103,9 @@ read_one_rr(dns_journal_t *j) {
 	ttl = isc_buffer_getuint32(&j->it.source);
 	rdlen = isc_buffer_getuint16(&j->it.source);
 
-	/* Parse the rdata. */
+	/*
+	 * Parse the rdata.
+	 */
 	isc_buffer_setactive(&j->it.source, rdlen);
 	CHECK(dns_rdata_fromwire(&j->it.rdata, rdclass,
 				 rdtype, &j->it.source, &j->it.dctx,
@@ -2135,7 +2118,7 @@ read_one_rr(dns_journal_t *j) {
 		j->it.current_serial = dns_soa_getserial(&j->it.rdata);
 	}
 		
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
 
  failure:
 	j->it.result = result;
@@ -2152,7 +2135,7 @@ void
 dns_journal_current_rr(dns_journal_t *j, dns_name_t **name, isc_uint32_t *ttl,
 		   dns_rdata_t **rdata)
 {
-	REQUIRE(j->it.result == DNS_R_SUCCESS);
+	REQUIRE(j->it.result == ISC_R_SUCCESS);
 	*name = &j->it.name;
 	*ttl = j->it.ttl;
 	*rdata = &j->it.rdata;
@@ -2183,15 +2166,15 @@ get_name_diff(dns_db_t *db, dns_dbversion_t *ver, isc_stdtime_t now,
 	dns_difftuple_t *tuple = NULL;
 
 	result = dns_dbiterator_current(dbit, &node, name);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	
 	result = dns_db_allrdatasets(db, node, ver, now, &rdsiter);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto cleanup_node;
 
 	for (result = dns_rdatasetiter_first(rdsiter);
-	     result == DNS_R_SUCCESS;
+	     result == ISC_R_SUCCESS;
 	     result = dns_rdatasetiter_next(rdsiter))
 	{
 		dns_rdataset_t rdataset;
@@ -2200,7 +2183,7 @@ get_name_diff(dns_db_t *db, dns_dbversion_t *ver, isc_stdtime_t now,
 		dns_rdatasetiter_current(rdsiter, &rdataset);
 
 		for (result = dns_rdataset_first(&rdataset);
-		     result == DNS_R_SUCCESS;
+		     result == ISC_R_SUCCESS;
 		     result = dns_rdataset_next(&rdataset))
 		{
 			dns_rdata_t rdata;
@@ -2208,20 +2191,20 @@ get_name_diff(dns_db_t *db, dns_dbversion_t *ver, isc_stdtime_t now,
 			result = dns_difftuple_create(diff->mctx, op, name,
 						      rdataset.ttl, &rdata,
 						      &tuple);
-			if (result != DNS_R_SUCCESS) {
+			if (result != ISC_R_SUCCESS) {
 				dns_rdataset_disassociate(&rdataset);
 				goto cleanup_iterator;
 			}
 			dns_diff_append(diff, &tuple);
 		}
 		dns_rdataset_disassociate(&rdataset);
-		if (result != DNS_R_NOMORE)
+		if (result != ISC_R_NOMORE)
 			goto cleanup_iterator;
 	}
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		goto cleanup_iterator;
 	
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
 
  cleanup_iterator:
 	dns_rdatasetiter_destroy(&rdsiter);
@@ -2239,8 +2222,7 @@ get_name_diff(dns_db_t *db, dns_dbversion_t *ver, isc_stdtime_t now,
  * it is known to be the same for all tuples.
  */
 static int
-rdata_order(const void *av, const void *bv)
-{
+rdata_order(const void *av, const void *bv) {
 	dns_difftuple_t * const *ap = av;
 	dns_difftuple_t * const *bp = bv;
 	dns_difftuple_t *a = *ap;
@@ -2254,8 +2236,7 @@ rdata_order(const void *av, const void *bv)
 }
 
 static isc_result_t
-dns_diff_subtract(dns_diff_t diff[2], dns_diff_t *r)
-{
+dns_diff_subtract(dns_diff_t diff[2], dns_diff_t *r) {
 	isc_result_t result;
 	dns_difftuple_t *p[2];
 	int i, t;
@@ -2341,7 +2322,7 @@ dns_db_diff(isc_mem_t *mctx,
 
 	for (;;) {
 		for (i = 0; i < 2; i++) {
-			if (! have[i] && itresult[i] == DNS_R_SUCCESS) {
+			if (! have[i] && itresult[i] == ISC_R_SUCCESS) {
 				CHECK(get_name_diff(db[i], ver[i], 0, dbit[i],
 					    dns_fixedname_name(&fixname[i]),
 					    i == 0 ?
@@ -2392,9 +2373,9 @@ dns_db_diff(isc_mem_t *mctx,
 		have[0] = have[1] = ISC_FALSE;
 	next: ;
 	}
-	if (itresult[0] != DNS_R_NOMORE)
+	if (itresult[0] != ISC_R_NOMORE)
 		FAIL(itresult[0]);
-	if (itresult[1] != DNS_R_NOMORE)
+	if (itresult[1] != ISC_R_NOMORE)
 		FAIL(itresult[1]);
 
 	if (ISC_LIST_EMPTY(resultdiff.tuples)) {
diff --git a/lib/dns/keytable.c b/lib/dns/keytable.c
index 35a7230d..847f5087 100644
--- a/lib/dns/keytable.c
+++ b/lib/dns/keytable.c
@@ -17,20 +17,15 @@
 
 #include <config.h>
 
-#include <stddef.h>
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isc/buffer.h>
-#include <isc/magic.h>
+#include <isc/mem.h>
 #include <isc/rwlock.h>
-#include <isc/result.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
 #include <isc/util.h>
 
 #include <dns/keytable.h>
 #include <dns/fixedname.h>
-#include <dns/name.h>
 #include <dns/rbt.h>
+#include <dns/result.h>
 
 struct dns_keytable {
 	/* Unlocked. */
@@ -57,6 +52,18 @@ struct dns_keynode {
 #define KEYNODE_MAGIC			0x4b4e6f64U	/* KNod */
 #define VALID_KEYNODE(kn)	 	ISC_MAGIC_VALID(kn, KEYNODE_MAGIC)
 
+static void
+free_keynode(void *node, void *arg) {
+	dns_keynode_t *keynode = node;
+	isc_mem_t *mctx = arg;
+
+	REQUIRE(VALID_KEYNODE(keynode));
+	dst_key_free(&keynode->key);
+	if (keynode->next != NULL)
+		free_keynode(keynode->next, mctx);
+	isc_mem_put(mctx, keynode, sizeof(dns_keynode_t));
+}
+
 isc_result_t
 dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep) {
 	dns_keytable_t *keytable;
@@ -70,10 +77,10 @@ dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep) {
 
 	keytable = isc_mem_get(mctx, sizeof *keytable);
 	if (keytable == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
 	keytable->table = NULL;
-	result = dns_rbt_create(mctx, NULL, NULL, &keytable->table);
+	result = dns_rbt_create(mctx, free_keynode, mctx, &keytable->table);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_keytable;
 
@@ -192,7 +199,7 @@ dns_keytable_add(dns_keytable_t *keytable, dst_key_t **keyp) {
 	keyname = dst_key_name(*keyp);
 	INSIST(keyname != NULL);
 	len = strlen(keyname);
-	isc_buffer_init(&buffer, keyname, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&buffer, keyname, len);
 	isc_buffer_add(&buffer, len);
 	dns_fixedname_init(&fname);
 	result = dns_name_fromtext(dns_fixedname_name(&fname), &buffer,
@@ -217,6 +224,7 @@ dns_keytable_add(dns_keytable_t *keytable, dst_key_t **keyp) {
 		node->data = knode;
 		*keyp = NULL;
 		knode = NULL;
+		result = ISC_R_SUCCESS;
 	}
 
 	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
@@ -249,7 +257,7 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
 
 	knode = NULL;
 	data = NULL;
-	result = dns_rbt_findname(keytable->table, name, NULL, &data);
+	result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
 
 	if (result == ISC_R_SUCCESS) {
 		INSIST(data != NULL);
@@ -273,9 +281,69 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
 	return (result);
 }
 
+isc_result_t
+dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
+			     dns_keynode_t **nextnodep)
+{
+	isc_result_t result;
+	dns_keynode_t *knode;
+
+	/*
+	 * Search for the next key with the same properties as 'keynode' in
+	 * 'keytable'.
+	 */
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(VALID_KEYNODE(keynode));
+	REQUIRE(nextnodep != NULL && *nextnodep == NULL);
+
+	for (knode = keynode->next; knode != NULL; knode = knode->next) {
+		if (dst_key_alg(keynode->key) == dst_key_alg(knode->key) &&
+		    dst_key_id(keynode->key) == dst_key_id(knode->key))
+			break;
+	}
+	if (knode != NULL) {
+		LOCK(&keytable->lock);
+		keytable->active_nodes++;
+		UNLOCK(&keytable->lock);
+		result = ISC_R_SUCCESS;
+		*nextnodep = knode;
+	} else
+		result = ISC_R_NOTFOUND;
+
+	return (result);
+}
+
+isc_result_t
+dns_keytable_finddeepestmatch(dns_keytable_t *keytable, dns_name_t *name,
+			      dns_name_t *foundname)
+{
+	isc_result_t result;
+	void *data;
+
+	/*
+	 * Search for the deepest match in 'keytable'.
+	 */
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(foundname != NULL);
+
+	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+	data = NULL;
+	result = dns_rbt_findname(keytable->table, name, 0, foundname, &data);
+
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+		result = ISC_R_SUCCESS;
+
+	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+	return (result);
+}
+
 void
-dns_keytable_detachkeynode(dns_keytable_t *keytable,
-			   dns_keynode_t **keynodep)
+dns_keytable_detachkeynode(dns_keytable_t *keytable, dns_keynode_t **keynodep)
 {
 	/*
 	 * Give back a keynode found via dns_keytable_findkeynode().
@@ -310,7 +378,7 @@ dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
 	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
 
 	data = NULL;
-	result = dns_rbt_findname(keytable->table, name, NULL, &data);
+	result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
 
 	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
 		INSIST(data != NULL);
diff --git a/lib/dns/lib.c b/lib/dns/lib.c
index 7f808843..cfc5a278 100644
--- a/lib/dns/lib.c
+++ b/lib/dns/lib.c
@@ -17,11 +17,9 @@
 
 #include <config.h>
 
-#include <stddef.h>
-
 #include <isc/once.h>
-#include <isc/error.h>
 #include <isc/msgcat.h>
+#include <isc/util.h>
 
 #include <dns/lib.h>
 
diff --git a/lib/dns/log.c b/lib/dns/log.c
index ab87b8f9..32fc4e15 100644
--- a/lib/dns/log.c
+++ b/lib/dns/log.c
@@ -15,16 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: log.c,v 1.15 2000/03/23 00:53:44 gson Exp $ */
+/* $Id: log.c,v 1.23 2000/05/09 23:31:10 gson Exp $ */
 
 /* Principal Authors: DCL */
 
-#include <isc/assertions.h>
-#include <isc/log.h>
-#include <isc/result.h>
+#include <config.h>
+
+#include <isc/util.h>
 
 #include <dns/log.h>
-#include <dns/result.h>
 
 /*
  * When adding a new category, be sure to add the appropriate
@@ -35,10 +34,11 @@ isc_logcategory_t dns_categories[] = {
 	{ "database", 	0 },
 	{ "security", 	0 },
 	{ "config",	0 },
-	{ "",		0 },
+	{ "dnssec",	0 },
 	{ "resolver",	0 },
 	{ "xfer-in",	0 },
 	{ "xfer-out",	0 },
+	{ "dispatch",	0 },
 	{ NULL, 	0 }
 };
 
@@ -48,9 +48,9 @@ isc_logcategory_t dns_categories[] = {
  */
 isc_logmodule_t dns_modules[] = {
 	{ "dns/db",	 	0 },
-	{ "dns/rbtdb", 		0 }, 
-	{ "dns/rbtdb64", 	0 }, 
-	{ "dns/rbt", 		0 }, 
+	{ "dns/rbtdb", 		0 },
+	{ "dns/rbtdb64", 	0 },
+	{ "dns/rbt", 		0 },
 	{ "dns/rdata", 		0 },
 	{ "dns/master", 	0 },
 	{ "dns/message", 	0 },
@@ -62,18 +62,27 @@ isc_logmodule_t dns_modules[] = {
 	{ "dns/adb",		0 },
 	{ "dns/xfrin",		0 },
 	{ "dns/xfrout",		0 },
-	{ "dns/acl",		0 },	
+	{ "dns/acl",		0 },
+	{ "dns/validator",	0 },
+	{ "dns/dispatch",	0 },
+	{ "dns/request",	0 },
+	{ "dns/masterdump",	0 },
 	{ NULL, 		0 }
 };
 
-isc_log_t *dns_lctx;
+isc_log_t *dns_lctx = NULL;
 
 void
 dns_log_init(isc_log_t *lctx) {
-	REQUIRE(dns_lctx == NULL);
+	REQUIRE(lctx != NULL);
 
 	isc_log_registercategories(lctx, dns_categories);
 	isc_log_registermodules(lctx, dns_modules);
+}
+
+void
+dns_log_setcontext(isc_log_t *lctx) {
+	REQUIRE(dns_lctx == NULL);
 
 	dns_lctx = lctx;
 }
diff --git a/lib/dns/master.c b/lib/dns/master.c
index fb98766e..d1a86261 100644
--- a/lib/dns/master.c
+++ b/lib/dns/master.c
@@ -15,31 +15,25 @@
  * SOFTWARE.
  */
 
-/* $Id: master.c,v 1.45 2000/03/22 19:27:51 gson Exp $ */
+/* $Id: master.c,v 1.52 2000/05/08 14:34:42 tale Exp $ */
 
 #include <config.h>
 
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <limits.h>
-#include <time.h>
-
 #include <isc/lex.h>
-#include <isc/list.h>
 #include <isc/mem.h>
-#include <isc/assertions.h>
-#include <isc/error.h>
 #include <isc/stdtime.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
+#include <dns/callbacks.h>
 #include <dns/master.h>
-#include <dns/types.h>
-#include <dns/result.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
-#include <dns/rdataclass.h>
 #include <dns/rdatatype.h>
-#include <dns/rdata.h>
+#include <dns/result.h>
 #include <dns/time.h>
 #include <dns/ttl.h>
 
@@ -91,32 +85,37 @@ typedef struct {
 	isc_boolean_t 	warn_1035;
 } loadctx_t;
 
-static isc_result_t	loadfile(const char *master_file, dns_name_t *top,
-				 dns_name_t *origin,
-				 dns_rdataclass_t zclass, isc_boolean_t age_ttl,
-				 int *soacount, int *nscount,
-				 dns_rdatacallbacks_t *callbacks,
-				 loadctx_t *ctx,
-				 isc_mem_t *mctx);
-static isc_result_t	commit(dns_rdatacallbacks_t *, rdatalist_head_t *,
-			       dns_name_t *);
-static isc_boolean_t	is_glue(rdatalist_head_t *, dns_name_t *);
-static dns_rdatalist_t	*grow_rdatalist(int, dns_rdatalist_t *, int,
-				        rdatalist_head_t *,
-					rdatalist_head_t *,
-					isc_mem_t *mctx);
-static dns_rdata_t	*grow_rdata(int, dns_rdata_t *, int,
-				    rdatalist_head_t *, rdatalist_head_t *,
-				    isc_mem_t *);
-static isc_boolean_t	on_list(dns_rdatalist_t *this, dns_rdata_t *rdata);
+static isc_result_t
+loadfile(const char *master_file, dns_name_t *top, dns_name_t *origin,
+	 dns_rdataclass_t zclass, isc_boolean_t age_ttl, int *soacount,
+	 int *nscount, dns_rdatacallbacks_t *callbacks, loadctx_t *ctx,
+	 isc_mem_t *mctx);
+
+static isc_result_t
+commit(dns_rdatacallbacks_t *, isc_lex_t *, rdatalist_head_t *, dns_name_t *,
+       dns_name_t *);
+
+static isc_boolean_t
+is_glue(rdatalist_head_t *, dns_name_t *);
+
+static dns_rdatalist_t *
+grow_rdatalist(int, dns_rdatalist_t *, int, rdatalist_head_t *,
+		rdatalist_head_t *, isc_mem_t *mctx);
+
+static dns_rdata_t *
+grow_rdata(int, dns_rdata_t *, int, rdatalist_head_t *, rdatalist_head_t *,
+	   isc_mem_t *);
+
+static isc_boolean_t
+on_list(dns_rdatalist_t *this, dns_rdata_t *rdata);
 
 #define GETTOKEN(lexer, options, token, eol) \
 	do { \
 		result = gettoken(lexer, options, token, eol, callbacks); \
 		switch (result) { \
-		case DNS_R_SUCCESS: \
+		case ISC_R_SUCCESS: \
 			break; \
-		case DNS_R_UNEXPECTED: \
+		case ISC_R_UNEXPECTED: \
 			goto cleanup; \
 		default: \
 			goto error_cleanup; \
@@ -135,12 +134,12 @@ gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *token,
 	if (result != ISC_R_SUCCESS) {
 		switch (result) {
 		case ISC_R_NOMEMORY:
-			return (DNS_R_NOMEMORY);
+			return (ISC_R_NOMEMORY);
 		default:
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 				"isc_lex_gettoken() failed: %s",
 				isc_result_totext(result));
-			return (DNS_R_UNEXPECTED);
+			return (ISC_R_UNEXPECTED);
 		}
 		/*NOTREACHED*/
 	}
@@ -154,9 +153,9 @@ gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *token,
 					    (token->type ==
 					     isc_tokentype_eol) ?
 					    "line" : "file");
-			return (DNS_R_UNEXPECTEDEND);
+			return (ISC_R_UNEXPECTEDEND);
 		}
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static void
@@ -190,7 +189,7 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
 	isc_boolean_t read_till_eol = ISC_FALSE;
 	char *include_file = NULL;
 	isc_token_t token;
-	isc_result_t result = DNS_R_UNEXPECTED; 
+	isc_result_t result = ISC_R_UNEXPECTED; 
 	rdatalist_head_t glue_list;
 	rdatalist_head_t current_list;
 	dns_rdatalist_t *this;
@@ -248,11 +247,10 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
 	 */
 	target_mem = isc_mem_get(mctx, target_size);
 	if (target_mem == NULL) {
-		result = DNS_R_NOMEMORY;
+		result = ISC_R_NOMEMORY;
 		goto error_cleanup;
 	}
-	isc_buffer_init(&target, target_mem, target_size,
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&target, target_mem, target_size);
 	target_save = target;
 
 	memset(name_in_use, 0, NBUFS * sizeof(isc_boolean_t));
@@ -283,7 +281,9 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
 				result = DNS_R_NOOWNER;
 				goto cleanup;
 			}
-			/* Still working on the same name. */
+			/*
+			 * Still working on the same name.
+			 */
 		} else if (token.type == isc_tokentype_string) {
 
 			/*
@@ -303,9 +303,9 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
 				              "$TTL") == 0) {
 				GETTOKEN(lex, 0, &token, ISC_FALSE);
 				result =
-				    dns_ttl_fromtext(&token.value.as_textregion,
-						     &ctx->ttl);
-				if (result != DNS_R_SUCCESS)
+				   dns_ttl_fromtext(&token.value.as_textregion,
+						    &ctx->ttl);
+				if (result != ISC_R_SUCCESS)
 					goto cleanup;
 				if (ctx->ttl > 0x7fffffffUL) {
 					(callbacks->warn)(callbacks,
@@ -335,7 +335,7 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
 				include_file = isc_mem_strdup(mctx,
 						token.value.as_pointer);
 				if (include_file == NULL) {
-					result = DNS_R_NOMEMORY;
+					result = ISC_R_NOMEMORY;
 					goto error_cleanup;
 				}
 				GETTOKEN(lex, 0, &token, ISC_TRUE);
@@ -354,7 +354,7 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
 							  callbacks,
 							  ctx,
 							  mctx);
-					if (result != DNS_R_SUCCESS)
+					if (result != ISC_R_SUCCESS)
 						goto cleanup;
 					isc_lex_ungettoken(lex, &token);
 					continue;
@@ -417,17 +417,16 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
 					break;
 			INSIST(new_in_use < NBUFS);
 			isc_buffer_init(&name, &name_buf[new_in_use][0],
-					MAXWIRESZ, ISC_BUFFERTYPE_BINARY);
+					MAXWIRESZ);
 			dns_name_init(&new_name, NULL);
 			isc_buffer_init(&buffer, token.value.as_region.base,
-					token.value.as_region.length,
-					ISC_BUFFERTYPE_TEXT);
+					token.value.as_region.length);
 			isc_buffer_add(&buffer, token.value.as_region.length);
 			isc_buffer_setactive(&buffer,
 					     token.value.as_region.length);
 			result = dns_name_fromtext(&new_name, &buffer,
 					  &origin_name, ISC_FALSE, &name);
-			if (result != DNS_R_SUCCESS)
+			if (result != ISC_R_SUCCESS)
 				goto error_cleanup;
 
 			/*
@@ -453,7 +452,7 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
 						  callbacks,
 						  ctx,
 						  mctx);
-				if (result != DNS_R_SUCCESS)
+				if (result != ISC_R_SUCCESS)
 					goto cleanup;
 				finish_include = ISC_FALSE;
 				continue;
@@ -471,9 +470,9 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
 			 */
 			if (in_glue && dns_name_compare(&glue_name,
 							&new_name) != 0) {
-				result = commit(callbacks, &glue_list,
-						&glue_name);
-				if (result != DNS_R_SUCCESS)
+				result = commit(callbacks, lex, &glue_list,
+						&glue_name, top);
+				if (result != ISC_R_SUCCESS)
 					goto cleanup;
 				if (glue_in_use != -1)
 					name_in_use[glue_in_use] = ISC_FALSE;
@@ -504,10 +503,10 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
 					glue_in_use = new_in_use;
 					name_in_use[glue_in_use] = ISC_TRUE;
 				} else {
-					result = commit(callbacks,
+					result = commit(callbacks, lex,
 							&current_list,
-							&current_name);
-					if (result != DNS_R_SUCCESS)
+							&current_name, top);
+					if (result != ISC_R_SUCCESS)
 						goto cleanup;
 					rdcount = 0;
 					rdlcount = 0;
@@ -520,8 +519,7 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
 					current_known = ISC_TRUE;
 					current_has_delegation = ISC_FALSE;
 					isc_buffer_init(&target, target_mem,
-							target_size,
-							ISC_BUFFERTYPE_BINARY);
+							target_size);
 				}
 			}
 		} else {
@@ -530,7 +528,7 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
 					 isc_lex_getsourcename(lex),
 					 isc_lex_getsourceline(lex),
 					 token.type);
-			result = DNS_R_UNEXPECTED;
+			result = ISC_R_UNEXPECTED;
 			goto cleanup;
 		}
 
@@ -550,11 +548,11 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
 
 		if (dns_rdataclass_fromtext(&rdclass,
 					    &token.value.as_textregion)
-				== DNS_R_SUCCESS)
+				== ISC_R_SUCCESS)
 			GETTOKEN(lex, 0, &token, ISC_FALSE);
 
 		if (dns_ttl_fromtext(&token.value.as_textregion, &ctx->ttl)
-				== DNS_R_SUCCESS) {
+				== ISC_R_SUCCESS) {
 			if (ctx->ttl > 0x7fffffffUL) {
 				(callbacks->warn)(callbacks,
 	"dns_master_load: %s:%d: TTL %lu > MAXTTL, setting TTL to 0",
@@ -590,26 +588,26 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
 		if (token.type != isc_tokentype_string) {
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 			"isc_lex_gettoken() returned unexpected token type");
-			result = DNS_R_UNEXPECTED;
+			result = ISC_R_UNEXPECTED;
 			goto cleanup;
 		}
 			
 		if (rdclass == 0 &&
 		    dns_rdataclass_fromtext(&rdclass,
 					    &token.value.as_textregion)
-				== DNS_R_SUCCESS)
+				== ISC_R_SUCCESS)
 			GETTOKEN(lex, 0, &token, ISC_FALSE);
 
 		if (token.type !=  isc_tokentype_string) {
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 			"isc_lex_gettoken() returned unexpected token type");
-			result = DNS_R_UNEXPECTED;
+			result = ISC_R_UNEXPECTED;
 			goto cleanup;
 		}
 
 		result = dns_rdatatype_fromtext(&type,
 						&token.value.as_textregion);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 
 		/*
@@ -623,29 +621,27 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
 			isc_buffer_t buffer;
 			isc_region_t region;
 
-			isc_buffer_init(&buffer, buf1, sizeof buf1,
-					ISC_BUFFERTYPE_TEXT);
+			isc_buffer_init(&buffer, buf1, sizeof(buf1));
 			result = dns_rdataclass_totext(rdclass, &buffer);
-			if (result != DNS_R_SUCCESS) {
+			if (result != ISC_R_SUCCESS) {
 				UNEXPECTED_ERROR(__FILE__, __LINE__,
 					"dns_rdataclass_totext() failed: %s",
 						 dns_result_totext(result));
-				result = DNS_R_UNEXPECTED;
+				result = ISC_R_UNEXPECTED;
 				goto cleanup;
 			}
-			isc_buffer_used(&buffer, &region);
+			isc_buffer_usedregion(&buffer, &region);
 			len1 = region.length;
-			isc_buffer_init(&buffer, buf2, sizeof buf2,
-					ISC_BUFFERTYPE_TEXT);
+			isc_buffer_init(&buffer, buf2, sizeof(buf2));
 			result = dns_rdataclass_totext(zclass, &buffer);
-			if (result != DNS_R_SUCCESS) {
+			if (result != ISC_R_SUCCESS) {
 				UNEXPECTED_ERROR(__FILE__, __LINE__,
 					"dns_rdataclass_totext() failed: %s",
 						 dns_result_totext(result));
-				result = DNS_R_UNEXPECTED;
+				result = ISC_R_UNEXPECTED;
 				goto cleanup;
 			}
-			isc_buffer_used(&buffer, &region);
+			isc_buffer_usedregion(&buffer, &region);
 			len2 = region.length;
 			(*callbacks->error)(callbacks,
 			       "%s: %s:%d: class (%.*s) != zone class (%.*s)",
@@ -682,7 +678,7 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
 					       rdata_size, &current_list,
 					       &glue_list, mctx);
 			if (new_rdata == NULL) {
-				result = DNS_R_NOMEMORY;
+				result = ISC_R_NOMEMORY;
 				goto error_cleanup;
 			}
 			rdata_size += RDSZ;
@@ -695,7 +691,7 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
 		result = dns_rdata_fromtext(&rdata[rdcount], zclass, type,
 				   lex, &origin_name, ISC_FALSE, &target,
 				   callbacks);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 		if (type == dns_rdatatype_sig)
 			covers = dns_rdata_covers(&rdata[rdcount]);
@@ -729,7 +725,7 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
 						       &glue_list,
 						       mctx);
 				if (new_rdatalist == NULL) {
-					result = DNS_R_NOMEMORY;
+					result = ISC_R_NOMEMORY;
 					goto error_cleanup;
 				}
 				rdatalist = new_rdatalist;
@@ -775,12 +771,13 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
 		 * If we don't commit everything we have so far.
 		 */
 		if ((target.length - target.used) < MINTSIZ) {
-			result = commit(callbacks, &current_list,
-					&current_name);
-			if (result != DNS_R_SUCCESS)
+			result = commit(callbacks, lex, &current_list,
+					&current_name, top);
+			if (result != ISC_R_SUCCESS)
 				goto cleanup;
-			result = commit(callbacks, &glue_list, &glue_name);
-			if (result != DNS_R_SUCCESS)
+			result = commit(callbacks, lex, &glue_list, &glue_name,
+					top);
+			if (result != ISC_R_SUCCESS)
 				goto cleanup;
 			rdcount = 0;
 			rdlcount = 0;
@@ -789,21 +786,20 @@ load(isc_lex_t *lex, dns_name_t *top, dns_name_t *origin,
 			glue_in_use = -1;
 			in_glue = ISC_FALSE;
 			current_has_delegation = ISC_FALSE;
-			isc_buffer_init(&target, target_mem, target_size,
-					ISC_BUFFERTYPE_BINARY);
+			isc_buffer_init(&target, target_mem, target_size);
 		}
 	} while (!done);
 	/*
 	 * Commit what has not yet been committed.
 	 */
-	result = commit(callbacks, &current_list, &current_name);
-	if (result != DNS_R_SUCCESS)
+	result = commit(callbacks, lex, &current_list, &current_name, top);
+	if (result != ISC_R_SUCCESS)
 		goto cleanup;
-	result = commit(callbacks, &glue_list, &glue_name);
-	if (result != DNS_R_SUCCESS)
+	result = commit(callbacks, lex, &glue_list, &glue_name, top);
+	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 	else
-		result = DNS_R_SUCCESS;
+		result = ISC_R_SUCCESS;
 	goto cleanup;
 
  error_cleanup:
@@ -1051,23 +1047,42 @@ grow_rdata(int new_len, dns_rdata_t *old, int old_len,
  */
 
 static isc_result_t
-commit(dns_rdatacallbacks_t *callbacks, rdatalist_head_t *head,
-       dns_name_t *owner)
+commit(dns_rdatacallbacks_t *callbacks, isc_lex_t *lex,
+       rdatalist_head_t *head, dns_name_t *owner, dns_name_t *top)
 {
 	dns_rdatalist_t *this;
 	dns_rdataset_t dataset;
 	isc_result_t result;
+	isc_boolean_t ignore = ISC_FALSE;
 
-	while ((this = ISC_LIST_HEAD(*head)) != NULL) {
-		dns_rdataset_init(&dataset);
-		dns_rdatalist_tordataset(this, &dataset);
-		result = ((*callbacks->add)(callbacks->add_private, owner,
-					    &dataset));
-		if (result != DNS_R_SUCCESS)
-			return (result);
-		ISC_LIST_UNLINK(*head, this, link);
+	this = ISC_LIST_HEAD(*head);
+	if (this == NULL)
+		return (ISC_R_SUCCESS);
+	if (!dns_name_issubdomain(owner, top)) {
+		/*
+		 * Ignore out-of-zone data.
+		 */
+		(callbacks->warn)(callbacks,
+		"dns_master_load: %s:%d: ignoring out-of-zone data",
+				  isc_lex_getsourcename(lex),
+				  isc_lex_getsourceline(lex));
+		ignore = ISC_TRUE;
 	}
-	return (DNS_R_SUCCESS);
+	do {
+		if (!ignore) {
+			dns_rdataset_init(&dataset);
+			dns_rdatalist_tordataset(this, &dataset);
+			dataset.trust = dns_trust_ultimate;
+			result = ((*callbacks->add)(callbacks->add_private,
+						    owner,
+						    &dataset));
+			if (result != ISC_R_SUCCESS)
+				return (result);
+		}
+		ISC_LIST_UNLINK(*head, this, link);
+		this = ISC_LIST_HEAD(*head);
+	} while (this != NULL);
+	return (ISC_R_SUCCESS);
 }
 
 /*
@@ -1081,7 +1096,9 @@ is_glue(rdatalist_head_t *head, dns_name_t *owner) {
 	isc_region_t region;
 	dns_name_t name;
 
-	/* find NS rrset */
+	/*
+	 * Find NS rrset.
+	 */
 	this = ISC_LIST_HEAD(*head);
 	while (this != NULL) {
 		if (this->type == dns_rdatatype_ns)
diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c
index dbca04e4..c5a45471 100644
--- a/lib/dns/masterdump.c
+++ b/lib/dns/masterdump.c
@@ -17,36 +17,31 @@
 
 #include <config.h>
 
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <errno.h>
-
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/boolean.h>
-#include <isc/region.h>
-
-#include <dns/types.h>
-#include <dns/result.h>
-#include <dns/name.h>
+#include <errno.h>		/* XXX */
+
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
 #include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/masterdump.h>
 #include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatatype.h>
 #include <dns/rdataset.h>
 #include <dns/rdatasetiter.h>
-#include <dns/db.h>
-#include <dns/dbiterator.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
 #include <dns/time.h>
 #include <dns/ttl.h>
-#include <dns/masterdump.h>
 
 #define RETERR(x) do { \
-	isc_result_t __r = (x); \
-	if (__r != DNS_R_SUCCESS) \
-		return (__r); \
+	isc_result_t _r = (x); \
+	if (_r != ISC_R_SUCCESS) \
+		return (_r); \
 	} while (0)
 
 struct dns_master_style {
@@ -155,10 +150,10 @@ dns_masterfile_style_debug = {
 
 
 #define N_SPACES 10
-char spaces[N_SPACES+1] = "          ";
+static char spaces[N_SPACES+1] = "          ";
 
 #define N_TABS 10
-char tabs[N_TABS+1] = "\t\t\t\t\t\t\t\t\t\t";
+static char tabs[N_TABS+1] = "\t\t\t\t\t\t\t\t\t\t";
 
 
 
@@ -186,9 +181,9 @@ indent(unsigned int *current, unsigned int to, int tabwidth,
 		ntabs = 0;
 
 	if (ntabs > 0) {
-		isc_buffer_available(target, &r);
+		isc_buffer_availableregion(target, &r);
 		if (r.length < (unsigned) ntabs)
-			return (DNS_R_NOSPACE);
+			return (ISC_R_NOSPACE);
 		p = r.base;
 	
 		t = ntabs;
@@ -207,9 +202,9 @@ indent(unsigned int *current, unsigned int to, int tabwidth,
 	nspaces = to - from;
 	INSIST(nspaces >= 0);
 
-	isc_buffer_available(target, &r);
+	isc_buffer_availableregion(target, &r);
 	if (r.length < (unsigned) nspaces)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	p = r.base;
 
 	t = nspaces;	
@@ -224,29 +219,32 @@ indent(unsigned int *current, unsigned int to, int tabwidth,
 	isc_buffer_add(target, nspaces);	
 
 	*current = to;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
-totext_ctx_init(const dns_master_style_t *style, dns_totext_ctx_t *ctx)
-{
+totext_ctx_init(const dns_master_style_t *style, dns_totext_ctx_t *ctx) {
 	isc_result_t result;
 	
-	ctx->style = *style;
 	REQUIRE(style->tab_width != 0);
+
+	ctx->style = *style;
+	ctx->class_printed = ISC_FALSE;
+	
 	dns_fixedname_init(&ctx->origin_fixname);
 
-	/* Set up the line break string if needed. */
+	/*
+	 * Set up the line break string if needed.
+	 */
 	if ((ctx->style.flags & DNS_STYLEFLAG_MULTILINE) != 0) {
 		isc_buffer_t buf;
 		isc_region_t r;
 		unsigned int col = 0;
 
 		isc_buffer_init(&buf, ctx->linebreak_buf,
-				sizeof(ctx->linebreak_buf),
-				ISC_BUFFERTYPE_TEXT);
+				sizeof(ctx->linebreak_buf));
 		
-		isc_buffer_available(&buf, &r);
+		isc_buffer_availableregion(&buf, &r);
 		if (r.length < 1)
 			return (DNS_R_TEXTTOOLONG);
 		r.base[0] = '\n';
@@ -255,18 +253,18 @@ totext_ctx_init(const dns_master_style_t *style, dns_totext_ctx_t *ctx)
 		result = indent(&col, ctx->style.rdata_column, 
 				ctx->style.tab_width, &buf);
 		/*
-		 * Do not return DNS_R_NOSPACE if the line break string
+		 * Do not return ISC_R_NOSPACE if the line break string
 		 * buffer is too small, because that would just make 
 		 * dump_rdataset() retry indenfinitely with ever 
 		 * bigger target buffers.  That's a different buffer,
 		 * so it won't help.  Use DNS_R_TEXTTOOLONG as a substitute.
 		 */
-		if (result == DNS_R_NOSPACE)
+		if (result == ISC_R_NOSPACE)
 			return (DNS_R_TEXTTOOLONG);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 		
-		isc_buffer_available(&buf, &r);
+		isc_buffer_availableregion(&buf, &r);
 		if (r.length < 1)
 			return (DNS_R_TEXTTOOLONG);
 		r.base[0] = '\0';
@@ -276,17 +274,18 @@ totext_ctx_init(const dns_master_style_t *style, dns_totext_ctx_t *ctx)
 		ctx->linebreak = NULL;
 	}
 
-	ctx->class_printed = ISC_FALSE;
 	ctx->origin = NULL;
+	ctx->current_ttl = 0;
+	ctx->current_ttl_valid = ISC_FALSE;
 	
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 #define INDENT_TO(col) \
 	do { \
 		 if ((result = indent(&column, ctx->style.col, \
 				      ctx->style.tab_width, target)) \
-		     != DNS_R_SUCCESS) \
+		     != ISC_R_SUCCESS) \
 			    return (result); \
         } while (0)
 
@@ -314,7 +313,7 @@ rdataset_totext(dns_rdataset_t *rdataset,
 	REQUIRE(DNS_RDATASET_VALID(rdataset));
 	
 	result = dns_rdataset_first(rdataset);
-	REQUIRE(result == DNS_R_SUCCESS);
+	REQUIRE(result == ISC_R_SUCCESS);
 
 	current_ttl = ctx->current_ttl;
 	current_ttl_valid = ctx->current_ttl_valid;
@@ -322,7 +321,9 @@ rdataset_totext(dns_rdataset_t *rdataset,
 	do {
 		column = 0;
 		
-		/* Owner name. */
+		/*
+		 * Owner name.
+		 */
 		if (owner_name != NULL &&
 		    ! ((ctx->style.flags & DNS_STYLEFLAG_OMIT_OWNER) != 0 &&
 		       !first))
@@ -334,7 +335,9 @@ rdataset_totext(dns_rdataset_t *rdataset,
 			column += target->used - name_start;
 		}
 
-		/* TTL. */
+		/*
+		 * TTL.
+		 */
 		if (! ((ctx->style.flags & DNS_STYLEFLAG_OMIT_TTL) != 0 &&
 		       current_ttl_valid &&
 		       rdataset->ttl == current_ttl))
@@ -346,9 +349,9 @@ rdataset_totext(dns_rdataset_t *rdataset,
 			INDENT_TO(ttl_column);
 			length = sprintf(ttlbuf, "%u", rdataset->ttl);
 			INSIST(length <= sizeof ttlbuf);
-			isc_buffer_available(target, &r);
+			isc_buffer_availableregion(target, &r);
 			if (r.length < length)
-				return (DNS_R_NOSPACE);
+				return (ISC_R_NOSPACE);
 			memcpy(r.base, ttlbuf, length);
 			isc_buffer_add(target, length);
 			column += length;
@@ -363,7 +366,9 @@ rdataset_totext(dns_rdataset_t *rdataset,
 			}
 		}
 
-		/* Class. */
+		/*
+		 * Class.
+		 */
 		if ((ctx->style.flags & DNS_STYLEFLAG_OMIT_CLASS) == 0 ||
 		    ctx->class_printed == ISC_FALSE)
 		{
@@ -372,23 +377,27 @@ rdataset_totext(dns_rdataset_t *rdataset,
 			class_start = target->used;
 			result = dns_rdataclass_totext(rdataset->rdclass,
 						       target);
-			if (result != DNS_R_SUCCESS)
+			if (result != ISC_R_SUCCESS)
 				return (result);
 			column += (target->used - class_start);
 		}
 
-		/* Type. */
+		/*
+		 * Type.
+		 */
 		{
 			unsigned int type_start;
 			INDENT_TO(type_column);
 			type_start = target->used;
 			result = dns_rdatatype_totext(rdataset->type, target);
-			if (result != DNS_R_SUCCESS)
+			if (result != ISC_R_SUCCESS)
 				return (result);
 			column += (target->used - type_start);
 		}
 
-		/* Rdata. */ 
+		/*
+		 * Rdata.
+		 */ 
 		{
 			dns_rdata_t rdata;
 			isc_region_t r;
@@ -404,18 +413,18 @@ rdataset_totext(dns_rdataset_t *rdataset,
 						   ctx->linebreak,
 						   target));
 
-			isc_buffer_available(target, &r);
+			isc_buffer_availableregion(target, &r);
 			if (r.length < 1)
-				return (DNS_R_NOSPACE);
+				return (ISC_R_NOSPACE);
 			r.base[0] = '\n';
 			isc_buffer_add(target, 1);
 		}
 
 		first = ISC_FALSE;
 		result = dns_rdataset_next(rdataset);
-	} while (result == DNS_R_SUCCESS);
+	} while (result == ISC_R_SUCCESS);
 
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		return (result);
 
 	/*
@@ -429,7 +438,7 @@ rdataset_totext(dns_rdataset_t *rdataset,
 	ctx->current_ttl= current_ttl;
 	ctx->current_ttl_valid = current_ttl_valid;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 /*
@@ -450,7 +459,7 @@ question_totext(dns_rdataset_t *rdataset,
 
 	REQUIRE(DNS_RDATASET_VALID(rdataset));
 	result = dns_rdataset_first(rdataset);
-	REQUIRE(result == DNS_R_NOMORE);
+	REQUIRE(result == ISC_R_NOMORE);
 
 	column = 0;
 
@@ -469,7 +478,7 @@ question_totext(dns_rdataset_t *rdataset,
 		INDENT_TO(class_column);
 		class_start = target->used;
 		result = dns_rdataclass_totext(rdataset->rdclass, target);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 		column += (target->used - class_start);
 	}
@@ -480,18 +489,18 @@ question_totext(dns_rdataset_t *rdataset,
 		INDENT_TO(type_column);
 		type_start = target->used;
 		result = dns_rdatatype_totext(rdataset->type, target);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 		column += (target->used - type_start);
 	}
 
-	isc_buffer_available(target, &r);
+	isc_buffer_availableregion(target, &r);
 	if (r.length < 1)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	r.base[0] = '\n';
 	isc_buffer_add(target, 1);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 /*
@@ -509,10 +518,10 @@ dns_rdataset_totext(dns_rdataset_t *rdataset,
 	dns_totext_ctx_t ctx;
 	isc_result_t result;
 	result = totext_ctx_init(&dns_masterfile_style_debug, &ctx);
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "could not set master file style");
-		return (DNS_R_UNEXPECTED);
+		return (ISC_R_UNEXPECTED);
 	}
 
 	/*
@@ -546,11 +555,12 @@ dump_rdataset(isc_mem_t *mctx, dns_name_t *name, dns_rdataset_t *rdataset,
 {
 	isc_region_t r;
 	isc_result_t result;
-	size_t nwritten;
 	
 	REQUIRE(buffer->length > 0);
 
-	/* Output a $TTL directive if needed. */
+	/*
+	 * Output a $TTL directive if needed.
+	 */
 	
 	if ((ctx->style.flags & DNS_STYLEFLAG_TTL) != 0) {
 		if (ctx->current_ttl_valid == ISC_FALSE ||
@@ -561,8 +571,8 @@ dump_rdataset(isc_mem_t *mctx, dns_name_t *name, dns_rdataset_t *rdataset,
 				isc_buffer_clear(buffer);
 				result = dns_ttl_totext(rdataset->ttl,
 							ISC_TRUE, buffer);
-				INSIST(result == DNS_R_SUCCESS);
-				isc_buffer_used(buffer, &r);
+				INSIST(result == ISC_R_SUCCESS);
+				isc_buffer_usedregion(buffer, &r);
 				fprintf(f, "$TTL %u\t; %.*s\n", rdataset->ttl,
 					(int) r.length, (char *) r.base);
 			} else {
@@ -584,32 +594,33 @@ dump_rdataset(isc_mem_t *mctx, dns_name_t *name, dns_rdataset_t *rdataset,
 		void *newmem;
 		result = rdataset_totext(rdataset, name, ctx,
 					 ISC_FALSE, buffer);
-		if (result != DNS_R_NOSPACE)
+		if (result != ISC_R_NOSPACE)
 			break;
 
 		isc_mem_put(mctx, buffer->base, buffer->length);
 		newlength = buffer->length * 2;
 		newmem = isc_mem_get(mctx, newlength);
 		if (newmem == NULL)
-			return (DNS_R_NOMEMORY);
-		isc_buffer_init(buffer, newmem, newlength,
-				ISC_BUFFERTYPE_TEXT);
+			return (ISC_R_NOMEMORY);
+		isc_buffer_init(buffer, newmem, newlength);
 	}
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	/* Write the buffer contents to the master file. */
-	isc_buffer_used(buffer, &r);
-	nwritten = fwrite(r.base, 1, (size_t) r.length, f);
+	/*
+	 * Write the buffer contents to the master file.
+	 */
+	isc_buffer_usedregion(buffer, &r);
+	result = isc_stdio_write(r.base, 1, (size_t)r.length, f, NULL);
 
-	if (nwritten != (size_t) r.length) {
+	if (result != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "master file write failed: %s",
-				 strerror(errno));
-		return (DNS_R_UNEXPECTED);
+				 isc_result_totext(result));
+		return (result);
 	}
 	
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 /*
@@ -625,7 +636,7 @@ dump_rdatasets(isc_mem_t *mctx, dns_name_t *name, dns_rdatasetiter_t *rdsiter,
 	
 	dns_rdataset_init(&rdataset);
 	result = dns_rdatasetiter_first(rdsiter);
-	while (result == DNS_R_SUCCESS) {
+	while (result == ISC_R_SUCCESS) {
 		dns_rdatasetiter_current(rdsiter, &rdataset);
 		if (rdataset.type != 0) {
 			/*
@@ -637,17 +648,17 @@ dump_rdatasets(isc_mem_t *mctx, dns_name_t *name, dns_rdatasetiter_t *rdsiter,
 			result = dump_rdataset(mctx, name, &rdataset, ctx,
 					       buffer, f);
 		} else
-			result = DNS_R_SUCCESS;
+			result = ISC_R_SUCCESS;
 		dns_rdataset_disassociate(&rdataset);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 		result = dns_rdatasetiter_next(rdsiter);
 		if ((ctx->style.flags & DNS_STYLEFLAG_OMIT_OWNER) != 0)
 			name = NULL;
 	}
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		return (result);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 
@@ -661,7 +672,7 @@ dump_rdatasets(isc_mem_t *mctx, dns_name_t *name, dns_rdatasetiter_t *rdsiter,
  * the  initial size must large enough to hold the longest possible 
  * text representation of any domain name (for $ORIGIN).
  */
-const int initial_buffer_length = 1200;
+static const int initial_buffer_length = 1200;
 
 /*
  * Dump an entire database into a master file.
@@ -683,10 +694,10 @@ dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
 	dns_totext_ctx_t ctx;
 
 	result = totext_ctx_init(style, &ctx);
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "could not set master file style");
-		return (DNS_R_UNEXPECTED);
+		return (ISC_R_UNEXPECTED);
 	}
 
 	dns_fixedname_init(&fixname);
@@ -696,10 +707,9 @@ dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
 
 	bufmem = isc_mem_get(mctx, initial_buffer_length);
 	if (bufmem == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 	
-	isc_buffer_init(&buffer, bufmem, initial_buffer_length,
-			ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&buffer, bufmem, initial_buffer_length);
 
 	/*
 	 * If the database has cache semantics, output an RFC2540
@@ -710,8 +720,8 @@ dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
 	 */
 	if (dns_db_iscache(db)) {
 		result = dns_time32_totext(now, &buffer);
-		RUNTIME_CHECK(result == DNS_R_SUCCESS);
-		isc_buffer_used(&buffer, &r);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		isc_buffer_usedregion(&buffer, &r);
 		fprintf(f, "$DATE %.*s\n", (int) r.length, (char *) r.base);
 	}
 
@@ -719,39 +729,39 @@ dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
 		       ((ctx.style.flags & DNS_STYLEFLAG_REL_OWNER) != 0) ? 
 		           ISC_TRUE : ISC_FALSE,
 		       &dbiter);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto create_iter_failure;
 
 	result = dns_dbiterator_first(dbiter);
 
-	while (result == DNS_R_SUCCESS) {
+	while (result == ISC_R_SUCCESS) {
 		dns_rdatasetiter_t *rdsiter = NULL;
 		dns_dbnode_t *node = NULL;
 		result = dns_dbiterator_current(dbiter, &node, name);
-		if (result != DNS_R_SUCCESS && result != DNS_R_NEWORIGIN)
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
 			break;
 		if (result == DNS_R_NEWORIGIN) {
 			dns_name_t *origin =
 				dns_fixedname_name(&ctx.origin_fixname);
 			result = dns_dbiterator_origin(dbiter, origin);
-			RUNTIME_CHECK(result == DNS_R_SUCCESS);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
 			isc_buffer_clear(&buffer);
 			result = dns_name_totext(origin, ISC_FALSE, &buffer);
-			RUNTIME_CHECK(result == DNS_R_SUCCESS);
-			isc_buffer_used(&buffer, &r);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			isc_buffer_usedregion(&buffer, &r);
 			fprintf(f, "$ORIGIN %.*s\n", (int) r.length,
 				(char *) r.base);
 			if ((ctx.style.flags & DNS_STYLEFLAG_REL_DATA) != 0)
 				ctx.origin = origin;
 		}
 		result = dns_db_allrdatasets(db, node, version, now, &rdsiter);
-		if (result != DNS_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS) {
 			dns_db_detachnode(db, &node);
 			goto iter_failure;
 		}
 		result = dump_rdatasets(mctx, name, rdsiter, &ctx,
 					&buffer, f);
-		if (result != DNS_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS) {
 			dns_db_detachnode(db, &node);
 			goto iter_failure;
 		}
@@ -759,10 +769,10 @@ dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
 		dns_db_detachnode(db, &node);
 		result = dns_dbiterator_next(dbiter);
 	}
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		goto iter_failure;
 
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
 	
  iter_failure:
 	dns_dbiterator_destroy(&dbiter);
@@ -777,24 +787,27 @@ isc_result_t
 dns_master_dump(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
 		const dns_master_style_t *style, const char *filename)
 {
-	FILE *f;
+	FILE *f = NULL;
 	isc_result_t result;
-	
-	f = fopen(filename, "w");
-	if (f == NULL) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "could not open %s",
-				 filename);
-		return (DNS_R_UNEXPECTED);
+
+	result = isc_stdio_open(filename, "w", &f);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+			      "dumping master file: %s: open: %s", filename,
+			      isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
 	}
 
 	result = dns_master_dumptostream(mctx, db, version, style, f);
 
-	if (fclose(f) != 0) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "error closing %s",
-				 filename);
-		return (DNS_R_UNEXPECTED);
+	result = isc_stdio_close(f);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+			      "dumping master file: %s: close: %s", filename,
+			      isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
 	}
 
 	return (result);
diff --git a/lib/dns/message.c b/lib/dns/message.c
index f7c23afd..f19fd808 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -21,23 +21,19 @@
 
 #include <config.h>
 
-#include <stddef.h>
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isc/boolean.h>
-#include <isc/region.h>
-#include <isc/types.h>
+#include <isc/mem.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/util.h>
+#include <isc/buffer.h>
 
+#include <dns/dnssec.h>
+#include <dns/keyvalues.h>
 #include <dns/message.h>
-#include <dns/rdataset.h>
 #include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatatype.h>
 #include <dns/rdatalist.h>
-#include <dns/compress.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
 #include <dns/tsig.h>
-#include <dns/dnssec.h>
 #include <dns/view.h>
 
 #define DNS_MESSAGE_OPCODE_MASK		0x7800U
@@ -53,6 +49,12 @@
 				 && ((s) < DNS_SECTION_MAX))
 #define VALID_SECTION(s)	(((s) >= DNS_SECTION_ANY) \
 				 && ((s) < DNS_SECTION_MAX))
+#define ADD_STRING(b, s)        {if (strlen(s) >= \
+                                   isc_buffer_availablelength(b)) \
+                                       return(ISC_R_NOSPACE); else \
+                                       isc_buffer_putstr(b, s);}
+#define VALID_PSEUDOSECTION(s)	(((s) >= DNS_PSEUDOSECTION_ANY) \
+				 && ((s) < DNS_PSEUDOSECTION_MAX))
 
 /*
  * This is the size of each individual scratchpad buffer, and the numbers
@@ -66,6 +68,57 @@
 #define RDATASET_COUNT		 RDATALIST_COUNT
 
 /*
+ * Text representation of the different items, for message_totext
+ * functions.
+ */
+static char *sectiontext[] = {
+	"QUESTION",
+	"ANSWER",
+	"AUTHORITY",
+	"ADDITIONAL"
+};
+
+static char *opcodetext[] = {
+	"QUERY",
+	"IQUERY",
+	"STATUS",
+	"RESERVED3",
+	"NOTIFY",
+	"UPDATE",
+	"RESERVED6",
+	"RESERVED7",
+	"RESERVED8",
+	"RESERVED9",
+	"RESERVED10",
+	"RESERVED11",
+	"RESERVED12",
+	"RESERVED13",
+	"RESERVED14",
+	"RESERVED15"
+};
+
+static char *rcodetext[] = {
+	"NOERROR",
+	"FORMERR",
+	"SERVFAIL",
+	"NXDOMAIN",
+	"NOTIMPL",
+	"REFUSED",
+	"YXDOMAIN",
+	"YXRRSET",
+	"NXRRSET",
+	"NOTAUTH",
+	"NOTZONE",
+	"RESERVED11",
+	"RESERVED12",
+	"RESERVED13",
+	"RESERVED14",
+	"RESERVED15",
+	"BADVERS"
+};
+
+
+/*
  * "helper" type, which consists of a block of some type, and is linkable.
  * For it to work, sizeof(dns_msgblock_t) must be a multiple of the pointer
  * size, or the allocated elements will not be alligned correctly.
@@ -121,8 +174,7 @@ msgblock_allocate(isc_mem_t *mctx, unsigned int sizeof_type,
  * NULL.
  */
 static inline void *
-msgblock_internalget(dns_msgblock_t *block, unsigned int sizeof_type)
-{
+msgblock_internalget(dns_msgblock_t *block, unsigned int sizeof_type) {
 	void *ptr;
 
 	if (block == NULL || block->remaining == 0)
@@ -138,8 +190,7 @@ msgblock_internalget(dns_msgblock_t *block, unsigned int sizeof_type)
 }
 
 static inline void
-msgblock_reset(dns_msgblock_t *block)
-{
+msgblock_reset(dns_msgblock_t *block) {
 	block->remaining = block->count;
 }
 
@@ -147,8 +198,7 @@ msgblock_reset(dns_msgblock_t *block)
  * Release memory associated with a message block.
  */
 static inline void
-msgblock_free(isc_mem_t *mctx, dns_msgblock_t *block,
-	      unsigned int sizeof_type)
+msgblock_free(isc_mem_t *mctx, dns_msgblock_t *block, unsigned int sizeof_type)
 {
 	unsigned int length;
 
@@ -163,24 +213,21 @@ msgblock_free(isc_mem_t *mctx, dns_msgblock_t *block,
  * uses)
  */
 static inline isc_result_t
-newbuffer(dns_message_t *msg, unsigned int size)
-{
+newbuffer(dns_message_t *msg, unsigned int size) {
 	isc_result_t result;
 	isc_buffer_t *dynbuf;
 
 	dynbuf = NULL;
-	result = isc_buffer_allocate(msg->mctx, &dynbuf, size,
-					ISC_BUFFERTYPE_BINARY);
+	result = isc_buffer_allocate(msg->mctx, &dynbuf, size);
 	if (result != ISC_R_SUCCESS)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
 	ISC_LIST_APPEND(msg->scratchpad, dynbuf, link);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_buffer_t *
-currentbuffer(dns_message_t *msg)
-{
+currentbuffer(dns_message_t *msg) {
 	isc_buffer_t *dynbuf;
 
 	dynbuf = ISC_LIST_TAIL(msg->scratchpad);
@@ -190,14 +237,12 @@ currentbuffer(dns_message_t *msg)
 }
 
 static inline void
-releaserdata(dns_message_t *msg, dns_rdata_t *rdata)
-{
+releaserdata(dns_message_t *msg, dns_rdata_t *rdata) {
 	ISC_LIST_PREPEND(msg->freerdata, rdata, link);
 }
 
 static inline dns_rdata_t *
-newrdata(dns_message_t *msg)
-{
+newrdata(dns_message_t *msg) {
 	dns_msgblock_t *msgblock;
 	dns_rdata_t *rdata;
 
@@ -224,14 +269,12 @@ newrdata(dns_message_t *msg)
 }
 
 static inline void
-releaserdatalist(dns_message_t *msg, dns_rdatalist_t *rdatalist)
-{
+releaserdatalist(dns_message_t *msg, dns_rdatalist_t *rdatalist) {
 	ISC_LIST_PREPEND(msg->freerdatalist, rdatalist, link);
 }
 
 static inline dns_rdatalist_t *
-newrdatalist(dns_message_t *msg)
-{
+newrdatalist(dns_message_t *msg) {
 	dns_msgblock_t *msgblock;
 	dns_rdatalist_t *rdatalist;
 
@@ -259,8 +302,7 @@ newrdatalist(dns_message_t *msg)
 }
 
 static inline void
-msginitheader(dns_message_t *m)
-{
+msginitheader(dns_message_t *m) {
 	m->id = 0;
 	m->flags = 0;
 	m->rcode = 0;
@@ -269,8 +311,7 @@ msginitheader(dns_message_t *m)
 }
 
 static inline void
-msginitprivate(dns_message_t *m)
-{
+msginitprivate(dns_message_t *m) {
 	unsigned int i;
 
 	for (i = 0; i < DNS_SECTION_MAX; i++) {
@@ -278,6 +319,9 @@ msginitprivate(dns_message_t *m)
 		m->counts[i] = 0;
 	}
 	m->opt = NULL;
+	m->sig0 = NULL;
+	m->tsigset = NULL;
+	m->tsigname = NULL;
 	m->state = DNS_SECTION_ANY;  /* indicate nothing parsed or rendered */
 	m->opt_reserved = 0;
 	m->reserved = 0;
@@ -286,8 +330,7 @@ msginitprivate(dns_message_t *m)
 }
 
 static inline void
-msginittsig(dns_message_t *m)
-{
+msginittsig(dns_message_t *m) {
 	m->tsigstatus = m->querytsigstatus = dns_rcode_noerror;
 	m->tsig = m->querytsig = NULL;
 	m->tsigkey = NULL;
@@ -304,8 +347,7 @@ msginittsig(dns_message_t *m)
  * and when resetting one.
  */
 static inline void
-msginit(dns_message_t *m)
-{
+msginit(dns_message_t *m) {
 	msginitheader(m);
 	msginitprivate(m);
 	msginittsig(m);
@@ -362,13 +404,31 @@ msgresetopt(dns_message_t *msg)
 	}
 }
 
+static void
+msgresetsigs(dns_message_t *msg) {
+	if (msg->tsigset != NULL) {
+		INSIST(dns_rdataset_isassociated(msg->tsigset));
+		INSIST(msg->namepool != NULL);
+		dns_rdataset_disassociate(msg->tsigset);
+		isc_mempool_put(msg->rdspool, msg->tsigset);
+		isc_mempool_put(msg->namepool, msg->tsigname);
+		msg->tsigset = NULL;
+		msg->tsigname = NULL;
+	}
+	if (msg->sig0 != NULL) {
+		INSIST(dns_rdataset_isassociated(msg->sig0));
+		dns_rdataset_disassociate(msg->sig0);
+		isc_mempool_put(msg->rdspool, msg->sig0);
+		msg->sig0 = NULL;
+	}
+}
+
 /*
  * Free all but one (or everything) for this message.  This is used by
  * both dns_message_reset() and dns_message_parse().
  */
 static void
-msgreset(dns_message_t *msg, isc_boolean_t everything)
-{
+msgreset(dns_message_t *msg, isc_boolean_t everything) {
 	dns_msgblock_t *msgblock, *next_msgblock;
 	isc_buffer_t *dynbuf, *next_dynbuf;
 	dns_rdata_t *rdata;
@@ -376,6 +436,7 @@ msgreset(dns_message_t *msg, isc_boolean_t everything)
 
 	msgresetnames(msg, 0);
 	msgresetopt(msg);
+	msgresetsigs(msg);
 
 	/*
 	 * Clean up linked lists.
@@ -444,8 +505,7 @@ msgreset(dns_message_t *msg, isc_boolean_t everything)
 
 	if (msg->tsig != NULL) {
 		dns_rdata_freestruct(msg->tsig);
-		isc_mem_put(msg->mctx, msg->tsig,
-			    sizeof(dns_rdata_any_tsig_t));
+		isc_mem_put(msg->mctx, msg->tsig, sizeof(dns_rdata_any_tsig_t));
 		msg->tsig = NULL;
 	}
 
@@ -508,7 +568,7 @@ dns_message_create(isc_mem_t *mctx, unsigned int intent, dns_message_t **msgp)
 
 	m = isc_mem_get(mctx, sizeof(dns_message_t));
 	if (m == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
 	/*
 	 * No allocations until further notice.  Just initialize all lists
@@ -552,8 +612,7 @@ dns_message_create(isc_mem_t *mctx, unsigned int intent, dns_message_t **msgp)
 	isc_mempool_setname(m->rdspool, "msg:rdataset");
 
 	dynbuf = NULL;
-	result = isc_buffer_allocate(mctx, &dynbuf, SCRATCHPAD_SIZE,
-				     ISC_BUFFERTYPE_BINARY);
+	result = isc_buffer_allocate(mctx, &dynbuf, SCRATCHPAD_SIZE);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 	ISC_LIST_APPEND(m->scratchpad, dynbuf, link);
@@ -573,7 +632,7 @@ dns_message_create(isc_mem_t *mctx, unsigned int intent, dns_message_t **msgp)
 	}
 
 	*msgp = m;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 
 	/*
 	 * Cleanup for error returns.
@@ -592,23 +651,21 @@ dns_message_create(isc_mem_t *mctx, unsigned int intent, dns_message_t **msgp)
 	m->magic = 0;
 	isc_mem_put(mctx, m, sizeof(dns_message_t));
 
-	return (DNS_R_NOMEMORY);
+	return (ISC_R_NOMEMORY);
 }
 
 void
-dns_message_reset(dns_message_t *msg, unsigned int intent)
-{
+dns_message_reset(dns_message_t *msg, unsigned int intent) {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(intent == DNS_MESSAGE_INTENTPARSE
 		|| intent == DNS_MESSAGE_INTENTRENDER);
 
-	msg->from_to_wire = intent;
 	msgreset(msg, ISC_FALSE);
+	msg->from_to_wire = intent;
 }
 
 void
-dns_message_destroy(dns_message_t **msgp)
-{
+dns_message_destroy(dns_message_t **msgp) {
 	dns_message_t *msg;
 
 	REQUIRE(msgp != NULL);
@@ -637,11 +694,11 @@ findname(dns_name_t **foundname, dns_name_t *target, unsigned int attributes,
 		    (curr->attributes & attributes) == attributes) {
 			if (foundname != NULL)
 				*foundname = curr;
-			return (DNS_R_SUCCESS);
+			return (ISC_R_SUCCESS);
 		}
 	}
 
-	return (DNS_R_NOTFOUND);
+	return (ISC_R_NOTFOUND);
 }
 
 isc_result_t
@@ -660,11 +717,11 @@ dns_message_findtype(dns_name_t *name, dns_rdatatype_t type,
 		if (curr->type == type && curr->covers == covers) {
 			if (rdataset != NULL)
 				*rdataset = curr;
-			return (DNS_R_SUCCESS);
+			return (ISC_R_SUCCESS);
 		}
 	}
 
-	return (DNS_R_NOTFOUND);
+	return (ISC_R_NOTFOUND);
 }
 
 /*
@@ -690,11 +747,11 @@ getname(dns_name_t *name, isc_buffer_t *source, dns_message_t *msg,
 		result = dns_name_fromwire(name, source, dctx, ISC_FALSE,
 					   scratch);
 
-		if (result == DNS_R_NOSPACE) {
+		if (result == ISC_R_NOSPACE) {
 			tries++;
 
 			result = newbuffer(msg, SCRATCHPAD_SIZE);
-			if (result != DNS_R_SUCCESS)
+			if (result != ISC_R_SUCCESS)
 				return (result);
 
 			scratch = currentbuffer(msg);
@@ -704,7 +761,7 @@ getname(dns_name_t *name, isc_buffer_t *source, dns_message_t *msg,
 	}
 
 	INSIST(0);  /* Cannot get here... */
-	return (DNS_R_UNEXPECTED);
+	return (ISC_R_UNEXPECTED);
 }
 
 static isc_result_t
@@ -729,7 +786,7 @@ getrdata(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 		rdata->length = 0;
 		rdata->rdclass = rdclass;
 		rdata->type = rdtype;
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 	}
 
 	scratch = currentbuffer(msg);
@@ -751,7 +808,7 @@ getrdata(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 					    source, dctx, ISC_FALSE,
 					    scratch);
 
-		if (result == DNS_R_NOSPACE) {
+		if (result == ISC_R_NOSPACE) {
 			if (tries == 0) {
 				trysize = 2 * rdatalen;
 				if (trysize < SCRATCHPAD_SIZE)
@@ -765,7 +822,7 @@ getrdata(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 			}
 			tries++;
 			result = newbuffer(msg, trysize);
-			if (result != DNS_R_SUCCESS)
+			if (result != ISC_R_SUCCESS)
 				return (result);
 
 			scratch = currentbuffer(msg);
@@ -799,16 +856,16 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx)
 	for (count = 0 ; count < msg->counts[DNS_SECTION_QUESTION] ; count++) {
 		name = isc_mempool_get(msg->namepool);
 		if (name == NULL)
-			return (DNS_R_NOMEMORY);
+			return (ISC_R_NOMEMORY);
 		free_name = ISC_TRUE;
 
 		/*
 		 * Parse the name out of this packet.
 		 */
-		isc_buffer_remaining(source, &r);
+		isc_buffer_remainingregion(source, &r);
 		isc_buffer_setactive(source, r.length);
 		result = getname(name, source, msg, dctx);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 
 		/*
@@ -829,7 +886,7 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx)
 		 * this should be legal or not.  In either case we no longer
 		 * need this name pointer.
 		 */
-		if (result != DNS_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS) {
 			if (ISC_LIST_EMPTY(*section)) {
 				ISC_LIST_APPEND(*section, name, link);
 				free_name = ISC_FALSE;
@@ -847,9 +904,9 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx)
 		/*
 		 * Get type and class.
 		 */
-		isc_buffer_remaining(source, &r);
+		isc_buffer_remainingregion(source, &r);
 		if (r.length < 4) {
-			result = DNS_R_UNEXPECTEDEND;
+			result = ISC_R_UNEXPECTEDEND;
 			goto cleanup;
 		}
 		rdtype = isc_buffer_getuint16(source);
@@ -866,12 +923,21 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx)
 			result = DNS_R_FORMERR;
 			goto cleanup;
 		}
-		
+
+		/*
+		 * If this is a type that cannot occur in a question section,
+		 * return failure.
+		 */
+		if (dns_rdatatype_notquestion(rdtype)) {
+			result = DNS_R_FORMERR;
+			goto cleanup;
+		}
+
 		/*
 		 * Can't ask the same question twice.
 		 */
 		result = dns_message_findtype(name, rdtype, 0, NULL);
-		if (result == DNS_R_SUCCESS) {
+		if (result == ISC_R_SUCCESS) {
 			result = DNS_R_FORMERR;
 			goto cleanup;
 		}
@@ -881,12 +947,12 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx)
 		 */
 		rdatalist = newrdatalist(msg);
 		if (rdatalist == NULL) {
-			result = DNS_R_NOMEMORY;
+			result = ISC_R_NOMEMORY;
 			goto cleanup;
 		}
 		rdataset =  isc_mempool_get(msg->rdspool);
 		if (rdataset == NULL) {
-			result = DNS_R_NOMEMORY;
+			result = ISC_R_NOMEMORY;
 			goto cleanup;
 		}
 
@@ -902,15 +968,16 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx)
 
 		dns_rdataset_init(rdataset);
 		result = dns_rdatalist_tordataset(rdatalist, rdataset);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 
 		rdataset->attributes |= DNS_RDATASETATTR_QUESTION;
 
 		ISC_LIST_APPEND(name->list, rdataset, link);
+		rdataset = NULL;
 	}
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 
  cleanup:
 	if (rdataset != NULL) {
@@ -958,16 +1025,16 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 
 		name = isc_mempool_get(msg->namepool);
 		if (name == NULL)
-			return (DNS_R_NOMEMORY);
+			return (ISC_R_NOMEMORY);
 		free_name = ISC_TRUE;
 
 		/*
 		 * Parse the name out of this packet.
 		 */
-		isc_buffer_remaining(source, &r);
+		isc_buffer_remainingregion(source, &r);
 		isc_buffer_setactive(source, r.length);
 		result = getname(name, source, msg, dctx);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 
 		/*
@@ -975,9 +1042,9 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 		 * rdatalen bytes remain.  (Some of this is deferred to
 		 * later.)
 		 */
-		isc_buffer_remaining(source, &r);
+		isc_buffer_remainingregion(source, &r);
 		if (r.length < 2 + 2 + 4 + 2) {
-			result = DNS_R_UNEXPECTEDEND;
+			result = ISC_R_UNEXPECTEDEND;
 			goto cleanup;
 		}
 		rdtype = isc_buffer_getuint16(source);
@@ -1024,7 +1091,10 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 				result = DNS_R_FORMERR;
 				goto cleanup;
 			}
-			section = &msg->sections[DNS_SECTION_TSIG];
+			if (msg->tsigset != NULL) {
+				result = DNS_R_FORMERR;
+				goto cleanup;
+			}
 			msg->sigstart = recstart;
 			skip_name_search = ISC_TRUE;
 			skip_type_search = ISC_TRUE;
@@ -1044,10 +1114,18 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 			skip_type_search = ISC_TRUE;
 		} else if (rdtype == dns_rdatatype_tkey) {
 			/*
-			 * A TKEY must be in the additional section.
+			 * A TKEY must be in the additional section if this
+			 * is a query, and the answer section if this is a
+			 * response.
 			 * Its class is ignored.
 			 */
-			if (sectionid != DNS_SECTION_ADDITIONAL) {
+			dns_section_t tkeysection;
+
+			if ((msg->flags & DNS_MESSAGEFLAG_QR) == 0)
+				tkeysection = DNS_SECTION_ADDITIONAL;
+			else
+				tkeysection = DNS_SECTION_ANSWER;
+			if (sectionid != tkeysection) {
 				result = DNS_R_FORMERR;
 				goto cleanup;
 			}
@@ -1060,7 +1138,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 		rdatalen = isc_buffer_getuint16(source);
 		r.length -= (2 + 2 + 4 + 2);
 		if (r.length < rdatalen) {
-			result = DNS_R_UNEXPECTEDEND;
+			result = ISC_R_UNEXPECTEDEND;
 			goto cleanup;
 		}
 
@@ -1072,7 +1150,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 		 */
 		rdata = newrdata(msg);
 		if (rdata == NULL) {
-			result = DNS_R_NOMEMORY;
+			result = ISC_R_NOMEMORY;
 			goto cleanup;
 		}
 		attributes = 0;
@@ -1091,7 +1169,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 		} else
 			result = getrdata(source, msg, dctx, rdclass,
 					  rdtype, rdatalen, rdata);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 		rdata->rdclass = rdclass;
 		if (rdtype == dns_rdatatype_sig && rdata->length > 0) {
@@ -1100,9 +1178,16 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 				attributes = DNS_NAMEATTR_CNAME;
 			else if (covers == dns_rdatatype_dname)
 				attributes = DNS_NAMEATTR_DNAME;
-			else if (covers == 0) {
+			else if (covers == 0 &&
+				 sectionid == DNS_SECTION_ADDITIONAL)
+			{
+				if (msg->sig0 != NULL) {
+					result = DNS_R_FORMERR;
+					goto cleanup;
+				}
 				msg->sigstart = recstart;
-				section = &msg->sections[DNS_SECTION_SIG0];
+				skip_name_search = ISC_TRUE;
+				skip_type_search = ISC_TRUE;
 			}
 		} else
 			covers = 0;
@@ -1113,7 +1198,11 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 		 */
 		if (preserve_order || msg->opcode == dns_opcode_update ||
 		    skip_name_search) {
-			if (rdtype != dns_rdatatype_opt) {
+			if (rdtype != dns_rdatatype_opt &&
+			    rdtype != dns_rdatatype_tsig &&
+			    !(rdtype == dns_rdatatype_sig && covers == 0 &&
+			      sectionid == DNS_SECTION_ADDITIONAL))
+			{
 				ISC_LIST_APPEND(*section, name, link);
 				free_name = ISC_FALSE;
 			}
@@ -1129,7 +1218,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 			/*
 			 * If it is a new name, append to the section.
 			 */
-			if (result == DNS_R_SUCCESS) {
+			if (result == ISC_R_SUCCESS) {
 				isc_mempool_put(msg->namepool, name);
 				name = name2;
 			} else {
@@ -1144,8 +1233,17 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 		 */
 		if (preserve_order || msg->opcode == dns_opcode_update ||
 		    skip_type_search)
-			result = DNS_R_NOTFOUND;
+			result = ISC_R_NOTFOUND;
 		else {
+			/*
+			 * If this is a type that can only occur in
+			 * the question section, fail.
+			 */
+			if (dns_rdatatype_questiononly(rdtype)) {
+				result = DNS_R_FORMERR;
+				goto cleanup;
+			}
+
 			rdataset = NULL;
 			result = dns_message_findtype(name, rdtype, covers,
 						      &rdataset);
@@ -1156,22 +1254,30 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 		 * append this rdata to that set.  If we did not, we need
 		 * to create a new rdatalist, store the important bits there,
 		 * convert it to an rdataset, and link the latter to the name.
-		 * Yuck.
+		 * Yuck.  When appending, make certain that the type isn't
+		 * a singleton type, such as SOA or CNAME.
 		 *
-		 * XXXRTH  Check for attempts to create multi-record RRsets
-		 *	   for singleton RR types.
+		 * Note that this check will be bypassed when preserving order,
+		 * the opcode is an update, or the type search is skipped.
 		 */
-		if (result == DNS_R_NOTFOUND) {
+		if (result == ISC_R_SUCCESS) {
+			if (dns_rdatatype_issingleton(rdtype)) {
+				result = DNS_R_FORMERR;
+				goto cleanup;
+			}
+		}
+
+		if (result == ISC_R_NOTFOUND) {
 			rdataset = isc_mempool_get(msg->rdspool);
 			if (rdataset == NULL) {
-				result = DNS_R_NOMEMORY;
+				result = ISC_R_NOMEMORY;
 				goto cleanup;
 			}
 			free_rdataset = ISC_TRUE;
 
 			rdatalist = newrdatalist(msg);
 			if (rdatalist == NULL) {
-				result = DNS_R_NOMEMORY;
+				result = ISC_R_NOMEMORY;
 				goto cleanup;
 			}
 
@@ -1231,11 +1337,31 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 			free_name = ISC_FALSE;
 		}
 
+		/*
+		 * If this is an SIG(0) or TSIG record, remember it.
+		 */
+		if (rdtype == dns_rdatatype_sig && covers == 0 &&
+		    sectionid == DNS_SECTION_ADDITIONAL)
+		{
+			msg->sig0 = rdataset;
+			rdataset = NULL;
+			free_rdataset = ISC_FALSE;
+			isc_mempool_put(msg->namepool, name);
+			free_name = ISC_FALSE;
+		}
+		else if (rdtype == dns_rdatatype_tsig) {
+			msg->tsigset = rdataset;
+			msg->tsigname = name;
+			rdataset = NULL;
+			free_rdataset = ISC_FALSE;
+			free_name = ISC_FALSE;
+		}
+
 		INSIST(free_name == ISC_FALSE);
 		INSIST(free_rdataset == ISC_FALSE);
 	}
 	
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 
  cleanup:
 	if (free_name)
@@ -1265,9 +1391,9 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
 	msg->header_ok = 0;
 	msg->question_ok = 0;
 
-	isc_buffer_remaining(source, &r);
+	isc_buffer_remainingregion(source, &r);
 	if (r.length < DNS_MESSAGE_HEADERLEN)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 
 	msg->id = isc_buffer_getuint16(source);
 	tmpflags = isc_buffer_getuint16(source);
@@ -1287,43 +1413,38 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
 	 */
 	dns_decompress_init(&dctx, -1, ISC_FALSE);
 
-	if (dns_decompress_edns(&dctx) > 1 || !dns_decompress_strict(&dctx))
-		dns_decompress_setmethods(&dctx, DNS_COMPRESS_GLOBAL);
-	else
-		dns_decompress_setmethods(&dctx, DNS_COMPRESS_GLOBAL14);
-
+	dns_decompress_setmethods(&dctx, DNS_COMPRESS_GLOBAL14);
 
 	ret = getquestions(source, msg, &dctx);
-	if (ret != DNS_R_SUCCESS)
+	if (ret != ISC_R_SUCCESS)
 		return (ret);
 	msg->question_ok = 1;
 
 	ret = getsection(source, msg, &dctx, DNS_SECTION_ANSWER,
 			 preserve_order);
-	if (ret != DNS_R_SUCCESS)
+	if (ret != ISC_R_SUCCESS)
 		return (ret);
 
 	ret = getsection(source, msg, &dctx, DNS_SECTION_AUTHORITY,
 			 preserve_order);
-	if (ret != DNS_R_SUCCESS)
+	if (ret != ISC_R_SUCCESS)
 		return (ret);
 
 	ret = getsection(source, msg, &dctx, DNS_SECTION_ADDITIONAL,
 			 preserve_order);
-	if (ret != DNS_R_SUCCESS)
+	if (ret != ISC_R_SUCCESS)
 		return (ret);
 
-	isc_buffer_remaining(source, &r);
+	isc_buffer_remainingregion(source, &r);
 	if (r.length != 0)
 		return (DNS_R_FORMERR);
 
-	if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_TSIG]) ||
-	    !ISC_LIST_EMPTY(msg->sections[DNS_SECTION_SIG0]))
-	{
+	if (msg->tsigset != NULL || msg->tsigkey != NULL ||
+	    msg->sig0 != NULL) {
 		msg->saved = isc_mem_get(msg->mctx, sizeof(isc_region_t));
 		if (msg->saved == NULL)
 			return (ISC_R_NOMEMORY);
-		isc_buffer_used(&origsource, &r);
+		isc_buffer_usedregion(&origsource, &r);
 		msg->saved->length = r.length;
 		msg->saved->base = isc_mem_get(msg->mctx, msg->saved->length);
 		if (msg->saved->base == NULL) {
@@ -1335,12 +1456,11 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
 		memcpy(msg->saved->base, r.base, msg->saved->length);
 	}
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
-dns_message_renderbegin(dns_message_t *msg, isc_buffer_t *buffer)
-{
+dns_message_renderbegin(dns_message_t *msg, isc_buffer_t *buffer) {
 	isc_region_t r;
 	isc_result_t result;
 
@@ -1358,11 +1478,11 @@ dns_message_renderbegin(dns_message_t *msg, isc_buffer_t *buffer)
 	 * Make certain there is enough for at least the header in this
 	 * buffer.
 	 */
-	isc_buffer_available(buffer, &r);
+	isc_buffer_availableregion(buffer, &r);
 	REQUIRE(r.length >= DNS_MESSAGE_HEADERLEN);
 
 	result = dns_compress_init(&msg->cctx, -1, msg->mctx);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	msg->need_cctx_cleanup = 1;
 
@@ -1373,12 +1493,11 @@ dns_message_renderbegin(dns_message_t *msg, isc_buffer_t *buffer)
 
 	msg->buffer = buffer;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
-dns_message_renderchangebuffer(dns_message_t *msg, isc_buffer_t *buffer)
-{
+dns_message_renderchangebuffer(dns_message_t *msg, isc_buffer_t *buffer) {
 	isc_region_t r, rn;
 
 	REQUIRE(DNS_MESSAGE_VALID(msg));
@@ -1386,13 +1505,13 @@ dns_message_renderchangebuffer(dns_message_t *msg, isc_buffer_t *buffer)
 	REQUIRE(msg->buffer != NULL);
 
 	/*
-	 * ensure that the new buffer is empty, and has enough space to
+	 * Ensure that the new buffer is empty, and has enough space to
 	 * hold the current contents.
 	 */
 	isc_buffer_clear(buffer);
 
-	isc_buffer_available(buffer, &rn);
-	isc_buffer_used(msg->buffer, &r);
+	isc_buffer_availableregion(buffer, &rn);
+	isc_buffer_usedregion(msg->buffer, &r);
 	REQUIRE(rn.length > r.length);
 
 	/*
@@ -1403,12 +1522,11 @@ dns_message_renderchangebuffer(dns_message_t *msg, isc_buffer_t *buffer)
 
 	msg->buffer = buffer;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 void
-dns_message_renderrelease(dns_message_t *msg, unsigned int space)
-{
+dns_message_renderrelease(dns_message_t *msg, unsigned int space) {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(msg->buffer != NULL);
 	REQUIRE(space <= msg->reserved);
@@ -1417,25 +1535,23 @@ dns_message_renderrelease(dns_message_t *msg, unsigned int space)
 }
 
 isc_result_t
-dns_message_renderreserve(dns_message_t *msg, unsigned int space)
-{
+dns_message_renderreserve(dns_message_t *msg, unsigned int space) {
 	isc_region_t r;
 
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(msg->buffer != NULL);
 
-	isc_buffer_available(msg->buffer, &r);
+	isc_buffer_availableregion(msg->buffer, &r);
 	if (r.length < (space + msg->reserved))
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 
 	msg->reserved += space;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_boolean_t
-wrong_priority(dns_rdataset_t *rds, int pass)
-{
+wrong_priority(dns_rdataset_t *rds, int pass) {
 	int pass_needed;
 
 	/*
@@ -1498,7 +1614,7 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 	do {
 		name = ISC_LIST_HEAD(*section);
 		if (name == NULL)
-			return (DNS_R_SUCCESS);
+			return (ISC_R_SUCCESS);
 
 		while (name != NULL) {
 			next_name = ISC_LIST_NEXT(name, link);
@@ -1507,10 +1623,12 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 			while (rdataset != NULL) {
 				next_rdataset = ISC_LIST_NEXT(rdataset, link);
 
-				if (rdataset->attributes & DNS_RDATASETATTR_RENDERED)
+				if ((rdataset->attributes &
+				     DNS_RDATASETATTR_RENDERED) != 0)
 					goto next;
 
-				if (((options & DNS_MESSAGERENDER_ORDERED) == 0)
+				if (((options & DNS_MESSAGERENDER_ORDERED)
+				     == 0)
 				    && (sectionid == DNS_SECTION_ADDITIONAL)
 				    && wrong_priority(rdataset, pass))
 					goto next;
@@ -1520,27 +1638,28 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 				count = 0;
 				result = dns_rdataset_towire(rdataset, name,
 							     &msg->cctx,
-							     msg->buffer, &count);
+							     msg->buffer,
+							     &count);
 
 				total += count;
 
 				/*
-				 * If out of space, record stats on what we rendered
-				 * so far, and return that status.
+				 * If out of space, record stats on what we
+				 * rendered so far, and return that status.
 				 *
 				 * XXXMLG Need to change this when
 				 * dns_rdataset_towire() can render partial
-				 * sets starting at some arbitary point in the set.
-				 * This will include setting a bit in the
-				 * rdataset to indicate that a partial rendering
-				 * was done, and some state saved somewhere
-				 * (probably in the message struct)
+				 * sets starting at some arbitary point in the
+				 * set.  This will include setting a bit in the
+				 * rdataset to indicate that a partial
+				 * rendering was done, and some state saved
+				 * somewhere (probably in the message struct)
 				 * to indicate where to continue from.
 				 */
-				if (result != DNS_R_SUCCESS) {
+				if (result != ISC_R_SUCCESS) {
 					INSIST(st.used < 65536);
 					dns_compress_rollback(&msg->cctx,
-							      (isc_uint16_t)st.used);
+							(isc_uint16_t)st.used);
 					*(msg->buffer) = st;  /* rollback */
 					msg->buffer->length += msg->reserved;
 					msg->counts[sectionid] += total;
@@ -1548,15 +1667,16 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 				}
 
 				/*
-				 * If we have rendered pending data, ensure that the
-				 * AD bit is not set.
+				 * If we have rendered pending data, ensure
+				 * that the AD bit is not set.
 				 */
 				if (rdataset->trust == dns_trust_pending &&
 				    (sectionid == DNS_SECTION_ANSWER ||
 				     sectionid == DNS_SECTION_AUTHORITY))
 					msg->flags &= ~DNS_MESSAGEFLAG_AD;
 
-				rdataset->attributes |= DNS_RDATASETATTR_RENDERED;
+				rdataset->attributes |=
+					DNS_RDATASETATTR_RENDERED;
 
 			next:
 				rdataset = next_rdataset;
@@ -1569,19 +1689,18 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 	msg->buffer->length += msg->reserved;
 	msg->counts[sectionid] += total;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 void
-dns_message_renderheader(dns_message_t *msg, isc_buffer_t *target)
-{
+dns_message_renderheader(dns_message_t *msg, isc_buffer_t *target) {
 	isc_uint16_t tmp;
 	isc_region_t r;
 
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(target != NULL);
 
-	isc_buffer_available(target, &r);
+	isc_buffer_availableregion(target, &r);
 	REQUIRE(r.length >= DNS_MESSAGE_HEADERLEN);
 
 	isc_buffer_putuint16(target, msg->id);
@@ -1594,26 +1713,21 @@ dns_message_renderheader(dns_message_t *msg, isc_buffer_t *target)
 	INSIST(msg->counts[DNS_SECTION_QUESTION]  < 65536 &&
 	       msg->counts[DNS_SECTION_ANSWER]    < 65536 &&
 	       msg->counts[DNS_SECTION_AUTHORITY] < 65536 &&
-	       (msg->counts[DNS_SECTION_ADDITIONAL] +
-		msg->counts[DNS_SECTION_TSIG] +
-		msg->counts[DNS_SECTION_SIG0]) < 65536);
+	       msg->counts[DNS_SECTION_ADDITIONAL] < 65536);
 
 	isc_buffer_putuint16(target, tmp);
 	isc_buffer_putuint16(target,
-			     (isc_uint16_t)msg->counts[DNS_SECTION_QUESTION]);
+			    (isc_uint16_t)msg->counts[DNS_SECTION_QUESTION]);
 	isc_buffer_putuint16(target,
-			     (isc_uint16_t)msg->counts[DNS_SECTION_ANSWER]);
+			    (isc_uint16_t)msg->counts[DNS_SECTION_ANSWER]);
 	isc_buffer_putuint16(target,
-			     (isc_uint16_t)msg->counts[DNS_SECTION_AUTHORITY]);
-	tmp  = msg->counts[DNS_SECTION_ADDITIONAL]
-		+ msg->counts[DNS_SECTION_TSIG]
-		+ msg->counts[DNS_SECTION_SIG0];
-	isc_buffer_putuint16(target, tmp);
+			    (isc_uint16_t)msg->counts[DNS_SECTION_AUTHORITY]);
+	isc_buffer_putuint16(target,
+			    (isc_uint16_t)msg->counts[DNS_SECTION_ADDITIONAL]);
 }
 
 isc_result_t
-dns_message_renderend(dns_message_t *msg)
-{
+dns_message_renderend(dns_message_t *msg) {
 	isc_buffer_t tmpbuf;
 	isc_region_t r;
 	int result;
@@ -1655,24 +1769,30 @@ dns_message_renderend(dns_message_t *msg)
 	if (msg->tsigkey != NULL) {
 		REQUIRE(msg->tsig == NULL);
 		result = dns_tsig_sign(msg);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
-		result = dns_message_rendersection(msg, DNS_SECTION_TSIG, 0);
-		if (result != DNS_R_SUCCESS)
+		count = 0;
+		result = dns_rdataset_towire(msg->tsigset, msg->tsigname,
+					     &msg->cctx, msg->buffer, &count);
+		msg->counts[DNS_SECTION_ADDITIONAL] += count;
+		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
 
 	else if (msg->sig0key != NULL) {
 		result = dns_dnssec_signmessage(msg, msg->sig0key);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
-		result = dns_message_rendersection(msg, DNS_SECTION_SIG0, 0);
-		if (result != DNS_R_SUCCESS)
+		count = 0;
+		result = dns_rdataset_towire(msg->sig0, dns_rootname,
+					     &msg->cctx, msg->buffer, &count);
+		msg->counts[DNS_SECTION_ADDITIONAL] += count;
+		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
 
-	isc_buffer_used(msg->buffer, &r);
-	isc_buffer_init(&tmpbuf, r.base, r.length, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_usedregion(msg->buffer, &r);
+	isc_buffer_init(&tmpbuf, r.base, r.length);
 
 	dns_message_renderheader(msg, &tmpbuf);
 
@@ -1681,12 +1801,11 @@ dns_message_renderend(dns_message_t *msg)
 	dns_compress_invalidate(&msg->cctx);
 	msg->need_cctx_cleanup = 0;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 void
-dns_message_renderreset(dns_message_t *msg)
-{
+dns_message_renderreset(dns_message_t *msg) {
 	unsigned int i;
 	dns_name_t *name;
 	dns_rdataset_t *rds;
@@ -1716,22 +1835,20 @@ dns_message_renderreset(dns_message_t *msg)
 }
 
 isc_result_t
-dns_message_firstname(dns_message_t *msg, dns_section_t section)
-{
+dns_message_firstname(dns_message_t *msg, dns_section_t section) {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(VALID_NAMED_SECTION(section));
 
 	msg->cursors[section] = ISC_LIST_HEAD(msg->sections[section]);
 
 	if (msg->cursors[section] == NULL)
-		return (DNS_R_NOMORE);
+		return (ISC_R_NOMORE);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
-dns_message_nextname(dns_message_t *msg, dns_section_t section)
-{
+dns_message_nextname(dns_message_t *msg, dns_section_t section) {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(VALID_NAMED_SECTION(section));
 	REQUIRE(msg->cursors[section] != NULL);
@@ -1739,9 +1856,9 @@ dns_message_nextname(dns_message_t *msg, dns_section_t section)
 	msg->cursors[section] = ISC_LIST_NEXT(msg->cursors[section], link);
 
 	if (msg->cursors[section] == NULL)
-		return (DNS_R_NOMORE);
+		return (ISC_R_NOMORE);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 void
@@ -1803,9 +1920,9 @@ dns_message_findname(dns_message_t *msg, dns_section_t section,
 	 */
 	result = findname(&foundname, target, attributes,
 			  &msg->sections[section]);
-	if (result == DNS_R_NOTFOUND)
+	if (result == ISC_R_NOTFOUND)
 		return (DNS_R_NXDOMAIN);
-	else if (result != DNS_R_SUCCESS)
+	else if (result != ISC_R_SUCCESS)
 		return (result);
 
 	if (name != NULL)
@@ -1815,11 +1932,11 @@ dns_message_findname(dns_message_t *msg, dns_section_t section,
 	 * And now look for the type.
 	 */
 	if (type == dns_rdatatype_any)
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 
 	result = dns_message_findtype(foundname, type, covers, rdataset);
-	if (result == DNS_R_NOTFOUND)
-		return (DNS_R_NXRDATASET);
+	if (result == ISC_R_NOTFOUND)
+		return (DNS_R_NXRRSET);
 
 	return (result);
 }
@@ -1855,21 +1972,19 @@ dns_message_addname(dns_message_t *msg, dns_name_t *name,
 }
 
 isc_result_t
-dns_message_gettempname(dns_message_t *msg, dns_name_t **item)
-{
+dns_message_gettempname(dns_message_t *msg, dns_name_t **item) {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(item != NULL && *item == NULL);
 
 	*item = isc_mempool_get(msg->namepool);
 	if (*item == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 void
-dns_message_puttempname(dns_message_t *msg, dns_name_t **item)
-{
+dns_message_puttempname(dns_message_t *msg, dns_name_t **item) {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(item != NULL && *item != NULL);
 
@@ -1878,49 +1993,45 @@ dns_message_puttempname(dns_message_t *msg, dns_name_t **item)
 }
 
 isc_result_t
-dns_message_gettemprdata(dns_message_t *msg, dns_rdata_t **item)
-{
+dns_message_gettemprdata(dns_message_t *msg, dns_rdata_t **item) {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(item != NULL && *item == NULL);
 
 	*item = newrdata(msg);
 	if (*item == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
-dns_message_gettemprdataset(dns_message_t *msg, dns_rdataset_t **item)
-{
+dns_message_gettemprdataset(dns_message_t *msg, dns_rdataset_t **item) {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(item != NULL && *item == NULL);
 
 	*item = isc_mempool_get(msg->rdspool);
 	if (*item == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
 	dns_rdataset_init(*item);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
-dns_message_gettemprdatalist(dns_message_t *msg, dns_rdatalist_t **item)
-{
+dns_message_gettemprdatalist(dns_message_t *msg, dns_rdatalist_t **item) {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(item != NULL && *item == NULL);
 
 	*item = newrdatalist(msg);
 	if (*item == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 void
-dns_message_puttemprdata(dns_message_t *msg, dns_rdata_t **item)
-{
+dns_message_puttemprdata(dns_message_t *msg, dns_rdata_t **item) {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(item != NULL && *item != NULL);
 
@@ -1929,8 +2040,7 @@ dns_message_puttemprdata(dns_message_t *msg, dns_rdata_t **item)
 }
 
 void
-dns_message_puttemprdataset(dns_message_t *msg, dns_rdataset_t **item)
-{
+dns_message_puttemprdataset(dns_message_t *msg, dns_rdataset_t **item) {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(item != NULL && *item != NULL);
 
@@ -1940,8 +2050,7 @@ dns_message_puttemprdataset(dns_message_t *msg, dns_rdataset_t **item)
 }
 
 void
-dns_message_puttemprdatalist(dns_message_t *msg, dns_rdatalist_t **item)
-{
+dns_message_puttemprdatalist(dns_message_t *msg, dns_rdatalist_t **item) {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(item != NULL && *item != NULL);
 
@@ -1962,9 +2071,9 @@ dns_message_peekheader(isc_buffer_t *source, dns_messageid_t *idp,
 
 	buffer = *source;
 
-	isc_buffer_remaining(&buffer, &r);
+	isc_buffer_remainingregion(&buffer, &r);
 	if (r.length < DNS_MESSAGE_HEADERLEN)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 
 	id = isc_buffer_getuint16(&buffer);
 	flags = isc_buffer_getuint16(&buffer);
@@ -1975,7 +2084,7 @@ dns_message_peekheader(isc_buffer_t *source, dns_messageid_t *idp,
 	if (idp != NULL)
 		*idp = id;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -1999,6 +2108,7 @@ dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
 	msg->from_to_wire = DNS_MESSAGE_INTENTRENDER;
 	msgresetnames(msg, first_section);
 	msgresetopt(msg);
+	msgresetsigs(msg);
 	msginitprivate(msg);
 	/*
 	 * We now clear most flags and then set QR, ensuring that the
@@ -2023,7 +2133,7 @@ dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
 		msg->saved = NULL;
 	}
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 dns_rdataset_t *
@@ -2068,6 +2178,7 @@ dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt) {
 	REQUIRE(msg->state == DNS_SECTION_ANY);
 
 	msgresetopt(msg);
+	msgresetsigs(msg);
 
 	result = dns_rdataset_first(opt);
 	if (result != ISC_R_SUCCESS)
@@ -2082,12 +2193,37 @@ dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt) {
 
 	msg->opt = opt;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
+}
+
+dns_rdataset_t *
+dns_message_gettsig(dns_message_t *msg, dns_name_t **owner) {
+
+	/*
+	 * Get the TSIG record and owner for 'msg'.
+	 */
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(owner != NULL && *owner == NULL);
+
+	*owner = msg->tsigname;
+	return (msg->tsigset);
+}
+
+dns_rdataset_t *
+dns_message_getsig0(dns_message_t *msg) {
+
+	/*
+	 * Get the SIG(0) record for 'msg'.
+	 */
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+
+	return (msg->sig0);
 }
 
 void
-dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer)
-{
+dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer) {
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(buffer != NULL);
 	REQUIRE(ISC_BUFFER_VALID(*buffer));
@@ -2105,46 +2241,34 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) {
 	REQUIRE(signer != NULL);
 	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
 
-	if ((msg->tsig == NULL || msg->tsigkey == NULL) &&
-	    ISC_LIST_EMPTY(msg->sections[DNS_SECTION_SIG0]))
+	if ((msg->tsig == NULL || msg->tsigkey == NULL) && msg->sig0 == NULL)
 		return (ISC_R_NOTFOUND);
 
+	if (msg->verify_attempted == 0)
+		return (DNS_R_NOTVERIFIEDYET);
+
 	if (!dns_name_hasbuffer(signer)) {
 		isc_buffer_t *dynbuf = NULL;
-		result = isc_buffer_allocate(msg->mctx, &dynbuf, 512,
-					     ISC_BUFFERTYPE_BINARY);
+		result = isc_buffer_allocate(msg->mctx, &dynbuf, 512);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 		dns_name_setbuffer(signer, dynbuf);
 		dns_message_takebuffer(msg, &dynbuf);
 	}
 
-	if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_SIG0])) {
-		dns_rdataset_t *dataset;
+	if (msg->sig0 != NULL) {
 		dns_rdata_t rdata;
-		dns_name_t *sig0name;
-		dns_rdata_generic_sig_t sig;
+		dns_rdata_sig_t sig;
 
-		if (msg->verify_attempted == 0)
-			result = DNS_R_NOTVERIFIEDYET;
-		result = dns_message_firstname(msg, DNS_SECTION_SIG0);
-		if (result != ISC_R_SUCCESS)
-			return (ISC_R_NOTFOUND);
-		sig0name = NULL;
-		dns_message_currentname(msg, DNS_SECTION_SIG0, &sig0name);
-		dataset = NULL;
-		result = dns_message_findtype(sig0name, dns_rdatatype_sig, 0,
-					      &dataset);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-		result = dns_rdataset_first(dataset);
-		dns_rdataset_current(dataset, &rdata);
+		result = dns_rdataset_first(msg->sig0);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_rdataset_current(msg->sig0, &rdata);
 
 		result = dns_rdata_tostruct(&rdata, &sig, msg->mctx);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 		
-		if (msg->verified_sig && msg->sig0status != dns_rcode_noerror)
+		if (msg->verified_sig && msg->sig0status == dns_rcode_noerror)
 			result = ISC_R_SUCCESS;
 		else
 			result = DNS_R_SIGINVALID;
@@ -2154,9 +2278,7 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) {
 	}
 	else {
 		dns_name_t *identity;
-		if (msg->verify_attempted == 0)
-			result = DNS_R_NOTVERIFIEDYET;
-		else if (msg->tsigstatus != dns_rcode_noerror)
+		if (msg->tsigstatus != dns_rcode_noerror)
 			result = DNS_R_TSIGVERIFYFAILURE;
 		else if (msg->tsig->error != dns_rcode_noerror)
 			result = DNS_R_TSIGERRORSET;
@@ -2177,18 +2299,314 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) {
 
 isc_result_t
 dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
-	isc_buffer_t b;
+	isc_buffer_t b, msgb;
 
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(view != NULL);
 
-	if (msg->tsigkey == NULL &&
-	    ISC_LIST_EMPTY(msg->sections[DNS_SECTION_TSIG]))
+	if (msg->tsigkey == NULL && msg->tsigset == NULL && msg->sig0 == NULL)
+		return (ISC_R_SUCCESS);
+	INSIST(msg->saved != NULL);
+	isc_buffer_init(&msgb, msg->saved->base, msg->saved->length);
+	isc_buffer_add(&msgb, msg->saved->length);
+	if (msg->tsigkey != NULL || msg->tsigset != NULL)
+		return (dns_view_checksig(view, &msgb, msg));
+	else {
+		dns_rdata_t rdata;
+		dns_rdata_sig_t sig;
+		dns_rdataset_t keyset;
+		isc_result_t result;
+
+		result = dns_rdataset_first(msg->sig0);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_rdataset_current(msg->sig0, &rdata);
+
+		/*
+		 * This can occur when the message is a dynamic update, since
+		 * the rdata length checking is relaxed.  This should not
+		 * happen in a well-formed message, since the SIG(0) is only
+		 * looked for in the additional section, and the dynamic update
+		 * meta-records are in the prerequisite and update sections.
+		 */
+		if (rdata.length == 0)
+			return (ISC_R_UNEXPECTEDEND);
+
+		result = dns_rdata_tostruct(&rdata, &sig, msg->mctx);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		dns_rdataset_init(&keyset);
+		result = dns_view_simplefind(view, &sig.signer,
+					     dns_rdatatype_key, 0, 0,
+					     ISC_FALSE, &keyset, NULL);
+
+		if (result != ISC_R_SUCCESS) {
+			/* XXXBEW Should possibly create a fetch here */
+			result = DNS_R_KEYUNAUTHORIZED;
+			goto freesig;
+		} else if (keyset.trust < dns_trust_secure) {
+			/* XXXBEW Should call a validator here */
+			result = DNS_R_KEYUNAUTHORIZED;
+			goto freesig;
+		}
+		result = dns_rdataset_first(&keyset);
+		INSIST(result == ISC_R_SUCCESS);
+		for (;
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&keyset))
+		{
+			dst_key_t *key = NULL;
+
+			dns_rdataset_current(&keyset, &rdata);
+			isc_buffer_init(&b, rdata.data, rdata.length);
+			isc_buffer_add(&b, rdata.length);
+
+			/*
+			 * XXXBEW should actually pass in the key name,
+			 * but it's not used anyway.
+			 */
+			result = dst_key_fromdns("", &b, view->mctx, &key);
+			if (result != ISC_R_SUCCESS)
+				continue;
+			if (dst_key_alg(key) != sig.algorithm ||
+			    dst_key_id(key) != sig.keyid ||
+			    !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC ||
+			      dst_key_proto(key) == DNS_KEYPROTO_ANY))
+			{
+				dst_key_free(&key);
+				continue;
+			}
+			result = dns_dnssec_verifymessage(&msgb, msg, key);
+			dst_key_free(&key);
+			if (result == ISC_R_SUCCESS)
+				break;
+		}
+		if (result == ISC_R_NOMORE)
+			result = DNS_R_KEYUNAUTHORIZED;
+
+ freesig:
+		if (dns_rdataset_isassociated(&keyset))
+			dns_rdataset_disassociate(&keyset);
+		dns_rdata_freestruct(&sig);
+		return (result);
+	}
+}
+
+isc_result_t
+dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
+			  isc_boolean_t comments,
+			  isc_boolean_t omit_final_dot,
+			  isc_buffer_t *target) {
+	dns_name_t *name, empty_name;
+	dns_rdataset_t *rdataset;
+	isc_result_t result;
+	isc_boolean_t no_rdata;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(target != NULL);
+	REQUIRE(VALID_SECTION(section));
+
+	/*
+	 * If the section is empty, that's still success, but we don't
+	 * actually do anything.
+	 */
+	if (ISC_LIST_EMPTY(msg->sections[section]))
+		return ISC_R_SUCCESS;
+
+	if (section == DNS_SECTION_QUESTION)
+		no_rdata = ISC_TRUE;
+	else
+		no_rdata = ISC_FALSE;
+
+	if (comments) {
+		ADD_STRING(target, ";; ");
+		ADD_STRING(target, sectiontext[section]);
+		ADD_STRING(target, " SECTION:\n");
+	}
+
+	dns_name_init(&empty_name, NULL);
+	result = dns_message_firstname(msg, section);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	do {
+		name = NULL;
+		dns_message_currentname(msg, section, &name);
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			if (no_rdata)
+				ADD_STRING(target, ";");
+			result = dns_rdataset_totext(rdataset, name,
+						     omit_final_dot,
+						     no_rdata,
+						     target);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+		}
+		result = dns_message_nextname(msg, section);
+	} while (result == ISC_R_SUCCESS);
+	ADD_STRING(target, "\n");
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+	return (result);
+}
+
+isc_result_t
+dns_message_pseudosectiontotext(dns_message_t *msg,
+				dns_pseudosection_t section,
+				isc_boolean_t comments,
+				isc_boolean_t omit_final_dot,
+				isc_buffer_t *target) {
+	dns_rdataset_t *ps = NULL;
+	dns_name_t *name = NULL;
+	isc_result_t result;
+	char buf[sizeof("1234567890")];
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(target != NULL);
+	REQUIRE(VALID_PSEUDOSECTION(section));
+
+	/*
+	 * If the section is empty, that's still success, but we don't
+	 * actually do anything.
+	 */
+	switch (section) {
+	case DNS_PSEUDOSECTION_OPT:
+		ps = dns_message_getopt(msg);
+		if (ps == NULL)
+			return (ISC_R_SUCCESS);
+		if (comments)
+			ADD_STRING(target, ";; OPT PSEUDOSECTION:\n");
+		ADD_STRING(target, "; EDNS: version: ");
+		sprintf(buf, "%4u",
+			(unsigned int)((ps->ttl &
+					0x00ff0000 >> 16)));
+		ADD_STRING(target, buf);
+		ADD_STRING(target, ", udp=");
+		sprintf(buf, "%7u\n",
+			(unsigned int)ps->rdclass);
+		ADD_STRING(target, buf);
 		return (ISC_R_SUCCESS);
-	if (msg->saved == NULL)
-		return (DNS_R_EXPECTEDTSIG);
-	isc_buffer_init(&b, msg->saved->base, msg->saved->length,
-			ISC_BUFFERTYPE_BINARY);
-	isc_buffer_add(&b, msg->saved->length);
-	return (dns_view_checksig(view, &b, msg));
+		break;
+	case DNS_PSEUDOSECTION_TSIG:
+		ps = dns_message_gettsig(msg, &name);
+		if (ps == NULL)
+			return (ISC_R_SUCCESS);
+		if (comments)
+			ADD_STRING(target, ";; TSIG PSEUDOSECTION:\n");
+		result = dns_rdataset_totext(ps, name, omit_final_dot,
+					     ISC_FALSE, target);
+		ADD_STRING(target, "\n");
+		return (result);
+		break;
+	case DNS_PSEUDOSECTION_SIG0:
+		ps = dns_message_getsig0(msg);
+		if (ps == NULL)
+			return (ISC_R_SUCCESS);
+		if (comments)
+			ADD_STRING(target, ";; SIG0 PSEUDOSECTION:\n");
+		result = dns_rdataset_totext(ps, dns_rootname, omit_final_dot,
+					     ISC_FALSE, target);
+		ADD_STRING(target, "\n");
+		return (result);
+		break;
+	}
+	return (ISC_R_UNEXPECTED);
+}
+
+isc_result_t
+dns_message_totext(dns_message_t *msg, isc_boolean_t comments,
+		   isc_boolean_t headers, isc_boolean_t omit_final_dot,
+		   isc_buffer_t *target) {
+	char buf[sizeof "1234567890"];
+	isc_result_t result;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(target != NULL);
+
+	if (headers) {
+		ADD_STRING(target, ";; ->>HEADER<<- opcode: ");
+		ADD_STRING(target, opcodetext[msg->opcode]);
+		ADD_STRING(target, ", status: ");
+		ADD_STRING(target, rcodetext[msg->rcode]);
+		ADD_STRING(target, ", id: ");
+		sprintf(buf, "%6u", msg->id);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, "\n;; flags: ");
+		if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
+			ADD_STRING(target, "qr ");
+		if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0)
+			ADD_STRING(target, "aa ");
+		if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0)
+			ADD_STRING(target, "tc ");
+		if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0)
+			ADD_STRING(target, "rd ");
+		if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0)
+			ADD_STRING(target, "ra ");
+		if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0)
+			ADD_STRING(target, "ad ");
+		if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0)
+			ADD_STRING(target, "cd ");
+		ADD_STRING(target, "\n; QUESTION: ");
+		sprintf(buf, "%3u", msg->counts[DNS_SECTION_QUESTION]);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, ", ANSWER: ");
+		sprintf(buf, "%3u", msg->counts[DNS_SECTION_ANSWER]);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, ", AUTHORITY: ");
+		sprintf(buf, "%3u", msg->counts[DNS_SECTION_AUTHORITY]);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, ", ADDITIONAL: ");
+		sprintf(buf, "%3u", msg->counts[DNS_SECTION_ADDITIONAL]);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, "\n");
+	}
+	result = dns_message_pseudosectiontotext(msg,
+						 DNS_PSEUDOSECTION_OPT,
+						 comments, omit_final_dot,
+						 target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_message_sectiontotext(msg, DNS_SECTION_QUESTION,
+					   comments,
+					   omit_final_dot,
+					   target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = dns_message_sectiontotext(msg, DNS_SECTION_ANSWER,
+					   comments,
+					   omit_final_dot,
+					   target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = dns_message_sectiontotext(msg, DNS_SECTION_AUTHORITY,
+					   comments,
+					   omit_final_dot,
+					   target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = dns_message_sectiontotext(msg, DNS_SECTION_ADDITIONAL,
+					   comments,
+					   omit_final_dot,
+					   target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_message_pseudosectiontotext(msg,
+						 DNS_PSEUDOSECTION_TSIG,
+						 comments, omit_final_dot,
+						 target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_message_pseudosectiontotext(msg,
+						 DNS_PSEUDOSECTION_SIG0,
+						 comments, omit_final_dot,
+						 target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	return (ISC_R_SUCCESS);
 }
diff --git a/lib/dns/name.c b/lib/dns/name.c
index 1ea70c74..5196341f 100644
--- a/lib/dns/name.c
+++ b/lib/dns/name.c
@@ -18,21 +18,18 @@
 #include <config.h>
 
 #include <ctype.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
-#include <dns/types.h>
 #include <dns/result.h>
 #include <dns/name.h>
 #include <dns/compress.h>
 
-#define NAME_MAGIC			0x444E536EU	/* DNSn. */
-#define VALID_NAME(n)			((n) != NULL && \
-					 (n)->magic == NAME_MAGIC)
+#define VALID_NAME(n)	ISC_MAGIC_VALID(n, DNS_NAME_MAGIC)
 
 typedef enum {
 	ft_init = 0,
@@ -135,7 +132,7 @@ static unsigned char maptolower[] = {
 		var = name->offsets; \
 	else { \
 		var = default; \
-		set_offsets(name, var, ISC_FALSE, ISC_FALSE, ISC_FALSE); \
+		set_offsets(name, var, ISC_FALSE); \
 	}
 
 /*
@@ -159,7 +156,7 @@ do { \
 	 == 0)
 
 static struct dns_name root = {
-	NAME_MAGIC,
+	DNS_NAME_MAGIC,
 	(unsigned char *)"", 1, 1,
 	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, 
 	(unsigned char *)"", NULL,
@@ -170,7 +167,7 @@ static struct dns_name root = {
 dns_name_t *dns_rootname = &root;
 
 static struct dns_name wild = {
-	NAME_MAGIC,
+	DNS_NAME_MAGIC,
 	(unsigned char *)"\001*", 2, 1,
 	DNS_NAMEATTR_READONLY,
 	(unsigned char *)"", NULL,
@@ -181,8 +178,7 @@ static struct dns_name wild = {
 dns_name_t *dns_wildcardname = &wild;
 
 static void set_offsets(dns_name_t *name, unsigned char *offsets,
-			isc_boolean_t set_labels, isc_boolean_t set_length,
-			isc_boolean_t set_absolute);
+			isc_boolean_t want_set);
 static void compact(dns_name_t *name, unsigned char *offsets);
 
 /*
@@ -202,13 +198,12 @@ get_bit(unsigned char *array, unsigned int index) {
 
 static void
 set_bit(unsigned char *array, unsigned int index, unsigned int bit) {
-	unsigned int byte, shift, mask;
+	unsigned int shift, mask;
 	
-	byte = array[index / 8];
 	shift = 7 - (index % 8);
 	mask = 1 << shift;
 
-	if (bit)
+	if (bit != 0)
 		array[index / 8] |= mask;
 	else
 		array[index / 8] &= (~mask & 0xFF);
@@ -283,7 +278,7 @@ dns_name_init(dns_name_t *name, unsigned char *offsets) {
 	 * Initialize 'name'.
 	 */
 	 
-	name->magic = NAME_MAGIC;
+	name->magic = DNS_NAME_MAGIC;
 	name->ndata = NULL;
 	name->length = 0;
 	name->labels = 0;
@@ -319,9 +314,7 @@ dns_name_setbuffer(dns_name_t *name, isc_buffer_t *buffer) {
 	 */
 
 	REQUIRE(VALID_NAME(name));
-	REQUIRE((buffer != NULL &&
-		 name->buffer == NULL &&
-		 isc_buffer_type(buffer) == ISC_BUFFERTYPE_BINARY) ||
+	REQUIRE((buffer != NULL && name->buffer == NULL) ||
 		(buffer == NULL));
 
 	name->buffer = buffer;
@@ -468,8 +461,7 @@ dns_name_fullcompare(dns_name_t *name1, dns_name_t *name2,
 {
 	unsigned int l1, l2, l, count1, count2, count;
 	unsigned int b1, b2, n, nlabels, nbits;
-	unsigned char c1, c2;
-	int cdiff, ldiff;
+	int cdiff, ldiff, chdiff;
 	unsigned char *label1, *label2;
 	unsigned char *offsets1, *offsets2;
 	dns_offsets_t odata1, odata2;
@@ -506,16 +498,11 @@ dns_name_fullcompare(dns_name_t *name1, dns_name_t *name2,
 	nbits = 0;
 	l1 = name1->labels;
 	l2 = name2->labels;
-	if (l1 < l2) {
+	ldiff = (int)l1 - (int)l2;
+	if (ldiff < 0)
 		l = l1;
-		ldiff = -1;
-	} else {
+	else
 		l = l2;
-		if (l1 > l2)
-			ldiff = 1;
-		else
-			ldiff = 0;
-	}
 
 	while (l > 0) {
 		l--;
@@ -526,28 +513,22 @@ dns_name_fullcompare(dns_name_t *name1, dns_name_t *name2,
 		count1 = *label1++;
 		count2 = *label2++;
 		if (count1 <= 63 && count2 <= 63) {
-			if (count1 < count2) {
-				cdiff = -1;
+			cdiff = (int)count1 - (int)count2;
+			if (cdiff < 0)
 				count = count1;
-			} else {
+			else
 				count = count2;
-				if (count1 > count2)
-					cdiff = 1;
-				else
-					cdiff = 0;
-			}
 
 			while (count > 0) {
-				count--;
-				c1 = maptolower[*label1++];
-				c2 = maptolower[*label2++];
-				if (c1 < c2) {
-					*orderp = -1;
-					goto done;
-				} else if (c1 > c2) {
-					*orderp = 1;
+				chdiff = (int)maptolower[*label1] -
+					(int)maptolower[*label2];
+				if (chdiff != 0) {
+					*orderp = chdiff;
 					goto done;
 				}
+				count--;
+				label1++;
+				label2++;
 			}
 			if (cdiff != 0) {
 				*orderp = cdiff;
@@ -741,7 +722,9 @@ dns_name_equal(dns_name_t *name1, dns_name_t *name2) {
 				return (ISC_FALSE);
 			if (count == 0)
 				count = 256;
-			/* number of bytes */
+			/*
+			 * Number of bytes.
+			 */
 			count = (count + 7) / 8;
 			while (count > 0) {
 				count--;
@@ -866,9 +849,10 @@ dns_name_matcheswildcard(dns_name_t *name, dns_name_t *wname) {
 	dns_name_t tname;
 
 	REQUIRE(VALID_NAME(name));
-	REQUIRE(dns_name_countlabels(name) > 0);
+	REQUIRE(name->labels > 0);
 	REQUIRE(VALID_NAME(wname));
-	REQUIRE((labels = dns_name_countlabels(wname)) > 0);
+	labels = wname->labels;
+	REQUIRE(labels > 0);
 	REQUIRE(dns_name_iswildcard(wname));
 
 	dns_name_init(&tname, NULL);
@@ -995,9 +979,14 @@ dns_name_getlabelsequence(dns_name_t *source,
 	}
 	target->labels = n;
 
-	if (target->offsets != NULL)
-		set_offsets(target, target->offsets, ISC_FALSE, ISC_FALSE,
-			    ISC_FALSE);
+	/*
+	 * If source and target are the same, and we're making target
+	 * a prefix of source, the offsets table is correct already
+	 * so we don't need to call set_offsets().
+	 */
+	if (target->offsets != NULL &&
+	    (target != source || first != 0))
+		set_offsets(target, target->offsets, ISC_FALSE);
 }
 
 void
@@ -1015,14 +1004,14 @@ dns_name_clone(dns_name_t *source, dns_name_t *target) {
 	target->length = source->length;
 	target->labels = source->labels;
 	target->attributes = source->attributes &
-		~(DNS_NAMEATTR_READONLY|DNS_NAMEATTR_DYNAMIC);
+		~(DNS_NAMEATTR_READONLY | DNS_NAMEATTR_DYNAMIC |
+		  DNS_NAMEATTR_DYNOFFSETS);
 	if (target->offsets != NULL && source->labels > 0) {
 		if (source->offsets != NULL)
 			memcpy(target->offsets, source->offsets,
 			       source->labels);
 		else
-			set_offsets(target, target->offsets, ISC_FALSE,
-				    ISC_FALSE, ISC_FALSE);
+			set_offsets(target, target->offsets, ISC_FALSE);
 	}
 }
 
@@ -1045,7 +1034,7 @@ dns_name_fromregion(dns_name_t *name, isc_region_t *r) {
 
 	if (name->buffer != NULL) {
 		isc_buffer_clear(name->buffer);
-		isc_buffer_available(name->buffer, &r2);
+		isc_buffer_availableregion(name->buffer, &r2);
 		len = (r->length < r2.length) ? r->length : r2.length;
 		if (len > 255)
 			len = 255;
@@ -1058,7 +1047,7 @@ dns_name_fromregion(dns_name_t *name, isc_region_t *r) {
 	}
 
 	if (r->length > 0)
-		set_offsets(name, offsets, ISC_TRUE, ISC_TRUE, ISC_TRUE);
+		set_offsets(name, offsets, ISC_TRUE);
 	else {
 		name->labels = 0;
 		name->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
@@ -1109,12 +1098,12 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
 	 */
 
 	REQUIRE(VALID_NAME(name));
-	REQUIRE(isc_buffer_type(source) == ISC_BUFFERTYPE_TEXT);
+
 	if (target == NULL && name->buffer != NULL) {
 		target = name->buffer;
 		isc_buffer_clear(target);
 	}
-	REQUIRE(isc_buffer_type(target) == ISC_BUFFERTYPE_BINARY);
+
 	REQUIRE(BINDABLE(name));
 	
 	INIT_OFFSETS(name, offsets, odata);
@@ -1540,7 +1529,7 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
 					if (bitlength % 8 != 0)
 						n1++;
 					if (nrem < n1)
-						return (DNS_R_NOSPACE);
+						return (ISC_R_NOSPACE);
 					for (n2 = 0; n2 < n1; n2++) {
 						*ndata++ = dqchars[n2];
 						nrem--;
@@ -1591,11 +1580,11 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
 
 	if (!done) {
 		if (nrem == 0)
-			return (DNS_R_NOSPACE);
+			return (ISC_R_NOSPACE);
 		INSIST(tlen == 0);
 		if (state != ft_ordinary && state != ft_eatdot &&
 		    state != ft_at)
-			return (DNS_R_UNEXPECTEDEND);
+			return (ISC_R_UNEXPECTEDEND);
 		if (state == ft_ordinary) {
 			INSIST(count != 0);
 			*label = count;
@@ -1605,7 +1594,7 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
 		}
 		if (origin != NULL) {
 			if (nrem < origin->length)
-				return (DNS_R_NOSPACE);
+				return (ISC_R_NOSPACE);
 			label = origin->ndata;
 			n1 = origin->length;
 			nrem -= n1;
@@ -1661,7 +1650,7 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
 	isc_buffer_forward(source, tused);
 	isc_buffer_add(target, name->length);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -1685,7 +1674,6 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 	 */
 	REQUIRE(VALID_NAME(name));
 	REQUIRE(name->labels > 0);
-	REQUIRE(isc_buffer_type(target) == ISC_BUFFERTYPE_TEXT);
 
 	ndata = name->ndata;
 	nlen = name->length;
@@ -1701,7 +1689,7 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 		labels = 0;
 		nlen = 0;
 		if (trem == 0)
-			return (DNS_R_NOSPACE);
+			return (ISC_R_NOSPACE);
 		*tdata++ = '.';
 		trem--;
 	}
@@ -1727,7 +1715,7 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 				case 0x40: /* '@' */
 				case 0x24: /* '$' */
 					if (trem < 2)
-						return (DNS_R_NOSPACE);
+						return (ISC_R_NOSPACE);
 					*tdata++ = '\\';
 					CONVERTFROMASCII(c);
 					*tdata++ = c;
@@ -1738,7 +1726,7 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 				default:
 					if (c > 0x20 && c < 0x7f) {
 						if (trem == 0)
-							return (DNS_R_NOSPACE);
+							return (ISC_R_NOSPACE);
 						CONVERTFROMASCII(c);
 						*tdata++ = c;
 						ndata++;
@@ -1746,7 +1734,7 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 						nlen--;
 					} else {
 						if (trem < 4)
-							return (DNS_R_NOSPACE);
+							return (ISC_R_NOSPACE);
 						sprintf(tdata, "\\%03u",
 							c);
 						tdata += 4;
@@ -1759,7 +1747,7 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 			}
 		} else if (count == DNS_LABELTYPE_BITSTRING) {
 			if (trem < 3)
-				return (DNS_R_NOSPACE);
+				return (ISC_R_NOSPACE);
 			*tdata++ = '\\';
 			*tdata++ = '[';
 			*tdata++ = 'x';
@@ -1779,7 +1767,7 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 			if (count % 4 != 0)
 				nibbles++;
 			if (trem < nibbles)
-				return (DNS_R_NOSPACE);
+				return (ISC_R_NOSPACE);
 			trem -= nibbles;
 			nlen -= bytes;
 			while (nibbles > 0) {
@@ -1793,7 +1781,7 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 				}
 			}
 			if (trem < 2 + len)
-				return (DNS_R_NOSPACE);
+				return (ISC_R_NOSPACE);
 			*tdata++ = '/';
 			for (i = 0; i < len; i++)
 				*tdata++ = num[i];
@@ -1812,26 +1800,24 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 		 * needed in the final output.
 		 */
 		if (trem == 0)
-			return (DNS_R_NOSPACE);
+			return (ISC_R_NOSPACE);
 		*tdata++ = '.';
 		trem--;
 	}
 
 	if (nlen != 0 && trem == 0)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	INSIST(nlen == 0);
 	if (!saw_root || omit_final_dot)
 		trem++;
 
 	isc_buffer_add(target, tlen - trem);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
-dns_name_downcase(dns_name_t *source, dns_name_t *name,
-		  isc_buffer_t *target)
-{
+dns_name_downcase(dns_name_t *source, dns_name_t *name, isc_buffer_t *target) {
 	unsigned char *sndata, *ndata;
 	unsigned int nlen, count, bytes, labels;
 	isc_buffer_t buffer;
@@ -1844,8 +1830,7 @@ dns_name_downcase(dns_name_t *source, dns_name_t *name,
 	REQUIRE(VALID_NAME(name));
 	if (source == name) {
 		REQUIRE((name->attributes & DNS_NAMEATTR_READONLY) == 0);
-		isc_buffer_init(&buffer, source->ndata, source->length,
-				ISC_BUFFERTYPE_BINARY);
+		isc_buffer_init(&buffer, source->ndata, source->length);
 		target = &buffer;
 		ndata = source->ndata;
 	} else {
@@ -1864,7 +1849,7 @@ dns_name_downcase(dns_name_t *source, dns_name_t *name,
 
 	if (nlen > (target->length - target->used)) {
 		MAKE_EMPTY(name);
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	}
 
 	while (labels > 0 && nlen > 0) {
@@ -1912,8 +1897,7 @@ dns_name_downcase(dns_name_t *source, dns_name_t *name,
 		else
 			name->attributes = 0;
 		if (name->labels > 0 && name->offsets != NULL)
-			set_offsets(name, name->offsets, ISC_FALSE, ISC_FALSE,
-				    ISC_FALSE);
+			set_offsets(name, name->offsets, ISC_FALSE);
 	}
 
 	isc_buffer_add(target, name->length);
@@ -1922,49 +1906,46 @@ dns_name_downcase(dns_name_t *source, dns_name_t *name,
 }
 
 static void
-set_offsets(dns_name_t *name, unsigned char *offsets, isc_boolean_t set_labels,
-	    isc_boolean_t set_length, isc_boolean_t set_absolute)
-{
-	unsigned int offset, count, nlabels, nrem, n;
+set_offsets(dns_name_t *name, unsigned char *offsets, isc_boolean_t want_set) {
+	unsigned int offset, count, length, nlabels, n;
 	unsigned char *ndata;
-	isc_boolean_t absolute = ISC_FALSE;
+	isc_boolean_t absolute;
 
 	ndata = name->ndata;
-	nrem = name->length;
+	length = name->length;
 	offset = 0;
 	nlabels = 0;
-	while (nrem > 0) {
+	absolute = ISC_FALSE;
+	while (offset != length) {
 		INSIST(nlabels < 128);
 		offsets[nlabels++] = offset;
 		count = *ndata++;
-		nrem--;
 		offset++;
-		if (count == 0) {
-			absolute = ISC_TRUE;
-			break;
-		}
-		if (count > 63) {
+		if (count <= 63) {
+			offset += count;
+			ndata += count;
+			INSIST(offset <= length);
+			if (count == 0) {
+				absolute = ISC_TRUE;
+				break;
+			}
+		} else {
 			INSIST(count == DNS_LABELTYPE_BITSTRING);
-			INSIST(nrem != 0);
 			n = *ndata++;
-			nrem--;
 			offset++;
 			if (n == 0)
 				n = 256;
 			count = n / 8;
 			if (n % 8 != 0)
 				count++;
+			offset += count;
+			ndata += count;
+			INSIST(offset <= length);
 		}
-		INSIST(nrem >= count);
-		nrem -= count;
-		offset += count;
-		ndata += count;
 	}
-	if (set_labels)
+	if (want_set) {
 		name->labels = nlabels;
-	if (set_length)
 		name->length = offset;
-	if (set_absolute) {
 		if (absolute)
 			name->attributes |= DNS_NAMEATTR_ABSOLUTE;
 		else
@@ -2110,8 +2091,7 @@ compact(dns_name_t *name, unsigned char *offsets) {
 				/*
 				 * The offsets table may now be invalid.
 				 */
-				set_offsets(name, offsets, ISC_FALSE,
-					    ISC_FALSE, ISC_FALSE);
+				set_offsets(name, offsets, ISC_FALSE);
 				goto again;
 			}
 		}
@@ -2139,12 +2119,12 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 	 */
 
 	REQUIRE(VALID_NAME(name));
-	REQUIRE(isc_buffer_type(source) == ISC_BUFFERTYPE_BINARY);
+
 	if (target == NULL && name->buffer != NULL) {
 		target = name->buffer;
 		isc_buffer_clear(target);
 	}
-	REQUIRE(isc_buffer_type(target) == ISC_BUFFERTYPE_BINARY);
+
 	REQUIRE(dctx != NULL);
 	REQUIRE(BINDABLE(name));
 
@@ -2194,7 +2174,7 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 			if (c < 64) {
 				labels++;
 				if (nrem < c + 1)
-					return (DNS_R_NOSPACE);
+					return (ISC_R_NOSPACE);
 				nrem -= c + 1;
 				nused += c + 1;
 				*ndata++ = c;
@@ -2222,7 +2202,7 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 			} else if (c == DNS_LABELTYPE_BITSTRING) {
 				labels++;
 				if (nrem == 0)
-					return (DNS_R_NOSPACE);
+					return (ISC_R_NOSPACE);
 				nrem--;
 				nused++;
 				*ndata++ = c;
@@ -2259,7 +2239,7 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 			if ((c % 8) != 0)
 				n++;
 			if (nrem < n + 1)
-				return (DNS_R_NOSPACE);
+				return (ISC_R_NOSPACE);
 			nrem -= n + 1;
 			nused += n + 1;
 			*ndata++ = c;
@@ -2290,7 +2270,7 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 	}
 
 	if (!done)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 
 	name->ndata = (unsigned char *)target->base + target->used;
 	name->labels = labels;
@@ -2301,7 +2281,7 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 	 * We should build the offsets table directly.
 	 */
 	if (name->offsets != NULL || saw_bitstring)
-		set_offsets(name, offsets, ISC_FALSE, ISC_FALSE, ISC_FALSE);
+		set_offsets(name, offsets, ISC_FALSE);
 
 	if (saw_bitstring)
 		compact(name, offsets);
@@ -2309,13 +2289,11 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 	isc_buffer_forward(source, cused);
 	isc_buffer_add(target, name->length);
 	
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
-dns_name_towire(dns_name_t *name, dns_compress_t *cctx,
-		isc_buffer_t *target)
-{
+dns_name_towire(dns_name_t *name, dns_compress_t *cctx, isc_buffer_t *target) {
 	unsigned int methods;
 	isc_uint16_t offset;
 	dns_name_t gp, gs;
@@ -2323,6 +2301,8 @@ dns_name_towire(dns_name_t *name, dns_compress_t *cctx,
 	isc_uint16_t go;
 	unsigned char gb[257];
 	isc_buffer_t gws;
+	dns_offsets_t po, so, clo;
+	dns_name_t clname;
 
 	/*
 	 * Convert 'name' into wire format, compressing it as specified by the
@@ -2331,11 +2311,19 @@ dns_name_towire(dns_name_t *name, dns_compress_t *cctx,
 
 	REQUIRE(VALID_NAME(name));
 	REQUIRE(cctx != NULL);
-	REQUIRE(isc_buffer_type(target) == ISC_BUFFERTYPE_BINARY);
 
-	dns_name_init(&gp, NULL);
-	dns_name_init(&gs, NULL);
-	isc_buffer_init(&gws, gb, sizeof gb, ISC_BUFFERTYPE_BINARY);
+	/*
+	 * If 'name' doesn't have an offsets table, make a clone which
+	 * has one.
+	 */
+	if (name->offsets == NULL) {
+		dns_name_init(&clname, clo);
+		dns_name_clone(name, &clname);
+		name = &clname;
+	}
+	dns_name_init(&gp, po);
+	dns_name_init(&gs, so);
+	isc_buffer_init(&gws, gb, sizeof (gb));
 
 	offset = target->used;	/*XXX*/
 
@@ -2354,18 +2342,18 @@ dns_name_towire(dns_name_t *name, dns_compress_t *cctx,
 
 	if (gf) {
 		if (target->length - target->used < gp.length)
-			return (DNS_R_NOSPACE);
+			return (ISC_R_NOSPACE);
 		(void)memcpy((unsigned char *)target->base + target->used,
 			     gp.ndata, (size_t)gp.length);
 		isc_buffer_add(target, gp.length);
 		if (go < 16384) {
 			go |= 0xc000;
 			if (target->length - target->used < 2)
-				return (DNS_R_NOSPACE);
+				return (ISC_R_NOSPACE);
 			isc_buffer_putuint16(target, go);
 		} else {
 			if (target->length - target->used < 3)
-				return (DNS_R_NOSPACE);
+				return (ISC_R_NOSPACE);
 			*((unsigned char*)target->base + target->used) =
 				DNS_LABELTYPE_GLOBALCOMP16;
 			isc_buffer_add(target, 1);
@@ -2375,13 +2363,13 @@ dns_name_towire(dns_name_t *name, dns_compress_t *cctx,
 			dns_compress_add(cctx, &gp, &gs, offset);
 	} else {
 		if (target->length - target->used < name->length)
-			return (DNS_R_NOSPACE);
+			return (ISC_R_NOSPACE);
 		(void)memcpy((unsigned char *)target->base + target->used,
 			     name->ndata, (size_t)name->length);
 		isc_buffer_add(target, name->length);
 		dns_compress_add(cctx, name, NULL, offset);
 	}
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -2421,7 +2409,7 @@ dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix, dns_name_t *name,
 		target = name->buffer;
 		isc_buffer_clear(name->buffer);
 	}
-	REQUIRE(isc_buffer_type(target) == ISC_BUFFERTYPE_BINARY);
+
 	REQUIRE(BINDABLE(name));
 
 	/*
@@ -2464,7 +2452,7 @@ dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix, dns_name_t *name,
 	}
 	if (length > nrem) {
 		MAKE_EMPTY(name);
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	}
 
 	if (copy_suffix) {
@@ -2525,14 +2513,14 @@ dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix, dns_name_t *name,
 
 	if (name->labels > 0 && (name->offsets != NULL || saw_bitstring)) {
 		INIT_OFFSETS(name, offsets, odata);
-		set_offsets(name, offsets, ISC_FALSE, ISC_FALSE, ISC_FALSE);
+		set_offsets(name, offsets, ISC_FALSE);
 		if (saw_bitstring)
 			compact(name, offsets);
 	}
 
 	isc_buffer_add(target, name->length);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -2543,7 +2531,7 @@ dns_name_split(dns_name_t *name,
 {
 	dns_offsets_t name_odata, split_odata;
 	unsigned char *offsets, *splitoffsets;
-	isc_result_t result = DNS_R_SUCCESS;
+	isc_result_t result = ISC_R_SUCCESS;
 	unsigned int splitlabel, bitbytes, mod, len;
 	unsigned char *p, *src, *dst;
 
@@ -2556,12 +2544,10 @@ dns_name_split(dns_name_t *name,
 	REQUIRE(prefix == NULL ||
 		(VALID_NAME(prefix) &&
 		 prefix->buffer != NULL &&
-		 isc_buffer_type(prefix->buffer) == ISC_BUFFERTYPE_BINARY &&
 		 BINDABLE(prefix)));
 	REQUIRE(suffix == NULL ||
 		(VALID_NAME(suffix) &&
 		 suffix->buffer != NULL &&
-		 isc_buffer_type(suffix->buffer) == ISC_BUFFERTYPE_BINARY &&
 		 BINDABLE(suffix)));
 
 	/*
@@ -2632,7 +2618,7 @@ dns_name_split(dns_name_t *name,
 
 			if (prefix->length > prefix->buffer->length ) {
 				dns_name_invalidate(prefix);
-				return(DNS_R_NOSPACE);
+				return(ISC_R_NOSPACE);
 			}
 
 			/*
@@ -2686,8 +2672,7 @@ dns_name_split(dns_name_t *name,
 			INSIST(len = prefix->length);
 
 			INIT_OFFSETS(prefix, splitoffsets, split_odata);
-			set_offsets(prefix, splitoffsets,
-				    ISC_TRUE, ISC_TRUE, ISC_TRUE);
+			set_offsets(prefix, splitoffsets, ISC_TRUE);
 
 			INSIST(prefix->labels == splitlabel + 1 &&
 			       prefix->length == len);
@@ -2698,7 +2683,7 @@ dns_name_split(dns_name_t *name,
 
 	}
 
-	if (suffix != NULL && result == DNS_R_SUCCESS) {
+	if (suffix != NULL && result == ISC_R_SUCCESS) {
 		if (nbits > 0) {
 			bitbytes = (nbits - 1) / 8 + 1;
 
@@ -2719,7 +2704,7 @@ dns_name_split(dns_name_t *name,
 			INSIST(suffix->length > 0);
 			if (suffix->length > suffix->buffer->length) {
 				dns_name_invalidate(suffix);
-				return (DNS_R_NOSPACE);
+				return (ISC_R_NOSPACE);
 			}
 
 			/*
@@ -2788,13 +2773,11 @@ dns_name_split(dns_name_t *name,
 			INSIST(len = suffix->length);
 
 			INIT_OFFSETS(suffix, splitoffsets, split_odata);
-			set_offsets(suffix, splitoffsets,
-				    ISC_TRUE, ISC_TRUE, ISC_TRUE);
+			set_offsets(suffix, splitoffsets, ISC_TRUE);
 
 			INSIST(suffix->labels == suffixlabels &&
 			       suffix->length == len);
 
-
 		} else
 			dns_name_getlabelsequence(name, splitlabel,
 						  suffixlabels, suffix);
@@ -2890,7 +2873,7 @@ dns_name_dup(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target) {
 
 	target->ndata = isc_mem_get(mctx, source->length);
 	if (target->ndata == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
 	memcpy(target->ndata, source->ndata, source->length);
 
@@ -2899,15 +2882,62 @@ dns_name_dup(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target) {
 	target->attributes = DNS_NAMEATTR_DYNAMIC;
 	if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
 		target->attributes |= DNS_NAMEATTR_ABSOLUTE;
-	if (target->offsets != NULL)
-		set_offsets(target, target->offsets, ISC_FALSE, ISC_FALSE,
-			    ISC_FALSE);
+	if (target->offsets != NULL) {
+		if (source->offsets != NULL)
+			memcpy(target->offsets, source->offsets,
+			       source->labels);
+		else
+			set_offsets(target, target->offsets, ISC_FALSE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_name_dupwithoffsets(dns_name_t *source, isc_mem_t *mctx,
+			dns_name_t *target)
+{
+	/*
+	 * Make 'target' a read-only dynamically allocated copy of 'source'.
+	 * 'target' will also have a dynamically allocated offsets table.
+	 */
+
+	REQUIRE(VALID_NAME(source));
+	REQUIRE(source->length > 0);
+	REQUIRE(VALID_NAME(target));
+	REQUIRE(BINDABLE(target));
+	REQUIRE(target->offsets == NULL);
+
+	/*
+	 * Make 'target' empty in case of failure.
+	 */
+	MAKE_EMPTY(target);
+
+	target->ndata = isc_mem_get(mctx, source->length + source->labels);
+	if (target->ndata == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memcpy(target->ndata, source->ndata, source->length);
+
+	target->length = source->length;
+	target->labels = source->labels;
+	target->attributes = DNS_NAMEATTR_DYNAMIC | DNS_NAMEATTR_DYNOFFSETS |
+		DNS_NAMEATTR_READONLY;
+	if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
+		target->attributes |= DNS_NAMEATTR_ABSOLUTE;
+	target->offsets = target->ndata + source->length;
+	if (source->offsets != NULL)
+		memcpy(target->offsets, source->offsets, source->labels);
+	else
+		set_offsets(target, target->offsets, ISC_FALSE);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 void
 dns_name_free(dns_name_t *name, isc_mem_t *mctx) {
+	size_t size;
+
 	/*
 	 * Free 'name'.
 	 */
@@ -2915,7 +2945,10 @@ dns_name_free(dns_name_t *name, isc_mem_t *mctx) {
 	REQUIRE(VALID_NAME(name));
 	REQUIRE((name->attributes & DNS_NAMEATTR_DYNAMIC) != 0);
 
-	isc_mem_put(mctx, name->ndata, name->length);
+	size = name->length;
+	if ((name->attributes & DNS_NAMEATTR_DYNOFFSETS) != 0)
+		size += name->labels;
+	isc_mem_put(mctx, name->ndata, size);
 	dns_name_invalidate(name);
 }
 
@@ -2935,13 +2968,13 @@ dns_name_digest(dns_name_t *name, dns_digestfunc_t digest, void *arg) {
 	REQUIRE(digest != NULL);
 
 	dns_name_init(&downname, NULL);
-	isc_buffer_init(&buffer, data, sizeof data, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&buffer, data, sizeof(data));
 	
 	result = dns_name_downcase(name, &downname, &buffer);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	
-	isc_buffer_used(&buffer, &r);
+	isc_buffer_usedregion(&buffer, &r);
 	
 	return ((digest)(arg, &r));
 }
@@ -2971,12 +3004,41 @@ dns_name_print(dns_name_t *name, FILE *stream) {
 
 	REQUIRE(VALID_NAME(name));
 
-	isc_buffer_init(&b, t, sizeof t, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&b, t, sizeof(t));
 	result = dns_name_totext(name, ISC_FALSE, &b);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-	isc_buffer_used(&b, &r);
+	isc_buffer_usedregion(&b, &r);
 	fprintf(stream, "%.*s", (int)r.length, (char *)r.base);
 
 	return (ISC_R_SUCCESS);
 }
+
+void
+dns_name_format(dns_name_t *name, char *cp, unsigned int size) {
+	isc_result_t result;
+	isc_buffer_t buf;
+	isc_boolean_t omit_final_dot = ISC_TRUE;
+
+	REQUIRE(size > 0);
+	
+	if (dns_name_equal(name, dns_rootname))
+		omit_final_dot = ISC_FALSE;
+
+	/*
+	 * Leave room for null termination after buffer.
+	 */
+	isc_buffer_init(&buf, cp, size - 1);
+	result = dns_name_totext(name, omit_final_dot, &buf);
+	if (result == ISC_R_SUCCESS) {
+		/*
+		 * Null terminate.
+		 */
+		isc_region_t r;
+		isc_buffer_usedregion(&buf, &r);
+		((char *) r.base)[r.length] = '\0';
+
+	} else
+		snprintf(cp, size, "<unknown>");
+}
+
diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
index 03384ff5..1833900e 100644
--- a/lib/dns/ncache.c
+++ b/lib/dns/ncache.c
@@ -17,19 +17,14 @@
 
 #include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/region.h>
-#include <isc/buffer.h>
+#include <isc/util.h>
 
-#include <dns/types.h>
-#include <dns/ncache.h>
-#include <dns/name.h>
-#include <dns/compress.h>
-#include <dns/message.h>
 #include <dns/db.h>
+#include <dns/message.h>
+#include <dns/ncache.h>
 #include <dns/rdata.h>
-#include <dns/rdataset.h>
 #include <dns/rdatalist.h>
+#include <dns/rdataset.h>
 
 /*
  * The format of an ncache rdata is a sequence of one or more records of
@@ -53,7 +48,7 @@ copy_rdataset(dns_rdataset_t *rdataset, isc_buffer_t *buffer) {
 	/*
 	 * Copy the rdataset count to the buffer.
 	 */
-	isc_buffer_available(buffer, &ar);
+	isc_buffer_availableregion(buffer, &ar);
 	if (ar.length < 2)
 		return (ISC_R_NOSPACE);
 	count = dns_rdataset_count(rdataset);
@@ -65,7 +60,7 @@ copy_rdataset(dns_rdataset_t *rdataset, isc_buffer_t *buffer) {
 		dns_rdataset_current(rdataset, &rdata);
 		dns_rdata_toregion(&rdata, &r);
 		INSIST(r.length <= 65535);
-		isc_buffer_available(buffer, &ar);
+		isc_buffer_availableregion(buffer, &ar);
 		if (ar.length < 2)
 			return (ISC_R_NOSPACE);
 		/*
@@ -121,7 +116,7 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 	 */
 	ttl = 0xffffffff;
 	trust = 0xffff;
-	isc_buffer_init(&buffer, data, sizeof data, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&buffer, data, sizeof(data));
 	result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
 	while (result == ISC_R_SUCCESS) {
 		name = NULL;
@@ -154,10 +149,12 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 					/*
 					 * Copy the type to the buffer.
 					 */
-					isc_buffer_available(&buffer, &r);
+					isc_buffer_availableregion(&buffer,
+								   &r);
 					if (r.length < 2)
 						return (ISC_R_NOSPACE);
-					isc_buffer_putuint16(&buffer, type);
+					isc_buffer_putuint16(&buffer,
+							     rdataset->type);
 					/*
 					 * Copy the rdataset into the buffer.
 					 */
@@ -198,7 +195,7 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 		/*
 		 * Copy the type and a zero rdata count to the buffer.
 		 */
-		isc_buffer_available(&buffer, &r);
+		isc_buffer_availableregion(&buffer, &r);
 		if (r.length < 4)
 			return (ISC_R_NOSPACE);
 		isc_buffer_putuint16(&buffer, 0);
@@ -227,7 +224,7 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 	 */
 	INSIST(trust != 0xffff);
 	dns_rdata_init(&rdata);
-	isc_buffer_used(&buffer, &r);
+	isc_buffer_usedregion(&buffer, &r);
 	rdata.data = r.base;
 	rdata.length = r.length;
 	rdata.rdclass = dns_db_class(cache);
@@ -276,21 +273,15 @@ dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
 		return (result);
 	dns_rdataset_current(rdataset, &rdata);
 	INSIST(dns_rdataset_next(rdataset) == ISC_R_NOMORE);
-	isc_buffer_init(&source, rdata.data, rdata.length,
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&source, rdata.data, rdata.length);
 	isc_buffer_add(&source, rdata.length);
-	
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
 
 	savedbuffer = *target;
 
 	count = 0;
 	do {
 		dns_name_init(&name, NULL);
-		isc_buffer_remaining(&source, &remaining);
+		isc_buffer_remainingregion(&source, &remaining);
 		dns_name_fromregion(&name, &remaining);
 		INSIST(remaining.length >= name.length);
 		isc_buffer_forward(&source, name.length);
@@ -305,11 +296,11 @@ dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
 			 * Get the length of this rdata and set up an
 			 * rdata structure for it.
 			 */
-			isc_buffer_remaining(&source, &remaining);
+			isc_buffer_remainingregion(&source, &remaining);
 			INSIST(remaining.length >= 2);
 			dns_rdata_init(&rdata);
 			rdata.length = isc_buffer_getuint16(&source);
-			isc_buffer_remaining(&source, &remaining);
+			isc_buffer_remainingregion(&source, &remaining);
 			rdata.data = remaining.base;
 			rdata.type = type;
 			rdata.rdclass = rdataset->rdclass;
@@ -319,15 +310,16 @@ dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
 			/*
 			 * Write the name.
 			 */
+			dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
 			result = dns_name_towire(&name, cctx, target);
-			if (result != DNS_R_SUCCESS)
+			if (result != ISC_R_SUCCESS)
 				goto rollback;
 
 			/*
 			 * See if we have space for type, class, ttl, and
 			 * rdata length.  Write the type, class, and ttl.
 			 */
-			isc_buffer_remaining(target, &tremaining);
+			isc_buffer_remainingregion(target, &tremaining);
 			if (tremaining.length < 10) {
 				result = ISC_R_NOSPACE;
 				goto rollback;
@@ -346,7 +338,7 @@ dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
 			 * Write the rdata.
 			 */
 			result = dns_rdata_towire(&rdata, cctx, target);
-			if (result != DNS_R_SUCCESS)
+			if (result != ISC_R_SUCCESS)
 				goto rollback;
 
 			/*
@@ -361,7 +353,7 @@ dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
 
 			count++;
 		}
-		isc_buffer_remaining(&source, &remaining);
+		isc_buffer_remainingregion(&source, &remaining);
 	} while (remaining.length > 0);
 
 	*countp = count;
diff --git a/lib/dns/nxt.c b/lib/dns/nxt.c
index b6528103..915308c3 100644
--- a/lib/dns/nxt.c
+++ b/lib/dns/nxt.c
@@ -17,23 +17,20 @@
 
 #include <config.h>
 
-#include <string.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
-#include <isc/assertions.h>
-
-#include <dns/types.h>
-#include <dns/name.h>
 #include <dns/db.h>
-#include <dns/dbiterator.h>
+#include <dns/nxt.h>
 #include <dns/rdata.h>
+#include <dns/rdatalist.h>
 #include <dns/rdataset.h>
 #include <dns/rdatasetiter.h>
-#include <dns/rdatalist.h>
-#include <dns/nxt.h>
+#include <dns/result.h>
 
 #define check_result(op, msg) \
 	do { result = (op); \
-		if (result != DNS_R_SUCCESS) { \
+		if (result != ISC_R_SUCCESS) { \
 			fprintf(stderr, "%s: %s\n", msg, \
 				isc_result_totext(result)); \
 			goto failure; \
@@ -42,13 +39,12 @@
 
 static void
 set_bit(unsigned char *array, unsigned int index, unsigned int bit) {
-	unsigned int byte, shift, mask;
-	
-	byte = array[index / 8];
+	unsigned int shift, mask;
+
 	shift = 7 - (index % 8);
 	mask = 1 << shift;
 
-	if (bit)
+	if (bit != 0)
 		array[index / 8] |= mask;
 	else
 		array[index / 8] &= (~mask & 0xFF);
@@ -57,11 +53,12 @@ set_bit(unsigned char *array, unsigned int index, unsigned int bit) {
 static unsigned int
 bit_isset(unsigned char *array, unsigned int index) {
 	unsigned int byte, shift, mask;
-	
+
 	byte = array[index / 8];
 	shift = 7 - (index % 8);
 	mask = 1 << shift;
-	return ((array[index / 8] & mask) != 0);
+
+	return ((byte & mask) != 0);
 }
 
 isc_result_t
@@ -88,7 +85,7 @@ dns_buildnxtrdata(dns_db_t *db, dns_dbversion_t *version,
 	dns_rdataset_init(&rdataset);
 	rdsiter = NULL;
 	result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	for (result = dns_rdatasetiter_first(rdsiter);
 	     result == ISC_R_SUCCESS;
@@ -96,7 +93,8 @@ dns_buildnxtrdata(dns_db_t *db, dns_dbversion_t *version,
 	{
 		dns_rdatasetiter_current(rdsiter, &rdataset);
 		if (rdataset.type > 127)
-			return DNS_R_RANGE; /* XXX "rdataset type too large" */
+			/* XXX "rdataset type too large" */
+			return (ISC_R_RANGE);
 		if (rdataset.type != dns_rdatatype_nxt) {
 			if (rdataset.type > max_type)
 				max_type = rdataset.type;
@@ -105,7 +103,9 @@ dns_buildnxtrdata(dns_db_t *db, dns_dbversion_t *version,
 		dns_rdataset_disassociate(&rdataset);
 	}
 
-	/* At zone cuts, deny the existence of glue in the parent zone. */
+	/*
+	 * At zone cuts, deny the existence of glue in the parent zone.
+	 */
 	if (bit_isset(nxt_bits, dns_rdatatype_ns) &&
 	    ! bit_isset(nxt_bits, dns_rdatatype_soa)) {
 		for (i = 0; i < 128; i++) {
@@ -116,7 +116,7 @@ dns_buildnxtrdata(dns_db_t *db, dns_dbversion_t *version,
 	}
 
 	dns_rdatasetiter_destroy(&rdsiter);
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		return (result);
 
 	r.length += ((max_type + 7) / 8);
@@ -126,7 +126,7 @@ dns_buildnxtrdata(dns_db_t *db, dns_dbversion_t *version,
 			     dns_rdatatype_nxt,
 			     &r);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 
@@ -164,3 +164,26 @@ dns_buildnxt(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
 		dns_rdataset_disassociate(&rdataset);
 	return (result);
 }
+
+isc_boolean_t
+dns_nxt_typepresent(dns_rdata_t *nxt, dns_rdatatype_t type) {
+	dns_name_t name;
+	isc_region_t r, r2;
+	unsigned char *nxt_bits;
+	int nxt_bits_length;
+
+	REQUIRE(nxt != NULL);
+	REQUIRE(nxt->type == dns_rdatatype_nxt);
+	REQUIRE(type < 128);
+
+	dns_rdata_toregion(nxt, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+	dns_name_toregion(&name, &r2);
+	nxt_bits = ((unsigned char *)r.base) + r2.length;
+	nxt_bits_length = r.length - r2.length;
+	if (type >= nxt_bits_length * 8)
+		return (ISC_FALSE);
+	else
+		return (ISC_TF(bit_isset(nxt_bits, type)));
+}
diff --git a/lib/dns/peer.c b/lib/dns/peer.c
index 3bf26bce..d14d79fd 100644
--- a/lib/dns/peer.c
+++ b/lib/dns/peer.c
@@ -17,19 +17,14 @@
 
 #include <config.h>
 
-#include <sys/types.h>	/* XXXRTH */
-
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isc/magic.h>
-#include <isc/net.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
+#include <dns/bit.h>
 #include <dns/name.h>
-#include <dns/types.h>
 #include <dns/peer.h>
 
-
 /*
  * Bit positions in the dns_peer_t structure flags field
  */
@@ -39,12 +34,14 @@
 #define PROVIDE_IXFR_BIT		3
 #define REQUEST_IXFR_BIT		4
 
-static isc_result_t dns_peerlist_delete(dns_peerlist_t **list);
-static isc_result_t dns_peer_delete(dns_peer_t **peer);
+static isc_result_t
+dns_peerlist_delete(dns_peerlist_t **list);
+
+static isc_result_t
+dns_peer_delete(dns_peer_t **peer);
 
 isc_result_t
-dns_peerlist_new(isc_mem_t *mem, dns_peerlist_t **list)
-{
+dns_peerlist_new(isc_mem_t *mem, dns_peerlist_t **list) {
 	dns_peerlist_t *l;
 	
 	REQUIRE(list != NULL);
@@ -66,8 +63,7 @@ dns_peerlist_new(isc_mem_t *mem, dns_peerlist_t **list)
 
 
 void
-dns_peerlist_attach(dns_peerlist_t *source, dns_peerlist_t **target)
-{
+dns_peerlist_attach(dns_peerlist_t *source, dns_peerlist_t **target) {
 	REQUIRE(DNS_PEERLIST_VALID(source));
 	REQUIRE(target != NULL);
 	REQUIRE(*target == NULL);
@@ -79,10 +75,8 @@ dns_peerlist_attach(dns_peerlist_t *source, dns_peerlist_t **target)
 	*target = source;
 }
 
-
 void
-dns_peerlist_detach(dns_peerlist_t **list)
-{
+dns_peerlist_detach(dns_peerlist_t **list) {
 	dns_peerlist_t *plist;
 	
 	REQUIRE(list != NULL);
@@ -102,12 +96,11 @@ dns_peerlist_detach(dns_peerlist_t **list)
 }
 
 static isc_result_t
-dns_peerlist_delete(dns_peerlist_t **list)
-{
+dns_peerlist_delete(dns_peerlist_t **list) {
 	dns_peerlist_t *l;
 	dns_peer_t *server, *stmp;
 	isc_result_t r;
-	
+
 	REQUIRE(list != NULL);
 	REQUIRE(DNS_PEERLIST_VALID(*list));
 	
@@ -135,19 +128,15 @@ dns_peerlist_delete(dns_peerlist_t **list)
 	return (ISC_R_SUCCESS);
 }
 
-
 void
-dns_peerlist_addpeer(dns_peerlist_t *peers, dns_peer_t *peer)
-{
+dns_peerlist_addpeer(dns_peerlist_t *peers, dns_peer_t *peer) {
 	dns_peer_t *p = NULL;
 
 	dns_peer_attach(peer, &p);
 	
 	ISC_LIST_APPEND(peers->elements, peer, next);
 }
-
 	
-
 isc_result_t
 dns_peerlist_peerbyaddr(dns_peerlist_t *servers,
 			isc_netaddr_t *addr, dns_peer_t **retval)
@@ -180,8 +169,7 @@ dns_peerlist_peerbyaddr(dns_peerlist_t *servers,
 
 
 isc_result_t
-dns_peerlist_currpeer(dns_peerlist_t *peers, dns_peer_t **retval)
-{
+dns_peerlist_currpeer(dns_peerlist_t *peers, dns_peer_t **retval) {
 	dns_peer_t *p = NULL;
 
 	p = ISC_LIST_TAIL(peers->elements);
@@ -190,16 +178,9 @@ dns_peerlist_currpeer(dns_peerlist_t *peers, dns_peer_t **retval)
 
 	return (ISC_R_SUCCESS);
 }
-
 	
-
-
-
-
-
 isc_result_t
-dns_peer_new(isc_mem_t *mem, isc_netaddr_t *addr, dns_peer_t **peerptr)
-{
+dns_peer_new(isc_mem_t *mem, isc_netaddr_t *addr, dns_peer_t **peerptr) {
 	dns_peer_t *peer;
 	
 	REQUIRE(peerptr != NULL);
@@ -230,8 +211,7 @@ dns_peer_new(isc_mem_t *mem, isc_netaddr_t *addr, dns_peer_t **peerptr)
 }
 
 isc_result_t
-dns_peer_attach(dns_peer_t *source, dns_peer_t **target)
-{
+dns_peer_attach(dns_peer_t *source, dns_peer_t **target) {
 	REQUIRE(DNS_PEER_VALID(source));
 	REQUIRE(target != NULL);
 	REQUIRE(*target == NULL);
@@ -245,10 +225,8 @@ dns_peer_attach(dns_peer_t *source, dns_peer_t **target)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_peer_detach(dns_peer_t **peer)
-{
+dns_peer_detach(dns_peer_t **peer) {
 	dns_peer_t *p;
 	
 	REQUIRE(peer != NULL);
@@ -269,10 +247,8 @@ dns_peer_detach(dns_peer_t **peer)
 	return (ISC_R_SUCCESS);
 }
 
-
 static isc_result_t
-dns_peer_delete(dns_peer_t **peer)
-{
+dns_peer_delete(dns_peer_t **peer) {
 	dns_peer_t *p;
 	isc_mem_t *mem;
 	
@@ -299,64 +275,53 @@ dns_peer_delete(dns_peer_t **peer)
 	return (ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_peer_setbogus(dns_peer_t *peer, isc_boolean_t newval)
-{
+dns_peer_setbogus(dns_peer_t *peer, isc_boolean_t newval) {
 	isc_boolean_t existed;
 	
 	REQUIRE(DNS_PEER_VALID(peer));
 	
-	existed = DNS_CHECKBIT(BOGUS_BIT, &peer->bitflags);
+	existed = DNS_BIT_CHECK(BOGUS_BIT, &peer->bitflags);
 	
 	peer->bogus = newval;
-	DNS_SETBIT(BOGUS_BIT, &peer->bitflags);
+	DNS_BIT_SET(BOGUS_BIT, &peer->bitflags);
 	
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_peer_getbogus(dns_peer_t *peer,
-		  isc_boolean_t *retval)
-{
+dns_peer_getbogus(dns_peer_t *peer, isc_boolean_t *retval) {
 	REQUIRE(DNS_PEER_VALID(peer));
 	REQUIRE(retval != NULL);
 	
-	if (DNS_CHECKBIT(BOGUS_BIT, &peer->bitflags)) {
+	if (DNS_BIT_CHECK(BOGUS_BIT, &peer->bitflags)) {
 		*retval = peer->bogus;
 		return (ISC_R_SUCCESS);
-	} else {
+	} else
 		return (ISC_R_NOTFOUND);
-	}
 }
 
 
 isc_result_t
-dns_peer_setprovideixfr(dns_peer_t *peer,
-			isc_boolean_t newval)
-{
+dns_peer_setprovideixfr(dns_peer_t *peer, isc_boolean_t newval) {
 	isc_boolean_t existed;
 	
 	REQUIRE(DNS_PEER_VALID(peer));
 	
-	existed = DNS_CHECKBIT(PROVIDE_IXFR_BIT, &peer->bitflags);
+	existed = DNS_BIT_CHECK(PROVIDE_IXFR_BIT, &peer->bitflags);
 	
 	peer->provide_ixfr = newval;
-	DNS_SETBIT(PROVIDE_IXFR_BIT, &peer->bitflags);
+	DNS_BIT_SET(PROVIDE_IXFR_BIT, &peer->bitflags);
 	
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_peer_getprovideixfr(dns_peer_t *peer,
-			isc_boolean_t *retval)
-{
+dns_peer_getprovideixfr(dns_peer_t *peer, isc_boolean_t *retval) {
 	REQUIRE(DNS_PEER_VALID(peer));
 	REQUIRE(retval != NULL);
 	
-	if (DNS_CHECKBIT(PROVIDE_IXFR_BIT, &peer->bitflags)) {
+	if (DNS_BIT_CHECK(PROVIDE_IXFR_BIT, &peer->bitflags)) {
 		*retval = peer->provide_ixfr;
 		return (ISC_R_SUCCESS);
 	} else {
@@ -364,65 +329,52 @@ dns_peer_getprovideixfr(dns_peer_t *peer,
 	}
 }
 
-
 isc_result_t
-dns_peer_setrequestixfr(dns_peer_t *peer,
-			isc_boolean_t newval)
-{
+dns_peer_setrequestixfr(dns_peer_t *peer, isc_boolean_t newval) {
 	isc_boolean_t existed;
 	
 	REQUIRE(DNS_PEER_VALID(peer));
 	
-	existed = DNS_CHECKBIT(REQUEST_IXFR_BIT, &peer->bitflags);
+	existed = DNS_BIT_CHECK(REQUEST_IXFR_BIT, &peer->bitflags);
 	
 	peer->request_ixfr = newval;
-	DNS_SETBIT(REQUEST_IXFR_BIT, &peer->bitflags);
+	DNS_BIT_SET(REQUEST_IXFR_BIT, &peer->bitflags);
 	
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_peer_getrequestixfr(dns_peer_t *peer,
-			isc_boolean_t *retval)
-{
+dns_peer_getrequestixfr(dns_peer_t *peer, isc_boolean_t *retval) {
 	REQUIRE(DNS_PEER_VALID(peer));
 	REQUIRE(retval != NULL);
 	
-	if (DNS_CHECKBIT(REQUEST_IXFR_BIT, &peer->bitflags)) {
+	if (DNS_BIT_CHECK(REQUEST_IXFR_BIT, &peer->bitflags)) {
 		*retval = peer->request_ixfr;
 		return (ISC_R_SUCCESS);
-	} else {
+	} else
 		return (ISC_R_NOTFOUND);
-	}
 }
 
-
 isc_result_t
-dns_peer_settransfers(dns_peer_t *peer,
-		      isc_int32_t newval)
-{
+dns_peer_settransfers(dns_peer_t *peer, isc_int32_t newval) {
 	isc_boolean_t existed;
 	
 	REQUIRE(DNS_PEER_VALID(peer));
 	
-	existed = DNS_CHECKBIT(TRANSFERS_BIT, &peer->bitflags);
+	existed = DNS_BIT_CHECK(TRANSFERS_BIT, &peer->bitflags);
 	
 	peer->transfers = newval;
-	DNS_SETBIT(TRANSFERS_BIT, &peer->bitflags);
+	DNS_BIT_SET(TRANSFERS_BIT, &peer->bitflags);
 	
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_peer_gettransfers(dns_peer_t *peer,
-		      isc_int32_t *retval)
-{
+dns_peer_gettransfers(dns_peer_t *peer, isc_int32_t *retval) {
 	REQUIRE(DNS_PEER_VALID(peer));
 	REQUIRE(retval != NULL);
 	
-	if (DNS_CHECKBIT(TRANSFERS_BIT, &peer->bitflags)) {
+	if (DNS_BIT_CHECK(TRANSFERS_BIT, &peer->bitflags)) {
 		*retval = peer->transfers;
 		return (ISC_R_SUCCESS);
 	} else {
@@ -430,33 +382,27 @@ dns_peer_gettransfers(dns_peer_t *peer,
 	}
 }
 
-
 isc_result_t
-dns_peer_settransferformat(dns_peer_t *peer,
-			   dns_transfer_format_t newval)
-{
+dns_peer_settransferformat(dns_peer_t *peer, dns_transfer_format_t newval) {
 	isc_boolean_t existed;
 	
 	REQUIRE(DNS_PEER_VALID(peer));
 	
-	existed = DNS_CHECKBIT(SERVER_TRANSFER_FORMAT_BIT,
+	existed = DNS_BIT_CHECK(SERVER_TRANSFER_FORMAT_BIT,
 				 &peer->bitflags);
 	
 	peer->transfer_format = newval;
-	DNS_SETBIT(SERVER_TRANSFER_FORMAT_BIT, &peer->bitflags);
+	DNS_BIT_SET(SERVER_TRANSFER_FORMAT_BIT, &peer->bitflags);
 	
 	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
 }
 
-
 isc_result_t
-dns_peer_gettransferformat(dns_peer_t *peer,
-			   dns_transfer_format_t *retval)
-{
+dns_peer_gettransferformat(dns_peer_t *peer, dns_transfer_format_t *retval) {
 	REQUIRE(DNS_PEER_VALID(peer));
 	REQUIRE(retval != NULL);
 	
-	if (DNS_CHECKBIT(SERVER_TRANSFER_FORMAT_BIT, &peer->bitflags)) {
+	if (DNS_BIT_CHECK(SERVER_TRANSFER_FORMAT_BIT, &peer->bitflags)) {
 		*retval = peer->transfer_format;
 		return (ISC_R_SUCCESS);
 	} else {
@@ -464,10 +410,8 @@ dns_peer_gettransferformat(dns_peer_t *peer,
 	}
 }
 
-
 isc_result_t
-dns_peer_getkey(dns_peer_t *peer, dns_name_t **retval)
-{
+dns_peer_getkey(dns_peer_t *peer, dns_name_t **retval) {
 	REQUIRE(DNS_PEER_VALID(peer));
 	REQUIRE(retval != NULL);
 
@@ -478,12 +422,8 @@ dns_peer_getkey(dns_peer_t *peer, dns_name_t **retval)
 	return (peer->key == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
 }
 
-
-
-
 isc_result_t
-dns_peer_setkey(dns_peer_t *peer, dns_name_t **keyval)
-{
+dns_peer_setkey(dns_peer_t *peer, dns_name_t **keyval) {
 	isc_boolean_t exists = ISC_FALSE;
 
 	if (peer->key != NULL) {
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
index e34b3897..9d9dd898 100644
--- a/lib/dns/rbt.c
+++ b/lib/dns/rbt.c
@@ -15,32 +15,30 @@
  * SOFTWARE.
  */
 
-/* $Id: rbt.c,v 1.70 2000/02/03 23:43:53 halley Exp $ */
+/* $Id: rbt.c,v 1.81 2000/05/19 05:58:48 tale Exp $ */
 
 /* Principal Authors: DCL */
 
 #include <config.h>
 
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isc/boolean.h>
-#include <isc/error.h>
 #include <isc/mem.h>
-#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <dns/rbt.h>
 #include <dns/result.h>
 #include <dns/fixedname.h>
 
 #define RBT_MAGIC		0x5242542BU /* RBT+. */
-#define VALID_RBT(rbt)		((rbt) != NULL && (rbt)->magic == RBT_MAGIC)
+#define VALID_RBT(rbt)		ISC_MAGIC_VALID(rbt, RBT_MAGIC)
 
+/*
+ * XXXDCL Since parent pointers were added in again, I could remove all of the
+ * chain junk, and replace with dns_rbt_firstnode, _previousnode, _nextnode,
+ * _lastnode.  This would involve pretty major change to the API.
+ */
 #define CHAIN_MAGIC		0x302d302dU /* 0-0-. */
-#define VALID_CHAIN(chain)	((chain) != NULL && \
-				 (chain)->magic == CHAIN_MAGIC)
+#define VALID_CHAIN(chain)	ISC_MAGIC_VALID(chain, CHAIN_MAGIC)
 
 struct dns_rbt {
 	unsigned int		magic;
@@ -56,6 +54,8 @@ struct dns_rbt {
 /*
  * Elements of the rbtnode structure.
  */
+#define IS_ROOT(node)		((node)->is_root)
+#define PARENT(node)		((node)->parent)
 #define LEFT(node)	 	((node)->left)
 #define RIGHT(node)		((node)->right)
 #define DOWN(node)		((node)->down)
@@ -73,7 +73,7 @@ struct dns_rbt {
  */
 #define DIRTY(node)	((node)->dirty)
 #define WILD(node)	((node)->wild)
-#define LOCK(node)	((node)->locknum)
+#define LOCKNUM(node)	((node)->locknum)
 #define REFS(node)	((node)->references)
 
 /*
@@ -99,9 +99,9 @@ struct dns_rbt {
 #define ADD_ANCESTOR(chain, node) \
 do { \
 	if ((chain)->ancestor_count == (chain)->ancestor_maxitems &&	\
-	    get_ancestor_mem(chain) != DNS_R_SUCCESS) {		\
+	    get_ancestor_mem(chain) != ISC_R_SUCCESS) {		\
 		dns_rbtnodechain_invalidate(chain);		\
-		return (DNS_R_NOMEMORY);			\
+		return (ISC_R_NOMEMORY);			\
 	}							\
 	(chain)->ancestors[(chain)->ancestor_count++] = (node);	\
 } while (0)
@@ -159,34 +159,31 @@ static void dns_rbt_printnodename(dns_rbtnode_t *node);
 /*
  * Forward declarations.
  */
-static isc_result_t create_node(isc_mem_t *mctx,
-				dns_name_t *name, dns_rbtnode_t **nodep);
-
-static isc_result_t join_nodes(dns_rbt_t *rbt,
-			       dns_rbtnode_t *node, dns_rbtnode_t *parent,
-			       dns_rbtnode_t **rootp);
-
-static inline isc_result_t get_ancestor_mem(dns_rbtnodechain_t *chain);
-static inline void put_ancestor_mem(dns_rbtnodechain_t *chain);
-
-static inline void rotate_left(dns_rbtnode_t *node, dns_rbtnode_t *parent,
-			       dns_rbtnode_t **rootp);
-static inline void rotate_right(dns_rbtnode_t *node, dns_rbtnode_t *parent,
-				dns_rbtnode_t **rootp);
-
-static void dns_rbt_addonlevel(dns_rbtnode_t *node,
-				       dns_rbtnode_t *current, int order,
-				       dns_rbtnode_t **rootp,
-				       dns_rbtnodechain_t *chain);
-static void dns_rbt_deletefromlevel(dns_rbt_t *rbt,
-				    dns_rbtnode_t *delete,
-				    dns_rbtnodechain_t *chain);
-static void dns_rbt_deletetree(dns_rbt_t *rbt, dns_rbtnode_t *node);
-
-static isc_result_t zapnode_and_fixlevels(dns_rbt_t *rbt,
-					  dns_rbtnode_t *node,
-					  isc_boolean_t recurse,
-					  dns_rbtnodechain_t *chain);
+static isc_result_t
+create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep);
+static isc_result_t
+join_nodes(dns_rbt_t *rbt, dns_rbtnode_t *node);
+
+static inline isc_result_t
+get_ancestor_mem(dns_rbtnodechain_t *chain);
+static inline void
+put_ancestor_mem(dns_rbtnodechain_t *chain);
+
+static inline void
+rotate_left(dns_rbtnode_t *node, dns_rbtnode_t **rootp);
+static inline void
+rotate_right(dns_rbtnode_t *node, dns_rbtnode_t **rootp);
+
+static void
+dns_rbt_addonlevel(dns_rbtnode_t *node, dns_rbtnode_t *current, int order,
+		   dns_rbtnode_t **rootp, dns_rbtnodechain_t *chain);
+
+static void
+dns_rbt_deletefromlevel(dns_rbt_t *rbt, dns_rbtnode_t *delete,
+			dns_rbtnode_t **rootp);
+
+static void
+dns_rbt_deletetree(dns_rbt_t *rbt, dns_rbtnode_t *node);
 
 /*
  * Initialize a red/black tree of trees.
@@ -203,7 +200,7 @@ dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *),
 
 	rbt = (dns_rbt_t *)isc_mem_get(mctx, sizeof(*rbt));
 	if (rbt == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
 	rbt->mctx = mctx;
 	rbt->data_deleter = deleter;
@@ -213,7 +210,7 @@ dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *),
 
 	*rbtp = rbt;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 /*
@@ -241,7 +238,6 @@ dns_rbt_destroy(dns_rbt_t **rbtp) {
  * and chain_name, appear early in this file so they can be effectively
  * inlined by the other rbt functions that use them.
  */
-
 static inline isc_result_t
 get_ancestor_mem(dns_rbtnodechain_t *chain) {
 	dns_rbtnode_t **ancestor_mem;
@@ -256,7 +252,7 @@ get_ancestor_mem(dns_rbtnodechain_t *chain) {
 		ancestor_mem = isc_mem_get(chain->mctx, newsize);
 
 		if (ancestor_mem == NULL)
-			return (DNS_R_NOMEMORY);
+			return (ISC_R_NOMEMORY);
 
 		memcpy(ancestor_mem, chain->ancestors, oldsize);
 
@@ -268,7 +264,7 @@ get_ancestor_mem(dns_rbtnodechain_t *chain) {
 
 	chain->ancestor_maxitems += DNS_RBT_ANCESTORBLOCK;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 /*
@@ -299,18 +295,18 @@ chain_name(dns_rbtnodechain_t *chain, dns_name_t *name,
 	 * XXX DCL Is this too devilish, initializing name like this?
 	 */
 	result = dns_name_concatenate(NULL, NULL, name, NULL);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return result;
 
 	for (i = 0; i < chain->level_count; i++) {
 		NODENAME(chain->levels[i], &nodename);
 		result = dns_name_concatenate(&nodename, name, name, NULL);
 
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			break;
 	}
 
-	if (result == DNS_R_SUCCESS &&
+	if (result == ISC_R_SUCCESS &&
 	    include_chain_end && chain->end != NULL) {
 		NODENAME(chain->end, &nodename);
 		result = dns_name_concatenate(&nodename, name, name, NULL);
@@ -341,7 +337,7 @@ move_chain_to_last(dns_rbtnodechain_t *chain, dns_rbtnode_t *node) {
 
 	chain->end = node;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 /*
@@ -358,7 +354,7 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 	dns_fixedname_t fixedcopy, fixedprefix, fixedsuffix;
 	dns_offsets_t current_offsets;
 	dns_namereln_t compared;
-	isc_result_t result = DNS_R_SUCCESS;
+	isc_result_t result = ISC_R_SUCCESS;
 	dns_rbtnodechain_t chain;
 	unsigned int common_labels, common_bits, add_bits;
 	int order;
@@ -378,7 +374,8 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 
 	if (rbt->root == NULL) {
 		result = create_node(rbt->mctx, add_name, &new_current);
-		if (result == DNS_R_SUCCESS) {
+		if (result == ISC_R_SUCCESS) {
+			IS_ROOT(new_current) = ISC_TRUE;
 			rbt->root = new_current;
 			*nodep = new_current;
 		}
@@ -394,6 +391,7 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 	suffix = dns_fixedname_name(&fixedsuffix);
 
 	root = &rbt->root;
+	INSIST(IS_ROOT(*root));
 	parent = NULL;
 	current = NULL;
 	child = *root;
@@ -401,6 +399,12 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 	do {
 		current = child;
 
+		INSIST((IS_ROOT(current) && 
+			chain.ancestors[chain.ancestor_count - 1] == NULL) ||
+		       (! IS_ROOT(current) &&
+			chain.ancestors[chain.ancestor_count - 1] ==
+			PARENT(current)));
+
 		NODENAME(current, &current_name);
 		compared = dns_name_fullcompare(add_name, &current_name,
 						&order,
@@ -408,7 +412,7 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 
 		if (compared == dns_namereln_equal) {
 			*nodep = current;
-			result = DNS_R_EXISTS;
+			result = ISC_R_EXISTS;
 			break;
 
 		}
@@ -441,7 +445,7 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 
 			if (compared == dns_namereln_subdomain) {
 				/*
-				 * All of the exising labels are in common,
+				 * All of the existing labels are in common,
 				 * so the new name is in a subtree.
 				 * Whack off the common labels for the 
 				 * not-in-common part to be searched for
@@ -452,13 +456,18 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 							common_bits,
 							add_name, NULL);
 
-				if (result != DNS_R_SUCCESS)
+				if (result != ISC_R_SUCCESS)
 					break;
 				
 				/*
 				 * Follow the down pointer (possibly NULL).
 				 */
 				root = &DOWN(current);
+
+				INSIST(*root == NULL ||
+				       (IS_ROOT(*root) &&
+					PARENT(*root) == current));
+
 				parent = NULL;
 				child = DOWN(current);
 				ADD_ANCESTOR(&chain, NULL);
@@ -486,7 +495,7 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 				if (chain.level_count ==
 				    (sizeof(chain.levels) / 
 				     sizeof(*chain.levels))) {
-					result = DNS_R_NOSPACE;
+					result = ISC_R_NOSPACE;
 					break;
 				}
 
@@ -501,20 +510,22 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 							common_bits,
 							prefix, suffix);
 
-				if (result == DNS_R_SUCCESS)
+				if (result == ISC_R_SUCCESS)
 					result = create_node(rbt->mctx, suffix,
 							     &new_current);
 
-				if (result != DNS_R_SUCCESS)
+				if (result != ISC_R_SUCCESS)
 					break;
 
 				/* 
 				 * Reproduce the tree attributes of the
 				 * current node.
 				 */
-				LEFT(new_current) = LEFT(current);
-				RIGHT(new_current) = RIGHT(current);
-				COLOR(new_current) = COLOR(current);
+				IS_ROOT(new_current) = IS_ROOT(current);
+				PARENT(new_current)  = PARENT(current);
+				LEFT(new_current)    = LEFT(current);
+				RIGHT(new_current)   = RIGHT(current);
+				COLOR(new_current)   = COLOR(current);
 
 				/*
 				 * Fix pointers that were to the current node.
@@ -525,6 +536,12 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 					else
 						RIGHT(parent) = new_current;
 				}
+				if (LEFT(new_current) != NULL)
+					PARENT(LEFT(new_current)) =
+						new_current;
+				if (RIGHT(new_current) != NULL)
+					PARENT(RIGHT(new_current)) =
+						new_current;
 				if (*root == current)
 					*root = new_current;
 
@@ -594,8 +611,11 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 				 * By definition it will not be the top
 				 * level tree, so clear DNS_NAMEATTR_ABSOLUTE.
 				 */
+				IS_ROOT(current) = ISC_TRUE;
+				PARENT(current) = new_current;
 				DOWN(new_current) = current;
 				root = &DOWN(new_current);
+
 				ADD_ANCESTOR(&chain, NULL);
 				ADD_LEVEL(&chain, new_current);
 
@@ -615,7 +635,7 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 					 */
 					*nodep = new_current;
 					put_ancestor_mem(&chain);
-					return (DNS_R_SUCCESS);
+					return (ISC_R_SUCCESS);
 
 				} else {
 					/*
@@ -632,7 +652,7 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 					/* The not-in-common parts of the new
 					 * name will be inserted into the new
 					 * level following this loop (unless
-					 * result != DNS_R_SUCCESS, which
+					 * result != ISC_R_SUCCESS, which
 					 * is tested after the loop ends).
 					 */
 					result = dns_name_split(add_name, 
@@ -651,10 +671,10 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 
 	} while (child != NULL);
 
-	if (result == DNS_R_SUCCESS)
+	if (result == ISC_R_SUCCESS)
 		result = create_node(rbt->mctx, add_name, &new_current);
 
-	if (result == DNS_R_SUCCESS) {
+	if (result == ISC_R_SUCCESS) {
 		dns_rbt_addonlevel(new_current, current, order, root, &chain);
 		*nodep = new_current;
 	}
@@ -685,10 +705,10 @@ dns_rbt_addname(dns_rbt_t *rbt, dns_name_t *name, void *data) {
 	 * dns_rbt_*name functions all behave depending on whether
 	 * there is data associated with a node.
 	 */
-	if (result == DNS_R_SUCCESS ||
-	    (result == DNS_R_EXISTS && DATA(node) == NULL)) {
+	if (result == ISC_R_SUCCESS ||
+	    (result == ISC_R_EXISTS && DATA(node) == NULL)) {
 		DATA(node) = data;
-		result = DNS_R_SUCCESS;
+		result = ISC_R_SUCCESS;
 	}
 
 	return (result);
@@ -700,7 +720,7 @@ dns_rbt_addname(dns_rbt_t *rbt, dns_name_t *name, void *data) {
 isc_result_t
 dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 		 dns_rbtnode_t **node, dns_rbtnodechain_t *chain,
-		 isc_boolean_t empty_data_ok, dns_rbtfindcallback_t callback,
+		 unsigned int options, dns_rbtfindcallback_t callback,
 		 void *callback_arg)
 {
 	dns_rbtnode_t *current;
@@ -715,6 +735,8 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 	REQUIRE(VALID_RBT(rbt));
 	REQUIRE(FAST_ISABSOLUTE(name));
 	REQUIRE(node != NULL && *node == NULL);
+	REQUIRE((options & (DNS_RBTFIND_NOEXACT | DNS_RBTFIND_NOPREDECESSOR))
+		!=         (DNS_RBTFIND_NOEXACT | DNS_RBTFIND_NOPREDECESSOR));
 
 	/* 
 	 * If there is a chain it needs to appear to be in a sane state,
@@ -722,13 +744,14 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 	 * callback_name.
 	 */
 	if (chain == NULL) {
+		options |= DNS_RBTFIND_NOPREDECESSOR;
 		chain = &localchain;
 		dns_rbtnodechain_init(chain, rbt->mctx);
 	} else
 		dns_rbtnodechain_reset(chain);
 
 	if (rbt->root == NULL)
-		return (DNS_R_NOTFOUND);
+		return (ISC_R_NOTFOUND);
 
 	dns_fixedname_init(&fixedcallbackname);
 	callback_name = dns_fixedname_name(&fixedcallbackname);
@@ -748,7 +771,7 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 
 	ADD_ANCESTOR(chain, NULL);
 
-	saved_result = DNS_R_SUCCESS;
+	saved_result = ISC_R_SUCCESS;
 	current = rbt->root;
 	while (current != NULL) {
 		NODENAME(current, &current_name);
@@ -787,7 +810,7 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 							common_labels,
 							common_bits,
 							search_name, NULL);
-				if (result != DNS_R_SUCCESS) {
+				if (result != ISC_R_SUCCESS) {
 					dns_rbtnodechain_reset(chain);
 					return (result);
 				}
@@ -795,7 +818,8 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 				/*
 				 * This might be the closest enclosing name.
 				 */
-				if (empty_data_ok || DATA(current) != NULL)
+				if (DATA(current) != NULL ||
+				    (options & DNS_RBTFIND_EMPTYDATA) != 0)
 					*node = current;
 
 				/*
@@ -824,7 +848,7 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 					result = chain_name(chain,
 							    callback_name,
 							    ISC_FALSE);
-					if (result != DNS_R_SUCCESS) {
+					if (result != ISC_R_SUCCESS) {
 						dns_rbtnodechain_reset(chain);
 						return (result);
 					}
@@ -867,7 +891,7 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 		}
 	}
 
-	if (current != NULL) {
+	if (current != NULL && (options & DNS_RBTFIND_NOEXACT) == 0) {
 		/*
 		 * Found an exact match.
 		 */
@@ -877,17 +901,16 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 		if (foundname != NULL)
 			result = chain_name(chain, foundname, ISC_TRUE);
 		else
-			result = DNS_R_SUCCESS;
+			result = ISC_R_SUCCESS;
 
-		if (result == DNS_R_SUCCESS) {
+		if (result == ISC_R_SUCCESS) {
 			*node = current;
 			result = saved_result;
 		} else
 			*node = NULL;
-
 	} else {
 		/*
-		 * Did not find an exact match.
+		 * Did not find an exact match (or did not want one).
 		 */
 		if (*node != NULL) {
 			/*
@@ -917,15 +940,34 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 
 				chain->level_count = saved_count;
 			} else
-				result = DNS_R_SUCCESS;
+				result = ISC_R_SUCCESS;
 
-			if (result == DNS_R_SUCCESS)
+			if (result == ISC_R_SUCCESS)
 				result = DNS_R_PARTIALMATCH;
 
 		} else
-			result = DNS_R_NOTFOUND;
+			result = ISC_R_NOTFOUND;
+
+		if (current != NULL) {
+			/*
+			 * There was an exact match but DNS_RBTFIND_NOEXACT
+			 * was set.  A policy decision was made to set the
+			 * chain to the exact match, but this is subject
+			 * to change if it becomes apparent that something
+			 * else would be more useful.  It is important that
+			 * this case is handled here, because the predecessor
+			 * setting code below assumes the match was not exact.
+			 */
+			INSIST((options & DNS_RBTFIND_NOEXACT) != 0);
+			chain->end = current;
+
+		} else if ((options & DNS_RBTFIND_NOPREDECESSOR) != 0) {
+			/*
+			 * Ensure the chain points nowhere.
+			 */
+			chain->end = NULL;
 
-		if (chain != &localchain) {
+		} else {
 			/*
 			 * Since there was no exact match, the chain argument
 			 * needs to be pointed at the DNSSEC predecessor of
@@ -953,6 +995,7 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 				       chain->level_count);
 				chain->end =
 					chain->levels[--chain->level_count];
+
 			} else {
 				isc_result_t result2;
 
@@ -991,7 +1034,7 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 						      move_chain_to_last(chain,
 								DOWN(current));
 
-						if (result2 != DNS_R_SUCCESS)
+						if (result2 != ISC_R_SUCCESS)
 							result = result2;
 					} else
 						/*
@@ -1009,10 +1052,10 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 					result2 = dns_rbtnodechain_prev(chain,
 									NULL,
 									NULL);
-					if (result2 == DNS_R_SUCCESS ||
+					if (result2 == ISC_R_SUCCESS ||
 					    result2 == DNS_R_NEWORIGIN)
-						; 	/* Nothing */
-					else if (result2 == DNS_R_NOMORE)
+						; 	/* Nothing. */
+					else if (result2 == ISC_R_NOMORE)
 						/*
 						 * There is no predecessor.
 						 */
@@ -1035,7 +1078,7 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
  * Get the data pointer associated with 'name'.
  */
 isc_result_t
-dns_rbt_findname(dns_rbt_t *rbt, dns_name_t *name,
+dns_rbt_findname(dns_rbt_t *rbt, dns_name_t *name, unsigned int options,
 		 dns_name_t *foundname, void **data) {
 	dns_rbtnode_t *node = NULL;
 	isc_result_t result;
@@ -1043,12 +1086,12 @@ dns_rbt_findname(dns_rbt_t *rbt, dns_name_t *name,
 	REQUIRE(data != NULL && *data == NULL);
 
 	result = dns_rbt_findnode(rbt, name, foundname, &node, NULL,
-				  ISC_FALSE, NULL, NULL);
+				  options, NULL, NULL);
 
 	if (node != NULL && DATA(node) != NULL)
 		*data = DATA(node);
 	else
-		result = DNS_R_NOTFOUND;
+		result = ISC_R_NOTFOUND;
 		
 	return (result);
 }
@@ -1060,13 +1103,12 @@ isc_result_t
 dns_rbt_deletename(dns_rbt_t *rbt, dns_name_t *name, isc_boolean_t recurse) {
 	dns_rbtnode_t *node = NULL;
 	isc_result_t result;
-	dns_rbtnodechain_t chain;
 
 	REQUIRE(VALID_RBT(rbt));
 	REQUIRE(FAST_ISABSOLUTE(name));
 
 	/*
-	 * Find the node, building the ancestor chain.
+	 * First, find the node.
 	 *
 	 * When searching, the name might not have an exact match:
 	 * consider a.b.a.com, b.b.a.com and c.b.a.com as the only
@@ -1079,54 +1121,45 @@ dns_rbt_deletename(dns_rbt_t *rbt, dns_name_t *name, isc_boolean_t recurse) {
 	 * ->dirty, ->locknum and ->references are ignored; they are
 	 * solely the province of rbtdb.c.
 	 */
-	dns_rbtnodechain_init(&chain, rbt->mctx);
-	result = dns_rbt_findnode(rbt, name, NULL, &node, &chain, ISC_FALSE,
-				  NULL, NULL);
+	result = dns_rbt_findnode(rbt, name, NULL, &node, NULL,
+				  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
 
-	/*
-	 * The guts of this routine are in a separate function (which
-	 * is called only once, by this function) to make freeing the
-	 * ancestor memory easier, since there are several different
-	 * exit points from the level checking logic.
-	 */
-	if (result == DNS_R_SUCCESS) {
+	if (result == ISC_R_SUCCESS)
 		if (DATA(node) != NULL)
-			result = zapnode_and_fixlevels(rbt, node,
-						       recurse, &chain);
+			result = dns_rbt_deletenode(rbt, node, recurse);
 		else
-			result = DNS_R_NOTFOUND;
-
-	} else if (result == DNS_R_PARTIALMATCH)
-		result = DNS_R_NOTFOUND;
+			result = ISC_R_NOTFOUND;
 
-	put_ancestor_mem(&chain);
+	else if (result == DNS_R_PARTIALMATCH)
+		result = ISC_R_NOTFOUND;
 
 	return (result);
 }
 
 /*
- *
+ * Remove a node from the tree of trees and rejoin any levels, if possible.
  */
-static isc_result_t
-zapnode_and_fixlevels(dns_rbt_t *rbt, dns_rbtnode_t *node,
-		      isc_boolean_t recurse, dns_rbtnodechain_t *chain) {
-	dns_rbtnode_t *down, *parent, **rootp;
+isc_result_t
+dns_rbt_deletenode(dns_rbt_t *rbt, dns_rbtnode_t *node, isc_boolean_t recurse)
+{
+	dns_rbtnode_t *parent, *root;
 	isc_result_t result;
 
-	down = DOWN(node);
+	REQUIRE(VALID_RBT(rbt));
+	REQUIRE(node != NULL);
 
-	if (down != NULL) {
-		if (recurse) {
-			dns_rbt_deletetree(rbt, down);
-			down = NULL;
+	if (DOWN(node) != NULL) {
+		if (recurse)
+			dns_rbt_deletetree(rbt, DOWN(node));
 
-		} else {
+		else {
 			if (rbt->data_deleter != NULL)
 				rbt->data_deleter(DATA(node),
 						  rbt->deleter_arg);
 			DATA(node) = NULL;
 
-			if (LEFT(down) != NULL || RIGHT(down) != NULL)
+			if (LEFT(DOWN(node)) != NULL ||
+			    RIGHT(DOWN(node)) != NULL)
 				/*
 				 * This node cannot be removed because it
 				 * points down to a level that has more than
@@ -1134,75 +1167,54 @@ zapnode_and_fixlevels(dns_rbt_t *rbt, dns_rbtnode_t *node,
 				 * as the root for that level.  All that
 				 * could be done was to blast its data.
 				 */
-				return (DNS_R_SUCCESS);
+				return (ISC_R_SUCCESS);
 
 			/*
 			 * There is a down pointer to a level with a single
 			 * item.  That item's name can be joined with the name
 			 * on this level.
 			 */
-			INSIST(chain->ancestor_count > 0);
-			rootp = chain->level_count > 0 ?
-				&DOWN(chain->levels[chain->level_count - 1]) :
-				&rbt->root;
-			parent = chain->ancestors[chain->ancestor_count - 1];
-
-			result = join_nodes(rbt, node, parent, rootp);
+			result = join_nodes(rbt, node);
 
 			return (result);
 		}
 	}
 
+	/* 
+	 * Note the node that points to the level of the node that is being
+	 * deleted.  If the deleted node is the top level, parent will be set
+	 * to NULL.
+	 */
+	for (root = node; ! IS_ROOT(root); root = PARENT(root))
+		; /* Nothing. */
+
+	parent = PARENT(root);
+
 	/*
 	 * This node now has no down pointer (either because it didn't
 	 * have one to start, or because it was recursively removed).
 	 * So now the node needs to be removed from this level.
 	 */
-	dns_rbt_deletefromlevel(rbt, node, chain);
+	dns_rbt_deletefromlevel(rbt, node,
+				parent == NULL ? &rbt->root : &DOWN(parent));
 
 	if (rbt->data_deleter != NULL)
 		rbt->data_deleter(DATA(node), rbt->deleter_arg);
 	isc_mem_put(rbt->mctx, node, NODE_SIZE(node));
 
 	/*
-	 * Everything is successful, unless the next block fails.
-	 */
-	result = DNS_R_SUCCESS;
-
-	/*
 	 * If there is one node left on this level, and the node one level up
 	 * that points down to here has no data, then those two nodes can be
 	 * merged.  The focus for exploring this criteria is shifted up one
-	 * level.
-	 */
-	node = chain->level_count > 0 ?
-		chain->levels[chain->level_count - 1] : NULL;
+	 * level, to the node that points to the level of the deleted node.
+  	 */
+	node = parent;
 
 	if (node != NULL && DATA(node) == NULL &&
-	    LEFT(DOWN(node)) == NULL && RIGHT(DOWN(node)) == NULL) {
-		rootp = chain->level_count > 1 ?
-			&DOWN(chain->levels[chain->level_count - 2]) :
-			&rbt->root;
-		/*
-		 * The search to find the original node went through the
-		 * node that is now being examined.  It might have been
-		 *
-		 * current_node -down-to-> deleted_node      ... or ...
-		 *
-		 * current_node -down-to-> remaining_node -left/right-to->
-		 *						deleted_node
-		 *
-		 * In the first case, ancestor_count - 1 is NULL and - 2
-		 * is the parent of current_node (possibly also NULL).
-		 * In the second case, ancestor_count - 1 is remaining_node,
-		 * - 2, is NULL and - 3 is the parent of current_node.
-		 */
-		parent = chain->ancestors[chain->ancestor_count - 1] == NULL ?
-			 chain->ancestors[chain->ancestor_count - 2] :
-			 chain->ancestors[chain->ancestor_count - 3];
-
-		result = join_nodes(rbt, node, parent, rootp);
-	}
+	    LEFT(DOWN(node)) == NULL && RIGHT(DOWN(node)) == NULL)
+		result = join_nodes(rbt, node);
+	else
+		result = ISC_R_SUCCESS;
 
 	return (result);
 }
@@ -1234,20 +1246,22 @@ create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep) {
 					    region.length + labels);
 					    
 	if (node == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
+	IS_ROOT(node) = ISC_FALSE;
+	PARENT(node) = NULL;
 	RIGHT(node) = NULL;
 	LEFT(node) = NULL;
 	DOWN(node) = NULL;
 	DATA(node) = NULL;
 
-	LOCK(node) = 0;
+	LOCKNUM(node) = 0;
 	REFS(node) = 0;
-	DIRTY(node) = 0;
 	WILD(node) = 0;
+	DIRTY(node) = 0;
+	FINDCALLBACK(node) = 0;
 
 	MAKE_BLACK(node);
-	FINDCALLBACK(node) = 0;
 
 	/*
 	 * The following is stored to make reconstructing a name from the
@@ -1270,13 +1284,11 @@ create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep) {
 
 	*nodep = node;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
-join_nodes(dns_rbt_t *rbt,
-	   dns_rbtnode_t *node, dns_rbtnode_t *parent, dns_rbtnode_t **rootp)
-{
+join_nodes(dns_rbt_t *rbt, dns_rbtnode_t *node) {
 	dns_rbtnode_t *down, *newnode;
 	isc_result_t result;
 	dns_fixedname_t fixed_newname;
@@ -1299,7 +1311,7 @@ join_nodes(dns_rbt_t *rbt,
 	newname = dns_fixedname_name(&fixed_newname);
 
 	result = dns_name_concatenate(&prefix, &suffix, newname, NULL);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 
 	/*
@@ -1325,28 +1337,40 @@ join_nodes(dns_rbt_t *rbt,
 		ATTRS(down) = newname->attributes;
 
 		newnode = down;
-		result = DNS_R_SUCCESS;
+		result = ISC_R_SUCCESS;
 	}
 
-	if (result == DNS_R_SUCCESS) {
-		COLOR(newnode) = COLOR(node);
-		RIGHT(newnode) = RIGHT(node);
-		LEFT(newnode)  = LEFT(node);
+	if (result == ISC_R_SUCCESS) {
+		COLOR(newnode)   = COLOR(node);
+		PARENT(newnode)  = PARENT(node);
+		RIGHT(newnode)   = RIGHT(node);
+		LEFT(newnode)    = LEFT(node);
+		IS_ROOT(newnode) = IS_ROOT(node);
 
-		DOWN(newnode) = DOWN(down);
-		DATA(newnode) = DATA(down);
+		DOWN(newnode)   = DOWN(down);
+		DATA(newnode)   = DATA(down);
 
 		/*
 		 * Fix the pointers to the original node.
 		 */
-		if (parent != NULL) {
-			if (LEFT(parent) == node)
-				LEFT(parent) = newnode;
+		if (IS_ROOT(node))
+			if (PARENT(node) == NULL)
+				rbt->root = newnode;
 			else
-				RIGHT(parent) = newnode;
+				DOWN(PARENT(node)) = newnode;
 
-		} else
-			*rootp = newnode;
+		else
+			if (LEFT(PARENT(node)) == node)
+				LEFT(PARENT(node)) = newnode;
+			else
+				RIGHT(PARENT(node)) = newnode;
+
+		if (LEFT(node) != NULL)
+			PARENT(LEFT(node))  = newnode;
+		if (RIGHT(node) != NULL)
+			PARENT(RIGHT(node)) = newnode;
+		if (DOWN(down) != NULL)
+			PARENT(DOWN(down))  = newnode;
 
 		isc_mem_put(rbt->mctx, node, NODE_SIZE(node));
 
@@ -1358,52 +1382,69 @@ join_nodes(dns_rbt_t *rbt,
 }
 
 static inline void
-rotate_left(dns_rbtnode_t *node, dns_rbtnode_t *parent, dns_rbtnode_t **rootp) {
+rotate_left(dns_rbtnode_t *node, dns_rbtnode_t **rootp) {
 	dns_rbtnode_t *child;
 
 	REQUIRE(node != NULL);
 	REQUIRE(rootp != NULL);
-	REQUIRE(parent == NULL ||
-		RIGHT(parent) == node || LEFT(parent) == node);
 
 	child = RIGHT(node);
-	REQUIRE(child != NULL);
+	INSIST(child != NULL);
 
 	RIGHT(node) = LEFT(child);
+	if (LEFT(child) != NULL)
+		PARENT(LEFT(child)) = node;
 	LEFT(child) = node;
 
-	if (parent != NULL) {
-		if (LEFT(parent) == node)
-			LEFT(parent) = child;
-		else
-			RIGHT(parent) = child;
-	} else
+	if (child != NULL)
+		PARENT(child) = PARENT(node);
+
+	if (IS_ROOT(node)) {
 		*rootp = child;
+		IS_ROOT(child) = ISC_TRUE;
+		IS_ROOT(node) = ISC_FALSE;
+
+	} else {
+		if (LEFT(PARENT(node)) == node)
+			LEFT(PARENT(node)) = child;
+		else
+			RIGHT(PARENT(node)) = child;
+	}
+
+	PARENT(node) = child;
 }
 
 static inline void
-rotate_right(dns_rbtnode_t *node, dns_rbtnode_t *parent, dns_rbtnode_t **rootp)
-{
+rotate_right(dns_rbtnode_t *node, dns_rbtnode_t **rootp) {
 	dns_rbtnode_t *child;
 
 	REQUIRE(node != NULL);
 	REQUIRE(rootp != NULL);
-	REQUIRE(parent == NULL ||
-		RIGHT(parent) == node || LEFT(parent) == node);
 
 	child = LEFT(node);
-	REQUIRE(child != NULL);
+	INSIST(child != NULL);
 
-	LEFT(node)   = RIGHT(child);
+	LEFT(node) = RIGHT(child);
+	if (RIGHT(child) != NULL)
+		PARENT(RIGHT(child)) = node;
 	RIGHT(child) = node;
 
-	if (parent != NULL) {
-		if (LEFT(parent) == node)
-			LEFT(parent) = child;
-		else
-			RIGHT(parent) = child;
-	} else
+	if (child != NULL)
+		PARENT(child) = PARENT(node);
+
+	if (IS_ROOT(node)) {
 		*rootp = child;
+		IS_ROOT(child) = ISC_TRUE;
+		IS_ROOT(node) = ISC_FALSE;
+
+	} else {
+		if (LEFT(PARENT(node)) == node)
+			LEFT(PARENT(node)) = child;
+		else
+			RIGHT(PARENT(node)) = child;
+	}
+
+	PARENT(node) = child;
 }
 
 /*
@@ -1421,12 +1462,17 @@ dns_rbt_addonlevel(dns_rbtnode_t *node,
 	unsigned int depth;
 
 	REQUIRE(rootp != NULL);
-	REQUIRE(node != NULL    && LEFT(node) == NULL && RIGHT(node) == NULL);
-	REQUIRE(current != NULL && LEFT(node) == NULL && RIGHT(node) == NULL);
+	REQUIRE(node != NULL && LEFT(node) == NULL && RIGHT(node) == NULL);
+	REQUIRE(current != NULL);
 
 	root = *rootp;
 	if (root == NULL) {
+		/*
+		 * First node of a level.
+		 */
 		MAKE_BLACK(node);
+		IS_ROOT(node) = ISC_TRUE;
+		PARENT(node) = current;
 		*rootp = node;
 		return;
 	}
@@ -1439,10 +1485,17 @@ dns_rbt_addonlevel(dns_rbtnode_t *node,
 	dns_name_init(&current_name, current_offsets);
 	NODENAME(current, &current_name);
 
-	if (order < 0)
+	if (order < 0) {
+		INSIST(LEFT(current) == NULL);
 		LEFT(current) = node;
-	else
+	} else {
+		INSIST(RIGHT(current) == NULL);
 		RIGHT(current) = node;
+	}
+
+	INSIST(PARENT(node) == NULL);
+	PARENT(node) = current;
+
 	MAKE_RED(node);
 
 	depth = chain->ancestor_count - 1;
@@ -1463,8 +1516,7 @@ dns_rbt_addonlevel(dns_rbtnode_t *node,
 				depth -= 2;
 			} else {
 				if (node == RIGHT(parent)) {
-					rotate_left(parent, grandparent,
-						    &root);
+					rotate_left(parent, &root);
 					tmp = node;
 					node = parent;
 					parent = tmp;
@@ -1473,9 +1525,7 @@ dns_rbt_addonlevel(dns_rbtnode_t *node,
 				MAKE_BLACK(parent);
 				MAKE_RED(grandparent);
 				INSIST(depth > 1);
-				rotate_right(grandparent,
-					     chain->ancestors[depth - 2],
-					     &root);
+				rotate_right(grandparent, &root);
 			}
 		} else {
 			child = LEFT(grandparent);
@@ -1487,8 +1537,7 @@ dns_rbt_addonlevel(dns_rbtnode_t *node,
 				depth -= 2;
 			} else {
 				if (node == LEFT(parent)) {
-					rotate_right(parent, grandparent,
-						     &root);
+					rotate_right(parent, &root);
 					tmp = node;
 					node = parent;
 					parent = tmp;
@@ -1497,14 +1546,13 @@ dns_rbt_addonlevel(dns_rbtnode_t *node,
 				MAKE_BLACK(parent);
 				MAKE_RED(grandparent);
 				INSIST(depth > 1);
-				rotate_left(grandparent,
-					    chain->ancestors[depth - 2],
-					    &root);
+				rotate_left(grandparent, &root);
 			}
 		}
 	}
 
 	MAKE_BLACK(root);
+	ENSURE(IS_ROOT(root));
 	*rootp = root;
 
 	return;
@@ -1513,41 +1561,30 @@ dns_rbt_addonlevel(dns_rbtnode_t *node,
 /*
  * This is the real workhorse of the deletion code, because it does the
  * true red/black tree on a single level.
- *
- * The ancestor and level history _must_ be set with dns_rbt_findnode for
- * this function to work properly.
  */
 static void
 dns_rbt_deletefromlevel(dns_rbt_t *rbt, dns_rbtnode_t *delete,
-			dns_rbtnodechain_t *chain) {
-	dns_rbtnode_t *sibling, *parent, *grandparent, *child;
-	dns_rbtnode_t *successor, **rootp;
-	int depth;
+			dns_rbtnode_t **rootp)
+{
+	dns_rbtnode_t *child, *sibling, *parent;
+	dns_rbtnode_t *successor;
 
 	REQUIRE(VALID_RBT(rbt));
-	REQUIRE(delete);
-	REQUIRE(chain->ancestor_count > 0);
-
-	parent = chain->ancestors[chain->ancestor_count - 1];
-
-	if (chain->level_count > 0)
-		rootp = &DOWN(chain->levels[chain->level_count - 1]);
-	else
-		rootp = &rbt->root;
+	REQUIRE(delete != NULL);
 
 	/*
-	 * Verify that the ancestor/level history is (apparently) correct.
+	 * Verify that the parent history is (apparently) correct.
 	 */
-	REQUIRE((parent == NULL && *rootp == delete) ||
-		(parent != NULL && 
-		 (LEFT(parent) == delete || RIGHT(parent) == delete)));
+	INSIST((IS_ROOT(delete) && *rootp == delete) ||
+	       (! IS_ROOT(delete) && 
+		(LEFT(PARENT(delete)) == delete ||
+		 RIGHT(PARENT(delete)) == delete)));
 
 	child = NULL;
 
 	if (LEFT(delete) == NULL) {
 		if (RIGHT(delete) == NULL) {
-			if (chain->ancestors[chain->ancestor_count - 1]
-			    == NULL) {
+			if (IS_ROOT(delete)) {
 				/*
 				 * This is the only item in the tree.
 				 */
@@ -1575,14 +1612,10 @@ dns_rbt_deletefromlevel(dns_rbt_t *rbt, dns_rbtnode_t *delete,
 		 * move it to this location, then do the deletion at the
 		 * old site of the successor.
 		 */
-		depth = chain->ancestor_count++;
 		successor = RIGHT(delete);
-		while (LEFT(successor) != NULL) {
-			chain->ancestors[chain->ancestor_count++] = successor;
+		while (LEFT(successor) != NULL)
 			successor = LEFT(successor);
 
-		}
-
 		/*
 		 * The successor cannot possibly have a left child;
 		 * if there is any child, it is on the right.
@@ -1600,76 +1633,90 @@ dns_rbt_deletefromlevel(dns_rbt_t *rbt, dns_rbtnode_t *delete,
 
 		/*
 		 * First, put the successor in the tree location of the
-		 * node to be deleted.
+		 * node to be deleted.  Save its existing tree pointer
+		 * information, which will be needed when linking up
+		 * delete to the successor's old location.
 		 */
 		memcpy(tmp, successor, sizeof(dns_rbtnode_t));
 
-		chain->ancestors[depth] = successor;
-		parent = chain->ancestors[depth - 1];
+		if (IS_ROOT(delete)) {
+			*rootp = successor;
+			IS_ROOT(successor) = ISC_TRUE;
+			IS_ROOT(delete) = ISC_FALSE;
 
-		if (parent != NULL) {
-			if (LEFT(parent) == delete)
-				LEFT(parent) = successor;
-			else
-				RIGHT(parent) = successor;
 		} else
-			*rootp = successor;
+			if (LEFT(PARENT(delete)) == delete)
+				LEFT(PARENT(delete)) = successor;
+			else
+				RIGHT(PARENT(delete)) = successor;
+
+		PARENT(successor) = PARENT(delete);
+		LEFT(successor)   = LEFT(delete);
+		RIGHT(successor)  = RIGHT(delete);
+		COLOR(successor)  = COLOR(delete);
 
-		LEFT(successor)  = LEFT(delete);
-		RIGHT(successor) = RIGHT(delete);
-		COLOR(successor) = COLOR(delete);
+		if (LEFT(successor) != NULL)
+			PARENT(LEFT(successor)) = successor;
+		if (RIGHT(successor) != successor)
+			PARENT(RIGHT(successor)) = successor;
 
 		/*
 		 * Now relink the node to be deleted into the
-		 * successor's previous tree location.
+		 * successor's previous tree location.  PARENT(tmp)
+		 * is the successor's original parent.
 		 */
-		parent = chain->ancestors[chain->ancestor_count - 1];
-		if (parent == successor)
-			RIGHT(parent) = delete;
-		else
-			LEFT(parent) = delete;
+		INSIST(! IS_ROOT(delete));
+
+		if (PARENT(tmp) == delete) {
+			/*
+			 * Node being deleted was successor's parent.
+			 */
+			RIGHT(successor) = delete;
+			PARENT(delete) = successor;
+
+		} else {
+			LEFT(PARENT(tmp)) = delete;
+			PARENT(delete) = PARENT(tmp);
+		}
 
 		/*
 		 * Original location of successor node has no left.
 		 */
-		LEFT(delete)  = NULL;
-		RIGHT(delete) = RIGHT(tmp);
-		COLOR(delete) = COLOR(tmp);
+		LEFT(delete)   = NULL;
+		RIGHT(delete)  = RIGHT(tmp);
+		COLOR(delete)  = COLOR(tmp);
 	}
 
-	parent = chain->ancestors[chain->ancestor_count - 1];
-
 	/*
 	 * Remove the node by removing the links from its parent.
 	 */
-	if (parent != NULL) {
-		if (LEFT(parent) == delete) {
-			LEFT(parent) = child;
-			sibling = RIGHT(parent);
-		} else {
-			RIGHT(parent) = child;
-			sibling = LEFT(parent);
-		}
+	if (! IS_ROOT(delete)) {
+		if (LEFT(PARENT(delete)) == delete)
+			LEFT(PARENT(delete)) = child;
+		else
+			RIGHT(PARENT(delete)) = child;
+
+		if (child != NULL)
+			PARENT(child) = PARENT(delete);
 
 	} else {
 		/*
 		 * This is the root being deleted, and at this point
 		 * it is known to have just one child.
 		 */
-		sibling = NULL;
 		*rootp = child;
+		IS_ROOT(child) = ISC_TRUE;
+		PARENT(child) = PARENT(delete);
 	} 
 
 	/*
 	 * Fix color violations.
 	 */
 	if (IS_BLACK(delete)) {
-		dns_rbtnode_t *parent;
-		depth = chain->ancestor_count - 1;
+		parent = PARENT(delete);
 
 		while (child != *rootp && IS_BLACK(child)) {
-			parent = chain->ancestors[depth--];
-			grandparent = chain->ancestors[depth];
+			INSIST(child == NULL || ! IS_ROOT(child));
 
 			if (LEFT(parent) == child) {
 				sibling = RIGHT(parent);
@@ -1677,15 +1724,7 @@ dns_rbt_deletefromlevel(dns_rbt_t *rbt, dns_rbtnode_t *delete,
 				if (IS_RED(sibling)) {
 					MAKE_BLACK(sibling);
 					MAKE_RED(parent);
-					rotate_left(parent, grandparent,
-						    rootp);
-					/*
-					 * Parent was reparented by the
-					 * rotation, so the new grandparent
-					 * needs to be noted.  Grandpa is dead,
-					 * long live grandpa.
-					 */
-					grandparent = sibling;
+					rotate_left(parent, rootp);
 					sibling = RIGHT(parent);
 				}
 
@@ -1699,16 +1738,14 @@ dns_rbt_deletefromlevel(dns_rbt_t *rbt, dns_rbtnode_t *delete,
 					if (IS_BLACK(RIGHT(sibling))) {
 						MAKE_BLACK(LEFT(sibling));
 						MAKE_RED(sibling);
-						rotate_right(sibling, parent,
-							     rootp);
+						rotate_right(sibling, rootp);
 						sibling = RIGHT(parent);
 					}
 
 					COLOR(sibling) = COLOR(parent);
 					MAKE_BLACK(parent);
 					MAKE_BLACK(RIGHT(sibling));
-					rotate_left(parent, grandparent,
-						    rootp);
+					rotate_left(parent, rootp);
 					child = *rootp;
 				}
 
@@ -1723,15 +1760,7 @@ dns_rbt_deletefromlevel(dns_rbt_t *rbt, dns_rbtnode_t *delete,
 				if (IS_RED(sibling)) {
 					MAKE_BLACK(sibling);
 					MAKE_RED(parent);
-					rotate_right(parent, grandparent,
-						     rootp);
-					/*
-					 * Parent was reparented by the
-					 * rotation, so the new grandparent
-					 * needs to be noted.  Grandma is dead,
-					 * long live grandma.
-					 */
-					grandparent = sibling;
+					rotate_right(parent, rootp);
 					sibling = LEFT(parent);
 				}
 
@@ -1744,19 +1773,19 @@ dns_rbt_deletefromlevel(dns_rbt_t *rbt, dns_rbtnode_t *delete,
 					if (IS_BLACK(LEFT(sibling))) {
 						MAKE_BLACK(RIGHT(sibling));
 						MAKE_RED(sibling);
-						rotate_left(sibling, parent,
-							    rootp);
+						rotate_left(sibling, rootp);
 						sibling = LEFT(parent);
 					}
 
 					COLOR(sibling) = COLOR(parent);
 					MAKE_BLACK(parent);
 					MAKE_BLACK(LEFT(sibling));
-					rotate_right(parent, grandparent,
-						     rootp);
+					rotate_right(parent, rootp);
 					child = *rootp;
 				}
 			}
+
+			parent = PARENT(child);
 		}
 
 		if (IS_RED(child))
@@ -1822,7 +1851,7 @@ dns_rbt_printnodename(dns_rbtnode_t *node) {
 	dns_name_init(&name, offsets);
 	dns_name_fromregion(&name, &r);
 
-	isc_buffer_init(&target, buffer, 255, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&target, buffer, 255);
 
 	/*
 	 * ISC_FALSE means absolute names have the final dot added.
@@ -1843,7 +1872,22 @@ dns_rbt_printtree(dns_rbtnode_t *root, dns_rbtnode_t *parent, int depth) {
 			printf(" from ");
 			dns_rbt_printnodename(parent);
 		}
+
+		if ((! IS_ROOT(root) && PARENT(root) != parent) ||
+		    (  IS_ROOT(root) && depth > 0 &&
+		       DOWN(PARENT(root)) != root)) {
+
+			printf(" (BAD parent pointer! -> ");
+			if (PARENT(root) != NULL)
+				dns_rbt_printnodename(PARENT(root));
+			else
+				printf("NULL");
+			printf(")");
+		}
+
 		printf(")\n");
+
+
 		depth++;
 
 		if (DOWN(root)) {
@@ -1903,7 +1947,7 @@ dns_rbtnodechain_init(dns_rbtnodechain_t *chain, isc_mem_t *mctx) {
 isc_result_t
 dns_rbtnodechain_current(dns_rbtnodechain_t *chain, dns_name_t *name,
 			 dns_name_t *origin, dns_rbtnode_t **node) {
-	isc_result_t result = DNS_R_SUCCESS;
+	isc_result_t result = ISC_R_SUCCESS;
 
 	REQUIRE(VALID_CHAIN(chain));
 
@@ -1911,7 +1955,7 @@ dns_rbtnodechain_current(dns_rbtnodechain_t *chain, dns_name_t *name,
 		*node = chain->end;
 
 	if (chain->end == NULL)
-		return (DNS_R_NOTFOUND);
+		return (ISC_R_NOTFOUND);
 
 	if (name != NULL) {
 		NODENAME(chain->end, name);
@@ -1949,7 +1993,7 @@ dns_rbtnodechain_prev(dns_rbtnodechain_t *chain, dns_name_t *name,
 		      dns_name_t *origin)
 {
 	dns_rbtnode_t *current, *previous, *predecessor;
-	isc_result_t result = DNS_R_SUCCESS;
+	isc_result_t result = ISC_R_SUCCESS;
 	isc_boolean_t new_origin = ISC_FALSE;
 
 	REQUIRE(VALID_CHAIN(chain) && chain->end != NULL);
@@ -2041,7 +2085,7 @@ dns_rbtnodechain_prev(dns_rbtnodechain_t *chain, dns_name_t *name,
 		if (new_origin) {
 			result = dns_rbtnodechain_current(chain, name, origin,
 							  NULL);
-			if (result == DNS_R_SUCCESS)
+			if (result == ISC_R_SUCCESS)
 				result = DNS_R_NEWORIGIN;
 
 		} else
@@ -2049,7 +2093,7 @@ dns_rbtnodechain_prev(dns_rbtnodechain_t *chain, dns_name_t *name,
 							  NULL);
 
 	} else
-		result = DNS_R_NOMORE;
+		result = ISC_R_NOMORE;
 
 	return (result);
 }
@@ -2059,7 +2103,7 @@ dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
 		      dns_name_t *origin)
 {
 	dns_rbtnode_t *current, *previous, *successor;
-	isc_result_t result = DNS_R_SUCCESS;
+	isc_result_t result = ISC_R_SUCCESS;
 	isc_boolean_t new_origin = ISC_FALSE;
 
 	REQUIRE(VALID_CHAIN(chain) && chain->end != NULL);
@@ -2164,14 +2208,14 @@ dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
 			if (origin != NULL)
 				result = chain_name(chain, origin, ISC_FALSE);
 
-			if (result == DNS_R_SUCCESS)
+			if (result == ISC_R_SUCCESS)
 				result = DNS_R_NEWORIGIN;
 
 		} else
-			result = DNS_R_SUCCESS;
+			result = ISC_R_SUCCESS;
 
 	} else
-		result = DNS_R_NOMORE;
+		result = ISC_R_NOMORE;
 
 	return (result);
 }
@@ -2194,7 +2238,7 @@ dns_rbtnodechain_first(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
 
 	result = dns_rbtnodechain_current(chain, name, origin, NULL);
 
-	if (result == DNS_R_SUCCESS)
+	if (result == ISC_R_SUCCESS)
 		result = DNS_R_NEWORIGIN;
 
 	return (result);
@@ -2215,12 +2259,12 @@ dns_rbtnodechain_last(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
 	ADD_ANCESTOR(chain, NULL);
 
 	result = move_chain_to_last(chain, rbt->root);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 
 	result = dns_rbtnodechain_current(chain, name, origin, NULL);
 
-	if (result == DNS_R_SUCCESS)
+	if (result == ISC_R_SUCCESS)
 		result = DNS_R_NEWORIGIN;
 
 	return (result);
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 6ede7f11..546e78a1 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -21,28 +21,21 @@
 
 #include <config.h>
 
-#include <stddef.h>
-#include <string.h>
-#include <limits.h>
-
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/mutex.h>
+#include <isc/mem.h>
 #include <isc/rwlock.h>
+#include <isc/string.h>
 #include <isc/util.h>
 
-#include <dns/types.h>
-#include <dns/name.h>
-#include <dns/fixedname.h>
 #include <dns/db.h>
 #include <dns/dbiterator.h>
+#include <dns/fixedname.h>
+#include <dns/masterdump.h>
 #include <dns/rbt.h>
-#include <dns/master.h>
-#include <dns/rdataslab.h>
 #include <dns/rdata.h>
 #include <dns/rdataset.h>
 #include <dns/rdatasetiter.h>
-#include <dns/masterdump.h>
+#include <dns/rdataslab.h>
+#include <dns/result.h>
 
 #ifdef DNS_RBTDB_VERSION64
 #include "rbtdb64.h"
@@ -98,9 +91,18 @@ typedef struct rdatasetheader {
 	struct rdatasetheader		*down;
 } rdatasetheader_t;
 
-#define RDATASET_ATTR_NONEXISTENT	0x01
-#define RDATASET_ATTR_STALE		0x02
-#define RDATASET_ATTR_IGNORE		0x04
+#define RDATASET_ATTR_NONEXISTENT	0x0001
+#define RDATASET_ATTR_STALE		0x0002
+#define RDATASET_ATTR_IGNORE		0x0004
+#define RDATASET_ATTR_RETAIN		0x0008
+
+/*
+ * XXX
+ * When the cache will pre-expire data (due to memory low or other
+ * situations) before the rdataset's TTL has expired, it MUST
+ * respect the RETAIN bit and not expire the data until its TTL is
+ * expired.
+ */
 
 #undef IGNORE			/* WIN32 winbase.h defines this. */
 
@@ -110,6 +112,8 @@ typedef struct rdatasetheader {
 	(((header)->attributes & RDATASET_ATTR_NONEXISTENT) != 0)
 #define IGNORE(header) \
 	(((header)->attributes & RDATASET_ATTR_IGNORE) != 0)
+#define RETAIN(header) \
+	(((header)->attributes & RDATASET_ATTR_RETAIN) != 0)
 
 #define DEFAULT_NODE_LOCK_COUNT		7		/* Should be prime. */
 
@@ -312,17 +316,17 @@ attach(dns_db_t *source, dns_db_t **targetp) {
 static void
 free_rbtdb(dns_rbtdb_t *rbtdb) {
 	unsigned int i;
-	isc_region_t r;
 	isc_ondestroy_t ondest;
+	isc_mem_t *mctx;
 
 	REQUIRE(EMPTY(rbtdb->open_versions));
 	REQUIRE(rbtdb->future_version == NULL);
 
-	isc_mem_put(rbtdb->common.mctx, rbtdb->current_version,
-		    sizeof (rbtdb_version_t));
-	dns_name_toregion(&rbtdb->common.origin, &r);
-	if (r.base != NULL)
-		isc_mem_put(rbtdb->common.mctx, r.base, r.length);
+	if (rbtdb->current_version != NULL)
+		isc_mem_put(rbtdb->common.mctx, rbtdb->current_version,
+			    sizeof (rbtdb_version_t));
+	if (dns_name_dynamic(&rbtdb->common.origin))
+		dns_name_free(&rbtdb->common.origin, rbtdb->common.mctx);
 	if (rbtdb->tree != NULL)
 		dns_rbt_destroy(&rbtdb->tree);
 	for (i = 0; i < rbtdb->node_lock_count; i++)
@@ -334,7 +338,9 @@ free_rbtdb(dns_rbtdb_t *rbtdb) {
 	rbtdb->common.magic = 0;
 	rbtdb->common.impmagic = 0;
 	ondest = rbtdb->common.ondest;
-	isc_mem_put(rbtdb->common.mctx, rbtdb, sizeof *rbtdb);
+	mctx = rbtdb->common.mctx;
+	isc_mem_put(mctx, rbtdb, sizeof *rbtdb);
+	isc_mem_detach(&mctx);
 	isc_ondestroy_notify(&ondest, rbtdb);
 }
 
@@ -439,11 +445,11 @@ newversion(dns_db_t *db, dns_dbversion_t **versionp) {
 	UNLOCK(&rbtdb->lock);
 
 	if (version == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
 	*versionp = version;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static void
@@ -954,12 +960,12 @@ findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
 	dns_name_init(&nodename, NULL);
 	RWLOCK(&rbtdb->tree_lock, locktype);
 	result = dns_rbt_findnode(rbtdb->tree, name, NULL, &node, NULL,
-				  ISC_TRUE, NULL, NULL);
-	if (result != DNS_R_SUCCESS) {
+				  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+	if (result != ISC_R_SUCCESS) {
 		RWUNLOCK(&rbtdb->tree_lock, locktype);
 		if (!create) {
 			if (result == DNS_R_PARTIALMATCH)
-				result = DNS_R_NOTFOUND;
+				result = ISC_R_NOTFOUND;
 			return (result);
 		}
 		/*
@@ -970,11 +976,11 @@ findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
 		RWLOCK(&rbtdb->tree_lock, locktype);
 		node = NULL;
 		result = dns_rbt_addnode(rbtdb->tree, name, &node);
-		if (result == DNS_R_SUCCESS) {
+		if (result == ISC_R_SUCCESS) {
 			dns_rbt_namefromnode(node, &nodename);
 			node->locknum = dns_name_hash(&nodename, ISC_TRUE) %
 				rbtdb->node_lock_count;
-		} else if (result != DNS_R_EXISTS) {
+		} else if (result != ISC_R_EXISTS) {
 			RWUNLOCK(&rbtdb->tree_lock, locktype);
 			return (result);
 		}
@@ -987,7 +993,7 @@ findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
 
 	*nodep = (dns_dbnode_t *)node;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
@@ -1103,7 +1109,7 @@ zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 			zcname = dns_fixedname_name(&search->zonecut_name);
 			RUNTIME_CHECK(dns_name_concatenate(name, NULL, zcname,
 							   NULL) ==
-				      DNS_R_SUCCESS);
+				      ISC_R_SUCCESS);
 			search->copy_name = ISC_TRUE;
 		}
 	} else {
@@ -1195,7 +1201,7 @@ setup_delegation(rbtdb_search_t *search, dns_dbnode_t **nodep,
 	if (foundname != NULL && search->copy_name) {
 		zcname = dns_fixedname_name(&search->zonecut_name);
 		result = dns_name_concatenate(zcname, NULL, foundname, NULL);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
 	if (nodep != NULL) {
@@ -1281,7 +1287,7 @@ find_wildcard(rbtdb_search_t *search, dns_rbtnode_t **nodep) {
 	unsigned int i, j;
 	dns_rbtnode_t *node, *level_node, *wnode;
 	rdatasetheader_t *header;
-	isc_result_t result = DNS_R_NOTFOUND;
+	isc_result_t result = ISC_R_NOTFOUND;
 	dns_name_t name;
 	dns_name_t *wname;
 	dns_fixedname_t fwname;
@@ -1346,7 +1352,7 @@ find_wildcard(rbtdb_search_t *search, dns_rbtnode_t **nodep) {
 			result = dns_name_concatenate(dns_wildcardname, &name,
 						      wname, NULL);
 			j = i;
-			while (result == DNS_R_SUCCESS && j != 0) {
+			while (result == ISC_R_SUCCESS && j != 0) {
 				j--;
 				level_node = search->chain.levels[j];
 				dns_name_init(&name, NULL);
@@ -1356,14 +1362,15 @@ find_wildcard(rbtdb_search_t *search, dns_rbtnode_t **nodep) {
 							      wname,
 							      NULL);
 			}
-			if (result != DNS_R_SUCCESS)
+			if (result != ISC_R_SUCCESS)
 				break;
 
 			wnode = NULL;
 			result = dns_rbt_findnode(rbtdb->tree, wname,
 						  NULL, &wnode, NULL,
-						  ISC_TRUE, NULL, NULL);
-			if (result == DNS_R_SUCCESS) {
+						  DNS_RBTFIND_EMPTYDATA,
+						  NULL, NULL);
+			if (result == ISC_R_SUCCESS) {
 			    /*
 			     * We have found the wildcard node.  If it
 			     * is active in the search's version, we're
@@ -1382,13 +1389,13 @@ find_wildcard(rbtdb_search_t *search, dns_rbtnode_t **nodep) {
 				    /*
 				     * The wildcard node is active!
 				     *
-				     * Note: result is still DNS_R_SUCCESS
+				     * Note: result is still ISC_R_SUCCESS
 				     * so we don't have to set it.
 				     */
 				    *nodep = wnode;
 				    break;
 			    }
-			} else if (result != DNS_R_NOTFOUND &&
+			} else if (result != ISC_R_NOTFOUND &&
 				   result != DNS_R_PARTIALMATCH) {
 				/*
 				 * An error has occurred.  Bail out.
@@ -1403,7 +1410,7 @@ find_wildcard(rbtdb_search_t *search, dns_rbtnode_t **nodep) {
 			 * present at higher levels has no
 			 * effect and we're done.
 			 */
-			result = DNS_R_NOTFOUND;
+			result = ISC_R_NOTFOUND;
 			break;
 		}
 
@@ -1417,6 +1424,13 @@ find_wildcard(rbtdb_search_t *search, dns_rbtnode_t **nodep) {
 	return (result);
 }
 
+static inline isc_boolean_t
+rootname(dns_name_t *name) {
+	if (dns_name_countlabels(name) == 1 && dns_name_isabsolute(name))
+		return (ISC_TRUE);
+	return (ISC_FALSE);
+}
+
 static inline isc_result_t
 find_closest_nxt(rbtdb_search_t *search, dns_dbnode_t **nodep,
 		 dns_name_t *foundname, dns_rdataset_t *rdataset,
@@ -1497,6 +1511,8 @@ find_closest_nxt(rbtdb_search_t *search, dns_dbnode_t **nodep,
 				 * that we're looking at one.  For now, we
 				 * do nothing.
 				 */
+				if (rootname(name))
+					origin = NULL;
 				result = dns_name_concatenate(name,
 							      origin,
 							      foundname, NULL);
@@ -1557,11 +1573,11 @@ find_closest_nxt(rbtdb_search_t *search, dns_dbnode_t **nodep,
 	} while (empty_node && result == ISC_R_SUCCESS);
 
 	/*
-	 * If the result is DNS_R_NOMORE, then we got to the beginning of
+	 * If the result is ISC_R_NOMORE, then we got to the beginning of
 	 * the database and didn't find a NXT record.  This shouldn't
 	 * happen.
 	 */
-	if (result == DNS_R_NOMORE)
+	if (result == ISC_R_NOMORE)
 		result = DNS_R_BADDB;
 
 	return (result);
@@ -1591,10 +1607,9 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	REQUIRE(VALID_RBTDB(search.rbtdb));
 
 	/*
-	 * We don't care about 'now'.  We set it to zero so compilers won't
-	 * complain about it being unused.
+	 * We don't care about 'now'.
 	 */
-	now = 0;
+	UNUSED(now);
 
 	/*
 	 * If the caller didn't supply a version, attach to the current
@@ -1629,7 +1644,7 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	 * rdatasets at the zone cut for active DNAME or NS rdatasets.
 	 */
 	result = dns_rbt_findnode(search.rbtdb->tree, name, foundname, &node,
-				  &search.chain, ISC_TRUE,
+				  &search.chain, DNS_RBTFIND_EMPTYDATA,
 				  zone_zonecut_callback, &search);
 
 	if (result == DNS_R_PARTIALMATCH) {
@@ -1648,10 +1663,10 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 			 * in the current version.
 			 */
 			result = find_wildcard(&search, &node);
-			if (result == DNS_R_SUCCESS) {
+			if (result == ISC_R_SUCCESS) {
 				result = dns_name_concatenate(name, NULL,
 							      foundname, NULL);
-				if (result != DNS_R_SUCCESS)
+				if (result != ISC_R_SUCCESS)
 					goto tree_exit;	      
 				wild = ISC_TRUE;
 				goto found;
@@ -1672,7 +1687,7 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		} else
 			result = DNS_R_NXDOMAIN;
 		goto tree_exit;
-	} else if (result != DNS_R_SUCCESS)
+	} else if (result != ISC_R_SUCCESS)
 		goto tree_exit;
 
  found:
@@ -1880,7 +1895,7 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 			/*
 			 * The desired type doesn't exist.
 			 */
-			result = DNS_R_NXRDATASET;
+			result = DNS_R_NXRRSET;
 			if (search.rbtdb->secure &&
 			    (nxtheader == NULL || nxtsig == NULL)) {
 				/*
@@ -1926,7 +1941,7 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		if (search.zonecut == node) {
 			if (type == dns_rdatatype_nxt ||
 			    type == dns_rdatatype_key)
-				result = DNS_R_SUCCESS;
+				result = ISC_R_SUCCESS;
 			else if (type == dns_rdatatype_any)
 				result = DNS_R_ZONECUT;
 			else
@@ -1952,7 +1967,7 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		/*
 		 * An ordinary successful query!
 		 */
-		result = DNS_R_SUCCESS;
+		result = ISC_R_SUCCESS;
 	}
 
 	if (nodep != NULL) {
@@ -2016,7 +2031,7 @@ zone_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
 
 	FATAL_ERROR(__FILE__, __LINE__, "zone_findzonecut() called!");
 
-	return (DNS_R_NOTIMPLEMENTED);
+	return (ISC_R_NOTIMPLEMENTED);
 }
 
 static isc_result_t
@@ -2100,7 +2115,7 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
 	dns_rbtnode_t *level_node;
 	rdatasetheader_t *header, *header_prev, *header_next;
 	rdatasetheader_t *found, *foundsig;
-	isc_result_t result = DNS_R_NOTFOUND;
+	isc_result_t result = ISC_R_NOTFOUND;
 	dns_name_t name;
 	dns_rbtdb_t *rbtdb;
 	isc_boolean_t done;
@@ -2183,7 +2198,7 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
 				dns_rbt_namefromnode(node, &name);
 				result = dns_name_concatenate(&name, NULL,
 							      foundname, NULL);
-				while (result == DNS_R_SUCCESS && i > 0) {
+				while (result == ISC_R_SUCCESS && i > 0) {
 					i--;
 					level_node = search->chain.levels[i];
 					dns_name_init(&name, NULL);
@@ -2195,7 +2210,7 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
 								     foundname,
 								     NULL);
 				}
-				if (result != DNS_R_SUCCESS) {
+				if (result != ISC_R_SUCCESS) {
 					*nodep = NULL;
 					goto node_exit;
 				}
@@ -2242,6 +2257,8 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	rdatasetheader_t *foundsig, *nssig, *cnamesig;
 	rbtdb_rdatatype_t sigtype, nxtype;
 
+	UNUSED(version);
+
 	search.rbtdb = (dns_rbtdb_t *)db;
 
 	REQUIRE(VALID_RBTDB(search.rbtdb));
@@ -2269,7 +2286,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	 * rdatasets at the zone cut for a DNAME rdataset.
 	 */
 	result = dns_rbt_findnode(search.rbtdb->tree, name, foundname, &node,
-				  &search.chain, ISC_TRUE,
+				  &search.chain, DNS_RBTFIND_EMPTYDATA,
 				  cache_zonecut_callback, &search);
 
 	if (result == DNS_R_PARTIALMATCH) {
@@ -2284,7 +2301,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 						      sigrdataset);
 			goto tree_exit;
 		}
-	} else if (result != DNS_R_SUCCESS)
+	} else if (result != ISC_R_SUCCESS)
 		goto tree_exit;
 
 	/*
@@ -2481,7 +2498,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		/*
 		 * An ordinary successful query!
 		 */
-		result = DNS_R_SUCCESS;
+		result = ISC_R_SUCCESS;
 	}
 
 	if (type != dns_rdatatype_any || result == DNS_R_NCACHENXDOMAIN) {
@@ -2516,6 +2533,7 @@ cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
 	rbtdb_search_t search;
 	rdatasetheader_t *header, *header_prev, *header_next;
 	rdatasetheader_t *found, *foundsig;
+	unsigned int rbtoptions = DNS_RBTFIND_EMPTYDATA;
 
 	search.rbtdb = (dns_rbtdb_t *)db;
 
@@ -2535,20 +2553,23 @@ cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
 	dns_rbtnodechain_init(&search.chain, search.rbtdb->common.mctx);
 	search.now = now;
 
+	if ((options & DNS_DBFIND_NOEXACT) != 0)
+		rbtoptions |= DNS_RBTFIND_NOEXACT;
+
 	RWLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
 
 	/*
 	 * Search down from the root of the tree.
 	 */
 	result = dns_rbt_findnode(search.rbtdb->tree, name, foundname, &node,
-				  &search.chain, ISC_TRUE, NULL, &search);
+				  &search.chain, rbtoptions, NULL, &search);
 
 	if (result == DNS_R_PARTIALMATCH) {
 	find_ns:
 		result = find_deepest_zonecut(&search, node, nodep, foundname,
 					      rdataset, sigrdataset);
 		goto tree_exit;
-	} else if (result != DNS_R_SUCCESS)
+	} else if (result != ISC_R_SUCCESS)
 		goto tree_exit;
 
 	/*
@@ -2635,7 +2656,7 @@ cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
 	dns_rbtnodechain_reset(&search.chain);
 
 	if (result == DNS_R_DELEGATION)
-		result = DNS_R_SUCCESS;
+		result = ISC_R_SUCCESS;
 
 	return (result);
 }
@@ -2714,7 +2735,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
 
 	UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static void
@@ -2768,7 +2789,7 @@ createiterator(dns_db_t *db, isc_boolean_t relative_names,
 
 	rbtdbiter = isc_mem_get(rbtdb->common.mctx, sizeof *rbtdbiter);
 	if (rbtdbiter == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
 	rbtdbiter->common.methods = &dbiterator_methods;
 	dns_db_attach(db, &rbtdbiter->common.db);
@@ -2776,7 +2797,7 @@ createiterator(dns_db_t *db, isc_boolean_t relative_names,
 	rbtdbiter->common.magic = DNS_DBITERATOR_MAGIC;
 	rbtdbiter->paused = ISC_FALSE;
 	rbtdbiter->tree_locked = ISC_FALSE;
-	rbtdbiter->result = DNS_R_SUCCESS;
+	rbtdbiter->result = ISC_R_SUCCESS;
 	dns_fixedname_init(&rbtdbiter->name);
 	dns_fixedname_init(&rbtdbiter->origin);
 	rbtdbiter->node = NULL;
@@ -2784,7 +2805,7 @@ createiterator(dns_db_t *db, isc_boolean_t relative_names,
 
 	*iteratorp = (dns_dbiterator_t *)rbtdbiter;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
@@ -2866,9 +2887,9 @@ zone_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		closeversion(db, (dns_dbversion_t **)(&rbtversion), ISC_FALSE);
 
 	if (found == NULL)
-		return (DNS_R_NOTFOUND);
+		return (ISC_R_NOTFOUND);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
@@ -2886,7 +2907,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	REQUIRE(VALID_RBTDB(rbtdb));
 	REQUIRE(type != dns_rdatatype_any);
 
-	version = NULL;		/* Keep compilers quiet. */
+	UNUSED(version);
 
 	result = ISC_R_SUCCESS;
 
@@ -2936,7 +2957,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
 
 	if (found == NULL)
-		return (DNS_R_NOTFOUND);
+		return (ISC_R_NOTFOUND);
 
 	if (RBTDB_RDATATYPE_BASE(found->type) == 0) {
 		/*
@@ -2964,7 +2985,7 @@ allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 
 	iterator = isc_mem_get(rbtdb->common.mctx, sizeof *iterator);
 	if (iterator == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
 	if ((db->attributes & DNS_DBATTR_CACHE) == 0) {
 		now = 0;
@@ -3001,7 +3022,7 @@ allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 
 	*iteratorp = (dns_rdatasetiter_t *)iterator;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
@@ -3047,7 +3068,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 		changed = add_changed(rbtdb, rbtversion, rbtnode);
 		if (changed == NULL) {
 			free_rdataset(rbtdb->common.mctx, newheader);
-			return (DNS_R_NOMEMORY);
+			return (ISC_R_NOMEMORY);
 		}
 	}
 
@@ -3201,7 +3222,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 					     (dns_rdatatype_t)header->type,
 					     force,
 					     &merged);
-			if (result == DNS_R_SUCCESS) {
+			if (result == ISC_R_SUCCESS) {
 				/*
 				 * If 'header' has the same serial number as
 				 * we do, we could clean it up now if we knew
@@ -3289,7 +3310,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 	if (addedrdataset != NULL)
 		bind_rdataset(rbtdb, rbtnode, newheader, now, addedrdataset);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_boolean_t
@@ -3331,7 +3352,7 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
 					    &region,
 					    sizeof (rdatasetheader_t));
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 
 	newheader = (rdatasetheader_t *)region.base;
@@ -3364,7 +3385,7 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 
 	result = add(rbtdb, rbtnode, rbtversion, newheader, options, ISC_FALSE,
 		     addedrdataset, now);
-	if (result == DNS_R_SUCCESS && delegating)
+	if (result == ISC_R_SUCCESS && delegating)
 		rbtnode->find_callback = 1;
 
 	UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
@@ -3393,7 +3414,7 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
 					    &region,
 					    sizeof (rdatasetheader_t));
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	newheader = (rdatasetheader_t *)region.base;
 	newheader->ttl = 0;
@@ -3408,7 +3429,7 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	changed = add_changed(rbtdb, rbtversion, rbtnode);
 	if (changed == NULL) {
 		free_rdataset(rbtdb->common.mctx, newheader);
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 	}
 
 	topheader_prev = NULL;
@@ -3437,7 +3458,7 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 					rbtdb->common.rdclass,
 					(dns_rdatatype_t)header->type,
 					&subresult);
-		if (result == DNS_R_SUCCESS) {
+		if (result == ISC_R_SUCCESS) {
 			free_rdataset(rbtdb->common.mctx, newheader);
 			newheader = (rdatasetheader_t *)subresult;
 			/*
@@ -3446,7 +3467,7 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 			 * header, not newheader.
 			 */
 			newheader->serial = rbtversion->serial;
-		} else if (result == DNS_R_NXRDATASET) {
+		} else if (result == DNS_R_NXRRSET) {
 			/*
 			 * This subtraction would remove all of the rdata;
 			 * add a nonexistent header instead.
@@ -3455,7 +3476,7 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 			newheader = isc_mem_get(rbtdb->common.mctx,
 						sizeof *newheader);
 			if (newheader == NULL) {
-				result = DNS_R_NOMEMORY;
+				result = ISC_R_NOMEMORY;
 				goto unlock;
 			}
 			newheader->ttl = 0;
@@ -3491,7 +3512,7 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		result = DNS_R_UNCHANGED;
 	}
 
-	if (result == DNS_R_SUCCESS && newrdataset != NULL)
+	if (result == ISC_R_SUCCESS && newrdataset != NULL)
 		bind_rdataset(rbtdb, rbtnode, newheader, 0, newrdataset);
 
  unlock:
@@ -3513,13 +3534,13 @@ deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	REQUIRE(VALID_RBTDB(rbtdb));
 
 	if (type == dns_rdatatype_any)
-		return (DNS_R_NOTIMPLEMENTED);
+		return (ISC_R_NOTIMPLEMENTED);
 	if (type == dns_rdatatype_sig && covers == 0)
-		return (DNS_R_NOTIMPLEMENTED);
+		return (ISC_R_NOTIMPLEMENTED);
 
 	newheader = isc_mem_get(rbtdb->common.mctx, sizeof *newheader);
 	if (newheader == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 	newheader->ttl = 0;
 	newheader->type = RBTDB_RDATATYPE_VALUE(type, covers);
 	newheader->attributes = RDATASET_ATTR_NONEXISTENT;
@@ -3575,7 +3596,7 @@ loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
 		dns_name_getlabelsequence(name, 1, n, &foundname);
 		node = NULL;
 		result = dns_rbt_addnode(rbtdb->tree, &foundname, &node);
-		if (result != DNS_R_SUCCESS && result != DNS_R_EXISTS)
+		if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
 			return (result);
 		node->find_callback = 1;
 		node->wild = 1;
@@ -3583,9 +3604,9 @@ loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
 
 	node = NULL;
 	result = dns_rbt_addnode(rbtdb->tree, name, &node);
-	if (result != DNS_R_SUCCESS && result != DNS_R_EXISTS)
+	if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
 		return (result);
-	if (result != DNS_R_EXISTS) {
+	if (result != ISC_R_EXISTS) {
 		dns_name_init(&foundname, NULL);
 		dns_rbt_namefromnode(node, &foundname);
 		node->locknum = dns_name_hash(&foundname, ISC_TRUE) %
@@ -3595,7 +3616,7 @@ loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
 	result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
 					    &region,
 					    sizeof (rdatasetheader_t));
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	newheader = (rdatasetheader_t *)region.base;
 	newheader->ttl = rdataset->ttl + loadctx->now; /* XXX overflow check */
@@ -3607,11 +3628,11 @@ loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
 
 	result = add(rbtdb, node, rbtdb->current_version, newheader,
 		     DNS_DBADD_MERGE, ISC_TRUE, NULL, 0);
-	if (result == DNS_R_SUCCESS &&
+	if (result == ISC_R_SUCCESS &&
 	    delegating_type(rbtdb, node, rdataset->type))
 		node->find_callback = 1;
 	else if (result == DNS_R_UNCHANGED)
-		result = DNS_R_SUCCESS;
+		result = ISC_R_SUCCESS;
 
 	return (result);
 }
@@ -3627,7 +3648,7 @@ beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp, dns_dbload_t **dbloadp) {
 
 	loadctx = isc_mem_get(rbtdb->common.mctx, sizeof *loadctx);
 	if (loadctx == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
 	loadctx->rbtdb = rbtdb;
 	if ((rbtdb->common.attributes & DNS_DBATTR_CACHE) != 0)
@@ -3646,7 +3667,7 @@ beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp, dns_dbload_t **dbloadp) {
 	*addp = loading_addrdataset;
 	*dbloadp = loadctx;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
@@ -3691,7 +3712,7 @@ endload(dns_db_t *db, dns_dbload_t **dbloadp) {
 
 	isc_mem_put(rbtdb->common.mctx, loadctx, sizeof *loadctx);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
@@ -3799,7 +3820,6 @@ dns_rbtdb_create
 	dns_rbtdb_t *rbtdb;
 	isc_result_t result;
 	int i;
-	isc_region_t r1, r2;
 	dns_name_t name;
 
 	/* Keep the compiler happy. */
@@ -3808,8 +3828,9 @@ dns_rbtdb_create
 
 	rbtdb = isc_mem_get(mctx, sizeof *rbtdb);
 	if (rbtdb == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 	memset(rbtdb, '\0', sizeof *rbtdb);
+	dns_name_init(&rbtdb->common.origin, NULL);
 	rbtdb->common.attributes = 0;
 	if (cache) {
 		rbtdb->common.methods = &cache_methods;
@@ -3817,25 +3838,25 @@ dns_rbtdb_create
 	} else
 		rbtdb->common.methods = &zone_methods;
 	rbtdb->common.rdclass = rdclass;
-	rbtdb->common.mctx = mctx;
+	rbtdb->common.mctx = NULL;
 
 	result = isc_mutex_init(&rbtdb->lock);
 	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(rbtdb->common.mctx, rbtdb, sizeof *rbtdb);
+		isc_mem_put(mctx, rbtdb, sizeof *rbtdb);
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_mutex_init() failed: %s",
 				 isc_result_totext(result));
-		return (DNS_R_UNEXPECTED);
+		return (ISC_R_UNEXPECTED);
 	}
 
 	result = isc_rwlock_init(&rbtdb->tree_lock, 0, 0);
 	if (result != ISC_R_SUCCESS) {
 		isc_mutex_destroy(&rbtdb->lock);
-		isc_mem_put(rbtdb->common.mctx, rbtdb, sizeof *rbtdb);
+		isc_mem_put(mctx, rbtdb, sizeof *rbtdb);
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_rwlock_init() failed: %s",
 				 isc_result_totext(result));
-		return (DNS_R_UNEXPECTED);
+		return (ISC_R_UNEXPECTED);
 	}
 
 	INSIST(rbtdb->node_lock_count < (1 << DNS_RBT_LOCKLENGTH));
@@ -3857,35 +3878,37 @@ dns_rbtdb_create
 				    sizeof (rbtdb_nodelock_t));
 			isc_rwlock_destroy(&rbtdb->tree_lock);
 			isc_mutex_destroy(&rbtdb->lock);
-			isc_mem_put(rbtdb->common.mctx, rbtdb, sizeof *rbtdb);
+			isc_mem_put(mctx, rbtdb, sizeof *rbtdb);
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 					 "isc_mutex_init() failed: %s",
 					 isc_result_totext(result));
-			return (DNS_R_UNEXPECTED);
+			return (ISC_R_UNEXPECTED);
 		}
 		rbtdb->node_locks[i].references = 0;
 		rbtdb->node_locks[i].exiting = ISC_FALSE;
 	}
 
 	/*
+	 * Attach to the mctx.  The database will persist so long as there
+	 * are references to it, and attaching to the mctx ensures that our
+	 * mctx won't disappear out from under us.
+	 */
+	isc_mem_attach(mctx, &rbtdb->common.mctx);
+
+	/*
 	 * Make a copy of the origin name.
 	 */
-	dns_name_init(&rbtdb->common.origin, NULL);
-	dns_name_toregion(origin, &r1);
-	r2.base = isc_mem_get(mctx, r1.length);
-	if (r2.base == NULL) {
+	result = dns_name_dupwithoffsets(origin, mctx, &rbtdb->common.origin);
+	if (result != ISC_R_SUCCESS) {
 		free_rbtdb(rbtdb);
-		return (DNS_R_NOMEMORY);
+		return (result);
 	}
-	r2.length = r1.length;
-	memcpy(r2.base, r1.base, r1.length);
-	dns_name_fromregion(&rbtdb->common.origin, &r2);
 
 	/*
 	 * Make the Red-Black Tree.
 	 */
 	result = dns_rbt_create(mctx, delete_callback, rbtdb, &rbtdb->tree);
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		free_rbtdb(rbtdb);
 		return (result);
 	}
@@ -3906,8 +3929,8 @@ dns_rbtdb_create
 		rbtdb->origin_node = NULL;
 		result = dns_rbt_addnode(rbtdb->tree, &rbtdb->common.origin,
 					 &rbtdb->origin_node);
-		if (result != DNS_R_SUCCESS) {
-			INSIST(result != DNS_R_EXISTS);
+		if (result != ISC_R_SUCCESS) {
+			INSIST(result != ISC_R_EXISTS);
 			free_rbtdb(rbtdb);
 			return (result);
 		}
@@ -3937,7 +3960,7 @@ dns_rbtdb_create
 	rbtdb->current_version = allocate_version(mctx, 1, 0, ISC_FALSE);
 	if (rbtdb->current_version == NULL) {
 		free_rbtdb(rbtdb);
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 	}
 	rbtdb->future_version = NULL;
 	ISC_LIST_INIT(rbtdb->open_versions);
@@ -3949,7 +3972,7 @@ dns_rbtdb_create
 
 	*dbp = (dns_db_t *)rbtdb;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 
@@ -3973,7 +3996,7 @@ rdataset_first(dns_rdataset_t *rdataset) {
 	count = raw[0] * 256 + raw[1];
 	if (count == 0) {
 		rdataset->private5 = NULL;
-		return (DNS_R_NOMORE);
+		return (ISC_R_NOMORE);
 	}
 	raw += 2;
 	/*
@@ -3985,7 +4008,7 @@ rdataset_first(dns_rdataset_t *rdataset) {
 	rdataset->private4 = (void *)count;
 	rdataset->private5 = raw;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
@@ -3996,7 +4019,7 @@ rdataset_next(dns_rdataset_t *rdataset) {
 
 	count = (unsigned int)rdataset->private4;
 	if (count == 0)
-		return (DNS_R_NOMORE);
+		return (ISC_R_NOMORE);
 	count--;
 	rdataset->private4 = (void *)count;
 	raw = rdataset->private5;
@@ -4004,7 +4027,7 @@ rdataset_next(dns_rdataset_t *rdataset) {
 	raw += length + 2;
 	rdataset->private5 = raw;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static void
@@ -4112,9 +4135,9 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) {
 	rbtiterator->current = header;
 
 	if (header == NULL)
-		return (DNS_R_NOMORE);
+		return (ISC_R_NOMORE);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
@@ -4130,7 +4153,7 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
 
 	header = rbtiterator->current;
 	if (header == NULL)
-		return (DNS_R_NOMORE);
+		return (ISC_R_NOMORE);
 
 	if ((rbtdb->common.attributes & DNS_DBATTR_CACHE) == 0) {
 		serial = rbtversion->serial;
@@ -4171,9 +4194,9 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
 	rbtiterator->current = header;
 
 	if (header == NULL)
-		return (DNS_R_NOMORE);
+		return (ISC_R_NOMORE);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static void
@@ -4253,8 +4276,8 @@ dbiterator_first(dns_dbiterator_t *iterator) {
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
 	dns_name_t *name, *origin;
 	
-	if (rbtdbiter->result != DNS_R_SUCCESS &&
-	    rbtdbiter->result != DNS_R_NOMORE)
+	if (rbtdbiter->result != ISC_R_SUCCESS &&
+	    rbtdbiter->result != ISC_R_NOMORE)
 		return (rbtdbiter->result);
 
 	unpause(rbtdbiter);
@@ -4270,18 +4293,18 @@ dbiterator_first(dns_dbiterator_t *iterator) {
 	result = dns_rbtnodechain_first(&rbtdbiter->chain, rbtdb->tree, name,
 					origin);
 	if (result != DNS_R_NEWORIGIN) {
-		INSIST(result != DNS_R_SUCCESS);
-		if (result == DNS_R_NOTFOUND) {
+		INSIST(result != ISC_R_SUCCESS);
+		if (result == ISC_R_NOTFOUND) {
 			/*
 			 * The tree is empty.
 			 */
-			result = DNS_R_NOMORE;
+			result = ISC_R_NOMORE;
 		}
 		rbtdbiter->node = NULL;
 	} else {
 		result = dns_rbtnodechain_current(&rbtdbiter->chain, NULL,
 						  NULL, &rbtdbiter->node);
-		if (result == DNS_R_SUCCESS)
+		if (result == ISC_R_SUCCESS)
 			rbtdbiter->new_origin = ISC_TRUE;
 		else
 			rbtdbiter->node = NULL;
@@ -4298,8 +4321,8 @@ dbiterator_last(dns_dbiterator_t *iterator) {
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
 	dns_name_t *name, *origin;
 	
-	if (rbtdbiter->result != DNS_R_SUCCESS &&
-	    rbtdbiter->result != DNS_R_NOMORE)
+	if (rbtdbiter->result != ISC_R_SUCCESS &&
+	    rbtdbiter->result != ISC_R_NOMORE)
 		return (rbtdbiter->result);
 
 	unpause(rbtdbiter);
@@ -4315,18 +4338,18 @@ dbiterator_last(dns_dbiterator_t *iterator) {
 	result = dns_rbtnodechain_last(&rbtdbiter->chain, rbtdb->tree, name,
 				       origin);
 	if (result != DNS_R_NEWORIGIN) {
-		INSIST(result != DNS_R_SUCCESS);
-		if (result == DNS_R_NOTFOUND) {
+		INSIST(result != ISC_R_SUCCESS);
+		if (result == ISC_R_NOTFOUND) {
 			/*
 			 * The tree is empty.
 			 */
-			result = DNS_R_NOMORE;
+			result = ISC_R_NOMORE;
 		}
 		rbtdbiter->node = NULL;
 	} else {
 		result = dns_rbtnodechain_current(&rbtdbiter->chain, NULL,
 						  NULL, &rbtdbiter->node);
-		if (result == DNS_R_SUCCESS)
+		if (result == ISC_R_SUCCESS)
 			rbtdbiter->new_origin = ISC_TRUE;
 		else
 			rbtdbiter->node = NULL;
@@ -4343,8 +4366,8 @@ dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) {
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
 	dns_name_t *iname, *origin;
 	
-	if (rbtdbiter->result != DNS_R_SUCCESS &&
-	    rbtdbiter->result != DNS_R_NOMORE)
+	if (rbtdbiter->result != ISC_R_SUCCESS &&
+	    rbtdbiter->result != ISC_R_NOMORE)
 		return (rbtdbiter->result);
 
 	unpause(rbtdbiter);
@@ -4359,15 +4382,16 @@ dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) {
 	dns_rbtnodechain_reset(&rbtdbiter->chain);
 	rbtdbiter->node = NULL;
 	result = dns_rbt_findnode(rbtdb->tree, name, NULL, &rbtdbiter->node,
-				  &rbtdbiter->chain, ISC_TRUE, NULL, NULL);
-	if (result != DNS_R_SUCCESS) {
+				  &rbtdbiter->chain, DNS_RBTFIND_EMPTYDATA,
+				  NULL, NULL);
+	if (result != ISC_R_SUCCESS) {
 		if (result == DNS_R_PARTIALMATCH)
-			result = DNS_R_NOTFOUND;
+			result = ISC_R_NOTFOUND;
 		rbtdbiter->node = NULL;
 	} else {
 		result = dns_rbtnodechain_current(&rbtdbiter->chain, iname,
 						  origin, NULL);
-		if (result == DNS_R_SUCCESS)
+		if (result == ISC_R_SUCCESS)
 			rbtdbiter->new_origin = ISC_TRUE;
 		else
 			rbtdbiter->node = NULL;
@@ -4385,7 +4409,7 @@ dbiterator_prev(dns_dbiterator_t *iterator) {
 
 	REQUIRE(rbtdbiter->node != NULL);
 
-	if (rbtdbiter->result != DNS_R_SUCCESS)
+	if (rbtdbiter->result != ISC_R_SUCCESS)
 		return (rbtdbiter->result);
 
 	if (rbtdbiter->paused)
@@ -4394,14 +4418,14 @@ dbiterator_prev(dns_dbiterator_t *iterator) {
 	name = dns_fixedname_name(&rbtdbiter->name);
 	origin = dns_fixedname_name(&rbtdbiter->origin);
 	result = dns_rbtnodechain_prev(&rbtdbiter->chain, name, origin);
-	if (result == DNS_R_NEWORIGIN || result == DNS_R_SUCCESS) {
+	if (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
 		if (result == DNS_R_NEWORIGIN)
 			rbtdbiter->new_origin = ISC_TRUE;
 		else
 			rbtdbiter->new_origin = ISC_FALSE;
 		result = dns_rbtnodechain_current(&rbtdbiter->chain, NULL,
 						  NULL, &rbtdbiter->node);
-		if (result != DNS_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS) {
 			rbtdbiter->result = result;
 			rbtdbiter->node = NULL;
 		}
@@ -4419,7 +4443,7 @@ dbiterator_next(dns_dbiterator_t *iterator) {
 
 	REQUIRE(rbtdbiter->node != NULL);
 
-	if (rbtdbiter->result != DNS_R_SUCCESS)
+	if (rbtdbiter->result != ISC_R_SUCCESS)
 		return (rbtdbiter->result);
 
 	if (rbtdbiter->paused)
@@ -4428,14 +4452,14 @@ dbiterator_next(dns_dbiterator_t *iterator) {
 	name = dns_fixedname_name(&rbtdbiter->name);
 	origin = dns_fixedname_name(&rbtdbiter->origin);
 	result = dns_rbtnodechain_next(&rbtdbiter->chain, name, origin);
-	if (result == DNS_R_NEWORIGIN || result == DNS_R_SUCCESS) {
+	if (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
 		if (result == DNS_R_NEWORIGIN)
 			rbtdbiter->new_origin = ISC_TRUE;
 		else
 			rbtdbiter->new_origin = ISC_FALSE;
 		result = dns_rbtnodechain_current(&rbtdbiter->chain, NULL,
 						  NULL, &rbtdbiter->node);
-		if (result != DNS_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS) {
 			rbtdbiter->result = result;
 			rbtdbiter->node = NULL;
 		}
@@ -4445,13 +4469,6 @@ dbiterator_next(dns_dbiterator_t *iterator) {
 	return (result);
 }
 
-static inline isc_boolean_t
-rootname(dns_name_t *name) {
-	if (dns_name_countlabels(name) == 1 && dns_name_isabsolute(name))
-		return (ISC_TRUE);
-	return (ISC_FALSE);
-}
-
 static isc_result_t
 dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
 		   dns_name_t *name)
@@ -4463,7 +4480,7 @@ dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
 	dns_name_t *nodename = dns_fixedname_name(&rbtdbiter->name);
 	dns_name_t *origin = dns_fixedname_name(&rbtdbiter->origin);
 
-	REQUIRE(rbtdbiter->result == DNS_R_SUCCESS);
+	REQUIRE(rbtdbiter->result == ISC_R_SUCCESS);
 	REQUIRE(rbtdbiter->node != NULL);
 
 	if (rbtdbiter->paused)
@@ -4473,12 +4490,12 @@ dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
 		if (rbtdbiter->common.relative_names || rootname(nodename))
 			origin = NULL;
 		result = dns_name_concatenate(nodename, origin, name, NULL);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 		if (rbtdbiter->common.relative_names && rbtdbiter->new_origin)
 			result = DNS_R_NEWORIGIN;
 	} else
-		result = DNS_R_SUCCESS;
+		result = ISC_R_SUCCESS;
 		
 	LOCK(&rbtdb->node_locks[node->locknum].lock);
 	new_reference(rbtdb, node);
@@ -4495,8 +4512,8 @@ dbiterator_pause(dns_dbiterator_t *iterator) {
 	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
 	dns_rbtnode_t *node = rbtdbiter->node;
 
-	if (rbtdbiter->result != DNS_R_SUCCESS &&
-	    rbtdbiter->result != DNS_R_NOMORE)
+	if (rbtdbiter->result != ISC_R_SUCCESS &&
+	    rbtdbiter->result != ISC_R_NOMORE)
 		return (rbtdbiter->result);
 
 	REQUIRE(!rbtdbiter->paused);
@@ -4513,7 +4530,7 @@ dbiterator_pause(dns_dbiterator_t *iterator) {
 	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
 	rbtdbiter->tree_locked = ISC_FALSE;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
@@ -4521,7 +4538,7 @@ dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
 	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
 	dns_name_t *origin = dns_fixedname_name(&rbtdbiter->origin);
 
-	if (rbtdbiter->result != DNS_R_SUCCESS)
+	if (rbtdbiter->result != ISC_R_SUCCESS)
 		return (rbtdbiter->result);
 
 	return (dns_name_concatenate(origin, NULL, name, NULL));
diff --git a/lib/dns/rbtdb.h b/lib/dns/rbtdb.h
index dce8c57a..989505da 100644
--- a/lib/dns/rbtdb.h
+++ b/lib/dns/rbtdb.h
@@ -18,6 +18,9 @@
 #ifndef DNS_RBTDB_H
 #define DNS_RBTDB_H 1
 
+#include <isc/lang.h>
+#include <dns/types.h>
+
 /*****
  ***** Module Info
  *****/
@@ -26,9 +29,13 @@
  * DNS Red-Black Tree DB Implementation
  */
 
+ISC_LANG_BEGINDECLS
+
 isc_result_t
 dns_rbtdb_create(isc_mem_t *mctx, dns_name_t *base, isc_boolean_t is_cache,
 		 dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
 		 dns_db_t **dbp);
 
+ISC_LANG_ENDDECLS
+
 #endif /* DNS_RBTDB_H */
diff --git a/lib/dns/rbtdb64.h b/lib/dns/rbtdb64.h
index d52e89b8..f22cb610 100644
--- a/lib/dns/rbtdb64.h
+++ b/lib/dns/rbtdb64.h
@@ -18,6 +18,8 @@
 #ifndef DNS_RBTDB64_H
 #define DNS_RBTDB64_H 1
 
+#include <isc/lang.h>
+
 /*****
  ***** Module Info
  *****/
@@ -28,9 +30,13 @@
 
 #include <dns/db.h>
 
+ISC_LANG_BEGINDECLS
+
 isc_result_t
 dns_rbtdb64_create(isc_mem_t *mctx, dns_name_t *base, isc_boolean_t is_cache,
 		   dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
 		   dns_db_t **dbp);
 
-#endif /* DNS_RBTDB_H */
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RBTDB64_H */
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
index 42478a15..7aa7c68a 100644
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -15,40 +15,36 @@
  * SOFTWARE.
  */
 
-/* $Id: rdata.c,v 1.72 2000/03/22 17:28:57 gson Exp $ */
+/* $Id: rdata.c,v 1.93 2000/05/20 01:05:50 explorer Exp $ */
 
 #include <config.h>
-
-#include <stdarg.h>
-#include <stdio.h>
+#include <ctype.h>
 
 #include <isc/base64.h>
-#include <isc/buffer.h>
 #include <isc/lex.h>
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/region.h>
+#include <isc/mem.h>
+#include <isc/string.h>
 #include <isc/util.h>
 
-#include <dns/types.h>
-#include <dns/result.h>
+#include <dns/callbacks.h>
+#include <dns/cert.h>
+#include <dns/compress.h>
+#include <dns/keyflags.h>
+#include <dns/rcode.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
+#include <dns/rdatastruct.h>
 #include <dns/rdatatype.h>
-#include <dns/rcode.h>
-#include <dns/cert.h>
+#include <dns/result.h>
 #include <dns/secalg.h>
 #include <dns/secproto.h>
-#include <dns/keyflags.h>
-#include <dns/fixedname.h>
-#include <dns/rdatastruct.h>
 #include <dns/time.h>
 #include <dns/ttl.h>
 
 #define RETERR(x) do { \
-	isc_result_t __r = (x); \
-	if (__r != DNS_R_SUCCESS) \
-		return (__r); \
+	isc_result_t _r = (x); \
+	if (_r != ISC_R_SUCCESS) \
+		return (_r); \
 	} while (0)
 
 /*
@@ -63,89 +59,115 @@ typedef struct dns_rdata_textctx {
   	char *linebreak;	/* Line break string. */
 } dns_rdata_textctx_t;
 
-static isc_result_t	txt_totext(isc_region_t *source, isc_buffer_t *target);
-static isc_result_t	txt_fromtext(isc_textregion_t *source,
-				     isc_buffer_t *target);
-static isc_result_t	txt_fromwire(isc_buffer_t *source,
-				    isc_buffer_t *target);
-static isc_boolean_t	name_prefix(dns_name_t *name, dns_name_t *origin,
-				    dns_name_t *target);
-static unsigned int 	name_length(dns_name_t *name);
-static isc_result_t	str_totext(char *source, isc_buffer_t *target);
-static isc_boolean_t	buffer_empty(isc_buffer_t *source);
-static void		buffer_fromregion(isc_buffer_t *buffer,
-					  isc_region_t *region,
-					  unsigned int type);
-static isc_result_t	uint32_tobuffer(isc_uint32_t,
-					isc_buffer_t *target);
-static isc_result_t	uint16_tobuffer(isc_uint32_t,
-					isc_buffer_t *target);
-static isc_result_t	uint8_tobuffer(isc_uint32_t value,
-				       isc_buffer_t *target);
-static isc_uint32_t	uint32_fromregion(isc_region_t *region);
-static isc_uint16_t	uint16_fromregion(isc_region_t *region);
-static isc_uint8_t	uint8_fromregion(isc_region_t *region);
-static isc_result_t	gettoken(isc_lex_t *lexer, isc_token_t *token,
-				 isc_tokentype_t expect, isc_boolean_t eol);
-static isc_result_t	mem_tobuffer(isc_buffer_t *target, void *base,
-				     unsigned int length);
-static int		compare_region(isc_region_t *r1, isc_region_t *r2);
-static int		hexvalue(char value);
-static int		decvalue(char value);
-static isc_result_t	btoa_totext(unsigned char *inbuf, int inbuflen,
-				    isc_buffer_t *target);
-static isc_result_t	atob_tobuffer(isc_lex_t *lexer, isc_buffer_t *target);
-static void		default_fromtext_callback(
-					    dns_rdatacallbacks_t *callbacks,
-						  char *, ...);
-
-static void		fromtext_error(void (*callback)(dns_rdatacallbacks_t *,
-							char *, ...),
-				       dns_rdatacallbacks_t *callbacks,
-				       char *name, int line,
-				       isc_token_t *token,
-				       isc_result_t result);
-
-static isc_result_t	 rdata_totext(dns_rdata_t *rdata,
-				      dns_rdata_textctx_t *tctx,
-				      isc_buffer_t *target);
+static isc_result_t
+txt_totext(isc_region_t *source, isc_buffer_t *target);
+
+static isc_result_t
+txt_fromtext(isc_textregion_t *source, isc_buffer_t *target);
+
+static isc_result_t
+txt_fromwire(isc_buffer_t *source, isc_buffer_t *target);
+
+static isc_boolean_t
+name_prefix(dns_name_t *name, dns_name_t *origin, dns_name_t *target);
+
+static unsigned int
+name_length(dns_name_t *name);
+
+static isc_result_t
+str_totext(char *source, isc_buffer_t *target);
+
+static isc_boolean_t
+buffer_empty(isc_buffer_t *source);
+
+static void
+buffer_fromregion(isc_buffer_t *buffer, isc_region_t *region);
+
+static isc_result_t
+uint32_tobuffer(isc_uint32_t, isc_buffer_t *target);
+
+static isc_result_t
+uint16_tobuffer(isc_uint32_t, isc_buffer_t *target);
+
+static isc_result_t
+uint8_tobuffer(isc_uint32_t, isc_buffer_t *target);
+
+static isc_result_t
+name_tobuffer(dns_name_t *name, isc_buffer_t *target);
+
+static isc_uint32_t
+uint32_fromregion(isc_region_t *region);
+
+static isc_uint16_t
+uint16_fromregion(isc_region_t *region);
+
+static isc_uint8_t
+uint8_fromregion(isc_region_t *region);
+
+static isc_result_t
+gettoken(isc_lex_t *lexer, isc_token_t *token, isc_tokentype_t expect,
+	 isc_boolean_t eol);
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
+
+static int
+compare_region(isc_region_t *r1, isc_region_t *r2);
+
+static int
+hexvalue(char value);
+
+static int
+decvalue(char value);
+
+static isc_result_t
+btoa_totext(unsigned char *inbuf, int inbuflen, isc_buffer_t *target);
+
+static isc_result_t
+atob_tobuffer(isc_lex_t *lexer, isc_buffer_t *target);
+
+static void
+default_fromtext_callback(dns_rdatacallbacks_t *callbacks, char *, ...);
+
+static void
+fromtext_error(void (*callback)(dns_rdatacallbacks_t *, char *, ...),
+	       dns_rdatacallbacks_t *callbacks, char *name, int line,
+	       isc_token_t *token, isc_result_t result);
+
+static isc_result_t
+rdata_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
+	     isc_buffer_t *target);
+
+static inline isc_result_t
+name_duporclone(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target) {
+
+	if (mctx != NULL)
+                return (dns_name_dup(source, mctx, target));
+	dns_name_clone(source, target);
+	return (ISC_R_SUCCESS);
+}
+
+static inline void *
+mem_maybedup(isc_mem_t *mctx, void *source, size_t length) {
+	void *new;
+
+	if (mctx == NULL)
+		return (source);
+	new = isc_mem_allocate(mctx, length);
+	if (new != NULL)
+		memcpy(new, source, length);
+
+	return (new);
+}
 
 static const char hexdigits[] = "0123456789abcdef";
 static const char decdigits[] = "0123456789";
-static const char octdigits[] = "01234567";
 
 #include "code.h"
 
 #define META 0x0001
 #define RESERVED 0x0002
 
-#define METATYPES \
-	{ 0, "RESERVED0", META }, \
-	{ 31, "EID", RESERVED }, \
-	{ 32, "NIMLOC", RESERVED }, \
-	{ 34, "ATMA", RESERVED }, \
-	{ 100, "UINFO", RESERVED }, \
-	{ 101, "UID", RESERVED }, \
-	{ 102, "GID", RESERVED }, \
-	{ 249, "TKEY", META }, \
-	{ 250, "TSIG", META }, \
-	{ 251, "IXFR", META }, \
-	{ 252, "AXFR", META }, \
-	{ 253, "MAILB", META }, \
-	{ 254, "MAILA", META }, \
-	{ 255, "ANY", META },
-
-/*
- * Empty classes are those without any types of their own.
- */
-#define EMPTYCLASSES \
-	{ 3, "CHAOS", 0 },
-
-#define METACLASSES \
-	{ 0, "RESERVED0", META }, \
-	{ 254, "NONE", META }, \
-	{ 255, "ANY", META },
-
 #define RCODENAMES \
 	/* standard rcodes */ \
 	{ dns_rcode_noerror, "NOERROR", 0}, \
@@ -194,16 +216,16 @@ static const char octdigits[] = "01234567";
 	{ 255,    "ALL", 0 }, \
 	{ 0, NULL, 0}
 
-static struct tbl {
+struct tbl {
 	unsigned int	value;
 	char	*name;
 	int	flags;
-} types[] = { TYPENAMES METATYPES {0, NULL, 0} },
-classes[] = { METACLASSES CLASSNAMES EMPTYCLASSES { 0, NULL, 0} },
-rcodes[] = { RCODENAMES },
-certs[] = { CERTNAMES },
-secalgs[] = { SECALGNAMES },
-secprotos[] = { SECPROTONAMES };
+};
+
+static struct tbl rcodes[] = { RCODENAMES };
+static struct tbl certs[] = { CERTNAMES };
+static struct tbl secalgs[] = { SECALGNAMES };
+static struct tbl secprotos[] = { SECPROTONAMES };
 
 static struct keyflag {
 	char *name;
@@ -328,14 +350,12 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 		   dns_decompress_t *dctx, isc_boolean_t downcase,
 		   isc_buffer_t *target)
 {
-	isc_result_t result = DNS_R_NOTIMPLEMENTED;
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
 	isc_region_t region;
 	isc_buffer_t ss;
 	isc_buffer_t st;
 	isc_boolean_t use_default = ISC_FALSE;
 
-	REQUIRE(isc_buffer_type(source) == ISC_BUFFERTYPE_BINARY);
-	REQUIRE(isc_buffer_type(target) == ISC_BUFFERTYPE_BINARY);
 	REQUIRE(dctx != NULL);
 
 	ss = *source;
@@ -348,16 +368,18 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 	if (use_default)
 		(void)NULL;
 
-	/* We should have consumed all of our buffer. */
-	if (result == DNS_R_SUCCESS && !buffer_empty(source))
+	/*
+	 * We should have consumed all of our buffer.
+	 */
+	if (result == ISC_R_SUCCESS && !buffer_empty(source))
 		result = DNS_R_EXTRADATA;
 
-	if (rdata && result == DNS_R_SUCCESS) {
+	if (rdata && result == ISC_R_SUCCESS) {
 		region.length = target->used - st.used;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}
 
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		*source = ss;
 		*target = st;
 	}
@@ -368,26 +390,26 @@ isc_result_t
 dns_rdata_towire(dns_rdata_t *rdata, dns_compress_t *cctx,
 	         isc_buffer_t *target)
 {
-	isc_result_t result = DNS_R_NOTIMPLEMENTED;
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
 	isc_boolean_t use_default = ISC_FALSE;
 	isc_region_t tr;
 	isc_buffer_t st;
 
 	REQUIRE(rdata != NULL);
-	REQUIRE(isc_buffer_type(target) == ISC_BUFFERTYPE_BINARY);
+
 	st = *target;
 
 	TOWIRESWITCH
 	
 	if (use_default) {
-		isc_buffer_available(target, &tr);
+		isc_buffer_availableregion(target, &tr);
 		if (tr.length < rdata->length) 
-			return (DNS_R_NOSPACE);
+			return (ISC_R_NOSPACE);
 		memcpy(tr.base, rdata->data, rdata->length);
 		isc_buffer_add(target, rdata->length);
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 	}
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		*target = st;
 		INSIST(target->used < 65536);
 		dns_compress_rollback(cctx, (isc_uint16_t)target->used);
@@ -401,7 +423,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 		   dns_name_t *origin, isc_boolean_t downcase,
 		   isc_buffer_t *target, dns_rdatacallbacks_t *callbacks)
 {
-	isc_result_t result = DNS_R_NOTIMPLEMENTED;
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
 	isc_region_t region;
 	isc_buffer_t st;
 	isc_boolean_t use_default = ISC_FALSE;
@@ -413,9 +435,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 	void (*callback)(dns_rdatacallbacks_t *, char *, ...);
 	isc_result_t iresult;
 
-	if (origin != NULL)
-		REQUIRE(dns_name_isabsolute(origin) == ISC_TRUE);
-	REQUIRE(isc_buffer_type(target) == ISC_BUFFERTYPE_BINARY);
+	REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
 
 	st = *target;
 	region.base = (unsigned char *)(target->base) + target->used;
@@ -442,19 +462,19 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 		line = isc_lex_getsourceline(lexer);
 		iresult = isc_lex_gettoken(lexer, options, &token);
 		if (iresult != ISC_R_SUCCESS) {
-			if (result == DNS_R_SUCCESS) {
+			if (result == ISC_R_SUCCESS) {
 				switch (iresult) {
 				case ISC_R_NOMEMORY:
-					result = DNS_R_NOMEMORY;
+					result = ISC_R_NOMEMORY;
 					break;
 				case ISC_R_NOSPACE:
-					result = DNS_R_NOSPACE;
+					result = ISC_R_NOSPACE;
 					break;
 				default:
 					UNEXPECTED_ERROR(__FILE__, __LINE__,
 					    "isc_lex_gettoken() failed: %s",
 					    isc_result_totext(result));
-					result = DNS_R_UNEXPECTED;
+					result = ISC_R_UNEXPECTED;
 					break;
 				}
 			}
@@ -464,14 +484,14 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 			break;
 		} else if (token.type != isc_tokentype_eol &&
 			   token.type != isc_tokentype_eof) {
-			if (result == DNS_R_SUCCESS)
+			if (result == ISC_R_SUCCESS)
 				result = DNS_R_EXTRATOKEN;
 			if (callback != NULL) {
 				fromtext_error(callback, callbacks, name,
 					       line, &token, result);
 				callback = NULL;
 			}
-		} else if (result != DNS_R_SUCCESS && callback != NULL) {
+		} else if (result != ISC_R_SUCCESS && callback != NULL) {
 			fromtext_error(callback, callbacks, name, line,
 				       &token, result);
 			break;
@@ -479,11 +499,11 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 			break;
 	} while (1);
 
-	if (rdata != NULL && result == DNS_R_SUCCESS) {
+	if (rdata != NULL && result == ISC_R_SUCCESS) {
 		region.length = target->used - st.used;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		*target = st;
 	}
 	return (result);
@@ -493,17 +513,18 @@ static isc_result_t
 rdata_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	     isc_buffer_t *target)
 {
-	isc_result_t result = DNS_R_NOTIMPLEMENTED;
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
 	isc_boolean_t use_default = ISC_FALSE;
 	
 	REQUIRE(rdata != NULL);
-	REQUIRE(isc_buffer_type(target) == ISC_BUFFERTYPE_TEXT);
-	if (tctx->origin != NULL)
-		REQUIRE(dns_name_isabsolute(tctx->origin) == ISC_TRUE);
+	REQUIRE(tctx->origin == NULL ||
+		dns_name_isabsolute(tctx->origin) == ISC_TRUE);
 
-	/* Some DynDNS meta-RRs have empty rdata. */
+	/*
+	 * Some DynDNS meta-RRs have empty rdata.
+	 */
 	if (rdata->length == 0)
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 
 	TOTEXTSWITCH
 
@@ -514,10 +535,11 @@ rdata_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 }
 
 isc_result_t
-dns_rdata_totext(dns_rdata_t *rdata, dns_name_t *origin,
-		 isc_buffer_t *target)
+dns_rdata_totext(dns_rdata_t *rdata, dns_name_t *origin, isc_buffer_t *target)
 {
-	/* Set up formatting options for single-line output. */
+	/*
+	 * Set up formatting options for single-line output.
+	 */
 	dns_rdata_textctx_t tctx;
 	tctx.origin = origin;
 	tctx.flags = 0;
@@ -531,7 +553,9 @@ dns_rdata_tofmttext(dns_rdata_t *rdata, dns_name_t *origin,
 		    unsigned int flags, unsigned int width,
 		    char *linebreak, isc_buffer_t *target)
 {
-	/* Set up formatting options for formatted output. */
+	/*
+	 * Set up formatting options for formatted output.
+	 */
 	dns_rdata_textctx_t tctx;
 	tctx.origin = origin;
 	tctx.flags = flags;
@@ -550,13 +574,12 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 		     dns_rdatatype_t type, void *source,
 		     isc_buffer_t *target)
 {
-	isc_result_t result = DNS_R_NOTIMPLEMENTED;
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
 	isc_buffer_t st;
 	isc_region_t region;
 	isc_boolean_t use_default = ISC_FALSE;
 
 	REQUIRE(source != NULL);
-	REQUIRE(isc_buffer_type(target) == ISC_BUFFERTYPE_BINARY);
 
 	region.base = (unsigned char *)(target->base) + target->used;
 	st = *target;
@@ -566,18 +589,18 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 	if (use_default)
 		(void)NULL;
 
-	if (rdata != NULL && result == DNS_R_SUCCESS) {
+	if (rdata != NULL && result == ISC_R_SUCCESS) {
 		region.length = target->used - st.used;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		*target = st;
 	return (result);
 }
 
 isc_result_t
 dns_rdata_tostruct(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
-	isc_result_t result = DNS_R_NOTIMPLEMENTED;
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
 	isc_boolean_t use_default = ISC_FALSE;
 
 	REQUIRE(rdata != NULL);
@@ -602,7 +625,7 @@ isc_result_t
 dns_rdata_additionaldata(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 			 void *arg)
 {
-	isc_result_t result = DNS_R_NOTIMPLEMENTED;
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
 	isc_boolean_t use_default = ISC_FALSE;
 
 	/*
@@ -623,7 +646,7 @@ dns_rdata_additionaldata(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 
 isc_result_t
 dns_rdata_digest(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
-	isc_result_t result = DNS_R_NOTIMPLEMENTED;
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
 	isc_boolean_t use_default = ISC_FALSE;
 
 	/*
@@ -641,6 +664,15 @@ dns_rdata_digest(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
 	return (result);
 }
 
+unsigned int
+dns_rdatatype_attributes(dns_rdatatype_t type)
+{
+	if (type > 255)
+		return (DNS_RDATATYPEATTR_UNKNOWN);
+
+	return (typeattr[type].flags);
+}
+
 #define NUMBERSIZE sizeof("037777777777") /* 2^32-1 octal + NUL */ 
 
 static isc_result_t
@@ -665,11 +697,13 @@ dns_mnemonic_fromtext(unsigned int *valuep, isc_textregion_t *source,
 		n = strtoul(buffer, &e, 10);
 		if (*e == 0) {
 			if (n > max)
-				return (DNS_R_RANGE);
+				return (ISC_R_RANGE);
 			*valuep = n;
-			return (DNS_R_SUCCESS);
+			return (ISC_R_SUCCESS);
 		}
-		/* It was not a number after all; fall through. */
+		/*
+		 * It was not a number after all; fall through.
+		 */
 	}
 	
 	for (i = 0; table[i].name != NULL; i++) {
@@ -678,7 +712,7 @@ dns_mnemonic_fromtext(unsigned int *valuep, isc_textregion_t *source,
 		if (n == source->length &&
 		    strncasecmp(source->base, table[i].name, n) == 0) {
 			*valuep = table[i].value;
-			return (DNS_R_SUCCESS);
+			return (ISC_R_SUCCESS);
 		}
 	}
 	return (DNS_R_UNKNOWN);
@@ -700,58 +734,109 @@ dns_mnemonic_totext(unsigned int value, isc_buffer_t *target,
 	return (str_totext(buf, target));
 }
 
+
+/*
+ * This uses lots of hard coded values, but how often do we actually
+ * add classes?
+ */
 isc_result_t
 dns_rdataclass_fromtext(dns_rdataclass_t *classp, isc_textregion_t *source) {
-	int i = 0;
-	unsigned int n;
 
-	while (classes[i].name != NULL) {
-		n = strlen(classes[i].name);
-		if (n == source->length &&
-		    strncasecmp(source->base, classes[i].name, n) == 0) {
-			*classp = classes[i].value;
-			if ((classes[i].flags & RESERVED) != 0)
-				return (DNS_R_NOTIMPLEMENTED);
-			return (DNS_R_SUCCESS);
-		}
-		i++;
+#define COMPARE(string, flags, type) \
+	if (((sizeof(string) - 1) == source->length) \
+	    && (strcasecmp(source->base, string) == 0)) { \
+		*classp = type; \
+		if ((flags & RESERVED) != 0) \
+			return (ISC_R_NOTIMPLEMENTED); \
+		return (ISC_R_SUCCESS); \
 	}
+
+	switch (tolower((unsigned char)source->base[0])) {
+	case 'a':
+		COMPARE("any", META, dns_rdataclass_any);
+		break;
+	case 'c':
+		COMPARE("chaos", 0, dns_rdataclass_chaos);
+		break;
+	case 'h':
+		COMPARE("hs", 0, dns_rdataclass_hs);
+		break;
+	case 'i':
+		COMPARE("in", 0, dns_rdataclass_in);
+		break;
+	case 'n':
+		COMPARE("none", META, dns_rdataclass_none);
+		break;
+	case 'r':
+		COMPARE("reserved0", META, dns_rdataclass_reserved0);
+		break;
+	}
+
+#undef COMPARE
+
 	return (DNS_R_UNKNOWN);
 }
 
-/* XXXRTH  This should probably be a switch() */
-
 isc_result_t
 dns_rdataclass_totext(dns_rdataclass_t rdclass, isc_buffer_t *target) {
-	return (dns_mnemonic_totext(rdclass, target, classes));	
-}
+	char buf[sizeof "RDCLASS4294967296"];
+
+	switch (rdclass) {
+	case dns_rdataclass_any:
+		return (str_totext("ANY", target));
+	case dns_rdataclass_chaos:
+		return (str_totext("CHAOS", target));
+	case dns_rdataclass_hs:
+		return (str_totext("HS", target));
+	case dns_rdataclass_in:
+		return (str_totext("IN", target));
+	case dns_rdataclass_none:
+		return (str_totext("NONE", target));
+	case dns_rdataclass_reserved0:
+		return (str_totext("RESERVED0", target));
+	default:
+		sprintf(buf, "RDCLASS%u", rdclass);
+		return (str_totext(buf, target));
+	}
 
-/* XXXRTH  Should we use a hash table here? */
+}
 
 isc_result_t
 dns_rdatatype_fromtext(dns_rdatatype_t *typep, isc_textregion_t *source) {
-	int i = 0;
+	unsigned int hash;
 	unsigned int n;
+	unsigned char a, b;
+
+	n = source->length;
+
+	if (n == 0)
+		return (DNS_R_UNKNOWN);
+
+	a = tolower((unsigned char)source->base[0]);
+	b = tolower((unsigned char)source->base[n - 1]);
+
+	hash = ((a + n) * b) % 256;
+
+	/*
+	 * This switch block is inlined via #define, and will use "return"
+	 * to return a result to the caller if it is a valid (known)
+	 * rdatatype name.
+	 */
+	RDATATYPE_FROMTEXT_SW(hash, source->base, typep);
 
-	while (types[i].name != NULL) {
-		n = strlen(types[i].name);
-		if (n == source->length &&
-		    strncasecmp(source->base, types[i].name, n) == 0) {
-			*typep = types[i].value;
-			if ((types[i].flags & RESERVED) != 0)
-				return (DNS_R_NOTIMPLEMENTED);
-			return (DNS_R_SUCCESS);
-		}
-		i++;
-	}
 	return (DNS_R_UNKNOWN);
 }
 
-/* XXXRTH  This should probably be a switch() */
-
 isc_result_t
 dns_rdatatype_totext(dns_rdatatype_t type, isc_buffer_t *target) {
-	return (dns_mnemonic_totext(type, target, types));
+	char buf[sizeof "RRTYPE4294967296"];
+
+	if (type > 255) {
+		sprintf(buf, "RRTYPE%u", type);
+		return (str_totext(buf, target));
+	}
+
+	return (str_totext(typeattr[type].name, target));
 }
 
 /* XXXRTH  Should we use a hash table here? */
@@ -766,7 +851,7 @@ dns_rcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) {
 		if (n == source->length &&
 		    strncasecmp(source->base, rcodes[i].name, n) == 0) {
 			*rcodep = rcodes[i].value;
-			return (DNS_R_SUCCESS);
+			return (ISC_R_SUCCESS);
 		}
 		i++;
 	}
@@ -783,7 +868,7 @@ dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source) {
 	unsigned int value;
 	RETERR(dns_mnemonic_fromtext(&value, source, certs, 0xffff));
 	*certp = value;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }	
 
 isc_result_t
@@ -796,7 +881,7 @@ dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) {
 	unsigned int value;
 	RETERR(dns_mnemonic_fromtext(&value, source, secalgs, 0xff));
 	*secalgp = value;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -809,7 +894,7 @@ dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source) {
 	unsigned int value;
 	RETERR(dns_mnemonic_fromtext(&value, source, secprotos, 0xff));
 	*secprotop = value;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -839,9 +924,9 @@ dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source)
 		n = strtoul(buffer, &e, 0); /* Allow hex/octal. */
 		if (*e == 0) {
 			if (n > 0xffff)
-				return (DNS_R_RANGE);
+				return (ISC_R_RANGE);
 			*flagsp = n;
-			return (DNS_R_SUCCESS);
+			return (ISC_R_SUCCESS);
 		}
 		/* It was not a number after all; fall through. */
 	}
@@ -875,10 +960,12 @@ dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source)
 			text++;	/* Skip "|" */
 	}
 	*flagsp = value;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
-/* Private function */
+/*
+ * Private function.
+ */
 
 static unsigned int
 name_length(dns_name_t *name) {
@@ -893,7 +980,7 @@ txt_totext(isc_region_t *source, isc_buffer_t *target) {
 	char *tp;
 	isc_region_t region;
 
-	isc_buffer_available(target, &region);
+	isc_buffer_availableregion(target, &region);
 	sp = source->base;
 	tp = (char *)region.base;
 	tl = region.length;
@@ -903,13 +990,13 @@ txt_totext(isc_region_t *source, isc_buffer_t *target) {
 	REQUIRE(n + 1 <= source->length);
 
 	if (tl < 1)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	*tp++ = '"';
 	tl--;
 	while (n--) {
 		if (*sp < 0x20 || *sp > 0x7f) {
 			if (tl < 4)
-				return (DNS_R_NOSPACE);
+				return (ISC_R_NOSPACE);
 			sprintf(tp, "\\%03u", *sp++);
 			tp += 4;
 			tl -= 4;
@@ -917,22 +1004,22 @@ txt_totext(isc_region_t *source, isc_buffer_t *target) {
 		}
 		if (*sp == 0x22 || *sp == 0x3b || *sp == 0x5c) {
 			if (tl < 2)
-				return (DNS_R_NOSPACE);
+				return (ISC_R_NOSPACE);
 			*tp++ = '\\';
 			tl--;
 		}
 		if (tl < 1)
-			return (DNS_R_NOSPACE);
+			return (ISC_R_NOSPACE);
 		*tp++ = *sp++;
 		tl--;
 	}
 	if (tl < 1)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	*tp++ = '"';
 	tl--;
 	isc_buffer_add(target, tp - (char *)region.base);
 	isc_region_consume(source, *source->base + 1);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
@@ -945,18 +1032,22 @@ txt_fromtext(isc_textregion_t *source, isc_buffer_t *target) {
 	int d;
 	int c;
 
-	isc_buffer_available(target, &tregion);
+	isc_buffer_availableregion(target, &tregion);
 	s = source->base;
 	n = source->length;
 	t = tregion.base;
 	nrem = tregion.length;
 	escape = ISC_FALSE;
 	if (nrem < 1)
-		return (DNS_R_NOSPACE);
-	/* Length byte. */
+		return (ISC_R_NOSPACE);
+	/*
+	 * Length byte.
+	 */
 	nrem--;
 	t++;
-	/* Maximum text string length. */
+	/*
+	 * Maximum text string length.
+	 */
 	if (nrem > 255)
 		nrem = 255;
 	while (n-- != 0) {
@@ -985,7 +1076,7 @@ txt_fromtext(isc_textregion_t *source, isc_buffer_t *target) {
 		}
 		escape = ISC_FALSE;
 		if (nrem == 0) 
-			return (DNS_R_NOSPACE);
+			return (ISC_R_NOSPACE);
 		*t++ = c;
 		nrem--;
 	}
@@ -993,7 +1084,7 @@ txt_fromtext(isc_textregion_t *source, isc_buffer_t *target) {
 		return (DNS_R_SYNTAX);
 	*tregion.base = t - tregion.base - 1;
 	isc_buffer_add(target, *tregion.base + 1);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
@@ -1002,21 +1093,21 @@ txt_fromwire(isc_buffer_t *source, isc_buffer_t *target) {
 	isc_region_t sregion;
 	isc_region_t tregion;
 
-	isc_buffer_active(source, &sregion);
+	isc_buffer_activeregion(source, &sregion);
 	if (sregion.length == 0)
-		return(DNS_R_UNEXPECTEDEND);
+		return(ISC_R_UNEXPECTEDEND);
 	n = *sregion.base + 1;
 	if (n > sregion.length)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	
-	isc_buffer_available(target, &tregion);
+	isc_buffer_availableregion(target, &tregion);
 	if (n > tregion.length)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 
 	memcpy(tregion.base, sregion.base, n);
 	isc_buffer_forward(source, n);
 	isc_buffer_add(target, n);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_boolean_t
@@ -1051,15 +1142,15 @@ str_totext(char *source, isc_buffer_t *target) {
 	unsigned int l;
 	isc_region_t region;
 
-	isc_buffer_available(target, &region);
+	isc_buffer_availableregion(target, &region);
 	l = strlen(source);
 
 	if (l > region.length)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 
 	memcpy(region.base, source, l);
 	isc_buffer_add(target, l);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_boolean_t
@@ -1068,10 +1159,8 @@ buffer_empty(isc_buffer_t *source) {
 }
 
 static void
-buffer_fromregion(isc_buffer_t *buffer, isc_region_t *region,
-		  unsigned int type) {
-
-	isc_buffer_init(buffer, region->base, region->length, type);
+buffer_fromregion(isc_buffer_t *buffer, isc_region_t *region) {
+	isc_buffer_init(buffer, region->base, region->length);
 	isc_buffer_add(buffer, region->length);
 	isc_buffer_setactive(buffer, region->length);
 }
@@ -1080,11 +1169,11 @@ static isc_result_t
 uint32_tobuffer(isc_uint32_t value, isc_buffer_t *target) {
 	isc_region_t region;
 
-	isc_buffer_available(target, &region);
+	isc_buffer_availableregion(target, &region);
 	if (region.length < 4)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	isc_buffer_putuint32(target, value);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
@@ -1092,12 +1181,12 @@ uint16_tobuffer(isc_uint32_t value, isc_buffer_t *target) {
 	isc_region_t region;
 
 	if (value > 0xffff)
-		return (DNS_R_RANGE);
-	isc_buffer_available(target, &region);
+		return (ISC_R_RANGE);
+	isc_buffer_availableregion(target, &region);
 	if (region.length < 2)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	isc_buffer_putuint16(target, (isc_uint16_t)value);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
@@ -1105,12 +1194,19 @@ uint8_tobuffer(isc_uint32_t value, isc_buffer_t *target) {
 	isc_region_t region;
 
 	if (value > 0xff)
-		return (DNS_R_RANGE);
-	isc_buffer_available(target, &region);
+		return (ISC_R_RANGE);
+	isc_buffer_availableregion(target, &region);
 	if (region.length < 1)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	isc_buffer_putuint8(target, (isc_uint8_t)value);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+name_tobuffer(dns_name_t *name, isc_buffer_t *target) {
+	isc_region_t r;
+	dns_name_toregion(name, &r);
+	return (isc_buffer_copyregion(target, &r));
 }
 
 static isc_uint32_t
@@ -1158,41 +1254,41 @@ gettoken(isc_lex_t *lexer, isc_token_t *token, isc_tokentype_t expect,
 	case ISC_R_SUCCESS:
 		break;
 	case ISC_R_NOMEMORY:
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 	case ISC_R_NOSPACE:
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	default:
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_lex_gettoken() failed: %s",
 				 isc_result_totext(result));
-                return (DNS_R_UNEXPECTED);
+                return (ISC_R_UNEXPECTED);
 	}
 	if (eol && ((token->type == isc_tokentype_eol) || 
 		    (token->type == isc_tokentype_eof)))
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 	if (token->type == isc_tokentype_string &&
 	    expect == isc_tokentype_qstring)
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
         if (token->type != expect) {
                 isc_lex_ungettoken(lexer, token);
                 if (token->type == isc_tokentype_eol ||
                     token->type == isc_tokentype_eof)
-                        return (DNS_R_UNEXPECTEDEND);
-                return (DNS_R_UNEXPECTEDTOKEN);
+                        return (ISC_R_UNEXPECTEDEND);
+                return (ISC_R_UNEXPECTEDTOKEN);
         }
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
 mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
 	isc_region_t tr;
 
-	isc_buffer_available(target, &tr);
+	isc_buffer_availableregion(target, &tr);
         if (length > tr.length)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	memcpy(tr.base, base, length);
 	isc_buffer_add(target, length);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static int
@@ -1212,10 +1308,14 @@ compare_region(isc_region_t *r1, isc_region_t *r2) {
 static int
 hexvalue(char value) {
 	char *s;
-	if (!isascii(value & 0xff))
+	unsigned char c;
+
+	c = (unsigned char)value;
+
+	if (!isascii(c))
 		return (-1);
-	if (isupper(value & 0xff))
-		value = tolower(value);
+	if (isupper(c))
+		c = tolower(c);
 	if ((s = strchr(hexdigits, value)) == NULL)
 		return (-1);
 	return (s - hexdigits);
@@ -1224,7 +1324,12 @@ hexvalue(char value) {
 static int
 decvalue(char value) {
 	char *s;
-	if (!isascii(value&0xff))
+
+	/*
+	 * isascii() is valid for full range of int values, no need to
+	 * mask or cast.
+	 */
+	if (!isascii(value))
 		return (-1);
 	if ((s = strchr(decdigits, value)) == NULL)
 		return (-1);
@@ -1232,7 +1337,8 @@ decvalue(char value) {
 }
 
 static const char atob_digits[86] =
-"!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstu";
+	"!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`" \
+	"abcdefghijklmnopqrstu";
 /*
  * Subroutines to convert between 8 bit binary bytes and printable ASCII.
  * Computes the number of bytes, and three kinds of simple checksums.
@@ -1269,8 +1375,9 @@ static isc_result_t	byte_atob(int c, isc_buffer_t *target,
 static isc_result_t	putbyte(int c, isc_buffer_t *, struct state *state);
 static isc_result_t	byte_btoa(int c, isc_buffer_t *, struct state *state);
 
-/* Decode ASCII-encoded byte c into binary representation and 
- * place into *bufp, advancing bufp 
+/*
+ * Decode ASCII-encoded byte c into binary representation and 
+ * place into *bufp, advancing bufp.
  */
 static isc_result_t
 byte_atob(int c, isc_buffer_t *target, struct state *state) {
@@ -1304,10 +1411,12 @@ byte_atob(int c, isc_buffer_t *target, struct state *state) {
 		}
 	} else
 		return(DNS_R_SYNTAX);
-	return(DNS_R_SUCCESS);
+	return(ISC_R_SUCCESS);
 }
 
-/* Compute checksum info and place c into target */
+/*
+ * Compute checksum info and place c into target.
+ */
 static isc_result_t
 putbyte(int c, isc_buffer_t *target, struct state *state) {
 	isc_region_t tr;
@@ -1322,28 +1431,30 @@ putbyte(int c, isc_buffer_t *target, struct state *state) {
 		Crot <<= 1;
 	}
 	Crot += c;
-	isc_buffer_available(target, &tr);
+	isc_buffer_availableregion(target, &tr);
 	if (tr.length < 1)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	tr.base[0] = c;
 	isc_buffer_add(target, 1);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
-/* Read the ASCII-encoded data from inbuf, of length inbuflen, and convert
-   it into T_UNSPEC (binary data) in outbuf, not to exceed outbuflen bytes;
-   outbuflen must be divisible by 4.  (Note: this is because outbuf is filled
-   in 4 bytes at a time.  If the actual data doesn't end on an even 4-byte
-   boundary, there will be no problem...it will be padded with 0 bytes, and
-   numbytes will indicate the correct number of bytes.  The main point is
-   that since the buffer is filled in 4 bytes at a time, even if there is
-   not a full 4 bytes of data at the end, there has to be room to 0-pad the
-   data, so the buffer must be of size divisible by 4).  Place the number of
-   output bytes in numbytes, and return a failure/success status  */
+/*
+ * Read the ASCII-encoded data from inbuf, of length inbuflen, and convert
+ * it into T_UNSPEC (binary data) in outbuf, not to exceed outbuflen bytes;
+ * outbuflen must be divisible by 4.  (Note: this is because outbuf is filled
+ * in 4 bytes at a time.  If the actual data doesn't end on an even 4-byte
+ * boundary, there will be no problem...it will be padded with 0 bytes, and
+ * numbytes will indicate the correct number of bytes.  The main point is
+ * that since the buffer is filled in 4 bytes at a time, even if there is
+ * not a full 4 bytes of data at the end, there has to be room to 0-pad the
+ * data, so the buffer must be of size divisible by 4).  Place the number of
+ * output bytes in numbytes, and return a failure/success status.
+ */
 
 static isc_result_t
 atob_tobuffer(isc_lex_t *lexer, isc_buffer_t *target) {
-	isc_int32_t oeor, osum, orot;
+	long oeor, osum, orot;
 	struct state statebuf, *state= &statebuf;
 	isc_token_t token;
 	char c;
@@ -1360,41 +1471,51 @@ atob_tobuffer(isc_lex_t *lexer, isc_buffer_t *target) {
 		isc_textregion_consume(&token.value.as_textregion, 1);
 	}
 
-	/* number of bytes */
+	/*
+	 * Number of bytes.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
 	if ((token.value.as_ulong % 4) != 0)
 		isc_buffer_subtract(target,  4 - (token.value.as_ulong % 4));
 
-	/* checksum */
+	/*
+	 * Checksum.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
-	oeor = strtoul(token.value.as_pointer, &e, 16);
+	oeor = strtol(token.value.as_pointer, &e, 16);
 	if (*e != 0)
 		return (DNS_R_SYNTAX);
 
-	/* checksum */
+	/*
+	 * Checksum.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
-	osum = strtoul(token.value.as_pointer, &e, 16);
+	osum = strtol(token.value.as_pointer, &e, 16);
 	if (*e != 0)
 		return (DNS_R_SYNTAX);
 
-	/* checksum */
+	/*
+	 * Checksum.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
-	orot = strtoul(token.value.as_pointer, &e, 16);
+	orot = strtol(token.value.as_pointer, &e, 16);
 	if (*e != 0)
 		return (DNS_R_SYNTAX);
 
 	if ((oeor != Ceor) || (osum != Csum) || (orot != Crot))
 		return(DNS_R_BADCKSUM);
-	return(DNS_R_SUCCESS);
+	return(ISC_R_SUCCESS);
 }
 
-/* Encode binary byte c into ASCII representation and place into *bufp,
-   advancing bufp */
+/*
+ * Encode binary byte c into ASCII representation and place into *bufp,
+ * advancing bufp.
+ */
 static isc_result_t
 byte_btoa(int c, isc_buffer_t *target, struct state *state) {
 	isc_region_t tr;
 
-	isc_buffer_available(target, &tr);
+	isc_buffer_availableregion(target, &tr);
 	Ceor ^= c;
 	Csum += c;
 	Csum += 1;
@@ -1411,7 +1532,7 @@ byte_btoa(int c, isc_buffer_t *target, struct state *state) {
 	if (bcount == 3) {
 		if (word == 0) {
 			if (tr.length < 1)
-				return (DNS_R_NOSPACE);
+				return (ISC_R_NOSPACE);
 			tr.base[0] = 'z';
 			isc_buffer_add(target, 1);
 		} else {
@@ -1419,7 +1540,9 @@ byte_btoa(int c, isc_buffer_t *target, struct state *state) {
 		    register isc_int32_t tmpword = word;
 			
 		    if (tmpword < 0) {	
-			   /* Because some don't support u_long */
+			   /*
+			    * Because some don't support u_long.
+			    */
 		    	tmp = 32;
 		    	tmpword -= (isc_int32_t)(85 * 85 * 85 * 85 * 32);
 		    }
@@ -1428,7 +1551,7 @@ byte_btoa(int c, isc_buffer_t *target, struct state *state) {
 		    	tmpword -= (isc_int32_t)(85 * 85 * 85 * 85 * 32);
 		    }
 			if (tr.length < 5)
-				return (DNS_R_NOSPACE);
+				return (ISC_R_NOSPACE);
 		    	tr.base[0] = atob_digits[(tmpword /
 					      (isc_int32_t)(85 * 85 * 85 * 85))
 						+ tmp];
@@ -1446,7 +1569,7 @@ byte_btoa(int c, isc_buffer_t *target, struct state *state) {
 	} else {
 		bcount += 1;
 	}
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 
@@ -1480,7 +1603,7 @@ static void
 default_fromtext_callback(dns_rdatacallbacks_t *callbacks, char *fmt, ...) {
 	va_list ap;
 
-	callbacks = callbacks; /*unused*/
+	UNUSED(callbacks);
 
 	va_start(ap, fmt);
 	vfprintf(stderr, fmt, ap);
@@ -1537,41 +1660,70 @@ dns_rdata_covers(dns_rdata_t *rdata) {
 	return (covers_sig(rdata));
 }
 
-static isc_boolean_t
-ismeta(unsigned int code, struct tbl *table) {
-	struct tbl *t;
-	REQUIRE(code < 65536);
-	/* XXXBEW Yes, this is a hack.  But otherwise TKEY will not work */
-	if (code == dns_rdatatype_tsig || code == dns_rdatatype_tkey)
+isc_boolean_t
+dns_rdatatype_ismeta(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_META) != 0)
 		return (ISC_TRUE);
-	for (t = table; t->name != NULL; t++) {
-		if (code == t->value)
-			return ((t->flags & META) ? ISC_TRUE : ISC_FALSE);
-	}
-	return (ISC_FALSE); /* Unknown, assume non-meta. */
+	return (ISC_FALSE);
 }
 
 isc_boolean_t
-dns_rdatatype_ismeta(dns_rdatatype_t type) {
-	return (ismeta(type, types));
-}	
+dns_rdatatype_issingleton(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_SINGLETON)
+	    != 0)
+		return (ISC_TRUE);
+	return (ISC_FALSE);
+}
+
+isc_boolean_t
+dns_rdatatype_notquestion(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_NOTQUESTION)
+	    != 0)
+		return (ISC_TRUE);
+	return (ISC_FALSE);
+}
+
+isc_boolean_t
+dns_rdatatype_questiononly(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_QUESTIONONLY)
+	    != 0)
+		return (ISC_TRUE);
+	return (ISC_FALSE);
+}
 
 isc_boolean_t
 dns_rdataclass_ismeta(dns_rdataclass_t rdclass) {
-	return (ismeta(rdclass, classes));
+	REQUIRE(rdclass < 65536);
+
+	if (rdclass == dns_rdataclass_reserved0
+	    || rdclass == dns_rdataclass_none
+	    || rdclass == dns_rdataclass_any)
+		return (ISC_TRUE);
+
+	return (ISC_FALSE);  /* Assume it is not a meta class. */
 }
 
 isc_boolean_t
 dns_rdatatype_isdnssec(dns_rdatatype_t type) {
-	return ((type == dns_rdatatype_sig ||
-		 type == dns_rdatatype_key ||
-		 type == dns_rdatatype_nxt) ?
-		ISC_TRUE : ISC_FALSE);
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_DNSSEC) != 0)
+		return (ISC_TRUE);
+	return (ISC_FALSE);
 }
 
 isc_boolean_t
 dns_rdatatype_iszonecutauth(dns_rdatatype_t type) {
-	return (type == dns_rdatatype_ns ||
-		dns_rdatatype_isdnssec(type) ?
-		ISC_TRUE : ISC_FALSE);
+	if ((dns_rdatatype_attributes(type)
+	     & (DNS_RDATATYPEATTR_DNSSEC | DNS_RDATATYPEATTR_ZONECUTAUTH))
+	    != 0)
+		return (ISC_TRUE);
+	return (ISC_FALSE);
 }
+
+isc_boolean_t
+dns_rdatatype_isknown(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_UNKNOWN)
+	    == 0)
+		return (ISC_TRUE);
+	return (ISC_FALSE);
+}
+
diff --git a/lib/dns/rdata/any_255/tsig_250.c b/lib/dns/rdata/any_255/tsig_250.c
index 2488a853..6195040c 100644
--- a/lib/dns/rdata/any_255/tsig_250.c
+++ b/lib/dns/rdata/any_255/tsig_250.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: tsig_250.c,v 1.25 2000/03/20 22:44:33 gson Exp $ */
+/* $Id: tsig_250.c,v 1.38 2000/05/22 12:37:28 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 13:39:43 PST 2000 by gson */
 
@@ -24,7 +24,8 @@
 #ifndef RDATA_ANY_255_TSIG_250_C
 #define RDATA_ANY_255_TSIG_250_C
 
-#include <isc/str.h>
+#define RRTYPE_TSIG_ATTRIBUTES \
+	(DNS_RDATATYPEATTR_META | DNS_RDATATYPEATTR_NOTQUESTION)
 
 static inline isc_result_t
 fromtext_any_tsig(dns_rdataclass_t rdclass, dns_rdatatype_t type,
@@ -40,59 +41,76 @@ fromtext_any_tsig(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	REQUIRE(type == 250);
 	REQUIRE(rdclass == 255);
 
-	/* Algorithm Name */
+	/*
+	 * Algorithm Name.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	RETERR(dns_name_fromtext(&name, &buffer, origin, downcase, target));
 
-	/* Time Signed: 48 bits */
+	/*
+	 * Time Signed: 48 bits.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
-	sigtime = isc_strtouq(token.value.as_pointer, &e, 10);
+	sigtime = isc_string_touint64(token.value.as_pointer, &e, 10);
 	if (*e != 0)
 		return (DNS_R_SYNTAX);
 	if ((sigtime >> 48) != 0)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	RETERR(uint16_tobuffer((isc_uint16_t)(sigtime >> 32), target));
 	RETERR(uint32_tobuffer((isc_uint32_t)(sigtime & 0xffffffffU), target));
 
-	/* Fudge */
+	/*
+	 * Fudge.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
 	if (token.value.as_ulong > 0xffff)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	RETERR(uint16_tobuffer(token.value.as_ulong, target));
 
-	/* Signature Size */
+	/*
+	 * Signature Size.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
 	if (token.value.as_ulong > 0xffff)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	RETERR(uint16_tobuffer(token.value.as_ulong, target));
 
-	/* Signature */
-	RETERR(isc_base64_tobuffer(lexer, target, token.value.as_ulong));
+	/*
+	 * Signature.
+	 */
+	RETERR(isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
 
-	/* Original ID */
+	/*
+	 * Original ID.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
 	if (token.value.as_ulong > 0xffff)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	RETERR(uint16_tobuffer(token.value.as_ulong, target));
 
-	/* Error */
+	/*
+	 * Error.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
 	if (token.value.as_ulong > 0xffff)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	RETERR(uint16_tobuffer(token.value.as_ulong, target));
 
-	/* Other Len */
+	/*
+	 * Other Len.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
 	if (token.value.as_ulong > 0xffff)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	RETERR(uint16_tobuffer(token.value.as_ulong, target));
 
-	/* Other Data */
-	return (isc_base64_tobuffer(lexer, target, token.value.as_ulong));
+	/*
+	 * Other Data.
+	 */
+	return (isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
 }
 
 static inline isc_result_t
@@ -113,7 +131,9 @@ totext_any_tsig(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	REQUIRE(rdata->rdclass == 255);
 
 	dns_rdata_toregion(rdata, &sr);
-	/* Algorithm Name */
+	/*
+	 * Algorithm Name.
+	 */
 	dns_name_init(&name, NULL);
 	dns_name_init(&prefix, NULL);
 	dns_name_fromregion(&name, &sr);
@@ -122,7 +142,9 @@ totext_any_tsig(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	RETERR(str_totext(" ", target));
 	isc_region_consume(&sr, name_length(&name));
 
-	/* Time Signed */
+	/*
+	 * Time Signed.
+	 */
 	sigtime = ((isc_uint64_t)sr.base[0] << 40) |
 		  ((isc_uint64_t)sr.base[1] << 32) |
 		  (sr.base[2] << 24) | (sr.base[3] << 16) |
@@ -138,19 +160,25 @@ totext_any_tsig(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	bufp++;
 	RETERR(str_totext(bufp, target));
 
-	/* Fudge */
+	/*
+	 * Fudge.
+	 */
 	n = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 	sprintf(buf, "%u ", n);
 	RETERR(str_totext(buf, target));
 
-	/* Signature Size */
+	/*
+	 * Signature Size.
+	 */
 	n = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 	sprintf(buf, "%u", n);
 	RETERR(str_totext(buf, target));
 
-	/* Signature */
+	/*
+	 * Signature.
+	 */
 	REQUIRE(n <= sr.length);
 	sigr = sr;
 	sigr.length = n;
@@ -165,25 +193,33 @@ totext_any_tsig(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 		RETERR(str_totext(" ", target));		
 	isc_region_consume(&sr, n);
 
-	/* Original ID */
+	/*
+	 * Original ID.
+	 */
 	n = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 	sprintf(buf, "%u ", n);
 	RETERR(str_totext(buf, target));
 
-	/* Error */
+	/*
+	 * Error.
+	 */
 	n = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 	sprintf(buf, "%u ", n);
 	RETERR(str_totext(buf, target));
 
-	/* Other Size */
+	/*
+	 * Other Size.
+	 */
 	n = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 	sprintf(buf, "%u ", n);
 	RETERR(str_totext(buf, target));
 
-	/* Other */
+	/*
+	 * Other.
+	 */
 	return (isc_base64_totext(&sr, 60, " ", target));
 }
 
@@ -199,63 +235,68 @@ fromwire_any_tsig(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	REQUIRE(type == 250);
 	REQUIRE(rdclass == 255);
 	
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
 
-	/* Algorithm Name */
+	/*
+	 * Algorithm Name.
+	 */
 	dns_name_init(&name, NULL);
 	RETERR(dns_name_fromwire(&name, source, dctx, downcase, target));
 
-	isc_buffer_active(source, &sr);
-	/* Time Signed + Fudge */
+	isc_buffer_activeregion(source, &sr);
+	/*
+	 * Time Signed + Fudge.
+	 */
 	if (sr.length < 8)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	RETERR(mem_tobuffer(target, sr.base, 8));
 	isc_region_consume(&sr, 8);
 	isc_buffer_forward(source, 8);
 
-	/* Signature Length + Signature */
+	/*
+	 * Signature Length + Signature.
+	 */
 	if (sr.length < 2)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	n = uint16_fromregion(&sr);
 	if (sr.length < n + 2)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	RETERR(mem_tobuffer(target, sr.base, n + 2));
 	isc_region_consume(&sr, n + 2);
 	isc_buffer_forward(source, n + 2);
 
-	/* Original ID + Error */
+	/*
+	 * Original ID + Error.
+	 */
 	if (sr.length < 4)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	RETERR(mem_tobuffer(target, sr.base,  4));
 	isc_region_consume(&sr, 4);
 	isc_buffer_forward(source, 4);
 
-	/* Other Length + Other */
+	/*
+	 * Other Length + Other.
+	 */
 	if (sr.length < 2)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	n = uint16_fromregion(&sr);
 	if (sr.length < n + 2)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	isc_buffer_forward(source, n + 2);
 	return (mem_tobuffer(target, sr.base, n + 2));
 }
 
 static inline isc_result_t
-towire_any_tsig(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
+towire_any_tsig(dns_rdata_t *rdata, dns_compress_t *cctx,
+		isc_buffer_t *target)
+{
 	isc_region_t sr;
 	dns_name_t name;
 
 	REQUIRE(rdata->type == 250);
 	REQUIRE(rdata->rdclass == 255);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
 	dns_rdata_toregion(rdata, &sr);
 	dns_name_init(&name, NULL);
 	dns_name_fromregion(&name, &sr);
@@ -295,69 +336,70 @@ static inline isc_result_t
 fromstruct_any_tsig(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		    void *source, isc_buffer_t *target)
 {
+	dns_rdata_any_tsig_t *tsig = source;
 	isc_region_t tr;
-	dns_rdata_any_tsig_t *tsig;
-	dns_compress_t cctx;
 
 	REQUIRE(type == 250);
 	REQUIRE(rdclass == 255);
-	
-	tsig = (dns_rdata_any_tsig_t *) source;
-	REQUIRE(tsig->mctx != NULL);
+	REQUIRE(source != NULL);
+	REQUIRE(tsig->common.rdclass == rdclass);
+	REQUIRE(tsig->common.rdtype == type);
 
-	/* Algorithm Name */
-	RETERR(dns_compress_init(&cctx, -1, tsig->mctx));
-	dns_compress_setmethods(&cctx, DNS_COMPRESS_NONE);
-	RETERR(dns_name_towire(&tsig->algorithm, &cctx, target));
-	dns_compress_invalidate(&cctx);
+	/*
+	 * Algorithm Name.
+	 */
+	RETERR(name_tobuffer(&tsig->algorithm, target));
 
-	isc_buffer_available(target, &tr);
+	isc_buffer_availableregion(target, &tr);
 	if (tr.length < 6 + 2 + 2)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 
-	/* Time Signed: 48 bits */
-	RETERR(uint16_tobuffer((isc_uint16_t)(tsig->timesigned >> 32), target));
+	/*
+	 * Time Signed: 48 bits.
+	 */
+	RETERR(uint16_tobuffer((isc_uint16_t)(tsig->timesigned >> 32),
+			       target));
 	RETERR(uint32_tobuffer((isc_uint32_t)(tsig->timesigned & 0xffffffffU),
 			       target));
 
-	/* Fudge */
+	/*
+	 * Fudge.
+	 */
 	RETERR(uint16_tobuffer(tsig->fudge, target));
 
-	/* Signature Size */
+	/*
+	 * Signature Size.
+	 */
 	RETERR(uint16_tobuffer(tsig->siglen, target));
 
-	/* Signature */
-	if (tsig->siglen > 0) {
-		isc_buffer_available(target, &tr);
-		if (tr.length < tsig->siglen)
-			return (DNS_R_NOSPACE);
-		memcpy(tr.base, tsig->signature, tsig->siglen);
-		isc_buffer_add(target, tsig->siglen);
-	}
+	/*
+	 * Signature.
+	 */
+	RETERR(mem_tobuffer(target, tsig->signature, tsig->siglen));
 
-	isc_buffer_available(target, &tr);
+	isc_buffer_availableregion(target, &tr);
 	if (tr.length < 2 + 2 + 2)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 
-	/* Original ID */
+	/*
+	 * Original ID.
+	 */
 	RETERR(uint16_tobuffer(tsig->originalid, target));
 
-	/* Error */
+	/*
+	 * Error.
+	 */
 	RETERR(uint16_tobuffer(tsig->error, target));
 
-	/* Other Len */
+	/*
+	 * Other Len.
+	 */
 	RETERR(uint16_tobuffer(tsig->otherlen, target));
 
-	/* Other Data */
-	if (tsig->otherlen > 0) {
-		isc_buffer_available(target, &tr);
-		if (tr.length < tsig->otherlen)
-			return (DNS_R_NOSPACE);
-		memcpy(tr.base, tsig->other, tsig->otherlen);
-		isc_buffer_add(target, tsig->otherlen);
-	}
-
-	return (DNS_R_SUCCESS);
+	/*
+	 * Other Data.
+	 */
+	return (mem_tobuffer(target, tsig->other, tsig->otherlen));
 }
 
 static inline isc_result_t
@@ -373,75 +415,91 @@ tostruct_any_tsig(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
 	tsig->common.rdclass = rdata->rdclass;
 	tsig->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&tsig->common, link);
-	tsig->mctx = mctx;
+
 	dns_rdata_toregion(rdata, &sr);
 
-	/* Algorithm Name */
+	/*
+	 * Algorithm Name.
+	 */
 	dns_name_init(&alg, NULL);
 	dns_name_fromregion(&alg, &sr);
 	dns_name_init(&tsig->algorithm, NULL);
-	RETERR(dns_name_dup(&alg, mctx, &tsig->algorithm));
+	RETERR(name_duporclone(&alg, mctx, &tsig->algorithm));
 	
 	isc_region_consume(&sr, name_length(&tsig->algorithm));
 
-	/* Time Signed */
-	if (sr.length < 6)
-		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Time Signed.
+	 */
+	INSIST(sr.length >= 6);
 	tsig->timesigned = ((isc_uint64_t)sr.base[0] << 40) |
 			   ((isc_uint64_t)sr.base[1] << 32) |
 			   (sr.base[2] << 24) | (sr.base[3] << 16) |
 			   (sr.base[4] << 8) | sr.base[5];
 	isc_region_consume(&sr, 6);
 
-	/* Fudge */
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Fudge.
+	 */
 	tsig->fudge = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 
-	/* Signature Size */
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Signature Size.
+	 */
 	tsig->siglen = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 
-	/* Signature */
-	if (sr.length < tsig->siglen)
-		return (ISC_R_UNEXPECTEDEND);
-	tsig->signature = isc_mem_get(mctx, tsig->siglen);
-	if (tsig->signature == NULL)
-		return (DNS_R_NOMEMORY);
-	memcpy(tsig->signature, sr.base, tsig->siglen);
-	isc_region_consume(&sr, tsig->siglen);
-
-	/* Original ID */
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Signature.
+	 */
+	INSIST(sr.length >= tsig->siglen);
+	if (tsig->siglen != 0) {
+		tsig->signature = mem_maybedup(mctx, sr.base, tsig->siglen);
+		if (tsig->signature == NULL)
+			goto cleanup;
+		isc_region_consume(&sr, tsig->siglen);
+	} else
+		tsig->signature = NULL;
+
+	/*
+	 * Original ID.
+	 */
 	tsig->originalid = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 
-	/* Error */
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Error.
+	 */
 	tsig->error = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 
-	/* Other Size */
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Other Size.
+	 */
 	tsig->otherlen = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 
-	/* Other */
-	if (sr.length < tsig->otherlen)
-		return (ISC_R_UNEXPECTEDEND);
-	tsig->other = isc_mem_get(mctx, tsig->otherlen);
-	if (tsig->other == NULL)
-		return (DNS_R_NOMEMORY);
-	memcpy(tsig->other, sr.base, tsig->otherlen);
-	isc_region_consume(&sr, tsig->otherlen);
+	/*
+	 * Other.
+	 */
+	INSIST(sr.length == tsig->otherlen);
+	if (tsig->otherlen != 0) {
+		tsig->other = mem_maybedup(mctx, sr.base, tsig->otherlen);
+		if (tsig->other == NULL)
+			goto cleanup;
+	} else
+		tsig->other = NULL;
 
-	return (DNS_R_SUCCESS);
+	tsig->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL)
+		dns_name_free(&tsig->algorithm, tsig->mctx);	
+	if (mctx != NULL && tsig->signature != NULL)
+		isc_mem_free(mctx, tsig->signature);
+	return (ISC_R_NOMEMORY);
 }
 
 static inline void
@@ -452,11 +510,15 @@ freestruct_any_tsig(void *source) {
 	REQUIRE(tsig->common.rdclass == 255);
 	REQUIRE(tsig->common.rdtype == 250);
 
+	if (tsig->mctx == NULL)
+		return;
+
 	dns_name_free(&tsig->algorithm, tsig->mctx);	
 	if (tsig->signature != NULL)
-		isc_mem_put(tsig->mctx, tsig->signature, tsig->siglen);
+		isc_mem_free(tsig->mctx, tsig->signature);
 	if (tsig->other != NULL)
-		isc_mem_put(tsig->mctx, tsig->other, tsig->otherlen);
+		isc_mem_free(tsig->mctx, tsig->other);
+	tsig->mctx = NULL;
 }
 
 static inline isc_result_t
@@ -466,10 +528,11 @@ additionaldata_any_tsig(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 	REQUIRE(rdata->type == 250);
 	REQUIRE(rdata->rdclass == 255);
 
+	UNUSED(rdata);
 	UNUSED(add);
 	UNUSED(arg);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -478,10 +541,11 @@ digest_any_tsig(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
 	REQUIRE(rdata->type == 250);
 	REQUIRE(rdata->rdclass == 255);
 
+	UNUSED(rdata);
 	UNUSED(digest);
 	UNUSED(arg);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	return (ISC_R_NOTIMPLEMENTED);
 }
 
 #endif	/* RDATA_ANY_255_TSIG_250_C */
diff --git a/lib/dns/rdata/any_255/tsig_250.h b/lib/dns/rdata/any_255/tsig_250.h
index f032abd2..11f29873 100644
--- a/lib/dns/rdata/any_255/tsig_250.h
+++ b/lib/dns/rdata/any_255/tsig_250.h
@@ -15,9 +15,11 @@
  * SOFTWARE.
  */
 
-/* $Id: tsig_250.h,v 1.15 2000/03/16 23:13:02 gson Exp $ */
+/* $Id: tsig_250.h,v 1.16 2000/04/29 02:01:34 tale Exp $ */
 
 /* draft-ietf-dnsext-tsig-00.txt */
+#ifndef ANY_255_TSIG_250_H
+#define ANY_255_TSIG_250_H 1
 
 typedef struct dns_rdata_any_tsig {
 	dns_rdatacommon_t	common;
@@ -32,3 +34,5 @@ typedef struct dns_rdata_any_tsig {
 	isc_uint16_t		otherlen;
 	unsigned char *		other;
 } dns_rdata_any_tsig_t;
+
+#endif /* ANY_255_TSIG_250_H */
diff --git a/lib/dns/rdata/generic/afsdb_18.c b/lib/dns/rdata/generic/afsdb_18.c
index 5e9a6773..aa9d2c16 100644
--- a/lib/dns/rdata/generic/afsdb_18.c
+++ b/lib/dns/rdata/generic/afsdb_18.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: afsdb_18.c,v 1.19 2000/03/18 01:46:15 tale Exp $ */
+/* $Id: afsdb_18.c,v 1.28 2000/05/22 12:37:29 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 14:59:00 PST 2000 by explorer */
 
@@ -24,6 +24,8 @@
 #ifndef RDATA_GENERIC_AFSDB_18_C
 #define RDATA_GENERIC_AFSDB_18_C
 
+#define RRTYPE_AFSDB_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_afsdb(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	   isc_lex_t *lexer, dns_name_t *origin,
@@ -37,15 +39,20 @@ fromtext_afsdb(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	REQUIRE(type == 18);
 
-	/* subtype */
+	/*
+	 * Subtype.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
+	if (token.value.as_ulong > 0xffff)
+		return (ISC_R_RANGE);
 	RETERR(uint16_tobuffer(token.value.as_ulong, target));
 	
-	/* hostname */
+	/*
+	 * Hostname.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	return (dns_name_fromtext(&name, &buffer, origin, downcase, target));
 }
@@ -89,19 +96,16 @@ fromwire_afsdb(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	REQUIRE(type == 18);
 	
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
 
 	dns_name_init(&name, NULL);
 
-	isc_buffer_active(source, &sr);
-	isc_buffer_available(target, &tr);
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_availableregion(target, &tr);
 	if (tr.length < 2)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	if (sr.length < 2)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	memcpy(tr.base, sr.base, 2);
 	isc_buffer_forward(source, 2);
 	isc_buffer_add(target, 2);
@@ -109,23 +113,18 @@ fromwire_afsdb(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 }
 
 static inline isc_result_t
-towire_afsdb(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
-{
+towire_afsdb(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 	isc_region_t tr;
 	isc_region_t sr;
 	dns_name_t name;
 
 	REQUIRE(rdata->type == 18);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-
-	isc_buffer_available(target, &tr);
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	isc_buffer_availableregion(target, &tr);
 	dns_rdata_toregion(rdata, &sr);
 	if (tr.length < 2)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	memcpy(tr.base, sr.base, 2);
 	isc_region_consume(&sr, 2);
 	isc_buffer_add(target, 2);
@@ -137,8 +136,7 @@ towire_afsdb(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
 }
 
 static inline int
-compare_afsdb(dns_rdata_t *rdata1, dns_rdata_t *rdata2)
-{
+compare_afsdb(dns_rdata_t *rdata1, dns_rdata_t *rdata2) {
 	int result;
 	dns_name_t name1;
 	dns_name_t name2;
@@ -172,35 +170,59 @@ static inline isc_result_t
 fromstruct_afsdb(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 		 isc_buffer_t *target)
 {
-	UNUSED(rdclass);
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_afsdb_t *afsdb = source;
+	isc_region_t region;
 
 	REQUIRE(type == 18);
+	REQUIRE(source != NULL);
+	REQUIRE(afsdb->common.rdclass == rdclass);
+	REQUIRE(afsdb->common.rdtype == type);
 	
-	return (DNS_R_NOTIMPLEMENTED);
+	RETERR(uint16_tobuffer(afsdb->subtype, target));
+	dns_name_toregion(&afsdb->server, &region);
+	return (isc_buffer_copyregion(target, &region));
 }
 
 static inline isc_result_t
-tostruct_afsdb(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
-{
-	UNUSED(target);
-	UNUSED(mctx);
+tostruct_afsdb(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
+	isc_region_t region;
+	dns_rdata_afsdb_t *afsdb = target;
+	dns_name_t name;
 
 	REQUIRE(rdata->type == 18);
 	REQUIRE(target != NULL);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	afsdb->common.rdclass = rdata->rdclass;
+	afsdb->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&afsdb->common, link);
+
+	dns_name_init(&afsdb->server, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+
+	afsdb->subtype = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+
+	RETERR(name_duporclone(&name, mctx, &afsdb->server));
+	afsdb->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
-freestruct_afsdb(void *source)
-{
+freestruct_afsdb(void *source) {
 	dns_rdata_afsdb_t *afsdb = source;
 
 	REQUIRE(source != NULL);
 	REQUIRE(afsdb->common.rdtype == 18);
-	REQUIRE(ISC_FALSE);
+
+	if (afsdb->mctx == NULL)
+		return;
+
+	dns_name_free(&afsdb->server, afsdb->mctx);
+	afsdb->mctx = NULL;
 }
 
 static inline isc_result_t
@@ -221,8 +243,7 @@ additionaldata_afsdb(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 }
 
 static inline isc_result_t
-digest_afsdb(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg)
-{
+digest_afsdb(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
 	isc_region_t r1, r2;
 	dns_name_t name;
 
diff --git a/lib/dns/rdata/generic/afsdb_18.h b/lib/dns/rdata/generic/afsdb_18.h
index cc88bfd1..5730c925 100644
--- a/lib/dns/rdata/generic/afsdb_18.h
+++ b/lib/dns/rdata/generic/afsdb_18.h
@@ -15,11 +15,19 @@
  * SOFTWARE.
  */
 
-/* $Id: afsdb_18.h,v 1.10 2000/03/16 00:52:59 explorer Exp $ */
+#ifndef GENERIC_AFSDB_18_H
+#define GENERIC_AFSDB_18_H 1
+
+/* $Id: afsdb_18.h,v 1.12 2000/04/29 02:01:35 tale Exp $ */
 
 /* RFC 1183 */
 
 typedef struct dns_rdata_afsdb {
 	dns_rdatacommon_t	common;
-	/*XXX*/
+	isc_mem_t		*mctx;
+	isc_uint16_t		subtype;
+	dns_name_t		server;
 } dns_rdata_afsdb_t;
+
+#endif /* GENERIC_AFSDB_18_H */
+
diff --git a/lib/dns/rdata/generic/cert_37.c b/lib/dns/rdata/generic/cert_37.c
index c87f6be9..08f51f9c 100644
--- a/lib/dns/rdata/generic/cert_37.c
+++ b/lib/dns/rdata/generic/cert_37.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: cert_37.c,v 1.20 2000/03/16 02:15:52 tale Exp $ */
+/* $Id: cert_37.c,v 1.29 2000/05/22 12:37:30 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 21:14:32 EST 2000 by tale */
 
@@ -24,6 +24,8 @@
 #ifndef RDATA_GENERIC_CERT_37_C
 #define RDATA_GENERIC_CERT_37_C
 
+#define RRTYPE_CERT_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_cert(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	      isc_lex_t *lexer, dns_name_t *origin,
@@ -39,16 +41,24 @@ fromtext_cert(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	UNUSED(origin);
 	UNUSED(downcase);
 
-	/* cert type */
+	/*
+	 * Cert type.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	RETERR(dns_cert_fromtext(&cert, &token.value.as_textregion));
 	RETERR(uint16_tobuffer(cert, target));
 	
-	/* key tag */
+	/*
+	 * Key tag.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
+	if (token.value.as_ulong > 0xffff)
+		return (ISC_R_RANGE);
 	RETERR(uint16_tobuffer(token.value.as_ulong, target));
 
-	/* algorithm */
+	/*
+	 * Algorithm.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	RETERR(dns_secalg_fromtext(&secalg, &token.value.as_textregion));
 	RETERR(mem_tobuffer(target, &secalg, 1));
@@ -70,23 +80,31 @@ totext_cert(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 
 	dns_rdata_toregion(rdata, &sr);
 
-	/* type */
+	/*
+	 * Type.
+	 */
 	n = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 	RETERR(dns_cert_totext((dns_cert_t)n, target));
 	RETERR(str_totext(" ", target));
 
-	/* key tag */
+	/*
+	 * Key tag.
+	 */
 	n = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 	sprintf(buf, "%u ", n);
 	RETERR(str_totext(buf, target));
 
-	/* algorithm */
+	/*
+	 * Algorithm.
+	 */
 	RETERR(dns_secalg_totext(sr.base[0], target));
 	isc_region_consume(&sr, 1);
 
-	/* cert */
+	/*
+	 * Cert.
+	 */
 	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
 		RETERR(str_totext(" (", target));
 	RETERR(str_totext(tctx->linebreak, target));
@@ -94,7 +112,7 @@ totext_cert(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 				 tctx->linebreak, target));
 	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
 		RETERR(str_totext(" )", target));
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -110,9 +128,9 @@ fromwire_cert(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	UNUSED(dctx);
 	UNUSED(downcase);
 
-	isc_buffer_active(source, &sr);
+	isc_buffer_activeregion(source, &sr);
 	if (sr.length < 5)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 
 	isc_buffer_forward(source, sr.length);
 	return (mem_tobuffer(target, sr.base, sr.length));
@@ -148,32 +166,67 @@ static inline isc_result_t
 fromstruct_cert(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 		isc_buffer_t *target)
 {
+	dns_rdata_cert_t *cert = source;
 
 	REQUIRE(type == 37);
+	REQUIRE(source != NULL);
+	REQUIRE(cert->common.rdtype == type);
+	REQUIRE(cert->common.rdclass == rdclass);
 	
-	UNUSED(rdclass);
-	UNUSED(source);
-	UNUSED(target);
+	RETERR(uint16_tobuffer(cert->type, target));
+	RETERR(uint16_tobuffer(cert->key_tag, target));
+	RETERR(uint8_tobuffer(cert->algorithm, target));
 
-	return (DNS_R_NOTIMPLEMENTED);
+	return (mem_tobuffer(target, cert->certificate, cert->length));
 }
 
 static inline isc_result_t
 tostruct_cert(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
+	dns_rdata_cert_t *cert = target;
+	isc_region_t region;
 
 	REQUIRE(rdata->type == 37);
-	REQUIRE(target != NULL && target == NULL);
-	
-	UNUSED(target);
-	UNUSED(mctx);
-
-	return (DNS_R_NOTIMPLEMENTED);
+	REQUIRE(target != NULL);
+
+	cert->common.rdclass = rdata->rdclass;
+	cert->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&cert->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	cert->type = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	cert->key_tag = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	cert->algorithm = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	cert->length = region.length;
+
+	if (cert->length > 0) {
+		cert->certificate = mem_maybedup(mctx, region.base,
+						 region.length);
+		if (cert->certificate == NULL)
+			return (ISC_R_NOMEMORY);
+	} else
+		cert->certificate = NULL;
+
+	cert->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_cert(void *target) {
+	dns_rdata_cert_t *cert = target;
+
 	REQUIRE(target != NULL && target != NULL);
-	REQUIRE(ISC_FALSE);	/* XXX */
+	REQUIRE(cert->common.rdtype == 37);
+
+	if (cert->mctx == NULL)
+		return;
+
+	if (cert->certificate != NULL)
+		isc_mem_free(cert->mctx, cert->certificate);
+	cert->mctx = NULL;
 }
 
 static inline isc_result_t
@@ -182,10 +235,11 @@ additionaldata_cert(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 {
 	REQUIRE(rdata->type == 37);
 
+	UNUSED(rdata);
 	UNUSED(add);
 	UNUSED(arg);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/generic/cert_37.h b/lib/dns/rdata/generic/cert_37.h
index 2422bb22..ed3a5651 100644
--- a/lib/dns/rdata/generic/cert_37.h
+++ b/lib/dns/rdata/generic/cert_37.h
@@ -15,7 +15,20 @@
  * SOFTWARE.
  */
 
-/* $Id: cert_37.h,v 1.10 2000/03/20 22:48:58 gson Exp $ */
+/* $Id: cert_37.h,v 1.12 2000/04/29 02:01:35 tale Exp $ */
 
-/* draft-ietf-dnssec-certs-04.txt */
+/* RFC 2538 */
+#ifndef GENERIC_CERT_37_H
+#define GENERIC_CERT_37_H 1
 
+typedef struct dns_rdata_cert {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	isc_uint16_t		type;
+	isc_uint16_t		key_tag;
+	isc_uint8_t		algorithm;
+	isc_uint16_t		length;
+	unsigned char		*certificate;
+} dns_rdata_cert_t;
+
+#endif /* GENERIC_CERT_37_H */
diff --git a/lib/dns/rdata/generic/cname_5.c b/lib/dns/rdata/generic/cname_5.c
index e713ee92..6fb04f17 100644
--- a/lib/dns/rdata/generic/cname_5.c
+++ b/lib/dns/rdata/generic/cname_5.c
@@ -15,13 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: cname_5.c,v 1.22 2000/03/16 02:00:31 brister Exp $ */
+/* $Id: cname_5.c,v 1.30 2000/05/22 12:37:31 marka Exp $ */
 
 /* reviewed: Wed Mar 15 16:48:45 PST 2000 by brister */
 
 #ifndef RDATA_GENERIC_CNAME_5_C
 #define RDATA_GENERIC_CNAME_5_C
 
+#define RRTYPE_CNAME_ATTRIBUTES (DNS_RDATATYPEATTR_EXCLUSIVE | DNS_RDATATYPEATTR_SINGLETON)
+
 static inline isc_result_t
 fromtext_cname(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	       isc_lex_t *lexer, dns_name_t *origin,
@@ -38,8 +40,7 @@ fromtext_cname(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	return (dns_name_fromtext(&name, &buffer, origin, downcase, target));
 }
@@ -77,10 +78,7 @@ fromwire_cname(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	UNUSED(rdclass);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
 
 	dns_name_init(&name, NULL);
 	return (dns_name_fromwire(&name, source, dctx, downcase, target));
@@ -94,10 +92,7 @@ towire_cname(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
 
 	REQUIRE(rdata->type == 5);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
 
 	dns_name_init(&name, NULL);
 	dns_rdata_toregion(rdata, &region);
@@ -134,47 +129,66 @@ static inline isc_result_t
 fromstruct_cname(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 		 isc_buffer_t *target)
 {
+	dns_rdata_cname_t *cname = source;
+	isc_region_t region;
 
 	REQUIRE(type == 5);
+	REQUIRE(source != NULL);
+	REQUIRE(cname->common.rdtype == type);
+	REQUIRE(cname->common.rdclass == rdclass);
 
-	UNUSED(rdclass);
-
-	UNUSED(source);
-	UNUSED(target);
-
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_toregion(&cname->cname, &region);
+	return (isc_buffer_copyregion(target, &region));
 }
 
 static inline isc_result_t
 tostruct_cname(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
 {
+	isc_region_t region;
+	dns_rdata_cname_t *cname = target;
+	dns_name_t name;
 	
 	REQUIRE(rdata->type == 5);
 	REQUIRE(target != NULL);
 
-	UNUSED(target);
-	UNUSED(mctx);
+	cname->common.rdclass = rdata->rdclass;
+	cname->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&cname->common, link);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&cname->cname, NULL);
+	RETERR(name_duporclone(&name, mctx, &cname->cname));
+	cname->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_cname(void *source)
 {
+	dns_rdata_cname_t *cname = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);
+
+	if (cname->mctx == NULL)
+		return;
+
+	dns_name_free(&cname->cname, cname->mctx);
+	cname->mctx = NULL;
 }
 
 static inline isc_result_t
 additionaldata_cname(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 		     void *arg)
 {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+	
 	REQUIRE(rdata->type == 5);
 
-	(void)add;
-	(void)arg;
-
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/generic/cname_5.h b/lib/dns/rdata/generic/cname_5.h
index 83b7967a..9e2f7fe8 100644
--- a/lib/dns/rdata/generic/cname_5.h
+++ b/lib/dns/rdata/generic/cname_5.h
@@ -15,5 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: cname_5.h,v 1.16 2000/03/20 22:57:11 gson Exp $ */
+/* $Id: cname_5.h,v 1.19 2000/05/08 14:36:45 tale Exp $ */
 
+#ifndef GENERIC_CNAME_5_H
+#define GENERIC_CNAME_5_H 1
+
+typedef struct dns_rdata_cname {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		cname;
+} dns_rdata_cname_t;
+
+#endif /* GENERIC_CNAME_5_H */
diff --git a/lib/dns/rdata/generic/dname_39.c b/lib/dns/rdata/generic/dname_39.c
index 7bd743c4..2d262f99 100644
--- a/lib/dns/rdata/generic/dname_39.c
+++ b/lib/dns/rdata/generic/dname_39.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: dname_39.c,v 1.15 2000/03/16 02:18:13 explorer Exp $ */
+/* $Id: dname_39.c,v 1.22 2000/05/22 12:37:32 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 16:52:38 PST 2000 by explorer */
 
@@ -24,6 +24,8 @@
 #ifndef RDATA_GENERIC_DNAME_39_C
 #define RDATA_GENERIC_DNAME_39_C
 
+#define RRTYPE_DNAME_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON)
+
 static inline isc_result_t
 fromtext_dname(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	       isc_lex_t *lexer, dns_name_t *origin,
@@ -40,8 +42,7 @@ fromtext_dname(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	return (dns_name_fromtext(&name, &buffer, origin, downcase, target));
 }
@@ -79,10 +80,7 @@ fromwire_dname(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	REQUIRE(type == 39);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
 
 	dns_name_init(&name, NULL);
 	return(dns_name_fromwire(&name, source, dctx, downcase, target));
@@ -96,11 +94,7 @@ towire_dname(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
 
 	REQUIRE(rdata->type == 39);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
 	dns_name_init(&name, NULL);
 	dns_rdata_toregion(rdata, &region);
 	dns_name_fromregion(&name, &region);
@@ -136,44 +130,67 @@ static inline isc_result_t
 fromstruct_dname(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 		 isc_buffer_t *target)
 {
-	UNUSED(rdclass);
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_dname_t *dname = source;
+	isc_region_t region;
 
 	REQUIRE(type == 39);
+	REQUIRE(source != NULL);
+	REQUIRE(dname->common.rdtype == type);
+	REQUIRE(dname->common.rdclass == rdclass);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_toregion(&dname->dname, &region);
+	return (isc_buffer_copyregion(target, &region));
 }
 
 static inline isc_result_t
 tostruct_dname(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
 {
-	UNUSED(target);
-	UNUSED(mctx);
+	isc_region_t region;
+	dns_rdata_dname_t *dname = target;
+	dns_name_t name;
 
 	REQUIRE(rdata->type == 39);
 	REQUIRE(target != NULL);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dname->common.rdclass = rdata->rdclass;
+	dname->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&dname->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&dname->dname, NULL);
+	RETERR(name_duporclone(&name, mctx, &dname->dname));
+	dname->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_dname(void *source)
 {
+	dns_rdata_dname_t *dname = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/* XXX */
+	REQUIRE(dname->common.rdtype == 39);
+	
+	if (dname->mctx == NULL)
+		return;
+
+	dns_name_free(&dname->dname, dname->mctx);
+	dname->mctx = NULL;
 }
 
 static inline isc_result_t
 additionaldata_dname(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 		     void *arg)
 {
+	UNUSED(rdata);
 	UNUSED(add);
 	UNUSED(arg);
 
 	REQUIRE(rdata->type == 39);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/generic/dname_39.h b/lib/dns/rdata/generic/dname_39.h
index d7d657f9..2dd5e75e 100644
--- a/lib/dns/rdata/generic/dname_39.h
+++ b/lib/dns/rdata/generic/dname_39.h
@@ -15,7 +15,17 @@
  * SOFTWARE.
  */
 
-/* $Id: dname_39.h,v 1.9 2000/03/16 00:53:01 explorer Exp $ */
+#ifndef GENERIC_DNAME_39_H
+#define GENERIC_DNAME_39_H 1
+
+/* $Id: dname_39.h,v 1.12 2000/05/08 14:36:46 tale Exp $ */
 
 /* draft-ietf-dnsind-dname-02.txt */
 
+typedef struct dns_rdata_dname {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		dname;
+} dns_rdata_dname_t;
+
+#endif /* GENERIC_DNAME_39_H */
diff --git a/lib/dns/rdata/generic/gpos_27.c b/lib/dns/rdata/generic/gpos_27.c
index 354182fb..7ef878ce 100644
--- a/lib/dns/rdata/generic/gpos_27.c
+++ b/lib/dns/rdata/generic/gpos_27.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: gpos_27.c,v 1.14 2000/03/21 23:48:20 gson Exp $ */
+/* $Id: gpos_27.c,v 1.20 2000/05/22 12:37:33 marka Exp $ */
 
 /* reviewed: Wed Mar 15 16:48:45 PST 2000 by brister */
 
@@ -24,6 +24,8 @@
 #ifndef RDATA_GENERIC_GPOS_27_C
 #define RDATA_GENERIC_GPOS_27_C
 
+#define RRTYPE_GPOS_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_gpos(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	      isc_lex_t *lexer, dns_name_t *origin,
@@ -43,7 +45,7 @@ fromtext_gpos(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 				ISC_FALSE));
 		RETERR(txt_fromtext(&token.value.as_textregion, target));
 	}
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -65,7 +67,7 @@ totext_gpos(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 			RETERR(str_totext(" ", target));
 	}
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -83,7 +85,7 @@ fromwire_gpos(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	for (i = 0 ; i < 3; i++)
 		RETERR(txt_fromwire(source, target));
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -116,34 +118,96 @@ static inline isc_result_t
 fromstruct_gpos(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 		isc_buffer_t *target)
 {
+	dns_rdata_gpos_t *gpos = source;
 
 	REQUIRE(type == 27);
-
-	UNUSED(rdclass);
-
-	UNUSED(source);
-	UNUSED(target);
-
-	return (DNS_R_NOTIMPLEMENTED);
+	REQUIRE(source != NULL);
+	REQUIRE(gpos->common.rdtype == type);
+	REQUIRE(gpos->common.rdclass == rdclass);
+
+	RETERR(uint8_tobuffer(gpos->long_len, target));
+	RETERR(mem_tobuffer(target, gpos->longitude, gpos->long_len));
+	RETERR(uint8_tobuffer(gpos->lat_len, target));
+	RETERR(mem_tobuffer(target, gpos->latitude, gpos->lat_len));
+	RETERR(uint8_tobuffer(gpos->alt_len, target));
+	return (mem_tobuffer(target, gpos->altitude, gpos->alt_len));
 }
 
 static inline isc_result_t
 tostruct_gpos(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
 {
+	dns_rdata_gpos_t *gpos = target;
+	isc_region_t region;
 
 	REQUIRE(rdata->type == 27);
+	REQUIRE(target != NULL);
 
-	UNUSED(target);
-	UNUSED(mctx);
+	gpos->common.rdclass = rdata->rdclass;
+	gpos->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&gpos->common, link);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_rdata_toregion(rdata, &region);
+	gpos->long_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	if (gpos->long_len != 0) {
+		gpos->longitude = mem_maybedup(mctx, region.base,
+					       gpos->long_len);
+		if (gpos->longitude == NULL)
+			return (ISC_R_NOMEMORY);
+		isc_region_consume(&region, gpos->long_len);
+	} else
+		gpos->longitude = NULL;
+
+	gpos->lat_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	if (gpos->lat_len > 0) {
+		gpos->latitude = mem_maybedup(mctx, region.base, gpos->lat_len);
+		if (gpos->latitude == NULL)
+			goto cleanup_longitude;
+		isc_region_consume(&region, gpos->lat_len);
+	} else
+		gpos->latitude = NULL;
+
+	gpos->alt_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	if (gpos->lat_len > 0) {
+		gpos->altitude = mem_maybedup(mctx, region.base, gpos->alt_len);
+		if (gpos->altitude == NULL)
+			goto cleanup_latitude;
+	} else 
+		gpos->altitude = NULL;
+
+	gpos->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup_latitude:
+	if (mctx != NULL && gpos->longitude != NULL)
+		isc_mem_free(mctx, gpos->longitude);
+
+ cleanup_longitude:
+	if (mctx != NULL && gpos->latitude != NULL)
+		isc_mem_free(mctx, gpos->latitude);
+	return (ISC_R_NOMEMORY);
 }
 
 static inline void
 freestruct_gpos(void *source)
 {
+	dns_rdata_gpos_t *gpos = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/* XXX */
+	REQUIRE(gpos->common.rdtype == 27);
+
+	if (gpos->mctx == NULL)
+		return;
+
+	if (gpos->longitude != NULL)
+		isc_mem_free(gpos->mctx, gpos->longitude);
+	if (gpos->latitude != NULL)
+		isc_mem_free(gpos->mctx, gpos->latitude);
+	if (gpos->altitude != NULL)
+		isc_mem_free(gpos->mctx, gpos->altitude);
+	gpos->mctx = NULL;
 }
 
 static inline isc_result_t
@@ -152,10 +216,11 @@ additionaldata_gpos(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 {
 	REQUIRE(rdata->type == 27);
 
+	UNUSED(rdata);
 	UNUSED(add);
 	UNUSED(arg);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/generic/gpos_27.h b/lib/dns/rdata/generic/gpos_27.h
index 62422923..9605015c 100644
--- a/lib/dns/rdata/generic/gpos_27.h
+++ b/lib/dns/rdata/generic/gpos_27.h
@@ -15,7 +15,22 @@
  * SOFTWARE.
  */
 
-/* $Id: gpos_27.h,v 1.7 2000/03/20 22:57:11 gson Exp $ */
+#ifndef GENERIC_GPOS_27_H
+#define GENERIC_GPOS_27_H 1
+
+/* $Id: gpos_27.h,v 1.9 2000/04/29 02:01:37 tale Exp $ */
 
 /* RFC 1712 */
 
+typedef struct dns_rdata_gpos {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	char			*longitude;
+	char			*latitude;
+	char			*altitude;
+	isc_uint8_t		long_len;
+	isc_uint8_t		lat_len;
+	isc_uint8_t		alt_len;
+} dns_rdata_gpos_t;
+
+#endif /* GENERIC_GPOS_27_H */
diff --git a/lib/dns/rdata/generic/hinfo_13.c b/lib/dns/rdata/generic/hinfo_13.c
index 08db72a5..9086ca73 100644
--- a/lib/dns/rdata/generic/hinfo_13.c
+++ b/lib/dns/rdata/generic/hinfo_13.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: hinfo_13.c,v 1.20 2000/03/16 22:42:32 halley Exp $ */
+/* $Id: hinfo_13.c,v 1.25 2000/05/22 12:37:34 marka Exp $ */
 
 /*
  * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
@@ -24,6 +24,8 @@
 #ifndef RDATA_GENERIC_HINFO_13_C
 #define RDATA_GENERIC_HINFO_13_C
 
+#define RRTYPE_HINFO_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_hinfo(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	       isc_lex_t *lexer, dns_name_t *origin,
@@ -43,7 +45,7 @@ fromtext_hinfo(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 				ISC_FALSE));
 		RETERR(txt_fromtext(&token.value.as_textregion, target));
 	}
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -106,42 +108,86 @@ static inline isc_result_t
 fromstruct_hinfo(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 		 isc_buffer_t *target)
 {
-	UNUSED(rdclass);
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_hinfo_t *hinfo = source;
 
 	REQUIRE(type == 13);
+	REQUIRE(source != NULL);
+	REQUIRE(hinfo->common.rdtype == type);
+	REQUIRE(hinfo->common.rdclass == rdclass);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	RETERR(uint8_tobuffer(hinfo->cpu_len, target));
+	RETERR(mem_tobuffer(target, hinfo->cpu, hinfo->cpu_len));
+	RETERR(uint8_tobuffer(hinfo->os_len, target));
+	return (mem_tobuffer(target, hinfo->os, hinfo->os_len));
 }
 
 static inline isc_result_t
 tostruct_hinfo(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
+	dns_rdata_hinfo_t *hinfo = target;
+	isc_region_t region;
 
 	REQUIRE(rdata->type == 13);
+	REQUIRE(target != NULL);
 
-	UNUSED(target);
-	UNUSED(mctx);
+	hinfo->common.rdclass = rdata->rdclass;
+	hinfo->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&hinfo->common, link);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_rdata_toregion(rdata, &region);
+	hinfo->cpu_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	if (hinfo->cpu_len > 0) {
+		hinfo->cpu = mem_maybedup(mctx, region.base, hinfo->cpu_len);
+		if (hinfo->cpu == NULL)
+			return (ISC_R_NOMEMORY);
+		isc_region_consume(&region, hinfo->cpu_len);
+	} else
+		hinfo->cpu = NULL;
+
+	hinfo->os_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	if (hinfo->os_len > 0) {
+		hinfo->os = mem_maybedup(mctx, region.base, hinfo->os_len);
+		if (hinfo->os == NULL)
+			goto cleanup;
+	} else
+		hinfo->os = NULL;
+	hinfo->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL && hinfo->cpu != NULL)
+		isc_mem_free(mctx, hinfo->cpu);
+	return (ISC_R_NOMEMORY);
 }
 
 static inline void
 freestruct_hinfo(void *source) {
+	dns_rdata_hinfo_t *hinfo = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE); /* XXX */
+
+	if (hinfo->mctx == NULL)
+		return;
+
+	if (hinfo->cpu != NULL)
+		isc_mem_free(hinfo->mctx, hinfo->cpu);
+	if (hinfo->os != NULL)
+		isc_mem_free(hinfo->mctx, hinfo->os);
+	hinfo->mctx = NULL;
 }
 
 static inline isc_result_t
 additionaldata_hinfo(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 		     void *arg)
 {
+	REQUIRE(rdata->type == 13);
+
 	UNUSED(add);
 	UNUSED(arg);
+	UNUSED(rdata);
 
-	REQUIRE(rdata->type == 13);
-
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/generic/hinfo_13.h b/lib/dns/rdata/generic/hinfo_13.h
index 300be1e4..2724ee6d 100644
--- a/lib/dns/rdata/generic/hinfo_13.h
+++ b/lib/dns/rdata/generic/hinfo_13.h
@@ -15,5 +15,18 @@
  * SOFTWARE.
  */
 
-/* $Id: hinfo_13.h,v 1.15 2000/03/20 22:57:12 gson Exp $ */
+#ifndef GENERIC_HINFO_13_H
+#define GENERIC_HINFO_13_H 1
 
+/* $Id: hinfo_13.h,v 1.18 2000/05/04 23:50:55 explorer Exp $ */
+
+typedef struct dns_rdata_hinfo {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	char			*cpu;
+	char			*os;
+	isc_uint8_t		cpu_len;
+	isc_uint8_t		os_len;
+} dns_rdata_hinfo_t;
+
+#endif /* GENERIC_HINFO_13_H */
diff --git a/lib/dns/rdata/generic/isdn_20.c b/lib/dns/rdata/generic/isdn_20.c
index dc367085..6fbc936f 100644
--- a/lib/dns/rdata/generic/isdn_20.c
+++ b/lib/dns/rdata/generic/isdn_20.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: isdn_20.c,v 1.14 2000/03/16 02:08:49 bwelling Exp $ */
+/* $Id: isdn_20.c,v 1.19 2000/05/22 12:37:36 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 16:53:11 PST 2000 by bwelling */
 
@@ -24,6 +24,8 @@
 #ifndef RDATA_GENERIC_ISDN_20_C
 #define RDATA_GENERIC_ISDN_20_C
 
+#define RRTYPE_ISDN_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_isdn(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	      isc_lex_t *lexer, dns_name_t *origin,
@@ -46,7 +48,7 @@ fromtext_isdn(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	if (token.type != isc_tokentype_string &&
 	    token.type != isc_tokentype_qstring) {
 		isc_lex_ungettoken(lexer, &token);
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 	}
 	return (txt_fromtext(&token.value.as_textregion, target));
 }
@@ -64,7 +66,7 @@ totext_isdn(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	dns_rdata_toregion(rdata, &region);
 	RETERR(txt_totext(&region, target));
 	if (region.length == 0)
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 	RETERR(str_totext(" ", target));
 	return (txt_totext(&region, target));
 }
@@ -82,7 +84,7 @@ fromwire_isdn(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	RETERR(txt_fromwire(source, target));
 	if (buffer_empty(source))
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 	return (txt_fromwire(source, target));
 }
 
@@ -113,41 +115,89 @@ static inline isc_result_t
 fromstruct_isdn(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 		isc_buffer_t *target)
 {
-	UNUSED(rdclass);
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_isdn_t *isdn = source;
 
 	REQUIRE(type == 20);
+	REQUIRE(source != NULL);
+	REQUIRE(isdn->common.rdtype == type);
+	REQUIRE(isdn->common.rdclass == rdclass);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	RETERR(uint8_tobuffer(isdn->isdn_len, target));
+	RETERR(mem_tobuffer(target, isdn->isdn, isdn->isdn_len));
+	RETERR(uint8_tobuffer(isdn->subaddress_len, target));
+	return (mem_tobuffer(target, isdn->subaddress, isdn->subaddress_len));
 }
 
 static inline isc_result_t
 tostruct_isdn(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
-	UNUSED(target);
-	UNUSED(mctx);
+	dns_rdata_isdn_t *isdn = target;
+	isc_region_t r;
 
 	REQUIRE(rdata->type == 20);
+	REQUIRE(target != NULL);
+
+	isdn->common.rdclass = rdata->rdclass;
+	isdn->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&isdn->common, link);
+
+	dns_rdata_toregion(rdata, &r);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	isdn->isdn_len = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	if (isdn->isdn_len > 0) {
+		isdn->isdn = mem_maybedup(mctx, r.base, isdn->isdn_len);
+		if (isdn->isdn == NULL)
+			return (ISC_R_NOMEMORY);
+		isc_region_consume(&r, isdn->isdn_len);
+	} else
+		isdn->isdn = NULL;
+
+	isdn->subaddress_len = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	if (isdn->subaddress_len > 0) {
+		isdn->subaddress = mem_maybedup(mctx, r.base,
+						isdn->subaddress_len);
+		if (isdn->subaddress == NULL)
+			goto cleanup;
+	} else
+		isdn->subaddress = NULL;
+
+	isdn->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL && isdn->isdn != NULL)
+		isc_mem_free(mctx, isdn->isdn);
+	return (ISC_R_NOMEMORY);
 }
 
 static inline void
 freestruct_isdn(void *source) {
+	dns_rdata_isdn_t *isdn = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/*XXX*/
+	
+	if (isdn->mctx == NULL)
+		return;
+
+	if (isdn->isdn != NULL)
+		isc_mem_free(isdn->mctx, isdn->isdn);
+	if (isdn->subaddress != NULL)
+		isc_mem_free(isdn->mctx, isdn->subaddress);
+	isdn->mctx = NULL;
 }
 
 static inline isc_result_t
 additionaldata_isdn(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 		    void *arg)
 {
+	REQUIRE(rdata->type == 20);
+
+	UNUSED(rdata);
 	UNUSED(add);
 	UNUSED(arg);
 
-	REQUIRE(rdata->type == 20);
-
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/generic/isdn_20.h b/lib/dns/rdata/generic/isdn_20.h
index 9ea2723b..42fc75c4 100644
--- a/lib/dns/rdata/generic/isdn_20.h
+++ b/lib/dns/rdata/generic/isdn_20.h
@@ -15,7 +15,20 @@
  * SOFTWARE.
  */
 
-/* $Id: isdn_20.h,v 1.7 2000/03/20 22:57:12 gson Exp $ */
+#ifndef GENERIC_ISDN_20_H
+#define GENERIC_ISDN_20_H 1
+
+/* $Id: isdn_20.h,v 1.10 2000/05/04 23:50:56 explorer Exp $ */
 
 /* RFC 1183 */
 
+typedef struct dns_rdata_isdn {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	char			*isdn;
+	char			*subaddress;
+	isc_uint8_t		isdn_len;
+	isc_uint8_t		subaddress_len;
+} dns_rdata_isdn_t;
+
+#endif /* GENERIC_ISDN_20_H */
diff --git a/lib/dns/rdata/generic/key_25.c b/lib/dns/rdata/generic/key_25.c
index fdddffb6..27c6014f 100644
--- a/lib/dns/rdata/generic/key_25.c
+++ b/lib/dns/rdata/generic/key_25.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: key_25.c,v 1.17 2000/03/16 22:42:32 halley Exp $ */
+/* $Id: key_25.c,v 1.25 2000/05/22 12:37:37 marka Exp $ */
 
 /*
  * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
@@ -26,6 +26,8 @@
 #ifndef RDATA_GENERIC_KEY_25_C
 #define RDATA_GENERIC_KEY_25_C
 
+#define RRTYPE_KEY_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+
 static inline isc_result_t
 fromtext_key(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	     isc_lex_t *lexer, dns_name_t *origin,
@@ -59,7 +61,7 @@ fromtext_key(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	
 	/* No Key? */
 	if ((flags & 0xc000) == 0xc000)
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 
 	return (isc_base64_tobuffer(lexer, target, -1));
 }
@@ -98,7 +100,7 @@ totext_key(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 
 	/* No Key? */
 	if ((flags & 0xc000) == 0xc00)
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 
 	/* key */
 	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
@@ -109,7 +111,7 @@ totext_key(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
 		RETERR(str_totext(" )", target));
 
-	return DNS_R_SUCCESS;
+	return ISC_R_SUCCESS;
 }
 
 static inline isc_result_t
@@ -125,9 +127,9 @@ fromwire_key(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	REQUIRE(type == 25);
 
-	isc_buffer_active(source, &sr);
+	isc_buffer_activeregion(source, &sr);
 	if (sr.length < 4)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 
 	isc_buffer_forward(source, sr.length);
 	return (mem_tobuffer(target, sr.base, sr.length));
@@ -163,17 +165,12 @@ static inline isc_result_t
 fromstruct_key(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	       isc_buffer_t *target)
 {
-	dns_rdata_generic_key_t *key;
-	isc_region_t tr;
-
-	UNUSED(rdclass);
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_key_t *key = source;
 
 	REQUIRE(type == 25);
-	
-	key = (dns_rdata_generic_key_t *) source;
-	REQUIRE(key->mctx != NULL);
+	REQUIRE(source != NULL);
+	REQUIRE(key->common.rdtype == type);
+	REQUIRE(key->common.rdclass == rdclass);
 
 	/* Flags */
 	RETERR(uint16_tobuffer(key->flags, target));
@@ -185,32 +182,21 @@ fromstruct_key(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	RETERR(uint8_tobuffer(key->algorithm, target));
 
 	/* Data */
-	if (key->datalen > 0) {
-		isc_buffer_available(target, &tr);
-		if (tr.length < key->datalen)
-			return (DNS_R_NOSPACE);
-		memcpy(tr.base, key->data, key->datalen);
-		isc_buffer_add(target, key->datalen);
-	}
-
-	return (DNS_R_SUCCESS);
+	return (mem_tobuffer(target, key->data, key->datalen));
 }
 
 static inline isc_result_t
 tostruct_key(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
-	dns_rdata_generic_key_t *key;
+	dns_rdata_key_t *key = target;
 	isc_region_t sr;
 
-	UNUSED(target);
-	UNUSED(mctx);
-
 	REQUIRE(rdata->type == 25);
+	REQUIRE(target != NULL);
 
-	key = (dns_rdata_generic_key_t *) target;
 	key->common.rdclass = rdata->rdclass;
 	key->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&key->common, link);
-	key->mctx = mctx;
+
 	dns_rdata_toregion(rdata, &sr);
 
 	/* Flags */
@@ -234,27 +220,29 @@ tostruct_key(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
 	/* Data */
 	key->datalen = sr.length;
 	if (key->datalen > 0) {
-		key->data = isc_mem_get(mctx, key->datalen);
+		key->data = mem_maybedup(mctx, sr.base, key->datalen);
 		if (key->data == NULL)
-			return (DNS_R_NOMEMORY);
-		memcpy(key->data, sr.base, key->datalen);
-		isc_region_consume(&sr, key->datalen);
-	}
-	else
+			return (ISC_R_NOMEMORY);
+	} else
 		key->data = NULL;
 
-	return (DNS_R_SUCCESS);
+	key->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_key(void *source) {
-	dns_rdata_generic_key_t *key = (dns_rdata_generic_key_t *) source;
+	dns_rdata_key_t *key = (dns_rdata_key_t *) source;
 
 	REQUIRE(source != NULL);
 	REQUIRE(key->common.rdtype == 25);
 
-	if (key->datalen > 0)
-		isc_mem_put(key->mctx, key->data, key->datalen);
+	if (key->mctx == NULL)
+		return;
+
+	if (key->data != NULL)
+		isc_mem_free(key->mctx, key->data);
+	key->mctx = NULL;
 }
 
 static inline isc_result_t
@@ -263,10 +251,11 @@ additionaldata_key(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 {
 	REQUIRE(rdata->type == 25);
 
+	UNUSED(rdata);
 	UNUSED(add);
 	UNUSED(arg);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/generic/key_25.h b/lib/dns/rdata/generic/key_25.h
index 864c3b54..25bd6765 100644
--- a/lib/dns/rdata/generic/key_25.h
+++ b/lib/dns/rdata/generic/key_25.h
@@ -15,11 +15,14 @@
  * SOFTWARE.
  */
 
-/* $Id: key_25.h,v 1.9 2000/03/20 22:57:12 gson Exp $ */
+#ifndef GENERIC_KEY_25_H
+#define GENERIC_KEY_25_H 1
+
+/* $Id: key_25.h,v 1.11 2000/04/29 02:01:38 tale Exp $ */
 
 /* RFC 2535 */
 
-typedef struct dns_rdata_generic_key_t {
+typedef struct dns_rdata_key_t {
         dns_rdatacommon_t	common;
         isc_mem_t *		mctx;
         isc_uint16_t		flags;
@@ -27,5 +30,7 @@ typedef struct dns_rdata_generic_key_t {
         isc_uint8_t		algorithm;
         isc_uint16_t		datalen;
         unsigned char *		data;
-} dns_rdata_generic_key_t;
+} dns_rdata_key_t;
+
 
+#endif /* GENERIC_KEY_25_H */
diff --git a/lib/dns/rdata/generic/loc_29.c b/lib/dns/rdata/generic/loc_29.c
index 0beeed93..ebd19919 100644
--- a/lib/dns/rdata/generic/loc_29.c
+++ b/lib/dns/rdata/generic/loc_29.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: loc_29.c,v 1.12 2000/03/16 02:18:15 explorer Exp $ */
+/* $Id: loc_29.c,v 1.20 2000/05/22 12:37:38 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 18:13:09 PST 2000 by explorer */
 
@@ -24,6 +24,8 @@
 #ifndef RDATA_GENERIC_LOC_29_C
 #define RDATA_GENERIC_LOC_29_C
 
+#define RRTYPE_LOC_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	     isc_lex_t *lexer, dns_name_t *origin,
@@ -57,7 +59,9 @@ fromtext_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	REQUIRE(type == 29);
 	
-	/* defaults */
+	/*
+	 * Defaults.
+	 */
 	m1 = s1 = 0;
 	m2 = s2 = 0;
 	size = 0x12;	/* 1.00m */
@@ -65,12 +69,16 @@ fromtext_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	vp = 0x13;	/* 10.00 m */
 	version = 0;
 
-	/* degree */
+	/*
+	 * Degrees.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
 	if (token.value.as_ulong > 90)
-		return (DNS_R_RANGE);
-	d1 = token.value.as_ulong;
-	/* minute */
+		return (ISC_R_RANGE);
+	d1 = (int)token.value.as_ulong;
+	/*
+	 * Minutes.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	if (strcasecmp(token.value.as_pointer, "N") == 0)
 		north = ISC_TRUE;
@@ -80,11 +88,13 @@ fromtext_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	if (*e != 0)
 		return (DNS_R_SYNTAX);
 	if (m1 < 0 || m1 > 59)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	if (d1 == 90 && m1 != 0)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 
-	/* second */
+	/*
+	 * Seconds.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	if (strcasecmp(token.value.as_pointer, "N") == 0)
 		north = ISC_TRUE;
@@ -94,7 +104,7 @@ fromtext_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	if (*e != 0 && *e != '.')
 		return (DNS_R_SYNTAX);
 	if (s1 < 0 || s1 > 59)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	if (*e == '.') {
 		e++;
 		for (i = 0; i < 3 ; i++) {
@@ -112,9 +122,11 @@ fromtext_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	} else
 		s1 *= 1000;
 	if (d1 == 90 && s1 != 0)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 
-	/* direction */
+	/*
+	 * Direction.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	if (strcasecmp(token.value.as_pointer, "N") == 0)
 		north = ISC_TRUE;
@@ -122,13 +134,17 @@ fromtext_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		return (DNS_R_SYNTAX);
 
  getlong:
-	/* degree */
+	/*
+	 * Degrees.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
 	if (token.value.as_ulong > 180)
-		return (DNS_R_RANGE);
-	d2 = token.value.as_ulong;
+		return (ISC_R_RANGE);
+	d2 = (int)token.value.as_ulong;
 
-	/* minute */
+	/*
+	 * Minutes.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	if (strcasecmp(token.value.as_pointer, "E") == 0)
 		east = ISC_TRUE;
@@ -138,11 +154,13 @@ fromtext_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	if (*e != 0)
 		return (DNS_R_SYNTAX);
 	if (m2 < 0 || m2 > 59)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	if (d2 == 180 && m2 != 0)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 		
-	/* second */
+	/*
+	 * Seconds.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	if (strcasecmp(token.value.as_pointer, "E") == 0)
 		east = ISC_TRUE;
@@ -152,7 +170,7 @@ fromtext_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	if (*e != 0 && *e != '.')
 		return (DNS_R_SYNTAX);
 	if (s2 < 0 || s2 > 59)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	if (*e == '.') {
 		e++;
 		for (i = 0; i < 3 ; i++) {
@@ -170,9 +188,11 @@ fromtext_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	} else
 		s2 *= 1000;
 	if (d2 == 180 && s2 != 0)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 
-	/* direction */
+	/*
+	 * Direction.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	if (strcasecmp(token.value.as_pointer, "E") == 0)
 		east = ISC_TRUE;
@@ -180,13 +200,15 @@ fromtext_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		return (DNS_R_SYNTAX);
 
  getalt:
-	/* alt */
+	/*
+	 * Altitude.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	m = strtol(token.value.as_pointer, &e, 10);
 	if (*e != 0 && *e != '.' && *e != 'm')
 		return (DNS_R_SYNTAX);
 	if (m < -100000 || m > 42849672)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	cm = 0;
 	if (*e == '.') {
 		e++;
@@ -209,15 +231,19 @@ fromtext_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	if (*e != 0)
 		return (DNS_R_SYNTAX);
 	if (m == -100000 && cm != 0)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	if (m == 42849672 && cm > 95)
-		return (DNS_R_RANGE);
-	/* adjust base */
+		return (ISC_R_RANGE);
+	/*
+	 * Adjust base.
+	 */
 	altitude = m + 100000;
 	altitude *= 100;
 	altitude += cm;
 
-	/* size: optional */
+	/*
+	 * Size: optional.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_TRUE));
 	if (token.type == isc_tokentype_eol ||
 	    token.type == isc_tokentype_eof) {
@@ -228,7 +254,7 @@ fromtext_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	if (*e != 0 && *e != '.' && *e != 'm')
 		return (DNS_R_SYNTAX);
 	if (m < 0 || m > 90000000)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	cm = 0;
 	if (*e == '.') {
 		e++;
@@ -247,7 +273,9 @@ fromtext_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		e++;
 	if (*e != 0)
 		return (DNS_R_SYNTAX);
-	/* we don't just multiply out as we will overflow */
+	/*
+	 * We don't just multiply out as we will overflow.
+	 */
 	if (m > 0) {
 		for (exp = 0 ; exp < 7 ; exp++)
 			if (m < poweroften[exp+1])
@@ -265,7 +293,9 @@ fromtext_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	}
 	size = (man << 4) + exp;
 
-	/* hp: optional */
+	/*
+	 * Horizontal precision: optional.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_TRUE));
 	if (token.type == isc_tokentype_eol ||
 	    token.type == isc_tokentype_eof) {
@@ -276,7 +306,7 @@ fromtext_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	if (*e != 0 && *e != '.' && *e != 'm')
 		return (DNS_R_SYNTAX);
 	if (m < 0 || m > 90000000)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	cm = 0;
 	if (*e == '.') {
 		e++;
@@ -295,7 +325,9 @@ fromtext_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		e++;
 	if (*e != 0)
 		return (DNS_R_SYNTAX);
-	/* we don't just multiply out as we will overflow */
+	/*
+	 * We don't just multiply out as we will overflow.
+	 */
 	if (m > 0) {
 		for (exp = 0 ; exp < 7 ; exp++)
 			if (m < poweroften[exp+1])
@@ -311,7 +343,9 @@ fromtext_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	}
 	hp = (man << 4) + exp;
 
-	/* vp: optional */
+	/*
+	 * Vertical precision: optional.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_TRUE));
 	if (token.type == isc_tokentype_eol ||
 	    token.type == isc_tokentype_eof) {
@@ -322,7 +356,7 @@ fromtext_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	if (*e != 0 && *e != '.' && *e != 'm')
 		return (DNS_R_SYNTAX);
 	if (m < 0 || m > 90000000)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	cm = 0;
 	if (*e == '.') {
 		e++;
@@ -341,7 +375,9 @@ fromtext_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		e++;
 	if (*e != 0)
 		return (DNS_R_SYNTAX);
-	/* we don't just multiply out as we will overflow */
+	/*
+	 * We don't just multiply out as we will overflow.
+	 */
 	if (m > 0) {
 		for (exp = 0 ; exp < 7 ; exp++)
 			if (m < poweroften[exp+1])
@@ -390,11 +426,11 @@ totext_loc(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	isc_boolean_t east;
 	isc_boolean_t below;
 	isc_region_t sr;
-	char buf[sizeof
-   "89 59 59.999 N 179 59 59.999 E 42849672.95m 90000000m 90000000m 90000000m"];
-	char sbuf[sizeof "90000000m"];
-	char hbuf[sizeof "90000000m"];
-	char vbuf[sizeof "90000000m"];
+	char buf[sizeof("89 59 59.999 N 179 59 59.999 E "
+			"42849672.95m 90000000m 90000000m 90000000m")];
+	char sbuf[sizeof("90000000m")];
+	char hbuf[sizeof("90000000m")];
+	char vbuf[sizeof("90000000m")];
 	unsigned char size, hp, vp;
 	unsigned long poweroften[8] = { 1, 10, 100, 1000,
 					10000, 100000, 1000000, 10000000 };
@@ -432,13 +468,13 @@ totext_loc(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 		north = ISC_FALSE;
 		latitude = 0x80000000 - latitude;
 	}
-	fs1 = latitude % 1000;
+	fs1 = (int)(latitude % 1000);
 	latitude /= 1000;
-	s1 = latitude % 60;
+	s1 = (int)(latitude % 60);
 	latitude /= 60;
-	m1 = latitude % 60;
+	m1 = (int)(latitude % 60);
 	latitude /= 60;
-	d1 = latitude;
+	d1 = (int)latitude;
 
 	longitude = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
@@ -449,13 +485,13 @@ totext_loc(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 		east = ISC_FALSE;
 		longitude = 0x80000000 - longitude;
 	}
-	fs2 = longitude % 1000;
+	fs2 = (int)(longitude % 1000);
 	longitude /= 1000;
-	s2 = longitude % 60;
+	s2 = (int)(longitude % 60);
 	longitude /= 60;
-	m2 = longitude % 60;
+	m2 = (int)(longitude % 60);
 	longitude /= 60;
-	d2 = longitude;
+	d2 = (int)longitude;
 
 	altitude = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
@@ -492,67 +528,77 @@ fromwire_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	REQUIRE(type == 29);
 	
-	isc_buffer_active(source, &sr);
+	isc_buffer_activeregion(source, &sr);
 	if (sr.length < 1)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	if (sr.base[0] != 0)
-		return (DNS_R_NOTIMPLEMENTED);
+		return (ISC_R_NOTIMPLEMENTED);
 	if (sr.length < 16)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 
-	/* size */
+	/*
+	 * Size.
+	 */
 	c = sr.base[1];
 	if (c != 0)
 		if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
-			return (DNS_R_RANGE);
+			return (ISC_R_RANGE);
 
-	/* horiz pre */
+	/*
+	 * Horizontal precision.
+	 */
 	c = sr.base[2];
 	if (c != 0)
 		if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
-			return (DNS_R_RANGE);
+			return (ISC_R_RANGE);
 
-	/* vert pre */
+	/*
+	 * Vertical precision.
+	 */
 	c = sr.base[3];
 	if (c != 0)
 		if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0) 
-			return (DNS_R_RANGE);
+			return (ISC_R_RANGE);
 	isc_region_consume(&sr, 4);
 
-	/* latitude */
+	/*
+	 * Latitude.
+	 */
 	latitude = uint32_fromregion(&sr);
 	if (latitude < (0x80000000UL - 90 * 3600000) ||
 	    latitude > (0x80000000UL + 90 * 3600000))
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	isc_region_consume(&sr, 4);
 
-	/* longitude */
+	/*
+	 * Longitude.
+	 */
 	longitude = uint32_fromregion(&sr);
 	if (longitude < (0x80000000UL - 180 * 3600000) ||
 	    longitude > (0x80000000UL + 180 * 3600000))
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 
-	/* altitiude */
-	/* all values possible */
+	/*
+	 * Altitiude.
+	 * All values possible.
+	 */
 
-	isc_buffer_active(source, &sr);
+	isc_buffer_activeregion(source, &sr);
 	isc_buffer_forward(source, 16);
 	return (mem_tobuffer(target, sr.base, 16));
 }
 
 static inline isc_result_t
-towire_loc(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
-{
+towire_loc(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 	UNUSED(cctx);
 
 	REQUIRE(rdata->type == 29);
 	
-	return(mem_tobuffer(target, rdata->data, rdata->length));
+	return (mem_tobuffer(target, rdata->data, rdata->length));
 }
 
 static inline int
-compare_loc(dns_rdata_t *rdata1, dns_rdata_t *rdata2)
-{
+compare_loc(dns_rdata_t *rdata1, dns_rdata_t *rdata2) {
 	isc_region_t r1;
 	isc_region_t r2;
 
@@ -569,48 +615,106 @@ static inline isc_result_t
 fromstruct_loc(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
                isc_buffer_t *target)
 {
-	UNUSED(rdclass);
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_loc_t *loc = source;
+	isc_uint8_t c;
 
 	REQUIRE(type == 29);
+	REQUIRE(source != NULL);
+	REQUIRE(loc->common.rdtype == type);
+	REQUIRE(loc->common.rdclass == rdclass);
 	
-	return (DNS_R_NOTIMPLEMENTED);
+	if (loc->v.v0.version != 0)
+		return (ISC_R_NOTIMPLEMENTED);
+	RETERR(uint8_tobuffer(loc->v.v0.version, target));
+
+	c = loc->v.v0.size;
+	if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0) 
+		return (ISC_R_RANGE);
+	RETERR(uint8_tobuffer(loc->v.v0.size, target));
+
+	c = loc->v.v0.horizontal;
+	if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0) 
+		return (ISC_R_RANGE);
+	RETERR(uint8_tobuffer(loc->v.v0.horizontal, target));
+
+	c = loc->v.v0.vertical;
+	if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0) 
+		return (ISC_R_RANGE);
+	RETERR(uint8_tobuffer(loc->v.v0.vertical, target));
+
+	if (loc->v.v0.latitude < (0x80000000UL - 90 * 3600000) ||
+	    loc->v.v0.latitude > (0x80000000UL + 90 * 3600000))
+		return (ISC_R_RANGE);
+	RETERR(uint32_tobuffer(loc->v.v0.latitude, target));
+
+	if (loc->v.v0.longitude < (0x80000000UL - 180 * 3600000) ||
+	    loc->v.v0.longitude > (0x80000000UL + 180 * 3600000))
+		return (ISC_R_RANGE);
+	RETERR(uint32_tobuffer(loc->v.v0.longitude, target));
+	return (uint32_tobuffer(loc->v.v0.altitude, target));
 }
 
 static inline isc_result_t
-tostruct_loc(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
-{
-	UNUSED(target);
-	UNUSED(mctx);
+tostruct_loc(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
+	dns_rdata_loc_t *loc = target;
+	isc_region_t r;
+	isc_uint8_t version;
 
 	REQUIRE(rdata->type == 29);
+	REQUIRE(target != NULL);
+
+	UNUSED(mctx);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_rdata_toregion(rdata, &r);
+	version = uint8_fromregion(&r);
+	if (version != 0)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	loc->common.rdclass = rdata->rdclass;
+	loc->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&loc->common, link);
+
+	loc->v.v0.version = version;
+	isc_region_consume(&r, 1);
+	loc->v.v0.size = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	loc->v.v0.horizontal = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	loc->v.v0.vertical = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	loc->v.v0.latitude = uint32_fromregion(&r);
+	isc_region_consume(&r, 4);
+	loc->v.v0.longitude = uint32_fromregion(&r);
+	isc_region_consume(&r, 4);
+	loc->v.v0.altitude = uint32_fromregion(&r);
+	isc_region_consume(&r, 4);
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
-freestruct_loc(void *source)
-{
+freestruct_loc(void *source) {
+	dns_rdata_loc_t *loc = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/*XXX*/
+	REQUIRE(loc->common.rdtype == 29);
+
+	UNUSED(source);
 }
 
 static inline isc_result_t
-additionaldata_loc(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
-		   void *arg)
+additionaldata_loc(dns_rdata_t *rdata, dns_additionaldatafunc_t add, void *arg)
 {
+	REQUIRE(rdata->type == 29);
+
+	UNUSED(rdata);
 	UNUSED(add);
 	UNUSED(arg);
 
-	REQUIRE(rdata->type == 29);
-
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
-digest_loc(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg)
-{
+digest_loc(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
 	isc_region_t r;
 
 	REQUIRE(rdata->type == 29);
diff --git a/lib/dns/rdata/generic/loc_29.h b/lib/dns/rdata/generic/loc_29.h
index b1d90fa8..18c774bf 100644
--- a/lib/dns/rdata/generic/loc_29.h
+++ b/lib/dns/rdata/generic/loc_29.h
@@ -15,7 +15,28 @@
  * SOFTWARE.
  */
 
-/* $Id: loc_29.h,v 1.7 2000/03/16 02:18:16 explorer Exp $ */
+#ifndef GENERIC_LOC_29_H
+#define GENERIC_LOC_29_H 1
+
+/* $Id: loc_29.h,v 1.11 2000/05/22 12:37:39 marka Exp $ */
 
 /* RFC 1876 */
 
+typedef struct dns_rdata_loc_0 {
+	isc_uint8_t	version;	/* must be first and zero */
+	isc_uint8_t	size;
+	isc_uint8_t	horizontal;
+	isc_uint8_t	vertical;	
+	isc_uint32_t	latitude;
+	isc_uint32_t	longitude;
+	isc_uint32_t	altitude;
+} dns_rdata_loc_0_t;
+
+typedef struct dns_rdata_loc {
+	dns_rdatacommon_t	common;
+	union {
+		dns_rdata_loc_0_t v0;
+	} v;
+} dns_rdata_loc_t;
+
+#endif /* GENERIC_LOC_29_H */
diff --git a/lib/dns/rdata/generic/mb_7.c b/lib/dns/rdata/generic/mb_7.c
index 606292d6..1f6c2f61 100644
--- a/lib/dns/rdata/generic/mb_7.c
+++ b/lib/dns/rdata/generic/mb_7.c
@@ -15,13 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: mb_7.c,v 1.22 2000/03/16 02:08:50 bwelling Exp $ */
+/* $Id: mb_7.c,v 1.29 2000/05/22 12:37:40 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 17:31:26 PST 2000 by bwelling */
 
 #ifndef RDATA_GENERIC_MB_7_C
 #define RDATA_GENERIC_MB_7_C
 
+#define RRTYPE_MB_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_mb(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	    isc_lex_t *lexer, dns_name_t *origin,
@@ -38,8 +40,7 @@ fromtext_mb(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	return (dns_name_fromtext(&name, &buffer, origin, downcase, target));
 }
@@ -77,10 +78,7 @@ fromwire_mb(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	REQUIRE(type == 7);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
 
         dns_name_init(&name, NULL);
         return (dns_name_fromwire(&name, source, dctx, downcase, target));
@@ -93,10 +91,7 @@ towire_mb(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 
 	REQUIRE(rdata->type == 7);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
 
 	dns_name_init(&name, NULL);
 	dns_rdata_toregion(rdata, &region);
@@ -132,29 +127,51 @@ static inline isc_result_t
 fromstruct_mb(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	     isc_buffer_t *target)
 {
-	UNUSED(rdclass);
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_mb_t *mb = source;
+	isc_region_t region;
 
 	REQUIRE(type == 7);
+	REQUIRE(source != NULL);
+	REQUIRE(mb->common.rdtype == type);
+	REQUIRE(mb->common.rdclass == rdclass);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_toregion(&mb->mb, &region);
+	return (isc_buffer_copyregion(target, &region));
 }
 
 static inline isc_result_t
 tostruct_mb(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
-	UNUSED(target);
-	UNUSED(mctx);
+	isc_region_t region;
+	dns_rdata_mb_t *mb = target;
+	dns_name_t name;
 
 	REQUIRE(rdata->type == 7);
+	REQUIRE(target != NULL);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	mb->common.rdclass = rdata->rdclass;
+	mb->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&mb->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&mb->mb, NULL);
+	RETERR(name_duporclone(&name, mctx, &mb->mb));
+	mb->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_mb(void *source) {
+	dns_rdata_mb_t *mb = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/*XXX*/
+
+	if (mb->mctx == NULL)
+		return;
+	
+	dns_name_free(&mb->mb, mb->mctx);
+	mb->mctx = NULL;
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/generic/mb_7.h b/lib/dns/rdata/generic/mb_7.h
index e8aea9eb..2f7bdbee 100644
--- a/lib/dns/rdata/generic/mb_7.h
+++ b/lib/dns/rdata/generic/mb_7.h
@@ -15,5 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: mb_7.h,v 1.15 2000/03/20 22:57:12 gson Exp $ */
+#ifndef GENERIC_MB_7_H
+#define GENERIC_MB_7_H 1
 
+/* $Id: mb_7.h,v 1.18 2000/05/08 14:36:47 tale Exp $ */
+
+typedef struct dns_rdata_mb {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		mb;
+} dns_rdata_mb_t;
+
+#endif /* GENERIC_MB_7_H */
diff --git a/lib/dns/rdata/generic/md_3.c b/lib/dns/rdata/generic/md_3.c
index a2313375..a7435655 100644
--- a/lib/dns/rdata/generic/md_3.c
+++ b/lib/dns/rdata/generic/md_3.c
@@ -15,13 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: md_3.c,v 1.23 2000/03/16 02:08:51 bwelling Exp $ */
+/* $Id: md_3.c,v 1.31 2000/05/22 12:37:41 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 17:48:20 PST 2000 by bwelling */
 
 #ifndef RDATA_GENERIC_MD_3_C
 #define RDATA_GENERIC_MD_3_C
 
+#define RRTYPE_MD_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_md(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	    isc_lex_t *lexer, dns_name_t *origin,
@@ -38,8 +40,7 @@ fromtext_md(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	return (dns_name_fromtext(&name, &buffer, origin, downcase, target));
 }
@@ -77,10 +78,7 @@ fromwire_md(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	REQUIRE(type == 3);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
 
         dns_name_init(&name, NULL);
         return (dns_name_fromwire(&name, source, dctx, downcase, target));
@@ -93,10 +91,7 @@ towire_md(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 
 	REQUIRE(rdata->type == 3);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
 
 	dns_name_init(&name, NULL);
 	dns_rdata_toregion(rdata, &region);
@@ -132,29 +127,52 @@ static inline isc_result_t
 fromstruct_md(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	      isc_buffer_t *target)
 {
-	UNUSED(rdclass);
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_md_t *md = source;
+	isc_region_t region;
 
 	REQUIRE(type == 3);
+	REQUIRE(source != NULL);
+	REQUIRE(md->common.rdtype == type);
+	REQUIRE(md->common.rdclass == rdclass);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_toregion(&md->md, &region);
+	return (isc_buffer_copyregion(target, &region));
 }
 
 static inline isc_result_t
 tostruct_md(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
-	UNUSED(target);
-	UNUSED(mctx);
+	dns_rdata_md_t *md = target;
+	isc_region_t r;
+	dns_name_t name;
 
 	REQUIRE(rdata->type == 3);
+	REQUIRE(target != NULL);
+
+	md->common.rdclass = rdata->rdclass;
+	md->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&md->common, link);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &r);
+	dns_name_fromregion(&name, &r);
+	dns_name_init(&md->md, NULL);
+	RETERR(name_duporclone(&name, mctx, &md->md));
+	md->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_md(void *source) {
+	dns_rdata_md_t *md = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/*XXX*/
+	REQUIRE(md->common.rdtype == 3);
+
+	if (md->mctx == NULL)
+		return;
+
+	dns_name_free(&md->md, md->mctx);
+	md->mctx = NULL;
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/generic/md_3.h b/lib/dns/rdata/generic/md_3.h
index 10244f77..cd9a0075 100644
--- a/lib/dns/rdata/generic/md_3.h
+++ b/lib/dns/rdata/generic/md_3.h
@@ -15,5 +15,16 @@
  * SOFTWARE.
  */
 
-/* $Id: md_3.h,v 1.16 2000/03/20 22:57:12 gson Exp $ */
+#ifndef GENERIC_MD_3_H
+#define GENERIC_MD_3_H 1
 
+/* $Id: md_3.h,v 1.19 2000/05/08 14:36:48 tale Exp $ */
+
+typedef struct dns_rdata_md {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		md;
+} dns_rdata_md_t;
+
+
+#endif /* GENERIC_MD_3_H */
diff --git a/lib/dns/rdata/generic/mf_4.c b/lib/dns/rdata/generic/mf_4.c
index 645f5d64..4a9400e2 100644
--- a/lib/dns/rdata/generic/mf_4.c
+++ b/lib/dns/rdata/generic/mf_4.c
@@ -15,13 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: mf_4.c,v 1.21 2000/03/16 02:00:34 brister Exp $ */
+/* $Id: mf_4.c,v 1.29 2000/05/22 12:37:42 marka Exp $ */
 
 /* reviewed: Wed Mar 15 17:47:33 PST 2000 by brister */
 
 #ifndef RDATA_GENERIC_MF_4_C
 #define RDATA_GENERIC_MF_4_C
 
+#define RRTYPE_MF_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_mf(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	    isc_lex_t *lexer, dns_name_t *origin,
@@ -38,8 +40,7 @@ fromtext_mf(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	return (dns_name_fromtext(&name, &buffer, origin, downcase, target));
 }
@@ -77,10 +78,7 @@ fromwire_mf(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	UNUSED(rdclass);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
         
         dns_name_init(&name, NULL);
         return (dns_name_fromwire(&name, source, dctx, downcase, target));
@@ -94,10 +92,7 @@ towire_mf(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
 
 	REQUIRE(rdata->type == 4);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
 
 	dns_name_init(&name, NULL);
 	dns_rdata_toregion(rdata, &region);
@@ -134,34 +129,53 @@ static inline isc_result_t
 fromstruct_mf(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	      isc_buffer_t *target)
 {
+	dns_rdata_mf_t *mf = source;
+	isc_region_t region;
 
 	REQUIRE(type == 4);
+	REQUIRE(source != NULL);
+	REQUIRE(mf->common.rdtype == type);
+	REQUIRE(mf->common.rdclass == rdclass);
 
-	UNUSED(rdclass);
-
-	UNUSED(source);
-	UNUSED(target);
-
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_toregion(&mf->mf, &region);
+	return (isc_buffer_copyregion(target, &region));
 }
 
 static inline isc_result_t
 tostruct_mf(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
 {
+	dns_rdata_mf_t *mf = target;
+	isc_region_t r;
+	dns_name_t name;
 
 	REQUIRE(rdata->type == 4);
+	REQUIRE(target != NULL);
 
-	UNUSED(target);
-	UNUSED(mctx);
+	mf->common.rdclass = rdata->rdclass;
+	mf->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&mf->common, link);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &r);
+	dns_name_fromregion(&name, &r);
+	dns_name_init(&mf->mf, NULL);
+	RETERR(name_duporclone(&name, mctx, &mf->mf));
+	mf->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_mf(void *source)
 {
+	dns_rdata_mf_t *mf = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/*XXX*/
+	REQUIRE(mf->common.rdtype == 4);
+
+	if (mf->mctx == NULL)
+		return;
+	dns_name_free(&mf->mf, mf->mctx);
+	mf->mctx = NULL;
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/generic/mf_4.h b/lib/dns/rdata/generic/mf_4.h
index 3220b927..03bdc581 100644
--- a/lib/dns/rdata/generic/mf_4.h
+++ b/lib/dns/rdata/generic/mf_4.h
@@ -15,5 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: mf_4.h,v 1.14 2000/03/20 22:57:12 gson Exp $ */
+#ifndef GENERIC_MF_4_H
+#define GENERIC_MF_4_H 1
 
+/* $Id: mf_4.h,v 1.17 2000/05/08 14:36:49 tale Exp $ */
+
+typedef struct dns_rdata_mf {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		mf;
+} dns_rdata_mf_t;
+
+#endif /* GENERIC_MF_4_H */
diff --git a/lib/dns/rdata/generic/mg_8.c b/lib/dns/rdata/generic/mg_8.c
index fb88192a..f30ec576 100644
--- a/lib/dns/rdata/generic/mg_8.c
+++ b/lib/dns/rdata/generic/mg_8.c
@@ -15,13 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: mg_8.c,v 1.20 2000/03/16 02:00:35 brister Exp $ */
+/* $Id: mg_8.c,v 1.27 2000/05/22 12:37:43 marka Exp $ */
 
 /* reviewed: Wed Mar 15 17:49:21 PST 2000 by brister */
 
 #ifndef RDATA_GENERIC_MG_8_C
 #define RDATA_GENERIC_MG_8_C
 
+#define RRTYPE_MG_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_mg(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	    isc_lex_t *lexer, dns_name_t *origin,
@@ -38,8 +40,7 @@ fromtext_mg(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	return (dns_name_fromtext(&name, &buffer, origin, downcase, target));
 }
@@ -77,10 +78,7 @@ fromwire_mg(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	UNUSED(rdclass);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
         
         dns_name_init(&name, NULL);
         return (dns_name_fromwire(&name, source, dctx, downcase, target));
@@ -94,10 +92,7 @@ towire_mg(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
 
 	REQUIRE(rdata->type == 8);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
 
 	dns_name_init(&name, NULL);
 	dns_rdata_toregion(rdata, &region);
@@ -134,34 +129,53 @@ static inline isc_result_t
 fromstruct_mg(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	      isc_buffer_t *target)
 {
+	dns_rdata_mg_t *mg = source;
+	isc_region_t region;
 
 	REQUIRE(type == 8);
+	REQUIRE(source != NULL);
+	REQUIRE(mg->common.rdtype == type);
+	REQUIRE(mg->common.rdclass == rdclass);
 
-	UNUSED(rdclass);
-
-	UNUSED(source);
-	UNUSED(target);
-
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_toregion(&mg->mg, &region);
+	return (isc_buffer_copyregion(target, &region));
 }
 
 static inline isc_result_t
 tostruct_mg(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
 {
+	isc_region_t region;
+	dns_rdata_mg_t *mg = target;
+	dns_name_t name;
 
 	REQUIRE(rdata->type == 8);
+	REQUIRE(target != NULL);
 
-	UNUSED(target);
-	UNUSED(mctx);
+	mg->common.rdclass = rdata->rdclass;
+	mg->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&mg->common, link);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&mg->mg, NULL);
+	RETERR(name_duporclone(&name, mctx, &mg->mg));
+	mg->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_mg(void *source)
 {
+	dns_rdata_mg_t *mg = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/*XXX*/
+	REQUIRE(mg->common.rdtype == 8);
+	
+	if (mg->mctx == NULL)
+		return;
+	dns_name_free(&mg->mg, mg->mctx);
+	mg->mctx = NULL;
 }
 
 static inline isc_result_t
@@ -170,10 +184,11 @@ additionaldata_mg(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 {
 	REQUIRE(rdata->type == 8);
 
-	(void)add;
-	(void)arg;
+	UNUSED(add);
+	UNUSED(arg);
+	UNUSED(rdata);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/generic/mg_8.h b/lib/dns/rdata/generic/mg_8.h
index f692b561..ba261527 100644
--- a/lib/dns/rdata/generic/mg_8.h
+++ b/lib/dns/rdata/generic/mg_8.h
@@ -15,5 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: mg_8.h,v 1.14 2000/03/20 22:57:13 gson Exp $ */
+#ifndef GENERIC_MG_8_H
+#define GENERIC_MG_8_H 1
 
+/* $Id: mg_8.h,v 1.17 2000/05/08 14:36:50 tale Exp $ */
+
+typedef struct dns_rdata_mg {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		mg;
+} dns_rdata_mg_t;
+
+#endif /* GENERIC_MG_8_H */
diff --git a/lib/dns/rdata/generic/minfo_14.c b/lib/dns/rdata/generic/minfo_14.c
index 5c7ac4a2..dc4f5a97 100644
--- a/lib/dns/rdata/generic/minfo_14.c
+++ b/lib/dns/rdata/generic/minfo_14.c
@@ -15,13 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: minfo_14.c,v 1.21 2000/03/20 22:44:33 gson Exp $ */
+/* $Id: minfo_14.c,v 1.28 2000/05/22 12:37:44 marka Exp $ */
 
 /* reviewed: Wed Mar 15 17:45:32 PST 2000 by brister */
 
 #ifndef RDATA_GENERIC_MINFO_14_C
 #define RDATA_GENERIC_MINFO_14_C
 
+#define RRTYPE_MINFO_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_minfo(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	       isc_lex_t *lexer, dns_name_t *origin,
@@ -40,13 +42,12 @@ fromtext_minfo(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		RETERR(gettoken(lexer, &token, isc_tokentype_string,
 				ISC_FALSE));
 		dns_name_init(&name, NULL);
-		buffer_fromregion(&buffer, &token.value.as_region,
-				  ISC_BUFFERTYPE_TEXT);
+		buffer_fromregion(&buffer, &token.value.as_region);
 		origin = (origin != NULL) ? origin : dns_rootname;
 		RETERR(dns_name_fromtext(&name, &buffer, origin,
 					 downcase, target));
 	}
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -93,10 +94,7 @@ fromwire_minfo(dns_rdataclass_t rdclass, dns_rdatatype_t type,
         
 	REQUIRE(type == 14);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
 
 	UNUSED(rdclass);
 
@@ -116,10 +114,7 @@ towire_minfo(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
 
 	REQUIRE(rdata->type == 14);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
 
 	dns_name_init(&rmail, NULL);
 	dns_name_init(&email, NULL);
@@ -180,34 +175,70 @@ static inline isc_result_t
 fromstruct_minfo(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 		 isc_buffer_t *target)
 {
+	dns_rdata_minfo_t *minfo = source;
+	isc_region_t region;
 
 	REQUIRE(type == 14);
+	REQUIRE(source != NULL);
+	REQUIRE(minfo->common.rdtype == type);
+	REQUIRE(minfo->common.rdclass == rdclass);
 
-	UNUSED(rdclass);
-
-	UNUSED(source);
-	UNUSED(target);
-
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_toregion(&minfo->rmailbox, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+	dns_name_toregion(&minfo->emailbox, &region);
+	return (isc_buffer_copyregion(target, &region));
 }
 
 static inline isc_result_t
 tostruct_minfo(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
 {
-	
+	dns_rdata_minfo_t *minfo = target;
+	isc_region_t region;
+	dns_name_t name;
+	isc_result_t result;
+
 	REQUIRE(rdata->type == 14);
+	REQUIRE(target != NULL);
 
-	UNUSED(target);
-	UNUSED(mctx);
+	minfo->common.rdclass = rdata->rdclass;
+	minfo->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&minfo->common, link);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&minfo->rmailbox, NULL);
+	RETERR(name_duporclone(&name, mctx, &minfo->rmailbox));
+	isc_region_consume(&region, name_length(&name));
+
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&minfo->emailbox, NULL);
+	result = name_duporclone(&name, mctx, &minfo->emailbox);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	minfo->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL)
+		dns_name_free(&minfo->rmailbox, mctx);
+	return (ISC_R_NOMEMORY);
 }
 
 static inline void
 freestruct_minfo(void *source)
 {
+	dns_rdata_minfo_t *minfo = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/*XXX*/
+	REQUIRE(minfo->common.rdtype == 14);
+
+	if (minfo->mctx == NULL)
+		return;
+
+	dns_name_free(&minfo->rmailbox, minfo->mctx);
+	dns_name_free(&minfo->emailbox, minfo->mctx);
+	minfo->mctx = NULL;
 }
 
 static inline isc_result_t
@@ -216,10 +247,11 @@ additionaldata_minfo(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 {
 	REQUIRE(rdata->type == 14);
 
-	(void)add;
-	(void)arg;
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -235,7 +267,7 @@ digest_minfo(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg)
 	dns_name_init(&name, NULL);
 	dns_name_fromregion(&name, &r);
 	result = dns_name_digest(&name, digest, arg);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	isc_region_consume(&r, name_length(&name));
 	dns_name_init(&name, NULL);
diff --git a/lib/dns/rdata/generic/minfo_14.h b/lib/dns/rdata/generic/minfo_14.h
index 956de030..dbaef0df 100644
--- a/lib/dns/rdata/generic/minfo_14.h
+++ b/lib/dns/rdata/generic/minfo_14.h
@@ -15,5 +15,16 @@
  * SOFTWARE.
  */
 
-/* $Id: minfo_14.h,v 1.15 2000/03/20 22:57:13 gson Exp $ */
+#ifndef GENERIC_MINFO_14_H
+#define GENERIC_MINFO_14_H 1
 
+/* $Id: minfo_14.h,v 1.18 2000/05/08 14:36:51 tale Exp $ */
+
+typedef struct dns_rdata_minfo {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		rmailbox;
+	dns_name_t		emailbox;
+} dns_rdata_minfo_t;
+
+#endif /* GENERIC_MINFO_14_H */
diff --git a/lib/dns/rdata/generic/mr_9.c b/lib/dns/rdata/generic/mr_9.c
index 1731eb0c..1d77eb39 100644
--- a/lib/dns/rdata/generic/mr_9.c
+++ b/lib/dns/rdata/generic/mr_9.c
@@ -15,13 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: mr_9.c,v 1.19 2000/03/16 02:31:14 tale Exp $ */
+/* $Id: mr_9.c,v 1.26 2000/05/22 12:37:46 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 21:30:35 EST 2000 by tale */
 
 #ifndef RDATA_GENERIC_MR_9_C
 #define RDATA_GENERIC_MR_9_C
 
+#define RRTYPE_MR_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_mr(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	    isc_lex_t *lexer, dns_name_t *origin,
@@ -38,8 +40,7 @@ fromtext_mr(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	return (dns_name_fromtext(&name, &buffer, origin, downcase, target));
 }
@@ -76,10 +77,7 @@ fromwire_mr(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	UNUSED(rdclass);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
 
         dns_name_init(&name, NULL);
         return (dns_name_fromwire(&name, source, dctx, downcase, target));
@@ -92,10 +90,7 @@ towire_mr(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 
 	REQUIRE(rdata->type == 9);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
 
 	dns_name_init(&name, NULL);
 	dns_rdata_toregion(rdata, &region);
@@ -131,29 +126,51 @@ static inline isc_result_t
 fromstruct_mr(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	      isc_buffer_t *target)
 {
-	REQUIRE(type == 9);
+	dns_rdata_mr_t *mr = source;
+	isc_region_t region;
 
-	UNUSED(rdclass);
-	UNUSED(source);
-	UNUSED(target);
+	REQUIRE(type == 9);
+	REQUIRE(source != NULL);
+	REQUIRE(mr->common.rdtype == type);
+	REQUIRE(mr->common.rdclass == rdclass);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_toregion(&mr->mr, &region);
+	return (isc_buffer_copyregion(target, &region));
 }
 
 static inline isc_result_t
 tostruct_mr(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
+	isc_region_t region;
+	dns_rdata_mr_t *mr = target;
+	dns_name_t name;
+
 	REQUIRE(rdata->type == 9);
+	REQUIRE(target != NULL);
 
-	UNUSED(target);
-	UNUSED(mctx);
+	mr->common.rdclass = rdata->rdclass;
+	mr->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&mr->common, link);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&mr->mr, NULL);
+	RETERR(name_duporclone(&name, mctx, &mr->mr));
+	mr->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_mr(void *source) {
+	dns_rdata_mr_t *mr = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/*XXX*/
+	REQUIRE(mr->common.rdtype == 9);
+
+	if (mr->mctx == NULL)
+		return;
+	dns_name_free(&mr->mr, mr->mctx);
+	mr->mctx = NULL;
 }
 
 static inline isc_result_t
@@ -162,10 +179,11 @@ additionaldata_mr(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 {
 	REQUIRE(rdata->type == 9);
 
+	UNUSED(rdata);
 	UNUSED(add);
 	UNUSED(arg);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/generic/mr_9.h b/lib/dns/rdata/generic/mr_9.h
index fc814bc1..5fa26bd7 100644
--- a/lib/dns/rdata/generic/mr_9.h
+++ b/lib/dns/rdata/generic/mr_9.h
@@ -15,5 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: mr_9.h,v 1.14 2000/03/20 22:57:13 gson Exp $ */
+#ifndef GENERIC_MR_9_H
+#define GENERIC_MR_9_H 1
 
+/* $Id: mr_9.h,v 1.17 2000/05/08 14:36:52 tale Exp $ */
+
+typedef struct dns_rdata_mr {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		mr;
+} dns_rdata_mr_t;
+
+#endif /* GENERIC_MR_9_H */
diff --git a/lib/dns/rdata/generic/mx_15.c b/lib/dns/rdata/generic/mx_15.c
index 26e715bd..fbebdc9f 100644
--- a/lib/dns/rdata/generic/mx_15.c
+++ b/lib/dns/rdata/generic/mx_15.c
@@ -15,13 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: mx_15.c,v 1.26 2000/03/20 22:44:34 gson Exp $ */
+/* $Id: mx_15.c,v 1.36 2000/05/22 12:37:47 marka Exp $ */
 
 /* reviewed: Wed Mar 15 18:05:46 PST 2000 by brister */
 
 #ifndef RDATA_GENERIC_MX_15_C
 #define RDATA_GENERIC_MX_15_C
 
+#define RRTYPE_MX_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_mx(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	    isc_lex_t *lexer, dns_name_t *origin,
@@ -36,12 +38,13 @@ fromtext_mx(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	UNUSED(rdclass);
 
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
+	if (token.value.as_ulong > 0xffff)
+		return (ISC_R_RANGE);
 	RETERR(uint16_tobuffer(token.value.as_ulong, target));
 
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	return (dns_name_fromtext(&name, &buffer, origin, downcase, target));
 }
@@ -87,33 +90,26 @@ fromwire_mx(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	UNUSED(rdclass);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
         
         dns_name_init(&name, NULL);
 
-	isc_buffer_active(source, &sregion);
+	isc_buffer_activeregion(source, &sregion);
 	if (sregion.length < 2)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	RETERR(mem_tobuffer(target, sregion.base, 2));
 	isc_buffer_forward(source, 2);
 	return (dns_name_fromwire(&name, source, dctx, downcase, target));
 }
 
 static inline isc_result_t
-towire_mx(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
-{
+towire_mx(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 	dns_name_t name;
 	isc_region_t region;
 
 	REQUIRE(rdata->type == 15);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
 
 	dns_rdata_toregion(rdata, &region);
 	RETERR(mem_tobuffer(target, region.base, 2));
@@ -126,8 +122,7 @@ towire_mx(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
 }
 
 static inline int
-compare_mx(dns_rdata_t *rdata1, dns_rdata_t *rdata2)
-{
+compare_mx(dns_rdata_t *rdata1, dns_rdata_t *rdata2) {
 	dns_name_t name1;
 	dns_name_t name2;
 	isc_region_t region1;
@@ -161,32 +156,55 @@ static inline isc_result_t
 fromstruct_mx(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	      isc_buffer_t *target)
 {
-	REQUIRE(type == 15);
-
-	UNUSED(rdclass);
+	dns_rdata_mx_t *mx = source;
+	isc_region_t region;
 
-	UNUSED(source);
-	UNUSED(target);
+	REQUIRE(type == 15);
+	REQUIRE(source != NULL);
+	REQUIRE(mx->common.rdtype == type);
+	REQUIRE(mx->common.rdclass == rdclass);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	RETERR(uint16_tobuffer(mx->pref, target));
+	dns_name_toregion(&mx->mx, &region);
+	return (isc_buffer_copyregion(target, &region));
 }
 
 static inline isc_result_t
-tostruct_mx(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
-{
+tostruct_mx(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
+	isc_region_t region;
+	dns_rdata_mx_t *mx = target;
+	dns_name_t name;
+
 	REQUIRE(rdata->type == 15);
+	REQUIRE(target != NULL);
 
-	UNUSED(target);
-	UNUSED(mctx);
+	mx->common.rdclass = rdata->rdclass;
+	mx->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&mx->common, link);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	mx->pref = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&mx->mx, NULL);
+	RETERR(name_duporclone(&name, mctx, &mx->mx));
+	mx->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
-freestruct_mx(void *source)
-{
+freestruct_mx(void *source) {
+	dns_rdata_mx_t *mx = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/*XXX*/
+	REQUIRE(mx->common.rdtype == 15);
+
+	if (mx->mctx == NULL)
+		return;
+
+	dns_name_free(&mx->mx, mx->mctx);
+	mx->mctx = NULL;
 }
 
 static inline isc_result_t
@@ -207,8 +225,7 @@ additionaldata_mx(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 }
 
 static inline isc_result_t
-digest_mx(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg)
-{
+digest_mx(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
 	isc_region_t r1, r2;
 	dns_name_t name;
 
diff --git a/lib/dns/rdata/generic/mx_15.h b/lib/dns/rdata/generic/mx_15.h
index 3049c259..81f37b58 100644
--- a/lib/dns/rdata/generic/mx_15.h
+++ b/lib/dns/rdata/generic/mx_15.h
@@ -15,5 +15,16 @@
  * SOFTWARE.
  */
 
-/* $Id: mx_15.h,v 1.17 2000/03/20 22:57:13 gson Exp $ */
+#ifndef GENERIC_MX_15_H
+#define GENERIC_MX_15_H 1
 
+/* $Id: mx_15.h,v 1.20 2000/05/08 14:36:53 tale Exp $ */
+
+typedef struct dns_rdata_mx {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	isc_uint16_t		pref;
+	dns_name_t		mx;
+} dns_rdata_mx_t;
+
+#endif /* GENERIC_MX_15_H */
diff --git a/lib/dns/rdata/generic/ns_2.c b/lib/dns/rdata/generic/ns_2.c
index db631b01..7b5e8b55 100644
--- a/lib/dns/rdata/generic/ns_2.c
+++ b/lib/dns/rdata/generic/ns_2.c
@@ -15,13 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: ns_2.c,v 1.22 2000/03/16 02:16:16 bwelling Exp $ */
+/* $Id: ns_2.c,v 1.30 2000/05/22 12:37:48 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 18:15:00 PST 2000 by bwelling */
 
 #ifndef RDATA_GENERIC_NS_2_C
 #define RDATA_GENERIC_NS_2_C
 
+#define RRTYPE_NS_ATTRIBUTES (DNS_RDATATYPEATTR_ZONECUTAUTH)
+
 static inline isc_result_t
 fromtext_ns(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	    isc_lex_t *lexer, dns_name_t *origin,
@@ -38,8 +40,7 @@ fromtext_ns(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	RETERR(gettoken(lexer, &token,isc_tokentype_string, ISC_FALSE));
 
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	return (dns_name_fromtext(&name, &buffer, origin, downcase, target));
 }
@@ -77,10 +78,7 @@ fromwire_ns(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	REQUIRE(type == 2);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
 
         dns_name_init(&name, NULL);
         return (dns_name_fromwire(&name, source, dctx, downcase, target));
@@ -93,10 +91,7 @@ towire_ns(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 
 	REQUIRE(rdata->type == 2);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
 
 	dns_name_init(&name, NULL);
 	dns_rdata_toregion(rdata, &region);
@@ -132,13 +127,16 @@ static inline isc_result_t
 fromstruct_ns(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	      isc_buffer_t *target)
 {
-	UNUSED(rdclass);
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_ns_t *ns = source;
+	isc_region_t region;
 
 	REQUIRE(type == 2);
+	REQUIRE(source != NULL);
+	REQUIRE(ns->common.rdtype == type);
+	REQUIRE(ns->common.rdclass == rdclass);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_toregion(&ns->name, &region);
+	return (isc_buffer_copyregion(target, &region));
 }
 
 static inline isc_result_t
@@ -146,11 +144,9 @@ tostruct_ns(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
 	isc_region_t region;
 	dns_rdata_ns_t *ns = target;
 	dns_name_t name;
-	isc_result_t result;
 
 	REQUIRE(rdata->type == 2);
 	REQUIRE(target != NULL);
-	REQUIRE(mctx != NULL);
 
 	ns->common.rdclass = rdata->rdclass;
 	ns->common.rdtype = rdata->type;
@@ -159,13 +155,10 @@ tostruct_ns(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
 	dns_name_init(&name, NULL);
 	dns_rdata_toregion(rdata, &region);
 	dns_name_fromregion(&name, &region);
-	ns->mctx = mctx;
 	dns_name_init(&ns->name, NULL);
-	result = dns_name_dup(&name, ns->mctx, &ns->name);
-	if (result != ISC_R_SUCCESS)
-		ns->mctx = NULL;
-
-	return (result);
+	RETERR(name_duporclone(&name, mctx, &ns->name));
+	ns->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
@@ -174,6 +167,9 @@ freestruct_ns(void *source) {
 
 	REQUIRE(source != NULL);
 
+	if (ns->mctx == NULL)
+		return;
+
 	dns_name_free(&ns->name, ns->mctx);
 	ns->mctx = NULL;
 }
diff --git a/lib/dns/rdata/generic/ns_2.h b/lib/dns/rdata/generic/ns_2.h
index 6671291d..5819879d 100644
--- a/lib/dns/rdata/generic/ns_2.h
+++ b/lib/dns/rdata/generic/ns_2.h
@@ -15,7 +15,10 @@
  * SOFTWARE.
  */
 
-/* $Id: ns_2.h,v 1.16 2000/03/20 22:57:13 gson Exp $ */
+#ifndef GENERIC_NS_2_H
+#define GENERIC_NS_2_H 1
+
+/* $Id: ns_2.h,v 1.17 2000/04/29 02:01:45 tale Exp $ */
 
 #include <dns/fixedname.h>
 
@@ -25,3 +28,5 @@ typedef struct dns_rdata_ns {
 	dns_name_t		name;
 } dns_rdata_ns_t;
 
+
+#endif /* GENERIC_NS_2_H */
diff --git a/lib/dns/rdata/generic/null_10.c b/lib/dns/rdata/generic/null_10.c
index f0c93f39..ebb5b2f4 100644
--- a/lib/dns/rdata/generic/null_10.c
+++ b/lib/dns/rdata/generic/null_10.c
@@ -15,13 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: null_10.c,v 1.18 2000/03/16 21:58:58 explorer Exp $ */
+/* $Id: null_10.c,v 1.24 2000/05/22 12:37:49 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 13:57:50 PST 2000 by explorer */
 
 #ifndef RDATA_GENERIC_NULL_10_C
 #define RDATA_GENERIC_NULL_10_C
 
+#define RRTYPE_NULL_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_null(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	      isc_lex_t *lexer, dns_name_t *origin,
@@ -43,6 +45,7 @@ static inline isc_result_t
 totext_null(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx, 
 	    isc_buffer_t *target) 
 {
+	UNUSED(rdata);
 	UNUSED(tctx);
 	UNUSED(target);
 
@@ -64,7 +67,7 @@ fromwire_null(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	REQUIRE(type == 10);
 
-	isc_buffer_active(source, &sr);
+	isc_buffer_activeregion(source, &sr);
 	isc_buffer_forward(source, sr.length);
 	return (mem_tobuffer(target, sr.base, sr.length));
 }
@@ -98,43 +101,71 @@ static inline isc_result_t
 fromstruct_null(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	        isc_buffer_t *target)
 {
-	UNUSED(rdclass);
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_null_t *null = source;
 
 	REQUIRE(type == 10);
+	REQUIRE(source != NULL);
+	REQUIRE(null->common.rdtype == type);
+	REQUIRE(null->common.rdclass == rdclass);
+	REQUIRE((null->data != NULL && null->length != 0) ||
+		(null->data == NULL && null->length == 0));
 
-	return (DNS_R_NOTIMPLEMENTED);
+	return (mem_tobuffer(target, null->data, null->length));
 }
 
 static inline isc_result_t
 tostruct_null(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
 {
-	UNUSED(target);
-	UNUSED(mctx);
+	dns_rdata_null_t *null = target;
+	isc_region_t r;
 
 	REQUIRE(rdata->type == 10);
+	REQUIRE(target != NULL);
+
+	null->common.rdclass = rdata->rdclass;
+	null->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&null->common, link);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_rdata_toregion(rdata, &r);
+	null->length = r.length;
+	if (null->length != 0) {
+		null->data = mem_maybedup(mctx, r.base, r.length);
+		if (null->data == NULL)
+			return (ISC_R_NOMEMORY);
+	} else
+		null->data = NULL;
+
+	null->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_null(void *source)
 {
+	dns_rdata_null_t *null = source;
+	
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);
+	REQUIRE(null->common.rdtype == 10);
+
+	if (null->mctx == NULL)
+		return;
+
+	if (null->data != NULL)
+		isc_mem_free(null->mctx, null->data);
+	null->mctx = NULL;
 }
 
 static inline isc_result_t
 additionaldata_null(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 		    void *arg)
 {
+	UNUSED(rdata);
 	UNUSED(add);
 	UNUSED(arg);
 
 	REQUIRE(rdata->type == 10);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/generic/null_10.h b/lib/dns/rdata/generic/null_10.h
index 300aa7fe..6e833907 100644
--- a/lib/dns/rdata/generic/null_10.h
+++ b/lib/dns/rdata/generic/null_10.h
@@ -15,4 +15,17 @@
  * SOFTWARE.
  */
 
-/* $Id: null_10.h,v 1.13 2000/03/20 22:57:13 gson Exp $ */
+#ifndef GENERIC_NULL_10_H
+#define GENERIC_NULL_10_H 1
+
+/* $Id: null_10.h,v 1.15 2000/04/29 02:01:46 tale Exp $ */
+
+typedef struct dns_rdata_null {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	isc_int16_t		length;
+	unsigned char		*data;
+} dns_rdata_null_t;
+
+
+#endif /* GENERIC_NULL_10_H */
diff --git a/lib/dns/rdata/generic/nxt_30.c b/lib/dns/rdata/generic/nxt_30.c
index 1dfd7d95..65433be4 100644
--- a/lib/dns/rdata/generic/nxt_30.c
+++ b/lib/dns/rdata/generic/nxt_30.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: nxt_30.c,v 1.23 2000/03/20 22:48:58 gson Exp $ */
+/* $Id: nxt_30.c,v 1.35 2000/05/22 12:37:50 marka Exp $ */
 
 /* reviewed: Wed Mar 15 18:21:15 PST 2000 by brister */
 
@@ -24,6 +24,12 @@
 #ifndef RDATA_GENERIC_NXT_30_C
 #define RDATA_GENERIC_NXT_30_C
 
+/*
+ * The attributes do not include DNS_RDATATYPEATTR_SINGLETON
+ * because we must be able to handle a parent/child NXT pair.
+ */
+#define RRTYPE_NXT_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+
 static inline isc_result_t
 fromtext_nxt(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	     isc_lex_t *lexer, dns_name_t *origin,
@@ -43,11 +49,12 @@ fromtext_nxt(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	UNUSED(rdclass);
 	
-	/* next domain */
+	/*
+	 * Next domain.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	RETERR(dns_name_fromtext(&name, &buffer, origin, downcase, target));
 
@@ -58,7 +65,7 @@ fromtext_nxt(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		if (token.type != isc_tokentype_string)
 			break;
 		n = strtol(token.value.as_pointer, &e, 10);
-		if (e != token.value.as_pointer && *e == '\0') {
+		if (e != (char *)token.value.as_pointer && *e == '\0') {
 			covered = (dns_rdatatype_t)n;
 		} else if (dns_rdatatype_fromtext(&covered, 
 				&token.value.as_textregion) == DNS_R_UNKNOWN)
@@ -67,7 +74,7 @@ fromtext_nxt(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		 * NXT is only specified for types 1..127.
 		 */
 		if (covered < 1 || covered > 127)
-			return (DNS_R_RANGE);
+			return (ISC_R_RANGE);
 		if (first || covered > maxcovered)
 			maxcovered = covered;
 		first = ISC_FALSE;
@@ -75,21 +82,19 @@ fromtext_nxt(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	} while (1);
 	isc_lex_ungettoken(lexer, &token);
 	if (first) 
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 	n = (maxcovered + 8) / 8;
 	return (mem_tobuffer(target, bm, n));
 }
 
 static inline isc_result_t
-totext_nxt(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx, 
+totext_nxt(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	   isc_buffer_t *target) 
 {
 	isc_region_t sr;
-	char buf[sizeof "65535"];
 	unsigned int i, j;
 	dns_name_t name;
 	dns_name_t prefix;
-	isc_result_t result;
 	isc_boolean_t sub;
 
 	REQUIRE(rdata->type == 30);
@@ -108,19 +113,17 @@ totext_nxt(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 		if (sr.base[i] != 0)
 			for (j = 0; j < 8; j++)
 				if ((sr.base[i] & (0x80 >> j)) != 0) {
-					result = dns_rdatatype_totext(
-						  (dns_rdatatype_t)(i * 8 + j),
-						  target);
-					if (result == DNS_R_SUCCESS) {
-						RETERR(str_totext(" ",
+					dns_rdatatype_t t = i * 8 + j;
+					if (dns_rdatatype_isknown(t)) {
+						RETERR(dns_rdatatype_totext(t,
+								      target));
+					} else {
+						char buf[sizeof "65535"];
+						sprintf(buf, "%u", t);
+						RETERR(str_totext(buf,
 								  target));
-						continue;
 					}
-					if (result != DNS_R_UNKNOWN)
-						return (result);
-					sprintf(buf, "%u", i * 8 + j);
 					RETERR(str_totext(" ", target));
-					RETERR(str_totext(buf, target));
 				}
 	}
 	return (str_totext(")", target));
@@ -138,36 +141,28 @@ fromwire_nxt(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	UNUSED(rdclass);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
 
 	dns_name_init(&name, NULL);
 	RETERR(dns_name_fromwire(&name, source, dctx, downcase, target));
 	
-	isc_buffer_active(source, &sr);
+	isc_buffer_activeregion(source, &sr);
 	/* XXXRTH  Enforce RFC 2535 length rules if bit 0 is not set. */
 	if (sr.length > 8 * 1024)
 		return (DNS_R_EXTRADATA);
 	RETERR(mem_tobuffer(target, sr.base, sr.length));
 	isc_buffer_forward(source, sr.length);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
-towire_nxt(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
-{
+towire_nxt(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 	isc_region_t sr;
 	dns_name_t name;
 
 	REQUIRE(rdata->type == 30);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
 	dns_name_init(&name, NULL);
 	dns_rdata_toregion(rdata, &sr);
 	dns_name_fromregion(&name, &sr);
@@ -206,26 +201,41 @@ static inline isc_result_t
 fromstruct_nxt(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	       isc_buffer_t *target)
 {
+	dns_rdata_nxt_t *nxt = source;
 
 	REQUIRE(type == 30);
+	REQUIRE(source != NULL);
+	REQUIRE(nxt->common.rdtype == type);
+	REQUIRE(nxt->common.rdclass == rdclass);
+	REQUIRE((nxt->nxt != NULL && nxt->len != 0) ||
+		(nxt->nxt == NULL && nxt->len == 0));
 
-	UNUSED(rdclass);
-
-	UNUSED(source);
-	UNUSED(target);
-
-	return (DNS_R_NOTIMPLEMENTED);
+	return (mem_tobuffer(target, nxt->nxt, nxt->len));
 }
 
 static inline isc_result_t
 tostruct_nxt(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
+	dns_rdata_nxt_t *nxt = target;
+	isc_region_t r;
 
 	REQUIRE(rdata->type == 30);
+	REQUIRE(target != NULL);
 
-	UNUSED(target);
-	UNUSED(mctx);
+	nxt->common.rdclass = rdata->rdclass;
+	nxt->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nxt->common, link);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_rdata_toregion(rdata, &r);
+	nxt->len = r.length;
+	if (nxt->len != 0) {
+		nxt->nxt = mem_maybedup(mctx, r.base, r.length);
+		if (nxt->nxt == NULL)
+			return (ISC_R_NOMEMORY);
+	} else
+		nxt->nxt = NULL;
+
+	nxt->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
@@ -234,7 +244,13 @@ freestruct_nxt(void *source) {
 
 	REQUIRE(source != NULL);
 	REQUIRE(nxt->common.rdtype == 30);
-	REQUIRE(ISC_FALSE);
+
+	if (nxt->mctx == NULL)
+		return;
+
+	if (nxt->nxt != NULL)
+		isc_mem_free(nxt->mctx, nxt->nxt);
+	nxt->mctx = NULL;
 }
 
 static inline isc_result_t
@@ -243,10 +259,11 @@ additionaldata_nxt(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 {
 	REQUIRE(rdata->type == 30);
 
-	(void)add;
-	(void)arg;
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -261,7 +278,7 @@ digest_nxt(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
 	dns_name_init(&name, NULL);
 	dns_name_fromregion(&name, &r);
 	result = dns_name_digest(&name, digest, arg);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	isc_region_consume(&r, name_length(&name));
 
diff --git a/lib/dns/rdata/generic/nxt_30.h b/lib/dns/rdata/generic/nxt_30.h
index 9b33b574..fc66d845 100644
--- a/lib/dns/rdata/generic/nxt_30.h
+++ b/lib/dns/rdata/generic/nxt_30.h
@@ -15,11 +15,18 @@
  * SOFTWARE.
  */
 
-/* $Id: nxt_30.h,v 1.12 2000/03/20 22:57:14 gson Exp $ */
+#ifndef GENERIC_NXT_30_H
+#define GENERIC_NXT_30_H 1
+
+/* $Id: nxt_30.h,v 1.14 2000/04/29 02:01:46 tale Exp $ */
 
 /* RFC 2065 */
 
 typedef struct dns_rdata_nxt {
 	dns_rdatacommon_t	common;
-	/*XXX*/
+	isc_mem_t		*mctx;
+	isc_uint16_t		len;
+	unsigned char		*nxt;
 } dns_rdata_nxt_t;
+
+#endif /* GENERIC_NXT_30_H */
diff --git a/lib/dns/rdata/generic/opt_41.c b/lib/dns/rdata/generic/opt_41.c
index e3a696cd..f3754c41 100644
--- a/lib/dns/rdata/generic/opt_41.c
+++ b/lib/dns/rdata/generic/opt_41.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: opt_41.c,v 1.5 2000/03/16 22:42:10 gson Exp $ */
+/* $Id: opt_41.c,v 1.14 2000/05/22 12:37:51 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 14:06:44 PST 2000 by gson */
 
@@ -24,6 +24,10 @@
 #ifndef RDATA_GENERIC_OPT_41_C
 #define RDATA_GENERIC_OPT_41_C
 
+#define RRTYPE_OPT_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON | \
+			       DNS_RDATATYPEATTR_META | \
+			       DNS_RDATATYPEATTR_NOTQUESTION)
+
 static inline isc_result_t
 fromtext_opt(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	     isc_lex_t *lexer, dns_name_t *origin,
@@ -41,23 +45,51 @@ fromtext_opt(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	UNUSED(downcase);
 	UNUSED(target);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	return (ISC_R_NOTIMPLEMENTED);
 }
 
 static inline isc_result_t
 totext_opt(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx, 
 	   isc_buffer_t *target) 
 {
+	isc_region_t r;
+	isc_region_t or;
+	isc_uint16_t option;
+	isc_uint16_t length;
+	char buf[sizeof("64000 64000")];
+
 	/*
 	 * OPT records do not have a text format.
 	 */
 
 	REQUIRE(rdata->type == 41);
 
-	UNUSED(tctx);
-	UNUSED(target);
+	dns_rdata_toregion(rdata, &r);
+	while (r.length > 0) {
+		option = uint16_fromregion(&r);
+		isc_region_consume(&r, 2);
+		length = uint16_fromregion(&r);
+		isc_region_consume(&r, 2);
+		sprintf(buf, "%u %u", option, length);
+		RETERR(str_totext(buf, target));
+		INSIST(r.length >= length);
+		if (length > 0) {
+			if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+				RETERR(str_totext(" (", target));
+			RETERR(str_totext(tctx->linebreak, target));
+			or = r;
+			or.length = length;
+			RETERR(isc_base64_totext(&or, tctx->width - 2,
+						 tctx->linebreak, target));
+			isc_region_consume(&r, length);
+			if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+				RETERR(str_totext(" )", target));
+		}
+		if (r.length > 0)
+			RETERR(str_totext(" ", target));
+	}
 
-	return (DNS_R_NOTIMPLEMENTED);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -67,7 +99,7 @@ fromwire_opt(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 {
 	isc_region_t sregion;
 	isc_region_t tregion;
-	isc_uint16_t option, length;
+	isc_uint16_t length;
 	unsigned int total;
 
 	REQUIRE(type == 41);
@@ -76,31 +108,34 @@ fromwire_opt(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	UNUSED(dctx);
 	UNUSED(downcase);
 
-	isc_buffer_active(source, &sregion);
+	isc_buffer_activeregion(source, &sregion);
 	total = 0;
 	while (sregion.length != 0) {
 		if (sregion.length < 4)
-			return (DNS_R_UNEXPECTEDEND);
-		option = uint16_fromregion(&sregion);
+			return (ISC_R_UNEXPECTEDEND);
+		/*
+		 * Eat the 16bit option code.  There is nothing to
+		 * be done with it currently.
+		 */
 		isc_region_consume(&sregion, 2);
 		length = uint16_fromregion(&sregion);
 		isc_region_consume(&sregion, 2);
 		total += 4;
 		if (sregion.length < length)
-			return (DNS_R_UNEXPECTEDEND);
+			return (ISC_R_UNEXPECTEDEND);
 		isc_region_consume(&sregion, length);
 		total += length;
 	}
 
-	isc_buffer_active(source, &sregion);
-	isc_buffer_available(target, &tregion);
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
 	if (tregion.length < total)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	memcpy(tregion.base, sregion.base, total);
 	isc_buffer_forward(source, total);
 	isc_buffer_add(target, total);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -131,29 +166,72 @@ static inline isc_result_t
 fromstruct_opt(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	       isc_buffer_t *target)
 {
-	REQUIRE(type == 41);
+	dns_rdata_opt_t *opt = source;
+	isc_region_t region;
+	isc_uint8_t length;
 
-	UNUSED(rdclass);
-	UNUSED(source);
-	UNUSED(target);
+	REQUIRE(type == 41);
+	REQUIRE(source != NULL);
+	REQUIRE(opt->common.rdtype == type);
+	REQUIRE(opt->common.rdclass == rdclass);
+	REQUIRE((opt->options != NULL && opt->length != 0) ||
+		(opt->options == NULL && opt->length == 0));
+
+	region.base = opt->options;
+	region.length = opt->length;
+	while (region.length >= 4) {
+		isc_region_consume(&region, 2);	/* opt */
+		length = uint16_fromregion(&region);
+		isc_region_consume(&region, 2);
+		if (region.length < length)
+			return (ISC_R_UNEXPECTEDEND);
+		isc_region_consume(&region, length);
+	}
+	if (region.length != 0)
+		return (ISC_R_UNEXPECTEDEND);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	return (mem_tobuffer(target, opt->options, opt->length));
 }
 
 static inline isc_result_t
 tostruct_opt(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
+	dns_rdata_opt_t *opt = target;
+	isc_region_t r;
 
 	REQUIRE(rdata->type == 41);
-
-	UNUSED(target);
-	UNUSED(mctx);
-
-	return (DNS_R_NOTIMPLEMENTED);
+	REQUIRE(target != NULL);
+
+	opt->common.rdclass = rdata->rdclass;
+	opt->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&opt->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+	opt->length = r.length;
+	if (opt->length != 0) {
+		opt->options = mem_maybedup(mctx, r.base, r.length);
+		if (opt->options == NULL)
+			return (ISC_R_NOMEMORY);
+	} else
+		opt->options = NULL;
+
+	opt->offset = 0;
+	opt->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_opt(void *source) {
-	UNUSED(source);
+	dns_rdata_opt_t *opt = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(opt->common.rdtype == 41);
+
+	if (opt->mctx == NULL)
+		return;
+
+	if (opt->options != NULL)
+		isc_mem_free(opt->mctx, opt->options);
+	opt->mctx = NULL;
 }
 
 static inline isc_result_t
@@ -162,10 +240,11 @@ additionaldata_opt(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 {
 	REQUIRE(rdata->type == 41);
 
+	UNUSED(rdata);
 	UNUSED(add);
 	UNUSED(arg);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -177,10 +256,11 @@ digest_opt(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
 
 	REQUIRE(rdata->type == 41);
 
+	UNUSED(rdata);
 	UNUSED(digest);
 	UNUSED(arg);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	return (ISC_R_NOTIMPLEMENTED);
 }
 
 #endif	/* RDATA_GENERIC_OPT_41_C */
diff --git a/lib/dns/rdata/generic/opt_41.h b/lib/dns/rdata/generic/opt_41.h
index d3a194bd..1ff03750 100644
--- a/lib/dns/rdata/generic/opt_41.h
+++ b/lib/dns/rdata/generic/opt_41.h
@@ -15,12 +15,36 @@
  * SOFTWARE.
  */
 
-/* $Id: opt_41.h,v 1.4 2000/03/16 22:42:31 gson Exp $ */
+#ifndef GENERIC_OPT_41_H
+#define GENERIC_OPT_41_H 1
+
+/* $Id: opt_41.h,v 1.6 2000/04/29 02:01:47 tale Exp $ */
 
 /* RFC 2671 */
 
+typedef struct dns_rdata_opt_opcode {
+		isc_uint16_t	opcode;
+		isc_uint16_t	length;
+		unsigned char	*data;
+} dns_rdata_opt_opcode_t;
+
 typedef struct dns_rdata_opt {
 	dns_rdatacommon_t	common;
-	isc_mem_t		*mctx;	/* if required */
-	/* XXXRTH Not implemented. */
+	isc_mem_t		*mctx;
+	unsigned char		*options;
+	isc_uint16_t		length;
+	/* private */
+	isc_uint16_t		offset;
 } dns_rdata_opt_t;
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t dns_rdata_opt_first(dns_rdata_opt_t *);
+isc_result_t dns_rdata_opt_next(dns_rdata_opt_t *);
+isc_result_t dns_rdata_opt_current(dns_rdata_opt_t *, dns_rdata_opt_opcode_t *);
+
+ISC_LANG_ENDDECLS
+
+#endif /* GENERIC_OPT_41_H */
diff --git a/lib/dns/rdata/generic/proforma.c b/lib/dns/rdata/generic/proforma.c
index 1fa9ab4f..ae29afa6 100644
--- a/lib/dns/rdata/generic/proforma.c
+++ b/lib/dns/rdata/generic/proforma.c
@@ -15,11 +15,13 @@
  * SOFTWARE.
  */
 
-/* $Id: proforma.c,v 1.19 2000/03/20 22:48:58 gson Exp $ */
+/* $Id: proforma.c,v 1.23 2000/05/22 12:37:52 marka Exp $ */
 
 #ifndef RDATA_GENERIC_#_#_C
 #define RDATA_GENERIC_#_#_C
 
+#define RRTYPE_#_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_#(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	   isc_lex_t *lexer, dns_name_t *origin,
@@ -31,7 +33,7 @@ fromtext_#(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 
-	return (DNS_R_NOTIMPLEMENTED);
+	return (ISC_R_NOTIMPLEMENTED);
 }
 
 static inline isc_result_t
@@ -42,7 +44,7 @@ totext_#(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	REQUIRE(rdata->type == #);
 	REQUIRE(rdata->rdclass == #);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	return (ISC_R_NOTIMPLEMENTED);
 }
 
 static inline isc_result_t
@@ -53,13 +55,10 @@ fromwire_#(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	REQUIRE(type == #);
 	REQUIRE(rdclass == #);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		/* NONE or GLOBAL14 */
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+	/* NONE or GLOBAL14 */
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	return (ISC_R_NOTIMPLEMENTED);
 }
 
 static inline isc_result_t
@@ -68,13 +67,10 @@ towire_#(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 	REQUIRE(rdata->type == #);
 	REQUIRE(rdata->rdclass == #);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL):
-	else
-		/* NONE or GLOBAL14 */
-		dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	/* NONE or GLOBAL14 */
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	return (ISC_R_NOTIMPLEMENTED);
 }
 
 static inline int
@@ -94,12 +90,17 @@ compare_#(dns_rdata_t *rdata1, dns_rdata_t *rdata2) {
 
 static inline isc_result_t
 fromstruct_#(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
-	     isc_buffer_t *target) {
+	     isc_buffer_t *target)
+{
+	dns_rdata_#_t *# = source;
 
 	REQUIRE(type == #);
 	REQUIRE(rdclass == #);
+	REQUIRE(source != NULL);
+	REQUIRE(#->common.rdtype == type);
+	REQUIRE(#->common.rdclass == rdclass);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	return (ISC_R_NOTIMPLEMENTED);
 }
 
 static inline isc_result_t
@@ -108,7 +109,7 @@ tostruct_#(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
 	REQUIRE(rdata->type == #);
 	REQUIRE(rdata->rdclass == #);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	return (ISC_R_NOTIMPLEMENTED);
 }
 
 static inline void
@@ -131,7 +132,7 @@ additionaldata_#(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 	(void)add;
 	(void)arg;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/generic/proforma.h b/lib/dns/rdata/generic/proforma.h
index ea4a5e3c..b0b346a2 100644
--- a/lib/dns/rdata/generic/proforma.h
+++ b/lib/dns/rdata/generic/proforma.h
@@ -15,10 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: proforma.h,v 1.13 2000/03/20 22:57:14 gson Exp $ */
+#ifndef GENERIC_PROFORMA_H
+#define GENERIC_PROFORMA_H 1
+
+/* $Id: proforma.h,v 1.14 2000/04/29 02:01:47 tale Exp $ */
 
 typedef struct dns_rdata_# {
 	dns_rdatacommon_t	common;
 	isc_mem_t		*mctx;	/* if required */
 	/* type & class specific elements */
 } dns_rdata_#_t;
+
+#endif /* GENERIC_PROFORMA_H */
diff --git a/lib/dns/rdata/generic/ptr_12.c b/lib/dns/rdata/generic/ptr_12.c
index e47ec420..23bef291 100644
--- a/lib/dns/rdata/generic/ptr_12.c
+++ b/lib/dns/rdata/generic/ptr_12.c
@@ -15,13 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: ptr_12.c,v 1.20 2000/03/16 22:07:28 explorer Exp $ */
+/* $Id: ptr_12.c,v 1.27 2000/05/22 12:37:53 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 14:05:12 PST 2000 by explorer */
 
 #ifndef RDATA_GENERIC_PTR_12_C
 #define RDATA_GENERIC_PTR_12_C
 
+#define RRTYPE_PTR_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_ptr(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	     isc_lex_t *lexer, dns_name_t *origin,
@@ -38,8 +40,7 @@ fromtext_ptr(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	return (dns_name_fromtext(&name, &buffer, origin, downcase, target));
 }
@@ -77,10 +78,7 @@ fromwire_ptr(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	REQUIRE(type == 12);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
         
         dns_name_init(&name, NULL);
         return (dns_name_fromwire(&name, source, dctx, downcase, target));
@@ -94,10 +92,7 @@ towire_ptr(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
 
 	REQUIRE(rdata->type == 12);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
 
 	dns_name_init(&name, NULL);
 	dns_rdata_toregion(rdata, &region);
@@ -134,43 +129,67 @@ static inline isc_result_t
 fromstruct_ptr(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	       isc_buffer_t *target)
 {
-	UNUSED(rdclass);
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_ptr_t *ptr = source;
+	isc_region_t region;
 
 	REQUIRE(type == 12);
+	REQUIRE(source != NULL);
+	REQUIRE(ptr->common.rdtype == type);
+	REQUIRE(ptr->common.rdclass == rdclass);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_toregion(&ptr->ptr, &region);
+	return (isc_buffer_copyregion(target, &region));
 }
 
 static inline isc_result_t
 tostruct_ptr(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
 {
-	UNUSED(target);
-	UNUSED(mctx);
+	isc_region_t region;
+	dns_rdata_ptr_t *ptr = target;
+	dns_name_t name;
 
 	REQUIRE(rdata->type == 12);
+	REQUIRE(target != NULL);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	ptr->common.rdclass = rdata->rdclass;
+	ptr->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&ptr->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&ptr->ptr, NULL);
+	RETERR(name_duporclone(&name, mctx, &ptr->ptr));
+	ptr->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_ptr(void *source)
 {
+	dns_rdata_ptr_t *ptr = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);
+	REQUIRE(ptr->common.rdtype == 12);
+	
+	if (ptr->mctx == NULL)
+		return;
+
+	dns_name_free(&ptr->ptr, ptr->mctx);
+	ptr->mctx = NULL;
 }
 
 static inline isc_result_t
 additionaldata_ptr(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 		   void *arg)
 {
+	REQUIRE(rdata->type == 12);
+
+	UNUSED(rdata);
 	UNUSED(add);
 	UNUSED(arg);
 
-	REQUIRE(rdata->type == 12);
-
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/generic/ptr_12.h b/lib/dns/rdata/generic/ptr_12.h
index da8bf279..fcfa1ce2 100644
--- a/lib/dns/rdata/generic/ptr_12.h
+++ b/lib/dns/rdata/generic/ptr_12.h
@@ -15,5 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: ptr_12.h,v 1.15 2000/03/20 22:57:14 gson Exp $ */
+#ifndef GENERIC_PTR_12_H
+#define GENERIC_PTR_12_H 1
 
+/* $Id: ptr_12.h,v 1.18 2000/05/08 14:36:54 tale Exp $ */
+
+typedef struct dns_rdata_ptr {
+        dns_rdatacommon_t       common;
+        isc_mem_t               *mctx;
+        dns_name_t              ptr;
+} dns_rdata_ptr_t;
+
+#endif /* GENERIC_PTR_12_H */
diff --git a/lib/dns/rdata/generic/rp_17.c b/lib/dns/rdata/generic/rp_17.c
index cd47dbda..9e20ba1e 100644
--- a/lib/dns/rdata/generic/rp_17.c
+++ b/lib/dns/rdata/generic/rp_17.c
@@ -15,13 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: rp_17.c,v 1.17 2000/03/20 22:48:59 gson Exp $ */
+/* $Id: rp_17.c,v 1.24 2000/05/22 12:37:54 marka Exp $ */
 
 /* RFC 1183 */
 
 #ifndef RDATA_GENERIC_RP_17_C
 #define RDATA_GENERIC_RP_17_C
 
+#define RRTYPE_RP_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_rp(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	    isc_lex_t *lexer, dns_name_t *origin,
@@ -42,12 +44,11 @@ fromtext_rp(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		RETERR(gettoken(lexer, &token, isc_tokentype_string,
 				ISC_FALSE));
 		dns_name_init(&name, NULL);
-		buffer_fromregion(&buffer, &token.value.as_region,
-				  ISC_BUFFERTYPE_TEXT);
+		buffer_fromregion(&buffer, &token.value.as_region);
 		RETERR(dns_name_fromtext(&name, &buffer, origin,
 					 downcase, target));
 	}
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -95,10 +96,7 @@ fromwire_rp(dns_rdataclass_t rdclass, dns_rdatatype_t type,
         
 	REQUIRE(type == 17);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
 
         dns_name_init(&rmail, NULL);
         dns_name_init(&email, NULL);
@@ -116,11 +114,7 @@ towire_rp(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
 
 	REQUIRE(rdata->type == 17);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
 	dns_name_init(&rmail, NULL);
 	dns_name_init(&email, NULL);
 
@@ -179,43 +173,83 @@ static inline isc_result_t
 fromstruct_rp(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	      isc_buffer_t *target)
 {
-	UNUSED(rdclass);
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_rp_t *rp = source;
+	isc_region_t region;
 
 	REQUIRE(type == 17);
+	REQUIRE(source != NULL);
+	REQUIRE(rp->common.rdtype == type);
+	REQUIRE(rp->common.rdclass == rdclass);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_toregion(&rp->mail, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+	dns_name_toregion(&rp->text, &region);
+	return (isc_buffer_copyregion(target, &region));
 }
 
 static inline isc_result_t
 tostruct_rp(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
 {
-	UNUSED(target);
-	UNUSED(mctx);
+	isc_result_t result;
+	isc_region_t region;
+	dns_rdata_rp_t *rp = target;
+	dns_name_t name;
 
 	REQUIRE(rdata->type == 17);
+	REQUIRE(target != NULL);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	rp->common.rdclass = rdata->rdclass;
+	rp->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&rp->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&rp->mail, NULL);
+	RETERR(name_duporclone(&name, mctx, &rp->mail));
+	isc_region_consume(&region, name_length(&name));
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&rp->text, NULL);
+	result = name_duporclone(&name, mctx, &rp->text);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	rp->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL)
+		dns_name_free(&rp->mail, mctx);
+	return (ISC_R_NOMEMORY);
 }
 
 static inline void
 freestruct_rp(void *source)
 {
+	dns_rdata_rp_t *rp = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/*XXX*/
+	REQUIRE(rp->common.rdtype == 17);
+
+	if (rp->mctx == NULL)
+		return;
+
+	dns_name_free(&rp->mail, rp->mctx);
+	dns_name_free(&rp->text, rp->mctx);
+	rp->mctx = NULL;
 }
 
 static inline isc_result_t
 additionaldata_rp(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 		  void *arg)
 {
+	REQUIRE(rdata->type == 17);
+
+	UNUSED(rdata);
 	UNUSED(add);
 	UNUSED(arg);
 
-	REQUIRE(rdata->type == 17);
-
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/generic/rp_17.h b/lib/dns/rdata/generic/rp_17.h
index afb78099..1e5ae597 100644
--- a/lib/dns/rdata/generic/rp_17.h
+++ b/lib/dns/rdata/generic/rp_17.h
@@ -15,7 +15,19 @@
  * SOFTWARE.
  */
 
-/* $Id: rp_17.h,v 1.10 2000/03/20 22:57:14 gson Exp $ */
+#ifndef GENERIC_RP_17_H
+#define GENERIC_RP_17_H 1
+
+/* $Id: rp_17.h,v 1.13 2000/05/08 14:36:55 tale Exp $ */
 
 /* RFC 1183 */
 
+typedef struct dns_rdata_rp {
+        dns_rdatacommon_t       common;
+        isc_mem_t               *mctx;
+        dns_name_t              mail;
+        dns_name_t              text;
+} dns_rdata_rp_t;
+
+
+#endif /* GENERIC_RP_17_H */
diff --git a/lib/dns/rdata/generic/rt_21.c b/lib/dns/rdata/generic/rt_21.c
index 02df497b..ea40c803 100644
--- a/lib/dns/rdata/generic/rt_21.c
+++ b/lib/dns/rdata/generic/rt_21.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: rt_21.c,v 1.17 2000/03/20 22:44:34 gson Exp $ */
+/* $Id: rt_21.c,v 1.26 2000/05/22 12:37:55 marka Exp $ */
 
 /* reviewed: Thu Mar 16 15:02:31 PST 2000 by brister */
 
@@ -24,6 +24,8 @@
 #ifndef RDATA_GENERIC_RT_21_C
 #define RDATA_GENERIC_RT_21_C
 
+#define RRTYPE_RT_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_rt(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	    isc_lex_t *lexer, dns_name_t *origin,
@@ -38,14 +40,14 @@ fromtext_rt(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	UNUSED(rdclass);
 
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
-	
+	if (token.value.as_ulong > 0xffff)
+		return (ISC_R_RANGE);
 	RETERR(uint16_tobuffer(token.value.as_ulong, target));
 
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	return (dns_name_fromtext(&name, &buffer, origin, downcase, target));
 }
@@ -89,19 +91,16 @@ fromwire_rt(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	REQUIRE(type == 21);
 	UNUSED(rdclass);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
         
         dns_name_init(&name, NULL);
 
-	isc_buffer_active(source, &sregion);
-	isc_buffer_available(target, &tregion);
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
 	if (tregion.length < 2)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	if (sregion.length < 2)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	memcpy(tregion.base, sregion.base, 2);
 	isc_buffer_forward(source, 2);
 	isc_buffer_add(target, 2);
@@ -109,23 +108,18 @@ fromwire_rt(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 }
 
 static inline isc_result_t
-towire_rt(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
-{
+towire_rt(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 	dns_name_t name;
 	isc_region_t region;
 	isc_region_t tr;
 
 	REQUIRE(rdata->type == 21);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-
-	isc_buffer_available(target, &tr);
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	isc_buffer_availableregion(target, &tr);
 	dns_rdata_toregion(rdata, &region);
 	if (tr.length < 2)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	memcpy(tr.base, region.base, 2);
 	isc_region_consume(&region, 2);
 	isc_buffer_add(target, 2);
@@ -137,8 +131,7 @@ towire_rt(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
 }
 
 static inline int
-compare_rt(dns_rdata_t *rdata1, dns_rdata_t *rdata2)
-{
+compare_rt(dns_rdata_t *rdata1, dns_rdata_t *rdata2) {
 	dns_name_t name1;
 	dns_name_t name2;
 	isc_region_t region1;
@@ -172,33 +165,56 @@ static inline isc_result_t
 fromstruct_rt(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	      isc_buffer_t *target)
 {
+	dns_rdata_rt_t *rt = source;
+	isc_region_t region;
 
 	REQUIRE(type == 21);
+	REQUIRE(source != NULL);
+	REQUIRE(rt->common.rdtype == type);
+	REQUIRE(rt->common.rdclass == rdclass);
 
-	UNUSED(rdclass);
-	UNUSED(source);
-	UNUSED(target);
-
-	return (DNS_R_NOTIMPLEMENTED);
+	RETERR(uint16_tobuffer(rt->preference, target));
+	dns_name_toregion(&rt->host, &region);
+	return (isc_buffer_copyregion(target, &region));
 }
 
 static inline isc_result_t
-tostruct_rt(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
-{
+tostruct_rt(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
+	isc_region_t region;
+	dns_rdata_rt_t *rt = target;
+	dns_name_t name;
 
 	REQUIRE(rdata->type == 21);
+	REQUIRE(target != NULL);
 
-	UNUSED(target);
-	UNUSED(mctx);
+	rt->common.rdclass = rdata->rdclass;
+	rt->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&rt->common, link);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	rt->preference = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&rt->host, NULL);
+	RETERR(name_duporclone(&name, mctx, &rt->host));
+
+	rt->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
-freestruct_rt(void *source)
-{
+freestruct_rt(void *source) {
+	dns_rdata_rt_t *rt = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/*XXX*/
+	REQUIRE(rt->common.rdtype == 21);
+
+	if (rt->mctx == NULL)
+		return;
+
+	dns_name_free(&rt->host, rt->mctx);
+	rt->mctx = NULL;
 }
 
 static inline isc_result_t
@@ -226,8 +242,7 @@ additionaldata_rt(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 }
 
 static inline isc_result_t
-digest_rt(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg)
-{
+digest_rt(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
 	isc_region_t r1, r2;
 	isc_result_t result;
 	dns_name_t name;
diff --git a/lib/dns/rdata/generic/rt_21.h b/lib/dns/rdata/generic/rt_21.h
index 94b49f61..1516df38 100644
--- a/lib/dns/rdata/generic/rt_21.h
+++ b/lib/dns/rdata/generic/rt_21.h
@@ -15,7 +15,18 @@
  * SOFTWARE.
  */
 
-/* $Id: rt_21.h,v 1.10 2000/03/20 22:57:14 gson Exp $ */
+#ifndef GENERIC_RT_21_H
+#define GENERIC_RT_21_H 1
+
+/* $Id: rt_21.h,v 1.13 2000/05/08 14:36:57 tale Exp $ */
 
 /* RFC 1183 */
 
+typedef struct dns_rdata_rt {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	isc_uint16_t		preference;
+	dns_name_t		host;
+} dns_rdata_rt_t;
+
+#endif /* GENERIC_RT_21_H */
diff --git a/lib/dns/rdata/generic/sig_24.c b/lib/dns/rdata/generic/sig_24.c
index 27b96a3d..2dd67ddc 100644
--- a/lib/dns/rdata/generic/sig_24.c
+++ b/lib/dns/rdata/generic/sig_24.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: sig_24.c,v 1.30 2000/03/17 21:43:46 gson Exp $ */
+/* $Id: sig_24.c,v 1.42 2000/05/22 21:42:47 gson Exp $ */
 
 /* Reviewed: Fri Mar 17 09:05:02 PST 2000 by gson */
 
@@ -24,6 +24,8 @@
 #ifndef RDATA_GENERIC_SIG_24_C
 #define RDATA_GENERIC_SIG_24_C
 
+#define RRTYPE_SIG_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+
 static inline isc_result_t
 fromtext_sig(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	     isc_lex_t *lexer, dns_name_t *origin,
@@ -43,58 +45,75 @@ fromtext_sig(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	UNUSED(rdclass);
 
-	/* type covered */
+	/*
+	 * Type covered.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	result = dns_rdatatype_fromtext(&covered, &token.value.as_textregion);
-	if (result != DNS_R_SUCCESS && result != DNS_R_NOTIMPLEMENTED) {
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTIMPLEMENTED) {
 		i = strtol(token.value.as_pointer, &e, 10);
 		if (i < 0 || i > 65535)
-			return (DNS_R_RANGE);
+			return (ISC_R_RANGE);
 		if (*e != 0)
 			return (result);
 		covered = (dns_rdatatype_t)i;
 	}
 	RETERR(uint16_tobuffer(covered, target));
 
-	/* algorithm */
+	/*
+	 * Algorithm.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	RETERR(dns_secalg_fromtext(&c, &token.value.as_textregion));
 	RETERR(mem_tobuffer(target, &c, 1));
 
-	/* labels */
+	/*
+	 * Labels.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
 	if (token.value.as_ulong > 0xff)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	c = (unsigned char)token.value.as_ulong;
 	RETERR(mem_tobuffer(target, &c, 1));
 
-	/* original ttl */
+	/*
+	 * Original ttl.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
 	RETERR(uint32_tobuffer(token.value.as_ulong, target));
 
-	/* signature expiration */
+	/*
+	 * Signature expiration.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	RETERR(dns_time32_fromtext(token.value.as_pointer, &time_expire));
 	RETERR(uint32_tobuffer(time_expire, target));
 
-	/* time signed */
+	/*
+	 * Time signed.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	RETERR(dns_time32_fromtext(token.value.as_pointer, &time_signed));
 	RETERR(uint32_tobuffer(time_signed, target));
 
-	/* key footprint */
+	/*
+	 * Key footprint.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
 	RETERR(uint16_tobuffer(token.value.as_ulong, target));
 	
-	/* signer */
+	/*
+	 * Signer.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	RETERR(dns_name_fromtext(&name, &buffer, origin, downcase, target));
 
-	/* sig */
+	/*
+	 * Sig.
+	 */
 	return (isc_base64_tobuffer(lexer, target, -1));
 }
 
@@ -117,32 +136,52 @@ totext_sig(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 
 	dns_rdata_toregion(rdata, &sr);
 
-	/* type covered */
+	/*
+	 * Type covered.
+	 */
 	covered = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
-	RETERR(dns_rdatatype_totext(covered, target));
+	/*
+	 * XXXAG We should have something like dns_rdatatype_isknown()
+	 * that does the right thing with type 0.
+	 */
+	if (dns_rdatatype_isknown(covered) && covered != 0) {
+		RETERR(dns_rdatatype_totext(covered, target));
+	} else {
+		char buf[sizeof "65535"];
+		sprintf(buf, "%u", covered);
+		RETERR(str_totext(buf, target));
+	}
 	RETERR(str_totext(" ", target));
 
-	/* algorithm */
+	/*
+	 * Algorithm.
+	 */
 	sprintf(buf, "%u", sr.base[0]);
 	isc_region_consume(&sr, 1);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 
-	/* labels */
+	/*
+	 * Labels.
+	 */
 	sprintf(buf, "%u", sr.base[0]);
 	isc_region_consume(&sr, 1);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 
-	/* ttl */
+	/*
+	 * Ttl.
+	 */
 	ttl = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
 	sprintf(buf, "%lu", ttl); 
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 
-	/* sig exp */
+	/*
+	 * Sig exp.
+	 */
 	exp = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
 	RETERR(dns_time32_totext(exp, target));
@@ -151,20 +190,26 @@ totext_sig(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 		RETERR(str_totext(" (", target));
 	RETERR(str_totext(tctx->linebreak, target));
 
-	/* time signed */
+	/*
+	 * Time signed.
+	 */
 	when = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
 	RETERR(dns_time32_totext(when, target));
 	RETERR(str_totext(" ", target));
 
-	/* footprint */
+	/*
+	 * Footprint.
+	 */
 	foot = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 	sprintf(buf, "%lu", foot); 
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 
-	/* signer */
+	/*
+	 * Signer.
+	 */
 	dns_name_init(&name, NULL);
 	dns_name_init(&prefix, NULL);
 	dns_name_fromregion(&name, &sr);
@@ -172,14 +217,16 @@ totext_sig(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	sub = name_prefix(&name, tctx->origin, &prefix);
 	RETERR(dns_name_totext(&prefix, sub, target));
 
-	/* sig */
+	/*
+	 * Sig.
+	 */
 	RETERR(str_totext(tctx->linebreak, target));
 	RETERR(isc_base64_totext(&sr, tctx->width - 2,
 				    tctx->linebreak, target));
 	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
 		RETERR(str_totext(" )", target));
 	
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -192,14 +239,11 @@ fromwire_sig(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	REQUIRE(type == 24);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
 	
 	UNUSED(rdclass);
 
-	isc_buffer_active(source, &sr);
+	isc_buffer_activeregion(source, &sr);
 	/*
 	 * type covered: 2
 	 * algorithm: 1
@@ -210,17 +254,21 @@ fromwire_sig(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	 * key footprint: 2
 	 */
 	if (sr.length < 18)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 
 	isc_buffer_forward(source, 18);
 	RETERR(mem_tobuffer(target, sr.base, 18));
 
-	/* signer */
+	/*
+	 * Signer.
+	 */
 	dns_name_init(&name, NULL);
 	RETERR(dns_name_fromwire(&name, source, dctx, downcase, target));
 
-	/* sig */
-	isc_buffer_active(source, &sr);
+	/*
+	 * Sig.
+	 */
+	isc_buffer_activeregion(source, &sr);
 	isc_buffer_forward(source, sr.length);
 	return (mem_tobuffer(target, sr.base, sr.length));
 }
@@ -232,11 +280,7 @@ towire_sig(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 
 	REQUIRE(rdata->type == 24);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
 	dns_rdata_toregion(rdata, &sr);
 	/*
 	 * type covered: 2
@@ -250,13 +294,17 @@ towire_sig(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 	RETERR(mem_tobuffer(target, sr.base, 18));
 	isc_region_consume(&sr, 18);
 
-	/* signer */
+	/*
+	 * Signer.
+	 */
 	dns_name_init(&name, NULL);
 	dns_name_fromregion(&name, &sr);
 	isc_region_consume(&sr, name_length(&name));        
 	RETERR(dns_name_towire(&name, cctx, target));
 
-	/* signature */
+	/*
+	 * Signature.
+	 */
 	return (mem_tobuffer(target, sr.base, sr.length));
 }
 
@@ -305,140 +353,159 @@ static inline isc_result_t
 fromstruct_sig(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	       isc_buffer_t *target)
 {
-	isc_region_t tr;
-	dns_rdata_generic_sig_t *sig;
-	dns_compress_t cctx;
+	dns_rdata_sig_t *sig = source;
 
 	REQUIRE(type == 24);
+	REQUIRE(source != NULL);
+	REQUIRE(sig->common.rdtype == type);
+	REQUIRE(sig->common.rdclass == rdclass);
+	REQUIRE((sig->signature != NULL && sig->siglen != 0) ||
+		(sig->signature == NULL && sig->siglen == 0));
 	
-	UNUSED(rdclass);
-
-	sig = (dns_rdata_generic_sig_t *) source;
-	REQUIRE(sig->mctx != NULL);
-
-	/* Type covered */
+	/*
+	 * Type covered.
+	 */
 	RETERR(uint16_tobuffer(sig->covered, target));
 
-	/* Algorithm */
+	/*
+	 * Algorithm.
+	 */
 	RETERR(uint8_tobuffer(sig->algorithm, target));
 
-	/* Labels */
+	/*
+	 * Labels.
+	 */
 	RETERR(uint8_tobuffer(sig->labels, target));
 
-	/* Original TTL */
+	/*
+	 * Original TTL.
+	 */
 	RETERR(uint32_tobuffer(sig->originalttl, target));
 
-	/* Expire time */
+	/*
+	 * Expire time.
+	 */
 	RETERR(uint32_tobuffer(sig->timeexpire, target));
 
-	/* Time signed */
+	/*
+	 * Time signed.
+	 */
 	RETERR(uint32_tobuffer(sig->timesigned, target));
 
-	/* Key ID */
+	/*
+	 * Key ID.
+	 */
 	RETERR(uint16_tobuffer(sig->keyid, target));
 
-	/* Signer name */
-	RETERR(dns_compress_init(&cctx, -1, sig->mctx));
-	dns_compress_setmethods(&cctx, DNS_COMPRESS_NONE);
-	RETERR(dns_name_towire(&sig->signer, &cctx, target));
-	dns_compress_invalidate(&cctx);
-
-	/* Signature */
-	if (sig->siglen > 0) {
-		isc_buffer_available(target, &tr);
-		if (tr.length < sig->siglen)
-			return (DNS_R_NOSPACE);
-		memcpy(tr.base, sig->signature, sig->siglen);
-		isc_buffer_add(target, sig->siglen);
-	}
+	/*
+	 * Signer name.
+	 */
+	RETERR(name_tobuffer(&sig->signer, target));
 
-	return (DNS_R_SUCCESS);
+	/*
+	 * Signature.
+	 */
+	return (mem_tobuffer(target, sig->signature, sig->siglen));
 }
 
 static inline isc_result_t
 tostruct_sig(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
 	isc_region_t sr;
-	dns_rdata_generic_sig_t *sig;
+	dns_rdata_sig_t *sig = target;
 	dns_name_t signer;
 
 	REQUIRE(rdata->type == 24);
+	REQUIRE(target != NULL);
 	
-	sig = (dns_rdata_generic_sig_t *) target;
 	sig->common.rdclass = rdata->rdclass;
 	sig->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&sig->common, link);
-	sig->mctx = mctx;
+
 	dns_rdata_toregion(rdata, &sr);
 
-	/* Type covered */
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Type covered.
+	 */
 	sig->covered = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 
-	/* Algorithm */
-	if (sr.length < 1)
-		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Algorithm.
+	 */
 	sig->algorithm = uint8_fromregion(&sr);
 	isc_region_consume(&sr, 1);
 
-	/* Labels */
-	if (sr.length < 1)
-		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Labels.
+	 */
 	sig->labels = uint8_fromregion(&sr);
 	isc_region_consume(&sr, 1);
 
-	/* Original TTL */
-	if (sr.length < 4)
-		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Original TTL.
+	 */
 	sig->originalttl = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
 
-	/* Expire time */
-	if (sr.length < 4)
-		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Expire time.
+	 */
 	sig->timeexpire = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
 
-	/* Time signed */
-	if (sr.length < 4)
-		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Time signed.
+	 */
 	sig->timesigned = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
 
-	/* Key ID */
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Key ID.
+	 */
 	sig->keyid = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 
 	dns_name_init(&signer, NULL);
 	dns_name_fromregion(&signer, &sr);
 	dns_name_init(&sig->signer, NULL);
-	RETERR(dns_name_dup(&signer, mctx, &sig->signer));
+	RETERR(name_duporclone(&signer, mctx, &sig->signer));
 	isc_region_consume(&sr, name_length(&sig->signer));
 
-	/* Signature */
+	/*
+	 * Signature.
+	 */
 	sig->siglen = sr.length;
-	sig->signature = isc_mem_get(mctx, sig->siglen);
-	if (sig->signature == NULL)
-		return (DNS_R_NOMEMORY);
-	memcpy(sig->signature, sr.base, sig->siglen);
-	isc_region_consume(&sr, sig->siglen);
+	if (sig->siglen > 0) {
+		sig->signature = mem_maybedup(mctx, sr.base, sig->siglen);
+		if (sig->signature == NULL)
+			goto cleanup;
+	} else
+		sig->signature = NULL;
+
 
-	return (DNS_R_SUCCESS);
+	sig->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL)
+		dns_name_free(&sig->signer, mctx);
+	return (ISC_R_NOMEMORY);
 }
 
 static inline void
 freestruct_sig(void *source) {
-	dns_rdata_generic_sig_t *sig = (dns_rdata_generic_sig_t *) source;
+	dns_rdata_sig_t *sig = (dns_rdata_sig_t *) source;
 
 	REQUIRE(source != NULL);
 	REQUIRE(sig->common.rdtype == 24);
 
+	if (sig->mctx == NULL)
+		return;
+
 	dns_name_free(&sig->signer, sig->mctx);
 	if (sig->signature != NULL)
-		isc_mem_put(sig->mctx, sig->signature, sig->siglen);
+		isc_mem_free(sig->mctx, sig->signature);
+	sig->mctx = NULL;
 }
 
 static inline isc_result_t
@@ -447,10 +514,11 @@ additionaldata_sig(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 {
 	REQUIRE(rdata->type == 24);
 
+	UNUSED(rdata);
 	UNUSED(add);
 	UNUSED(arg);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -458,10 +526,11 @@ digest_sig(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
 
 	REQUIRE(rdata->type == 24);
 
+	UNUSED(rdata);
 	UNUSED(digest);
 	UNUSED(arg);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	return (ISC_R_NOTIMPLEMENTED);
 }
 
 static inline dns_rdatatype_t
diff --git a/lib/dns/rdata/generic/sig_24.h b/lib/dns/rdata/generic/sig_24.h
index 283b936e..06cc3588 100644
--- a/lib/dns/rdata/generic/sig_24.h
+++ b/lib/dns/rdata/generic/sig_24.h
@@ -15,11 +15,14 @@
  * SOFTWARE.
  */
 
-/* $Id: sig_24.h,v 1.16 2000/03/17 17:07:10 gson Exp $ */
+#ifndef GENERIC_SIG_24_H
+#define GENERIC_SIG_24_H 1
+
+/* $Id: sig_24.h,v 1.18 2000/04/29 02:01:49 tale Exp $ */
 
 /* RFC 2535 */
 
-typedef struct dns_rdata_generic_sig_t {
+typedef struct dns_rdata_sig_t {
 	dns_rdatacommon_t	common;
 	isc_mem_t *		mctx;
 	dns_rdatatype_t		covered;
@@ -32,5 +35,7 @@ typedef struct dns_rdata_generic_sig_t {
         dns_name_t		signer;
 	isc_uint16_t		siglen;
 	unsigned char *		signature;
-} dns_rdata_generic_sig_t;
+} dns_rdata_sig_t;
+
 
+#endif /* GENERIC_SIG_24_H */
diff --git a/lib/dns/rdata/generic/soa_6.c b/lib/dns/rdata/generic/soa_6.c
index a916d871..14dd5679 100644
--- a/lib/dns/rdata/generic/soa_6.c
+++ b/lib/dns/rdata/generic/soa_6.c
@@ -15,13 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: soa_6.c,v 1.30 2000/03/18 00:19:25 explorer Exp $ */
+/* $Id: soa_6.c,v 1.38 2000/05/22 12:37:58 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 15:18:32 PST 2000 by explorer */
 
 #ifndef RDATA_GENERIC_SOA_6_C
 #define RDATA_GENERIC_SOA_6_C
 
+#define RRTYPE_SOA_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON)
+
 static inline isc_result_t
 fromtext_soa(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	     isc_lex_t *lexer, dns_name_t *origin,
@@ -44,8 +46,7 @@ fromtext_soa(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 				ISC_FALSE));
 
 		dns_name_init(&name, NULL);
-		buffer_fromregion(&buffer, &token.value.as_region,
-				  ISC_BUFFERTYPE_TEXT);
+		buffer_fromregion(&buffer, &token.value.as_region);
 		RETERR(dns_name_fromtext(&name, &buffer, origin,
 					 downcase, target));
 	}
@@ -60,7 +61,7 @@ fromtext_soa(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		RETERR(uint32_tobuffer(n, target));
 	}
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static char *soa_fieldnames[5] = {
@@ -132,7 +133,7 @@ totext_soa(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 
 	RETERR(str_totext(")", target));
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -149,10 +150,7 @@ fromwire_soa(dns_rdataclass_t rdclass, dns_rdatatype_t type,
        
 	REQUIRE(type == 6);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
 
         dns_name_init(&mname, NULL);
         dns_name_init(&rname, NULL);
@@ -160,19 +158,19 @@ fromwire_soa(dns_rdataclass_t rdclass, dns_rdatatype_t type,
         RETERR(dns_name_fromwire(&mname, source, dctx, downcase, target));
         RETERR(dns_name_fromwire(&rname, source, dctx, downcase, target));
 
-	isc_buffer_active(source, &sregion);
-	isc_buffer_available(target, &tregion);
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
 
 	if (sregion.length < 20)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	if (tregion.length < 20)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 
 	memcpy(tregion.base, sregion.base, 20);
 	isc_buffer_forward(source, 20);
 	isc_buffer_add(target, 20);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -185,10 +183,7 @@ towire_soa(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
 
 	REQUIRE(rdata->type == 6);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
 
 	dns_name_init(&mname, NULL);
 	dns_name_init(&rname, NULL);
@@ -203,13 +198,13 @@ towire_soa(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
 	isc_region_consume(&sregion, name_length(&rname));
 	RETERR(dns_name_towire(&rname, cctx, target));
 
-	isc_buffer_available(target, &tregion);
+	isc_buffer_availableregion(target, &tregion);
 	if (tregion.length < 20)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 
 	memcpy(tregion.base, sregion.base, 20);
 	isc_buffer_add(target, 20);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline int
@@ -261,13 +256,23 @@ static inline isc_result_t
 fromstruct_soa(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	       isc_buffer_t *target)
 {
-	UNUSED(rdclass);
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_soa_t *soa = source;
+	isc_region_t region;
 
 	REQUIRE(type == 6);
-
-	return (DNS_R_NOTIMPLEMENTED);
+	REQUIRE(source != NULL);
+	REQUIRE(soa->common.rdtype == type);
+	REQUIRE(soa->common.rdclass == rdclass);
+
+	dns_name_toregion(&soa->origin, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+	dns_name_toregion(&soa->mname, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+	RETERR(uint32_tobuffer(soa->serial, target));
+	RETERR(uint32_tobuffer(soa->refresh, target));
+	RETERR(uint32_tobuffer(soa->retry, target));
+	RETERR(uint32_tobuffer(soa->expire, target));
+	return (uint32_tobuffer(soa->minimum, target));
 }
 
 static inline isc_result_t
@@ -276,6 +281,7 @@ tostruct_soa(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
 	isc_region_t region;
 	dns_rdata_soa_t *soa = target;
 	dns_name_t name;
+	isc_result_t result;
 
 	REQUIRE(rdata->type == 6);
 	REQUIRE(target != NULL);
@@ -284,7 +290,6 @@ tostruct_soa(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
 	soa->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&soa->common, link);
 
-	soa->mctx = mctx;
 
 	dns_rdata_toregion(rdata, &region);
 
@@ -292,12 +297,14 @@ tostruct_soa(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
 	dns_name_fromregion(&name, &region);
 	isc_region_consume(&region, name_length(&name));
 	dns_name_init(&soa->origin, NULL);
-	RETERR(dns_name_dup(&name, soa->mctx, &soa->origin));
+	RETERR(name_duporclone(&name, mctx, &soa->origin));
 
 	dns_name_fromregion(&name, &region);
 	isc_region_consume(&region, name_length(&name));
 	dns_name_init(&soa->mname, NULL);
-	RETERR(dns_name_dup(&name, soa->mctx, &soa->mname));
+	result = name_duporclone(&name, mctx, &soa->mname);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
 
 	soa->serial = uint32_fromregion(&region);
 	isc_region_consume(&region, 4);
@@ -313,7 +320,13 @@ tostruct_soa(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
 
 	soa->minimum = uint32_fromregion(&region);
 
-	return (DNS_R_SUCCESS);
+	soa->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL)
+		dns_name_free(&soa->origin, mctx);
+	return (ISC_R_NOMEMORY);
 }
 
 static inline void
@@ -324,6 +337,9 @@ freestruct_soa(void *source)
 	REQUIRE(source != NULL);
 	REQUIRE(soa->common.rdtype == 6);
 
+	if (soa->mctx == NULL)
+		return;
+
 	dns_name_free(&soa->origin, soa->mctx);
 	dns_name_free(&soa->mname, soa->mctx);
 	soa->mctx = NULL;
@@ -333,12 +349,13 @@ static inline isc_result_t
 additionaldata_soa(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 		   void *arg)
 {
+	UNUSED(rdata);
 	UNUSED(add);
 	UNUSED(arg);
 
 	REQUIRE(rdata->type == 6);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/generic/soa_6.h b/lib/dns/rdata/generic/soa_6.h
index 2d112ba7..f96fa63c 100644
--- a/lib/dns/rdata/generic/soa_6.h
+++ b/lib/dns/rdata/generic/soa_6.h
@@ -15,9 +15,10 @@
  * SOFTWARE.
  */
 
-/* $Id: soa_6.h,v 1.20 2000/03/17 01:22:17 explorer Exp $ */
+#ifndef GENERIC_SOA_6_H
+#define GENERIC_SOA_6_H 1
 
-#include <dns/name.h>
+/* $Id: soa_6.h,v 1.22 2000/05/08 14:36:58 tale Exp $ */
 
 typedef struct dns_rdata_soa {
 	dns_rdatacommon_t	common;
@@ -31,3 +32,5 @@ typedef struct dns_rdata_soa {
 	isc_uint32_t		minimum;	/* host order */
 } dns_rdata_soa_t;
 
+
+#endif /* GENERIC_SOA_6_H */
diff --git a/lib/dns/rdata/generic/tkey_249.c b/lib/dns/rdata/generic/tkey_249.c
index da0f284e..e2b4abdc 100644
--- a/lib/dns/rdata/generic/tkey_249.c
+++ b/lib/dns/rdata/generic/tkey_249.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: tkey_249.c,v 1.23 2000/03/20 22:44:35 gson Exp $ */
+/* $Id: tkey_249.c,v 1.34 2000/05/22 12:37:59 marka Exp $ */
 
 /*
  * Reviewed: Thu Mar 16 17:35:30 PST 2000 by halley.
@@ -26,6 +26,8 @@
 #ifndef RDATA_GENERIC_TKEY_249_C
 #define RDATA_GENERIC_TKEY_249_C
 
+#define RRTYPE_TKEY_ATTRIBUTES (DNS_RDATATYPEATTR_META)
+
 static inline isc_result_t
 fromtext_tkey(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		  isc_lex_t *lexer, dns_name_t *origin,
@@ -42,59 +44,76 @@ fromtext_tkey(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	REQUIRE(type == 249);
 
-	/* Algorithm */
+	/*
+	 * Algorithm.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	RETERR(dns_name_fromtext(&name, &buffer, origin, downcase, target));
 
 
-	/* Inception */
+	/*
+	 * Inception.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
 	RETERR(uint32_tobuffer(token.value.as_ulong, target));
 
-	/* Expiration */
+	/*
+	 * Expiration.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
 	RETERR(uint32_tobuffer(token.value.as_ulong, target));
 
-	/* Mode */
+	/*
+	 * Mode.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
 	if (token.value.as_ulong > 0xffff)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	RETERR(uint16_tobuffer(token.value.as_ulong, target));
 
-	/* Error */
+	/*
+	 * Error.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	if (dns_rcode_fromtext(&rcode, &token.value.as_textregion)
-				!= DNS_R_SUCCESS) {
+				!= ISC_R_SUCCESS) {
 		i = strtol(token.value.as_pointer, &e, 10);
 		if (*e != 0)
 			return (DNS_R_UNKNOWN);
 		if (i < 0 || i > 0xffff)
-			return (DNS_R_RANGE);
+			return (ISC_R_RANGE);
 		rcode = (dns_rcode_t)i;
 	}
 	RETERR(uint16_tobuffer(rcode, target));
 
-	/* Key Size */
+	/*
+	 * Key Size.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
 	if (token.value.as_ulong > 0xffff)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	RETERR(uint16_tobuffer(token.value.as_ulong, target));
 
-	/* Key Data */
-	RETERR(isc_base64_tobuffer(lexer, target, token.value.as_ulong));
+	/*
+	 * Key Data.
+	 */
+	RETERR(isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
 
-	/* Other Size */
+	/*
+	 * Other Size.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
 	if (token.value.as_ulong > 0xffff)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	RETERR(uint16_tobuffer(token.value.as_ulong, target));
 
-	/* Other Data */
-	return (isc_base64_tobuffer(lexer, target, token.value.as_ulong));
+	/*
+	 * Other Data.
+	 */
+	return (isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
 }
 
 static inline isc_result_t
@@ -112,7 +131,9 @@ totext_tkey(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 
 	dns_rdata_toregion(rdata, &sr);
 
-	/* Algorithm */
+	/*
+	 * Algorithm.
+	 */
 	dns_name_init(&name, NULL);
 	dns_name_init(&prefix, NULL);
 	dns_name_fromregion(&name, &sr);
@@ -121,41 +142,53 @@ totext_tkey(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	RETERR(str_totext(" ", target));
 	isc_region_consume(&sr, name_length(&name));
 
-	/* Inception */
+	/*
+	 * Inception.
+	 */
 	n = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
 	sprintf(buf, "%lu ", n);
 	RETERR(str_totext(buf, target));
 
-	/* Expiration */
+	/*
+	 * Expiration.
+	 */
 	n = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
 	sprintf(buf, "%lu ", n);
 	RETERR(str_totext(buf, target));
 
-	/* Mode */
+	/*
+	 * Mode.
+	 */
 	n = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 	sprintf(buf, "%lu ", n);
 	RETERR(str_totext(buf, target));
 
-	/* Error */
+	/*
+	 * Error.
+	 */
 	n = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
-	if (dns_rcode_totext((dns_rcode_t)n, target) == DNS_R_SUCCESS)
+	if (dns_rcode_totext((dns_rcode_t)n, target) == ISC_R_SUCCESS)
 		RETERR(str_totext(" ", target));
 	else {
 		sprintf(buf, "%lu ", n);
 		RETERR(str_totext(buf, target));
 	}
 
-	/* Key Size */
+	/*
+	 * Key Size.
+	 */
 	n = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 	sprintf(buf, "%lu", n);
 	RETERR(str_totext(buf, target));
 
-	/* Key Data */
+	/*
+	 * Key Data.
+	 */
 	REQUIRE(n <= sr.length);
 	dr = sr;
 	dr.length = n;
@@ -170,13 +203,17 @@ totext_tkey(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 		RETERR(str_totext(" ", target));		
 	isc_region_consume(&sr, n);
 
-	/* Other Size */
+	/*
+	 * Other Size.
+	 */
 	n = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 	sprintf(buf, "%lu", n);
 	RETERR(str_totext(buf, target));
 
-	/* Other Data */
+	/*
+	 * Other Data.
+	 */
 	REQUIRE(n <= sr.length);
 	if (n != 0) {
 	    dr = sr;
@@ -205,44 +242,47 @@ fromwire_tkey(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	REQUIRE(type == 249);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
 	
-	/* Algorithm */
+	/*
+	 * Algorithm.
+	 */
 	dns_name_init(&name, NULL);
 	RETERR(dns_name_fromwire(&name, source, dctx, downcase, target));
 
-	/* 
+	/*
 	 * Inception: 4
 	 * Expiration: 4
 	 * Mode: 2
 	 * Error: 2
 	 */
-	isc_buffer_active(source, &sr);
+	isc_buffer_activeregion(source, &sr);
 	if (sr.length < 12)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	RETERR(mem_tobuffer(target, sr.base, 12));
 	isc_region_consume(&sr, 12);
 	isc_buffer_forward(source, 12);
 
-	/* Key Length + Key Data */
+	/*
+	 * Key Length + Key Data.
+	 */
 	if (sr.length < 2)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	n = uint16_fromregion(&sr);
 	if (sr.length < n + 2)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	RETERR(mem_tobuffer(target, sr.base, n + 2));
 	isc_region_consume(&sr, n + 2);
 	isc_buffer_forward(source, n + 2);
 
-	/* Other Length + Other Data */
+	/*
+	 * Other Length + Other Data.
+	 */
 	if (sr.length < 2)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	n = uint16_fromregion(&sr);
 	if (sr.length < n + 2)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	isc_buffer_forward(source, n + 2);
 	return (mem_tobuffer(target, sr.base, n + 2));
 }
@@ -254,12 +294,10 @@ towire_tkey(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 
 	REQUIRE(rdata->type == 249);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-
-	/* Algorithm */
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	/*
+	 * Algorithm.
+	 */
 	dns_rdata_toregion(rdata, &sr);
 	dns_name_init(&name, NULL);
 	dns_name_fromregion(&name, &sr);
@@ -281,7 +319,9 @@ compare_tkey(dns_rdata_t *rdata1, dns_rdata_t *rdata2) {
 	REQUIRE(rdata1->rdclass == rdata2->rdclass);
 	REQUIRE(rdata1->type == 249);
 	
-	/* Algorithm */
+	/*
+	 * Algorithm.
+	 */
 	dns_rdata_toregion(rdata1, &r1);
 	dns_rdata_toregion(rdata2, &r2);
 	dns_name_init(&name1, NULL);
@@ -299,177 +339,195 @@ static inline isc_result_t
 fromstruct_tkey(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		void *source, isc_buffer_t *target)
 {
-	isc_region_t tr;
-	dns_rdata_generic_tkey_t *tkey;
-	dns_compress_t cctx;
-
-	UNUSED(rdclass);
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_tkey_t *tkey = source;
 
 	REQUIRE(type == 249);
-	
-	tkey = (dns_rdata_generic_tkey_t *) source;
-	REQUIRE(tkey->mctx != NULL);
-
-	/* Algorithm Name */
-	RETERR(dns_compress_init(&cctx, -1, tkey->mctx));
-	dns_compress_setmethods(&cctx, DNS_COMPRESS_NONE);
-	RETERR(dns_name_towire(&tkey->algorithm, &cctx, target));
-	dns_compress_invalidate(&cctx);
+	REQUIRE(source != NULL);
+	REQUIRE(tkey->common.rdtype == type);
+	REQUIRE(tkey->common.rdclass == rdclass);
+	REQUIRE((tkey->key == NULL && tkey->keylen == 0) ||
+		(tkey->key != NULL && tkey->keylen != 0));
+	REQUIRE((tkey->other == NULL && tkey->otherlen == 0) ||
+		(tkey->other != NULL && tkey->otherlen != 0));
+
+	/*
+	 * Algorithm Name.
+	 */
+	RETERR(name_tobuffer(&tkey->algorithm, target));
 
-	/* Inception: 32 bits */
+	/*
+	 * Inception: 32 bits.
+	 */
 	RETERR(uint32_tobuffer(tkey->inception, target));
 
-	/* Expire: 32 bits */
+	/*
+	 * Expire: 32 bits.
+	 */
 	RETERR(uint32_tobuffer(tkey->expire, target));
 
-	/* Mode: 16 bits */
+	/*
+	 * Mode: 16 bits.
+	 */
 	RETERR(uint16_tobuffer(tkey->mode, target));
 
-	/* Error: 16 bits */
+	/*
+	 * Error: 16 bits.
+	 */
 	RETERR(uint16_tobuffer(tkey->error, target));
 
-	/* Key size: 16 bits */
+	/*
+	 * Key size: 16 bits.
+	 */
 	RETERR(uint16_tobuffer(tkey->keylen, target));
 
-	/* Key */
-	if (tkey->keylen > 0) {
-		isc_buffer_available(target, &tr);
-		if (tr.length < tkey->keylen)
-			return (DNS_R_NOSPACE);
-		memcpy(tr.base, tkey->key, tkey->keylen);
-		isc_buffer_add(target, tkey->keylen);
-	}
+	/*
+	 * Key.
+	 */
+	RETERR(mem_tobuffer(target, tkey->key, tkey->keylen));
 
-	/* Other size: 16 bits */
+	/*
+	 * Other size: 16 bits.
+	 */
 	RETERR(uint16_tobuffer(tkey->otherlen, target));
 
-	/* Other data */
-	if (tkey->otherlen > 0) {
-		isc_buffer_available(target, &tr);
-		if (tr.length < tkey->otherlen)
-			return (DNS_R_NOSPACE);
-		memcpy(tr.base, tkey->other, tkey->otherlen);
-		isc_buffer_add(target, tkey->otherlen);
-	}
-
-	return (DNS_R_SUCCESS);
+	/*
+	 * Other data.
+	 */
+	return (mem_tobuffer(target, tkey->other, tkey->otherlen));
 }
 
 static inline isc_result_t
 tostruct_tkey(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
-	dns_rdata_generic_tkey_t *tkey;
+	dns_rdata_tkey_t *tkey = target;
 	dns_name_t alg;
 	isc_region_t sr;
 
-	UNUSED(target);
-	UNUSED(mctx);
-
 	REQUIRE(rdata->type == 249);
-
-	tkey = (dns_rdata_generic_tkey_t *) target;
+	REQUIRE(target != NULL);
 
 	tkey->common.rdclass = rdata->rdclass;
 	tkey->common.rdtype = rdata->type;
 	ISC_LINK_INIT(&tkey->common, link);
-	tkey->mctx = mctx;
+
 	dns_rdata_toregion(rdata, &sr);
 
-	/* Algorithm Name */
+	/*
+	 * Algorithm Name.
+	 */
 	dns_name_init(&alg, NULL);
 	dns_name_fromregion(&alg, &sr);
 	dns_name_init(&tkey->algorithm, NULL);
-	RETERR(dns_name_dup(&alg, mctx, &tkey->algorithm));
+	RETERR(name_duporclone(&alg, mctx, &tkey->algorithm));
 	isc_region_consume(&sr, name_length(&tkey->algorithm));
 
-	/* Inception */
-	if (sr.length < 4)
-		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Inception.
+	 */
 	tkey->inception = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
 
-	/* Expire */
-	if (sr.length < 4)
-		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Expire.
+	 */
 	tkey->expire = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
 
-	/* Mode */
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Mode.
+	 */
 	tkey->mode = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 
-	/* Error */
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Error.
+	 */
 	tkey->error = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 
-	/* Key size */
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Key size.
+	 */
 	tkey->keylen = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 
-	/* Key */
-	tkey->key = isc_mem_get(mctx, tkey->keylen);
-	if (tkey->key == NULL)
-		return (DNS_R_NOMEMORY);
-	memcpy(tkey->key, sr.base, tkey->keylen);
-	isc_region_consume(&sr, tkey->keylen);
-
-	/* Other size */
-	if (sr.length < 2)
-		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Key.
+	 */
+	if (tkey->keylen > 0) {
+		tkey->key = mem_maybedup(mctx, sr.base, tkey->keylen);
+		if (tkey->key == NULL)
+			goto cleanup;
+		isc_region_consume(&sr, tkey->keylen);
+	} else
+		tkey->key = NULL;
+
+	/*
+	 * Other size.
+	 */
 	tkey->otherlen = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 
-	/* Other */
-	tkey->other = isc_mem_get(mctx, tkey->otherlen);
-	if (tkey->other == NULL)
-		return (DNS_R_NOMEMORY);
-	memcpy(tkey->other, sr.base, tkey->otherlen);
-	isc_region_consume(&sr, tkey->otherlen);
+	/*
+	 * Other.
+	 */
+	if (tkey->otherlen > 0) {
+		tkey->other = mem_maybedup(mctx, sr.base, tkey->otherlen);
+		if (tkey->other == NULL)
+			goto cleanup;
+	} else
+		tkey->other = NULL;
+
+	tkey->mctx = mctx;
+	return (ISC_R_SUCCESS);
 
-	return (DNS_R_SUCCESS);
+ cleanup:
+	if (mctx != NULL)
+		dns_name_free(&tkey->algorithm, mctx);
+	if (mctx != NULL && tkey->key != NULL)
+		isc_mem_free(mctx, tkey->key);
+	return (ISC_R_NOMEMORY);
 }
 
 static inline void
 freestruct_tkey(void *source) {
-	dns_rdata_generic_tkey_t *tkey = (dns_rdata_generic_tkey_t *) source;
+	dns_rdata_tkey_t *tkey = (dns_rdata_tkey_t *) source;
 
 	REQUIRE(source != NULL);
 
+	if (tkey->mctx == NULL)
+		return;
+
 	dns_name_free(&tkey->algorithm, tkey->mctx);
 	if (tkey->key != NULL)
-		isc_mem_put(tkey->mctx, tkey->key, tkey->keylen);
+		isc_mem_free(tkey->mctx, tkey->key);
 	if (tkey->other != NULL)
-		isc_mem_put(tkey->mctx, tkey->other, tkey->otherlen);
+		isc_mem_free(tkey->mctx, tkey->other);
+	tkey->mctx = NULL;
 }
 
 static inline isc_result_t
 additionaldata_tkey(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 		    void *arg)
 {
+	UNUSED(rdata);
 	UNUSED(add);
 	UNUSED(arg);
 
 	REQUIRE(rdata->type == 249);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
 digest_tkey(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg)
 {
+	UNUSED(rdata);
 	UNUSED(digest);
 	UNUSED(arg);
 
 	REQUIRE(rdata->type == 249);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	return (ISC_R_NOTIMPLEMENTED);
 }
 
 #endif	/* RDATA_GENERIC_TKEY_249_C */
diff --git a/lib/dns/rdata/generic/tkey_249.h b/lib/dns/rdata/generic/tkey_249.h
index b962fbe8..3d1fd489 100644
--- a/lib/dns/rdata/generic/tkey_249.h
+++ b/lib/dns/rdata/generic/tkey_249.h
@@ -15,11 +15,14 @@
  * SOFTWARE.
  */
 
-/* $Id: tkey_249.h,v 1.13 2000/03/20 22:57:14 gson Exp $ */
+#ifndef GENERIC_TKEY_249_H
+#define GENERIC_TKEY_249_H 1
+
+/* $Id: tkey_249.h,v 1.15 2000/04/29 02:01:51 tale Exp $ */
 
 /* draft-ietf-dnsind-tkey-00.txt */
 
-typedef struct dns_rdata_generic_tkey {
+typedef struct dns_rdata_key {
         dns_rdatacommon_t	common;
         isc_mem_t *		mctx;
         dns_name_t		algorithm;
@@ -31,5 +34,7 @@ typedef struct dns_rdata_generic_tkey {
         unsigned char *		key;
         isc_uint16_t		otherlen;
         unsigned char *		other;
-} dns_rdata_generic_tkey_t;
+} dns_rdata_tkey_t;
+
 
+#endif /* GENERIC_TKEY_249_H */
diff --git a/lib/dns/rdata/generic/txt_16.c b/lib/dns/rdata/generic/txt_16.c
index 48cc5396..ba70f42f 100644
--- a/lib/dns/rdata/generic/txt_16.c
+++ b/lib/dns/rdata/generic/txt_16.c
@@ -15,13 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: txt_16.c,v 1.20 2000/03/16 23:40:50 bwelling Exp $ */
+/* $Id: txt_16.c,v 1.26 2000/05/22 12:38:00 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 15:40:00 PST 2000 by bwelling */
 
 #ifndef RDATA_GENERIC_TXT_16_C
 #define RDATA_GENERIC_TXT_16_C
 
+#define RRTYPE_TXT_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_txt(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	     isc_lex_t *lexer, dns_name_t *origin,
@@ -45,7 +47,7 @@ fromtext_txt(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	}
 	/* Let upper layer handle eol/eof. */
 	isc_lex_ungettoken(lexer, &token);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -66,7 +68,7 @@ totext_txt(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 			RETERR(str_totext(" ", target));
 	}
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -84,10 +86,10 @@ fromwire_txt(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	while (!buffer_empty(source)) {
 		result = txt_fromwire(source, target);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -98,13 +100,13 @@ towire_txt(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 
 	UNUSED(cctx);
 
-	isc_buffer_available(target, &region);
+	isc_buffer_availableregion(target, &region);
 	if (region.length < rdata->length)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 
 	memcpy(region.base, rdata->data, rdata->length);
 	isc_buffer_add(target, rdata->length);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline int
@@ -125,41 +127,82 @@ static inline isc_result_t
 fromstruct_txt(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	       isc_buffer_t *target)
 {
-	UNUSED(rdclass);
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_txt_t *txt = source;
+	isc_region_t region;
+	isc_uint8_t length;
 
 	REQUIRE(type == 16);
+	REQUIRE(source != NULL);
+	REQUIRE(txt->common.rdtype == type);
+	REQUIRE(txt->common.rdclass == rdclass);
+	REQUIRE((txt->txt == NULL && txt->txt_len == 0) ||
+		(txt->txt != NULL && txt->txt_len != 0));
+
+	region.base = txt->txt;
+	region.length = txt->txt_len;
+	while (region.length > 0) {
+		length = uint8_fromregion(&region);
+		isc_region_consume(&region, 1);
+		if (region.length <= length)
+			return (ISC_R_UNEXPECTEDEND);
+		isc_region_consume(&region, length);
+	}
 
-	return (DNS_R_NOTIMPLEMENTED);
+	return (mem_tobuffer(target, txt->txt, txt->txt_len));
 }
 
 static inline isc_result_t
 tostruct_txt(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
-	UNUSED(target);
-	UNUSED(mctx);
+	dns_rdata_txt_t *txt = target;
+	isc_region_t r;
 
 	REQUIRE(rdata->type == 16);
+	REQUIRE(target != NULL);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	txt->common.rdclass = rdata->rdclass;
+	txt->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&txt->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+	txt->txt_len = r.length;
+	if (txt->txt_len != 0) {
+		txt->txt = mem_maybedup(mctx, r.base, r.length);
+		if (txt->txt == NULL)
+			return (ISC_R_NOMEMORY);
+	} else
+		txt->txt = NULL;
+
+	txt->offset = 0;
+	txt->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_txt(void *source) {
+	dns_rdata_txt_t *txt = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);
+	REQUIRE(txt->common.rdtype == 16);
+
+	if (txt->mctx == NULL)
+		return;
+
+	if (txt->txt != NULL)
+		isc_mem_free(txt->mctx, txt->txt);
+	txt->mctx = NULL;
 }
 
 static inline isc_result_t
 additionaldata_txt(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 		   void *arg)
 {
-	UNUSED(add);
-	UNUSED(arg);
-
 	REQUIRE(rdata->type == 16);
 
-	return (DNS_R_SUCCESS);
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+	
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/generic/txt_16.h b/lib/dns/rdata/generic/txt_16.h
index 8f6ee0af..80bb8f4a 100644
--- a/lib/dns/rdata/generic/txt_16.h
+++ b/lib/dns/rdata/generic/txt_16.h
@@ -15,5 +15,34 @@
  * SOFTWARE.
  */
 
-/* $Id: txt_16.h,v 1.14 2000/03/20 23:08:50 gson Exp $ */
+#ifndef GENERIC_TXT_16_H
+#define GENERIC_TXT_16_H 1
 
+/* $Id: txt_16.h,v 1.16 2000/04/29 02:01:51 tale Exp $ */
+
+
+typedef struct dns_rdata_txt_string {
+                isc_uint8_t    length;
+                unsigned char   *data;
+} dns_rdata_txt_string_t;
+
+typedef struct dns_rdata_txt {
+        dns_rdatacommon_t       common;
+        isc_mem_t               *mctx;
+        unsigned char           *txt;
+        isc_uint16_t            txt_len;
+        /* private */
+        isc_uint16_t            offset;
+} dns_rdata_txt_t;
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t dns_rdata_txt_first(dns_rdata_txt_t *);
+isc_result_t dns_rdata_txt_next(dns_rdata_txt_t *);
+isc_result_t dns_rdata_txt_current(dns_rdata_txt_t *, dns_rdata_txt_string_t *);
+
+ISC_LANG_ENDDECLS
+
+#endif /* GENERIC_TXT_16_H */
diff --git a/lib/dns/rdata/generic/unspec_103.c b/lib/dns/rdata/generic/unspec_103.c
index 70a6c43d..4dbfa303 100644
--- a/lib/dns/rdata/generic/unspec_103.c
+++ b/lib/dns/rdata/generic/unspec_103.c
@@ -15,11 +15,13 @@
  * SOFTWARE.
  */
 
-/* $Id: unspec_103.c,v 1.12 2000/03/20 22:48:59 gson Exp $ */
+/* $Id: unspec_103.c,v 1.20 2000/05/22 12:38:01 marka Exp $ */
 
 #ifndef RDATA_GENERIC_UNSPEC_103_C
 #define RDATA_GENERIC_UNSPEC_103_C
 
+#define RRTYPE_UNSPEC_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_unspec(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		isc_lex_t *lexer, dns_name_t *origin,
@@ -28,9 +30,9 @@ fromtext_unspec(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	REQUIRE(type == 103);
 
-	rdclass = rdclass;		/*unused*/
-	origin = origin;	/*unused*/
-	downcase = downcase;	/*unused*/
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(downcase);
 
 	return (atob_tobuffer(lexer, target));
 }
@@ -39,11 +41,10 @@ static inline isc_result_t
 totext_unspec(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx, 
 	      isc_buffer_t *target) 
 {
-	
 
 	REQUIRE(rdata->type == 103);
 
-	tctx = tctx;	/*unused*/
+	UNUSED(tctx);
 
 	return (btoa_totext(rdata->data, rdata->length, target));
 }
@@ -57,10 +58,11 @@ fromwire_unspec(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	REQUIRE(type == 103);
 
-	rdclass = rdclass;		/*unused*/
-	dctx = dctx;		/*unused*/
-	downcase = downcase;	/*unused*/
-	isc_buffer_active(source, &sr);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(downcase);
+	
+	isc_buffer_activeregion(source, &sr);
 	isc_buffer_forward(source, sr.length);
 	return (mem_tobuffer(target, sr.base, sr.length));
 }
@@ -70,7 +72,7 @@ towire_unspec(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 
 	REQUIRE(rdata->type == 103);
 
-	cctx = cctx;		/*unused*/
+	UNUSED(cctx);
 
 	return (mem_tobuffer(target, rdata->data, rdata->length));
 }
@@ -93,32 +95,56 @@ static inline isc_result_t
 fromstruct_unspec(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 		  isc_buffer_t *target)
 {
+	dns_rdata_unspec_t *unspec = source;
 
 	REQUIRE(type == 103);
+	REQUIRE(source != NULL);
+	REQUIRE(unspec->common.rdtype == type);
+	REQUIRE(unspec->common.rdclass == rdclass);
+	REQUIRE((unspec->data != NULL && unspec->datalen != 0) ||
+		(unspec->data == NULL && unspec->datalen == 0));
 
-	rdclass = rdclass;	/*unused*/
-
-	source = source;
-	target = target;
-
-	return (DNS_R_NOTIMPLEMENTED);
+	return (mem_tobuffer(target, unspec->data, unspec->datalen));
 }
 
 static inline isc_result_t
 tostruct_unspec(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
+	dns_rdata_unspec_t *unspec = target;
+	isc_region_t r;
 
 	REQUIRE(rdata->type == 103);
+	REQUIRE(target != NULL);
 
-	target = target;
-	mctx = mctx;
+	unspec->common.rdclass = rdata->rdclass;
+	unspec->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&unspec->common, link);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_rdata_toregion(rdata, &r);
+	unspec->datalen = r.length;
+	if (unspec->datalen != 0) {
+		unspec->data = mem_maybedup(mctx, r.base, r.length);
+		if (unspec->data == NULL)
+			return (ISC_R_NOMEMORY);
+	} else
+		unspec->data = NULL;
+
+	unspec->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_unspec(void *source) {
+	dns_rdata_unspec_t *unspec = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/*XXX*/
+	REQUIRE(unspec->common.rdtype == 103);
+
+	if (unspec->mctx == NULL)
+		return;
+
+	if (unspec->data != NULL)
+		isc_mem_free(unspec->mctx, unspec->data);
+	unspec->mctx = NULL;
 }
 
 static inline isc_result_t
@@ -127,10 +153,11 @@ additionaldata_unspec(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 {
 	REQUIRE(rdata->type == 103);
 
-	(void)add;
-	(void)arg;
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/generic/unspec_103.h b/lib/dns/rdata/generic/unspec_103.h
index 5ebc11f8..74b8951d 100644
--- a/lib/dns/rdata/generic/unspec_103.h
+++ b/lib/dns/rdata/generic/unspec_103.h
@@ -15,5 +15,16 @@
  * SOFTWARE.
  */
 
- /* $Id: unspec_103.h,v 1.6 2000/02/03 23:43:09 halley Exp $ */
+#ifndef GENERIC_UNSPEC_103_H
+#define GENERIC_UNSPEC_103_H 1
 
+ /* $Id: unspec_103.h,v 1.8 2000/04/29 02:01:52 tale Exp $ */
+
+typedef struct dns_rdata_unspec_t {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	unsigned char		*data;
+	isc_uint16_t		datalen;
+} dns_rdata_unspec_t;
+
+#endif /* GENERIC_UNSPEC_103_H */
diff --git a/lib/dns/rdata/generic/x25_19.c b/lib/dns/rdata/generic/x25_19.c
index 29f03a9a..565ed6bc 100644
--- a/lib/dns/rdata/generic/x25_19.c
+++ b/lib/dns/rdata/generic/x25_19.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: x25_19.c,v 1.12 2000/03/17 00:15:30 bwelling Exp $ */
+/* $Id: x25_19.c,v 1.20 2000/05/22 12:38:02 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 16:15:57 PST 2000 by bwelling */
 
@@ -24,7 +24,7 @@
 #ifndef RDATA_GENERIC_X25_19_C
 #define RDATA_GENERIC_X25_19_C
 
-#include <ctype.h>
+#define RRTYPE_X25_ATTRIBUTES (0)
 
 static inline isc_result_t
 fromtext_x25(dns_rdataclass_t rdclass, dns_rdatatype_t type,
@@ -45,7 +45,7 @@ fromtext_x25(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		return (DNS_R_SYNTAX);
 	for (i = 0; i < token.value.as_textregion.length; i++)
 		if (!isdigit(token.value.as_textregion.base[i] & 0xff))
-			return (DNS_R_RANGE);
+			return (ISC_R_RANGE);
 	return (txt_fromtext(&token.value.as_textregion, target));
 }
 
@@ -76,7 +76,7 @@ fromwire_x25(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	REQUIRE(type == 19);
 
-	isc_buffer_active(source, &sr);
+	isc_buffer_activeregion(source, &sr);
 	if (sr.length < 5)
 		return (DNS_R_FORMERR);
 	return (txt_fromwire(source, target));
@@ -109,42 +109,75 @@ static inline isc_result_t
 fromstruct_x25(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	       isc_buffer_t *target)
 {
-	UNUSED(rdclass);
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_x25_t *x25 = source;
+	isc_uint8_t i;
 
 	REQUIRE(type == 19);
+	REQUIRE(source != NULL);
+	REQUIRE(x25->common.rdtype == type);
+	REQUIRE(x25->common.rdclass == rdclass);
+	REQUIRE((x25->x25 == NULL && x25->x25_len == 0) ||
+		(x25->x25 != NULL && x25->x25_len != 0));
+
+	for (i = 0; i < x25->x25_len; i++)
+		if (!isdigit(x25->x25[i] & 0xff))
+			return (ISC_R_RANGE);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	RETERR(uint8_tobuffer(x25->x25_len, target));
+	return (mem_tobuffer(target, x25->x25, x25->x25_len));
 }
 
 static inline isc_result_t
 tostruct_x25(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
+	dns_rdata_x25_t *x25 = target;
+	isc_region_t r;
 
 	REQUIRE(rdata->type == 19);
+	REQUIRE(target != NULL);
 
-	UNUSED(target);
-	UNUSED(mctx);
+	x25->common.rdclass = rdata->rdclass;
+	x25->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&x25->common, link);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_rdata_toregion(rdata, &r);
+	x25->x25_len = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	if (x25->x25_len != 0) {
+		x25->x25 = mem_maybedup(mctx, r.base, x25->x25_len);
+		if (x25->x25 == NULL)
+			return (ISC_R_NOMEMORY);
+	} else
+		x25->x25 = NULL;
+
+	x25->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_x25(void *source) {
+	dns_rdata_x25_t *x25 = source;
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/*XXX*/
+	REQUIRE(x25->common.rdtype == 19);
+
+	if (x25->mctx == NULL)
+		return;
+
+	if (x25->x25 != NULL)
+		isc_mem_free(x25->mctx, x25->x25);
+	x25->mctx = NULL;
 }
 
 static inline isc_result_t
 additionaldata_x25(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 		   void *arg)
 {
+	REQUIRE(rdata->type == 19);
+
+	UNUSED(rdata);
 	UNUSED(add);
 	UNUSED(arg);
 
-	REQUIRE(rdata->type == 19);
-
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/generic/x25_19.h b/lib/dns/rdata/generic/x25_19.h
index 3b48a76b..f557954e 100644
--- a/lib/dns/rdata/generic/x25_19.h
+++ b/lib/dns/rdata/generic/x25_19.h
@@ -15,7 +15,18 @@
  * SOFTWARE.
  */
 
-/* $Id: x25_19.h,v 1.7 2000/03/20 22:57:14 gson Exp $ */
+#ifndef GENERIC_X25_19_H
+#define GENERIC_X25_19_H 1
+
+/* $Id: x25_19.h,v 1.10 2000/05/05 05:50:14 marka Exp $ */
 
 /* RFC 1183 */
 
+typedef struct dns_rdata_x25 {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	unsigned char		*x25;
+	isc_uint8_t		x25_len;
+} dns_rdata_x25_t;
+
+#endif /* GENERIC_X25_19_H */
diff --git a/lib/dns/rdata/hs_4/a_1.c b/lib/dns/rdata/hs_4/a_1.c
index 5e2a87a2..c52a845f 100644
--- a/lib/dns/rdata/hs_4/a_1.c
+++ b/lib/dns/rdata/hs_4/a_1.c
@@ -15,17 +15,17 @@
  * SOFTWARE.
  */
 
-/* $Id: a_1.c,v 1.5 2000/03/20 22:44:35 gson Exp $ */
+/* $Id: a_1.c,v 1.13 2000/05/22 12:38:03 marka Exp $ */
 
 /* reviewed: Thu Mar 16 15:58:36 PST 2000 by brister */
 
 #ifndef RDATA_HS_4_A_1_C
 #define RDATA_HS_4_A_1_C
 
-#include <string.h>
-
 #include <isc/net.h>
 
+#define RRTYPE_A_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_hs_a(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	      isc_lex_t *lexer, dns_name_t *origin,
@@ -45,12 +45,12 @@ fromtext_hs_a(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	if (inet_aton(token.value.as_pointer, &addr) != 1)
 		return (DNS_R_BADDOTTEDQUAD);
-	isc_buffer_available(target, &region);
+	isc_buffer_availableregion(target, &region);
 	if (region.length < 4)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	memcpy(region.base, &addr, 4);
 	isc_buffer_add(target, 4);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -65,13 +65,13 @@ totext_hs_a(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 
 	UNUSED(tctx);
 
-	isc_buffer_available(target, &region);
+	isc_buffer_availableregion(target, &region);
 	if (inet_ntop(AF_INET, rdata->data,
 			  (char *)region.base, region.length) == NULL)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 
 	isc_buffer_add(target, strlen((char *)region.base));
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -89,17 +89,17 @@ fromwire_hs_a(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	UNUSED(downcase);
 
 
-	isc_buffer_active(source, &sregion);
-	isc_buffer_available(target, &tregion);
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
 	if (sregion.length < 4)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	if (tregion.length < 4)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 
 	memcpy(tregion.base, sregion.base, 4);
 	isc_buffer_forward(source, 4);
 	isc_buffer_add(target, 4);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -112,12 +112,12 @@ towire_hs_a(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
 
 	UNUSED(cctx);
 
-	isc_buffer_available(target, &region);
+	isc_buffer_availableregion(target, &region);
 	if (region.length < rdata->length)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	memcpy(region.base, rdata->data, rdata->length);
 	isc_buffer_add(target, 4);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline int
@@ -141,14 +141,18 @@ static inline isc_result_t
 fromstruct_hs_a(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	        isc_buffer_t *target)
 {
+	dns_rdata_hs_a_t *a = source;
+	isc_uint32_t n;
 
 	REQUIRE(type == 1);
 	REQUIRE(rdclass == 4);
+	REQUIRE(source != NULL);
+	REQUIRE(a->common.rdtype == type);
+	REQUIRE(a->common.rdclass == rdclass);
 
-	UNUSED(source);
-	UNUSED(target);
+	n = ntohl(a->in_addr.s_addr);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	return (uint32_tobuffer(n, target));
 }
 
 static inline isc_result_t
@@ -171,15 +175,15 @@ tostruct_hs_a(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
 	n = uint32_fromregion(&region);
 	a->in_addr.s_addr = htonl(n);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_hs_a(void *source)
 {
-	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/*XXX*/
+	UNUSED(source);
 
+	REQUIRE(source != NULL);
 }
 
 static inline isc_result_t
@@ -189,10 +193,11 @@ additionaldata_hs_a(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 	REQUIRE(rdata->type == 1);
 	REQUIRE(rdata->rdclass == 4);
 
-	(void)add;
-	(void)arg;
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/hs_4/a_1.h b/lib/dns/rdata/hs_4/a_1.h
index 6e539ac8..7a90e0e2 100644
--- a/lib/dns/rdata/hs_4/a_1.h
+++ b/lib/dns/rdata/hs_4/a_1.h
@@ -15,9 +15,14 @@
  * SOFTWARE.
  */
 
-/* $Id: a_1.h,v 1.3 2000/03/20 22:57:15 gson Exp $ */
+#ifndef HS_4_A_1_H
+#define HS_4_A_1_H 1
+
+/* $Id: a_1.h,v 1.4 2000/04/29 02:01:53 tale Exp $ */
 
 typedef struct dns_rdata_hs_a {
 	dns_rdatacommon_t	common;
 	struct in_addr          in_addr;
 } dns_rdata_hs_a_t;
+
+#endif /* HS_4_A_1_H */
diff --git a/lib/dns/rdata/in_1/a6_38.c b/lib/dns/rdata/in_1/a6_38.c
index 5ee4c4b4..7e5c75e9 100644
--- a/lib/dns/rdata/in_1/a6_38.c
+++ b/lib/dns/rdata/in_1/a6_38.c
@@ -15,17 +15,17 @@
  * SOFTWARE.
  */
 
- /* $Id: a6_38.c,v 1.22 2000/03/20 22:44:35 gson Exp $ */
+ /* $Id: a6_38.c,v 1.32 2000/05/22 12:38:05 marka Exp $ */
 
  /* draft-ietf-ipngwg-dns-lookups-03.txt */
 
 #ifndef RDATA_IN_1_A6_28_C
 #define RDATA_IN_1_A6_28_C
 
-#include <string.h>
-
 #include <isc/net.h>
 
+#define RRTYPE_A6_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_in_a6(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	       isc_lex_t *lexer, dns_name_t *origin,
@@ -42,19 +42,27 @@ fromtext_in_a6(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	REQUIRE(type == 38);
 	REQUIRE(rdclass == 1);
 
-	/* prefix length */
+	/*
+	 * Prefix length.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
 	if (token.value.as_ulong > 128)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 
 	prefixlen = (unsigned char)token.value.as_ulong;
 	RETERR(mem_tobuffer(target, &prefixlen, 1));
 
-	/* suffix */
+	/*
+	 * Suffix.
+	 */
 	if (prefixlen != 128) {
-		/* prefix 0..127 */
+		/*
+		 * Prefix 0..127.
+		 */
 		octets = prefixlen/8;
-		/* octets 0..15 */
+		/*
+		 * Octets 0..15.
+		 */
 		RETERR(gettoken(lexer, &token, isc_tokentype_string,
 				ISC_FALSE));
 		if (inet_pton(AF_INET6, token.value.as_pointer, addr) != 1)
@@ -65,12 +73,11 @@ fromtext_in_a6(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	}
 
 	if (prefixlen == 0)
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	return (dns_name_fromtext(&name, &buffer, origin, downcase, target));
 }
@@ -107,17 +114,17 @@ totext_in_a6(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 		memcpy(&addr[octets], sr.base, 16 - octets);
 		mask = 0xff >> (prefixlen % 8);
 		addr[octets] &= mask;
-		isc_buffer_available(target, &tr);
+		isc_buffer_availableregion(target, &tr);
 		if (inet_ntop(AF_INET6, addr,
 			      (char *)tr.base, tr.length) == NULL)
-			return (DNS_R_NOSPACE);
+			return (ISC_R_NOSPACE);
 
 		isc_buffer_add(target, strlen((char *)tr.base));
 		isc_region_consume(&sr, 16 - octets);
 	}
 
 	if (prefixlen == 0)
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 
 	RETERR(str_totext(" ", target));
 	dns_name_init(&name, NULL);
@@ -141,35 +148,36 @@ fromwire_in_a6(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	REQUIRE(type == 38);
 	REQUIRE(rdclass == 1);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
 
-	isc_buffer_active(source, &sr);
-	/* prefix length */
+	isc_buffer_activeregion(source, &sr);
+	/*
+	 * Prefix length.
+	 */
 	if (sr.length < 1)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	prefixlen = sr.base[0];
 	if (prefixlen > 128)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 	isc_region_consume(&sr, 1);
 	RETERR(mem_tobuffer(target, &prefixlen, 1));
 	isc_buffer_forward(source, 1);
 
-	/* suffix */
+	/*
+	 * Suffix.
+	 */
 	if (prefixlen != 128) {
 		octets = 16 - prefixlen / 8;
 		if (sr.length < octets)
-			return (DNS_R_UNEXPECTEDEND);
+			return (ISC_R_UNEXPECTEDEND);
 		mask = 0xff >> (prefixlen % 8);
-		sr.base[0] &= mask;	/* ensure pad bits are zero */
+		sr.base[0] &= mask;	/* Ensure pad bits are zero. */
 		RETERR(mem_tobuffer(target, sr.base, octets));
 		isc_buffer_forward(source, octets);
 	}
 
 	if (prefixlen == 0)
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 
 	dns_name_init(&name, NULL);
 	return (dns_name_fromwire(&name, source, dctx, downcase, target));
@@ -185,11 +193,7 @@ towire_in_a6(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 	REQUIRE(rdata->type == 38);
 	REQUIRE(rdata->rdclass == 1);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
 	dns_rdata_toregion(rdata, &sr);
 	prefixlen = sr.base[0];
 	INSIST(prefixlen <= 128);
@@ -199,7 +203,7 @@ towire_in_a6(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 	isc_region_consume(&sr, octets);
 
 	if (prefixlen == 0)
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 
 	dns_name_init(&name, NULL);
 	dns_name_fromregion(&name, &sr);
@@ -263,48 +267,104 @@ fromstruct_in_a6(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 		 isc_buffer_t *target)
 {
 	dns_rdata_in_a6_t *a6 = source;
-	unsigned char prefixlen;
-	unsigned char octets;
+	isc_region_t region;
+	int octets;
+	isc_uint8_t bits;
+	isc_uint8_t first;
+	isc_uint8_t mask;
 
-	REQUIRE(type == 1);
+	REQUIRE(type == 38);
 	REQUIRE(rdclass == 1);
 	REQUIRE(source != NULL);
 	REQUIRE(a6->common.rdtype == type);
 	REQUIRE(a6->common.rdclass == rdclass);
 
 	if (a6->prefixlen > 128)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 
-	prefixlen = a6->prefixlen;
-	RETERR(mem_tobuffer(target, &prefixlen, 1));
+	RETERR(uint8_tobuffer(a6->prefixlen, target));
 
+	/* Suffix */
 	if (a6->prefixlen != 128) {
-		/* XXX fix this! */
+		octets = 16 - a6->prefixlen / 8;
+		bits = a6->prefixlen % 8;
+		if (bits != 0) {
+			mask = 0xffU >> bits;
+			first = a6->in6_addr.s6_addr[16 - octets] & mask;
+			RETERR(uint8_tobuffer(first, target));
+			octets--;
+		}
+		if (octets > 0)
+			RETERR(mem_tobuffer(target,
+					    a6->in6_addr.s6_addr + 16 - octets,
+					    octets));
 	}
 
-	octets = 16 - prefixlen / 8;
-
-	return (DNS_R_NOTIMPLEMENTED);
+	if (a6->prefixlen == 0)
+		return (ISC_R_SUCCESS);
+	dns_name_toregion(&a6->prefix, &region);
+	return (isc_buffer_copyregion(target, &region));
 }
 
 static inline isc_result_t
 tostruct_in_a6(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
 {
+	dns_rdata_in_a6_t *a6 = target;
+	unsigned char octets;
+	dns_name_t name;
+	isc_region_t r;
 
 	REQUIRE(rdata->type == 38);
 	REQUIRE(rdata->rdclass == 1);
+	REQUIRE(target != NULL);
+
+	a6->common.rdclass = rdata->rdclass;
+	a6->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&a6->common, link);
+
+	dns_rdata_toregion(rdata, &r);
 
-	UNUSED(target);
-	UNUSED(mctx);
+	a6->prefixlen = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	memset(a6->in6_addr.s6_addr, 0, sizeof(a6->in6_addr.s6_addr));
+
+	/*
+	 * Suffix.
+	 */
+	if (a6->prefixlen != 128) {
+		octets = 16 - a6->prefixlen / 8;
+		INSIST(r.length >= octets);
+		memcpy(a6->in6_addr.s6_addr + 16 - octets, r.base, octets);
+		isc_region_consume(&r, octets);
+	}
 
-	return (DNS_R_NOTIMPLEMENTED);
+	/*
+	 * Prefix.
+	 */
+	dns_name_init(&a6->prefix, NULL);
+	if (a6->prefixlen != 0) {
+		dns_name_init(&name, NULL);
+		dns_name_fromregion(&name, &r);
+		RETERR(name_duporclone(&name, mctx, &a6->prefix));
+	}
+	a6->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
-freestruct_in_a6(void *source)
-{
+freestruct_in_a6(void *source) {
+	dns_rdata_in_a6_t *a6 = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/*XXX*/
+	REQUIRE(a6->common.rdclass == 1);
+	REQUIRE(a6->common.rdtype == 38);
+
+	if (a6->mctx == NULL)
+		return;
+
+	if (dns_name_dynamic(&a6->prefix))
+		dns_name_free(&a6->prefix, a6->mctx);
+	a6->mctx = NULL;
 }
 
 static inline isc_result_t
@@ -314,15 +374,15 @@ additionaldata_in_a6(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 	REQUIRE(rdata->type == 38);
 	REQUIRE(rdata->rdclass == 1);
 
-	(void)add;
-	(void)arg;
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
-digest_in_a6(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg)
-{
+digest_in_a6(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
 	isc_region_t r1, r2;
 	unsigned char prefixlen, octets;
 	isc_result_t result;
@@ -338,10 +398,10 @@ digest_in_a6(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg)
 
 	r1.length = octets;
 	result = (digest)(arg, &r1);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (prefixlen == 0)
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 
 	isc_region_consume(&r2, octets);
 	dns_name_init(&name, NULL);
diff --git a/lib/dns/rdata/in_1/a6_38.h b/lib/dns/rdata/in_1/a6_38.h
index 4728244a..4971eaa6 100644
--- a/lib/dns/rdata/in_1/a6_38.h
+++ b/lib/dns/rdata/in_1/a6_38.h
@@ -15,7 +15,10 @@
  * SOFTWARE.
  */
 
- /* $Id: a6_38.h,v 1.12 2000/02/03 23:43:16 halley Exp $ */
+#ifndef IN_1_A6_38_H
+#define IN_1_A6_38_H 1
+
+ /* $Id: a6_38.h,v 1.13 2000/04/29 02:01:54 tale Exp $ */
 
  /* draft-ietf-ipngwg-dns-lookups-03.txt */
 
@@ -27,3 +30,4 @@ typedef struct dns_rdata_in_a6 {
 	struct in6_addr		in6_addr;
 } dns_rdata_in_a6_t;
 
+#endif /* IN_1_A6_38_H */
diff --git a/lib/dns/rdata/in_1/a_1.c b/lib/dns/rdata/in_1/a_1.c
index e05a6ee0..bffaf1dd 100644
--- a/lib/dns/rdata/in_1/a_1.c
+++ b/lib/dns/rdata/in_1/a_1.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: a_1.c,v 1.25 2000/03/17 01:48:29 bwelling Exp $ */
+/* $Id: a_1.c,v 1.33 2000/05/22 12:38:06 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
 
@@ -26,6 +26,8 @@
 
 #include <isc/net.h>
 
+#define RRTYPE_A_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_in_a(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	      isc_lex_t *lexer, dns_name_t *origin,
@@ -45,12 +47,12 @@ fromtext_in_a(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	if (inet_aton(token.value.as_pointer, &addr) != 1)
 		return (DNS_R_BADDOTTEDQUAD);
-	isc_buffer_available(target, &region);
+	isc_buffer_availableregion(target, &region);
 	if (region.length < 4)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	memcpy(region.base, &addr, 4);
 	isc_buffer_add(target, 4);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -65,13 +67,13 @@ totext_in_a(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	REQUIRE(rdata->rdclass == 1);
 	REQUIRE(rdata->length == 4);
 
-	isc_buffer_available(target, &region);
+	isc_buffer_availableregion(target, &region);
 	if (inet_ntop(AF_INET, rdata->data,
 			  (char *)region.base, region.length) == NULL)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 
 	isc_buffer_add(target, strlen((char *)region.base));
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -88,17 +90,17 @@ fromwire_in_a(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	REQUIRE(type == 1);
 	REQUIRE(rdclass == 1);
 
-	isc_buffer_active(source, &sregion);
-	isc_buffer_available(target, &tregion);
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
 	if (sregion.length < 4)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	if (tregion.length < 4)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 
 	memcpy(tregion.base, sregion.base, 4);
 	isc_buffer_forward(source, 4);
 	isc_buffer_add(target, 4);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -110,12 +112,12 @@ towire_in_a(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 	REQUIRE(rdata->type == 1);
 	REQUIRE(rdata->rdclass == 1);
 
-	isc_buffer_available(target, &region);
+	isc_buffer_availableregion(target, &region);
 	if (region.length < rdata->length)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	memcpy(region.base, rdata->data, rdata->length);
 	isc_buffer_add(target, 4);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline int
@@ -137,15 +139,21 @@ static inline isc_result_t
 fromstruct_in_a(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 	        isc_buffer_t *target)
 {
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_in_a_t *a = source;
+	isc_uint32_t n;
 
 	REQUIRE(type == 1);
 	REQUIRE(rdclass == 1);
+	REQUIRE(source != NULL);
+	REQUIRE(a->common.rdtype == type);
+	REQUIRE(a->common.rdclass == rdclass);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	n = ntohl(a->in_addr.s_addr); 
+
+	return (uint32_tobuffer(n, target));
 }
 
+
 static inline isc_result_t
 tostruct_in_a(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
 	dns_rdata_in_a_t *a = target;
@@ -165,26 +173,30 @@ tostruct_in_a(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
 	n = uint32_fromregion(&region);
 	a->in_addr.s_addr = htonl(n);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_in_a(void *source) {
+	dns_rdata_in_a_t *a = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/*XXX*/
+	REQUIRE(a->common.rdtype == 1);
+	REQUIRE(a->common.rdclass == 1);
 }
 
 static inline isc_result_t
 additionaldata_in_a(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 		    void *arg)
 {
-	UNUSED(add);
-	UNUSED(arg);
-
 	REQUIRE(rdata->type == 1);
 	REQUIRE(rdata->rdclass == 1);
 
-	return (DNS_R_SUCCESS);
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/in_1/a_1.h b/lib/dns/rdata/in_1/a_1.h
index cf215fa2..a2615d80 100644
--- a/lib/dns/rdata/in_1/a_1.h
+++ b/lib/dns/rdata/in_1/a_1.h
@@ -15,9 +15,14 @@
  * SOFTWARE.
  */
 
-/* $Id: a_1.h,v 1.18 2000/03/20 22:57:15 gson Exp $ */
+#ifndef IN_1_A_1_H
+#define IN_1_A_1_H 1
+
+/* $Id: a_1.h,v 1.19 2000/04/29 02:01:54 tale Exp $ */
 
 typedef struct dns_rdata_in_a {
 	dns_rdatacommon_t	common;
 	struct in_addr          in_addr;
 } dns_rdata_in_a_t;
+
+#endif /* IN_1_A_1_H */
diff --git a/lib/dns/rdata/in_1/aaaa_28.c b/lib/dns/rdata/in_1/aaaa_28.c
index a97d83af..49464449 100644
--- a/lib/dns/rdata/in_1/aaaa_28.c
+++ b/lib/dns/rdata/in_1/aaaa_28.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: aaaa_28.c,v 1.17 2000/03/17 01:48:28 bwelling Exp $ */
+/* $Id: aaaa_28.c,v 1.24 2000/05/22 12:38:07 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
 
@@ -24,10 +24,10 @@
 #ifndef RDATA_IN_1_AAAA_28_C
 #define RDATA_IN_1_AAAA_28_C
 
-#include <string.h>
-
 #include <isc/net.h>
 
+#define RRTYPE_AAAA_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_in_aaaa(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		 isc_lex_t *lexer, dns_name_t *origin,
@@ -47,12 +47,12 @@ fromtext_in_aaaa(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 
 	if (inet_pton(AF_INET6, token.value.as_pointer, addr) != 1)
 		return (DNS_R_BADAAAA);
-	isc_buffer_available(target, &region);
+	isc_buffer_availableregion(target, &region);
 	if (region.length < 16)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	memcpy(region.base, addr, 16);
 	isc_buffer_add(target, 16);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -67,13 +67,13 @@ totext_in_aaaa(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	REQUIRE(rdata->rdclass == 1);
 	REQUIRE(rdata->length == 16);
 
-	isc_buffer_available(target, &region);
+	isc_buffer_availableregion(target, &region);
 	if (inet_ntop(AF_INET6, rdata->data,
 		      (char *)region.base, region.length) == NULL)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 
 	isc_buffer_add(target, strlen((char *)region.base));
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -90,17 +90,17 @@ fromwire_in_aaaa(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	REQUIRE(type == 28);
 	REQUIRE(rdclass == 1);
 
-	isc_buffer_active(source, &sregion);
-	isc_buffer_available(target, &tregion);
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
 	if (sregion.length < 16)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	if (tregion.length < 16)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 
 	memcpy(tregion.base, sregion.base, 16);
 	isc_buffer_forward(source, 16);
 	isc_buffer_add(target, 16);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -112,12 +112,12 @@ towire_in_aaaa(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 	REQUIRE(rdata->type == 28);
 	REQUIRE(rdata->rdclass == 1);
 
-	isc_buffer_available(target, &region);
+	isc_buffer_availableregion(target, &region);
 	if (region.length < rdata->length)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	memcpy(region.base, rdata->data, rdata->length);
 	isc_buffer_add(target, 16);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline int
@@ -139,43 +139,60 @@ static inline isc_result_t
 fromstruct_in_aaaa(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		   void *source, isc_buffer_t *target)
 {
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_in_aaaa_t *aaaa = source;
 
-	REQUIRE(type == 1);
+	REQUIRE(type == 28);
 	REQUIRE(rdclass == 1);
+	REQUIRE(source != NULL);
+	REQUIRE(aaaa->common.rdtype == type);
+	REQUIRE(aaaa->common.rdclass == rdclass);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	return (mem_tobuffer(target, aaaa->in6_addr.s6_addr, 16));
 }
 
 static inline isc_result_t
 tostruct_in_aaaa(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
-	UNUSED(target);
-	UNUSED(mctx);
+	dns_rdata_in_aaaa_t *aaaa = target;
+	isc_region_t r;
 
 	REQUIRE(rdata->type == 28);
 	REQUIRE(rdata->rdclass == 1);
+	REQUIRE(target != NULL);
+
+	UNUSED(mctx);
+
+	aaaa->common.rdclass = rdata->rdclass;
+	aaaa->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&aaaa->common, link);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_rdata_toregion(rdata, &r);
+	INSIST(r.length == 16);
+	memcpy(aaaa->in6_addr.s6_addr, r.base, 16);
+
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_in_aaaa(void *source) {
+	dns_rdata_in_aaaa_t *aaaa = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/*XXX*/
+	REQUIRE(aaaa->common.rdclass == 1);
+	REQUIRE(aaaa->common.rdtype == 28);
 }
 
 static inline isc_result_t
 additionaldata_in_aaaa(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 		       void *arg)
 {
-	UNUSED(add);
-	UNUSED(arg);
-
 	REQUIRE(rdata->type == 28);
 	REQUIRE(rdata->rdclass == 1);
 
-	return (DNS_R_SUCCESS);
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/in_1/aaaa_28.h b/lib/dns/rdata/in_1/aaaa_28.h
index c96e0e62..30f60c38 100644
--- a/lib/dns/rdata/in_1/aaaa_28.h
+++ b/lib/dns/rdata/in_1/aaaa_28.h
@@ -15,7 +15,10 @@
  * SOFTWARE.
  */
 
-/* $Id: aaaa_28.h,v 1.12 2000/03/20 22:57:15 gson Exp $ */
+#ifndef IN_1_AAAA_28_H
+#define IN_1_AAAA_28_H 1
+
+/* $Id: aaaa_28.h,v 1.13 2000/04/29 02:01:55 tale Exp $ */
 
 /* RFC 1886 */
 
@@ -24,3 +27,4 @@ typedef struct dns_rdata_in_aaaa {
 	struct in6_addr		in6_addr; 
 } dns_rdata_in_aaaa_t;
 
+#endif /* IN_1_AAAA_28_H */
diff --git a/lib/dns/rdata/in_1/kx_36.c b/lib/dns/rdata/in_1/kx_36.c
index b6b6958d..02c9c4d7 100644
--- a/lib/dns/rdata/in_1/kx_36.c
+++ b/lib/dns/rdata/in_1/kx_36.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: kx_36.c,v 1.19 2000/03/20 22:44:35 gson Exp $ */
+/* $Id: kx_36.c,v 1.26 2000/05/15 21:14:32 tale Exp $ */
 
 /* Reviewed: Thu Mar 16 17:24:54 PST 2000 by explorer */
 
@@ -24,6 +24,8 @@
 #ifndef RDATA_GENERIC_KX_36_C
 #define RDATA_GENERIC_KX_36_C
 
+#define RRTYPE_KX_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_in_kx(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	       isc_lex_t *lexer, dns_name_t *origin,
@@ -37,12 +39,13 @@ fromtext_in_kx(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	REQUIRE(rdclass == 1);
 
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
+	if (token.value.as_ulong > 0xffff)
+		return (ISC_R_RANGE);
 	RETERR(uint16_tobuffer(token.value.as_ulong, target));
 
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	return (dns_name_fromtext(&name, &buffer, origin, downcase, target));
 }
@@ -88,35 +91,27 @@ fromwire_in_kx(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	REQUIRE(type == 36);
 	REQUIRE(rdclass == 1);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
         
         dns_name_init(&name, NULL);
 
-	isc_buffer_active(source, &sregion);
+	isc_buffer_activeregion(source, &sregion);
 	if (sregion.length < 2)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	RETERR(mem_tobuffer(target, sregion.base, 2));
 	isc_buffer_forward(source, 2);
 	return (dns_name_fromwire(&name, source, dctx, downcase, target));
 }
 
 static inline isc_result_t
-towire_in_kx(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
-{
+towire_in_kx(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 	dns_name_t name;
 	isc_region_t region;
 
 	REQUIRE(rdata->type == 36);
 	REQUIRE(rdata->rdclass == 1);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
 	dns_rdata_toregion(rdata, &region);
 	RETERR(mem_tobuffer(target, region.base, 2));
 	isc_region_consume(&region, 2);
@@ -128,8 +123,7 @@ towire_in_kx(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
 }
 
 static inline int
-compare_in_kx(dns_rdata_t *rdata1, dns_rdata_t *rdata2)
-{
+compare_in_kx(dns_rdata_t *rdata1, dns_rdata_t *rdata2) {
 	dns_name_t name1;
 	dns_name_t name2;
 	isc_region_t region1;
@@ -179,17 +173,14 @@ fromstruct_in_kx(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 }
 
 static inline isc_result_t
-tostruct_in_kx(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
-{
+tostruct_in_kx(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
 	isc_region_t region;
 	dns_rdata_in_kx_t *kx = target;
 	dns_name_t name;
-	isc_result_t result;
 
 	REQUIRE(rdata->type == 36);
 	REQUIRE(rdata->rdclass == 1);
 	REQUIRE(target != NULL);
-	REQUIRE(mctx != NULL);
 
 	kx->common.rdclass = rdata->rdclass;
 	kx->common.rdtype = rdata->type;
@@ -202,20 +193,22 @@ tostruct_in_kx(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
 	isc_region_consume(&region, 2);
 
 	dns_name_fromregion(&name, &region);
-	kx->mctx = mctx;
 	dns_name_init(&kx->exchange, NULL);
-	result = dns_name_dup(&name, kx->mctx, &kx->exchange);
-	if (result != ISC_R_SUCCESS)
-		kx->mctx = NULL;
-	return (result);
+	RETERR(name_duporclone(&name, mctx, &kx->exchange));
+	kx->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
-freestruct_in_kx(void *source)
-{
+freestruct_in_kx(void *source) {
 	dns_rdata_in_kx_t *kx = source;
 
 	REQUIRE(source != NULL);
+	REQUIRE(kx->common.rdclass == 1);
+	REQUIRE(kx->common.rdtype == 36);
+
+	if (kx->mctx == NULL)
+		return;
 
 	dns_name_free(&kx->exchange, kx->mctx);
 	kx->mctx = NULL;
@@ -240,8 +233,7 @@ additionaldata_in_kx(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 }
 
 static inline isc_result_t
-digest_in_kx(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg)
-{
+digest_in_kx(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
 	isc_region_t r1, r2;
 	dns_name_t name;
 
@@ -258,4 +250,4 @@ digest_in_kx(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg)
 	return (dns_name_digest(&name, digest, arg));
 }
 
-#endif	/* RDATA_GENERIC_KX_15_C */
+#endif	/* RDATA_GENERIC_KX_36_C */
diff --git a/lib/dns/rdata/in_1/kx_36.h b/lib/dns/rdata/in_1/kx_36.h
index a27d368c..8e2306ed 100644
--- a/lib/dns/rdata/in_1/kx_36.h
+++ b/lib/dns/rdata/in_1/kx_36.h
@@ -15,7 +15,10 @@
  * SOFTWARE.
  */
 
-/* $Id: kx_36.h,v 1.11 2000/03/20 22:57:15 gson Exp $ */
+#ifndef IN_1_KX_36_H
+#define IN_1_KX_36_H 1
+
+/* $Id: kx_36.h,v 1.12 2000/04/29 02:01:55 tale Exp $ */
 
 /* RFC 2230 */
 
@@ -25,3 +28,5 @@ typedef struct dns_rdata_in_kx {
 	isc_uint16_t		preference;
 	dns_name_t		exchange;
 } dns_rdata_in_kx_t;
+
+#endif /* IN_1_KX_36_H */
diff --git a/lib/dns/rdata/in_1/naptr_35.c b/lib/dns/rdata/in_1/naptr_35.c
index 2afae79e..a08be99d 100644
--- a/lib/dns/rdata/in_1/naptr_35.c
+++ b/lib/dns/rdata/in_1/naptr_35.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: naptr_35.c,v 1.18 2000/03/20 22:44:36 gson Exp $ */
+/* $Id: naptr_35.c,v 1.29 2000/05/22 12:38:08 marka Exp $ */
 
 /* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
 
@@ -24,6 +24,8 @@
 #ifndef RDATA_IN_1_NAPTR_35_C
 #define RDATA_IN_1_NAPTR_35_C
 
+#define RRTYPE_NAPTR_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_in_naptr(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		  isc_lex_t *lexer, dns_name_t *origin,
@@ -36,31 +38,46 @@ fromtext_in_naptr(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	REQUIRE(type == 35);
 	REQUIRE(rdclass == 1);
 
-	/* order */
+	/*
+	 * Order.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
+	if (token.value.as_ulong > 0xffff)
+		return (ISC_R_RANGE);
 	RETERR(uint16_tobuffer(token.value.as_ulong, target));
 
-	/* preference */
+	/*
+	 * Preference.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
+	if (token.value.as_ulong > 0xffff)
+		return (ISC_R_RANGE);
 	RETERR(uint16_tobuffer(token.value.as_ulong, target));
 
-	/* flags */
+	/*
+	 * Flags.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_qstring, ISC_FALSE));
 	RETERR(txt_fromtext(&token.value.as_textregion, target));
 
-	/* service */
+	/*
+	 * Service.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_qstring, ISC_FALSE));
 	RETERR(txt_fromtext(&token.value.as_textregion, target));
 
-	/* regexp */
+	/*
+	 * Regexp.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_qstring, ISC_FALSE));
 	RETERR(txt_fromtext(&token.value.as_textregion, target));
 
-	/* replacement */
+	/*
+	 * Replacement.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	return (dns_name_fromtext(&name, &buffer, origin, downcase, target));
 }
@@ -84,33 +101,45 @@ totext_in_naptr(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 
 	dns_rdata_toregion(rdata, &region);
 
-	/* order */
+	/*
+	 * Order.
+	 */
 	num = uint16_fromregion(&region);
 	isc_region_consume(&region, 2);
 	sprintf(buf, "%u", num);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 
-	/* preference */
+	/*
+	 * Preference.
+	 */
 	num = uint16_fromregion(&region);
 	isc_region_consume(&region, 2);
 	sprintf(buf, "%u", num);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 
-	/* flags */
+	/*
+	 * Flags.
+	 */
 	RETERR(txt_totext(&region, target));
 	RETERR(str_totext(" ", target));
 
-	/* service */
+	/*
+	 * Service.
+	 */
 	RETERR(txt_totext(&region, target));
 	RETERR(str_totext(" ", target));
 
-	/* regexp */
+	/*
+	 * Regexp.
+	 */
 	RETERR(txt_totext(&region, target));
 	RETERR(str_totext(" ", target));
 
-	/* replacement */
+	/*
+	 * Replacement.
+	 */
 	dns_name_fromregion(&name, &region);
 	sub = name_prefix(&name, tctx->origin, &prefix);
 	return (dns_name_totext(&prefix, sub, target));
@@ -127,30 +156,37 @@ fromwire_in_naptr(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	REQUIRE(type == 35);
 	REQUIRE(rdclass == 1);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
         
         dns_name_init(&name, NULL);
 
-	/* order, preference */
-	isc_buffer_active(source, &sr);
+	/*
+	 * Order, preference.
+	 */
+	isc_buffer_activeregion(source, &sr);
 	if (sr.length < 4)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	RETERR(mem_tobuffer(target, sr.base, 4));
 	isc_buffer_forward(source, 4);
 
-	/* flags */
+	/*
+	 * Flags.
+	 */
 	RETERR(txt_fromwire(source, target));
 
-	/* service */
+	/*
+	 * Service.
+	 */
 	RETERR(txt_fromwire(source, target));
 
-	/* regexp */
+	/*
+	 * Regexp.
+	 */
 	RETERR(txt_fromwire(source, target));
 
-	/* replacement */
+	/*
+	 * Replacement.
+	 */
 	return (dns_name_fromwire(&name, source, dctx, downcase, target));
 }
 
@@ -162,29 +198,35 @@ towire_in_naptr(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
 	REQUIRE(rdata->type == 35);
 	REQUIRE(rdata->rdclass == 1);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-
-	/* order, preference */
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	/*
+	 * Order, preference.
+	 */
 	dns_rdata_toregion(rdata, &sr);
 	RETERR(mem_tobuffer(target, sr.base, 4));
 	isc_region_consume(&sr, 4);
 	
-	/* flags */
+	/*
+	 * Flags.
+	 */
 	RETERR(mem_tobuffer(target, sr.base, sr.base[0] + 1));
 	isc_region_consume(&sr, sr.base[0] + 1);
 
-	/* service */
+	/*
+	 * Service.
+	 */
 	RETERR(mem_tobuffer(target, sr.base, sr.base[0] + 1));
 	isc_region_consume(&sr, sr.base[0] + 1);
 
-	/* regexp */
+	/*
+	 * Regexp.
+	 */
 	RETERR(mem_tobuffer(target, sr.base, sr.base[0] + 1));
 	isc_region_consume(&sr, sr.base[0] + 1);
 
-	/* replacement */
+	/*
+	 * Replacement.
+	 */
 	dns_name_init(&name, NULL);
 	dns_name_fromregion(&name, &sr);
 	return (dns_name_towire(&name, cctx, target));
@@ -206,14 +248,18 @@ compare_in_naptr(dns_rdata_t *rdata1, dns_rdata_t *rdata2) {
 	dns_rdata_toregion(rdata1, &region1);
 	dns_rdata_toregion(rdata2, &region2);
 
-	/* order, preference */
+	/*
+	 * Order, preference.
+	 */
 	order = memcmp(region1.base, region2.base, 4);
 	if (order != 0)
 		return (order < 0 ? -1 : 1);
 	isc_region_consume(&region1, 4);
 	isc_region_consume(&region2, 4);
 
-	/* flags */
+	/*
+	 * Flags.
+	 */
 	len = ISC_MIN(region1.base[0], region2.base[0]);
 	order = memcmp(region1.base, region2.base, len + 1);
 	if (order != 0)
@@ -221,7 +267,9 @@ compare_in_naptr(dns_rdata_t *rdata1, dns_rdata_t *rdata2) {
 	isc_region_consume(&region1, region1.base[0] + 1);
 	isc_region_consume(&region2, region2.base[0] + 1);
 
-	/* service */
+	/*
+	 * Service.
+	 */
 	len = ISC_MIN(region1.base[0], region2.base[0]);
 	order = memcmp(region1.base, region2.base, len + 1);
 	if (order != 0)
@@ -229,7 +277,9 @@ compare_in_naptr(dns_rdata_t *rdata1, dns_rdata_t *rdata2) {
 	isc_region_consume(&region1, region1.base[0] + 1);
 	isc_region_consume(&region2, region2.base[0] + 1);
 
-	/* regexp */
+	/*
+	 * Regexp.
+	 */
 	len = ISC_MIN(region1.base[0], region2.base[0]);
 	order = memcmp(region1.base, region2.base, len + 1);
 	if (order != 0)
@@ -237,7 +287,9 @@ compare_in_naptr(dns_rdata_t *rdata1, dns_rdata_t *rdata2) {
 	isc_region_consume(&region1, region1.base[0] + 1);
 	isc_region_consume(&region2, region2.base[0] + 1);
 
-	/* replacement */
+	/*
+	 * Replacement.
+	 */
 	dns_name_init(&name1, NULL);
 	dns_name_init(&name2, NULL);
 
@@ -251,30 +303,129 @@ static inline isc_result_t
 fromstruct_in_naptr(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		    void *source, isc_buffer_t *target)
 {
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_in_naptr_t *naptr = source;
+	isc_region_t region;
 
 	REQUIRE(type == 35);
 	REQUIRE(rdclass == 1);
-
-	return (DNS_R_NOTIMPLEMENTED);
+	REQUIRE(source != NULL);
+	REQUIRE(naptr->common.rdtype == type);
+	REQUIRE(naptr->common.rdclass == rdclass);
+	REQUIRE((naptr->flags == NULL && naptr->flags_len == 0) ||
+		(naptr->flags != NULL && naptr->flags_len != 0));
+	REQUIRE((naptr->service == NULL && naptr->service_len == 0) ||
+		(naptr->service != NULL && naptr->service_len != 0));
+	REQUIRE((naptr->regexp == NULL && naptr->regexp_len == 0) ||
+		(naptr->regexp != NULL && naptr->regexp_len != 0));
+
+	RETERR(uint16_tobuffer(naptr->order, target));
+	RETERR(uint16_tobuffer(naptr->preference, target));
+	RETERR(uint8_tobuffer(naptr->flags_len, target));
+	RETERR(mem_tobuffer(target, naptr->flags, naptr->flags_len));
+	RETERR(uint8_tobuffer(naptr->service_len, target));
+	RETERR(mem_tobuffer(target, naptr->service, naptr->service_len));
+	RETERR(uint8_tobuffer(naptr->regexp_len, target));
+	RETERR(mem_tobuffer(target, naptr->regexp, naptr->regexp_len));
+	dns_name_toregion(&naptr->replacement, &region);
+	return (isc_buffer_copyregion(target, &region));
 }
 
 static inline isc_result_t
 tostruct_in_naptr(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
-	UNUSED(target);
-	UNUSED(mctx);
+	dns_rdata_in_naptr_t *naptr = target;
+	isc_region_t r;
+	isc_result_t result;
+	dns_name_t name;
 
 	REQUIRE(rdata->type == 35);
 	REQUIRE(rdata->rdclass == 1);
+	REQUIRE(target != NULL);
+
+	naptr->common.rdclass = rdata->rdclass;
+	naptr->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&naptr->common, link);
+
+	naptr->flags = NULL;
+	naptr->service = NULL;
+	naptr->regexp = NULL;
+
+	dns_rdata_toregion(rdata, &r);
+
+	naptr->order = uint16_fromregion(&r);
+	isc_region_consume(&r, 2);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	naptr->preference = uint16_fromregion(&r);
+	isc_region_consume(&r, 2);
+
+	naptr->flags_len = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	if (naptr->flags_len != 0) {
+		INSIST(naptr->flags_len <= r.length);
+		naptr->flags = mem_maybedup(mctx, r.base, naptr->flags_len);
+		if (naptr->flags == NULL)
+			goto cleanup;
+		isc_region_consume(&r, naptr->flags_len);
+	}
+
+	naptr->service_len = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	if (naptr->service_len != 0) {
+		INSIST(naptr->service_len <= r.length);
+		naptr->service = mem_maybedup(mctx, r.base,
+					       naptr->service_len);
+		if (naptr->service == NULL)
+			goto cleanup;
+		isc_region_consume(&r, naptr->service_len);
+	}
+
+	naptr->regexp_len = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	if (naptr->regexp_len != 0) {
+		INSIST(naptr->regexp_len <= r.length);
+		naptr->regexp = mem_maybedup(mctx, r.base, naptr->regexp_len);
+		if (naptr->regexp == NULL)
+			goto cleanup;
+		isc_region_consume(&r, naptr->regexp_len);
+	}
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+	dns_name_init(&naptr->replacement, NULL);
+	result = name_duporclone(&name, mctx, &naptr->replacement);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	naptr->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL && naptr->flags != NULL)
+		isc_mem_free(mctx, naptr->flags);
+	if (mctx != NULL && naptr->service != NULL)
+		isc_mem_free(mctx, naptr->service);
+	if (mctx != NULL && naptr->regexp != NULL)
+		isc_mem_free(mctx, naptr->regexp);
+	return (ISC_R_NOMEMORY);
 }
 
 static inline void
 freestruct_in_naptr(void *source) {
+	dns_rdata_in_naptr_t *naptr = source;
+	
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);
+	REQUIRE(naptr->common.rdclass == 1);
+	REQUIRE(naptr->common.rdtype == 35);
+
+	if (naptr->mctx == NULL)
+		return;
+
+	if (naptr->flags != NULL)
+		isc_mem_free(naptr->mctx, naptr->flags);
+	if (naptr->service != NULL)
+		isc_mem_free(naptr->mctx, naptr->service);
+	if (naptr->regexp != NULL)
+		isc_mem_free(naptr->mctx, naptr->regexp);
+	dns_name_free(&naptr->replacement, naptr->mctx);
+	naptr->mctx = NULL;
 }
 
 static inline isc_result_t
@@ -290,11 +441,15 @@ additionaldata_in_naptr(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 	REQUIRE(rdata->type == 35);
 	REQUIRE(rdata->rdclass == 1);
 
-	/* order, preference */
+	/*
+	 * Order, preference.
+	 */
 	dns_rdata_toregion(rdata, &sr);
 	isc_region_consume(&sr, 4);
 	
-	/* flags */
+	/*
+	 * Flags.
+	 */
 	atype = 0;
 	flagslen = sr.base[0];
 	cp = (char *)&sr.base[1];
@@ -310,20 +465,26 @@ additionaldata_in_naptr(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 	}
 	isc_region_consume(&sr, flagslen + 1);
 
-	/* service */
+	/*
+	 * Service.
+	 */
 	isc_region_consume(&sr, sr.base[0] + 1);
 
-	/* regexp */
+	/*
+	 * Regexp.
+	 */
 	isc_region_consume(&sr, sr.base[0] + 1);
 
-	/* replacement */
+	/*
+	 * Replacement.
+	 */
 	dns_name_init(&name, NULL);
 	dns_name_fromregion(&name, &sr);
 
 	if (atype != 0)
 		return ((add)(arg, &name, atype));
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -340,21 +501,29 @@ digest_in_naptr(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
 	r2 = r1;
 	length = 0;
 
-	/* order, preference */
+	/*
+	 * Order, preference.
+	 */
 	length += 4;
 	isc_region_consume(&r2, 4);
 
-	/* flags */
+	/*
+	 * Flags.
+	 */
 	n = r2.base[0] + 1;
 	length += n;
 	isc_region_consume(&r2, n);
 
-	/* service */
+	/*
+	 * Service.
+	 */
 	n = r2.base[0] + 1;
 	length += n;
 	isc_region_consume(&r2, n);
 
-	/* regexp */
+	/*
+	 * Regexp.
+	 */
 	n = r2.base[0] + 1;
 	length += n;
 	isc_region_consume(&r2, n);
@@ -364,10 +533,12 @@ digest_in_naptr(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
 	 */
 	r1.length = length;
 	result = (digest)(arg, &r1);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	/* replacement */
+	/*
+	 * Replacement.
+	 */
 
 	dns_name_init(&name, NULL);
 	dns_name_fromregion(&name, &r2);
diff --git a/lib/dns/rdata/in_1/naptr_35.h b/lib/dns/rdata/in_1/naptr_35.h
index d604e0ef..bfc7dc6b 100644
--- a/lib/dns/rdata/in_1/naptr_35.h
+++ b/lib/dns/rdata/in_1/naptr_35.h
@@ -15,7 +15,10 @@
  * SOFTWARE.
  */
 
-/* $Id: naptr_35.h,v 1.11 2000/03/20 22:57:15 gson Exp $ */
+#ifndef IN_1_NAPTR_35_H
+#define IN_1_NAPTR_35_H 1
+
+/* $Id: naptr_35.h,v 1.14 2000/05/05 23:20:04 marka Exp $ */
 
 /* RFC 2168 */
 
@@ -25,7 +28,12 @@ typedef struct dns_rdata_in_naptr {
 	isc_uint16_t		order;
 	isc_uint16_t		preference;
 	char			*flags;
+	isc_uint8_t		flags_len;
 	char			*service;
+	isc_uint8_t		service_len;
 	char			*regexp;
+	isc_uint8_t		regexp_len;
 	dns_name_t		replacement;
 } dns_rdata_in_naptr_t;
+
+#endif /* IN_1_NAPTR_35_H */
diff --git a/lib/dns/rdata/in_1/nsap-ptr_23.c b/lib/dns/rdata/in_1/nsap-ptr_23.c
index 410a3725..20d90799 100644
--- a/lib/dns/rdata/in_1/nsap-ptr_23.c
+++ b/lib/dns/rdata/in_1/nsap-ptr_23.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: nsap-ptr_23.c,v 1.14 2000/03/17 18:18:27 gson Exp $ */
+/* $Id: nsap-ptr_23.c,v 1.21 2000/05/22 12:38:09 marka Exp $ */
 
 /* Reviewed: Fri Mar 17 10:16:02 PST 2000 by gson */
 
@@ -24,6 +24,8 @@
 #ifndef RDATA_IN_1_NSAP_PTR_23_C
 #define RDATA_IN_1_NSAP_PTR_23_C
 
+#define RRTYPE_NSAP_PTR_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_in_nsap_ptr(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		     isc_lex_t *lexer, dns_name_t *origin,
@@ -39,8 +41,7 @@ fromtext_in_nsap_ptr(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	return (dns_name_fromtext(&name, &buffer, origin, downcase, target));
 }
@@ -78,10 +79,7 @@ fromwire_in_nsap_ptr(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	REQUIRE(type == 23);
 	REQUIRE(rdclass == 1);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
         
         dns_name_init(&name, NULL);
         return (dns_name_fromwire(&name, source, dctx, downcase, target));
@@ -97,11 +95,7 @@ towire_in_nsap_ptr(dns_rdata_t *rdata, dns_compress_t *cctx,
 	REQUIRE(rdata->type == 23);
 	REQUIRE(rdata->rdclass == 1);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
 	dns_name_init(&name, NULL);
 	dns_rdata_toregion(rdata, &region);
 	dns_name_fromregion(&name, &region);
@@ -137,32 +131,55 @@ static inline isc_result_t
 fromstruct_in_nsap_ptr(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		       void *source, isc_buffer_t *target)
 {
+	dns_rdata_in_nsap_ptr_t *nsap_ptr = source;
+	isc_region_t region;
 
 	REQUIRE(type == 23);
 	REQUIRE(rdclass == 1);
+	REQUIRE(source != NULL);
+	REQUIRE(nsap_ptr->common.rdtype == type);
+	REQUIRE(nsap_ptr->common.rdclass == rdclass);
 
-	UNUSED(source);
-	UNUSED(target);
-
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_toregion(&nsap_ptr->owner, &region);
+	return (isc_buffer_copyregion(target, &region));
 }
 
 static inline isc_result_t
 tostruct_in_nsap_ptr(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
-	
+	isc_region_t region;
+	dns_rdata_in_nsap_ptr_t *nsap_ptr = target;
+	dns_name_t name;
+
 	REQUIRE(rdata->type == 23);
 	REQUIRE(rdata->rdclass == 1);
+	REQUIRE(target != NULL);
 
-	UNUSED(target);
-	UNUSED(mctx);
+	nsap_ptr->common.rdclass = rdata->rdclass;
+	nsap_ptr->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nsap_ptr->common, link);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&nsap_ptr->owner, NULL);
+	RETERR(name_duporclone(&name, mctx, &nsap_ptr->owner));
+	nsap_ptr->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_in_nsap_ptr(void *source) {
+	dns_rdata_in_nsap_ptr_t *nsap_ptr = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);
+	REQUIRE(nsap_ptr->common.rdclass == 1);
+	REQUIRE(nsap_ptr->common.rdtype == 23);
+
+	if (nsap_ptr->mctx == NULL)
+		return;
+
+	dns_name_free(&nsap_ptr->owner, nsap_ptr->mctx);
+	nsap_ptr->mctx = NULL;
 }
 
 static inline isc_result_t
@@ -172,10 +189,11 @@ additionaldata_in_nsap_ptr(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 	REQUIRE(rdata->type == 23);
 	REQUIRE(rdata->rdclass == 1);
 
+	UNUSED(rdata);
 	UNUSED(add);
 	UNUSED(arg);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/in_1/nsap-ptr_23.h b/lib/dns/rdata/in_1/nsap-ptr_23.h
index dc3b529b..66e92ed4 100644
--- a/lib/dns/rdata/in_1/nsap-ptr_23.h
+++ b/lib/dns/rdata/in_1/nsap-ptr_23.h
@@ -15,7 +15,10 @@
  * SOFTWARE.
  */
 
-/* $Id: nsap-ptr_23.h,v 1.10 2000/03/17 18:18:28 gson Exp $ */
+#ifndef IN_1_NSAP_PTR_23_H
+#define IN_1_NSAP_PTR_23_H 1
+
+/* $Id: nsap-ptr_23.h,v 1.11 2000/04/29 02:01:56 tale Exp $ */
 
 /* RFC 1348.  Obsoleted in RFC 1706 - use PTR instead. */
 
@@ -24,3 +27,5 @@ typedef struct dns_rdata_in_nsap_ptr {
 	isc_mem_t		*mctx;
 	dns_name_t		owner;
 } dns_rdata_in_nsap_ptr_t;
+
+#endif /* IN_1_NSAP_PTR_23_H */
diff --git a/lib/dns/rdata/in_1/nsap_22.c b/lib/dns/rdata/in_1/nsap_22.c
index 04af216f..01c5f8bc 100644
--- a/lib/dns/rdata/in_1/nsap_22.c
+++ b/lib/dns/rdata/in_1/nsap_22.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: nsap_22.c,v 1.14 2000/03/20 18:03:53 gson Exp $ */
+/* $Id: nsap_22.c,v 1.21 2000/05/22 12:38:10 marka Exp $ */
 
 /* Reviewed: Fri Mar 17 10:41:07 PST 2000 by gson */
 
@@ -24,7 +24,7 @@
 #ifndef RDATA_IN_1_NSAP_22_C
 #define RDATA_IN_1_NSAP_22_C
 
-#include <string.h>
+#define RRTYPE_NSAP_ATTRIBUTES (0)
 
 static inline isc_result_t
 fromtext_in_nsap(dns_rdataclass_t rdclass, dns_rdatatype_t type,
@@ -46,7 +46,7 @@ fromtext_in_nsap(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	sr = &token.value.as_textregion;
 	if (sr->length < 2)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	if (sr->base[0] != '0' || (sr->base[1] != 'x' && sr->base[1] != 'X'))
 		return (DNS_R_SYNTAX);
 	isc_textregion_consume(sr, 2);
@@ -68,9 +68,9 @@ fromtext_in_nsap(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		isc_textregion_consume(sr, 1);
 	}
 	if (digits) {
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	}
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -92,7 +92,7 @@ totext_in_nsap(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 		isc_region_consume(&region, 1);
 		RETERR(str_totext(buf, target));
 	}
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -108,13 +108,13 @@ fromwire_in_nsap(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	UNUSED(dctx);
 	UNUSED(downcase);
 
-	isc_buffer_active(source, &region);
+	isc_buffer_activeregion(source, &region);
 	if (region.length < 1)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 
 	RETERR(mem_tobuffer(target, region.base, region.length));
 	isc_buffer_forward(source, region.length);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -147,32 +147,59 @@ static inline isc_result_t
 fromstruct_in_nsap(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		   void *source, isc_buffer_t *target)
 {
+	dns_rdata_in_nsap_t *nsap = source;
 
 	REQUIRE(type == 22);
 	REQUIRE(rdclass == 1);
+	REQUIRE(source != NULL);
+	REQUIRE(nsap->common.rdtype == type);
+	REQUIRE(nsap->common.rdclass == rdclass);
+	REQUIRE((nsap->nsap == NULL && nsap->nsap_len == 0) ||
+		(nsap->nsap != NULL && nsap->nsap_len != 0));
 
-	UNUSED(source);
-	UNUSED(target);
-
-	return (DNS_R_NOTIMPLEMENTED);
+	return (mem_tobuffer(target, nsap->nsap, nsap->nsap_len));
 }
 
 static inline isc_result_t
 tostruct_in_nsap(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
+	dns_rdata_in_nsap_t *nsap = target;
+	isc_region_t r;
 
 	REQUIRE(rdata->type == 22);
 	REQUIRE(rdata->rdclass == 1);
+	REQUIRE(target != NULL);
 
-	UNUSED(target);
-	UNUSED(mctx);
+	nsap->common.rdclass = rdata->rdclass;
+	nsap->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nsap->common, link);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_rdata_toregion(rdata, &r);
+	nsap->nsap_len = r.length;
+	if (nsap->nsap_len != 0) {
+		nsap->nsap = mem_maybedup(mctx, r.base, r.length);
+		if (nsap->nsap == NULL)
+			return (ISC_R_NOMEMORY);
+	} else
+		nsap->nsap = NULL;
+
+	nsap->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_in_nsap(void *source) {
+	dns_rdata_in_nsap_t *nsap = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);
+	REQUIRE(nsap->common.rdclass == 1);
+	REQUIRE(nsap->common.rdtype == 22);
+
+	if (nsap->mctx == NULL)
+		return;
+
+	if (nsap->nsap != NULL)
+		isc_mem_free(nsap->mctx, nsap->nsap);
+	nsap->mctx = NULL;
 }
 
 static inline isc_result_t
@@ -182,10 +209,11 @@ additionaldata_in_nsap(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 	REQUIRE(rdata->type == 22);
 	REQUIRE(rdata->rdclass == 1);
 
+	UNUSED(rdata);
 	UNUSED(add);
 	UNUSED(arg);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/in_1/nsap_22.h b/lib/dns/rdata/in_1/nsap_22.h
index 1fb0621e..2d495c8c 100644
--- a/lib/dns/rdata/in_1/nsap_22.h
+++ b/lib/dns/rdata/in_1/nsap_22.h
@@ -15,7 +15,10 @@
  * SOFTWARE.
  */
 
-/* $Id: nsap_22.h,v 1.8 2000/03/17 19:35:25 gson Exp $ */
+#ifndef IN_1_NSAP_22_H
+#define IN_1_NSAP_22_H 1
+
+/* $Id: nsap_22.h,v 1.10 2000/04/29 02:01:57 tale Exp $ */
 
 /* RFC 1706 */
 
@@ -23,5 +26,7 @@ typedef struct dns_rdata_in_nsap {
 	dns_rdatacommon_t	common;
 	isc_mem_t		*mctx;
 	unsigned char		*nsap;
-	isc_uint16_t		length;
+	isc_uint16_t		nsap_len;
 } dns_rdata_in_nsap_t;
+
+#endif /* IN_1_NSAP_22_H */
diff --git a/lib/dns/rdata/in_1/px_26.c b/lib/dns/rdata/in_1/px_26.c
index 374842ba..0cf36ca0 100644
--- a/lib/dns/rdata/in_1/px_26.c
+++ b/lib/dns/rdata/in_1/px_26.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: px_26.c,v 1.15 2000/03/20 19:32:10 gson Exp $ */
+/* $Id: px_26.c,v 1.23 2000/05/15 21:14:34 tale Exp $ */
 
 /* Reviewed: Mon Mar 20 10:44:27 PST 2000 */
 
@@ -24,6 +24,8 @@
 #ifndef RDATA_IN_1_PX_26_C
 #define RDATA_IN_1_PX_26_C
 
+#define RRTYPE_PX_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_in_px(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	       isc_lex_t *lexer, dns_name_t *origin,
@@ -36,23 +38,29 @@ fromtext_in_px(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	REQUIRE(type == 26);
 	REQUIRE(rdclass == 1);
 
-	/* preference */
+	/*
+	 * Preference.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
+	if (token.value.as_ulong > 0xffff)
+		return (ISC_R_RANGE);
 	RETERR(uint16_tobuffer(token.value.as_ulong, target));
 
-	/* MAP822 */
+	/*
+	 * MAP822.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	RETERR(dns_name_fromtext(&name, &buffer, origin, downcase, target));
 
-	/* MAPX400 */
+	/*
+	 * MAPX400.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	return (dns_name_fromtext(&name, &buffer, origin, downcase, target));
 }
@@ -74,7 +82,9 @@ totext_in_px(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	dns_name_init(&name, NULL);
 	dns_name_init(&prefix, NULL);
 
-	/* preference */
+	/*
+	 * Preference.
+	 */
 	dns_rdata_toregion(rdata, &region);
 	num = uint16_fromregion(&region);
 	isc_region_consume(&region, 2);
@@ -82,14 +92,18 @@ totext_in_px(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 
-	/* MAP822 */
+	/*
+	 * MAP822.
+	 */
 	dns_name_fromregion(&name, &region);
 	sub = name_prefix(&name, tctx->origin, &prefix);
 	isc_region_consume(&region, name_length(&name));
 	RETERR(dns_name_totext(&prefix, sub, target));
 	RETERR(str_totext(" ", target));
 
-	/* MAPX400 */
+	/*
+	 * MAPX400.
+	 */
 	dns_name_fromregion(&name, &region);
 	sub = name_prefix(&name, tctx->origin, &prefix);
 	return(dns_name_totext(&prefix, sub, target));
@@ -106,24 +120,27 @@ fromwire_in_px(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	REQUIRE(type == 26);
 	REQUIRE(rdclass == 1);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
         
         dns_name_init(&name, NULL);
 
-	/* preference */
-	isc_buffer_active(source, &sregion);
+	/*
+	 * Preference.
+	 */
+	isc_buffer_activeregion(source, &sregion);
 	if (sregion.length < 2)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	RETERR(mem_tobuffer(target, sregion.base, 2));
 	isc_buffer_forward(source, 2);
 
-	/* MAP822 */
+	/*
+	 * MAP822.
+	 */
 	RETERR(dns_name_fromwire(&name, source, dctx, downcase, target));
 
-	/* MAPX400 */
+	/*
+	 * MAPX400.
+	 */
 	return (dns_name_fromwire(&name, source, dctx, downcase, target));
 }
 
@@ -135,23 +152,25 @@ towire_in_px(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 	REQUIRE(rdata->type == 26);
 	REQUIRE(rdata->rdclass == 1);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-
-	/* preference */
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	/*
+	 * Preference.
+	 */
 	dns_rdata_toregion(rdata, &region);
 	RETERR(mem_tobuffer(target, region.base, 2));
 	isc_region_consume(&region, 2);
 
-	/* MAP822 */
+	/*
+	 * MAP822.
+	 */
 	dns_name_init(&name, NULL);
 	dns_name_fromregion(&name, &region);
 	RETERR(dns_name_towire(&name, cctx, target));
 	isc_region_consume(&region, name_length(&name));
 
-	/* MAPX400 */
+	/*
+	 * MAPX400.
+	 */
 	dns_name_init(&name, NULL);
 	dns_name_fromregion(&name, &region);
 	return (dns_name_towire(&name, cctx, target));
@@ -221,16 +240,14 @@ fromstruct_in_px(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 
 static inline isc_result_t
 tostruct_in_px(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
-	isc_region_t region;
-	isc_region_t nr;
 	dns_rdata_in_px_t *px = target;
 	dns_name_t name;
+	isc_region_t region;
 	isc_result_t result;
 
 	REQUIRE(rdata->type == 26);
 	REQUIRE(rdata->rdclass == 1);
 	REQUIRE(target != NULL);
-	REQUIRE(mctx != NULL);
 
 	px->common.rdclass = rdata->rdclass;
 	px->common.rdtype = rdata->type;
@@ -243,23 +260,22 @@ tostruct_in_px(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
 	isc_region_consume(&region, 2);
 
 	dns_name_fromregion(&name, &region);
-	dns_name_toregion(&name, &nr);
-	isc_region_consume(&region, nr.length);
-	px->mctx = mctx;
+
 	dns_name_init(&px->map822, NULL);
-	result = dns_name_dup(&name, px->mctx, &px->map822);
-	if (result != ISC_R_SUCCESS) {
-		px->mctx = NULL;
-		return (result);
-	}
+	RETERR(name_duporclone(&name, mctx, &px->map822));
+	isc_region_consume(&region, name_length(&px->map822));
 
 	dns_name_init(&px->mapx400, NULL);
-	result = dns_name_dup(&name, px->mctx, &px->map822);
-	if (result != ISC_R_SUCCESS) {
-		dns_name_free(&px->map822, px->mctx);
-		px->mctx = NULL;
-	}
+	result = name_duporclone(&name, mctx, &px->mapx400);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	px->mctx = mctx;
 	return (result);
+
+ cleanup:
+	dns_name_free(&px->map822, mctx);
+	return (ISC_R_NOMEMORY);
 }
 
 static inline void
@@ -267,6 +283,11 @@ freestruct_in_px(void *source) {
 	dns_rdata_in_px_t *px = source;
 
 	REQUIRE(source != NULL);
+	REQUIRE(px->common.rdclass == 1);
+	REQUIRE(px->common.rdtype == 26);
+
+	if (px->mctx == NULL)
+		return;
 
 	dns_name_free(&px->map822, px->mctx);
 	dns_name_free(&px->mapx400, px->mctx);
@@ -280,10 +301,11 @@ additionaldata_in_px(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 	REQUIRE(rdata->type == 26);
 	REQUIRE(rdata->rdclass == 1);
 
+	UNUSED(rdata);
 	UNUSED(add);
 	UNUSED(arg);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -300,12 +322,12 @@ digest_in_px(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
 	isc_region_consume(&r2, 2);
 	r1.length = 2;
 	result = (digest)(arg, &r1);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	dns_name_init(&name, NULL);
 	dns_name_fromregion(&name, &r2);
 	result = dns_name_digest(&name, digest, arg);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	isc_region_consume(&r2, name_length(&name));
 	dns_name_init(&name, NULL);
diff --git a/lib/dns/rdata/in_1/px_26.h b/lib/dns/rdata/in_1/px_26.h
index 173ae77b..c97b7ad7 100644
--- a/lib/dns/rdata/in_1/px_26.h
+++ b/lib/dns/rdata/in_1/px_26.h
@@ -15,7 +15,10 @@
  * SOFTWARE.
  */
 
-/* $Id: px_26.h,v 1.10 2000/03/20 19:32:10 gson Exp $ */
+#ifndef IN_1_PX_26_H
+#define IN_1_PX_26_H 1
+
+/* $Id: px_26.h,v 1.11 2000/04/29 02:01:57 tale Exp $ */
 
 /* RFC 2163 */
 
@@ -26,3 +29,5 @@ typedef struct dns_rdata_in_px {
 	dns_name_t		map822;
 	dns_name_t		mapx400;
 } dns_rdata_in_px_t;
+
+#endif /* IN_1_PX_26_H */
diff --git a/lib/dns/rdata/in_1/srv_33.c b/lib/dns/rdata/in_1/srv_33.c
index 4331e75b..b45d3430 100644
--- a/lib/dns/rdata/in_1/srv_33.c
+++ b/lib/dns/rdata/in_1/srv_33.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: srv_33.c,v 1.16 2000/03/20 22:44:36 gson Exp $ */
+/* $Id: srv_33.c,v 1.25 2000/05/22 12:38:11 marka Exp $ */
 
 /* Reviewed: Fri Mar 17 13:01:00 PST 2000 by bwelling */
 
@@ -24,6 +24,8 @@
 #ifndef RDATA_IN_1_SRV_33_C
 #define RDATA_IN_1_SRV_33_C
 
+#define RRTYPE_SRV_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_in_srv(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		isc_lex_t *lexer, dns_name_t *origin,
@@ -36,23 +38,36 @@ fromtext_in_srv(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	REQUIRE(type == 33);
 	REQUIRE(rdclass == 1);
 
-	/* priority */
+	/*
+	 * Priority.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
+	if (token.value.as_ulong > 0xffff)
+		return (ISC_R_RANGE);
 	RETERR(uint16_tobuffer(token.value.as_ulong, target));
 
-	/* weight */
+	/*
+	 * Weight.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
+	if (token.value.as_ulong > 0xffff)
+		return (ISC_R_RANGE);
 	RETERR(uint16_tobuffer(token.value.as_ulong, target));
 
-	/* port */
+	/*
+	 * Port.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_number, ISC_FALSE));
+	if (token.value.as_ulong > 0xffff)
+		return (ISC_R_RANGE);
 	RETERR(uint16_tobuffer(token.value.as_ulong, target));
 
-	/* target */
+	/*
+	 * Target.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 	dns_name_init(&name, NULL);
-	buffer_fromregion(&buffer, &token.value.as_region,
-			  ISC_BUFFERTYPE_TEXT);
+	buffer_fromregion(&buffer, &token.value.as_region);
 	origin = (origin != NULL) ? origin : dns_rootname;
 	return (dns_name_fromtext(&name, &buffer, origin, downcase, target));
 }
@@ -74,7 +89,9 @@ totext_in_srv(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	dns_name_init(&name, NULL);
 	dns_name_init(&prefix, NULL);
 
-	/* priority */
+	/*
+	 * Priority.
+	 */
 	dns_rdata_toregion(rdata, &region);
 	num = uint16_fromregion(&region);
 	isc_region_consume(&region, 2);
@@ -82,21 +99,27 @@ totext_in_srv(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 
-	/* weight */
+	/*
+	 * Weight.
+	 */
 	num = uint16_fromregion(&region);
 	isc_region_consume(&region, 2);
 	sprintf(buf, "%u", num);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 
-	/* port */
+	/*
+	 * Port.
+	 */
 	num = uint16_fromregion(&region);
 	isc_region_consume(&region, 2);
 	sprintf(buf, "%u", num);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 
-	/* target */
+	/*
+	 * Target.
+	 */
 	dns_name_fromregion(&name, &region);
 	sub = name_prefix(&name, tctx->origin, &prefix);
 	return (dns_name_totext(&prefix, sub, target));
@@ -113,21 +136,22 @@ fromwire_in_srv(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	REQUIRE(type == 33);
 	REQUIRE(rdclass == 1);
 
-	if (dns_decompress_edns(dctx) >= 1 || !dns_decompress_strict(dctx))
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_ALL);
-	else
-		dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
         
         dns_name_init(&name, NULL);
 
-	/* priority, weight, port */
-	isc_buffer_active(source, &sr);
+	/*
+	 * Priority, weight, port.
+	 */
+	isc_buffer_activeregion(source, &sr);
 	if (sr.length < 6)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	RETERR(mem_tobuffer(target, sr.base, 6));
 	isc_buffer_forward(source, 6);
 
-	/* target */
+	/*
+	 * Target.
+	 */
 	return (dns_name_fromwire(&name, source, dctx, downcase, target));
 }
 
@@ -138,17 +162,17 @@ towire_in_srv(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 
 	REQUIRE(rdata->type == 33);
 
-	if (dns_compress_getedns(cctx) >= 1)
-		dns_compress_setmethods(cctx, DNS_COMPRESS_ALL);
-	else
-		dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-
-	/* priority, weight, port */
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	/*
+	 * Priority, weight, port.
+	 */
 	dns_rdata_toregion(rdata, &sr);
 	RETERR(mem_tobuffer(target, sr.base, 6));
 	isc_region_consume(&sr, 6);
 
-	/* target */
+	/*
+	 * Target.
+	 */
 	dns_name_init(&name, NULL);
 	dns_name_fromregion(&name, &sr);
 	return (dns_name_towire(&name, cctx, target));
@@ -167,12 +191,16 @@ compare_in_srv(dns_rdata_t *rdata1, dns_rdata_t *rdata2) {
 	REQUIRE(rdata1->type == 33);
 	REQUIRE(rdata1->rdclass == 1);
 
-	/* priority, weight, port */
+	/*
+	 * Priority, weight, port.
+	 */
 	order = memcmp(rdata1->data, rdata2->data, 6);
 	if (order != 0)
 		return (order < 0 ? -1 : 1);
 
-	/* target */
+	/*
+	 * Target.
+	 */
 	dns_name_init(&name1, NULL);
 	dns_name_init(&name2, NULL);
 
@@ -192,30 +220,64 @@ static inline isc_result_t
 fromstruct_in_srv(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 		  isc_buffer_t *target)
 {
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_in_srv_t *srv = source;
+	isc_region_t region;
 
 	REQUIRE(type == 33);
 	REQUIRE(rdclass == 1);
-
-	return (DNS_R_NOTIMPLEMENTED);
+	REQUIRE(source != NULL);
+	REQUIRE(srv->common.rdtype == type);
+	REQUIRE(srv->common.rdclass == rdclass);
+
+	RETERR(uint16_tobuffer(srv->priority, target));
+	RETERR(uint16_tobuffer(srv->weight, target));
+	RETERR(uint16_tobuffer(srv->port, target));
+	dns_name_toregion(&srv->target, &region);
+	return (isc_buffer_copyregion(target, &region));
 }
 
 static inline isc_result_t
 tostruct_in_srv(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
-	UNUSED(target);
-	UNUSED(mctx);
+	isc_region_t region;
+	dns_rdata_in_srv_t *srv = target;
+	dns_name_t name;
 
-	REQUIRE(rdata->type == 33);
 	REQUIRE(rdata->rdclass == 1);
+	REQUIRE(rdata->type == 33);
+	REQUIRE(target != NULL);
+
+	srv->common.rdclass = rdata->rdclass;
+	srv->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&srv->common, link);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	srv->priority = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	srv->weight = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	srv->port = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&srv->target, NULL);
+	RETERR(name_duporclone(&name, mctx, &srv->target));
+	srv->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
 freestruct_in_srv(void *source) {
+	dns_rdata_in_srv_t *srv = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/*XXX*/
+	REQUIRE(srv->common.rdclass == 1);
+	REQUIRE(srv->common.rdtype == 33);
+
+	if (srv->mctx == NULL)
+		return;
+
+	dns_name_free(&srv->target, srv->mctx);
+	srv->mctx = NULL;
 }
 
 static inline isc_result_t
diff --git a/lib/dns/rdata/in_1/srv_33.h b/lib/dns/rdata/in_1/srv_33.h
index e0857e9b..a5a9ea3d 100644
--- a/lib/dns/rdata/in_1/srv_33.h
+++ b/lib/dns/rdata/in_1/srv_33.h
@@ -15,7 +15,10 @@
  * SOFTWARE.
  */
 
-/* $Id: srv_33.h,v 1.10 2000/03/17 21:03:34 bwelling Exp $ */
+#ifndef IN_1_SRV_33_H
+#define IN_1_SRV_33_H 1
+
+/* $Id: srv_33.h,v 1.11 2000/04/29 02:01:58 tale Exp $ */
 
 /* Reviewed: Fri Mar 17 13:01:00 PST 2000 by bwelling */
 
@@ -30,3 +33,4 @@ typedef struct dns_rdata_in_srv {
 	dns_name_t		target;
 } dns_rdata_in_srv_t;
 
+#endif /* IN_1_SRV_33_H */
diff --git a/lib/dns/rdata/in_1/wks_11.c b/lib/dns/rdata/in_1/wks_11.c
index dc616eb7..815784ad 100644
--- a/lib/dns/rdata/in_1/wks_11.c
+++ b/lib/dns/rdata/in_1/wks_11.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: wks_11.c,v 1.22 2000/03/20 19:29:44 gson Exp $ */
+/* $Id: wks_11.c,v 1.31 2000/05/22 12:38:12 marka Exp $ */
 
 /* Reviewed: Fri Mar 17 15:01:49 PST 2000 by explorer */
 
@@ -24,11 +24,12 @@
 
 #include <limits.h>
 #include <stdlib.h>
-#include <string.h>
 
 #include <isc/net.h>
 #include <isc/netdb.h>
 
+#define RRTYPE_WKS_ATTRIBUTES (0)
+
 static inline isc_result_t
 fromtext_in_wks(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		isc_lex_t *lexer, dns_name_t *origin,
@@ -46,6 +47,8 @@ fromtext_in_wks(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	long maxport = -1;
 	char *ps = NULL;
 	unsigned int n;
+	char service[32];
+	int i;
 
 	UNUSED(origin);
 	UNUSED(downcase);
@@ -53,18 +56,22 @@ fromtext_in_wks(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	REQUIRE(type == 11);
 	REQUIRE(rdclass == 1);
 	
-	/* IPv4 dotted quad */
+	/*
+	 * IPv4 dotted quad.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 
-	isc_buffer_available(target, &region);
+	isc_buffer_availableregion(target, &region);
 	if (inet_aton(token.value.as_pointer, &addr) != 1)
 		return (DNS_R_BADDOTTEDQUAD);
 	if (region.length < 4)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	memcpy(region.base, &addr, 4);
 	isc_buffer_add(target, 4);
 
-	/* protocol */
+	/*
+	 * Protocol.
+	 */
 	RETERR(gettoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
 
 	proto = strtol(token.value.as_pointer, &e, 10);
@@ -73,9 +80,9 @@ fromtext_in_wks(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	else if ((pe = getprotobyname(token.value.as_pointer)) != NULL)
 		proto = pe->p_proto;
 	else
-		return (DNS_R_UNEXPECTED);
+		return (ISC_R_UNEXPECTED);
 	if (proto < 0 || proto > 0xff)
-		return (DNS_R_RANGE);
+		return (ISC_R_RANGE);
 
 	if (proto == IPPROTO_TCP)
 		ps = "tcp";
@@ -90,22 +97,37 @@ fromtext_in_wks(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 				  ISC_TRUE));
 		if (token.type != isc_tokentype_string)
 			break;
+
+		/*
+		 * Lowercase the service string as some getservbyname() are
+		 * case sensitive and the database is usually in lowercase.
+		 */
+		strncpy(service, token.value.as_pointer, sizeof(service));
+		service[sizeof(service)-1] = '\0';
+		for (i = strlen(service) - 1; i >= 0; i--)
+			if (isupper(service[i]&0xff))
+				service[i] = tolower(service[i]);
+
 		port = strtol(token.value.as_pointer, &e, 10);
 		if (*e == 0)
 			;
+		else if ((se = getservbyname(service, ps)) != NULL)
+			port = ntohs(se->s_port);
 		else if ((se = getservbyname(token.value.as_pointer, ps))
 			  != NULL)
 			port = ntohs(se->s_port);
 		else
-			return (DNS_R_UNEXPECTED);
+			return (ISC_R_UNEXPECTED);
 		if (port < 0 || port > 0xffff)
-			return (DNS_R_RANGE);
+			return (ISC_R_RANGE);
 		if (port > maxport)
 			maxport = port;
 		bm[port / 8] |= (0x80 >> (port % 8));
 	} while (1);
 
-	/* Let upper layer handle eol/eof. */
+	/*
+	 * Let upper layer handle eol/eof.
+	 */
 	isc_lex_ungettoken(lexer, &token);
 
 	n = (maxport + 8) / 8;
@@ -128,9 +150,9 @@ totext_in_wks(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	REQUIRE(rdata->rdclass == 1);
 
 	dns_rdata_toregion(rdata, &sr);
-	isc_buffer_available(target, &tr);
+	isc_buffer_availableregion(target, &tr);
 	if (inet_ntop(AF_INET, sr.base, (char *)tr.base, tr.length) == NULL)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	isc_buffer_add(target, strlen((char *)tr.base));
 	isc_region_consume(&sr, 4);
 
@@ -152,7 +174,7 @@ totext_in_wks(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
 	}
 
 	RETERR(str_totext(" )", target));
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -169,26 +191,25 @@ fromwire_in_wks(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	REQUIRE(type == 11);
 	REQUIRE(rdclass == 1);
 
-	isc_buffer_active(source, &sr);
-	isc_buffer_available(target, &tr);
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_availableregion(target, &tr);
 
 	if (sr.length < 5)
-		return (DNS_R_UNEXPECTEDEND);
+		return (ISC_R_UNEXPECTEDEND);
 	if (sr.length > 8 * 1024 + 5)
 		return (DNS_R_EXTRADATA);
 	if (tr.length < sr.length)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 
 	memcpy(tr.base, sr.base, sr.length);
 	isc_buffer_add(target, sr.length);
 	isc_buffer_forward(source, sr.length);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
-towire_in_wks(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
-{
+towire_in_wks(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target) {
 	isc_region_t sr;
 
 	UNUSED(cctx);
@@ -201,8 +222,7 @@ towire_in_wks(dns_rdata_t *rdata, dns_compress_t *cctx, isc_buffer_t *target)
 }
 
 static inline int
-compare_in_wks(dns_rdata_t *rdata1, dns_rdata_t *rdata2)
-{
+compare_in_wks(dns_rdata_t *rdata1, dns_rdata_t *rdata2) {
 	isc_region_t r1;
 	isc_region_t r2;
 
@@ -220,50 +240,83 @@ static inline isc_result_t
 fromstruct_in_wks(dns_rdataclass_t rdclass, dns_rdatatype_t type, void *source,
 		  isc_buffer_t *target)
 {
-	UNUSED(source);
-	UNUSED(target);
+	dns_rdata_in_wks_t *wks = source;
+	isc_uint32_t a;
 
 	REQUIRE(type == 11);
 	REQUIRE(rdclass == 1);
+	REQUIRE(source != NULL);
+	REQUIRE(wks->common.rdtype == type);
+	REQUIRE(wks->common.rdclass == rdclass);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	a = ntohl(wks->in_addr.s_addr);
+	RETERR(uint32_tobuffer(a, target));
+	RETERR(uint16_tobuffer(wks->protocol, target));
+	return (mem_tobuffer(target, wks->map, wks->map_len));
 }
 
 static inline isc_result_t
-tostruct_in_wks(dns_rdata_t *rdata, void *target, isc_mem_t *mctx)
-{
-	UNUSED(target);
-	UNUSED(mctx);
+tostruct_in_wks(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
+	dns_rdata_in_wks_t *wks = target;
+	isc_uint32_t n;
+	isc_region_t region;
 
 	REQUIRE(rdata->type == 11);
 	REQUIRE(rdata->rdclass == 1);
 
-	return (DNS_R_NOTIMPLEMENTED);
+	wks->common.rdclass = rdata->rdclass;
+	wks->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&wks->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+	n = uint32_fromregion(&region);
+	wks->in_addr.s_addr = htonl(n);
+	isc_region_consume(&region, 4);
+	wks->protocol = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	wks->map_len = region.length;
+	if (wks->map_len > 0) {
+		wks->map = mem_maybedup(mctx, region.base, region.length);
+		if (wks->map == NULL)
+			return (ISC_R_NOMEMORY);
+	} else
+		wks->map = NULL;
+	wks->mctx = mctx;
+	return (ISC_R_SUCCESS);
 }
 
 static inline void
-freestruct_in_wks(void *source)
-{
+freestruct_in_wks(void *source) {
+	dns_rdata_in_wks_t *wks = source;
+
 	REQUIRE(source != NULL);
-	REQUIRE(ISC_FALSE);	/*XXX*/
+	REQUIRE(wks->common.rdtype == 11);
+	REQUIRE(wks->common.rdclass == 1);
+
+	if (wks->mctx == NULL)
+		return;
+
+	if (wks->map != NULL)
+		isc_mem_free(wks->mctx, wks->map);
+	wks->mctx = NULL;
 }
 
 static inline isc_result_t
 additionaldata_in_wks(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 		      void *arg)
 {
+	UNUSED(rdata);
 	UNUSED(add);
 	UNUSED(arg);
 
 	REQUIRE(rdata->type == 11);
 	REQUIRE(rdata->rdclass == 1);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
-digest_in_wks(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg)
-{
+digest_in_wks(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
 	isc_region_t r;
 
 	REQUIRE(rdata->type == 11);
diff --git a/lib/dns/rdata/in_1/wks_11.h b/lib/dns/rdata/in_1/wks_11.h
index 86e733dd..d0553a52 100644
--- a/lib/dns/rdata/in_1/wks_11.h
+++ b/lib/dns/rdata/in_1/wks_11.h
@@ -15,7 +15,10 @@
  * SOFTWARE.
  */
 
-/* $Id: wks_11.h,v 1.14 2000/03/20 22:57:15 gson Exp $ */
+#ifndef IN_1_WKS_11_H
+#define IN_1_WKS_11_H 1
+
+/* $Id: wks_11.h,v 1.16 2000/04/29 02:01:59 tale Exp $ */
 
 typedef	struct dns_rdata_in_wks {
 	dns_rdatacommon_t	common;
@@ -23,5 +26,7 @@ typedef	struct dns_rdata_in_wks {
 	struct in_addr		in_addr;
 	isc_uint16_t		protocol;
 	unsigned char		*map;
-	isc_uint16_t		length;
+	isc_uint16_t		map_len;
 } dns_rdata_in_wks_t;
+
+#endif /* IN_1_WKS_11_H */
diff --git a/lib/dns/rdata/rdatastructpre.h b/lib/dns/rdata/rdatastructpre.h
index d711a907..110af4b7 100644
--- a/lib/dns/rdata/rdatastructpre.h
+++ b/lib/dns/rdata/rdatastructpre.h
@@ -21,6 +21,8 @@
 #include <isc/lang.h>
 #include <isc/sockaddr.h>
 
+#include <dns/types.h>
+
 ISC_LANG_BEGINDECLS
 
 typedef struct dns_rdatacommon {
diff --git a/lib/dns/rdatalist.c b/lib/dns/rdatalist.c
index 4065857d..fb04b8f8 100644
--- a/lib/dns/rdatalist.c
+++ b/lib/dns/rdatalist.c
@@ -15,9 +15,11 @@
  * SOFTWARE.
  */
 
+#include <config.h>
+
 #include <stddef.h>
 
-#include <isc/assertions.h>
+#include <isc/util.h>
 
 #include <dns/rdata.h>
 #include <dns/rdatalist.h>
@@ -64,7 +66,7 @@ dns_rdatalist_tordataset(dns_rdatalist_t *rdatalist,
 
 	REQUIRE(rdatalist != NULL);
 	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods == NULL);
+	REQUIRE(! dns_rdataset_isassociated(rdataset));
 
 	rdataset->methods = &methods;
 	rdataset->rdclass = rdatalist->rdclass;
@@ -78,12 +80,12 @@ dns_rdatalist_tordataset(dns_rdatalist_t *rdatalist,
 	rdataset->private4 = NULL;
 	rdataset->private5 = NULL;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static void
 rdatalist_disassociate(dns_rdataset_t *rdataset) {
-	(void)rdataset;				/* Keep compiler quiet. */
+	UNUSED(rdataset);
 }
 
 static isc_result_t
@@ -94,9 +96,9 @@ rdatalist_first(dns_rdataset_t *rdataset) {
 	rdataset->private2 = ISC_LIST_HEAD(rdatalist->rdata);
 
 	if (rdataset->private2 == NULL)
-		return (DNS_R_NOMORE);
+		return (ISC_R_NOMORE);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
@@ -105,14 +107,14 @@ rdatalist_next(dns_rdataset_t *rdataset) {
 
 	rdata = rdataset->private2;
 	if (rdata == NULL)
-		return (DNS_R_NOMORE);
+		return (ISC_R_NOMORE);
 
 	rdataset->private2 = ISC_LIST_NEXT(rdata, link);
 
 	if (rdataset->private2 == NULL)
-		return (DNS_R_NOMORE);
+		return (ISC_R_NOMORE);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 static void
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
index 7e076158..c7ca0cc6 100644
--- a/lib/dns/rdataset.c
+++ b/lib/dns/rdataset.c
@@ -17,16 +17,14 @@
 
 #include <config.h>
 
-#include <stddef.h>
 #include <stdlib.h>
-#include <string.h>
 
-#include <isc/assertions.h>
+#include <isc/buffer.h>
+#include <isc/util.h>
 
+#include <dns/name.h>
 #include <dns/ncache.h>
 #include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatatype.h>
 #include <dns/rdataset.h>
 #include <dns/compress.h>
 
@@ -128,7 +126,7 @@ question_disassociate(dns_rdataset_t *rdataset) {
 static isc_result_t
 question_cursor(dns_rdataset_t *rdataset) {
 	(void)rdataset;
-	return (DNS_R_NOMORE);
+	return (ISC_R_NOMORE);
 }
 
 static void
@@ -287,7 +285,7 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
 		question = ISC_TRUE;
 		count = 1;
 		result = dns_rdataset_first(rdataset);
-		INSIST(result == DNS_R_NOMORE);
+		INSIST(result == ISC_R_NOMORE);
 	} else if (rdataset->type == 0) {
 		/*
 		 * This is a negative caching rdataset.
@@ -296,9 +294,9 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
 	} else {
 		count = (rdataset->methods->count)(rdataset);
 		result = dns_rdataset_first(rdataset);
-		if (result == DNS_R_NOMORE)
-			return (DNS_R_SUCCESS);
-		if (result != DNS_R_SUCCESS)
+		if (result == ISC_R_NOMORE)
+			return (ISC_R_SUCCESS);
+		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
 
@@ -323,7 +321,7 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
 				i++;
 				result = dns_rdataset_next(rdataset);
 			} while (result == ISC_R_SUCCESS);
-			if (result != DNS_R_NOMORE)
+			if (result != ISC_R_NOMORE)
 				return (result);
 			INSIST(i == count);
 			/*
@@ -358,20 +356,17 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
 
 	do {
 		/*
-		 * copy out the name, type, class, ttl.
+		 * Copy out the name, type, class, ttl.
 		 */
-		if (dns_compress_getedns(cctx) >= 1)
-			dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL);
-		else
-			dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+		dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
 		result = dns_name_towire(owner_name, cctx, target);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			goto rollback;
 		headlen = sizeof(dns_rdataclass_t) + sizeof(dns_rdatatype_t);
 		if (!question)
 			headlen += sizeof(dns_ttl_t)
 				+ 2;  /* XXX 2 for rdata len */
-		isc_buffer_available(target, &r);
+		isc_buffer_availableregion(target, &r);
 		if (r.length < headlen) {
 			result = ISC_R_NOSPACE;
 			goto rollback;
@@ -388,14 +383,14 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
 			isc_buffer_add(target, 2);
 
 			/*
-			 * copy out the rdata
+			 * Copy out the rdata
 			 */
 			if (shuffle)
 				rdata = shuffled[i];
 			else
 				dns_rdataset_current(rdataset, &rdata);
 			result = dns_rdata_towire(&rdata, cctx, target);
-			if (result != DNS_R_SUCCESS)
+			if (result != ISC_R_SUCCESS)
 				goto rollback;
 			INSIST((target->used >= rdlen.used + 2) &&
 			       (target->used - rdlen.used - 2 < 65536));
@@ -413,19 +408,19 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
 				i = 0;
 			tcount++;
 			if (tcount == count)
-				result = DNS_R_NOMORE;
+				result = ISC_R_NOMORE;
 			else
 				result = ISC_R_SUCCESS;
 		} else
 			result = dns_rdataset_next(rdataset);
-	} while (result == DNS_R_SUCCESS);
+	} while (result == ISC_R_SUCCESS);
 
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		goto rollback;
 
 	*countp += count;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 
  rollback:
 	INSIST(savedbuffer.used < 65536);
@@ -452,18 +447,18 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
 	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
 
 	result = dns_rdataset_first(rdataset);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 
 	do {
 		dns_rdataset_current(rdataset, &rdata);
 		result = dns_rdata_additionaldata(&rdata, add, arg);
-		if (result == DNS_R_SUCCESS)
+		if (result == ISC_R_SUCCESS)
 			result = dns_rdataset_next(rdataset);
-	} while (result == DNS_R_SUCCESS);
+	} while (result == ISC_R_SUCCESS);
 
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		return (result);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
diff --git a/lib/dns/rdatasetiter.c b/lib/dns/rdatasetiter.c
index 03771d42..b042db3e 100644
--- a/lib/dns/rdatasetiter.c
+++ b/lib/dns/rdatasetiter.c
@@ -19,7 +19,7 @@
 
 #include <stddef.h>
 
-#include <isc/assertions.h>
+#include <isc/util.h>
 
 #include <dns/rdataset.h>
 #include <dns/rdatasetiter.h>
@@ -61,7 +61,7 @@ dns_rdatasetiter_next(dns_rdatasetiter_t *iterator) {
 }
 
 void
-dns_rdatasetiter_current(dns_rdatasetiter_t *iterator, 
+dns_rdatasetiter_current(dns_rdatasetiter_t *iterator,
 			 dns_rdataset_t *rdataset)
 {
 	/*
@@ -70,7 +70,7 @@ dns_rdatasetiter_current(dns_rdatasetiter_t *iterator,
 
 	REQUIRE(DNS_RDATASETITER_VALID(iterator));
 	REQUIRE(DNS_RDATASET_VALID(rdataset));
-	REQUIRE(rdataset->methods == NULL);
+	REQUIRE(! dns_rdataset_isassociated(rdataset));
 
 	iterator->methods->current(iterator, rdataset);
 }
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
index d8f26fd6..ff98d010 100644
--- a/lib/dns/rdataslab.c
+++ b/lib/dns/rdataslab.c
@@ -15,21 +15,17 @@
  * SOFTWARE.
  */
 
-/* $Id: rdataslab.c,v 1.9 2000/02/03 23:43:58 halley Exp $ */
+/* $Id: rdataslab.c,v 1.13 2000/05/08 19:23:14 tale Exp $ */
 
 #include <config.h>
 
-#include <string.h>
-
+#include <isc/mem.h>
 #include <isc/region.h>
-#include <isc/buffer.h>
-#include <isc/assertions.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/util.h>
 
-#include <dns/types.h>
 #include <dns/result.h>
 #include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatatype.h>
 #include <dns/rdataset.h>
 #include <dns/rdataslab.h>
 
@@ -44,7 +40,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 	unsigned int	nitems;
 
 	result = dns_rdataset_first(rdataset);
-	REQUIRE(result == DNS_R_SUCCESS);
+	REQUIRE(result == ISC_R_SUCCESS);
 
 	buflen = reservelen + 2;
 	nitems = 0;
@@ -63,9 +59,9 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 		nitems++;
 
 		result = dns_rdataset_next(rdataset);
-	} while (result == DNS_R_SUCCESS);
+	} while (result == ISC_R_SUCCESS);
 
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		return (result);
 
 	/*
@@ -74,7 +70,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 	 */
 	rawbuf = isc_mem_get(mctx, buflen);
 	if (rawbuf == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
 	region->base = rawbuf;
 	region->length = buflen;
@@ -84,7 +80,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 	*rawbuf++ = (nitems & 0xff00) >> 8;
 	*rawbuf++ = (nitems & 0x00ff);
 	result = dns_rdataset_first(rdataset);
-	REQUIRE(result == DNS_R_SUCCESS);
+	REQUIRE(result == ISC_R_SUCCESS);
 	do {
 		dns_rdataset_current(rdataset, &rdata);
 		*rawbuf++ = (rdata.length & 0xff00) >> 8;
@@ -93,9 +89,9 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 		rawbuf += rdata.length;
 
 		result = dns_rdataset_next(rdataset);
-	} while (result == DNS_R_SUCCESS);
+	} while (result == ISC_R_SUCCESS);
 
-	if (result != DNS_R_NOMORE) {
+	if (result != ISC_R_NOMORE) {
 		isc_mem_put(mctx, region->base, region->length);
 		region->base = NULL;
 		region->length = 0;
@@ -103,7 +99,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 		return (result);
 	}
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 unsigned int
@@ -219,7 +215,7 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 	 */
 	tstart = isc_mem_get(mctx, tlength);
 	if (tstart == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 	memcpy(tstart, nslab, reservelen);
 	tcurrent = tstart + reservelen;
 	
@@ -271,7 +267,7 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 
 	*tslabp = tstart;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -348,7 +344,7 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 	 * Don't continue if the new rdataslab would be empty.
 	 */
 	if (tcount == 0)
-		return (DNS_R_NXRDATASET);
+		return (DNS_R_NXRRSET);
 
 	/*
 	 * If nothing is going to change, we can stop.
@@ -361,7 +357,7 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 	 */
 	tstart = isc_mem_get(mctx, tlength);
 	if (tstart == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 	memcpy(tstart, mslab, reservelen);
 	tcurrent = tstart + reservelen;
 	
@@ -408,5 +404,5 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 
 	*tslabp = tstart;
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
diff --git a/lib/dns/request.c b/lib/dns/request.c
index 885a3c72..c35600cb 100644
--- a/lib/dns/request.c
+++ b/lib/dns/request.c
@@ -17,21 +17,17 @@
 
 #include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/buffer.h>
-#include <isc/event.h>
-#include <isc/net.h>
-#include <isc/mutex.h>
-#include <isc/region.h>
-#include <isc/socket.h>
+#include <isc/mem.h>
 #include <isc/task.h>
 #include <isc/timer.h>
 #include <isc/util.h>
 
 #include <dns/dispatch.h>
 #include <dns/events.h>
+#include <dns/log.h>
 #include <dns/message.h>
 #include <dns/request.h>
+#include <dns/result.h>
 
 #define REQUESTMGR_MAGIC 0x5271754dU		/* RquM */
 #define VALID_REQUESTMGR(mgr) ((mgr) != NULL && \
@@ -41,46 +37,44 @@
 #define VALID_REQUEST(request) ((request) != NULL && \
 				(request)->magic == REQUEST_MAGIC)
 
-#if 0
-#define TRACE(x) printf(x)
-#else
-#define TRACE(x)
-#endif
 typedef ISC_LIST(dns_request_t) dns_requestlist_t;
 
 #define DNS_REQUEST_NLOCKS 7
 
 struct dns_requestmgr {
-	isc_int32_t	magic;
-	isc_mutex_t     lock;
-	isc_mem_t	*mctx;
+	isc_int32_t			magic;
+	isc_mutex_t			lock;
+	isc_mem_t		       *mctx;
 
 	/* locked */
-	isc_int32_t	references;
-	isc_timermgr_t	*timermgr;
-	isc_socketmgr_t	*socketmgr;
-	dns_dispatch_t	*dispatchv4;
-	dns_dispatch_t  *dispatchv6;
-	isc_boolean_t	exiting;
-	isc_eventlist_t whenshutdown;
-	unsigned int	hash;
-	isc_mutex_t	locks[DNS_REQUEST_NLOCKS];
-	dns_requestlist_t requests;
+	isc_int32_t			eref;
+	isc_int32_t			iref;
+	isc_timermgr_t		       *timermgr;
+	isc_socketmgr_t		       *socketmgr;
+	isc_taskmgr_t		       *taskmgr;
+	dns_dispatchmgr_t	       *dispatchmgr;
+	dns_dispatch_t		       *dispatchv4;
+	dns_dispatch_t		       *dispatchv6;
+	isc_boolean_t			exiting;
+	isc_eventlist_t			whenshutdown;
+	unsigned int			hash;
+	isc_mutex_t			locks[DNS_REQUEST_NLOCKS];
+	dns_requestlist_t 		requests;
 };
 
 struct dns_request {
-	isc_int32_t		magic;
-	unsigned int		hash;
-	isc_mem_t		*mctx;
-	isc_int32_t		flags;
-	ISC_LINK(dns_request_t) link;
-	isc_buffer_t		*query;
-	isc_buffer_t		*answer;
-	dns_requestevent_t	*event;
-	dns_dispatch_t		*dispatch;
-	dns_dispentry_t		*dispentry;
-	isc_timer_t		*timer;
-	dns_requestmgr_t	*requestmgr;
+	isc_int32_t			magic;
+	unsigned int			hash;
+	isc_mem_t		       *mctx;
+	isc_int32_t			flags;
+	ISC_LINK(dns_request_t) 	link;
+	isc_buffer_t		       *query;
+	isc_buffer_t		       *answer;
+	dns_requestevent_t	       *event;
+	dns_dispatch_t		       *dispatch;
+	dns_dispentry_t		       *dispentry;
+	isc_timer_t		       *timer;
+	dns_requestmgr_t	       *requestmgr;
 };
 
 #define DNS_REQUEST_F_CONNECTING 0x0001
@@ -99,8 +93,8 @@ static void mgr_shutdown(dns_requestmgr_t *requestmgr);
 static unsigned int mgr_gethash(dns_requestmgr_t *requestmgr);
 static void send_shutdown_events(dns_requestmgr_t *requestmgr);
 
-static isc_result_t render(dns_message_t *message, isc_buffer_t **buffer,
-			   isc_mem_t *mctx);
+static isc_result_t req_render(dns_message_t *message, isc_buffer_t **buffer,
+			       isc_mem_t *mctx);
 static void req_senddone(isc_task_t *task, isc_event_t *event);
 static void req_response(isc_task_t *task, isc_event_t *event);
 static void req_timeout(isc_task_t *task, isc_event_t *event);
@@ -108,6 +102,7 @@ static void req_connected(isc_task_t *task, isc_event_t *event);
 static void req_sendevent(dns_request_t *request, isc_result_t result);
 static void req_cancel(dns_request_t *request);
 static void req_destroy(dns_request_t *request);
+static void req_log(int level, const char *fmt, ...);
 
 /***
  *** Public
@@ -117,6 +112,8 @@ isc_result_t
 dns_requestmgr_create(isc_mem_t *mctx,
 		      isc_timermgr_t *timermgr,
 		      isc_socketmgr_t *socketmgr,
+		      isc_taskmgr_t *taskmgr,
+		      dns_dispatchmgr_t *dispatchmgr,
 		      dns_dispatch_t *dispatchv4,
 		      dns_dispatch_t *dispatchv6,
 		      dns_requestmgr_t **requestmgrp)
@@ -126,9 +123,13 @@ dns_requestmgr_create(isc_mem_t *mctx,
 	isc_result_t result;
 	int i;
 
+	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_create");
+
 	REQUIRE(requestmgrp != NULL && *requestmgrp == NULL);
 	REQUIRE(timermgr != NULL);
 	REQUIRE(socketmgr != NULL);
+	REQUIRE(taskmgr != NULL);
+	REQUIRE(dispatchmgr != NULL);
 	if (dispatchv4 != NULL) {
 		socket = dns_dispatch_getsocket(dispatchv4);
 		REQUIRE(isc_socket_gettype(socket) == isc_sockettype_udp);
@@ -143,36 +144,43 @@ dns_requestmgr_create(isc_mem_t *mctx,
 		return (ISC_R_NOMEMORY);
 
 	result = isc_mutex_init(&requestmgr->lock);
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		isc_mem_put(mctx, requestmgr, sizeof(*requestmgr));
 		return (result);
 	}
 	for (i = 0; i < DNS_REQUEST_NLOCKS; i++) {
 		result = isc_mutex_init(&requestmgr->locks[i]);
-		if (result != DNS_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS) {
 			while (--i >= 0)
 				isc_mutex_destroy(&requestmgr->locks[i]);
 			isc_mutex_destroy(&requestmgr->lock);
+			isc_mem_put(mctx, requestmgr, sizeof(*requestmgr));
 			return (result);
 		}
 	}
 	requestmgr->timermgr = timermgr;
 	requestmgr->socketmgr = socketmgr;
+	requestmgr->taskmgr = taskmgr;
+	requestmgr->dispatchmgr = dispatchmgr;
 	requestmgr->dispatchv4 = NULL;
 	if (dispatchv4 != NULL)
 		dns_dispatch_attach(dispatchv4, &requestmgr->dispatchv4);
 	requestmgr->dispatchv6 = NULL;
 	if (dispatchv6 != NULL)
 		dns_dispatch_attach(dispatchv6, &requestmgr->dispatchv6);
-	requestmgr->mctx = mctx;
-	requestmgr->references = 1;	/* implict attach */
+	requestmgr->mctx = NULL;
+	isc_mem_attach(mctx, &requestmgr->mctx);
+	requestmgr->eref = 1;	/* implict attach */
+	requestmgr->iref = 0;
 	ISC_LIST_INIT(requestmgr->whenshutdown);
 	ISC_LIST_INIT(requestmgr->requests);
 	requestmgr->exiting = ISC_FALSE;
 	requestmgr->hash = 0;
 	requestmgr->magic = REQUESTMGR_MAGIC;
-	*requestmgrp = requestmgr;
 
+	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_create: %p", requestmgr);
+
+	*requestmgrp = requestmgr;
 	return (ISC_R_SUCCESS);
 }
 
@@ -183,6 +191,8 @@ dns_requestmgr_whenshutdown(dns_requestmgr_t *requestmgr, isc_task_t *task,
         isc_task_t *clone;
         isc_event_t *event;
 
+	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_whenshutdown");
+
         REQUIRE(VALID_REQUESTMGR(requestmgr));
         REQUIRE(eventp != NULL);
 
@@ -195,13 +205,13 @@ dns_requestmgr_whenshutdown(dns_requestmgr_t *requestmgr, isc_task_t *task,
                 /*
                  * We're already shutdown.  Send the event.
                  */
-                event->sender = requestmgr;
+                event->ev_sender = requestmgr;
                 isc_task_send(task, &event);
         } else {
                 clone = NULL;
                 isc_task_attach(task, &clone);
-                event->sender = clone;
-                ISC_LIST_APPEND(requestmgr->whenshutdown, event, link);
+                event->ev_sender = clone;
+                ISC_LIST_APPEND(requestmgr->whenshutdown, event, ev_link);
 	}
 	UNLOCK(&requestmgr->lock);
 }
@@ -211,6 +221,8 @@ dns_requestmgr_shutdown(dns_requestmgr_t *requestmgr) {
 
         REQUIRE(VALID_REQUESTMGR(requestmgr));
 
+	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_shutdown: %p", requestmgr);
+
 	LOCK(&requestmgr->lock);
 	mgr_shutdown(requestmgr);
 	UNLOCK(&requestmgr->lock);
@@ -219,6 +231,9 @@ dns_requestmgr_shutdown(dns_requestmgr_t *requestmgr) {
 static void 
 mgr_shutdown(dns_requestmgr_t *requestmgr) {
 	dns_request_t *request;
+
+	req_log(ISC_LOG_DEBUG(3), "mgr_shutdown: %p", requestmgr);
+
 	/*
 	 * Caller holds lock.
 	 */
@@ -229,8 +244,59 @@ mgr_shutdown(dns_requestmgr_t *requestmgr) {
 		     request = ISC_LIST_NEXT(request, link)) {
 			dns_request_cancel(request);
 		}
+		if (requestmgr->iref == 0) {
+			INSIST(ISC_LIST_EMPTY(requestmgr->requests));
+			send_shutdown_events(requestmgr);
+		}
+	}
+}
+
+static void
+requestmgr_attach(dns_requestmgr_t *source, dns_requestmgr_t **targetp) {
+
+	/*
+	 * Locked by caller.
+	 */
+
+        REQUIRE(VALID_REQUESTMGR(source));
+        REQUIRE(targetp != NULL && *targetp == NULL);
+
+	REQUIRE(!source->exiting);
+
+	source->iref++;
+	*targetp = source;
+
+	req_log(ISC_LOG_DEBUG(3), "requestmgr_attach: %p: eref %d iref %d",
+		source, source->eref, source->iref);
+}
+
+static void
+requestmgr_detach(dns_requestmgr_t **requestmgrp) {
+	dns_requestmgr_t *requestmgr;
+	isc_boolean_t need_destroy  =ISC_FALSE;
+
+	REQUIRE(requestmgrp != NULL);
+	requestmgr = *requestmgrp;
+	REQUIRE(VALID_REQUESTMGR(requestmgr));
+
+	*requestmgrp = NULL;
+	LOCK(&requestmgr->lock);
+	INSIST(requestmgr->iref > 0);
+	requestmgr->iref--;
+
+	req_log(ISC_LOG_DEBUG(3), "requestmgr_detach: %p: eref %d iref %d",
+		requestmgr, requestmgr->eref, requestmgr->iref);
+
+	if (requestmgr->iref == 0 && requestmgr->exiting) {
+		INSIST(ISC_LIST_HEAD(requestmgr->requests) == NULL);
 		send_shutdown_events(requestmgr);
+		if (requestmgr->eref == 0)
+			need_destroy = ISC_TRUE;
 	}
+	UNLOCK(&requestmgr->lock);
+
+	if (need_destroy)
+		mgr_destroy(requestmgr);
 }
 
 void
@@ -238,16 +304,15 @@ dns_requestmgr_attach(dns_requestmgr_t *source, dns_requestmgr_t **targetp) {
 
         REQUIRE(VALID_REQUESTMGR(source));
         REQUIRE(targetp != NULL && *targetp == NULL);
-
-	LOCK(&source->lock);
 	REQUIRE(!source->exiting);
 
-	INSIST(source->references > 0);
-	source->references++;
-	INSIST(source->references != 0);
+	LOCK(&source->lock);
+	source->eref++;
+	*targetp = source;
 	UNLOCK(&source->lock);
 
-	*targetp = source;
+	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_attach: %p: eref %d iref %d",
+		source, source->eref, source->iref);
 }
 
 void
@@ -260,12 +325,16 @@ dns_requestmgr_detach(dns_requestmgr_t **requestmgrp) {
 	REQUIRE(VALID_REQUESTMGR(requestmgr));
 
 	LOCK(&requestmgr->lock);
-	INSIST(requestmgr->references > 0);
-	requestmgr->references--;
-	if (requestmgr->references == 0) {
+	INSIST(requestmgr->eref > 0);
+	requestmgr->eref--;
+
+	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_detach: %p: eref %d iref %d",
+		requestmgr, requestmgr->eref, requestmgr->iref);
+
+	if (requestmgr->eref == 0 && requestmgr->iref == 0) {
 		INSIST(requestmgr->exiting &&
 		       ISC_LIST_HEAD(requestmgr->requests) == NULL);
-			need_destroy = ISC_TRUE;
+		need_destroy = ISC_TRUE;
 	}
 	UNLOCK(&requestmgr->lock);
 
@@ -280,16 +349,18 @@ send_shutdown_events(dns_requestmgr_t *requestmgr) {
 	isc_event_t *event, *next_event;
 	isc_task_t *etask;
 
+	req_log(ISC_LOG_DEBUG(3), "send_shutdown_events: %p", requestmgr);
+
 	/*
 	 * Caller must be holding the manager lock.
 	 */
 	for (event = ISC_LIST_HEAD(requestmgr->whenshutdown);
 	     event != NULL;
 	     event = next_event) {
-		next_event = ISC_LIST_NEXT(event, link);
-		ISC_LIST_UNLINK(requestmgr->whenshutdown, event, link);
-		etask = event->sender;
-		event->sender = requestmgr;
+		next_event = ISC_LIST_NEXT(event, ev_link);
+		ISC_LIST_UNLINK(requestmgr->whenshutdown, event, ev_link);
+		etask = event->ev_sender;
+		event->ev_sender = requestmgr;
 		isc_task_sendanddetach(&etask, &event);
 	}
 }
@@ -297,22 +368,29 @@ send_shutdown_events(dns_requestmgr_t *requestmgr) {
 static void
 mgr_destroy(dns_requestmgr_t *requestmgr) {
 	int i;
+	isc_mem_t *mctx;
+
+	req_log(ISC_LOG_DEBUG(3), "mgr_destroy");
 
-	REQUIRE(requestmgr->references == 0);
+	REQUIRE(requestmgr->eref == 0);
+	REQUIRE(requestmgr->iref == 0);
 
 	isc_mutex_destroy(&requestmgr->lock);
 	for (i = 0; i < DNS_REQUEST_NLOCKS; i++)
 		isc_mutex_destroy(&requestmgr->locks[i]);
 	if (requestmgr->dispatchv4 != NULL)
 		dns_dispatch_detach(&requestmgr->dispatchv4);
-	if (requestmgr->dispatchv4 != NULL)
-		dns_dispatch_detach(&requestmgr->dispatchv4);
+	if (requestmgr->dispatchv6 != NULL)
+		dns_dispatch_detach(&requestmgr->dispatchv6);
 	requestmgr->magic = 0;
-	isc_mem_put(requestmgr->mctx, requestmgr, sizeof *requestmgr);
+	mctx = requestmgr->mctx;
+	isc_mem_put(mctx, requestmgr, sizeof *requestmgr);
+	isc_mem_detach(&mctx);
 }
 
 static unsigned int
 mgr_gethash(dns_requestmgr_t *requestmgr) {
+	req_log(ISC_LOG_DEBUG(3), "mgr_gethash");
 	/*
 	 * Locked by caller.
 	 */
@@ -325,8 +403,11 @@ req_send(dns_request_t *request, isc_task_t *task, isc_sockaddr_t *address) {
 	isc_region_t r;
 	isc_socket_t *socket;
 
+	req_log(ISC_LOG_DEBUG(3), "req_send: request %p", request);
+
+	REQUIRE(VALID_REQUEST(request));
 	socket = dns_dispatch_getsocket(request->dispatch);
-	isc_buffer_used(request->query, &r);
+	isc_buffer_usedregion(request->query, &r);
 	return (isc_socket_sendto(socket, &r, task, req_senddone,
 				  request, address, NULL));
 }
@@ -346,6 +427,7 @@ dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
 	isc_interval_t interval;
 	dns_messageid_t	id;
 	isc_time_t expires;
+	unsigned int attrs;
 
 	REQUIRE(VALID_REQUESTMGR(requestmgr));
 	REQUIRE(message != NULL);
@@ -357,6 +439,8 @@ dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
 
 	mctx = requestmgr->mctx;
 
+	req_log(ISC_LOG_DEBUG(3), "dns_request_create");
+
 	request = isc_mem_get(mctx, sizeof(*request));
 	if (request == NULL) {
 		return (ISC_R_NOMEMORY);
@@ -365,7 +449,7 @@ dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
 	 * Zero structure.
 	 */
 	request->magic = 0;
-	request->mctx = mctx;
+	request->mctx = NULL;
 	request->flags = 0;
 	ISC_LINK_INIT(request, link);
 	request->query = NULL;
@@ -376,7 +460,6 @@ dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
 	request->timer = NULL;
 	request->requestmgr = NULL;
 
-	dns_requestmgr_attach(requestmgr, &request->requestmgr);
 	/*
 	 * Create timer now.  We will set it below once.
 	 */
@@ -394,7 +477,7 @@ dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
 		goto cleanup;
 	}
 	isc_task_attach(task, &tclone);
-	request->event->sender = task;
+	request->event->ev_sender = task;
 	request->event->request = request;
 	request->event->result = ISC_R_FAILURE;
 	
@@ -405,9 +488,18 @@ dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
 					   isc_sockettype_tcp, &socket);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
-		result = dns_dispatch_create(mctx, socket, task,
-					     4096, 2, 1, 1, 3, NULL,
-					     &request->dispatch);
+		attrs = 0;
+		attrs |= DNS_DISPATCHATTR_TCP;
+		attrs |= DNS_DISPATCHATTR_PRIVATE;
+		if (isc_sockaddr_pf(address) == AF_INET)
+			attrs |= DNS_DISPATCHATTR_IPV4;
+		else
+			attrs |= DNS_DISPATCHATTR_IPV6;
+		attrs |= DNS_DISPATCHATTR_MAKEQUERY;
+		result = dns_dispatch_createtcp(requestmgr->dispatchmgr,
+						socket, requestmgr->taskmgr,
+						4096, 2, 1, 1, 3, attrs,
+						&request->dispatch);
 		isc_socket_detach(&socket);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
@@ -422,7 +514,7 @@ dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
 					    &request->dispatch);
 			break;
 		default:
-			result = DNS_R_NOTIMPLEMENTED;
+			result = ISC_R_NOTIMPLEMENTED;
 			goto cleanup;
 		}
 	}
@@ -435,15 +527,14 @@ dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
 		goto cleanup;
 
 	message->id = id;
-	result = render(message, &request->query, mctx);
+	result = req_render(message, &request->query, mctx);
 	if (result == DNS_R_USETCP &&
 	    (options & DNS_REQUESTOPT_TCP) == 0) {
 		/*
 		 * Try again using TCP.
 		 */
 		dns_message_renderreset(message);
-		dns_dispatch_removeresponse(request->dispatch,
-					    &request->dispentry, NULL);
+		dns_dispatch_removeresponse(&request->dispentry, NULL);
 		dns_dispatch_detach(&request->dispatch);
 		socket = NULL;
 		isc_buffer_free(&request->query);
@@ -453,43 +544,55 @@ dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
 	if (result != ISC_R_SUCCESS && result != DNS_R_USETCP)
 		goto cleanup;
 	
-	request->magic = REQUEST_MAGIC;
+	isc_mem_attach(mctx, &request->mctx);
 	LOCK(&requestmgr->lock);
+	if (requestmgr->exiting) {
+		UNLOCK(&requestmgr->lock);
+		result = ISC_R_SHUTTINGDOWN;
+		goto cleanup;
+	}
+	requestmgr_attach(requestmgr, &request->requestmgr);
 	request->hash = mgr_gethash(requestmgr);
+	request->magic = REQUEST_MAGIC;
 	ISC_LIST_APPEND(requestmgr->requests, request, link);
 	UNLOCK(&requestmgr->lock);
 
 	isc_interval_set(&interval, timeout, 0);
 	result = isc_time_nowplusinterval(&expires, &interval);
 	if (result != ISC_R_SUCCESS)
-		goto cleanup;
+		goto unlink;
 
 	result = isc_timer_reset(request->timer, isc_timertype_once,
 				 &expires, NULL, ISC_FALSE);
 	if (result != ISC_R_SUCCESS)
-		goto cleanup;
+		goto unlink;
 
 	if ((options & DNS_REQUESTOPT_TCP) != 0) {
 		result = isc_socket_connect(socket, address, task,
 					    req_connected, request);
 		if (result != ISC_R_SUCCESS)
-			goto cleanup;
+			goto unlink;
 		request->flags |= DNS_REQUEST_F_CONNECTING;
 	} else {
 		result = req_send(request, task, address);
 		if (result != ISC_R_SUCCESS)
-			goto cleanup;
+			goto unlink;
 	}
 
+	req_log(ISC_LOG_DEBUG(3), "dns_request_create: request %p", request);
 	*requestp = request;
 	return (ISC_R_SUCCESS);
 
+ unlink:
+	LOCK(&requestmgr->lock);
+	ISC_LIST_UNLINK(requestmgr->requests, request, link);
+	UNLOCK(&requestmgr->lock);
+
  cleanup:
 	if (request->requestmgr != NULL)
-		dns_requestmgr_detach(&request->requestmgr);
+		requestmgr_detach(&request->requestmgr);
 	if (request->dispentry != NULL)
-		dns_dispatch_removeresponse(request->dispatch,
-					    &request->dispentry, NULL);
+		dns_dispatch_removeresponse(&request->dispentry, NULL);
 	if (request->dispatch != NULL)
 		dns_dispatch_detach(&request->dispatch);
 	if (request->event != NULL)
@@ -500,13 +603,16 @@ dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
 		isc_timer_detach(&request->timer);
 	if (tclone != NULL)
 		isc_task_detach(&tclone);
-	request->magic = 0;
+	if (request->mctx != NULL)
+		isc_mem_detach(&request->mctx);
 	isc_mem_put(mctx, request, sizeof *request);
+	req_log(ISC_LOG_DEBUG(3), "dns_request_create: failed %s", 
+		dns_result_totext(result));
 	return (result);
 }
 
 static isc_result_t
-render(dns_message_t *message, isc_buffer_t **bufferp, isc_mem_t *mctx) {
+req_render(dns_message_t *message, isc_buffer_t **bufferp, isc_mem_t *mctx) {
 	isc_buffer_t *buf1 = NULL;
 	isc_buffer_t *buf2 = NULL;
 	isc_result_t result;
@@ -514,13 +620,12 @@ render(dns_message_t *message, isc_buffer_t **bufferp, isc_mem_t *mctx) {
 
 	REQUIRE(bufferp != NULL && *bufferp == NULL);
 
-	TRACE("render\n");
+	req_log(ISC_LOG_DEBUG(3), "request_render");
 
 	/*
 	 * Create buffer able to hold largest possible message.
 	 */
-	result = isc_buffer_allocate(mctx, &buf1, 65535,
-				     ISC_BUFFERTYPE_BINARY);
+	result = isc_buffer_allocate(mctx, &buf1, 65535);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
@@ -528,31 +633,30 @@ render(dns_message_t *message, isc_buffer_t **bufferp, isc_mem_t *mctx) {
 	 * Render message.
 	 */
 	result = dns_message_renderbegin(message, buf1);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 	result = dns_message_rendersection(message, DNS_SECTION_QUESTION, 0);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 	result = dns_message_rendersection(message, DNS_SECTION_ANSWER, 0);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 	result = dns_message_rendersection(message, DNS_SECTION_AUTHORITY, 0);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 	result = dns_message_rendersection(message, DNS_SECTION_ADDITIONAL, 0);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 	result = dns_message_renderend(message);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
 	/*
 	 * Copy rendered message to exact sized buffer.
 	 */
-	isc_buffer_used(buf1, &r);
+	isc_buffer_usedregion(buf1, &r);
 	result = isc_buffer_allocate(mctx, &buf2, r.length +
-				     ((r.length > 512) ? 2 : 0),
-				     ISC_BUFFERTYPE_BINARY);
+				     ((r.length > 512) ? 2 : 0));
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 	if (r.length > 512) {
@@ -582,6 +686,10 @@ isc_result_t
 dns_request_cancel(dns_request_t *request) {
 	REQUIRE(VALID_REQUEST(request));
 
+	req_log(ISC_LOG_DEBUG(3), "dns_request_cancel: request %p", request);
+
+	REQUIRE(VALID_REQUEST(request));
+
 	LOCK(&request->requestmgr->locks[request->hash]);
 	if (!DNS_REQUEST_CANCELED(request)) {
 		req_cancel(request);
@@ -592,11 +700,16 @@ dns_request_cancel(dns_request_t *request) {
 }
 
 isc_result_t
-dns_request_getresponse(dns_request_t *request, dns_message_t *message) {
+dns_request_getresponse(dns_request_t *request, dns_message_t *message,
+			isc_boolean_t preserve_order)
+{
 	REQUIRE(VALID_REQUEST(request));
 	REQUIRE(request->answer != NULL);
 
-	return (dns_message_parse(message, request->answer, ISC_TRUE));
+	req_log(ISC_LOG_DEBUG(3), "dns_request_getresponse: request %p",
+		request);
+
+	return (dns_message_parse(message, request->answer, preserve_order));
 }
 
 void
@@ -605,7 +718,11 @@ dns_request_destroy(dns_request_t **requestp) {
 	isc_boolean_t need_destroy = ISC_FALSE;
 	
 	REQUIRE(requestp != NULL && VALID_REQUEST(*requestp));
+
 	request = *requestp;
+
+	req_log(ISC_LOG_DEBUG(3), "dns_request_destroy: request %p", request);
+
 	LOCK(&request->requestmgr->locks[request->hash]);
 	LOCK(&request->requestmgr->lock);
 	ISC_LIST_UNLINK(request->requestmgr->requests, request, link);
@@ -628,12 +745,13 @@ static void
 req_connected(isc_task_t *task, isc_event_t *event) {
 	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
 	isc_result_t result;
-	dns_request_t *request = event->arg;
+	dns_request_t *request = event->ev_arg;
 
-	REQUIRE(event->type == ISC_SOCKEVENT_SENDDONE);
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
+	REQUIRE(VALID_REQUEST(request));
 	REQUIRE(DNS_REQUEST_CONNECTING(request));
 
-	TRACE("req_connected\n");
+	req_log(ISC_LOG_DEBUG(3), "req_connected: request %p", request);
 
 	request->flags &= ~DNS_REQUEST_F_CONNECTING;
 
@@ -653,11 +771,13 @@ req_connected(isc_task_t *task, isc_event_t *event) {
 static void
 req_senddone(isc_task_t *task, isc_event_t *event) {
 	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
-	dns_request_t *request = event->arg;
+	dns_request_t *request = event->ev_arg;
+
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
+	REQUIRE(VALID_REQUEST(request));
 
-	REQUIRE(event->type == ISC_SOCKEVENT_SENDDONE);
+	req_log(ISC_LOG_DEBUG(3), "req_senddone: request %p", request);
 
-	TRACE("req_senddone\n");
 	(void)task;
 
 	if (sevent->result != ISC_R_SUCCESS)
@@ -669,16 +789,17 @@ req_senddone(isc_task_t *task, isc_event_t *event) {
 static void
 req_response(isc_task_t *task, isc_event_t *event) {
 	isc_result_t result;
-	dns_request_t *request = event->arg;
+	dns_request_t *request = event->ev_arg;
 	dns_dispatchevent_t *devent = (dns_dispatchevent_t *)event;
 	isc_region_t r;
 
 	REQUIRE(VALID_REQUEST(request));
-	REQUIRE(event->type == DNS_EVENT_DISPATCH);
+	REQUIRE(event->ev_type == DNS_EVENT_DISPATCH);
 
 	UNUSED(task);
 	
-	TRACE("req_response\n");
+	req_log(ISC_LOG_DEBUG(3), "req_response: request %p: %s", request,
+		dns_result_totext(devent->result));
 
 	LOCK(&request->requestmgr->locks[request->hash]);
 	result = devent->result;
@@ -688,9 +809,9 @@ req_response(isc_task_t *task, isc_event_t *event) {
 	/*
 	 * Copy buffer to request.
 	 */
-	isc_buffer_used(&devent->buffer, &r);
-	result = isc_buffer_allocate(request->mctx, &request->answer, r.length,
-				     ISC_BUFFERTYPE_BINARY);
+	isc_buffer_usedregion(&devent->buffer, &r);
+	result = isc_buffer_allocate(request->mctx, &request->answer,
+				     r.length);
 	if (result != ISC_R_SUCCESS)
 		goto done;
 	result = isc_buffer_copyregion(request->answer, &r);
@@ -700,8 +821,7 @@ req_response(isc_task_t *task, isc_event_t *event) {
 	/*
 	 * Cleanup.
 	 */
-	dns_dispatch_removeresponse(request->dispatch, &request->dispentry,
-				    &devent);
+	dns_dispatch_removeresponse(&request->dispentry, &devent);
 	req_cancel(request);
 	/*
 	 * Send completion event.
@@ -712,9 +832,12 @@ req_response(isc_task_t *task, isc_event_t *event) {
 
 static void
 req_timeout(isc_task_t *task, isc_event_t *event) {
-	dns_request_t *request = event->arg;
+	dns_request_t *request = event->ev_arg;
 	
-	TRACE("req_timeout\n");
+	REQUIRE(VALID_REQUEST(request));
+
+	req_log(ISC_LOG_DEBUG(3), "req_timeout: request %p", request);
+
 	UNUSED(task);
 	LOCK(&request->requestmgr->locks[request->hash]);
 	req_cancel(request);
@@ -727,17 +850,26 @@ static void
 req_sendevent(dns_request_t *request, isc_result_t result) {
 	isc_task_t *task;
 
+	REQUIRE(VALID_REQUEST(request));
+
+	req_log(ISC_LOG_DEBUG(3), "req_sendevent: request %p", request);
+
 	/*
 	 * Lock held by caller.
 	 */
-	task = request->event->sender;
-	request->event->sender = request;
+	task = request->event->ev_sender;
+	request->event->ev_sender = request;
 	request->event->result = result;
 	isc_task_sendanddetach(&task, (isc_event_t **)&request->event);
 }
 
 static void
 req_destroy(dns_request_t *request) {
+	isc_mem_t *mctx;
+
+	REQUIRE(VALID_REQUEST(request));
+
+	req_log(ISC_LOG_DEBUG(3), "req_destroy: request %p", request);
 
 	request->magic = 0;
 	if (request->query != NULL)
@@ -747,33 +879,47 @@ req_destroy(dns_request_t *request) {
 	if (request->event != NULL)
 		isc_event_free((isc_event_t **)&request->event);
 	if (request->dispentry != NULL)
-		dns_dispatch_removeresponse(request->dispatch,
-					    &request->dispentry, NULL);
+		dns_dispatch_removeresponse(&request->dispentry, NULL);
 	if (request->dispatch != NULL)
 		dns_dispatch_detach(&request->dispatch);
 	if (request->timer != NULL)
 		isc_timer_detach(&request->timer);
-	dns_requestmgr_detach(&request->requestmgr);
-	isc_mem_put(request->mctx, request, sizeof(*request));
+	requestmgr_detach(&request->requestmgr);
+	mctx = request->mctx;
+	isc_mem_put(mctx, request, sizeof(*request));
+	isc_mem_detach(&mctx);
 }
 
 static void
 req_cancel(dns_request_t *request) {
 	isc_socket_t *socket;
 
+	REQUIRE(VALID_REQUEST(request));
+
+	req_log(ISC_LOG_DEBUG(3), "req_cancel: request %p", request);
+
 	/*
-	 * Lock help by caller.
+	 * Lock held by caller.
 	 */
 	request->flags |= DNS_REQUEST_F_CANCELED;
 
 	if (request->timer != NULL)
 		isc_timer_detach(&request->timer);
 	if (request->dispentry != NULL)
-		dns_dispatch_removeresponse(request->dispatch,
-					    &request->dispentry, NULL);
-	dns_dispatch_detach(&request->dispatch);
+		dns_dispatch_removeresponse(&request->dispentry, NULL);
 	if (DNS_REQUEST_CONNECTING(request)) {
 		socket = dns_dispatch_getsocket(request->dispatch);
 		isc_socket_cancel(socket, NULL, ISC_SOCKCANCEL_CONNECT);
 	}
+	dns_dispatch_detach(&request->dispatch);
+}
+
+static void
+req_log(int level, const char *fmt, ...) {
+	va_list ap;
+
+	va_start(ap, fmt);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+		       DNS_LOGMODULE_REQUEST, level, fmt, ap);
+	va_end(ap);
 }
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index a8a4abea..340c48ad 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -17,39 +17,27 @@
 
 #include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/boolean.h>
-#include <isc/error.h>
-#include <isc/result.h>
-#include <isc/types.h>
-#include <isc/timer.h>
-#include <isc/mutex.h>
-#include <isc/event.h>
 #include <isc/task.h>
-#include <isc/stdtime.h>
+#include <isc/timer.h>
 #include <isc/util.h>
-#include <isc/netaddr.h>
 
-#include <dns/types.h>
 #include <dns/adb.h>
-#include <dns/result.h>
-#include <dns/name.h>
 #include <dns/db.h>
+#include <dns/dispatch.h>
 #include <dns/events.h>
 #include <dns/keytable.h>
+#include <dns/log.h>
 #include <dns/message.h>
 #include <dns/ncache.h>
-#include <dns/dispatch.h>
-#include <dns/resolver.h>
 #include <dns/rdata.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
 #include <dns/rdatatype.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
 #include <dns/tsig.h>
-#include <dns/view.h>
-#include <dns/log.h>
+#include <dns/validator.h>
 
-#include <dst/dst.h>
 #include <dns/peer.h>
 
 #define DNS_RESOLVER_TRACE
@@ -100,8 +88,10 @@ typedef struct query {
 	/* Locked by task event serialization. */
 	unsigned int			magic;
 	fetchctx_t *			fctx;
+	dns_dispatchmgr_t *		dispatchmgr;
 	dns_dispatch_t *		dispatch;
 	dns_adbaddrinfo_t *		addrinfo;
+	isc_socket_t *			tcpsocket;
 	isc_time_t			start;
 	dns_messageid_t			id;
 	dns_dispentry_t *		dispentry;
@@ -162,6 +152,7 @@ struct fetchctx {
 	dns_adbaddrinfolist_t		forwaddrs;
 	isc_sockaddrlist_t		forwarders;
 	isc_sockaddrlist_t		bad;
+	dns_validator_t *		validator;	
 	/*
 	 * # of events we're waiting for.
 	 */
@@ -218,13 +209,13 @@ struct dns_resolver {
 	dns_rdataclass_t		rdclass;
 	isc_socketmgr_t *		socketmgr;
 	isc_timermgr_t *		timermgr;
+	isc_taskmgr_t *			taskmgr;
 	dns_view_t *			view;
 	isc_boolean_t			frozen;
 	isc_sockaddrlist_t		forwarders;
 	dns_fwdpolicy_t			fwdpolicy;
 	unsigned int			options;
-	isc_socket_t *			udpsocketv4;
-	isc_socket_t *			udpsocketv6;
+	dns_dispatchmgr_t *		dispatchmgr;
 	dns_dispatch_t *		dispatchv4;
 	dns_dispatch_t *		dispatchv6;
 	unsigned int			nbuckets;
@@ -260,15 +251,25 @@ static void resquery_response(isc_task_t *task, isc_event_t *event);
 static void resquery_connected(isc_task_t *task, isc_event_t *event);
 static void fctx_try(fetchctx_t *fctx);
 static isc_boolean_t fctx_destroy(fetchctx_t *fctx);
+static isc_result_t ncache_adderesult(dns_message_t *message,
+				      dns_db_t *cache, dns_dbnode_t *node,
+				      dns_rdatatype_t covers,
+				      isc_stdtime_t now,
+				      dns_rdataset_t *ardataset,
+				      isc_result_t *eresultp);
 
 static inline isc_result_t
 fctx_starttimer(fetchctx_t *fctx) {
 	/*
 	 * Start the lifetime timer for fctx.
+	 *
+	 * This is also used for stopping the idle timer; in that
+	 * case we must purge events already posted to ensure that
+	 * no further idle events are delivered.
 	 */
 	return (isc_timer_reset(fctx->timer, isc_timertype_once,
 				&fctx->expires, NULL,
-				ISC_FALSE));
+				ISC_TRUE));
 }
 
 static inline void
@@ -317,6 +318,8 @@ resquery_destroy(resquery_t **queryp) {
 	query = *queryp;
 	REQUIRE(!ISC_LINK_LINKED(query, link));
 
+	INSIST(query->tcpsocket == NULL);
+	
 	query->magic = 0;
 	isc_mem_put(query->fctx->res->mctx, query, sizeof *query);
 	*queryp = NULL;
@@ -330,7 +333,6 @@ fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
 	resquery_t *query;
 	unsigned int rtt;
 	unsigned int factor;
-	isc_socket_t *socket;
 
 	query = *queryp;
 	fctx = query->fctx;
@@ -374,8 +376,7 @@ fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
 	}
 
 	if (query->dispentry != NULL)
-		dns_dispatch_removeresponse(query->dispatch, &query->dispentry,
-					    deventp);
+		dns_dispatch_removeresponse(&query->dispentry, deventp);
 	ISC_LIST_UNLINK(fctx->queries, query, link);
 	if (query->tsig != NULL) {
 		dns_rdata_freestruct(query->tsig);
@@ -386,10 +387,13 @@ fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
 		/*
 		 * Cancel the connect.
 		 */
-		socket = dns_dispatch_getsocket(query->dispatch);
-		isc_socket_cancel(socket, NULL, ISC_SOCKCANCEL_CONNECT);
+		isc_socket_cancel(query->tcpsocket, NULL,
+				  ISC_SOCKCANCEL_CONNECT);
 	}
-	dns_dispatch_detach(&query->dispatch);
+
+	if (query->dispatch != NULL)
+		dns_dispatch_detach(&query->dispatch);
+	
 	if (!RESQUERY_CONNECTING(query)) {
 		/*
 		 * It's safe to destroy the query now.
@@ -467,9 +471,9 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result) {
 	for (event = ISC_LIST_HEAD(fctx->events);
 	     event != NULL;
 	     event = next_event) {
-		next_event = ISC_LIST_NEXT(event, link);
-		task = event->sender;
-		event->sender = fctx;
+		next_event = ISC_LIST_NEXT(event, ev_link);
+		task = event->ev_sender;
+		event->ev_sender = fctx;
 		if (!HAVE_ANSWER(fctx))
 			event->result = result;
 		isc_task_sendanddetach(&task, (isc_event_t **)&event);
@@ -503,9 +507,9 @@ fctx_done(fetchctx_t *fctx, isc_result_t result) {
 static void
 resquery_senddone(isc_task_t *task, isc_event_t *event) {
 	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
-	resquery_t *query = event->arg;
+	resquery_t *query = event->ev_arg;
 
-	REQUIRE(event->type == ISC_SOCKEVENT_SENDDONE);
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
 
 	QTRACE("senddone");
 
@@ -517,7 +521,7 @@ resquery_senddone(isc_task_t *task, isc_event_t *event) {
 	 * up doing extra work!
 	 */
 
-	(void)task;
+	UNUSED(task);
 
 	if (sevent->result != ISC_R_SUCCESS)
 		fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
@@ -564,6 +568,8 @@ fctx_addopt(dns_message_t *message) {
 	 */
 	rdata->data = NULL;
 	rdata->length = 0;
+	rdata->rdclass = rdatalist->rdclass;
+	rdata->type = rdatalist->type;
 
 	ISC_LIST_INIT(rdatalist->rdata);
 	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
@@ -613,7 +619,6 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 	isc_task_t *task;
 	isc_result_t result;
 	resquery_t *query;
-	isc_socket_t *socket;
 
 	FCTXTRACE("query");
 
@@ -625,11 +630,12 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
+	INSIST(fctx->validator == NULL); /* Validator needs rmessage. */
 	dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE);
 
 	query = isc_mem_get(res->mctx, sizeof *query);
 	if (query == NULL) {
-		result = ISC_R_NOMEMORY; 
+		result = ISC_R_NOMEMORY;
 		goto stop_idle_timer;
 	}
 	query->options = options;
@@ -648,25 +654,38 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 	 * a dispatch for it here.  Otherwise we use the resolver's
 	 * shared dispatch.
 	 */
+	query->dispatchmgr = res->dispatchmgr;
 	query->dispatch = NULL;
+	query->tcpsocket = NULL;
 	if ((query->options & DNS_FETCHOPT_TCP) != 0) {
-		socket = NULL;
+		isc_sockaddr_t any;
+
 		result = isc_socket_create(res->socketmgr,
 					   isc_sockaddr_pf(addrinfo->sockaddr),
 					   isc_sockettype_tcp,
-					   &socket);
+					   &query->tcpsocket);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup_query;
-		result = dns_dispatch_create(res->mctx, socket, task,
-					     4096, 2, 1, 1, 3, NULL,
-					     &query->dispatch);
+
+		switch (isc_sockaddr_pf(addrinfo->sockaddr)) {
+		case AF_INET:
+			isc_sockaddr_any(&any);
+			break;
+		case AF_INET6:
+			isc_sockaddr_any6(&any);
+			break;
+		default:
+			INSIST(0);
+		}
+		result = isc_socket_bind(query->tcpsocket, &any);
+		if (result != ISC_R_SUCCESS) {
+			isc_socket_detach(&query->tcpsocket);
+			goto cleanup_query;
+		}
+		
 		/*
-		 * Regardless of whether dns_dispatch_create() succeeded or
-		 * not, we don't need our reference to the socket anymore.
+		 * A dispatch will be created once the connect succeeds.
 		 */
-		isc_socket_detach(&socket);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_dispatch;
 	} else {
 		switch (isc_sockaddr_pf(addrinfo->sockaddr)) {
 		case PF_INET:
@@ -676,8 +695,8 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 			dns_dispatch_attach(res->dispatchv6, &query->dispatch);
 			break;
 		default:
-			result = DNS_R_NOTIMPLEMENTED;
-			goto cleanup_dispatch;
+			result = ISC_R_NOTIMPLEMENTED;
+			goto cleanup_query;
 		}
 		/*
 		 * We should always have a valid dispatcher here.  If we
@@ -701,11 +720,10 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 		 *
 		 * XXXRTH  Should we attach to the socket?
 		 */
-		socket = dns_dispatch_getsocket(query->dispatch);
-		result = isc_socket_connect(socket, addrinfo->sockaddr,
+		result = isc_socket_connect(query->tcpsocket, addrinfo->sockaddr,
 					    task, resquery_connected, query);
 		if (result != ISC_R_SUCCESS)
-			goto cleanup_dispatch;
+			goto cleanup_query;
 		query->attributes |= RESQUERY_ATTR_CONNECTING;
 		QTRACE("connecting via TCP");
 	} else {
@@ -735,7 +753,7 @@ static isc_result_t
 resquery_send(resquery_t *query) {
 	fetchctx_t *fctx;
 	isc_result_t result;
-	dns_rdataset_t *qrdataset, *trdataset;
+	dns_rdataset_t *qrdataset;
 	dns_name_t *qname;
 	isc_region_t r;
 	dns_resolver_t *res;
@@ -759,15 +777,13 @@ resquery_send(resquery_t *query) {
 		/*
 		 * Reserve space for the TCP message length.
 		 */
-		isc_buffer_init(&tcpbuffer, query->data,
-				sizeof query->data, ISC_BUFFERTYPE_BINARY);
+		isc_buffer_init(&tcpbuffer, query->data, sizeof(query->data));
 		isc_buffer_init(&query->buffer, query->data + 2,
-				sizeof query->data - 2,
-				ISC_BUFFERTYPE_BINARY);
+				sizeof(query->data) - 2);
 		buffer = &tcpbuffer;
 	} else {
 		isc_buffer_init(&query->buffer, query->data,
-				sizeof query->data, ISC_BUFFERTYPE_BINARY);
+				sizeof(query->data));
 		buffer = &query->buffer;
 	}
 
@@ -838,7 +854,6 @@ resquery_send(resquery_t *query) {
 	 */
 	if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
 		if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0) {
-			trdataset = NULL;
 			result = fctx_addopt(fctx->qmessage);
 			if (result != ISC_R_SUCCESS) {
 				/*
@@ -915,7 +930,7 @@ resquery_send(resquery_t *query) {
 	 * of the buffer.
 	 */
 	if ((query->options & DNS_FETCHOPT_TCP) != 0) {
-		isc_buffer_used(&query->buffer, &r);
+		isc_buffer_usedregion(&query->buffer, &r);
 		isc_buffer_putuint16(&tcpbuffer, (isc_uint16_t)r.length);
 		isc_buffer_add(&tcpbuffer, r.length);
 	}
@@ -931,7 +946,11 @@ resquery_send(resquery_t *query) {
 	 */
 	if ((query->options & DNS_FETCHOPT_TCP) == 0)
 		address = query->addrinfo->sockaddr;
-	isc_buffer_used(buffer, &r);
+	isc_buffer_usedregion(buffer, &r);
+	/*
+	 * XXXRTH  Make sure we don't send to ourselves!  We should probably
+	 *         prune out these addresses when we get them from the ADB.
+	 */
 	result = isc_socket_sendto(socket, &r, task, resquery_senddone,
 				   query, address, NULL);
 	if (result != ISC_R_SUCCESS)
@@ -946,9 +965,7 @@ resquery_send(resquery_t *query) {
 	/*
 	 * Stop the dispatcher from listening.
 	 */
-	dns_dispatch_removeresponse(query->dispatch,
-				    &query->dispentry,
-				    NULL);
+	dns_dispatch_removeresponse(&query->dispentry, NULL);
 
  cleanup_temps:
 	if (qname != NULL)
@@ -962,15 +979,15 @@ resquery_send(resquery_t *query) {
 static void
 resquery_connected(isc_task_t *task, isc_event_t *event) {
 	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
-	resquery_t *query = event->arg;
+	resquery_t *query = event->ev_arg;
 	isc_result_t result;
 
-	REQUIRE(event->type == ISC_SOCKEVENT_CONNECT);
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
 	REQUIRE(VALID_QUERY(query));
 
 	QTRACE("connected");
 
-	(void)task;
+	UNUSED(task);
 
 	/*
 	 * XXXRTH
@@ -987,25 +1004,59 @@ resquery_connected(isc_task_t *task, isc_event_t *event) {
 		 * This query was canceled while the connect() was in
 		 * progress.
 		 */
+		isc_socket_detach(&query->tcpsocket);
 		resquery_destroy(&query);
 	} else {
 		if (sevent->result == ISC_R_SUCCESS) {
+			unsigned int attrs;
+			
+			/*
+			 * We are connected.  Create a dispatcher and
+			 * send the query.
+			 */
+			attrs = 0;
+			attrs |= DNS_DISPATCHATTR_TCP;
+			attrs |= DNS_DISPATCHATTR_PRIVATE;
+			if (isc_sockaddr_pf(query->addrinfo->sockaddr) ==
+			    AF_INET)
+				attrs |= DNS_DISPATCHATTR_IPV4;
+			else
+				attrs |= DNS_DISPATCHATTR_IPV6;
+			attrs |= DNS_DISPATCHATTR_MAKEQUERY;
+
+			result = dns_dispatch_createtcp(query->dispatchmgr,
+							query->tcpsocket,
+							query->fctx->res->taskmgr,
+							4096, 2, 1, 1, 3,
+							attrs,
+							&query->dispatch);
+		
 			/*
-			 * We are connected.  Send the query.
+			 * Regardless of whether dns_dispatch_create()
+			 * succeeded or not, we don't need our reference
+			 * to the socket anymore.
 			 */
-			result = resquery_send(query);
+			isc_socket_detach(&query->tcpsocket);
+
+			if (result == ISC_R_SUCCESS)
+				result = resquery_send(query);
+			
 			if (result != ISC_R_SUCCESS) {
 				fctx_cancelquery(&query, NULL, NULL,
 						 ISC_FALSE);
 				fctx_done(query->fctx, result);
 			}
-		} else
+		} else {
+			isc_socket_detach(&query->tcpsocket);
 			fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
+		}
 	}
 				 
 	isc_event_free(&event);
 }
 
+
+
 static void
 fctx_finddone(isc_task_t *task, isc_event_t *event) {
 	fetchctx_t *fctx;
@@ -1016,12 +1067,12 @@ fctx_finddone(isc_task_t *task, isc_event_t *event) {
 	isc_boolean_t bucket_empty = ISC_FALSE;
 	unsigned int bucketnum;
 
-	find = event->sender;
-	fctx = event->arg;
+	find = event->ev_sender;
+	fctx = event->ev_arg;
 	REQUIRE(VALID_FCTX(fctx));
 	res = fctx->res;
 
-	(void)task;
+	UNUSED(task);
 
 	FCTXTRACE("finddone");
 
@@ -1034,7 +1085,7 @@ fctx_finddone(isc_task_t *task, isc_event_t *event) {
 		 */
 		INSIST(!SHUTTINGDOWN(fctx));
 		fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
-		if (event->type == DNS_EVENT_ADBMOREADDRESSES)
+		if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES)
 			want_try = ISC_TRUE;
 		else if (fctx->pending == 0) {
 			/*
@@ -1360,7 +1411,7 @@ fctx_getaddresses(fetchctx_t *fctx) {
 		}
 		result = dns_rdataset_next(&fctx->nameservers);
 	}
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		return (result);
 
  out:
@@ -1542,6 +1593,7 @@ fctx_destroy(fetchctx_t *fctx) {
 	REQUIRE(fctx->pending == 0);
 	REQUIRE(fctx->validating == 0);
 	REQUIRE(fctx->references == 0);
+	REQUIRE(fctx->validator == NULL);
 
 	FCTXTRACE("destroy");
 
@@ -1584,16 +1636,16 @@ fctx_destroy(fetchctx_t *fctx) {
 
 static void
 fctx_timeout(isc_task_t *task, isc_event_t *event) {
-	fetchctx_t *fctx = event->arg;
+	fetchctx_t *fctx = event->ev_arg;
 
 	REQUIRE(VALID_FCTX(fctx));
 
-	(void)task;	/* Keep compiler quiet. */
+	UNUSED(task);
 
 	FCTXTRACE("timeout");
 
-	if (event->type == ISC_TIMEREVENT_LIFE) {
-		fctx_done(fctx, DNS_R_TIMEDOUT);
+	if (event->ev_type == ISC_TIMEREVENT_LIFE) {
+		fctx_done(fctx, ISC_R_TIMEDOUT);
 	} else {
 		/*
 		 * We could cancel the running queries here, or we could let
@@ -1648,16 +1700,17 @@ fctx_shutdown(fetchctx_t *fctx) {
 
 static void
 fctx_doshutdown(isc_task_t *task, isc_event_t *event) {
-	fetchctx_t *fctx = event->arg;
+	fetchctx_t *fctx = event->ev_arg;
 	isc_boolean_t bucket_empty = ISC_FALSE;
 	dns_resolver_t *res;
 	unsigned int bucketnum;
 
 	REQUIRE(VALID_FCTX(fctx));
 
+	UNUSED(task);
+
 	res = fctx->res;
 	bucketnum = fctx->bucketnum;
-	(void)task;	/* Keep compiler quiet. */
 	
 	FCTXTRACE("doshutdown");
 
@@ -1692,7 +1745,7 @@ fctx_doshutdown(isc_task_t *task, isc_event_t *event) {
 
 static void
 fctx_start(isc_task_t *task, isc_event_t *event) {
-	fetchctx_t *fctx = event->arg;
+	fetchctx_t *fctx = event->ev_arg;
 	isc_boolean_t done = ISC_FALSE, bucket_empty = ISC_FALSE;
 	dns_resolver_t *res;
 	unsigned int bucketnum;
@@ -1701,7 +1754,7 @@ fctx_start(isc_task_t *task, isc_event_t *event) {
 
 	res = fctx->res;
 	bucketnum = fctx->bucketnum;
-	(void)task;	/* Keep compiler quiet. */
+	UNUSED(task);
 
 	FCTXTRACE("start");
 
@@ -1738,7 +1791,7 @@ fctx_start(isc_task_t *task, isc_event_t *event) {
 		 * Reset the control event for later use in shutting down
 		 * the fctx.
 		 */
-		ISC_EVENT_INIT(event, sizeof *event, 0, NULL,
+		ISC_EVENT_INIT(event, sizeof(*event), 0, NULL,
 			       DNS_EVENT_FETCHCONTROL, fctx_doshutdown, fctx,
 			       (void *)fctx_doshutdown, NULL, NULL);
 	}
@@ -1792,8 +1845,15 @@ fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_taskaction_t action,
 	event->sigrdataset = sigrdataset;
 	event->fetch = fetch;
 	dns_fixedname_init(&event->foundname);
-	ISC_LIST_APPEND(fctx->events, event, link);
 
+	/*
+	 * Make sure that we can store the sigrdataset in the
+	 * first event if it is needed by any of the events.
+	 */
+	if (event->sigrdataset != NULL)
+		ISC_LIST_PREPEND(fctx->events, event, ev_link);
+	else
+		ISC_LIST_APPEND(fctx->events, event, ev_link);
 	fctx->references++;
 
 	fetch->magic = DNS_FETCH_MAGIC;
@@ -1882,6 +1942,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 	ISC_LIST_INIT(fctx->forwaddrs);
 	ISC_LIST_INIT(fctx->forwarders);
 	ISC_LIST_INIT(fctx->bad);
+	fctx->validator = NULL;
 	fctx->find = NULL;
 	fctx->pending = 0;
 	fctx->validating = 0;
@@ -1914,7 +1975,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_time_nowplusinterval: %s",
 				 isc_result_totext(iresult));
-		result = DNS_R_UNEXPECTED;
+		result = ISC_R_UNEXPECTED;
 		goto cleanup_rmessage;
 	}
 
@@ -1938,7 +1999,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_timer_create: %s",
 				 isc_result_totext(iresult));
-		result = DNS_R_UNEXPECTED;
+		result = ISC_R_UNEXPECTED;
 		goto cleanup_rmessage;
 	}
 
@@ -2027,9 +2088,9 @@ clone_results(fetchctx_t *fctx) {
 	if (hevent == NULL)
 		return;
 	hname = dns_fixedname_name(&hevent->foundname);
-	for (event = ISC_LIST_NEXT(hevent, link);
+	for (event = ISC_LIST_NEXT(hevent, ev_link);
 	     event != NULL;
-	     event = ISC_LIST_NEXT(event, link)) {
+	     event = ISC_LIST_NEXT(event, ev_link)) {
 		name = dns_fixedname_name(&event->foundname);
 		result = dns_name_concatenate(hname, NULL, name, NULL);
 		if (result != ISC_R_SUCCESS)
@@ -2038,11 +2099,15 @@ clone_results(fetchctx_t *fctx) {
 			event->result = hevent->result;
 		dns_db_attach(hevent->db, &event->db);
 		dns_db_attachnode(hevent->db, hevent->node, &event->node);
-		if (hevent->rdataset != NULL &&
-		    dns_rdataset_isassociated(hevent->rdataset))
+		INSIST(hevent->rdataset != NULL);
+		INSIST(event->rdataset != NULL);
+		if (dns_rdataset_isassociated(hevent->rdataset))
 			dns_rdataset_clone(hevent->rdataset, event->rdataset);
+		INSIST(! (hevent->sigrdataset == NULL &&
+			  event->sigrdataset != NULL));
 		if (hevent->sigrdataset != NULL &&
-		    dns_rdataset_isassociated(hevent->sigrdataset))
+		    dns_rdataset_isassociated(hevent->sigrdataset) &&
+		    event->sigrdataset != NULL)
 			dns_rdataset_clone(hevent->sigrdataset,
 					   event->sigrdataset);
 	}
@@ -2054,35 +2119,182 @@ clone_results(fetchctx_t *fctx) {
 #define EXTERNAL(r)	(((r)->attributes & DNS_RDATASETATTR_EXTERNAL) != 0)
 #define CHAINING(r)	(((r)->attributes & DNS_RDATASETATTR_CHAINING) != 0)
 
-#ifdef notyet
+
+/*
+ * Destroy '*fctx' if it is ready to be destroyed (i.e., if it has
+ * no references and is no longer waiting for any events).  If this
+ * was the last fctx in the resolver, destroy the resolver.
+ *
+ * Requires:
+ *	'*fctx' is shutting down.
+ */
+static void
+maybe_destroy(fetchctx_t *fctx) {
+	unsigned int bucketnum;
+	isc_boolean_t bucket_empty = ISC_FALSE;
+	dns_resolver_t *res = fctx->res;
+	
+	REQUIRE(SHUTTINGDOWN(fctx));
+
+	if (fctx->pending != 0 || fctx->validating != 0)
+		return;
+
+	bucketnum = fctx->bucketnum;
+	LOCK(&res->buckets[bucketnum].lock);
+	if (fctx->references == 0)
+		bucket_empty = fctx_destroy(fctx);
+	UNLOCK(&res->buckets[bucketnum].lock);
+
+	if (bucket_empty)
+		empty_bucket(res);
+}
+
+/*
+ * The validator has finished.
+ */
 static void
 validated(isc_task_t *task, isc_event_t *event) {
-	fetchctx_t *fctx;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t eresult = ISC_R_SUCCESS;
+	isc_stdtime_t now;
+        fetchctx_t *fctx;
+        dns_validatorevent_t *vevent;
+	dns_fetchevent_t *hevent;
+	dns_rdataset_t *ardataset = NULL;
+	dns_rdataset_t *asigrdataset = NULL;
+	dns_dbnode_t *node = NULL;
+
+        UNUSED(task); /* for now */
+
+        REQUIRE(event->ev_type == DNS_EVENT_VALIDATORDONE);
+        fctx = event->ev_arg;
+        REQUIRE(VALID_FCTX(fctx));
+        REQUIRE(fctx->validating > 0);
+
+        vevent = (dns_validatorevent_t *)event;
+	INSIST(vevent->validator == fctx->validator);
+	
+        fctx->validating--;
 
-	REQUIRE(event->type == XXX);
-	fctx = event->arg;
-	REQUIRE(VALID_FCTX(fctx));
-	REQUIRE(fctx->validating > 0);
+	INSIST(fctx->validating == 0);
+	
+	/*
+	 * Destroy the validator early so that we can
+	 * destroy the fctx if necessary.
+	 */
+	dns_validator_destroy(&fctx->validator);
 
-	fctx->validating--;
+        /*
+         * If shutting down, ignore the results.  Check to see if we're
+         * done waiting for validator completions and ADB pending events; if
+         * so, destroy the fctx.
+	 */
+	if (SHUTTINGDOWN(fctx)) {
+		maybe_destroy(fctx);
+		goto cleanup_event;
+	}
 
 	/*
-	 * If shutting down, ignore the results.  Check to see if we're
-	 * done waiting for validator completions and ADB pending events; if
-	 * so, destroy the fctx.
-	 *
-	 * Else, we're not shutting down.  If this is "the answer"
-	 * call fctx_done().
+         * We're not shutting down.
+         */
+	FCTXTRACE("received validation completion event");
+
+	hevent = ISC_LIST_HEAD(fctx->events);
+	if (hevent != NULL) {
+		ardataset = hevent->rdataset;
+		asigrdataset = hevent->sigrdataset;
+	}
+
+        if (vevent->result != ISC_R_SUCCESS) {
+		FCTXTRACE("validation failed");
+		result = vevent->result;
+		goto respond;
+	}
+
+	isc_stdtime_get(&now);
+
+	if (vevent->rdataset == NULL) {
+		dns_rdatatype_t covers;
+		FCTXTRACE("nonexistence validation OK");
+
+		if (fctx->rmessage->rcode == dns_rcode_nxdomain)
+			covers = dns_rdatatype_any;
+		else
+			covers = fctx->type;
+
+		result = dns_db_findnode(fctx->res->view->cachedb,
+					 vevent->name, ISC_TRUE, &node);
+		if (result != ISC_R_SUCCESS)
+			goto respond;
+		
+		result = ncache_adderesult(fctx->rmessage,
+					   fctx->res->view->cachedb, node,
+					   covers, now, ardataset, &eresult);
+		if (result != ISC_R_SUCCESS)
+			goto respond;			
+
+		fctx->attributes |= FCTX_ATTR_HAVEANSWER;		
+		goto respond;
+	}
+
+	FCTXTRACE("validation OK");
+	
+	/*
+	 * The data was already cached as pending data.
+	 * Re-cache it as secure and bind the cached
+	 * rdatasets to the first event on the fetch
+	 * event list.
 	 */
+	result = dns_db_findnode(fctx->res->view->cachedb,
+				 vevent->name, ISC_TRUE, &node);
+	if (result != ISC_R_SUCCESS)
+		goto respond;
+
+	result = dns_db_addrdataset(fctx->res->view->cachedb,
+				    node, NULL, now,
+				    vevent->rdataset, 0,
+				    ardataset);
+	if (result != ISC_R_SUCCESS &&
+	    result != DNS_R_UNCHANGED)
+		goto respond;
+	if (vevent->sigrdataset != NULL) {
+		result = dns_db_addrdataset(fctx->res->view->cachedb,
+					    node, NULL, now,
+					    vevent->sigrdataset, 0,
+					    asigrdataset);
+		if (result != ISC_R_SUCCESS &&
+		    result != DNS_R_UNCHANGED)
+			goto respond;
+	}
+	
+	fctx->attributes |= FCTX_ATTR_HAVEANSWER;
+	result = ISC_R_SUCCESS;
+
+ respond:
+	if (hevent != NULL) {
+		hevent->result = eresult;
+		dns_name_concatenate(vevent->name, NULL,
+		     dns_fixedname_name(&hevent->foundname), NULL);
+		dns_db_attach(fctx->res->view->cachedb, &hevent->db);
+		hevent->node = node;
+		node = NULL;
+		clone_results(fctx);
+	}
 
+	if (node != NULL)
+		dns_db_detachnode(fctx->res->view->cachedb, &node);
+
+	fctx_done(fctx, result);
+
+ cleanup_event:
 	isc_event_free(&event);
 }
-#endif
 
 static inline isc_result_t
 cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
 	dns_rdataset_t *rdataset, *sigrdataset;
 	dns_rdataset_t *addedrdataset, *ardataset, *asigrdataset;
+	dns_rdataset_t *valrdataset = NULL, *valsigrdataset = NULL;
 	dns_dbnode_t *node, **anodep;
 	dns_db_t **adbp;
 	dns_name_t *aname;
@@ -2091,9 +2303,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
 	isc_result_t result, eresult;
 	dns_fetchevent_t *event;
 	unsigned int options;
-#ifdef notyet
 	isc_task_t *task;
-#endif
 
 	/*
 	 * The appropriate bucket lock must be held.
@@ -2111,21 +2321,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
 					     &need_validation);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-#ifdef notyet
 	if (need_validation) {
-		/*
-		 * XXXRTH
-		 *
-		 * If some of the rdatasets associated with this name
-		 * don't have signatures, it could be that data we got is in
-		 * an unsecured subzone of a secure domain.
-		 * 
-		 * In this case we need to see if we can find a key chain
-		 * starting at the most-enclosing security root that proves
-		 * that this name is not secure.
-		 */
+		
 	}
-#endif
 
 	adbp = NULL;
 	aname = NULL;
@@ -2190,13 +2388,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
 					break;
 			}
 			if (sigrdataset == NULL) {
-				if (ANSWER(rdataset)) {
-					/*
-					 * The peer is broken.
-					 */
-					result = DNS_R_FORMERR;
-					break;
-				} else {
+				if (!ANSWER(rdataset)) {
 					/*
 					 * Ignore non-answer rdatasets that
 					 * are missing signatures.
@@ -2210,50 +2402,40 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
 			 * pending data.
 			 */
 #ifdef notyet
-			set_ttl(rdataset, sigrdataset);
+			if (sigrdataset != NULL)
+				set_ttl(rdataset, sigrdataset);
 #endif
 			rdataset->trust = dns_trust_pending;
-			sigrdataset->trust = dns_trust_pending;
+			if (sigrdataset != NULL)
+				sigrdataset->trust = dns_trust_pending;
 			result = dns_db_addrdataset(res->view->cachedb,
 						    node, NULL, now,
 						    rdataset, 0, NULL);
-			if (result != ISC_R_SUCCESS &&
-			    result != DNS_R_UNCHANGED)
-				break;
-			result = dns_db_addrdataset(res->view->cachedb,
-						    node, NULL, now,
-						    sigrdataset, 0, NULL);
-			if (result != ISC_R_SUCCESS &&
-			    result != DNS_R_UNCHANGED)
+			if (result == DNS_R_UNCHANGED)
+				result = ISC_R_SUCCESS;
+			if (result != ISC_R_SUCCESS)
 				break;
+			if (sigrdataset != NULL) {
+				result = dns_db_addrdataset(res->view->cachedb,
+							    node, NULL, now,
+							    sigrdataset, 0,
+							    NULL);
+				if (result == DNS_R_UNCHANGED)
+					result = ISC_R_SUCCESS;
+				if (result != ISC_R_SUCCESS)
+					break;
+			}
 			if (ANSWER(rdataset)) {
-#ifdef notyet
 				/*
-				 * XXXRTH  We should probably do this
-				 *         after we've cached everything as
-				 *         pending, otherwise we might not
-				 *         take advantage of a key which we
-				 *         have learned.
+				 * This is the answer.  We will
+				 * validate it, but first we cache
+				 * the rest of the response - it may
+				 * contain useful keys.
 				 */
-				validator = NULL;
-				task = res->buckets[fctx->bucketnum].task;
-				result = dns_validator_create(res->view,
-							       name,
-							       rdataset,
-							       sigrdataset,
-							       fctx->rmessage,
-							       ISC_TRUE,
-							       task,
-							       validated,
-							       fctx,
-							       &validator);
-				if (result == ISC_R_SUCCESS) {
-					ISC_LIST_APPEND(validator);
-					fctx->validating++;
-				}
-#else
-				result = DNS_R_NOTIMPLEMENTED;
-#endif
+				INSIST(valrdataset == NULL &&
+				       valsigrdataset == NULL);
+				valrdataset = rdataset;
+				valsigrdataset = sigrdataset;
 			}
 		} else if (!EXTERNAL(rdataset)) {
 			/*
@@ -2261,6 +2443,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
 			 */
 			if (ANSWER(rdataset))
 				addedrdataset = ardataset;
+			else if (ANSWERSIG(rdataset))
+				addedrdataset = asigrdataset;
 			else
 				addedrdataset = NULL;
 			if (CHAINING(rdataset)) {
@@ -2315,6 +2499,24 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
 		}
 	}
 
+	if (valrdataset != NULL) {
+		task = res->buckets[fctx->bucketnum].task;
+		result = dns_validator_create(res->view,
+					      name,
+					      fctx->type,
+					      valrdataset,
+					      valsigrdataset,
+					      fctx->rmessage,
+					      0,
+					      task,
+					      validated,
+					      fctx,
+					      &fctx->validator);
+		if (result == ISC_R_SUCCESS)
+			fctx->validating++;
+	}
+	
+
 	if (result == ISC_R_SUCCESS && have_answer) {
 		fctx->attributes |= FCTX_ATTR_HAVEANSWER;
 		if (event != NULL) {
@@ -2370,6 +2572,55 @@ cache_message(fetchctx_t *fctx, isc_stdtime_t now) {
 	return (result);
 }
 
+/*
+ * Do what dns_ncache_add() does, and then compute an appropriate eresult.
+ */
+static isc_result_t
+ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
+		  dns_rdatatype_t covers, isc_stdtime_t now,
+		  dns_rdataset_t *ardataset,
+		  isc_result_t *eresultp)
+{
+	isc_result_t result;
+	result = dns_ncache_add(message, cache, node, covers, now, ardataset);
+	if (result == DNS_R_UNCHANGED) {
+		/*
+		 * The data in the cache is better than the negative cache
+		 * entry we're trying to add.
+		 */
+		if (ardataset != NULL && ardataset->type == 0) {
+			/*
+			 * The cache data is also a negative cache
+			 * entry.
+			 */
+			if (ardataset->covers == dns_rdatatype_any)
+				*eresultp = DNS_R_NCACHENXDOMAIN;
+			else
+				*eresultp = DNS_R_NCACHENXRRSET;
+			result = ISC_R_SUCCESS;
+		} else {
+			/*
+			 * Either we don't care about the nature of the
+			 * cache rdataset (because no fetch is interested
+			 * in the outcome), or the cache rdataset is not
+			 * a negative cache entry.  Whichever case it is,
+			 * we can return success. 
+			 *
+			 * XXXRTH  There's a CNAME/DNAME problem here.
+			 */
+			*eresultp = ISC_R_SUCCESS;
+			result = ISC_R_SUCCESS;
+		}
+	} else if (result == ISC_R_SUCCESS) {
+		if (covers == dns_rdatatype_any)
+			*eresultp = DNS_R_NCACHENXDOMAIN;
+		else
+			*eresultp = DNS_R_NCACHENXRRSET;
+	}
+
+	return (result);
+}
+
 static inline isc_result_t
 ncache_message(fetchctx_t *fctx, dns_rdatatype_t covers, isc_stdtime_t now) {
 	isc_result_t result, eresult;
@@ -2398,21 +2649,21 @@ ncache_message(fetchctx_t *fctx, dns_rdatatype_t covers, isc_stdtime_t now) {
 					     &need_validation);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-#ifdef notyet
 	if (need_validation) {
 		/*
-		 * XXXRTH
-		 *
-		 * If some of the rdatasets associated with this name
-		 * don't have signatures, it could be that data we got is in
-		 * an unsecured subzone of a secure domain.
-		 * 
-		 * In this case we need to see if we can find a key chain
-		 * starting at the most-enclosing security root that proves
-		 * that this name is not secure.
+		 * Do negative response validation.
 		 */
+                isc_task_t *task = res->buckets[fctx->bucketnum].task;
+                result = dns_validator_create(res->view, name, fctx->type,
+					      NULL, NULL,
+                                              fctx->rmessage, 0, task,
+                                              validated, fctx,
+                                              &fctx->validator);
+                if (result != ISC_R_SUCCESS)
+                        return (result);
+                fctx->validating++;
+		return (ISC_R_SUCCESS);
 	}
-#endif
 
 	LOCK(&res->buckets[fctx->bucketnum].lock);
 
@@ -2439,44 +2690,12 @@ ncache_message(fetchctx_t *fctx, dns_rdatatype_t covers, isc_stdtime_t now) {
 				 &node);
 	if (result != ISC_R_SUCCESS)
 		goto unlock;
-	result = dns_ncache_add(fctx->rmessage, res->view->cachedb, node,
-				covers, now, ardataset);
-	if (result == DNS_R_UNCHANGED) {
-		/*
-		 * The data in the cache is better than the negative cache
-		 * entry we're trying to add.
-		 */
-		if (ardataset != NULL && ardataset->type == 0) {
-			/*
-			 * The cache data is also a negative cache
-			 * entry.
-			 */
-			if (ardataset->covers == dns_rdatatype_any)
-				eresult = DNS_R_NCACHENXDOMAIN;
-			else
-				eresult = DNS_R_NCACHENXRRSET;
-			result = ISC_R_SUCCESS;
-		} else {
-			/*
-			 * Either we don't care about the nature of the
-			 * cache rdataset (because no fetch is interested
-			 * in the outcome), or the cache rdataset is not
-			 * a negative cache entry.  Whichever case it is,
-			 * we can return success.  In the latter case,
-			 * 'eresult' is already set correctly.
-			 *
-			 * XXXRTH  There's a CNAME/DNAME problem here.
-			 */
-			result = ISC_R_SUCCESS;
-		}
-	} else if (result == ISC_R_SUCCESS) {
-		if (covers == dns_rdatatype_any)
-			eresult = DNS_R_NCACHENXDOMAIN;
-		else
-			eresult = DNS_R_NCACHENXRRSET;
-	} else
-		goto unlock;
 
+	result = ncache_adderesult(fctx->rmessage, res->view->cachedb, node,
+				   covers, now, ardataset, &eresult);
+	if (result != ISC_R_SUCCESS)
+		goto unlock;	
+	
 	if (!HAVE_ANSWER(fctx)) {
 		fctx->attributes |= FCTX_ATTR_HAVEANSWER;
 		if (event != NULL) {
@@ -2715,7 +2934,7 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname) {
 				type = rdataset->type;
 				if (type == dns_rdatatype_sig)
 					type = rdataset->covers;
-				if (rdataset->type == dns_rdatatype_ns) {
+				if (type == dns_rdatatype_ns) {
 					/*
 					 * NS or SIG NS.
 					 *
@@ -2730,19 +2949,20 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname) {
 						DNS_RDATASETATTR_CACHE;
 					rdataset->trust = dns_trust_glue;
 					ns_rdataset = rdataset;
-				} else if (rdataset->type ==
-					   dns_rdatatype_soa ||
-					   rdataset->type ==
-					   dns_rdatatype_nxt) {
+				} else if (type == dns_rdatatype_soa ||
+					   type == dns_rdatatype_nxt) {
 					/*
 					 * SOA, SIG SOA, NXT, or SIG NXT.
 					 *
 					 * Only one SOA is allowed.
 					 */
-					if (soa_name != NULL &&
-					    name != soa_name)
-						return (DNS_R_FORMERR);
-					soa_name = name;
+					if (rdataset->type == dns_rdatatype_soa)
+					{
+						if (soa_name != NULL &&
+						    name != soa_name)
+							return (DNS_R_FORMERR);
+						soa_name = name;
+					}
 					negative_response = ISC_TRUE;
 					name->attributes |=
 						DNS_NAMEATTR_NCACHE;
@@ -2762,7 +2982,9 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname) {
 			}
 		}
 		result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
-		if (result != ISC_R_NOMORE)
+		if (result == ISC_R_NOMORE)
+			break;
+		else if (result != ISC_R_SUCCESS)
 			return (result);
 	}
 
@@ -2854,7 +3076,7 @@ answer_response(fetchctx_t *fctx) {
 	dns_name_t *name, *qname, tname;
 	dns_rdataset_t *rdataset;
 	isc_boolean_t done, external, chaining, aa, found, want_chaining;
-	isc_boolean_t have_sig, have_answer;
+	isc_boolean_t have_answer;
 	unsigned int aflag;
 	dns_rdatatype_t type;
 	dns_fixedname_t dname;
@@ -2871,7 +3093,6 @@ answer_response(fetchctx_t *fctx) {
 	done = ISC_FALSE;
 	chaining = ISC_FALSE;
 	have_answer = ISC_FALSE;
-	have_sig = ISC_FALSE;
 	want_chaining = ISC_FALSE;
 	if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
 		aa = ISC_TRUE;
@@ -2960,8 +3181,6 @@ answer_response(fetchctx_t *fctx) {
 						if (aflag ==
 						    DNS_RDATASETATTR_ANSWER)
 							have_answer = ISC_TRUE;
-						else
-							have_sig = ISC_TRUE;
 						name->attributes |=
 							DNS_NAMEATTR_ANSWER;
 						rdataset->attributes |= aflag;
@@ -3190,13 +3409,12 @@ answer_response(fetchctx_t *fctx) {
 static void
 resquery_response(isc_task_t *task, isc_event_t *event) {
 	isc_result_t result;
-	resquery_t *query = event->arg;
+	resquery_t *query = event->ev_arg;
 	dns_dispatchevent_t *devent = (dns_dispatchevent_t *)event;
 	isc_boolean_t keep_trying, broken_server, get_nameservers, resend;
 	isc_boolean_t truncated;
 	dns_message_t *message;
 	fetchctx_t *fctx;
-	dns_rdatatype_t covers;
 	dns_name_t *fname;
 	dns_fixedname_t foundname;
 	isc_stdtime_t now;
@@ -3208,9 +3426,9 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	fctx = query->fctx;
 	options = query->options;
 	REQUIRE(VALID_FCTX(fctx));
-	REQUIRE(event->type == DNS_EVENT_DISPATCH);
+	REQUIRE(event->ev_type == DNS_EVENT_DISPATCH);
 
-	(void)task;
+	UNUSED(task);
 	QTRACE("response");
 
 	(void)isc_timer_touch(fctx->timer);
@@ -3220,7 +3438,6 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	get_nameservers = ISC_FALSE;
 	resend = ISC_FALSE;
 	truncated = ISC_FALSE;
-	covers = 0;
 	finish = NULL;
 
 	/*
@@ -3273,7 +3490,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	result = dns_message_parse(message, &devent->buffer, ISC_FALSE);
 	if (result != ISC_R_SUCCESS) {
 		switch (result) {
-		case DNS_R_UNEXPECTEDEND:
+		case ISC_R_UNEXPECTEDEND:
 			if (!message->question_ok ||
 			    (message->flags & DNS_MESSAGEFLAG_TC) == 0 ||
 			    (options & DNS_FETCHOPT_TCP) != 0) {
@@ -3337,7 +3554,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			}
 			goto done;
 		case DNS_R_MOREDATA:
-			result = DNS_R_NOTIMPLEMENTED;
+			result = ISC_R_NOTIMPLEMENTED;
 			goto done;
 		default:
 			/*
@@ -3532,10 +3749,12 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	 * also cause work to be queued to the DNSSEC validator.
 	 */
 	if (WANTNCACHE(fctx)) {
+		dns_rdatatype_t covers;
 		if (message->rcode == dns_rcode_nxdomain)
 			covers = dns_rdatatype_any;
 		else
 			covers = fctx->type;
+
 		/*
 		 * Cache any negative cache entries in the message.
 		 */
@@ -3628,7 +3847,12 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 		 * All has gone well so far, but we are waiting for the
 		 * DNSSEC validator to validate the answer.
 		 */
+		FCTXTRACE("wait for validator");
 		fctx_cancelqueries(fctx, ISC_TRUE);
+		/*
+		 * We must not retransmit while the validator is working;
+		 * it has references to the current rmessage.
+		 */
 		result = fctx_stopidletimer(fctx);
 		if (result != ISC_R_SUCCESS)
 			fctx_done(fctx, result);
@@ -3679,12 +3903,8 @@ destroy(dns_resolver_t *res) {
 		    res->nbuckets * sizeof (fctxbucket_t));
 	if (res->dispatchv4 != NULL)
 		dns_dispatch_detach(&res->dispatchv4);
-	if (res->udpsocketv4 != NULL)
-		isc_socket_detach(&res->udpsocketv4);
 	if (res->dispatchv6 != NULL)
 		dns_dispatch_detach(&res->dispatchv6);
-	if (res->udpsocketv6 != NULL)
-		isc_socket_detach(&res->udpsocketv6);
 	free_forwarders(res);
 	res->magic = 0;
 	isc_mem_put(res->mctx, res, sizeof *res);
@@ -3702,10 +3922,10 @@ send_shutdown_events(dns_resolver_t *res) {
 	for (event = ISC_LIST_HEAD(res->whenshutdown);
 	     event != NULL;
 	     event = next_event) {
-		next_event = ISC_LIST_NEXT(event, link);
-		ISC_LIST_UNLINK(res->whenshutdown, event, link);
-		etask = event->sender;
-		event->sender = res;
+		next_event = ISC_LIST_NEXT(event, ev_link);
+		ISC_LIST_UNLINK(res->whenshutdown, event, ev_link);
+		etask = event->ev_sender;
+		event->ev_sender = res;
 		isc_task_sendanddetach(&etask, &event);
 	}
 }
@@ -3730,6 +3950,7 @@ dns_resolver_create(dns_view_t *view,
 		    isc_socketmgr_t *socketmgr,
 		    isc_timermgr_t *timermgr,
 		    unsigned int options,
+		    dns_dispatchmgr_t *dispatchmgr,
 		    dns_dispatch_t *dispatchv4,
 		    dns_dispatch_t *dispatchv6,
 		    dns_resolver_t **resp)
@@ -3746,6 +3967,8 @@ dns_resolver_create(dns_view_t *view,
 	REQUIRE(DNS_VIEW_VALID(view));
 	REQUIRE(ntasks > 0);
 	REQUIRE(resp != NULL && *resp == NULL);
+	REQUIRE(dispatchmgr != NULL);
+	REQUIRE(dispatchv4 != NULL || dispatchv6 != NULL);
 
 	res = isc_mem_get(view->mctx, sizeof *res);
 	if (res == NULL)
@@ -3755,6 +3978,8 @@ dns_resolver_create(dns_view_t *view,
 	res->rdclass = view->rdclass;
 	res->socketmgr = socketmgr;
 	res->timermgr = timermgr;
+	res->taskmgr = taskmgr;
+	res->dispatchmgr = dispatchmgr;
 	res->view = view;
 	res->options = options;
 
@@ -3771,8 +3996,7 @@ dns_resolver_create(dns_view_t *view,
 		if (result != ISC_R_SUCCESS)
 			goto cleanup_buckets;
 		res->buckets[i].task = NULL;
-		result = isc_task_create(taskmgr, view->mctx, 0,
-					 &res->buckets[i].task);
+		result = isc_task_create(taskmgr, 0, &res->buckets[i].task);
 		if (result != ISC_R_SUCCESS) {
 			isc_mutex_destroy(&res->buckets[i].lock);
 			goto cleanup_buckets;
@@ -3784,53 +4008,12 @@ dns_resolver_create(dns_view_t *view,
 		buckets_created++;
 	}
 
-	/*
-	 * IPv4 Dispatcher.
-	 */
 	res->dispatchv4 = NULL;
-	res->udpsocketv4 = NULL;
-	if (dispatchv4 != NULL) {
+	if (dispatchv4 != NULL)
 		dns_dispatch_attach(dispatchv4, &res->dispatchv4);
-	} else if (isc_net_probeipv4() == ISC_R_SUCCESS) {
-		/*
-		 * Create an IPv4 UDP socket and a dispatcher for it.
-		 */
-		result = isc_socket_create(socketmgr, AF_INET,
-					   isc_sockettype_udp,
-					   &res->udpsocketv4);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_buckets;
-		result = dns_dispatch_create(res->mctx, res->udpsocketv4,
-					     res->buckets[0].task, 4096,
-					     1000, 32768, 16411, 16433, NULL,
-					     &res->dispatchv4);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_udpsocketv4;
-	}
-
-	/*
-	 * IPv6 Dispatcher.
-	 */
 	res->dispatchv6 = NULL;
-	res->udpsocketv6 = NULL;
-	if (dispatchv6 != NULL) {
+	if (dispatchv6 != NULL)
 		dns_dispatch_attach(dispatchv6, &res->dispatchv6);
-	} else if (isc_net_probeipv6() == ISC_R_SUCCESS) {
-		/*
-		 * Create an IPv6 UDP socket and a dispatcher for it.
-		 */
-		result = isc_socket_create(socketmgr, AF_INET6,
-					   isc_sockettype_udp,
-					   &res->udpsocketv6);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_dispatchv4;
-		result = dns_dispatch_create(res->mctx, res->udpsocketv6,
-					     res->buckets[0].task, 4096, 
-					     1000, 32768, 16411, 16433, NULL,
-					     &res->dispatchv6);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_udpsocketv6;
-	}
 
 	/*
 	 * Forwarding.
@@ -3847,7 +4030,7 @@ dns_resolver_create(dns_view_t *view,
 
 	result = isc_mutex_init(&res->lock);
 	if (result != ISC_R_SUCCESS)
-		goto cleanup_dispatchv6;
+		goto cleanup_dispatches;
 
 	res->magic = RES_MAGIC;
 	
@@ -3855,22 +4038,12 @@ dns_resolver_create(dns_view_t *view,
 
 	return (ISC_R_SUCCESS);
 
- cleanup_dispatchv6:
+ cleanup_dispatches:
 	if (res->dispatchv6 != NULL)
 		dns_dispatch_detach(&res->dispatchv6);
-
- cleanup_udpsocketv6:
-	if (res->udpsocketv6 != NULL)
-		isc_socket_detach(&res->udpsocketv6);
-
- cleanup_dispatchv4:
 	if (res->dispatchv4 != NULL)
 		dns_dispatch_detach(&res->dispatchv4);
 
- cleanup_udpsocketv4:
-	if (res->udpsocketv4 != NULL)
-		isc_socket_detach(&res->udpsocketv4);
-
  cleanup_buckets:
 	for (i = 0; i < buckets_created; i++) {
 		(void)isc_mutex_destroy(&res->buckets[i].lock);
@@ -3941,12 +4114,12 @@ prime_done(isc_task_t *task, isc_event_t *event) {
 	dns_fetchevent_t *fevent;
 	dns_fetch_t *fetch;
 
-	REQUIRE(event->type == DNS_EVENT_FETCHDONE);
+	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
 	fevent = (dns_fetchevent_t *)event;
-	res = event->arg;
+	res = event->ev_arg;
 	REQUIRE(VALID_RESOLVER(res));
 
-	(void)task;
+	UNUSED(task);
 
 	LOCK(&res->lock);
 
@@ -4088,13 +4261,13 @@ dns_resolver_whenshutdown(dns_resolver_t *res, isc_task_t *task,
 		/*
 		 * We're already shutdown.  Send the event.
 		 */
-		event->sender = res;
+		event->ev_sender = res;
 		isc_task_send(task, &event);
 	} else {
 		clone = NULL;
 		isc_task_attach(task, &clone);
-		event->sender = clone;
-		ISC_LIST_APPEND(res->whenshutdown, event, link);
+		event->ev_sender = clone;
+		ISC_LIST_APPEND(res->whenshutdown, event, ev_link);
 	}
 	
 	UNLOCK(&res->lock);
@@ -4104,6 +4277,7 @@ void
 dns_resolver_shutdown(dns_resolver_t *res) {
 	unsigned int i;
 	fetchctx_t *fctx;
+	isc_socket_t *sock;
 
 	REQUIRE(VALID_RESOLVER(res));
 
@@ -4121,14 +4295,16 @@ dns_resolver_shutdown(dns_resolver_t *res) {
 			     fctx != NULL;
 			     fctx = ISC_LIST_NEXT(fctx, link))
 				fctx_shutdown(fctx);
-			if (res->udpsocketv4 != NULL)
-				isc_socket_cancel(res->udpsocketv4,
-						  res->buckets[i].task,
+			if (res->dispatchv4 != NULL) {
+				sock = dns_dispatch_getsocket(res->dispatchv4);
+				isc_socket_cancel(sock, res->buckets[i].task,
 						  ISC_SOCKCANCEL_ALL);
-			if (res->udpsocketv6 != NULL)
-				isc_socket_cancel(res->udpsocketv6,
-						  res->buckets[i].task,
+			}
+			if (res->dispatchv6 != NULL) {
+				sock = dns_dispatch_getsocket(res->dispatchv6);
+				isc_socket_cancel(sock, res->buckets[i].task,
 						  ISC_SOCKCANCEL_ALL);
+			}
 			res->buckets[i].exiting = ISC_TRUE;
 			if (ISC_LIST_EMPTY(res->buckets[i].fctxs)) {
 				INSIST(res->activebuckets > 0);
@@ -4190,19 +4366,17 @@ log_fetch(dns_name_t *name, dns_rdatatype_t type) {
 	 * XXXRTH  Allow this to be turned on and off...
 	 */
 
-	isc_buffer_init(&b, (unsigned char *)text, sizeof text,
-			ISC_BUFFERTYPE_TEXT);
-	if (dns_name_totext(name, ISC_FALSE, &b) !=
-	    ISC_R_SUCCESS)
+	isc_buffer_init(&b, (unsigned char *)text, sizeof(text));
+	if (dns_name_totext(name, ISC_FALSE, &b) != ISC_R_SUCCESS)
 		return;
-	isc_buffer_available(&b, &r);
+	isc_buffer_availableregion(&b, &r);
 	if (r.length < 1)
 		return;
 	*r.base = ' ';
 	isc_buffer_add(&b, 1);
 	if (dns_rdatatype_totext(type, &b) != ISC_R_SUCCESS)
 		return;
-	isc_buffer_used(&b, &r);
+	isc_buffer_usedregion(&b, &r);
 	/* XXXRTH  Give them their own category? */
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
 		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
@@ -4227,7 +4401,7 @@ dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
 	isc_boolean_t new_fctx = ISC_FALSE;
 	isc_event_t *event;
 
-	(void)forwarders;
+	UNUSED(forwarders);
 
 	REQUIRE(VALID_RESOLVER(res));
 	REQUIRE(res->frozen);
@@ -4286,7 +4460,7 @@ dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
 			 * Launch this fctx.
 			 */
 			event = &fctx->control_event;
-			ISC_EVENT_INIT(event, sizeof *event, 0, NULL,
+			ISC_EVENT_INIT(event, sizeof(*event), 0, NULL,
 				       DNS_EVENT_FETCHCONTROL,
 				       fctx_start, fctx, (void *)fctx_create,
 				       NULL, NULL);
@@ -4333,16 +4507,16 @@ dns_resolver_cancelfetch(dns_fetch_t *fetch) {
 		for (event = ISC_LIST_HEAD(fctx->events);
 		     event != NULL;
 		     event = next_event) {
-			next_event = ISC_LIST_NEXT(event, link);
+			next_event = ISC_LIST_NEXT(event, ev_link);
 			if (event->fetch == fetch) {
-				ISC_LIST_UNLINK(fctx->events, event,
-						link);
+				ISC_LIST_UNLINK(fctx->events, event, ev_link);
 				break;
 			}
 		}
 	}
 	if (event != NULL) {
-		etask = event->sender;
+		etask = event->ev_sender;
+		event->ev_sender = fctx;
 		event->result = ISC_R_CANCELED;
 		isc_task_sendanddetach(&etask, (isc_event_t **)&event);
 	}
@@ -4380,7 +4554,7 @@ dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
 		for (event = ISC_LIST_HEAD(fctx->events);
 		     event != NULL;
 		     event = next_event) {
-			next_event = ISC_LIST_NEXT(event, link);
+			next_event = ISC_LIST_NEXT(event, ev_link);
 			RUNTIME_CHECK(event->fetch != fetch);
 		}
 	}
@@ -4414,3 +4588,33 @@ dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
 	if (bucket_empty)
 		empty_bucket(res);
 }
+
+dns_dispatchmgr_t *
+dns_resolver_dispatchmgr(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->dispatchmgr);
+}
+
+dns_dispatch_t *
+dns_resolver_dispatchv4(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->dispatchv4);
+}
+
+dns_dispatch_t *
+dns_resolver_dispatchv6(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->dispatchv6);
+}
+
+isc_socketmgr_t *
+dns_resolver_socketmgr(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->socketmgr);
+}
+
+isc_taskmgr_t *
+dns_resolver_taskmgr(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->taskmgr);
+}
diff --git a/lib/dns/result.c b/lib/dns/result.c
index 4c69df20..202fb8ed 100644
--- a/lib/dns/result.c
+++ b/lib/dns/result.c
@@ -17,11 +17,8 @@
 
 #include <config.h>
 
-#include <stddef.h>
-
-#include <isc/resultclass.h>
 #include <isc/once.h>
-#include <isc/error.h>
+#include <isc/util.h>
 
 #include <dns/result.h>
 #include <dns/lib.h>
@@ -33,7 +30,7 @@ static char *text[DNS_R_NRESULTS] = {
 	"bitstring too long",			/*  3 */
 	"empty label",				/*  4 */
 	"bad dotted quad",			/*  5 */
-	"unexpected end of input",		/*  6 */
+	"UNUSED6",				/*  6 */
 	"unknown class/type",			/*  7 */
 	"bad label type",			/*  8 */
 	"bad compression pointer",		/*  9 */
@@ -42,14 +39,14 @@ static char *text[DNS_R_NRESULTS] = {
 	"extra input text",			/* 12 */
 	"extra input data",			/* 13 */
 	"text too long",			/* 14 */
-	"out of range",				/* 15 */
+	"UNUSED15",				/* 15 */
 	"syntax error",				/* 16 */
 	"bad checksum",				/* 17 */
 	"bad IPv6 address",			/* 18 */
 	"no owner",				/* 19 */
 	"no ttl",				/* 20 */
 	"bad class",				/* 21 */
-	"unexpected token",			/* 22 */
+	"UNUSED22",				/* 22 */
 	"partial match",			/* 23 */
 	"new origin",				/* 24 */
 	"unchanged",				/* 25 */
@@ -86,6 +83,9 @@ static char *text[DNS_R_NRESULTS] = {
 	"no journal",				/* 56 */
 	"alias",				/* 57 */
 	"use TCP",				/* 58 */
+	"no valid SIG",				/* 59 */
+	"no valid NXT",				/* 60 */
+	"not insecure"				/* 61 */
 };
 
 static char *rcode_text[DNS_R_NRCODERESULTS] = {
@@ -165,28 +165,27 @@ dns_result_torcode(isc_result_t result) {
 	case ISC_R_SUCCESS:
 		rcode = dns_rcode_noerror;
 		break;
+	case ISC_R_BADBASE64:
 	case ISC_R_NOSPACE:
+	case ISC_R_RANGE:
 	case ISC_R_UNEXPECTEDEND:
-	case ISC_R_BADBASE64:
-	case DNS_R_LABELTOOLONG:
+	case DNS_R_BADAAAA:
 	case DNS_R_BADBITSTRING:
-	case DNS_R_BITSTRINGTOOLONG:
-	case DNS_R_UNEXPECTEDEND:
-	case DNS_R_UNKNOWN:
-	case DNS_R_BADLABELTYPE:
-	case DNS_R_BADPOINTER:
-	case DNS_R_TOOMANYHOPS:
-	case DNS_R_EXTRADATA:
-	case DNS_R_TEXTTOOLONG:
-	case DNS_R_RANGE:
-	case DNS_R_SYNTAX:
 	case DNS_R_BADCKSUM:
-	case DNS_R_BADAAAA:
 	case DNS_R_BADCLASS:
+	case DNS_R_BADLABELTYPE:
+	case DNS_R_BADPOINTER:
 	case DNS_R_BADTTL:
-	case DNS_R_NOREDATA:
 	case DNS_R_BADZONE:
+	case DNS_R_BITSTRINGTOOLONG:
+	case DNS_R_EXTRADATA:
+	case DNS_R_LABELTOOLONG:
+	case DNS_R_NOREDATA:
+	case DNS_R_SYNTAX:
+	case DNS_R_TEXTTOOLONG:
+	case DNS_R_TOOMANYHOPS:
 	case DNS_R_TSIGERRORSET:
+	case DNS_R_UNKNOWN:
 		rcode = dns_rcode_formerr;
 		break;
 	case DNS_R_DISALLOWED:
diff --git a/lib/dns/rootns.c b/lib/dns/rootns.c
index 448a5258..70f4664c 100644
--- a/lib/dns/rootns.c
+++ b/lib/dns/rootns.c
@@ -17,14 +17,11 @@
 
 #include <config.h>
 
-#include <stddef.h>
-#include <string.h>
+#include <isc/buffer.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/util.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/types.h>
-
-#include <dns/types.h>
+#include <dns/callbacks.h>
 #include <dns/db.h>
 #include <dns/master.h>
 #include <dns/rootns.h>
@@ -84,7 +81,7 @@ dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	dns_rdatacallbacks_init(&callbacks);
 
 	len = strlen(root_ns);
-	isc_buffer_init(&source, root_ns, len, ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&source, root_ns, len);
 	isc_buffer_add(&source, len);
 
 	result = dns_db_beginload(db, &callbacks.add,
@@ -110,7 +107,7 @@ dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 					       &soacount, &nscount, &callbacks,
 					       db->mctx);
 	} else
-		result = DNS_R_NOTFOUND;
+		result = ISC_R_NOTFOUND;
 	eresult = dns_db_endload(db, &callbacks.add_private);
 	if (result == ISC_R_SUCCESS)
 		result = eresult;
@@ -118,7 +115,7 @@ dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 		goto db_detach;
 
 	*target = db;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 
  db_detach:
 	dns_db_detach(&db);
diff --git a/lib/dns/sec/Makefile.in b/lib/dns/sec/Makefile.in
index 281e6008..4d21db7a 100644
--- a/lib/dns/sec/Makefile.in
+++ b/lib/dns/sec/Makefile.in
@@ -17,7 +17,7 @@ srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-SUBDIRS =	dnssafe dst openssl
+SUBDIRS =	dnssafe dst @dst_privateopenssl@
 TARGETS =
 
 @BIND9_MAKE_RULES@
diff --git a/lib/dns/sec/dnssafe/ahcbcpad.h b/lib/dns/sec/dnssafe/ahcbcpad.h
index 9daa2435..20154976 100644
--- a/lib/dns/sec/dnssafe/ahcbcpad.h
+++ b/lib/dns/sec/dnssafe/ahcbcpad.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _AHCBCPAD_H_
-#define _AHCBCPAD_H_
+#ifndef DNSSAFE_AHCBCPAD_H
+#define DNSSAFE_AHCBCPAD_H 1
 
 #include "ahchencr.h"
 
@@ -34,4 +34,5 @@ int AHSecretCBCPadDecryptFinal PROTO_LIST
   ((THIS_ENCRYPT_DECRYPT *, unsigned char *, unsigned int *,
     unsigned int, B_Algorithm *, A_SURRENDER_CTX *));
 
-#endif
+#endif /* DNSSAFE_AHCBCPAD_H */
+
diff --git a/lib/dns/sec/dnssafe/ahchdig.h b/lib/dns/sec/dnssafe/ahchdig.h
index d56df5ba..b58eec7e 100644
--- a/lib/dns/sec/dnssafe/ahchdig.h
+++ b/lib/dns/sec/dnssafe/ahchdig.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _AHCHDIG_H_
-#define _AHCHDIG_H_ 1
+#ifndef DNSSAFE_AHCHDIG_H
+#define DNSSAFE_AHCHDIG_H 1
 
 #include "ahdigest.h"
 #include "algchoic.h"
@@ -29,4 +29,5 @@ int AHChooseDigestFinal PROTO_LIST
   ((THIS_DIGEST *, unsigned char *, unsigned int *, unsigned int,
     A_SURRENDER_CTX *));
 
-#endif
+#endif /* DNSSAFE_AHCHDIG_H */
+
diff --git a/lib/dns/sec/dnssafe/ahchencr.h b/lib/dns/sec/dnssafe/ahchencr.h
index 4befa783..836fc1dd 100644
--- a/lib/dns/sec/dnssafe/ahchencr.h
+++ b/lib/dns/sec/dnssafe/ahchencr.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _AHCHENCR_H_
-#define _AHCHENCR_H_ 1
+#ifndef DNSSAFE_AHCHENCR_H
+#define DNSSAFE_AHCHENCR_H 1
 
 #include "ahencryp.h"
 #include "algchoic.h"
@@ -71,4 +71,5 @@ int AHChooseEncryptDecryptFinal PROTO_LIST
   ((THIS_ENCRYPT_DECRYPT *, unsigned char *, unsigned int *,
     unsigned int, B_Algorithm *, A_SURRENDER_CTX *));
 
-#endif
+#endif /* DNSSAFE_AHCHENCR_H */
+
diff --git a/lib/dns/sec/dnssafe/ahchgen.h b/lib/dns/sec/dnssafe/ahchgen.h
index 8e7ecf3d..2c7cf3dd 100644
--- a/lib/dns/sec/dnssafe/ahchgen.h
+++ b/lib/dns/sec/dnssafe/ahchgen.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _AHCHGEN_H_
-#define _AHCHGEN_H_ 1
+#ifndef DNSSAFE_AHCHGEN_H
+#define DNSSAFE_AHCHGEN_H 1
 
 #include "ahgen.h"
 #include "algchoic.h"
@@ -41,4 +41,5 @@ int AHChooseGenerateKeypair PROTO_LIST
 int AHChooseGenerateParameters PROTO_LIST
   ((THIS_GENERATE *, B_Algorithm *, B_Algorithm *, A_SURRENDER_CTX *));
 
-#endif
+#endif /* DNSSAFE_AHCHGEN_H */
+
diff --git a/lib/dns/sec/dnssafe/ahchrand.h b/lib/dns/sec/dnssafe/ahchrand.h
index 51e0f984..36d430cf 100644
--- a/lib/dns/sec/dnssafe/ahchrand.h
+++ b/lib/dns/sec/dnssafe/ahchrand.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _AHCHRAND_H_
-#define _AHCHRAND_H_ 1
+#ifndef DNSSAFE_AHCHRAND_H
+#define DNSSAFE_AHCHRAND_H 1
 
 #include "ahrandom.h"
 #include "algchoic.h"
@@ -28,4 +28,5 @@ int AHChooseRandomUpdate PROTO_LIST
 int AHChooseRandomGenerateBytes PROTO_LIST
   ((THIS_RANDOM *, unsigned char *, unsigned int, A_SURRENDER_CTX *));
 
-#endif
+#endif /* DNSSAFE_AHCHRAND_H */
+
diff --git a/lib/dns/sec/dnssafe/ahdigest.h b/lib/dns/sec/dnssafe/ahdigest.h
index d7cc5f93..ee9ce4f3 100644
--- a/lib/dns/sec/dnssafe/ahdigest.h
+++ b/lib/dns/sec/dnssafe/ahdigest.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _AHDIGEST_H_
-#define _AHDIGEST_H_ 1
+#ifndef DNSSAFE_AHDIGEST_H
+#define DNSSAFE_AHDIGEST_H 1
 
 #include "btypechk.h"
 
@@ -45,4 +45,5 @@ void AHDigestConstructor PROTO_LIST ((AHDigest *));
      for B_TypeCheck, since this will just re-invoke this virtual
      destructor. */
 
-#endif
+#endif /* DNSSAFE_AHDIGEST_H */
+
diff --git a/lib/dns/sec/dnssafe/ahencryp.h b/lib/dns/sec/dnssafe/ahencryp.h
index f7ab14ca..d2cb28c4 100644
--- a/lib/dns/sec/dnssafe/ahencryp.h
+++ b/lib/dns/sec/dnssafe/ahencryp.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _AHENCRYP_H_
-#define _AHENCRYP_H_ 1
+#ifndef DNSSAFE_AHENCRYP_H
+#define DNSSAFE_AHENCRYP_H 1
 
 #include "btypechk.h"
 
@@ -82,4 +82,5 @@ void AHEncryptDecryptConstructor PROTO_LIST ((AHEncryptDecrypt *));
      for B_TypeCheck, since this will just re-invoke this virtual
      destructor. */
 
-#endif
+#endif /* DNSSAFE_AHENCRYP_H */
+
diff --git a/lib/dns/sec/dnssafe/ahgen.h b/lib/dns/sec/dnssafe/ahgen.h
index 7240e2e1..0ff23ec5 100644
--- a/lib/dns/sec/dnssafe/ahgen.h
+++ b/lib/dns/sec/dnssafe/ahgen.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _AHGEN_H_
-#define _AHGEN_H_ 1
+#ifndef DNSSAFE_AHGEN_H
+#define DNSSAFE_AHGEN_H 1
 
 #include "btypechk.h"
 
@@ -44,4 +44,5 @@ void AHGenerateConstructor PROTO_LIST ((AHGenerate *));
      for B_TypeCheck, since this will just re-invoke this virtual
      destructor. */
 
-#endif
+#endif /* DNSSAFE_AHGEN_H */
+
diff --git a/lib/dns/sec/dnssafe/ahrandom.h b/lib/dns/sec/dnssafe/ahrandom.h
index aeb4f3b0..de878b25 100644
--- a/lib/dns/sec/dnssafe/ahrandom.h
+++ b/lib/dns/sec/dnssafe/ahrandom.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _AHRANDOM_H_
-#define _AHRANDOM_H_ 1
+#ifndef DNSSAFE_AHRANDOM_H
+#define DNSSAFE_AHRANDOM_H 1
 
 #include "btypechk.h"
 
@@ -44,4 +44,5 @@ void AHRandomConstructor PROTO_LIST ((AHRandom *));
      for B_TypeCheck, since this will just re-invoke this virtual
      destructor. */
 
-#endif
+#endif /* DNSSAFE_AHRANDOM_H */
+
diff --git a/lib/dns/sec/dnssafe/ahrsaenc.h b/lib/dns/sec/dnssafe/ahrsaenc.h
index ede21c78..b8ab4852 100644
--- a/lib/dns/sec/dnssafe/ahrsaenc.h
+++ b/lib/dns/sec/dnssafe/ahrsaenc.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _AHRSAENC_H_
-#define _AHRSAENC_H_
+#ifndef DNSSAFE_AHRSAENC_H
+#define DNSSAFE_AHRSAENC_H 1
 
 #include "ahchencr.h"
 
@@ -65,4 +65,5 @@ int AH_RSAEncryptionDecryptFinal PROTO_LIST
   ((THIS_ENCRYPT_DECRYPT *, unsigned char *, unsigned int *,
     unsigned int, B_Algorithm *, A_SURRENDER_CTX *));
 
-#endif
+#endif /* DNSSAFE_AHRSAENC_H */
+
diff --git a/lib/dns/sec/dnssafe/ahrsaepr.h b/lib/dns/sec/dnssafe/ahrsaepr.h
index f5847bc6..0834a2e2 100644
--- a/lib/dns/sec/dnssafe/ahrsaepr.h
+++ b/lib/dns/sec/dnssafe/ahrsaepr.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _AHRSAEPR_H_
-#define _AHRSAEPR_H_
+#ifndef DNSSAFE_AHRSAEPR_H
+#define DNSSAFE_AHRSAEPR_H 1
 
 #include "ahrsaenc.h"
 
@@ -17,4 +17,5 @@ typedef AH_RSAEncryption AH_RSAEncryptionPrivate;
 AH_RSAEncryptionPrivate *AH_RSAEncrypPrivateConstructor PROTO_LIST
   ((AH_RSAEncryptionPrivate *));
 
-#endif
+#endif /* DNSSAFE_AHRSAEPR_H */
+
diff --git a/lib/dns/sec/dnssafe/ahrsaepu.h b/lib/dns/sec/dnssafe/ahrsaepu.h
index 0c13e204..aa37daed 100644
--- a/lib/dns/sec/dnssafe/ahrsaepu.h
+++ b/lib/dns/sec/dnssafe/ahrsaepu.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _AHRSAEPU_H_
-#define _AHRSAEPU_H_
+#ifndef DNSSAFE_AHRSAEPU_H
+#define DNSSAFE_AHRSAEPU_H 1
 
 #include "ahrsaenc.h"
 
@@ -17,4 +17,5 @@ typedef AH_RSAEncryption AH_RSAEncryptionPublic;
 AH_RSAEncryptionPublic *AH_RSAEncrypPublicConstructor PROTO_LIST
   ((AH_RSAEncryptionPublic *));
 
-#endif
+#endif /* DNSSAFE_AHRSAEPU_H */
+
diff --git a/lib/dns/sec/dnssafe/aichdig.h b/lib/dns/sec/dnssafe/aichdig.h
index e8228d91..3ea11e1e 100644
--- a/lib/dns/sec/dnssafe/aichdig.h
+++ b/lib/dns/sec/dnssafe/aichdig.h
@@ -6,12 +6,13 @@
    prohibited.
  */
 
-#ifndef _AICHDIG_H_
-#define _AICHDIG_H_ 1
+#ifndef DNSSAFE_AICHDIG_H
+#define DNSSAFE_AICHDIG_H 1
 
 #include "ainfotyp.h"
 #include "ainull.h"
 
 extern B_AlgorithmInfoTypeVTable AITChooseDigestNull_V_TABLE;
 
-#endif
+#endif /* DNSSAFE_AICHDIG_H */
+
diff --git a/lib/dns/sec/dnssafe/aichenc8.h b/lib/dns/sec/dnssafe/aichenc8.h
index 4c2096bd..a2ff06b5 100644
--- a/lib/dns/sec/dnssafe/aichenc8.h
+++ b/lib/dns/sec/dnssafe/aichenc8.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _AICHENC8_H_
-#define _AICHENC8_H_ 1
+#ifndef DNSSAFE_AICHENC8_H
+#define DNSSAFE_AICHENC8_H 1
 
 #include "aichencr.h"
 
@@ -16,4 +16,5 @@ extern B_AlgorithmInfoTypeVTable AITChooseEncrypt8_V_TABLE;
 int AIT_8AddInfo PROTO_LIST
   ((THIS_ALGORITHM_INFO_TYPE *, B_Algorithm *, POINTER));
 
-#endif
+#endif /* DNSSAFE_AICHENC8_H */
+
diff --git a/lib/dns/sec/dnssafe/aichencn.h b/lib/dns/sec/dnssafe/aichencn.h
index 11301573..ace47f41 100644
--- a/lib/dns/sec/dnssafe/aichencn.h
+++ b/lib/dns/sec/dnssafe/aichencn.h
@@ -6,12 +6,13 @@
    prohibited.
  */
 
-#ifndef _AICHENCN_H_
-#define _AICHENCN_H_ 1
+#ifndef DNSSAFE_AICHENCN_H
+#define DNSSAFE_AICHENCN_H 1
 
 #include "aichencr.h"
 #include "ainull.h"
 
 extern B_AlgorithmInfoTypeVTable AITChooseEncryptNull_V_TABLE;
 
-#endif
+#endif /* DNSSAFE_AICHENCN_H */
+
diff --git a/lib/dns/sec/dnssafe/aichencr.h b/lib/dns/sec/dnssafe/aichencr.h
index 2d99bfb0..13678076 100644
--- a/lib/dns/sec/dnssafe/aichencr.h
+++ b/lib/dns/sec/dnssafe/aichencr.h
@@ -6,12 +6,13 @@
    prohibited.
  */
 
-#ifndef _AICHENCR_H_
-#define _AICHENCR_H_ 1
+#ifndef DNSSAFE_AICHENCR_H
+#define DNSSAFE_AICHENCR_H 1
 
 #include "ainfotyp.h"
 
 struct B_TypeCheck *AITChooseEncryptNewHandler PROTO_LIST
   ((B_AlgorithmInfoType *, B_Algorithm *));
 
-#endif
+#endif /* DNSSAFE_AICHENCR_H */
+
diff --git a/lib/dns/sec/dnssafe/aichgen.h b/lib/dns/sec/dnssafe/aichgen.h
index eebd9b72..e8a9b15c 100644
--- a/lib/dns/sec/dnssafe/aichgen.h
+++ b/lib/dns/sec/dnssafe/aichgen.h
@@ -6,12 +6,13 @@
    prohibited.
  */
 
-#ifndef _AICHGEN_H_
-#define _AICHGEN_H_ 1
+#ifndef DNSSAFE_AICHGEN_H
+#define DNSSAFE_AICHGEN_H 1
 
 #include "ainfotyp.h"
 
 struct B_TypeCheck *AITChooseGenerateNewHandler PROTO_LIST
   ((B_AlgorithmInfoType *, B_Algorithm *));
 
-#endif
+#endif /* DNSSAFE_AICHGEN_H */
+
diff --git a/lib/dns/sec/dnssafe/aichrand.h b/lib/dns/sec/dnssafe/aichrand.h
index 6f188e18..0751c233 100644
--- a/lib/dns/sec/dnssafe/aichrand.h
+++ b/lib/dns/sec/dnssafe/aichrand.h
@@ -6,12 +6,13 @@
    prohibited.
  */
 
-#ifndef _AICHRAND_H_
-#define _AICHRAND_H_ 1
+#ifndef DNSSAFE_AICHRAND_H
+#define DNSSAFE_AICHRAND_H 1
 
 #include "ainfotyp.h"
 #include "ainull.h"
 
 extern B_AlgorithmInfoTypeVTable AITChooseRandomNull_V_TABLE;
 
-#endif
+#endif /* DNSSAFE_AICHRAND_H */
+
diff --git a/lib/dns/sec/dnssafe/ainfotyp.h b/lib/dns/sec/dnssafe/ainfotyp.h
index fa9f4a64..5ba10fce 100644
--- a/lib/dns/sec/dnssafe/ainfotyp.h
+++ b/lib/dns/sec/dnssafe/ainfotyp.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _AINFOTYP_H_
-#define _AINFOTYP_H_ 1
+#ifndef DNSSAFE_AINFOTYP_H
+#define DNSSAFE_AINFOTYP_H 1
 
 /* Use the THIS_ALGORITHM_INFO_TYPE macro to define the type of object in the
      virtual function prototype.  It defaults to the most base class, but
@@ -36,4 +36,5 @@ typedef struct B_AlgorithmInfoType {
 int B_AlgorithmInfoTypeMakeError PROTO_LIST
   ((THIS_ALGORITHM_INFO_TYPE *, POINTER *, B_Algorithm *));
 
-#endif
+#endif /* DNSSAFE_AINFOTYP_H */
+
diff --git a/lib/dns/sec/dnssafe/ainull.h b/lib/dns/sec/dnssafe/ainull.h
index 3b48901a..c68e1bde 100644
--- a/lib/dns/sec/dnssafe/ainull.h
+++ b/lib/dns/sec/dnssafe/ainull.h
@@ -6,5 +6,10 @@
    prohibited.
  */
 
+#ifndef DNSSAFE_AINULL_H
+#define DNSSAFE_AINULL_H 1
+
 int AITNullAddInfo PROTO_LIST
   ((THIS_ALGORITHM_INFO_TYPE *, B_Algorithm *, POINTER));
+
+#endif /* DNSSAFE_AINULL_H */
diff --git a/lib/dns/sec/dnssafe/algae.h b/lib/dns/sec/dnssafe/algae.h
index f1ceb62d..ee76fc78 100644
--- a/lib/dns/sec/dnssafe/algae.h
+++ b/lib/dns/sec/dnssafe/algae.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _ALGAE_H_
-#define _ALGAE_H_ 1
+#ifndef DNSSAFE_ALGAE_H
+#define DNSSAFE_ALGAE_H 1
 
 #ifndef T_CALL
 #define T_CALL
@@ -63,4 +63,5 @@ unsigned int A_IntegerBits PROTO_LIST ((unsigned char *, unsigned int));
 }
 #endif
 
-#endif
+#endif /* DNSSAFE_ALGAE_H */
+
diff --git a/lib/dns/sec/dnssafe/algchoic.h b/lib/dns/sec/dnssafe/algchoic.h
index 5743441d..bbf2c611 100644
--- a/lib/dns/sec/dnssafe/algchoic.h
+++ b/lib/dns/sec/dnssafe/algchoic.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _ALGCHOICE_H_
-#define _ALGCHOICE_H_ 1
+#ifndef DNSSAFE_ALGCHOIC_H
+#define DNSSAFE_ALGCHOIC_H 1
 
 #define IS_FATAL_BSAFE_ERROR(status) \
   (status == BE_ALLOC || status == BE_HARDWARE || status == BE_CANCEL)
@@ -71,7 +71,6 @@ private:
   ResizeContext context;
 };
  */
-struct B_AlgorithmInfoType;
 
 typedef struct ResizeContext {
   struct {
@@ -108,4 +107,4 @@ int AlgaChoiceChoose PROTO_LIST
 
 int ConvertAlgaeError PROTO_LIST ((int));
 
-#endif
+#endif /* DNSSAFE_ALGCHOIC_H */
diff --git a/lib/dns/sec/dnssafe/algobj.h b/lib/dns/sec/dnssafe/algobj.h
index 7f87cfae..3925478a 100644
--- a/lib/dns/sec/dnssafe/algobj.h
+++ b/lib/dns/sec/dnssafe/algobj.h
@@ -6,6 +6,9 @@
    prohibited.
  */
 
+#ifndef DNSSAFE_ALGOBJ_H
+#define DNSSAFE_ALGOBJ_H 1
+
 #define THE_ALG_WRAP ((AlgorithmWrap *)algorithmObject)
 
 typedef struct AlgorithmWrap {
@@ -17,3 +20,4 @@ typedef struct AlgorithmWrap {
 int AlgorithmWrapCheck PROTO_LIST ((AlgorithmWrap *));
 int RandomAlgorithmCheck PROTO_LIST ((B_ALGORITHM_OBJ));
 
+#endif /* DNSSAFE_ALGOBJ_H */
diff --git a/lib/dns/sec/dnssafe/amdigest.h b/lib/dns/sec/dnssafe/amdigest.h
index 5b8f5662..7c4c19aa 100644
--- a/lib/dns/sec/dnssafe/amdigest.h
+++ b/lib/dns/sec/dnssafe/amdigest.h
@@ -6,6 +6,9 @@
    prohibited.
  */
 
+#ifndef DNSSAFE_AMDIGEST_H
+#define DNSSAFE_AMDIGEST_H 1
+
 typedef struct {
   int (*Query) PROTO_LIST ((unsigned int *, POINTER));
   int (*Init) PROTO_LIST ((POINTER, POINTER, A_SURRENDER_CTX *));
@@ -17,3 +20,4 @@ typedef struct {
   int (*GetMaxOutputLen) PROTO_LIST ((POINTER, unsigned int *));
 } A_DIGEST_ALGA;
 
+#endif /* DNSSAFE_AMDIGEST_H */
diff --git a/lib/dns/sec/dnssafe/amencdec.h b/lib/dns/sec/dnssafe/amencdec.h
index 8f91a0fa..4c5d9d82 100644
--- a/lib/dns/sec/dnssafe/amencdec.h
+++ b/lib/dns/sec/dnssafe/amencdec.h
@@ -6,6 +6,9 @@
    prohibited.
  */
 
+#ifndef DNSSAFE_AMENCDEC_H
+#define DNSSAFE_AMENCDEC_H 1
+
 typedef struct {
   int (*Query) PROTO_LIST ((unsigned int *, POINTER, POINTER));
   int (*Init) PROTO_LIST ((POINTER, POINTER, POINTER, A_SURRENDER_CTX *));
@@ -19,3 +22,4 @@ typedef struct {
   int (*GetBlockLen) PROTO_LIST ((POINTER, unsigned int *));
 } A_ENCRYPT_DECRYPT_ALGA;
 
+#endif /* DNSSAFE_AMENCDEC_H */
diff --git a/lib/dns/sec/dnssafe/amgen.h b/lib/dns/sec/dnssafe/amgen.h
index ffdf4576..7a45af2f 100644
--- a/lib/dns/sec/dnssafe/amgen.h
+++ b/lib/dns/sec/dnssafe/amgen.h
@@ -6,6 +6,9 @@
    prohibited.
  */
 
+#ifndef DNSSAFE_AMGEN_H
+#define DNSSAFE_AMGEN_H 1
+
 struct B_KeyInfoType;
 
 typedef struct {
@@ -17,3 +20,4 @@ typedef struct {
     ((POINTER, POINTER *, unsigned char *, A_SURRENDER_CTX *));
 } A_GENERATE_ALGA;
 
+#endif /* DNSSAFE_AMGEN_H */
diff --git a/lib/dns/sec/dnssafe/amrandom.h b/lib/dns/sec/dnssafe/amrandom.h
index 3b9539a0..98a779e4 100644
--- a/lib/dns/sec/dnssafe/amrandom.h
+++ b/lib/dns/sec/dnssafe/amrandom.h
@@ -6,6 +6,9 @@
    prohibited.
  */
 
+#ifndef DNSSAFE_AMRANDOM_H
+#define DNSSAFE_AMRANDOM_H 1
+
 typedef struct {
   int (*Query) PROTO_LIST ((unsigned int *, POINTER));
   int (*Init) PROTO_LIST ((POINTER, POINTER, A_SURRENDER_CTX *));
@@ -15,3 +18,4 @@ typedef struct {
     ((POINTER, unsigned char *, unsigned int, A_SURRENDER_CTX *));
 } A_RANDOM_ALGA;
 
+#endif /* DNSSAFE_AMRANDOM_H */
diff --git a/lib/dns/sec/dnssafe/atypes.h b/lib/dns/sec/dnssafe/atypes.h
index e1af4eac..c83980ff 100644
--- a/lib/dns/sec/dnssafe/atypes.h
+++ b/lib/dns/sec/dnssafe/atypes.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _ATYPES_H_
-#define _ATYPES_H_ 1
+#ifndef DNSSAFE_ATYPES_H
+#define DNSSAFE_ATYPES_H 1
 
 #ifdef __cplusplus
 extern "C" {
@@ -57,4 +57,5 @@ typedef struct {
 }
 #endif
 
-#endif
+#endif /* DNSSAFE_ATYPES_H */
+
diff --git a/lib/dns/sec/dnssafe/balg.h b/lib/dns/sec/dnssafe/balg.h
index fdbc269b..1dfb8963 100644
--- a/lib/dns/sec/dnssafe/balg.h
+++ b/lib/dns/sec/dnssafe/balg.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _BALG_H_
-#define _BALG_H_ 1
+#ifndef DNSSAFE_BALG_H
+#define DNSSAFE_BALG_H 1
 
 #include "binfocsh.h"
 #include "btypechk.h"
@@ -113,4 +113,5 @@ int B_AlgorithmGenerateKeypair PROTO_LIST
 int B_AlgorithmGenerateParameters PROTO_LIST
   ((B_Algorithm *, B_Algorithm *, B_Algorithm *, A_SURRENDER_CTX *));
 
-#endif
+#endif /* DNSSAFE_BALG_H */
+
diff --git a/lib/dns/sec/dnssafe/balgmeth.h b/lib/dns/sec/dnssafe/balgmeth.h
index c73e3ad4..228f522c 100644
--- a/lib/dns/sec/dnssafe/balgmeth.h
+++ b/lib/dns/sec/dnssafe/balgmeth.h
@@ -6,6 +6,9 @@
    prohibited.
  */
 
+#ifndef DNSSAFE_BALGMETH_H
+#define DNSSAFE_BALGMETH_H 1
+
 struct B_AlgorithmInfoType;
 struct B_KeyInfoType;
 
@@ -16,3 +19,4 @@ struct B_ALGORITHM_METHOD {
   POINTER alga;
 };
 
+#endif /* DNSSAFE_BALGMETH_H */
diff --git a/lib/dns/sec/dnssafe/bigmath.h b/lib/dns/sec/dnssafe/bigmath.h
index 351b55b2..baa782ea 100644
--- a/lib/dns/sec/dnssafe/bigmath.h
+++ b/lib/dns/sec/dnssafe/bigmath.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _BIGMATH_H_
-#define _BIGMATH_H_ 1
+#ifndef DNSSAFE_BIGMATH_H
+#define DNSSAFE_BIGMATH_H 1
 
 #include "algae.h"
 #include "bigmaxes.h"
@@ -68,4 +68,5 @@ int CanonicalToBig PROTO_LIST
 }
 #endif
 
-#endif
+#endif /* DNSSAFE_BIGMATH_H */
+
diff --git a/lib/dns/sec/dnssafe/bigmaxes.h b/lib/dns/sec/dnssafe/bigmaxes.h
index 49992f67..9f5ba820 100644
--- a/lib/dns/sec/dnssafe/bigmaxes.h
+++ b/lib/dns/sec/dnssafe/bigmaxes.h
@@ -6,14 +6,14 @@
    prohibited.
  */
 
-#ifndef _BIGMAXES_H_
-#define _BIGMAXES_H_ 1
+#ifndef DNSSAFE_BIGMAXES_H
+#define DNSSAFE_BIGMAXES_H 1
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
-#define MAX_RSA_MODULUS_BITS 1024
+#define MAX_RSA_MODULUS_BITS 2028
 
 #define BITS_TO_LEN(modulusBits) (((modulusBits) + 7) / 8)
 #define RSA_PRIME_BITS(modulusBits) (((modulusBits) + 1) / 2)
@@ -44,4 +44,5 @@ extern "C" {
 }
 #endif
 
-#endif
+#endif /* DNSSAFE_BIGMAXES_H */
+
diff --git a/lib/dns/sec/dnssafe/binfocsh.h b/lib/dns/sec/dnssafe/binfocsh.h
index 32778765..6bd68493 100644
--- a/lib/dns/sec/dnssafe/binfocsh.h
+++ b/lib/dns/sec/dnssafe/binfocsh.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _BINFOCSH_H_
-#define _BINFOCSH_H_ 1
+#ifndef DNSSAFE_BINFOCSH_H
+#define DNSSAFE_BINFOCSH_H 1
 
 #include "bmempool.h"
 
@@ -30,4 +30,5 @@ void B_InfoCacheConstructor PROTO_LIST ((B_InfoCache *));
 int B_InfoCacheAddInfo PROTO_LIST ((B_InfoCache *, POINTER, POINTER));
 int B_InfoCacheFindInfo PROTO_LIST ((B_InfoCache *, POINTER *, POINTER));
 
-#endif
+#endif /* DNSSAFE_BINFOCSH_H */
+
diff --git a/lib/dns/sec/dnssafe/bkey.h b/lib/dns/sec/dnssafe/bkey.h
index bfcaca7a..5ea9b581 100644
--- a/lib/dns/sec/dnssafe/bkey.h
+++ b/lib/dns/sec/dnssafe/bkey.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _BKEY_H_
-#define _BKEY_H_ 1
+#ifndef DNSSAFE_BKEY_H
+#define DNSSAFE_BKEY_H 1
 
 #include "binfocsh.h"
 
@@ -29,4 +29,5 @@ int B_KeySetInfo PROTO_LIST ((B_Key *, struct B_KeyInfoType *, POINTER));
 int B_KeyGetInfo PROTO_LIST ((B_Key *, POINTER *, struct B_KeyInfoType *));
 int B_KeyAddItemInfo PROTO_LIST ((B_Key *, unsigned char *, unsigned int));
 
-#endif
+#endif /* DNSSAFE_BKEY_H */
+
diff --git a/lib/dns/sec/dnssafe/bmempool.h b/lib/dns/sec/dnssafe/bmempool.h
index b5216dd2..6f87e178 100644
--- a/lib/dns/sec/dnssafe/bmempool.h
+++ b/lib/dns/sec/dnssafe/bmempool.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _BMEMPOOL_H_
-#define _BMEMPOOL_H_ 1
+#ifndef DNSSAFE_BMEMPOOL_H
+#define DNSSAFE_BMEMPOOL_H 1
 
 typedef void (*B_MEMORY_POOL_DELETE_FUNCTION) PROTO_LIST ((POINTER));
 
@@ -50,4 +50,5 @@ B_ALLOCED_DATA *B_MemoryPoolFindAllocedObject PROTO_LIST
 int B_MemoryPoolAdoptHelper PROTO_LIST
   ((B_MemoryPool *, POINTER, unsigned int, B_MEMORY_POOL_DELETE_FUNCTION));
 
-#endif
+#endif /* DNSSAFE_BMEMPOOL_H */
+
diff --git a/lib/dns/sec/dnssafe/bsafe2.h b/lib/dns/sec/dnssafe/bsafe2.h
index 4eb4ef55..a3a51d05 100644
--- a/lib/dns/sec/dnssafe/bsafe2.h
+++ b/lib/dns/sec/dnssafe/bsafe2.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _BSAFE_H_
-#define _BSAFE_H_ 1
+#ifndef DNSSAFE_BSAFE2_H
+#define DNSSAFE_BSAFE2_H 1
 
 #ifndef T_CALL
 #define T_CALL
@@ -191,4 +191,5 @@ extern B_ALGORITHM_METHOD T_CALL AM_RSA_KEY_GEN;
 }
 #endif
 
-#endif
+#endif /* DNSSAFE_BSAFE2_H */
+
diff --git a/lib/dns/sec/dnssafe/btypechk.h b/lib/dns/sec/dnssafe/btypechk.h
index 93f5a97b..e171fd64 100644
--- a/lib/dns/sec/dnssafe/btypechk.h
+++ b/lib/dns/sec/dnssafe/btypechk.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _BTYPECHK_H_
-#define _BTYPECHK_H_ 1
+#ifndef DNSSAFE_BTYPECHK_H
+#define DNSSAFE_BTYPECHK_H 1
 
 struct B_TypeCheck;
 
@@ -22,4 +22,5 @@ typedef struct B_TypeCheck {
 #define B_TYPE_CHECK_Destructor(typeCheck)\
   (*(typeCheck)->_Destructor) (typeCheck)
 
-#endif
+#endif /* DNSSAFE_BTYPECHK_H */
+
diff --git a/lib/dns/sec/dnssafe/crt2.h b/lib/dns/sec/dnssafe/crt2.h
index 4c5c0f7d..2ead317b 100644
--- a/lib/dns/sec/dnssafe/crt2.h
+++ b/lib/dns/sec/dnssafe/crt2.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _RSA_H_
-#define _RSA_H_ 1
+#ifndef DNSSAFE_CRT2_H
+#define DNSSAFE_CRT2_H 1
 
 #include "bigmaxes.h"
 
@@ -47,4 +47,4 @@ void A_RSA_CRT2GetMaxOutputLen PROTO_LIST
 }
 #endif
 
-#endif
+#endif /* DNSSAFE_CRT2_H */
diff --git a/lib/dns/sec/dnssafe/digrand.h b/lib/dns/sec/dnssafe/digrand.h
index 6753c9cf..493dd87c 100644
--- a/lib/dns/sec/dnssafe/digrand.h
+++ b/lib/dns/sec/dnssafe/digrand.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _DIGRAND_H_
-#define _DIGRAND_H_ 1
+#ifndef DNSSAFE_DIGRAND_H
+#define DNSSAFE_DIGRAND_H 1
 
 #ifdef __cplusplus
 extern "C" {
@@ -50,4 +50,5 @@ void A_DigestRandomGenerateBytes PROTO_LIST
 }
 #endif
 
-#endif
+#endif /* DNSSAFE_DIGRAND_H */
+
diff --git a/lib/dns/sec/dnssafe/global.h b/lib/dns/sec/dnssafe/global.h
index e95ac180..ca21ecb7 100644
--- a/lib/dns/sec/dnssafe/global.h
+++ b/lib/dns/sec/dnssafe/global.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _GLOBAL_H_
-#define _GLOBAL_H_ 1
+#ifndef DNSSAFE_GLOBAL_H
+#define DNSSAFE_GLOBAL_H 1
 
 #ifdef __cplusplus
 extern "C" {
@@ -24,7 +24,7 @@ extern "C" {
 
 #include <config.h>
 #include <isc/int.h>
-#include <sys/types.h>
+#include <sys/types.h> /* XXXMLG This should go... */
 
 /* POINTER defines a generic pointer type */
 typedef unsigned char *POINTER;
@@ -57,4 +57,5 @@ typedef isc_uint32_t UINT4;
 }
 #endif
 
-#endif /* end _GLOBAL_H_ */
+#endif /* DNSSAFE_GLOBAL_H */
+
diff --git a/lib/dns/sec/dnssafe/intitem.h b/lib/dns/sec/dnssafe/intitem.h
index 05cb2fc1..a0062d4b 100644
--- a/lib/dns/sec/dnssafe/intitem.h
+++ b/lib/dns/sec/dnssafe/intitem.h
@@ -6,6 +6,10 @@
    prohibited.
  */
 
+#ifndef DNSSAFE_INTITEM_H
+#define DNSSAFE_INTITEM_H 1
+
 int AllocAndCopyIntegerItems PROTO_LIST
   ((POINTER, POINTER, POINTER, ITEM **, unsigned int, B_MemoryPool *));
 
+#endif /* DNSSAFE_INTITEM_H */
diff --git a/lib/dns/sec/dnssafe/keyobj.h b/lib/dns/sec/dnssafe/keyobj.h
index b7f582f8..9a75b012 100644
--- a/lib/dns/sec/dnssafe/keyobj.h
+++ b/lib/dns/sec/dnssafe/keyobj.h
@@ -6,6 +6,9 @@
    prohibited.
  */
 
+#ifndef DNSSAFE_KEYOBJ_H
+#define DNSSAFE_KEYOBJ_H 1
+
 typedef struct KeyWrap {
   B_Key key;
   char *typeTag;
@@ -14,3 +17,4 @@ typedef struct KeyWrap {
 
 int KeyWrapCheck PROTO_LIST ((KeyWrap *));
 
+#endif /* DNSSAFE_KEYOBJ_H */
diff --git a/lib/dns/sec/dnssafe/ki8byte.h b/lib/dns/sec/dnssafe/ki8byte.h
index 1c78bb12..8ef0b844 100644
--- a/lib/dns/sec/dnssafe/ki8byte.h
+++ b/lib/dns/sec/dnssafe/ki8byte.h
@@ -6,4 +6,9 @@
    prohibited.
  */
 
+#ifndef DNSSAFE_KI8BYTE_H
+#define DNSSAFE_KI8BYTE_H 1
+
 extern B_KeyInfoType KIT_8Byte;
+
+#endif /* DNSSAFE_KI8BYTE_H */
diff --git a/lib/dns/sec/dnssafe/kifulprv.h b/lib/dns/sec/dnssafe/kifulprv.h
index 8e469ce9..ccc8eee9 100644
--- a/lib/dns/sec/dnssafe/kifulprv.h
+++ b/lib/dns/sec/dnssafe/kifulprv.h
@@ -6,7 +6,12 @@
    prohibited.
  */
 
+#ifndef DNSSAFE_KIFULPRV_H
+#define DNSSAFE_KIFULPRV_H 1
+
 int CacheFullPrivateKey PROTO_LIST
   ((B_Key *, ITEM *, ITEM *, ITEM *, ITEM *, ITEM *, ITEM *));
 int GetFullPrivateKeyInfo PROTO_LIST
   ((ITEM *, ITEM *, ITEM *, ITEM *, ITEM *, ITEM *, B_Key *));
+
+#endif /* DNSSAFE_KIFULPRV_H */
diff --git a/lib/dns/sec/dnssafe/kiitem.h b/lib/dns/sec/dnssafe/kiitem.h
index ab80ceee..c97a23cc 100644
--- a/lib/dns/sec/dnssafe/kiitem.h
+++ b/lib/dns/sec/dnssafe/kiitem.h
@@ -6,4 +6,9 @@
    prohibited.
  */
 
+#ifndef DNSSAFE_KIITEM_H
+#define DNSSAFE_KIITEM_H 1
+
 extern B_KeyInfoType KITItem;
+
+#endif /* DNSSAFE_KIITEM_H */
diff --git a/lib/dns/sec/dnssafe/kinfotyp.h b/lib/dns/sec/dnssafe/kinfotyp.h
index 3f6ce7c1..39c5292c 100644
--- a/lib/dns/sec/dnssafe/kinfotyp.h
+++ b/lib/dns/sec/dnssafe/kinfotyp.h
@@ -6,6 +6,9 @@
    prohibited.
  */
 
+#ifndef DNSSAFE_KINFOTYP_H
+#define DNSSAFE_KINFOTYP_H 1
+
 typedef int (*KIT_ADD_INFO) PROTO_LIST ((B_Key *, POINTER));
 typedef int (*KIT_MAKE_INFO) PROTO_LIST ((POINTER *, B_Key *));
 
@@ -55,3 +58,5 @@ typedef struct B_KeyInfoType {
 } B_KeyInfoType;
 
 int B_KeyInfoTypeMakeError PROTO_LIST ((POINTER *, B_Key *));
+
+#endif /* DNSSAFE_KINFOTYP_H */
diff --git a/lib/dns/sec/dnssafe/kipkcrpr.h b/lib/dns/sec/dnssafe/kipkcrpr.h
index 9bcfc02d..bcb7eaf4 100644
--- a/lib/dns/sec/dnssafe/kipkcrpr.h
+++ b/lib/dns/sec/dnssafe/kipkcrpr.h
@@ -6,8 +6,12 @@
    prohibited.
  */
 
+#ifndef DNSSAFE_KIPKCRPR_H
+#define DNSSAFE_KIPKCRPR_H 1
+
 extern B_KeyInfoType KIT_PKCS_RSAPrivate;
 
 int KIT_PKCS_RSAPrivateAddInfo PROTO_LIST ((B_Key *, POINTER));
 int KIT_PKCS_RSAPrivateMakeInfo PROTO_LIST ((POINTER *, B_Key *));
 
+#endif /* DNSSAFE_KIPKCRPR_H */
diff --git a/lib/dns/sec/dnssafe/kirsapub.h b/lib/dns/sec/dnssafe/kirsapub.h
index 485fd79a..548b40ec 100644
--- a/lib/dns/sec/dnssafe/kirsapub.h
+++ b/lib/dns/sec/dnssafe/kirsapub.h
@@ -6,8 +6,12 @@
    prohibited.
  */
 
+#ifndef DNSSAFE_KIRSAPUB_H
+#define DNSSAFE_KIRSAPUB_H 1
+
 extern B_KeyInfoType KIT_RSAPublic;
 
 int KIT_RSAPublicAddInfo PROTO_LIST ((B_Key *, POINTER));
 int KIT_RSAPublicMakeInfo PROTO_LIST ((POINTER *, B_Key *));
 
+#endif /* DNSSAFE_KIRSAPUB_H */
diff --git a/lib/dns/sec/dnssafe/md5.h b/lib/dns/sec/dnssafe/md5.h
index f770a073..0abec037 100644
--- a/lib/dns/sec/dnssafe/md5.h
+++ b/lib/dns/sec/dnssafe/md5.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _MD5_H_
-#define _MD5_H_ 1
+#ifndef DNSSAFE_MD5_H
+#define DNSSAFE_MD5_H 1
 
 #ifdef __cplusplus
 extern "C" {
@@ -29,4 +29,5 @@ void A_MD5Final PROTO_LIST ((A_MD5_CTX *, unsigned char *));
 }
 #endif
 
-#endif
+#endif /* DNSSAFE_MD5_H */
+
diff --git a/lib/dns/sec/dnssafe/md5rand.h b/lib/dns/sec/dnssafe/md5rand.h
index f1974106..dc0b20ae 100644
--- a/lib/dns/sec/dnssafe/md5rand.h
+++ b/lib/dns/sec/dnssafe/md5rand.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _MD5RAND_H_
-#define _MD5RAND_H_ 1
+#ifndef DNSSAFE_MD5RAND_H
+#define DNSSAFE_MD5RAND_H 1
 
 #include "digrand.h"
 #include "md5.h"
@@ -33,4 +33,5 @@ void A_MD5RandomGenerateBytes PROTO_LIST
 }
 #endif
 
-#endif
+#endif /* DNSSAFE_MD5RAND_H */
+
diff --git a/lib/dns/sec/dnssafe/prime.h b/lib/dns/sec/dnssafe/prime.h
index e922f36a..77484675 100644
--- a/lib/dns/sec/dnssafe/prime.h
+++ b/lib/dns/sec/dnssafe/prime.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _PRIME_H_
-#define _PRIME_H_ 1
+#ifndef DNSSAFE_PRIME_H
+#define DNSSAFE_PRIME_H 1
 
 #ifdef __cplusplus
 extern "C" {
@@ -23,4 +23,5 @@ int PseudoPrime PROTO_LIST
 }
 #endif
 
-#endif
+#endif /* DNSSAFE_PRIME_H */
+
diff --git a/lib/dns/sec/dnssafe/rsa.h b/lib/dns/sec/dnssafe/rsa.h
index 2d86099a..63cf788b 100644
--- a/lib/dns/sec/dnssafe/rsa.h
+++ b/lib/dns/sec/dnssafe/rsa.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _RSA_H_
-#define _RSA_H_ 1
+#ifndef DNSSAFE_RSA_H
+#define DNSSAFE_RSA_H 1
 
 #include "bigmaxes.h"
 
@@ -41,4 +41,5 @@ int A_RSAFinal PROTO_LIST ((A_RSA_CTX *));
 }
 #endif
 
-#endif
+#endif /* DNSSAFE_RSA_H */
+
diff --git a/lib/dns/sec/dnssafe/rsakeygn.h b/lib/dns/sec/dnssafe/rsakeygn.h
index ba40b864..d3637160 100644
--- a/lib/dns/sec/dnssafe/rsakeygn.h
+++ b/lib/dns/sec/dnssafe/rsakeygn.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _RSAKEYGN_H_
-#define _RSAKEYGN_H_ 1
+#ifndef DNSSAFE_RSAKEYGN_H
+#define DNSSAFE_RSAKEYGN_H 1
 
 #include "bigmaxes.h"
 
@@ -50,5 +50,6 @@ int A_RSAKeyGen PROTO_LIST
 }
 #endif
 
-#endif
+#endif /* DNSSAFE_RSAKEYGN_H */
+
 
diff --git a/lib/dns/sec/dnssafe/secrcbc.h b/lib/dns/sec/dnssafe/secrcbc.h
index 122f83f5..fb552307 100644
--- a/lib/dns/sec/dnssafe/secrcbc.h
+++ b/lib/dns/sec/dnssafe/secrcbc.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _SECRCBC_H_
-#define _SECRCBC_H_ 1
+#ifndef DNSSAFE_SECRCBC_H
+#define DNSSAFE_SECRCBC_H 1
 
 #ifdef __cplusplus
 extern "C" {
@@ -33,4 +33,5 @@ int SecretCBCDecryptFinal PROTO_LIST
 }
 #endif
 
-#endif
+#endif /* DNSSAFE_SECRCBC_H */
+
diff --git a/lib/dns/sec/dnssafe/surrendr.h b/lib/dns/sec/dnssafe/surrendr.h
index dc929046..179cda26 100644
--- a/lib/dns/sec/dnssafe/surrendr.h
+++ b/lib/dns/sec/dnssafe/surrendr.h
@@ -6,8 +6,8 @@
    prohibited.
  */
 
-#ifndef _SURRENDR_H_
-#define _SURRENDR_H_ 1
+#ifndef DNSSAFE_SURRENDR_H
+#define DNSSAFE_SURRENDR_H 1
 
 #ifdef __cplusplus
 extern "C" {
@@ -19,4 +19,5 @@ int CheckSurrender PROTO_LIST ((A_SURRENDER_CTX *));
 }
 #endif
 
-#endif
+#endif /* DNSSAFE_SURRENDR_H */
+
diff --git a/lib/dns/sec/dst/Makefile.in b/lib/dns/sec/dst/Makefile.in
index b881b2bc..9c00156f 100644
--- a/lib/dns/sec/dst/Makefile.in
+++ b/lib/dns/sec/dst/Makefile.in
@@ -22,9 +22,9 @@ top_srcdir =	@top_srcdir@
 CINCLUDES =	-I${srcdir} \
 		-I${srcdir}/../dnssafe \
 		-I${srcdir}/../openssl/include \
-		${DNS_INCLUDES} ${ISC_INCLUDES}
+		${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
 
-CDEFINES =	-DUSE_MD5 -DDNSSAFE -DOPENSSL
+CDEFINES =	-DUSE_MD5 -DDNSSAFE -DOPENSSL @DST_PRIVATEOPENSSL@
 CWARNINGS =
 
 LIBS =		@LIBS@
diff --git a/lib/dns/sec/dst/bsafe_link.c b/lib/dns/sec/dst/bsafe_link.c
index d4c84005..2aa51087 100644
--- a/lib/dns/sec/dst/bsafe_link.c
+++ b/lib/dns/sec/dst/bsafe_link.c
@@ -1,41 +1,39 @@
-#if defined(BSAFE) || defined(DNSSAFE)
-
 /*
  * Portions Copyright (c) 1995-1999 by Network Associates, Inc.
+ * Portions Copyright (C) 1999, 2000  Internet Software Consortium.
  *
- * Permission to use, copy modify, and distribute this software for any
+ * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND NETWORK ASSOCIATES
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL
- * NETWORK ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM AND
+ * NETWORK ASSOCIATES DISCLAIM ALL WARRANTIES WITH REGARD TO THIS
+ * SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ * FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE CONSORTIUM OR NETWORK
+ * ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
+ * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
  */
 
 /*
  * Principal Author: Brian Wellington
- * $Id: bsafe_link.c,v 1.12 2000/03/06 20:05:58 bwelling Exp $
+ * $Id: bsafe_link.c,v 1.19 2000/05/15 21:30:39 bwelling Exp $
  */
 
-#include <config.h>
+#if defined(BSAFE) || defined(DNSSAFE)
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <memory.h>
+#include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/buffer.h>
-#include <isc/int.h>
-#include <isc/region.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <dns/keyvalues.h>
 
+#include <dst/result.h>
+
 #include "dst_internal.h"
 #include "dst_parse.h"
 
@@ -115,7 +113,7 @@ static isc_result_t	dst_bsafe_from_file(dst_key_t *key,
  * Sets up function pointers for BSAFE/DNSSAFE related functions 
  */
 void
-dst_s_bsafersa_init() {
+dst_s_bsafersa_init(void) {
 	REQUIRE(dst_t_func[DST_ALG_RSA] == NULL);
 	dst_t_func[DST_ALG_RSA] = &bsafe_functions;
 	memset(&bsafe_functions, 0, sizeof(struct dst_func));
@@ -154,31 +152,28 @@ static isc_result_t
 dst_bsafe_sign(const unsigned int mode, dst_key_t *key, void **context,
 	       isc_region_t *data, isc_buffer_t *sig, isc_mem_t *mctx)
 {
-	int status = 0;
 	B_ALGORITHM_OBJ *md5_ctx = NULL;
 	unsigned char digest_array[DNS_SIG_RSAMAXSIZE];
 	isc_buffer_t digest;
 	isc_region_t sig_region, digest_region;
 	isc_result_t ret;
 	
-	if (mode & DST_SIGMODE_INIT) { 
-		md5_ctx = (B_ALGORITHM_OBJ *) isc_mem_get(mctx,
-							  sizeof(*md5_ctx));
+	if ((mode & DST_SIGMODE_INIT) != 0) { 
+		md5_ctx = (B_ALGORITHM_OBJ *)isc_mem_get(mctx,
+							 sizeof(*md5_ctx));
 		if (md5_ctx == NULL)
 			return (ISC_R_NOMEMORY);
-		if ((status = B_CreateAlgorithmObject(md5_ctx)) != 0)
+		if (B_CreateAlgorithmObject(md5_ctx) != 0)
 			return (ISC_R_NOMEMORY);
-		if ((status = B_SetAlgorithmInfo(*md5_ctx, AI_MD5, NULL)) != 0)
+		if (B_SetAlgorithmInfo(*md5_ctx, AI_MD5, NULL) != 0)
 			return (ISC_R_NOMEMORY);
-	}
-	else if (context != NULL) 
-		md5_ctx = (B_ALGORITHM_OBJ *) *context;
+	} else if (context != NULL) 
+		md5_ctx = (B_ALGORITHM_OBJ *)*context;
 	REQUIRE (md5_ctx != NULL);
 
-	isc_buffer_init(&digest, digest_array, sizeof(digest_array),
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&digest, digest_array, sizeof(digest_array));
 	ret = dst_bsafe_md5digest(mode, md5_ctx, data, &digest);
-	if (ret != ISC_R_SUCCESS || (mode & DST_SIGMODE_FINAL)) {
+	if (ret != ISC_R_SUCCESS || (mode & DST_SIGMODE_FINAL) != 0) {
 		B_DestroyAlgorithmObject(md5_ctx);
 		memset(md5_ctx, 0, sizeof(*md5_ctx));
 		isc_mem_put(mctx, md5_ctx, sizeof(*md5_ctx));
@@ -186,64 +181,61 @@ dst_bsafe_sign(const unsigned int mode, dst_key_t *key, void **context,
 			return (ret);
 	}
 
-	if (mode & DST_SIGMODE_FINAL) {
+	if ((mode & DST_SIGMODE_FINAL) != 0) {
 		RSA_Key *rkey;
-		B_ALGORITHM_OBJ rsaEncryptor = (B_ALGORITHM_OBJ) NULL_PTR;
+		B_ALGORITHM_OBJ rsaEncryptor = (B_ALGORITHM_OBJ)NULL_PTR;
 		unsigned int written = 0;
 
-		isc_buffer_available(sig, &sig_region);
-		isc_buffer_remaining(&digest, &digest_region);
+		isc_buffer_availableregion(sig, &sig_region);
+		isc_buffer_remainingregion(&digest, &digest_region);
 
-		if (sig_region.length * 8 < (unsigned int) key->key_size)
+		if (sig_region.length * 8 < (unsigned int)key->key_size)
 			return (ISC_R_NOSPACE);
 		
-		rkey = (RSA_Key *) key->opaque;
+		rkey = (RSA_Key *)key->opaque;
 		if (rkey == NULL)
 			return (DST_R_NULLKEY);
 		if (rkey->rk_Private_Key == NULL)
 			return (DST_R_NOTPRIVATEKEY);
 
-		if ((status = B_CreateAlgorithmObject(&rsaEncryptor)) != 0)
+		if (B_CreateAlgorithmObject(&rsaEncryptor) != 0)
 			return (ISC_R_NOMEMORY);
-		if ((status = B_SetAlgorithmInfo(rsaEncryptor,
-						 AI_PKCS_RSAPrivate,
-						 NULL_PTR)) != 0)
-
+		if (B_SetAlgorithmInfo(rsaEncryptor, AI_PKCS_RSAPrivate,
+				       NULL_PTR) != 0)
 			goto finalfail;
-		if ((status = B_EncryptInit(rsaEncryptor,
-					    rkey->rk_Private_Key,
-					    CHOOSER, NULL_SURRENDER)) != 0)
+
+		if (B_EncryptInit(rsaEncryptor, rkey->rk_Private_Key, CHOOSER,
+				  NULL_SURRENDER) != 0)
 			goto finalfail;
-		if ((status = B_EncryptUpdate(rsaEncryptor, sig_region.base,
-					      &written, sig_region.length,
-					      pkcs1, sizeof(pkcs1),
-					      NULL_PTR, NULL_SURRENDER)) != 0)
+
+		if (B_EncryptUpdate(rsaEncryptor, sig_region.base, &written,
+				    sig_region.length, pkcs1, sizeof(pkcs1),
+				    NULL_PTR, NULL_SURRENDER) != 0)
 			goto finalfail;
 
 		if (written > 0) {
 			isc_buffer_add(sig, written);
-			isc_buffer_available(sig, &sig_region);
+			isc_buffer_availableregion(sig, &sig_region);
 			written = 0;
 		}
 
-		if ((status = B_EncryptUpdate(rsaEncryptor, sig_region.base,
-					      &written, sig_region.length,
-					      digest_region.base,
-					      digest_region.length,
-					      NULL_PTR, NULL_SURRENDER)) != 0)
+		if (B_EncryptUpdate(rsaEncryptor, sig_region.base, &written,
+				    sig_region.length, digest_region.base,
+				    digest_region.length, NULL_PTR,
+				    NULL_SURRENDER) != 0)
 			goto finalfail;
 
 		if (written > 0) {
 			isc_buffer_add(sig, written);
-			isc_buffer_available(sig, &sig_region);
+			isc_buffer_availableregion(sig, &sig_region);
 			written = 0;
 		}
 
 		isc_buffer_forward(&digest, digest_region.length);
 
-		if ((status = B_EncryptFinal(rsaEncryptor, sig_region.base,
-					     &written, sig_region.length,
-					     NULL_PTR, NULL_SURRENDER)) != 0)
+		if (B_EncryptFinal(rsaEncryptor, sig_region.base, &written,
+				   sig_region.length, NULL_PTR,
+				   NULL_SURRENDER) != 0)
 			goto finalfail;
 		isc_buffer_add(sig, written);
 
@@ -287,26 +279,23 @@ dst_bsafe_verify(const unsigned int mode, dst_key_t *key, void **context,
 	isc_buffer_t work, digest;
 	isc_region_t work_region, digest_region;
 	isc_result_t ret;
-	int status = 0;
 
-	if (mode & DST_SIGMODE_INIT) { 
-		md5_ctx = (B_ALGORITHM_OBJ *) isc_mem_get(mctx,
-							  sizeof(*md5_ctx));
+	if ((mode & DST_SIGMODE_INIT) != 0) { 
+		md5_ctx = (B_ALGORITHM_OBJ *)isc_mem_get(mctx,
+							 sizeof(*md5_ctx));
 		if (md5_ctx == NULL)
 			return (ISC_R_NOMEMORY);
-		if ((status = B_CreateAlgorithmObject(md5_ctx)) != 0)
+		if (B_CreateAlgorithmObject(md5_ctx) != 0)
 			return (ISC_R_NOMEMORY);
-		if ((status = B_SetAlgorithmInfo(*md5_ctx, AI_MD5, NULL)) != 0)
+		if (B_SetAlgorithmInfo(*md5_ctx, AI_MD5, NULL) != 0)
 			return (ISC_R_NOMEMORY);
-	}
-	else if (context != NULL) 
-		md5_ctx = (B_ALGORITHM_OBJ *) *context;
+	} else if (context != NULL) 
+		md5_ctx = (B_ALGORITHM_OBJ *)*context;
 	REQUIRE (md5_ctx != NULL);
 
-	isc_buffer_init(&digest, digest_array, sizeof(digest_array),
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&digest, digest_array, sizeof(digest_array));
 	ret = dst_bsafe_md5digest(mode, md5_ctx, data, &digest);
-	if (ret != ISC_R_SUCCESS || (mode & DST_SIGMODE_FINAL)) {
+	if (ret != ISC_R_SUCCESS || (mode & DST_SIGMODE_FINAL) != 0) {
 		B_DestroyAlgorithmObject(md5_ctx);
 		memset(md5_ctx, 0, sizeof(*md5_ctx));
 		isc_mem_put(mctx, md5_ctx, sizeof(*md5_ctx));
@@ -319,52 +308,52 @@ dst_bsafe_verify(const unsigned int mode, dst_key_t *key, void **context,
 		B_ALGORITHM_OBJ rsaEncryptor = (B_ALGORITHM_OBJ) NULL_PTR;
 		unsigned int written = 0;
 
-		isc_buffer_init(&work, work_area, sizeof(work_area),
-				ISC_BUFFERTYPE_BINARY);
+		isc_buffer_init(&work, work_area, sizeof(work_area));
 
-		isc_buffer_available(&work, &work_region);
+		isc_buffer_availableregion(&work, &work_region);
 
 		rkey = (RSA_Key *) key->opaque;
 		if (rkey == NULL)
 			return (DST_R_NULLKEY);
 		if (rkey->rk_Public_Key == NULL)
 			return (DST_R_NOTPUBLICKEY);
-		if ((status = B_CreateAlgorithmObject(&rsaEncryptor)) != 0)
+		if (B_CreateAlgorithmObject(&rsaEncryptor) != 0)
 			return (ISC_R_NOMEMORY);
-		if ((status = B_SetAlgorithmInfo(rsaEncryptor,
-						 AI_PKCS_RSAPublic,
-						 NULL_PTR)) != 0)
+		if (B_SetAlgorithmInfo(rsaEncryptor, AI_PKCS_RSAPublic,
+				       NULL_PTR) != 0)
 			goto finalfail;
-		if ((status = B_DecryptInit(rsaEncryptor, rkey->rk_Public_Key,
-					    CHOOSER, NULL_SURRENDER)) != 0)
+		if (B_DecryptInit(rsaEncryptor, rkey->rk_Public_Key,
+				  CHOOSER, NULL_SURRENDER) != 0)
 			goto finalfail;
 
-		if ((status = B_DecryptUpdate(rsaEncryptor, work_region.base,
-					      &written, work_region.length,
-					      sig->base, sig->length,
-					      NULL_PTR, NULL_SURRENDER)) != 0)
+		if (B_DecryptUpdate(rsaEncryptor, work_region.base, &written,
+				    work_region.length, sig->base, sig->length,
+				    NULL_PTR, NULL_SURRENDER) != 0)
 			goto finalfail;
 
 		if (written > 0) {
 			isc_buffer_add(&work, written);
-			isc_buffer_available(&work, &work_region);
+			isc_buffer_availableregion(&work, &work_region);
 			written = 0;
 		}
 
-		if ((status = B_DecryptFinal(rsaEncryptor, work_region.base,
-					     &written, work_region.length,
-					     NULL_PTR, NULL_SURRENDER)) != 0)
+		if (B_DecryptFinal(rsaEncryptor, work_region.base, &written,
+				   work_region.length, NULL_PTR,
+				   NULL_SURRENDER) != 0)
 			goto finalfail;
 
 		if (written > 0)
 			isc_buffer_add(&work, written);
 
-		isc_buffer_used(&work, &work_region);
-		isc_buffer_used(&digest, &digest_region);
+		isc_buffer_usedregion(&work, &work_region);
+		isc_buffer_usedregion(&digest, &digest_region);
 		
 		B_DestroyAlgorithmObject(&rsaEncryptor);
-		/* skip PKCS#1 header in output from Decrypt function */
-		if (memcmp(digest_region.base, work_region.base + sizeof(pkcs1),
+		/*
+		 * Skip PKCS#1 header in output from Decrypt function.
+		 */
+		if (memcmp(digest_region.base,
+			   work_region.base + sizeof(pkcs1),
 			   digest_region.length) == 0)
 			return (ISC_R_SUCCESS);
 		else
@@ -412,15 +401,14 @@ dst_bsafe_to_dns(const dst_key_t *key, isc_buffer_t *data) {
 	B_KEY_OBJ public;
 	A_RSA_KEY *pub = NULL;
 	isc_region_t r;
-	int status;
 
 	REQUIRE(key->opaque != NULL);
 
 	public = (B_KEY_OBJ)((RSA_Key *)key->opaque)->rk_Public_Key;
 
-	if ((status = B_GetKeyInfo((POINTER *)&pub, public, KI_RSAPublic)) != 0)
+	if (B_GetKeyInfo((POINTER *)&pub, public, KI_RSAPublic) != 0)
 		return (DST_R_INVALIDPUBLICKEY);
-	isc_buffer_available(data, &r);
+	isc_buffer_availableregion(data, &r);
 	if (pub->exponent.len < 256) {  /* key exponent is <= 2040 bits */
 		if (r.length < 1 + pub->exponent.len + pub->modulus.len)
 			return (ISC_R_NOSPACE);
@@ -432,7 +420,7 @@ dst_bsafe_to_dns(const dst_key_t *key, isc_buffer_t *data) {
 		isc_buffer_putuint16(data, (isc_uint16_t)pub->exponent.len);
 	}
 
-	isc_buffer_available(data, &r);
+	isc_buffer_availableregion(data, &r);
 	memcpy(r.base, pub->exponent.data, pub->exponent.len);
 	r.base += pub->exponent.len;
 	memcpy(r.base, pub->modulus.data, pub->modulus.len);
@@ -459,9 +447,8 @@ dst_bsafe_from_dns(dst_key_t *key, isc_buffer_t *data, isc_mem_t *mctx) {
 	A_RSA_KEY *public;
 	isc_region_t r;
 	isc_buffer_t b;
-	int status;
 
-	isc_buffer_remaining(data, &r);
+	isc_buffer_remainingregion(data, &r);
 	if (r.length == 0)
 		return (ISC_R_SUCCESS);
 
@@ -476,7 +463,9 @@ dst_bsafe_from_dns(dst_key_t *key, isc_buffer_t *data, isc_mem_t *mctx) {
 		return (ISC_R_NOMEMORY);
 	}
 
-	/* length of exponent in bytes */
+	/*
+	 * Length of exponent in bytes.
+	 */
 	bytes = isc_buffer_getuint8(data);
 	if (bytes == 0)  /* special case for long exponents */
 		bytes = isc_buffer_getuint16(data);
@@ -497,7 +486,7 @@ dst_bsafe_from_dns(dst_key_t *key, isc_buffer_t *data, isc_mem_t *mctx) {
 		return (ISC_R_NOMEMORY);
 	}
 
-	isc_buffer_remaining(data, &r);
+	isc_buffer_remainingregion(data, &r);
 	if (r.length < bytes) {
 		isc_mem_put(mctx, public, sizeof(*public));
 		return (ISC_R_NOMEMORY);
@@ -505,7 +494,7 @@ dst_bsafe_from_dns(dst_key_t *key, isc_buffer_t *data, isc_mem_t *mctx) {
 	memcpy(public->exponent.data, r.base, bytes);
 	isc_buffer_forward(data, bytes);
 
-	isc_buffer_remaining(data, &r);
+	isc_buffer_remainingregion(data, &r);
 
 	if (r.length > MAX_RSA_MODULUS_LEN) { 
 		dst_bsafe_destroy(rkey, mctx);
@@ -526,13 +515,11 @@ dst_bsafe_from_dns(dst_key_t *key, isc_buffer_t *data, isc_mem_t *mctx) {
 	memcpy(public->modulus.data, r.base, r.length);
 	isc_buffer_forward(data, r.length);
 
-	status = B_SetKeyInfo(rkey->rk_Public_Key, KI_RSAPublic,
-			      (POINTER) public);
-	if (status != 0)
+	if (B_SetKeyInfo(rkey->rk_Public_Key, KI_RSAPublic, (POINTER)public)
+	    != 0)
 		return (DST_R_INVALIDPUBLICKEY);
 
-	isc_buffer_init(&b, public->modulus.data + public->modulus.len - 3,
-			2, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&b, public->modulus.data + public->modulus.len - 3, 2);
 	isc_buffer_add(&b, 2);
 	key->key_id = isc_buffer_getuint16(&b);
 	key->key_size = dst_bsafe_key_size(rkey);
@@ -568,9 +555,9 @@ dst_bsafe_to_file(const dst_key_t *key) {
 	if (key->opaque == NULL)
 		return (DST_R_NULLKEY);
 
-	rkey = (B_KEY_OBJ)((RSA_Key *) key->opaque)->rk_Private_Key;
+	rkey = (B_KEY_OBJ)((RSA_Key *)key->opaque)->rk_Private_Key;
 
-	B_GetKeyInfo((POINTER *) &private, rkey, KI_PKCS_RSAPrivate);
+	(void)B_GetKeyInfo((POINTER *)&private, rkey, KI_PKCS_RSAPrivate);
 
 	priv.elements[cnt].tag = TAG_RSA_MODULUS;
 	priv.elements[cnt].data = private->modulus.data;
@@ -605,8 +592,7 @@ dst_bsafe_to_file(const dst_key_t *key) {
 	priv.elements[cnt++].length = private->coefficient.len;
 
 	priv.nelements = cnt;
-	return (dst_s_write_private_key_file(key->key_name, key->key_alg,
-					     key->key_id, &priv));
+	return (dst_s_write_private_key_file(key, &priv));
 }
 
 
@@ -631,15 +617,18 @@ dst_bsafe_from_file(dst_key_t *key, const isc_uint16_t id, isc_mem_t *mctx) {
 	RSA_Key *rkey = NULL;
 	A_RSA_KEY *public = NULL;
 	A_PKCS_RSA_PRIVATE_KEY *private = NULL;
-	int status = 0;
+
 #define DST_RET(a) {ret = a; goto err;}
 
-	/* read private key file */
-	ret = dst_s_parse_private_key_file(key->key_name, key->key_alg, 
-					   id, &priv, mctx);
+	/*
+	 * Read private key file.
+	 */
+	ret = dst_s_parse_private_key_file(key, id, &priv, mctx);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
-	/* allocate key*/
+	/*
+	 * Allocate key.
+	 */
 	private = (A_PKCS_RSA_PRIVATE_KEY *)
 		isc_mem_get(mctx, sizeof(A_PKCS_RSA_PRIVATE_KEY));
 	if (private == NULL)
@@ -695,8 +684,7 @@ dst_bsafe_from_file(dst_key_t *key, const isc_uint16_t id, isc_mem_t *mctx) {
 		}
 	}
 
-	isc_buffer_init(&b, public->modulus.data + public->modulus.len - 3,
-			2, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&b, public->modulus.data + public->modulus.len - 3, 2);
 	isc_buffer_add(&b, 2);
 	key->key_id = isc_buffer_getuint16(&b);
 	if (key->key_id != id)
@@ -706,17 +694,17 @@ dst_bsafe_from_file(dst_key_t *key, const isc_uint16_t id, isc_mem_t *mctx) {
 	if (rkey == NULL) 
 		DST_RET(ISC_R_NOMEMORY);
 	memset(rkey, 0, sizeof(*rkey));
-	if ((status = B_CreateKeyObject(&(rkey->rk_Public_Key))) != 0)
+	if (B_CreateKeyObject(&(rkey->rk_Public_Key)) != 0)
 		DST_RET(ISC_R_NOMEMORY);
-	if ((status = B_SetKeyInfo(rkey->rk_Public_Key, KI_RSAPublic,
-				   (POINTER) public)) != 0)
+	if (B_SetKeyInfo(rkey->rk_Public_Key, KI_RSAPublic, (POINTER)public)
+	    != 0)
 		DST_RET(DST_R_INVALIDPUBLICKEY);
 
-	if ((status = B_CreateKeyObject(&rkey->rk_Private_Key)) != 0)
+	if (B_CreateKeyObject(&rkey->rk_Private_Key) != 0)
 		DST_RET(ISC_R_NOMEMORY);
 
-	if ((status = B_SetKeyInfo(rkey->rk_Private_Key, KI_PKCS_RSAPrivate,
-				   (POINTER) private)) != 0)
+	if (B_SetKeyInfo(rkey->rk_Private_Key, KI_PKCS_RSAPrivate,
+			 (POINTER)private) != 0)
 		DST_RET(DST_R_INVALIDPRIVATEKEY);
 
 	key->key_size = dst_bsafe_key_size(rkey);
@@ -773,7 +761,6 @@ dst_bsafe_destroy(void *key, isc_mem_t *mctx)
 
 static isc_result_t
 dst_bsafe_generate(dst_key_t *key, int exp, isc_mem_t *mctx) {
-	int status;
 	B_KEY_OBJ private;
 	B_KEY_OBJ public;
 	B_ALGORITHM_OBJ keypairGenerator = NULL;
@@ -795,18 +782,22 @@ dst_bsafe_generate(dst_key_t *key, int exp, isc_mem_t *mctx) {
 	keygenParams.publicExponent.data = NULL;
 
 #define do_fail(code) {ret = code; goto fail;}
-	if ((status = B_CreateAlgorithmObject(&keypairGenerator)) != 0)
+	if (B_CreateAlgorithmObject(&keypairGenerator) != 0)
 		do_fail(ISC_R_NOMEMORY);
 
 	keygenParams.modulusBits = key->key_size;
 
-	/* exp = 0 or 1 are special (mean 3 or F4) */
+	/*
+	 * exp = 0 or 1 are special (mean 3 or F4).
+	 */
 	if (exp == 0)
 		exp = 3;
 	else if (exp == 1)
 		exp = 65537;
 
-	/* Now encode the exponent and its length */
+	/*
+	 * Now encode the exponent and its length.
+	 */
 	if (exp < 256) {
 		exponent_len = 1;
 		exponent[0] = exp;
@@ -827,55 +818,52 @@ dst_bsafe_generate(dst_key_t *key, int exp, isc_mem_t *mctx) {
 		exponent[3] = exp;
 	}
 
-	keygenParams.publicExponent.data = (unsigned char *) isc_mem_get(mctx,
-								  exponent_len);
+	keygenParams.publicExponent.data =
+		(unsigned char *)isc_mem_get(mctx, exponent_len);
 	if (keygenParams.publicExponent.data == NULL)
 		do_fail(ISC_R_NOMEMORY);
 
 	memcpy(keygenParams.publicExponent.data, exponent, exponent_len);
 	keygenParams.publicExponent.len = exponent_len;
-	if ((status = B_SetAlgorithmInfo
-	     (keypairGenerator, AI_RSAKeyGen, (POINTER) &keygenParams)) != 0)
+	if (B_SetAlgorithmInfo(keypairGenerator, AI_RSAKeyGen,
+			       (POINTER)&keygenParams) != 0)
 		do_fail(DST_R_INVALIDPARAM);
 
 	isc_mem_put(mctx, keygenParams.publicExponent.data, exponent_len);
 	keygenParams.publicExponent.data = NULL;
 
-	if ((status = B_GenerateInit(keypairGenerator, CHOOSER,
-				     NULL_SURRENDER)) != 0)
+	if (B_GenerateInit(keypairGenerator, CHOOSER, NULL_SURRENDER) != 0)
 		do_fail(ISC_R_NOMEMORY);
 
-	if ((status = B_CreateKeyObject(&public)) != 0)
+	if (B_CreateKeyObject(&public) != 0)
 		do_fail(ISC_R_NOMEMORY);
 
-	if ((status = B_CreateKeyObject(&private)) != 0)
+	if (B_CreateKeyObject(&private) != 0)
 		do_fail(ISC_R_NOMEMORY);
 
-	if ((status = B_CreateAlgorithmObject(&randomAlgorithm)) != 0)
+	if (B_CreateAlgorithmObject(&randomAlgorithm) != 0)
 		do_fail(ISC_R_NOMEMORY);
 
-	if ((status = B_SetAlgorithmInfo(randomAlgorithm, AI_MD5Random,
-					 NULL_PTR)) != 0)
+	if (B_SetAlgorithmInfo(randomAlgorithm, AI_MD5Random,
+					 NULL_PTR) != 0)
 		do_fail(ISC_R_NOMEMORY);
 
-	if ((status = B_RandomInit(randomAlgorithm, CHOOSER,
-				   NULL_SURRENDER)) != 0)
+	if (B_RandomInit(randomAlgorithm, CHOOSER, NULL_SURRENDER) != 0)
 		do_fail(ISC_R_NOMEMORY);
 
-	isc_buffer_init(&rand, randomSeed, sizeof(randomSeed),
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&rand, randomSeed, sizeof(randomSeed));
 	ret = dst_random_get(sizeof(randomSeed), &rand);
 	if (ret != ISC_R_SUCCESS)
 		goto fail;
 
-	if ((status = B_RandomUpdate(randomAlgorithm, randomSeed, 
-				     sizeof(randomSeed), NULL_SURRENDER)) != 0)
+	if (B_RandomUpdate(randomAlgorithm, randomSeed, sizeof(randomSeed),
+			   NULL_SURRENDER) != 0)
 		do_fail(ISC_R_NOMEMORY);
 
 	memset(randomSeed, 0, sizeof(randomSeed));
 
-	if ((status = B_GenerateKeypair(keypairGenerator, public, private,
-					randomAlgorithm, NULL_SURRENDER)) != 0)
+	if (B_GenerateKeypair(keypairGenerator, public, private,
+			      randomAlgorithm, NULL_SURRENDER) != 0)
 		do_fail(DST_R_INVALIDPARAM);
 
 	rsa->rk_Private_Key = private;
@@ -885,11 +873,12 @@ dst_bsafe_generate(dst_key_t *key, int exp, isc_mem_t *mctx) {
 	B_DestroyAlgorithmObject(&keypairGenerator);
 	B_DestroyAlgorithmObject(&randomAlgorithm);
 
-	/* fill in the footprint in generate key */
-	B_GetKeyInfo((POINTER *) &pub, public, KI_RSAPublic);
+	/*
+	 * Fill in the footprint in generate key.
+	 */
+	(void)B_GetKeyInfo((POINTER *)&pub, public, KI_RSAPublic);
 
-	isc_buffer_init(&b, pub->modulus.data + pub->modulus.len - 3,
-			2, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&b, pub->modulus.data + pub->modulus.len - 3, 2);
 	isc_buffer_add(&b, 2);
 	key->key_id = isc_buffer_getuint16(&b);
 	return (ISC_R_SUCCESS);
@@ -929,7 +918,7 @@ dst_s_bsafe_itemcmp(ITEM i1, ITEM i2) {
  */
 static isc_boolean_t
 dst_bsafe_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	int status, s1 = 0, s2 = 0;
+	int status;
 	RSA_Key *rkey1, *rkey2;
 	A_RSA_KEY *public1 = NULL, *public2 = NULL;
 	A_PKCS_RSA_PRIVATE_KEY *p1 = NULL, *p2 = NULL;
@@ -943,11 +932,11 @@ dst_bsafe_compare(const dst_key_t *key1, const dst_key_t *key2) {
 		return (ISC_FALSE);
 
 	if (rkey1->rk_Public_Key) 
-		B_GetKeyInfo((POINTER *) &public1, rkey1->rk_Public_Key, 
-			     KI_RSAPublic);
+		(void)B_GetKeyInfo((POINTER *) &public1, rkey1->rk_Public_Key, 
+				   KI_RSAPublic);
 	if (rkey2->rk_Public_Key) 
-		B_GetKeyInfo((POINTER *) &public2, rkey2->rk_Public_Key, 
-			     KI_RSAPublic);
+		(void)B_GetKeyInfo((POINTER *) &public2, rkey2->rk_Public_Key, 
+				   KI_RSAPublic);
 	if (public1 == NULL && public2 == NULL)
 		return (ISC_TRUE);
 	else if (public1 == NULL || public2 == NULL)
@@ -964,10 +953,10 @@ dst_bsafe_compare(const dst_key_t *key1, const dst_key_t *key2) {
 		    rkey2->rk_Private_Key == NULL)
 			return (ISC_FALSE);
 
-		s1 = B_GetKeyInfo((POINTER *) &p1, rkey1->rk_Private_Key,
-				  KI_PKCS_RSAPrivate);
-		s2 = B_GetKeyInfo((POINTER *) &p2, rkey2->rk_Private_Key,
-				  KI_PKCS_RSAPrivate);
+		(void)B_GetKeyInfo((POINTER *)&p1, rkey1->rk_Private_Key,
+				   KI_PKCS_RSAPrivate);
+		(void)B_GetKeyInfo((POINTER *)&p2, rkey2->rk_Private_Key,
+				   KI_PKCS_RSAPrivate);
 		if (p1 == NULL || p2 == NULL) 
 			return (ISC_FALSE);
 
@@ -1004,11 +993,11 @@ dst_bsafe_key_size(RSA_Key *key)
 	REQUIRE(key->rk_Private_Key != NULL || key->rk_Public_Key != NULL);
 
 	if (key->rk_Private_Key != NULL)
-		B_GetKeyInfo((POINTER *) &private, key->rk_Private_Key,
-			     KI_PKCS_RSAPrivate);
+		(void)B_GetKeyInfo((POINTER *)&private, key->rk_Private_Key,
+				   KI_PKCS_RSAPrivate);
 	else
-		B_GetKeyInfo((POINTER *) &private, key->rk_Public_Key,
-			     KI_RSAPublic);
+		(void)B_GetKeyInfo((POINTER *)&private, key->rk_Public_Key,
+				   KI_RSAPublic);
 
 	size = dst_s_calculate_bits(private->modulus.data,
 				    private->modulus.len * 8);
@@ -1023,28 +1012,27 @@ static isc_result_t
 dst_bsafe_md5digest(const unsigned int mode, B_ALGORITHM_OBJ *digest_obj,
 		    isc_region_t *data, isc_buffer_t *digest)
 {
-	int status = 0;
 	unsigned int written = 0;
 	isc_region_t r;
 
 	REQUIRE(digest != NULL);
 	REQUIRE(digest_obj != NULL);
 
-	if ((mode & DST_SIGMODE_INIT) &&
-	    (status = B_DigestInit(*digest_obj, (B_KEY_OBJ) NULL,
-				   CHOOSER, NULL_SURRENDER)) != 0)
+	if ((mode & DST_SIGMODE_INIT) != 0 &&
+	    B_DigestInit(*digest_obj, (B_KEY_OBJ) NULL, CHOOSER,
+			 NULL_SURRENDER) != 0)
 		return (DST_R_SIGNINITFAILURE);
 
-	if ((mode & DST_SIGMODE_UPDATE) &&
-	    (status = B_DigestUpdate(*digest_obj, data->base, data->length,
-				     NULL_SURRENDER)) != 0)
+	if ((mode & DST_SIGMODE_UPDATE) != 0 &&
+	    B_DigestUpdate(*digest_obj, data->base, data->length,
+			   NULL_SURRENDER) != 0)
 		return (DST_R_SIGNUPDATEFAILURE);
 
-	isc_buffer_available(digest, &r);
-	if (mode & DST_SIGMODE_FINAL) {
+	isc_buffer_availableregion(digest, &r);
+	if ((mode & DST_SIGMODE_FINAL) != 0) {
 		if (digest == NULL ||
-		    (status = B_DigestFinal(*digest_obj, r.base, &written,
-					    r.length, NULL_SURRENDER)) != 0)
+		    B_DigestFinal(*digest_obj, r.base, &written, r.length,
+				  NULL_SURRENDER) != 0)
 			return (DST_R_SIGNFINALFAILURE);
 		isc_buffer_add(digest, written);
 	}
diff --git a/lib/dns/sec/dst/dst_api.c b/lib/dns/sec/dst/dst_api.c
index 41ac0c89..be1a31fd 100644
--- a/lib/dns/sec/dst/dst_api.c
+++ b/lib/dns/sec/dst/dst_api.c
@@ -1,54 +1,52 @@
 /*
  * Portions Copyright (c) 1995-1999 by Network Associates, Inc.
+ * Portions Copyright (C) 1999, 2000  Internet Software Consortium.
  *
- * Permission to use, copy modify, and distribute this software for any
+ * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND NETWORK ASSOCIATES
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL
- * NETWORK ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM AND
+ * NETWORK ASSOCIATES DISCLAIM ALL WARRANTIES WITH REGARD TO THIS
+ * SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ * FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE CONSORTIUM OR NETWORK
+ * ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
+ * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
  */
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.23 2000/03/16 22:43:33 halley Exp $
+ * $Id: dst_api.c,v 1.38 2000/05/19 00:20:57 bwelling Exp $
  */
 
 #include <config.h>
 
-#include <ctype.h>
-#include <limits.h>
-#include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 
-#include <isc/assertions.h>
 #include <isc/buffer.h>
 #include <isc/dir.h>
-#include <isc/error.h>
-#include <isc/int.h>
 #include <isc/lex.h>
 #include <isc/mem.h>
-#include <isc/mutex.h>
 #include <isc/once.h>
-#include <isc/region.h>
+#include <isc/random.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
 #include <dns/rdata.h>
 #include <dns/keyvalues.h>
 
-#include <openssl/rand.h>
-
 #include "dst_internal.h"
 #include "dst/result.h"
 
+#include <openssl/rand.h>
+
 #define KEY_MAGIC	0x44535421U	/* DST! */
 
-#define VALID_KEY(key) (key != NULL && key->magic == KEY_MAGIC)
+#define VALID_KEY(key) ((key) != NULL && (key)->magic == KEY_MAGIC)
 
 dst_func *dst_t_func[DST_MAX_ALGS];
 
@@ -67,7 +65,7 @@ static isc_result_t	read_public_key(const char *name,
 static isc_result_t	write_public_key(const dst_key_t *key);
 
 /*
- *  dst_supported_algorithm
+ *  dst_algorithm_supported
  *	This function determines if the crypto system for the specified
  *	algorithm is present.
  *  Parameters
@@ -77,7 +75,7 @@ static isc_result_t	write_public_key(const dst_key_t *key);
  *	ISC_FALSE	The algorithm is not available.
  */
 isc_boolean_t
-dst_supported_algorithm(const int alg) {
+dst_algorithm_supported(const int alg) {
 	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
 	if (alg >= DST_MAX_ALGS || dst_t_func[alg] == NULL)
 		return (ISC_FALSE);
@@ -85,7 +83,7 @@ dst_supported_algorithm(const int alg) {
 }
 
 /*
- * dst_sign
+ * dst_key_sign
  *	An incremental signing function.  Data is signed in steps.
  *	First the context must be initialized (DST_SIGMODE_INIT).
  *	Then data is hashed (DST_SIGMODE_UPDATE).  Finally the signature
@@ -107,8 +105,8 @@ dst_supported_algorithm(const int alg) {
  *	!ISC_R_SUCCESS	Failure
  */
 isc_result_t
-dst_sign(const unsigned int mode, dst_key_t *key, dst_context_t *context, 
-	 isc_region_t *data, isc_buffer_t *sig)
+dst_key_sign(const unsigned int mode, dst_key_t *key, dst_context_t *context, 
+	     isc_region_t *data, isc_buffer_t *sig)
 {
 	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
 	REQUIRE(VALID_KEY(key));
@@ -120,7 +118,7 @@ dst_sign(const unsigned int mode, dst_key_t *key, dst_context_t *context,
 	if ((mode & DST_SIGMODE_FINAL) != 0)
 		REQUIRE(sig != NULL);
 
-	if (dst_supported_algorithm(key->key_alg) == ISC_FALSE)
+	if (dst_algorithm_supported(key->key_alg) == ISC_FALSE)
 		return (DST_R_UNSUPPORTEDALG);
 	if (key->opaque == NULL)
 		return (DST_R_NULLKEY);
@@ -133,7 +131,7 @@ dst_sign(const unsigned int mode, dst_key_t *key, dst_context_t *context,
 
 
 /*
- *  dst_verify
+ *  dst_key_verify
  *	An incremental verify function.  Data is verified in steps.
  *	First the context must be initialized (DST_SIGMODE_INIT).
  *	Then data is hashed (DST_SIGMODE_UPDATE).  Finally the signature
@@ -156,8 +154,8 @@ dst_sign(const unsigned int mode, dst_key_t *key, dst_context_t *context,
  */
 
 isc_result_t
-dst_verify(const unsigned int mode, dst_key_t *key, dst_context_t *context, 
-	   isc_region_t *data, isc_region_t *sig)
+dst_key_verify(const unsigned int mode, dst_key_t *key, dst_context_t *context, 
+	       isc_region_t *data, isc_region_t *sig)
 {
 	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
 	REQUIRE(VALID_KEY(key));
@@ -169,7 +167,7 @@ dst_verify(const unsigned int mode, dst_key_t *key, dst_context_t *context,
 	if ((mode & DST_SIGMODE_FINAL) != 0)
 		REQUIRE(sig != NULL && sig->base != NULL);
 
-	if (dst_supported_algorithm(key->key_alg) == ISC_FALSE)
+	if (dst_algorithm_supported(key->key_alg) == ISC_FALSE)
 		return (DST_R_UNSUPPORTEDALG);
 	if (key->opaque == NULL)
 		return (DST_R_NULLKEY);
@@ -181,7 +179,7 @@ dst_verify(const unsigned int mode, dst_key_t *key, dst_context_t *context,
 }
 
 /*
- *  dst_digest
+ *  dst_key_digest
  *	An incremental digest function.  Data is digested in steps.
  *	First the context must be initialized (DST_SIGMODE_INIT).
  *	Then data is hashed (DST_SIGMODE_UPDATE).  Finally the digest
@@ -203,8 +201,8 @@ dst_verify(const unsigned int mode, dst_key_t *key, dst_context_t *context,
  *	!ISC_R_SUCCESS	Failure
  */
 isc_result_t
-dst_digest(const unsigned int mode, const unsigned int alg,
-           dst_context_t *context, isc_region_t *data, isc_buffer_t *digest)
+dst_key_digest(const unsigned int mode, const unsigned int alg,
+	       dst_context_t *context, isc_region_t *data, isc_buffer_t *digest)
 {
 	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
 	REQUIRE((mode & DST_SIGMODE_ALL) != 0);
@@ -223,7 +221,7 @@ dst_digest(const unsigned int mode, const unsigned int alg,
 
 
 /*
- * dst_computesecret
+ * dst_key_computesecret
  *	A function to compute a shared secret from two (Diffie-Hellman) keys.
  * Parameters
  *      pub             The public key
@@ -234,15 +232,15 @@ dst_digest(const unsigned int mode, const unsigned int alg,
  *      !ISC_R_SUCCESS  Failure
  */
 isc_result_t
-dst_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
 		  isc_buffer_t *secret) 
 {
 	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
 	REQUIRE(VALID_KEY(pub) && VALID_KEY(priv));
 	REQUIRE(secret != NULL);
 
-	if (dst_supported_algorithm(pub->key_alg)  == ISC_FALSE ||
-	    dst_supported_algorithm(priv->key_alg) == ISC_FALSE)
+	if (dst_algorithm_supported(pub->key_alg)  == ISC_FALSE ||
+	    dst_algorithm_supported(priv->key_alg) == ISC_FALSE)
 		return (DST_R_UNSUPPORTEDALG);
 
 	if (pub->opaque == NULL || priv->opaque == NULL)
@@ -278,7 +276,7 @@ dst_key_tofile(const dst_key_t *key, const int type) {
 	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
 	REQUIRE(VALID_KEY(key));
 
-	if (dst_supported_algorithm(key->key_alg) == ISC_FALSE)
+	if (dst_algorithm_supported(key->key_alg) == ISC_FALSE)
 		return (DST_R_UNSUPPORTEDALG);
 
 	if ((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) == 0)
@@ -324,10 +322,9 @@ dst_key_fromfile(const char *name, const isc_uint16_t id, const int alg,
 	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
 	REQUIRE(name != NULL);
 	REQUIRE(mctx != NULL);
-	REQUIRE(keyp != NULL);
+	REQUIRE(keyp != NULL && *keyp == NULL);
 
-	*keyp = NULL;
-	if (dst_supported_algorithm(alg) == ISC_FALSE)
+	if (dst_algorithm_supported(alg) == ISC_FALSE)
 		return (DST_R_UNSUPPORTEDALG);
 
 	if ((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) == 0)
@@ -349,16 +346,18 @@ dst_key_fromfile(const char *name, const isc_uint16_t id, const int alg,
 	
 		key = get_key_struct(name, pubkey->key_alg, pubkey->key_flags,
 					   pubkey->key_proto, 0, mctx);
-		dst_key_free(pubkey);
+		dst_key_free(&pubkey);
 	}
 
 	if (key == NULL)
 		return (ISC_R_NOMEMORY);
 
-	/* Fill in private key and some fields in the general key structure */
+	/*
+	 * Fill in private key and some fields in the general key structure.
+	 */
 	ret = key->func->from_file(key, id, mctx);
 	if (ret != ISC_R_SUCCESS) {
-		dst_key_free(key);
+		dst_key_free(&key);
 		return (ret);
 	}
 
@@ -384,10 +383,10 @@ dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
 	REQUIRE(VALID_KEY(key));
 	REQUIRE(target != NULL);
 
-	if (dst_supported_algorithm(key->key_alg) == ISC_FALSE)
+	if (dst_algorithm_supported(key->key_alg) == ISC_FALSE)
 		return (DST_R_UNSUPPORTEDALG);
 
-	isc_buffer_available(target, &r);
+	isc_buffer_availableregion(target, &r);
 	if (r.length < 4)
 		return (ISC_R_NOSPACE);
 	isc_buffer_putuint16(target, (isc_uint16_t)(key->key_flags & 0xffff));
@@ -395,7 +394,7 @@ dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
 	isc_buffer_putuint8(target, (isc_uint8_t)key->key_alg);
 
 	if (key->key_flags & DNS_KEYFLAG_EXTENDED) {
-		isc_buffer_available(target, &r);
+		isc_buffer_availableregion(target, &r);
 		if (r.length < 2)
 			return (ISC_R_NOSPACE);
 		isc_buffer_putuint16(target,
@@ -430,39 +429,44 @@ dst_key_fromdns(const char *name, isc_buffer_t *source, isc_mem_t *mctx,
 	isc_uint8_t alg, proto;
 	isc_uint32_t flags, extflags;
 	isc_result_t ret;
+	dst_key_t *key = NULL;
 
 	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
-	REQUIRE (name != NULL);
-	REQUIRE (source != NULL);
-	REQUIRE (mctx != NULL);
-	REQUIRE (keyp != NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(source != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(keyp != NULL && *keyp == NULL);
 
-	isc_buffer_remaining(source, &r);
+	isc_buffer_remainingregion(source, &r);
 	if (r.length < 4) /* 2 bytes of flags, 1 proto, 1 alg */
 		return (DST_R_INVALIDPUBLICKEY);
 	flags = isc_buffer_getuint16(source);
 	proto = isc_buffer_getuint8(source);
 	alg = isc_buffer_getuint8(source);
 
-	if (!dst_supported_algorithm(alg))
+	if (!dst_algorithm_supported(alg))
 		return (DST_R_UNSUPPORTEDALG);
 
 	if (flags & DNS_KEYFLAG_EXTENDED) {
-		isc_buffer_remaining(source, &r);
+		isc_buffer_remainingregion(source, &r);
 		if (r.length < 2)
 			return (DST_R_INVALIDPUBLICKEY);
 		extflags = isc_buffer_getuint16(source);
 		flags |= (extflags << 16);
 	}
 
-	*keyp = get_key_struct(name, alg, flags, proto, 0, mctx);
-	if (*keyp == NULL)
+	key = get_key_struct(name, alg, flags, proto, 0, mctx);
+	if (key == NULL)
 		return (ISC_R_NOMEMORY);
 
-	ret = (*keyp)->func->from_dns(*keyp, source, mctx);
-	if (ret != ISC_R_SUCCESS) 
-		dst_key_free((*keyp));
-	return (ret);
+	ret = key->func->from_dns(key, source, mctx);
+	if (ret != ISC_R_SUCCESS) {
+		dst_key_free(&key);
+		return (ret);
+	}
+
+	*keyp = key;
+	return (ISC_R_SUCCESS);
 }
 
 
@@ -487,26 +491,30 @@ dst_key_frombuffer(const char *name, const int alg, const int flags,
 		   const int protocol, isc_buffer_t *source, isc_mem_t *mctx,
 		   dst_key_t **keyp)
 {
+	dst_key_t *key;
 	isc_result_t ret;
 
 	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
 	REQUIRE(name != NULL);
 	REQUIRE(source != NULL);
 	REQUIRE(mctx != NULL);
+	REQUIRE(keyp != NULL && *keyp == NULL);
 
-	if (dst_supported_algorithm(alg) == ISC_FALSE)
+	if (dst_algorithm_supported(alg) == ISC_FALSE)
 		return (DST_R_UNSUPPORTEDALG);
 
-	*keyp = get_key_struct(name, alg, flags, protocol, 0, mctx);
+	key = get_key_struct(name, alg, flags, protocol, 0, mctx);
 
-	if (*keyp == NULL)
+	if (key == NULL)
 		return (ISC_R_NOMEMORY);
 
-	ret = (*keyp)->func->from_dns((*keyp), source, mctx);
+	ret = key->func->from_dns(key, source, mctx);
 	if (ret != ISC_R_SUCCESS) {
-		dst_key_free((*keyp));
+		dst_key_free(&key);
 		return (ret);
 	}
+
+	*keyp = key;
 	return (ISC_R_SUCCESS);
 }
 
@@ -527,7 +535,7 @@ dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target) {
 	REQUIRE(VALID_KEY(key));
 	REQUIRE(target != NULL);
 
-	if (dst_supported_algorithm(key->key_alg) == ISC_FALSE)
+	if (dst_algorithm_supported(key->key_alg) == ISC_FALSE)
 		return (DST_R_UNSUPPORTEDALG);
 
 	return (key->func->to_dns(key, target));
@@ -565,31 +573,34 @@ dst_key_generate(const char *name, const int alg, const int bits,
 		 const int exp, const int flags, const int protocol,
 		 isc_mem_t *mctx, dst_key_t **keyp)
 {
+	dst_key_t *key;
 	isc_result_t ret;
 
 	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
 	REQUIRE(name != NULL);
 	REQUIRE(mctx != NULL);
-	REQUIRE(keyp != NULL);
+	REQUIRE(keyp != NULL && *keyp == NULL);
 
-	if (dst_supported_algorithm(alg) == ISC_FALSE)
+	if (dst_algorithm_supported(alg) == ISC_FALSE)
 		return (DST_R_UNSUPPORTEDALG);
 
-	*keyp = get_key_struct(name, alg, flags, protocol, bits, mctx);
-	if (*keyp == NULL)
+	key = get_key_struct(name, alg, flags, protocol, bits, mctx);
+	if (key == NULL)
 		return (ISC_R_NOMEMORY);
 
 	if (bits == 0) { /* NULL KEY */
-		(*keyp)->key_flags |= DNS_KEYTYPE_NOKEY;
+		key->key_flags |= DNS_KEYTYPE_NOKEY;
+		*keyp = key;
 		return (ISC_R_SUCCESS);
 	}
 
-	ret = (*keyp)->func->generate(*keyp, exp, mctx);
+	ret = key->func->generate(key, exp, mctx);
 	if (ret != ISC_R_SUCCESS) {
-		dst_key_free(*keyp);
+		dst_key_free(&key);
 		return (ret);
 	}
 
+	*keyp = key;
 	return (ISC_R_SUCCESS);
 }
 
@@ -652,15 +663,17 @@ dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
  *  dst_key_free
  *	Release all data structures pointed to by a key structure.
  *  Parameters
- *	key	Key structure to be freed.
+ *	keyp	Pointer to key structure to be freed.
  */
 void
-dst_key_free(dst_key_t *key) {
+dst_key_free(dst_key_t **keyp) {
 	isc_mem_t *mctx;
+	dst_key_t *key;
 
 	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
-	REQUIRE(VALID_KEY(key));
+	REQUIRE(keyp != NULL && VALID_KEY(*keyp));
 
+	key = *keyp;
 	mctx = key->mctx;
 
 	if (key->opaque != NULL)
@@ -669,6 +682,7 @@ dst_key_free(dst_key_t *key) {
 	isc_mem_free(mctx, key->key_name);
 	memset(key, 0, sizeof(dst_key_t));
 	isc_mem_put(mctx, key, sizeof(dst_key_t));
+	*keyp = NULL;
 }
 
 char *
@@ -715,20 +729,154 @@ dst_key_isprivate(const dst_key_t *key) {
 
 isc_boolean_t
 dst_key_iszonekey(const dst_key_t *key) {
-	unsigned int namtyp;
+	REQUIRE(VALID_KEY(key));
+      
+	if ((key->key_flags & DNS_KEYTYPE_NOAUTH) != 0)
+		return (ISC_FALSE);
+	if ((key->key_flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
+		return (ISC_FALSE);
+	if (key->key_proto != DNS_KEYPROTO_DNSSEC &&
+	    key->key_proto != DNS_KEYPROTO_ANY)
+		return (ISC_FALSE);
+	return (ISC_TRUE);
+}
 
+isc_boolean_t
+dst_key_isnullkey(const dst_key_t *key) {
 	REQUIRE(VALID_KEY(key));
       
-	if ((key->key_flags & DST_KEYFLAG_NOAUTH) != 0)
+	if ((key->key_flags & DNS_KEYFLAG_TYPEMASK) != DNS_KEYTYPE_NOKEY)
 		return (ISC_FALSE);
-	namtyp = (key->key_flags & DST_KEYFLAG_NTMASK) >> DST_KEYFLAG_NTSHIFT;
-	if (namtyp != DST_NAMTYP_ZONE)
+	if ((key->key_flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
+		return (ISC_FALSE);
+	if (key->key_proto != DNS_KEYPROTO_DNSSEC &&
+	    key->key_proto != DNS_KEYPROTO_ANY)
 		return (ISC_FALSE);
 	return (ISC_TRUE);
 }
 
+isc_result_t
+dst_key_buildfilename(const dst_key_t *key, const int type, isc_buffer_t *out) {
+	char *suffix;
+	unsigned int namelen;
+	isc_region_t r;
+
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(type == DST_TYPE_PRIVATE || type == DST_TYPE_PUBLIC ||
+		type == 0);
+	REQUIRE(out != NULL);
+	if (type == 0)
+		suffix = "";
+	else if (type == DST_TYPE_PRIVATE)
+		suffix = ".private";
+	else
+		suffix = ".key";
+	namelen =  1 + strlen(key->key_name) + 1 + 3 + 1 + 5 + 1 +
+		   strlen(suffix);
+	isc_buffer_availableregion(out, &r);
+	if (namelen >= r.length)
+		return (ISC_R_NOSPACE);
+	if (namelen >= ISC_DIR_NAMEMAX)
+		return (ISC_R_INVALIDFILE);
+	sprintf((char *) r.base, "K%s+%03d+%05d%s", key->key_name,
+		key->key_alg, key->key_id, suffix);
+	isc_buffer_add(out, namelen);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_parsefilename(isc_buffer_t *source, isc_mem_t *mctx, char **name,
+		      isc_uint16_t *id, int *alg, char **suffix)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	char c, str[6], *p, *endp;
+	isc_region_t r;
+	unsigned int length;
+
+	REQUIRE(source != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(name != NULL && *name == NULL);
+	REQUIRE(id != NULL);
+	REQUIRE(alg != NULL);
+	REQUIRE(suffix == NULL || *suffix == NULL);
+
+	if (isc_buffer_remaininglength(source) < 1)
+		return (ISC_R_UNEXPECTEDEND);
+	c = (char) isc_buffer_getuint8(source);
+	if (c != 'K') {
+		result = ISC_R_INVALIDFILE;
+		goto fail;
+	}
+	isc_buffer_remainingregion(source, &r);
+	p = (char *)r.base;
+	length = r.length;
+	while (length > 0 && *p != '+') {
+		length--;
+		p++;
+	}
+	if (length == 0)
+		return (ISC_R_UNEXPECTEDEND);
+	length = p - (char *) r.base;
+	*name = isc_mem_get(mctx, length + 1);
+	if (*name == NULL)
+		return (ISC_R_NOMEMORY);
+	memcpy(*name, r.base, length);
+	(*name)[length] = 0;
+	isc_buffer_forward(source, length);
+	if (isc_buffer_remaininglength(source) < 1 + 3 + 1 + 5) {
+		result = ISC_R_UNEXPECTEDEND;
+		goto fail;
+	}
+	c = (char) isc_buffer_getuint8(source);
+	if (c != '+') {
+		result = ISC_R_INVALIDFILE;
+		goto fail;
+	}
+	isc_buffer_remainingregion(source, &r);
+	memcpy(str, r.base, 3);
+	str[3] = 0;
+	*alg = strtol(str, &endp, 10);
+	if (*endp != '\0') {
+		result = ISC_R_INVALIDFILE;
+		goto fail;
+	}
+	isc_buffer_forward(source, 3);
+	c = (char) isc_buffer_getuint8(source);
+	if (c != '+') {
+		result = ISC_R_INVALIDFILE;
+		goto fail;
+	}
+	isc_buffer_remainingregion(source, &r);
+	memcpy(str, r.base, 5);
+	str[5] = 0;
+	*id = strtol(str, &endp, 10);
+	if (*endp != '\0') {
+		result = ISC_R_INVALIDFILE;
+		goto fail;
+	}
+	isc_buffer_forward(source, 5);
+	if (suffix == NULL)
+		return (ISC_R_SUCCESS);
+	isc_buffer_remainingregion(source, &r);
+	*suffix = isc_mem_get(mctx, r.length + 1);
+	if (*suffix == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto fail;
+	}
+	if (r.length > 0)
+		memcpy(*suffix, r.base, r.length);
+	(*suffix)[r.length] = 0;
+	return (ISC_R_SUCCESS);
+
+ fail:
+	if (*name != NULL)
+		 isc_mem_put(mctx, name, strlen(*name) + 1);
+	return (result);
+
+}
+
 /*
- * dst_sig_size
+ * dst_key_sigsize
  *	Computes the maximum size of a signature generated by the given key
  * Parameters
  *	key	The DST key
@@ -739,7 +887,7 @@ dst_key_iszonekey(const dst_key_t *key) {
  *	DST_R_UNSUPPORTEDALG
  */
 isc_result_t
-dst_sig_size(const dst_key_t *key, unsigned int *n) {
+dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
 	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
 	REQUIRE(VALID_KEY(key));
 	REQUIRE(n != NULL);
@@ -776,7 +924,7 @@ dst_sig_size(const dst_key_t *key, unsigned int *n) {
  *	DST_R_UNSUPPORTEDALG
  */
 isc_result_t
-dst_secret_size(const dst_key_t *key, unsigned int *n) {
+dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
 	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
 	REQUIRE(VALID_KEY(key));
 	REQUIRE(n != NULL);
@@ -810,17 +958,21 @@ dst_secret_size(const dst_key_t *key, unsigned int *n) {
 isc_result_t 
 dst_random_get(const unsigned int wanted, isc_buffer_t *target) {
 	isc_region_t r;
+	int status;
 
 	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
 	REQUIRE(target != NULL);
 
-	isc_buffer_available(target, &r);
+	isc_buffer_availableregion(target, &r);
 	if (r.length < wanted)
 		return (ISC_R_NOSPACE);
 
 	RUNTIME_CHECK(isc_mutex_lock((&random_lock)) == ISC_R_SUCCESS);
-	RAND_bytes(r.base, wanted);
+	status = RAND_bytes(r.base, wanted);
 	RUNTIME_CHECK(isc_mutex_unlock((&random_lock)) == ISC_R_SUCCESS);
+	if (status == 0)
+		return (DST_R_NORANDOMNESS);
+
 	isc_buffer_add(target, wanted);
 	return (ISC_R_SUCCESS);
 }
@@ -838,7 +990,7 @@ dst_random_get(const unsigned int wanted, isc_buffer_t *target) {
  *	none
  */
 static void
-initialize() {
+initialize(void) {
 	memset(dst_t_func, 0, sizeof(dst_t_func));
 
 	RUNTIME_CHECK(isc_mem_create(0, 0, &dst_memory_pool) == ISC_R_SUCCESS);
@@ -853,6 +1005,27 @@ initialize() {
 #ifdef OPENSSL
 	dst_s_openssldsa_init();
 	dst_s_openssldh_init();
+
+	/*
+	 * Seed the random number generator, if necessary.
+	 * XXX This doesn't do a very good job, and must be fixed.
+	 */
+	if (RAND_status() == 0) {
+		isc_random_t rctx;
+		isc_uint32_t val;
+		isc_time_t now;
+		isc_result_t result;
+
+		isc_random_init(&rctx);
+		result = isc_time_now(&now);
+		INSIST(result == ISC_R_SUCCESS);
+		isc_random_seed(&rctx, isc_time_nanoseconds(&now));
+		while (RAND_status() == 0) {
+			isc_random_get(&rctx, &val);
+			RAND_add(&val, sizeof(isc_uint32_t), 1);
+		}
+		isc_random_invalidate(&rctx);
+	}
 #endif
 }
 
@@ -877,7 +1050,7 @@ get_key_struct(const char *name, const int alg, const int flags,
 {
 	dst_key_t *key; 
 
-	REQUIRE(dst_supported_algorithm(alg) != ISC_FALSE);
+	REQUIRE(dst_algorithm_supported(alg) != ISC_FALSE);
 
 	key = (dst_key_t *) isc_mem_get(mctx, sizeof(dst_key_t));
 	if (key == NULL)
@@ -926,7 +1099,7 @@ get_key_struct(const char *name, const int alg, const int flags,
 
 static isc_result_t
 read_public_key(const char *name, const isc_uint16_t id, int alg,
-		      isc_mem_t *mctx, dst_key_t **keyp)
+		isc_mem_t *mctx, dst_key_t **keyp)
 {
 	char filename[ISC_DIR_NAMEMAX];
 	u_char rdatabuf[DST_KEY_MAXSIZE];
@@ -936,10 +1109,17 @@ read_public_key(const char *name, const isc_uint16_t id, int alg,
 	isc_result_t ret;
 	dns_rdata_t rdata;
 	unsigned int opt = ISC_LEXOPT_DNSMULTILINE;
+	dst_key_t *tempkey;
 
-	if (dst_s_build_filename(filename, name, id, alg, PUBLIC_KEY,
-				 sizeof(filename)) != ISC_R_SUCCESS)
-		return (DST_R_NAMETOOLONG);
+	tempkey = get_key_struct(name, alg, 0, 0, 0, mctx);
+	if (tempkey == NULL)
+		return (ISC_R_NOMEMORY);
+	tempkey->key_id = id;
+	isc_buffer_init(&b, filename, sizeof(filename));
+	ret = dst_key_buildfilename(tempkey, DST_TYPE_PUBLIC, &b);
+	dst_key_free(&tempkey);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
 
 	/*
 	 * Open the file and read its formatted contents
@@ -954,7 +1134,7 @@ read_public_key(const char *name, const isc_uint16_t id, int alg,
 
 	ret = isc_lex_openfile(lex, filename);
 	if (ret != ISC_R_SUCCESS) {
-		if (ret == ISC_R_FAILURE)
+		if (ret == ISC_R_FILENOTFOUND)
 			ret = ISC_R_NOTFOUND;
 		goto cleanup;
 	}
@@ -992,7 +1172,7 @@ read_public_key(const char *name, const isc_uint16_t id, int alg,
 	if (strcasecmp(token.value.as_pointer, "KEY") != 0)
 		BADTOKEN();
 	
-	isc_buffer_init(&b, rdatabuf, sizeof(rdatabuf), ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&b, rdatabuf, sizeof(rdatabuf));
 	ret = dns_rdata_fromtext(&rdata, dns_rdataclass_in, dns_rdatatype_key,
 				 lex, NULL, ISC_FALSE, &b, NULL);
 	if (ret != ISC_R_SUCCESS)
@@ -1029,7 +1209,7 @@ cleanup:
 static isc_result_t
 write_public_key(const dst_key_t *key) {
 	FILE *fp;
-	isc_buffer_t keyb, textb;
+	isc_buffer_t keyb, textb, fileb;
 	isc_region_t r;
 	char filename[ISC_DIR_NAMEMAX];
 	unsigned char key_array[DST_KEY_MAXSIZE];
@@ -1040,16 +1220,14 @@ write_public_key(const dst_key_t *key) {
 
 	REQUIRE(VALID_KEY(key));
 
-	isc_buffer_init(&keyb, key_array, sizeof(key_array),
-			ISC_BUFFERTYPE_BINARY);
-	isc_buffer_init(&textb, text_array, sizeof(text_array),
-			ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&keyb, key_array, sizeof(key_array));
+	isc_buffer_init(&textb, text_array, sizeof(text_array));
 
 	ret = dst_key_todns(key, &keyb);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
 
-	isc_buffer_used(&keyb, &r);
+	isc_buffer_usedregion(&keyb, &r);
 	dns_rdata_fromregion(&rdata, dns_rdataclass_in, dns_rdatatype_key, &r);
 
 	dnsret = dns_rdata_totext(&rdata, (dns_name_t *) NULL, &textb);
@@ -1058,15 +1236,15 @@ write_public_key(const dst_key_t *key) {
 
 	dns_rdata_freestruct(&rdata);
 
-	isc_buffer_used(&textb, &r);
+	isc_buffer_usedregion(&textb, &r);
 	
 	/*
 	 * Make the filename.
 	 */
-	if (dst_s_build_filename(filename,
-				 key->key_name, key->key_id, key->key_alg,
-				 PUBLIC_KEY, sizeof(filename)) < 0)
-		return (DST_R_NAMETOOLONG);
+	isc_buffer_init(&fileb, filename, sizeof(filename));
+	ret = dst_key_buildfilename(key, DST_TYPE_PUBLIC, &fileb);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
 
 	/*
 	 * Create public key file.
diff --git a/lib/dns/sec/dst/dst_internal.h b/lib/dns/sec/dst/dst_internal.h
index 7ab84ed4..db864f3e 100644
--- a/lib/dns/sec/dst/dst_internal.h
+++ b/lib/dns/sec/dst/dst_internal.h
@@ -1,6 +1,3 @@
-#ifndef DST_INTERNAL_H
-#define DST_INTERNAL_H
-
 /*
  * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
  *
@@ -17,13 +14,18 @@
  * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
  * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
  */
+
+#ifndef DST_DST_INTERNAL_H
+#define DST_DST_INTERNAL_H 1
+
 #include <isc/lang.h>
 #include <isc/buffer.h>
 #include <isc/int.h>
 #include <isc/region.h>
 
+#include "../rename.h"
+
 #include <dst/dst.h>
-#include <dst/result.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -83,41 +85,44 @@ struct dst_func {
 
 extern dst_func *dst_t_func[DST_MAX_ALGS];
 
-/* suffixes for key file names */
-#define PRIVATE_KEY		"private"
-#define PUBLIC_KEY		"key"
-
 #ifndef DST_HASH_SIZE
 #define DST_HASH_SIZE 20	/* RIPEMD160 & SHA-1 are 20 bytes, MD5 is 16 */
 #endif
 
-void		dst_s_hmacmd5_init(void);
-void		dst_s_bsafersa_init(void);
-void		dst_s_openssldsa_init(void);
-void		dst_s_openssldh_init(void);
-
-/* support functions */
-
-int		dst_s_calculate_bits(const unsigned char *str, const int max_bits); 
-isc_uint16_t	dst_s_id_calc(const unsigned char *key, const int keysize);
-int		dst_s_build_filename(char *filename, const char *name, 
-				     isc_uint16_t id, int alg,
-				     const char *suffix, 
-				     size_t filename_length);
-
-
-/* digest functions */
-isc_result_t	dst_s_md5(const unsigned int mode, void **context,
-			  isc_region_t *data, isc_buffer_t *digest,
-			  isc_mem_t *mctx);
+void
+dst_s_hmacmd5_init(void);
+void
+dst_s_bsafersa_init(void);
+void
+dst_s_openssldsa_init(void);
+void
+dst_s_openssldh_init(void);
 
+/*
+ * Support functions.
+ */
+int
+dst_s_calculate_bits(const unsigned char *str, const int max_bits); 
+isc_uint16_t
+dst_s_id_calc(const unsigned char *key, const int keysize);
 
-/* memory allocators using the DST memory pool */
-void *		dst_mem_alloc(size_t size);
-void		dst_mem_free(void *ptr);
-void *		dst_mem_realloc(void *ptr, size_t size);
+/*
+ * Digest functions.
+ */
+isc_result_t
+dst_s_md5(const unsigned int mode, void **context, isc_region_t *data,
+	  isc_buffer_t *digest, isc_mem_t *mctx);
 
+/*
+ * Memory allocators using the DST memory pool.
+ */
+void *
+dst_mem_alloc(size_t size);
+void
+dst_mem_free(void *ptr);
+void *
+dst_mem_realloc(void *ptr, size_t size);
 
 ISC_LANG_ENDDECLS
 
-#endif /* DST_INTERNAL_H */
+#endif /* DST_DST_INTERNAL_H */
diff --git a/lib/dns/sec/dst/dst_lib.c b/lib/dns/sec/dst/dst_lib.c
index 64d0c6b7..8762ded5 100644
--- a/lib/dns/sec/dst/dst_lib.c
+++ b/lib/dns/sec/dst/dst_lib.c
@@ -17,16 +17,14 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_lib.c,v 1.2 2000/03/23 19:30:04 halley Exp $
+ * $Id: dst_lib.c,v 1.4 2000/05/08 14:37:01 tale Exp $
  */
 
 #include <config.h>
 
-#include <stddef.h>
-
 #include <isc/once.h>
-#include <isc/error.h>
 #include <isc/msgcat.h>
+#include <isc/util.h>
 
 #include <dst/lib.h>
 
diff --git a/lib/dns/sec/dst/dst_parse.c b/lib/dns/sec/dst/dst_parse.c
index e2dae73a..8a20c6e9 100644
--- a/lib/dns/sec/dst/dst_parse.c
+++ b/lib/dns/sec/dst/dst_parse.c
@@ -1,42 +1,35 @@
 /*
  * Portions Copyright (c) 1995-1999 by Network Associates, Inc.
+ * Portions Copyright (C) 1999, 2000  Internet Software Consortium.
  *
- * Permission to use, copy modify, and distribute this software for any
+ * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND NETWORK ASSOCIATES
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL
- * NETWORK ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM AND
+ * NETWORK ASSOCIATES DISCLAIM ALL WARRANTIES WITH REGARD TO THIS
+ * SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ * FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE CONSORTIUM OR NETWORK
+ * ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
+ * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
  */
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.9 1999/10/20 22:14:14 bwelling Exp $
+ * $Id: dst_parse.c,v 1.16 2000/05/15 23:14:11 bwelling Exp $
  */
 
 #include <config.h>
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <limits.h>
-
-#include <isc/assertions.h>
 #include <isc/base64.h>
-#include <isc/buffer.h>
 #include <isc/dir.h>
-#include <isc/int.h>
 #include <isc/lex.h>
 #include <isc/mem.h>
-#include <isc/region.h>
-#include <dns/rdata.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 /* XXXBEW For chmod.  This should be removed. */
 #include <sys/stat.h>
@@ -194,9 +187,8 @@ dst_s_free_private_structure_fields(dst_private_t *priv, isc_mem_t *mctx) {
 }
 
 int
-dst_s_parse_private_key_file(const char *name, const int alg,
-			     const isc_uint16_t id, dst_private_t *priv,
-			     isc_mem_t *mctx)
+dst_s_parse_private_key_file(dst_key_t *key, const isc_uint16_t id,
+			     dst_private_t *priv, isc_mem_t *mctx)
 {
 	char filename[ISC_DIR_NAMEMAX];
 	int n = 0, ret, major, minor;
@@ -205,16 +197,16 @@ dst_s_parse_private_key_file(const char *name, const int alg,
 	isc_token_t token;
 	unsigned int opt = ISC_LEXOPT_EOL;
 	isc_result_t iret;
-	isc_result_t error = DST_R_INVALIDPRIVATEKEY;
 
 	REQUIRE(priv != NULL);
 
 	priv->nelements = 0;
 
-	ret = dst_s_build_filename(filename, name, id, alg, PRIVATE_KEY,
-				   sizeof(filename));
-	if (ret < 0)
-		return (DST_R_NAMETOOLONG);
+	isc_buffer_init(&b, filename, sizeof(filename));
+	key->key_id = id;
+	ret = dst_key_buildfilename(key, DST_TYPE_PRIVATE, &b);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
 
 	iret = isc_lex_create(mctx, 1024, &lex);
 	if (iret != ISC_R_SUCCESS)
@@ -236,7 +228,9 @@ dst_s_parse_private_key_file(const char *name, const int alg,
 		NEXTTOKEN(lex, opt, token) \
 	} while ((*token).type != isc_tokentype_eol) \
 
-	/* Read the description line */
+	/*
+	 * Read the description line.
+	 */
 	NEXTTOKEN(lex, opt, &token);
 	if (token.type != isc_tokentype_string ||
 	    strcmp(token.value.as_pointer, PRIVATE_KEY_STR) != 0)
@@ -255,7 +249,9 @@ dst_s_parse_private_key_file(const char *name, const int alg,
 
 	READLINE(lex, opt, &token);
 
-	/* Read the algorithm line */
+	/*
+	 * Read the algorithm line.
+	 */
 	NEXTTOKEN(lex, opt, &token);
 	if (token.type != isc_tokentype_string ||
 	    strcmp(token.value.as_pointer, ALGORITHM_STR) != 0)
@@ -263,12 +259,14 @@ dst_s_parse_private_key_file(const char *name, const int alg,
 
 	NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
 	if (token.type != isc_tokentype_number ||
-	    token.value.as_ulong != (unsigned long) alg)
+	    token.value.as_ulong != (unsigned long) dst_key_alg(key))
 		goto fail;
 
 	READLINE(lex, opt, &token);
 
-	/* Read the key data */
+	/*
+	 * Read the key data.
+	 */
 	for (n = 0; n < MAXFIELDS; n++) {
 		int tag;
 		unsigned char *data;
@@ -283,21 +281,20 @@ dst_s_parse_private_key_file(const char *name, const int alg,
 			goto fail;
 
 		memset(&priv->elements[n], 0, sizeof(dst_private_element_t));
-		tag = find_value(token.value.as_pointer, alg);
-		if (tag < 0 || TAG_ALG(tag) != alg)
+		tag = find_value(token.value.as_pointer, dst_key_alg(key));
+		if (tag < 0 || TAG_ALG(tag) != dst_key_alg(key))
 			goto fail;
 		priv->elements[n].tag = tag;
 
 		data = (unsigned char *) isc_mem_get(mctx, MAXFIELDSIZE);
-		if (data == NULL) {
-			error = DST_R_INVALIDPRIVATEKEY;
+		if (data == NULL)
 			goto fail;
-		}
-		isc_buffer_init(&b, data, MAXFIELDSIZE, ISC_BUFFERTYPE_BINARY);
+
+		isc_buffer_init(&b, data, MAXFIELDSIZE);
 		ret = isc_base64_tobuffer(lex, &b, -1);
 		if (ret != ISC_R_SUCCESS)
 			goto fail;
-		isc_buffer_used(&b, &r);
+		isc_buffer_usedregion(&b, &r);
 		priv->elements[n].length = r.length;
 		priv->elements[n].data = r.base;
 
@@ -306,7 +303,7 @@ dst_s_parse_private_key_file(const char *name, const int alg,
 
 	priv->nelements = n;
 
-	if (check_data(priv, alg) < 0)
+	if (check_data(priv, dst_key_alg(key)) < 0)
 		goto fail;
 
 	isc_lex_close(lex);
@@ -326,24 +323,23 @@ fail:
 }
 
 int
-dst_s_write_private_key_file(const char *name, const int alg,
-			     const isc_uint16_t id, const dst_private_t *priv)
-{
+dst_s_write_private_key_file(const dst_key_t *key, const dst_private_t *priv) {
 	FILE *fp;
 	int ret, i;
 	isc_result_t iret;
 	char filename[ISC_DIR_NAMEMAX];
 	char buffer[MAXFIELDSIZE * 2];
+	isc_buffer_t b;
 
 	REQUIRE(priv != NULL);
 
-	if (check_data(priv, alg) < 0)
+	if (check_data(priv, dst_key_alg(key)) < 0)
 		return (DST_R_INVALIDPRIVATEKEY);
 
-	ret = dst_s_build_filename(filename, name, id, alg, PRIVATE_KEY,
-				   sizeof(filename));
-	if (ret < 0)
-		return (DST_R_NAMETOOLONG);
+	isc_buffer_init(&b, filename, sizeof(filename));
+	ret = dst_key_buildfilename(key, DST_TYPE_PRIVATE, &b);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
 
 	if ((fp = fopen(filename, "w")) == NULL)
 		return (DST_R_WRITEERROR);
@@ -354,8 +350,8 @@ dst_s_write_private_key_file(const char *name, const int alg,
 	fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, MAJOR_VERSION,
 		MINOR_VERSION);
 
-	fprintf(fp, "%s %d ", ALGORITHM_STR, alg);
-	switch (alg) {
+	fprintf(fp, "%s %d ", ALGORITHM_STR, dst_key_alg(key));
+	switch (dst_key_alg(key)) {
 		case DST_ALG_RSA: fprintf(fp, "(RSA)\n"); break;
 		case DST_ALG_DH: fprintf(fp, "(DH)\n"); break;
 		case DST_ALG_DSA: fprintf(fp, "(DSA)\n"); break;
@@ -372,14 +368,13 @@ dst_s_write_private_key_file(const char *name, const int alg,
 
 		r.base = priv->elements[i].data;
 		r.length = priv->elements[i].length;
-		isc_buffer_init(&b, buffer, sizeof(buffer),
-				ISC_BUFFERTYPE_TEXT);
+		isc_buffer_init(&b, buffer, sizeof(buffer));
 		iret = isc_base64_totext(&r, sizeof(buffer), "", &b);
 		if (iret != ISC_R_SUCCESS) {
 			fclose(fp);
 			return (DST_R_INVALIDPRIVATEKEY);
 		}
-		isc_buffer_used(&b, &r);
+		isc_buffer_usedregion(&b, &r);
 
 		fprintf(fp, "%s ", s);
 		fwrite(r.base, 1, r.length, fp);
diff --git a/lib/dns/sec/dst/dst_parse.h b/lib/dns/sec/dst/dst_parse.h
index a431fc98..3d9406bb 100644
--- a/lib/dns/sec/dst/dst_parse.h
+++ b/lib/dns/sec/dst/dst_parse.h
@@ -1,6 +1,3 @@
-#ifndef DST_PARSE_H
-#define DST_PARSE_H
-
 /*
  * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
  *
@@ -17,11 +14,12 @@
  * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
  * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
  */
+#ifndef DST_DST_PARSE_H
+#define DST_DST_PARSE_H 1
+
 #include <isc/lang.h>
-#include <isc/mem.h>
-#include <dst/dst.h>
 
-ISC_LANG_BEGINDECLS
+#include <dst/dst.h>
 
 #define MAJOR_VERSION		1
 #define MINOR_VERSION		2
@@ -74,15 +72,18 @@ struct dst_private {
 
 typedef struct dst_private dst_private_t;
 
-void	dst_s_free_private_structure_fields(dst_private_t *priv,
-					    isc_mem_t *mctx);
-int	dst_s_parse_private_key_file(const char *name, const int alg,
-				     const isc_uint16_t id, dst_private_t *priv,
-				     isc_mem_t *mctx);
-int	dst_s_write_private_key_file(const char *name, const int alg,
-				     const isc_uint16_t id,
-				     const dst_private_t *priv);
+ISC_LANG_BEGINDECLS
+
+void
+dst_s_free_private_structure_fields(dst_private_t *priv, isc_mem_t *mctx);
+
+int
+dst_s_parse_private_key_file(dst_key_t *key, const isc_uint16_t id,
+			     dst_private_t *priv, isc_mem_t *mctx);
+
+int
+dst_s_write_private_key_file(const dst_key_t *key, const dst_private_t *priv);
 
 ISC_LANG_ENDDECLS
 
-#endif /* DST_PARSE_H */
+#endif /* DST_DST_PARSE_H */
diff --git a/lib/dns/sec/dst/dst_result.c b/lib/dns/sec/dst/dst_result.c
index b1c88c3e..e09997e6 100644
--- a/lib/dns/sec/dst/dst_result.c
+++ b/lib/dns/sec/dst/dst_result.c
@@ -17,16 +17,13 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_result.c,v 1.5 2000/03/23 19:48:24 halley Exp $
+ * $Id: dst_result.c,v 1.8 2000/05/08 14:37:05 tale Exp $
  */
 
 #include <config.h>
 
-#include <stddef.h>
-
-#include <isc/resultclass.h>
 #include <isc/once.h>
-#include <isc/error.h>
+#include <isc/util.h>
 
 #include <dst/result.h>
 #include <dst/lib.h>
@@ -51,6 +48,7 @@ static char *text[DST_R_NRESULTS] = {
 	"not a private key",			/* 16 */
 	"not a key that can compute a secret",	/* 17 */
 	"failure computing a shared secret",	/* 18 */
+	"no randomness available",		/* 19 */
 };
 
 #define DST_RESULT_RESULTSET			2
diff --git a/lib/dns/sec/dst/dst_support.c b/lib/dns/sec/dst/dst_support.c
index a2d42a9d..e2833678 100644
--- a/lib/dns/sec/dst/dst_support.c
+++ b/lib/dns/sec/dst/dst_support.c
@@ -1,32 +1,32 @@
 /*
  * Portions Copyright (c) 1995-1999 by Network Associates, Inc.
+ * Portions Copyright (C) 1999, 2000  Internet Software Consortium.
  *
- * Permission to use, copy modify, and distribute this software for any
+ * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND NETWORK ASSOCIATES
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL
- * NETWORK ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM AND
+ * NETWORK ASSOCIATES DISCLAIM ALL WARRANTIES WITH REGARD TO THIS
+ * SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ * FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE CONSORTIUM OR NETWORK
+ * ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
+ * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
  */
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_support.c,v 1.3 1999/11/02 19:52:29 bwelling Exp $
+ * $Id: dst_support.c,v 1.5 2000/05/15 21:02:34 bwelling Exp $
  */
 
 #include <config.h>
 
 #include <stdio.h>
-#include <unistd.h>
-#include <memory.h>
-#include <string.h>
-#include <isc/int.h>
+
+#include <isc/string.h>
 
 #include "dst_internal.h"
 
@@ -42,8 +42,7 @@
  */
 
 int
-dst_s_calculate_bits(const unsigned char *str, const int max_bits)
-{
+dst_s_calculate_bits(const unsigned char *str, const int max_bits) {
 	const unsigned char *p = str;
 	unsigned char i, j = 0x80;
 	int bits;
@@ -65,8 +64,7 @@ dst_s_calculate_bits(const unsigned char *str, const int max_bits)
  *	N	the 16 bit checksum.
  */
 isc_uint16_t
-dst_s_id_calc(const unsigned char *key, const int keysize)
-{
+dst_s_id_calc(const unsigned char *key, const int keysize) {
 	isc_uint32_t ac;
 	const unsigned char *kp = key;
 	int size = keysize;
@@ -83,47 +81,3 @@ dst_s_id_calc(const unsigned char *key, const int keysize)
 
 	return ((isc_uint16_t)(ac & 0xffff));
 }
-
-/*
- *  dst_s_build_filename
- *	Builds a key filename from the key name, its id, and a
- *	suffix.  '\', '/' and ':' are not allowed. fA filename is of the
- *	form:  K<keyname><id>.<suffix>
- *	form: K<keyname>+<alg>+<id>.<suffix>
- *
- *	Returns -1 if the conversion fails:
- *	  if the filename would be too long for space allotted
- *	  if the filename would contain a '\', '/' or ':'
- *	Returns 0 on success
- */
-
-int
-dst_s_build_filename(char *filename, const char *name, isc_uint16_t id,
-		     int alg, const char *suffix, size_t filename_length)
-{
-	isc_uint32_t my_id;
-	char *dot;
-	if (filename == NULL)
-		return (-1);
-	memset(filename, 0, filename_length);
-	if (name == NULL)
-		return (-1);
-	if (suffix == NULL)
-		return (-1);
-	if (filename_length < 1 + strlen(name) + 1 + 4 + 6 + 1 + strlen(suffix))
-		return (-1);
-	my_id = id;
-	if (name[strlen(name) - 1] == '.')
-		dot = "";
-	else
-		dot = ".";
-	sprintf(filename, "K%s%s+%03d+%05d.%s", name, dot, alg, my_id,
-		(char *) suffix);
-	if (strrchr(filename, '/'))
-		return (-1);
-	if (strrchr(filename, '\\'))
-		return (-1);
-	if (strrchr(filename, ':'))
-		return (-1);
-	return (0);
-}
diff --git a/lib/dns/sec/dst/hmac_link.c b/lib/dns/sec/dst/hmac_link.c
index 809d2b2a..c6f3ca00 100644
--- a/lib/dns/sec/dst/hmac_link.c
+++ b/lib/dns/sec/dst/hmac_link.c
@@ -1,51 +1,44 @@
 /*
  * Portions Copyright (c) 1995-1998 by Network Associates, Inc.
+ * Portions Copyright (C) 1999, 2000  Internet Software Consortium.
  *
- * Permission to use, copy modify, and distribute this software for any
+ * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND NETWORK ASSOCIATES
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL
- * NETWORK ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM AND
+ * NETWORK ASSOCIATES DISCLAIM ALL WARRANTIES WITH REGARD TO THIS
+ * SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ * FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE CONSORTIUM OR NETWORK
+ * ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
+ * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
  */
 
 /*
  * Principal Author: Brian Wellington
- * $Id: hmac_link.c,v 1.17 2000/03/15 18:52:23 bwelling Exp $
+ * $Id: hmac_link.c,v 1.26 2000/05/15 21:30:43 bwelling Exp $
  */
 
 #include <config.h>
 
-#include <stdio.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <string.h>
-#include <memory.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
-#include <isc/assertions.h>
-#include <isc/buffer.h>
-#include <isc/int.h>
-#include <isc/region.h>
-
-#include <openssl/md5.h>
+#include <dst/result.h>
 
 #include "dst_internal.h"
 #include "dst_parse.h"
 
+#include <openssl/md5.h>
+
 #define HMAC_LEN	64
 #define HMAC_IPAD	0x36
 #define HMAC_OPAD	0x5c
 
-#define MD5Init MD5_Init
-#define MD5Update MD5_Update
-#define MD5Final MD5_Final
-
 #define RETERR(x) do { \
 	ret = (x); \
 	if (ret != ISC_R_SUCCESS) \
@@ -58,36 +51,45 @@ typedef struct hmackey {
 
 static struct dst_func hmacmd5_functions;
 
-static isc_result_t	dst_hmacmd5_sign(const unsigned int mode,
-					 dst_key_t *key,
-					 void **context, isc_region_t *data,
-					 isc_buffer_t *sig, isc_mem_t *mctx);
-static isc_result_t	dst_hmacmd5_verify(const unsigned int mode,
-					   dst_key_t *key,
-					   void **context, isc_region_t *data,
-					   isc_region_t *sig, isc_mem_t *mctx);
-static isc_boolean_t	dst_hmacmd5_compare(const dst_key_t *key1,
-					    const dst_key_t *key2);
-static isc_result_t	dst_hmacmd5_generate(dst_key_t *key, int exp,
-					     isc_mem_t *mctx);
-static isc_boolean_t	dst_hmacmd5_isprivate(const dst_key_t *key);
-static void		dst_hmacmd5_destroy(void *key, isc_mem_t *mctx);
-static isc_result_t	dst_hmacmd5_to_dns(const dst_key_t *in_key,
-					   isc_buffer_t *data);
-static isc_result_t	dst_hmacmd5_from_dns(dst_key_t *key, isc_buffer_t *data,
-					     isc_mem_t *mctx);
-static isc_result_t	dst_hmacmd5_to_file(const dst_key_t *key);
-static isc_result_t	dst_hmacmd5_from_file(dst_key_t *key,
-					      const isc_uint16_t id,
-					      isc_mem_t *mctx);
+static isc_result_t
+dst_hmacmd5_sign(const unsigned int mode, dst_key_t *key,
+		 void **context, isc_region_t *data, isc_buffer_t *sig,
+		 isc_mem_t *mctx);
+
+static isc_result_t
+dst_hmacmd5_verify(const unsigned int mode, dst_key_t *key, void **context,
+		   isc_region_t *data, isc_region_t *sig, isc_mem_t *mctx);
+
+static isc_boolean_t
+dst_hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2);
+
+static isc_result_t
+dst_hmacmd5_generate(dst_key_t *key, int exp, isc_mem_t *mctx);
+
+static isc_boolean_t
+dst_hmacmd5_isprivate(const dst_key_t *key);
+
+static void
+dst_hmacmd5_destroy(void *key, isc_mem_t *mctx);
+
+static isc_result_t
+dst_hmacmd5_to_dns(const dst_key_t *in_key, isc_buffer_t *data);
+
+static isc_result_t
+dst_hmacmd5_from_dns(dst_key_t *key, isc_buffer_t *data, isc_mem_t *mctx);
+
+static isc_result_t
+dst_hmacmd5_to_file(const dst_key_t *key);
+
+static isc_result_t
+dst_hmacmd5_from_file(dst_key_t *key, const isc_uint16_t id, isc_mem_t *mctx);
 
 /*
  * dst_s_hmacmd5_init()
  * Sets up function pointers for HMAC-MD5 related functions 
  */
 void
-dst_s_hmacmd5_init()
-{
+dst_s_hmacmd5_init(void) {
 	REQUIRE(dst_t_func[DST_ALG_HMACMD5] == NULL);
 	dst_t_func[DST_ALG_HMACMD5] = &hmacmd5_functions;
 	memset(&hmacmd5_functions, 0, sizeof(struct dst_func));
@@ -152,8 +154,7 @@ dst_hmacmd5_sign(const unsigned int mode, dst_key_t *key, void **context,
 		unsigned char digest[MD5_DIGEST_LENGTH];
 		isc_buffer_t b;
 
-		isc_buffer_init(&b, digest, sizeof(digest),
-				ISC_BUFFERTYPE_BINARY);
+		isc_buffer_init(&b, digest, sizeof(digest));
 
 		RETERR(dst_s_md5(DST_SIGMODE_FINAL, context, NULL, &b, mctx));
 
@@ -161,7 +162,7 @@ dst_hmacmd5_sign(const unsigned int mode, dst_key_t *key, void **context,
 		r.base = hkey->opad;
 		r.length = HMAC_LEN;
 		RETERR(dst_s_md5(DST_SIGMODE_UPDATE, context, &r, NULL, mctx));
-		isc_buffer_used(&b, &r);
+		isc_buffer_usedregion(&b, &r);
 		RETERR(dst_s_md5(DST_SIGMODE_UPDATE, context, &r, NULL, mctx));
 		RETERR(dst_s_md5(DST_SIGMODE_FINAL, context, NULL, sig, mctx));
 	}
@@ -217,8 +218,7 @@ dst_hmacmd5_verify(const unsigned int mode, dst_key_t *key, void **context,
 		unsigned char digest[MD5_DIGEST_LENGTH];
 		isc_buffer_t b;
 
-		isc_buffer_init(&b, digest, sizeof(digest),
-				ISC_BUFFERTYPE_BINARY);
+		isc_buffer_init(&b, digest, sizeof(digest));
 
 		RETERR(dst_s_md5(DST_SIGMODE_FINAL, context, NULL, &b, mctx));
 
@@ -226,7 +226,7 @@ dst_hmacmd5_verify(const unsigned int mode, dst_key_t *key, void **context,
 		r.base = hkey->opad;
 		r.length = HMAC_LEN;
 		RETERR(dst_s_md5(DST_SIGMODE_UPDATE, context, &r, NULL, mctx));
-		isc_buffer_used(&b, &r);
+		isc_buffer_usedregion(&b, &r);
 		RETERR(dst_s_md5(DST_SIGMODE_UPDATE, context, &r, NULL, mctx));
 		isc_buffer_clear(&b);
 		RETERR(dst_s_md5(DST_SIGMODE_FINAL, context, NULL, &b, mctx));
@@ -248,12 +248,11 @@ dst_hmacmd5_verify(const unsigned int mode, dst_key_t *key, void **context,
  */
 static isc_boolean_t
 dst_hmacmd5_isprivate(const dst_key_t *key) {
-	key = key; /* suppress warning */
+	UNUSED(key);
 
         return (ISC_TRUE);
 }
 
-
 /*
  * dst_hmacmd5_to_dns
  *	Converts key from HMAC to DNS rdata (raw bytes)
@@ -264,7 +263,6 @@ dst_hmacmd5_isprivate(const dst_key_t *key) {
  *	ISC_R_SUCCESS	Success
  *	!ISC_R_SUCCESS	Failure
  */
-
 static isc_result_t
 dst_hmacmd5_to_dns(const dst_key_t *key, isc_buffer_t *data) {
 	HMAC_Key *hkey;
@@ -275,7 +273,7 @@ dst_hmacmd5_to_dns(const dst_key_t *key, isc_buffer_t *data) {
 
 	hkey = (HMAC_Key *) key->opaque;
 
-	isc_buffer_available(data, &r);
+	isc_buffer_availableregion(data, &r);
 
 	bytes = (key->key_size + 7) / 8;
 	if (r.length < bytes)
@@ -289,7 +287,6 @@ dst_hmacmd5_to_dns(const dst_key_t *key, isc_buffer_t *data) {
 	return (ISC_R_SUCCESS);
 }
 
-
 /*
  * dst_hmacmd5_from_dns
  *	Converts from a DNS KEY RR format to an HMAC-MD5 KEY. 
@@ -306,7 +303,7 @@ dst_hmacmd5_from_dns(dst_key_t *key, isc_buffer_t *data, isc_mem_t *mctx) {
 	isc_region_t r;
 	int i, keylen;
 
-	isc_buffer_remaining(data, &r);
+	isc_buffer_remainingregion(data, &r);
 	if (r.length == 0)
 		return (ISC_R_SUCCESS);
 
@@ -321,9 +318,9 @@ dst_hmacmd5_from_dns(dst_key_t *key, isc_buffer_t *data, isc_mem_t *mctx) {
 		MD5_CTX ctx;
 		unsigned char digest[MD5_DIGEST_LENGTH];
 
-		MD5Init(&ctx);
-		MD5Update(&ctx, r.base, r.length);
-		MD5Final(digest, &ctx);
+		MD5_Init(&ctx);
+		MD5_Update(&ctx, r.base, r.length);
+		MD5_Final(digest, &ctx);
 		memcpy(hkey->ipad, digest, MD5_DIGEST_LENGTH);
 		memcpy(hkey->opad, digest, MD5_DIGEST_LENGTH);
 		keylen = MD5_DIGEST_LENGTH;
@@ -334,7 +331,9 @@ dst_hmacmd5_from_dns(dst_key_t *key, isc_buffer_t *data, isc_mem_t *mctx) {
 		keylen = r.length;
 	}
 	
-	/* XOR key with ipad and opad values */
+	/*
+	 * XOR key with ipad and opad values.
+	 */
 	for (i = 0; i < HMAC_LEN; i++) {
 		hkey->ipad[i] ^= HMAC_IPAD;
 		hkey->opad[i] ^= HMAC_OPAD;
@@ -376,8 +375,7 @@ dst_hmacmd5_to_file(const dst_key_t *key) {
 	priv.elements[cnt++].data = keydata;
 
 	priv.nelements = cnt;
-	return (dst_s_write_private_key_file(key->key_name, key->key_alg,
-					     key->key_id, &priv));
+	return (dst_s_write_private_key_file(key, &priv));
 }
 
 
@@ -392,7 +390,6 @@ dst_hmacmd5_to_file(const dst_key_t *key) {
  *	ISC_R_SUCCESS	Success
  *	!ISC_R_SUCCESS	Failure
  */
-
 static isc_result_t 
 dst_hmacmd5_from_file(dst_key_t *key, const isc_uint16_t id, isc_mem_t *mctx) {
 	dst_private_t priv;
@@ -402,8 +399,7 @@ dst_hmacmd5_from_file(dst_key_t *key, const isc_uint16_t id, isc_mem_t *mctx) {
 #define DST_RET(a) {ret = a; goto err;}
 
 	/* read private key file */
-	ret = dst_s_parse_private_key_file(key->key_name, key->key_alg, 
-					   id, &priv, mctx);
+	ret = dst_s_parse_private_key_file(key, id, &priv, mctx);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
 
@@ -412,8 +408,7 @@ dst_hmacmd5_from_file(dst_key_t *key, const isc_uint16_t id, isc_mem_t *mctx) {
 		DST_RET(ISC_R_NOMEMORY);
 
 	key->opaque = hkey;
-	isc_buffer_init(&b, priv.elements[0].data, priv.elements[0].length,
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&b, priv.elements[0].data, priv.elements[0].length);
 	ret = dst_hmacmd5_from_dns(key, &b, mctx);
 	if (ret != ISC_R_SUCCESS)
 		DST_RET(ret);
@@ -438,7 +433,6 @@ dst_hmacmd5_destroy(void *key, isc_mem_t *mctx) {
 	isc_mem_put(mctx, hkey, sizeof(HMAC_Key));
 }
 
-
 /*
  *  dst_hmacmd5_generate
  *	Creates an HMAC-MD5 key.  If the specified size is more than 512
@@ -451,7 +445,6 @@ dst_hmacmd5_destroy(void *key, isc_mem_t *mctx) {
  *	ISC_R_SUCCESS	Success
  *	!ISC_R_SUCCESS	Failure
  */
-
 static isc_result_t
 dst_hmacmd5_generate(dst_key_t *key, int unused, isc_mem_t *mctx) {
 	isc_buffer_t b;
@@ -459,7 +452,7 @@ dst_hmacmd5_generate(dst_key_t *key, int unused, isc_mem_t *mctx) {
 	int bytes;
 	unsigned char data[HMAC_LEN];
 
-	unused = unused;	/* make the compiler happy */
+	UNUSED(unused);
 
 	bytes = (key->key_size + 7) / 8;
 	if (bytes > 64) {
@@ -468,7 +461,7 @@ dst_hmacmd5_generate(dst_key_t *key, int unused, isc_mem_t *mctx) {
 	}
 
 	memset(data, 0, HMAC_LEN);
-	isc_buffer_init(&b, data, sizeof(data), ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&b, data, sizeof(data));
 	ret = dst_random_get(bytes, &b);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
@@ -479,7 +472,6 @@ dst_hmacmd5_generate(dst_key_t *key, int unused, isc_mem_t *mctx) {
 	return (ret);
 }
 
-
 /************************************************************************** 
  *  dst_hmacmd5_compare
  *	Compare two keys for equality.
@@ -491,8 +483,8 @@ static isc_boolean_t
 dst_hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	HMAC_Key *hkey1, *hkey2;
 
-	hkey1 = (HMAC_Key *) key1->opaque;
-	hkey2 = (HMAC_Key *) key2->opaque;
+	hkey1 = (HMAC_Key *)key1->opaque;
+	hkey2 = (HMAC_Key *)key2->opaque;
 
 	if (hkey1 == NULL && hkey2 == NULL) 
 		return (ISC_TRUE);
diff --git a/lib/dns/sec/dst/include/dst/dst.h b/lib/dns/sec/dst/include/dst/dst.h
index 4ba113f6..4a89a03a 100644
--- a/lib/dns/sec/dst/include/dst/dst.h
+++ b/lib/dns/sec/dst/include/dst/dst.h
@@ -1,14 +1,8 @@
 #ifndef DST_DST_H
 #define DST_DST_H 1
 
-#include <isc/boolean.h>
-#include <isc/buffer.h>
-#include <isc/int.h>
 #include <isc/lang.h>
-#include <isc/mem.h>
-#include <isc/region.h>
-
-#include <dst/result.h>
+#include <isc/types.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -48,18 +42,6 @@ typedef void *		dst_context_t;
 				 DST_SIGMODE_UPDATE | \
 				 DST_SIGMODE_FINAL)
 
-/* Key protocol octet values. */
-#define DST_KEYPROTO_TLS	1
-#define DST_KEYPROTO_EMAIL	2
-#define DST_KEYPROTO_DNSSEC	3
-#define DST_KEYPROTO_IPSEC	4
-
-/* Key flag values. */
-#define DST_KEYFLAG_NOAUTH	0x00008000
-#define DST_KEYFLAG_NTMASK	0x00000300
-#define DST_KEYFLAG_NTSHIFT	8
-#define DST_NAMTYP_ZONE		0x02
-
 /* A buffer of this size is large enough to hold any key */
 #define DST_KEY_MAXSIZE		1024
 
@@ -71,13 +53,17 @@ typedef void *		dst_context_t;
  *** Functions
  ***/
 
+isc_boolean_t
+dst_algorithm_supported(const int alg);
 /*
  * Check that a given algorithm is supported
  */
-isc_boolean_t
-dst_supported_algorithm(const int alg);
 
-/* Sign a block of data.
+isc_result_t
+dst_key_sign(const unsigned int mode, dst_key_t *key, dst_context_t *context,
+	     isc_region_t *data, isc_buffer_t *sig);
+/*
+ * Sign a block of data.
  *
  * Requires:
  *	"mode" is some combination of DST_SIGMODE_INIT, DST_SIGMODE_UPDATE,
@@ -91,11 +77,12 @@ dst_supported_algorithm(const int alg);
  *	All allocated memory will be freed after the FINAL call.  "sig"
  *	will contain a signature if all operations completed successfully.
  */
-isc_result_t
-dst_sign(const unsigned int mode, dst_key_t *key, dst_context_t *context,
-	 isc_region_t *data, isc_buffer_t *sig);
 
-/* Verify a signature on a block of data.
+isc_result_t
+dst_key_verify(const unsigned int mode, dst_key_t *key, dst_context_t *context,
+	       isc_region_t *data, isc_region_t *sig);
+/*
+ * Verify a signature on a block of data.
  *
  * Requires:
  *	"mode" is some combination of DST_SIGMODE_INIT, DST_SIGMODE_UPDATE,
@@ -108,11 +95,13 @@ dst_sign(const unsigned int mode, dst_key_t *key, dst_context_t *context,
  * Ensures:
  *	All allocated memory will be freed after the FINAL call.
  */
-isc_result_t
-dst_verify(const unsigned int mode, dst_key_t *key, dst_context_t *context,
-	   isc_region_t *data, isc_region_t *sig);
 
-/* Digest a block of data.
+isc_result_t
+dst_key_digest(const unsigned int mode, const unsigned int alg,
+	       dst_context_t *context, isc_region_t *data,
+	       isc_buffer_t *digest);
+/*
+ * Digest a block of data.
  *
  * Requires:
  *	"mode" is some combination of DST_SIGMODE_INIT, DST_SIGMODE_UPDATE,
@@ -126,27 +115,27 @@ dst_verify(const unsigned int mode, dst_key_t *key, dst_context_t *context,
  *	All allocated memory will be freed after the FINAL call.  "digest"
  *	will contain a digest if all operations completed successfully.
  */
-isc_result_t
-dst_digest(const unsigned int mode, const unsigned int alg,
-	   dst_context_t *context, isc_region_t *data, isc_buffer_t *digest);
 
+isc_result_t
+dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+		      isc_buffer_t *secret);
 /*
- * dst_computesecret
- *      A function to compute a shared secret from two (Diffie-Hellman) keys.
+ * A function to compute a shared secret from two (Diffie-Hellman) keys.
  *
  * Requires:
- *      "pub" is a valid key that can be used to derive a shared secret
- *      "priv" is a valid private key that can be used to derive a shared secret
- *      "secret" is a valid buffer
+ *     "pub" is a valid key that can be used to derive a shared secret
+ *     "priv" is a valid private key that can be used to derive a shared secret
+ *     "secret" is a valid buffer
  *
  * Ensures:
  *      If successful, secret will contain the derived shared secret.
  */
-isc_result_t
-dst_computesecret(const dst_key_t *pub, const dst_key_t *priv,
-                  isc_buffer_t *secret);
 
-/* Reads a key from permanent storage.
+isc_result_t
+dst_key_fromfile(const char *name, const isc_uint16_t id, const int alg,
+		 const int type, isc_mem_t *mctx, dst_key_t **keyp);
+/*
+ * Reads a key from permanent storage.
  *
  * Requires:
  *	"name" is not NULL.
@@ -154,41 +143,43 @@ dst_computesecret(const dst_key_t *pub, const dst_key_t *priv,
  *	"alg" is a supported key algorithm.
  *	"type" is either DST_TYPE_PUBLIC or DST_TYPE_PRIVATE.
  *	"mctx" is a valid memory context.
- *	"keyp" is not NULL.
+ *	"keyp" is not NULL and "*keyp" is NULL.
  *
  * Ensures:
  *	If successful, *keyp will contain a valid key.
  */
-isc_result_t
-dst_key_fromfile(const char *name, const isc_uint16_t id, const int alg,
-		 const int type, isc_mem_t *mctx, dst_key_t **keyp);
 
-/* Writes a key to permanent storage.
+isc_result_t
+dst_key_tofile(const dst_key_t *key, const int type);
+/*
+ * Writes a key to permanent storage.
  *
  * Requires:
  *	"key" is a valid key.
  *	"type" is either DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or both.
  */
-isc_result_t
-dst_key_tofile(const dst_key_t *key, const int type);
 
-/* Converts a DNS KEY record into a DST key.
+isc_result_t
+dst_key_fromdns(const char *name, isc_buffer_t *source, isc_mem_t *mctx,
+		dst_key_t **keyp);
+/*
+ * Converts a DNS KEY record into a DST key.
  *
  * Requires:
  *	"name" is not NULL.
  *	"source" is a valid buffer.  There must be at least 4 bytes available.
  *	"mctx" is a valid memory context.
- *	"keyp" is not NULL.
+ *	"keyp" is not NULL and "*keyp" is NULL.
  *
  * Ensures:
  *	If successful, *keyp will contain a valid key, and the consumed
  *	pointer in data will be advanced.
  */
-isc_result_t
-dst_key_fromdns(const char *name, isc_buffer_t *source, isc_mem_t *mctx,
-		dst_key_t **keyp);
 
-/*  Converts a DST key into a DNS KEY record.
+isc_result_t
+dst_key_todns(const dst_key_t *key, isc_buffer_t *target);
+/*
+ * Converts a DST key into a DNS KEY record.
  *
  * Requires:
  *	"key" is a valid key.
@@ -197,28 +188,30 @@ dst_key_fromdns(const char *name, isc_buffer_t *source, isc_mem_t *mctx,
  * Ensures:
  *	If successful, the used pointer in 'target' is advanced by at least 4.
  */
-isc_result_t
-dst_key_todns(const dst_key_t *key, isc_buffer_t *target);
 
-/* Converts a buffer containing DNS KEY RDATA into a DST key.
+isc_result_t
+dst_key_frombuffer(const char *name, const int alg, const int flags,
+		   const int protocol, isc_buffer_t *source, isc_mem_t *mctx,
+		   dst_key_t **keyp);
+/*
+ * Converts a buffer containing DNS KEY RDATA into a DST key.
  *
  * Requires:
  *	"name" is not NULL.
  *	"alg" is a supported key algorithm.
  *	"source" is a valid buffer.
  *	"mctx" is a valid memory context.
- *	"keyp" is not NULL.
+ *	"keyp" is not NULL and "*keyp" is NULL.
  *
  * Ensures:
  *	If successful, *keyp will contain a valid key, and the consumed
  *	pointer in source will be advanced.
  */
-isc_result_t
-dst_key_frombuffer(const char *name, const int alg, const int flags,
-		   const int protocol, isc_buffer_t *source, isc_mem_t *mctx,
-		   dst_key_t **keyp);
 
-/*  Converts a DST key into DNS KEY RDATA format.
+isc_result_t
+dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target);
+/*
+ * Converts a DST key into DNS KEY RDATA format.
  *
  * Requires:
  *	"key" is a valid key.
@@ -227,55 +220,59 @@ dst_key_frombuffer(const char *name, const int alg, const int flags,
  * Ensures:
  *	If successful, the used pointer in 'target' is advanced.
  */
-isc_result_t
-dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target);
 
-/* Generate a DST key (or keypair)
+isc_result_t
+dst_key_generate(const char *name, const int alg, const int bits,
+		 const int param, const int flags, const int protocol,
+		 isc_mem_t *mctx, dst_key_t **keyp);
+/*
+ * Generate a DST key (or keypair)
  *
  * Requires:
  *	"name" is not NULL
  *	"alg" is a supported algorithm
  *	"bits" is a valid key size for the given algorithm
- *	"keyp" is not NULL.
+ *	"keyp" is not NULL and "*keyp" is NULL.
  *
  * Ensures:
  *	If successful, *keyp will contain a valid key.
  */
-isc_result_t
-dst_key_generate(const char *name, const int alg, const int bits,
-		 const int param, const int flags, const int protocol,
-		 isc_mem_t *mctx, dst_key_t **keyp);
 
-/* Compares two DST keys.
+isc_boolean_t
+dst_key_compare(const dst_key_t *key1, const dst_key_t *key2);
+/*
+ * Compares two DST keys.
  *
  * Requires:
  *	"key1" is a valid key.
  *	"key2" is a valid key.
  */
-isc_boolean_t
-dst_key_compare(const dst_key_t *key1, const dst_key_t *key2);
 
-/* Compares the parameters of two DST keys.
+isc_boolean_t
+dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2);
+/*
+ * Compares the parameters of two DST keys.
  *
  * Requires:
  *	"key1" is a valid key.
  *	"key2" is a valid key.
  */
-isc_boolean_t
-dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2);
 
-/* Free a DST key.
+void
+dst_key_free(dst_key_t **keyp);
+/*
+ * Free a DST key.
  *
  * Requires:
- *	"key" is a valid key.
+ *	"keyp" is not NULL and "*keyp" is a valid key.
  *
  * Ensures:
- *	All memory associated with "key" will be freed.
+ *	All memory associated with "*keyp" will be freed.
+ *	*keyp == NULL
  */
-void
-dst_key_free(dst_key_t *key);
 
-/* Accessor functions to obtain key fields.
+/*
+ * Accessor functions to obtain key fields.
  *
  * Require:
  *	"key" is a valid key.
@@ -304,7 +301,47 @@ dst_key_isprivate(const dst_key_t *key);
 isc_boolean_t
 dst_key_iszonekey(const dst_key_t *key);
 
-/* Computes the size of a signature generated by the given key.
+isc_boolean_t
+dst_key_isnullkey(const dst_key_t *key);
+
+isc_result_t
+dst_key_buildfilename(const dst_key_t *key, const int type, isc_buffer_t *out);
+/*
+ * Generates the filename used by dst to store the specified key.
+ *
+ * Requires:
+ *	"key" is a valid key
+ *	"type" is either DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or 0
+ *	"out" is a valid buffer
+ *
+ * Ensures:
+ *	the file name will be written to "out", and the used pointer will
+ *		be advanced.
+ */
+
+isc_result_t
+dst_key_parsefilename(isc_buffer_t *source, isc_mem_t *mctx, char **name,
+		      isc_uint16_t *id, int *alg, char **suffix);
+/*
+ * Parses a dst key filename into its components.
+ *
+ * Requires:
+ *	"source" is a valid buffer
+ *	"mctx" is a valid memory context
+ *	"name" is not NULL and "*name" is NULL
+ *	"id" and "alg" are not NULL
+ *	Either "suffix" is NULL or "suffix" is not NULL and "*suffix" is NULL
+ *
+ * Ensures:
+ *	"*name" will point to allocated memory, as will "*suffix" if suffix
+ *	is not NULL (strlen() + 1 bytes).  The current pointer in source
+ *	will be advanced.
+ */
+
+isc_result_t
+dst_key_sigsize(const dst_key_t *key, unsigned int *n);
+/*
+ * Computes the size of a signature generated by the given key.
  *
  * Requires:
  *	"key" is a valid key.
@@ -314,10 +351,11 @@ dst_key_iszonekey(const dst_key_t *key);
  *	ISC_R_SUCCESS
  *	DST_R_UNSUPPORTEDALG
  */
-isc_result_t
-dst_sig_size(const dst_key_t *key, unsigned int *n);
 
-/* Computes the size of a shared secret generated by the given key.
+isc_result_t
+dst_key_secretsize(const dst_key_t *key, unsigned int *n);
+/*
+ * Computes the size of a shared secret generated by the given key.
  *
  * Requires:
  *	"key" is a valid key.
@@ -327,10 +365,11 @@ dst_sig_size(const dst_key_t *key, unsigned int *n);
  *	ISC_R_SUCCESS
  *	DST_R_UNSUPPORTEDALG
  */
-isc_result_t
-dst_secret_size(const dst_key_t *key, unsigned int *n);
 
-/* Generate random data.
+isc_result_t
+dst_random_get(const unsigned int wanted, isc_buffer_t *data);
+/*
+ * Generate random data.
  *
  * Requires:
  *	"data" is a valid buffer, with at least "wanted" bytes available.
@@ -339,8 +378,6 @@ dst_secret_size(const dst_key_t *key, unsigned int *n);
  *	<= wanted bytes will be written to "data", and the used pointer will
  *		be advanced.
  */
-isc_result_t
-dst_random_get(const unsigned int wanted, isc_buffer_t *data);
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/dns/sec/dst/include/dst/result.h b/lib/dns/sec/dst/include/dst/result.h
index a4ccc783..18968871 100644
--- a/lib/dns/sec/dst/include/dst/result.h
+++ b/lib/dns/sec/dst/include/dst/result.h
@@ -19,10 +19,15 @@
 #define DST_RESULT_H 1
 
 #include <isc/lang.h>
-#include <isc/result.h>
 #include <isc/resultclass.h>
 
-ISC_LANG_BEGINDECLS
+/*
+ * Nothing in this file truly depends on <isc/result.h>, but the
+ * DST result codes are considered to be publicly derived from
+ * the ISC result codes, so including this file buys you the ISC_R_
+ * namespace too.
+ */
+#include <isc/result.h>		/* Contractual promise. */
 
 #define DST_R_UNSUPPORTEDALG		(ISC_RESULTCLASS_DST + 0)
 #define DST_R_UNSUPPORTEDTYPE		(ISC_RESULTCLASS_DST + 1)
@@ -43,12 +48,17 @@ ISC_LANG_BEGINDECLS
 #define DST_R_NOTPRIVATEKEY		(ISC_RESULTCLASS_DST + 16)
 #define DST_R_KEYCANNOTCOMPUTESECRET	(ISC_RESULTCLASS_DST + 17)
 #define DST_R_COMPUTESECRETFAILURE	(ISC_RESULTCLASS_DST + 18)
+#define DST_R_NORANDOMNESS		(ISC_RESULTCLASS_DST + 19)
 
-#define DST_R_NRESULTS			19	/* Number of results */
+#define DST_R_NRESULTS			20	/* Number of results */
+
+ISC_LANG_BEGINDECLS
 
+char *
+dst_result_totext(isc_result_t);
 
-char *                                  dst_result_totext(isc_result_t);
-void					dst_result_register(void);
+void
+dst_result_register(void);
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/dns/sec/dst/openssl_link.c b/lib/dns/sec/dst/openssl_link.c
index 921d144a..0926b802 100644
--- a/lib/dns/sec/dst/openssl_link.c
+++ b/lib/dns/sec/dst/openssl_link.c
@@ -1,83 +1,85 @@
-#if defined(OPENSSL)
-
 /*
  * Portions Copyright (c) 1995-1998 by Network Associates, Inc.
+ * Portions Copyright (C) 1999, 2000  Internet Software Consortium.
  *
- * Permission to use, copy modify, and distribute this software for any
+ * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND NETWORK ASSOCIATES
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL
- * NETWORK ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM AND
+ * NETWORK ASSOCIATES DISCLAIM ALL WARRANTIES WITH REGARD TO THIS
+ * SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ * FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE CONSORTIUM OR NETWORK
+ * ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
+ * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
  */
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.14 2000/03/07 19:27:50 bwelling Exp $
+ * $Id: openssl_link.c,v 1.23 2000/05/15 21:30:44 bwelling Exp $
  */
+#if defined(OPENSSL)
 
 #include <config.h>
 
-#include <stdio.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <string.h>
-#include <memory.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
-#include <isc/assertions.h>
-#include <isc/buffer.h>
-#include <isc/int.h>
-#include <isc/region.h>
+#include <dst/result.h>
 
 #include "dst_internal.h"
 #include "dst_parse.h"
 
-#include <openssl/crypto.h>
-#include <openssl/bn.h>
 #include <openssl/dsa.h>
 #include <openssl/sha.h>
 
 static struct dst_func openssl_functions;
 
-static isc_result_t	dst_openssl_sign(const unsigned int mode,
-					 dst_key_t *key,
-					 void **context, isc_region_t *data,
-					 isc_buffer_t *sig, isc_mem_t *mctx);
-static isc_result_t	dst_openssl_verify(const unsigned int mode,
-					   dst_key_t *key,
-					   void **context, isc_region_t *data,
-					   isc_region_t *sig, isc_mem_t *mctx);
-static isc_boolean_t	dst_openssl_compare(const dst_key_t *key1,
-					    const dst_key_t *key2);
-static isc_result_t	dst_openssl_generate(dst_key_t *key, int unused,
-					     isc_mem_t *mctx);
-static isc_boolean_t	dst_openssl_isprivate(const dst_key_t *key);
-static void		dst_openssl_destroy(void *key, isc_mem_t *mctx);
-static isc_result_t	dst_openssl_to_dns(const dst_key_t *in_key,
-					   isc_buffer_t *data);
-static isc_result_t	dst_openssl_from_dns(dst_key_t *key, isc_buffer_t *data,
-					     isc_mem_t *mctx);
-static isc_result_t	dst_openssl_to_file(const dst_key_t *key);
-static isc_result_t	dst_openssl_from_file(dst_key_t *key,
-					      const isc_uint16_t id,
-					      isc_mem_t *mctx);
-
-static int		BN_bn2bin_fixed(BIGNUM *bn, unsigned char *buf,
-					int size);
+static isc_result_t
+dst_openssl_sign(const unsigned int mode, dst_key_t *key, void **context,
+		 isc_region_t *data, isc_buffer_t *sig, isc_mem_t *mctx);
 
+static isc_result_t
+dst_openssl_verify(const unsigned int mode, dst_key_t *key, void **context,
+		   isc_region_t *data, isc_region_t *sig, isc_mem_t *mctx);
+
+static isc_boolean_t
+dst_openssl_compare(const dst_key_t *key1, const dst_key_t *key2);
+
+static isc_result_t
+dst_openssl_generate(dst_key_t *key, int unused, isc_mem_t *mctx);
+
+static isc_boolean_t
+dst_openssl_isprivate(const dst_key_t *key);
+
+static void
+dst_openssl_destroy(void *key, isc_mem_t *mctx);
+
+static isc_result_t
+dst_openssl_to_dns(const dst_key_t *in_key, isc_buffer_t *data);
+
+static isc_result_t
+dst_openssl_from_dns(dst_key_t *key, isc_buffer_t *data, isc_mem_t *mctx);
+
+static isc_result_t
+dst_openssl_to_file(const dst_key_t *key);
+
+static isc_result_t
+dst_openssl_from_file(dst_key_t *key, const isc_uint16_t id, isc_mem_t *mctx);
+
+static int
+BN_bn2bin_fixed(BIGNUM *bn, unsigned char *buf, int size);
 
 /*
  * dst_s_openssldsa_init()
  * Sets up function pointers for OpenSSL related functions 
  */
 void
-dst_s_openssldsa_init() {
+dst_s_openssldsa_init(void) {
 	REQUIRE(dst_t_func[DST_ALG_DSA] == NULL);
 	dst_t_func[DST_ALG_DSA] = &openssl_functions;
 	memset(&openssl_functions, 0, sizeof(struct dst_func));
@@ -140,7 +142,7 @@ dst_openssl_sign(const unsigned int mode, dst_key_t *key, void **context,
 		DSA_SIG *dsasig;
 		unsigned char digest[SHA_DIGEST_LENGTH];
 
-		isc_buffer_available(sig, &r);
+		isc_buffer_availableregion(sig, &r);
 		if (r.length < SHA_DIGEST_LENGTH * 2 + 1)
 			return (ISC_R_NOSPACE);
 
@@ -272,17 +274,18 @@ dst_openssl_to_dns(const dst_key_t *key, isc_buffer_t *data) {
 	DSA *dsa;
 	isc_region_t r;
 	int dnslen;
-	unsigned int t;
+	unsigned int t, p_bytes;
 
 	REQUIRE(key->opaque != NULL);
 
 	dsa = (DSA *) key->opaque;
 
-	isc_buffer_available(data, &r);
+	isc_buffer_availableregion(data, &r);
 
 	t = (BN_num_bytes(dsa->p) - 64) / 8;
 	if (t > 8)
 		return (DST_R_INVALIDPUBLICKEY);
+	p_bytes = 64 + 8 * t;
 
 	dnslen = 1 + (key->key_size * 3)/8 + SHA_DIGEST_LENGTH;
 	if (r.length < (unsigned int) dnslen)
@@ -292,11 +295,11 @@ dst_openssl_to_dns(const dst_key_t *key, isc_buffer_t *data) {
 	BN_bn2bin_fixed(dsa->q, r.base, SHA_DIGEST_LENGTH);
 	r.base += SHA_DIGEST_LENGTH;
 	BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
-	r.base += key->key_size/8;
+	r.base += p_bytes;
 	BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
-	r.base += key->key_size/8;
+	r.base += p_bytes;
 	BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
-	r.base += key->key_size/8;
+	r.base += p_bytes;
 
 	isc_buffer_add(data, dnslen);
 
@@ -320,14 +323,13 @@ dst_openssl_from_dns(dst_key_t *key, isc_buffer_t *data, isc_mem_t *mctx) {
 	isc_region_t r;
 	unsigned int t, p_bytes;
 
-	mctx = mctx;	/* make the compiler happy */
+	UNUSED(mctx);
 
-	isc_buffer_remaining(data, &r);
+	isc_buffer_remainingregion(data, &r);
 	if (r.length == 0)
 		return (ISC_R_SUCCESS);
 
 	dsa = DSA_new();
-/*	dsa = (DSA *) isc_mem_get(mctx, sizeof(DSA));*/
 	if (dsa == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -347,20 +349,20 @@ dst_openssl_from_dns(dst_key_t *key, isc_buffer_t *data, isc_mem_t *mctx) {
 	r.base += SHA_DIGEST_LENGTH;
 
 	dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
-	r.base += SHA_DIGEST_LENGTH;
+	r.base += p_bytes;
 
 	dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
-	r.base += SHA_DIGEST_LENGTH;
+	r.base += p_bytes;
 
 	dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
-	r.base += SHA_DIGEST_LENGTH;
+	r.base += p_bytes;
 
-	isc_buffer_remaining(data, &r);
+	isc_buffer_remainingregion(data, &r);
 	key->key_id = dst_s_id_calc(r.base,
 				    1 + SHA_DIGEST_LENGTH + 3 * p_bytes);
 	key->key_size = p_bytes * 8;
 
-	isc_buffer_forward(data, SHA_DIGEST_LENGTH + 3 * p_bytes);
+	isc_buffer_forward(data, 1 + SHA_DIGEST_LENGTH + 3 * p_bytes);
 
 	key->opaque = (void *) dsa;
 
@@ -420,8 +422,7 @@ dst_openssl_to_file(const dst_key_t *key) {
 	cnt++;
 
 	priv.nelements = cnt;
-	return (dst_s_write_private_key_file(key->key_name, key->key_alg,
-					     key->key_id, &priv));
+	return (dst_s_write_private_key_file(key, &priv));
 }
 
 
@@ -449,8 +450,7 @@ dst_openssl_from_file(dst_key_t *key, const isc_uint16_t id, isc_mem_t *mctx) {
 #define DST_RET(a) {ret = a; goto err;}
 
 	/* read private key file */
-	ret = dst_s_parse_private_key_file(key->key_name, key->key_alg, 
-					   id, &priv, mctx);
+	ret = dst_s_parse_private_key_file(key, id, &priv, mctx);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
 
@@ -487,12 +487,11 @@ dst_openssl_from_file(dst_key_t *key, const isc_uint16_t id, isc_mem_t *mctx) {
 	dst_s_free_private_structure_fields(&priv, mctx);
 
 	key->key_size = BN_num_bits(dsa->p);
-	isc_buffer_init(&dns, dns_array, sizeof(dns_array),
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&dns, dns_array, sizeof(dns_array));
 	ret = dst_openssl_to_dns(key, &dns);
 	if (ret != ISC_R_SUCCESS)
 		DST_RET(ret);
-	isc_buffer_used(&dns, &r);
+	isc_buffer_usedregion(&dns, &r);
 	key->key_id = dst_s_id_calc(r.base, r.length);
 
 	if (key->key_id != id)
@@ -515,11 +514,12 @@ dst_openssl_from_file(dst_key_t *key, const isc_uint16_t id, isc_mem_t *mctx) {
 static void
 dst_openssl_destroy(void *key, isc_mem_t *mctx) {
 	DSA *dsa = (DSA *) key;
+
+	UNUSED(mctx);
+
 	if (dsa == NULL)
 		return;
 
-	mctx = mctx;	/* make the compiler happy */
-
 	DSA_free(dsa);
 }
 
@@ -545,11 +545,10 @@ dst_openssl_generate(dst_key_t *key, int unused, isc_mem_t *mctx) {
 	isc_result_t ret;
 	isc_region_t r;
 
-	unused = unused;	/* make the compiler happy */
-	mctx = mctx;		/* make the compiler happy */
+	UNUSED(unused);
+	UNUSED(mctx);
 
-	isc_buffer_init(&rand, rand_array, sizeof(rand_array),
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&rand, rand_array, sizeof(rand_array));
 	ret = dst_random_get(SHA_DIGEST_LENGTH, &rand);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
@@ -566,10 +565,9 @@ dst_openssl_generate(dst_key_t *key, int unused, isc_mem_t *mctx) {
 
 	key->opaque = dsa;
 
-	isc_buffer_init(&dns, dns_array, sizeof(dns_array),
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&dns, dns_array, sizeof(dns_array));
 	dst_openssl_to_dns(key, &dns);
-	isc_buffer_used(&dns, &r);
+	isc_buffer_usedregion(&dns, &r);
 	key->key_id = dst_s_id_calc(r.base, r.length);
 
 	return (ISC_R_SUCCESS);
@@ -622,4 +620,4 @@ BN_bn2bin_fixed(BIGNUM *bn, unsigned char *buf, int size) {
 	return (size);
 }	
 
-#endif
+#endif /* OPENSSL */
diff --git a/lib/dns/sec/dst/openssldh_link.c b/lib/dns/sec/dst/openssldh_link.c
index ed9edb42..6f05be7a 100644
--- a/lib/dns/sec/dst/openssldh_link.c
+++ b/lib/dns/sec/dst/openssldh_link.c
@@ -1,79 +1,94 @@
-#if defined(OPENSSL)
-
 /*
  * Portions Copyright (c) 1995-1998 by Network Associates, Inc.
+ * Portions Copyright (C) 1999, 2000  Internet Software Consortium.
  *
- * Permission to use, copy modify, and distribute this software for any
+ * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND NETWORK ASSOCIATES
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL
- * NETWORK ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM AND
+ * NETWORK ASSOCIATES DISCLAIM ALL WARRANTIES WITH REGARD TO THIS
+ * SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ * FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE CONSORTIUM OR NETWORK
+ * ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
+ * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
  */
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssldh_link.c,v 1.8 2000/03/07 19:27:50 bwelling Exp $
+ * $Id: openssldh_link.c,v 1.16 2000/05/15 21:30:45 bwelling Exp $
  */
 
+#if defined(OPENSSL)
+
 #include <config.h>
 
-#include <stdio.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <string.h>
-#include <memory.h>
 #include <ctype.h>
 
-#include <isc/assertions.h>
-#include <isc/buffer.h>
-#include <isc/error.h>
-#include <isc/int.h>
-#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
 
 #include "dst_internal.h"
 #include "dst_parse.h"
 
-#include <openssl/crypto.h>
-#include <openssl/bn.h>
 #include <openssl/dh.h>
 
-#define PRIME768 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF"
+#define PRIME768 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088" \
+	"A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25" \
+	"F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF"
 
-#define PRIME1024 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
+#define PRIME1024 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08" \
+	"8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF2" \
+	"5F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406" \
+	"B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
 
 static struct dst_func openssldh_functions;
 
-static isc_result_t	dst_openssldh_computesecret(const dst_key_t *pub,
-						    const dst_key_t *priv,
-						    isc_buffer_t *secret);
-static isc_boolean_t	dst_openssldh_compare(const dst_key_t *key1,
-					      const dst_key_t *key2);
-static isc_boolean_t	dst_openssldh_paramcompare(const dst_key_t *key1,
-						   const dst_key_t *key2);
-static isc_result_t	dst_openssldh_generate(dst_key_t *key, int generator,
-					       isc_mem_t *mctx);
-static isc_boolean_t	dst_openssldh_isprivate(const dst_key_t *key);
-static void		dst_openssldh_destroy(void *key, isc_mem_t *mctx);
-static isc_result_t	dst_openssldh_to_dns(const dst_key_t *in_key,
-					     isc_buffer_t *data);
-static isc_result_t	dst_openssldh_from_dns(dst_key_t *key,
-					       isc_buffer_t *data,
-					       isc_mem_t *mctx);
-static isc_result_t	dst_openssldh_to_file(const dst_key_t *key);
-static isc_result_t	dst_openssldh_from_file(dst_key_t *key,
-						const isc_uint16_t id,
-						isc_mem_t *mctx);
-
-static void		uint16_toregion(isc_uint16_t val, isc_region_t *region);
-static isc_uint16_t	uint16_fromregion(isc_region_t *region);
-static void		BN_fromhex(BIGNUM *b, const char *str);
+static isc_result_t
+dst_openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+			    isc_buffer_t *secret);
+
+static isc_boolean_t
+dst_openssldh_compare(const dst_key_t *key1, const dst_key_t *key2);
+
+static isc_boolean_t
+dst_openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2);
+
+static isc_result_t
+dst_openssldh_generate(dst_key_t *key, int generator, isc_mem_t *mctx);
+
+static isc_boolean_t
+dst_openssldh_isprivate(const dst_key_t *key);
+
+static void
+dst_openssldh_destroy(void *key, isc_mem_t *mctx);
+
+static isc_result_t
+dst_openssldh_to_dns(const dst_key_t *in_key, isc_buffer_t *data);
+
+static isc_result_t
+dst_openssldh_from_dns(dst_key_t *key, isc_buffer_t *data, isc_mem_t *mctx);
+
+static isc_result_t
+dst_openssldh_to_file(const dst_key_t *key);
+
+static isc_result_t
+dst_openssldh_from_file(dst_key_t *key, const isc_uint16_t id,
+			isc_mem_t *mctx);
+
+static void
+uint16_toregion(isc_uint16_t val, isc_region_t *region);
+
+static isc_uint16_t
+uint16_fromregion(isc_region_t *region);
+
+static void
+BN_fromhex(BIGNUM *b, const char *str);
 
 static BIGNUM bn2, bn768, bn1024;
 
@@ -82,8 +97,7 @@ static BIGNUM bn2, bn768, bn1024;
  * Sets up function pointers for OpenSSL related functions 
  */
 void
-dst_s_openssldh_init()
-{
+dst_s_openssldh_init(void) {
 	REQUIRE(dst_t_func[DST_ALG_DH] == NULL);
 	dst_t_func[DST_ALG_DH] = &openssldh_functions;
 	memset(&openssldh_functions, 0, sizeof(struct dst_func));
@@ -136,7 +150,7 @@ dst_openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
 	dhpriv = (DH *) priv->opaque;
 
 	len = DH_size(dhpriv);
-	isc_buffer_available(secret, &r);
+	isc_buffer_availableregion(secret, &r);
 	if (r.length < len)
 		return (ISC_R_NOSPACE);
 	ret = DH_compute_key(r.base, dhpub->pub_key, dhpriv);
@@ -183,7 +197,7 @@ dst_openssldh_to_dns(const dst_key_t *key, isc_buffer_t *data) {
 
 	dh = (DH *) key->opaque;
 
-	isc_buffer_available(data, &r);
+	isc_buffer_availableregion(data, &r);
 
 	if (dh->g == &bn2 && (dh->p == &bn768 || dh->p == &bn1024)) {
 		plen = 1;
@@ -241,9 +255,9 @@ dst_openssldh_from_dns(dst_key_t *key, isc_buffer_t *data, isc_mem_t *mctx) {
 	isc_uint16_t plen, glen, publen;
 	int special = 0;
 
-	mctx = mctx;	/* make the compiler happy */
+	UNUSED(mctx);
 
-	isc_buffer_remaining(data, &r);
+	isc_buffer_remainingregion(data, &r);
 	if (r.length == 0)
 		return (ISC_R_SUCCESS);
 
@@ -340,7 +354,7 @@ dst_openssldh_from_dns(dst_key_t *key, isc_buffer_t *data, isc_mem_t *mctx) {
 	dh->pub_key = BN_bin2bn(r.base, publen, NULL);
 	r.base += publen;
 
-	isc_buffer_remaining(data, &r);
+	isc_buffer_remainingregion(data, &r);
 	key->key_id = dst_s_id_calc(r.base, plen + glen + publen + 6);
 	key->key_size = BN_num_bits(dh->p);
 
@@ -398,8 +412,7 @@ dst_openssldh_to_file(const dst_key_t *key) {
 	cnt++;
 
 	priv.nelements = cnt;
-	return (dst_s_write_private_key_file(key->key_name, key->key_alg,
-					     key->key_id, &priv));
+	return (dst_s_write_private_key_file(key, &priv));
 }
 
 
@@ -416,7 +429,8 @@ dst_openssldh_to_file(const dst_key_t *key) {
  */
 
 static isc_result_t 
-dst_openssldh_from_file(dst_key_t *key, const isc_uint16_t id, isc_mem_t *mctx) {
+dst_openssldh_from_file(dst_key_t *key, const isc_uint16_t id,
+			isc_mem_t *mctx) {
 	dst_private_t priv;
 	isc_result_t ret;
 	isc_buffer_t dns;
@@ -427,8 +441,7 @@ dst_openssldh_from_file(dst_key_t *key, const isc_uint16_t id, isc_mem_t *mctx)
 #define DST_RET(a) {ret = a; goto err;}
 
 	/* read private key file */
-	ret = dst_s_parse_private_key_file(key->key_name, key->key_alg, 
-					   id, &priv, mctx);
+	ret = dst_s_parse_private_key_file(key, id, &priv, mctx);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
 
@@ -479,12 +492,11 @@ dst_openssldh_from_file(dst_key_t *key, const isc_uint16_t id, isc_mem_t *mctx)
 			dh->g = &bn2;
 		}
 	}
-	isc_buffer_init(&dns, dns_array, sizeof(dns_array),
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&dns, dns_array, sizeof(dns_array));
 	ret = dst_openssldh_to_dns(key, &dns);
 	if (ret != ISC_R_SUCCESS)
 		DST_RET(ret);
-	isc_buffer_used(&dns, &r);
+	isc_buffer_usedregion(&dns, &r);
 	key->key_id = dst_s_id_calc(r.base, r.length);
 
 	if (key->key_id != id)
@@ -507,11 +519,12 @@ dst_openssldh_from_file(dst_key_t *key, const isc_uint16_t id, isc_mem_t *mctx)
 static void
 dst_openssldh_destroy(void *key, isc_mem_t *mctx) {
 	DH *dh = (DH *) key;
+
+	UNUSED(mctx);
+	
 	if (dh == NULL)
 		return;
 
-	mctx = mctx;	/* make the compiler happy */
-
 	if (dh->p == &bn768 || dh->p == &bn1024)
 		dh->p = NULL;
 	if (dh->g == &bn2)
@@ -539,7 +552,7 @@ dst_openssldh_generate(dst_key_t *key, int generator, isc_mem_t *mctx) {
 	isc_buffer_t dns;
 	isc_region_t r;
 
-	mctx = mctx;		/* make the compiler happy */
+	UNUSED(mctx);
 
 	if (generator == 0) {
 		if (key->key_size == 768 || key->key_size == 1024) {
@@ -570,10 +583,9 @@ dst_openssldh_generate(dst_key_t *key, int generator, isc_mem_t *mctx) {
 
 	key->opaque = dh;
 
-	isc_buffer_init(&dns, dns_array, sizeof(dns_array),
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&dns, dns_array, sizeof(dns_array));
 	dst_openssldh_to_dns(key, &dns);
-	isc_buffer_used(&dns, &r);
+	isc_buffer_usedregion(&dns, &r);
 	key->key_id = dst_s_id_calc(r.base, r.length);
 
 	return (ISC_R_SUCCESS);
@@ -674,11 +686,11 @@ BN_fromhex(BIGNUM *b, const char *str) {
 		char *s;
 		unsigned int high, low;
 
-		s = strchr(hexdigits, tolower(str[i]));
+		s = strchr(hexdigits, tolower((unsigned char)str[i]));
 		RUNTIME_CHECK(s != NULL);
 		high = s - hexdigits;
 
-		s = strchr(hexdigits, tolower(str[i + 1]));
+		s = strchr(hexdigits, tolower((unsigned char)str[i + 1]));
 		RUNTIME_CHECK(s != NULL);
 		low = s - hexdigits;
 
@@ -688,4 +700,4 @@ BN_fromhex(BIGNUM *b, const char *str) {
 	RUNTIME_CHECK(out != NULL);
 }
 
-#endif
+#endif /* OPENSSL */
diff --git a/lib/dns/sec/dst/opensslmd5_link.c b/lib/dns/sec/dst/opensslmd5_link.c
index 9f2d355c..3698364e 100644
--- a/lib/dns/sec/dst/opensslmd5_link.c
+++ b/lib/dns/sec/dst/opensslmd5_link.c
@@ -1,51 +1,39 @@
-#if defined(OPENSSL)
-
 /*
  * Portions Copyright (c) 1995-1998 by Network Associates, Inc.
+ * Portions Copyright (C) 1999, 2000  Internet Software Consortium.
  *
- * Permission to use, copy modify, and distribute this software for any
+ * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
- * THE SOFTWARE IS PROVIDED "AS IS" AND NETWORK ASSOCIATES
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL
- * NETWORK ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM AND
+ * NETWORK ASSOCIATES DISCLAIM ALL WARRANTIES WITH REGARD TO THIS
+ * SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ * FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE CONSORTIUM OR NETWORK
+ * ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
+ * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
  */
 
 /*
  * Principal Author: Brian Wellington
- * $Id: opensslmd5_link.c,v 1.3 2000/03/06 20:06:01 bwelling Exp $
+ * $Id: opensslmd5_link.c,v 1.7 2000/05/08 14:37:10 tale Exp $
  */
 
-#include <config.h>
+#if defined(OPENSSL)
 
-#include <stdio.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <string.h>
-#include <memory.h>
+#include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/buffer.h>
-#include <isc/int.h>
-#include <isc/region.h>
+#include <isc/mem.h>
+#include <isc/util.h>
 
 #include "dst_internal.h"
 #include "dst_parse.h"
 
-#include <openssl/crypto.h>
-#include <openssl/bn.h>
 #include <openssl/md5.h>
 
-#define MD5Init MD5_Init
-#define MD5Update MD5_Update
-#define MD5Final MD5_Final
-
 /*
  * dst_s_md5
  *	Call MD5 functions to digest a block of data.
@@ -79,17 +67,17 @@ dst_s_md5(const unsigned int mode, void **context, isc_region_t *data,
 	REQUIRE (ctx != NULL);
 
 	if (mode & DST_SIGMODE_INIT)
-		MD5Init(ctx);
+		MD5_Init(ctx);
 
 	if (mode & DST_SIGMODE_UPDATE)
-		MD5Update(ctx, data->base, data->length);
+		MD5_Update(ctx, data->base, data->length);
 
 	if (mode & DST_SIGMODE_FINAL) {
-		isc_buffer_available(digest, &r);
+		isc_buffer_availableregion(digest, &r);
 		if (r.length < MD5_DIGEST_LENGTH)
 			return (ISC_R_NOSPACE);
 
-		MD5Final(r.base, ctx);
+		MD5_Final(r.base, ctx);
 		isc_buffer_add(digest, MD5_DIGEST_LENGTH);
 		isc_mem_put(mctx, ctx, sizeof(MD5_CTX));
 	}
@@ -99,4 +87,4 @@ dst_s_md5(const unsigned int mode, void **context, isc_region_t *data,
 	return (ISC_R_SUCCESS);
 }
 
-#endif
+#endif /* OPENSSL */
diff --git a/lib/dns/sec/openssl/Makefile.in b/lib/dns/sec/openssl/Makefile.in
index 5ffba57d..8dafd039 100644
--- a/lib/dns/sec/openssl/Makefile.in
+++ b/lib/dns/sec/openssl/Makefile.in
@@ -19,7 +19,7 @@ top_srcdir =	@top_srcdir@
 
 CINCLUDES =	-I${srcdir}/include
 
-CDEFINES =	-DMFUNC
+CDEFINES =	-DMFUNC @DST_PRIVATEOPENSSL@
 CWARNINGS =
 
 LIBS =		@LIBS@
diff --git a/lib/dns/sec/openssl/bn_add.c b/lib/dns/sec/openssl/bn_add.c
index 5d246912..21f1c7ed 100644
--- a/lib/dns/sec/openssl/bn_add.c
+++ b/lib/dns/sec/openssl/bn_add.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
diff --git a/lib/dns/sec/openssl/bn_asm.c b/lib/dns/sec/openssl/bn_asm.c
index 3329cc18..7fbb68a5 100644
--- a/lib/dns/sec/openssl/bn_asm.c
+++ b/lib/dns/sec/openssl/bn_asm.c
@@ -61,8 +61,11 @@
 # define NDEBUG
 #endif
 
-#include <stdio.h>
+#include <config.h>
+#include "../rename.h"
+
 #include <assert.h>
+#include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
 
@@ -431,6 +434,9 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
 #undef bn_sqr_comba8
 #undef bn_sqr_comba4
 
+#undef SEC_RENAME_H		/* force multiple inclusion */
+#include "../rename.h"
+
 /* mul_add_c(a,b,c0,c1,c2)  -- c+=a*b for three word number c=(c2,c1,c0) */
 /* mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0) */
 /* sqr_add_c(a,i,c0,c1,c2)  -- c+=a[i]^2 for three word number c=(c2,c1,c0) */
diff --git a/lib/dns/sec/openssl/bn_ctx.c b/lib/dns/sec/openssl/bn_ctx.c
index 46132fd1..26b8d9a2 100644
--- a/lib/dns/sec/openssl/bn_ctx.c
+++ b/lib/dns/sec/openssl/bn_ctx.c
@@ -54,6 +54,9 @@
  *
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #ifndef BN_CTX_DEBUG
 # undef NDEBUG /* avoid conflicting definitions */
 # define NDEBUG
diff --git a/lib/dns/sec/openssl/bn_div.c b/lib/dns/sec/openssl/bn_div.c
index 07af1d3b..f81adaae 100644
--- a/lib/dns/sec/openssl/bn_div.c
+++ b/lib/dns/sec/openssl/bn_div.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include <openssl/bn.h>
 #include "cryptlib.h"
diff --git a/lib/dns/sec/openssl/bn_err.c b/lib/dns/sec/openssl/bn_err.c
index f3b9497d..3e943399 100644
--- a/lib/dns/sec/openssl/bn_err.c
+++ b/lib/dns/sec/openssl/bn_err.c
@@ -57,6 +57,9 @@
  * made to it will be overwritten when the script next updates this file.
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include <openssl/err.h>
 #include <openssl/bn.h>
diff --git a/lib/dns/sec/openssl/bn_exp.c b/lib/dns/sec/openssl/bn_exp.c
index 0c116016..22f10b41 100644
--- a/lib/dns/sec/openssl/bn_exp.c
+++ b/lib/dns/sec/openssl/bn_exp.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
diff --git a/lib/dns/sec/openssl/bn_exp2.c b/lib/dns/sec/openssl/bn_exp2.c
index 4f4e9e32..bd296de3 100644
--- a/lib/dns/sec/openssl/bn_exp2.c
+++ b/lib/dns/sec/openssl/bn_exp2.c
@@ -1,3 +1,6 @@
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
diff --git a/lib/dns/sec/openssl/bn_gcd.c b/lib/dns/sec/openssl/bn_gcd.c
index 39820719..dbc80ae9 100644
--- a/lib/dns/sec/openssl/bn_gcd.c
+++ b/lib/dns/sec/openssl/bn_gcd.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
diff --git a/lib/dns/sec/openssl/bn_lcl.h b/lib/dns/sec/openssl/bn_lcl.h
index de4a1d94..63f30422 100644
--- a/lib/dns/sec/openssl/bn_lcl.h
+++ b/lib/dns/sec/openssl/bn_lcl.h
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef HEADER_BN_LCL_H
-#define HEADER_BN_LCL_H
+#ifndef OPENSSL_BN_LCL_H
+#define OPENSSL_BN_LCL_H 1
 
 #include <openssl/bn.h>
 
@@ -235,17 +235,6 @@ extern "C" {
 #define OPENSSL_EXTERN extern
 #define NO_BIO
 
-OPENSSL_EXTERN int bn_limit_bits;
-OPENSSL_EXTERN int bn_limit_num;        /* (1<<bn_limit_bits) */
-/* Recursive 'low' limit */
-OPENSSL_EXTERN int bn_limit_bits_low;
-OPENSSL_EXTERN int bn_limit_num_low;    /* (1<<bn_limit_bits_low) */
-/* Do modified 'high' part calculation' */
-OPENSSL_EXTERN int bn_limit_bits_high;
-OPENSSL_EXTERN int bn_limit_num_high;   /* (1<<bn_limit_bits_high) */
-OPENSSL_EXTERN int bn_limit_bits_mont;
-OPENSSL_EXTERN int bn_limit_num_mont;   /* (1<<bn_limit_bits_mont) */
-
 BIGNUM *bn_expand2(BIGNUM *b, int bits);
 
 void bn_mul_normal(BN_ULONG *r,BN_ULONG *a,int na,BN_ULONG *b,int nb);
@@ -269,4 +258,4 @@ void bn_mul_high(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,BN_ULONG *l,int n2,
 }
 #endif
 
-#endif
+#endif /* OPENSSL_BN_LCL_H */
diff --git a/lib/dns/sec/openssl/bn_lib.c b/lib/dns/sec/openssl/bn_lib.c
index 4ee26e21..a0c0b224 100644
--- a/lib/dns/sec/openssl/bn_lib.c
+++ b/lib/dns/sec/openssl/bn_lib.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
diff --git a/lib/dns/sec/openssl/bn_mont.c b/lib/dns/sec/openssl/bn_mont.c
index 7bb0b912..4eea5d6a 100644
--- a/lib/dns/sec/openssl/bn_mont.c
+++ b/lib/dns/sec/openssl/bn_mont.c
@@ -63,6 +63,9 @@
  * sections 3.8 and 4.2 in http://security.ece.orst.edu/koc/papers/r01rsasw.pdf
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
diff --git a/lib/dns/sec/openssl/bn_mul.c b/lib/dns/sec/openssl/bn_mul.c
index eb007e19..e511330e 100644
--- a/lib/dns/sec/openssl/bn_mul.c
+++ b/lib/dns/sec/openssl/bn_mul.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
diff --git a/lib/dns/sec/openssl/bn_prime.c b/lib/dns/sec/openssl/bn_prime.c
index a5f01b92..bbb1439d 100644
--- a/lib/dns/sec/openssl/bn_prime.c
+++ b/lib/dns/sec/openssl/bn_prime.c
@@ -109,6 +109,9 @@
  *
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include <time.h>
 #include "cryptlib.h"
diff --git a/lib/dns/sec/openssl/bn_prime.h b/lib/dns/sec/openssl/bn_prime.h
index 6fce0210..d63e3dac 100644
--- a/lib/dns/sec/openssl/bn_prime.h
+++ b/lib/dns/sec/openssl/bn_prime.h
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#ifndef OPENSSL_BN_PRIME_H
+#define OPENSSL_BN_PRIME_H 1
+
 #ifndef EIGHT_BIT
 #define NUMPRIMES 2048
 #else
@@ -323,3 +326,5 @@ static unsigned int primes[NUMPRIMES]=
 	17789,17791,17807,17827,17837,17839,17851,17863,
 #endif
 	};
+
+#endif /* OPENSSL_BN_PRIME_H */
diff --git a/lib/dns/sec/openssl/bn_print.c b/lib/dns/sec/openssl/bn_print.c
index c5469f9e..0527f886 100644
--- a/lib/dns/sec/openssl/bn_print.c
+++ b/lib/dns/sec/openssl/bn_print.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include <ctype.h>
 #include "cryptlib.h"
diff --git a/lib/dns/sec/openssl/bn_rand.c b/lib/dns/sec/openssl/bn_rand.c
index 943712c1..08f6b68f 100644
--- a/lib/dns/sec/openssl/bn_rand.c
+++ b/lib/dns/sec/openssl/bn_rand.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include <time.h>
 #include "cryptlib.h"
diff --git a/lib/dns/sec/openssl/bn_recp.c b/lib/dns/sec/openssl/bn_recp.c
index ecc73c7b..6f8202f9 100644
--- a/lib/dns/sec/openssl/bn_recp.c
+++ b/lib/dns/sec/openssl/bn_recp.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
diff --git a/lib/dns/sec/openssl/bn_shift.c b/lib/dns/sec/openssl/bn_shift.c
index 61aae65a..3ea3f1c3 100644
--- a/lib/dns/sec/openssl/bn_shift.c
+++ b/lib/dns/sec/openssl/bn_shift.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
diff --git a/lib/dns/sec/openssl/bn_sqr.c b/lib/dns/sec/openssl/bn_sqr.c
index fe00c5f6..daaa548f 100644
--- a/lib/dns/sec/openssl/bn_sqr.c
+++ b/lib/dns/sec/openssl/bn_sqr.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
diff --git a/lib/dns/sec/openssl/bn_word.c b/lib/dns/sec/openssl/bn_word.c
index 73157a7d..51d718e1 100644
--- a/lib/dns/sec/openssl/bn_word.c
+++ b/lib/dns/sec/openssl/bn_word.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
diff --git a/lib/dns/sec/openssl/buffer.c b/lib/dns/sec/openssl/buffer.c
index c3a108ea..acbf48b7 100644
--- a/lib/dns/sec/openssl/buffer.c
+++ b/lib/dns/sec/openssl/buffer.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/buffer.h>
diff --git a/lib/dns/sec/openssl/cryptlib.c b/lib/dns/sec/openssl/cryptlib.c
index a8f29f1e..c450c7e1 100644
--- a/lib/dns/sec/openssl/cryptlib.c
+++ b/lib/dns/sec/openssl/cryptlib.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include <string.h>
 #include "cryptlib.h"
diff --git a/lib/dns/sec/openssl/cryptlib.h b/lib/dns/sec/openssl/cryptlib.h
index e3d38524..de6c17b9 100644
--- a/lib/dns/sec/openssl/cryptlib.h
+++ b/lib/dns/sec/openssl/cryptlib.h
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef HEADER_CRYPTLIB_H
-#define HEADER_CRYPTLIB_H
+#ifndef OPENSSL_CRYPTLIB_H
+#define OPENSSL_CRYPTLIB_H 1
 
 #include <stdlib.h>
 #include <string.h>
@@ -93,4 +93,4 @@ extern "C" {
 }
 #endif
 
-#endif
+#endif /* OPENSSL_CRYPTLIB_H */
diff --git a/lib/dns/sec/openssl/dh_err.c b/lib/dns/sec/openssl/dh_err.c
index 0348bd24..84deb6f5 100644
--- a/lib/dns/sec/openssl/dh_err.c
+++ b/lib/dns/sec/openssl/dh_err.c
@@ -57,6 +57,9 @@
  * made to it will be overwritten when the script next updates this file.
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include <openssl/err.h>
 #include <openssl/dh.h>
diff --git a/lib/dns/sec/openssl/dh_gen.c b/lib/dns/sec/openssl/dh_gen.c
index 7a6a38fb..7aff041f 100644
--- a/lib/dns/sec/openssl/dh_gen.c
+++ b/lib/dns/sec/openssl/dh_gen.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/bn.h>
diff --git a/lib/dns/sec/openssl/dh_key.c b/lib/dns/sec/openssl/dh_key.c
index 7d851378..cf220501 100644
--- a/lib/dns/sec/openssl/dh_key.c
+++ b/lib/dns/sec/openssl/dh_key.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/bn.h>
diff --git a/lib/dns/sec/openssl/dh_lib.c b/lib/dns/sec/openssl/dh_lib.c
index 6c214630..cc6fe210 100644
--- a/lib/dns/sec/openssl/dh_lib.c
+++ b/lib/dns/sec/openssl/dh_lib.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/bn.h>
diff --git a/lib/dns/sec/openssl/dsa_asn1.c b/lib/dns/sec/openssl/dsa_asn1.c
index 3bc02163..8123d8e7 100644
--- a/lib/dns/sec/openssl/dsa_asn1.c
+++ b/lib/dns/sec/openssl/dsa_asn1.c
@@ -1,5 +1,8 @@
 /* crypto/dsa/dsa_asn1.c */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/dsa.h>
diff --git a/lib/dns/sec/openssl/dsa_err.c b/lib/dns/sec/openssl/dsa_err.c
index 38e4af96..47744ef0 100644
--- a/lib/dns/sec/openssl/dsa_err.c
+++ b/lib/dns/sec/openssl/dsa_err.c
@@ -57,6 +57,9 @@
  * made to it will be overwritten when the script next updates this file.
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include <openssl/err.h>
 #include <openssl/dsa.h>
diff --git a/lib/dns/sec/openssl/dsa_gen.c b/lib/dns/sec/openssl/dsa_gen.c
index 2294a362..4de242f8 100644
--- a/lib/dns/sec/openssl/dsa_gen.c
+++ b/lib/dns/sec/openssl/dsa_gen.c
@@ -71,6 +71,9 @@
 
 #ifndef NO_SHA
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include <time.h>
 #include "cryptlib.h"
diff --git a/lib/dns/sec/openssl/dsa_key.c b/lib/dns/sec/openssl/dsa_key.c
index ab7f38fc..fa1b46b5 100644
--- a/lib/dns/sec/openssl/dsa_key.c
+++ b/lib/dns/sec/openssl/dsa_key.c
@@ -57,6 +57,9 @@
  */
 
 #ifndef NO_SHA
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include <time.h>
 #include "cryptlib.h"
diff --git a/lib/dns/sec/openssl/dsa_lib.c b/lib/dns/sec/openssl/dsa_lib.c
index d77244d1..dea1f7bf 100644
--- a/lib/dns/sec/openssl/dsa_lib.c
+++ b/lib/dns/sec/openssl/dsa_lib.c
@@ -58,6 +58,9 @@
 
 /* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/bn.h>
diff --git a/lib/dns/sec/openssl/dsa_ossl.c b/lib/dns/sec/openssl/dsa_ossl.c
index a72b5d03..25dc0d35 100644
--- a/lib/dns/sec/openssl/dsa_ossl.c
+++ b/lib/dns/sec/openssl/dsa_ossl.c
@@ -58,6 +58,9 @@
 
 /* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/bn.h>
diff --git a/lib/dns/sec/openssl/dsa_sign.c b/lib/dns/sec/openssl/dsa_sign.c
index 72ff4391..bef95bb3 100644
--- a/lib/dns/sec/openssl/dsa_sign.c
+++ b/lib/dns/sec/openssl/dsa_sign.c
@@ -58,6 +58,9 @@
 
 /* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/bn.h>
diff --git a/lib/dns/sec/openssl/dsa_vrf.c b/lib/dns/sec/openssl/dsa_vrf.c
index 9e20358b..2cbaaf7a 100644
--- a/lib/dns/sec/openssl/dsa_vrf.c
+++ b/lib/dns/sec/openssl/dsa_vrf.c
@@ -58,6 +58,9 @@
 
 /* Original version from Steven Schoch <schoch@sheba.arc.nasa.gov> */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/bn.h>
diff --git a/lib/dns/sec/openssl/err.c b/lib/dns/sec/openssl/err.c
index 93c64cbc..36c13b2b 100644
--- a/lib/dns/sec/openssl/err.c
+++ b/lib/dns/sec/openssl/err.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include <stdarg.h>
 #include <openssl/lhash.h>
diff --git a/lib/dns/sec/openssl/ex_data.c b/lib/dns/sec/openssl/ex_data.c
index a057dd3b..0d782d6c 100644
--- a/lib/dns/sec/openssl/ex_data.c
+++ b/lib/dns/sec/openssl/ex_data.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <openssl/buffer.h>
diff --git a/lib/dns/sec/openssl/include/openssl/Makefile.in b/lib/dns/sec/openssl/include/openssl/Makefile.in
index 65fe2000..d3be2681 100644
--- a/lib/dns/sec/openssl/include/openssl/Makefile.in
+++ b/lib/dns/sec/openssl/include/openssl/Makefile.in
@@ -17,6 +17,8 @@ srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
+CDEFINES =	@DST_PRIVATEOPENSSL@
+
 SUBDIRS =
 TARGETS =
 
diff --git a/lib/dns/sec/openssl/include/openssl/bio.h b/lib/dns/sec/openssl/include/openssl/bio.h
index c41db123..23d70253 100644
--- a/lib/dns/sec/openssl/include/openssl/bio.h
+++ b/lib/dns/sec/openssl/include/openssl/bio.h
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef HEADER_BIO_H
-#define HEADER_BIO_H
+#ifndef OPENSSL_BIO_H
+#define OPENSSL_BIO_H 1
 
 #ifdef  __cplusplus
 extern "C" {
@@ -592,5 +592,4 @@ int BIO_printf(BIO *bio, ...);
 #ifdef  __cplusplus
 }
 #endif
-#endif
-
+#endif /* OPENSSL_BIO_H */
diff --git a/lib/dns/sec/openssl/include/openssl/bn.h b/lib/dns/sec/openssl/include/openssl/bn.h
index 2bddfeb8..d3157830 100644
--- a/lib/dns/sec/openssl/include/openssl/bn.h
+++ b/lib/dns/sec/openssl/include/openssl/bn.h
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef HEADER_BN_H
-#define HEADER_BN_H
+#ifndef OPENSSL_BN_H
+#define OPENSSL_BN_H 1
 
 #ifndef WIN16
 #include <stdio.h> /* FILE */
@@ -379,7 +379,7 @@ int	BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m, BN_CTX *ctx);
 #ifndef NO_FP_API
 int	BN_print_fp(FILE *fp, const BIGNUM *a);
 #endif
-#ifdef HEADER_BIO_H
+#ifdef OPENSSL_BIO_H
 int	BN_print(BIO *fp, const BIGNUM *a);
 #else
 int	BN_print(void *fp, const BIGNUM *a);
@@ -512,5 +512,5 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num);
 #ifdef  __cplusplus
 }
 #endif
-#endif
+#endif /* OPENSSL_BN_H */
 
diff --git a/lib/dns/sec/openssl/include/openssl/buffer.h b/lib/dns/sec/openssl/include/openssl/buffer.h
index bff26bf3..247c8ee6 100644
--- a/lib/dns/sec/openssl/include/openssl/buffer.h
+++ b/lib/dns/sec/openssl/include/openssl/buffer.h
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef HEADER_BUFFER_H
-#define HEADER_BUFFER_H
+#ifndef OPENSSL_BUFFER_H
+#define OPENSSL_BUFFER_H 1
 
 #ifdef  __cplusplus
 extern "C" {
@@ -94,5 +94,5 @@ void ERR_load_BUF_strings(void );
 #ifdef  __cplusplus
 }
 #endif
-#endif
+#endif /* OPENSSL_BUFFER_H */
 
diff --git a/lib/dns/sec/openssl/include/openssl/crypto.h b/lib/dns/sec/openssl/include/openssl/crypto.h
index 41c93796..2a69c5ab 100644
--- a/lib/dns/sec/openssl/include/openssl/crypto.h
+++ b/lib/dns/sec/openssl/include/openssl/crypto.h
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef HEADER_CRYPTO_H
-#define HEADER_CRYPTO_H
+#ifndef OPENSSL_CRYPTO_H
+#define OPENSSL_CRYPTO_H 1
 
 #ifdef  __cplusplus
 extern "C" {
@@ -369,5 +369,5 @@ void ERR_load_CRYPTO_strings(void);
 #ifdef  __cplusplus
 }
 #endif
-#endif
+#endif /* OPENSSL_CRYPTO_H */
 
diff --git a/lib/dns/sec/openssl/include/openssl/dh.h b/lib/dns/sec/openssl/include/openssl/dh.h
index c15b2ad4..c164c149 100644
--- a/lib/dns/sec/openssl/include/openssl/dh.h
+++ b/lib/dns/sec/openssl/include/openssl/dh.h
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef HEADER_DH_H
-#define HEADER_DH_H
+#ifndef OPENSSL_DH_H
+#define OPENSSL_DH_H 1
 
 #ifdef  __cplusplus
 extern "C" {
@@ -169,7 +169,7 @@ int	i2d_DHparams(DH *a,unsigned char **pp);
 #ifndef NO_FP_API
 int	DHparams_print_fp(FILE *fp, DH *x);
 #endif
-#ifdef HEADER_BIO_H
+#ifdef OPENSSL_BIO_H
 int	DHparams_print(BIO *bp, DH *x);
 #else
 int	DHparams_print(char *bp, DH *x);
@@ -197,5 +197,5 @@ void	ERR_load_DH_strings(void );
 #ifdef  __cplusplus
 }
 #endif
-#endif
+#endif /* OPENSSL_DH_H */
 
diff --git a/lib/dns/sec/openssl/include/openssl/dsa.h b/lib/dns/sec/openssl/include/openssl/dsa.h
index 68d9912c..243775f4 100644
--- a/lib/dns/sec/openssl/include/openssl/dsa.h
+++ b/lib/dns/sec/openssl/include/openssl/dsa.h
@@ -62,8 +62,8 @@
  * work and I have just tweaked them a little to fit into my
  * stylistic vision for SSLeay :-) */
 
-#ifndef HEADER_DSA_H
-#define HEADER_DSA_H
+#ifndef OPENSSL_DSA_H
+#define OPENSSL_DSA_H 1
 
 #ifdef  __cplusplus
 extern "C" {
@@ -188,7 +188,7 @@ int	i2d_DSAPublicKey(DSA *a, unsigned char **pp);
 int 	i2d_DSAPrivateKey(DSA *a, unsigned char **pp);
 int	i2d_DSAparams(DSA *a,unsigned char **pp);
 
-#ifdef HEADER_BIO_H
+#ifdef OPENSSL_BIO_H
 int	DSAparams_print(BIO *bp, DSA *x);
 int	DSA_print(BIO *bp, DSA *x, int off);
 #endif
@@ -237,5 +237,5 @@ DH *DSA_dup_DH(DSA *r);
 #ifdef  __cplusplus
 }
 #endif
-#endif
+#endif /* OPENSSL_DSA_H */
 
diff --git a/lib/dns/sec/openssl/include/openssl/e_os.h b/lib/dns/sec/openssl/include/openssl/e_os.h
index b8d053bd..1a3e49d1 100644
--- a/lib/dns/sec/openssl/include/openssl/e_os.h
+++ b/lib/dns/sec/openssl/include/openssl/e_os.h
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef HEADER_E_OS_H
-#define HEADER_E_OS_H
+#ifndef OPENSSL_E_OS_H
+#define OPENSSL_E_OS_H 1
 
 #include <openssl/e_os2.h>
 /* <openssl/e_os2.h> contains what we can justify to make visible
@@ -369,5 +369,5 @@ extern HINSTANCE _hInstance;
 }
 #endif
 
-#endif
+#endif /* OPENSSL_E_OS_H */
 
diff --git a/lib/dns/sec/openssl/include/openssl/e_os2.h b/lib/dns/sec/openssl/include/openssl/e_os2.h
index 2bc0b487..63e5d547 100644
--- a/lib/dns/sec/openssl/include/openssl/e_os2.h
+++ b/lib/dns/sec/openssl/include/openssl/e_os2.h
@@ -1,7 +1,7 @@
 /* e_os2.h */
 
-#ifndef HEADER_E_OS2_H
-#define HEADER_E_OS2_H
+#ifndef OPENSSL_E_OS2_H
+#define OPENSSL_E_OS2_H 1
 
 #ifdef  __cplusplus
 extern "C" {
@@ -24,5 +24,5 @@ extern "C" {
 #ifdef  __cplusplus
 }
 #endif
-#endif
+#endif /* OPENSSL_E_OS2_H */
 
diff --git a/lib/dns/sec/openssl/include/openssl/err.h b/lib/dns/sec/openssl/include/openssl/err.h
index 15bafbff..10ec4d90 100644
--- a/lib/dns/sec/openssl/include/openssl/err.h
+++ b/lib/dns/sec/openssl/include/openssl/err.h
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef HEADER_ERR_H
-#define HEADER_ERR_H
+#ifndef OPENSSL_ERR_H
+#define OPENSSL_ERR_H 1
 
 #ifdef	__cplusplus
 extern "C" {
@@ -69,7 +69,7 @@ extern "C" {
 
 /* The following is a bit of a trick to help the object files only contain
  * the 'name of the file' string once.  Since 'err.h' is protected by the
- * HEADER_ERR_H stuff, this should be included only once per file. */
+ * OPENSSL_ERR_H stuff, this should be included only once per file. */
 
 #define ERR_file_name	__FILE__
 
@@ -236,7 +236,7 @@ const char *ERR_reason_error_string(unsigned long e);
 #ifndef NO_FP_API
 void ERR_print_errors_fp(FILE *fp);
 #endif
-#ifdef HEADER_BIO_H
+#ifdef OPENSSL_BIO_H
 void ERR_print_errors(BIO *bp);
 void ERR_add_error_data(int num, ...);
 #endif
@@ -248,7 +248,7 @@ void ERR_free_strings(void);
 void ERR_remove_state(unsigned long pid); /* if zero we look it up */
 ERR_STATE *ERR_get_state(void);
 
-#ifdef HEADER_LHASH_H
+#ifdef OPENSSL_LHASH_H
 LHASH *ERR_get_string_table(void );
 LHASH *ERR_get_err_state_table(void );
 #else
@@ -262,4 +262,5 @@ int ERR_get_next_error_library(void );
 }
 #endif
 
-#endif
+#endif /* OPENSSL_ERR_H */
+
diff --git a/lib/dns/sec/openssl/include/openssl/lhash.h b/lib/dns/sec/openssl/include/openssl/lhash.h
index 6f6eeb26..dd38186d 100644
--- a/lib/dns/sec/openssl/include/openssl/lhash.h
+++ b/lib/dns/sec/openssl/include/openssl/lhash.h
@@ -60,8 +60,8 @@
  * Author - Eric Young
  */
 
-#ifndef HEADER_LHASH_H
-#define HEADER_LHASH_H
+#ifndef OPENSSL_LHASH_H
+#define OPENSSL_LHASH_H 1
 
 #ifdef  __cplusplus
 extern "C" {
@@ -83,8 +83,8 @@ typedef struct lhash_node_st
 typedef struct lhash_st
 	{
 	LHASH_NODE **b;
-	int (*comp)();
-	unsigned long (*hash)();
+	int (*comp)(void *, void *);
+	unsigned long (*hash)(void *);
 	unsigned int num_nodes;
 	unsigned int num_alloc_nodes;
 	unsigned int p;
@@ -131,7 +131,7 @@ void lh_node_stats(LHASH *lh, FILE *out);
 void lh_node_usage_stats(LHASH *lh, FILE *out);
 #endif
 
-#ifdef HEADER_BIO_H
+#ifdef OPENSSL_BIO_H
 void lh_stats_bio(LHASH *lh, BIO *out);
 void lh_node_stats_bio(LHASH *lh, BIO *out);
 void lh_node_usage_stats_bio(LHASH *lh, BIO *out);
@@ -140,5 +140,5 @@ void lh_node_usage_stats_bio(LHASH *lh, BIO *out);
 }
 #endif
 
-#endif
+#endif /* OPENSSL_LHASH_H */
 
diff --git a/lib/dns/sec/openssl/include/openssl/md5.h b/lib/dns/sec/openssl/include/openssl/md5.h
index d10bc839..7acff491 100644
--- a/lib/dns/sec/openssl/include/openssl/md5.h
+++ b/lib/dns/sec/openssl/include/openssl/md5.h
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef HEADER_MD5_H
-#define HEADER_MD5_H
+#ifndef OPENSSL_MD5_H
+#define OPENSSL_MD5_H 1
 
 #ifdef  __cplusplus
 extern "C" {
@@ -111,4 +111,5 @@ void MD5_Transform(MD5_CTX *c, const unsigned char *b);
 }
 #endif
 
-#endif
+#endif /* OPENSSL_MD5_H */
+
diff --git a/lib/dns/sec/openssl/include/openssl/opensslconf.h b/lib/dns/sec/openssl/include/openssl/opensslconf.h
index 1ff8fea1..52fb2db7 100644
--- a/lib/dns/sec/openssl/include/openssl/opensslconf.h
+++ b/lib/dns/sec/openssl/include/openssl/opensslconf.h
@@ -1,7 +1,7 @@
-#ifndef HEADER_OPENSSLCONF_H
-#define HEADER_OPENSSLCONF_H
+#ifndef OPENSSL_OPENSSLCONF_H
+#define OPENSSL_OPENSSLCONF_H 1
 
 /* This would be filled in by the openssl configure script if it was run. */
 
-#endif /* HEADER_OPENSSLCONF_H */
+#endif /* OPENSSL_OPENSSLCONF_H */
 
diff --git a/lib/dns/sec/openssl/include/openssl/opensslv.h b/lib/dns/sec/openssl/include/openssl/opensslv.h
index b34462e9..c721ceb3 100644
--- a/lib/dns/sec/openssl/include/openssl/opensslv.h
+++ b/lib/dns/sec/openssl/include/openssl/opensslv.h
@@ -1,5 +1,5 @@
-#ifndef HEADER_OPENSSLV_H
-#define HEADER_OPENSSLV_H
+#ifndef OPENSSL_OPENSSLV_H
+#define OPENSSL_OPENSSLV_H 1
 
 /* Numeric release version identifier:
  * MMNNFFRBB: major minor fix final beta/patch
@@ -17,4 +17,5 @@
 #define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.3a 29 May 1999"
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 
-#endif /* HEADER_OPENSSLV_H */
+#endif /* OPENSSL_OPENSSLV_H */
+
diff --git a/lib/dns/sec/openssl/include/openssl/rand.h b/lib/dns/sec/openssl/include/openssl/rand.h
index 28f45ec0..0f6a0888 100644
--- a/lib/dns/sec/openssl/include/openssl/rand.h
+++ b/lib/dns/sec/openssl/include/openssl/rand.h
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef HEADER_RAND_H
-#define HEADER_RAND_H
+#ifndef OPENSSL_RAND_H
+#define OPENSSL_RAND_H 1
 
 #ifdef  __cplusplus
 extern "C" {
@@ -106,5 +106,5 @@ void	ERR_load_RAND_strings(void);
 #ifdef  __cplusplus
 }
 #endif
-#endif
+#endif /* OPENSSL_RAND_H */
 
diff --git a/lib/dns/sec/openssl/include/openssl/safestack.h b/lib/dns/sec/openssl/include/openssl/safestack.h
index 38934981..1b018ba7 100644
--- a/lib/dns/sec/openssl/include/openssl/safestack.h
+++ b/lib/dns/sec/openssl/include/openssl/safestack.h
@@ -52,8 +52,8 @@
  *
  */
 
-#ifndef HEADER_SAFESTACK_H
-#define HEADER_SAFESTACK_H
+#ifndef OPENSSL_SAFESTACK_H
+#define OPENSSL_SAFESTACK_H 1
 
 #include <openssl/stack.h>
 
@@ -126,4 +126,5 @@ type *sk_##type##_pop(STACK_OF(type) *sk) \
 void sk_##type##_sort(STACK_OF(type) *sk) \
     { sk_sort((STACK *)sk); }
 
-#endif /* ndef HEADER_SAFESTACK_H */
+#endif /* OPENSSL_SAFESTACK_H */
+
diff --git a/lib/dns/sec/openssl/include/openssl/sha.h b/lib/dns/sec/openssl/include/openssl/sha.h
index 77f6d969..9113e53e 100644
--- a/lib/dns/sec/openssl/include/openssl/sha.h
+++ b/lib/dns/sec/openssl/include/openssl/sha.h
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef HEADER_SHA_H
-#define HEADER_SHA_H
+#ifndef OPENSSL_SHA_H
+#define OPENSSL_SHA_H 1
 
 #ifdef  __cplusplus
 extern "C" {
@@ -116,4 +116,5 @@ void SHA1_Transform(SHA_CTX *c, const unsigned char *data);
 }
 #endif
 
-#endif
+#endif /* OPENSSL_SHA_H */
+
diff --git a/lib/dns/sec/openssl/include/openssl/stack.h b/lib/dns/sec/openssl/include/openssl/stack.h
index a615d9b4..80cf81c0 100644
--- a/lib/dns/sec/openssl/include/openssl/stack.h
+++ b/lib/dns/sec/openssl/include/openssl/stack.h
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef HEADER_STACK_H
-#define HEADER_STACK_H
+#ifndef OPENSSL_STACK_H
+#define OPENSSL_STACK_H 1
 
 #ifdef  __cplusplus
 extern "C" {
@@ -70,7 +70,7 @@ typedef struct stack_st
 	int sorted;
 
 	int num_alloc;
-	int (*comp)();
+	int (*comp)(char **, char **);
 	} STACK;
 
 
@@ -104,4 +104,5 @@ void sk_sort(STACK *st);
 }
 #endif
 
-#endif
+#endif /* OPENSSL_STACK_H */
+
diff --git a/lib/dns/sec/openssl/lhash.c b/lib/dns/sec/openssl/lhash.c
index 6a340a24..7439a68d 100644
--- a/lib/dns/sec/openssl/lhash.c
+++ b/lib/dns/sec/openssl/lhash.c
@@ -94,6 +94,10 @@
  *
  * 1.0 eay - First version
  */
+
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
@@ -272,7 +276,7 @@ void lh_doall(LHASH *lh, void (*func)())
 	lh_doall_arg(lh,func,NULL);
 	}
 
-void lh_doall_arg(LHASH *lh, void (*func)(), void *arg)
+void lh_doall_arg(LHASH *lh, void (*func)(void *, void *), void *arg)
 	{
 	int i;
 	LHASH_NODE *a,*n;
@@ -392,7 +396,7 @@ static LHASH_NODE **getrn(LHASH *lh, void *data, unsigned long *rhash)
 	{
 	LHASH_NODE **ret,*n1;
 	unsigned long hash,nn;
-	int (*cf)();
+	int (*cf)(void *, void *);
 
 	hash=(*(lh->hash))(data);
 	lh->num_hash_calls++;
diff --git a/lib/dns/sec/openssl/md32_common.h b/lib/dns/sec/openssl/md32_common.h
index 1a404a45..d1a556a7 100644
--- a/lib/dns/sec/openssl/md32_common.h
+++ b/lib/dns/sec/openssl/md32_common.h
@@ -52,6 +52,8 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+#ifndef OPENSSL_MD32_COMMON_H
+#define OPENSSL_MD32_COMMON_H 1
 
 /*
  * This is a generic 32 bit "collector" for message digest algorithms.
@@ -605,3 +607,5 @@ void HASH_FINAL (unsigned char *md, HASH_CTX *c)
 	memset((void *)c,0,sizeof(HASH_CTX));
 	 */
 	}
+
+#endif /* OPENSSL_MD32_COMMON_H */
diff --git a/lib/dns/sec/openssl/md5_dgst.c b/lib/dns/sec/openssl/md5_dgst.c
index 23d196b8..a0a906c1 100644
--- a/lib/dns/sec/openssl/md5_dgst.c
+++ b/lib/dns/sec/openssl/md5_dgst.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "md5_locl.h"
 #include <openssl/opensslv.h>
@@ -81,8 +84,8 @@ void MD5_Init(MD5_CTX *c)
 	c->num=0;
 	}
 
-#ifndef md5_block_host_order
-void md5_block_host_order (MD5_CTX *c, const void *data, int num)
+#ifndef dst__openssl_md5_block_host_order
+void dst__openssl_md5_block_host_order (MD5_CTX *c, const void *data, int num)
 	{
 	const MD5_LONG *X=data;
 	register unsigned long A,B,C,D;
@@ -185,11 +188,11 @@ void md5_block_host_order (MD5_CTX *c, const void *data, int num)
 	}
 #endif
 
-#ifndef md5_block_data_order
+#ifndef dst__openssl_md5_block_data_order
 #ifdef X
 #undef X
 #endif
-void md5_block_data_order (MD5_CTX *c, const void *data_, int num)
+void dst__openssl_md5_block_data_order (MD5_CTX *c, const void *data_, int num)
 	{
 	const unsigned char *data=data_;
 	register unsigned long A,B,C,D,l;
diff --git a/lib/dns/sec/openssl/md5_locl.h b/lib/dns/sec/openssl/md5_locl.h
index ccaa284f..b89f53f9 100644
--- a/lib/dns/sec/openssl/md5_locl.h
+++ b/lib/dns/sec/openssl/md5_locl.h
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#ifndef OPENSSL_MD5_LOCL_H
+#define OPENSSL_MD5_LOCL_H 1
+
 #include <stdlib.h>
 #include <string.h>
 #include <openssl/opensslconf.h>
@@ -67,15 +70,15 @@
 
 #ifdef MD5_ASM
 # if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
-#  define md5_block_host_order md5_block_asm_host_order
+#  define dst__openssl_md5_block_host_order dst__openssl_md5_block_asm_host_order
 # elif defined(__sparc) && defined(ULTRASPARC)
-   void md5_block_asm_data_order_aligned (MD5_CTX *c, const MD5_LONG *p,int num);
-#  define HASH_BLOCK_DATA_ORDER_ALIGNED md5_block_asm_data_order_aligned
+   void dst__openssl_md5_block_asm_data_order_aligned (MD5_CTX *c, const MD5_LONG *p,int num);
+#  define HASH_BLOCK_DATA_ORDER_ALIGNED dst__openssl_md5_block_asm_data_order_aligned
 # endif
 #endif
 
-void md5_block_host_order (MD5_CTX *c, const void *p,int num);
-void md5_block_data_order (MD5_CTX *c, const void *p,int num);
+void dst__openssl_md5_block_host_order (MD5_CTX *c, const void *p,int num);
+void dst__openssl_md5_block_data_order (MD5_CTX *c, const void *p,int num);
 
 #if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
 /*
@@ -99,7 +102,7 @@ void md5_block_data_order (MD5_CTX *c, const void *p,int num);
  *
  *				<appro@fy.chalmers.se>
  */
-#define md5_block_data_order md5_block_host_order
+#define dst__openssl_md5_block_data_order dst__openssl_md5_block_host_order
 #endif
 
 #define DATA_ORDER_IS_LITTLE_ENDIAN
@@ -119,13 +122,13 @@ void md5_block_data_order (MD5_CTX *c, const void *p,int num);
 	ll=(c)->C; HOST_l2c(ll,(s));	\
 	ll=(c)->D; HOST_l2c(ll,(s));	\
 	} while (0)
-#define HASH_BLOCK_HOST_ORDER	md5_block_host_order
-#if !defined(L_ENDIAN) || defined(md5_block_data_order)
-#define	HASH_BLOCK_DATA_ORDER	md5_block_data_order
+#define HASH_BLOCK_HOST_ORDER	dst__openssl_md5_block_host_order
+#if !defined(L_ENDIAN) || defined(dst__openssl_md5_block_data_order)
+#define	HASH_BLOCK_DATA_ORDER	dst__openssl_md5_block_data_order
 /*
  * Little-endians (Intel and Alpha) feel better without this.
  * It looks like memcpy does better job than generic
- * md5_block_data_order on copying-n-aligning input data.
+ * dst__openssl_md5_block_data_order on copying-n-aligning input data.
  * But frankly speaking I didn't expect such result on Alpha.
  * On the other hand I've got this with egcs-1.0.2 and if
  * program is compiled with another (better?) compiler it
@@ -177,3 +180,5 @@ void md5_block_data_order (MD5_CTX *c, const void *p,int num);
 	a+=((k)+(t)+I((b),(c),(d))); \
 	a=ROTATE(a,s); \
 	a+=b; };
+
+#endif /* OPENSSL_MD5_LOCL_H */
diff --git a/lib/dns/sec/openssl/md_rand.c b/lib/dns/sec/openssl/md_rand.c
index 4e5758c5..3972a4c8 100644
--- a/lib/dns/sec/openssl/md_rand.c
+++ b/lib/dns/sec/openssl/md_rand.c
@@ -64,6 +64,9 @@
 # endif
 #endif
 
+#include <config.h>
+#include "../rename.h"
+
 #include <assert.h>
 #include <stdio.h>
 #include <time.h>
diff --git a/lib/dns/sec/openssl/mem.c b/lib/dns/sec/openssl/mem.c
index 6d5c93a3..057b18d2 100644
--- a/lib/dns/sec/openssl/mem.c
+++ b/lib/dns/sec/openssl/mem.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <openssl/crypto.h>
@@ -81,19 +84,29 @@ static void (*free_func)(void *)            = free;
 /* XXX use correct function pointer types */
 #ifdef CRYPTO_MDEBUG
   /* use default functions from mem_dbg.c */
-  static void (*malloc_debug_func)()= (void (*)())CRYPTO_dbg_malloc;
-  static void (*realloc_debug_func)()= (void (*)())CRYPTO_dbg_realloc;
-  static void (*free_debug_func)()= (void (*)())CRYPTO_dbg_free;
-  static void (*set_debug_options_func)()= (void (*)())CRYPTO_dbg_set_options;
-  static long (*get_debug_options_func)()= (long (*)())CRYPTO_dbg_get_options;
+  static void (*malloc_debug_func)(void *, int, const char *, int, int)
+	  = (void (*)())CRYPTO_dbg_malloc;
+  static void (*realloc_debug_func)(void *, void *, int, const char *, int,int)
+	  = (void (*)())CRYPTO_dbg_realloc;
+  static void (*free_debug_func)(void *, int)
+	  = (void (*)())CRYPTO_dbg_free;
+  static void (*set_debug_options_func)(long)
+	  = (void (*)())CRYPTO_dbg_set_options;
+  static long (*get_debug_options_func)(void)
+	  = (long (*)())CRYPTO_dbg_get_options;
 #else
   /* applications can use CRYPTO_malloc_debug_init() to select above case
    * at run-time */
-  static void (*malloc_debug_func)()= NULL;
-  static void (*realloc_debug_func)()= NULL;
-  static void (*free_debug_func)()= NULL;
-  static void (*set_debug_options_func)()= NULL;
-  static long (*get_debug_options_func)()= NULL;
+  static void (*malloc_debug_func)(void *, int, const char *, int, int)
+	  = NULL;
+  static void (*realloc_debug_func)(void *, void *, int, const char *, int,int)
+	  = NULL;
+  static void (*free_debug_func)(void *, int)
+	  = NULL;
+  static void (*set_debug_options_func)(long)
+	  = NULL;
+  static long (*get_debug_options_func)(void)
+	  = NULL;
 #endif
 
 
diff --git a/lib/dns/sec/openssl/mem_dbg.c b/lib/dns/sec/openssl/mem_dbg.c
index d92faaf6..306151a6 100644
--- a/lib/dns/sec/openssl/mem_dbg.c
+++ b/lib/dns/sec/openssl/mem_dbg.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <time.h>	
diff --git a/lib/dns/sec/openssl/rand_lib.c b/lib/dns/sec/openssl/rand_lib.c
index b09a300c..a43180e3 100644
--- a/lib/dns/sec/openssl/rand_lib.c
+++ b/lib/dns/sec/openssl/rand_lib.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include <time.h>
 #include <openssl/rand.h>
diff --git a/lib/dns/sec/openssl/sha1_one.c b/lib/dns/sec/openssl/sha1_one.c
index 861752ea..63de73c8 100644
--- a/lib/dns/sec/openssl/sha1_one.c
+++ b/lib/dns/sec/openssl/sha1_one.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include <string.h>
 #include <openssl/sha.h>
diff --git a/lib/dns/sec/openssl/sha1dgst.c b/lib/dns/sec/openssl/sha1dgst.c
index c09edb4c..c35159b4 100644
--- a/lib/dns/sec/openssl/sha1dgst.c
+++ b/lib/dns/sec/openssl/sha1dgst.c
@@ -61,6 +61,9 @@
 #undef  SHA_0
 #define SHA_1
 
+#include <config.h>
+#include "../rename.h"
+
 #include <openssl/opensslv.h>
 
 const char *SHA1_version="SHA1" OPENSSL_VERSION_PTEXT;
diff --git a/lib/dns/sec/openssl/sha_locl.h b/lib/dns/sec/openssl/sha_locl.h
index 3e6f489b..82d316f7 100644
--- a/lib/dns/sec/openssl/sha_locl.h
+++ b/lib/dns/sec/openssl/sha_locl.h
@@ -55,6 +55,8 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+#ifndef OPENSSL_SHA_LOCL_H
+#define OPENSSL_SHA_LOCL_H 1
 
 #include <stdlib.h>
 #include <string.h>
@@ -473,3 +475,5 @@ void HASH_BLOCK_DATA_ORDER (SHA_CTX *c, const void *p, int num)
 		}
 	}
 #endif
+
+#endif /* OPENSSL_SHA_LOCL_H */
diff --git a/lib/dns/sec/openssl/stack.c b/lib/dns/sec/openssl/stack.c
index 58e91263..b4a212eb 100644
--- a/lib/dns/sec/openssl/stack.c
+++ b/lib/dns/sec/openssl/stack.c
@@ -65,6 +65,9 @@
  *
  * 1.0 eay - First version 29/07/92
  */
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/stack.h>
@@ -262,7 +265,7 @@ void sk_zero(STACK *st)
 	st->num=0;
 	}
 
-void sk_pop_free(STACK *st, void (*func)())
+void sk_pop_free(STACK *st, void (*func)(char *))
 	{
 	int i;
 
diff --git a/lib/dns/sec/openssl/th-lock.c b/lib/dns/sec/openssl/th-lock.c
index ed976db3..e1b26d3e 100644
--- a/lib/dns/sec/openssl/th-lock.c
+++ b/lib/dns/sec/openssl/th-lock.c
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+#include <config.h>
+#include "../rename.h"
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
diff --git a/lib/dns/sec/rename.h b/lib/dns/sec/rename.h
new file mode 100644
index 00000000..0d1cc409
--- /dev/null
+++ b/lib/dns/sec/rename.h
@@ -0,0 +1,297 @@
+/*
+ * Copyright (C) 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+#ifndef SEC_RENAME_H
+#define SEC_RENAME_H 1
+
+#ifdef DST_USE_PRIVATE_OPENSSL
+#define BN_CTX_end dst__openssl_BN_CTX_end
+#define BN_CTX_free dst__openssl_BN_CTX_free
+#define BN_CTX_get dst__openssl_BN_CTX_get
+#define BN_CTX_init dst__openssl_BN_CTX_init
+#define BN_CTX_new dst__openssl_BN_CTX_new
+#define BN_CTX_start dst__openssl_BN_CTX_start
+#define BN_MONT_CTX_copy dst__openssl_BN_MONT_CTX_copy
+#define BN_MONT_CTX_free dst__openssl_BN_MONT_CTX_free
+#define BN_MONT_CTX_init dst__openssl_BN_MONT_CTX_init
+#define BN_MONT_CTX_new dst__openssl_BN_MONT_CTX_new
+#define BN_MONT_CTX_set dst__openssl_BN_MONT_CTX_set
+#define BN_RECP_CTX_free dst__openssl_BN_RECP_CTX_free
+#define BN_RECP_CTX_init dst__openssl_BN_RECP_CTX_init
+#define BN_RECP_CTX_new dst__openssl_BN_RECP_CTX_new
+#define BN_RECP_CTX_set dst__openssl_BN_RECP_CTX_set
+#define BN_add dst__openssl_BN_add
+#define BN_add_word dst__openssl_BN_add_word
+#define BN_bin2bn dst__openssl_BN_bin2bn
+#define BN_bn2bin dst__openssl_BN_bn2bin
+#define BN_bn2hex dst__openssl_BN_bn2hex
+#define BN_clear dst__openssl_BN_clear
+#define BN_clear_bit dst__openssl_BN_clear_bit
+#define BN_clear_free dst__openssl_BN_clear_free
+#define BN_cmp dst__openssl_BN_cmp
+#define BN_copy dst__openssl_BN_copy
+#define BN_div dst__openssl_BN_div
+#define BN_div_recp dst__openssl_BN_div_recp
+#define BN_div_word dst__openssl_BN_div_word
+#define BN_dup dst__openssl_BN_dup
+#define BN_exp dst__openssl_BN_exp
+#define BN_free dst__openssl_BN_free
+#define BN_from_montgomery dst__openssl_BN_from_montgomery
+#define BN_gcd dst__openssl_BN_gcd
+#define BN_generate_prime dst__openssl_BN_generate_prime
+#define BN_get_params dst__openssl_BN_get_params
+#define BN_get_word dst__openssl_BN_get_word
+#define BN_hex2bn dst__openssl_BN_hex2bn
+#define BN_init dst__openssl_BN_init
+#define BN_is_bit_set dst__openssl_BN_is_bit_set
+#define BN_is_prime dst__openssl_BN_is_prime
+#define BN_is_prime_fasttest dst__openssl_BN_is_prime_fasttest
+#define BN_lshift dst__openssl_BN_lshift
+#define BN_lshift1 dst__openssl_BN_lshift1
+#define BN_mask_bits dst__openssl_BN_mask_bits
+#define BN_mod dst__openssl_BN_mod
+#define BN_mod_exp dst__openssl_BN_mod_exp
+#define BN_mod_exp2_mont dst__openssl_BN_mod_exp2_mont
+#define BN_mod_exp_mont dst__openssl_BN_mod_exp_mont
+#define BN_mod_exp_recp dst__openssl_BN_mod_exp_recp
+#define BN_mod_exp_simple dst__openssl_BN_mod_exp_simple
+#define BN_mod_inverse dst__openssl_BN_mod_inverse
+#define BN_mod_mul dst__openssl_BN_mod_mul
+#define BN_mod_mul_montgomery dst__openssl_BN_mod_mul_montgomery
+#define BN_mod_mul_reciprocal dst__openssl_BN_mod_mul_reciprocal
+#define BN_mod_word dst__openssl_BN_mod_word
+#define BN_mul dst__openssl_BN_mul
+#define BN_mul_word dst__openssl_BN_mul_word
+#define BN_new dst__openssl_BN_new
+#define BN_num_bits dst__openssl_BN_num_bits
+#define BN_num_bits_word dst__openssl_BN_num_bits_word
+#define BN_options dst__openssl_BN_options
+#define BN_pseudo_rand dst__openssl_BN_pseudo_rand
+#define BN_rand dst__openssl_BN_rand
+#define BN_reciprocal dst__openssl_BN_reciprocal
+#define BN_rshift dst__openssl_BN_rshift
+#define BN_rshift1 dst__openssl_BN_rshift1
+#define BN_set_bit dst__openssl_BN_set_bit
+#define BN_set_params dst__openssl_BN_set_params
+#define BN_set_word dst__openssl_BN_set_word
+#define BN_sqr dst__openssl_BN_sqr
+#define BN_sub dst__openssl_BN_sub
+#define BN_sub_word dst__openssl_BN_sub_word
+#define BN_uadd dst__openssl_BN_uadd
+#define BN_ucmp dst__openssl_BN_ucmp
+#define BN_usub dst__openssl_BN_usub
+#define BN_value_one dst__openssl_BN_value_one
+#define BN_version dst__openssl_BN_version
+#define BUF_MEM_free dst__openssl_BUF_MEM_free
+#define BUF_MEM_grow dst__openssl_BUF_MEM_grow
+#define BUF_MEM_new dst__openssl_BUF_MEM_new
+#define BUF_strdup dst__openssl_BUF_strdup
+#define CRYPTO_add_lock dst__openssl_CRYPTO_add_lock
+#define CRYPTO_dbg_free dst__openssl_CRYPTO_dbg_free
+#define CRYPTO_dbg_get_options dst__openssl_CRYPTO_dbg_get_options
+#define CRYPTO_dbg_malloc dst__openssl_CRYPTO_dbg_malloc
+#define CRYPTO_dbg_realloc dst__openssl_CRYPTO_dbg_realloc
+#define CRYPTO_dbg_set_options dst__openssl_CRYPTO_dbg_set_options
+#define CRYPTO_dup_ex_data dst__openssl_CRYPTO_dup_ex_data
+#define CRYPTO_free dst__openssl_CRYPTO_free
+#define CRYPTO_free_ex_data dst__openssl_CRYPTO_free_ex_data
+#define CRYPTO_free_locked dst__openssl_CRYPTO_free_locked
+#define CRYPTO_get_add_lock_callback dst__openssl_CRYPTO_get_add_lock_callback
+#define CRYPTO_get_ex_data dst__openssl_CRYPTO_get_ex_data
+#define CRYPTO_get_ex_new_index dst__openssl_CRYPTO_get_ex_new_index
+#define CRYPTO_get_id_callback dst__openssl_CRYPTO_get_id_callback
+#define CRYPTO_get_lock_name dst__openssl_CRYPTO_get_lock_name
+#define CRYPTO_get_locked_mem_functions dst__openssl_CRYPTO_get_locked_mem_functions
+#define CRYPTO_get_locking_callback dst__openssl_CRYPTO_get_locking_callback
+#define CRYPTO_get_mem_debug_functions dst__openssl_CRYPTO_get_mem_debug_functions
+#define CRYPTO_get_mem_debug_options dst__openssl_CRYPTO_get_mem_debug_options
+#define CRYPTO_get_mem_functions dst__openssl_CRYPTO_get_mem_functions
+#define CRYPTO_get_new_lockid dst__openssl_CRYPTO_get_new_lockid
+#define CRYPTO_is_mem_check_on dst__openssl_CRYPTO_is_mem_check_on
+#define CRYPTO_lock dst__openssl_CRYPTO_lock
+#define CRYPTO_malloc dst__openssl_CRYPTO_malloc
+#define CRYPTO_malloc_locked dst__openssl_CRYPTO_malloc_locked
+#define CRYPTO_mem_ctrl dst__openssl_CRYPTO_mem_ctrl
+#define CRYPTO_new_ex_data dst__openssl_CRYPTO_new_ex_data
+#define CRYPTO_num_locks dst__openssl_CRYPTO_num_locks
+#define CRYPTO_pop_info dst__openssl_CRYPTO_pop_info
+#define CRYPTO_push_info_ dst__openssl_CRYPTO_push_info_
+#define CRYPTO_realloc dst__openssl_CRYPTO_realloc
+#define CRYPTO_remalloc dst__openssl_CRYPTO_remalloc
+#define CRYPTO_remove_all_info dst__openssl_CRYPTO_remove_all_info
+#define CRYPTO_set_add_lock_callback dst__openssl_CRYPTO_set_add_lock_callback
+#define CRYPTO_set_ex_data dst__openssl_CRYPTO_set_ex_data
+#define CRYPTO_set_id_callback dst__openssl_CRYPTO_set_id_callback
+#define CRYPTO_set_locked_mem_functions dst__openssl_CRYPTO_set_locked_mem_functions
+#define CRYPTO_set_locking_callback dst__openssl_CRYPTO_set_locking_callback
+#define CRYPTO_set_mem_debug_functions dst__openssl_CRYPTO_set_mem_debug_functions
+#define CRYPTO_set_mem_debug_options dst__openssl_CRYPTO_set_mem_debug_options
+#define CRYPTO_set_mem_functions dst__openssl_CRYPTO_set_mem_functions
+#define CRYPTO_thread_id dst__openssl_CRYPTO_thread_id
+#define DH_OpenSSL dst__openssl_DH_OpenSSL
+#define DH_compute_key dst__openssl_DH_compute_key
+#define DH_free dst__openssl_DH_free
+#define DH_generate_key dst__openssl_DH_generate_key
+#define DH_generate_parameters dst__openssl_DH_generate_parameters
+#define DH_get_default_method dst__openssl_DH_get_default_method
+#define DH_get_ex_data dst__openssl_DH_get_ex_data
+#define DH_get_ex_new_index dst__openssl_DH_get_ex_new_index
+#define DH_new dst__openssl_DH_new
+#define DH_new_method dst__openssl_DH_new_method
+#define DH_set_default_method dst__openssl_DH_set_default_method
+#define DH_set_ex_data dst__openssl_DH_set_ex_data
+#define DH_set_method dst__openssl_DH_set_method
+#define DH_size dst__openssl_DH_size
+#define DSA_OpenSSL dst__openssl_DSA_OpenSSL
+#define DSA_SIG_free dst__openssl_DSA_SIG_free
+#define DSA_SIG_new dst__openssl_DSA_SIG_new
+#define DSA_do_sign dst__openssl_DSA_do_sign
+#define DSA_do_verify dst__openssl_DSA_do_verify
+#define DSA_free dst__openssl_DSA_free
+#define DSA_generate_key dst__openssl_DSA_generate_key
+#define DSA_generate_parameters dst__openssl_DSA_generate_parameters
+#define DSA_get_default_method dst__openssl_DSA_get_default_method
+#define DSA_get_ex_data dst__openssl_DSA_get_ex_data
+#define DSA_get_ex_new_index dst__openssl_DSA_get_ex_new_index
+#define DSA_new dst__openssl_DSA_new
+#define DSA_new_method dst__openssl_DSA_new_method
+#define DSA_set_default_method dst__openssl_DSA_set_default_method
+#define DSA_set_ex_data dst__openssl_DSA_set_ex_data
+#define DSA_set_method dst__openssl_DSA_set_method
+#define DSA_sign_setup dst__openssl_DSA_sign_setup
+#define ERR_add_error_data dst__openssl_ERR_add_error_data
+#define ERR_clear_error dst__openssl_ERR_clear_error
+#define ERR_error_string dst__openssl_ERR_error_string
+#define ERR_free_strings dst__openssl_ERR_free_strings
+#define ERR_func_error_string dst__openssl_ERR_func_error_string
+#define ERR_get_err_state_table dst__openssl_ERR_get_err_state_table
+#define ERR_get_error dst__openssl_ERR_get_error
+#define ERR_get_error_line dst__openssl_ERR_get_error_line
+#define ERR_get_error_line_data dst__openssl_ERR_get_error_line_data
+#define ERR_get_next_error_library dst__openssl_ERR_get_next_error_library
+#define ERR_get_state dst__openssl_ERR_get_state
+#define ERR_get_string_table dst__openssl_ERR_get_string_table
+#define ERR_lib_error_string dst__openssl_ERR_lib_error_string
+#define ERR_load_BN_strings dst__openssl_ERR_load_BN_strings
+#define ERR_load_DH_strings dst__openssl_ERR_load_DH_strings
+#define ERR_load_DSA_strings dst__openssl_ERR_load_DSA_strings
+#define ERR_load_ERR_strings dst__openssl_ERR_load_ERR_strings
+#define ERR_load_strings dst__openssl_ERR_load_strings
+#define ERR_peek_error dst__openssl_ERR_peek_error
+#define ERR_peek_error_line dst__openssl_ERR_peek_error_line
+#define ERR_peek_error_line_data dst__openssl_ERR_peek_error_line_data
+#define ERR_put_error dst__openssl_ERR_put_error
+#define ERR_reason_error_string dst__openssl_ERR_reason_error_string
+#define ERR_remove_state dst__openssl_ERR_remove_state
+#define ERR_set_error_data dst__openssl_ERR_set_error_data
+#define MD5_Final dst__openssl_MD5_Final
+#define MD5_Init dst__openssl_MD5_Init
+#define MD5_Transform dst__openssl_MD5_Transform
+#define MD5_Update dst__openssl_MD5_Update
+#define RAND_SSLeay dst__openssl_RAND_SSLeay
+#define RAND_add dst__openssl_RAND_add
+#define RAND_bytes dst__openssl_RAND_bytes
+#define RAND_cleanup dst__openssl_RAND_cleanup
+#define RAND_get_rand_method dst__openssl_RAND_get_rand_method
+#define RAND_pseudo_bytes dst__openssl_RAND_pseudo_bytes
+#define RAND_seed dst__openssl_RAND_seed
+#define RAND_set_rand_method dst__openssl_RAND_set_rand_method
+#define RAND_status dst__openssl_RAND_status
+#define rand_ssleay_meth dst__openssl_rand_ssleay_meth
+#define SHA1 dst__openssl_SHA1
+#define SHA1_Final dst__openssl_SHA1_Final
+#define SHA1_Init dst__openssl_SHA1_Init
+#define SHA1_Transform dst__openssl_SHA1_Transform
+#define SHA1_Update dst__openssl_SHA1_Update
+#define bn_add_words dst__openssl_bn_add_words
+#define bn_cmp_words dst__openssl_bn_cmp_words
+#define bn_div_words dst__openssl_bn_div_words
+#define bn_expand2 dst__openssl_bn_expand2
+#define bn_mul_add_words dst__openssl_bn_mul_add_words
+#define bn_mul_comba4 dst__openssl_bn_mul_comba4
+#define bn_mul_comba8 dst__openssl_bn_mul_comba8
+#define bn_mul_high dst__openssl_bn_mul_high
+#define bn_mul_low_normal dst__openssl_bn_mul_low_normal
+#define bn_mul_low_recursive dst__openssl_bn_mul_low_recursive
+#define bn_mul_normal dst__openssl_bn_mul_normal
+#define bn_mul_part_recursive dst__openssl_bn_mul_part_recursive
+#define bn_mul_recursive dst__openssl_bn_mul_recursive
+#define bn_mul_words dst__openssl_bn_mul_words
+#define bn_sqr_comba4 dst__openssl_bn_sqr_comba4
+#define bn_sqr_comba8 dst__openssl_bn_sqr_comba8
+#define bn_sqr_normal dst__openssl_bn_sqr_normal
+#define bn_sqr_recursive dst__openssl_bn_sqr_recursive
+#define bn_sqr_words dst__openssl_bn_sqr_words
+#define bn_sub_words dst__openssl_bn_sub_words
+#define lh_delete dst__openssl_lh_delete
+#define lh_doall dst__openssl_lh_doall
+#define lh_doall_arg dst__openssl_lh_doall_arg
+#define lh_free dst__openssl_lh_free
+#define lh_insert dst__openssl_lh_insert
+#define lh_new dst__openssl_lh_new
+#define lh_retrieve dst__openssl_lh_retrieve
+#define lh_strhash dst__openssl_lh_strhash
+#define md5_block_host_order dst__openssl_md5_block_host_order
+#define md5_block_data_order dst__openssl_md5_block_data_order
+#define sha1_block_data_order dst__openssl_sha1_block_data_order
+#define sha1_block_host_order dst__openssl_sha1_block_host_order
+#define sk_CRYPTO_EX_DATA_FUNCS_delete dst__openssl_sk_CRYPTO_EX_DATA_FUNCS_delete
+#define sk_CRYPTO_EX_DATA_FUNCS_delete_ptr dst__openssl_sk_CRYPTO_EX_DATA_FUNCS_delete_ptr
+#define sk_CRYPTO_EX_DATA_FUNCS_dup dst__openssl_sk_CRYPTO_EX_DATA_FUNCS_dup
+#define sk_CRYPTO_EX_DATA_FUNCS_find dst__openssl_sk_CRYPTO_EX_DATA_FUNCS_find
+#define sk_CRYPTO_EX_DATA_FUNCS_free dst__openssl_sk_CRYPTO_EX_DATA_FUNCS_free
+#define sk_CRYPTO_EX_DATA_FUNCS_insert dst__openssl_sk_CRYPTO_EX_DATA_FUNCS_insert
+#define sk_CRYPTO_EX_DATA_FUNCS_new dst__openssl_sk_CRYPTO_EX_DATA_FUNCS_new
+#define sk_CRYPTO_EX_DATA_FUNCS_new_null dst__openssl_sk_CRYPTO_EX_DATA_FUNCS_new_null
+#define sk_CRYPTO_EX_DATA_FUNCS_num dst__openssl_sk_CRYPTO_EX_DATA_FUNCS_num
+#define sk_CRYPTO_EX_DATA_FUNCS_pop dst__openssl_sk_CRYPTO_EX_DATA_FUNCS_pop
+#define sk_CRYPTO_EX_DATA_FUNCS_pop_free dst__openssl_sk_CRYPTO_EX_DATA_FUNCS_pop_free
+#define sk_CRYPTO_EX_DATA_FUNCS_push dst__openssl_sk_CRYPTO_EX_DATA_FUNCS_push
+#define sk_CRYPTO_EX_DATA_FUNCS_set dst__openssl_sk_CRYPTO_EX_DATA_FUNCS_set
+#define sk_CRYPTO_EX_DATA_FUNCS_set_cmp_func dst__openssl_sk_CRYPTO_EX_DATA_FUNCS_set_cmp_func
+#define sk_CRYPTO_EX_DATA_FUNCS_shift dst__openssl_sk_CRYPTO_EX_DATA_FUNCS_shift
+#define sk_CRYPTO_EX_DATA_FUNCS_sort dst__openssl_sk_CRYPTO_EX_DATA_FUNCS_sort
+#define sk_CRYPTO_EX_DATA_FUNCS_unshift dst__openssl_sk_CRYPTO_EX_DATA_FUNCS_unshift
+#define sk_CRYPTO_EX_DATA_FUNCS_value dst__openssl_sk_CRYPTO_EX_DATA_FUNCS_value
+#define sk_CRYPTO_EX_DATA_FUNCS_zero dst__openssl_sk_CRYPTO_EX_DATA_FUNCS_zero
+#define sk_delete dst__openssl_sk_delete
+#define sk_delete_ptr dst__openssl_sk_delete_ptr
+#define sk_dup dst__openssl_sk_dup
+#define sk_find dst__openssl_sk_find
+#define sk_free dst__openssl_sk_free
+#define sk_insert dst__openssl_sk_insert
+#define sk_new dst__openssl_sk_new
+#define sk_num dst__openssl_sk_num
+#define sk_pop dst__openssl_sk_pop
+#define sk_pop_free dst__openssl_sk_pop_free
+#define sk_push dst__openssl_sk_push
+#define sk_set dst__openssl_sk_set
+#define sk_set_cmp_func dst__openssl_sk_set_cmp_func
+#define sk_shift dst__openssl_sk_shift
+#define sk_sort dst__openssl_sk_sort
+#define sk_unshift dst__openssl_sk_unshift
+#define sk_value dst__openssl_sk_value
+#define sk_zero dst__openssl_sk_zero
+#define DH_version dst__openssl_DH_version
+#define DSA_version dst__openssl_DSA_version
+#define lh_version dst__openssl_lh_version
+#define RAND_version dst__openssl_RAND_version
+#define MD5_version dst__openssl_MD5_version
+#define SHA1_version dst__openssl_SHA1_version
+#define STACK_version dst__openssl_STACK_version
+#endif
+
+#endif /* SEC_RENAME_H */
diff --git a/lib/dns/ssu.c b/lib/dns/ssu.c
index b2014001..9f5bf3c9 100644
--- a/lib/dns/ssu.c
+++ b/lib/dns/ssu.c
@@ -16,21 +16,15 @@
  */
 
 /*
- * $Id: ssu.c,v 1.7 2000/03/23 19:48:19 halley Exp $
+ * $Id: ssu.c,v 1.11 2000/05/14 02:29:23 tale Exp $
  * Principal Author: Brian Wellington
  */
 
 #include <config.h>
 
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/list.h>
 #include <isc/magic.h>
-#include <isc/result.h>
-#include <isc/types.h>
-#include <isc/mutex.h>
+#include <isc/mem.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
 #include <isc/util.h>
 
 #include <dns/name.h>
@@ -243,9 +237,9 @@ dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
 
 static inline isc_boolean_t
 isusertype(dns_rdatatype_t type) {
-	return (type != dns_rdatatype_ns &&
-		type != dns_rdatatype_soa &&
-		type != dns_rdatatype_sig);
+	return (ISC_TF(type != dns_rdatatype_ns &&
+		       type != dns_rdatatype_soa &&
+		       type != dns_rdatatype_sig));
 }
 
 isc_boolean_t
diff --git a/lib/dns/tcpmsg.c b/lib/dns/tcpmsg.c
index 572f8402..952a6ebd 100644
--- a/lib/dns/tcpmsg.c
+++ b/lib/dns/tcpmsg.c
@@ -17,43 +17,33 @@
 
 #include <config.h>
 
-#include <ctype.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isc/buffer.h>
-#include <isc/error.h>
 #include <isc/mem.h>
-#include <isc/socket.h>
+#include <isc/task.h>
 #include <isc/util.h>
 
 #include <dns/events.h>
-#include <dns/types.h>
 #include <dns/result.h>
 #include <dns/tcpmsg.h>
 
 #ifdef TCPMSG_DEBUG
+#include <stdio.h>		/* Required for printf. */
 #define XDEBUG(x) printf x
 #else
 #define XDEBUG(x)
 #endif
 
-#define TCPMSG_MAGIC			0x5443506d	/* TCPm */
-
-#define VALID_TCPMSG(foo) ((foo) != NULL && ((foo)->magic == TCPMSG_MAGIC))
+#define TCPMSG_MAGIC		0x5443506d	/* TCPm */
+#define VALID_TCPMSG(foo)	ISC_MAGIC_VALID(foo, TCPMSG_MAGIC)
 
 static void recv_length(isc_task_t *, isc_event_t *);
 static void recv_message(isc_task_t *, isc_event_t *);
 
 
 static void
-recv_length(isc_task_t *task, isc_event_t *ev_in)
-{
+recv_length(isc_task_t *task, isc_event_t *ev_in) {
 	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
 	isc_event_t *dev;
-	dns_tcpmsg_t *tcpmsg = ev_in->arg;
+	dns_tcpmsg_t *tcpmsg = ev_in->ev_arg;
 	isc_region_t region;
 	isc_result_t result;
 
@@ -67,15 +57,15 @@ recv_length(isc_task_t *task, isc_event_t *ev_in)
 	}
 
 	/*
-	 * success
+	 * Success.
 	 */
 	tcpmsg->size = ntohs(tcpmsg->size);
 	if (tcpmsg->size == 0) {
-		tcpmsg->result = DNS_R_UNEXPECTEDEND;
+		tcpmsg->result = ISC_R_UNEXPECTEDEND;
 		goto send_and_free;
 	}
 	if (tcpmsg->size > tcpmsg->maxsize) {
-		tcpmsg->result = DNS_R_RANGE;
+		tcpmsg->result = ISC_R_RANGE;
 		goto send_and_free;
 	}
 
@@ -87,8 +77,7 @@ recv_length(isc_task_t *task, isc_event_t *ev_in)
 	}
 	XDEBUG(("Allocated %d bytes\n", tcpmsg->size));
 
-	isc_buffer_init(&tcpmsg->buffer, region.base, region.length,
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&tcpmsg->buffer, region.base, region.length);
 	result = isc_socket_recv(tcpmsg->sock, &region, 0,
 				 task, recv_message, tcpmsg);
 	if (result != ISC_R_SUCCESS) {
@@ -107,11 +96,10 @@ recv_length(isc_task_t *task, isc_event_t *ev_in)
 }
 
 static void
-recv_message(isc_task_t *task, isc_event_t *ev_in)
-{
+recv_message(isc_task_t *task, isc_event_t *ev_in) {
 	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
 	isc_event_t *dev;
-	dns_tcpmsg_t *tcpmsg = ev_in->arg;
+	dns_tcpmsg_t *tcpmsg = ev_in->ev_arg;
 
 	(void)task;
 
@@ -137,8 +125,7 @@ recv_message(isc_task_t *task, isc_event_t *ev_in)
 }
 
 void
-dns_tcpmsg_init(isc_mem_t *mctx, isc_socket_t *sock, dns_tcpmsg_t *tcpmsg)
-{
+dns_tcpmsg_init(isc_mem_t *mctx, isc_socket_t *sock, dns_tcpmsg_t *tcpmsg) {
 	REQUIRE(mctx != NULL);
 	REQUIRE(sock != NULL);
 	REQUIRE(tcpmsg != NULL);
@@ -147,18 +134,19 @@ dns_tcpmsg_init(isc_mem_t *mctx, isc_socket_t *sock, dns_tcpmsg_t *tcpmsg)
 	tcpmsg->size = 0;
 	tcpmsg->buffer.base = NULL;
 	tcpmsg->buffer.length = 0;
-	tcpmsg->maxsize = 65535;  /* largest message possible */
+	tcpmsg->maxsize = 65535;		/* Largest message possible. */
 	tcpmsg->mctx = mctx;
 	tcpmsg->sock = sock;
-	tcpmsg->task = NULL;  /* none yet */
-	tcpmsg->result = ISC_R_UNEXPECTED;  /* none yet */
-	/* Should probably initialize the event here, but it can wait. */
+	tcpmsg->task = NULL;			/* None yet. */
+	tcpmsg->result = ISC_R_UNEXPECTED;	/* None yet. */
+	/*
+	 * Should probably initialize the event here, but it can wait.
+	 */
 }
 
 
 void
-dns_tcpmsg_setmaxsize(dns_tcpmsg_t *tcpmsg, unsigned int maxsize)
-{
+dns_tcpmsg_setmaxsize(dns_tcpmsg_t *tcpmsg, unsigned int maxsize) {
 	REQUIRE(VALID_TCPMSG(tcpmsg));
 	REQUIRE(maxsize < 65536);
 
@@ -205,16 +193,14 @@ dns_tcpmsg_readmessage(dns_tcpmsg_t *tcpmsg,
 }
 
 void
-dns_tcpmsg_cancelread(dns_tcpmsg_t *tcpmsg)
-{
+dns_tcpmsg_cancelread(dns_tcpmsg_t *tcpmsg) {
 	REQUIRE(VALID_TCPMSG(tcpmsg));
 
 	isc_socket_cancel(tcpmsg->sock, NULL, ISC_SOCKCANCEL_RECV);
 }
 
 void
-dns_tcpmsg_keepbuffer(dns_tcpmsg_t *tcpmsg, isc_buffer_t *buffer)
-{
+dns_tcpmsg_keepbuffer(dns_tcpmsg_t *tcpmsg, isc_buffer_t *buffer) {
 	REQUIRE(VALID_TCPMSG(tcpmsg));
 	REQUIRE(buffer != NULL);
 
@@ -225,8 +211,7 @@ dns_tcpmsg_keepbuffer(dns_tcpmsg_t *tcpmsg, isc_buffer_t *buffer)
 
 #if 0
 void
-dns_tcpmsg_freebuffer(dns_tcpmsg_t *tcpmsg)
-{
+dns_tcpmsg_freebuffer(dns_tcpmsg_t *tcpmsg) {
 	REQUIRE(VALID_TCPMSG(tcpmsg));
 
 	if (tcpmsg->buffer.base == NULL)
@@ -239,8 +224,7 @@ dns_tcpmsg_freebuffer(dns_tcpmsg_t *tcpmsg)
 #endif
 
 void
-dns_tcpmsg_invalidate(dns_tcpmsg_t *tcpmsg)
-{
+dns_tcpmsg_invalidate(dns_tcpmsg_t *tcpmsg) {
 	REQUIRE(VALID_TCPMSG(tcpmsg));
 
 	tcpmsg->magic = 0;
diff --git a/lib/dns/time.c b/lib/dns/time.c
index 056c0ed0..2d3d773e 100644
--- a/lib/dns/time.c
+++ b/lib/dns/time.c
@@ -15,17 +15,17 @@
  * SOFTWARE.
  */
 
-/* $Id: time.c,v 1.7 2000/03/17 17:45:05 gson Exp $ */
+/* $Id: time.c,v 1.13 2000/05/15 21:14:10 tale Exp $ */
 
 #include <config.h>
 
 #include <stdio.h>
-#include <string.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
 #include <time.h>
 
-#include <isc/assertions.h>
+#include <isc/region.h>
+#include <isc/util.h>
 
-#include <dns/types.h>
 #include <dns/result.h>
 #include <dns/time.h>
 
@@ -43,14 +43,14 @@ dns_time64_totext(isc_int64_t t, isc_buffer_t *target) {
 
 #define is_leap(y) ((((y) % 4) == 0 && ((y) % 100) != 0) || ((y) % 400) == 0)
 #define year_secs(y) ((is_leap(y) ? 366 : 365 ) * 86400)
-#define month_secs(m, y) ((days[m] + ((m == 1 && is_leap(y)) ? 1 : 0 )) * 86400)
+#define month_secs(m,y) ((days[m] + ((m == 1 && is_leap(y)) ? 1 : 0 )) * 86400)
 
 	tm.tm_year = 70;
 	while ((secs = year_secs(tm.tm_year + 1900)) <= t) {
 		t -= secs;
 		tm.tm_year++;
 		if (tm.tm_year + 1900 > 9999)
-			return DNS_R_RANGE;
+			return (ISC_R_RANGE);
 	}
 	tm.tm_mon = 0;
 	while ((secs = month_secs(tm.tm_mon, tm.tm_year + 1900)) <= t) {
@@ -78,15 +78,15 @@ dns_time64_totext(isc_int64_t t, isc_buffer_t *target) {
 		tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
 		tm.tm_hour, tm.tm_min, tm.tm_sec);
 
-	isc_buffer_available(target, &region);
+	isc_buffer_availableregion(target, &region);
 	l = strlen(buf);
 
 	if (l > region.length)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 
 	memcpy(region.base, buf, l);
 	isc_buffer_add(target, l);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -95,7 +95,9 @@ dns_time32_totext(isc_uint32_t value, isc_buffer_t *target) {
 	isc_int64_t base;
 	isc_int64_t t;
 
-	/* Find the right epoch. */
+	/*
+	 * Find the right epoch.
+	 */
 	start = time(NULL);
 	start -= 0x7fffffff;
 	base = 0;
@@ -116,7 +118,7 @@ dns_time64_fromtext(char *source, isc_int64_t *target) {
 #define RANGE(min, max, value) \
 	do { \
 		if (value < (min) || value > (max)) \
-			return (DNS_R_RANGE); \
+			return (ISC_R_RANGE); \
 	} while (0)
 
 	if (strlen(source) != 14)
@@ -131,9 +133,11 @@ dns_time64_fromtext(char *source, isc_int64_t *target) {
 		 ((month == 2 && is_leap(year)) ? 1 : 0), day);
 	RANGE(0, 23, hour);
 	RANGE(0, 59, minute);
-	RANGE(0, 60, second);	/* leap second */
+	RANGE(0, 60, second);		/* 60 == leap second. */
 
-	/* Calulate seconds since epoch. */
+	/*
+	 * Calulate seconds since epoch.
+	 */
 	value = second + (60 * minute) + (3600 * hour) + ((day - 1) * 86400);
 	for (i = 0; i < (month - 1) ; i++)
 		value += days[i] * 86400;
@@ -145,7 +149,7 @@ dns_time64_fromtext(char *source, isc_int64_t *target) {
 	}
 
 	*target = value;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -154,12 +158,12 @@ dns_time32_fromtext(char *source, isc_uint32_t *target) {
 	isc_int32_t value32;
 	isc_result_t result;
 	result = dns_time64_fromtext(source, &value64);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 	value32 = (isc_uint32_t)value64;
 	if (value32 != value64)
-		return DNS_R_RANGE;
+		return (ISC_R_RANGE);
 	*target = value32;
 
-	return DNS_R_SUCCESS;
+	return (ISC_R_SUCCESS);
 }
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index 1bce162d..5f20d9e2 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -16,42 +16,26 @@
  */
 
 /*
- * $Id: tkey.c,v 1.25 2000/03/17 19:50:22 bwelling Exp $
+ * $Id: tkey.c,v 1.37 2000/05/19 22:11:20 bwelling Exp $
  * Principal Author: Brian Wellington
  */
 
-
 #include <config.h>
 
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isc/buffer.h>
-#include <isc/error.h>
-#include <isc/list.h>
-#include <isc/log.h>
 #include <isc/mem.h>
-#include <isc/net.h>
-#include <isc/result.h>
-#include <isc/rwlock.h>
-#include <isc/stdtime.h>
-#include <isc/types.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <dns/dnssec.h>
 #include <dns/keyvalues.h>
-#include <dns/name.h>
 #include <dns/message.h>
 #include <dns/rdata.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
+#include <dns/result.h>
 #include <dns/tkey.h>
 #include <dns/tsig.h>
 
-#include <dst/dst.h>
-#include <dst/result.h>
-
 #define TKEY_RANDOM_AMOUNT 16
 
 #define RETERR(x) do { \
@@ -85,10 +69,11 @@ dns_tkeyctx_destroy(dns_tkey_ctx_t **tctx) {
 	REQUIRE(*tctx != NULL);
 
 	if ((*tctx)->dhkey != NULL)
-		dst_key_free((*tctx)->dhkey);
+		dst_key_free(&(*tctx)->dhkey);
 	if ((*tctx)->domain != NULL) {
 		dns_name_free((*tctx)->domain, (*tctx)->mctx);
-		isc_mem_put((*tctx)->mctx, (*tctx)->domain, sizeof(dns_name_t));
+		isc_mem_put((*tctx)->mctx, (*tctx)->domain,
+			    sizeof(dns_name_t));
 	}
 
 	mctx = (*tctx)->mctx;
@@ -110,9 +95,8 @@ add_rdata_to_list(dns_message_t *msg, dns_name_t *name, dns_rdata_t *rdata,
 	RETERR(dns_message_gettemprdata(msg, &newrdata));
 
 	dns_rdata_toregion(rdata, &r);
-	RETERR(isc_buffer_allocate(msg->mctx, &tmprdatabuf, r.length,
-				   ISC_BUFFERTYPE_BINARY));
-	isc_buffer_available(tmprdatabuf, &newr);
+	RETERR(isc_buffer_allocate(msg->mctx, &tmprdatabuf, r.length));
+	isc_buffer_availableregion(tmprdatabuf, &newr);
 	memcpy(newr.base, r.base, r.length);
 	dns_rdata_fromregion(newrdata, rdata->rdclass, rdata->type, &newr);
 	dns_message_takebuffer(msg, &tmprdatabuf);
@@ -120,9 +104,8 @@ add_rdata_to_list(dns_message_t *msg, dns_name_t *name, dns_rdata_t *rdata,
 	dns_name_toregion(name, &r);
 	RETERR(dns_message_gettempname(msg, &newname));
 	dns_name_init(newname, NULL);
-	RETERR(isc_buffer_allocate(msg->mctx, &tmpnamebuf, r.length,
-				   ISC_BUFFERTYPE_BINARY));
-	isc_buffer_available(tmpnamebuf, &newr);
+	RETERR(isc_buffer_allocate(msg->mctx, &tmpnamebuf, r.length));
+	isc_buffer_availableregion(tmpnamebuf, &newr);
 	memcpy(newr.base, r.base, r.length);
 	dns_name_fromregion(newname, &newr);
 	dns_message_takebuffer(msg, &tmpnamebuf);
@@ -171,26 +154,38 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
 	isc_buffer_t b;
 	unsigned int i;
 
-	isc_buffer_init(&b, digests, sizeof(digests), ISC_BUFFERTYPE_BINARY);
-	isc_buffer_used(shared, &r);
+	isc_buffer_init(&b, digests, sizeof(digests));
+	isc_buffer_usedregion(shared, &r);
 
-	/* MD5 ( query data | DH value ) */
-	RETERR(dst_digest(DST_SIGMODE_INIT, DST_DIGEST_MD5, &ctx, NULL, NULL));
-	RETERR(dst_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5, &ctx,
-			  queryrandomness, NULL));
-	RETERR(dst_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5, &ctx, &r, NULL));
-	RETERR(dst_digest(DST_SIGMODE_FINAL, DST_DIGEST_MD5, &ctx, NULL, &b));
+	/*
+	 * MD5 ( query data | DH value ).
+	 */
+	RETERR(dst_key_digest(DST_SIGMODE_INIT, DST_DIGEST_MD5, &ctx, NULL,
+			      NULL));
+	RETERR(dst_key_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5, &ctx,
+			      queryrandomness, NULL));
+	RETERR(dst_key_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5, &ctx, &r,
+			      NULL));
+	RETERR(dst_key_digest(DST_SIGMODE_FINAL, DST_DIGEST_MD5, &ctx, NULL,
+			      &b));
 			
-	/* MD5 ( server data | DH value ) */
-	RETERR(dst_digest(DST_SIGMODE_INIT, DST_DIGEST_MD5, &ctx, NULL, NULL));
-	RETERR(dst_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5, &ctx,
-			  serverrandomness, NULL));
-	RETERR(dst_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5, &ctx, &r, NULL));
-	RETERR(dst_digest(DST_SIGMODE_FINAL, DST_DIGEST_MD5, &ctx, NULL, &b));
-
-	/* XOR ( DH value, MD5-1 | MD5-2) */
-	isc_buffer_available(secret, &r);
-	isc_buffer_used(shared, &r2);
+	/*
+	 * MD5 ( server data | DH value ).
+	 */
+	RETERR(dst_key_digest(DST_SIGMODE_INIT, DST_DIGEST_MD5, &ctx, NULL,
+			      NULL));
+	RETERR(dst_key_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5, &ctx,
+			      serverrandomness, NULL));
+	RETERR(dst_key_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5, &ctx, &r,
+			      NULL));
+	RETERR(dst_key_digest(DST_SIGMODE_FINAL, DST_DIGEST_MD5, &ctx, NULL,
+			      &b));
+
+	/*
+	 * XOR ( DH value, MD5-1 | MD5-2).
+	 */
+	isc_buffer_availableregion(secret, &r);
+	isc_buffer_usedregion(shared, &r2);
 	if (r.length < sizeof(digests) || r.length < r2.length)
 		return (ISC_R_NOSPACE);
 	if (r2.length > sizeof(digests)) {
@@ -213,8 +208,8 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
 
 static isc_result_t
 process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
-	       dns_rdata_generic_tkey_t *tkeyin, dns_tkey_ctx_t *tctx,
-	       dns_rdata_generic_tkey_t *tkeyout,
+	       dns_rdata_tkey_t *tkeyin, dns_tkey_ctx_t *tctx,
+	       dns_rdata_tkey_t *tkeyout,
 	       dns_tsig_keyring_t *ring, dns_namelist_t *namelist)
 {
 	isc_result_t result = ISC_R_SUCCESS;
@@ -228,13 +223,14 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 	isc_uint32_t ourttl;
 	unsigned char keydata[DST_KEY_MAXSIZE];
 	unsigned char namedata[1024];
-	dns_tsigkey_t *tsigkey;
 	unsigned int sharedsize;
 	isc_buffer_t randombuf, secret;
 	unsigned char *randomdata = NULL, secretdata[256];
 	isc_stdtime_t now;
 
-	/* Look for a DH KEY record that will work with ours */
+	/*
+	 * Look for a DH KEY record that will work with ours.
+	 */
 	result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL);
 	while (result == ISC_R_SUCCESS) {
 		keyname = NULL;
@@ -265,7 +261,7 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 					else
 						found_incompatible = ISC_TRUE;
 				}
-				dst_key_free(pubkey);
+				dst_key_free(&pubkey);
 				result = dns_rdataset_next(keyset);
 			}
 		}
@@ -284,25 +280,25 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 	RETERR(add_rdata_to_list(msg, keyname, &keyrdata, keyset->ttl,
 				 namelist));
 
-	isc_buffer_init(&ourkeybuf, keydata, sizeof(keydata),
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&ourkeybuf, keydata, sizeof(keydata));
 	RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf));
-	isc_buffer_used(&ourkeybuf, &ourkeyr);
+	isc_buffer_usedregion(&ourkeybuf, &ourkeyr);
 	dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_any,
 			     dns_rdatatype_key, &ourkeyr);
 	isc_buffer_init(&ournamein, dst_key_name(tctx->dhkey),
-		        strlen(dst_key_name(tctx->dhkey)), ISC_BUFFERTYPE_TEXT);
+		        strlen(dst_key_name(tctx->dhkey)));
 	isc_buffer_add(&ournamein, strlen(dst_key_name(tctx->dhkey)));
-	isc_buffer_init(&ournameout, namedata, sizeof(namedata),
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&ournameout, namedata, sizeof(namedata));
 	dns_name_init(&ourname, NULL);
 	RETERR(dns_name_fromtext(&ourname, &ournamein, dns_rootname, ISC_FALSE,
 				 &ournameout));
 	ourttl = 0;
 #if 0
-	/* Not sure how to do this without a view... */
+	/*
+	 * Not sure how to do this without a view...
+	 */
 	db = NULL;
-	result = dns_dbtable_find(client->view->dbtable, &ourname, &db);
+	result = dns_dbtable_find(client->view->dbtable, &ourname, 0, &db);
 	if (result == ISC_R_SUCCESS) {
 		dns_rdataset_t set;
 		dns_fixedname_t foundname;
@@ -322,32 +318,28 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 	RETERR(add_rdata_to_list(msg, &ourname, &ourkeyrdata, ourttl,
 				 namelist));
 
-	RETERR(dst_secret_size(tctx->dhkey, &sharedsize));
-	RETERR(isc_buffer_allocate(msg->mctx, &shared, sharedsize,
-				   ISC_BUFFERTYPE_BINARY));
+	RETERR(dst_key_secretsize(tctx->dhkey, &sharedsize));
+	RETERR(isc_buffer_allocate(msg->mctx, &shared, sharedsize));
 
-	RETERR(dst_computesecret(pubkey, tctx->dhkey, shared));
+	RETERR(dst_key_computesecret(pubkey, tctx->dhkey, shared));
 
-	isc_buffer_init(&secret, secretdata, sizeof(secretdata),
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&secret, secretdata, sizeof(secretdata));
 
 	randomdata = isc_mem_get(tkeyout->mctx, TKEY_RANDOM_AMOUNT);
 	if (randomdata == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto failure;
 	}
-	isc_buffer_init(&randombuf, randomdata, TKEY_RANDOM_AMOUNT,
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&randombuf, randomdata, TKEY_RANDOM_AMOUNT);
 	RETERR(dst_random_get(TKEY_RANDOM_AMOUNT, &randombuf));
 
-	isc_buffer_used(&randombuf, &r);
+	isc_buffer_usedregion(&randombuf, &r);
 	r2.base = tkeyin->key;
 	r2.length = tkeyin->keylen;
 	RETERR(compute_secret(shared, &r2, &r, &secret));
 
-	dst_key_free(pubkey);
-	isc_buffer_used(&secret, &r);
-	tsigkey = NULL;
+	dst_key_free(&pubkey);
+	isc_buffer_usedregion(&secret, &r);
 	result = dns_tsigkey_create(name, &tkeyin->algorithm, r.base, r.length,
 				    ISC_TRUE, signer, tkeyin->inception,
 				    tkeyin->expire, msg->mctx, ring, NULL);
@@ -392,8 +384,8 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 
 static isc_result_t
 process_deletetkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
-		   dns_rdata_generic_tkey_t *tkeyin,
-		   dns_rdata_generic_tkey_t *tkeyout,
+		   dns_rdata_tkey_t *tkeyin,
+		   dns_rdata_tkey_t *tkeyout,
 		   dns_tsig_keyring_t *ring,
 		   dns_namelist_t *namelist)
 {
@@ -435,7 +427,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkey_ctx_t *tctx,
 		      dns_tsig_keyring_t *ring)
 {
 	isc_result_t result = ISC_R_SUCCESS;
-	dns_rdata_generic_tkey_t tkeyin, tkeyout;
+	dns_rdata_tkey_t tkeyin, tkeyout;
 	dns_name_t *qname, *name, *keyname, tempkeyname, signer;
 	dns_rdataset_t *tkeyset;
 	dns_rdata_t tkeyrdata, *rdata = NULL;
@@ -446,17 +438,23 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkey_ctx_t *tctx,
 	REQUIRE(tctx != NULL);
 	REQUIRE(ring != NULL);
 
-	/* Need to do this to determine if this should be freed later */
-	memset(&tkeyin, 0, sizeof(dns_rdata_generic_tkey_t));
+	/*
+	 * Need to do this to determine if this should be freed later.
+	 */
+	memset(&tkeyin, 0, sizeof(dns_rdata_tkey_t));
 
-	/* Interpret the question section */
+	/*
+	 * Interpret the question section.
+	 */
 	result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
-	INSIST(result == DNS_R_SUCCESS);
+	INSIST(result == ISC_R_SUCCESS);
 
 	qname = NULL;
 	dns_message_currentname(msg, DNS_SECTION_QUESTION, &qname);
 
-	/* Look for a TKEY record that matches the question */
+	/*
+	 * Look for a TKEY record that matches the question.
+	 */
 	tkeyset = NULL;
 	name = NULL;
 	result = dns_message_findname(msg, DNS_SECTION_ADDITIONAL, qname,
@@ -525,8 +523,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkey_ctx_t *tctx,
 		dns_name_init(&tempkeyname, NULL);
 		keyname = &tempkeyname;
 		dns_name_init(&prefix, NULL);
-		RETERR(isc_buffer_allocate(msg->mctx, &buf, 256,
-					   ISC_BUFFERTYPE_BINARY));
+		RETERR(isc_buffer_allocate(msg->mctx, &buf, 256));
 
 		if (!dns_name_equal(qname, dns_rootname)) {
 			unsigned int n = dns_name_countlabels(qname);
@@ -540,8 +537,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkey_ctx_t *tctx,
 			isc_buffer_t b, b2;
 			int i;
 
-			isc_buffer_init(&b, randomtext, sizeof(randomtext),
-					ISC_BUFFERTYPE_BINARY);
+			isc_buffer_init(&b, randomtext, sizeof(randomtext));
 			result = dst_random_get(sizeof(randomtext)/2, &b);
 			if (result != ISC_R_SUCCESS) {
 				dns_message_takebuffer(msg, &buf);
@@ -553,10 +549,8 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkey_ctx_t *tctx,
 				randomtext[i] = hexdigits[val >> 4];
 				randomtext[i+1] = hexdigits[val & 0xF];
 			}
-			isc_buffer_init(&b, randomtext, sizeof(randomtext),
-					ISC_BUFFERTYPE_TEXT);
-			isc_buffer_init(&b2, tdata, sizeof(tdata),
-					ISC_BUFFERTYPE_BINARY);
+			isc_buffer_init(&b, randomtext, sizeof(randomtext));
+			isc_buffer_init(&b2, tdata, sizeof(tdata));
 			isc_buffer_add(&b, sizeof(randomtext));
 			result = dns_name_fromtext(&prefix, &b, NULL,
 						   ISC_FALSE, &b2);
@@ -591,7 +585,8 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkey_ctx_t *tctx,
 	switch (tkeyin.mode) {
 		case DNS_TKEYMODE_DIFFIEHELLMAN:
 			RETERR(process_dhtkey(msg, &signer, keyname, &tkeyin,
-					      tctx, &tkeyout, ring, &namelist));
+					      tctx, &tkeyout, ring,
+					      &namelist));
 			tkeyout.error = dns_rcode_noerror;
 			break;
 		case DNS_TKEYMODE_DELETE:
@@ -613,11 +608,14 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkey_ctx_t *tctx,
 	dns_rdata_freestruct(&tkeyin);
 
 	RETERR(dns_message_gettemprdata(msg, &rdata));
-	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 128,
-				   ISC_BUFFERTYPE_BINARY));
+	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 128));
 	result = dns_rdata_fromstruct(rdata, tkeyout.common.rdclass,
 				      tkeyout.common.rdtype, &tkeyout, dynbuf);
-	dns_rdata_freestruct(&tkeyout);
+	dns_name_free(&tkeyout.algorithm, msg->mctx);
+	if (tkeyout.key != NULL)
+		isc_mem_put(msg->mctx, tkeyout.key, tkeyout.keylen);
+	if (tkeyout.other != NULL)
+		isc_mem_put(msg->mctx, tkeyout.other, tkeyout.otherlen);
 	if (result != ISC_R_SUCCESS)
 		goto failure;
 
@@ -631,7 +629,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkey_ctx_t *tctx,
 	while (name != NULL) {
 		dns_name_t *next = ISC_LIST_NEXT(name, link);
 		ISC_LIST_UNLINK(namelist, name, link);
-		dns_message_addname(msg, name, DNS_SECTION_ADDITIONAL);
+		dns_message_addname(msg, name, DNS_SECTION_ANSWER);
 		name = next;
 	}
 
@@ -649,7 +647,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkey_ctx_t *tctx,
 
 static isc_result_t
 buildquery(dns_message_t *msg, dns_name_t *name,
-	   dns_rdata_generic_tkey_t *tkey)
+	   dns_rdata_tkey_t *tkey)
 {
 	dns_name_t *qname = NULL, *aname = NULL;
 	dns_rdataset_t *question = NULL, *tkeyset = NULL;
@@ -670,8 +668,7 @@ buildquery(dns_message_t *msg, dns_name_t *name,
 	dns_rdataset_makequestion(question, dns_rdataclass_any,
 				  dns_rdatatype_tkey);
 
-	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 512,
-				   ISC_BUFFERTYPE_BINARY));
+	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 512));
 	RETERR(dns_message_gettemprdata(msg, &rdata));
 	RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
 				    dns_rdatatype_tkey, tkey, dynbuf));
@@ -722,7 +719,7 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
 		      dns_name_t *algorithm, isc_buffer_t *nonce,
 		      isc_uint32_t lifetime)
 {
-	dns_rdata_generic_tkey_t tkey;
+	dns_rdata_tkey_t tkey;
 	dns_rdata_t *rdata = NULL;
 	isc_buffer_t src, *dynbuf = NULL;
 	isc_region_t r;
@@ -766,19 +763,16 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
 		isc_mem_put(msg->mctx, r.base, 0);
 
 	RETERR(dns_message_gettemprdata(msg, &rdata));
-	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024,
-                                   ISC_BUFFERTYPE_BINARY));
+	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024));
 	RETERR(dst_key_todns(key, dynbuf));
-	isc_buffer_used(dynbuf, &r);
+	isc_buffer_usedregion(dynbuf, &r);
 	dns_rdata_fromregion(rdata, dns_rdataclass_any,
 			     dns_rdatatype_key, &r);
 	dns_message_takebuffer(msg, &dynbuf);
 	RETERR(dns_message_gettempname(msg, &keyname));
-	isc_buffer_init(&src, dst_key_name(key), strlen(dst_key_name(key)),
-			ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&src, dst_key_name(key), strlen(dst_key_name(key)));
 	isc_buffer_add(&src, strlen(dst_key_name(key)));
-	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024,
-                                   ISC_BUFFERTYPE_BINARY));
+	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024));
 	dns_name_init(keyname, NULL);
 	RETERR(dns_name_fromtext(keyname, &src, dns_rootname, ISC_FALSE,
 				 dynbuf));
@@ -799,7 +793,7 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
 
 isc_result_t
 dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key) {
-	dns_rdata_generic_tkey_t tkey;
+	dns_rdata_tkey_t tkey;
 
 	REQUIRE(msg != NULL);
 	REQUIRE(key != NULL);
@@ -820,14 +814,16 @@ dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key) {
 }
 
 static isc_result_t
-find_tkey(dns_message_t *msg, dns_name_t **name, dns_rdata_t *rdata) {
+find_tkey(dns_message_t *msg, dns_name_t **name, dns_rdata_t *rdata,
+	  int section)
+{
 	dns_rdataset_t *tkeyset;
 	isc_result_t result;
 
-	result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL);
+	result = dns_message_firstname(msg, section);
 	while (result == ISC_R_SUCCESS) {
 		*name = NULL;
-		dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, name);
+		dns_message_currentname(msg, section, name);
 		tkeyset = NULL;
 		result = dns_message_findtype(*name, dns_rdatatype_tkey, 0,
 					      &tkeyset);
@@ -838,7 +834,7 @@ find_tkey(dns_message_t *msg, dns_name_t **name, dns_rdata_t *rdata) {
 			dns_rdataset_current(tkeyset, rdata);
 			return (ISC_R_SUCCESS);
 		}
-		result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL);
+		result = dns_message_nextname(msg, section);
 	}
 	if (result == ISC_R_NOMORE)
 		return (ISC_R_NOTFOUND);
@@ -855,8 +851,7 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 	dns_rdataset_t *theirkeyset = NULL, *ourkeyset = NULL;
 	dns_rdata_t theirkeyrdata;
 	dst_key_t *theirkey;
-	dns_tsigkey_t *tsigkey;
-	dns_rdata_generic_tkey_t qtkey, rtkey;
+	dns_rdata_tkey_t qtkey, rtkey;
 	unsigned char keydata[1024], secretdata[256];
 	unsigned int sharedsize;
 	isc_buffer_t keysrc, keybuf, *shared = NULL, secret;
@@ -874,10 +869,11 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 
 	if (rmsg->rcode != dns_rcode_noerror)
 		return(ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
-	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata));
+	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
 	RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, rmsg->mctx));
 
-	RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata));
+	RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata,
+			 DNS_SECTION_ADDITIONAL));
 	RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, qmsg->mctx));
 
 	if (rtkey.error != dns_rcode_noerror ||
@@ -891,25 +887,23 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 		goto failure;
 	}
 
-	isc_buffer_init(&keysrc, dst_key_name(key), strlen(dst_key_name(key)),
-			ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&keysrc, dst_key_name(key), strlen(dst_key_name(key)));
 	isc_buffer_add(&keysrc, strlen(dst_key_name(key)));
-	isc_buffer_init(&keybuf, keydata, sizeof(keydata),
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&keybuf, keydata, sizeof(keydata));
 	dns_name_init(&keyname, NULL);
 	RETERR(dns_name_fromtext(&keyname, &keysrc, dns_rootname,
 				 ISC_FALSE, &keybuf));
 
 	ourkeyname = NULL;
 	ourkeyset = NULL;
-	RETERR(dns_message_findname(rmsg, DNS_SECTION_ADDITIONAL, &keyname,
+	RETERR(dns_message_findname(rmsg, DNS_SECTION_ANSWER, &keyname,
 				    dns_rdatatype_key, 0, &ourkeyname,
 				    &ourkeyset));
 
-	result = dns_message_firstname(rmsg, DNS_SECTION_ADDITIONAL);
+	result = dns_message_firstname(rmsg, DNS_SECTION_ANSWER);
 	while (result == ISC_R_SUCCESS) {
 		theirkeyname = NULL;
-		dns_message_currentname(rmsg, DNS_SECTION_ADDITIONAL,
+		dns_message_currentname(rmsg, DNS_SECTION_ANSWER,
 					&theirkeyname);
 		if (dns_name_equal(theirkeyname, ourkeyname))
 			goto next;
@@ -921,7 +915,7 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 			break;
 		}
  next:
-                result = dns_message_nextname(rmsg, DNS_SECTION_ADDITIONAL);
+                result = dns_message_nextname(rmsg, DNS_SECTION_ANSWER);
         }
 
 	if (theirkeyset == NULL) {
@@ -934,14 +928,12 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 	RETERR(dns_dnssec_keyfromrdata(theirkeyname, &theirkeyrdata,
 				       rmsg->mctx, &theirkey));
 
-	RETERR(dst_secret_size(key, &sharedsize));
-	RETERR(isc_buffer_allocate(rmsg->mctx, &shared, sharedsize,
-				   ISC_BUFFERTYPE_BINARY));
+	RETERR(dst_key_secretsize(key, &sharedsize));
+	RETERR(isc_buffer_allocate(rmsg->mctx, &shared, sharedsize));
 
-	RETERR(dst_computesecret(theirkey, key, shared));
+	RETERR(dst_key_computesecret(theirkey, key, shared));
 
-	isc_buffer_init(&secret, secretdata, sizeof(secretdata),
-			ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&secret, secretdata, sizeof(secretdata));
 
 	r.base = rtkey.key;
 	r.length = rtkey.keylen;
@@ -955,8 +947,7 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 	if (nonce == NULL)
 		isc_mem_put(rmsg->mctx, r2.base, 0);
 
-	isc_buffer_used(&secret, &r);
-	tsigkey = NULL;
+	isc_buffer_usedregion(&secret, &r);
 	result = dns_tsigkey_create(tkeyname, &rtkey.algorithm,
 				    r.base, r.length, ISC_TRUE,
 				    NULL, rtkey.inception, rtkey.expire,
@@ -977,7 +968,7 @@ dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 {
 	dns_rdata_t qtkeyrdata, rtkeyrdata;
 	dns_name_t *tkeyname, *tempname;
-	dns_rdata_generic_tkey_t qtkey, rtkey;
+	dns_rdata_tkey_t qtkey, rtkey;
 	dns_tsigkey_t *tsigkey = NULL;
 	isc_result_t result;
 
@@ -987,10 +978,11 @@ dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 	if (rmsg->rcode != dns_rcode_noerror)
 		return(ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
 
-	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata));
+	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
 	RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, rmsg->mctx));
 
-	RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata));
+	RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata,
+			 DNS_SECTION_ADDITIONAL));
 	RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, qmsg->mctx));
 
 	if (rtkey.error != dns_rcode_noerror ||
@@ -1006,9 +998,13 @@ dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 
 	RETERR(dns_tsigkey_find(&tsigkey, tkeyname, &rtkey.algorithm, ring));
 
-	/* Mark the key as deleted */
+	/*
+	 * Mark the key as deleted.
+	 */
 	dns_tsigkey_setdeleted(tsigkey);
-	/* Release the reference */
+	/*
+	 * Release the reference.
+	 */
 	dns_tsigkey_free(&tsigkey);
 
  failure:
diff --git a/lib/dns/tkeyconf.c b/lib/dns/tkeyconf.c
index 25bbfad6..67cba362 100644
--- a/lib/dns/tkeyconf.c
+++ b/lib/dns/tkeyconf.c
@@ -17,13 +17,13 @@
 
 #include <config.h>
 
-#include <isc/base64.h>
-#include <isc/lex.h>
+#include <isc/buffer.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/mem.h>
 
-#include <dns/confctx.h>
-#include <dns/confkeys.h>
 #include <dns/keyvalues.h>
 #include <dns/name.h>
+#include <dns/tkey.h>
 #include <dns/tkeyconf.h>
 
 #define RETERR(x) do { \
@@ -67,9 +67,9 @@ dns_tkeyctx_fromconfig(dns_c_ctx_t *cfg, isc_mem_t *mctx,
 		goto failure;
 	}
 	dns_name_init(tctx->domain, NULL);
-	isc_buffer_init(&b, s, strlen(s), ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&b, s, strlen(s));
 	isc_buffer_add(&b, strlen(s));
-	isc_buffer_init(&namebuf, data, sizeof(data), ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&namebuf, data, sizeof(data));
 	RETERR(dns_name_fromtext(&domain, &b, dns_rootname, ISC_FALSE,
 				 &namebuf));
 	RETERR(dns_name_dup(&domain, mctx, tctx->domain));
@@ -78,10 +78,8 @@ dns_tkeyctx_fromconfig(dns_c_ctx_t *cfg, isc_mem_t *mctx,
 	return (ISC_R_SUCCESS);
 
  failure:
-	if (tctx->dhkey != NULL) {
-		dst_key_free(tctx->dhkey);
-		tctx->dhkey = NULL;
-	}
+	if (tctx->dhkey != NULL)
+		dst_key_free(&tctx->dhkey);
 	if (tctx->domain != NULL) {
 		dns_name_free(tctx->domain, mctx);
 		isc_mem_put(mctx, tctx->domain, sizeof(dns_name_t));
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 5ba1196a..858ebd30 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -16,41 +16,30 @@
  */
 
 /*
- * $Id: tsig.c,v 1.48 2000/03/16 23:13:25 bwelling Exp $
+ * $Id: tsig.c,v 1.61 2000/05/22 23:17:22 bwelling Exp $
  * Principal Author: Brian Wellington
  */
 
-
 #include <config.h>
+#include <stdlib.h>		/* Required for abs(). */
 
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isc/buffer.h>
-#include <isc/error.h>
-#include <isc/list.h>
-#include <isc/net.h>
+#include <isc/mem.h>
 #include <isc/once.h>
-#include <isc/result.h>
-#include <isc/rwlock.h>
-#include <isc/stdtime.h>
-#include <isc/types.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/util.h>
 
 #include <dns/keyvalues.h>
-#include <dns/name.h>
 #include <dns/message.h>
 #include <dns/rdata.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
+#include <dns/result.h>
 #include <dns/tsig.h>
 
-#include <dst/dst.h>
 #include <dst/result.h>
 
 #define TSIG_MAGIC		0x54534947	/* TSIG */
-#define VALID_TSIG_KEY(x)	((x) != NULL && (x)->magic == TSIG_MAGIC)
+#define VALID_TSIG_KEY(x)	ISC_MAGIC_VALID(x, TSIG_MAGIC)
 
 #define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
 
@@ -120,19 +109,20 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
 	else
 		tkey->creator = NULL;
 
-	isc_buffer_init(&nameb, namestr, sizeof(namestr) - 1,
-			ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&nameb, namestr, sizeof(namestr) - 1);
 	ret = dns_name_totext(name, ISC_FALSE, &nameb);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_algorithm;
 
-	isc_buffer_used(&nameb, &r);
+	isc_buffer_usedregion(&nameb, &r);
 	namestr[r.length] = '\0';
 
+	tkey->key = NULL;
+	tkey->ring = NULL;
 	if (length > 0) {
 		dns_tsigkey_t *tmp;
 
-		isc_buffer_init(&b, secret, length, ISC_BUFFERTYPE_BINARY);
+		isc_buffer_init(&b, secret, length);
 		isc_buffer_add(&b, length);
 		ret = dst_key_frombuffer(namestr, alg,
 					 DNS_KEYOWNER_ENTITY,
@@ -159,10 +149,6 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
 		isc_rwlock_unlock(&ring->lock, isc_rwlocktype_write);
 		tkey->ring = ring;
 	}
-	else {
-		tkey->key = NULL;
-		tkey->ring = NULL;
-	}
 
 	tkey->refs = 0;
 	if (key != NULL)
@@ -177,7 +163,7 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_mutex_init() failed: %s",
 				 isc_result_totext(ret));
-		return (DNS_R_UNEXPECTED);
+		return (ISC_R_UNEXPECTED);
 	}
 	
 	tkey->magic = TSIG_MAGIC;
@@ -217,7 +203,7 @@ tsigkey_free(dns_tsigkey_t **key) {
 	dns_name_free(&tkey->name, tkey->mctx);
 	dns_name_free(&tkey->algorithm, tkey->mctx);
 	if (tkey->key != NULL)
-		dst_key_free(tkey->key);
+		dst_key_free(&tkey->key);
 	if (tkey->creator != NULL) {
 		dns_name_free(tkey->creator, tkey->mctx);
 		isc_mem_put(tkey->mctx, tkey->creator, sizeof(dns_name_t));
@@ -255,7 +241,7 @@ dns_tsigkey_setdeleted(dns_tsigkey_t *key) {
 isc_result_t
 dns_tsig_sign(dns_message_t *msg) {
 	dns_tsigkey_t *key;
-	dns_rdata_any_tsig_t *tsig;
+	dns_rdata_any_tsig_t tsig;
 	unsigned char data[128];
 	isc_buffer_t databuf, sigbuf;
 	isc_buffer_t *dynbuf;
@@ -268,12 +254,15 @@ dns_tsig_sign(dns_message_t *msg) {
 	dst_context_t ctx;
 	isc_mem_t *mctx;
 	isc_result_t ret;
+	isc_boolean_t algfreed = ISC_FALSE;
 
 	REQUIRE(msg != NULL);
 	REQUIRE(VALID_TSIG_KEY(msg->tsigkey));
 	REQUIRE(msg->tsig == NULL);
 
-	/* If this is a response, there should be a query tsig */
+	/*
+	 * If this is a response, there should be a query tsig.
+	 */
 	if (is_response(msg) && msg->querytsig == NULL)
 		return (DNS_R_EXPECTEDTSIG);
 
@@ -282,126 +271,131 @@ dns_tsig_sign(dns_message_t *msg) {
 	mctx = msg->mctx;
 	key = msg->tsigkey;
 
-	tsig = (dns_rdata_any_tsig_t *)
-		isc_mem_get(mctx, sizeof(dns_rdata_any_tsig_t));
-	if (tsig == NULL)
-		return (ISC_R_NOMEMORY);
-	tsig->mctx = mctx;
-	tsig->common.rdclass = dns_rdataclass_any;
-	tsig->common.rdtype = dns_rdatatype_tsig;
-	ISC_LINK_INIT(&tsig->common, link);
-	dns_name_init(&tsig->algorithm, NULL);
-	ret = dns_name_dup(&key->algorithm, mctx, &tsig->algorithm);
+	tsig.mctx = mctx;
+	tsig.common.rdclass = dns_rdataclass_any;
+	tsig.common.rdtype = dns_rdatatype_tsig;
+	ISC_LINK_INIT(&tsig.common, link);
+	dns_name_init(&tsig.algorithm, NULL);
+	ret = dns_name_dup(&key->algorithm, mctx, &tsig.algorithm);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_struct;
 
 	isc_stdtime_get(&now);
-	tsig->timesigned = now;
-	tsig->fudge = DNS_TSIG_FUDGE;
+	tsig.timesigned = now;
+	tsig.fudge = DNS_TSIG_FUDGE;
 
-	tsig->originalid = msg->id;
+	tsig.originalid = msg->id;
 
-	isc_buffer_init(&databuf, data, sizeof(data), ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&databuf, data, sizeof(data));
 
 	if (is_response(msg))
-		tsig->error = msg->querytsigstatus;
+		tsig.error = msg->querytsigstatus;
 	else
-		tsig->error = dns_rcode_noerror;
+		tsig.error = dns_rcode_noerror;
 
-	if (tsig->error != dns_tsigerror_badtime) {
-		tsig->otherlen = 0;
-		tsig->other = NULL;
+	if (tsig.error != dns_tsigerror_badtime) {
+		tsig.otherlen = 0;
+		tsig.other = NULL;
 	}
 	else {
 		isc_buffer_t otherbuf;
-		tsig->otherlen = 6;
-		tsig->other = (unsigned char *) isc_mem_get(mctx, 6);
-		if (tsig->other == NULL) {
+		tsig.otherlen = 6;
+		tsig.other = (unsigned char *)isc_mem_get(mctx, tsig.otherlen);
+		if (tsig.other == NULL) {
 			ret = ISC_R_NOMEMORY;
 			goto cleanup_other;
 		}
-		isc_buffer_init(&otherbuf, tsig->other, tsig->otherlen = 6,
-				ISC_BUFFERTYPE_BINARY);
+		isc_buffer_init(&otherbuf, tsig.other, tsig.otherlen);
 		isc_buffer_putuint16(&otherbuf,
-				     (isc_uint16_t)(tsig->timesigned >> 32));
+				     (isc_uint16_t)(tsig.timesigned >> 32));
 		isc_buffer_putuint32(&otherbuf,
-				     (isc_uint32_t)(tsig->timesigned &
+				     (isc_uint32_t)(tsig.timesigned &
 						    0xFFFFFFFF));
 		
 	}
-	if (!dns_tsigkey_empty(key) && tsig->error != dns_tsigerror_badsig) {
+	if (!dns_tsigkey_empty(key) && tsig.error != dns_tsigerror_badsig) {
 		unsigned char header[DNS_MESSAGE_HEADERLEN];
 		isc_buffer_t headerbuf;
 		unsigned int sigsize;
 
-		ret = dst_sign(DST_SIGMODE_INIT, key->key, &ctx, NULL, NULL);
+		ret = dst_key_sign(DST_SIGMODE_INIT, key->key, &ctx, NULL,
+				   NULL);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_algorithm;
 
-		/* If this is a response, digest the query signature */
+		/*
+		 * If this is a response, digest the query signature.
+		 */
 		if (is_response(msg)) {
 			isc_buffer_putuint16(&databuf, msg->querytsig->siglen);
-			isc_buffer_available(&databuf, &r);
+			isc_buffer_availableregion(&databuf, &r);
 			if (r.length < msg->querytsig->siglen)
 				return (ISC_R_NOSPACE);
 			memcpy(r.base, msg->querytsig->signature,
 			       msg->querytsig->siglen);
 			isc_buffer_add(&databuf, msg->querytsig->siglen);
-			isc_buffer_used(&databuf, &r);
-			ret = dst_sign(DST_SIGMODE_UPDATE, key->key, &ctx, &r,
-					NULL);
+			isc_buffer_usedregion(&databuf, &r);
+			ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx,
+					   &r, NULL);
 			if (ret != ISC_R_SUCCESS)
 				goto cleanup_algorithm;
 		}
 
-		/* Digest the header */
-		isc_buffer_init(&headerbuf, header, sizeof header,
-				ISC_BUFFERTYPE_BINARY);
+		/*
+		 * Digest the header.
+		 */
+		isc_buffer_init(&headerbuf, header, sizeof(header));
 		dns_message_renderheader(msg, &headerbuf);
-		isc_buffer_used(&headerbuf, &r);
-		ret = dst_sign(DST_SIGMODE_UPDATE, key->key, &ctx, &r, NULL);
+		isc_buffer_usedregion(&headerbuf, &r);
+		ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx, &r,
+				   NULL);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_other;
 
-		/* Digest the remainder of the message */
-		isc_buffer_used(msg->buffer, &r);
+		/*
+		 * Digest the remainder of the message.
+		 */
+		isc_buffer_usedregion(msg->buffer, &r);
 		isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
-		ret = dst_sign(DST_SIGMODE_UPDATE, key->key, &ctx, &r, NULL);
+		ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx, &r,
+				   NULL);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_other;
 
 		if (msg->tcp_continuation == 0) {
-			/* Digest the name, class, ttl, alg */
+			/*
+			 * Digest the name, class, ttl, alg.
+			 */
 			dns_name_toregion(&key->name, &r);
-			ret = dst_sign(DST_SIGMODE_UPDATE, key->key, &ctx, &r,
-				       NULL);
+			ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx,
+					   &r, NULL);
 			if (ret != ISC_R_SUCCESS)
 				goto cleanup_other;
 
 			isc_buffer_clear(&databuf);
 			isc_buffer_putuint16(&databuf, dns_rdataclass_any);
 			isc_buffer_putuint32(&databuf, 0); /* ttl */
-			isc_buffer_used(&databuf, &r);
-			ret = dst_sign(DST_SIGMODE_UPDATE, key->key, &ctx, &r,
-				       NULL);
+			isc_buffer_usedregion(&databuf, &r);
+			ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx,
+					   &r, NULL);
 			if (ret != ISC_R_SUCCESS)
 				goto cleanup_other;
 
-			dns_name_toregion(&tsig->algorithm, &r);
-			ret = dst_sign(DST_SIGMODE_UPDATE, key->key, &ctx, &r,
-				       NULL);
+			dns_name_toregion(&tsig.algorithm, &r);
+			ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx,
+					   &r, NULL);
 			if (ret != ISC_R_SUCCESS)
 				goto cleanup_other;
 
 		}
 		/* Digest the timesigned and fudge */
 		isc_buffer_clear(&databuf);
-		if (tsig->error != dns_tsigerror_badtime) {
+		if (tsig.error != dns_tsigerror_badtime) {
 			isc_buffer_putuint16(&databuf,
-					     (isc_uint16_t)(tsig->timesigned >>
+					     (isc_uint16_t)(tsig.timesigned >>
 							    32));
 			isc_buffer_putuint32(&databuf,
-					     (isc_uint32_t)(tsig->timesigned &
+					     (isc_uint32_t)(tsig.timesigned &
 							    0xFFFFFFFF));
 		}
 		else {
@@ -413,85 +407,106 @@ dns_tsig_sign(dns_message_t *msg) {
 					     (isc_uint16_t)(querysigned &
 							    0xFFFFFFFF));
 		}
-		isc_buffer_putuint16(&databuf, tsig->fudge);
-		isc_buffer_used(&databuf, &r);
-		ret = dst_sign(DST_SIGMODE_UPDATE, key->key, &ctx, &r, NULL);
+		isc_buffer_putuint16(&databuf, tsig.fudge);
+		isc_buffer_usedregion(&databuf, &r);
+		ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx, &r,
+				   NULL);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_other;
 
 		if (msg->tcp_continuation == 0) {
-			/* Digest the error and other data length */
+			/*
+			 * Digest the error and other data length.
+			 */
 			isc_buffer_clear(&databuf);
-			isc_buffer_putuint16(&databuf, tsig->error);
-			isc_buffer_putuint16(&databuf, tsig->otherlen);
+			isc_buffer_putuint16(&databuf, tsig.error);
+			isc_buffer_putuint16(&databuf, tsig.otherlen);
 
-			isc_buffer_used(&databuf, &r);
-			ret = dst_sign(DST_SIGMODE_UPDATE, key->key, &ctx, &r,
-				       NULL);
+			isc_buffer_usedregion(&databuf, &r);
+			ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx,
+					   &r, NULL);
 			if (ret != ISC_R_SUCCESS)
 				goto cleanup_other;
 
-			/* Digest the error and other data */
-			if (tsig->otherlen > 0) {
-				r.length = tsig->otherlen;
-				r.base = tsig->other;
-				ret = dst_sign(DST_SIGMODE_UPDATE, key->key,
+			/*
+			 * Digest the error and other data.
+			 */
+			if (tsig.otherlen > 0) {
+				r.length = tsig.otherlen;
+				r.base = tsig.other;
+				ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key,
 					       &ctx, &r, NULL);
 				if (ret != ISC_R_SUCCESS)
 					goto cleanup_other;
 			}
 		}
 
-		ret = dst_sig_size(key->key, &sigsize);
+		ret = dst_key_sigsize(key->key, &sigsize);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_other;
-		tsig->siglen = sigsize;
-		tsig->signature = (unsigned char *)
-				  isc_mem_get(mctx, tsig->siglen);
-		if (tsig->signature == NULL) {
+		tsig.siglen = sigsize;
+		tsig.signature = (unsigned char *)
+				  isc_mem_get(mctx, tsig.siglen);
+		if (tsig.signature == NULL) {
 			ret = ISC_R_NOMEMORY;
 			goto cleanup_other;
 		}
 
-		isc_buffer_init(&sigbuf, tsig->signature, tsig->siglen,
-				ISC_BUFFERTYPE_BINARY);
-		ret = dst_sign(DST_SIGMODE_FINAL, key->key, &ctx, NULL,
-			       &sigbuf);
+		isc_buffer_init(&sigbuf, tsig.signature, tsig.siglen);
+		ret = dst_key_sign(DST_SIGMODE_FINAL, key->key, &ctx, NULL,
+				   &sigbuf);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_signature;
 	}
 	else {
-		tsig->siglen = 0;
-		tsig->signature = NULL;
+		tsig.siglen = 0;
+		tsig.signature = NULL;
 	}
 
 	rdata = NULL;
 	ret = dns_message_gettemprdata(msg, &rdata);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_signature;
-	ret = isc_buffer_allocate(msg->mctx, &dynbuf, 512,
-				  ISC_BUFFERTYPE_BINARY);
+	ret = isc_buffer_allocate(msg->mctx, &dynbuf, 512);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_signature;
 	ret = dns_rdata_fromstruct(rdata, dns_rdataclass_any,
-				   dns_rdatatype_tsig, tsig, dynbuf);
+				   dns_rdatatype_tsig, &tsig, dynbuf);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_dynbuf;
 
+	if (tsig.signature != NULL) {
+		isc_mem_put(mctx, tsig.signature, tsig.siglen);
+		tsig.signature = NULL;
+	}
+	if (tsig.other != NULL) {
+		isc_mem_put(mctx, tsig.other, tsig.otherlen);
+		tsig.other = NULL;
+	}
+	dns_name_free(&tsig.algorithm, mctx);
+	algfreed = ISC_TRUE;
+
+	msg->tsig = isc_mem_get(mctx, sizeof(dns_rdata_any_tsig_t));
+	if (msg->tsig == NULL) {
+		ret = ISC_R_NOMEMORY;
+		goto cleanup_dynbuf;
+	}
+	ret = dns_rdata_tostruct(rdata, msg->tsig, mctx);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_tsig;
+
 	dns_message_takebuffer(msg, &dynbuf);
-	msg->tsig = tsig;
 
 	owner = NULL;
 	ret = dns_message_gettempname(msg, &owner);
 	if (ret != ISC_R_SUCCESS)
-		goto cleanup_dynbuf;
+		goto cleanup_tsig;
 	dns_name_toregion(&key->name, &r);
 	dynbuf = NULL;
-	ret = isc_buffer_allocate(mctx, &dynbuf, r.length,
-				  ISC_BUFFERTYPE_BINARY);
+	ret = isc_buffer_allocate(mctx, &dynbuf, r.length);
 	if (ret != ISC_R_SUCCESS)
-		goto cleanup_dynbuf;
-	isc_buffer_available(dynbuf, &r2);
+		goto cleanup_tsig;
+	isc_buffer_availableregion(dynbuf, &r2);
 	memcpy(r2.base, r.base, r.length);
 	dns_name_init(owner, NULL);
 	dns_name_fromregion(owner, &r2);
@@ -500,7 +515,7 @@ dns_tsig_sign(dns_message_t *msg) {
 	datalist = NULL;
 	ret = dns_message_gettemprdatalist(msg, &datalist);
 	if (ret != ISC_R_SUCCESS)
-		goto cleanup_dynbuf;
+		goto cleanup_tsig;
 	datalist->rdclass = dns_rdataclass_any;
 	datalist->type = dns_rdatatype_tsig;
 	datalist->covers = 0;
@@ -510,28 +525,31 @@ dns_tsig_sign(dns_message_t *msg) {
 	dataset = NULL;
 	ret = dns_message_gettemprdataset(msg, &dataset);
 	if (ret != ISC_R_SUCCESS)
-		goto cleanup_dynbuf;
+		goto cleanup_tsig;
 	dns_rdataset_init(dataset);
 	dns_rdatalist_tordataset(datalist, dataset);
-	ISC_LIST_APPEND(owner->list, dataset, link);
-	dns_message_addname(msg, owner, DNS_SECTION_TSIG);
+	msg->tsigset = dataset;
+	msg->tsigname = owner;
 
 	return (ISC_R_SUCCESS);
 
+cleanup_tsig:
+	dns_rdata_freestruct(msg->tsig);
+	isc_mem_put(mctx, msg->tsig, sizeof *msg->tsig);
 cleanup_dynbuf:
 	if (dynbuf != NULL)
 		isc_buffer_free(&dynbuf);
 cleanup_signature:
-	if (tsig->signature != NULL)
-		isc_mem_put(mctx, tsig->signature, tsig->siglen);
+	if (tsig.signature != NULL)
+		isc_mem_put(mctx, tsig.signature, tsig.siglen);
 cleanup_other:
-	if (tsig->other != NULL)
-		isc_mem_put(mctx, tsig->other, tsig->otherlen);
+	if (tsig.other != NULL)
+		isc_mem_put(mctx, tsig.other, tsig.otherlen);
 cleanup_algorithm:
-	dns_name_free(&tsig->algorithm, mctx);
+	if (!algfreed)
+		dns_name_free(&tsig.algorithm, mctx);
 cleanup_struct:
 	msg->tsig = NULL;
-	isc_mem_put(mctx, tsig, sizeof(dns_rdata_any_tsig_t));
 
 	return (ret);
 }
@@ -545,7 +563,6 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 	isc_buffer_t databuf;
 	unsigned char data[32];
 	dns_name_t *keyname;
-	dns_rdataset_t *dataset;
 	dns_rdata_t rdata;
 	isc_stdtime_t now;
 	isc_result_t ret;
@@ -567,8 +584,10 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 	if (msg->tcp_continuation)
 		return(dns_tsig_verify_tcp(source, msg));
 
-	/* There should be a TSIG record... */
-	if (ISC_LIST_EMPTY(msg->sections[DNS_SECTION_TSIG]))
+	/*
+	 * There should be a TSIG record...
+	 */
+	if (msg->tsigset == NULL)
 		return (DNS_R_EXPECTEDTSIG);
 
 	/*
@@ -586,16 +605,11 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 	 * TSIG record.
 	 */
 
-	ret = dns_message_firstname(msg, DNS_SECTION_TSIG);
-	if (ret != ISC_R_SUCCESS)
-		return (ret);
-	keyname = NULL;
-	dns_message_currentname(msg, DNS_SECTION_TSIG, &keyname);
-	dataset = ISC_LIST_HEAD(keyname->list);
-	ret = dns_rdataset_first(dataset);
+	keyname = msg->tsigname;
+	ret = dns_rdataset_first(msg->tsigset);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
-	dns_rdataset_current(dataset, &rdata);
+	dns_rdataset_current(msg->tsigset, &rdata);
 	tsig = (dns_rdata_any_tsig_t *)
 		isc_mem_get(mctx, sizeof(dns_rdata_any_tsig_t));
 	if (tsig == NULL)
@@ -605,7 +619,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_emptystruct;
 	
-	/* Do the key name and algorithm match that of the query? */
+	/*
+	 * Do the key name and algorithm match that of the query?
+	 */
 	if (is_response(msg) &&
 	    (!dns_name_equal(keyname, &msg->tsigkey->name) ||
 	     !dns_name_equal(&tsig->algorithm, &msg->querytsig->algorithm)))
@@ -614,10 +630,14 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 		return (DNS_R_TSIGVERIFYFAILURE);
 	}
 
-	/* Get the current time */
+	/*
+	 * Get the current time.
+	 */
 	isc_stdtime_get(&now);
 
-	/* Find dns_tsigkey_t based on keyname */
+	/*
+	 * Find dns_tsigkey_t based on keyname.
+	 */
 	if (msg->tsigkey == NULL) {
 		ret = ISC_R_NOTFOUND;
 		if (sring != NULL)
@@ -648,7 +668,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 
 	key = tsigkey->key;
 
-	/* Is the time ok? */
+	/*
+	 * Is the time ok?
+	 */
 	if (abs(now - tsig->timesigned) > tsig->fudge) {
 		msg->tsigstatus = dns_tsigerror_badtime;
 		return (DNS_R_TSIGVERIFYFAILURE);
@@ -658,77 +680,89 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 		sig_r.base = tsig->signature;
 		sig_r.length = tsig->siglen;
 
-		ret = dst_verify(DST_SIGMODE_INIT, key, &ctx, NULL, &sig_r);
+		ret = dst_key_verify(DST_SIGMODE_INIT, key, &ctx, NULL, &sig_r);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_key;
 
 		if (is_response(msg)) {
-			isc_buffer_init(&databuf, data, sizeof(data),
-					ISC_BUFFERTYPE_BINARY);
+			isc_buffer_init(&databuf, data, sizeof(data));
 			isc_buffer_putuint16(&databuf, msg->querytsig->siglen);
-			isc_buffer_used(&databuf, &r);
-			ret = dst_verify(DST_SIGMODE_UPDATE, key, &ctx, &r,
-					 NULL);
+			isc_buffer_usedregion(&databuf, &r);
+			ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r,
+					     NULL);
 			if (ret != ISC_R_SUCCESS)
 				goto cleanup_key;
 			if (msg->querytsig->siglen > 0) {
 				r.length = msg->querytsig->siglen;
 				r.base = msg->querytsig->signature;
-				ret = dst_verify(DST_SIGMODE_UPDATE, key,
-						 &ctx, &r, NULL);
+				ret = dst_key_verify(DST_SIGMODE_UPDATE, key,
+						     &ctx, &r, NULL);
 				if (ret != ISC_R_SUCCESS)
 					goto cleanup_key;
 			}
 		}
 
-		/* Extract the header */
-		isc_buffer_used(source, &r);
+		/*
+		 * Extract the header.
+		 */
+		isc_buffer_usedregion(source, &r);
 		memcpy(header, r.base, DNS_MESSAGE_HEADERLEN);
 		isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
 
-		/* Decrement the additional field counter */
+		/*
+		 * Decrement the additional field counter.
+		 */
 		memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
 		addcount = htons(ntohs(addcount) - 1);
 		memcpy(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
 
-		/* Put in the original id */
+		/*
+		 * Put in the original id.
+		 */
 		id = htons(tsig->originalid);
 		memcpy(&header[0], &id, 2);
 
-		/* Digest the modified header */
+		/*
+		 * Digest the modified header.
+		 */
 		header_r.base = (unsigned char *) header;
 		header_r.length = DNS_MESSAGE_HEADERLEN;
-		ret = dst_verify(DST_SIGMODE_UPDATE, key, &ctx, &header_r,
-				 &sig_r);
+		ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &header_r,
+				     &sig_r);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_key;
 
-		/* Digest all non-TSIG records. */
-		isc_buffer_used(source, &source_r);
+		/*
+		 * Digest all non-TSIG records.
+		 */
+		isc_buffer_usedregion(source, &source_r);
 		r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
 		r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
-		ret = dst_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, &sig_r);
+		ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, &sig_r);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_key;
 
-		/* Digest the key name */
+		/*
+		 * Digest the key name.
+		 */
 		dns_name_toregion(&tsigkey->name, &r);
-		ret = dst_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, &sig_r);
+		ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, &sig_r);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_key;
 
-		isc_buffer_init(&databuf, data, sizeof(data),
-				ISC_BUFFERTYPE_BINARY);
+		isc_buffer_init(&databuf, data, sizeof(data));
 		isc_buffer_putuint16(&databuf, tsig->common.rdclass);
-		isc_buffer_putuint32(&databuf, dataset->ttl);
-		isc_buffer_used(&databuf, &r);
-		ret = dst_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, &sig_r);
+		isc_buffer_putuint32(&databuf, msg->tsigset->ttl);
+		isc_buffer_usedregion(&databuf, &r);
+		ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, &sig_r);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_key;
 
-		/* Digest the key algorithm */
+		/*
+		 * Digest the key algorithm.
+		 */
 		dns_name_toregion(&tsigkey->algorithm, &r);
-		ret = dst_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, &sig_r);
+		ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, &sig_r);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_key;
 
@@ -740,19 +774,20 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 		isc_buffer_putuint16(&databuf, tsig->fudge);
 		isc_buffer_putuint16(&databuf, tsig->error);
 		isc_buffer_putuint16(&databuf, tsig->otherlen);
-		isc_buffer_used(&databuf, &r);
-		ret = dst_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, &sig_r);
+		isc_buffer_usedregion(&databuf, &r);
+		ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, &sig_r);
 
 		if (tsig->otherlen > 0) {
 			r.base = tsig->other;
 			r.length = tsig->otherlen;
-			ret = dst_verify(DST_SIGMODE_UPDATE, key, &ctx, &r,
-					 &sig_r);
+			ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r,
+					     &sig_r);
 			if (ret != ISC_R_SUCCESS)
 				goto cleanup_key;
 		}
 
-		ret = dst_verify(DST_SIGMODE_FINAL, key, &ctx, NULL, &sig_r);
+		ret = dst_key_verify(DST_SIGMODE_FINAL, key, &ctx, NULL,
+				     &sig_r);
 		if (ret == DST_R_VERIFYFINALFAILURE) {
 			msg->tsigstatus = dns_tsigerror_badsig;
 			return (DNS_R_TSIGVERIFYFAILURE);
@@ -802,7 +837,6 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 	isc_buffer_t databuf;
 	unsigned char data[32];
 	dns_name_t *keyname;
-	dns_rdataset_t *dataset;
 	dns_rdata_t rdata;
 	isc_stdtime_t now;
 	isc_result_t ret;
@@ -822,17 +856,14 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 
 	mctx = msg->mctx;
 
-	ret = dns_message_firstname(msg, DNS_SECTION_TSIG);
-	if (ret == ISC_R_SUCCESS) {
+	if (msg->tsigset != NULL) {
 		has_tsig = ISC_TRUE;
 
-		keyname = NULL;
-		dns_message_currentname(msg, DNS_SECTION_TSIG, &keyname);
-		dataset = ISC_LIST_HEAD(keyname->list);
-		ret = dns_rdataset_first(dataset);
+		keyname = msg->tsigname;
+		ret = dns_rdataset_first(msg->tsigset);
 		if (ret != ISC_R_SUCCESS)
 			return (ret);
-		dns_rdataset_current(dataset, &rdata);
+		dns_rdataset_current(msg->tsigset, &rdata);
 		tsig = (dns_rdata_any_tsig_t *)
 			isc_mem_get(mctx, sizeof(dns_rdata_any_tsig_t));
 		if (tsig == NULL)
@@ -842,7 +873,9 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_emptystruct;
 	
-		/* Do the key name and algorithm match that of the query? */
+		/*
+		 * Do the key name and algorithm match that of the query?
+		 */
 		if (!dns_name_equal(keyname, &msg->tsigkey->name) ||
 		    !dns_name_equal(&tsig->algorithm,
 				    &msg->querytsig->algorithm))
@@ -851,7 +884,9 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 			return (DNS_R_TSIGVERIFYFAILURE);
 		}
 
-		/* Is the time ok? */
+		/*
+		 * Is the time ok?
+		 */
 		isc_stdtime_get(&now);
 		if (abs(now - tsig->timesigned) > tsig->fudge) {
 			msg->tsigstatus = dns_tsigerror_badtime;
@@ -862,76 +897,89 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 	key = msg->tsigkey->key;
 
 	if (msg->tsigctx == NULL) {
-		ret = dst_verify(DST_SIGMODE_INIT, key, &msg->tsigctx,
-				 NULL, NULL);
+		ret = dst_key_verify(DST_SIGMODE_INIT, key, &msg->tsigctx,
+				     NULL, NULL);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_struct;
 
-		isc_buffer_init(&databuf, data, sizeof(data),
-				ISC_BUFFERTYPE_BINARY);
+		isc_buffer_init(&databuf, data, sizeof(data));
 		isc_buffer_putuint16(&databuf, msg->querytsig->siglen);
-		isc_buffer_used(&databuf, &r);
-		ret = dst_verify(DST_SIGMODE_UPDATE, key, &msg->tsigctx,
-				 &r, NULL);
+		isc_buffer_usedregion(&databuf, &r);
+		ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &msg->tsigctx,
+				     &r, NULL);
 		if (ret != ISC_R_SUCCESS)
 			goto cleanup_struct;
 		if (msg->querytsig->siglen > 0) {
 			r.length = msg->querytsig->siglen;
 			r.base = msg->querytsig->signature;
-			ret = dst_verify(DST_SIGMODE_UPDATE, key,
-					 &msg->tsigctx, &r, NULL);
+			ret = dst_key_verify(DST_SIGMODE_UPDATE, key,
+					     &msg->tsigctx, &r, NULL);
 			if (ret != ISC_R_SUCCESS)
 				goto cleanup_struct;
 		}
 	}
 
-	/* Extract the header */
-	isc_buffer_used(source, &r);
+	/*
+	 * Extract the header.
+	 */
+	isc_buffer_usedregion(source, &r);
 	memcpy(header, r.base, DNS_MESSAGE_HEADERLEN);
 	isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
 
-	/* Decrement the additional field counter if necessary */
+	/*
+	 * Decrement the additional field counter if necessary.
+	 */
 	if (has_tsig) {
 		memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
 		addcount = htons(ntohs(addcount) - 1);
 		memcpy(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
 	}
 
-	/* Put in the original id */
-	id = htons(tsig->originalid);
-	memcpy(&header[0], &id, 2);
+	/*
+	 * Put in the original id.
+	 */
+	/* XXX Can TCP transfers be forwarded?  How would that work? */
+	if (tsig != NULL) {
+		id = htons(tsig->originalid);
+		memcpy(&header[0], &id, 2);
+	}
 
-	/* Digest the modified header */
+	/*
+	 * Digest the modified header.
+	 */
 	header_r.base = (unsigned char *) header;
 	header_r.length = DNS_MESSAGE_HEADERLEN;
-	ret = dst_verify(DST_SIGMODE_UPDATE, key, &msg->tsigctx, &header_r,
-			 NULL);
+	ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &msg->tsigctx, &header_r,
+			     NULL);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_struct;
 
-	/* Digest all non-TSIG records. */
-	isc_buffer_used(source, &source_r);
+	/*
+	 * Digest all non-TSIG records.
+	 */
+	isc_buffer_usedregion(source, &source_r);
 	r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
 	if (has_tsig)
 		r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
 	else
 		r.length = source_r.length - DNS_MESSAGE_HEADERLEN;
-	ret = dst_verify(DST_SIGMODE_UPDATE, key, &msg->tsigctx, &r, NULL);
+	ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &msg->tsigctx, &r, NULL);
 	if (ret != ISC_R_SUCCESS)
 		goto cleanup_struct;
 
-	/* Digest the time signed and fudge */
+	/*
+	 * Digest the time signed and fudge.
+	 */
 	if (has_tsig) {
-		isc_buffer_init(&databuf, data, sizeof(data),
-				ISC_BUFFERTYPE_BINARY);
+		isc_buffer_init(&databuf, data, sizeof(data));
 		isc_buffer_putuint16(&databuf, (isc_uint16_t)(tsig->timesigned
 							      >> 32));
 		isc_buffer_putuint32(&databuf, (isc_uint32_t)(tsig->timesigned
 							      & 0xFFFFFFFF));
 		isc_buffer_putuint16(&databuf, tsig->fudge);
-		isc_buffer_used(&databuf, &r);
-		ret = dst_verify(DST_SIGMODE_UPDATE, key, &msg->tsigctx, &r,
-				 NULL);
+		isc_buffer_usedregion(&databuf, &r);
+		ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &msg->tsigctx, &r,
+				     NULL);
 
 		sig_r.base = tsig->signature;
 		sig_r.length = tsig->siglen;
@@ -943,8 +991,8 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 			goto cleanup_struct;
 		}
 
-		ret = dst_verify(DST_SIGMODE_FINAL, key, &msg->tsigctx, NULL,
-				 &sig_r);
+		ret = dst_key_verify(DST_SIGMODE_FINAL, key, &msg->tsigctx,
+				     NULL, &sig_r);
 		if (ret == DST_R_VERIFYFINALFAILURE) {
 			msg->tsigstatus = dns_tsigerror_badsig;
 			return (DNS_R_TSIGVERIFYFAILURE);
@@ -990,7 +1038,9 @@ dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
 			if (key->inception != key->expire &&
 			    key->expire < now)
 			{
-				/* the key has expired */
+				/*
+				 * The key has expired.
+				 */
 				key->deleted = ISC_TRUE;
 				continue;
 			}
@@ -1038,7 +1088,7 @@ dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ring)
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_rwlock_init() failed: %s",
 				 isc_result_totext(ret));
-		return (DNS_R_UNEXPECTED);
+		return (ISC_R_UNEXPECTED);
 	}
 	
 	ISC_LIST_INIT((*ring)->keys);
diff --git a/lib/dns/tsigconf.c b/lib/dns/tsigconf.c
index 86d30e4f..ad175b7a 100644
--- a/lib/dns/tsigconf.c
+++ b/lib/dns/tsigconf.c
@@ -18,12 +18,12 @@
 #include <config.h>
 
 #include <isc/base64.h>
+#include <isc/buffer.h>
 #include <isc/lex.h>
-#include <isc/stdtime.h>
+#include <isc/mem.h>
+#include <isc/string.h>
 
-#include <dns/confctx.h>
-#include <dns/confkeys.h>
-#include <dns/name.h>
+#include <dns/tsig.h>
 #include <dns/tsigconf.h>
 
 static isc_result_t
@@ -49,27 +49,27 @@ add_initial_keys(dns_c_kdeflist_t *list, dns_tsig_keyring_t *ring,
 		dns_name_init(&keyname, NULL);
 		dns_name_init(&alg, NULL);
 
-		/* Create the key name */
-		isc_buffer_init(&keynamesrc, key->keyid, strlen(key->keyid),
-				ISC_BUFFERTYPE_TEXT);
+		/*
+		 * Create the key name.
+		 */
+		isc_buffer_init(&keynamesrc, key->keyid, strlen(key->keyid));
 		isc_buffer_add(&keynamesrc, strlen(key->keyid));
-		isc_buffer_init(&keynamebuf, keynamedata, sizeof(keynamedata),
-				ISC_BUFFERTYPE_BINARY);
+		isc_buffer_init(&keynamebuf, keynamedata, sizeof(keynamedata));
 		ret = dns_name_fromtext(&keyname, &keynamesrc, dns_rootname,
 					ISC_TRUE, &keynamebuf);
 		if (ret != ISC_R_SUCCESS)
 			goto failure;
 
-		/* Create the algorithm */
+		/*
+		 * Create the algorithm.
+		 */
 		if (strcasecmp(key->algorithm, "hmac-md5") == 0)
 			alg = *dns_tsig_hmacmd5_name;
 		else {
 			isc_buffer_init(&algsrc, key->algorithm,
-					strlen(key->algorithm),
-					ISC_BUFFERTYPE_TEXT);
+					strlen(key->algorithm));
 			isc_buffer_add(&algsrc, strlen(key->algorithm));
-			isc_buffer_init(&algbuf, algdata, sizeof(algdata),
-					ISC_BUFFERTYPE_BINARY);
+			isc_buffer_init(&algbuf, algdata, sizeof(algdata));
 			ret = dns_name_fromtext(&alg, &algsrc, dns_rootname,
 						ISC_TRUE, &algbuf);
 			if (ret != ISC_R_SUCCESS)
@@ -86,11 +86,9 @@ add_initial_keys(dns_c_kdeflist_t *list, dns_tsig_keyring_t *ring,
 			ret = ISC_R_NOMEMORY;
 			goto failure;
 		}
-		isc_buffer_init(&secretsrc, key->secret, strlen(key->secret),
-				ISC_BUFFERTYPE_TEXT);
+		isc_buffer_init(&secretsrc, key->secret, strlen(key->secret));
 		isc_buffer_add(&secretsrc, strlen(key->secret));
-		isc_buffer_init(&secretbuf, secret, secretlen,
-				ISC_BUFFERTYPE_BINARY);
+		isc_buffer_init(&secretbuf, secret, secretlen);
 		ret = isc_lex_create(mctx, strlen(key->secret), &lex);
 		if (ret != ISC_R_SUCCESS)
 			goto failure;
@@ -100,7 +98,7 @@ add_initial_keys(dns_c_kdeflist_t *list, dns_tsig_keyring_t *ring,
 		ret = isc_base64_tobuffer(lex, &secretbuf, -1);
 		if (ret != ISC_R_SUCCESS)
 			goto failure;
-		secretlen = ISC_BUFFER_USEDCOUNT(&secretbuf);
+		secretlen = isc_buffer_usedlength(&secretbuf);
 		isc_lex_close(lex);
 		isc_lex_destroy(&lex);
 
diff --git a/lib/dns/ttl.c b/lib/dns/ttl.c
index ef588ca8..1ef9ed87 100644
--- a/lib/dns/ttl.c
+++ b/lib/dns/ttl.c
@@ -18,22 +18,22 @@
 #include <config.h>
 
 #include <ctype.h>
-#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/boolean.h>
-#include <isc/region.h>
 #include <isc/buffer.h>
 #include <isc/print.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <dns/result.h>
 #include <dns/ttl.h>
 
 #define RETERR(x) do { \
-	isc_result_t __r = (x); \
-	if (__r != DNS_R_SUCCESS) \
-		return (__r); \
+	isc_result_t _r = (x); \
+	if (_r != ISC_R_SUCCESS) \
+		return (_r); \
 	} while (0)
 
 
@@ -54,22 +54,21 @@ ttlfmt(unsigned int t, char *s, isc_boolean_t verbose,
 			       t, s,
 			       t == 1 ? "" : "s");
 	else
-		len = snprintf(tmp, sizeof(tmp), "%u%c", t, s[0]);		
+		len = snprintf(tmp, sizeof(tmp), "%u%c", t, s[0]);
+
 	INSIST(len + 1 <= sizeof tmp);
-	isc_buffer_available(target, &region);
+	isc_buffer_availableregion(target, &region);
 	if (len > region.length)
-		return (DNS_R_NOSPACE);
+		return (ISC_R_NOSPACE);
 	memcpy(region.base, tmp, len);
 	isc_buffer_add(target, len);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 /* Derived from bind8 ns_format_ttl(). */
 
 isc_result_t
-dns_ttl_totext(isc_uint32_t src, isc_boolean_t verbose,
-	       isc_buffer_t *target)
-{
+dns_ttl_totext(isc_uint32_t src, isc_boolean_t verbose, isc_buffer_t *target) {
 	unsigned secs, mins, hours, days, weeks, x;
 
 	secs = src % 60;   src /= 60;
@@ -110,12 +109,15 @@ dns_ttl_totext(isc_uint32_t src, isc_boolean_t verbose,
 		/*
 		 * The unit letter is the last character in the 
 		 * used region of the buffer.
+		 *
+		 * toupper() does not need its argument to be masked of cast
+		 * here because region.base is type unsigned char *.
 		 */
-		isc_buffer_used(target, &region);
+		isc_buffer_usedregion(target, &region);
 		region.base[region.length - 1] =
 			toupper(region.base[region.length - 1]);
 	}
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -128,7 +130,7 @@ dns_ttl_fromtext(isc_textregion_t *source, isc_uint32_t *ttl) {
 	isc_result_t result;
 
 	result = bind_ttl(source, ttl);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		result = DNS_R_BADTTL;
 	return (result);
 }
@@ -192,5 +194,5 @@ bind_ttl(isc_textregion_t *source, isc_uint32_t *ttl) {
 		}
 	} while (*s != 0);
 	*ttl = tmp;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 68ece0f1..394bf982 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -17,25 +17,40 @@
 
 #include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/buffer.h>
-#include <isc/magic.h>
-#include <isc/region.h>
-#include <isc/result.h>
-#include <isc/stdtime.h>
+#include <isc/mem.h>
+#include <isc/print.h>
 #include <isc/task.h>
 #include <isc/util.h>
 
-#include <dns/validator.h>
 #include <dns/db.h>
+#include <dns/dnssec.h>
 #include <dns/events.h>
 #include <dns/keytable.h>
-#include <dns/name.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/nxt.h>
 #include <dns/rdata.h>
 #include <dns/rdataset.h>
+#include <dns/rdatatype.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/validator.h>
 #include <dns/view.h>
 
-#include <dst/dst.h>
+/*
+ * We don't use the SIG RR's _tostruct routine because it copies things.
+ */
+typedef struct dns_siginfo {
+	dns_rdatatype_t			covers;
+	dns_secalg_t			algorithm;
+	isc_uint8_t			labels;
+	dns_ttl_t			original_ttl;
+	isc_stdtime_t			expiration;
+	isc_stdtime_t			inception;
+	dns_keytag_t			tag;
+	dns_name_t			signer;
+	isc_region_t			signature;
+} dns_siginfo_t;
 
 struct dns_validator {
 	/* Unlocked. */
@@ -48,32 +63,42 @@ struct dns_validator {
 	dns_validatorevent_t *		event;
 	dns_fetch_t *			fetch;
 	dns_validator_t *		keyvalidator;
+	dns_validator_t *		authvalidator;
 	dns_keytable_t *		keytable;
 	dns_keynode_t *			keynode;
 	dst_key_t *			key;
+	dns_siginfo_t *			siginfo;
+	isc_task_t *			task;
+	isc_taskaction_t		action;
+	void *				arg;
+	unsigned int			labels;
+	dns_rdataset_t *		currentset;
+	isc_boolean_t			seensig;
+	dns_rdataset_t *		keyset;
 };
 
 #define VALIDATOR_MAGIC			0x56616c3fU	/* Val?. */
 #define VALID_VALIDATOR(v)	 	ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
 
 #define VALATTR_SHUTDOWN		0x01
+#define VALATTR_FOUNDNONEXISTENCE	0x02
 #define SHUTDOWN(v)		(((v)->attributes & VALATTR_SHUTDOWN) != 0)
 
-/*
- * We don't use the SIG RR's _tostruct routine because it copies things.
- */
-typedef struct dns_siginfo {
-	dns_rdatatype_t			covers;
-	dns_secalg_t			algorithm;
-	isc_uint8_t			labels;
-	dns_ttl_t			original_ttl;
-	isc_stdtime_t			expiration;
-	isc_stdtime_t			inception;
-	dns_keytag_t			tag;
-	dns_name_t			signer;
-	isc_region_t			signature;
-} dns_siginfo_t;
-			
+static void nullkeyvalidated(isc_task_t *task, isc_event_t *event);
+static inline isc_boolean_t containsnullkey(dns_validator_t *val,
+					    dns_rdataset_t *rdataset);
+static inline isc_result_t get_dst_key(dns_validator_t *val,
+				       dns_siginfo_t *siginfo,
+				       dns_rdataset_t *rdataset);
+static inline isc_result_t validate(dns_validator_t *val, isc_boolean_t resume);
+static inline isc_result_t nxtvalidate(dns_validator_t *val,
+				       isc_boolean_t resume);
+static inline isc_result_t proveunsecure(dns_validator_t *val,
+					 isc_boolean_t resume);
+
+static void validator_log(dns_validator_t *val, int level,
+			  const char *fmt, ...);
+
 static void
 rdata_to_siginfo(dns_rdata_t *rdata, dns_siginfo_t *siginfo) {
 	isc_buffer_t b;
@@ -81,7 +106,7 @@ rdata_to_siginfo(dns_rdata_t *rdata, dns_siginfo_t *siginfo) {
 
 	REQUIRE(rdata->type == 24);
 
-	isc_buffer_init(&b, rdata->data, rdata->length, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_init(&b, rdata->data, rdata->length);
 	isc_buffer_add(&b, rdata->length);
 	siginfo->covers = (dns_rdatatype_t)isc_buffer_getuint16(&b);
 	siginfo->algorithm = (dns_secalg_t)isc_buffer_getuint8(&b);
@@ -91,10 +116,10 @@ rdata_to_siginfo(dns_rdata_t *rdata, dns_siginfo_t *siginfo) {
 	siginfo->inception = (isc_stdtime_t)isc_buffer_getuint32(&b);
 	siginfo->tag = (dns_keytag_t)isc_buffer_getuint16(&b);
 	dns_name_init(&siginfo->signer, NULL);
-	isc_buffer_remaining(&b, &r);
+	isc_buffer_remainingregion(&b, &r);
 	dns_name_fromregion(&siginfo->signer, &r);
 	isc_buffer_forward(&b, siginfo->signer.length);
-	isc_buffer_remaining(&b, &siginfo->signature);
+	isc_buffer_remainingregion(&b, &siginfo->signature);
 }
 
 static void
@@ -107,14 +132,445 @@ validator_done(dns_validator_t *val, isc_result_t result) {
 	 * Caller must be holding the lock.
 	 */
 
-	if (result != ISC_R_SUCCESS)
-		val->event->result = result;
-	task = val->event->sender;
-	val->event->sender = val;
+	val->event->result = result;
+	task = val->event->ev_sender;
+	val->event->ev_sender = val;
+	val->event->ev_type = DNS_EVENT_VALIDATORDONE;
+	val->event->ev_action = val->action;
+	val->event->ev_arg = val->arg;
 	isc_task_sendanddetach(&task, (isc_event_t **)&val->event);
 	
 }
 
+static void
+fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
+	dns_fetchevent_t *devent;
+	dns_validator_t *val;
+	dns_rdataset_t *rdataset;
+	isc_result_t result;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
+	devent = (dns_fetchevent_t *)event;
+	val = devent->ev_arg;
+	rdataset = devent->rdataset;
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_validator");
+	if (devent->result == ISC_R_SUCCESS) {
+		LOCK(&val->lock);
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "keyset with trust %d", rdataset->trust);
+		result = get_dst_key(val, val->siginfo, rdataset);
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * No matching key.
+			 */
+			validator_done(val, result);
+			UNLOCK(&val->lock);
+			goto free_event;
+		}
+		val->keyset = devent->rdataset;
+		devent->rdataset = NULL;
+		result = validate(val, ISC_TRUE);
+		if (result != DNS_R_WAIT) {
+			validator_done(val, result);
+			UNLOCK(&val->lock);
+			goto free_event;
+		}
+		UNLOCK(&val->lock);
+	} else {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "fetch_callback_validator: got %s",
+			      dns_result_totext(devent->result));
+		validator_done(val, devent->result);
+	}
+
+ free_event:
+	dns_resolver_destroyfetch(&val->fetch);
+	/*
+	 * Free stuff from the event.
+	 */
+	if (devent->rdataset != NULL)
+		isc_mem_put(val->view->mctx, devent->rdataset,
+			    sizeof(dns_rdataset_t));
+	if (devent->sigrdataset != NULL)
+		isc_mem_put(val->view->mctx, devent->sigrdataset,
+			    sizeof(dns_rdataset_t));
+	isc_event_free(&event);
+}
+
+
+static void
+fetch_callback_nullkey(isc_task_t *task, isc_event_t *event) {
+	dns_fetchevent_t *devent;
+	dns_validator_t *val;
+	dns_rdataset_t *rdataset, *sigrdataset;
+	dns_fetch_t *fetch;
+	isc_result_t result;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
+	devent = (dns_fetchevent_t *)event;
+	val = devent->ev_arg;
+	rdataset = devent->rdataset;
+	sigrdataset = devent->sigrdataset;
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_nullkey");
+	fetch = val->fetch;
+	val->fetch = NULL;
+	if (devent->result == ISC_R_SUCCESS) {
+		LOCK(&val->lock);
+		if (!containsnullkey(val, rdataset)) {
+			/*
+			 * No null key.
+			 */
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "found a keyset, no null key");
+			result = proveunsecure(val, ISC_TRUE);
+			if (result != DNS_R_WAIT)
+				validator_done(val, result);
+		} else {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "found a keyset with a null key");
+			if (rdataset->trust >= dns_trust_secure) {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "insecurity proof succeeded");
+				val->event->rdataset->trust = dns_trust_answer;
+				validator_done(val, ISC_R_SUCCESS);
+			} else if (!dns_rdataset_isassociated(sigrdataset)) {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "insecurity proof failed");
+				validator_done(val, DNS_R_NOTINSECURE);
+			} else {
+				dns_name_t *tname;
+				tname = dns_fixedname_name(&devent->foundname);
+				result = dns_validator_create(val->view, tname,
+							   dns_rdatatype_key,
+							   rdataset,
+							   sigrdataset, NULL,
+							   0, val->task,
+							   nullkeyvalidated,
+							   val,
+							   &val->keyvalidator);
+				if (result != ISC_R_SUCCESS)
+					validator_done(val, result);
+				/*
+				 * Don't free these, since they'll be
+				 * freed in nullkeyvalidated.
+				 */
+				devent->rdataset = NULL;
+				devent->sigrdataset = NULL;
+			}
+		}
+		UNLOCK(&val->lock);
+	} else if (devent->result ==  DNS_R_NCACHENXDOMAIN ||
+		   devent->result == DNS_R_NCACHENXRRSET ||
+		   devent->result == DNS_R_NXDOMAIN ||
+		   devent->result == DNS_R_NXRRSET)
+	{
+		/*
+		 * No keys.
+		 */
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "no keys found");
+		LOCK(&val->lock);
+		result = proveunsecure(val, ISC_TRUE);
+		if (result != DNS_R_WAIT)
+			validator_done(val, result);
+		UNLOCK(&val->lock);
+	} else {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "fetch_callback_nullkey: got %s",
+			      dns_result_totext(devent->result));
+		validator_done(val, devent->result);
+	}
+
+	dns_resolver_destroyfetch(&fetch);
+
+	/*
+	 * Free stuff from the event.
+	 */
+	if (devent->rdataset != NULL)
+		isc_mem_put(val->view->mctx, devent->rdataset,
+			    sizeof(dns_rdataset_t));
+	if (devent->sigrdataset != NULL)
+		isc_mem_put(val->view->mctx, devent->sigrdataset,
+			    sizeof(dns_rdataset_t));
+	isc_event_free(&event);
+}
+
+static void
+keyvalidated(isc_task_t *task, isc_event_t *event) {
+	dns_validatorevent_t *devent;
+	dns_validator_t *val;
+	dns_rdataset_t *rdataset;
+	isc_result_t result;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+	devent = (dns_validatorevent_t *)event;
+	rdataset = devent->rdataset;
+	val = devent->ev_arg;
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in keyvalidated");
+	if (devent->result == ISC_R_SUCCESS) {
+		LOCK(&val->lock);
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "keyset with trust %d", rdataset->trust);
+		result = get_dst_key(val, val->siginfo, rdataset);
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * No matching key.
+			 */
+			validator_done(val, result);
+			UNLOCK(&val->lock);
+			goto free_event;
+		}
+		result = validate(val, ISC_TRUE);
+		if (result != DNS_R_WAIT) {
+			validator_done(val, result);
+			UNLOCK(&val->lock);
+			goto free_event;
+		}
+		UNLOCK(&val->lock);
+	} else {
+		validator_log(val, ISC_LOG_DEBUG(3), 
+			      "keyvalidated: got %s",
+			      dns_result_totext(devent->result));
+		validator_done(val, devent->result);
+	}
+
+ free_event:
+	dns_validator_destroy(&val->keyvalidator);
+	/*
+	 * free stuff from the event.
+	 */
+	isc_mem_put(val->view->mctx, devent->rdataset, sizeof(dns_rdataset_t));
+	isc_mem_put(val->view->mctx, devent->sigrdataset,
+		    sizeof(dns_rdataset_t));
+	isc_event_free(&event);
+}
+
+static void
+authvalidated(isc_task_t *task, isc_event_t *event) {
+	dns_validatorevent_t *devent;
+	dns_validator_t *val;
+	dns_rdataset_t *rdataset, *sigrdataset;
+	isc_result_t result;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+	devent = (dns_validatorevent_t *)event;
+	rdataset = devent->rdataset;
+	sigrdataset = devent->sigrdataset;
+	val = devent->ev_arg;
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in authvalidated");
+	if (devent->result != ISC_R_SUCCESS) {
+		validator_log(val, ISC_LOG_DEBUG(3), 
+			      "authvalidated: got %s",
+			      dns_result_totext(devent->result));
+		validator_done(val, devent->result);
+		goto free_event;
+	}
+
+	if (rdataset->type == dns_rdatatype_nxt) {
+		int order;
+		dns_rdata_t rdata;
+		isc_region_t r;
+		dns_name_t nextname;
+
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "authvalidated looking for relevant nxt");
+		order = dns_name_compare(val->event->name, devent->name);
+		if (order == 0) {
+			if (val->event->type >= 128) {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "invalid type %d",
+					      val->event->type);
+				goto out;
+			}
+			result = dns_rdataset_first(devent->rdataset);
+			INSIST(result == ISC_R_SUCCESS);
+			dns_rdataset_current(devent->rdataset, &rdata);
+			if (dns_nxt_typepresent(&rdata, val->event->type)) {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "type should not be present");
+				goto out;
+			}
+			validator_log(val, ISC_LOG_DEBUG(3),
+			      "nxt bitmask ok");
+		} else if (order > 0) {
+			result = dns_rdataset_first(devent->rdataset);
+			INSIST(result == ISC_R_SUCCESS);
+			dns_rdataset_current(devent->rdataset, &rdata);
+			dns_rdata_toregion(&rdata, &r);
+			dns_name_init(&nextname, NULL);
+			dns_name_fromregion(&nextname, &r);
+			order = dns_name_compare(val->event->name, &nextname);
+			if (order >= 0) {
+				dns_siginfo_t *siginfo;
+				siginfo = devent->validator->siginfo;
+				if (!dns_name_equal(&siginfo->signer,
+						    &nextname))
+				{
+					validator_log(val, ISC_LOG_DEBUG(3),
+						"next name is not greater");
+					goto out;
+				}
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "nxt points to zone apex, ok");
+			}
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "nxt range ok");
+		} else {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				"nxt owner name is not less");
+			goto out;
+		}
+		val->attributes |= VALATTR_FOUNDNONEXISTENCE;
+	out: ;
+	}
+
+	isc_event_free(&event);
+	dns_validator_destroy(&val->authvalidator);
+	LOCK(&val->lock);
+	result = nxtvalidate(val, ISC_TRUE);
+	if (result != DNS_R_WAIT)
+		validator_done(val, result);
+	UNLOCK(&val->lock);
+	return;
+
+ free_event:
+	/*
+	 * free stuff from the event.
+	 */
+	isc_event_free(&event);
+	dns_validator_destroy(&val->authvalidator);
+}
+
+static void
+negauthvalidated(isc_task_t *task, isc_event_t *event) {
+	dns_validatorevent_t *devent;
+	dns_validator_t *val;
+	dns_rdataset_t *rdataset;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+	devent = (dns_validatorevent_t *)event;
+	rdataset = devent->rdataset;
+	val = devent->ev_arg;
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in negauthvalidated");
+	if (devent->result != ISC_R_SUCCESS) {
+		validator_log(val, ISC_LOG_DEBUG(3), 
+			      "negauthvalidated: got %s",
+			      dns_result_totext(devent->result));
+		validator_done(val, devent->result);
+		goto free_event;
+	}
+
+	isc_mem_put(val->view->mctx, rdataset, sizeof *rdataset);
+	isc_event_free(&event);
+	dns_validator_destroy(&val->authvalidator);
+	LOCK(&val->lock);
+	val->attributes |= VALATTR_FOUNDNONEXISTENCE;
+
+	validator_log(val, ISC_LOG_DEBUG(3), "nonexistence proof found");
+	validator_done(val, ISC_R_SUCCESS);
+	UNLOCK(&val->lock);
+	return;
+
+ free_event:
+	/*
+	 * free stuff from the event.
+	 */
+	isc_mem_put(val->view->mctx, rdataset, sizeof *rdataset);
+	isc_event_free(&event);
+	dns_validator_destroy(&val->authvalidator);
+}
+
+static void
+nullkeyvalidated(isc_task_t *task, isc_event_t *event) {
+	dns_validatorevent_t *devent;
+	dns_validator_t *val;
+	isc_result_t result;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+	devent = (dns_validatorevent_t *)event;
+	val = devent->ev_arg;
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in nullkeyvalidated");
+	if (devent->result == ISC_R_SUCCESS) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "proved that name is in an unsecure domain");
+		LOCK(&val->lock);
+		validator_done(val, ISC_R_SUCCESS);
+		UNLOCK(&val->lock);
+	} else {
+		LOCK(&val->lock);
+		result = proveunsecure(val, ISC_TRUE);
+		if (result != DNS_R_WAIT)
+			validator_done(val, result);
+		UNLOCK(&val->lock);
+	}
+
+	dns_validator_destroy(&val->keyvalidator);
+
+	/*
+	 * free stuff from the event.
+	 */
+	isc_mem_put(val->view->mctx, devent->rdataset, sizeof(dns_rdataset_t));
+	isc_mem_put(val->view->mctx, devent->sigrdataset,
+		    sizeof(dns_rdataset_t));
+	dns_name_free(devent->name, val->view->mctx);
+	isc_mem_put(val->view->mctx, devent->name, sizeof(dns_name_t));
+	isc_event_free(&event);
+}
+
+/*
+ * Try to find a null zone key among those in 'rdataset'.  If found, build
+ * a dst_key_t for it and point val->key at it.
+ */
+static inline isc_boolean_t 
+containsnullkey(dns_validator_t *val, dns_rdataset_t *rdataset) {
+	isc_result_t result;
+	dst_key_t *key = NULL;
+	isc_buffer_t b;
+	dns_rdata_t rdata;
+	isc_boolean_t found = ISC_FALSE;
+
+	result = dns_rdataset_first(rdataset);
+	if (result != ISC_R_SUCCESS)
+		return (ISC_FALSE);
+	while (result == ISC_R_SUCCESS && !found) {
+		dns_rdataset_current(rdataset, &rdata);
+		isc_buffer_init(&b, rdata.data, rdata.length);
+		isc_buffer_add(&b, rdata.length);
+		key = NULL;
+		/*
+		 * The key name is unimportant, so we can avoid any name/text
+		 * conversion.
+		 */
+		result = dst_key_fromdns("", &b, val->view->mctx, &key);
+		if (result != ISC_R_SUCCESS)
+			continue;
+		if (dst_key_isnullkey(key))
+			found = ISC_TRUE;
+		dst_key_free(&key);
+		result = dns_rdataset_next(rdataset);
+	}
+	return (found);
+}
+
+/*
+ * Try to find a key that could have signed 'siginfo' among those
+ * in 'rdataset'.  If found, build a dst_key_t for it and point
+ * val->key at it.
+ *
+ * If val->key is non-NULL, this returns the next matching key.
+ */
 static inline isc_result_t 
 get_dst_key(dns_validator_t *val, dns_siginfo_t *siginfo,
 	    dns_rdataset_t *rdataset)
@@ -123,53 +579,69 @@ get_dst_key(dns_validator_t *val, dns_siginfo_t *siginfo,
 	isc_buffer_t b;
 	dns_rdata_t rdata;
 	char ntext[1024];
+	dst_key_t *oldkey = val->key;
+	isc_boolean_t foundold;
+
+	if (oldkey == NULL)
+		foundold = ISC_TRUE;
+	else {
+		foundold = ISC_FALSE;
+		val->key = NULL;
+	}
 
 	result = dns_rdataset_first(rdataset);
 	if (result != ISC_R_SUCCESS)
-		return (result);
+		goto failure;
 	do {
 		dns_rdataset_current(rdataset, &rdata);
 		/*
 		 * We keep one byte of ntext in reserve so
 		 * we're sure we can NUL terminate.
 		 */
-		isc_buffer_init(&b, ntext, sizeof(ntext) - 1,
-				ISC_BUFFERTYPE_TEXT);
+		isc_buffer_init(&b, ntext, sizeof(ntext) - 1);
 		result = dns_name_totext(&siginfo->signer, ISC_FALSE, &b);
 		if (result != ISC_R_SUCCESS)
-			return (result);
+			goto failure;
 
 		/*
 		 * NUL-terminate the character string.
 		 */
 		isc_buffer_putuint8(&b, 0);
 
-		isc_buffer_init(&b, rdata.data, rdata.length,
-				ISC_BUFFERTYPE_BINARY);
+		isc_buffer_init(&b, rdata.data, rdata.length);
 		isc_buffer_add(&b, rdata.length);
 		INSIST(val->key == NULL);
 		result = dst_key_fromdns(ntext, &b, val->view->mctx,
 					 &val->key);
 		if (result != ISC_R_SUCCESS)
-			return (result);
+			goto failure;
 		if (siginfo->algorithm ==
 		    (dns_secalg_t)dst_key_alg(val->key) &&
 		    siginfo->tag ==
 		    (dns_keytag_t)dst_key_id(val->key) &&
-		    dst_key_iszonekey(val->key) &&
-		    dst_key_proto(val->key) == DST_KEYPROTO_DNSSEC) {
-			/*
-			 * This is the key we're looking for.
-			 */
-			return (ISC_R_SUCCESS);
+		    dst_key_iszonekey(val->key))
+		{
+			if (foundold)
+				/*
+				 * This is the key we're looking for.
+				 */
+				return (ISC_R_SUCCESS);
+			else if (dst_key_compare(oldkey, val->key) == ISC_TRUE)
+			{
+				foundold = ISC_TRUE;
+				dst_key_free(&oldkey);
+			}
 		}
-		dst_key_free(val->key);
-		val->key = NULL;
+		dst_key_free(&val->key);
 		result = dns_rdataset_next(rdataset);
 	} while (result == ISC_R_SUCCESS);
 	if (result == ISC_R_NOMORE)
 		result = ISC_R_NOTFOUND;
 
+ failure:
+	if (oldkey != NULL)
+		dst_key_free(&oldkey);
+
 	return (result);
 }
 
@@ -185,46 +657,6 @@ get_key(dns_validator_t *val, dns_siginfo_t *siginfo) {
 	event = val->event;
 
 	/*
-	 * Is the key used for the signature a security root?
-	 */
-	INSIST(val->keynode == NULL);
-	val->keytable = val->view->secroots;
-	result = dns_keytable_findkeynode(val->view->secroots,
-					  &siginfo->signer,
-					  siginfo->algorithm, siginfo->tag,
-					  &val->keynode);
-	if (result == ISC_R_NOTFOUND) {
-		/*
-		 * Is it a trusted key that is not a security root?
-		 */
-		val->keytable = val->view->trustedkeys;
-		result = dns_keytable_findkeynode(val->view->trustedkeys,
-						  &siginfo->signer,
-						  siginfo->algorithm,
-						  siginfo->tag,
-						  &val->keynode);
-		if (result == ISC_R_SUCCESS) {
-			/*
-			 * The key is trusted.
-			 */
-			val->key = dns_keynode_key(val->keynode);
-			return (ISC_R_SUCCESS);
-		} else if (result != ISC_R_NOTFOUND)
-			return (result);
-	} else if (result == ISC_R_SUCCESS) {
-		/*
-		 * The key is a security root.
-		 */
-		val->key = dns_keynode_key(val->keynode);
-		return (ISC_R_SUCCESS);
-	} else
-		return (result);
-
-	/*
-	 * The signature was not made with a security root or trusted key.
-	 */
-
-	/*
 	 * Is the key name appropriate for this signature?
 	 */
 	namereln = dns_name_fullcompare(event->name, &siginfo->signer,
@@ -248,6 +680,23 @@ get_key(dns_validator_t *val, dns_siginfo_t *siginfo) {
 	}
 
 	/*
+	 * Is the key used for the signature a security root?
+	 */
+	INSIST(val->keynode == NULL);
+	val->keytable = val->view->secroots;
+	result = dns_keytable_findkeynode(val->view->secroots,
+					  &siginfo->signer,
+					  siginfo->algorithm, siginfo->tag,
+					  &val->keynode);
+	if (result == ISC_R_SUCCESS) {
+		/*
+		 * The key is a security root.
+		 */
+		val->key = dns_keynode_key(val->keynode);
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
 	 * Do we know about this key?
 	 */
 	dns_rdataset_init(&rdataset);
@@ -260,19 +709,62 @@ get_key(dns_validator_t *val, dns_siginfo_t *siginfo) {
 		/*
 		 * We have an rrset for the given keyname.
 		 */
-		if (rdataset.trust == dns_trust_pending) {
+		if (rdataset.trust == dns_trust_pending &&
+		    dns_rdataset_isassociated(&sigrdataset))
+		{
 			/*
 			 * We know the key but haven't validated it yet.
 			 */
-			result = DNS_R_NOTIMPLEMENTED;
-		} else {
+			dns_rdataset_t *frdataset, *fsigrdataset;
+			frdataset = isc_mem_get(val->view->mctx,
+						sizeof *frdataset);
+			if (frdataset == NULL)
+				return (ISC_R_NOMEMORY);
+			fsigrdataset = isc_mem_get(val->view->mctx,
+						   sizeof *fsigrdataset);
+			if (fsigrdataset == NULL) {
+				isc_mem_put(val->view->mctx, frdataset,
+					    sizeof *frdataset);
+				return (ISC_R_NOMEMORY);
+			}
+			dns_rdataset_init(frdataset);
+			dns_rdataset_init(fsigrdataset);
+			dns_rdataset_clone(&rdataset, frdataset);
+			dns_rdataset_clone(&sigrdataset, fsigrdataset);
+
+			result = dns_validator_create(val->view,
+						      &siginfo->signer,
+						      dns_rdatatype_key,
+						      frdataset,
+						      fsigrdataset,
+						      NULL,
+						      0,
+						      val->task,
+						      keyvalidated,
+						      val,
+						      &val->keyvalidator);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			return (DNS_R_WAIT);
+		} else if (rdataset.trust == dns_trust_pending) {
 			/*
-			 * XXXRTH  What should we do if this is an untrusted
-			 *         rdataset?
+			 * Having a pending key with no signature means that
+			 * something is broken.
 			 */
+			result = DNS_R_CONTINUE;
+		} else if (rdataset.trust < dns_trust_secure) {
+			/*
+			 * The key is legitimately insecure.  There's no
+			 * point in even attempting verification.
+			 */
+			val->key = NULL;
+			result = ISC_R_SUCCESS;
+		} else {
 			/*
 			 * See if we've got the key used in the signature.
 			 */
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "keyset with trust %d", rdataset.trust);
 			result = get_dst_key(val, siginfo, &rdataset);
 			if (result != ISC_R_SUCCESS) {
 				/*
@@ -286,14 +778,39 @@ get_key(dns_validator_t *val, dns_siginfo_t *siginfo) {
 	} else if (result == ISC_R_NOTFOUND) {
 		/*
 		 * We don't know anything about this key.
-		 *
-		 * XXX  Start a fetch.
 		 */
-		result = DNS_R_NOTIMPLEMENTED;
+		dns_rdataset_t *frdataset, *fsigrdataset;
+		frdataset = isc_mem_get(val->view->mctx, sizeof *frdataset);
+		if (frdataset == NULL)
+			return (ISC_R_NOMEMORY);
+		fsigrdataset = isc_mem_get(val->view->mctx,
+					   sizeof *fsigrdataset);
+		if (fsigrdataset == NULL) {
+			isc_mem_put(val->view->mctx, frdataset,
+				    sizeof *frdataset);
+			return (ISC_R_NOMEMORY);
+		}
+		dns_rdataset_init(frdataset);
+		dns_rdataset_init(fsigrdataset);
+		val->fetch = NULL;
+		result = dns_resolver_createfetch(val->view->resolver,
+						  &siginfo->signer,
+						  dns_rdatatype_key,
+						  NULL, NULL, NULL, 0,
+						  val->event->ev_sender,
+						  fetch_callback_validator,
+						  val,
+						  frdataset,
+						  fsigrdataset,
+						  &val->fetch);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		return (DNS_R_WAIT);
 	} else if (result ==  DNS_R_NCACHENXDOMAIN ||
 		   result == DNS_R_NCACHENXRRSET ||
 		   result == DNS_R_NXDOMAIN ||
-		   result == DNS_R_NXRRSET) {
+		   result == DNS_R_NXRRSET)
+	{
 		/*
 		 * This key doesn't exist.
 		 */
@@ -308,12 +825,20 @@ get_key(dns_validator_t *val, dns_siginfo_t *siginfo) {
 	return (result);
 }
 
+/*
+ * Attempts positive response validation.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS	Validation completed successfully
+ *	DNS_R_WAIT	Validation has started but is waiting
+ *			for an event.
+ *	Other return codes are possible and all indicate failure.
+ */
 static inline isc_result_t
 validate(dns_validator_t *val, isc_boolean_t resume) {
 	isc_result_t result;
 	dns_validatorevent_t *event;
 	dns_rdata_t rdata;
-	dns_siginfo_t siginfo;
 
 	/*
 	 * Caller must be holding the validator lock.
@@ -321,14 +846,29 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 
 	event = val->event;
 
-	if (!resume) {
+	if (resume) {
+		/*
+		 * We already have a sigrdataset.
+		 */
+		result = ISC_R_SUCCESS;
+		validator_log(val, ISC_LOG_DEBUG(3), "resuming validate");
+	} else {
 		result = dns_rdataset_first(event->sigrdataset);
-		if (result != ISC_R_SUCCESS)
-			return (result);
 	}
-	do {
+
+	for (;
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(event->sigrdataset))
+	{
 		dns_rdataset_current(event->sigrdataset, &rdata);
-		rdata_to_siginfo(&rdata, &siginfo);
+		if (val->siginfo != NULL)
+			isc_mem_put(val->view->mctx, val->siginfo,
+				    sizeof *val->siginfo);
+		val->siginfo = isc_mem_get(val->view->mctx,
+					   sizeof *val->siginfo);
+		if (val->siginfo == NULL)
+			return (ISC_R_NOMEMORY);
+		rdata_to_siginfo(&rdata, val->siginfo);
 		
 		/*
 		 * At this point we could check that the signature algorithm
@@ -337,24 +877,360 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 		 */
 		
 		if (!resume) {
-			result = get_key(val, &siginfo);
-			if (result != DNS_R_CONTINUE)
+			result = get_key(val, val->siginfo);
+			if (result == DNS_R_CONTINUE)
+				continue; /* Try the next SIG RR. */
+			if (result != ISC_R_SUCCESS)
 				return (result);
 		}
-		INSIST(val->key != NULL);
 
-		result = dns_rdataset_next(event->sigrdataset);
-	} while (result == ISC_R_SUCCESS);
+		if (val->key == NULL) {
+			event->rdataset->trust = dns_trust_answer;
+			event->sigrdataset->trust = dns_trust_answer;
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "marking as answer");
+			return (ISC_R_SUCCESS);
+
+		}
+
+		do {
+			result = dns_dnssec_verify(event->name,
+						   event->rdataset,
+						   val->key, ISC_FALSE,
+						   val->view->mctx, &rdata);
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "verify rdataset: %s",
+				      isc_result_totext(result));
+			if (result == ISC_R_SUCCESS)
+				break;
+			if (val->keynode != NULL) {
+				dns_keynode_t *nextnode = NULL;
+				result = dns_keytable_findnextkeynode(
+							val->keytable,
+							val->keynode,
+							&nextnode);
+				dns_keytable_detachkeynode(val->keytable,
+							   &val->keynode);
+				val->keynode = nextnode;
+				if (result != ISC_R_SUCCESS) {
+					val->key = NULL;
+					break;
+				}
+				val->key = dns_keynode_key(val->keynode);
+			} else {
+				if (get_dst_key(val, val->siginfo, val->keyset)
+				    != ISC_R_SUCCESS)
+					break;
+			}
+		} while (1);
+		if (result != ISC_R_SUCCESS)
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "failed to verify rdataset");
+		if (val->keynode != NULL)
+			dns_keytable_detachkeynode(val->keytable,
+						   &val->keynode);
+		else {
+			if (val->key != NULL)
+				dst_key_free(&val->key);
+			if (val->keyset != NULL)
+				isc_mem_put(val->view->mctx, val->keyset,
+					    sizeof *val->keyset);
+				val->keyset = NULL;
+		}
+		val->key = NULL;
+		if (result == ISC_R_SUCCESS) {
+			event->rdataset->trust = dns_trust_secure;
+			event->sigrdataset->trust = dns_trust_secure;
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "marking as secure");
+			return (result);
+		}
+		else
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "verify failure: %s",
+				      isc_result_totext(result));
+	}
+	INSIST(result == ISC_R_NOMORE);
+
+	validator_log(val, ISC_LOG_INFO, "no valid signature found");
+	return (DNS_R_NOVALIDSIG);
+}
+
+
+static inline isc_result_t
+nxtvalidate(dns_validator_t *val, isc_boolean_t resume) {
+	dns_name_t *name;
+	dns_message_t *message = val->event->message;
+	isc_result_t result;
+
+	if (!resume) {
+		result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+		if (result != ISC_R_SUCCESS)
+			validator_done(val, ISC_R_NOTFOUND);
+	} else {
+		result = ISC_R_SUCCESS;
+		validator_log(val, ISC_LOG_DEBUG(3), "resuming nxtvalidate");
+	}
+
+	for (;
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
+	{
+		dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+
+		name = NULL;
+		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+		if (resume) {
+			rdataset = ISC_LIST_NEXT(val->currentset, link);
+			val->currentset = NULL;
+			resume = ISC_FALSE;
+		}
+		else {
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link))
+				rdataset->trust = dns_trust_pending;
+
+			rdataset = ISC_LIST_HEAD(name->list);
+		}
+
+		for (;
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			if (rdataset->type == dns_rdatatype_sig)
+				continue;
+
+			for (sigrdataset = ISC_LIST_HEAD(name->list);
+			     sigrdataset != NULL;
+			     sigrdataset = ISC_LIST_NEXT(sigrdataset,
+							 link))
+			{
+				if (sigrdataset->type == dns_rdatatype_sig &&
+				    sigrdataset->covers == rdataset->type)
+					break;
+			}
+			if (sigrdataset == NULL)
+				continue;
+			val->seensig = ISC_TRUE;
+			val->authvalidator = NULL;
+			val->currentset = rdataset;
+			result = dns_validator_create(val->view, name,
+						      rdataset->type,
+						      rdataset,
+						      sigrdataset,
+						      NULL, 0,
+						      val->task,
+						      authvalidated,
+						      val,
+						      &val->authvalidator);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			return (DNS_R_WAIT);
+						      
+		}
+	}
 	if (result == ISC_R_NOMORE)
 		result = ISC_R_SUCCESS;
+	if (result != ISC_R_SUCCESS)
+		validator_done(val, result);
+
+	if ((val->attributes & VALATTR_FOUNDNONEXISTENCE) == 0) {
+		if (!val->seensig) {
+			dns_rdataset_t *rdataset;
+			rdataset = isc_mem_get(val->view->mctx,
+					       sizeof(dns_rdataset_t));
+			if (rdataset == NULL)
+				return (ISC_R_NOMEMORY);
+			dns_rdataset_init(rdataset);
+			result = dns_validator_create(val->view, name,
+						      dns_rdatatype_soa,
+						      rdataset,
+						      NULL, NULL, 0,
+						      val->task,
+						      negauthvalidated,
+						      val,
+						      &val->authvalidator);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			return (DNS_R_WAIT);
+		}
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "nonexistence proof not found");
+		return (DNS_R_NOVALIDNXT);
+	} else {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "nonexistence proof found");
+		return (ISC_R_SUCCESS);
+	}
 
-	return (result);
 }
 
-static inline void
-validator_start(dns_validator_t *val) {
+static inline isc_result_t
+proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
 	isc_result_t result;
+	dns_fixedname_t secroot, tfname;
+	dns_name_t *tname;
+
+	dns_fixedname_init(&secroot);
+	dns_fixedname_init(&tfname);
+	result = dns_keytable_finddeepestmatch(val->view->secroots,
+					       val->event->name,
+					       dns_fixedname_name(&secroot));
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (!resume)
+		val->labels = dns_name_depth(dns_fixedname_name(&secroot)) + 1;
+	else {
+		validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
+		val->labels++;
+	}
+
+	for (;
+	     val->labels <= dns_name_depth(val->event->name);
+	     val->labels++)
+	{
+		dns_rdataset_t rdataset, sigrdataset;
+
+		if (val->labels == dns_name_depth(val->event->name)) {
+			if (val->event->type == dns_rdatatype_key)
+				break;
+			tname = val->event->name;
+		} else {
+			tname = dns_fixedname_name(&tfname);
+			result = dns_name_splitatdepth(val->event->name,
+						       val->labels,
+						       NULL, tname);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+		}
+		dns_rdataset_init(&rdataset);
+		dns_rdataset_init(&sigrdataset);
+		result = dns_view_simplefind(val->view, tname,
+					     dns_rdatatype_key, 0,
+					     DNS_DBFIND_PENDINGOK, ISC_FALSE,
+					     &rdataset, &sigrdataset);
+		if (result == ISC_R_SUCCESS) {
+			dns_rdataset_t *frdataset = NULL, *fsigrdataset = NULL;
+			dns_name_t *fname = NULL;
+
+			if (!dns_rdataset_isassociated(&sigrdataset))
+				return (DNS_R_NOTINSECURE);
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "found keyset, looking for null key");
+			if (!containsnullkey(val, &rdataset))
+				continue;
+		
+			if (rdataset.trust >= dns_trust_secure) {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "insecurity proof succeeded");
+				val->event->rdataset->trust = dns_trust_answer;
+				return (ISC_R_SUCCESS);
+			}
+
+			frdataset = isc_mem_get(val->view->mctx,
+						sizeof *frdataset);
+			if (frdataset == NULL)
+				return (ISC_R_NOMEMORY);
+			fsigrdataset = isc_mem_get(val->view->mctx,
+						  sizeof *fsigrdataset);
+			if (fsigrdataset == NULL) {
+				isc_mem_put(val->view->mctx, frdataset,
+					    sizeof *frdataset);
+				return (ISC_R_NOMEMORY);
+			}
+			fname = isc_mem_get(val->view->mctx, sizeof *fname);
+			if (fname == NULL) {
+				isc_mem_put(val->view->mctx, fsigrdataset,
+					    sizeof *frdataset);
+				isc_mem_put(val->view->mctx, frdataset,
+					    sizeof *fsigrdataset);
+				return (ISC_R_NOMEMORY);
+			}
+			dns_name_init(fname, NULL);
+			result = dns_name_dup(tname, val->view->mctx, fname);
+			if (result != ISC_R_SUCCESS) {
+				isc_mem_put(val->view->mctx, fsigrdataset,
+					    sizeof *frdataset);
+				isc_mem_put(val->view->mctx, frdataset,
+					    sizeof *fsigrdataset);
+				isc_mem_put(val->view->mctx, fname,
+					    sizeof *fname);
+				return (ISC_R_NOMEMORY);
+			}
+			dns_rdataset_init(frdataset);
+			dns_rdataset_init(fsigrdataset);
+			dns_rdataset_clone(&rdataset, frdataset);
+			dns_rdataset_clone(&sigrdataset, fsigrdataset);
 
+			result = dns_validator_create(val->view,
+						      fname,
+						      dns_rdatatype_key,
+						      frdataset,
+						      fsigrdataset,
+						      NULL,
+						      0,
+						      val->task,
+						      nullkeyvalidated,
+						      val,
+						      &val->keyvalidator);
+			return (DNS_R_WAIT);
+		} else if (result == ISC_R_NOTFOUND) {
+			dns_rdataset_t *frdataset = NULL, *fsigrdataset = NULL;
+
+			frdataset = isc_mem_get(val->view->mctx,
+						sizeof *frdataset);
+			if (frdataset == NULL)
+				return (ISC_R_NOMEMORY);
+			fsigrdataset = isc_mem_get(val->view->mctx,
+						  sizeof *fsigrdataset);
+			if (fsigrdataset == NULL) {
+				isc_mem_put(val->view->mctx, frdataset,
+					    sizeof *frdataset);
+				return (ISC_R_NOMEMORY);
+			}
+			dns_rdataset_init(frdataset);
+			dns_rdataset_init(fsigrdataset);
+			val->fetch = NULL;
+			result = dns_resolver_createfetch(val->view->resolver,
+							tname,
+							dns_rdatatype_key,
+							NULL, NULL, NULL, 0,
+							val->event->ev_sender,
+							fetch_callback_nullkey,
+							val, frdataset,
+							fsigrdataset,
+							&val->fetch);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			return (DNS_R_WAIT);
+		} else if (result == DNS_R_NCACHENXDOMAIN ||
+			 result == DNS_R_NCACHENXRRSET ||
+			 result == DNS_R_NXDOMAIN ||
+			 result == DNS_R_NXRRSET)
+		{
+			continue;
+		} else
+			return (result);
+	}
+	validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
+	return (DNS_R_NOTINSECURE); /* Didn't find a null key */
+}
+
+static void
+validator_start(isc_task_t *task, isc_event_t *event) {
+	dns_validator_t *val;
+	dns_validatorevent_t *vevent;
+	isc_result_t result = ISC_R_FAILURE;
+
+	UNUSED(task);
+	REQUIRE(event->ev_type == DNS_EVENT_VALIDATORSTART);
+	vevent = (dns_validatorevent_t *) event;
+	val = vevent->validator;
+
+	validator_log(val, ISC_LOG_DEBUG(3), "starting");
+	
 	LOCK(&val->lock);
 
 	if (val->event->rdataset != NULL && val->event->sigrdataset != NULL) {
@@ -363,22 +1239,44 @@ validator_start(dns_validator_t *val) {
 		 * because we don't know if wildcards are involved yet so it
 		 * could still get complicated.
 		 */
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "attempting positive response validation");
+	
 		result = validate(val, ISC_FALSE);
-	} else {
+	} else if (val->event->rdataset != NULL) {
+		/*
+		 * This is either an unsecure subdomain or a response from
+		 * a broken server.
+		 */
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "attempting insecurity proof");
+	
+		result = proveunsecure(val, ISC_FALSE);
+	} else if (val->event->rdataset == NULL &&
+		 val->event->sigrdataset == NULL)
+	{
 		/*
 		 * This is a nonexistence validation.
 		 */
-		result = DNS_R_NOTIMPLEMENTED;
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "attempting negative response validation");
+	
+		result = nxtvalidate(val, ISC_FALSE);
+	} else {
+		/*
+		 * This shouldn't happen.
+		 */
+		INSIST(0);
 	}
 
-	if (result != ISC_R_SUCCESS)
+	if (result != DNS_R_WAIT)
 		validator_done(val, result);
 
 	UNLOCK(&val->lock);
 }
 
 isc_result_t
-dns_validator_create(dns_view_t *view, dns_name_t *name,
+dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
 		     dns_message_t *message, unsigned int options,
 		     isc_task_t *task, isc_taskaction_t action, void *arg,
@@ -389,6 +1287,11 @@ dns_validator_create(dns_view_t *view, dns_name_t *name,
 	isc_task_t *tclone;
 	dns_validatorevent_t *event;
 
+	REQUIRE(name != NULL);
+	REQUIRE(type != 0);
+	REQUIRE(rdataset != NULL ||
+		(rdataset == NULL && sigrdataset == NULL && message != NULL));
+	REQUIRE(options == 0);
 	REQUIRE(validatorp != NULL && *validatorp == NULL);
 
 	tclone = NULL;
@@ -400,8 +1303,10 @@ dns_validator_create(dns_view_t *view, dns_name_t *name,
 	val->view = NULL;
 	dns_view_attach(view, &val->view);
 	event = (dns_validatorevent_t *)
-		isc_event_allocate(view->mctx, task, DNS_EVENT_VALIDATORDONE,
-				   action, arg, sizeof (dns_validatorevent_t));
+		isc_event_allocate(view->mctx, task,
+				   DNS_EVENT_VALIDATORSTART,
+				   validator_start, NULL,
+				   sizeof (dns_validatorevent_t));
 	if (event == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto cleanup_val;
@@ -410,6 +1315,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name,
 	event->validator = val;
 	event->result = ISC_R_FAILURE;
 	event->name = name;
+	event->type = type;
 	event->rdataset = rdataset;
 	event->sigrdataset = sigrdataset;
 	event->message = message;
@@ -421,10 +1327,20 @@ dns_validator_create(dns_view_t *view, dns_name_t *name,
 	val->attributes = 0;
 	val->fetch = NULL;
 	val->keyvalidator = NULL;
+	val->authvalidator = NULL;
 	val->keynode = NULL;
+	val->key = NULL;
+	val->siginfo = NULL;
+	val->task = task;
+	val->action = action;
+	val->arg = arg;
+	val->labels = 0;
+	val->currentset = NULL;
+	val->keyset = NULL;
+	val->seensig = ISC_FALSE;
 	val->magic = VALIDATOR_MAGIC;
 
-	validator_start(val);
+	isc_task_send(task, (isc_event_t **)&event);
 
 	*validatorp = val;
 
@@ -448,15 +1364,19 @@ dns_validator_cancel(dns_validator_t *validator) {
 	REQUIRE(VALID_VALIDATOR(validator));
 
 	LOCK(&validator->lock);
+
 	if (validator->event != NULL) {
 		validator->event->result = ISC_R_CANCELED;
-		task = validator->event->sender;
-		validator->event->sender = validator;
+		task = validator->event->ev_sender;
+		validator->event->ev_sender = validator;
 		isc_task_sendanddetach(&task,
 				       (isc_event_t **)&validator->event);
-		/*
-		 * XXXRTH  Do other cancelation stuff here.
-		 */
+
+		if (validator->fetch != NULL)
+			dns_resolver_cancelfetch(validator->fetch);
+
+		if (validator->keyvalidator != NULL)
+			dns_validator_cancel(validator->keyvalidator);
 	}
 	UNLOCK(&validator->lock);
 }
@@ -468,13 +1388,20 @@ destroy(dns_validator_t *val) {
 	REQUIRE(SHUTDOWN(val));
 	REQUIRE(val->event == NULL);
 	REQUIRE(val->fetch == NULL);
+#if 0
+	REQUIRE(val->currentset == NULL);
+#endif
 
-	if (val->key != NULL)
-		dst_key_free(val->key);
 	if (val->keynode != NULL)
 		dns_keytable_detachkeynode(val->keytable, &val->keynode);
-	isc_mutex_destroy(&val->lock);
+	else if (val->key != NULL)
+		dst_key_free(&val->key);
+	if (val->keyvalidator != NULL)
+		dns_validator_destroy(&val->keyvalidator);
 	mctx = val->view->mctx;
+	if (val->siginfo != NULL)
+		isc_mem_put(mctx, val->siginfo, sizeof *val->siginfo);
+	isc_mutex_destroy(&val->lock);
 	dns_view_detach(&val->view);
 	val->magic = 0;
 	isc_mem_put(mctx, val, sizeof *val);
@@ -504,3 +1431,50 @@ dns_validator_destroy(dns_validator_t **validatorp) {
 
 	*validatorp = NULL;
 }
+
+
+
+static void
+validator_logv(dns_validator_t *val, isc_logcategory_t *category,
+	   isc_logmodule_t *module, int level, const char *fmt, va_list ap)
+{
+	char msgbuf[2048];
+
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+
+	if (val->event != NULL && val->event->name != NULL) {
+		char namebuf[1024];
+		char typebuf[256];
+		isc_buffer_t b;
+		isc_region_t r;
+		
+		dns_name_format(val->event->name, namebuf, sizeof(namebuf));
+
+		isc_buffer_init(&b, (unsigned char *)typebuf, sizeof(typebuf));
+		if (dns_rdatatype_totext(val->event->type, &b)
+		    != ISC_R_SUCCESS)
+		{
+			isc_buffer_clear(&b);
+			isc_buffer_putstr(&b, "<bad type>");
+		}
+		isc_buffer_usedregion(&b, &r);
+		isc_log_write(dns_lctx, category, module, level,
+			      "validating %s %.*s: %s", namebuf,
+			      (int) r.length, (char *) r.base, msgbuf);
+	} else {
+		isc_log_write(dns_lctx, category, module, level,
+			      "validator @%p: %s", val, msgbuf);
+		
+	}
+}
+
+static void
+validator_log(dns_validator_t *val, int level, const char *fmt, ...)
+{
+        va_list ap;
+	va_start(ap, fmt);
+	validator_logv(val, DNS_LOGCATEGORY_DNSSEC,
+		       DNS_LOGMODULE_VALIDATOR, level, fmt, ap);
+	va_end(ap);
+}
+
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 27ff4c0a..30b87a01 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -17,37 +17,32 @@
 
 #include <config.h>
 
-#include <string.h>
-
-#include <isc/types.h>
-#include <isc/result.h>
-#include <isc/mem.h>
-#include <isc/assertions.h>
-#include <isc/error.h>
+#include <isc/task.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
 #include <isc/util.h>
 
-#include <dns/types.h>
+#include <dns/acl.h>
 #include <dns/adb.h>
 #include <dns/cache.h>
-#include <dns/dbtable.h>
 #include <dns/db.h>
 #include <dns/events.h>
-#include <dns/fixedname.h>
 #include <dns/keytable.h>
 #include <dns/peer.h>
-#include <dns/rbt.h>
 #include <dns/rdataset.h>
+#include <dns/request.h>
 #include <dns/resolver.h>
+#include <dns/result.h>
 #include <dns/tsig.h>
-#include <dns/view.h>
 #include <dns/zone.h>
 #include <dns/zt.h>
 
 #define RESSHUTDOWN(v)	(((v)->attributes & DNS_VIEWATTR_RESSHUTDOWN) != 0)
 #define ADBSHUTDOWN(v)	(((v)->attributes & DNS_VIEWATTR_ADBSHUTDOWN) != 0)
+#define REQSHUTDOWN(v)	(((v)->attributes & DNS_VIEWATTR_REQSHUTDOWN) != 0)
 
 static void resolver_shutdown(isc_task_t *task, isc_event_t *event);
 static void adb_shutdown(isc_task_t *task, isc_event_t *event);
+static void req_shutdown(isc_task_t *task, isc_event_t *event);
 
 isc_result_t
 dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
@@ -120,20 +115,36 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->hints = NULL;
 	view->resolver = NULL;
 	view->adb = NULL;
+	view->requestmgr = NULL;
 	view->mctx = mctx;
 	view->rdclass = rdclass;
 	view->frozen = ISC_FALSE;
 	view->task = NULL;
 	view->references = 1;
-	view->attributes = (DNS_VIEWATTR_RESSHUTDOWN|DNS_VIEWATTR_ADBSHUTDOWN);
+	view->weakrefs = 0;
+	view->attributes = (DNS_VIEWATTR_RESSHUTDOWN|DNS_VIEWATTR_ADBSHUTDOWN|
+			    DNS_VIEWATTR_REQSHUTDOWN);
 	view->statickeys = NULL;
 	view->dynamickeys = NULL;
+	view->matchclients = NULL;
 	result = dns_tsigkeyring_create(view->mctx, &view->dynamickeys);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto cleanup_trustedkeys;
 	view->peers = NULL;
+
+	/*
+	 * Initialize configuration data with default values.
+	 */	
+	view->recursion = ISC_TRUE;
+	view->auth_nxdomain = ISC_FALSE; /* Was true in BIND 8 */
+	view->transfer_format = dns_one_answer;
+	view->queryacl = NULL;
+	view->recursionacl = NULL;
+	view->requestixfr = ISC_TRUE;
+	view->provideixfr = ISC_TRUE;
+
 	result = dns_peerlist_new(view->mctx, &view->peers);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto cleanup_dynkeys;
 	ISC_LINK_INIT(view, link);
 	ISC_EVENT_INIT(&view->resevent, sizeof view->resevent, 0, NULL,
@@ -142,6 +153,9 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	ISC_EVENT_INIT(&view->adbevent, sizeof view->adbevent, 0, NULL,
 		       DNS_EVENT_VIEWADBSHUTDOWN, adb_shutdown,
 		       view, NULL, NULL, NULL);
+	ISC_EVENT_INIT(&view->reqevent, sizeof view->reqevent, 0, NULL,
+		       DNS_EVENT_VIEWREQSHUTDOWN, req_shutdown,
+		       view, NULL, NULL, NULL);
 	view->magic = DNS_VIEW_MAGIC;
 	
 	*viewp = view;
@@ -175,33 +189,14 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	return (result);
 }
 
-void
-dns_view_attach(dns_view_t *source, dns_view_t **targetp) {
-
-	/*
-	 * Attach '*targetp' to 'source'.
-	 */
-
-	REQUIRE(DNS_VIEW_VALID(source));
-	REQUIRE(targetp != NULL && *targetp == NULL);
-
-	LOCK(&source->lock);
-
-	INSIST(source->references > 0);
-	source->references++;
-	INSIST(source->references != 0);
-
-	UNLOCK(&source->lock);
-
-	*targetp = source;
-}
-
 static inline void
 destroy(dns_view_t *view) {
 	REQUIRE(!ISC_LINK_LINKED(view, link));
 	REQUIRE(view->references == 0);
+	REQUIRE(view->weakrefs == 0);
 	REQUIRE(RESSHUTDOWN(view));
 	REQUIRE(ADBSHUTDOWN(view));
+	REQUIRE(REQSHUTDOWN(view));
 
 	if (view->peers != NULL)
 		dns_peerlist_detach(&view->peers);
@@ -213,6 +208,8 @@ destroy(dns_view_t *view) {
 		dns_adb_detach(&view->adb);
 	if (view->resolver != NULL)
 		dns_resolver_detach(&view->resolver);
+	if (view->requestmgr != NULL)
+		dns_requestmgr_detach(&view->requestmgr);
 	if (view->task != NULL)
 		isc_task_detach(&view->task);
 	if (view->hints != NULL)
@@ -221,7 +218,12 @@ destroy(dns_view_t *view) {
 		dns_db_detach(&view->cachedb);
 	if (view->cache != NULL)
 		dns_cache_detach(&view->cache);
-	dns_zt_detach(&view->zonetable);
+	if (view->matchclients != NULL)
+		dns_acl_detach(&view->matchclients);
+	if (view->queryacl != NULL)
+		dns_acl_detach(&view->queryacl);
+	if (view->recursionacl != NULL)
+		dns_acl_detach(&view->recursionacl);
 	dns_keytable_detach(&view->trustedkeys);
 	dns_keytable_detach(&view->secroots);
 	isc_mutex_destroy(&view->lock);
@@ -235,21 +237,35 @@ all_done(dns_view_t *view) {
 	 * Caller must be holding the view lock.
 	 */
 
-	if (view->references == 0 && RESSHUTDOWN(view) && ADBSHUTDOWN(view))
+	if (view->references == 0 && view->weakrefs == 0 &&
+	    RESSHUTDOWN(view) && ADBSHUTDOWN(view) && REQSHUTDOWN(view))
 		return (ISC_TRUE);
 
 	return (ISC_FALSE);
 }
 
 void
+dns_view_attach(dns_view_t *source, dns_view_t **targetp) {
+
+	REQUIRE(DNS_VIEW_VALID(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	LOCK(&source->lock);
+
+	INSIST(source->references > 0);
+	source->references++;
+	INSIST(source->references != 0);
+
+	UNLOCK(&source->lock);
+
+	*targetp = source;
+}
+
+void
 dns_view_detach(dns_view_t **viewp) {
 	dns_view_t *view;
 	isc_boolean_t done = ISC_FALSE;
 
-	/*
-	 * Detach '*viewp' from its view.
-	 */
-
 	REQUIRE(viewp != NULL);
 	view = *viewp;
 	REQUIRE(DNS_VIEW_VALID(view));
@@ -263,6 +279,9 @@ dns_view_detach(dns_view_t **viewp) {
 			dns_resolver_shutdown(view->resolver);
 		if (!ADBSHUTDOWN(view))
 			dns_adb_shutdown(view->adb);
+		if (!REQSHUTDOWN(view))
+			dns_requestmgr_shutdown(view->requestmgr);
+		dns_zt_detach(&view->zonetable);
 		done = all_done(view);
 	}
 	UNLOCK(&view->lock);
@@ -273,15 +292,53 @@ dns_view_detach(dns_view_t **viewp) {
 		destroy(view);
 }
 
+void
+dns_view_weakattach(dns_view_t *source, dns_view_t **targetp) {
+
+	REQUIRE(DNS_VIEW_VALID(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	LOCK(&source->lock);
+	source->weakrefs++;
+	UNLOCK(&source->lock);
+
+	*targetp = source;
+}
+
+void
+dns_view_weakdetach(dns_view_t **viewp) {
+	dns_view_t *view;
+	isc_boolean_t done = ISC_FALSE;
+
+	REQUIRE(viewp != NULL);
+	view = *viewp;
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	LOCK(&view->lock);
+
+	INSIST(view->weakrefs > 0);
+	view->weakrefs--;
+	done = all_done(view);
+
+	UNLOCK(&view->lock);
+
+	*viewp = NULL;
+
+	if (done)
+		destroy(view);
+}
+
 static void
 resolver_shutdown(isc_task_t *task, isc_event_t *event) {
-	dns_view_t *view = event->arg;
+	dns_view_t *view = event->ev_arg;
 	isc_boolean_t done;
 	
-	REQUIRE(event->type == DNS_EVENT_VIEWRESSHUTDOWN);
+	REQUIRE(event->ev_type == DNS_EVENT_VIEWRESSHUTDOWN);
 	REQUIRE(DNS_VIEW_VALID(view));
 	REQUIRE(view->task == task);
 
+	UNUSED(task);
+	
 	LOCK(&view->lock);
 
 	view->attributes |= DNS_VIEWATTR_RESSHUTDOWN;
@@ -297,13 +354,15 @@ resolver_shutdown(isc_task_t *task, isc_event_t *event) {
 
 static void
 adb_shutdown(isc_task_t *task, isc_event_t *event) {
-	dns_view_t *view = event->arg;
+	dns_view_t *view = event->ev_arg;
 	isc_boolean_t done;
 	
-	REQUIRE(event->type == DNS_EVENT_VIEWADBSHUTDOWN);
+	REQUIRE(event->ev_type == DNS_EVENT_VIEWADBSHUTDOWN);
 	REQUIRE(DNS_VIEW_VALID(view));
 	REQUIRE(view->task == task);
 
+	UNUSED(task);
+	
 	LOCK(&view->lock);
 
 	view->attributes |= DNS_VIEWATTR_ADBSHUTDOWN;
@@ -317,12 +376,37 @@ adb_shutdown(isc_task_t *task, isc_event_t *event) {
 		destroy(view);
 }
 
+static void
+req_shutdown(isc_task_t *task, isc_event_t *event) {
+	dns_view_t *view = event->ev_arg;
+	isc_boolean_t done;
+	
+	REQUIRE(event->ev_type == DNS_EVENT_VIEWREQSHUTDOWN);
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->task == task);
+
+	UNUSED(task);
+	
+	LOCK(&view->lock);
+
+	view->attributes |= DNS_VIEWATTR_REQSHUTDOWN;
+	done = all_done(view);
+
+	UNLOCK(&view->lock);
+
+	isc_event_free(&event);
+
+	if (done)
+		destroy(view);
+}
+
 isc_result_t
 dns_view_createresolver(dns_view_t *view,
 			isc_taskmgr_t *taskmgr, unsigned int ntasks,
 			isc_socketmgr_t *socketmgr,
 			isc_timermgr_t *timermgr,
 			unsigned int options,
+			dns_dispatchmgr_t *dispatchmgr,
 			dns_dispatch_t *dispatchv4,
 			dns_dispatch_t *dispatchv6)
 {
@@ -337,13 +421,14 @@ dns_view_createresolver(dns_view_t *view,
 	REQUIRE(!view->frozen);
 	REQUIRE(view->resolver == NULL);
 
-	result = isc_task_create(taskmgr, view->mctx, 0, &view->task);
+	result = isc_task_create(taskmgr, 0, &view->task);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	isc_task_setname(view->task, "view", view);
 
 	result = dns_resolver_create(view, taskmgr, ntasks, socketmgr,
-				     timermgr, options, dispatchv4, dispatchv6,
+				     timermgr, options, dispatchmgr,
+				     dispatchv4, dispatchv6,
 				     &view->resolver);
 	if (result != ISC_R_SUCCESS) {
 		isc_task_detach(&view->task);
@@ -363,6 +448,21 @@ dns_view_createresolver(dns_view_t *view,
 	dns_adb_whenshutdown(view->adb, view->task, &event);
 	view->attributes &= ~DNS_VIEWATTR_ADBSHUTDOWN;
 
+	result = dns_requestmgr_create(view->mctx, timermgr, socketmgr,
+				       dns_resolver_taskmgr(view->resolver),
+				       dns_resolver_dispatchmgr(view->resolver),
+				       dns_resolver_dispatchv4(view->resolver),
+				       dns_resolver_dispatchv6(view->resolver),
+				       &view->requestmgr);
+	if (result != ISC_R_SUCCESS) {
+		dns_adb_shutdown(view->adb);
+		dns_resolver_shutdown(view->resolver);
+		return (result);
+	}
+	event = &view->reqevent;
+	dns_requestmgr_whenshutdown(view->requestmgr, view->task, &event);
+	view->attributes &= ~DNS_VIEWATTR_REQSHUTDOWN;
+
 	return (ISC_R_SUCCESS);
 }
 
@@ -424,7 +524,6 @@ dns_view_addzone(dns_view_t *view, dns_zone_t *zone) {
 	REQUIRE(!view->frozen);
 
 	result = dns_zt_mount(view->zonetable, zone);
-	dns_zone_setview(zone, view);
 
 	return (result);
 }
@@ -452,10 +551,10 @@ dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zonep) {
 
 	REQUIRE(DNS_VIEW_VALID(view));
 
-	result = dns_zt_find(view->zonetable, name, NULL, zonep);
+	result = dns_zt_find(view->zonetable, name, 0, NULL, zonep);
 	if (result == DNS_R_PARTIALMATCH) {
 		dns_zone_detach(zonep);
-		result = DNS_R_NOTFOUND;
+		result = ISC_R_NOTFOUND;
 	}
 
 	return (result);
@@ -469,7 +568,6 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 {
 	isc_result_t result;
 	dns_db_t *db;
-	dns_dbversion_t *version;
 	isc_boolean_t is_zone;
 	dns_rdataset_t zrdataset, zsigrdataset;
 	dns_zone_t *zone;
@@ -494,12 +592,12 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 	 */
 	zone = NULL;
 	db = NULL;
-	result = dns_zt_find(view->zonetable, name, NULL, &zone);
+	result = dns_zt_find(view->zonetable, name, 0, NULL, &zone);
 	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
 		result = dns_zone_getdb(zone, &db);
-		if (result != DNS_R_SUCCESS && view->cachedb != NULL)
+		if (result != ISC_R_SUCCESS && view->cachedb != NULL)
 			dns_db_attach(view->cachedb, &db);
-		else if (result != DNS_R_SUCCESS)
+		else if (result != ISC_R_SUCCESS)
 			goto cleanup;
 	} else if (result == ISC_R_NOTFOUND && view->cachedb != NULL)
 		dns_db_attach(view->cachedb, &db);
@@ -516,10 +614,11 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 			     now, NULL, foundname, rdataset, sigrdataset);
 
 	if (result == DNS_R_DELEGATION ||
-	    result == DNS_R_NOTFOUND) {
-		if (rdataset->methods != NULL)
+	    result == ISC_R_NOTFOUND) {
+		if (dns_rdataset_isassociated(rdataset))
 			dns_rdataset_disassociate(rdataset);
-		if (sigrdataset != NULL && sigrdataset->methods != NULL)
+		if (sigrdataset != NULL &&
+		    dns_rdataset_isassociated(sigrdataset))
 			dns_rdataset_disassociate(sigrdataset);
 		if (is_zone) {
 			if (view->cachedb != NULL) {
@@ -528,7 +627,6 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 				 * don't know it.
 				 */
 				is_zone = ISC_FALSE;
-				version = NULL;
 				dns_db_detach(&db);
 				dns_db_attach(view->cachedb, &db);
 				goto db_find;
@@ -538,10 +636,10 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 			 * We don't have the data in the cache.  If we've got
 			 * glue from the zone, use it.
 			 */
-			if (zrdataset.methods != NULL) {
+			if (dns_rdataset_isassociated(&zrdataset)) {
 				dns_rdataset_clone(&zrdataset, rdataset);
 				if (sigrdataset != NULL &&
-				    zsigrdataset.methods != NULL)
+				    dns_rdataset_isassociated(&zsigrdataset))
 					dns_rdataset_clone(&zsigrdataset,
 							   sigrdataset);
 				result = DNS_R_GLUE;
@@ -551,7 +649,7 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		/*
 		 * We don't know the answer.
 		 */
-		result = DNS_R_NOTFOUND;
+		result = ISC_R_NOTFOUND;
 	} else if (result == DNS_R_GLUE) {
 		if (view->cachedb != NULL) {
 			/*
@@ -559,11 +657,10 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 			 * Remember what we've got and go look in the cache.
 			 */
 			is_zone = ISC_FALSE;
-			version = NULL;
 			dns_rdataset_clone(rdataset, &zrdataset);
 			dns_rdataset_disassociate(rdataset);
 			if (sigrdataset != NULL &&
-			    sigrdataset->methods != NULL) {
+			    dns_rdataset_isassociated(sigrdataset)) {
 				dns_rdataset_clone(sigrdataset, &zsigrdataset);
 				dns_rdataset_disassociate(sigrdataset);
 			}
@@ -577,10 +674,11 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		result = ISC_R_SUCCESS;
 	}
 
-	if (result == DNS_R_NOTFOUND && use_hints && view->hints != NULL) {
-		if (rdataset->methods != NULL)
+	if (result == ISC_R_NOTFOUND && use_hints && view->hints != NULL) {
+		if (dns_rdataset_isassociated(rdataset))
 			dns_rdataset_disassociate(rdataset);
-		if (sigrdataset != NULL && sigrdataset->methods != NULL)
+		if (sigrdataset != NULL &&
+		    dns_rdataset_isassociated(sigrdataset))
 			dns_rdataset_disassociate(sigrdataset);
 		result = dns_db_find(view->hints, name, NULL, type, options,
 				     now, NULL, foundname,
@@ -593,8 +691,8 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 			dns_resolver_prime(view->resolver);
 			result = DNS_R_HINT;
 		} else if (result == DNS_R_NXDOMAIN ||
-			   result == DNS_R_NXRDATASET)
-			result = DNS_R_NOTFOUND;
+			   result == DNS_R_NXRRSET)
+			result = ISC_R_NOTFOUND;
 	}
 
  cleanup:
@@ -602,15 +700,16 @@ dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		/*
 		 * We don't care about any DNSSEC proof data in these cases.
 		 */
-		if (rdataset->methods != NULL)
+		if (dns_rdataset_isassociated(rdataset))
 			dns_rdataset_disassociate(rdataset);
-		if (sigrdataset != NULL && sigrdataset->methods != NULL)
+		if (sigrdataset != NULL &&
+		    dns_rdataset_isassociated(sigrdataset))
 			dns_rdataset_disassociate(sigrdataset);
 	}
 
-	if (zrdataset.methods != NULL) {
+	if (dns_rdataset_isassociated(&zrdataset)) {
 		dns_rdataset_disassociate(&zrdataset);
-		if (zsigrdataset.methods != NULL)
+		if (dns_rdataset_isassociated(&zsigrdataset))
 			dns_rdataset_disassociate(&zsigrdataset);
 	}
 	if (db != NULL)
@@ -641,9 +740,10 @@ dns_view_simplefind(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		 * foundname is not returned by this simplified API.  We
 		 * disassociate them here to prevent any misuse by the caller.
 		 */
-		if (rdataset->methods != NULL)
+		if (dns_rdataset_isassociated(rdataset))
 			dns_rdataset_disassociate(rdataset);
-		if (sigrdataset != NULL && sigrdataset->methods != NULL)
+		if (sigrdataset != NULL &&
+		    dns_rdataset_isassociated(sigrdataset))
 			dns_rdataset_disassociate(sigrdataset);
 	} else if (result != ISC_R_SUCCESS &&
 		   result != DNS_R_GLUE &&
@@ -651,12 +751,13 @@ dns_view_simplefind(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 		   result != DNS_R_NCACHENXDOMAIN &&
 		   result != DNS_R_NCACHENXRRSET &&
 		   result != DNS_R_NXRRSET &&
-		   result != DNS_R_NOTFOUND) {
-		if (rdataset->methods != NULL)
+		   result != ISC_R_NOTFOUND) {
+		if (dns_rdataset_isassociated(rdataset))
 			dns_rdataset_disassociate(rdataset);
-		if (sigrdataset != NULL && sigrdataset->methods != NULL)
+		if (sigrdataset != NULL &&
+		    dns_rdataset_isassociated(sigrdataset))
 			dns_rdataset_disassociate(sigrdataset);
-		result = DNS_R_NOTFOUND;
+		result = ISC_R_NOTFOUND;
 	}
 
 	return (result);
@@ -699,8 +800,8 @@ dns_view_findzonecut(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
 	/*
 	 * Find the right database.
 	 */
-	result = dns_zt_find(view->zonetable, name, NULL, &zone);
-	if (result == DNS_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+	result = dns_zt_find(view->zonetable, name, 0, NULL, &zone);
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
 		result = dns_zone_getdb(zone, &db);
 	if (result == ISC_R_NOTFOUND) {
 		/*
@@ -751,7 +852,7 @@ dns_view_findzonecut(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
 			dns_rdataset_clone(rdataset, &zrdataset);
 			dns_rdataset_disassociate(rdataset);
 			if (sigrdataset != NULL &&
-			    sigrdataset->methods != NULL) {
+			    dns_rdataset_isassociated(sigrdataset)) {
 				dns_rdataset_clone(sigrdataset, &zsigrdataset);
 				dns_rdataset_disassociate(sigrdataset);
 			}
@@ -795,17 +896,18 @@ dns_view_findzonecut(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
 
  finish:
 	if (use_zone) {
-		if (rdataset->methods != NULL) {
+		if (dns_rdataset_isassociated(rdataset)) {
 			dns_rdataset_disassociate(rdataset);
 			if (sigrdataset != NULL &&
-			    sigrdataset->methods != NULL)
+			    dns_rdataset_isassociated(sigrdataset))
 				dns_rdataset_disassociate(sigrdataset);
 		}
 		result = dns_name_concatenate(zfname, NULL, fname, NULL);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 		dns_rdataset_clone(&zrdataset, rdataset);
-		if (sigrdataset != NULL && zrdataset.methods != NULL)
+		if (sigrdataset != NULL &&
+		    dns_rdataset_isassociated(&zrdataset))
 			dns_rdataset_clone(&zsigrdataset, sigrdataset);
 	} else if (try_hints && use_hints && view->hints != NULL) {
 		/*
@@ -824,9 +926,9 @@ dns_view_findzonecut(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
 	}
 
  cleanup:
-	if (zrdataset.methods != NULL) {
+	if (dns_rdataset_isassociated(&zrdataset)) {
 		dns_rdataset_disassociate(&zrdataset);
-		if (zsigrdataset.methods != NULL)
+		if (dns_rdataset_isassociated(&zsigrdataset))
 			dns_rdataset_disassociate(&zsigrdataset);
 	}
 	if (db != NULL)
diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index 42c01fa0..4ae56cad 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -15,57 +15,49 @@
  * SOFTWARE.
  */
 
-/* $Id: xfrin.c,v 1.54 2000/03/20 21:07:48 gson Exp $ */
+/* $Id: xfrin.c,v 1.71 2000/05/18 16:47:14 gson Exp $ */
 
 #include <config.h>
 
-#include <stdlib.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <string.h>
-
-#include <sys/types.h>
-
-#include <isc/assertions.h>
-#include <isc/error.h>
 #include <isc/mem.h>
-#include <isc/result.h>
-#include <isc/timer.h>
-#include <isc/net.h>
 #include <isc/print.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/task.h>
+#include <isc/timer.h>
 #include <isc/util.h>
 
 #include <dns/db.h>
-#include <dns/dbiterator.h>
 #include <dns/events.h>
-#include <dns/fixedname.h>
 #include <dns/journal.h>
 #include <dns/log.h>
 #include <dns/message.h>
-#include <dns/name.h>
-#include <dns/peer.h>
-#include <dns/rdata.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
 #include <dns/result.h>
 #include <dns/tcpmsg.h>
 #include <dns/tsig.h>
-#include <dns/types.h>
 #include <dns/view.h>
 #include <dns/xfrin.h>
 #include <dns/zone.h>
-#include <dns/zt.h>
 
 /*
  * Incoming AXFR and IXFR.
  */
 
-#define FAIL(code) do { result = (code); goto failure; } while (0)
-#define CHECK(op) do { result = (op); \
-		       if (result != DNS_R_SUCCESS) goto failure; \
-		     } while (0)
+/*
+ * It would be non-sensical (or at least obtuse) to use FAIL() with an
+ * ISC_R_SUCCESS code, but the test is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define FAIL(code) \
+	do { result = (code);					\
+		if (result != ISC_R_SUCCESS) goto failure;	\
+	} while (0)
+
+#define CHECK(op) \
+	do { result = (op);					\
+		if (result != ISC_R_SUCCESS) goto failure;	\
+	} while (0)
 
 /*
  * The states of the *XFR state machine.  We handle both IXFR and AXFR
@@ -91,6 +83,7 @@ typedef enum {
  */
 
 struct dns_xfrin_ctx {
+	unsigned int		magic;
 	isc_mem_t		*mctx;
 	dns_zone_t		*zone;
 
@@ -161,11 +154,11 @@ struct dns_xfrin_ctx {
 		dns_journal_t 	*journal;
 		
 	} ixfr;
-
-	ISC_LINK(dns_xfrin_ctx_t) link;
-	dns_xfrinlist_t	*transferlist;
 };
 
+#define XFRIN_MAGIC		  0x58667269U		/* XfrI. */
+#define VALID_XFRIN(x)		  ISC_MAGIC_VALID(x, XFRIN_MAGIC)
+
 /**************************************************************************/
 /*
  * Forward declarations.
@@ -243,7 +236,7 @@ axfr_init(dns_xfrin_ctx_t *xfr) {
 	CHECK(axfr_makedb(xfr, &xfr->db));
 	CHECK(dns_db_beginload(xfr->db, &xfr->axfr.add_func,
 			       &xfr->axfr.add_private));
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
  failure:
 	return (result);
 }
@@ -270,7 +263,7 @@ axfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
 	dns_diff_append(&xfr->diff, &tuple);
 	if (++xfr->difflen > 100)
 		CHECK(axfr_apply(xfr));
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
  failure:
 	return (result);
 }
@@ -283,7 +276,7 @@ axfr_apply(dns_xfrin_ctx_t *xfr) {
 			    xfr->axfr.add_func, xfr->axfr.add_private));
 	xfr->difflen = 0;
 	dns_diff_clear(&xfr->diff);
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
  failure:
 	return (result);
 }
@@ -314,7 +307,7 @@ ixfr_init(dns_xfrin_ctx_t *xfr) {
 	xfr->difflen = 0;
         CHECK(dns_journal_open(xfr->mctx, dns_zone_getjournal(xfr->zone),
 			       ISC_TRUE, &xfr->ixfr.journal));
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
  failure:
 	return (result);
 }
@@ -330,12 +323,14 @@ ixfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
 	dns_diff_append(&xfr->diff, &tuple);
 	if (++xfr->difflen > 100)
 		CHECK(ixfr_apply(xfr));
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
  failure:
 	return (result);
 }
 
-/* Apply a set of IXFR changes to the database. */
+/*
+ * Apply a set of IXFR changes to the database.
+ */
 static isc_result_t
 ixfr_apply(dns_xfrin_ctx_t *xfr) {
 	isc_result_t result;
@@ -347,7 +342,7 @@ ixfr_apply(dns_xfrin_ctx_t *xfr) {
 	dns_journal_writediff(xfr->ixfr.journal, &xfr->diff);
 	dns_diff_clear(&xfr->diff);
 	xfr->difflen = 0;
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
  failure:
 	return (result);
 }
@@ -361,7 +356,7 @@ ixfr_commit(dns_xfrin_ctx_t *xfr) {
 		CHECK(dns_journal_commit(xfr->ixfr.journal));
 		dns_db_closeversion(xfr->db, &xfr->ver, ISC_TRUE);
 	}
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
  failure:
 	return (result);
 }
@@ -384,7 +379,8 @@ xfr_rr(dns_xfrin_ctx_t *xfr,
 	switch (xfr->state) {
 	case XFRST_SOAQUERY:
 		xfr->end_serial = dns_soa_getserial(rdata);
-		if (!DNS_SERIAL_GT(xfr->end_serial, xfr->ixfr.request_serial)) {
+		if (!DNS_SERIAL_GT(xfr->end_serial,
+				   xfr->ixfr.request_serial)) {
 			xfrin_log(xfr, ISC_LOG_DEBUG(3),
 				  "requested serial %u, "
 				  "master has %u, not updating",
@@ -396,12 +392,16 @@ xfr_rr(dns_xfrin_ctx_t *xfr,
 
 	case XFRST_GOTSOA:
 		/*
-		 * skip other records in the answer section
+		 * Skip other records in the answer section.
 		 */
 		break;
 
 	case XFRST_INITIALSOA:
-		INSIST(rdata->type == dns_rdatatype_soa);
+		if (rdata->type != dns_rdatatype_soa) {
+			xfrin_log(xfr, ISC_LOG_ERROR,
+				  "first RR in zone transfer must be SOA");
+			FAIL(DNS_R_FORMERR);
+		}
 		/*
 		 * Remember the serial number in the intial SOA.
 		 * We need it to recognize the end of an IXFR.
@@ -493,122 +493,27 @@ xfr_rr(dns_xfrin_ctx_t *xfr,
 		INSIST(0);
 		break;
 	}
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
  failure:
 	return (result);
 }
 
 isc_result_t
-dns_xfrin_create(dns_zone_t *zone, isc_sockaddr_t *masteraddr,
+dns_xfrin_create(dns_zone_t *zone, dns_rdatatype_t xfrtype,
+		 isc_sockaddr_t *masteraddr, dns_tsigkey_t *tsigkey,
 		 isc_mem_t *mctx, isc_timermgr_t *timermgr,
 		 isc_socketmgr_t *socketmgr, isc_task_t *task,
 		 dns_xfrindone_t done, dns_xfrin_ctx_t **xfrp)
 {
-	dns_name_t *zonename;
-	dns_xfrin_ctx_t *xfr, *x;
+	dns_name_t *zonename = dns_zone_getorigin(zone);
+	dns_xfrin_ctx_t *xfr;
 	isc_result_t result;
 	dns_db_t *db = NULL;
-	dns_rdatatype_t xfrtype;
-	dns_tsigkey_t *key = NULL;
-	isc_netaddr_t masterip;
-	dns_peer_t *peer = NULL;
-	int maxtransfersin, maxtransfersperns;
-	int nxfrsin, nxfrsperns;
-	dns_xfrinlist_t *transferlist;
-		
-	REQUIRE(xfrp != NULL && *xfrp == NULL);
-
-	zonename = dns_zone_getorigin(zone);
-
-	xfrin_log1(ISC_LOG_INFO, zonename, masteraddr, "starting");
-
-	/*
-	 * Find any configured information about the server we are about
-	 * to transfer from.
-	 */
-	isc_netaddr_fromsockaddr(&masterip, masteraddr);
-	(void) dns_peerlist_peerbyaddr(dns_zone_getview(zone)->peers,
-				       &masterip, &peer);
-
-	result = dns_zone_getdb(zone, &db);
-	if (result == DNS_R_NOTLOADED)
-		INSIST(db == NULL);
-	else
-		CHECK(result);
 
-	/*
-	 * Decide whether we should request IXFR or AXFR.
-	 */
-	if (db == NULL) {
-		xfrin_log1(ISC_LOG_DEBUG(3), zonename, masteraddr,
-			   "no database exists yet, "
-			   "requesting AXFR of initial version");
-		xfrtype = dns_rdatatype_axfr;
-	} else {
-		isc_boolean_t use_ixfr = ISC_TRUE;
-		if (peer != NULL &&
-		    dns_peer_getrequestixfr(peer, &use_ixfr) == ISC_R_SUCCESS) {
-			; /* Using peer setting */ 
-		} else {
-			use_ixfr = dns_zonemgr_getrequestixfr(dns_zone_getmgr(zone));
-		}
-		if (use_ixfr == ISC_FALSE) {
-			xfrin_log1(ISC_LOG_DEBUG(3), zonename, masteraddr,
-				   "IXFR disabled, requesting AXFR");
-			xfrtype = dns_rdatatype_axfr;			
-		} else {
-			xfrin_log1(ISC_LOG_DEBUG(3), zonename, masteraddr,
-				   "requesting IXFR");
-			xfrtype = dns_rdatatype_ixfr;
-		}
-	}
+	REQUIRE(xfrp != NULL && *xfrp == NULL);
 
-	/*
-	 * Determine the maximum number of simultaneous transfers
-	 * allowed for this server, then count the number of 
-	 * transfers already in progress and fail if the quota
-	 * is already full.
-	 * 
-	 * Count the number of transfers that are in progress from
-	 * this master.  We linearly scan a list of all transfers;
-	 * if this turns out to be too slow, we could hash on the
-	 * master address.
-	 *
-	 * Note that we must keep the transfer list locked for an
-	 * awkwardly long time because the scanning of the list
-	 * and the creation of a new entry must be done atomically,
-	 * and we don't want to create the transfer object until we
-	 * know there is quota available.
-	 */
-	maxtransfersin = 
-	    dns_zonemgr_getttransfersin(dns_zone_getmgr(zone));
-	maxtransfersperns =
-	    dns_zonemgr_getttransfersperns(dns_zone_getmgr(zone));
-	if (peer != NULL) {
-		(void) dns_peer_gettransfers(peer, &maxtransfersperns);
-	}
-	
-	transferlist = dns_zonemgr_gettransferlist(dns_zone_getmgr(zone));
-	LOCK(&transferlist->lock);
-	nxfrsin = nxfrsperns = 0;
-	for (x = ISC_LIST_HEAD(transferlist->transfers);
-	     x != NULL;
-	     x = ISC_LIST_NEXT(x, link))
-	{
-		isc_netaddr_t xip;
-		isc_netaddr_fromsockaddr(&xip, &x->masteraddr);
-		nxfrsin++;
-		if (isc_netaddr_equal(&xip, &masterip))
-			nxfrsperns++;
-	}
+	(void) dns_zone_getdb(zone, &db);
 	
-	if (nxfrsin >= maxtransfersin || nxfrsperns >= maxtransfersperns) {
-		result = ISC_R_QUOTA;
-		xfrin_log1(ISC_LOG_INFO, zonename, masteraddr,
-			   "deferred: %s", isc_result_totext(result));
-		goto unlock;
-	}
-
 	result = xfrin_create(mctx,
 			      zone,
 			      db,
@@ -617,15 +522,11 @@ dns_xfrin_create(dns_zone_t *zone, isc_sockaddr_t *masteraddr,
 			      socketmgr,
 			      zonename,
 			      dns_zone_getclass(zone), xfrtype,
-			      masteraddr, key, &xfr);
+			      masteraddr, tsigkey, &xfr);
 	if (result != ISC_R_SUCCESS)
 		goto unlock;
 
-	xfr->transferlist = transferlist;
-	ISC_LIST_APPEND(transferlist->transfers, xfr, link);
-	
  unlock:
-	UNLOCK(&transferlist->lock);
 	CHECK(result);
 
 	CHECK(xfrin_start(xfr));
@@ -637,7 +538,7 @@ dns_xfrin_create(dns_zone_t *zone, isc_sockaddr_t *masteraddr,
  failure:
 	if (db != NULL)
 		dns_db_detach(&db);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		xfrin_log1(ISC_LOG_ERROR, zonename, masteraddr,
 			   "zone transfer setup failed");
 	return (result);
@@ -671,11 +572,11 @@ xfrin_fail(dns_xfrin_ctx_t *xfr, isc_result_t result, char *msg) {
 		isc_socket_cancel(xfr->socket, xfr->task,
 				  ISC_SOCKCANCEL_SEND);
 	}
-	xfr->shuttingdown = ISC_TRUE;
 	if (xfr->done != NULL) {
 		(xfr->done)(xfr->zone, result);
 		xfr->done = NULL;
 	}
+	xfr->shuttingdown = ISC_TRUE;
 	maybe_free(xfr);
 }
 
@@ -700,11 +601,11 @@ xfrin_create(isc_mem_t *mctx,
 	
 	xfr = isc_mem_get(mctx, sizeof(*xfr));
 	if (xfr == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 	xfr->mctx = mctx;
 	xfr->refcount = 0;
 	xfr->zone = NULL;
-	dns_zone_iattach(zone, &xfr->zone);
+	dns_zone_attach(zone, &xfr->zone);
 	xfr->task = NULL;
 	isc_task_attach(task, &xfr->task);
 	xfr->timer = NULL;
@@ -753,9 +654,6 @@ xfrin_create(isc_mem_t *mctx,
 	xfr->axfr.add_func = NULL;
 	xfr->axfr.add_private = NULL;
 
-	ISC_LINK_INIT(xfr, link);
-	xfr->transferlist = NULL;
-
 	CHECK(dns_name_dup(zonename, mctx, &xfr->name));
 	
 	isc_interval_set(&maxinterval, dns_zone_getmaxxfrin(xfr->zone), 0);
@@ -780,11 +678,11 @@ xfrin_create(isc_mem_t *mctx,
 	}
 	
 	isc_buffer_init(&xfr->qbuffer, xfr->qbuffer_data,
-			sizeof(xfr->qbuffer_data),
-			ISC_BUFFERTYPE_BINARY);
+			sizeof(xfr->qbuffer_data));
 
+	xfr->magic = XFRIN_MAGIC;
 	*xfrp = xfr;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 	
  failure:
 	xfrin_fail(xfr, result, "creating transfer context");
@@ -818,9 +716,8 @@ render(dns_message_t *msg, isc_buffer_t *buf) {
 	CHECK(dns_message_rendersection(msg, DNS_SECTION_ANSWER, 0));
 	CHECK(dns_message_rendersection(msg, DNS_SECTION_AUTHORITY, 0));
 	CHECK(dns_message_rendersection(msg, DNS_SECTION_ADDITIONAL, 0));
-	CHECK(dns_message_rendersection(msg, DNS_SECTION_TSIG, 0));
 	CHECK(dns_message_renderend(msg));
-	result = DNS_R_SUCCESS;
+	result = ISC_R_SUCCESS;
  failure:
 	return (result);
 }
@@ -831,11 +728,15 @@ render(dns_message_t *msg, isc_buffer_t *buf) {
 static void
 xfrin_connect_done(isc_task_t *task, isc_event_t *event) {
 	isc_socket_connev_t *cev = (isc_socket_connev_t *) event;
-	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->arg;
+	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
 	isc_result_t evresult = cev->result;
 	isc_result_t result;
-	task = task; /* Unused */
-	INSIST(event->type == ISC_SOCKEVENT_CONNECT);
+
+	REQUIRE(VALID_XFRIN(xfr));
+
+	UNUSED(task);
+
+	INSIST(event->ev_type == ISC_SOCKEVENT_CONNECT);
 	isc_event_free(&event);
 
 	xfr->connects--;
@@ -852,7 +753,7 @@ xfrin_connect_done(isc_task_t *task, isc_event_t *event) {
 
 	CHECK(xfrin_send_request(xfr));
  failure:
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		xfrin_fail(xfr, result, "connect"); 
 }
 
@@ -949,11 +850,13 @@ xfrin_send_request(dns_xfrin_ctx_t *xfr) {
 
 	CHECK(render(msg, &xfr->qbuffer));
 
-	/* Save the query TSIG and don't let message_destroy free it */
+	/*
+	 * Save the query TSIG and don't let message_destroy free it.
+	 */
 	xfr->lasttsig = msg->tsig;
 	msg->tsig = NULL;
 
-	isc_buffer_used(&xfr->qbuffer, &region);
+	isc_buffer_usedregion(&xfr->qbuffer, &region);
 	INSIST(region.length <= 65535);
 
 	length[0] = region.length >> 8;
@@ -977,16 +880,18 @@ xfrin_send_request(dns_xfrin_ctx_t *xfr) {
 /* XXX there should be library support for sending DNS TCP messages */
 
 static void
-xfrin_sendlen_done(isc_task_t *task, isc_event_t *event)
-{
+xfrin_sendlen_done(isc_task_t *task, isc_event_t *event) {
 	isc_socketevent_t *sev = (isc_socketevent_t *) event;
-	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->arg;
+	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
 	isc_result_t evresult = sev->result;
 	isc_result_t result;
 	isc_region_t region;
 
-	task = task; /* Unused */
-	INSIST(event->type == ISC_SOCKEVENT_SENDDONE);
+	REQUIRE(VALID_XFRIN(xfr));
+
+	UNUSED(task);
+
+	INSIST(event->ev_type == ISC_SOCKEVENT_SENDDONE);
 	isc_event_free(&event);
 	
 	xfr->sends--;
@@ -998,25 +903,27 @@ xfrin_sendlen_done(isc_task_t *task, isc_event_t *event)
 	xfrin_log(xfr, ISC_LOG_DEBUG(3), "sent request length prefix");
 	CHECK(evresult);
 
-	isc_buffer_used(&xfr->qbuffer, &region);
+	isc_buffer_usedregion(&xfr->qbuffer, &region);
 	CHECK(isc_socket_send(xfr->socket, &region, xfr->task,
 			      xfrin_send_done, xfr));
 	xfr->sends++;
  failure:
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		xfrin_fail(xfr, result, "sending request length prefix");
 }
 
 
 static void
-xfrin_send_done(isc_task_t *task, isc_event_t *event)
-{
+xfrin_send_done(isc_task_t *task, isc_event_t *event) {
 	isc_socketevent_t *sev = (isc_socketevent_t *) event;
-	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->arg;
+	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
 	isc_result_t result;
 
-	task = task; /* Unused */
-	INSIST(event->type == ISC_SOCKEVENT_SENDDONE);
+	REQUIRE(VALID_XFRIN(xfr));
+
+	UNUSED(task);
+
+	INSIST(event->ev_type == ISC_SOCKEVENT_SENDDONE);
 
 	xfr->sends--;	
 	xfrin_log(xfr, ISC_LOG_DEBUG(3), "sent request data");
@@ -1027,23 +934,25 @@ xfrin_send_done(isc_task_t *task, isc_event_t *event)
 	xfr->recvs++;
  failure:
 	isc_event_free(&event);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		xfrin_fail(xfr, result, "sending request data");
 }
 
 
 static void
 xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
-	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) ev->arg;
+	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) ev->ev_arg;
 	isc_result_t result;
 	dns_message_t *msg = NULL;
 	dns_name_t *name;
 	dns_tcpmsg_t *tcpmsg;
+
+	REQUIRE(VALID_XFRIN(xfr));
+
+	UNUSED(task);
 	
-	task = task; /* Unused */
-	
-	INSIST(ev->type == DNS_EVENT_TCPMSG);
-	tcpmsg = ev->sender;
+	INSIST(ev->ev_type == DNS_EVENT_TCPMSG);
+	tcpmsg = ev->ev_sender;
 	isc_event_free(&ev);
 	
 	xfr->recvs--;
@@ -1069,8 +978,8 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 
 	result = dns_message_parse(msg, &tcpmsg->buffer, ISC_TRUE);
 
-	if (result != DNS_R_SUCCESS || msg->rcode != dns_rcode_noerror) {
-		if (result == DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS || msg->rcode != dns_rcode_noerror) {
+		if (result == ISC_R_SUCCESS)
 			result = ISC_RESULTCLASS_DNSRCODE + msg->rcode; /*XXX*/
 		if (xfr->reqtype == dns_rdatatype_axfr ||
 		    xfr->reqtype == dns_rdatatype_soa)
@@ -1083,21 +992,33 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 		CHECK(xfrin_send_request(xfr));
 		return;
 	}
-	
+
+	result = dns_message_checksig(msg, dns_zone_getview(xfr->zone));
+	if (result != ISC_R_SUCCESS) {
+		xfrin_log(xfr, ISC_LOG_DEBUG(3), "TSIG check failed: %s",
+		       isc_result_totext(result));
+		return;
+	}
+
 	for (result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
-	     result == DNS_R_SUCCESS;
+	     result == ISC_R_SUCCESS;
 	     result = dns_message_nextname(msg, DNS_SECTION_ANSWER))
 	{
 		dns_rdataset_t *rds;
 		
 		name = NULL;
 		dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
+		if (!dns_name_issubdomain(name, &xfr->name)) {
+			xfrin_log(xfr, ISC_LOG_WARNING,
+				  "ignoring out-of-zone data");
+			continue;
+		}
 		for (rds = ISC_LIST_HEAD(name->list);
 		     rds != NULL;
 		     rds = ISC_LIST_NEXT(rds, link))
 		{
 			for (result = dns_rdataset_first(rds);
-			     result == DNS_R_SUCCESS;
+			     result == ISC_R_SUCCESS;
 			     result = dns_rdataset_next(rds))
 			{
 				dns_rdata_t rdata;
@@ -1106,24 +1027,32 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 			}
 		}
 	}
-	if (result != DNS_R_NOMORE)
+	if (result != ISC_R_NOMORE)
 		goto failure;
 
 	if (msg->tsig != NULL) {
-		/* Reset the counter */
+		/*
+		 * Reset the counter.
+		 */
 		xfr->sincetsig = 0;
 
-		/* Free the last tsig, if there is one */
+		/*
+		 * Free the last tsig, if there is one.
+		 */
 		if (xfr->lasttsig != NULL) {
 			dns_rdata_freestruct(xfr->lasttsig);
 			isc_mem_put(xfr->mctx, xfr->lasttsig,
 				    sizeof(*xfr->lasttsig));
 		}
 
-		/* Update the last tsig pointer */
+		/*
+		 * Update the last tsig pointer.
+		 */
 		xfr->lasttsig = msg->tsig;
 
-		/* Reset msg->tsig so it doesn't get freed */
+		/*
+		 * Reset msg->tsig so it doesn't get freed.
+		 */
 		msg->tsig = NULL;
 	} else if (msg->tsigkey != NULL) {
 		xfr->sincetsig++;
@@ -1135,13 +1064,19 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 		}
 	}
 
-	/* Update the number of messages received */
+	/*
+	 * Update the number of messages received.
+	 */
 	xfr->nmsg++;
 	
-	/* Reset msg->querytsig so it doesn't get freed */
+	/*
+	 * Reset msg->querytsig so it doesn't get freed.
+	 */
 	msg->querytsig = NULL;
 
-	/* Copy the context back */
+	/*
+	 * Copy the context back.
+	 */
 	xfr->tsigctx = msg->tsigctx;
 
 	dns_message_destroy(&msg);
@@ -1151,7 +1086,6 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 		xfr->state = XFRST_INITIALSOA;
 		CHECK(xfrin_send_request(xfr));
 	} else if (xfr->state == XFRST_END) {
-		xfr->shuttingdown = ISC_TRUE;
 		/*
 		 * Inform the caller we succeeded.
 		 */
@@ -1163,9 +1097,12 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 		 * We should have no outstanding events at this
 		 * point, thus maybe_free() should succeed.
 		 */
+		xfr->shuttingdown = ISC_TRUE;
 		maybe_free(xfr);
 	} else {
-		/* Read the next message. */
+		/*
+		 * Read the next message.
+		 */
 		CHECK(dns_tcpmsg_readmessage(&xfr->tcpmsg, xfr->task,
 					     xfrin_recv_done, xfr));
 		xfr->recvs++;
@@ -1177,21 +1114,29 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 		msg->querytsig = NULL;
 		dns_message_destroy(&msg);
 	}
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		xfrin_fail(xfr, result, "receiving responses");
 }
 
 static void
 xfrin_timeout(isc_task_t *task, isc_event_t *event) {
-	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->arg;
-	task = task; /* Unused */
+	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
+
+	REQUIRE(VALID_XFRIN(xfr));
+
+	UNUSED(task);
+
 	isc_event_free(&event);
-	/* This will log "giving up: timeout". */
+	/*
+	 * This will log "giving up: timeout".
+	 */
 	xfrin_fail(xfr, ISC_R_TIMEDOUT, "giving up");
 }
 
 static void
 maybe_free(dns_xfrin_ctx_t *xfr) {
+	REQUIRE(VALID_XFRIN(xfr));
+
 	if (! xfr->shuttingdown || xfr->refcount != 0 ||
 	    xfr->connects != 0 || xfr->sends != 0 ||
 	    xfr->recvs != 0)
@@ -1199,13 +1144,6 @@ maybe_free(dns_xfrin_ctx_t *xfr) {
 
 	xfrin_log(xfr, ISC_LOG_INFO, "end of transfer");
 
-	if (xfr->transferlist != NULL) {
-		LOCK(&xfr->transferlist->lock);
-		ISC_LIST_UNLINK(xfr->transferlist->transfers, xfr, link);
-		UNLOCK(&xfr->transferlist->lock);
-		xfr->transferlist = NULL;
-	}
-			    
 	if (xfr->socket != NULL)
 		isc_socket_detach(&xfr->socket);
 
@@ -1241,7 +1179,7 @@ maybe_free(dns_xfrin_ctx_t *xfr) {
 		dns_db_detach(&xfr->db);
 
 	if (xfr->zone != NULL)
-		dns_zone_idetach(&xfr->zone);
+		dns_zone_detach(&xfr->zone);
 		
 	isc_mem_put(xfr->mctx, xfr, sizeof(*xfr));
 }
@@ -1254,27 +1192,15 @@ static void
 xfrin_logv(int level, dns_name_t *zonename, isc_sockaddr_t *masteraddr, 
 	   const char *fmt, va_list ap)
 {
-	isc_buffer_t znbuf;
-	char znmem[1024];
+	char znbuf[1024];
 	isc_buffer_t masterbuf;
 	char mastermem[256];
 	isc_result_t result;
 	char msgmem[2048];
-	isc_boolean_t omit_final_dot = ISC_TRUE;
 
-	if (dns_name_equal(zonename, dns_rootname))
-		omit_final_dot = ISC_FALSE;
-
-	isc_buffer_init(&znbuf, znmem, sizeof(znmem), ISC_BUFFERTYPE_TEXT);
-	result = dns_name_totext(zonename, omit_final_dot, &znbuf);
-	if (result != DNS_R_SUCCESS) {
-		isc_buffer_clear(&znbuf);
-		isc_buffer_putmem(&znbuf, (unsigned char *)"<UNKNOWN>",
-				  strlen("<UNKNOWN>"));
-	}
+	dns_name_format(zonename, znbuf, sizeof(znbuf));
 	
-	isc_buffer_init(&masterbuf, mastermem, sizeof(mastermem),
-			ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&masterbuf, mastermem, sizeof(mastermem));
 	result = isc_sockaddr_totext(masteraddr, &masterbuf);
 	if (result != ISC_R_SUCCESS)
 		strcpy(masterbuf.base, "<UNKNOWN>");
@@ -1283,11 +1209,13 @@ xfrin_logv(int level, dns_name_t *zonename, isc_sockaddr_t *masteraddr,
 
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_XFER_IN, 
 		      DNS_LOGMODULE_XFER_IN, level,
-		      "transfer of %.*s from %s: %s", znbuf.used, znbuf.base,
+		      "transfer of '%s' from %s: %s", znbuf,
 		      masterbuf.base, msgmem);
 }
 
-/* Logging function for use when a xfrin_ctx_t has not yet been created. */
+/*
+ * Logging function for use when a xfrin_ctx_t has not yet been created.
+ */
 
 static void
 xfrin_log1(int level, dns_name_t *zonename, isc_sockaddr_t *masteraddr, 
@@ -1299,7 +1227,9 @@ xfrin_log1(int level, dns_name_t *zonename, isc_sockaddr_t *masteraddr,
 	va_end(ap);
 }
 
-/* Logging function for use when there is a xfrin_ctx_t. */
+/*
+ * Logging function for use when there is a xfrin_ctx_t.
+ */
 
 static void
 xfrin_log(dns_xfrin_ctx_t *xfr, unsigned int level, const char *fmt, ...)
@@ -1309,12 +1239,3 @@ xfrin_log(dns_xfrin_ctx_t *xfr, unsigned int level, const char *fmt, ...)
 	xfrin_logv(level, &xfr->name, &xfr->masteraddr, fmt, ap);
 	va_end(ap);
 }
-
-isc_result_t dns_xfrinlist_init(dns_xfrinlist_t *list) {
-	ISC_LIST_INIT(list->transfers);
-	return (isc_mutex_init(&list->lock));
-}
-
-void dns_xfrinlist_destroy(dns_xfrinlist_t *list) {
-	isc_mutex_destroy(&list->lock);
-}
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 56885fbc..7cd47345 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,92 +15,69 @@
  * SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.88 2000/03/21 00:17:15 marka Exp $ */
+/* $Id: zone.c,v 1.123 2000/05/23 04:38:22 gson Exp $ */
 
 #include <config.h>
 
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/magic.h>
-#include <isc/mktemplate.h>
+#include <isc/file.h>
 #include <isc/print.h>
+#include <isc/ratelimiter.h>
 #include <isc/serial.h>
+#include <isc/string.h>
 #include <isc/taskpool.h>
 #include <isc/timer.h>
-#include <isc/ufile.h>
 #include <isc/util.h>
 
 #include <dns/acl.h>
+#include <dns/adb.h>
 #include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/dispatch.h>
 #include <dns/events.h>
 #include <dns/journal.h>
 #include <dns/log.h>
-#include <dns/master.h>
 #include <dns/masterdump.h>
 #include <dns/message.h>
+#include <dns/peer.h>
 #include <dns/rcode.h>
-#include <dns/rdata.h>
 #include <dns/rdatalist.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
+#include <dns/rdataset.h>
+#include <dns/request.h>
 #include <dns/resolver.h>
+#include <dns/result.h>
 #include <dns/ssu.h>
+#include <dns/tsig.h>
 #include <dns/xfrin.h>
 #include <dns/zone.h>
-#include <dns/zt.h>
-
-/* XXX remove once config changes are in place */
-#define dns_zone_uptodate(x) zone_log(x, me, ISC_LOG_INFO, "dns_zone_uptodate")
-#define referral(x) ISC_FALSE
 
-#include <stdarg.h>
-
-#define ZONE_MAGIC 0x5a4f4e45U
-#define CHECKSERVERS_MAGIC 0x43484346U
+#define ZONE_MAGIC 0x5a4f4e45U		/* ZONE */
+#define NOTIFY_MAGIC 0x4e746679U	/* Ntfy */
 
 #define DNS_ZONE_VALID(zone) \
 	ISC_MAGIC_VALID(zone, ZONE_MAGIC)
-#define DNS_CHECKSERVERS_VALID(server) \
-	ISC_MAGIC_VALID(zone, CHECKSERVERS_MAGIC)
-
-#ifndef DNS_GLOBAL_OPTION	/* XXX MPA */
-#define DNS_GLOBAL_OPTION(o) 0
-#endif
-
-#define DEFAULT_REFRESH	900	/*XXX*/
-#define DEFAULT_RETRY 300	/*XXX*/
-#define MAX_XFER_TIME (2*3600)	/* Documented default is 2 hours. */
+#define DNS_NOTIFY_VALID(notify) \
+	ISC_MAGIC_VALID(notify, NOTIFY_MAGIC)
 
 #define RANGE(a, b, c) (((a) < (b)) ? (b) : ((a) < (c) ? (a) : (c)))
 
-#define DNS_MIN_REFRESH 2
+/*
+ * Implementation limits.
+ */
+#define DNS_MIN_REFRESH 2		/* 2 seconds */
 #define DNS_MAX_REFRESH 2419200		/* 4 weeks */
-#define DNS_MIN_RETRY	1
+#define DNS_MIN_RETRY	1		/* 1 second */
 #define DNS_MAX_RETRY	1209600		/* 2 weeks */
 #define DNS_MAX_EXPIRE	14515200	/* 24 weeks */
+
+/*
+ * Default values.
+ */
 #define DNS_DEFAULT_IDLEIN 3600		/* 1 hour */
 #define DNS_DEFAULT_IDLEOUT 3600	/* 1 hour */
+#define DEFAULT_REFRESH	900		/* 15 minutes */
+#define DEFAULT_RETRY 300		/* 5 minutes */
+#define MAX_XFER_TIME (2*3600)		/* Documented default is 2 hours */
+
 
-typedef enum {
-	get_a6, get_aaaa, get_a, get_ns, get_soa
-} dns_zone_state_t;
-
-typedef struct dns_zone_checkservers {
-	isc_uint32_t			magic;
-	isc_boolean_t			name_known;
-	dns_name_t			server;
-	isc_sockaddr_t			address;
-	dns_zone_state_t		state;
-	dns_zone_t			*zone;
-	dns_resolver_t			*res;
-	isc_mem_t			*mctx;
-	dns_fetch_t			*fetch;
-	ISC_LINK(struct dns_zone_checkservers) link;
-} dns_zone_checkservers_t;
+typedef struct notify notify_t;
 
 struct dns_zone {
 	/* Unlocked */
@@ -109,56 +86,50 @@ struct dns_zone {
 	isc_mem_t		*mctx;
 
 	/* Locked */
-	dns_db_t		*top;
+	dns_db_t		*db;
 	dns_zonemgr_t		*zmgr;
 	ISC_LINK(dns_zone_t)	link;		/* Used by zmgr. */
 	isc_timer_t		*timer;
 	unsigned int		erefs;
 	unsigned int		irefs;
-	isc_boolean_t		shuttingdown;
 	dns_name_t		origin;
-	char 			*database;
+	char 			*dbname;
 	char			*journal;
 	isc_int32_t		journalsize;
 	dns_rdataclass_t	rdclass;
 	dns_zonetype_t		type;
 	unsigned int		flags;
 	unsigned int		options;
-	unsigned int		setoptions;
-	char *			db_type;
+	char			*db_type;
 	unsigned int		db_argc;
-	char **			db_argv;
+	char			**db_argv;
 	isc_stdtime_t		expiretime;
 	isc_stdtime_t		refreshtime;
 	isc_stdtime_t		dumptime;
-	isc_stdtime_t		servertime;
-	isc_stdtime_t		parenttime;
-	isc_stdtime_t		childtime;
+	isc_time_t		loadtime;
 	isc_uint32_t		serial;
 	isc_uint32_t		refresh;
 	isc_uint32_t		retry;
 	isc_uint32_t		expire;
 	isc_uint32_t		minimum;
-	isc_sockaddr_t *	masters;
+	isc_sockaddr_t		*masters;
 	unsigned int		masterscnt;
-	in_port_t		masterport;
 	unsigned int		curmaster;
-	isc_sockaddr_t *	notify;
+	isc_sockaddr_t		masteraddr;
+	isc_sockaddr_t		*notify;
 	unsigned int		notifycnt;
 	isc_sockaddr_t		notifyfrom;
-	isc_task_t *		task;
+	isc_task_t		*task;
 	isc_sockaddr_t	 	xfrsource4;
 	isc_sockaddr_t	 	xfrsource6;
-	dns_xfrin_ctx_t *	xfr;
+	dns_xfrin_ctx_t		*xfr;
 	/* Access Control Lists */
 	dns_acl_t		*update_acl;
 	dns_acl_t		*query_acl;
 	dns_acl_t		*xfr_acl;
 	dns_severity_t		check_names;
-	ISC_LIST(dns_zone_checkservers_t)	checkservers;
-	dns_fetch_t		*fetch;
-	dns_resolver_t		*res;
-	isc_socketmgr_t		*socketmgr;
+	ISC_LIST(notify_t)	notifies;
+	dns_request_t		*request;
 	isc_uint32_t		maxxfrin;
 	isc_uint32_t		maxxfrout;
 	isc_uint32_t		idlein;
@@ -167,63 +138,90 @@ struct dns_zone {
 	isc_event_t		ctlevent;
 	dns_ssutable_t		*ssutable;
 	dns_view_t		*view;
+	/*
+	 * Zones in certain states such as "waiting for zone transfer" 
+	 * or "zone transfer in progress" are kept on per-state linked lists
+	 * in the zone manager using the 'statelink' field.  The 'statelist'
+	 * field points at the list the zone is currently on.  It the zone
+	 * is not on any such list, statelist is NULL.
+	 */
+	ISC_LINK(dns_zone_t)	statelink;	
+	dns_zonelist_t	        *statelist;
+	
 };
 
 #define DNS_ZONE_FLAG(z,f) (((z)->flags & (f)) != 0)
 	/* XXX MPA these may need to go back into zone.h */
 #define DNS_ZONE_F_REFRESH      0x00000001U     /* refresh check in progress */
 #define DNS_ZONE_F_NEEDDUMP     0x00000002U     /* zone need consolidation */
-#define DNS_ZONE_F_SERVERS      0x00000004U     /* servers check in progress */
-#define DNS_ZONE_F_PARENTS      0x00000008U     /* parents check in progress */
-#define DNS_ZONE_F_CHILDREN     0x00000010U     /* child check in progress */
+/* #define DNS_ZONE_F_UNUSED	0x00000004U */	/* unused */
+/* #define DNS_ZONE_F_UNUSED	0x00000008U */	/* unused */
+/* #define DNS_ZONE_F_UNUSED	0x00000010U */	/* unused */
 #define DNS_ZONE_F_LOADED       0x00000020U     /* database has loaded */
 #define DNS_ZONE_F_EXITING      0x00000040U     /* zone is being destroyed */
 #define DNS_ZONE_F_EXPIRED      0x00000080U     /* zone has expired */
 #define DNS_ZONE_F_NEEDREFRESH	0x00000100U	/* refresh check needed */
 #define DNS_ZONE_F_UPTODATE	0x00000200U	/* zone contents are 
 						 * uptodate */
+#define DNS_ZONE_F_NEEDNOTIFY	0x00000400U	/* need to send out notify
+						 * messages */
+#define DNS_ZONE_F_DIFFONRELOAD 0x00000800U	/* generate a journal diff on
+						 * reload */
+#define DNS_ZONE_F_NOMASTERS	0x00001000U	/* an attempt to refresh a
+						 * zone with no masters
+						 * occured */
 
-#define DNS_ZONE_OPTION(z,o) ((((z)->setoptions & (o)) != 0) ? \
-			      (((z)->options & (o)) != 0) : \
-			      DNS_GLOBAL_OPTION(o))
+#define DNS_ZONE_OPTION(z,o) (((z)->options & (o)) != 0)
 
 struct dns_zonemgr {
 	isc_mem_t *		mctx;
+	int			refs;
 	isc_taskmgr_t *		taskmgr;
 	isc_timermgr_t *	timermgr;
 	isc_socketmgr_t *	socketmgr;
 	isc_taskpool_t *	zonetasks;
 	isc_task_t *		task;
+	isc_ratelimiter_t *	rl;
 	isc_rwlock_t		rwlock;
 	isc_rwlock_t		conflock;
 	/* Locked by rwlock. */
-	ISC_LIST(dns_zone_t)	zones;
+	dns_zonelist_t		zones;
+	dns_zonelist_t		waiting_for_xfrin;
+	dns_zonelist_t		xfrin_in_progress;
+	
 	/* Locked by conflock. */
 	int			transfersin;
 	int			transfersperns;
-	isc_boolean_t		requestixfr;
-	/* Contains its own lock. */
-	dns_xfrinlist_t		transferlist;
+};
+
+/*
+ * Hold notify state.
+ */
+struct notify {
+	isc_int32_t		magic;
+	isc_mem_t		*mctx;
+	dns_zone_t		*zone;
+	dns_adbfind_t		*find;
+	dns_request_t		*request;
+	dns_name_t		ns;
+	isc_sockaddr_t		dst;
+	ISC_LINK(notify_t)	link;
 };
 
 static isc_result_t zone_settimer(dns_zone_t *, isc_stdtime_t);
 static void cancel_refresh(dns_zone_t *);
-static isc_result_t dns_notify(dns_name_t *, isc_sockaddr_t *, dns_rdatatype_t,
-		       dns_rdataclass_t, isc_sockaddr_t *, isc_mem_t *);
 
 static void zone_log(dns_zone_t *zone, const char *, int, const char *msg,
 		     ...);
-extern void dns_zone_transfer_in(dns_zone_t *zone);
+static void queue_xfrin(dns_zone_t *zone);
 static isc_result_t dns_zone_tostr(dns_zone_t *zone, isc_mem_t *mctx,
 				   char **s);
-static void unload(dns_zone_t *zone);
-static void expire(dns_zone_t *zone);
-static isc_result_t replacedb(dns_zone_t *zone, dns_db_t *db,
-			      isc_boolean_t dump);
+static void zone_unload(dns_zone_t *zone);
+static void zone_expire(dns_zone_t *zone);
+static isc_result_t zone_replacedb(dns_zone_t *zone, dns_db_t *db,
+			           isc_boolean_t dump);
 static isc_result_t default_journal(dns_zone_t *zone);
-static void releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone);
-static void xfrin_start_temporary_kludge(dns_zone_t *zone);
-static void xfrdone(dns_zone_t *zone, isc_result_t result);
+static void zone_xfrdone(dns_zone_t *zone, isc_result_t result);
 static void zone_shutdown(isc_task_t *, isc_event_t *);
 
 #if 0
@@ -231,34 +229,44 @@ static void zone_shutdown(isc_task_t *, isc_event_t *);
 static void dns_zonemgr_dbdestroyed(isc_task_t *task, isc_event_t *event);
 #endif
 
-#ifdef notyet
 static void refresh_callback(isc_task_t *, isc_event_t *);
-static void soa_query(dns_zone_t *, isc_taskaction_t);
-static void checkservers_callback(isc_task_t *task, isc_event_t *event);
+static void queue_soa_query(dns_zone_t *zone);
+static void soa_query(isc_task_t *, isc_event_t *);
 static int message_count(dns_message_t *msg, dns_section_t section,
 			 dns_rdatatype_t type);
-static void add_address_tocheck(dns_message_t *msg,
-				dns_zone_checkservers_t *checkservers,
-				dns_rdatatype_t type);
-static void record_serial(void);
-#endif
-
+static void notify_find_address(notify_t *notify);
+static void notify_send(notify_t *notify);
+static isc_result_t notify_createmessage(dns_zone_t *zone,
+					 dns_message_t **messagep);
+static void notify_done(isc_task_t *task, isc_event_t *event);
+static void notify_send_toaddr(isc_task_t *task, isc_event_t *event);
+static isc_result_t zone_dump(dns_zone_t *);
+static void got_transfer_quota(isc_task_t *task, isc_event_t *event);
+static isc_result_t zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr, dns_zone_t *zone);
+static void zmgr_resume_xfrs(dns_zonemgr_t *zmgr);
+static void zonemgr_free(dns_zonemgr_t *zmgr);
 
+static isc_result_t
+zone_get_from_db(dns_db_t *db, dns_name_t *origin, unsigned int *nscount,
+		 unsigned int *soacount, isc_uint32_t *serial,
+		 isc_uint32_t *refresh, isc_uint32_t *retry,
+		 isc_uint32_t *expire, isc_uint32_t *minimum);
 
 #define PRINT_ZONE_REF(zone) \
 	do { \
 		char *s = NULL; \
 		isc_result_t r; \
 		r = dns_zone_tostr(zone, zone->mctx, &s); \
-		if (r == DNS_R_SUCCESS) { \
-			printf("%p: %s: erefs = %d\n", zone, s, \
-			       zone->erefs); \
+		if (r == ISC_R_SUCCESS) { \
+			printf("%p: %s: erefs=%d irefs=%d\n", zone, s, \
+			       zone->erefs, zone->irefs); \
 			isc_mem_free(zone->mctx, s); \
 		} \
 	} while (0)
 
-#define DNS_ENTER zone_log(zone, me, ISC_LOG_DEBUG(10), "enter")
-#define DNS_LEAVE zone_log(zone, me, ISC_LOG_DEBUG(10), "leave")
+#define ZONE_LOG(x,y) zone_log(zone, me, ISC_LOG_DEBUG(x), y)
+#define DNS_ENTER zone_log(zone, me, ISC_LOG_DEBUG(1), "enter")
+#define DNS_LEAVE zone_log(zone, me, ISC_LOG_DEBUG(1), "leave")
 
 /***
  ***	Public functions.
@@ -281,7 +289,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 
 	zone = isc_mem_get(mctx, sizeof *zone);
 	if (zone == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
 	result = isc_mutex_init(&zone->lock);
 	if (result != ISC_R_SUCCESS) {
@@ -289,35 +297,32 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_mutex_init() failed: %s",
 				 isc_result_totext(result));
-		return (DNS_R_UNEXPECTED);
+		return (ISC_R_UNEXPECTED);
 	}
 
 	/* XXX MPA check that all elements are initialised */
-	zone->mctx = mctx;
-	zone->top = NULL;
+	zone->mctx = NULL;
+	isc_mem_attach(mctx, &zone->mctx);
+	zone->db = NULL;
 	zone->zmgr = NULL;
 	ISC_LINK_INIT(zone, link);
 	zone->erefs = 1;		/* Implicit attach. */
 	zone->irefs = 0;
-	zone->shuttingdown = ISC_FALSE;
 	dns_name_init(&zone->origin, NULL);
-	zone->database = NULL;
+	zone->dbname = NULL;
 	zone->journalsize = -1;
 	zone->journal = NULL;
 	zone->rdclass = dns_rdataclass_none;
 	zone->type = dns_zone_none;
 	zone->flags = 0;
 	zone->options = 0;
-	zone->setoptions = 0;
 	zone->db_type = NULL;
 	zone->db_argc = 0;
 	zone->db_argv = NULL;
 	zone->expiretime = 0;
 	zone->refreshtime = 0;
 	zone->dumptime = 0;
-	zone->servertime = 0;
-	zone->parenttime = 0;
-	zone->childtime = 0;
+	isc_time_settoepoch(&zone->loadtime);
 	zone->serial = 0;
 	zone->refresh = DEFAULT_REFRESH;
 	zone->retry = DEFAULT_RETRY;
@@ -325,7 +330,6 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	zone->minimum = 0;
 	zone->masters = NULL;
 	zone->masterscnt = 0;
-	zone->masterport = 0;
 	zone->curmaster = 0;
 	zone->notify = NULL;
 	zone->notifycnt = 0;
@@ -334,13 +338,11 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	zone->query_acl = NULL;
 	zone->xfr_acl = NULL;
 	zone->check_names = dns_severity_ignore;
-	zone->fetch = NULL;
-	zone->res = NULL;
-	zone->socketmgr = NULL;
+	zone->request = NULL;
 	zone->timer = NULL;
 	zone->idlein = DNS_DEFAULT_IDLEIN;
 	zone->idleout = DNS_DEFAULT_IDLEOUT;
-	ISC_LIST_INIT(zone->checkservers);
+	ISC_LIST_INIT(zone->notifies);
 	zone->xfrsource4 = sockaddr_any4;
 	zone->xfrsource6 = sockaddr_any6;
 	zone->xfr = NULL;
@@ -349,44 +351,48 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	zone->diff_on_reload = ISC_FALSE;
 	zone->ssutable = NULL;
 	zone->view = NULL;
+	ISC_LINK_INIT(zone, statelink);
+	zone->statelist = NULL;
+	
 	zone->magic = ZONE_MAGIC;
 	ISC_EVENT_INIT(&zone->ctlevent, sizeof(zone->ctlevent), 0, NULL,
 		       DNS_EVENT_ZONECONTROL, zone_shutdown, zone, zone,
 		       NULL, NULL);
 	*zonep = zone;
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
+/*
+ * Free a zone.  Because we require that there be no more
+ * outstanding events or references, no locking is necessary.
+ */
 static void
 zone_free(dns_zone_t *zone) {
+	isc_mem_t *mctx = NULL;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
-	LOCK(&zone->lock);
 	REQUIRE(zone->erefs == 0);
-	zone->flags |= DNS_ZONE_F_EXITING;
-	UNLOCK(&zone->lock);
+	REQUIRE(zone->irefs == 0);
 
-	/* managed objects */
-	/* order is important */
-	if (DNS_ZONE_FLAG(zone, DNS_ZONE_F_REFRESH))
-		cancel_refresh(zone);
+	/*
+	 * Managed objects.  Order is important.
+	 */
 	if (zone->timer != NULL)
 		isc_timer_detach(&zone->timer);
-	if (zone->res != NULL)
-		dns_resolver_detach(&zone->res);
-	if (zone->fetch != NULL)
-		dns_resolver_destroyfetch(&zone->fetch);
+	if (zone->request != NULL)
+		dns_request_destroy(&zone->request); /* XXXMPA */
+
+	INSIST(zone->statelist == NULL);
+	
 	if (zone->task != NULL)
 		isc_task_detach(&zone->task);
-	if (zone->socketmgr != NULL)
-		isc_socketmgr_destroy(&zone->socketmgr);
 	if (zone->zmgr)
 		dns_zonemgr_releasezone(zone->zmgr, zone);
-
-	/* unmanaged objects */
-	if (zone->database != NULL)
-		isc_mem_free(zone->mctx, zone->database);
-	zone->database = NULL;
+	
+	/* Unmanaged objects */
+	if (zone->dbname != NULL)
+		isc_mem_free(zone->mctx, zone->dbname);
+	zone->dbname = NULL;
 	zone->journalsize = -1;
 	if (zone->journal != NULL)
 		isc_mem_free(zone->mctx, zone->journal);
@@ -394,12 +400,11 @@ zone_free(dns_zone_t *zone) {
 	if (zone->db_type != NULL)
 		isc_mem_free(zone->mctx, zone->db_type);
 	zone->db_type = NULL;
-	if (zone->top != NULL)
-		dns_db_detach(&zone->top);
+	if (zone->db != NULL)
+		dns_db_detach(&zone->db);
 	dns_zone_cleardbargs(zone);
-	dns_zone_clearmasters(zone);
-	zone->masterport = 0;
-	dns_zone_clearnotify(zone);
+	dns_zone_setmasters(zone, NULL, 0);
+	dns_zone_setnotifyalso(zone, NULL, 0);
 	zone->check_names = dns_severity_ignore;
 	if (zone->update_acl != NULL)
 		dns_acl_detach(&zone->update_acl);
@@ -415,7 +420,9 @@ zone_free(dns_zone_t *zone) {
 	/* last stuff */
 	isc_mutex_destroy(&zone->lock);
 	zone->magic = 0;
-	isc_mem_put(zone->mctx, zone, sizeof *zone);
+	mctx = zone->mctx;
+	isc_mem_put(mctx, zone, sizeof *zone);
+	isc_mem_detach(&mctx);
 }
 
 /*
@@ -427,7 +434,9 @@ dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 	REQUIRE(rdclass != dns_rdataclass_none);
 
-	/* test and set */
+	/*
+	 * Test and set.
+	 */
 	LOCK(&zone->lock);
 	REQUIRE(zone->rdclass == dns_rdataclass_none ||
 		zone->rdclass == rdclass);
@@ -451,7 +460,9 @@ dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 	REQUIRE(type != dns_zone_none);
 
-	/* test and set */
+	/*
+	 * Test and set.
+	 */
 	LOCK(&zone->lock);
 	REQUIRE(zone->type == dns_zone_none || zone->type == type);
 	zone->type = type;
@@ -460,7 +471,7 @@ dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type) {
 
 isc_result_t
 dns_zone_setdbtype(dns_zone_t *zone, char *db_type) {
-	isc_result_t result = DNS_R_SUCCESS;
+	isc_result_t result = ISC_R_SUCCESS;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 
@@ -469,17 +480,21 @@ dns_zone_setdbtype(dns_zone_t *zone, char *db_type) {
 		isc_mem_free(zone->mctx, zone->db_type);
 	zone->db_type = isc_mem_strdup(zone->mctx, db_type);
 	if (zone->db_type == NULL)
-		result = DNS_R_NOMEMORY;
+		result = ISC_R_NOMEMORY;
 	UNLOCK(&zone->lock);
 	return (result);
 }
 
-void dns_zone_setview(dns_zone_t *zone, dns_view_t *view) {
-	zone->view = view;
+void
+dns_zone_setview(dns_zone_t *zone, dns_view_t *view) {
+	if (zone->view != NULL)
+		dns_view_weakdetach(&zone->view);
+	dns_view_weakattach(view, &zone->view);
 }
      
 
-dns_view_t *dns_zone_getview(dns_zone_t *zone) {
+dns_view_t *
+dns_zone_getview(dns_zone_t *zone) {
 	return (zone->view);
 }
      
@@ -502,18 +517,18 @@ dns_zone_setorigin(dns_zone_t *zone, dns_name_t *origin) {
 }
 
 isc_result_t
-dns_zone_setdatabase(dns_zone_t *zone, const char *database) {
-	isc_result_t result = DNS_R_SUCCESS;
+dns_zone_setdatabase(dns_zone_t *zone, const char *dbname) {
+	isc_result_t result = ISC_R_SUCCESS;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(database != NULL);
+	REQUIRE(dbname != NULL);
 
 	LOCK(&zone->lock);
-	if (zone->database != NULL)
-		isc_mem_free(zone->mctx, zone->database);
-	zone->database = isc_mem_strdup(zone->mctx, database);
-	if (zone->database == NULL)
-		result = DNS_R_NOMEMORY;
+	if (zone->dbname != NULL)
+		isc_mem_free(zone->mctx, zone->dbname);
+	zone->dbname = isc_mem_strdup(zone->mctx, dbname);
+	if (zone->dbname == NULL)
+		result = ISC_R_NOMEMORY;
 	else
 		result = default_journal(zone);
 	UNLOCK(&zone->lock);
@@ -525,22 +540,22 @@ default_journal(dns_zone_t *zone) {
 	int len;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(zone->database != NULL);
+	REQUIRE(zone->dbname != NULL);
 
 	if (zone->journal != NULL) 
 		isc_mem_free(zone->mctx, zone->journal);
-	len = strlen(zone->database) + sizeof ".jnl"; 	/* includes '\0' */
+	len = strlen(zone->dbname) + sizeof ".jnl"; 	/* includes '\0' */
 	zone->journal = isc_mem_allocate(zone->mctx, len);
 	if (zone->journal == NULL)
-		return (DNS_R_NOMEMORY);
-	strcpy(zone->journal, zone->database);
+		return (ISC_R_NOMEMORY);
+	strcpy(zone->journal, zone->dbname);
 	strcat(zone->journal, ".jnl");
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
 dns_zone_setjournal(dns_zone_t *zone, const char *journal) {
-	isc_result_t result = DNS_R_SUCCESS;
+	isc_result_t result = ISC_R_SUCCESS;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 	REQUIRE(journal != NULL);
@@ -550,15 +565,15 @@ dns_zone_setjournal(dns_zone_t *zone, const char *journal) {
 		isc_mem_free(zone->mctx, zone->journal);
 	zone->journal = isc_mem_strdup(zone->mctx, journal);
 	if (zone->journal == NULL)
-		result = DNS_R_NOMEMORY;
+		result = ISC_R_NOMEMORY;
 	UNLOCK(&zone->lock);
 	return (result);
 }
 
 char *
 dns_zone_getjournal(dns_zone_t *zone) {
-
 	REQUIRE(DNS_ZONE_VALID(zone));
+
 	return (zone->journal);
 }
 
@@ -573,14 +588,14 @@ dns_zone_validate(dns_zone_t *zone) {
 	case dns_zone_slave:
 	case dns_zone_stub:
 	case dns_zone_hint:
-		REQUIRE(zone->database != NULL);
+		REQUIRE(zone->dbname != NULL);
 		/*FALLTHROUGH*/
 	case dns_zone_forward:
 		REQUIRE(zone->rdclass != dns_rdataclass_none);
 		break;
 	case dns_zone_cache:
 		REQUIRE(zone->rdclass == dns_rdataclass_none);
-		REQUIRE(zone->database == NULL);
+		REQUIRE(zone->dbname == NULL);
 		break;
 	}
 
@@ -590,16 +605,14 @@ dns_zone_validate(dns_zone_t *zone) {
 isc_result_t
 dns_zone_load(dns_zone_t *zone) {
 	const char me[] = "dns_zone_load";
-	int soacount = 0;
-	int nscount = 0;
+	unsigned int soacount = 0;
+	unsigned int nscount = 0;
+	isc_uint32_t serial, refresh, retry, expire, minimum;
 	isc_result_t result;
-	dns_dbnode_t *node = NULL;
-	dns_dbversion_t *version = NULL;
-	dns_rdataset_t rdataset;
 	isc_boolean_t cache = ISC_FALSE;
 	dns_rdata_soa_t soa;
-	dns_rdata_t rdata;
 	isc_stdtime_t now;
+	isc_time_t loadtime, filetime;
 	dns_db_t *db = NULL;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
@@ -610,7 +623,7 @@ dns_zone_load(dns_zone_t *zone) {
 	switch (zone->type) {
 	case dns_zone_forward:
 	case dns_zone_none:
-		result = DNS_R_SUCCESS;
+		result = ISC_R_SUCCESS;
 		goto cleanup;
 	case dns_zone_master:
 	case dns_zone_slave:
@@ -625,45 +638,78 @@ dns_zone_load(dns_zone_t *zone) {
 		INSIST("bad zone type" == NULL);
 	}
 
-	REQUIRE(zone->database != NULL);
+	REQUIRE(zone->dbname != NULL);
+
+	zone_log(zone, me, ISC_LOG_DEBUG(1), "start");
+
+	/*
+	 * Don't do the load if the file that stores the zone is older
+	 * than the last time the zone was loaded.  If the zone has not
+	 * been loaded yet, zone->loadtime will be the epoch.
+	 */
+	result = isc_file_getmodtime(zone->dbname, &filetime);
+	if (result == ISC_R_SUCCESS && ! isc_time_isepoch(&zone->loadtime) &&
+	    isc_time_compare(&filetime, &zone->loadtime) < 0) {
+		zone_log(zone, me, ISC_LOG_DEBUG(1),
+			 "skipping: database file older than last load");
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
+	/*
+	 * Store the current time before the zone is loaded, so that if the
+	 * file changes between the time of the load and the time that
+	 * zone->loadtime is set, then the file will still be reloaded
+	 * the next time dns_zone_load is called.
+	 */
+	result = isc_time_now(&loadtime);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
 
 	result = dns_db_create(zone->mctx, zone->db_type,
 			       &zone->origin,
 			       cache, zone->rdclass,
 			       zone->db_argc, zone->db_argv, &db);
 
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
-	result = dns_db_load(db, zone->database);
+	result = dns_db_load(db, zone->dbname);
 
 	/*
 	 * Initiate zone transfer?  We may need a error code that
 	 * indicates that the "permanent" form does not exist.
 	 * XXX better error feedback to log.
 	 */
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		if (zone->type == dns_zone_slave) {
 			zone_log(zone, me, ISC_LOG_INFO,
 				 "no database file");
+			/* Mark the zone for immediate refresh. */
+			zone->refreshtime = now;
 			result = ISC_R_SUCCESS;
 		} else {
 			zone_log(zone, me, ISC_LOG_ERROR,
 				 "database %s: dns_db_load failed: %s",
-				 zone->database, dns_result_totext(result));
+				 zone->dbname, dns_result_totext(result));
 		}
 		goto cleanup;
 	}
 
+	zone->loadtime = loadtime;
+
+	zone_log(zone, me, ISC_LOG_DEBUG(1), "loaded");
+
 	/*
 	 * Apply update log, if any.
 	 */
 	if (zone->journal != NULL) {
-		result = dns_journal_rollforward(zone->mctx, db, zone->journal);
-		if (result != DNS_R_SUCCESS && result != DNS_R_NOTFOUND &&
+		result = dns_journal_rollforward(zone->mctx, db,
+						 zone->journal);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND &&
 		    result != DNS_R_UPTODATE && result != DNS_R_NOJOURNAL)
 			goto cleanup;
-		if (result == DNS_R_NOTFOUND) {
+		if (result == ISC_R_NOTFOUND) {
 			zone_log(zone, me, ISC_LOG_ERROR,
 				 "journal out of sync with zone");
 			goto cleanup;
@@ -671,7 +717,7 @@ dns_zone_load(dns_zone_t *zone) {
 		zone_log(zone, me, ISC_LOG_DEBUG(1),
 			 "dns_journal_rollforward: %s",
 			 dns_result_totext(result));
-		if (result == DNS_R_SUCCESS)
+		if (result == ISC_R_SUCCESS)
 			zone->flags |= DNS_ZONE_F_NEEDDUMP;
 	}
 
@@ -680,44 +726,14 @@ dns_zone_load(dns_zone_t *zone) {
 	 */
 	nscount = 0;
 	soacount = 0;
-	dns_db_currentversion(db, &version);
-	result = dns_db_findnode(db, &zone->origin, ISC_FALSE, &node);
-
-	if (result == DNS_R_SUCCESS) {
-		dns_rdataset_init(&rdataset);
-		result = dns_db_findrdataset(db, node, version,
-					     dns_rdatatype_ns,
-					     dns_rdatatype_none, 0, &rdataset,
-					     NULL);
-		if (result == DNS_R_SUCCESS) {
-			result = dns_rdataset_first(&rdataset);
-			while (result == DNS_R_SUCCESS) {
-				nscount++;
-				result = dns_rdataset_next(&rdataset);
-			}
-			dns_rdataset_disassociate(&rdataset);
-		}
-		result = dns_db_findrdataset(db, node, version,
-					     dns_rdatatype_soa,
-					     dns_rdatatype_none, 0, &rdataset,
-					     NULL);
-
-		if (result == DNS_R_SUCCESS) {
-			result = dns_rdataset_first(&rdataset);
-			while (result == DNS_R_SUCCESS) {
-				dns_rdataset_current(&rdataset, &rdata);
-				if (soacount == 0)
-					dns_rdata_tostruct(&rdata, &soa,
-							   zone->mctx);
-				soacount++;
-				result = dns_rdataset_next(&rdataset);
-			}
-			dns_rdataset_disassociate(&rdataset);
-		}
-		dns_rdataset_invalidate(&rdataset);
+	INSIST(db != NULL);
+	result = zone_get_from_db(db, &zone->origin, &nscount,
+				  &soacount, &serial, &refresh, &retry,
+				  &expire, &minimum);
+	if (result != ISC_R_SUCCESS) {
+		zone_log(zone, me, ISC_LOG_ERROR,
+			 "could not find NS and/or SOA records");
 	}
-	dns_db_detachnode(db, &node);
-	dns_db_closeversion(db, &version, ISC_FALSE);
 
 	/*
 	 * Master / Slave / Stub zones require both NS and SOA records at
@@ -741,25 +757,31 @@ dns_zone_load(dns_zone_t *zone) {
 			result = DNS_R_BADZONE;
 			goto cleanup;
 		}
-		if (zone->top != NULL) {
-			if (!isc_serial_ge(soa.serial, zone->serial)) {
+		if (zone->db != NULL) {
+			if (!isc_serial_ge(serial, zone->serial)) {
 				zone_log(zone, me, ISC_LOG_ERROR,
 					"zone serial has gone backwards");
 			}
 		}
-		zone->serial = soa.serial;
-		zone->refresh = RANGE(soa.refresh, DNS_MIN_REFRESH,
+		zone->serial = serial;
+		zone->refresh = RANGE(refresh, DNS_MIN_REFRESH,
 				      DNS_MAX_REFRESH);
-		zone->retry = RANGE(soa.retry, DNS_MIN_REFRESH,
-				    DNS_MAX_REFRESH);
-		zone->expire = RANGE(soa.expire, zone->refresh + zone->retry,
+		zone->retry = RANGE(retry, DNS_MIN_REFRESH, DNS_MAX_REFRESH);
+		zone->expire = RANGE(expire, zone->refresh + zone->retry,
 				     DNS_MAX_EXPIRE);
-		zone->minimum = soa.minimum;
+		zone->minimum = minimum;
 		if (zone->type == dns_zone_slave ||
 		    zone->type == dns_zone_stub) {
-			/* XXX need database modification time */
-			zone->expiretime = now /*XXX*/ + zone->expire;
-			zone->refreshtime = now /*XXX*/;
+			isc_time_t t;
+
+			result = isc_file_getmodtime(zone->dbname, &t);
+						     
+			if (result == ISC_R_SUCCESS)
+				zone->expiretime = isc_time_seconds(&t) +
+						   zone->expire;
+			else
+				zone->expiretime = now + zone->retry;
+			zone->refreshtime = now;
 		}
 		break;
 	case dns_zone_hint:
@@ -774,7 +796,7 @@ dns_zone_load(dns_zone_t *zone) {
 	default:
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "unexpected zone type %d", zone->type);
-		result = DNS_R_UNEXPECTED;
+		result = ISC_R_UNEXPECTED;
 		goto cleanup;
 	}
 
@@ -791,13 +813,13 @@ dns_zone_load(dns_zone_t *zone) {
 	}
 #endif	
 
-	if (zone->top != NULL) {
-		result = replacedb(zone, db, ISC_FALSE);
+	if (zone->db != NULL) {
+		result = zone_replacedb(zone, db, ISC_FALSE);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 	} else {
-		dns_db_attach(db, &zone->top);
-		zone->flags |= DNS_ZONE_F_LOADED;
+		dns_db_attach(db, &zone->db);
+		zone->flags |= DNS_ZONE_F_LOADED|DNS_ZONE_F_NEEDNOTIFY;
 	}
 	result = ISC_R_SUCCESS; 
 
@@ -810,461 +832,152 @@ dns_zone_load(dns_zone_t *zone) {
 	return (result);
 }
 
-#ifdef notyet
-void
-dns_zone_checkservers(dns_zone_t *zone) {
-	dns_name_t *zonename;
-	unsigned int i;
-	dns_zone_checkservers_t *checkservers;
-	dns_rdataset_t rdataset;
-	dns_rdata_t rdata;
-	dns_dbnode_t *node = NULL;
-	dns_dbversion_t *version = NULL;
-	isc_result_t result;
-	dns_rdata_ns_t ns;
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-	/* XXX MPA */
-
-	/*
-	 * get NS list from database, add in notify also list
-	 */
-	zonename = &zone->origin;
-	dns_db_currentversion(zone->top, &version);
-	result = dns_db_findnode(zone->top, zonename, ISC_FALSE, &node);
-
-	if (result == DNS_R_SUCCESS) {
-		dns_rdataset_init(&rdataset);
-		result = dns_db_findrdataset(zone->top, node, version,
-					     dns_rdatatype_ns,
-					     dns_rdatatype_none, 0, &rdataset,
-					     NULL);
-		if (result == DNS_R_SUCCESS) {
-			result = dns_rdataset_first(&rdataset);
-			while (result == DNS_R_SUCCESS) {
-				dns_rdataset_current(&rdataset, &rdata);
-				result = dns_rdata_tostruct(&rdata, &ns, zone->mctx);
-				if (result != DNS_R_SUCCESS)
-					continue;
-				checkservers = isc_mem_get(zone->mctx,
-							  sizeof *checkservers);
-				if (checkservers == NULL)
-					break;
-				dns_name_init(&checkservers->server, NULL);
-				dns_name_dup(&ns.name, zone->mctx,
-					     &checkservers->server);
-				checkservers->name_known = ISC_TRUE;
-				checkservers->state = get_a; /* XXXMPA */
-				dns_zone_attach(zone, &checkservers->zone);
-				checkservers->mctx = zone->mctx;
-				dns_resolver_attach(zone->res, &checkservers->res);
-				checkservers->fetch = NULL;
-				ISC_LINK_INIT(checkservers, link);
-				checkservers->magic = CHECKSERVERS_MAGIC;
-
-				/* XXX lookup A/AAAA/A6 records */
-				result = dns_rdataset_next(&rdataset);
-			}
-		}
-		dns_rdataset_disassociate(&rdataset);
-		dns_rdataset_invalidate(&rdataset);
-	}
-	dns_db_detachnode(zone->top, &node);
-	dns_db_closeversion(zone->top, &version, ISC_FALSE);
-
-	/*
-	 * Foreach NS in NS list perform a non-recursive query to obtain
-	 * NS list for zone (remove self from list).
-	 *
-	 * callback to check:
-	 * If NXDOMAIN -> log error.
-	 * If NODATA -> log error.
-	 * If referral -> log error.
-	 * If non-auth -> log error.
-	 * Compare NS list returned with server list if not identical 
-	 * log error if current list is at least 3 x refresh old.
-	 * Compare glue A/AAAA/A6 records.
-	 */
-
-	/*
-	 * Foreach NS in NS list perform a non-recursive query to obtain
-	 * SOA record for zone (remove self from list).
-	 *
-	 * callback to check:
-	 * If NXDOMAIN -> log error.
-	 * If NODATA -> log error.
-	 * If referral -> log error.
-	 * If no-auth -> log error.
-	 * Compare SOA serial with ixfr list and if older that 3x refresh
-	 * log error.
-	 */
-	LOCK(&zone->lock);
-	for (i = 0 ; i < zone->notifycnt; i++) {
-		checkservers = isc_mem_get(zone->mctx, sizeof *checkservers);
-		if (checkservers == NULL)
-			break;
-		dns_name_init(&checkservers->server, NULL);
-		checkservers->name_known = ISC_FALSE;
-		checkservers->state = get_ns;
-		checkservers->address = zone->notify[i];
-		dns_zone_attach(zone, &checkservers->zone);
-		checkservers->mctx = zone->mctx;
-		dns_resolver_attach(zone->res, &checkservers->res);
-		checkservers->fetch = NULL;
-		ISC_LINK_INIT(checkservers, link);
-		checkservers->magic = CHECKSERVERS_MAGIC;
-		ISC_LIST_APPEND(zone->checkservers, checkservers, link);
-		dns_resolver_createfetch(zone->res, zonename, dns_rdatatype_ns,
-				         NULL, NULL, NULL,
-					 DNS_FETCHOPT_UNSHARED,
-					 zone->task, checkservers_callback, 
-					 checkservers, &checkservers->fetch);
-	}
-	UNLOCK(&zone->lock);
-}
-#endif
-
-#ifdef notyet
 static void
-checkservers_callback(isc_task_t *task, isc_event_t *event) {
-	const char me[] = "checkservers_callback";
-	dns_fetchdoneevent_t *devent = (dns_fetchdoneevent_t *)event;
-	dns_zone_checkservers_t *checkservers = event->arg;
-	dns_zone_state_t state;
-	dns_zone_t *zone;
-	dns_name_t *name;
-	isc_mem_t *mctx;
-	isc_sockaddr_t *address;
-	dns_resolver_t *res;
-	dns_message_t *msg; 
-
-	REQUIRE(DNS_CHECKSERVERS_VALID(checkservers));
-	state = checkservers->state;
-	zone = checkservers->zone;
-	name = &checkservers->server;
-	address = &checkservers->address;
-	mctx = checkservers->mctx;
-	res = checkservers->res;
-
-	task = task;	/* unused */
-
-	if (devent->result != DNS_R_SUCCESS) {
-		/* timeout */
-		switch (state) {
-		case get_a6:
-		case get_aaaa:
-		case get_a:
-			zone_log(zone, me, ISC_LOG_INFO,
-			         "unable to obtain address for (%s)");
-			break;
-		case get_ns:
-		case get_soa:
-			zone_log(zone, me, ISC_LOG_INFO,
-				 "unable to obtain %s RRset from %s"
-				);
-		}
-		goto cleanup;
+exit_check(dns_zone_t *zone) {
+	if (DNS_ZONE_FLAG(zone, DNS_ZONE_F_EXITING) &&
+	    zone->irefs == 0)
+	{
+		/*
+		 * DNS_ZONE_F_EXITING can only be set if erefs == 0.
+		 */
+		INSIST(zone->erefs == 0);
+		zone_free(zone);
 	}
+}
 
-	msg = NULL;
-	dns_resolver_getanswer(event, &msg);
+static isc_result_t
+zone_count_ns_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		 unsigned int *nscount)
+{
+	isc_result_t result;
+	unsigned int count;
+	dns_rdataset_t rdataset;
 
+	REQUIRE(nscount != NULL);
 
-	switch (state) {
-	case get_a6:
-		add_address_tocheck(msg, checkservers, dns_rdatatype_a6);
-		dns_resolver_createfetch(res, name, dns_rdatatype_aaaa,
-				         NULL, NULL, NULL, 0, zone->task,
-					 checkservers_callback, 
-					 checkservers, &checkservers->fetch);
-		checkservers->state = get_aaaa;
-		break;
-	case get_aaaa:
-		add_address_tocheck(msg, checkservers, dns_rdatatype_a6);
-		dns_resolver_createfetch(res, name, dns_rdatatype_a,
-				         NULL, NULL, NULL, 0, zone->task,
-					 checkservers_callback, 
-					 checkservers, &checkservers->fetch);
-		checkservers->state = get_a;
-		break;
-	case get_a:
-		add_address_tocheck(msg, checkservers, dns_rdatatype_a);
-		/* make NS query to address */
-		dns_resolver_createfetch(res, name, dns_rdatatype_ns,
-				         NULL, NULL, NULL,
-					 DNS_FETCHOPT_UNSHARED, 
-					 zone->task, checkservers_callback, 
-					 checkservers, &checkservers->fetch);
-		checkservers->state = get_ns;
-		break;
-	case get_ns:
-	case get_soa:
-		if (msg->rcode != dns_rcode_noerror) {
-			char rcode[128];
-			isc_buffer_t rb;
-
-			isc_buffer_init(&rb, rcode, sizeof rcode,
-					ISC_BUFFERTYPE_TEXT);
-			dns_rcode_totext(msg->rcode, &rb);
-			zone_log(zone, me, ISC_LOG_INFO,
-				 "server %s (%s) unexpected rcode = %.*s",
-				 rb.used, rcode);
-			break;
-		}
-		if (msg->counts[DNS_SECTION_ANSWER] == 0) {
-			if (referral(msg))
-				zone_log(zone, me, ISC_LOG_INFO,
-					"server %s (%s) referral response");
-			else
-				zone_log(zone, me, ISC_LOG_INFO,
-				   "server %s (%s) type = %s NODATA response");
-		}
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_ns,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto invalidate_rdataset;
 
-		if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
-			zone_log(zone, me, ISC_LOG_INFO,
-				"server %s (%s) not authorative");
-		}
-		if (state == get_ns) {
-			/* compare NS RR sets */
-			/* make soa query to address */
-			dns_resolver_createfetch(res, name, dns_rdatatype_soa,
-						 NULL, NULL, NULL,
-						 DNS_FETCHOPT_UNSHARED, 
-						 zone->task,
-						 checkservers_callback, 
-						 checkservers,
-						 &checkservers->fetch);
-			checkservers->state = get_soa;
-			break;
-		} else {
-			/* compare SOA RR sets */
+	count = 0;
+	result = dns_rdataset_first(&rdataset);
+	while (result == ISC_R_SUCCESS) {
+		count++;
+		result = dns_rdataset_next(&rdataset);
+	}
+	dns_rdataset_disassociate(&rdataset);
 
-			goto cleanup;
-		}
+	*nscount = count;
+	result = ISC_R_SUCCESS;
 
-		break;
-	default:
-		UNEXPECTED_ERROR(__FILE__, __LINE__, "unexpected state");
-		break;
-	}
-	isc_event_free(&event);
-	return;
+ invalidate_rdataset:
+	dns_rdataset_invalidate(&rdataset);
 
- cleanup:
-	isc_event_free(&event);
-	ISC_LIST_UNLINK(zone->checkservers, checkservers, link);
-	checkservers->magic = 0;
-	dns_zone_detach(&checkservers->zone);
-	isc_mem_put(mctx, checkservers, sizeof *checkservers);
+	return (result);
 }
-#endif
 
-#if 0
-static void
-cmp_soa(dns_message_t *msg, dns_zone_t *zone, char *server) {
-	dns_rdata_soa_t msgsoa, zonesoa;
+static isc_result_t
+zone_load_soa_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		 unsigned int *soacount,
+		 isc_uint32_t *serial, isc_uint32_t *refresh,
+		 isc_uint32_t *retry, isc_uint32_t *expire,
+		 isc_uint32_t *minimum)
+{
 	isc_result_t result;
-	dns_rdataset_t *rdataset = NULL;
-	dns_rdataset_t zonerdataset;
+	unsigned int count;
+	dns_rdataset_t rdataset;
 	dns_rdata_t rdata;
+	dns_rdata_soa_t soa;
 
-	dns_rdata_init(&rdata);
-
-	/*
-	 * extract SOA from message
-	 */
-	result = dns_message_findname(msg, DNS_SECTION_ANSWER,
-				      &zone->origin,
-				      dns_rdatatype_soa,
-				      dns_rdatatype_none, NULL, &rdataset);
-	if (result != DNS_R_SUCCESS) {
-		zone_log(zone, me, ISC_LOG_INFO,
-			 "Unable to extract SOA from answer: %s", server);
-		return;
-	}
-	result = dns_rdataset_first(rdataset); 
-	if (DNS_R_SUCCESS != result)
-		return;
-	dns_rdataset_current(rdataset, &rdata);
-	result = dns_rdata_tostruct(&rdata, &msgsoa, zone->mctx);
-	if (DNS_R_SUCCESS != result)
-		return;
-	result = dns_rdataset_next(rdataset);
-	if (DNS_R_NOMORE != result) {
-		zone_log(zone, me, ISC_LOG_INFO,
-		         "More that one SOA record returned: %s", server);
-		goto cleanup_msgsoa;
-	}
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto invalidate_rdataset;
 
-	/*
-	 * Get SOA record for zone.
-	 */
+	count = 0;
+	result = dns_rdataset_first(&rdataset);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(&rdataset, &rdata);
+		count++;
+		if (count == 1)
+			dns_rdata_tostruct(&rdata, &soa, NULL);
 
-	dns_rdataset_init(&zonerdataset);
-	LOCK(&zone->lock);
-	result = dns_db_find(zone->top, &zone->origin,
-			     NULL, dns_rdatatype_soa, dns_rdatatype_none,
-			     0, 0, NULL, NULL, &zonerdataset);
-	UNLOCK(&zone->lock);
-	if (result != DNS_R_SUCCESS) {
-		/* XXXMPA */
-		goto cleanup_msgsoa;
+		result = dns_rdataset_next(&rdataset);
 	}
+	dns_rdataset_disassociate(&rdataset);
 
-	result = dns_rdataset_first(&zonerdataset); 
-	if (DNS_R_SUCCESS != result)
-		return;
-	dns_rdataset_current(&zonerdataset, &rdata);
-	result = dns_rdata_tostruct(&rdata, &msgsoa, zone->mctx);
-	if (DNS_R_SUCCESS != result)
-		return;
-	result = dns_rdataset_next(&zonerdataset);
-	if (DNS_R_NOMORE != result) {
-		zone_log(zone, me, ISC_LOG_INFO, "More than one SOA in zone");
-		goto cleanup_msgsoa;
-	}
-	dns_rdataset_disassociate(&zonerdataset);
+	if (soacount != NULL)
+		*soacount = count;
 
-	/*
-	 * Check SOA contents.  If serials do not match check to see
-	 * if the slave is ahead of us (i.e. we have reset the serial
-	 * number).
-	 *
-	 * If the serials do match then check the other values for
-	 * consistancy.
-	 */
-	if (msgsoa.serial != zonesoa.serial) {
-		if (!isc_serial_lt(msgsoa.serial, zonesoa.serial)) {
-			zone_log(zone, me, ISC_LOG_INFO,
-		   "slave serial not less than or equal to zone serial: %s",
-					   server);
-			goto cleanup_zonesoa;
-		}
-		record_serial();
-		goto cleanup_zonesoa;
+	if (count > 0) {
+		if (serial != NULL)
+			*serial = soa.serial;
+		if (refresh != NULL)
+			*refresh = soa.refresh;
+		if (retry != NULL)
+			*retry = soa.retry;
+		if (expire != NULL)
+			*expire = soa.expire;
+		if (minimum != NULL)
+			*minimum = soa.minimum;
 	}
 
-	if (msgsoa.refresh != zonesoa.refresh ||
-	    msgsoa.retry != zonesoa.retry ||
-	    msgsoa.expire != zonesoa.expire ||
-	    msgsoa.minimum != zonesoa.minimum ||
-	    dns_name_compare(&msgsoa.origin, &zonesoa.origin) != 0 ||
-	    dns_name_compare(&msgsoa.mname, &zonesoa.mname) != 0) {
+	result = ISC_R_SUCCESS;
 
-		zone_log(zone, me, ISC_LOG_INFO, "SOA contents differ: %s",
-			 server);
-	}
- cleanup_zonesoa:
-	dns_rdata_freestruct(&zonesoa);
- cleanup_msgsoa:
-	dns_rdata_freestruct(&msgsoa);
+ invalidate_rdataset:
+	dns_rdataset_invalidate(&rdataset);
+
+	return (result);
 }
-#endif
 
-#ifdef notyet
-static void
-add_address_tocheck(dns_message_t *msg, dns_zone_checkservers_t *checkservers,
-		    dns_rdatatype_t type)
+/*
+ * zone must be locked.
+ */
+static isc_result_t
+zone_get_from_db(dns_db_t *db, dns_name_t *origin, unsigned int *nscount,
+		 unsigned int *soacount, isc_uint32_t *serial,
+		 isc_uint32_t *refresh, isc_uint32_t *retry,
+		 isc_uint32_t *expire, isc_uint32_t *minimum)
 {
-	dns_rdataset_t *rdataset = NULL;
+	dns_dbversion_t *version = NULL;
 	isc_result_t result;
-	isc_sockaddr_t sockaddr;
-	dns_rdata_in_a_t a;
-	dns_rdata_in_a6_t a6;
-	dns_rdata_t rdata;
-
-	if (msg->rcode != dns_rcode_noerror)
-		return;
+	dns_dbnode_t *node;
 
-	if (msg->counts[DNS_SECTION_QUESTION] != 0 ||
-	    dns_message_findname(msg, DNS_SECTION_QUESTION,
-				 &checkservers->server,
-				 type, dns_rdatatype_none,
-				 NULL, &rdataset) != DNS_R_SUCCESS)
-		return;
-
-	result = dns_rdataset_first(rdataset);
-	while (DNS_R_SUCCESS == result) {
-		dns_rdataset_current(rdataset, &rdata);
-		switch (type) {
-		case dns_rdatatype_a:
-			result = dns_rdata_tostruct(&rdata, &a,
-						    checkservers->mctx);
-			isc_sockaddr_fromin(&sockaddr, &a.in_addr, 0);
-			dns_rdata_freestruct(&a);
-			break;
-		case dns_rdatatype_a6:
-			result = dns_rdata_tostruct(&rdata, &a6,
-						    checkservers->mctx);
-			isc_sockaddr_fromin6(&sockaddr, &a6.in6_addr, 0);
-			dns_rdata_freestruct(&a6);
-			break;
-		default:
-			INSIST(0);
-		}
-		result = dns_rdataset_next(rdataset);
-	}
-}
-#endif
+	REQUIRE(db != NULL);
+	REQUIRE(origin != NULL);
 
-void
-dns_zone_checkparents(dns_zone_t *zone) {
-	/* XXX MPA */
+	version = NULL;
+	dns_db_currentversion(db, &version);
 
-	REQUIRE(DNS_ZONE_VALID(zone));
-	/*
-	 * Obtain a parent NS list.
-	 *	Remove LSL from zone name. Check to see if we are serving
-	 *	zone otherwise make non-recursive query for NS set of
-	 *	of given name.  Follow referral until NXDOMAIN, NODATA or
-	 *	answer is found.  If NXDOMAIN or NODATA remove next LSL
-	 *	and repeat.
-	 */
+	node = NULL;
+	result = dns_db_findnode(db, origin, ISC_FALSE, &node);
+	if (result != ISC_R_SUCCESS)
+		goto closeversion;
 
-	/*
-	 * If self in NS list check masked NS list in parent against zone 
-	 * ns list.
-	 *
-	 * Foreach NS on parent NS list make non recursive query for NS set
-	 * of current zone (removed self from list if required).
-	 *
-	 * Check NS list return for agreement with zone's NS list.
-	 */
-}
+	if (nscount != NULL) {
+		result = zone_count_ns_rr(db, node, version, nscount);
+		if (result != ISC_R_SUCCESS)
+			goto detachnode;
+	}
 
-void
-dns_zone_checkchildren(dns_zone_t *zone) {
-	/* XXX MPA */
-	REQUIRE(DNS_ZONE_VALID(zone));
-	/*
-	 * For each child zone obtain NS list from parent zone.
-	 * For each NS in list send non-recursive query for child zone's
-	 * NS list for zone.
-	 *
-	 * If NXDOMAIN is returned log error.
-	 * If NODATA is return log error.
-	 * If referral is return log error.
-	 * If non-auth is return log error.
-	 * If NS list disagree's with parents NS list log error.
-	 */
-}
+	if (soacount != NULL || serial != NULL || refresh != NULL
+	    || retry != NULL || expire != NULL || minimum != NULL) {
+		result = zone_load_soa_rr(db, node, version, soacount,
+					  serial, refresh, retry, expire,
+					  minimum);
+		if (result != ISC_R_SUCCESS)
+			goto detachnode;
+	}
 
-void
-dns_zone_checkglue(dns_zone_t *zone) {
-	/* XXX MPA */
-	REQUIRE(DNS_ZONE_VALID(zone));
-	/*
-	 * For each glue record in this zone, check with an authorative
-	 * server for the zone to ensure that there have not been any
-	 * changes.
-	 */
-}
+ detachnode:
+	dns_db_detachnode(db, &node);
+ closeversion:
+	dns_db_closeversion(db, &version, ISC_FALSE);
 
-static void
-exit_check(dns_zone_t *zone)
-{
-	if (zone->irefs == 0 && zone->shuttingdown == ISC_TRUE)
-		zone_free(zone);
+	return (result);
 }
 
 void
@@ -1274,7 +987,7 @@ dns_zone_attach(dns_zone_t *source, dns_zone_t **target) {
 	LOCK(&source->lock);
 	REQUIRE(source->erefs > 0);
 	source->erefs++;
-	INSIST(source->erefs != 0xffffffffU);
+	INSIST(source->erefs != 0);
 	UNLOCK(&source->lock);
 	*target = source;
 }
@@ -1283,13 +996,19 @@ void
 dns_zone_detach(dns_zone_t **zonep) {
 	dns_zone_t *zone;
 	isc_boolean_t free_now = ISC_FALSE;
+	
 	REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
+
 	zone = *zonep;
 	LOCK(&zone->lock);
+	
 	REQUIRE(zone->erefs > 0);
 	zone->erefs--;
 	if (zone->erefs == 0) {
-		if (zone->task != NULL) {
+		/*
+		 * We just detached the last external reference.
+		 */
+		if (zone->task != NULL) {	
 			/*
 			 * This zone is being managed.  Post
 			 * its control event and let it clean
@@ -1304,13 +1023,20 @@ dns_zone_detach(dns_zone_t **zonep) {
 			 * no task and can have no outstanding
 			 * events.  Free it immediately.
 			 */
+			/*
+			 * Unmanaged zones should not have non-null views;
+			 * we have no way of detaching from the view here
+			 * without causing deadlock because this code is called
+			 * with the view already locked.
+			 */
+			INSIST(zone->view == NULL);
 			free_now = ISC_TRUE;
 		}
 	}
 	UNLOCK(&zone->lock);
+	*zonep = NULL;
 	if (free_now)
 		zone_free(zone);
-	*zonep = NULL;
 }
 
 void
@@ -1318,13 +1044,14 @@ dns_zone_iattach(dns_zone_t *source, dns_zone_t **target) {
 	REQUIRE(DNS_ZONE_VALID(source));
 	REQUIRE(target != NULL && *target == NULL);
 	source->irefs++;
-	INSIST(source->irefs != 0xffffffffU);
+	INSIST(source->irefs != 0);
 	*target = source;
 }
 
 void
 dns_zone_idetach(dns_zone_t **zonep) {
 	dns_zone_t *zone;
+
 	REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
 	zone = *zonep;
 	REQUIRE(zone->irefs > 0);
@@ -1359,11 +1086,10 @@ dns_zone_tostr(dns_zone_t *zone, isc_mem_t *mctx, char **s) {
 	REQUIRE(s != NULL && *s == NULL);
 	REQUIRE(DNS_ZONE_VALID(zone));
 
-	isc_buffer_init(&tbuf, outbuf, sizeof(outbuf) - 1,
-			ISC_BUFFERTYPE_TEXT);
+	isc_buffer_init(&tbuf, outbuf, sizeof(outbuf) - 1);
 	if (dns_name_countlabels(&zone->origin) > 0) {
 		result = dns_name_totext(&zone->origin, ISC_FALSE, &tbuf);
-		if (result == DNS_R_SUCCESS)
+		if (result == ISC_R_SUCCESS)
 			outbuf[tbuf.used] = '\0';
 		else {
 			strncpy(outbuf, "<name conversion failed>",
@@ -1375,7 +1101,7 @@ dns_zone_tostr(dns_zone_t *zone, isc_mem_t *mctx, char **s) {
 		outbuf[sizeof outbuf - 1] = '\0';
 	}
 	*s = isc_mem_strdup(mctx, outbuf);
-	return ((*s == NULL) ? DNS_R_NOMEMORY : DNS_R_SUCCESS);
+	return ((*s == NULL) ? ISC_R_NOMEMORY : ISC_R_SUCCESS);
 }
 
 void
@@ -1400,31 +1126,15 @@ dns_zone_setoption(dns_zone_t *zone, unsigned int option, isc_boolean_t value)
 		zone->options |= option;
 	else
 		zone->options &= ~option;
-	zone->setoptions |= option;
 	UNLOCK(&zone->lock);
 }
 
-void
-dns_zone_clearoption(dns_zone_t *zone, unsigned int option) {
-	REQUIRE(DNS_ZONE_VALID(zone));
+unsigned int
+dns_zone_getoptions(dns_zone_t *zone) {
 
-	LOCK(&zone->lock);
-	zone->setoptions &= ~option;
-	UNLOCK(&zone->lock);
-}
-
-void
-dns_zone_getoptions(dns_zone_t *zone, unsigned int *options,
-		    unsigned int *optionsmask)
-{
 	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(options != NULL);
-	REQUIRE(optionsmask != NULL);
 
-	LOCK(&zone->lock);
-	*options = zone->options;
-	*optionsmask = zone->setoptions;
-	UNLOCK(&zone->lock);
+	return (zone->options);
 }
 
 isc_result_t
@@ -1457,14 +1167,14 @@ dns_zone_adddbarg(dns_zone_t *zone, char *arg) {
 	zone->db_argv = new;
 	zone->db_argc++;
 	UNLOCK(&zone->lock);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 
  cleanup:
 	if (new != NULL)
 		isc_mem_put(zone->mctx, new,
 			    (zone->db_argc + 1) * sizeof *new);
 	UNLOCK(&zone->lock);
-	return (DNS_R_NOMEMORY);
+	return (ISC_R_NOMEMORY);
 }
 
 void
@@ -1493,7 +1203,7 @@ dns_zone_setxfrsource4(dns_zone_t *zone, isc_sockaddr_t *xfrsource) {
 	zone->xfrsource4 = *xfrsource;
 	UNLOCK(&zone->lock);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_sockaddr_t *
@@ -1510,7 +1220,7 @@ dns_zone_setxfrsource6(dns_zone_t *zone, isc_sockaddr_t *xfrsource) {
 	zone->xfrsource6 = *xfrsource;
 	UNLOCK(&zone->lock);
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_sockaddr_t *
@@ -1520,97 +1230,85 @@ dns_zone_getxfrsource6(dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zone_addnotify(dns_zone_t *zone, isc_sockaddr_t *notify) {
+dns_zone_setnotifyalso(dns_zone_t *zone, isc_sockaddr_t *notify,
+		       isc_uint32_t count)
+{
 	isc_sockaddr_t *new;
-	REQUIRE(DNS_ZONE_VALID(zone));
-	
-	LOCK(&zone->lock);
-	new = isc_mem_get(zone->mctx, (zone->notifycnt + 1) * sizeof *new);
-	if (new == NULL)
-		goto cleanup;
 
-	new[zone->notifycnt] = *notify;
-	if (zone->notifycnt > 0) {
-		memcpy(new, zone->notify, zone->notifycnt * sizeof *new);
-		isc_mem_put(zone->mctx, zone->notify,
-			    zone->notifycnt * sizeof *new);
-	}
-	zone->notify = new;
-	zone->notifycnt++;
-	UNLOCK(&zone->lock);
-	return (DNS_R_SUCCESS);
-
- cleanup:
-	UNLOCK(&zone->lock);
-	return (DNS_R_NOMEMORY);
-}
-
-void
-dns_zone_clearnotify(dns_zone_t *zone) {
 	REQUIRE(DNS_ZONE_VALID(zone));
-
+	REQUIRE((notify == NULL && count == 0) ||
+		(notify != NULL && count != 0));
+	
 	LOCK(&zone->lock);
 	if (zone->notify != NULL) {
 		isc_mem_put(zone->mctx, zone->notify,
-			    zone->notifycnt * sizeof *zone->notify);
+			    zone->notifycnt * sizeof *new);
 		zone->notify = NULL;
 		zone->notifycnt = 0;
 	}
-	UNLOCK(&zone->lock);
-}
+	if (notify == NULL)
+		goto unlock;
 
-isc_result_t
-dns_zone_addmaster(dns_zone_t *zone, isc_sockaddr_t *master) {
-	isc_sockaddr_t *new;
-	REQUIRE(DNS_ZONE_VALID(zone));
-	
-	LOCK(&zone->lock);
-	new = isc_mem_get(zone->mctx, (zone->masterscnt + 1) * sizeof *new);
+	new = isc_mem_get(zone->mctx, count * sizeof *new);
 	if (new == NULL) {
 		UNLOCK(&zone->lock);
-		return (DNS_R_NOMEMORY);
-	}
-	new[zone->masterscnt] = *master;
-	if (zone->masterscnt > 0) {
-		memcpy(new, zone->masters, zone->masterscnt * sizeof *new);
-		isc_mem_put(zone->mctx, zone->masters,
-			    zone->masterscnt * sizeof *new);
+		return (ISC_R_NOMEMORY);
 	}
-	zone->masters = new;
-	zone->masterscnt++;
+	memcpy(new, notify, count * sizeof *new);
+	zone->notify = new;
+	zone->notifycnt = count;
+
+ unlock:
 	UNLOCK(&zone->lock);
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
-void
-dns_zone_clearmasters(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
+isc_result_t
+dns_zone_setmasters(dns_zone_t *zone, isc_sockaddr_t *masters,
+		    isc_uint32_t count)
+{
+	isc_sockaddr_t *new;
 
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE((masters == NULL && count == 0) ||
+		(masters != NULL && count != 0));
+	
 	LOCK(&zone->lock);
-	while (DNS_ZONE_FLAG(zone, DNS_ZONE_F_REFRESH)) {
-		cancel_refresh(zone);
-	}
 	if (zone->masters != NULL) {
 		isc_mem_put(zone->mctx, zone->masters,
-			    zone->masterscnt * sizeof *zone->masters);
+			    zone->masterscnt * sizeof *new);
 		zone->masters = NULL;
 		zone->masterscnt = 0;
-		zone->curmaster = 0;
 	}
+	if (masters == NULL)
+		goto unlock;
+
+	new = isc_mem_get(zone->mctx, count * sizeof *new);
+	if (new == NULL) {
+		UNLOCK(&zone->lock);
+		return (ISC_R_NOMEMORY);
+	}
+	memcpy(new, masters, count * sizeof *new);
+	zone->masters = new;
+	zone->masterscnt = count;
+	zone->flags &= ~DNS_ZONE_F_NOMASTERS;
+
+ unlock:
 	UNLOCK(&zone->lock);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
 dns_zone_getdb(dns_zone_t *zone, dns_db_t **dpb) {
-	isc_result_t result = DNS_R_SUCCESS;
+	isc_result_t result = ISC_R_SUCCESS;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK(&zone->lock);
-	if (zone->top == NULL)
+	if (zone->db == NULL)
 		result = DNS_R_NOTLOADED;
 	else
-		dns_db_attach(zone->top, dpb);
+		dns_db_attach(zone->db, dpb);
 	UNLOCK(&zone->lock);
 
 	return (result);
@@ -1624,6 +1322,7 @@ void
 dns_zone_maintenance(dns_zone_t *zone) {
 	const char me[] = "dns_zone_maintenance";
 	isc_stdtime_t now;
+	isc_result_t result;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 	DNS_ENTER;
@@ -1639,7 +1338,7 @@ dns_zone_maintenance(dns_zone_t *zone) {
 		LOCK(&zone->lock);
 		if (now >= zone->expiretime && 
 		    DNS_ZONE_FLAG(zone, DNS_ZONE_F_LOADED)) {
-			expire(zone);
+			zone_expire(zone);
 			zone->refreshtime = now;
 		}
 		UNLOCK(&zone->lock);
@@ -1670,7 +1369,11 @@ dns_zone_maintenance(dns_zone_t *zone) {
 		if (now >= zone->dumptime &&
 		    DNS_ZONE_FLAG(zone, DNS_ZONE_F_LOADED) &&
 		    DNS_ZONE_FLAG(zone, DNS_ZONE_F_NEEDDUMP)) {
-			dns_zone_dump(zone);
+			result = zone_dump(zone);
+			if (result != ISC_R_SUCCESS)
+				zone_log(zone, "zone_dump", ISC_LOG_WARNING,
+					 "failed: %s",
+					 dns_result_totext(result));
 		}
 		UNLOCK(&zone->lock);
 		break;
@@ -1679,58 +1382,20 @@ dns_zone_maintenance(dns_zone_t *zone) {
 	}
 
 	/*
-	 * Check servers for zone.
+	 * Do we need to send out notify messages?
 	 */
 	switch (zone->type) {
 	case dns_zone_master:
 	case dns_zone_slave:
-	case dns_zone_stub:
-#ifdef notyet
-		if (now >= zone->servertime &&
-		    DNS_ZONE_FLAG(zone, DNS_ZONE_F_LOADED) &&
-		    DNS_ZONE_OPTION(zone, DNS_ZONE_O_SERVERS) &&
-		    !DNS_ZONE_FLAG(zone, DNS_ZONE_F_SERVERS))
-			dns_zone_checkservers(zone);
-#endif
-		break;
-	default:
-		break;
-	}
-
-	/*
-	 * Check parent servers for zone.
-	 */
-	switch (zone->type) {
-	case dns_zone_master:
-	case dns_zone_slave:
-	case dns_zone_stub:
-		if (now >= zone->parenttime &&
-		    DNS_ZONE_FLAG(zone, DNS_ZONE_F_LOADED) &&
-		    DNS_ZONE_OPTION(zone, DNS_ZONE_O_PARENTS) &&
-		    !DNS_ZONE_FLAG(zone, DNS_ZONE_F_PARENTS))
-			dns_zone_checkparents(zone);
-		break;
-	default:
-		break;
-	}
-
-	/*
-	 * Check child servers for zone.
-	 */
-	switch (zone->type) {
-	case dns_zone_master:
-	case dns_zone_slave:
-	case dns_zone_stub:
-		if (now >= zone->childtime &&
-		    DNS_ZONE_FLAG(zone, DNS_ZONE_F_LOADED) &&
-		    DNS_ZONE_OPTION(zone, DNS_ZONE_O_CHILDREN) &&
-		    !DNS_ZONE_FLAG(zone, DNS_ZONE_F_CHILDREN))
-			dns_zone_checkchildren(zone);
-		break;
+		if (DNS_ZONE_FLAG(zone, DNS_ZONE_F_LOADED) &&
+		    DNS_ZONE_FLAG(zone, DNS_ZONE_F_NEEDNOTIFY)) {
+			dns_zone_notify(zone);
+		}
 	default:
 		break;
 	}
-	(void) zone_settimer(zone, now); /*XXX*/
+	if (!DNS_ZONE_FLAG(zone, DNS_ZONE_F_EXITING))
+		(void) zone_settimer(zone, now);
 }
 
 void
@@ -1738,17 +1403,26 @@ dns_zone_expire(dns_zone_t *zone) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK(&zone->lock);
-	expire(zone);
+	zone_expire(zone);
 	UNLOCK(&zone->lock);
 }
 
 static void
-expire(dns_zone_t *zone) {
-	if (DNS_ZONE_FLAG(zone, DNS_ZONE_F_NEEDDUMP))
-		dns_zone_dump(zone);
+zone_expire(dns_zone_t *zone) {
+	isc_result_t result;
+
+	/*
+	 * 'zone' locked by caller.
+	 */
+	if (DNS_ZONE_FLAG(zone, DNS_ZONE_F_NEEDDUMP)) {
+		result = zone_dump(zone);
+		if (result != ISC_R_SUCCESS)
+			zone_log(zone, "zone_dump", ISC_LOG_WARNING,
+				 "failure: %s", dns_result_totext(result));
+	}
 	zone->flags |= DNS_ZONE_F_EXPIRED;
 	dns_zone_setrefresh(zone, DEFAULT_REFRESH, DEFAULT_RETRY);
-	unload(zone);
+	zone_unload(zone);
 }
 
 void
@@ -1757,17 +1431,27 @@ dns_zone_refresh(dns_zone_t *zone) {
 	isc_uint32_t oldflags;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(zone->masterscnt > 0);
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONE_F_EXITING))
+		return;
 
 	isc_stdtime_get(&now);
 
 	/*
 	 * Set DNS_ZONE_F_REFRESH so that there is only one refresh operation
-	 * in progress at the one time.
+	 * in progress at a time.
 	 */
 
 	LOCK(&zone->lock);
 	oldflags = zone->flags;
+	if (zone->masterscnt == 0) {
+		zone->flags |= DNS_ZONE_F_NOMASTERS;
+		if ((oldflags & DNS_ZONE_F_NOMASTERS) == 0)
+			zone_log(zone, "dns_zone_refresh", ISC_LOG_ERROR,
+				 "no masters");
+		UNLOCK(&zone->lock);
+		return;
+	}
 	zone->flags |= DNS_ZONE_F_REFRESH;
 	UNLOCK(&zone->lock);
 	if ((oldflags & DNS_ZONE_F_REFRESH) != 0)
@@ -1780,57 +1464,73 @@ dns_zone_refresh(dns_zone_t *zone) {
 
 	zone->refreshtime = now + zone->retry;
 	zone->curmaster = 0;
-#ifdef notyet
 	/* initiate soa query */
-	soa_query(zone, refresh_callback);
-#else
-	/* initiate zone transfer */
-	xfrin_start_temporary_kludge(zone);
-#endif
+	queue_soa_query(zone);
 }
 
 isc_result_t
 dns_zone_dump(dns_zone_t *zone) {
 	isc_result_t result;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK(&zone->lock);
+	result = zone_dump(zone);
+	UNLOCK(&zone->lock);
+
+	return (result);
+}
+
+static isc_result_t
+zone_dump(dns_zone_t *zone) {
+	isc_result_t result;
 	dns_dbversion_t *version = NULL;
-	dns_db_t *top = NULL;
+	dns_db_t *db = NULL;
 	char *buf;
 	int buflen;
-	FILE *f;
+	FILE *f = NULL;
 	int n;
 	
+	/*
+	 * 'zone' locked by caller.
+	 */
 	REQUIRE(DNS_ZONE_VALID(zone));
 
-	buflen = strlen(zone->database) + 20;
+	buflen = strlen(zone->dbname) + 20;
 	buf = isc_mem_get(zone->mctx, buflen);
-	result = isc_mktemplate(zone->database, buf, buflen);
+	if (buf == NULL)
+	    return (ISC_R_NOMEMORY);
+
+	result = isc_file_mktemplate(zone->dbname, buf, buflen);
 	if (result != ISC_R_SUCCESS)
-		return (result);
-	f = isc_ufile(buf);
-	if (f == NULL) {
-		result = DNS_R_UNEXPECTED;
 		goto cleanup;
-	}
-	dns_db_attach(zone->top, &top);
-	dns_db_currentversion(top, &version);
-	result = dns_master_dumptostream(zone->mctx, top, version,
+
+	result = isc_file_openunique(buf, &f);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	dns_db_attach(zone->db, &db);
+	dns_db_currentversion(db, &version);
+	result = dns_master_dumptostream(zone->mctx, db, version,
 					 &dns_master_style_default, f);
-	dns_db_closeversion(top, &version, ISC_FALSE);
-	dns_db_detach(&top);
+	dns_db_closeversion(db, &version, ISC_FALSE);
+	dns_db_detach(&db);
 	n = fflush(f);
-	if (n != 0)
-		result = DNS_R_UNEXPECTED;
+	if (n != 0 && result == ISC_R_SUCCESS)
+		result = ISC_R_UNEXPECTED;
 	n = ferror(f);
-	if (n != 0)
-		result = DNS_R_UNEXPECTED;
+	if (n != 0 && result == ISC_R_SUCCESS)
+		result = ISC_R_UNEXPECTED;
 	n = fclose(f);
-	if (n != 0)
-		result = DNS_R_UNEXPECTED;
+	if (n != 0 && result == ISC_R_SUCCESS)
+		result = ISC_R_UNEXPECTED;
 	if (result == ISC_R_SUCCESS) {
-		n = rename(buf, zone->database);
+		n = rename(buf, zone->dbname);
 		if (n == -1) {
 			(void)remove(buf);
-			result = DNS_R_UNEXPECTED;
+			result = ISC_R_UNEXPECTED;
+		} else {
+			zone->flags &= ~DNS_ZONE_F_NEEDDUMP;
 		}
 	} else
 		(void)remove(buf);
@@ -1843,16 +1543,16 @@ isc_result_t
 dns_zone_dumptostream(dns_zone_t *zone, FILE *fd) {
 	isc_result_t result;
 	dns_dbversion_t *version = NULL;
-	dns_db_t *top = NULL;
+	dns_db_t *db = NULL;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 
-	dns_db_attach(zone->top, &top);
-	dns_db_currentversion(top, &version);
-	result = dns_master_dumptostream(zone->mctx, top, version,
+	dns_db_attach(zone->db, &db);
+	dns_db_currentversion(db, &version);
+	result = dns_master_dumptostream(zone->mctx, db, version,
 					 &dns_master_style_default, fd);
-	dns_db_closeversion(top, &version, ISC_FALSE);
-	dns_db_detach(&top);
+	dns_db_closeversion(db, &version, ISC_FALSE);
+	dns_db_detach(&db);
 	return (result);
 }
 
@@ -1861,14 +1561,14 @@ dns_zone_unload(dns_zone_t *zone) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK(&zone->lock);
-	unload(zone);
+	zone_unload(zone);
 	UNLOCK(&zone->lock);
 }
 
 static void
-unload(dns_zone_t *zone) {
+zone_unload(dns_zone_t *zone) {
 	/* caller to lock */
-	dns_db_detach(&zone->top);
+	dns_db_detach(&zone->db);
 	zone->flags &= ~DNS_ZONE_F_LOADED;
 }
 
@@ -1879,219 +1579,450 @@ dns_zone_unmount(dns_zone_t *zone) {
 	/*XXX MPA*/
 }
 
-#ifdef notyet
-/*
- * For reference only.  Use dns_zonemanager_managezone() instead.
- */
-static isc_result_t
-dns_zone_manage(dns_zone_t *zone, isc_taskmgr_t *tmgr) {
-#if 1
+void
+dns_zone_setrefresh(dns_zone_t *zone, isc_uint32_t refresh,
+		    isc_uint32_t retry)
+{
 	REQUIRE(DNS_ZONE_VALID(zone));
-	(void)tmgr;
-	dns_zone_maintenance(zone);
-	return (DNS_R_SUCCESS);
-#else
-	isc_result_t result;
+	zone->refresh = refresh;
+	zone->retry = retry;
+}
+
+static isc_boolean_t
+notify_isqueued(dns_zone_t *zone, dns_name_t *name, isc_sockaddr_t *addr) {
+	notify_t *notify;
+
+	for (notify = ISC_LIST_HEAD(zone->notifies);
+	     notify != NULL;
+	     notify = ISC_LIST_NEXT(notify, link)) {
+		if (name != NULL && dns_name_dynamic(&notify->ns) &&
+		    dns_name_equal(name, &notify->ns))
+			return (ISC_TRUE);
+		if (addr != NULL && isc_sockaddr_equal(addr, &notify->dst))
+			return (ISC_TRUE);
+	}
+	return (ISC_FALSE);
+}
+
+static void
+notify_destroy(notify_t *notify) {
+	isc_mem_t *mctx;
 
 	/*
-	 * XXXRTH  Zones do not have resolvers!!!!
+	 * Caller holds zone lock.
 	 */
+	REQUIRE(DNS_NOTIFY_VALID(notify));
 
-	REQUIRE(DNS_ZONE_VALID(zone));
-	REQUIRE(zone->task == NULL);
+	if (notify->zone != NULL) {
+		if (ISC_LINK_LINKED(notify, link))
+			ISC_LIST_UNLINK(notify->zone->notifies, notify, link);
+		dns_zone_idetach(&notify->zone);
+	}
+	if (notify->find != NULL)
+		dns_adb_destroyfind(&notify->find);
+	if (notify->request != NULL)
+		dns_request_destroy(&notify->request);
+	if (dns_name_dynamic(&notify->ns))
+		dns_name_free(&notify->ns, notify->mctx);
+	mctx = notify->mctx;
+	isc_mem_put(notify->mctx, notify, sizeof *notify);
+	isc_mem_detach(&mctx);
+}
 
-	result = isc_task_create(tmgr, zone->mctx, 0, &zone->task);
-	if (result != ISC_R_SUCCESS) {
-		/* XXX */
-		return (DNS_R_UNEXPECTED);
+static isc_result_t
+notify_create(isc_mem_t *mctx, notify_t **notifyp) {
+	notify_t *notify;
+
+	REQUIRE(notifyp != NULL && *notifyp == NULL);
+
+	notify = isc_mem_get(mctx, sizeof *notify);
+	if (notify == NULL)
+		return (ISC_R_NOMEMORY);
+
+	notify->mctx = NULL;
+	isc_mem_attach(mctx, &notify->mctx);
+	notify->zone = NULL;
+	notify->find = NULL;
+	notify->request = NULL;
+	isc_sockaddr_any(&notify->dst);
+	dns_name_init(&notify->ns, NULL);
+	ISC_LINK_INIT(notify, link);
+	notify->magic = NOTIFY_MAGIC;
+	*notifyp = notify;
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * XXXAG should check for DNS_ZONE_F_EXITING
+ */
+static void
+process_adb_event(isc_task_t *task, isc_event_t *ev) {
+	notify_t *notify;
+	isc_eventtype_t result;
+	dns_zone_t *zone = NULL;
+
+	UNUSED(task);
+
+	notify = ev->ev_arg;
+	REQUIRE(DNS_NOTIFY_VALID(notify));
+	result = ev->ev_type;
+	isc_event_free(&ev);
+	dns_zone_iattach(notify->zone, &zone);
+	if (result == DNS_EVENT_ADBNOMOREADDRESSES) {
+		LOCK(&notify->zone->lock);
+		notify_send(notify);
+		UNLOCK(&zone->lock);
+		goto detach;
+	}
+	if (result == DNS_EVENT_ADBMOREADDRESSES) {
+		dns_adb_destroyfind(&notify->find);
+		notify_find_address(notify);
+		goto detach;
 	}
-	result = isc_task_onshutdown(zone->task, zone_shutdown, zone);
+	LOCK(&zone->lock);
+	notify_destroy(notify);
+	UNLOCK(&zone->lock);
+ detach:
+	dns_zone_idetach(&zone);
+}
+
+static void
+notify_find_address(notify_t *notify) {
+	isc_result_t result;
+	unsigned int options;
+	dns_zone_t *zone = NULL;
+
+	REQUIRE(DNS_NOTIFY_VALID(notify));
+	options = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_INET |
+		  DNS_ADBFIND_INET6 | DNS_ADBFIND_RETURNLAME;
+
+	dns_zone_iattach(notify->zone, &zone);
+	result = dns_adb_createfind(zone->view->adb,
+				    zone->task,
+				    process_adb_event, notify,
+				    &notify->ns, dns_rootname,
+				    options, 0, NULL, &notify->find);
+
+	/* Something failed? */
 	if (result != ISC_R_SUCCESS) {
-		/* XXX */
-		return (DNS_R_UNEXPECTED);
-	}
-	if (zone->res == NULL) {
-		isc_socket_t *s;
-		dns_dispatch_t *dispatch;
-
-		RUNTIME_CHECK(isc_socketmgr_create(zone->mctx, &zone->socketmgr)
-			      == ISC_R_SUCCESS);
-		s = NULL;
-		RUNTIME_CHECK(isc_socket_create(zone->socketmgr, PF_INET,
-			      isc_sockettype_udp, &s) == ISC_R_SUCCESS);
-		dispatch = NULL;
-		RUNTIME_CHECK(dns_dispatch_create(zone->mctx, s, zone->task,
-						  4096, 1000, 1000, 17, 19,
-						  &dispatch) == DNS_R_SUCCESS);
-		result = dns_resolver_create(zone->mctx, tmgr, 10, zone->timgr,
-				             zone->rdclass, dispatch,
-					     &zone->res); 
-		if (result != DNS_R_SUCCESS)
-			return (result);
-
-		dns_dispatch_detach(&dispatch);
-		isc_socket_detach(&s);
+		LOCK(&zone->lock);
+		notify_destroy(notify);
+		UNLOCK(&zone->lock);
+		dns_zone_idetach(&zone);
+		return;
 	}
 
-	dns_zone_maintenance(zone);
-	return (DNS_R_SUCCESS);
-#endif
+	/* More addresses pending? */
+	if ((notify->find->options & DNS_ADBFIND_WANTEVENT) != 0) {
+		dns_zone_idetach(&zone);
+		return;
+	}
+
+	/* We have as many addresses as we can get. */
+	LOCK(&zone->lock);
+	notify_send(notify);
+	UNLOCK(&zone->lock);
+	dns_zone_idetach(&zone);
 }
-#endif
 
-void
-dns_zone_setrefresh(dns_zone_t *zone, isc_uint32_t refresh,
-		    isc_uint32_t retry)
-{
-	REQUIRE(DNS_ZONE_VALID(zone));
-	zone->refresh = refresh;
-	zone->retry = retry;
+
+static isc_result_t
+notify_send_queue(notify_t *notify) {
+	isc_event_t *e;
+	isc_result_t result;
+
+	e = isc_event_allocate(notify->mctx, NULL,
+			       DNS_EVENT_NOTIFYSENDTOADDR,
+			       notify_send_toaddr,
+			       notify, sizeof(isc_event_t));
+	if (e == NULL)
+		return (ISC_R_NOMEMORY);
+	e->ev_arg = notify;
+	e->ev_sender = NULL;
+	result = isc_ratelimiter_enqueue(notify->zone->zmgr->rl,
+					 notify->zone->task, &e);
+	if (result != ISC_R_SUCCESS)
+		isc_event_free(&e);
+	return (result);
+}
+
+static void
+notify_send_toaddr(isc_task_t *task, isc_event_t *event) {
+	notify_t *notify;
+	isc_result_t result;
+	dns_message_t *message = NULL;
+	dns_zone_t *zone = NULL;
+
+	notify = event->ev_arg;
+	REQUIRE(DNS_NOTIFY_VALID(notify));
+
+	UNUSED(task);
+
+	LOCK(&notify->zone->lock);
+	dns_zone_iattach(notify->zone, &zone);
+	if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0 ||
+	     DNS_ZONE_FLAG(notify->zone, DNS_ZONE_F_EXITING)) {
+		result = ISC_R_CANCELED;
+		goto cleanup;
+	}
+
+	result = notify_createmessage(notify->zone, &message);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = dns_request_create(notify->zone->view->requestmgr, message,
+				    &notify->dst, 0, 15, notify->zone->task,
+				    notify_done, notify,
+				    &notify->request);
+	dns_message_destroy(&message);
+ cleanup:
+	if (result != ISC_R_SUCCESS)
+		notify_destroy(notify);
+	UNLOCK(&zone->lock);
+	dns_zone_idetach(&zone);
+	isc_event_free(&event);
+}
+
+static void
+notify_send(notify_t *notify) {
+	dns_adbaddrinfo_t *ai;
+	isc_sockaddr_t dst;
+	isc_result_t result;
+	dns_message_t *message = NULL;
+	notify_t *new = NULL;
+
+	/*
+	 * Zone lock held by caller.
+	 */
+	REQUIRE(DNS_NOTIFY_VALID(notify));
+
+	result = notify_createmessage(notify->zone, &message);
+	if (result != ISC_R_SUCCESS)
+		return;
+
+	for (ai = ISC_LIST_HEAD(notify->find->list);
+	     ai != NULL;
+	     ai = ISC_LIST_NEXT(ai, publink)) {
+		dst = *ai->sockaddr;
+		if (isc_sockaddr_getport(&dst) == 0)
+			isc_sockaddr_setport(&dst, 53); /* XXX */
+		if (notify_isqueued(notify->zone, NULL, &dst))
+			continue;
+		new = NULL;
+		result = notify_create(notify->mctx, &new);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		dns_zone_iattach(notify->zone, &new->zone);
+		ISC_LIST_APPEND(new->zone->notifies, new, link);
+		new->dst = dst;
+		result = notify_send_queue(new);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		new = NULL;
+	}
+
+ cleanup:
+	if (new != NULL)
+		notify_destroy(new);
+	notify_destroy(notify);
+	dns_message_destroy(&message);
 }
 
 void
 dns_zone_notify(dns_zone_t *zone) {
-	unsigned int i;
-	dns_name_t *origin = NULL;
-	isc_sockaddr_t addr;
-	dns_rdataset_t nsrdset;
-	dns_rdataset_t ardset;
-	dns_dbversion_t *version = NULL;
-	isc_result_t result;
 	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_name_t *origin = NULL;
+	dns_name_t master;
 	dns_rdata_ns_t ns;
-	dns_rdata_in_a_t a;
+	dns_rdata_soa_t soa;
 	dns_rdata_t rdata;
+	dns_rdataset_t nsrdset;
+	dns_rdataset_t soardset;
+	isc_result_t result;
+	notify_t *notify = NULL;
+	unsigned int i;
+	isc_sockaddr_t dst;
+	isc_boolean_t isqueued;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 
-	if (!DNS_ZONE_OPTION(zone, DNS_ZONE_O_NOTIFY))
+	LOCK(&zone->lock);
+	zone->flags &= ~DNS_ZONE_F_NEEDNOTIFY;
+	UNLOCK(&zone->lock);
+
+	if (!DNS_ZONE_OPTION(zone, DNS_ZONE_O_NOTIFY)) {
 		return;
+	}
 
 	origin = &zone->origin;
 
 	/*
 	 * Enqueue notify request.
 	 */
+	LOCK(&zone->lock);
 	for (i = 0; i < zone->notifycnt; i++) {
-		/* XXX IPv6 */
-		(void)dns_notify(origin, &zone->notify[i], dns_rdatatype_soa,
-			         zone->rdclass, &zone->xfrsource4, zone->mctx);
+		dst = zone->notify[i];
+		if (isc_sockaddr_getport(&dst) == 0)
+			isc_sockaddr_setport(&dst, 53); /* XXX */
+		if (notify_isqueued(zone, NULL, &dst))
+			continue;
+		result = notify_create(zone->mctx, &notify);
+		if (result != ISC_R_SUCCESS) {
+			UNLOCK(&zone->lock);
+			return;
+		}
+		dns_zone_iattach(zone, &notify->zone);
+		notify->dst = dst;
+		ISC_LIST_APPEND(zone->notifies, notify, link);
+		result = notify_send_queue(notify);
+		if (result != ISC_R_SUCCESS) {
+			notify_destroy(notify);
+			UNLOCK(&zone->lock);
+			return;
+		}
+		notify = NULL;
 	}
+	UNLOCK(&zone->lock);
+
+	/*
+	 * Process NS RRset to generate notifies.
+	 */
 
-	dns_db_currentversion(zone->top, &version);
-	result = dns_db_findnode(zone->top, origin, ISC_FALSE, &node);
-	if (result != DNS_R_SUCCESS)
+	dns_db_currentversion(zone->db, &version);
+	result = dns_db_findnode(zone->db, origin, ISC_FALSE, &node);
+	if (result != ISC_R_SUCCESS)
 		goto cleanup1;
 
+	dns_rdataset_init(&soardset);
+	result = dns_db_findrdataset(zone->db, node, version,
+				     dns_rdatatype_soa,
+				     dns_rdatatype_none, 0, &soardset, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup2;
+	
+	/*
+	 * Find master server's name.
+	 */
+	dns_name_init(&master, NULL);
+	result = dns_rdataset_first(&soardset);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(&soardset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &soa, NULL);
+		if (result != ISC_R_SUCCESS)
+			continue;
+		result = dns_name_dup(&soa.origin, zone->mctx, &master);
+		if (result != ISC_R_SUCCESS)
+			continue;
+		result = dns_rdataset_next(&soardset);
+		if (result != ISC_R_NOMORE)
+			break;
+	}
+	dns_rdataset_disassociate(&soardset);
+	if (result != ISC_R_NOMORE)
+		goto cleanup3;
+
 	dns_rdataset_init(&nsrdset);
-	result = dns_db_findrdataset(zone->top, node, version,
+	result = dns_db_findrdataset(zone->db, node, version,
 				     dns_rdatatype_ns,
 				     dns_rdatatype_none, 0, &nsrdset, NULL);
-	if (result != DNS_R_SUCCESS)
-		goto cleanup2;
+	if (result != ISC_R_SUCCESS)
+		goto cleanup3;
 	
 	result = dns_rdataset_first(&nsrdset);
-	while (result == DNS_R_SUCCESS) {
+	while (result == ISC_R_SUCCESS) {
 		dns_rdataset_current(&nsrdset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &ns, zone->mctx);
-		if (result != DNS_R_SUCCESS)
+		result = dns_rdata_tostruct(&rdata, &ns, NULL);
+		if (result != ISC_R_SUCCESS)
 			continue;
 		/*
-		 * Look up address records.
+		 * don't notify the master server.
 		 */
-		/* XXX MPA */
-
-		if (result == DNS_R_NOTFOUND) {
-			/*
-			 * Query for address.
-			 * Arrange for notify to be sent when
-			 * we have it.
-			 */
-			/* XXX MPA*/
-
+		if (dns_name_compare(&master, &ns.name) == 0) {
 			result = dns_rdataset_next(&nsrdset);
 			continue;
-		} else if (result != DNS_R_SUCCESS) {
+		}
+		LOCK(&zone->lock);
+		isqueued = notify_isqueued(zone, &ns.name, NULL);
+		UNLOCK(&zone->lock);
+		if (isqueued) {
 			result = dns_rdataset_next(&nsrdset);
 			continue;
 		}
-		result = dns_rdataset_first(&ardset);
-		while (result == DNS_R_SUCCESS) {
-			dns_rdataset_current(&ardset, &rdata);
-			result = dns_rdata_tostruct(&rdata, &a, zone->mctx);
-			if (result != DNS_R_SUCCESS)
-				continue;
-			/*
-			 * Remove duplicates w/ notify list.
-			 */
-			isc_sockaddr_fromin(&addr, &a.in_addr, 0);
-			for (i = 0; i < zone->notifycnt; i++) {
-				if (isc_sockaddr_equal(&zone->notify[i], &addr))
-					break;
-			}
-			if (i == zone->notifycnt) {
-				/* XXX IPv6 */
-				(void)dns_notify(origin, &addr,
-						 dns_rdatatype_soa,
-						 zone->rdclass,
-						 &zone->xfrsource4, zone->mctx);
-			}
-			result = dns_rdataset_next(&ardset);
+		result = notify_create(zone->mctx, &notify);
+		if (result != ISC_R_SUCCESS)
+			continue;
+		dns_zone_iattach(zone, &notify->zone);
+		result = dns_name_dup(&ns.name, zone->mctx, &notify->ns);
+		if (result != ISC_R_SUCCESS) {
+			LOCK(&zone->lock);
+			notify_destroy(notify);
+			UNLOCK(&zone->lock);
+			continue;
 		}
+		LOCK(&zone->lock);
+		ISC_LIST_APPEND(zone->notifies, notify, link);
+		UNLOCK(&zone->lock);
+		notify_find_address(notify);
+		notify = NULL;
 		result = dns_rdataset_next(&nsrdset);
 	}
-
 	dns_rdataset_disassociate(&nsrdset);
+
+ cleanup3:
+	if (dns_name_dynamic(&master))
+		dns_name_free(&master, zone->mctx);
  cleanup2:
-	dns_db_detachnode(zone->top, &node);
+	dns_db_detachnode(zone->db, &node);
  cleanup1:
-	dns_db_closeversion(zone->top, &version, ISC_FALSE);
+	dns_db_closeversion(zone->db, &version, ISC_FALSE);
 }
 
 /***
  *** Private
  ***/
 
-#ifdef notyet
 static void
 refresh_callback(isc_task_t *task, isc_event_t *event) {
-	dns_fetchevent_t *devent = (dns_fetchevent_t *)event;
+	const char me[] = "refresh_callback";
+	dns_requestevent_t *revent = (dns_requestevent_t *)event;
 	dns_zone_t *zone;
 	dns_message_t *msg = NULL;
 	isc_uint32_t soacnt, cnamecnt, soacount, nscount;
 	isc_stdtime_t now;
-	char *master;
-	isc_buffer_t masterbuf;
-	char mastermem[256];
+	char master[ISC_SOCKADDR_FORMATSIZE];
 	dns_rdataset_t *rdataset;
 	dns_rdata_t rdata;
 	dns_rdata_soa_t soa;
 	isc_result_t result;
 	isc_uint32_t serial;
 
-	zone = devent->arg;
+	zone = revent->ev_arg;
 	INSIST(DNS_ZONE_VALID(zone));
 
+	UNUSED(task);
+
+	DNS_ENTER;
+
 	/*
 	 * if timeout log and next master;
 	 */
 
-	isc_buffer_init(&masterbuf, mastermem, sizeof(mastermem),
-			ISC_BUFFERTYPE_TEXT);
-	result = isc_sockaddr_totext(&zone->masters[zone->curmaster],
-				     &masterbuf);
-	if (result == ISC_R_SUCCESS)
-		master = (char *) masterbuf.base;
-	else
-		master = "<UNKNOWN>";
+	isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
+
+	isc_stdtime_get(&now);
 	
-	if (devent->result != DNS_R_SUCCESS) {
+	if (revent->result != ISC_R_SUCCESS) {
 		zone_log(zone, me, ISC_LOG_INFO, "failure for %s: %s",
-		         master, dns_result_totext(devent->result));
+		         master, dns_result_totext(revent->result));
 		goto next_master;
 	}
 
-	dns_resolver_getanswer(event, &msg);
+	result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+	if (result != ISC_R_SUCCESS)
+		goto next_master;
+	result = dns_request_getresponse(revent->request, msg, ISC_FALSE);
+	if (result != ISC_R_SUCCESS)
+		goto next_master;
 
 	/*
 	 * Unexpected rcode.
@@ -2100,14 +2031,25 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 		char rcode[128];
 		isc_buffer_t rb;
 
-		isc_buffer_init(&rb, rcode, sizeof rcode, ISC_BUFFERTYPE_TEXT);
+		isc_buffer_init(&rb, rcode, sizeof(rcode));
 		dns_rcode_totext(msg->rcode, &rb);
 
 		zone_log(zone, me, ISC_LOG_INFO,
-			 "unexpected rcode (%.*s) from %s\n",
+			 "unexpected rcode (%.*s) from %s",
 			 rb.used, rcode, master);
 		goto next_master;
 	}
+
+	/*
+	 * If truncated punt to zone transfer which will query again.
+	 */
+	if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
+		zone_log(zone, me, ISC_LOG_INFO,
+			 "truncated UDP answer initiating TCP zone xfer %s",
+			 master);
+		goto tcp_transfer;
+	}
+
 	/*
 	 * if non-auth log and next master;
 	 */
@@ -2116,27 +2058,22 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 			 "non-authorative answer from %s", master);
 		goto next_master;
 	}
-	/*
-	 * There should not be a CNAME record at top of zone.
-	 */
+
 	cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname);
 	soacnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_soa);
+	nscount = message_count(msg, DNS_SECTION_AUTHORITY, dns_rdatatype_ns);
+	soacount = message_count(msg, DNS_SECTION_AUTHORITY,
+				 dns_rdatatype_soa);
 
+	/*
+	 * There should not be a CNAME record at top of zone.
+	 */
 	if (cnamecnt != 0) {
 		zone_log(zone, me, ISC_LOG_INFO,
-			 "CNAME discovered: master %s", master);
-		goto next_master;
-	}
-
-	if (soacnt != 1) {
-		zone_log(zone, me, ISC_LOG_INFO,
-		   	 "SOA count (%d) != 1: master %s", soacnt, master);
+			 "CNAME at top of zone discovered: master %s", master);
 		goto next_master;
 	}
 
-	nscount = message_count(msg, DNS_SECTION_AUTHORITY, dns_rdatatype_ns);
-	soacount = message_count(msg, DNS_SECTION_AUTHORITY, dns_rdatatype_soa);
-
 	/*
 	 * if referral log and next master;
 	 */
@@ -2149,92 +2086,224 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 	/*
 	 * if nodata log and next master;
 	 */
-	if (soacnt == 0 && nscount == 0) {
+	if (soacnt == 0 && (nscount == 0 || soacount != 0)) {
 		zone_log(zone, me, ISC_LOG_INFO,
 			 "NODATA from master %s", master);
 		goto next_master;
 	}
 
 	/*
+	 * Only one soa at top of zone.
+	 */
+	if (soacnt != 1) {
+		zone_log(zone, me, ISC_LOG_INFO,
+		   	 "Answer SOA count (%d) != 1: master %s",
+			 soacnt, master);
+		goto next_master;
+	}
+	/*
 	 * Extract serial
 	 */
 	rdataset = NULL;
 	result = dns_message_findname(msg, DNS_SECTION_ANSWER, &zone->origin,
 				      dns_rdatatype_soa, dns_rdatatype_none,
 				      NULL, &rdataset);
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		zone_log(zone, me, ISC_LOG_INFO,
 			 "unable to get soa record from %s", master);
 		goto next_master;
 	}
 
 	result = dns_rdataset_first(rdataset);
-	if (result != DNS_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS) {
 		zone_log(zone, me, ISC_LOG_INFO, "dns_rdataset_first failed");
 		goto next_master;
 	}
 
 	dns_rdataset_current(rdataset, &rdata);
-	result = dns_rdata_tostruct(&rdata, &soa, zone->mctx);
-	if (result != DNS_R_SUCCESS) {
+	result = dns_rdata_tostruct(&rdata, &soa, NULL);
+	if (result != ISC_R_SUCCESS) {
 		zone_log(zone, me, ISC_LOG_INFO, "dns_rdata_tostruct failed");
 		goto next_master;
 	}
 
 	serial = soa.serial;
-	dns_rdata_freestruct(&soa);
+	dns_message_destroy(&msg);
 
+	zone_log(zone, me, ISC_LOG_DEBUG(1), "Serial: new %u, old %u",
+		 serial, zone->serial);
 	if (!DNS_ZONE_FLAG(zone, DNS_ZONE_F_LOADED) ||
 	    isc_serial_gt(serial, zone->serial)) {
-		dns_zone_transfer_in(zone);
+ tcp_transfer:
 		isc_event_free(&event);
-		dns_resolver_destroyfetch(zone->res, &zone->fetch);
+		dns_request_destroy(&zone->request);
+		queue_xfrin(zone);
 	} else if (isc_serial_eq(soa.serial, zone->serial)) {
-		dns_zone_uptodate(zone);
+		if (zone->dbname != NULL) {
+			isc_time_t t;
+			isc_time_set(&t, now, 0);
+			result = isc_file_settime(zone->dbname, &t);
+			if (result != ISC_R_SUCCESS)
+				zone_log(zone, me, ISC_LOG_ERROR,
+					 "isc_file_settime(%s): %s",
+					 zone->dbname,
+					 dns_result_totext(result));
+		}
+		zone->refreshtime = now + zone->refresh;
+		zone->expiretime = now + zone->expire;
 		goto next_master;
 	} else {
+		ZONE_LOG(1, "ahead");
 		goto next_master;
 	}
 	return;
 
  next_master:
+	if (msg != NULL)
+		dns_message_destroy(&msg);
 	LOCK(&zone->lock);
 	isc_event_free(&event);
-	dns_resolver_destroyfetch(zone->res, &zone->fetch);
+	dns_request_destroy(&zone->request);
 	zone->curmaster++;
 	if (zone->curmaster >= zone->masterscnt) {
 		zone->flags &= ~DNS_ZONE_F_REFRESH;
 
-		isc_stdtime_get(&now);
 		zone_settimer(zone, now);
 		UNLOCK(&zone->lock);
 		return;
 	}
 	UNLOCK(&zone->lock);
-	soa_query(zone, refresh_callback);
+	queue_soa_query(zone);
 	return;
 }
-#endif
 
-#ifdef notyet
 static void
-soa_query(dns_zone_t *zone, isc_taskaction_t callback) {
-	dns_name_t *zonename;
+queue_soa_query(dns_zone_t *zone) {
+	const char me[] = "queue_soa_query";
+	isc_event_t *e;
+	dns_zone_t *dummy = NULL;
 	isc_result_t result;
 
-	zonename = &zone->origin;
+	DNS_ENTER;
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONE_F_EXITING)) {
+		cancel_refresh(zone);
+		return;
+	}
+
+	e = isc_event_allocate(zone->mctx, NULL, DNS_EVENT_ZONE,
+			       soa_query, zone, sizeof(isc_event_t));
+	if (e == NULL) {
+		cancel_refresh(zone);
+		return;
+	}
+
+	/*
+	 * Attach so that we won't clean up
+	 * until the event is delivered.
+	 */	
+	dns_zone_iattach(zone, &dummy);
+	
+	e->ev_arg = zone;
+	e->ev_sender = NULL;
+	result = isc_ratelimiter_enqueue(zone->zmgr->rl, zone->task, &e);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_idetach(&dummy);
+		isc_event_free(&e);
+		cancel_refresh(zone);
+	}
+}
+
+static void
+soa_query(isc_task_t *task, isc_event_t *event) {
+	const char me[] = "soa_query";
+	isc_result_t result;
+	dns_message_t *message = NULL;
+	dns_name_t *qname = NULL;
+	dns_rdataset_t *qrdataset = NULL;
+	dns_zone_t *zone = event->ev_arg;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	UNUSED(task);
+
+	DNS_ENTER;
+
+	if (((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0) ||
+	    DNS_ZONE_FLAG(zone, DNS_ZONE_F_EXITING)) {
+		if (!DNS_ZONE_FLAG(zone, DNS_ZONE_F_EXITING))
+			cancel_refresh(zone);
+		isc_event_free(&event);
+		dns_zone_idetach(&zone);
+		return;
+	}
+
+	/* 
+	 * XXX Optimisation: Create message when zone is setup and reuse.
+	 */
+	result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTRENDER,
+				    &message);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	message->opcode = dns_opcode_query;
+	message->rdclass = zone->rdclass;
+
+	result = dns_message_gettempname(message, &qname);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_message_gettemprdataset(message, &qrdataset);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	/*
+	 * Make question.
+	 */
+	dns_name_init(qname, NULL);
+	dns_name_clone(&zone->origin, qname);
+	dns_rdataset_init(qrdataset);
+	dns_rdataset_makequestion(qrdataset, zone->rdclass, dns_rdatatype_soa);
+	ISC_LIST_APPEND(qname->list, qrdataset, link);
+	dns_message_addname(message, qname, DNS_SECTION_QUESTION);
+	qname = NULL;
+	qrdataset = NULL;
+
 	LOCK(&zone->lock);
-	result = dns_resolver_createfetch(zone->res, zonename,
-					  dns_rdatatype_soa,
-					  NULL, NULL, NULL,
-					  DNS_FETCHOPT_UNSHARED,
-					  zone->task, callback, zone,
-					  &zone->fetch);
+	INSIST(zone->masterscnt > 0);
+	INSIST(zone->curmaster < zone->masterscnt);
+	zone->masteraddr = zone->masters[zone->curmaster];
 	UNLOCK(&zone->lock);
-	if (result != DNS_R_SUCCESS)
-		cancel_refresh(zone);
+
+	if (isc_sockaddr_getport(&zone->masteraddr) == 0)
+		isc_sockaddr_setport(&zone->masteraddr, 53); /* XXX */
+	result = dns_request_create(zone->view->requestmgr, message,
+				    &zone->masteraddr, 0,
+				    15 /* XXX */, zone->task,
+				    refresh_callback, zone, &zone->request);
+	if (result != ISC_R_SUCCESS) {
+		zone_log(zone, me, ISC_LOG_DEBUG(1),
+			 "dns_request_create failed: %s",
+			 dns_result_totext(result));
+		goto cleanup;
+	}
+	dns_message_destroy(&message);
+	isc_event_free(&event);
+	dns_zone_idetach(&zone);
+	return;
+
+ cleanup:
+	if (qname != NULL)
+		dns_message_puttempname(message, &qname);
+	if (qrdataset != NULL)
+		dns_message_puttemprdataset(message, &qrdataset);
+	if (message != NULL)
+		dns_message_destroy(&message);
+	cancel_refresh(zone);
+	isc_event_free(&event);
+	dns_zone_idetach(&zone);
+	return;
 }
-#endif
 
 /*
  * Handle the control event.  Note that although this event causes the zone
@@ -2242,22 +2311,62 @@ soa_query(dns_zone_t *zone, isc_taskaction_t callback) {
  */
 static void
 zone_shutdown(isc_task_t *task, isc_event_t *event) {
-	dns_zone_t *zone = (dns_zone_t *) event->arg;
+	dns_zone_t *zone = (dns_zone_t *) event->ev_arg;
+	notify_t *notify;
+	isc_result_t result;
+
 	UNUSED(task);
 	REQUIRE(DNS_ZONE_VALID(zone));
-	INSIST(event->type == DNS_EVENT_ZONECONTROL);
-	INSIST(zone->erefs == 0);
+	INSIST(event->ev_type == DNS_EVENT_ZONECONTROL);
+	INSIST(zone->erefs == 0);	
 	zone_log(zone, "zone_shutdown", ISC_LOG_DEBUG(3), "shutting down");
-	zone->shuttingdown = ISC_TRUE;
+	LOCK(&zone->lock);
+	zone->flags |= DNS_ZONE_F_EXITING;
+	UNLOCK(&zone->lock);
+
+	/*
+	 * If we were waiting for xfrin quota, step out of
+	 * the queue.
+	 */
+	if (zone->statelist == &zone->zmgr->waiting_for_xfrin) {
+		RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
+		ISC_LIST_UNLINK(zone->zmgr->waiting_for_xfrin, zone,
+				statelink);
+		RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
+		zone->statelist = NULL;
+	}
+	
 	if (zone->xfr != NULL)
 		dns_xfrin_shutdown(zone->xfr);
+
+	if (zone->request != NULL)
+		dns_request_cancel(zone->request);
+
+	for (notify = ISC_LIST_HEAD(zone->notifies);
+	     notify != NULL;
+	     notify = ISC_LIST_NEXT(notify, link)) {
+		if (notify->find != NULL)
+			dns_adb_cancelfind(notify->find);
+		if (notify->request != NULL)
+			dns_request_cancel(notify->request);
+	}
+
+	if (zone->timer != NULL) {
+		result = isc_timer_reset(zone->timer, isc_timertype_inactive,
+					 NULL, NULL, ISC_TRUE);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	}
+
+	if (zone->view != NULL)
+		dns_view_weakdetach(&zone->view);
+	    
 	exit_check(zone);
 }
 
 static void
 zone_timer(isc_task_t *task, isc_event_t *event) {
 	const char me[] = "zone_timer";
-	dns_zone_t *zone = (dns_zone_t *)event->arg;
+	dns_zone_t *zone = (dns_zone_t *)event->ev_arg;
 	UNUSED(task);
 
 	DNS_ENTER;
@@ -2282,36 +2391,23 @@ zone_settimer(dns_zone_t *zone, isc_stdtime_t now) {
 
 	switch (zone->type) {
 	case dns_zone_master:
-		if (DNS_ZONE_FLAG(zone, DNS_ZONE_F_NEEDDUMP))
+		if (DNS_ZONE_FLAG(zone, DNS_ZONE_F_NEEDNOTIFY))
+			next = now;
+		if (DNS_ZONE_FLAG(zone, DNS_ZONE_F_NEEDDUMP) &&
+		    (zone->dumptime < next || next == 0))
 			next = zone->dumptime;
-		if (DNS_ZONE_FLAG(zone, DNS_ZONE_F_LOADED)) {
-			if (DNS_ZONE_OPTION(zone, DNS_ZONE_O_SERVERS) &&
-			    (zone->servertime < next || next == 0))
-				next = zone->servertime;
-			if (DNS_ZONE_OPTION(zone, DNS_ZONE_O_PARENTS) &&
-			    (zone->parenttime < next || next == 0))
-				next = zone->parenttime;
-			if (DNS_ZONE_OPTION(zone, DNS_ZONE_O_CHILDREN) &&
-			    (zone->childtime < next || next == 0))
-				next = zone->childtime;
-		}
 		break;
 	case dns_zone_slave:
+		if (DNS_ZONE_FLAG(zone, DNS_ZONE_F_NEEDNOTIFY))
+			next = now;
 	case dns_zone_stub:
-		if (!DNS_ZONE_FLAG(zone, DNS_ZONE_F_REFRESH))
+		if (!DNS_ZONE_FLAG(zone, DNS_ZONE_F_REFRESH) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONE_F_NOMASTERS) &&
+		    (zone->refreshtime < next || next == 0))
 			next = zone->refreshtime;
 		if (DNS_ZONE_FLAG(zone, DNS_ZONE_F_LOADED)) {
 		    	if (zone->expiretime < next || next == 0)
 				next = zone->expiretime;
-			if (DNS_ZONE_OPTION(zone, DNS_ZONE_O_SERVERS) &&
-			    (zone->servertime < next || next == 0))
-				next = zone->servertime;
-			if (DNS_ZONE_OPTION(zone, DNS_ZONE_O_PARENTS) &&
-			    (zone->parenttime < next || next == 0))
-				next = zone->parenttime;
-			if (DNS_ZONE_OPTION(zone, DNS_ZONE_O_CHILDREN) &&
-			    (zone->childtime < next || next == 0))
-				next = zone->childtime;
 		}
 		break;
 	default:
@@ -2334,21 +2430,23 @@ zone_settimer(dns_zone_t *zone, isc_stdtime_t now) {
 		result = isc_timer_reset(zone->timer, isc_timertype_once,
 					  &expires, &interval, ISC_TRUE);
 	}
-	if (result != ISC_R_SUCCESS) {
-		/* XXX */
-		return (DNS_R_UNEXPECTED);
-	}
-	return (DNS_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	return (ISC_R_SUCCESS);
 }
 
 static void
 cancel_refresh(dns_zone_t *zone) {
+	const char me[] = "cancel_refresh";
 	isc_stdtime_t now;
 	/*
 	 * caller to lock.
 	 */
 
 	REQUIRE(DNS_ZONE_VALID(zone));
+
+	DNS_ENTER;
+
 	zone->flags &= ~DNS_ZONE_F_REFRESH;
 	isc_stdtime_get(&now);
 	if (!DNS_ZONE_FLAG(zone, DNS_ZONE_F_EXITING))
@@ -2356,66 +2454,149 @@ cancel_refresh(dns_zone_t *zone) {
 }
 
 static isc_result_t
-dns_notify(dns_name_t *name, isc_sockaddr_t *addr, dns_rdatatype_t type,
-	   dns_rdataclass_t rdclass, isc_sockaddr_t *source, isc_mem_t *mctx)
+notify_createmessage(dns_zone_t *zone, dns_message_t **messagep)
 {
-	dns_message_t *msg = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_message_t *message = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata;
+
+	dns_name_t *tempname = NULL;
+	dns_rdata_t *temprdata = NULL;
+	dns_rdatalist_t *temprdatalist = NULL;
+	dns_rdataset_t *temprdataset = NULL;
+
 	isc_result_t result;
-	isc_buffer_t target;
-	/* dns_rdatalist_t *rdatalist = NULL; */
-	dns_rdatalist_t rdatalist;
-	dns_rdataset_t *rdataset = NULL;
-	char buf[512];
+	isc_region_t r;
+	isc_buffer_t *b = NULL;
 
-	result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &msg);
-	if (result != DNS_R_SUCCESS)
-		return (result);
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(messagep != NULL && *messagep == NULL);
 
-	msg->opcode = dns_opcode_notify;
-	msg->rdclass = rdclass;
-	msg->id = htons(3456); /* XXX */
+	message = NULL;
+	result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTRENDER,
+				    &message);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
 
-	/* result = dns_message_gettemprdatalist(msg, &rdatalist); */
-	ISC_LIST_INIT(rdatalist.rdata);
-	ISC_LINK_INIT(&rdatalist, link);
-	rdatalist.type = type;
-	rdatalist.rdclass = rdclass;
-	rdatalist.ttl = 0;
+	message->opcode = dns_opcode_notify;
+	message->rdclass = zone->rdclass;
 
-	result = dns_message_gettemprdataset(msg, &rdataset);
-	if (result != DNS_R_SUCCESS)
-		goto cleanup;
-	dns_rdataset_init(rdataset);
-	dns_rdatalist_tordataset(&rdatalist, rdataset);
-	ISC_LIST_APPEND(name->list, rdataset, link);
-	dns_message_addname(msg, name, DNS_SECTION_QUESTION);
-	isc_buffer_init(&target, buf, sizeof buf,  ISC_BUFFERTYPE_BINARY);
-	result = dns_message_renderbegin(msg, &target);
-	if (result != DNS_R_SUCCESS)
-		goto cleanup;
-	result = dns_message_rendersection(msg, DNS_SECTION_QUESTION, 0);
-	if (result != DNS_R_SUCCESS)
-		goto cleanup;
-	result = dns_message_rendersection(msg, DNS_SECTION_ANSWER, 0);
-	if (result != DNS_R_SUCCESS)
-		goto cleanup;
-	result = dns_message_rendersection(msg, DNS_SECTION_AUTHORITY, 0);
-	if (result != DNS_R_SUCCESS)
-		goto cleanup;
-	result = dns_message_rendersection(msg, DNS_SECTION_ADDITIONAL, 0);
-	if (result != DNS_R_SUCCESS)
+	result = dns_message_gettempname(message, &tempname);
+	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
-	/* XXX TSIG here */
-	result = dns_message_renderend(msg);
-	if (result != DNS_R_SUCCESS)
+	result = dns_message_gettemprdataset(message, &temprdataset);
+	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
-	/* XXX Queue for sending */
-	addr = addr; /* XXX */
-	source = source; /* XXX */
+	/*
+	 * Make question.
+	 */
+	dns_name_init(tempname, NULL);
+	dns_name_clone(&zone->origin, tempname);
+	dns_rdataset_init(temprdataset);
+	dns_rdataset_makequestion(temprdataset, zone->rdclass,
+				  dns_rdatatype_soa);
+	ISC_LIST_APPEND(tempname->list, temprdataset, link);
+	dns_message_addname(message, tempname, DNS_SECTION_QUESTION);
+	tempname = NULL;
+	temprdataset = NULL;
+	
+	/*
+	 * If the zone is dialup we are done as we don't want to send
+	 * the current soa so as to force a refresh query.
+	 */
+	if (DNS_ZONE_OPTION(zone, DNS_ZONE_O_DIALUP))
+		goto done;
+
+	result = dns_message_gettempname(message, &tempname);
+	if (result != ISC_R_SUCCESS)
+		goto done;
+	result = dns_message_gettemprdata(message, &temprdata);
+	if (result != ISC_R_SUCCESS)
+		goto done;
+	result = dns_message_gettemprdataset(message, &temprdataset);
+	if (result != ISC_R_SUCCESS)
+		goto done;
+	result = dns_message_gettemprdatalist(message, &temprdatalist);
+	if (result != ISC_R_SUCCESS)
+		goto done;
+
+	dns_name_init(tempname, NULL);
+	dns_name_clone(&zone->origin, tempname);
+	dns_db_currentversion(zone->db, &version);
+        result = dns_db_findnode(zone->db, tempname, ISC_FALSE, &node);
+	if (result != ISC_R_SUCCESS)
+		goto done;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(zone->db, node, version,
+				     dns_rdatatype_soa,
+				     dns_rdatatype_none, 0, &rdataset,
+				     NULL);
+	if (result != ISC_R_SUCCESS)
+		goto done;
+	result = dns_rdataset_first(&rdataset);
+	if (result != ISC_R_SUCCESS)
+		goto done;
+	dns_rdata_init(&rdata);
+	dns_rdataset_current(&rdataset, &rdata);
+	dns_rdata_toregion(&rdata, &r);
+	result = isc_buffer_allocate(zone->mctx, &b, r.length);
+	if (result != ISC_R_SUCCESS)
+		goto done;
+	isc_buffer_putmem(b, r.base, r.length);
+	isc_buffer_usedregion(b, &r);
+	dns_rdata_init(temprdata);
+	dns_rdata_fromregion(temprdata, rdata.rdclass, rdata.type, &r);
+	dns_message_takebuffer(message, &b);
+	result = dns_rdataset_next(&rdataset);
+	dns_rdataset_disassociate(&rdataset);
+	if (result != ISC_R_NOMORE)
+		goto done;
+	temprdatalist->rdclass = rdata.rdclass;
+	temprdatalist->type = rdata.type;
+	temprdatalist->covers = 0;
+	temprdatalist->ttl = rdataset.ttl;
+	ISC_LIST_INIT(temprdatalist->rdata);
+	ISC_LIST_APPEND(temprdatalist->rdata, temprdata, link);
+
+	dns_rdataset_init(temprdataset);
+	result = dns_rdatalist_tordataset(temprdatalist, temprdataset);
+	if (result != ISC_R_SUCCESS)
+		goto done;
+
+	ISC_LIST_APPEND(tempname->list, temprdataset, link);
+	dns_message_addname(message, tempname, DNS_SECTION_ANSWER);
+	temprdatalist = NULL;
+	temprdataset = NULL;
+	temprdata = NULL;
+	tempname = NULL;
+
+ done:
+	*messagep = message;
+	message = NULL;
+	result = ISC_R_SUCCESS;
+
  cleanup:
-	dns_message_destroy(&msg);
+	if (node != NULL)
+		dns_db_detachnode(zone->db, &node);
+	if (version != NULL)
+		dns_db_closeversion(zone->db, &version, ISC_FALSE);
+	if (tempname != NULL)
+		dns_message_puttempname(message, &tempname);
+	if (temprdata != NULL)
+		dns_message_puttemprdata(message, &temprdata);
+	if (temprdataset != NULL)
+		dns_message_puttemprdataset(message, &temprdataset);
+	if (temprdatalist != NULL)
+		dns_message_puttemprdatalist(message, &temprdatalist);
+	if (message != NULL)
+		dns_message_destroy(&message);
+
+ fail:
 	return (result);
 }
 
@@ -2447,10 +2628,10 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 	 * If a refresh check is progress, if so just record the
 	 * fact we received a NOTIFY and from where and return. 
 	 * We will perform a new refresh check when the current one
-	 * completes. Return DNS_R_SUCCESS.
+	 * completes. Return ISC_R_SUCCESS.
 	 *
 	 * Otherwise initiate a refresh check using 'from' as the
-	 * first address to check.  Return DNS_R_SUCCESS.
+	 * first address to check.  Return ISC_R_SUCCESS.
 	 */
 
 	/*
@@ -2460,7 +2641,7 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 	if (msg->counts[DNS_SECTION_QUESTION] == 0 ||
 	    dns_message_findname(msg, DNS_SECTION_QUESTION, &zone->origin,
 				 dns_rdatatype_soa, dns_rdatatype_none,
-				 NULL, NULL) != DNS_R_SUCCESS) {
+				 NULL, NULL) != ISC_R_SUCCESS) {
 		UNLOCK(&zone->lock);
 		if (msg->counts[DNS_SECTION_QUESTION] == 0) {
 			zone_log(zone, me, ISC_LOG_NOTICE,
@@ -2475,8 +2656,10 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 	/*
 	 * If we are a master zone just succeed.
 	 */
-	if (zone->type == dns_zone_master)
-		return (DNS_R_SUCCESS);
+	if (zone->type == dns_zone_master) {
+		UNLOCK(&zone->lock);
+		return (ISC_R_SUCCESS);
+	}
 
 	for (i = 0; i < zone->masterscnt; i++)
 		if (isc_sockaddr_eqaddr(from, &zone->masters[i]))
@@ -2484,7 +2667,7 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 
 	if (i >= zone->masterscnt) {
 		UNLOCK(&zone->lock);
-		zone_log(zone, me, ISC_LOG_NOTICE,
+		zone_log(zone, me, ISC_LOG_DEBUG(3),
 			 "REFUSED notify from non master");
 		return (DNS_R_REFUSED);
 	}
@@ -2503,20 +2686,20 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 					      dns_rdatatype_soa,
 					      dns_rdatatype_none, NULL, 
 					      &rdataset);
-		if (result == DNS_R_SUCCESS)
+		if (result == ISC_R_SUCCESS)
 			result = dns_rdataset_first(rdataset);
-		if (result == DNS_R_SUCCESS) {
+		if (result == ISC_R_SUCCESS) {
 			isc_uint32_t serial = 0;
 
 			dns_rdataset_current(rdataset, &rdata);
-			result = dns_rdata_tostruct(&rdata, &soa, zone->mctx);
-			if (result == DNS_R_SUCCESS) {
+			result = dns_rdata_tostruct(&rdata, &soa, NULL);
+			if (result == ISC_R_SUCCESS) {
 				serial = soa.serial;
-				dns_rdata_freestruct(&soa);
 				if (isc_serial_le(serial, zone->serial)) {
 					zone_log(zone, me, ISC_LOG_DEBUG(3),
 						 "zone up to date");
-					return (DNS_R_SUCCESS);
+					UNLOCK(&zone->lock);
+					return (ISC_R_SUCCESS);
 				}
 			}
 		} 
@@ -2533,7 +2716,7 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 		UNLOCK(&zone->lock);
 		zone_log(zone, me, ISC_LOG_DEBUG(3),
 			 "refresh in progress, refresh check queued");
-		return (DNS_R_SUCCESS);
+		return (ISC_R_SUCCESS);
 	}
 	isc_stdtime_get(&now);
 	zone->refreshtime = now;
@@ -2541,7 +2724,7 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 	zone_settimer(zone, now);
 	UNLOCK(&zone->lock);
 	zone_log(zone, me, ISC_LOG_DEBUG(3), "immediate refresh check queued");
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 void
@@ -2669,39 +2852,31 @@ dns_zone_getjournalsize(dns_zone_t *zone) {
 	return (zone->journalsize);
 }
 
-void
-dns_zone_setmasterport(dns_zone_t *zone,  in_port_t port) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	zone->masterport = port;
-}
-
-in_port_t
-dns_zone_getmasterport(dns_zone_t *zone) {
-
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	return (zone->masterport);
-}
-
 static void
-zone_log(dns_zone_t *zone, const char *me, int level,
-		  const char *fmt, ...) {
+zone_log(dns_zone_t *zone, const char *me, int level, const char *fmt, ...) {
 	va_list ap;
 	char message[4096];
 	char namebuf[1024+32];
 	isc_buffer_t buffer;
 	int len;
-	isc_result_t result;
+	isc_result_t result = ISC_R_FAILURE;
 
-	isc_buffer_init(&buffer, namebuf, sizeof namebuf, ISC_BUFFERTYPE_TEXT);
-	result = dns_name_totext(&zone->origin, ISC_FALSE, &buffer);
-	if (result != DNS_R_SUCCESS)
-		(void)isc_buffer_putstr(&buffer, "<UNKNOWN>");
-	(void)isc_buffer_putstr(&buffer, "/");
+	isc_buffer_init(&buffer, namebuf, sizeof(namebuf));
+
+	if (dns_name_dynamic(&zone->origin)) {
+		if (dns_name_equal(&zone->origin, dns_rootname))
+			result = dns_name_totext(&zone->origin, ISC_FALSE,
+						 &buffer);
+		else
+			result = dns_name_totext(&zone->origin, ISC_TRUE,
+						 &buffer);
+	}
+	if (result != ISC_R_SUCCESS)
+		isc_buffer_putstr(&buffer, "<UNKNOWN>");
+
+	isc_buffer_putstr(&buffer, "/");
 	(void)dns_rdataclass_totext(zone->rdclass, &buffer);
-	len = buffer.used;	/* XXX */
+	len = isc_buffer_usedlength(&buffer);
 
 	va_start(ap, fmt);
 	vsnprintf(message, sizeof message, fmt, ap);
@@ -2710,40 +2885,27 @@ zone_log(dns_zone_t *zone, const char *me, int level,
 		      level, "%s: zone %.*s: %s", me, len, namebuf, message);
 }
 
-#ifdef notyet
 static int
 message_count(dns_message_t *msg, dns_section_t section, dns_rdatatype_t type) {
 	isc_result_t result;
 	dns_name_t *name;
 	dns_rdataset_t *curr;
-	int res = 0;
+	int count = 0;
 
 	result = dns_message_firstname(msg, section);
-	while (result == DNS_R_SUCCESS) {
+	while (result == ISC_R_SUCCESS) {
 		name = NULL;
 		dns_message_currentname(msg, section, &name);
 
 		for (curr = ISC_LIST_TAIL(name->list); curr != NULL; 
 		     curr = ISC_LIST_PREV(curr, link)) {
 			if (curr->type == type)
-				res++;
+				count++;
 		}
 		result = dns_message_nextname(msg, section);
 	}
 
-	return (res);
-}
-#endif
-
-void
-dns_zone_setresolver(dns_zone_t *zone, dns_resolver_t *resolver) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	LOCK(&zone->lock);
-	if (zone->res != NULL)
-		dns_resolver_detach(&zone->res);
-	dns_resolver_attach(resolver, &zone->res);
-	UNLOCK(&zone->lock);
+	return (count);
 }
 
 void
@@ -2774,13 +2936,6 @@ dns_zone_getmaxxfrout(dns_zone_t *zone) {
 	return (zone->maxxfrout);
 }
 
-void
-dns_zone_transfer_in(dns_zone_t *zone) {
-	REQUIRE(DNS_ZONE_VALID(zone));
-
-	fprintf(stdout, "dns_zone_transfer_in\n");
-}
-
 dns_zonetype_t dns_zone_gettype(dns_zone_t *zone) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
@@ -2815,7 +2970,7 @@ const char *
 dns_zone_getdatabase(dns_zone_t *zone) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
-	return (zone->database);
+	return (zone->dbname);
 }
 
 void
@@ -2856,6 +3011,27 @@ record_serial() {
 }
 #endif
 
+static void
+notify_done(isc_task_t *task, isc_event_t *event) {
+        const char me[] = "notify_done";
+	notify_t *notify;
+	dns_zone_t *zone = NULL;
+	
+	UNUSED(task);
+
+	notify = event->ev_arg;
+	REQUIRE(DNS_NOTIFY_VALID(notify));
+
+	dns_zone_iattach(notify->zone, &zone);
+	DNS_ENTER;
+	isc_event_free(&event);
+	LOCK(&zone->lock);
+	notify_destroy(notify);
+	UNLOCK(&zone->lock);
+	dns_zone_idetach(&zone);
+}
+
+
 isc_boolean_t
 dns_zone_equal(dns_zone_t *oldzone, dns_zone_t *newzone) {
 	unsigned int i;
@@ -2874,7 +3050,6 @@ dns_zone_equal(dns_zone_t *oldzone, dns_zone_t *newzone) {
 	    oldzone->db_argc != newzone->db_argc ||
 	    oldzone->notifycnt != newzone->notifycnt ||
 	    oldzone->masterscnt != newzone->masterscnt ||
-	    oldzone->masterport != newzone->masterport ||
 	    oldzone->check_names != newzone->check_names ||
 	    oldzone->diff_on_reload != newzone->diff_on_reload ||
 	    oldzone->journalsize != newzone->journalsize)
@@ -2889,10 +3064,6 @@ dns_zone_equal(dns_zone_t *oldzone, dns_zone_t *newzone) {
 	     strcmp(oldzone->journal, newzone->journal) != 0))
 		goto false;
 
-	if ((oldzone->options & oldzone->setoptions) !=
-	    (newzone->options & newzone->setoptions))
-		goto false;
-
 	if ((oldzone->db_type == NULL && newzone->db_type != NULL) ||
 	    (oldzone->db_type != NULL && newzone->db_type == NULL) ||
 	    (oldzone->db_type != NULL &&
@@ -2950,13 +3121,13 @@ dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 	
 	REQUIRE(DNS_ZONE_VALID(zone));
 	LOCK(&zone->lock);
-	result = replacedb(zone, db, dump);
+	result = zone_replacedb(zone, db, dump);
 	UNLOCK(&zone->lock);
 	return (result);
 }
 
 static isc_result_t
-replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
+zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 	dns_dbversion_t *ver;
 	isc_result_t result;
 
@@ -2970,16 +3141,15 @@ replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 	 * subsequent versions may be journalled instead if this
 	 * is enabled in the configuration.
 	 */
-	if (zone->top != NULL && zone->journal != NULL &&
+	if (zone->db != NULL && zone->journal != NULL &&
 	    zone->diff_on_reload) {
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
 			      DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
 			      "generating diffs");
-		result = dns_db_diff(zone->mctx, 
-					db, ver,
-					zone->top, NULL /* XXX */,
-					zone->journal);
-		if (result != DNS_R_SUCCESS)
+		result = dns_db_diff(zone->mctx, db, ver,
+				     zone->db, NULL /* XXX */,
+				     zone->journal);
+		if (result != ISC_R_SUCCESS)
 			goto fail;
 	} else {
 		if (dump) {
@@ -2987,15 +3157,24 @@ replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 				      DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
 				      "dumping new zone version");
 			/* XXX should use temporary file and rename */
-			result = dns_db_dump(db, ver, zone->database);
-			if (result != DNS_R_SUCCESS)
+			result = dns_db_dump(db, ver, zone->dbname);
+			if (result != ISC_R_SUCCESS)
 				goto fail;
+
+			/*
+			 * Update the time the zone was updated, so
+			 * dns_zone_load can avoid loading it when
+			 * the server is reloaded.  If isc_time_now
+			 * fails for some reason, all that happens is
+			 * the timestamp is not updated.
+			 */
+			(void)isc_time_now(&zone->loadtime);
 		}
 		if (zone->journal != NULL) {
 			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
 				      DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
 				      "removing journal file");
-			(void) remove(zone->journal);
+			(void)remove(zone->journal);
 		}
 	}
 	dns_db_closeversion(db, &ver, ISC_FALSE);
@@ -3004,11 +3183,11 @@ replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 		      DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
 		      "replacing zone database");
 	
-	if (zone->top != NULL)
-		dns_db_detach(&zone->top);
-	dns_db_attach(db, &zone->top);
-	zone->flags |= DNS_ZONE_F_LOADED;
-	return (DNS_R_SUCCESS);
+	if (zone->db != NULL)
+		dns_db_detach(&zone->db);
+	dns_db_attach(db, &zone->db);
+	zone->flags |= DNS_ZONE_F_LOADED|DNS_ZONE_F_NEEDNOTIFY;
+	return (ISC_R_SUCCESS);
 	
  fail:
 	dns_db_closeversion(db, &ver, ISC_FALSE);
@@ -3016,10 +3195,13 @@ replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 }
 
 static void
-xfrdone(dns_zone_t *zone, isc_result_t result) {
-	const char me[] = "xfrdone";
+zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
+	const char me[] = "zone_xfrdone";
 	isc_stdtime_t now;
 	isc_boolean_t again = ISC_FALSE;
+	unsigned int soacount;
+	unsigned int nscount;
+	isc_uint32_t serial, refresh, retry, expire, minimum;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 
@@ -3031,13 +3213,66 @@ xfrdone(dns_zone_t *zone, isc_result_t result) {
 
 	isc_stdtime_get(&now);
 	switch (result) {
+	case ISC_R_SUCCESS:
+		zone->flags |= DNS_ZONE_F_NEEDNOTIFY;
 	case DNS_R_UPTODATE:
-	case DNS_R_SUCCESS:
+		/*
+		 * This is not neccessary if we just performed a AXFR
+		 * however it is necessary for an IXFR / UPTODATE and
+		 * won't hurt with an AXFR.
+		 */
+		if (zone->dbname != NULL) {
+			isc_time_t t;
+			isc_time_set(&t, now, 0);
+			result = isc_file_settime(zone->dbname, &t);
+			if (result != ISC_R_SUCCESS)
+				zone_log(zone, me, ISC_LOG_ERROR,
+					 "isc_file_settime(%s): %s",
+					 zone->dbname,
+					 dns_result_totext(result));
+		}
+
+		/*
+		 * Update the zone structure's data from the actual
+		 * SOA received.
+		 */
+		nscount = 0;
+		soacount = 0;
+		INSIST(zone->db != NULL);
+		result = zone_get_from_db(zone->db, &zone->origin, &nscount,
+					  &soacount, &serial, &refresh,
+					  &retry, &expire, &minimum);
+		if (result == ISC_R_SUCCESS) {
+			if (soacount != 1)
+				zone_log(zone, me, ISC_LOG_ERROR,
+					 "has %d SOA record%s", soacount,
+					 (soacount != 0) ? "s" : "");
+			if (nscount == 0)
+				zone_log(zone, me, ISC_LOG_ERROR,
+					 "no NS records");
+			zone->serial = serial;
+			zone->refresh = RANGE(refresh, DNS_MIN_REFRESH,
+					      DNS_MAX_REFRESH);
+			zone->retry = RANGE(retry, DNS_MIN_REFRESH,
+					    DNS_MAX_REFRESH);
+			zone->expire = RANGE(expire,
+					     zone->refresh + zone->retry,
+					     DNS_MAX_EXPIRE);
+			zone->minimum = minimum;
+		}
+
+		/*
+		 * Set our next update/expire times.
+		 */
 		if (DNS_ZONE_FLAG(zone, DNS_ZONE_F_NEEDREFRESH)) {
 			zone->flags &= ~DNS_ZONE_F_NEEDREFRESH;
 			zone->refreshtime = now;
-		} else
+			zone->expiretime = now + zone->expire;
+		} else {
 			zone->refreshtime = now + zone->refresh;
+			zone->expiretime = now + zone->expire;
+		}
+	
 		break;
 
 	default:
@@ -3064,10 +3299,21 @@ xfrdone(dns_zone_t *zone, isc_result_t result) {
 		dns_xfrin_detach(&zone->xfr);
 
 	/*
+	 * This transfer finishing freed up a transfer quota slot.
+	 * Let any zones waiting for quota have it.
+	 */
+	RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);	
+	ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone, statelink);
+	zone->statelist = NULL;
+	if (!DNS_ZONE_FLAG(zone, DNS_ZONE_F_EXITING))
+		zmgr_resume_xfrs(zone->zmgr);
+	RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
+	
+	/*
 	 * Retry with a different server if necessary.
 	 */
-	if (again)
-		xfrin_start_temporary_kludge(zone);
+	if (again && !DNS_ZONE_FLAG(zone, DNS_ZONE_F_EXITING))
+		queue_soa_query(zone);
 }
 
 void
@@ -3085,34 +3331,136 @@ dns_zone_setssutable(dns_zone_t *zone, dns_ssutable_t *table) {
 	zone->ssutable = table;
 }
 
-/***
- ***	Zone manager. 
- ***/
-
 static void
-xfrin_start_temporary_kludge(dns_zone_t *zone) {
+queue_xfrin(dns_zone_t *zone) {
+	const char me[] = "queue_xfrin";
 	isc_result_t result;
-	isc_sockaddr_t master;
-	in_port_t port;
+	dns_zonemgr_t *zmgr = zone->zmgr;
 
-	if (zone->masterscnt < 1)
-		return;
+	DNS_ENTER;
+
+	INSIST(zone->statelist == NULL);
+
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);	
+	ISC_LIST_APPEND(zmgr->waiting_for_xfrin, zone, statelink);
+	zone->statelist = &zmgr->waiting_for_xfrin;
+	result = zmgr_start_xfrin_ifquota(zmgr, zone);
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);	
+
+	if (result == ISC_R_QUOTA) {
+		zone_log(zone, me, ISC_LOG_DEBUG(1),
+			 "zone transfer deferred due to quota");
+	} else if (result != ISC_R_SUCCESS) {
+		zone_log(zone, me, ISC_LOG_ERROR,
+			 "starting zone transfer: %s",
+			 isc_result_totext(result));
+	}
+}
+
+/*
+ * This event callback is called when a zone has received
+ * any necessary zone transfer quota.  This is the time
+ * to go ahead and start the transfer.
+ */
+static void
+got_transfer_quota(isc_task_t *task, isc_event_t *event) {
+	const char me[] = "got_transfer_quota";
+	isc_result_t result;
+	dns_peer_t *peer = NULL;
+	dns_tsigkey_t *tsigkey = NULL;
+	dns_name_t *keyname = NULL;
+	char mastertext[256];
+	dns_rdatatype_t xfrtype;
+	dns_zone_t *zone = event->ev_arg;
+	isc_netaddr_t masterip;
+	
+	UNUSED(task);
+	
+	INSIST(task == zone->task);
 
-	master = zone->masters[zone->curmaster];
+	if (DNS_ZONE_FLAG(zone, DNS_ZONE_F_EXITING)) {
+		result = ISC_R_CANCELED;
+		goto cleanup;
+	}
+	
+	isc_sockaddr_format(&zone->masteraddr, mastertext, sizeof(mastertext));
+	
+	isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
+	(void)dns_peerlist_peerbyaddr(zone->view->peers,
+				      &masterip, &peer);
 	
-	port = zone->masterport; 
-	if (port == 0)
-		port = 53; /* XXX is this the right place? */
-	isc_sockaddr_setport(&master, port);
+	/*
+	 * Decide whether we should request IXFR or AXFR.
+	 */
+	if (zone->db == NULL) {
+		zone_log(zone, me, ISC_LOG_DEBUG(3), 
+			 "no database exists yet, requesting AXFR of "
+			 "initial version from %s", mastertext);
+		xfrtype = dns_rdatatype_axfr;
+	} else {
+		isc_boolean_t use_ixfr = ISC_TRUE;
+		if (peer != NULL &&
+		    dns_peer_getrequestixfr(peer, &use_ixfr) ==
+		    ISC_R_SUCCESS) {
+			; /* Using peer setting */ 
+		} else {
+			use_ixfr = zone->view->requestixfr;
+		}
+		if (use_ixfr == ISC_FALSE) {
+			zone_log(zone, me, ISC_LOG_DEBUG(3),
+				 "IXFR disabled, requesting AXFR from %s",
+				 mastertext);
+			xfrtype = dns_rdatatype_axfr;			
+		} else {
+			zone_log(zone, me, ISC_LOG_DEBUG(3),
+				 "requesting IXFR form %s",
+				 mastertext);
+			xfrtype = dns_rdatatype_ixfr;
+		}
+	}
 
-	result = dns_xfrin_create(zone, &master, zone->mctx,
+	/*
+	 * Determine if we should attempt to sign the request with TSIG.
+	 */
+	if (peer != NULL && dns_peer_getkey(peer, &keyname) == ISC_R_SUCCESS) {
+		dns_view_t *view = dns_zone_getview(zone);
+		result = dns_tsigkey_find(&tsigkey, keyname, NULL,
+					  view->statickeys);
+		if (result == ISC_R_NOTFOUND)
+			result = dns_tsigkey_find(&tsigkey, keyname, NULL,
+						  view->dynamickeys);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+			zone_log(zone, me, ISC_LOG_ERROR,
+				 "error getting tsig keys for zone transfer: %s",
+				 isc_result_totext(result));
+			goto cleanup;
+		}
+	}
+
+	result = dns_xfrin_create(zone, xfrtype, &zone->masteraddr,
+				  tsigkey, zone->mctx,
 				  zone->zmgr->timermgr, zone->zmgr->socketmgr,
-				  zone->task,
-				  xfrdone, &zone->xfr);
-	if (result != DNS_R_SUCCESS)
-		xfrdone(zone, result);
+				  zone->task, zone_xfrdone, &zone->xfr);
+ cleanup:
+	/*
+	 * Any failure in this function is handled like a failed
+	 * zone transfer.  This ensures that we get removed from
+	 * zmgr->xfrin_in_progress.
+	 */
+	if (result != ISC_R_SUCCESS)
+		zone_xfrdone(zone, result);
+	
+	isc_event_free(&event);
+
+	dns_zone_detach(&zone); /* XXXAG */
+	return;
+
 }
 
+/***
+ ***	Zone manager. 
+ ***/
+
 isc_result_t
 dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 		   isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
@@ -3120,23 +3468,29 @@ dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 {
 	dns_zonemgr_t *zmgr;
 	isc_result_t result;
+	isc_interval_t interval;
 
 	zmgr = isc_mem_get(mctx, sizeof *zmgr);
 	if (zmgr == NULL)
 		return (ISC_R_NOMEMORY);
-	zmgr->mctx = mctx;
+	zmgr->mctx = NULL;
+	zmgr->refs = 1;
+	isc_mem_attach(mctx, &zmgr->mctx);
 	zmgr->taskmgr = taskmgr;
 	zmgr->timermgr = timermgr;
 	zmgr->socketmgr = socketmgr;
 	zmgr->zonetasks = NULL;
 	zmgr->task = NULL;
+	zmgr->rl = NULL;
 	ISC_LIST_INIT(zmgr->zones);
+	ISC_LIST_INIT(zmgr->waiting_for_xfrin);
+	ISC_LIST_INIT(zmgr->xfrin_in_progress);
 	result = isc_rwlock_init(&zmgr->rwlock, 0, 0);
 	if (result != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_rwlock_init() failed: %s",
 				 isc_result_totext(result));
-		result = DNS_R_UNEXPECTED;
+		result = ISC_R_UNEXPECTED;
 		goto free_mem;
 	}
 	result = isc_rwlock_init(&zmgr->conflock, 1, 1);
@@ -3144,39 +3498,39 @@ dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_rwlock_init() failed: %s",
 				 isc_result_totext(result));
-		result = DNS_R_UNEXPECTED;
+		result = ISC_R_UNEXPECTED;
 		goto free_rwlock;
 	}
 
 	zmgr->transfersin = 10;
 	zmgr->transfersperns = 2;
 	
-	result = dns_xfrinlist_init(&zmgr->transferlist);
-	if (result != ISC_R_SUCCESS) {
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "dns_transferlist_init() failed: %s",
-				 isc_result_totext(result));
-		result = DNS_R_UNEXPECTED;
-		goto free_conflock;
-	}
-
 	/* Create the zone task pool. */
 	result = isc_taskpool_create(taskmgr, mctx, 
 				     8 /* XXX */, 0, &zmgr->zonetasks);
 	if (result != ISC_R_SUCCESS)
-		goto free_transferlist;
+		goto free_conflock;
 
 	/* Create a single task for queueing of SOA queries. */
-	result = isc_task_create(taskmgr, mctx, 1, &zmgr->task);
+	result = isc_task_create(taskmgr, 1, &zmgr->task);
 	if (result != ISC_R_SUCCESS)
 		goto free_taskpool;
 	isc_task_setname(zmgr->task, "zmgr", zmgr);
+	result = isc_ratelimiter_create(mctx, timermgr, zmgr->task,
+					&zmgr->rl);
+	if (result != ISC_R_SUCCESS)
+		goto free_task;
+	/* 20 refresh queries / notifies per second. */
+	isc_interval_set(&interval, 0, 1000000000/2);
+	result = isc_ratelimiter_setinterval(zmgr->rl, &interval);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	isc_ratelimiter_setpertic(zmgr->rl, 10);
 
 	*zmgrp = zmgr;
 	return (ISC_R_SUCCESS);
 
- free_transferlist:
-	dns_xfrinlist_destroy(&zmgr->transferlist);
+ free_task:
+	isc_task_detach(&zmgr->task);
  free_taskpool:
 	isc_taskpool_destroy(&zmgr->zonetasks);	
  free_conflock:
@@ -3185,6 +3539,7 @@ dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	isc_rwlock_destroy(&zmgr->rwlock);
  free_mem:
 	isc_mem_put(zmgr->mctx, zmgr, sizeof *zmgr);
+	isc_mem_detach(&mctx);
 	return (result);
 }
 
@@ -3205,6 +3560,13 @@ dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
 					   ISC_FALSE),
 			     &zone->task);
 
+	/*
+	 * Set the task name.  The tag will arbitrarily point to one
+	 * of the zones sharing the task (in practice, the one
+	 * to be managed last).
+	 */
+	isc_task_setname(zone->task, "zone", zone);
+
 	result = isc_timer_create(zmgr->timermgr, isc_timertype_inactive,
 				  NULL, NULL,
 				  zmgr->task, zone_timer, zone,
@@ -3212,14 +3574,14 @@ dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_task;
 
-	zone->zmgr = zmgr;
 	ISC_LIST_APPEND(zmgr->zones, zone, link);
+	zone->zmgr = zmgr;
+	zmgr->refs++;
 
 	goto unlock;
 
  cleanup_task:
-	if (zone->task != NULL)
-		isc_task_detach(&zone->task);
+	isc_task_detach(&zone->task);
 	
  unlock:
 	UNLOCK(&zone->lock);
@@ -3227,24 +3589,41 @@ dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
 	return (result);
 }
 
-static void
-releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
-	/*
-	 * Caller to lock zone and zmgr
-	 */
-	ISC_LIST_UNLINK(zmgr->zones, zone, link);
-	zone->zmgr = NULL;
-}
-
 void
 dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
+	isc_boolean_t free_now = ISC_FALSE;
+	
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
 	LOCK(&zone->lock);
-	releasezone(zmgr, zone);
+
+	ISC_LIST_UNLINK(zmgr->zones, zone, link);
+	zone->zmgr = NULL;
+	zmgr->refs--;
+	if (zmgr->refs == 0)
+		free_now = ISC_TRUE;
+	
 	UNLOCK(&zone->lock);
 	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+
+	if (free_now)
+		zonemgr_free(zmgr);
+}
+
+void
+dns_zonemgr_detach(dns_zonemgr_t **zmgrp) {
+	dns_zonemgr_t *zmgr = *zmgrp;
+	isc_boolean_t free_now = ISC_FALSE;
+	
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	zmgr->refs--;
+	if (zmgr->refs == 0)
+		free_now = ISC_TRUE;
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+
+	if (free_now)
+		zonemgr_free(zmgr);
 }
 
 isc_result_t
@@ -3264,34 +3643,28 @@ dns_zonemgr_forcemaint(dns_zonemgr_t *zmgr) {
 
 void
 dns_zonemgr_shutdown(dns_zonemgr_t *zmgr) {
+	isc_ratelimiter_shutdown(zmgr->rl);
+}
+
+static void
+zonemgr_free(dns_zonemgr_t *zmgr) {
+	isc_mem_t *mctx;
+
+	INSIST(zmgr->refs == 0);
+	INSIST(ISC_LIST_EMPTY(zmgr->zones));
+
 	if (zmgr->task != NULL)
 		isc_task_destroy(&zmgr->task);
 	if (zmgr->zonetasks != NULL)
 		isc_taskpool_destroy(&zmgr->zonetasks);
-}
-
-void
-dns_zonemgr_destroy(dns_zonemgr_t **zmgrp) {
-	dns_zonemgr_t *zmgr = *zmgrp;
-	dns_zone_t *zone;
-
-	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
-	zone = ISC_LIST_HEAD(zmgr->zones);
-	while (zone != NULL) {
-		LOCK(&zone->lock);
-		releasezone(zmgr, zone);
-		UNLOCK(&zone->lock);
-		zone = ISC_LIST_HEAD(zmgr->zones);
-	}
-	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
 
-	/* Probably done already, but does not hurt to repeat. */
-	dns_zonemgr_shutdown(zmgr);
+	isc_ratelimiter_destroy(&zmgr->rl);
 
 	isc_rwlock_destroy(&zmgr->conflock);
 	isc_rwlock_destroy(&zmgr->rwlock);
+	mctx = zmgr->mctx;
 	isc_mem_put(zmgr->mctx, zmgr, sizeof *zmgr);
-	*zmgrp = NULL;
+	isc_mem_detach(&mctx);
 }
 
 void
@@ -3324,23 +3697,144 @@ dns_zonemgr_getttransfersperns(dns_zonemgr_t *zmgr) {
 	return (zmgr->transfersperns);
 }
 
-dns_xfrinlist_t	*
-dns_zonemgr_gettransferlist(dns_zonemgr_t *zmgr) {
-	return (&zmgr->transferlist);
+/*
+ * Try to start a new incoming zone transfer to fill a quota
+ * slot that was just vacated.
+ *
+ * Requires:
+ *	The zone manager is locked by the caller.
+ */
+static void
+zmgr_resume_xfrs(dns_zonemgr_t *zmgr) {
+	static char me[] = "zmgr_resume_xfrs";
+	dns_zone_t *zone;
+	
+	for (zone = ISC_LIST_HEAD(zmgr->waiting_for_xfrin);
+	     zone != NULL;
+	     zone = ISC_LIST_NEXT(zone, statelink))
+	{
+		isc_result_t result;
+		result = zmgr_start_xfrin_ifquota(zmgr, zone);
+		if (result == ISC_R_SUCCESS) {
+			/*
+			 * We successfully filled the slot.  We're done.
+			 */
+			break;
+		} else if (result == ISC_R_QUOTA) {
+			/*
+			 * Not enough quota.  This is probably the per-server 
+			 * quota, because we only get called when a unit of 
+			 * global quota has just been freed.  Try the next 
+			 * zone, it may succeed if it uses another master.
+			 */
+			continue;
+		} else {
+			zone_log(zone, me, ISC_LOG_DEBUG(3), 
+				 "starting zone transfer: %s",
+				 isc_result_totext(result));
+			break;
+		}
+	}
 }
+		
+/*
+ * Try to start an incoming zone transfer for 'zone', quota permitting.
+ *
+ * Requires:
+ *	The zone manager is locked by the caller.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS	There was enough quota and we attempted to
+ *			start a transfer.  zone_xfrdone() has been or will
+ *			be called.
+ *	ISC_R_QUOTA	Not enough quota.
+ *	Others		Failure.
+ */
+static isc_result_t
+zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
+	dns_peer_t *peer = NULL;
+	isc_netaddr_t masterip;
+	int nxfrsin, nxfrsperns;
+	dns_zone_t *x;
+	int maxtransfersin, maxtransfersperns;
+	isc_event_t *e;
 
-void
-dns_zonemgr_setrequestixfr(dns_zonemgr_t *zmgr, isc_boolean_t value) {
-	zmgr->requestixfr = value;
-}
+	/*
+	 * Find any configured information about the server we'd
+	 * like to transfer this zone from.
+	 */
+	isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
+	(void)dns_peerlist_peerbyaddr(zone->view->peers,
+				      &masterip, &peer);
 
-isc_boolean_t
-dns_zonemgr_getrequestixfr(dns_zonemgr_t *zmgr) {
-	return (zmgr->requestixfr);
+	/*
+	 * Determine the total maximum number of simultaneous
+	 * transfers allowed, and the maximum for this specific
+	 * master.
+	 */
+	maxtransfersin = zmgr->transfersin;
+	maxtransfersperns = zmgr->transfersperns;
+	if (peer != NULL)
+		(void)dns_peer_gettransfers(peer, &maxtransfersperns);
+
+	/* 
+	 * Count the total number of transfers that are in progress,
+	 * and the number of transfers in progress from this master.
+	 * We linearly scan a list of all transfers; if this turns
+	 * out to be too slow, we could hash on the master address.
+	 */
+	nxfrsin = nxfrsperns = 0;
+	for (x = ISC_LIST_HEAD(zmgr->xfrin_in_progress);
+	     x != NULL;
+	     x = ISC_LIST_NEXT(x, statelink))
+	{
+		isc_netaddr_t xip;
+		isc_netaddr_fromsockaddr(&xip, &x->masteraddr);
+		nxfrsin++;
+		if (isc_netaddr_equal(&xip, &masterip))
+			nxfrsperns++;
+	}
+
+	/* Enforce quota. */
+	if (nxfrsin >= maxtransfersin)
+		return (ISC_R_QUOTA);
+
+	if (nxfrsperns >= maxtransfersperns)
+		return (ISC_R_QUOTA);
+
+	/*
+	 * We have sufficient quota.  Move the zone to the "xfrin_in_progress"
+	 * list and send it an event to let it start the actual transfer in the
+	 * context of its own task.
+	 */
+	e = isc_event_allocate(zmgr->mctx, zmgr,
+			       DNS_EVENT_ZONESTARTXFRIN,
+			       got_transfer_quota, zone,
+			       sizeof(isc_event_t));
+	if (e == NULL)
+		return (ISC_R_NOMEMORY);
+
+	LOCK(&zone->lock);
+	INSIST(zone->statelist == &zmgr->waiting_for_xfrin);
+	ISC_LIST_UNLINK(zmgr->waiting_for_xfrin, zone, statelink);
+	ISC_LIST_APPEND(zmgr->xfrin_in_progress, zone, statelink);
+	zone->statelist = &zmgr->xfrin_in_progress;
+	/*
+	 * Make sure the zone does not go away before it has processed
+	 * the event; in effect, the event is attached to the zone.
+	 *
+	 * XXXAG This should be done as soon as the zone goes on the
+	 * queue, using irefs.
+	 */
+	zone->erefs++;
+	isc_task_send(zone->task, &e);
+	UNLOCK(&zone->lock);
+	
+	return (ISC_R_SUCCESS);
 }
 
 #if 0
-/* hook for ondestroy notifcation from a database. */
+/* Hook for ondestroy notifcation from a database. */
 
 static void
 dns_zonemgr_dbdestroyed(isc_task_t *task, isc_event_t *event) {
@@ -3353,5 +3847,4 @@ dns_zonemgr_dbdestroyed(isc_task_t *task, isc_event_t *event) {
 		      DNS_LOGMODULE_ZONE, ISC_LOG_INFO,
 		      "database (%p) destroyed", (void*) db);
 }
-
 #endif
diff --git a/lib/dns/zoneconf.c b/lib/dns/zoneconf.c
index 0b34a280..c68e44dd 100644
--- a/lib/dns/zoneconf.c
+++ b/lib/dns/zoneconf.c
@@ -17,13 +17,10 @@
 
 #include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/mem.h>
-#include <isc/result.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/util.h>
 
-#include <dns/aclconf.h>
-#include <dns/types.h>
+#include <dns/acl.h>
 #include <dns/zone.h>
 #include <dns/zoneconf.h>
 #include <dns/ssu.h>
@@ -37,10 +34,14 @@
  * Convenience function for configuring a single zone ACL.
  */
 static isc_result_t
-configure_zone_acl(dns_c_zone_t *czone, dns_c_ctx_t *cctx,
+configure_zone_acl(dns_c_zone_t *czone, dns_c_ctx_t *cctx, dns_c_view_t *cview,
 		   dns_aclconfctx_t *aclconfctx, dns_zone_t *zone,
-		   isc_result_t (*getcacl)(dns_c_zone_t *, dns_c_ipmatchlist_t **),
-		   isc_result_t (*getdefaultcacl)(dns_c_ctx_t *, dns_c_ipmatchlist_t **),
+		   isc_result_t (*getcacl)(dns_c_zone_t *,
+					   dns_c_ipmatchlist_t **),
+		   isc_result_t (*getviewcacl)(dns_c_view_t *
+					       , dns_c_ipmatchlist_t **),
+		   isc_result_t (*getglobalcacl)(dns_c_ctx_t *,
+						 dns_c_ipmatchlist_t **),
 		   void (*setzacl)(dns_zone_t *, dns_acl_t *),
 		   void (*clearzacl)(dns_zone_t *))
 {
@@ -48,14 +49,17 @@ configure_zone_acl(dns_c_zone_t *czone, dns_c_ctx_t *cctx,
 	dns_c_ipmatchlist_t *cacl;
 	dns_acl_t *dacl = NULL;
 	result = (*getcacl)(czone, &cacl);
-	if (result == ISC_R_NOTFOUND && getdefaultcacl != NULL) {
-		result = (*getdefaultcacl)(cctx, &cacl);		
+	if (result == ISC_R_NOTFOUND && getviewcacl != NULL && cview != NULL) {
+		result = (*getviewcacl)(cview, &cacl);
+	}
+	if (result == ISC_R_NOTFOUND && getglobalcacl != NULL) {
+		result = (*getglobalcacl)(cctx, &cacl);
 	}
 	if (result == ISC_R_SUCCESS) {
 		result = dns_acl_fromconfig(cacl, cctx, aclconfctx,
 					   dns_zone_getmctx(zone), &dacl);
 		dns_c_ipmatchlist_detach(&cacl);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 		(*setzacl)(zone, dacl);
 		dns_acl_detach(&dacl);
@@ -88,8 +92,9 @@ dns_zonetype_fromconf(dns_c_zonetype_t cztype) {
 }
 
 isc_result_t
-dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
-		   dns_c_zone_t *czone, dns_zone_t *zone)
+dns_zone_configure(dns_c_ctx_t *cctx, dns_c_view_t *cview, 
+		   dns_c_zone_t *czone, dns_aclconfctx_t *ac, 
+		   dns_zone_t *zone)
 {
 	isc_result_t result;
 	isc_boolean_t boolean;
@@ -98,10 +103,8 @@ dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
 	dns_c_severity_t severity;
 #endif
 	dns_c_iplist_t *iplist = NULL;
-	isc_uint32_t i;
 	isc_sockaddr_t sockaddr;
 	isc_int32_t maxxfr;
-	in_port_t port;
 	struct in_addr in4addr_any;
 	isc_sockaddr_t sockaddr_any4, sockaddr_any6;
 	dns_ssutable_t *ssutable;
@@ -114,7 +117,7 @@ dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
 
 	/* XXX needs to be an zone option */
 	result = dns_zone_setdbtype(zone, "rbt");
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		return (result);
 
 	switch (czone->ztype) {
@@ -125,7 +128,7 @@ dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
 			return (result);
 
 		result = dns_zone_setdatabase(zone, filename);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 #ifdef notyet
 		result = dns_c_zone_getchecknames(czone, &severity);
@@ -134,67 +137,81 @@ dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
 		else
 			dns_zone_setchecknames(zone, dns_c_severity_fail);
 #endif
-		result = configure_zone_acl(czone, cctx, ac, zone,
+		result = configure_zone_acl(czone, cctx, NULL, ac, zone,
 					    dns_c_zone_getallowupd,
-					    NULL,
+					    NULL, NULL,
 					    dns_zone_setupdateacl,
 					    dns_zone_clearupdateacl);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 
-		result = configure_zone_acl(czone, cctx, ac, zone,
+		result = configure_zone_acl(czone, cctx, cview, ac, zone,
 					    dns_c_zone_getallowquery,
-					    dns_c_ctx_getqueryacl,
+					    dns_c_view_getallowquery,
+					    dns_c_ctx_getallowquery,
 					    dns_zone_setqueryacl,
 					    dns_zone_clearqueryacl);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 
-		result = configure_zone_acl(czone, cctx, ac, zone,
+		result = configure_zone_acl(czone, cctx, cview, ac, zone,
 					    dns_c_zone_getallowtransfer,
-					    dns_c_ctx_gettransferacl,
+					    dns_c_view_gettransferacl,
+					    dns_c_ctx_getallowtransfer,
 					    dns_zone_setxfracl,
 					    dns_zone_clearxfracl);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 
 		result = dns_c_zone_getdialup(czone, &boolean);
-		if (result == ISC_R_SUCCESS)  
-			dns_zone_setoption(zone, DNS_ZONE_O_DIALUP, boolean);
-		else
-			dns_zone_clearoption(zone, DNS_ZONE_O_DIALUP);
+#ifdef notyet
+		if (result != ISC_R_SUCCESS && cview != NULL)
+			result = dns_c_view_getdialup(cview, &boolean);
+#endif
+		if (result != ISC_R_SUCCESS)
+			result = dns_c_ctx_getdialup(cctx, &boolean);
+		if (result != ISC_R_SUCCESS)
+			boolean = ISC_FALSE;
+		dns_zone_setoption(zone, DNS_ZONE_O_DIALUP, boolean);
 
 		result = dns_c_zone_getnotify(czone, &boolean);
-		if (result == ISC_R_SUCCESS)  
-			dns_zone_setoption(zone, DNS_ZONE_O_NOTIFY, boolean);
-		else
-			dns_zone_clearoption(zone, DNS_ZONE_O_NOTIFY);
+		if (result != ISC_R_SUCCESS && cview != NULL)
+			result = dns_c_view_getnotify(cview, &boolean);
+		if (result != ISC_R_SUCCESS)
+			result = dns_c_ctx_getnotify(cctx, &boolean);
+		if (result != ISC_R_SUCCESS)
+			boolean = ISC_TRUE;
+		dns_zone_setoption(zone, DNS_ZONE_O_NOTIFY, boolean);
 
 		result = dns_c_zone_getalsonotify(czone, &iplist);
-		if (result == ISC_R_SUCCESS) {
-			for (i = 0; i < iplist->nextidx; i++) {
-				result = dns_zone_addnotify(zone,
-							    &iplist->ips[i]);
-				if (result != DNS_R_SUCCESS)
-					return (result);
-			}
-		} else
-			dns_zone_clearnotify(zone);
+		if (result == ISC_R_SUCCESS)
+			result = dns_zone_setnotifyalso(zone, iplist->ips,
+						        iplist->nextidx);
+		else
+			result = dns_zone_setnotifyalso(zone, NULL, 0);
+		if (result != ISC_R_SUCCESS)
+			return (result);
 
 		result = dns_c_zone_getmaxtranstimeout(czone, &maxxfr);
-		if (result != ISC_R_SUCCESS) {
-			result = dns_c_ctx_getmaxtransfertimeout(cctx, &maxxfr);
-			if (result != DNS_R_SUCCESS)
-				maxxfr = MAX_XFER_TIME;
-		}
+		if (result != ISC_R_SUCCESS && cview != NULL)
+			result = dns_c_view_getmaxtransfertimeout(cview,
+								  &maxxfr);
+		if (result != ISC_R_SUCCESS)
+			result = dns_c_ctx_getmaxtransfertimeout(cctx,
+								 &maxxfr);
+		if (result != ISC_R_SUCCESS)
+			maxxfr = MAX_XFER_TIME;
 		dns_zone_setmaxxfrout(zone, maxxfr);
 
 		result = dns_c_zone_getmaxtransidleout(czone, &maxxfr);
-		if (result != ISC_R_SUCCESS) {
-			result = dns_c_ctx_getmaxtransferidleout(cctx, &maxxfr);
-			if (result != DNS_R_SUCCESS)
-				maxxfr = DNS_DEFAULT_IDLEOUT;
-		}
+		if (result != ISC_R_SUCCESS && cview != NULL) 
+			result = dns_c_view_getmaxtransferidleout(cview,
+								  &maxxfr);
+		if (result != ISC_R_SUCCESS) 
+			result = dns_c_ctx_getmaxtransferidleout(cctx,
+								 &maxxfr);
+		if (result != ISC_R_SUCCESS)
+			maxxfr = DNS_DEFAULT_IDLEOUT;
 		dns_zone_setidleout(zone, maxxfr);
 
 		ssutable = NULL;
@@ -207,11 +224,10 @@ dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
 
 		break;
 		
-		
 	case dns_c_zone_forward:
 #ifdef notyet
 		/*
-		 * forward zones are still in a state of flux
+		 * Forward zones are still in a state of flux.
 		 */
 		czone->u.fzone.check_names; /* XXX unused in BIND 8 */
 		czone->u.fzone.forward; /* XXX*/
@@ -225,7 +241,7 @@ dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
 		if (result != ISC_R_SUCCESS)
 			return (result);
 		result = dns_zone_setdatabase(zone, filename);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 #ifdef notyet
 		result = dns_c_zone_getchecknames(czone, &severity);
@@ -234,81 +250,110 @@ dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
 		else
 			dns_zone_setchecknames(zone, dns_c_severity_warn);
 #endif
-		result = configure_zone_acl(czone, cctx, ac, zone,
+		result = configure_zone_acl(czone, cctx, cview, ac, zone,
 					    dns_c_zone_getallowquery,
-					    dns_c_ctx_getqueryacl,					    
+					    dns_c_view_getallowquery,
+					    dns_c_ctx_getallowquery,
 					    dns_zone_setqueryacl,
 					    dns_zone_clearqueryacl);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
-
 		
-		result = dns_c_zone_getmasterport(czone, &port);
-		if (result != ISC_R_SUCCESS)
-			port = 53;
-		dns_zone_setmasterport(zone, port);
-
 		result = dns_c_zone_getmasterips(czone, &iplist);
-		if (result == ISC_R_SUCCESS) {
-			for (i = 0; i < iplist->nextidx; i++) {
-				result = dns_zone_addmaster(zone,
-							    &iplist->ips[i]);
-				if (result != DNS_R_SUCCESS)
-					return (result);
-			}
-		} else 
-			dns_zone_clearmasters(zone);
+		if (result == ISC_R_SUCCESS)
+			result = dns_zone_setmasters(zone, iplist->ips,
+						     iplist->nextidx);
+		else
+			result = dns_zone_setmasters(zone, NULL, 0);
+		if (result != ISC_R_SUCCESS)
+			return (result);
 
 		result = dns_c_zone_getmaxtranstimein(czone, &maxxfr);
-		if (result != ISC_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS) 
 			result = dns_c_ctx_getmaxtransfertimein(cctx, &maxxfr);
-			if (result != ISC_R_SUCCESS)
-				maxxfr = MAX_XFER_TIME;
-		}
+		if (result != ISC_R_SUCCESS)
+			maxxfr = MAX_XFER_TIME;
 		dns_zone_setmaxxfrin(zone, maxxfr);
 
 		result = dns_c_zone_getmaxtransidlein(czone, &maxxfr);
-		if (result != ISC_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS) 
 			result = dns_c_ctx_getmaxtransferidlein(cctx, &maxxfr);
-			if (result != ISC_R_SUCCESS)
-				maxxfr = DNS_DEFAULT_IDLEIN;
-		}
+		if (result != ISC_R_SUCCESS)
+			maxxfr = DNS_DEFAULT_IDLEIN;
 		dns_zone_setidlein(zone, maxxfr);
 
 		result = dns_c_zone_gettransfersource(czone, &sockaddr);
-		if (result != ISC_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS && cview != NULL)
+			result = dns_c_view_gettransfersource(cview,
+							      &sockaddr);
+		if (result != ISC_R_SUCCESS)
 			result = dns_c_ctx_gettransfersource(cctx, &sockaddr);
-			if (result != ISC_R_SUCCESS) {
-				sockaddr = sockaddr_any4;
-			}
-		}
+		if (result != ISC_R_SUCCESS)
+			sockaddr = sockaddr_any4;
 		dns_zone_setxfrsource4(zone, &sockaddr);
 
 		result = dns_c_zone_gettransfersourcev6(czone, &sockaddr);
-		if (result != ISC_R_SUCCESS) {
-			result = dns_c_ctx_gettransfersourcev6(cctx, &sockaddr);
-			if (result != ISC_R_SUCCESS) {
-				sockaddr = sockaddr_any6;
-			}
-		}
+		if (result != ISC_R_SUCCESS && cview != NULL) 
+			result = dns_c_view_gettransfersourcev6(cview,
+								&sockaddr);
+		if (result != ISC_R_SUCCESS) 
+			result = dns_c_ctx_gettransfersourcev6(cctx,
+							       &sockaddr);
+		if (result != ISC_R_SUCCESS)
+			sockaddr = sockaddr_any6;
 		dns_zone_setxfrsource6(zone, &sockaddr);
 
 		result = dns_c_zone_getmaxtranstimeout(czone, &maxxfr);
-		if (result != ISC_R_SUCCESS) {
-			result = dns_c_ctx_getmaxtransfertimeout(cctx, &maxxfr);
-			if (result != DNS_R_SUCCESS)
-				maxxfr = MAX_XFER_TIME;
-		}
+		if (result != ISC_R_SUCCESS && cview != NULL)
+			result = dns_c_view_getmaxtransfertimeout(cview,
+								  &maxxfr);
+		if (result != ISC_R_SUCCESS)
+			result = dns_c_ctx_getmaxtransfertimeout(cctx,
+								 &maxxfr);
+		if (result != ISC_R_SUCCESS)
+			maxxfr = MAX_XFER_TIME;
 		dns_zone_setmaxxfrout(zone, maxxfr);
 
 		result = dns_c_zone_getmaxtransidleout(czone, &maxxfr);
-		if (result != ISC_R_SUCCESS) {
-			result = dns_c_ctx_getmaxtransferidleout(cctx, &maxxfr);
-			if (result != DNS_R_SUCCESS)
-				maxxfr = DNS_DEFAULT_IDLEOUT;
-		}
+		if (result != ISC_R_SUCCESS && cview != NULL) 
+			result = dns_c_view_getmaxtransferidleout(cview,
+								  &maxxfr);
+		if (result != ISC_R_SUCCESS) 
+			result = dns_c_ctx_getmaxtransferidleout(cctx,
+								 &maxxfr);
+		if (result != ISC_R_SUCCESS)
+			maxxfr = DNS_DEFAULT_IDLEOUT;
 		dns_zone_setidleout(zone, maxxfr);
 
+		result = dns_c_zone_getdialup(czone, &boolean);
+#ifdef notyet
+		if (result != ISC_R_SUCCESS && cview != NULL)
+			result = dns_c_view_getdialup(cview, &boolean);
+#endif
+		if (result != ISC_R_SUCCESS)
+			result = dns_c_ctx_getdialup(cctx, &boolean);
+		if (result != ISC_R_SUCCESS)
+			boolean = ISC_FALSE;
+		dns_zone_setoption(zone, DNS_ZONE_O_DIALUP, boolean);
+
+		result = dns_c_zone_getnotify(czone, &boolean);
+		if (result != ISC_R_SUCCESS && cview != NULL)
+			result = dns_c_view_getnotify(cview, &boolean);
+		if (result != ISC_R_SUCCESS)
+			result = dns_c_ctx_getnotify(cctx, &boolean);
+		if (result != ISC_R_SUCCESS)
+			boolean = ISC_TRUE;
+		dns_zone_setoption(zone, DNS_ZONE_O_NOTIFY, boolean);
+
+		result = dns_c_zone_getalsonotify(czone, &iplist);
+		if (result == ISC_R_SUCCESS)
+			result = dns_zone_setnotifyalso(zone, iplist->ips,
+						        iplist->nextidx);
+		else
+			result = dns_zone_setnotifyalso(zone, NULL, 0);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
 		break;
 
 	case dns_c_zone_stub:
@@ -317,7 +362,7 @@ dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
 		if (result != ISC_R_SUCCESS)
 			return (result);
 		result = dns_zone_setdatabase(zone, filename);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 #ifdef notyet
 		result = dns_c_zone_getchecknames(czone, &severity);
@@ -326,62 +371,57 @@ dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
 		else
 			dns_zone_setchecknames(zone, dns_c_severity_warn);
 #endif
-		result = configure_zone_acl(czone, cctx, ac, zone,
-       				    dns_c_zone_getallowquery,
-					    dns_c_ctx_getqueryacl,					    
+		result = configure_zone_acl(czone, cctx, cview, ac, zone,
+					    dns_c_zone_getallowquery,
+					    dns_c_view_getallowquery,
+					    dns_c_ctx_getallowquery,
 					    dns_zone_setqueryacl,
 					    dns_zone_clearqueryacl);
-		if (result != DNS_R_SUCCESS)
-			return (result);
-
-		result = dns_c_zone_getmasterport(czone, &port);
 		if (result != ISC_R_SUCCESS)
-			port = 53;
-		dns_zone_setmasterport(zone, port);
+			return (result);
 
 		result = dns_c_zone_getmasterips(czone, &iplist);
-		if (result == ISC_R_SUCCESS) {
-			for (i = 0; i < iplist->nextidx; i++) {
-				result = dns_zone_addmaster(zone,
-							    &iplist->ips[i]);
-				if (result != DNS_R_SUCCESS)
-					return (result);
-			}
-		} else 
-			dns_zone_clearmasters(zone);
+		if (result == ISC_R_SUCCESS)
+			result = dns_zone_setmasters(zone, iplist->ips,
+						     iplist->nextidx);
+		else
+			result = dns_zone_setmasters(zone, NULL, 0);
+		if (result != ISC_R_SUCCESS)
+			return (result);
 
 		result = dns_c_zone_getmaxtranstimein(czone, &maxxfr);
-		if (result != ISC_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS) 
 			result = dns_c_ctx_getmaxtransfertimein(cctx, &maxxfr);
-			if (result != ISC_R_SUCCESS)
-				maxxfr = MAX_XFER_TIME;
-		}
+		if (result != ISC_R_SUCCESS)
+			maxxfr = MAX_XFER_TIME;
 		dns_zone_setmaxxfrin(zone, maxxfr);
 
 		result = dns_c_zone_getmaxtransidlein(czone, &maxxfr);
-		if (result != ISC_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS) 
 			result = dns_c_ctx_getmaxtransferidlein(cctx, &maxxfr);
-			if (result != ISC_R_SUCCESS)
-				maxxfr = DNS_DEFAULT_IDLEIN;
-		}
+		if (result != ISC_R_SUCCESS)
+			maxxfr = DNS_DEFAULT_IDLEIN;
 		dns_zone_setidlein(zone, maxxfr);
 
 		result = dns_c_zone_gettransfersource(czone, &sockaddr);
-		if (result != ISC_R_SUCCESS) {
+		if (result != ISC_R_SUCCESS && cview != NULL)
+			result = dns_c_view_gettransfersource(cview,
+							      &sockaddr);
+		if (result != ISC_R_SUCCESS)
 			result = dns_c_ctx_gettransfersource(cctx, &sockaddr);
-			if (result != ISC_R_SUCCESS) {
-				sockaddr = sockaddr_any4;
-			}
-		}
+		if (result != ISC_R_SUCCESS)
+			sockaddr = sockaddr_any4;
 		dns_zone_setxfrsource4(zone, &sockaddr);
 
 		result = dns_c_zone_gettransfersourcev6(czone, &sockaddr);
-		if (result != ISC_R_SUCCESS) {
-			result = dns_c_ctx_gettransfersourcev6(cctx, &sockaddr);
-			if (result != ISC_R_SUCCESS) {
-				sockaddr = sockaddr_any6;
-			}
-		}
+		if (result != ISC_R_SUCCESS && cview != NULL) 
+			result = dns_c_view_gettransfersourcev6(cview,
+								&sockaddr);
+		if (result != ISC_R_SUCCESS) 
+			result = dns_c_ctx_gettransfersourcev6(cctx,
+							       &sockaddr);
+		if (result != ISC_R_SUCCESS)
+			sockaddr = sockaddr_any6;
 		dns_zone_setxfrsource6(zone, &sockaddr);
 
 	case dns_c_zone_hint:
@@ -390,7 +430,7 @@ dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
 		if (result != ISC_R_SUCCESS)
 			return (result);
 		result = dns_zone_setdatabase(zone, filename);
-		if (result != DNS_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 			return (result);
 #ifdef notyet
 		result = dns_c_zone_getchecknames(czone, &severity);
@@ -403,12 +443,11 @@ dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
 
 	}
 
-	return (DNS_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_boolean_t
-dns_zone_reusable(dns_zone_t *zone, dns_c_zone_t *czone)
-{
+dns_zone_reusable(dns_zone_t *zone, dns_c_zone_t *czone) {
 	const char *cfilename;
 	const char *zfilename;
 
@@ -428,13 +467,12 @@ dns_zone_reusable(dns_zone_t *zone, dns_c_zone_t *czone)
 }
 	
 isc_result_t
-dns_zonemgr_configure(dns_c_ctx_t *cctx, dns_zonemgr_t *zmgr)
-{
+dns_zonemgr_configure(dns_c_ctx_t *cctx, dns_zonemgr_t *zmgr) {
 	isc_int32_t val;
 	isc_result_t result;
 	
 	result = dns_c_ctx_gettransfersin(cctx, &val);
-	if (result != DNS_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		val = 10;
 	dns_zonemgr_settransfersin(zmgr, val);
 
diff --git a/lib/dns/zt.c b/lib/dns/zt.c
index 6c860b6c..c2ca2a39 100644
--- a/lib/dns/zt.c
+++ b/lib/dns/zt.c
@@ -17,14 +17,14 @@
 
 #include <config.h>
 
-#include <isc/assertions.h>
 #include <isc/magic.h>
-#include <isc/rwlock.h>
-#include <isc/result.h>
+#include <isc/mem.h>
 #include <isc/util.h>
 
-#include <dns/zt.h>
+#include <dns/rbt.h>
+#include <dns/result.h>
 #include <dns/zone.h>
+#include <dns/zt.h>
 
 struct dns_zt {
 	/* Unlocked. */
@@ -34,14 +34,17 @@ struct dns_zt {
 	isc_rwlock_t		rwlock;
 	/* Locked by lock. */
 	isc_uint32_t		references;
-	dns_rbt_t		*table; 
+	dns_rbt_t		*table;
 };
 
 #define ZTMAGIC			0x5a54626cU	/* ZTbl */
 #define VALID_ZT(zt) 		ISC_MAGIC_VALID(zt, ZTMAGIC)
 
-static void auto_detach(void *, void *);
-static isc_result_t load(dns_zone_t *zone, void *uap);
+static void
+auto_detach(void *, void *);
+
+static isc_result_t
+load(dns_zone_t *zone, void *uap);
 
 isc_result_t
 dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **ztp) {
@@ -52,10 +55,10 @@ dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **ztp) {
 
 	zt = isc_mem_get(mctx, sizeof *zt);
 	if (zt == NULL)
-		return (DNS_R_NOMEMORY);
+		return (ISC_R_NOMEMORY);
 
 	zt->table = NULL;
-	result = dns_rbt_create(mctx, auto_detach, NULL, &zt->table);
+	result = dns_rbt_create(mctx, auto_detach, zt, &zt->table);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_zt;
 
@@ -125,18 +128,23 @@ dns_zt_unmount(dns_zt_t *zt, dns_zone_t *zone) {
 }
 
 isc_result_t
-dns_zt_find(dns_zt_t *zt, dns_name_t *name, dns_name_t *foundname,
-	    dns_zone_t **zonep)
+dns_zt_find(dns_zt_t *zt, dns_name_t *name, unsigned int options,
+	    dns_name_t *foundname, dns_zone_t **zonep)
 {
 	isc_result_t result;
 	dns_zone_t *dummy = NULL;
+	unsigned int rbtoptions = 0;
 
 	REQUIRE(VALID_ZT(zt));
 
+	if ((options & DNS_ZTFIND_NOEXACT) != 0)
+		rbtoptions |= DNS_RBTFIND_NOEXACT;
+
 	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
 
-	result = dns_rbt_findname(zt->table, name, foundname, (void **)&dummy);
-	if (result == DNS_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+	result = dns_rbt_findname(zt->table, name, rbtoptions, foundname,
+				  (void **)&dummy);
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
 		dns_zone_attach(dummy, zonep);
 
 	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
@@ -202,10 +210,10 @@ dns_zt_print(dns_zt_t *zt) {
 
 	dns_rbtnodechain_init(&chain, zt->mctx);
 	result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
-	while (result == DNS_R_NEWORIGIN || result == DNS_R_SUCCESS) {
+	while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
 		result = dns_rbtnodechain_current(&chain, NULL, NULL,
 						  &node);
-		if (result == DNS_R_SUCCESS) {
+		if (result == ISC_R_SUCCESS) {
 			zone = node->data;
 			if (zone != NULL)
 				(void)dns_zone_print(zone);
@@ -219,12 +227,16 @@ dns_zt_print(dns_zt_t *zt) {
 
 isc_result_t
 dns_zt_load(dns_zt_t *zt, isc_boolean_t stop) {
-	return (dns_zt_apply(zt, stop, load, NULL));
+	isc_result_t result;
+	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+	result = dns_zt_apply(zt, stop, load, NULL);
+	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
+	return (result);
 }
 
 static isc_result_t
 load(dns_zone_t *zone, void *uap) {
-	uap = uap;
+	UNUSED(uap);
 	return (dns_zone_load(zone));
 }
 
@@ -240,36 +252,32 @@ dns_zt_apply(dns_zt_t *zt, isc_boolean_t stop,
 	REQUIRE(VALID_ZT(zt));
 	REQUIRE(action != NULL);
 
-	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
-
 	dns_rbtnodechain_init(&chain, zt->mctx);
 	result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
-	if (result == DNS_R_NOTFOUND) {
+	if (result == ISC_R_NOTFOUND) {
 		/*
 		 * The tree is empty.
 		 */
-		result = DNS_R_NOMORE; 
+		result = ISC_R_NOMORE; 
 	}
-	while (result == DNS_R_NEWORIGIN || result == DNS_R_SUCCESS) {
+	while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
 		result = dns_rbtnodechain_current(&chain, NULL, NULL,
 						  &node);
-		if (result == DNS_R_SUCCESS) {
+		if (result == ISC_R_SUCCESS) {
 			zone = node->data;
 			if (zone != NULL)
 				result = (action)(zone, uap);
-			if (result != DNS_R_SUCCESS && stop)
+			if (result != ISC_R_SUCCESS && stop)
 				goto cleanup;	/* don't break */
 		}
 		result = dns_rbtnodechain_next(&chain, NULL, NULL);
 	}
-	if (result == DNS_R_NOMORE)
-		result = DNS_R_SUCCESS;
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
 
  cleanup:
 	dns_rbtnodechain_invalidate(&chain);
 
-	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
-
 	return (result);
 }
 
@@ -281,7 +289,7 @@ static void
 auto_detach(void *data, void *arg) {
 	dns_zone_t *zone = data;
 
-	(void)arg;
-
+	UNUSED(arg);
+	
 	dns_zone_detach(&zone);
 }
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index 3c1143ae..d02eaa63 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -30,17 +30,18 @@ CWARNINGS =
 
 # Alphabetically
 UNIXOBJS =	@ISC_ISCIPV6_O@ \
-		unix/app.@O@ unix/dir.@O@ unix/interfaceiter.@O@ \
-		unix/mktemplate.@O@ unix/net.@O@ unix/socket.@O@ \
-		unix/time.@O@ unix/stdtime.@O@ unix/ufile.@O@
+		unix/app.@O@ unix/dir.@O@ unix/errno2result.@O@ unix/file.@O@ \
+		unix/interfaceiter.@O@ unix/net.@O@ unix/socket.@O@ \
+		unix/time.@O@ unix/stdio.@O@ unix/stdtime.@O@
 
 
 NLSOBJS =	nls/msgcat.@O@
 
-PTHREADOBJS =	pthreads/condition.@O@
+PTHREADOBJS =	pthreads/condition.@O@ pthreads/thread.@O@
 
-WIN32OBJS = 	win32/condition.@O@ win32/dir.@O@ win32/once.@O@ \
-		win32/stdtime.@O@ win32/thread.@O@ win32/time.@O@
+WIN32OBJS = 	win32/condition.@O@ win32/dir.@O@ win32/file.@O@ \
+		win32/once.@O@ win32/stdtime.@O@ win32/thread.@O@ \
+		win32/time.@O@
 
 # Alphabetically
 OBJS =		@ISC_EXTRA_OBJS@ \
@@ -50,7 +51,7 @@ OBJS =		@ISC_EXTRA_OBJS@ \
 		mem.@O@ mutexblock.@O@ netaddr.@O@ ondestroy.@O@ \
 		quota.@O@ random.@O@ \
 		ratelimiter.@O@ result.@O@ rwlock.@O@ \
-		serial.@O@ sockaddr.@O@ str.@O@ symtab.@O@ \
+		serial.@O@ sockaddr.@O@ string.@O@ symtab.@O@ \
 		task.@O@ taskpool.@O@ timer.@O@ version.@O@ \
 		${UNIXOBJS} ${NLSOBJS} ${PTHREADOBJS}
 
@@ -62,7 +63,7 @@ SRCS =		@ISC_EXTRA_SRCS@ \
 		mem.c mutexblock.c netaddr.c ondestroy.c \
 		quota.c random.c \
 		ratelimiter.c result.c rwlock.c \
-		serial.c sockaddr.c str.c symtab.c \
+		serial.c sockaddr.c string.c symtab.c \
 		task.c taskpool.c timer.c version.c
 
 LIBS =		@LIBS@
diff --git a/lib/isc/assertions.c b/lib/isc/assertions.c
index ff70219a..abd11d4a 100644
--- a/lib/isc/assertions.c
+++ b/lib/isc/assertions.c
@@ -17,10 +17,8 @@
 
 #include <config.h>
 
-#include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 
 #include <isc/assertions.h>
 
diff --git a/lib/isc/base64.c b/lib/isc/base64.c
index 3661c84c..0afa4f34 100644
--- a/lib/isc/base64.c
+++ b/lib/isc/base64.c
@@ -15,30 +15,25 @@
  * SOFTWARE.
  */
 
-/* $Id: base64.c,v 1.8 2000/03/17 17:45:50 gson Exp $ */
+/* $Id: base64.c,v 1.13 2000/05/16 05:19:46 tale Exp $ */
 
 #include <config.h>
 
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-#include <time.h>
-
 #include <isc/base64.h>
 #include <isc/buffer.h>
 #include <isc/lex.h>
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #define RETERR(x) do { \
-	isc_result_t __r = (x); \
-	if (__r != ISC_R_SUCCESS) \
-		return (__r); \
+	isc_result_t _r = (x); \
+	if (_r != ISC_R_SUCCESS) \
+		return (_r); \
 	} while (0)
 
 
-/* These static functions are also present in lib/dns/rdata.c.  I'm not
+/*
+ * These static functions are also present in lib/dns/rdata.c.  I'm not
  * sure where they should go. -- bwelling
  */
 static isc_result_t	str_totext(char *source, isc_buffer_t *target);
@@ -166,7 +161,7 @@ str_totext(char *source, isc_buffer_t *target) {
 	unsigned int l;
 	isc_region_t region;
 
-	isc_buffer_available(target, &region);
+	isc_buffer_availableregion(target, &region);
 	l = strlen(source);
 
 	if (l > region.length)
@@ -181,7 +176,7 @@ static isc_result_t
 mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
 	isc_region_t tr;
 
-	isc_buffer_available(target, &tr);
+	isc_buffer_availableregion(target, &tr);
 	if (length > tr.length)
 		return (ISC_R_NOSPACE);
 	memcpy(tr.base, base, length);
diff --git a/lib/isc/bitstring.c b/lib/isc/bitstring.c
index ce2b848a..ab9f8be7 100644
--- a/lib/isc/bitstring.c
+++ b/lib/isc/bitstring.c
@@ -19,9 +19,8 @@
 
 #include <stddef.h>
 
-#include <isc/types.h>
-#include <isc/assertions.h>
 #include <isc/bitstring.h>
+#include <isc/util.h>
 
 #define DIV8(x)			((x) >> 3)
 #define MOD8(x)			((x) & 0x00000007U)
diff --git a/lib/isc/buffer.c b/lib/isc/buffer.c
index 6699f6e1..ba84b302 100644
--- a/lib/isc/buffer.c
+++ b/lib/isc/buffer.c
@@ -17,34 +17,25 @@
 
 #include <config.h>
 
-#include <string.h>
-
-#include <isc/assertions.h>
 #include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 void
-isc_buffer_init(isc_buffer_t *b, void *base, unsigned int length,
-		unsigned int type)
-{
+isc__buffer_init(isc_buffer_t *b, void *base, unsigned int length) {
 	/*
 	 * Make 'b' refer to the 'length'-byte region starting at base.
 	 */
 
 	REQUIRE(b != NULL);
 
-	b->magic = ISC_BUFFER_MAGIC;
-	b->type = type;
-	b->base = base;
-	b->length = length;
-	b->used = 0;
-	b->current = 0;
-	b->active = 0;
-	b->mctx = NULL;
-	ISC_LINK_INIT(b, link);
+	ISC__BUFFER_INIT(b, base, length);
 }
 
 void
-isc_buffer_invalidate(isc_buffer_t *b) {
+isc__buffer_invalidate(isc_buffer_t *b) {
 	/*
 	 * Make 'b' an invalid buffer.
 	 */
@@ -53,28 +44,11 @@ isc_buffer_invalidate(isc_buffer_t *b) {
 	REQUIRE(!ISC_LINK_LINKED(b, link));
 	REQUIRE(b->mctx == NULL);
 	
-	b->magic = 0;
-	b->type = 0;
-	b->base = NULL;
-	b->length = 0;
-	b->used = 0;
-	b->current = 0;
-	b->active = 0;
-}
-
-unsigned int
-isc_buffer_type(isc_buffer_t *b) {
-	/*
-	 * The type of 'b'.
-	 */
-
-	REQUIRE(ISC_BUFFER_VALID(b));
-
-	return (b->type);
+	ISC__BUFFER_INVALIDATE(b);
 }
 
 void
-isc_buffer_region(isc_buffer_t *b, isc_region_t *r) {
+isc__buffer_region(isc_buffer_t *b, isc_region_t *r) {
 	/*
 	 * Make 'r' refer to the region of 'b'.
 	 */
@@ -82,12 +56,11 @@ isc_buffer_region(isc_buffer_t *b, isc_region_t *r) {
 	REQUIRE(ISC_BUFFER_VALID(b));
 	REQUIRE(r != NULL);
 
-	r->base = b->base;
-	r->length = b->length;
+	ISC__BUFFER_REGION(b, r);
 }
 
 void
-isc_buffer_used(isc_buffer_t *b, isc_region_t *r) {
+isc__buffer_usedregion(isc_buffer_t *b, isc_region_t *r) {
 	/*
 	 * Make 'r' refer to the used region of 'b'.
 	 */
@@ -95,12 +68,11 @@ isc_buffer_used(isc_buffer_t *b, isc_region_t *r) {
 	REQUIRE(ISC_BUFFER_VALID(b));
 	REQUIRE(r != NULL);
 
-	r->base = b->base;
-	r->length = b->used;
+	ISC__BUFFER_USEDREGION(b, r);
 }
 
 void
-isc_buffer_available(isc_buffer_t *b, isc_region_t *r) {
+isc__buffer_availableregion(isc_buffer_t *b, isc_region_t *r) {
 	/*
 	 * Make 'r' refer to the available region of 'b'.
 	 */
@@ -108,12 +80,11 @@ isc_buffer_available(isc_buffer_t *b, isc_region_t *r) {
 	REQUIRE(ISC_BUFFER_VALID(b));
 	REQUIRE(r != NULL);
 
-	r->base = (unsigned char *)b->base + b->used;
-	r->length = b->length - b->used;
+	ISC__BUFFER_AVAILABLEREGION(b, r);
 }
 
 void
-isc_buffer_add(isc_buffer_t *b, unsigned int n) {
+isc__buffer_add(isc_buffer_t *b, unsigned int n) {
 	/*
 	 * Increase the 'used' region of 'b' by 'n' bytes.
 	 */
@@ -121,11 +92,11 @@ isc_buffer_add(isc_buffer_t *b, unsigned int n) {
 	REQUIRE(ISC_BUFFER_VALID(b));
 	REQUIRE(b->used + n <= b->length);
 
-	b->used += n;
+	ISC__BUFFER_ADD(b, n);
 }
 
 void
-isc_buffer_subtract(isc_buffer_t *b, unsigned int n) {
+isc__buffer_subtract(isc_buffer_t *b, unsigned int n) {
 	/*
 	 * Decrease the 'used' region of 'b' by 'n' bytes.
 	 */
@@ -133,28 +104,22 @@ isc_buffer_subtract(isc_buffer_t *b, unsigned int n) {
 	REQUIRE(ISC_BUFFER_VALID(b));
 	REQUIRE(b->used >= n);
 
-	b->used -= n;
-	if (b->current > b->used)
-		b->current = b->used;
-	if (b->active > b->used)
-		b->active = b->used;
+	ISC__BUFFER_SUBTRACT(b, n);
 }
 
 void
-isc_buffer_clear(isc_buffer_t *b) {
+isc__buffer_clear(isc_buffer_t *b) {
 	/*
 	 * Make the used region empty.
 	 */
 
 	REQUIRE(ISC_BUFFER_VALID(b));
 
-	b->used = 0;
-	b->current = 0;
-	b->active = 0;
+	ISC__BUFFER_CLEAR(b);
 }
 
 void
-isc_buffer_consumed(isc_buffer_t *b, isc_region_t *r) {
+isc__buffer_consumedregion(isc_buffer_t *b, isc_region_t *r) {
 	/*
 	 * Make 'r' refer to the consumed region of 'b'.
 	 */
@@ -162,12 +127,11 @@ isc_buffer_consumed(isc_buffer_t *b, isc_region_t *r) {
 	REQUIRE(ISC_BUFFER_VALID(b));
 	REQUIRE(r != NULL);
 
-	r->base = b->base;
-	r->length = b->current;
+	ISC__BUFFER_CONSUMEDREGION(b, r);
 }
 
 void
-isc_buffer_remaining(isc_buffer_t *b, isc_region_t *r) {
+isc__buffer_remainingregion(isc_buffer_t *b, isc_region_t *r) {
 	/*
 	 * Make 'r' refer to the remaining region of 'b'.
 	 */
@@ -175,12 +139,11 @@ isc_buffer_remaining(isc_buffer_t *b, isc_region_t *r) {
 	REQUIRE(ISC_BUFFER_VALID(b));
 	REQUIRE(r != NULL);
 
-	r->base = (unsigned char *)b->base + b->current;
-	r->length = b->used - b->current;
+	ISC__BUFFER_REMAININGREGION(b, r);
 }
 
 void
-isc_buffer_active(isc_buffer_t *b, isc_region_t *r) {
+isc__buffer_activeregion(isc_buffer_t *b, isc_region_t *r) {
 	/*
 	 * Make 'r' refer to the active region of 'b'.
 	 */
@@ -188,43 +151,34 @@ isc_buffer_active(isc_buffer_t *b, isc_region_t *r) {
 	REQUIRE(ISC_BUFFER_VALID(b));
 	REQUIRE(r != NULL);
 
-	if (b->current < b->active) {
-		r->base = (unsigned char *)b->base + b->current;
-		r->length = b->active - b->current;
-	} else {
-		r->base = NULL;
-		r->length = 0;
-	}
+	ISC__BUFFER_ACTIVEREGION(b, r);
 }
 
 void
-isc_buffer_setactive(isc_buffer_t *b, unsigned int n) {
-	unsigned int active;
-
+isc__buffer_setactive(isc_buffer_t *b, unsigned int n) {
 	/*
 	 * Sets the end of the active region 'n' bytes after current.
 	 */
 
 	REQUIRE(ISC_BUFFER_VALID(b));
-	active = b->current + n;
-	REQUIRE(active <= b->used);
+	REQUIRE(b->current + n <= b->used);
 
-	b->active = active;
+	ISC__BUFFER_SETACTIVE(b, n);
 }
 
 void
-isc_buffer_first(isc_buffer_t *b) {
+isc__buffer_first(isc_buffer_t *b) {
 	/*
 	 * Make the consumed region empty.
 	 */
 
 	REQUIRE(ISC_BUFFER_VALID(b));
 
-	b->current = 0;
+	ISC__BUFFER_FIRST(b);
 }
 
 void
-isc_buffer_forward(isc_buffer_t *b, unsigned int n) {
+isc__buffer_forward(isc_buffer_t *b, unsigned int n) {
 	/*
 	 * Increase the 'consumed' region of 'b' by 'n' bytes.
 	 */
@@ -232,11 +186,11 @@ isc_buffer_forward(isc_buffer_t *b, unsigned int n) {
 	REQUIRE(ISC_BUFFER_VALID(b));
 	REQUIRE(b->current + n <= b->used);
 
-	b->current += n;
+	ISC__BUFFER_FORWARD(b, n);
 }
 
 void
-isc_buffer_back(isc_buffer_t *b, unsigned int n) {
+isc__buffer_back(isc_buffer_t *b, unsigned int n) {
 	/*
 	 * Decrease the 'consumed' region of 'b' by 'n' bytes.
 	 */
@@ -244,7 +198,7 @@ isc_buffer_back(isc_buffer_t *b, unsigned int n) {
 	REQUIRE(ISC_BUFFER_VALID(b));
 	REQUIRE(n <= b->current);
 
-	b->current -= n;
+	ISC__BUFFER_BACK(b, n);
 }
 
 void
@@ -293,17 +247,12 @@ isc_buffer_getuint8(isc_buffer_t *b) {
 }
 
 void
-isc_buffer_putuint8(isc_buffer_t *b, isc_uint8_t val)
+isc__buffer_putuint8(isc_buffer_t *b, isc_uint8_t val)
 {
-	unsigned char *cp;
-
 	REQUIRE(ISC_BUFFER_VALID(b));
 	REQUIRE(b->used + 1 <= b->length);
 
-	cp = b->base;
-	cp += b->used;
-	b->used += 1;
-	cp[0] = (val & 0x00ff);
+	ISC__BUFFER_PUTUINT8(b, val);
 }
 
 isc_uint16_t
@@ -329,18 +278,12 @@ isc_buffer_getuint16(isc_buffer_t *b) {
 }
 
 void
-isc_buffer_putuint16(isc_buffer_t *b, isc_uint16_t val)
+isc__buffer_putuint16(isc_buffer_t *b, isc_uint16_t val)
 {
-	unsigned char *cp;
-
 	REQUIRE(ISC_BUFFER_VALID(b));
 	REQUIRE(b->used + 2 <= b->length);
 
-	cp = b->base;
-	cp += b->used;
-	b->used += 2;
-	cp[0] = (val & 0xff00) >> 8;
-	cp[1] = (val & 0x00ff);
+	ISC__BUFFER_PUTUINT16(b, val);
 }
 
 isc_uint32_t
@@ -368,52 +311,37 @@ isc_buffer_getuint32(isc_buffer_t *b) {
 }
 
 void
-isc_buffer_putuint32(isc_buffer_t *b, isc_uint32_t val)
+isc__buffer_putuint32(isc_buffer_t *b, isc_uint32_t val)
 {
-	unsigned char *cp;
-
 	REQUIRE(ISC_BUFFER_VALID(b));
 	REQUIRE(b->used + 4 <= b->length);
 
-	cp = b->base;
-	cp += b->used;
-	b->used += 4;
-	cp[0] = (unsigned char)((val & 0xff000000) >> 24);
-	cp[1] = (unsigned char)((val & 0x00ff0000) >> 16);
-	cp[2] = (unsigned char)((val & 0x0000ff00) >> 8);
-	cp[3] = (unsigned char)(val & 0x000000ff);
+	ISC__BUFFER_PUTUINT32(b, val);
 }
 
 void
-isc_buffer_putmem(isc_buffer_t *b, unsigned char *base, unsigned int length)
-{
-	unsigned char *cp;
-
+isc__buffer_putmem(isc_buffer_t *b, unsigned char *base, unsigned int length) {
 	REQUIRE(ISC_BUFFER_VALID(b));
 	REQUIRE(b->used + length <= b->length);
 
-	cp = (unsigned char *)b->base + b->used;
-	memcpy(cp, base, length);
-	b->used += length;
+	ISC__BUFFER_PUTMEM(b, base, length);
 }	
 
-isc_result_t
+void
 isc_buffer_putstr(isc_buffer_t *b, const char *source) {
-        unsigned int l;
+	unsigned int l;
 	unsigned char *cp;
 
 	REQUIRE(ISC_BUFFER_VALID(b));
 	REQUIRE(source != NULL);
 
 	l = strlen(source);
-	if (l > (b->length - b->used))
-		return (ISC_R_NOSPACE);
 
-	cp = (unsigned char *)b->base + b->used;
+	REQUIRE(l <= isc_buffer_availablelength(b));
+
+	cp = isc_buffer_used(b);
 	memcpy(cp, source, l);
 	b->used += l;
-
-	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -436,7 +364,7 @@ isc_buffer_copyregion(isc_buffer_t *b, isc_region_t *r) {
 
 isc_result_t
 isc_buffer_allocate(isc_mem_t *mctx, isc_buffer_t **dynbuffer,
-		    unsigned int length, unsigned int type)
+		    unsigned int length)
 {
 	isc_buffer_t *dbuf;
 
@@ -448,7 +376,7 @@ isc_buffer_allocate(isc_mem_t *mctx, isc_buffer_t **dynbuffer,
 		return (ISC_R_NOMEMORY);
 
 	isc_buffer_init(dbuf, ((unsigned char *)dbuf) + sizeof(isc_buffer_t),
-			length, type);
+			length);
 	dbuf->mctx = mctx;
 
 	*dynbuffer = dbuf;
diff --git a/lib/isc/bufferlist.c b/lib/isc/bufferlist.c
index 3fa9e16b..cbac4500 100644
--- a/lib/isc/bufferlist.c
+++ b/lib/isc/bufferlist.c
@@ -17,14 +17,14 @@
 
 #include <config.h>
 
-#include <isc/assertions.h>
+#include <stddef.h>
+
 #include <isc/buffer.h>
 #include <isc/bufferlist.h>
-#include <isc/list.h>
+#include <isc/util.h>
 
 unsigned int
-isc_bufferlist_usedcount(isc_bufferlist_t *bl)
-{
+isc_bufferlist_usedcount(isc_bufferlist_t *bl) {
 	isc_buffer_t *buffer;
 	unsigned int length;
 
@@ -34,7 +34,7 @@ isc_bufferlist_usedcount(isc_bufferlist_t *bl)
 	buffer = ISC_LIST_HEAD(*bl);
 	while (buffer != NULL) {
 		REQUIRE(ISC_BUFFER_VALID(buffer));
-		length += ISC_BUFFER_USEDCOUNT(buffer);
+		length += isc_buffer_usedlength(buffer);
 		buffer = ISC_LIST_NEXT(buffer, link);
 	}
 
@@ -42,8 +42,7 @@ isc_bufferlist_usedcount(isc_bufferlist_t *bl)
 }
 
 unsigned int
-isc_bufferlist_availablecount(isc_bufferlist_t *bl)
-{
+isc_bufferlist_availablecount(isc_bufferlist_t *bl) {
 	isc_buffer_t *buffer;
 	unsigned int length;
 
@@ -53,7 +52,7 @@ isc_bufferlist_availablecount(isc_bufferlist_t *bl)
 	buffer = ISC_LIST_HEAD(*bl);
 	while (buffer != NULL) {
 		REQUIRE(ISC_BUFFER_VALID(buffer));
-		length += ISC_BUFFER_AVAILABLECOUNT(buffer);
+		length += isc_buffer_availablelength(buffer);
 		buffer = ISC_LIST_NEXT(buffer, link);
 	}
 
diff --git a/lib/isc/commandline.c b/lib/isc/commandline.c
index f7a88c09..4c016317 100644
--- a/lib/isc/commandline.c
+++ b/lib/isc/commandline.c
@@ -48,7 +48,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: commandline.c,v 1.3 2000/02/03 23:08:23 halley Exp $ */
+/* $Id: commandline.c,v 1.6 2000/05/08 14:37:20 tale Exp $ */
 
 /*
  * This file was adapted from the NetBSD project's source tree, RCS ID:
@@ -63,12 +63,13 @@
  * Principal ISC caretaker: DCL
  */
 
+#include <config.h>
+
 #include <stdio.h>
-#include <string.h>
 
-#include <isc/assertions.h>
-#include <isc/boolean.h>
 #include <isc/commandline.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 int isc_commandline_index = 1;		/* Index into parent argv vector. */
 int isc_commandline_option;		/* Character checked for validity. */
diff --git a/lib/isc/error.c b/lib/isc/error.c
index b72818e1..da210f39 100644
--- a/lib/isc/error.c
+++ b/lib/isc/error.c
@@ -19,12 +19,14 @@
 
 #include <stdio.h>
 #include <stdlib.h>
-#include <stddef.h>
 
 #include <isc/error.h>
 
-static void default_unexpected_callback(char *, int, char *, va_list);
-static void default_fatal_callback(char *, int, char *, va_list);
+static void
+default_unexpected_callback(char *, int, char *, va_list);
+
+static void
+default_fatal_callback(char *, int, char *, va_list);
 
 static isc_errorcallback_t unexpected_callback = default_unexpected_callback;
 static isc_errorcallback_t fatal_callback = default_fatal_callback;
diff --git a/lib/isc/event.c b/lib/isc/event.c
index 12f75401..8be9d64c 100644
--- a/lib/isc/event.c
+++ b/lib/isc/event.c
@@ -21,9 +21,9 @@
 
 #include <config.h>
 
-#include <isc/assertions.h>
 #include <isc/event.h>
 #include <isc/mem.h>
+#include <isc/util.h>
 
 /***
  *** Events.
@@ -31,9 +31,9 @@
 
 static void
 destroy(isc_event_t *event) {
-	isc_mem_t *mctx = event->destroy_arg;
+	isc_mem_t *mctx = event->ev_destroy_arg;
 
-	isc_mem_put(mctx, event, event->size);
+	isc_mem_put(mctx, event, event->ev_size);
 }
 
 isc_event_t *
@@ -64,8 +64,8 @@ isc_event_free(isc_event_t **eventp) {
 	event = *eventp;
 	REQUIRE(event != NULL);
 
-	if (event->destroy != NULL)
-		(event->destroy)(event);
+	if (event->ev_destroy != NULL)
+		(event->ev_destroy)(event);
 
 	*eventp = NULL;
 }
diff --git a/lib/isc/heap.c b/lib/isc/heap.c
index f0b42678..ca577e4c 100644
--- a/lib/isc/heap.c
+++ b/lib/isc/heap.c
@@ -27,11 +27,10 @@
 
 #include <config.h>
 
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/assertions.h>
 #include <isc/heap.h>
+#include <isc/mem.h>
+#include <isc/string.h>		/* Required for memcpy. */
+#include <isc/util.h>
 
 /*
  * Note: to make heap_parent and heap_left easy to compute, the first
@@ -47,6 +46,15 @@
 #define VALID_HEAP(h)			((h) != NULL && \
 					 (h)->magic == HEAP_MAGIC)
 
+/*
+ * When the heap is in a consistent state, the following invariant
+ * holds true: for every element i > 1, heap_parent(i) has a priority
+ * higher than or equal to that of i.
+ */
+#define HEAPCONDITION(i) ((i) == 1 || \
+			  ! heap->compare(heap->array[(i)], \
+					  heap->array[heap_parent(i)]))
+
 struct isc_heap {
 	unsigned int			magic;
 	isc_mem_t *			mctx;
@@ -131,9 +139,9 @@ static void
 float_up(isc_heap_t *heap, unsigned int i, void *elt) {
 	unsigned int p;
 
-	for ( p = heap_parent(i); 
-	      i > 1 && heap->compare(elt, heap->array[p]);
-	      i = p, p = heap_parent(i) ) {
+	for (p = heap_parent(i); 
+	     i > 1 && heap->compare(elt, heap->array[p]);
+	     i = p, p = heap_parent(i)) {
 		heap->array[i] = heap->array[p];
 		if (heap->index != NULL)
 			(heap->index)(heap->array[i], i);
@@ -141,19 +149,20 @@ float_up(isc_heap_t *heap, unsigned int i, void *elt) {
 	heap->array[i] = elt;
 	if (heap->index != NULL)
 		(heap->index)(heap->array[i], i);
+
+	INSIST(HEAPCONDITION(i));
 }
 
 static void
 sink_down(isc_heap_t *heap, unsigned int i, void *elt) {
 	unsigned int j, size, half_size;
-
 	size = heap->last;
 	half_size = size / 2;
 	while (i <= half_size) {
-		/* find smallest of the (at most) two children */
+		/* Find the smallest of the (at most) two children. */
 		j = heap_left(i);
 		if (j < size && heap->compare(heap->array[j+1],
-						     heap->array[j]))
+					      heap->array[j]))
 			j++;
 		if (heap->compare(elt, heap->array[j]))
 			break;
@@ -165,6 +174,8 @@ sink_down(isc_heap_t *heap, unsigned int i, void *elt) {
 	heap->array[i] = elt;
 	if (heap->index != NULL)
 		(heap->index)(heap->array[i], i);
+
+	INSIST(HEAPCONDITION(i));
 }
 
 isc_result_t
@@ -185,13 +196,22 @@ isc_heap_insert(isc_heap_t *heap, void *elt) {
 void
 isc_heap_delete(isc_heap_t *heap, unsigned int i) {
 	void *elt;
+	isc_boolean_t less;
 
 	REQUIRE(VALID_HEAP(heap));
 	REQUIRE(i >= 1 && i <= heap->last);
 
-	elt = heap->array[heap->last];
-	if (--heap->last > 0)
-		sink_down(heap, i, elt);
+	if (i == heap->last) {
+		heap->last--;
+	} else {
+		elt = heap->array[heap->last--];
+		less = heap->compare(elt, heap->array[i]);
+		heap->array[i] = elt;
+		if (less)
+			float_up(heap, i, heap->array[i]);
+		else
+			sink_down(heap, i, heap->array[i]);
+	}
 }
 
 void
diff --git a/lib/isc/include/isc/Makefile.in b/lib/isc/include/isc/Makefile.in
index 926a8e1f..cbddb443 100644
--- a/lib/isc/include/isc/Makefile.in
+++ b/lib/isc/include/isc/Makefile.in
@@ -24,12 +24,13 @@ top_srcdir =	@top_srcdir@
 #
 HEADERS =	assertions.h base64.h bitstring.h boolean.h buffer.h \
 		bufferlist.h commandline.h error.h event.h eventclass.h \
-		heap.h interfaceiter.h lang.h lex.h lfsr.h lib.h \
-		list.h magic.h mem.h mktemplate.h msgcat.h mutexblock.h \
-		netaddr.h platform.h print.h quota.h random.h ratelimiter.h \
-		rbtgen.h region.h result.h resultclass.h rwlock.h serial.h \
-		sockaddr.h socket.h str.h symtab.h task.h taskpool.h timer.h \
-		types.h ufile.h util.h
+		file.h heap.h interfaceiter.h  @ISC_IPV6_H@ lang.h lex.h \
+		lfsr.h lib.h list.h log.h magic.h mem.h msgcat.h \
+		mutexblock.h netaddr.h ondestroy.h platform.h \
+		print.h quota.h random.h ratelimiter.h region.h \
+		result.h resultclass.h rwlock.h serial.h sockaddr.h \
+		socket.h stdio.h string.h symtab.h task.h taskpool.h timer.h \
+		types.h util.h
 
 SUBDIRS =
 TARGETS =
diff --git a/lib/isc/include/isc/assertions.h b/lib/isc/include/isc/assertions.h
index c9ed15e0..7ce75c02 100644
--- a/lib/isc/include/isc/assertions.h
+++ b/lib/isc/include/isc/assertions.h
@@ -16,11 +16,11 @@
  */
 
 /*
- * $Id: assertions.h,v 1.7 2000/02/03 23:07:47 halley Exp $
+ * $Id: assertions.h,v 1.9 2000/04/28 16:54:53 tale Exp $
  */
 
 #ifndef ISC_ASSERTIONS_H
-#define ISC_ASSERTIONS_H	1
+#define ISC_ASSERTIONS_H 1
 
 #include <isc/lang.h>
 
@@ -41,75 +41,75 @@ extern isc_assertioncallback_t isc_assertion_failed;
 void isc_assertion_setcallback(isc_assertioncallback_t);
 char *isc_assertion_typetotext(isc_assertiontype_t type);
 
-#ifdef CHECK_ALL
-#define CHECK_REQUIRE		1
-#define CHECK_ENSURE		1
-#define CHECK_INSIST		1
-#define CHECK_INVARIANT		1
+#ifdef ISC_CHECK_ALL
+#define ISC_CHECK_REQUIRE		1
+#define ISC_CHECK_ENSURE		1
+#define ISC_CHECK_INSIST		1
+#define ISC_CHECK_INVARIANT		1
 #endif
 
-#ifdef CHECK_NONE
-#define CHECK_REQUIRE		0
-#define CHECK_ENSURE		0
-#define CHECK_INSIST		0
-#define CHECK_INVARIANT		0
+#ifdef ISC_CHECK_NONE
+#define ISC_CHECK_REQUIRE		0
+#define ISC_CHECK_ENSURE		0
+#define ISC_CHECK_INSIST		0
+#define ISC_CHECK_INVARIANT		0
 #endif
 
-#ifndef CHECK_REQUIRE
-#define CHECK_REQUIRE		1
+#ifndef ISC_CHECK_REQUIRE
+#define ISC_CHECK_REQUIRE		1
 #endif
 
-#ifndef CHECK_ENSURE
-#define CHECK_ENSURE		1
+#ifndef ISC_CHECK_ENSURE
+#define ISC_CHECK_ENSURE		1
 #endif
 
-#ifndef CHECK_INSIST
-#define CHECK_INSIST		1
+#ifndef ISC_CHECK_INSIST
+#define ISC_CHECK_INSIST		1
 #endif
 
-#ifndef CHECK_INVARIANT
-#define CHECK_INVARIANT		1
+#ifndef ISC_CHECK_INVARIANT
+#define ISC_CHECK_INVARIANT		1
 #endif
 
-#if CHECK_REQUIRE != 0
-#define REQUIRE(cond) \
+#if ISC_CHECK_REQUIRE != 0
+#define ISC_REQUIRE(cond) \
 	((void) ((cond) || \
 		 ((isc_assertion_failed)(__FILE__, __LINE__, \
 					 isc_assertiontype_require, \
 					 #cond), 0)))
 #else
-#define REQUIRE(cond)		((void) 0)
-#endif /* CHECK_REQUIRE */
+#define ISC_REQUIRE(cond)	((void) 0)
+#endif /* ISC_CHECK_REQUIRE */
 
-#if CHECK_ENSURE != 0
-#define ENSURE(cond) \
+#if ISC_CHECK_ENSURE != 0
+#define ISC_ENSURE(cond) \
 	((void) ((cond) || \
 		 ((isc_assertion_failed)(__FILE__, __LINE__, \
 					 isc_assertiontype_ensure, \
 					 #cond), 0)))
 #else
-#define ENSURE(cond)		((void) 0)
-#endif /* CHECK_ENSURE */
+#define ISC_ENSURE(cond)	((void) 0)
+#endif /* ISC_CHECK_ENSURE */
 
-#if CHECK_INSIST != 0
-#define INSIST(cond) \
+#if ISC_CHECK_INSIST != 0
+#define ISC_INSIST(cond) \
 	((void) ((cond) || \
 		 ((isc_assertion_failed)(__FILE__, __LINE__, \
 					 isc_assertiontype_insist, \
 					 #cond), 0)))
 #else
-#define INSIST(cond)		((void) 0)
-#endif /* CHECK_INSIST */
+#define ISC_INSIST(cond)	((void) 0)
+#endif /* ISC_CHECK_INSIST */
 
-#if CHECK_INVARIANT != 0
-#define INVARIANT(cond) \
+#if ISC_CHECK_INVARIANT != 0
+#define ISC_INVARIANT(cond) \
 	((void) ((cond) || \
 		 ((isc_assertion_failed)(__FILE__, __LINE__, \
 					 isc_assertiontype_invariant, \
 					 #cond), 0)))
 #else
-#define INVARIANT(cond)		((void) 0)
-#endif /* CHECK_INVARIANT */
+#define ISC_INVARIANT(cond)	((void) 0)
+#endif /* ISC_CHECK_INVARIANT */
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/isc/include/isc/base64.h b/lib/isc/include/isc/base64.h
index ac77501d..ddcb9154 100644
--- a/lib/isc/include/isc/base64.h
+++ b/lib/isc/include/isc/base64.h
@@ -15,16 +15,12 @@
  * SOFTWARE.
  */
 
-/* $Id: base64.h,v 1.4 2000/03/21 00:37:35 gson Exp $ */
+/* $Id: base64.h,v 1.6 2000/04/10 21:52:31 gson Exp $ */
 
 #ifndef ISC_BASE64_H
 #define ISC_BASE64_H 1
 
-#include <isc/buffer.h>
 #include <isc/lang.h>
-#include <isc/lex.h>
-#include <isc/region.h>
-#include <isc/result.h>
 #include <isc/types.h>
 
 ISC_LANG_BEGINDECLS
diff --git a/lib/isc/include/isc/boolean.h b/lib/isc/include/isc/boolean.h
index 88cee1f7..7b510385 100644
--- a/lib/isc/include/isc/boolean.h
+++ b/lib/isc/include/isc/boolean.h
@@ -18,16 +18,10 @@
 #ifndef ISC_BOOLEAN_H
 #define ISC_BOOLEAN_H 1
 
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
 typedef enum { isc_boolean_false = 0, isc_boolean_true = 1 } isc_boolean_t;
 
 #define ISC_FALSE isc_boolean_false
 #define ISC_TRUE isc_boolean_true
 #define ISC_TF(x) ((x) ? ISC_TRUE : ISC_FALSE)
 
-ISC_LANG_ENDDECLS
-
 #endif /* ISC_BOOLEAN_H */
diff --git a/lib/isc/include/isc/buffer.h b/lib/isc/include/isc/buffer.h
index 4532d081..0b685a78 100644
--- a/lib/isc/include/isc/buffer.h
+++ b/lib/isc/include/isc/buffer.h
@@ -49,6 +49,7 @@
  * is empty.  If the current offset advances beyond the chosen offset, the
  * active region will also be empty.
  *
+ *  /------------entire length---------------\
  *  /----- used region -----\/-- available --\
  *  +----------------------------------------+
  *  | consumed  | remaining |                |
@@ -102,10 +103,16 @@
  ***/
 
 #include <isc/lang.h>
-#include <isc/list.h>
-#include <isc/mem.h>
-#include <isc/region.h>
-#include <isc/int.h>
+#include <isc/magic.h>
+#include <isc/types.h>
+
+/*
+ * To make many functions be inline macros (via #define) define this.
+ * If it is undefined, a function will be used.
+ */
+#if 0
+#define ISC_BUFFER_USEINLINE
+#endif
 
 ISC_LANG_BEGINDECLS
 
@@ -113,9 +120,7 @@ ISC_LANG_BEGINDECLS
  *** Magic numbers
  ***/
 #define ISC_BUFFER_MAGIC		0x42756621U	/* Buf!. */
-
-#define ISC_BUFFER_VALID(b)		((b) != NULL && \
-					 (b)->magic == ISC_BUFFER_MAGIC)
+#define ISC_BUFFER_VALID(b)		ISC_MAGIC_VALID(b, ISC_BUFFER_MAGIC)
 
 /*
  * The following macros MUST be used only on valid buffers.  It is the
@@ -125,24 +130,22 @@ ISC_LANG_BEGINDECLS
  */
 
 /*
- * Get the length of the used region of buffer "b"
+ * Fundamental buffer elements.  (A through E in the introductory comment.)
  */
-#define ISC_BUFFER_USEDCOUNT(b)		((b)->used)
+#define isc_buffer_base(b)    ((unsigned char *)(b)->base) 	          /*a*/
+#define isc_buffer_current(b) ((unsigned char *)(b)->base + (b)->current) /*b*/
+#define isc_buffer_active(b)  ((unsigned char *)(b)->base + (b)->active)  /*c*/
+#define isc_buffer_used(b)    ((unsigned char *)(b)->base + (b)->used)    /*d*/
+#define isc_buffer_length(b)  ((b)->length)                               /*e*/
 
 /*
- * Get the length of the available region of buffer "b"
+ * Derived lengths.  (Described in the introductory comment.)
  */
-#define ISC_BUFFER_AVAILABLECOUNT(b)	((b)->length - (b)->used)
-
-/***
- *** Types
- ***/
-
-#define ISC_BUFFERTYPE_GENERIC			0
-#define ISC_BUFFERTYPE_BINARY			1
-#define ISC_BUFFERTYPE_TEXT			2
-
-/* Types >= 1024 are reserved for application use. */
+#define isc_buffer_usedlength(b)	((b)->used)		      /* d-a */
+#define isc_buffer_consumedlength(b)	((b)->current)		      /* b-a */
+#define isc_buffer_remaininglength(b)	((b)->used - (b)->current)    /* d-b */
+#define isc_buffer_activelength(b)	((b)->active - (b)->current)  /* c-b */
+#define isc_buffer_availablelength(b)	((b)->length - (b)->used)     /* e-d */
 
 /*
  * Note that the buffer structure is public.  This is principally so buffer
@@ -150,10 +153,8 @@ ISC_LANG_BEGINDECLS
  * discouraged from directly manipulating the structure.
  */
 
-typedef struct isc_buffer isc_buffer_t;
 struct isc_buffer {
 	unsigned int		magic;
-	unsigned int		type;
 	void		       *base;
 	/* The following integers are byte offsets from 'base'. */
 	unsigned int		length;
@@ -172,7 +173,7 @@ struct isc_buffer {
 
 isc_result_t
 isc_buffer_allocate(isc_mem_t *mctx, isc_buffer_t **dynbuffer,
-		    unsigned int length, unsigned int type);
+		    unsigned int length);
 /*
  * Allocate a dynamic linkable buffer which has "length" bytes in the
  * data region.
@@ -207,8 +208,7 @@ isc_buffer_free(isc_buffer_t **dynbuffer);
  */
 
 void
-isc_buffer_init(isc_buffer_t *b, void *base, unsigned int length,
-		unsigned int type);
+isc__buffer_init(isc_buffer_t *b, void *base, unsigned int length);
 /*
  * Make 'b' refer to the 'length'-byte region starting at base.
  *
@@ -221,7 +221,7 @@ isc_buffer_init(isc_buffer_t *b, void *base, unsigned int length,
  */
 
 void
-isc_buffer_invalidate(isc_buffer_t *b);
+isc__buffer_invalidate(isc_buffer_t *b);
 /*
  * Make 'b' an invalid buffer.
  *
@@ -233,22 +233,8 @@ isc_buffer_invalidate(isc_buffer_t *b);
  *	calling isc_buffer_init() on it will cause an assertion failure.
  */
 		
-unsigned int
-isc_buffer_type(isc_buffer_t *b);
-/*
- * The type of 'b'.
- *
- * Requires:
- *
- *	'b' is a valid buffer.
- *
- * Returns:
- *
- *	The type of 'b'.
- */
-			
 void
-isc_buffer_region(isc_buffer_t *b, isc_region_t *r);
+isc__buffer_region(isc_buffer_t *b, isc_region_t *r);
 /*
  * Make 'r' refer to the region of 'b'.
  *
@@ -260,7 +246,7 @@ isc_buffer_region(isc_buffer_t *b, isc_region_t *r);
  */
 
 void
-isc_buffer_used(isc_buffer_t *b, isc_region_t *r);
+isc__buffer_usedregion(isc_buffer_t *b, isc_region_t *r);
 /*
  * Make 'r' refer to the used region of 'b'.
  *
@@ -272,7 +258,7 @@ isc_buffer_used(isc_buffer_t *b, isc_region_t *r);
  */
 
 void
-isc_buffer_available(isc_buffer_t *b, isc_region_t *r);
+isc__buffer_availableregion(isc_buffer_t *b, isc_region_t *r);
 /*
  * Make 'r' refer to the available region of 'b'.
  *
@@ -284,7 +270,7 @@ isc_buffer_available(isc_buffer_t *b, isc_region_t *r);
  */
 
 void
-isc_buffer_add(isc_buffer_t *b, unsigned int n);
+isc__buffer_add(isc_buffer_t *b, unsigned int n);
 /*
  * Increase the 'used' region of 'b' by 'n' bytes.
  *
@@ -297,7 +283,7 @@ isc_buffer_add(isc_buffer_t *b, unsigned int n);
  */
 
 void
-isc_buffer_subtract(isc_buffer_t *b, unsigned int n);
+isc__buffer_subtract(isc_buffer_t *b, unsigned int n);
 /*
  * Decrease the 'used' region of 'b' by 'n' bytes.
  *
@@ -310,7 +296,7 @@ isc_buffer_subtract(isc_buffer_t *b, unsigned int n);
  */
 
 void
-isc_buffer_clear(isc_buffer_t *b);
+isc__buffer_clear(isc_buffer_t *b);
 /*
  * Make the used region empty.
  *
@@ -325,7 +311,7 @@ isc_buffer_clear(isc_buffer_t *b);
  */
 
 void
-isc_buffer_consumed(isc_buffer_t *b, isc_region_t *r);
+isc__buffer_consumedregion(isc_buffer_t *b, isc_region_t *r);
 /*
  * Make 'r' refer to the consumed region of 'b'.
  *
@@ -337,7 +323,7 @@ isc_buffer_consumed(isc_buffer_t *b, isc_region_t *r);
  */
 
 void
-isc_buffer_remaining(isc_buffer_t *b, isc_region_t *r);
+isc__buffer_remainingregion(isc_buffer_t *b, isc_region_t *r);
 /*
  * Make 'r' refer to the remaining region of 'b'.
  *
@@ -349,7 +335,7 @@ isc_buffer_remaining(isc_buffer_t *b, isc_region_t *r);
  */
 
 void
-isc_buffer_active(isc_buffer_t *b, isc_region_t *r);
+isc__buffer_activeregion(isc_buffer_t *b, isc_region_t *r);
 /*
  * Make 'r' refer to the active region of 'b'.
  *
@@ -361,7 +347,7 @@ isc_buffer_active(isc_buffer_t *b, isc_region_t *r);
  */
 
 void
-isc_buffer_setactive(isc_buffer_t *b, unsigned int n);
+isc__buffer_setactive(isc_buffer_t *b, unsigned int n);
 /*
  * Sets the end of the active region 'n' bytes after current.
  *
@@ -373,7 +359,7 @@ isc_buffer_setactive(isc_buffer_t *b, unsigned int n);
  */
 
 void
-isc_buffer_first(isc_buffer_t *b);
+isc__buffer_first(isc_buffer_t *b);
 /*
  * Make the consumed region empty.
  *
@@ -388,7 +374,7 @@ isc_buffer_first(isc_buffer_t *b);
  */
 
 void
-isc_buffer_forward(isc_buffer_t *b, unsigned int n);
+isc__buffer_forward(isc_buffer_t *b, unsigned int n);
 /*
  * Increase the 'consumed' region of 'b' by 'n' bytes.
  *
@@ -401,7 +387,7 @@ isc_buffer_forward(isc_buffer_t *b, unsigned int n);
  */
 
 void
-isc_buffer_back(isc_buffer_t *b, unsigned int n);
+isc__buffer_back(isc_buffer_t *b, unsigned int n);
 /*
  * Decrease the 'consumed' region of 'b' by 'n' bytes.
  *
@@ -454,7 +440,7 @@ isc_buffer_getuint8(isc_buffer_t *b);
  */
 
 void
-isc_buffer_putuint8(isc_buffer_t *b, isc_uint8_t val);
+isc__buffer_putuint8(isc_buffer_t *b, isc_uint8_t val);
 /*
  * Store an unsigned 8-bit integer from 'val' into 'b'.
  *
@@ -489,7 +475,7 @@ isc_buffer_getuint16(isc_buffer_t *b);
  */
 
 void
-isc_buffer_putuint16(isc_buffer_t *b, isc_uint16_t val);
+isc__buffer_putuint16(isc_buffer_t *b, isc_uint16_t val);
 /*
  * Store an unsigned 16-bit integer in host byte order from 'val'
  * into 'b' in network byte order.
@@ -513,11 +499,11 @@ isc_buffer_getuint32(isc_buffer_t *b);
  *
  *	'b' is a valid buffer.
  *
- *	The length of the available region of 'b' is at least 2.
+ *	The length of the available region of 'b' is at least 4.
  *
  * Ensures:
  *
- *	The current pointer in 'b' is advanced by 2.
+ *	The current pointer in 'b' is advanced by 4.
  *
  * Returns:
  *
@@ -525,7 +511,7 @@ isc_buffer_getuint32(isc_buffer_t *b);
  */
 
 void
-isc_buffer_putuint32(isc_buffer_t *b, isc_uint32_t val);
+isc__buffer_putuint32(isc_buffer_t *b, isc_uint32_t val);
 /*
  * Store an unsigned 32-bit integer in host byte order from 'val'
  * into 'b' in network byte order.
@@ -539,8 +525,14 @@ isc_buffer_putuint32(isc_buffer_t *b, isc_uint32_t val);
  *	The used pointer in 'b' is advanced by 4.
  */
 
+#define ISC__BUFFER_PUTMEM(_b, _base, _length) \
+	do { \
+		memcpy((unsigned char *)(_b)->base + (_b)->used, \
+			(_base), (_length)); \
+		(_b)->used += (_length); \
+	} while (0)
 void
-isc_buffer_putmem(isc_buffer_t *b, unsigned char *base, unsigned int length);
+isc__buffer_putmem(isc_buffer_t *b, unsigned char *base, unsigned int length);
 /*
  * Copy 'length' bytes of memory at 'base' into 'b'.
  *
@@ -551,21 +543,17 @@ isc_buffer_putmem(isc_buffer_t *b, unsigned char *base, unsigned int length);
  *
  */
 
-isc_result_t
+void
 isc_buffer_putstr(isc_buffer_t *b, const char *source);
 /*
- * Copy 'length' bytes of memory at 'base' into 'b'.
+ * Copy 'source' into 'b', not including terminating NUL.
  *
  * Requires:
  *	'b' is a valid buffer.
  *
  *	'source' to be a valid NULL terminated string.
  *
- * Returns:
- *
- *	ISC_R_SUCCESS
- *	ISC_R_NOSPACE			The available region of 'b' is not
- *					big enough.
+ *	strlen(source) <= isc_buffer_available(b)
  */
 
 isc_result_t
@@ -585,6 +573,193 @@ isc_buffer_copyregion(isc_buffer_t *b, isc_region_t *r);
  *					big enough.
  */
 
+/*
+ * Inline macro versions of the functions.  These should never be called
+ * directly by an application, but will be used by the functions within
+ * buffer.c.  The callers should always use "isc_buffer_*()" names, never
+ * ones beginning with "isc__"
+ */
+
+#define ISC__BUFFER_INIT(_b, _base, _length) \
+	do { \
+		(_b)->magic = ISC_BUFFER_MAGIC; \
+		(_b)->base = (_base); \
+		(_b)->length = (_length); \
+		(_b)->used = 0; \
+		(_b)->current = 0; \
+		(_b)->active = 0; \
+		(_b)->mctx = NULL; \
+		ISC_LINK_INIT(b, link); \
+	} while (0)
+
+#define ISC__BUFFER_INVALIDATE(_b) \
+	do { \
+		(_b)->magic = 0; \
+		(_b)->base = NULL; \
+		(_b)->length = 0; \
+		(_b)->used = 0; \
+		(_b)->current = 0; \
+		(_b)->active = 0; \
+	} while (0)
+
+#define ISC__BUFFER_REGION(_b, _r) \
+	do { \
+		(_r)->base = (_b)->base; \
+		(_r)->length = (_b)->length; \
+	} while (0)
+
+#define ISC__BUFFER_USEDREGION(_b, _r) \
+	do { \
+		(_r)->base = (_b)->base; \
+		(_r)->length = (_b)->used; \
+	} while (0)
+
+#define ISC__BUFFER_AVAILABLEREGION(_b, _r) \
+	do { \
+		(_r)->base = ((unsigned char *)(_b)->base) + (_b)->used; \
+		(_r)->length = (_b)->length - (_b)->used; \
+	} while (0)
+
+#define ISC__BUFFER_ADD(_b, _n) \
+	do { \
+		(_b)->used += (_n); \
+	} while (0)
+
+#define ISC__BUFFER_SUBTRACT(_b, _n) \
+	do { \
+		(_b)->used -= (_n); \
+		if ((_b)->current > (_b)->used) \
+			(_b)->current = (_b)->used; \
+		if ((_b)->active > (_b)->used) \
+			(_b)->active = (_b)->used; \
+	} while (0)
+
+#define ISC__BUFFER_CLEAR(_b) \
+	do { \
+		(_b)->used = 0; \
+		(_b)->current = 0; \
+		(_b)->active = 0; \
+	} while (0)
+
+#define ISC__BUFFER_CONSUMEDREGION(_b, _r) \
+	do { \
+		(_r)->base = (_b)->base; \
+		(_r)->length = (_b)->current; \
+	} while (0)
+
+#define ISC__BUFFER_REMAININGREGION(_b, _r) \
+	do { \
+		(_r)->base = ((unsigned char *)(_b)->base) + (_b)->current; \
+		(_r)->length = (_b)->used - (_b)->current; \
+	} while (0)
+
+#define ISC__BUFFER_ACTIVEREGION(_b, _r) \
+	do { \
+		if ((_b)->current < (_b)->active) { \
+			(_r)->base = (unsigned char *)(_b)->base \
+				     + (_b)->current; \
+			(_r)->length = (_b)->active - (_b)->current; \
+		} else { \
+			(_r)->base = NULL; \
+			(_r)->length = 0; \
+		} \
+	} while (0)
+
+#define ISC__BUFFER_SETACTIVE(_b, _n) \
+	do { \
+		(_b)->active = (_b)->current + (_n); \
+	} while (0)
+
+#define ISC__BUFFER_FIRST(_b) \
+	do { \
+		(_b)->current = 0; \
+	} while (0)
+
+#define ISC__BUFFER_FORWARD(_b, _n) \
+	do { \
+		(_b)->current += (_n); \
+	} while (0)
+
+#define ISC__BUFFER_BACK(_b, _n) \
+	do { \
+		(_b)->current -= (_n); \
+	} while (0)
+
+#define ISC__BUFFER_PUTUINT8(_b, _val) \
+	do { \
+		unsigned char *_cp; \
+		isc_uint8_t _val2 = (_val); \
+		_cp = (_b)->base; \
+		_cp += (_b)->used; \
+		(_b)->used++; \
+		_cp[0] = (_val2 & 0x00ff); \
+	} while (0)
+
+#define ISC__BUFFER_PUTUINT16(_b, _val) \
+	do { \
+		unsigned char *_cp; \
+		isc_uint16_t _val2 = (_val); \
+		_cp = (_b)->base; \
+		_cp += (_b)->used; \
+		(_b)->used += 2; \
+		_cp[0] = (_val2 & 0xff00U) >> 8; \
+		_cp[1] = (_val2 & 0x00ffU); \
+	} while (0)
+
+#define ISC__BUFFER_PUTUINT32(_b, _val) \
+	do { \
+		unsigned char *_cp; \
+		isc_uint32_t _val2 = (_val); \
+		_cp = (_b)->base; \
+		_cp += (_b)->used; \
+		(_b)->used += 4; \
+		_cp[0] = (_val2 & 0xff000000) >> 24; \
+		_cp[1] = (_val2 & 0x00ff0000) >> 16; \
+		_cp[2] = (_val2 & 0x0000ff00) >> 8; \
+		_cp[3] = (_val2 & 0x000000ff); \
+	} while (0)
+
+#if defined(ISC_BUFFER_USEINLINE)
+#define isc_buffer_init			ISC__BUFFER_INIT
+#define isc_buffer_invalidate		ISC__BUFFER_INVALIDATE
+#define isc_buffer_region		ISC__BUFFER_REGION
+#define isc_buffer_usedregion		ISC__BUFFER_USEDREGION
+#define isc_buffer_availableregion	ISC__BUFFER_AVAILABLEREGION
+#define isc_buffer_add			ISC__BUFFER_ADD
+#define isc_buffer_subtract		ISC__BUFFER_SUBTRACT
+#define isc_buffer_clear		ISC__BUFFER_CLEAR
+#define isc_buffer_consumedregion	ISC__BUFFER_CONSUMEDREGION
+#define isc_buffer_remainingregion	ISC__BUFFER_REMAININGREGION
+#define isc_buffer_activeregion		ISC__BUFFER_ACTIVEREGION
+#define isc_buffer_setactive		ISC__BUFFER_SETACTIVE
+#define isc_buffer_first		ISC__BUFFER_FIRST
+#define isc_buffer_forward		ISC__BUFFER_FORWARD
+#define isc_buffer_back			ISC__BUFFER_BACK
+#define isc_buffer_putuint8		ISC__BUFFER_PUTUINT8
+#define isc_buffer_putuint16		ISC__BUFFER_PUTUINT16
+#define isc_buffer_putuint32		ISC__BUFFER_PUTUINT32
+#define isc_buffer_putmem		ISC__BUFFER_PUTMEM
+#else
+#define isc_buffer_init			isc__buffer_init
+#define isc_buffer_invalidate		isc__buffer_invalidate
+#define isc_buffer_region		isc__buffer_region
+#define isc_buffer_usedregion		isc__buffer_usedregion
+#define isc_buffer_availableregion	isc__buffer_availableregion
+#define isc_buffer_add			isc__buffer_add
+#define isc_buffer_subtract		isc__buffer_subtract
+#define isc_buffer_clear		isc__buffer_clear
+#define isc_buffer_consumedregion	isc__buffer_consumedregion
+#define isc_buffer_remainingregion	isc__buffer_remainingregion
+#define isc_buffer_activeregion		isc__buffer_activeregion
+#define isc_buffer_setactive		isc__buffer_setactive
+#define isc_buffer_first		isc__buffer_first
+#define isc_buffer_forward		isc__buffer_forward
+#define isc_buffer_back			isc__buffer_back
+#define isc_buffer_putuint8		isc__buffer_putuint8
+#define isc_buffer_putuint16		isc__buffer_putuint16
+#define isc_buffer_putuint32		isc__buffer_putuint32
+#define isc_buffer_putmem		isc__buffer_putmem
+#endif
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/isc/include/isc/bufferlist.h b/lib/isc/include/isc/bufferlist.h
index 21cd311f..efb5201c 100644
--- a/lib/isc/include/isc/bufferlist.h
+++ b/lib/isc/include/isc/bufferlist.h
@@ -43,22 +43,11 @@
  ***/
 
 #include <isc/lang.h>
-#include <isc/buffer.h>
-#include <isc/bufferlist.h>
-#include <isc/list.h>
-#include <isc/mem.h>
-#include <isc/region.h>
-#include <isc/int.h>
+#include <isc/types.h>
 
 ISC_LANG_BEGINDECLS
 
 /***
- *** Types
- ***/
-
-typedef ISC_LIST(isc_buffer_t)	isc_bufferlist_t;
-
-/***
  *** Functions
  ***/
 
diff --git a/lib/isc/include/isc/commandline.h b/lib/isc/include/isc/commandline.h
index 9379ca7b..e37aad97 100644
--- a/lib/isc/include/isc/commandline.h
+++ b/lib/isc/include/isc/commandline.h
@@ -15,9 +15,13 @@
  * SOFTWARE.
  */
 
-/* $Id: commandline.h,v 1.2 2000/02/03 23:07:48 halley Exp $ */
+/* $Id: commandline.h,v 1.4 2000/04/28 22:13:14 tale Exp $ */
+
+#ifndef ISC_COMMANDLINE_H
+#define ISC_COMMANDLINE_H 1
 
 #include <isc/boolean.h>
+#include <isc/lang.h>
 
 extern int isc_commandline_index;	/* Index into parent argv vector. */
 extern int isc_commandline_option;	/* Character checked for validity. */
@@ -28,5 +32,11 @@ extern char *isc_commandline_progname;	/* For printing error messages. */
 extern isc_boolean_t isc_commandline_errprint;	/* Print error message. */
 extern isc_boolean_t isc_commandline_reset;    	/* Reset getopt. */
 
+ISC_LANG_BEGINDECLS
+
 int
 isc_commandline_parse(int argc, char * const *argv, const char *options);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_COMMANDLINE_H */
diff --git a/lib/isc/include/isc/error.h b/lib/isc/include/isc/error.h
index 7b29f0c0..27dfec09 100644
--- a/lib/isc/include/isc/error.h
+++ b/lib/isc/include/isc/error.h
@@ -32,9 +32,7 @@ void isc_error_unexpected(char *, int, char *, ...);
 void isc_error_fatal(char *, int, char *, ...);
 void isc_error_runtimecheck(char *, int, char *);
 
-#define UNEXPECTED_ERROR	isc_error_unexpected
-#define FATAL_ERROR		isc_error_fatal
-#define RUNTIME_CHECK(cond) \
+#define ISC_ERROR_RUNTIMECHECK(cond) \
 	((void) ((cond) || \
 		 ((isc_error_runtimecheck)(__FILE__, __LINE__, #cond), 0)))
 
diff --git a/lib/isc/include/isc/event.h b/lib/isc/include/isc/event.h
index 3f06e1eb..160298e9 100644
--- a/lib/isc/include/isc/event.h
+++ b/lib/isc/include/isc/event.h
@@ -18,39 +18,26 @@
 #ifndef ISC_EVENT_H
 #define ISC_EVENT_H 1
 
-#include <stddef.h>
-
 #include <isc/lang.h>
 #include <isc/types.h>
 
-ISC_LANG_BEGINDECLS
-
 /*****
  ***** Events.
  *****/
 
 typedef void (*isc_eventdestructor_t)(isc_event_t *);
 
-/*
- * XXXRTH  These fields may soon be prefixed with something like "ev_"
- *         so that there's no way someone using ISC_EVENT_COMMON could
- *         have a namespace conflict with us.
- *
- *	   On the other hand, if we ever changed the contents of this
- *	   structure, we'd break binary compatibility, so maybe this isn't
- *         really an issue.
- */
 #define ISC_EVENT_COMMON(ltype)		\
-	size_t				size; \
-	unsigned int			attributes; \
-	void *				tag; \
-	isc_eventtype_t			type; \
-	isc_taskaction_t		action; \
-	void *				arg; \
-	void *				sender; \
-	isc_eventdestructor_t		destroy; \
-	void *				destroy_arg; \
-	ISC_LINK(ltype)			link
+	size_t				ev_size; \
+	unsigned int			ev_attributes; \
+	void *				ev_tag; \
+	isc_eventtype_t			ev_type; \
+	isc_taskaction_t		ev_action; \
+	void *				ev_arg; \
+	void *				ev_sender; \
+	isc_eventdestructor_t		ev_destroy; \
+	void *				ev_destroy_arg; \
+	ISC_LINK(ltype)			ev_link
 
 /*
  * Attributes matching a mask of 0x000000ff are reserved for the task library's
@@ -59,18 +46,27 @@ typedef void (*isc_eventdestructor_t)(isc_event_t *);
  */
 #define ISC_EVENTATTR_NOPURGE		0x00000001
 
+/*
+ * The ISC_EVENTATTR_CANCELED attribute is intended to indicate
+ * that an event is delivered as a result of a canceled operation
+ * rather than successful completion, by mutual agreement
+ * between the sender and receiver.  It is not set or used by 
+ * the task system.
+ */
+#define ISC_EVENTATTR_CANCELED		0x00000002
+
 #define ISC_EVENT_INIT(event, sz, at, ta, ty, ac, ar, sn, df, da) \
 do { \
-	(event)->size = (sz); \
-	(event)->attributes = (at); \
-	(event)->tag = (ta); \
-	(event)->type = (ty); \
-	(event)->action = (ac); \
-	(event)->arg = (ar); \
-	(event)->sender = (sn); \
-	(event)->destroy = (df); \
-	(event)->destroy_arg = (da); \
-	ISC_LINK_INIT((event), link); \
+	(event)->ev_size = (sz); \
+	(event)->ev_attributes = (at); \
+	(event)->ev_tag = (ta); \
+	(event)->ev_type = (ty); \
+	(event)->ev_action = (ac); \
+	(event)->ev_arg = (ar); \
+	(event)->ev_sender = (sn); \
+	(event)->ev_destroy = (df); \
+	(event)->ev_destroy_arg = (da); \
+	ISC_LINK_INIT((event), ev_link); \
 } while (0)
 	
 /*
@@ -84,13 +80,14 @@ struct isc_event {
 #define ISC_EVENTTYPE_FIRSTEVENT	0x00000000
 #define ISC_EVENTTYPE_LASTEVENT		0xffffffff
 
-isc_event_t *				isc_event_allocate(isc_mem_t *,
-							   void *,
-							   isc_eventtype_t,
-							   isc_taskaction_t,
-							   void *arg,
-							   size_t);
-void					isc_event_free(isc_event_t **);
+ISC_LANG_BEGINDECLS
+
+isc_event_t *
+isc_event_allocate(isc_mem_t *, void *, isc_eventtype_t, isc_taskaction_t,
+		   void *arg, size_t);
+
+void
+isc_event_free(isc_event_t **);
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/isc/include/isc/eventclass.h b/lib/isc/include/isc/eventclass.h
index 1f773505..b1eb683a 100644
--- a/lib/isc/include/isc/eventclass.h
+++ b/lib/isc/include/isc/eventclass.h
@@ -18,10 +18,6 @@
 #ifndef ISC_EVENTCLASS_H
 #define ISC_EVENTCLASS_H 1
 
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
 /*****
  ***** Registry of Predefined Event Type Classes
  *****/
@@ -45,11 +41,10 @@ ISC_LANG_BEGINDECLS
 #define	ISC_EVENTCLASS_DNS		ISC_EVENTCLASS(4)
 #define	ISC_EVENTCLASS_APP		ISC_EVENTCLASS(5)
 #define	ISC_EVENTCLASS_OMAPI		ISC_EVENTCLASS(6)
+#define	ISC_EVENTCLASS_RATELIMITER	ISC_EVENTCLASS(7)
 
 /*
  * Event classes >= 1024 and <= 65535 are reserved for application use.
  */
 
-ISC_LANG_ENDDECLS
-
 #endif /* ISC_EVENTCLASS_H */
diff --git a/lib/isc/include/isc/file.h b/lib/isc/include/isc/file.h
new file mode 100644
index 00000000..7967a178
--- /dev/null
+++ b/lib/isc/include/isc/file.h
@@ -0,0 +1,169 @@
+/*
+ * Copyright (C) 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef ISC_FILE_H
+#define ISC_FILE_H 1
+
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_file_settime(const char *file, isc_time_t *time);
+
+isc_result_t
+isc_file_getmodtime(const char *file, isc_time_t *time);
+/*
+ * Get the time of last modication of a file.
+ *
+ * Notes:
+ *	The time that is set is relative to the (OS-specific) epoch, as are
+ *	all isc_time_t structures.
+ *
+ * Requires:
+ *	file != NULL.
+ *	time != NULL.
+ *
+ * Ensures:
+ *	If the file could not be accessed, 'time' is unchanged.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *		Success.
+ *	ISC_R_NOTFOUND
+ *		No such file exists.
+ *	ISC_R_INVALIDFILE
+ *		The path specified was not usable by the operating system.
+ *	ISC_R_NOPERM
+ *		The file's metainformation could not be retrieved because
+ *		permission was denied to some part of the file's path.
+ *	ISC_R_EIO
+ *		Hardware error interacting with the filesystem.
+ *	ISC_R_UNEXPECTED
+ *		Something totally unexpected happened.
+ *	
+ */
+
+isc_result_t
+isc_file_mktemplate(const char *path, char *buf, size_t buflen);
+/*
+ * Generate a template string suitable for use with isc_file_openunique.
+ *
+ * Notes:
+ *	This function is intended to make creating temporary files
+ *	portable between different operating systems.
+ *
+ *	The path is prepended to an implementation-defined string and
+ *	placed into buf.  The string has no path characters in it,
+ *	and its maximum length is 14 characters plus a NUL.  Thus
+ *	buflen should be at least strlen(path) + 15 characters or
+ *	an error will be returned.
+ *
+ * Requires:
+ *	buf != NULL.
+ *
+ * Ensures:
+ *	If result == ISC_R_SUCCESS:
+ *		buf contains a string suitable for use as the template argument
+ *		to isc_file_openunique.
+ *
+ *	If result != ISC_R_SUCCESS:
+ *		buf is unchanged.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS 	Success.
+ *	ISC_R_NOSPACE	buflen indicates buf is too small for the catenation
+ *				of the path with the internal template string.
+ */
+
+
+isc_result_t
+isc_file_openunique(char *templet, FILE **fp);
+/*
+ * Create and open a file with a unique name based on 'templet'.
+ * 
+ * Notes:
+ *	'template' is a reserved work in C++.  If you want to complain
+ *	about the spelling of 'templet', first look it up in the
+ *	Merriam-Webster English dictionary. (http://www.m-w.com/)
+ *
+ *	This function works by using the template to generate file names.
+ *	The template must be a writable string, as it is modified in place.
+ *	Trailing X characters in the file name (full file name on Unix,
+ *	basename on Win32 -- eg, tmp-XXXXXX vs XXXXXX.tmp, respectively)
+ *	are replaced with ASCII characters until a non-existent filename
+ *	is found.  If the template does not include pathname information,
+ *	the files in the working directory of the program are searched.
+ *
+ *	isc_file_mktemplate is a good, portable way to get a template.
+ *
+ * Requires:
+ *	'fp' is non-NULL and '*fp' is NULL.
+ *
+ *	'template' is non-NULL, and of a form suitable for use by
+ *	the system as described above.
+ *
+ * Ensures:
+ *	If result is ISC_R_SUCCESS:
+ *		*fp points to an stream opening in stdio's "w+" mode.
+ *
+ *	If result is not ISC_R_SUCCESS:
+ *		*fp is NULL.
+ *
+ *		No file is open.  Even if one was created (but unable
+ *		to be reopened as a stdio FILE pointer) then it has been
+ *		removed.
+ *
+ *	This function does *not* ensure that the template string has not been
+ *	modified, even if the operation was unsuccessful.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *		Success.
+ *	ISC_R_EXISTS
+ *		No file with a unique name could be created based on the
+ *		template.
+ *	ISC_R_INVALIDFILE
+ *		The path specified was not usable by the operating system.
+ *	ISC_R_NOPERM
+ *		The file could not be created because permission was denied
+ *		to some part of the file's path.
+ *	ISC_R_EIO
+ *		Hardware error interacting with the filesystem.
+ *	ISC_R_UNEXPECTED
+ *		Something totally unexpected happened.
+ */
+
+isc_result_t
+isc_file_remove(const char *filename);
+/*
+ * Remove the file named by 'filename'.
+ */
+
+/*
+ * XXX We should also have a isc_file_writeeopen() function
+ * for safely open a file in a publicly writable directory
+ * (see write_open() in BIND 8's ns_config.c).
+ */
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_FILE_H */
diff --git a/lib/isc/include/isc/heap.h b/lib/isc/include/isc/heap.h
index 1da78ba6..2a3b1520 100644
--- a/lib/isc/include/isc/heap.h
+++ b/lib/isc/include/isc/heap.h
@@ -19,9 +19,7 @@
 #define ISC_HEAP_H 1
 
 #include <isc/lang.h>
-#include <isc/result.h>
-#include <isc/boolean.h>
-#include <isc/mem.h>
+#include <isc/types.h>
 
 ISC_LANG_BEGINDECLS
 
diff --git a/lib/isc/include/isc/interfaceiter.h b/lib/isc/include/isc/interfaceiter.h
index 8e2deee5..2e41ef09 100644
--- a/lib/isc/include/isc/interfaceiter.h
+++ b/lib/isc/include/isc/interfaceiter.h
@@ -40,21 +40,15 @@
  *** Imports
  ***/
 
-#include <isc/result.h>
-#include <isc/mem.h>
+#include <isc/lang.h>
 #include <isc/netaddr.h>
-
-/***
- *** Types
- ***/
-
-typedef struct isc_interfaceiter isc_interfaceiter_t;
+#include <isc/types.h>
 
 /*
  * Public structure describing a network interface.
  */
 
-typedef struct {
+struct isc_interface {
 	char name[32];			/* Interface name, null-terminated. */
 	unsigned int af;		/* Address family. */ 
 	isc_netaddr_t address;		/* Local address. */
@@ -62,7 +56,7 @@ typedef struct {
 	isc_netaddr_t dstaddress; 	/* Destination address
 					   (point-to-point only). */
 	isc_uint32_t flags;		/* Flags; see below. */
-} isc_interface_t;
+};
 
 /* Interface flags. */
 
@@ -74,6 +68,8 @@ typedef struct {
  *** Functions
  ***/
 
+ISC_LANG_BEGINDECLS
+
 isc_result_t
 isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp);
 /*
@@ -131,4 +127,6 @@ isc_interfaceiter_destroy(isc_interfaceiter_t **iterp);
  * Destroy the iterator.
  */
 
+ISC_LANG_ENDDECLS
+
 #endif /* ISC_INTERFACEITER_H */
diff --git a/lib/isc/unix/include/isc/ipv6.h b/lib/isc/include/isc/ipv6.h
index 988cb656..3b3e5fe5 100644
--- a/lib/isc/unix/include/isc/ipv6.h
+++ b/lib/isc/include/isc/ipv6.h
@@ -45,10 +45,8 @@
  *** Imports.
  ***/
 
-#include <isc/lang.h>
 #include <isc/int.h>
-
-ISC_LANG_BEGINDECLS
+#include <isc/platform.h>
 
 /***
  *** Types.
@@ -89,11 +87,6 @@ struct sockaddr_in6 {
 #define SIN6_LEN 1
 #endif
 
-struct in6_pktinfo {
-	struct in6_addr ipi6_addr;    /* src/dst IPv6 address */
-	unsigned int    ipi6_ifindex; /* send/recv interface index */
-};
-
 /*
  * Unspecified
  */
@@ -130,6 +123,4 @@ struct in6_pktinfo {
          ((a)->s6_addr32[1] == 0) &&          \
          ((a)->s6_addr32[2] == htonl(0x0000ffff)))
 
-ISC_LANG_ENDDECLS
-
 #endif /* ISC_IPV6_H */
diff --git a/lib/isc/include/isc/lex.h b/lib/isc/include/isc/lex.h
index e8127f13..dae5f96d 100644
--- a/lib/isc/include/isc/lex.h
+++ b/lib/isc/include/isc/lex.h
@@ -52,12 +52,10 @@
  ***/
 
 #include <stdio.h>
-#include <stddef.h>
 
 #include <isc/lang.h>
-#include <isc/buffer.h>
-#include <isc/result.h>
-#include <isc/mem.h>
+#include <isc/region.h>
+#include <isc/types.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -105,8 +103,6 @@ ISC_LANG_BEGINDECLS
 
 /* Lex */
 
-typedef struct isc_lex isc_lex_t;
-
 typedef char isc_lexspecials_t[256];
 
 /* Tokens */
diff --git a/lib/isc/include/isc/lfsr.h b/lib/isc/include/isc/lfsr.h
index fdd51042..5c14e8e9 100644
--- a/lib/isc/include/isc/lfsr.h
+++ b/lib/isc/include/isc/lfsr.h
@@ -18,6 +18,7 @@
 #ifndef ISC_LFSR_H
 #define ISC_LFSR_H 1
 
+#include <isc/lang.h>
 #include <isc/types.h>
 
 typedef struct isc_lfsr isc_lfsr_t;
diff --git a/lib/isc/include/isc/log.h b/lib/isc/include/isc/log.h
index 87915afc..c3cbb219 100644
--- a/lib/isc/include/isc/log.h
+++ b/lib/isc/include/isc/log.h
@@ -15,18 +15,17 @@
  * SOFTWARE.
  */
 
-/* $Id: log.h,v 1.14 2000/03/23 00:53:05 gson Exp $ */
+/* $Id: log.h,v 1.20 2000/05/16 03:37:39 tale Exp $ */
 
 #ifndef ISC_LOG_H
 #define ISC_LOG_H 1
 
-#include <syslog.h>
 #include <stdio.h>
 #include <stdarg.h>
-#include <sys/types.h>
+#include <syslog.h> /* XXXDCL NT */
 
 #include <isc/lang.h>
-#include <isc/result.h>
+#include <isc/types.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -59,8 +58,9 @@ ISC_LANG_BEGINDECLS
 #define ISC_LOG_PRINTLEVEL	0x0002
 #define ISC_LOG_PRINTCATEGORY	0x0004
 #define ISC_LOG_PRINTMODULE	0x0008
-#define ISC_LOG_PRINTALL	0x000F
-#define ISC_LOG_DEBUGONLY	0x0010
+#define ISC_LOG_PRINTTAG	0x0010
+#define ISC_LOG_PRINTALL	0x001F
+#define ISC_LOG_DEBUGONLY	0x1000
 
 /*
  * Other options.
@@ -72,32 +72,22 @@ ISC_LANG_BEGINDECLS
 #define ISC_LOG_ROLLNEVER	(-2)
 
 /*
- * A logging context.  Details are internal to the implementation.
- */
-typedef struct isc_log isc_log_t;
-
-/*
- * Channel configuration.  Details are internal to the implementation.
- */
-typedef struct isc_logconfig isc_logconfig_t;
-
-/*
  * Used to name the categories used by a library.  An array of isc_logcategory
  * structures names each category, and the id value is initialized by calling
  * isc_log_registercategories.
  */
-typedef struct isc_logcategory {
+struct isc_logcategory {
 	const char *name;
 	unsigned int id;
-} isc_logcategory_t;
+};
 
 /*
  * Similar to isc_logcategory above, but for all the modules a library defines.
  */
-typedef struct isc_logmodule {
+struct isc_logmodule {
 	const char *name;
 	unsigned int id;
-} isc_logmodule_t;
+};
 
 /*
  * The isc_logfile structure is initialized as part of an isc_logdestination
@@ -117,8 +107,7 @@ typedef struct isc_logfile {
 	 * anyone would want).  st_size returned by fstat should be typedef'd
 	 * to a size large enough for the largest possible file on a system.
 	 */
-	/* XXXDCL NT */
-	off_t maximum_size;
+	isc_offset_t maximum_size;
 } isc_logfile_t;
 
 /*
@@ -131,19 +120,25 @@ typedef union isc_logdestination {
 } isc_logdestination_t;
 
 /*
- * The built-in categories of libisc.a.  Currently only one is available,
- * the category named "default".
+ * The built-in categories of libisc.
  *
  * Each library registering categories should provide library_LOGCATEGORY_name
  * definitions with indexes into its isc_logcategory structure corresponding to
- * the order of the names.  This should also be done for modules, but currently
- * libisc.a has no defined modules.
+ * the order of the names.
  */
 extern isc_logcategory_t isc_categories[];
+extern isc_log_t *isc_lctx;
+extern isc_logmodule_t isc_modules[];
 
+/*
+ * Do not log directly to DEFAULT.  Use another category.  When in doubt,
+ * use GENERAL.
+ */
 #define ISC_LOGCATEGORY_DEFAULT	(&isc_categories[0])
 #define ISC_LOGCATEGORY_GENERAL	(&isc_categories[1])
 
+#define ISC_LOGMODULE_SOCKET (&isc_modules[0])
+
 isc_result_t
 isc_log_create(isc_mem_t *mctx, isc_log_t **lctxp, isc_logconfig_t **lcfgp);
 /*
@@ -192,11 +187,11 @@ isc_logconfig_create(isc_log_t *lctx, isc_logconfig_t **lcfgp);
  *
  *	Four default channels are established:
  *	    	default_syslog
- *		 - log to syslog's daemon facility LOG_INFO or higher
+ *		 - log to syslog's daemon facility ISC_LOG_INFO or higher
  *		default_stderr
- *		 - log to stderr LOG_INFO or higher
+ *		 - log to stderr ISC_LOG_INFO or higher
  *		default_debug
- *		 - log to stderr LOG_DEBUG dynamically
+ *		 - log to stderr ISC_LOG_DEBUG dynamically
  *		null
  *		 - log nothing
  *
@@ -396,8 +391,8 @@ isc_log_createchannel(isc_logconfig_t *lcfg, const char *name,
  *	call by defining a new channel and then calling isc_log_usechannel()
  *	for ISC_LOGCATEGORY_DEFAULT.)
  *
- *	Specifying ISC_LOG_PRINTTIME for syslog is allowed, but probably
- *	not what you wanted to do.
+ *	Specifying ISC_LOG_PRINTTIME or ISC_LOG_PRINTTAG for syslog is allowed,
+ *	but probably not what you wanted to do.
  *
  *	ISC_LOG_DEBUGONLY will mark the channel as usable only when the
  *	debug level of the logging context (see isc_log_setdebuglevel)
@@ -643,9 +638,6 @@ isc_log_setduplicateinterval(isc_logconfig_t *lcfg, unsigned int interval);
  *
  * Requires:
  *	lctx is a valid logging context.
- *
- * Ensures:
- *	The duplicate interval is set to the current	
  */
 
 unsigned int
@@ -656,8 +648,54 @@ isc_log_getduplicateinterval(isc_logconfig_t *lcfg);
  * Requires:
  *	lctx is a valid logging context.
  *
- * Ensures:
- *	The current duplicate filtering interval is returned.
+ * Returns:
+ *	The current duplicate filtering interval.
+ */
+
+void
+isc_log_settag(isc_logconfig_t *lcfg, char *tag);
+/*
+ * Set the program name or other identifier for ISC_LOG_PRINTTAG.
+ *
+ * Requires:
+ *	lcfg is a valid logging configuration.
+ *
+ * Notes:
+ *	If this function has not set the tag to a non-NULL, non-empty value,
+ *	then the ISC_LOG_PRINTTAG channel flag will not print anything.
+ *	Unlike some implementations of syslog on Unix systems, you *must* set
+ *	the tag in order to get it logged.  It is not implicitly derived from
+ *	the program name (which is pretty impossible to infer portably).
+ *
+ *	Setting the tag to NULL or the empty string will also cause the
+ *	ISC_LOG_PRINTTAG channel flag to not print anything.  If tag equals the
+ *	empty string, calls to isc_log_gettag will return NULL.
+ *
+ *	Because the name is used by ISC_LOG_PRINTTAG, it should not be
+ *	altered or destroyed after isc_log_settag().
+ *
+ * XXXDCL when creating a new isc_logconfig_t, it might be nice if the tag
+ * of the currently active isc_logconfig_t was inherited.  this does not
+ * currently happen.
+ */
+
+char *
+isc_log_gettag(isc_logconfig_t *lcfg);
+/*
+ * Get the current identifier printed with ISC_LOG_PRINTTAG.
+ *
+ * Requires:
+ *	lcfg is a valid logging configuration.
+ *
+ * Notes:
+ *	Since isc_log_settag() will not associate a zero-length string
+ *	with the logging configuration, attempts to do so will cause
+ *	this function to return NULL.  However, a determined programmer
+ *	will observe that (currently) a tag of length greater than zero
+ *	could be set, and then modified to be zero length.
+ *
+ * Returns:
+ *	A pointer to the current identifier, or NULL if none has been set.
  */
 
 void
@@ -756,6 +794,16 @@ isc_log_modulebyname(isc_log_t *lctx, const char *name);
  *	NULL if no module exists by that name.
  */
 
+void
+isc_log_setcontext(isc_log_t *lctx);
+/*
+ * Sets the context used by the libisc for logging.
+ *
+ * Requires:
+ *	lctx be a valid context.
+ *	This function must not have been previously called.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_LOG_H */
diff --git a/lib/isc/include/isc/magic.h b/lib/isc/include/isc/magic.h
index 31d58be0..e0665158 100644
--- a/lib/isc/include/isc/magic.h
+++ b/lib/isc/include/isc/magic.h
@@ -16,14 +16,23 @@
  */
 
 #ifndef ISC_MAGIC_H
-#define ISC_MAGIC_H
+#define ISC_MAGIC_H 1
 
-#include <isc/lang.h>
+typedef struct {
+	unsigned int magic;
+} isc__magic_t;
 
-ISC_LANG_BEGINDECLS
 
-#define ISC_MAGIC_VALID(a,b)	(((a) != NULL) && ((a)->magic == (b)))
+/*
+ * To use this macro the magic number MUST be the first thing in the
+ * structure, and MUST be of type "unsigned int".
+ *
+ * The intent of this is to allow magic numbers to be checked even though
+ * the object is otherwise opaque.
+ */
+#define ISC_MAGIC_VALID(a,b)	(((a) != NULL) \
+				 && (((isc__magic_t *)(a))->magic == (b)))
 
-ISC_LANG_ENDDECLS
+#define ISC_MAGIC(a, b, c, d)	((a) << 24 | (b) << 16 | (c) << 8 | (d))
 
 #endif /* ISC_MAGIC_H */
diff --git a/lib/isc/include/isc/mem.h b/lib/isc/include/isc/mem.h
index 125feb4a..429debac 100644
--- a/lib/isc/include/isc/mem.h
+++ b/lib/isc/include/isc/mem.h
@@ -19,68 +19,69 @@
 #define ISC_MEM_H 1
 
 #include <stdio.h>
-#include <stddef.h>
 
-#include <isc/boolean.h>
 #include <isc/lang.h>
 #include <isc/mutex.h>
-#include <isc/result.h>
 #include <isc/types.h>
 
-#include <isc/ondestroy.h>
-
 ISC_LANG_BEGINDECLS
 
 typedef void * (*isc_memalloc_t)(void *, size_t);
 typedef void (*isc_memfree_t)(void *, void *);
 
 #ifdef ISC_MEM_DEBUG
-#define isc_mem_get(c, s)	__isc_mem_getdebug(c, s, __FILE__, __LINE__)
-#define isc_mem_put(c, p, s)	__isc_mem_putdebug(c, p, s, __FILE__, __LINE__)
-#define isc_mem_allocate(c, s)	__isc_mem_allocatedebug(c, s, \
+#define isc_mem_get(c, s)	isc__mem_getdebug(c, s, __FILE__, __LINE__)
+#define isc_mem_put(c, p, s)	isc__mem_putdebug(c, p, s, __FILE__, __LINE__)
+#define isc_mem_allocate(c, s)	isc__mem_allocatedebug(c, s, \
 							    __FILE__, __LINE__)
-#define isc_mem_free(c, p)	__isc_mem_freedebug(c, p, __FILE__, __LINE__)
-#define isc_mem_strdup(c, p)	__isc_mem_strdupdebug(c, p, \
+#define isc_mem_free(c, p)	isc__mem_freedebug(c, p, __FILE__, __LINE__)
+#define isc_mem_strdup(c, p)	isc__mem_strdupdebug(c, p, \
 						      __FILE__, __LINE__)
-#define isc_mempool_get(c)	__isc_mempool_getdebug(c, __FILE__, __LINE__)
-#define isc_mempool_put(c, p)	__isc_mempool_putdebug(c, p, \
+#define isc_mempool_get(c)	isc__mempool_getdebug(c, __FILE__, __LINE__)
+#define isc_mempool_put(c, p)	isc__mempool_putdebug(c, p, \
 						       __FILE__, __LINE__)
 #else
-#define isc_mem_get		__isc_mem_get
-#define isc_mem_put		__isc_mem_put
-#define isc_mem_allocate	__isc_mem_allocate
-#define isc_mem_free		__isc_mem_free
-#define isc_mem_strdup		__isc_mem_strdup
-#define isc_mempool_get		__isc_mempool_get
-#define isc_mempool_put		__isc_mempool_put
+#define isc_mem_get		isc__mem_get
+#define isc_mem_put		isc__mem_put
+#define isc_mem_allocate	isc__mem_allocate
+#define isc_mem_free		isc__mem_free
+#define isc_mem_strdup		isc__mem_strdup
+#define isc_mempool_get		isc__mempool_get
+#define isc_mempool_put		isc__mempool_put
 #endif /* ISC_MEM_DEBUG */
 
 isc_result_t			isc_mem_create(size_t, size_t, isc_mem_t **);
+void				isc_mem_attach(isc_mem_t *, isc_mem_t **);
+void				isc_mem_detach(isc_mem_t **);
 void				isc_mem_destroy(isc_mem_t **);
 isc_result_t			isc_mem_ondestroy(isc_mem_t *ctx,
 						  isc_task_t *task,
 						  isc_event_t **event);
-void *				__isc_mem_get(isc_mem_t *, size_t);
-void 				__isc_mem_put(isc_mem_t *, void *, size_t);
-void *				__isc_mem_getdebug(isc_mem_t *, size_t,
-						   const char *, int);
-void 				__isc_mem_putdebug(isc_mem_t *, void *,
-						   size_t, const char *, int);
+void *				isc__mem_get(isc_mem_t *, size_t);
+void 				isc__mem_put(isc_mem_t *, void *, size_t);
+void *				isc__mem_getdebug(isc_mem_t *, size_t,
+						  const char *, int);
+void 				isc__mem_putdebug(isc_mem_t *, void *,
+						  size_t, const char *, int);
+isc_result_t			isc_mem_preallocate(isc_mem_t *);
 void 				isc_mem_stats(isc_mem_t *, FILE *);
 isc_boolean_t			isc_mem_valid(isc_mem_t *, void *);
-void *				__isc_mem_allocate(isc_mem_t *, size_t);
-void *				__isc_mem_allocatedebug(isc_mem_t *, size_t,
-							const char *, int);
-void				__isc_mem_free(isc_mem_t *, void *);
-void				__isc_mem_freedebug(isc_mem_t *, void *,
-						    const char *, int);
-char *				__isc_mem_strdup(isc_mem_t *, const char *);
-char *				__isc_mem_strdupdebug(isc_mem_t *,
-						      const char *,
-						      const char *, int);
-isc_boolean_t			isc_mem_destroy_check(isc_mem_t *, isc_boolean_t);
+void *				isc__mem_allocate(isc_mem_t *, size_t);
+void *				isc__mem_allocatedebug(isc_mem_t *, size_t,
+						       const char *, int);
+void				isc__mem_free(isc_mem_t *, void *);
+void				isc__mem_freedebug(isc_mem_t *, void *,
+						   const char *, int);
+char *				isc__mem_strdup(isc_mem_t *, const char *);
+char *				isc__mem_strdupdebug(isc_mem_t *,
+						     const char *,
+						     const char *, int);
+void				isc_mem_setdestroycheck(isc_mem_t *,
+							isc_boolean_t);
+void				isc_mem_setsplit(isc_mem_t *, isc_boolean_t);
 void				isc_mem_setquota(isc_mem_t *, size_t);
 size_t				isc_mem_getquota(isc_mem_t *);
+size_t				isc_mem_inuse(isc_mem_t *);
 
 isc_result_t			isc_mem_createx(size_t, size_t,
 						isc_memalloc_t memalloc,
@@ -94,25 +95,27 @@ isc_result_t			isc_mem_restore(isc_mem_t *);
  * Legacy.
  */
 
-#define meminit			__meminit
-#define mem_default_context	__mem_default_context
+#define meminit			isc__legacy_meminit
+#define mem_default_context	isc__legacy_mem_default_context
 #ifdef MEMCLUSTER_DEBUG
-#define memget(s)		__memget_debug(s, __FILE__, __LINE__)
-#define memput(p, s)		__memput_debug(p, s, __FILE__, __LINE__)
+#define memget(s)		isc__legacy_memget_debug(s, __FILE__, __LINE__)
+#define memput(p, s)		isc__legacy_memput_debug(p, s, \
+							 __FILE__, __LINE__)
 #else
-#define memget			__memget
-#define memput			__memput
+#define memget			isc__legacy_memget
+#define memput			isc__legacy_memput
 #endif
-#define memvalid		__memvalid
-#define memstats		__memstats
+#define memvalid		isc__legacy_memvalid
+#define memstats		isc__legacy_memstats
 
 int				meminit(size_t, size_t);
 isc_mem_t *			mem_default_context(void);
-void *				__memget(size_t);
-void 				__memput(void *, size_t);
-void *				__memget_debug(size_t, const char *, int);
-void				__memput_debug(void *, size_t, const char *,
-					       int);
+void *				isc__legacy_memget(size_t);
+void 				isc__legacy_memput(void *, size_t);
+void *				isc__legacy_memget_debug(size_t, const char *,
+							 int);
+void				isc__legacy_memput_debug(void *, size_t,
+							 const char *, int);
 int				memvalid(void *);
 void 				memstats(FILE *);
 
@@ -126,11 +129,11 @@ void 				memstats(FILE *);
  * Internal (but public) functions.  Don't call these from application
  * code.  Use isc_mempool_get() and isc_mempool_put() instead.
  */
-void *		__isc_mempool_get(isc_mempool_t *);
-void 		__isc_mempool_put(isc_mempool_t *, void *);
-void *		__isc_mempool_getdebug(isc_mempool_t *, const char *, int);
-void 		__isc_mempool_putdebug(isc_mempool_t *, void *,
-				       const char *, int);
+void *		isc__mempool_get(isc_mempool_t *);
+void 		isc__mempool_put(isc_mempool_t *, void *);
+void *		isc__mempool_getdebug(isc_mempool_t *, const char *, int);
+void 		isc__mempool_putdebug(isc_mempool_t *, void *,
+				      const char *, int);
 
 isc_result_t
 isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp);
@@ -213,29 +216,32 @@ isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock);
  *	mpctx is a valid memory pool
  */
 
-unsigned int	isc_mempool_getfreemax(isc_mempool_t *mpctx);
+unsigned int
+isc_mempool_getfreemax(isc_mempool_t *mpctx);
 /*
  * Returns the maximum allowed size of the free list.
  */
 
-void		isc_mempool_setfreemax(isc_mempool_t *mpctx,
-				       unsigned int limit);
+void
+isc_mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit);
 /*
  * Sets the maximum allowed size of the free list.
  */
 
-unsigned int	isc_mempool_getfreecount(isc_mempool_t *mpctx);
+unsigned int
+isc_mempool_getfreecount(isc_mempool_t *mpctx);
 /*
  * Returns current size of the free list.
  */
 
-unsigned int	isc_mempool_getmaxalloc(isc_mempool_t *mpctx);
+unsigned int
+isc_mempool_getmaxalloc(isc_mempool_t *mpctx);
 /*
  * Returns the maximum allowed number of allocations.
  */
 
-void		isc_mempool_setmaxalloc(isc_mempool_t *mpctx,
-					unsigned int limit);
+void
+isc_mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit);
 /*
  * Sets the maximum allowed number of allocations.
  *
@@ -243,19 +249,21 @@ void		isc_mempool_setmaxalloc(isc_mempool_t *mpctx,
  *	limit > 0
  */
 
-unsigned int	isc_mempool_getallocated(isc_mempool_t *mpctx);
+unsigned int
+isc_mempool_getallocated(isc_mempool_t *mpctx);
 /*
  * Returns the number of items allocated from this pool.
  */
 
-unsigned int	isc_mempool_getfillcount(isc_mempool_t *mpctx);
+unsigned int
+isc_mempool_getfillcount(isc_mempool_t *mpctx);
 /*
  * Returns the number of items allocated as a block from the parent memory
  * context when the free list is empty.
  */
 
-void		isc_mempool_setfillcount(isc_mempool_t *mpctx,
-					 unsigned int limit);
+void
+isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit);
 /*
  * Sets the fillcount.
  *
@@ -265,4 +273,4 @@ void		isc_mempool_setfillcount(isc_mempool_t *mpctx,
 
 ISC_LANG_ENDDECLS
 
-#endif /* MEM_H */
+#endif /* ISC_MEM_H */
diff --git a/lib/isc/include/isc/msgcat.h b/lib/isc/include/isc/msgcat.h
index cc7f0d23..2b0856a5 100644
--- a/lib/isc/include/isc/msgcat.h
+++ b/lib/isc/include/isc/msgcat.h
@@ -59,7 +59,6 @@
 
 #include <isc/lang.h>
 #include <isc/types.h>
-#include <isc/result.h>
 
 ISC_LANG_BEGINDECLS
 
diff --git a/lib/isc/include/isc/mutexblock.h b/lib/isc/include/isc/mutexblock.h
index f70e40b8..91c090cd 100644
--- a/lib/isc/include/isc/mutexblock.h
+++ b/lib/isc/include/isc/mutexblock.h
@@ -20,7 +20,7 @@
 
 #include <isc/lang.h>
 #include <isc/mutex.h>
-#include <isc/result.h>
+#include <isc/types.h>
 
 ISC_LANG_BEGINDECLS
 
diff --git a/lib/isc/include/isc/ondestroy.h b/lib/isc/include/isc/ondestroy.h
index 1709f5cf..d62f1d02 100644
--- a/lib/isc/include/isc/ondestroy.h
+++ b/lib/isc/include/isc/ondestroy.h
@@ -18,9 +18,8 @@
 #ifndef ISC_ONDESTROY_H
 #define ISC_ONDESTROY_H 1
 
-#include <stddef.h>
-
-#include <isc/event.h>
+#include <isc/lang.h>
+#include <isc/types.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -69,20 +68,21 @@ ISC_LANG_BEGINDECLS
  * see dns/zone.c for an ifdef'd-out example.
  */
 
-typedef struct {
+struct isc_ondestroy {
 	unsigned int magic;
 	isc_eventlist_t events;
-} isc_ondestroy_t;
+};
 
-void		isc_ondestroy_init(isc_ondestroy_t *ondest);
+void
+isc_ondestroy_init(isc_ondestroy_t *ondest);
 /*
  * Initialize the on ondest structure. *must* be called before first call
  * to isc_ondestroy_register().
  */
 
-isc_result_t	isc_ondestroy_register(isc_ondestroy_t *ondest,
-				       isc_task_t *task,
-				       isc_event_t **eventp);
+isc_result_t
+isc_ondestroy_register(isc_ondestroy_t *ondest, isc_task_t *task,
+		       isc_event_t **eventp);
 
 /*
  * Stores task and *eventp away inside *ondest.  Ownership of **event is
@@ -90,8 +90,8 @@ isc_result_t	isc_ondestroy_register(isc_ondestroy_t *ondest,
  * to.
  */
 
-
-void 		isc_ondestroy_notify(isc_ondestroy_t *ondest, void *sender);
+void
+isc_ondestroy_notify(isc_ondestroy_t *ondest, void *sender);
 /*
  * Dispatches the event(s) to the task(s) that were given in
  * isc_ondestroy_register call(s) (done via calls to
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
index f3def179..19a2f1b2 100644
--- a/lib/isc/include/isc/platform.h.in
+++ b/lib/isc/include/isc/platform.h.in
@@ -27,9 +27,16 @@
  ***/
 
 /*
- * Define if this system has the <netinet6/in6.h> header file.
+ * Define if this system needs the <netinet/in6.h> header file included
+ * for full IPv6 support (pretty much only UnixWare).
  */
-@ISC_PLATFORM_HAVENETINET6IN6H@
+@ISC_PLATFORM_NEEDNETINETIN6H@
+
+/*
+ * Define if this system needs the <netinet6/in6.h> header file included
+ * to support in6_pkinfo (pretty much only BSD/OS).
+ */
+@ISC_PLATFORM_NEEDNETINET6IN6H@
 
 /*
  * If sockaddrs on this system have an sa_len field, ISC_PLATFORM_HAVESALEN
@@ -50,6 +57,12 @@
 @ISC_PLATFORM_NEEDIN6ADDRANY@
 
 /*
+ * If this system has in6_pktinfo, ISC_PLATFORM_HAVEIN6PKTINFO will be
+ * defined.
+ */
+@ISC_PLATFORM_HAVEIN6PKTINFO@
+
+/*
  * If this system needs inet_ntop(), ISC_PLATFORM_NEEDNTOP will be defined.
  */
 @ISC_PLATFORM_NEEDNTOP@
diff --git a/lib/isc/include/isc/print.h b/lib/isc/include/isc/print.h
index 22333102..19963735 100644
--- a/lib/isc/include/isc/print.h
+++ b/lib/isc/include/isc/print.h
@@ -16,16 +16,12 @@
  */
 
 #ifndef ISC_PRINT_H
-#define ISC_PRINT_H
+#define ISC_PRINT_H 1
 
 /***
  *** Imports
  ***/
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <stdarg.h>
-
 #include <isc/lang.h>
 #include <isc/platform.h>
 
@@ -33,9 +29,12 @@
  *** Functions
  ***/
 
+#ifdef ISC_PLATFORM_NEEDVSNPRINTF
+#include <stdarg.h>
+#include <stddef.h>
+
 ISC_LANG_BEGINDECLS
 
-#ifdef ISC_PLATFORM_NEEDVSNPRINTF
 int
 isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap);
 #define vsnprintf isc_print_vsnprintf
@@ -43,8 +42,8 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap);
 int
 isc_print_snprintf(char *str, size_t size, const char *format, ...);
 #define snprintf isc_print_snprintf
-#endif
 
 ISC_LANG_ENDDECLS
+#endif /* ISC_PLATFORM_NEEDVSNPRINTF */
 
 #endif /* ISC_PRINT_H */
diff --git a/lib/isc/include/isc/quota.h b/lib/isc/include/isc/quota.h
index 079a5c9c..10089521 100644
--- a/lib/isc/include/isc/quota.h
+++ b/lib/isc/include/isc/quota.h
@@ -36,9 +36,9 @@
  *** Imports.
  ***/
 
+#include <isc/lang.h>
 #include <isc/mutex.h>
-#include <isc/result.h>
-
+#include <isc/types.h>
 
 /*****
  ***** Types.
@@ -46,8 +46,6 @@
 
 ISC_LANG_BEGINDECLS
 
-typedef struct isc_quota isc_quota_t;
-
 struct isc_quota {
 	isc_mutex_t	lock;
 	/* Locked by lock. */
@@ -101,7 +99,6 @@ isc_quota_detach(isc_quota_t **p);
  * quota.
  */
 
-
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_QUOTA_H */
diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h
index 7971fff0..232f81a7 100644
--- a/lib/isc/include/isc/random.h
+++ b/lib/isc/include/isc/random.h
@@ -19,9 +19,7 @@
 #define ISC_RANDOM_H 1
 
 #include <isc/lang.h>
-#include <isc/int.h>
-#include <isc/mutex.h>
-#include <isc/result.h>
+#include <isc/types.h>
 
 /*
  * Implements a random state pool which will let the caller return a
@@ -32,16 +30,18 @@
 
 ISC_LANG_BEGINDECLS
 
-typedef struct {
+struct isc_random {
 	unsigned int	magic;
 #if 0
 	isc_mutex_t	lock;
 #endif
-} isc_random_t;
+};
+
 #define ISC_RANDOM_MAGIC	0x52416e64	/* RAnd. */
 #define ISC_RANDOM_VALID(x)	((x) != NULL && (x->magic) == ISC_RANDOM_MAGIC)
 
-isc_result_t	isc_random_init(isc_random_t *r);
+isc_result_t
+isc_random_init(isc_random_t *r);
 /*
  * Initialize a random state.
  *
@@ -51,7 +51,8 @@ isc_result_t	isc_random_init(isc_random_t *r);
  *	r != NULL.
  */
 
-isc_result_t	isc_random_invalidate(isc_random_t *r);
+isc_result_t
+isc_random_invalidate(isc_random_t *r);
 /*
  * Invalidate a random state.  This will wipe any information contained in
  * the state and make it unusable.
@@ -60,7 +61,8 @@ isc_result_t	isc_random_invalidate(isc_random_t *r);
  *	r be a valid pool.
  */
 
-void		isc_random_seed(isc_random_t *r, isc_uint32_t seed);
+void
+isc_random_seed(isc_random_t *r, isc_uint32_t seed);
 /*
  * Set the initial seed of the random state.  Note that on some systems
  * the private state isn't all that private, and setting the seed may
@@ -70,7 +72,8 @@ void		isc_random_seed(isc_random_t *r, isc_uint32_t seed);
  *	r be a valid pool.
  */
 
-void		isc_random_get(isc_random_t *r, isc_uint32_t *val);
+void
+isc_random_get(isc_random_t *r, isc_uint32_t *val);
 /*
  * Get a random value.  Note that on some systems the private state isn't
  * all that private, and getting a value may alter what other state pools
diff --git a/lib/isc/include/isc/ratelimiter.h b/lib/isc/include/isc/ratelimiter.h
index 9900a0fd..bdf71e53 100644
--- a/lib/isc/include/isc/ratelimiter.h
+++ b/lib/isc/include/isc/ratelimiter.h
@@ -32,23 +32,12 @@
  *** Imports.
  ***/
 
-#include <isc/task.h>
-#include <isc/timer.h>
+#include <isc/lang.h>
+#include <isc/types.h>
 
 ISC_LANG_BEGINDECLS
 
 /*****
- ***** Types.
- *****/
-
-typedef struct isc_ratelimiter isc_ratelimiter_t;
-
-typedef enum {
-	isc_ratelimiter_ratelimited,
-	isc_ratelimiter_worklimited
-} isc_ratelimiter_state_t;
-
-/*****
  ***** Functions.
  *****/
 
@@ -56,8 +45,7 @@ isc_result_t
 isc_ratelimiter_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
 		       isc_task_t *task, isc_ratelimiter_t **ratelimiterp);
 /*
- * Create a rate limiter.  It will execute events in the context
- * of 'task' with a guaranteed minimum interval, initially zero.
+ * Create a rate limiter.  The execution interval is initially undefined.
  */
 
 isc_result_t
@@ -65,23 +53,61 @@ isc_ratelimiter_setinterval(isc_ratelimiter_t *rl, isc_interval_t *interval);
 /*
  * Set the mininum interval between event executions.
  * The interval value is copied, so the caller need not preserve it.
+ *
+ * Requires:
+ *	'*interval' is a nonzero interval.
+ */
+
+void
+isc_ratelimiter_setpertic(isc_ratelimiter_t *rl, isc_uint32_t perint);
+/*
+ * Set the number of events procesed per interval timer tic.
+ * If 'perint' is zero it is trated as 1.
  */
 
 isc_result_t
-isc_ratelimiter_enqueue(isc_ratelimiter_t *rl, isc_event_t **eventp);
+isc_ratelimiter_enqueue(isc_ratelimiter_t *rl, isc_task_t *task,
+			isc_event_t **eventp);
 /*
  * Queue an event for rate-limited execution.  This is similar
- * to doing an isc_task_send() to the rate limiter's task, except
- * that the execution may be delayed to achieve the desired rate
- * of execution.
+ * to doing an isc_task_send() to the 'task', except that the
+ * execution may be delayed to achieve the desired rate of
+ * execution.
+ *
+ * '(*eventp)->ev_sender' is used to hold the task.  The caller
+ * must ensure that the task exists until the event is delivered.
+ *
+ * Requires:
+ *	An interval has been set by calling
+ *	isc_ratelimiter_setinterval().
+ * 	
+ *	'task' to be non NULL.
+ *	'(*eventp)->ev_sender' to be NULL.
+ */
+
+void
+isc_ratelimiter_shutdown(isc_ratelimiter_t *ratelimiter);
+/*
+ * Shut down a rate limiter.  All events that have not yet been
+ * dispatched to the task are dispatched immediately with
+ * the ISC_EVENTATTR_CANCELED bit set in ev_attributes.
+ * Further attempts to enqueue events will fail with
+ * ISC_R_SHUTTINGDOWN.
  */
 
 void
 isc_ratelimiter_destroy(isc_ratelimiter_t **ratelimiterp);
 /*
- * Destroy a rate limiter.  All events that have not yet been
- * dispatched to the task are freed immedately.
+ * Destroy a rate limiter.
  * Does not destroy the task or events already queued on it.
+ *
+ * Requires:
+ *	The rate limiter to have been shut down.
+ *
+ * Ensures:
+ *	Resources used by the rate limiter will be freed.
  */
 
+ISC_LANG_ENDDECLS
+
 #endif /* ISC_RATELIMITER_H */
diff --git a/lib/isc/include/isc/rbtgen.h b/lib/isc/include/isc/rbtgen.h
deleted file mode 100644
index 5b51323c..00000000
--- a/lib/isc/include/isc/rbtgen.h
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright (C) 1998, 1999, 2000  Internet Software Consortium.
- * 
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- * 
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/*
- * Note that we do not do the usual #ifdef ... #endif protection since this
- * file is used as a template.
- */
-
-#include <isc/result.h>
-
-typedef struct _isc_rbt_node {
-	enum { red, black } color;
-	void *data;
-	struct _isc_rbt_node *parent;
-	struct _isc_rbt_node *right;
-	struct _isc_rbt_node *left;
-} RBT_NODE;
-
-isc_result_t RBT_INSERT(RBT_NODE *, RBT_NODE **,
-			int (*compare)(void *, void*));
-isc_result_t RBT_DELETE(RBT_NODE *, RBT_NODE **);
-RBT_NODE *RBT_SEARCH(RBT_NODE *, void *, int (*compare)(void *, void*));
-void RBT_PRINT(RBT_NODE *, void (*print_key)(void *));
diff --git a/lib/isc/include/isc/region.h b/lib/isc/include/isc/region.h
index 68c7b58f..ad8f9991 100644
--- a/lib/isc/include/isc/region.h
+++ b/lib/isc/include/isc/region.h
@@ -18,19 +18,17 @@
 #ifndef ISC_REGION_H
 #define ISC_REGION_H 1
 
-#include <isc/lang.h>
+#include <isc/types.h>
 
-ISC_LANG_BEGINDECLS
-
-typedef struct isc_region {
+struct isc_region {
 	unsigned char *	base;
 	unsigned int	length;
-} isc_region_t;
+};
 
-typedef struct isc_textregion {
+struct isc_textregion {
 	char *		base;
 	unsigned int	length;
-} isc_textregion_t;
+};
 
 /*
  * The region structure is not opaque, and is usually directly manipulated.
@@ -39,22 +37,20 @@ typedef struct isc_textregion {
 
 #define isc_region_consume(r,l) \
 	do { \
-		isc_region_t *__r = (r); \
-		unsigned int __l = (l); \
-		INSIST(__r->length >= __l); \
-		__r->base += __l; \
-		__r->length -= __l; \
+		isc_region_t *_r = (r); \
+		unsigned int _l = (l); \
+		INSIST(_r->length >= _l); \
+		_r->base += _l; \
+		_r->length -= _l; \
 	} while (0)
 
 #define isc_textregion_consume(r,l) \
 	do { \
-		isc_textregion_t *__r = (r); \
-		unsigned int __l = (l); \
-		INSIST(__r->length >= __l); \
-		__r->base += __l; \
-		__r->length -= __l; \
+		isc_textregion_t *_r = (r); \
+		unsigned int _l = (l); \
+		INSIST(_r->length >= _l); \
+		_r->base += _l; \
+		_r->length -= _l; \
 	} while (0)
 
-ISC_LANG_ENDDECLS
-
 #endif /* ISC_REGION_H */
diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
index 7cbb61e3..09e5c9bb 100644
--- a/lib/isc/include/isc/result.h
+++ b/lib/isc/include/isc/result.h
@@ -18,13 +18,9 @@
 #ifndef ISC_RESULT_H
 #define ISC_RESULT_H 1
 
-#include <isc/boolean.h>
 #include <isc/lang.h>
-#include <isc/list.h>
 #include <isc/types.h>
 
-ISC_LANG_BEGINDECLS
-
 #define ISC_R_SUCCESS			0
 #define ISC_R_NOMEMORY			1
 #define ISC_R_TIMEDOUT			2
@@ -46,7 +42,7 @@ ISC_LANG_BEGINDECLS
 #define ISC_R_EXISTS			18
 #define ISC_R_NOSPACE			19	/* ran out of space */
 #define ISC_R_CANCELED			20
-/* AVAILABLE CODE			21 */
+#define ISC_R_NOTBOUND			21	/* socket is not bound */
 #define ISC_R_SHUTTINGDOWN		22	/* shutting down */
 #define ISC_R_NOTFOUND			23
 #define ISC_R_UNEXPECTEDEND		24	/* unexpected end of input */
@@ -63,15 +59,24 @@ ISC_LANG_BEGINDECLS
 #define ISC_R_ALREADYRUNNING		35
 #define ISC_R_IGNORE			36
 #define ISC_R_MASKNONCONTIG             37
+#define ISC_R_FILENOTFOUND		38
+#define ISC_R_FILEEXISTS		39
+#define ISC_R_NOTCONNECTED		40	/* socket is not connected */
+#define ISC_R_RANGE			41	/* out of range */
 
-#define ISC_R_NRESULTS 			38	/* Number of results */
+#define ISC_R_NRESULTS 			42	/* Number of results */
+
+ISC_LANG_BEGINDECLS
+
+char *
+isc_result_totext(isc_result_t);
+/*
+ * Convert an isc_result_t into a string message describing the result.
+ */
 
-char *			isc_result_totext(isc_result_t);
-isc_result_t		isc_result_register(unsigned int base,
-					    unsigned int nresults,
-					    char **text,
-					    isc_msgcat_t *msgcat,
-					    int set);
+isc_result_t
+isc_result_register(unsigned int base, unsigned int nresults, char **text,
+		    isc_msgcat_t *msgcat, int set);
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/isc/include/isc/resultclass.h b/lib/isc/include/isc/resultclass.h
index 970817cb..75d35c6f 100644
--- a/lib/isc/include/isc/resultclass.h
+++ b/lib/isc/include/isc/resultclass.h
@@ -18,10 +18,6 @@
 #ifndef ISC_RESULTCLASS_H
 #define ISC_RESULTCLASS_H 1
 
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
 /*****
  ***** Registry of Predefined Result Type Classes
  *****/
@@ -52,6 +48,4 @@ ISC_LANG_BEGINDECLS
  * Result classes >= 1024 and <= 65535 are reserved for application use.
  */
 
-ISC_LANG_ENDDECLS
-
 #endif /* ISC_RESULTCLASS_H */
diff --git a/lib/isc/include/isc/rwlock.h b/lib/isc/include/isc/rwlock.h
index 857ca0c9..c98ef09b 100644
--- a/lib/isc/include/isc/rwlock.h
+++ b/lib/isc/include/isc/rwlock.h
@@ -20,8 +20,6 @@
 
 #include <isc/lang.h>
 #include <isc/types.h>
-#include <isc/result.h>
-#include <isc/mutex.h>
 #include <isc/condition.h>
 
 ISC_LANG_BEGINDECLS
diff --git a/lib/isc/include/isc/serial.h b/lib/isc/include/isc/serial.h
index e045bd86..2e4a85c4 100644
--- a/lib/isc/include/isc/serial.h
+++ b/lib/isc/include/isc/serial.h
@@ -15,16 +15,13 @@
  * SOFTWARE.
  */
 
-	/* $Id: serial.h,v 1.4 2000/02/03 23:07:53 halley Exp $ */
+/* $Id: serial.h,v 1.6 2000/04/28 22:13:15 tale Exp $ */
 
 #ifndef ISC_SERIAL_H
-#define ISC_SERIAL_H
+#define ISC_SERIAL_H 1
 
-#include <isc/types.h>
-#include <isc/boolean.h>
 #include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
+#include <isc/types.h>
 
 /*
  *	Implement 32 bit serial space arithmetic comparision functions.
@@ -36,32 +33,40 @@ ISC_LANG_BEGINDECLS
  ***	Functions
  ***/
 
-isc_boolean_t isc_serial_lt(isc_uint32_t a, isc_uint32_t b);
+ISC_LANG_BEGINDECLS
+
+isc_boolean_t
+isc_serial_lt(isc_uint32_t a, isc_uint32_t b);
 /*
  *	Return true if 'a' < 'b' otherwise false.
  */
 
-isc_boolean_t isc_serial_gt(isc_uint32_t a, isc_uint32_t b);
+isc_boolean_t
+isc_serial_gt(isc_uint32_t a, isc_uint32_t b);
 /*
  *	Return true if 'a' > 'b' otherwise false.
  */
 
-isc_boolean_t isc_serial_le(isc_uint32_t a, isc_uint32_t b);
+isc_boolean_t
+isc_serial_le(isc_uint32_t a, isc_uint32_t b);
 /*
  *	Return true if 'a' <= 'b' otherwise false.
  */
 
-isc_boolean_t isc_serial_ge(isc_uint32_t a, isc_uint32_t b);
+isc_boolean_t
+isc_serial_ge(isc_uint32_t a, isc_uint32_t b);
 /*
  *	Return true if 'a' >= 'b' otherwise false.
  */
 
-isc_boolean_t isc_serial_eq(isc_uint32_t a, isc_uint32_t b);
+isc_boolean_t
+isc_serial_eq(isc_uint32_t a, isc_uint32_t b);
 /*
  *	Return true if 'a' == 'b' otherwise false.
  */
 
-isc_boolean_t isc_serial_ne(isc_uint32_t a, isc_uint32_t b);
+isc_boolean_t
+isc_serial_ne(isc_uint32_t a, isc_uint32_t b);
 /*
  *	Return true if 'a' != 'b' otherwise false.
  */
diff --git a/lib/isc/include/isc/sockaddr.h b/lib/isc/include/isc/sockaddr.h
index 84bf4e65..cf447698 100644
--- a/lib/isc/include/isc/sockaddr.h
+++ b/lib/isc/include/isc/sockaddr.h
@@ -18,14 +18,10 @@
 #ifndef ISC_SOCKADDR_H
 #define ISC_SOCKADDR_H 1
 
-#include <isc/buffer.h>
 #include <isc/net.h>
-#include <isc/list.h>
 #include <isc/lang.h>
 #include <isc/types.h>
 
-ISC_LANG_BEGINDECLS
-
 struct isc_sockaddr {
 	union {
 		struct sockaddr		sa;
@@ -38,6 +34,8 @@ struct isc_sockaddr {
 
 typedef ISC_LIST(struct isc_sockaddr)	isc_sockaddrlist_t;
 
+ISC_LANG_BEGINDECLS
+
 isc_boolean_t
 isc_sockaddr_equal(const isc_sockaddr_t *a, const isc_sockaddr_t *b);
 
@@ -52,6 +50,12 @@ unsigned int
 isc_sockaddr_hash(const isc_sockaddr_t *sockaddr, isc_boolean_t address_only);
 
 void
+isc_sockaddr_any(isc_sockaddr_t *sockaddr);
+
+void
+isc_sockaddr_any6(isc_sockaddr_t *sockaddr);
+
+void
 isc_sockaddr_fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
 		    in_port_t port);
 
@@ -107,6 +111,17 @@ isc_sockaddr_totext(const isc_sockaddr_t *sockaddr, isc_buffer_t *target);
  *	ISC_R_NOSPACE	The text or the null termination did not fit.
  */
 
+void
+isc_sockaddr_format(isc_sockaddr_t *sa, char *array, unsigned int size);
+/*
+ * Format a human-readable representation of the socket address '*sa'
+ * into the character array 'array', which is of size 'size'.
+ * The resulting string is guaranteed to be null-terminated.
+ */
+
+#define ISC_SOCKADDR_FORMATSIZE \
+	sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX#YYYYY")
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_SOCKADDR_H */
diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h
index d68d5cb1..f8c4e715 100644
--- a/lib/isc/include/isc/socket.h
+++ b/lib/isc/include/isc/socket.h
@@ -61,16 +61,10 @@
 
 #include <isc/lang.h>
 #include <isc/types.h>
-#include <isc/boolean.h>
-#include <isc/bufferlist.h>
-#include <isc/result.h>
 #include <isc/event.h>
 #include <isc/eventclass.h>
-#include <isc/task.h>
 #include <isc/time.h>
 #include <isc/region.h>
-#include <isc/mem.h>
-#include <isc/net.h>
 #include <isc/sockaddr.h>
 
 ISC_LANG_BEGINDECLS
@@ -100,6 +94,7 @@ struct isc_socketevent {
 	isc_sockaddr_t		address;	/* source address */
 	isc_time_t		timestamp;	/* timestamp of packet recv */
 	struct in6_pktinfo	pktinfo;	/* ipv6 pktinfo */
+	isc_uint32_t		attributes;	/* see below */
 };
 
 typedef struct isc_socket_newconnev isc_socket_newconnev_t;
@@ -343,7 +338,7 @@ isc_socket_listen(isc_socket_t *sock, unsigned int backlog);
  *
  * Requires:
  *
- *	'socket' is a valid TCP socket.
+ *	'socket' is a valid, bound TCP socket.
  *
  * Returns:
  *
@@ -361,8 +356,8 @@ isc_socket_accept(isc_socket_t *sock,
  * event type, and is attached to the task 'task'.
  *
  * REQUIRES:
- *	'socket' is a valid TCP socket that isc_socket_listen() has been
- *	called on
+ *	'socket' is a valid TCP socket that isc_socket_listen() was called
+ *	on.
  *
  *	'task' is a valid task
  *
@@ -478,7 +473,7 @@ isc_socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
  *
  * Requires:
  *
- *	'socket' is a valid socket
+ *	'socket' is a valid, bound socket.
  *
  *	For isc_socket_recv():
  *	'region' is a valid region
@@ -539,7 +534,7 @@ isc_socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
  *
  * Requires:
  *
- *	'socket' is a valid socket
+ *	'socket' is a valid, bound socket.
  *
  *	For isc_socket_send():
  *	'region' is a valid region
@@ -578,7 +573,7 @@ isc_socket_sendmark(isc_socket_t *sock,
  *
  * Requires:
  *
- *	'sock' to be a valid socket.
+ *	'socket' is a valid, bound socket.
  *
  *	'task' is a valid task, 'action' is a valid action.
  *
@@ -660,6 +655,9 @@ isc_socket_gettype(isc_socket_t *sock);
  *	"sock" is a valid socket.
  */
 
+isc_boolean_t
+isc_socket_isbound(isc_socket_t *sock);
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_SOCKET_H */
diff --git a/lib/isc/include/isc/stdio.h b/lib/isc/include/isc/stdio.h
new file mode 100644
index 00000000..251fb5f9
--- /dev/null
+++ b/lib/isc/include/isc/stdio.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#include <stdio.h>
+
+#include <isc/result.h>
+
+isc_result_t
+isc_stdio_open(const char *filename, const char *mode, FILE **fp);
+
+isc_result_t
+isc_stdio_close(FILE *f);
+
+isc_result_t
+isc_stdio_seek(FILE *f, long offset, int whence);
+
+isc_result_t
+isc_stdio_read(void *ptr, size_t size, size_t nmemb, FILE *f,
+	       size_t *nret);
+
+isc_result_t
+isc_stdio_write(const void *ptr, size_t size, size_t nmemb, FILE *f,
+		size_t *nret);
+
+isc_result_t
+isc_stdio_flush(FILE *f);
+/*
+ * These functions are wrappers around the corresponding stdio functions,
+ * returning a detailed error code in the form of an an isc_result_t.  ANSI C
+ * does not guarantee that stdio functions set errno, hence these functions
+ * must use platform dependent methods (e.g., the POSIX errno) to construct the
+ * error code.
+ */
+
+isc_result_t
+isc_stdio_sync(FILE *f);
+/*
+ * Invoke fsync() on the file descriptor underlying an stdio stream, or an
+ * equivalent system-dependent operation.  Note that this function has no
+ * direct counterpart in the stdio library.
+ */
diff --git a/lib/isc/include/isc/str.h b/lib/isc/include/isc/str.h
deleted file mode 100644
index 6abe5c7e..00000000
--- a/lib/isc/include/isc/str.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 1999, 2000  Internet Software Consortium.
- * 
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- * 
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/* $Id: str.h,v 1.4 2000/03/21 00:37:36 gson Exp $ */
-
-#ifndef ISC_STR_H
-#define ISC_STR_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_uint64_t isc_strtouq(char *source, char **endp, int base);
-/*
- * Convert the string pointed to by 'source' to isc_uint64_t.
- * 
- * On successful conversion 'endp' points to the first character
- * after conversion is complete.
- * 
- * 'base': 0 or 2..36
- *
- * If base is 0 the base is computed from the string type.
- *
- * On error 'endp' points to 'source'.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_INT_H */
diff --git a/lib/isc/include/isc/string.h b/lib/isc/include/isc/string.h
index 40182c49..febc9c16 100644
--- a/lib/isc/include/isc/string.h
+++ b/lib/isc/include/isc/string.h
@@ -15,17 +15,40 @@
  * SOFTWARE.
  */
 
+#ifndef ISC_STRING_H
+#define ISC_STRING_H 1
+
 #include <string.h>
 
+#include <isc/int.h>
 #include <isc/lang.h>
 #include <isc/platform.h>
 
 ISC_LANG_BEGINDECLS
 
-#ifdef ISC_PLATFORM_NEEDSTRSEP
+isc_uint64_t
+isc_string_touint64(char *source, char **endp, int base);
+/*
+ * Convert the string pointed to by 'source' to isc_uint64_t.
+ * 
+ * On successful conversion 'endp' points to the first character
+ * after conversion is complete.
+ * 
+ * 'base': 0 or 2..36
+ *
+ * If base is 0 the base is computed from the string type.
+ *
+ * On error 'endp' points to 'source'.
+ */
+
+
 char *
-isc_strsep(char **stringp, const char *delim); 
-#define strsep isc_strsep
+isc_string_separate(char **stringp, const char *delim); 
+
+#ifdef ISC_PLATFORM_NEEDSTRSEP
+#define strsep isc_string_separate
 #endif
 
 ISC_LANG_ENDDECLS
+
+#endif /* ISC_STRING_H */
diff --git a/lib/isc/include/isc/symtab.h b/lib/isc/include/isc/symtab.h
index 724b3d12..77a61a1d 100644
--- a/lib/isc/include/isc/symtab.h
+++ b/lib/isc/include/isc/symtab.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef ISC_SYMBOL_H
-#define ISC_SYMBOL_H 1
+#ifndef ISC_SYMTAB_H
+#define ISC_SYMTAB_H 1
 
 /*****
  ***** Module Info
@@ -77,11 +77,8 @@
  *** Imports.
  ***/
 
-#include <isc/mem.h>
-#include <isc/result.h>
 #include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
+#include <isc/types.h>
 
 /***
  *** Symbol Tables.
@@ -102,14 +99,12 @@ typedef enum {
 	isc_symexists_add = 2
 } isc_symexists_t;
 
-typedef struct isc_symtab		isc_symtab_t;
+ISC_LANG_BEGINDECLS
 
 isc_result_t
 isc_symtab_create(isc_mem_t *mctx, unsigned int size,
-		  isc_symtabaction_t undefine_action,
-		  void *undefine_arg,
-		  isc_boolean_t case_sensitive,
-		  isc_symtab_t **symtabp);
+		  isc_symtabaction_t undefine_action, void *undefine_arg,
+		  isc_boolean_t case_sensitive, isc_symtab_t **symtabp);
 
 void
 isc_symtab_destroy(isc_symtab_t **symtabp);
@@ -127,4 +122,4 @@ isc_symtab_undefine(isc_symtab_t *symtab, char *key, unsigned int type);
 
 ISC_LANG_ENDDECLS
 
-#endif /* ISC_SYMBOL_H */
+#endif /* ISC_SYMTAB_H */
diff --git a/lib/isc/include/isc/task.h b/lib/isc/include/isc/task.h
index 24e8c0e7..cd032a6f 100644
--- a/lib/isc/include/isc/task.h
+++ b/lib/isc/include/isc/task.h
@@ -59,10 +59,6 @@
 #include <isc/lang.h>
 #include <isc/types.h>
 #include <isc/eventclass.h>
-#include <isc/mem.h>
-#include <isc/result.h>
-
-ISC_LANG_BEGINDECLS
 
 #define ISC_TASKEVENT_FIRSTEVENT	(ISC_EVENTCLASS_TASK + 0)
 #define ISC_TASKEVENT_SHUTDOWN		(ISC_EVENTCLASS_TASK + 1)
@@ -72,9 +68,11 @@ ISC_LANG_BEGINDECLS
  ***** Tasks.
  *****/
 
+ISC_LANG_BEGINDECLS
+
 isc_result_t
-isc_task_create(isc_taskmgr_t *manager, isc_mem_t *mctx,
-		unsigned int quantum, isc_task_t **taskp);
+isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
+		isc_task_t **taskp);
 /*
  * Create a task.
  *
@@ -93,8 +91,6 @@ isc_task_create(isc_taskmgr_t *manager, isc_mem_t *mctx,
  *
  *	'manager' is a valid task manager.
  *
- *	'mctx' is a valid memory context.
- *
  *	taskp != NULL && *taskp == NULL
  *
  * Ensures:
@@ -148,20 +144,6 @@ isc_task_detach(isc_task_t **taskp);
  *		All resources used by the task will be freed.
  */
 
-isc_mem_t *
-isc_task_mem(isc_task_t *task);
-/*
- * Get the task's memory context.
- *
- * Requires:
- *
- *	'task' is a valid task.
- *
- * Returns:
- *
- *	The memory context specified when the task was created.
- */
-
 void
 isc_task_send(isc_task_t *task, isc_event_t **eventp);
 /*
diff --git a/lib/isc/include/isc/taskpool.h b/lib/isc/include/isc/taskpool.h
index 23c26118..79415fc2 100644
--- a/lib/isc/include/isc/taskpool.h
+++ b/lib/isc/include/isc/taskpool.h
@@ -41,6 +41,7 @@
  *** Imports.
  ***/
 
+#include <isc/lang.h>
 #include <isc/task.h>
 
 ISC_LANG_BEGINDECLS
diff --git a/lib/isc/include/isc/timer.h b/lib/isc/include/isc/timer.h
index 9f4a189d..faaaf720 100644
--- a/lib/isc/include/isc/timer.h
+++ b/lib/isc/include/isc/timer.h
@@ -27,7 +27,7 @@
  *
  * Provides timers which are event sources in the task system.
  *
- * Two kinds of timer are supported.
+ * Three types of timers are supported:
  *
  *	'ticker' timers generate a periodic tick event.
  *
@@ -36,9 +36,11 @@
  *	They are used to implement both (possibly expiring) idle timers and
  *	'one-shot' timers.
  *
- * Note: unlike in eventlib, a timer's resources are never reclaimed merely
- * because it generated an event.  A timer reference will remain valid until
- * it is explicitly detached.
+ *	'inactive' timers generate no events.
+ *
+ * Timers can change type.  It is typical to create a timer as
+ * an 'inactive' timer and then change it into a 'ticker' or 
+ * 'once' timer.
  *
  * MP:
  *	The module ensures appropriate synchronization of data structures it
@@ -70,10 +72,6 @@
  ***/
 
 #include <isc/types.h>
-#include <isc/result.h>
-#include <isc/boolean.h>
-#include <isc/time.h>
-#include <isc/task.h>
 #include <isc/event.h>
 #include <isc/eventclass.h>
 #include <isc/lang.h>
diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h
index 16b42a91..35e0ead7 100644
--- a/lib/isc/include/isc/types.h
+++ b/lib/isc/include/isc/types.h
@@ -18,32 +18,63 @@
 #ifndef ISC_TYPES_H
 #define ISC_TYPES_H 1
 
+/*
+ * OS-specific types, from the OS-specific include directories.
+ */
 #include <isc/int.h>
+#include <isc/offset.h>
+
+/*
+ * XXXDCL should isc_boolean_t be moved here, requiring an explicit include
+ * of <isc/boolean.h> when ISC_TRUE/ISC_FALSE/ISC_TF() are desired?
+ */
 #include <isc/boolean.h>
+/*
+ * XXXDCL This is just for ISC_LIST and ISC_LINK, but gets all of the other
+ * list macros too.
+ */
 #include <isc/list.h>
 
 /***
- *** Core Types.
+ *** Core Types.  Alphabetized by defined type.
  ***/
 
-typedef unsigned int			isc_result_t;
+typedef struct isc_bitstring		isc_bitstring_t;
+typedef struct isc_buffer		isc_buffer_t;
+typedef ISC_LIST(isc_buffer_t)		isc_bufferlist_t;
+typedef struct isc_event		isc_event_t;
+typedef ISC_LIST(isc_event_t)		isc_eventlist_t;
+typedef unsigned int			isc_eventtype_t;
+typedef struct isc_interface		isc_interface_t;
+typedef struct isc_interfaceiter	isc_interfaceiter_t;
+typedef struct isc_interval		isc_interval_t;
+typedef struct isc_lex			isc_lex_t;
+typedef struct isc_log 			isc_log_t;
+typedef struct isc_logcategory		isc_logcategory_t;
+typedef struct isc_logconfig		isc_logconfig_t;
+typedef struct isc_logmodule		isc_logmodule_t;
 typedef struct isc_mem			isc_mem_t;
 typedef struct isc_mempool		isc_mempool_t;
 typedef struct isc_msgcat		isc_msgcat_t;
-typedef unsigned int			isc_eventtype_t;
-typedef struct isc_event		isc_event_t;
-typedef ISC_LIST(struct isc_event)	isc_eventlist_t;
-typedef struct isc_task			isc_task_t;
+typedef struct isc_ondestroy		isc_ondestroy_t;
+typedef struct isc_netaddr		isc_netaddr_t;
+typedef struct isc_quota		isc_quota_t;
+typedef struct isc_random		isc_random_t;
+typedef struct isc_ratelimiter		isc_ratelimiter_t;
+typedef struct isc_region		isc_region_t;
+typedef unsigned int			isc_result_t;
+typedef struct isc_rwlock		isc_rwlock_t;
+typedef struct isc_sockaddr		isc_sockaddr_t;
 typedef struct isc_socket		isc_socket_t;
-typedef struct isc_socketmgr		isc_socketmgr_t;
 typedef struct isc_socketevent		isc_socketevent_t;
+typedef struct isc_socketmgr		isc_socketmgr_t;
+typedef struct isc_symtab		isc_symtab_t;
+typedef struct isc_task			isc_task_t;
 typedef struct isc_taskmgr		isc_taskmgr_t;
+typedef struct isc_textregion		isc_textregion_t;
+typedef struct isc_time			isc_time_t;
 typedef struct isc_timer		isc_timer_t;
 typedef struct isc_timermgr		isc_timermgr_t;
-typedef struct isc_rwlock		isc_rwlock_t;
-typedef struct isc_bitstring		isc_bitstring_t;
-typedef struct isc_sockaddr		isc_sockaddr_t;
-typedef struct isc_netaddr		isc_netaddr_t;
 
 typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *);
 
diff --git a/lib/isc/include/isc/ufile.h b/lib/isc/include/isc/ufile.h
deleted file mode 100644
index cbafebe6..00000000
--- a/lib/isc/include/isc/ufile.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (C) 2000  Internet Software Consortium.
- * 
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- * 
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-#ifndef ISC_UFILE_H
-#define ISC_UFILE_H
-
-#include <stdio.h>
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-FILE * isc_ufile(char *template);
-
-/*
- * Create and open a file with a unique name based on 'template'.
- * 
- * Requires:
- *	'template' to be non-NULL string containing a trailing
- *	string of X's.
- *
- * Returns:
- *	A file handle opened for 'w+' on success.  'template'
- *	will contain the file name associated with this handle.
- *	NULL if a unique name could not be generate or an other
- *	error occured when opening.  'template' may or may not
- *	have been destroyed.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_UFILE_H */
diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
index c3f340c0..7ac2b89e 100644
--- a/lib/isc/include/isc/util.h
+++ b/lib/isc/include/isc/util.h
@@ -18,8 +18,6 @@
 #ifndef ISC_UTIL_H
 #define ISC_UTIL_H 1
 
-#include <isc/error.h>
-
 /*
  * NOTE:
  *
@@ -59,11 +57,13 @@
 
 #ifdef ISC_UTIL_TRACEON
 #define ISC_UTIL_TRACE(a) a
-#include <stdio.h>
+#include <stdio.h>		/* Required for fprintf/stderr when tracing. */
 #else
 #define ISC_UTIL_TRACE(a)
 #endif
 
+#include <isc/result.h>		/* Contractual promise. */
+
 #define LOCK(lp) do { \
 	ISC_UTIL_TRACE(fprintf(stderr, "LOCKING %p %s %d\n", (lp), __FILE__, __LINE__)); \
 	RUNTIME_CHECK(isc_mutex_lock((lp)) == ISC_R_SUCCESS); \
@@ -110,12 +110,8 @@
 
 /*
  * List Macros.
- *
- * These are provided as a temporary measure to ease the transition
- * to the renamed list macros in <isc/list.h>.
  */
-
-#include <isc/list.h>
+#include <isc/list.h>		/* Contractual promise. */
 
 #define LIST(type)			ISC_LIST(type)
 #define INIT_LIST(type)			ISC_LIST_INIT(type)
@@ -135,4 +131,23 @@
 #define INSERTAFTER(li, a, e, ln)	ISC_LIST_INSERTAFTER(li, a, e, ln)
 #define APPENDLIST(list1, list2, link)	ISC_LIST_APPENDLIST(list1, list2, link)
 
+/*
+ * Assertions
+ */
+#include <isc/assertions.h>	/* Contractual promise. */
+
+#define REQUIRE(e)			ISC_REQUIRE(e)
+#define ENSURE(e)			ISC_ENSURE(e)
+#define INSIST(e)			ISC_INSIST(e)
+#define INVARIANT(e)			ISC_INVARIANT(e)
+
+/*
+ * Errors
+ */
+#include <isc/error.h>		/* Contractual promise. */
+
+#define UNEXPECTED_ERROR		isc_error_unexpected
+#define FATAL_ERROR			isc_error_fatal
+#define RUNTIME_CHECK(cond)		ISC_ERROR_RUNTIMECHECK(cond)
+
 #endif /* ISC_UTIL_H */
diff --git a/lib/isc/inet_aton.c b/lib/isc/inet_aton.c
index 26c71201..0c0cee04 100644
--- a/lib/isc/inet_aton.c
+++ b/lib/isc/inet_aton.c
@@ -70,7 +70,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char sccsid[] = "@(#)inet_addr.c	8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: inet_aton.c,v 1.8 1999/10/29 04:25:11 marka Exp $";
+static char rcsid[] = "$Id: inet_aton.c,v 1.9 2000/05/09 22:22:18 tale Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -88,8 +88,7 @@ static char rcsid[] = "$Id: inet_aton.c,v 1.8 1999/10/29 04:25:11 marka Exp $";
  * cannot distinguish between failure and a local broadcast address.
  */
 int
-isc_net_aton(const char *cp, struct in_addr *addr)
-{
+isc_net_aton(const char *cp, struct in_addr *addr) {
 	unsigned long val;
 	int base, n;
 	char c;
@@ -117,16 +116,21 @@ isc_net_aton(const char *cp, struct in_addr *addr)
 			}
 		}
 		for (;;) {
-			if (isascii(c & 0xff) && isdigit(c & 0xff)) {
+			/*
+			 * isascii() is valid for all integer values, and
+			 * when it is true, c is known to be in scope
+			 * for isdigit().  No cast necessary.  Similar
+			 * comment applies for later ctype uses.
+			 */
+			if (isascii(c) && isdigit(c)) {
 				if (base == 8 && (c == '8' || c == '9'))
 					return (0);
 				val = (val * base) + (c - '0');
 				c = *++cp;
 				digit = 1;
-			} else if (base == 16 && isascii(c & 0xff) &&
-						 isxdigit(c & 0xff)) {
+			} else if (base == 16 && isascii(c) && isxdigit(c)) {
 				val = (val << 4) |
-					(c + 10 - (islower(c & 0xff) ? 'a' : 'A'));
+					(c + 10 - (islower(c) ? 'a' : 'A'));
 				c = *++cp;
 				digit = 1;
 			} else
@@ -149,7 +153,7 @@ isc_net_aton(const char *cp, struct in_addr *addr)
 	/*
 	 * Check for trailing characters.
 	 */
-	if (c != '\0' && (!isascii(c & 0xff) || !isspace(c & 0xff)))
+	if (c != '\0' && (!isascii(c) || !isspace(c)))
 		return (0);
 	/*
 	 * Did we get a valid digit?
diff --git a/lib/isc/lex.c b/lib/isc/lex.c
index 0bb07c5e..40d9d8ac 100644
--- a/lib/isc/lex.c
+++ b/lib/isc/lex.c
@@ -18,16 +18,14 @@
 #include <config.h>
 
 #include <ctype.h>
-#include <limits.h>
-#include <string.h>
 #include <stdlib.h>
 
-#include <sys/types.h>
-
-#include <isc/assertions.h>
-#include <isc/boolean.h>
-#include <isc/error.h>
+#include <isc/buffer.h>
+#include <isc/file.h>
 #include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
 #include <isc/util.h>
 
 typedef struct inputsource {
@@ -69,7 +67,7 @@ grow_data(isc_lex_t *lex, size_t *remainingp, char **currp, char **prevp) {
 	char *new;
 
 	new = isc_mem_get(lex->mctx, lex->max_token * 2 + 1);
-	if (lex == NULL)
+	if (new == NULL)
 		return (ISC_R_NOMEMORY);
 	memcpy(new, lex->data, lex->max_token + 1);
 	*currp = new + (*currp - lex->data);
@@ -79,7 +77,6 @@ grow_data(isc_lex_t *lex, size_t *remainingp, char **currp, char **prevp) {
 	lex->data = new;
 	*remainingp += lex->max_token;
 	lex->max_token *= 2;
-	fprintf(stderr, "max_token now %d\n", lex->max_token);
 	return (ISC_R_SUCCESS);
 }
 
@@ -215,7 +212,8 @@ new_source(isc_lex_t *lex, isc_boolean_t is_file, isc_boolean_t need_close,
 
 isc_result_t
 isc_lex_openfile(isc_lex_t *lex, const char *filename) {
-	FILE *stream;
+	isc_result_t result;
+	FILE *stream = NULL;
 
 	/*
 	 * Open 'filename' and make it the current input source for 'lex'.
@@ -223,17 +221,10 @@ isc_lex_openfile(isc_lex_t *lex, const char *filename) {
 
 	REQUIRE(VALID_LEX(lex));
 
-	/*
-	 * XXX we should really call something like isc_file_open() to
-	 * get maximally safe file opening.
-	 */
-	stream = fopen(filename, "r");
-	/*
-	 * The C standard doesn't say that errno is set by fopen(), so
-	 * we just return a generic error.
-	 */
-	if (stream == NULL)
-		return (ISC_R_FAILURE);
+	result = isc_stdio_open(filename, "r", &stream);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
 	flockfile(stream);
 	
 	return (new_source(lex, ISC_TRUE, ISC_TRUE, stream, filename));
@@ -494,7 +485,7 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
 				tokenp->type = isc_tokentype_special;
 				tokenp->value.as_char = c;
 				done = ISC_TRUE;
-			} else if (isdigit(c) &&
+			} else if (isdigit((unsigned char)c) &&
 				   (options & ISC_LEXOPT_NUMBER) != 0) {
 				lex->last_was_eol = ISC_FALSE;
 				state = lexstate_number;
@@ -513,7 +504,7 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
 			lex->last_was_eol = ISC_TRUE;
 			break;
 		case lexstate_number:
-			if (!isdigit(c)) {
+			if (c == EOF || !isdigit((unsigned char)c)) {
 				if (c == ' ' || c == '\t' || c == '\r' ||
 				    c == '\n' || c == EOF ||
 				    lex->specials[c]) {
diff --git a/lib/isc/lfsr.c b/lib/isc/lfsr.c
index 9da68744..cc6570bb 100644
--- a/lib/isc/lfsr.c
+++ b/lib/isc/lfsr.c
@@ -21,6 +21,7 @@
 
 #include <isc/assertions.h>
 #include <isc/lfsr.h>
+#include <isc/util.h>
 
 #define VALID_LFSR(x)	(x != NULL)
 
diff --git a/lib/isc/lib.c b/lib/isc/lib.c
index 59f4a063..b076a2a6 100644
--- a/lib/isc/lib.c
+++ b/lib/isc/lib.c
@@ -19,10 +19,8 @@
 
 #include <stdio.h>
 #include <stdlib.h>
-#include <stddef.h>
 
 #include <isc/once.h>
-#include <isc/error.h>
 #include <isc/msgcat.h>
 #include <isc/lib.h>
 
diff --git a/lib/isc/log.c b/lib/isc/log.c
index e46a78bb..3be41db7 100644
--- a/lib/isc/log.c
+++ b/lib/isc/log.c
@@ -15,33 +15,31 @@
  * SOFTWARE.
  */
 
-/* $Id: log.c,v 1.24 2000/03/23 00:53:04 gson Exp $ */
+/* $Id: log.c,v 1.34 2000/05/18 22:38:49 tale Exp $ */
 
 /* Principal Authors: DCL */
 
+#include <config.h>
+
 #include <errno.h>
 #include <stdlib.h>
-#include <string.h>
-#include <time.h>
 #include <limits.h>
+
 #include <sys/stat.h>
 
-#include <isc/assertions.h>
-#include <isc/boolean.h>
 #include <isc/dir.h>
-#include <isc/error.h>
-#include <isc/list.h>
 #include <isc/log.h>
+#include <isc/magic.h>
 #include <isc/mem.h>
-#include <isc/mutex.h>
 #include <isc/print.h>
+#include <isc/string.h>
 #include <isc/time.h>
 #include <isc/util.h>
 
 #define LCTX_MAGIC		0x4C637478U	/* Lctx. */
-#define VALID_CONTEXT(lctx)	((lctx) != NULL && (lctx)->magic == LCTX_MAGIC)
+#define VALID_CONTEXT(lctx)	ISC_MAGIC_VALID(lctx, LCTX_MAGIC)
 #define LCFG_MAGIC		0x4C636667U	/* Lcfg. */
-#define VALID_CONFIG(lcfg)	((lcfg) != NULL && (lcfg)->magic == LCFG_MAGIC)
+#define VALID_CONFIG(lcfg)	ISC_MAGIC_VALID(lcfg, LCFG_MAGIC)
 
 /*
  * XXXDCL make dynamic?
@@ -110,6 +108,9 @@ struct isc_logconfig {
 	ISC_LIST(isc_logchannellist_t) *channellists;
 	unsigned int			channellist_count;
 	unsigned int			duplicate_interval;
+	int				highest_level;
+	char *				tag;
+	isc_boolean_t			dynamic;
 };
 
 /*
@@ -149,7 +150,12 @@ struct isc_log {
  * Used when ISC_LOG_PRINTLEVEL is enabled for a channel.
  */
 static const char *log_level_strings[] = {
-	"debug", "info", "notice", "warning", "error", "critical"
+	"debug",
+	"info",
+	"notice",
+	"warning",
+	"error",
+	"critical"
 };
 
 /*
@@ -157,7 +163,12 @@ static const char *log_level_strings[] = {
  * XXXDCL This will need modification for NT.
  */
 static const int syslog_map[] = {
-	LOG_DEBUG, LOG_INFO, LOG_NOTICE, LOG_WARNING, LOG_ERR, LOG_CRIT
+	LOG_DEBUG,
+	LOG_INFO,
+	LOG_NOTICE,
+	LOG_WARNING,
+	LOG_ERR,
+	LOG_CRIT
 };
 
 /*
@@ -175,11 +186,24 @@ isc_logcategory_t isc_categories[] = {
 };
 
 /*
- * This essentially static structure must be filled in at run time,
+ * See above comment for categories, and apply it to modules.
+ */
+isc_logmodule_t isc_modules[] = {
+	{ "socket", 0 },
+	{ NULL, 0 }
+};
+
+/*
+ * This essentially constant structure must be filled in at run time,
  * because its channel member is pointed to a channel that is created
  * dynamically with isc_log_createchannel.
  */
-isc_logchannellist_t default_channel;
+static isc_logchannellist_t default_channel;
+
+/*
+ * libisc logs to this context.
+ */
+isc_log_t *isc_lctx = NULL;
 
 /*
  * Forward declarations.
@@ -251,6 +275,7 @@ isc_log_create(isc_mem_t *mctx, isc_log_t **lctxp, isc_logconfig_t **lcfgp) {
 		lctx->magic = LCTX_MAGIC;
 
 		isc_log_registercategories(lctx, isc_categories);
+		isc_log_registermodules(lctx, isc_modules);
 		result = isc_logconfig_create(lctx, &lcfg);
 
 	} else
@@ -286,6 +311,9 @@ isc_logconfig_create(isc_log_t *lctx, isc_logconfig_t **lcfgp) {
 		lcfg->channellists = NULL;
 		lcfg->channellist_count = 0;
 		lcfg->duplicate_interval = 0;
+		lcfg->highest_level = ISC_LOG_CRITICAL;
+		lcfg->tag = NULL;
+		lcfg->dynamic = ISC_FALSE;
 
 		ISC_LIST_INIT(lcfg->channels);
 
@@ -481,6 +509,9 @@ isc_logconfig_destroy(isc_logconfig_t **lcfgp) {
 		    lcfg->channellist_count *
 		    sizeof(ISC_LIST(isc_logchannellist_t)));
 
+	lcfg->dynamic = ISC_FALSE;
+	lcfg->tag = NULL;
+	lcfg->highest_level = 0;
 	lcfg->duplicate_interval = 0;
 	lcfg->magic = 0;
 
@@ -779,6 +810,13 @@ isc_log_vwrite1(isc_log_t *lctx, isc_logcategory_t *category,
 }
 
 void
+isc_log_setcontext(isc_log_t *lctx) {
+	REQUIRE(isc_lctx == NULL);
+
+	isc_lctx = lctx;
+}
+
+void
 isc_log_setdebuglevel(isc_log_t *lctx, unsigned int level) {
 	REQUIRE(VALID_CONTEXT(lctx));
 
@@ -806,6 +844,23 @@ isc_log_getduplicateinterval(isc_logconfig_t *lcfg) {
 	return (lcfg->duplicate_interval);
 }
 
+void
+isc_log_settag(isc_logconfig_t *lcfg, char *tag) {
+	REQUIRE(VALID_CONFIG(lcfg));
+	
+	if (tag != NULL && *tag != '\0')
+		lcfg->tag = tag;
+	else
+		lcfg->tag = NULL;
+}
+
+char *
+isc_log_gettag(isc_logconfig_t *lcfg) {
+	REQUIRE(VALID_CONFIG(lcfg));
+
+	return (lcfg->tag);
+}
+
 /* XXXDCL NT  -- This interface will assuredly be changing. */
 void
 isc_log_opensyslog(const char *tag, int options, int facility) {
@@ -864,6 +919,18 @@ assignchannel(isc_logconfig_t *lcfg, unsigned int category_id,
 	new_item->module = module;
 	ISC_LIST_PREPEND(lcfg->channellists[category_id], new_item, link);
 
+	/*
+	 * Remember the highest logging level set by any channel in the
+	 * logging config, so isc_log_doit() can quickly return if the
+	 * message is too high to be logged by any channel.
+	 */
+	if (channel->type != ISC_LOG_TONULL) {
+		if (lcfg->highest_level < channel->level)
+			lcfg->highest_level = channel->level;
+		if (channel->level == ISC_LOG_DYNAMIC)
+			lcfg->dynamic = ISC_TRUE;
+	}
+
 	return (ISC_R_SUCCESS);
 }
 
@@ -1082,6 +1149,8 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 	char level_string[24];
 	struct stat statbuf;
 	isc_boolean_t matched = ISC_FALSE;
+	isc_boolean_t printtime, printtag;
+	isc_boolean_t printcategory, printmodule, printlevel;
 	isc_logconfig_t *lcfg;
 	isc_logchannel_t *channel;
 	isc_logchannellist_t *category_channels;
@@ -1089,6 +1158,10 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 	isc_result_t result;
 
 	REQUIRE(lctx == NULL || VALID_CONTEXT(lctx));
+	REQUIRE(category != NULL);
+	REQUIRE(module != NULL);
+	REQUIRE(level != ISC_LOG_DYNAMIC);
+	REQUIRE(format != NULL);
 
 	/*
 	 * Programs can use libraries that use this logging code without
@@ -1098,12 +1171,30 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 	if (lctx == NULL)
 		return;
 
-	REQUIRE(category != NULL && category->id < lctx->category_count);
-	REQUIRE(module != NULL && module->id < lctx->module_count);
-	REQUIRE(level != ISC_LOG_DYNAMIC);
-	REQUIRE(format != NULL);
+	REQUIRE(category->id < lctx->category_count);
+	REQUIRE(module->id < lctx->module_count);
+
+	/*
+	 * Try to avoid locking the mutex for messages which can't
+	 * possibly be logged to any channels -- primarily debugging
+	 * messages that the debug level is not high enough to print.
+	 *
+	 * If the level is (mathematically) less than or equal to the
+	 * highest_level, or if there is a dynamic channel and the level is 
+	 * less than or equal to the debug level, the main loop must be
+	 * entered to see if the message should really be output.
+	 *
+	 * NOTE: this is UNLOCKED access to the logconfig.  However,
+	 * the worst thing that can happen is that a bad decision is made
+	 * about returning without logging, and that's not a big concern,
+	 * because that's a risk anyway if the logconfig is being
+	 * dynamically changed.
+	 */
+	if (! (level <= lctx->logconfig->highest_level ||
+	       (lctx->logconfig->dynamic && level <= lctx->debug_level)))
+		return;
 
-	time_string[0] = '\0';
+	time_string[0]  = '\0';
 	level_string[0] = '\0';
 	lctx->buffer[0] = '\0';
 
@@ -1154,7 +1245,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 		channel = category_channels->channel;
 		category_channels = ISC_LIST_NEXT(category_channels, link);
 
-		if (((channel->flags & ISC_LOG_DEBUGONLY) > 0) &&
+		if (((channel->flags & ISC_LOG_DEBUGONLY) != 0) &&
 		    lctx->debug_level == 0)
 			continue;
 
@@ -1164,17 +1255,18 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 		} else if (channel->level < level)
 			continue;
 
-		if ((channel->flags & ISC_LOG_PRINTTIME) &&
+		if ((channel->flags & ISC_LOG_PRINTTIME) != 0 &&
 		    time_string[0] == '\0') {
+			time_t now;
+
 			result = isc_time_now(&time);
+			if (result == ISC_R_SUCCESS)
+				result = isc_time_secondsastimet(&time, &now);
 
 			if (result == ISC_R_SUCCESS) {
-				time_t now;
 				unsigned int len;
 				struct tm *timeptr;
 
-				now = isc_time_seconds(&time);
-
 				timeptr = localtime(&now);
 				/*
 				 * Emulate syslog's time format,
@@ -1203,7 +1295,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 
 		}
 
-		if ((channel->flags & ISC_LOG_PRINTLEVEL) &&
+		if ((channel->flags & ISC_LOG_PRINTLEVEL) != 0 &&
 		    level_string[0] == '\0') {
 			if (level < ISC_LOG_CRITICAL)
 				sprintf(level_string, "level %d: ", level);
@@ -1238,13 +1330,18 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 				 * which fall within the duplicate_interval
 				 * range.
 				 */
-				if (isc_time_now(&oldest) != ISC_R_SUCCESS)
+				if (isc_time_now(&oldest) != ISC_R_SUCCESS ||
+				    isc_time_subtract(&oldest, &interval,
+						      &oldest) !=
+				    ISC_R_SUCCESS)
+					/*
+					 * Can't effectively do the checking
+					 * without having a valid time.
+					 */
 					message = NULL;
 				else
-					isc_time_subtract(&oldest, &interval,
-							  &oldest);
+					message =ISC_LIST_HEAD(lctx->messages);
 
-				message = ISC_LIST_HEAD(lctx->messages);
 				while (message != NULL) {
 					if (isc_time_compare(&message->time,
 							     &oldest) < 0) {
@@ -1325,6 +1422,17 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 			}
 		}
 
+		printtime     = ISC_TF((channel->flags & ISC_LOG_PRINTTIME)
+				       != 0);
+		printtag      = ISC_TF((channel->flags & ISC_LOG_PRINTTAG)
+				       != 0 && lcfg->tag != NULL);
+		printcategory = ISC_TF((channel->flags & ISC_LOG_PRINTCATEGORY)
+				       != 0);
+		printmodule   = ISC_TF((channel->flags & ISC_LOG_PRINTMODULE)
+				       != 0);
+		printlevel    = ISC_TF((channel->flags & ISC_LOG_PRINTLEVEL)
+				       != 0);
+
 		switch (channel->type) {
 		case ISC_LOG_TOFILE:
 			if (FILE_STREAM(channel) == NULL) {
@@ -1339,21 +1447,17 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 			/* FALLTHROUGH */
 
 		case ISC_LOG_TOFILEDESC:
-			fprintf(FILE_STREAM(channel), "%s%s%s%s%s%s%s\n",
-				(channel->flags & ISC_LOG_PRINTTIME) ?
-					time_string : "",
-				(channel->flags & ISC_LOG_PRINTCATEGORY) ?
-					category->name : "",
-				(channel->flags & ISC_LOG_PRINTCATEGORY) ?
-					": " : "",
-				(channel->flags & ISC_LOG_PRINTMODULE) ?
-					(module != NULL ? module->name :
-					                  "no_module")
-					: "",
-				(channel->flags & ISC_LOG_PRINTMODULE) ?
-					": " : "",
-				(channel->flags & ISC_LOG_PRINTLEVEL) ?
-					level_string : "",
+			fprintf(FILE_STREAM(channel), "%s%s%s%s%s%s%s%s%s\n",
+				printtime     ? time_string	: "",
+				printtag      ? lcfg->tag	: "",
+				printtag      ? ": "		: "",
+				printcategory ? category->name	: "",
+				printcategory ? ": "		: "",
+				printmodule   ? (module != NULL ? module->name
+						 		: "no_module")
+					      			: "",
+				printmodule   ? ": "		: "",
+				printlevel    ? level_string	: "",
 				lctx->buffer);
 
 			fflush(FILE_STREAM(channel));
@@ -1387,21 +1491,17 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 				syslog_level = syslog_map[-level];
 
 			syslog(FACILITY(channel) | syslog_level,
-			       "%s%s%s%s%s%s%s",
-			       (channel->flags & ISC_LOG_PRINTTIME) ?
-			       		time_string : "",
-			       (channel->flags & ISC_LOG_PRINTCATEGORY) ?
-			       		category->name : "",
-			       (channel->flags & ISC_LOG_PRINTCATEGORY) ?
-			       		": " : "",
-			       (channel->flags & ISC_LOG_PRINTMODULE) ?
-					(module != NULL ? module->name :
-					                  "no_module")
-			       		: "",
-			       (channel->flags & ISC_LOG_PRINTMODULE) ?
-			       		": " : "",
-			       (channel->flags & ISC_LOG_PRINTLEVEL) ?
-			       		level_string : "",
+			       "%s%s%s%s%s%s%s%s%s",
+			       printtime     ? time_string	: "",
+			       printtag      ? lcfg->tag	: "",
+			       printtag      ? ": "		: "",
+			       printcategory ? category->name	: "",
+			       printcategory ? ": "		: "",
+			       printmodule   ? (module != NULL	? module->name
+						 		: "no_module")
+					      			: "",
+			       printmodule   ? ": "		: "",
+			       printlevel    ? level_string	: "",
 			       lctx->buffer);
 			break;
 
diff --git a/lib/isc/mem.c b/lib/isc/mem.c
index 2e868420..d19a2358 100644
--- a/lib/isc/mem.c
+++ b/lib/isc/mem.c
@@ -20,13 +20,12 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <stddef.h>
-#include <string.h>
 
 #include <limits.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
 #include <isc/mem.h>
+#include <isc/ondestroy.h>
+#include <isc/string.h>
 
 #ifndef ISC_SINGLETHREADED
 #include <isc/mutex.h>
@@ -112,9 +111,12 @@ struct isc_mem {
 	unsigned char *		lowest;
 	unsigned char *		highest;
 	isc_boolean_t		checkfree;
+	isc_boolean_t		trysplit;
 	struct stats *		stats;
+	unsigned int		references;
 	size_t			quota;
 	size_t			total;
+	size_t			inuse;
 	ISC_LIST(isc_mempool_t)	pools;
 };
 
@@ -224,6 +226,7 @@ isc_mem_createx(size_t init_max_size, size_t target_size,
 		return (ISC_R_NOMEMORY);
 	}
 	ctx->checkfree = ISC_TRUE;
+	ctx->trysplit = ISC_FALSE;
 	memset(ctx->freelists, 0,
 	       ctx->max_size * sizeof (element *));
 	ctx->stats = (memalloc)(arg,
@@ -248,8 +251,10 @@ isc_mem_createx(size_t init_max_size, size_t target_size,
 				 "isc_mutex_init() failed");
 		return (ISC_R_UNEXPECTED);
 	}
+	ctx->references = 1;
 	ctx->quota = 0;
 	ctx->total = 0;
+	ctx->inuse = 0;
 	ctx->magic = MEM_MAGIC;
 	isc_ondestroy_init(&ctx->ondestroy);
 	ISC_LIST_INIT(ctx->pools);
@@ -267,19 +272,15 @@ isc_mem_create(size_t init_max_size, size_t target_size,
 				ctxp));
 }
 
-void
-isc_mem_destroy(isc_mem_t **ctxp) {
+static void
+destroy(isc_mem_t *ctx) {
 	unsigned int i;
-	isc_mem_t *ctx;
 	isc_ondestroy_t ondest;
 
-	REQUIRE(ctxp != NULL);
-	ctx = *ctxp;
-	REQUIRE(VALID_CONTEXT(ctx));
-
 	ctx->magic = 0;
 
 	INSIST(ISC_LIST_EMPTY(ctx->pools));
+	INSIST(ctx->references == 0);
 
 	if (ctx->checkfree) {
 		for (i = 0; i <= ctx->max_size; i++)
@@ -305,6 +306,65 @@ isc_mem_destroy(isc_mem_t **ctxp) {
 	(ctx->memfree)(ctx->arg, ctx);
 
 	isc_ondestroy_notify(&ondest, ctx);
+}
+
+void
+isc_mem_attach(isc_mem_t *source, isc_mem_t **targetp) {
+	REQUIRE(VALID_CONTEXT(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	LOCK(&source->lock);
+	source->references++;
+	UNLOCK(&source->lock);
+
+	*targetp = source;
+}
+
+void
+isc_mem_detach(isc_mem_t **ctxp) {
+	isc_mem_t *ctx;
+	isc_boolean_t want_destroy = ISC_FALSE;
+
+	REQUIRE(ctxp != NULL);
+	ctx = *ctxp;
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	LOCK(&ctx->lock);
+	INSIST(ctx->references > 0);
+	ctx->references--;
+	if (ctx->references == 0)
+		want_destroy = ISC_TRUE;
+	UNLOCK(&ctx->lock);
+
+	if (want_destroy)
+		destroy(ctx);
+
+	*ctxp = NULL;
+}
+
+void
+isc_mem_destroy(isc_mem_t **ctxp) {
+	isc_mem_t *ctx;
+	isc_boolean_t want_destroy = ISC_FALSE;
+
+	/*
+	 * This routine provides legacy support for callers who use mctxs
+	 * without attaching/detaching.
+	 */
+
+	REQUIRE(ctxp != NULL);
+	ctx = *ctxp;
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	LOCK(&ctx->lock);
+	REQUIRE(ctx->references == 1);
+	ctx->references--;
+	if (ctx->references == 0)
+		want_destroy = ISC_TRUE;
+	UNLOCK(&ctx->lock);
+
+	if (want_destroy)
+		destroy(ctx);
 
 	*ctxp = NULL;
 }
@@ -332,7 +392,7 @@ isc_mem_restore(isc_mem_t *ctx) {
 	return (result);
 }
 
-static void
+static inline isc_boolean_t
 more_basic_blocks(isc_mem_t *ctx) {
 	void *new;
 	unsigned char *curr, *next;
@@ -349,7 +409,7 @@ more_basic_blocks(isc_mem_t *ctx) {
 	 */
 	increment = NUM_BASIC_BLOCKS * ctx->mem_target;
 	if (ctx->quota != 0 && ctx->total + increment > ctx->quota)
-		return;
+		return (ISC_FALSE);
 
 	INSIST(ctx->basic_table_count <= ctx->basic_table_size);
 	if (ctx->basic_table_count == ctx->basic_table_size) {
@@ -357,7 +417,7 @@ more_basic_blocks(isc_mem_t *ctx) {
 		table = (ctx->memalloc)(ctx->arg,
 					table_size * sizeof (unsigned char *));
 		if (table == NULL)
-			return;
+			return (ISC_FALSE);
 		if (ctx->basic_table_size != 0) {
 			memcpy(table, ctx->basic_table,
 			       ctx->basic_table_size *
@@ -370,7 +430,7 @@ more_basic_blocks(isc_mem_t *ctx) {
 
 	new = (ctx->memalloc)(ctx->arg, NUM_BASIC_BLOCKS * ctx->mem_target);
 	if (new == NULL)
-		return;
+		return (ISC_FALSE);
 	ctx->total += increment;
 	ctx->basic_table[ctx->basic_table_count] = new;
 	ctx->basic_table_count++;
@@ -394,11 +454,12 @@ more_basic_blocks(isc_mem_t *ctx) {
 	if (last > ctx->highest)
 		ctx->highest = last;
 	ctx->basic_blocks = new;
+
+	return (ISC_TRUE);
 }
 
 void *
-__isc_mem_get(isc_mem_t *ctx, size_t size)
-{
+isc__mem_get(isc_mem_t *ctx, size_t size) {
 	void *ret;
 
 	REQUIRE(VALID_CONTEXT(ctx));
@@ -410,6 +471,7 @@ __isc_mem_get(isc_mem_t *ctx, size_t size)
 	return (ret);
 }
 
+#if ISC_MEM_FILL != 0 && ISC_MEM_CHECKOVERRUN != 0
 static inline void
 check_overrun(void *mem, size_t size, size_t new_size) {
 	unsigned char *cp;
@@ -422,15 +484,137 @@ check_overrun(void *mem, size_t size, size_t new_size) {
 		size++;
 	}
 }
+#endif
+
+static inline void
+split(isc_mem_t *ctx, size_t size, size_t new_size) {
+	unsigned char *ptr;
+	size_t remaining_size;
+
+	/*
+	 * Unlink a frag of size 'size'.
+	 */
+	ptr = (unsigned char *)ctx->freelists[size];
+	ctx->freelists[size] = ctx->freelists[size]->next;
+	ctx->stats[size].freefrags--;
+
+	/*
+	 * Create a frag of size 'new_size' and link it in.
+	 */
+	((element *)ptr)->next = ctx->freelists[new_size];
+	ctx->freelists[new_size] = (element *)ptr;
+	ctx->stats[new_size].freefrags++;
+
+	/*
+	 * Create a frag of size 'size - new_size' and link it in.
+	 */
+	remaining_size = size - new_size;
+	ptr += new_size;
+	((element *)ptr)->next = ctx->freelists[remaining_size];
+	ctx->freelists[remaining_size] = (element *)ptr;
+	ctx->stats[remaining_size].freefrags++;
+}
+
+static inline isc_boolean_t
+try_split(isc_mem_t *ctx, size_t new_size) {
+	size_t i, doubled_size;
+
+	if (!ctx->trysplit)
+		return (ISC_FALSE);
+
+	/*
+	 * Try splitting a frag that's at least twice as big as the size
+	 * we want.
+	 */
+	doubled_size = new_size * 2;
+	for (i = doubled_size;
+	     i < ctx->max_size;
+	     i += ALIGNMENT_SIZE) {
+		if (ctx->freelists[i] != NULL) {
+			split(ctx, i, new_size);
+			return (ISC_TRUE);
+		}
+	}
+
+	/*
+	 * No luck.  Try splitting any frag bigger than the size we need.
+	 */
+	for (i = new_size + ALIGNMENT_SIZE;
+	     i < doubled_size;
+	     i += ALIGNMENT_SIZE) {
+		if (ctx->freelists[i] != NULL) {
+			split(ctx, i, new_size);
+			return (ISC_TRUE);
+		}
+	}
+
+	return (ISC_FALSE);
+}
+
+static inline isc_boolean_t
+more_frags(isc_mem_t *ctx, size_t new_size) {
+	int i, frags;
+	size_t total_size;
+	void *new;
+	unsigned char *curr, *next;
+
+	/*
+	 * Try to get more fragments by chopping up a basic block.
+	 */
+
+	if (ctx->basic_blocks == NULL) {
+		if (!more_basic_blocks(ctx)) {
+			/*
+			 * We can't get more memory from the OS, or we've
+			 * hit the quota for this context.
+			 */
+			/*
+			 * XXXRTH  "At quota" notification here. 
+			 */
+			/*
+			 * Maybe we can split one of our existing
+			 * list frags.
+			 */
+			return (try_split(ctx, new_size));
+		}
+	}
+
+	total_size = ctx->mem_target;
+	new = ctx->basic_blocks;
+	ctx->basic_blocks = ctx->basic_blocks->next;
+	frags = total_size / new_size;
+	ctx->stats[new_size].blocks++;
+	ctx->stats[new_size].freefrags += frags;
+	/*
+	 * Set up a linked-list of blocks of size
+	 * "new_size".
+	 */
+	curr = new;
+	next = curr + new_size;
+	for (i = 0; i < (frags - 1); i++) {
+		((element *)curr)->next = (element *)next;
+		curr = next;
+		next += new_size;
+	}
+	/*
+	 * curr is now pointing at the last block in the
+	 * array.
+	 */
+	((element *)curr)->next = NULL;
+	ctx->freelists[new_size] = new;
+
+	return (ISC_TRUE);
+}
 
 static inline void *
-mem_getunlocked(isc_mem_t *ctx, size_t size)
-{
+mem_getunlocked(isc_mem_t *ctx, size_t size) {
 	size_t new_size = quantize(size);
 	void *ret;
 
 	if (size >= ctx->max_size || new_size >= ctx->max_size) {
-		/* memget() was called on something beyond our upper limit. */
+		/*
+		 * memget() was called on something beyond our upper limit.
+		 */
 		if (ctx->quota != 0 && ctx->total + size > ctx->quota) {
 			ret = NULL;
 			goto done;
@@ -438,6 +622,7 @@ mem_getunlocked(isc_mem_t *ctx, size_t size)
 		ret = (ctx->memalloc)(ctx->arg, size);
 		if (ret != NULL) {
 			ctx->total += size;
+			ctx->inuse += size;
 			ctx->stats[ctx->max_size].gets++;
 			ctx->stats[ctx->max_size].totalgets++;
 			/*
@@ -455,39 +640,12 @@ mem_getunlocked(isc_mem_t *ctx, size_t size)
 	 * of memory and then break it up into "new_size"-sized blocks, adding
 	 * them to the free list.
 	 */
-	if (ctx->freelists[new_size] == NULL) {
-		int i, frags;
-		size_t total_size;
-		void *new;
-		unsigned char *curr, *next;
-
-		if (ctx->basic_blocks == NULL) {
-			more_basic_blocks(ctx);
-			if (ctx->basic_blocks == NULL) {
-				ret = NULL;
-				goto done;
-			}
-		}
-		total_size = ctx->mem_target;
-		new = ctx->basic_blocks;
-		ctx->basic_blocks = ctx->basic_blocks->next;
-		frags = total_size / new_size;
-		ctx->stats[new_size].blocks++;
-		ctx->stats[new_size].freefrags += frags;
-		/* Set up a linked-list of blocks of size "new_size". */
-		curr = new;
-		next = curr + new_size;
-		for (i = 0; i < (frags - 1); i++) {
-			((element *)curr)->next = (element *)next;
-			curr = next;
-			next += new_size;
-		}
-		/* curr is now pointing at the last block in the array. */
-		((element *)curr)->next = NULL;
-		ctx->freelists[new_size] = new;
-	}
+	if (ctx->freelists[new_size] == NULL && !more_frags(ctx, new_size))
+		return (NULL);
 
-	/* The free list uses the "rounded-up" size "new_size": */
+	/*
+	 * The free list uses the "rounded-up" size "new_size".
+	 */
 	ret = ctx->freelists[new_size];
 	ctx->freelists[new_size] = ctx->freelists[new_size]->next;
 
@@ -500,6 +658,7 @@ mem_getunlocked(isc_mem_t *ctx, size_t size)
 	ctx->stats[size].gets++;
 	ctx->stats[size].totalgets++;
 	ctx->stats[new_size].freefrags--;
+	ctx->inuse += new_size;
 
  done:
 
@@ -512,8 +671,7 @@ mem_getunlocked(isc_mem_t *ctx, size_t size)
 }
 
 void
-__isc_mem_put(isc_mem_t *ctx, void *mem, size_t size)
-{
+isc__mem_put(isc_mem_t *ctx, void *mem, size_t size) {
 	REQUIRE(VALID_CONTEXT(ctx));
 
 	LOCK(&ctx->lock);
@@ -522,12 +680,13 @@ __isc_mem_put(isc_mem_t *ctx, void *mem, size_t size)
 }
 
 static inline void
-mem_putunlocked(isc_mem_t *ctx, void *mem, size_t size)
-{
+mem_putunlocked(isc_mem_t *ctx, void *mem, size_t size) {
 	size_t new_size = quantize(size);
 
 	if (size == ctx->max_size || new_size >= ctx->max_size) {
-		/* memput() called on something beyond our upper limit */
+		/*
+		 * memput() called on something beyond our upper limit.
+		 */
 #if ISC_MEM_FILL
 		memset(mem, 0xde, size); /* Mnemonic for "dead". */
 #endif
@@ -535,6 +694,7 @@ mem_putunlocked(isc_mem_t *ctx, void *mem, size_t size)
 		INSIST(ctx->stats[ctx->max_size].gets != 0);
 		ctx->stats[ctx->max_size].gets--;
 		INSIST(size <= ctx->total);
+		ctx->inuse -= size;
 		ctx->total -= size;
 		return;
 	}
@@ -546,7 +706,9 @@ mem_putunlocked(isc_mem_t *ctx, void *mem, size_t size)
 	memset(mem, 0xde, new_size); /* Mnemonic for "dead". */
 #endif
 
-	/* The free list uses the "rounded-up" size "new_size": */
+	/*
+	 * The free list uses the "rounded-up" size "new_size".
+	 */
 	((element *)mem)->next = ctx->freelists[new_size];
 	ctx->freelists[new_size] = (element *)mem;
 
@@ -559,25 +721,50 @@ mem_putunlocked(isc_mem_t *ctx, void *mem, size_t size)
 	INSIST(ctx->stats[size].gets != 0);
 	ctx->stats[size].gets--;
 	ctx->stats[new_size].freefrags++;
+	ctx->inuse -= new_size;
 }
 
 void *
-__isc_mem_getdebug(isc_mem_t *ctx, size_t size, const char *file, int line) {
+isc__mem_getdebug(isc_mem_t *ctx, size_t size, const char *file, int line) {
 	void *ptr;
 
-	ptr = __isc_mem_get(ctx, size);
+	ptr = isc__mem_get(ctx, size);
 	fprintf(stderr, "%s:%d: mem_get(%p, %lu) -> %p\n", file, line,
 		ctx, (unsigned long)size, ptr);
 	return (ptr);
 }
 
 void
-__isc_mem_putdebug(isc_mem_t *ctx, void *ptr, size_t size, const char *file,
+isc__mem_putdebug(isc_mem_t *ctx, void *ptr, size_t size, const char *file,
 		 int line)
 {
 	fprintf(stderr, "%s:%d: mem_put(%p, %p, %lu)\n", file, line, 
 		ctx, ptr, (unsigned long)size);
-	__isc_mem_put(ctx, ptr, size);
+	isc__mem_put(ctx, ptr, size);
+}
+
+isc_result_t
+isc_mem_preallocate(isc_mem_t *ctx) {
+	size_t i;
+	isc_result_t result = ISC_R_SUCCESS;
+	void *ptr;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	LOCK(&ctx->lock);
+
+	for (i = 0; i < ctx->max_size; i += ALIGNMENT_SIZE) {
+		ptr = mem_getunlocked(ctx, i);
+		if (ptr == NULL) {
+			result = ISC_R_NOMEMORY;
+			break;
+		}
+		mem_putunlocked(ctx, ptr, i);
+	}
+		
+	UNLOCK(&ctx->lock);
+
+	return (result);
 }
 
 /*
@@ -656,11 +843,11 @@ isc_mem_valid(isc_mem_t *ctx, void *ptr) {
  */
 
 void *
-__isc_mem_allocate(isc_mem_t *ctx, size_t size) {
+isc__mem_allocate(isc_mem_t *ctx, size_t size) {
 	size_info *si;
 
 	size += ALIGNMENT_SIZE;
-	si = __isc_mem_get(ctx, size);
+	si = isc__mem_get(ctx, size);
 	if (si == NULL)
 		return (NULL);
 	si->u.size = size;
@@ -668,11 +855,11 @@ __isc_mem_allocate(isc_mem_t *ctx, size_t size) {
 }
 
 void *
-__isc_mem_allocatedebug(isc_mem_t *ctx, size_t size, const char *file,
+isc__mem_allocatedebug(isc_mem_t *ctx, size_t size, const char *file,
 			int line) {
 	size_info *si;
 
-	si = __isc_mem_allocate(ctx, size);
+	si = isc__mem_allocate(ctx, size);
 	if (si == NULL)
 		return (NULL);
 	fprintf(stderr, "%s:%d: mem_get(%p, %lu) -> %p\n", file, line,
@@ -681,21 +868,21 @@ __isc_mem_allocatedebug(isc_mem_t *ctx, size_t size, const char *file,
 }
 
 void
-__isc_mem_free(isc_mem_t *ctx, void *ptr) {
+isc__mem_free(isc_mem_t *ctx, void *ptr) {
 	size_info *si;
 
 	si = &(((size_info *)ptr)[-1]);
-	__isc_mem_put(ctx, si, si->u.size);
+	isc__mem_put(ctx, si, si->u.size);
 }
 
 void
-__isc_mem_freedebug(isc_mem_t *ctx, void *ptr, const char *file, int line) {
+isc__mem_freedebug(isc_mem_t *ctx, void *ptr, const char *file, int line) {
 	size_info *si;
 
 	si = &(((size_info *)ptr)[-1]);
 	fprintf(stderr, "%s:%d: mem_put(%p, %p, %lu)\n", file, line, 
 		ctx, ptr, (unsigned long)si->u.size);
-	__isc_mem_put(ctx, si, si->u.size);
+	isc__mem_put(ctx, si, si->u.size);
 }
 
 /*
@@ -703,12 +890,12 @@ __isc_mem_freedebug(isc_mem_t *ctx, void *ptr, const char *file, int line) {
  */
 
 char *
-__isc_mem_strdup(isc_mem_t *mctx, const char *s) {
+isc__mem_strdup(isc_mem_t *mctx, const char *s) {
 	size_t len;
 	char *ns;
 
 	len = strlen(s);
-	ns = __isc_mem_allocate(mctx, len + 1);
+	ns = isc__mem_allocate(mctx, len + 1);
 	if (ns == NULL)
 		return (NULL);
 	strncpy(ns, s, len + 1);
@@ -717,27 +904,36 @@ __isc_mem_strdup(isc_mem_t *mctx, const char *s) {
 }
 
 char *
-__isc_mem_strdupdebug(isc_mem_t *mctx, const char *s, const char *file,
+isc__mem_strdupdebug(isc_mem_t *mctx, const char *s, const char *file,
 		      int line) {
 	char *ptr;
 	size_info *si;
 
-	ptr = __isc_mem_strdup(mctx, s);
+	ptr = isc__mem_strdup(mctx, s);
 	si = &(((size_info *)ptr)[-1]);
 	fprintf(stderr, "%s:%d: mem_get(%p, %lu) -> %p\n", file, line,
 		mctx, (unsigned long)si->u.size, ptr);
 	return (ptr);
 }
 
-isc_boolean_t
-isc_mem_destroy_check(isc_mem_t *mctx, isc_boolean_t flag) {
-	isc_boolean_t oldval;
+void
+isc_mem_setdestroycheck(isc_mem_t *ctx, isc_boolean_t flag) {
+	REQUIRE(VALID_CONTEXT(ctx));
+	LOCK(&ctx->lock);
+
+	ctx->checkfree = flag;
+
+	UNLOCK(&ctx->lock);
+}
+
+void
+isc_mem_setsplit(isc_mem_t *ctx, isc_boolean_t flag) {
+	REQUIRE(VALID_CONTEXT(ctx));
+	LOCK(&ctx->lock);
 
-	INSIST(mctx != NULL);
+	ctx->trysplit = flag;
 
-	oldval = mctx->checkfree;
-	mctx->checkfree = flag;
-	return (oldval);
+	UNLOCK(&ctx->lock);
 }
 
 
@@ -769,6 +965,20 @@ isc_mem_getquota(isc_mem_t *ctx) {
 	return (quota);
 }
 
+size_t
+isc_mem_inuse(isc_mem_t *ctx) {
+	size_t inuse;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+	LOCK(&ctx->lock);
+
+	inuse = ctx->inuse;
+
+	UNLOCK(&ctx->lock);
+
+	return (inuse);
+}
+
 #ifdef ISC_MEMCLUSTER_LEGACY
 
 /*
@@ -779,7 +989,9 @@ static isc_mem_t *default_context = NULL;
 
 int
 meminit(size_t init_max_size, size_t target_size) {
-	/* need default_context lock here */
+	/*
+	 * Need default_context lock here.
+	 */
 	if (default_context != NULL)
 		return (-1);
 	return (isc_mem_create(init_max_size, target_size, &default_context));
@@ -787,55 +999,65 @@ meminit(size_t init_max_size, size_t target_size) {
 
 isc_mem_t *
 mem_default_context(void) {
-	/* need default_context lock here */
+	/*
+	 * Need default_context lock here.
+	 */
 	if (default_context == NULL && meminit(0, 0) == -1)
 		return (NULL);
 	return (default_context);
 }
 
 void *
-__memget(size_t size) {
-	/* need default_context lock here */
+isc__legacy_memget(size_t size) {
+	/*
+	 * Need default_context lock here.
+	 */
 	if (default_context == NULL && meminit(0, 0) == -1)
 		return (NULL);
-	return (__mem_get(default_context, size));
+	return (isc__mem_get(default_context, size));
 }
 
 void
-__memput(void *mem, size_t size) {
-	/* need default_context lock here */
+isc__legacy_memput(void *mem, size_t size) {
+	/*
+	 * Need default_context lock here.
+	 */
 	REQUIRE(default_context != NULL);
-	__mem_put(default_context, mem, size);
+	isc__mem_put(default_context, mem, size);
 }
 
 void *
-__memget_debug(size_t size, const char *file, int line) {
+isc__legacy_memget_debug(size_t size, const char *file, int line) {
 	void *ptr;
-	ptr = __memget(size);
+	ptr = isc__legacy_memget(size);
 	fprintf(stderr, "%s:%d: memget(%lu) -> %p\n", file, line,
 		(unsigned long)size, ptr);
 	return (ptr);
 }
 
 void
-__memput_debug(void *ptr, size_t size, const char *file, int line) {
+isc__legacy_memput_debug(void *ptr, size_t size, const char *file, int line) {
 	fprintf(stderr, "%s:%d: memput(%p, %lu)\n", file, line, 
 		ptr, (unsigned long)size);
-	__memput(ptr, size);
+	isc__legacy_memput(ptr, size);
 }
 
 int
 memvalid(void *ptr) {
-	/* need default_context lock here */
+	/*
+	 * Need default_context lock here.
+	 */
 	REQUIRE(default_context != NULL);
-	return (mem_valid(default_context, ptr));
+	return (isc_mem_valid(default_context, ptr));
 }
 
 void
 memstats(FILE *out) {
-	/* need default_context lock here */
+	/*
+	 * Need default_context lock here.
+	 */
 	REQUIRE(default_context != NULL);
-	mem_stats(default_context, out);
+	isc_mem_stats(default_context, out);
 }
 
 #endif /* ISC_MEMCLUSTER_LEGACY */
@@ -852,8 +1074,7 @@ memstats(FILE *out) {
  * will be returned to the mctx.
  */
 static void
-mempool_release(isc_mempool_t *mpctx, unsigned int n)
-{
+mempool_release(isc_mempool_t *mpctx, unsigned int n) {
 	isc_mem_t *mctx;
 	element *item;
 	element *next;
@@ -892,8 +1113,7 @@ mempool_release(isc_mempool_t *mpctx, unsigned int n)
  * context must be locked, and the pool if needed.
  */
 static void
-mempool_releaseall(isc_mempool_t *mpctx)
-{
+mempool_releaseall(isc_mempool_t *mpctx) {
 	isc_mem_t *mctx;
 	element *item;
 	element *next;
@@ -916,8 +1136,7 @@ mempool_releaseall(isc_mempool_t *mpctx)
 }
 
 isc_result_t
-isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp)
-{
+isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp) {
 	isc_mempool_t *mpctx;
 
 	REQUIRE(VALID_CONTEXT(mctx));
@@ -961,8 +1180,7 @@ isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp)
 }
 
 void
-isc_mempool_setname(isc_mempool_t *mpctx, char *name)
-{
+isc_mempool_setname(isc_mempool_t *mpctx, char *name) {
 	REQUIRE(name != NULL);
 
 #if ISC_MEMPOOL_NAMES
@@ -981,8 +1199,7 @@ isc_mempool_setname(isc_mempool_t *mpctx, char *name)
 }
 
 void
-isc_mempool_destroy(isc_mempool_t **mpctxp)
-{
+isc_mempool_destroy(isc_mempool_t **mpctxp) {
 	isc_mempool_t *mpctx;
 	isc_mem_t *mctx;
 	isc_mutex_t *lock;
@@ -1024,8 +1241,7 @@ isc_mempool_destroy(isc_mempool_t **mpctxp)
 }
 
 void
-isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock)
-{
+isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock) {
 	REQUIRE(VALID_MEMPOOL(mpctx));
 	REQUIRE(mpctx->lock == NULL);
 	REQUIRE(lock != NULL);
@@ -1034,8 +1250,7 @@ isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock)
 }
 
 void *
-__isc_mempool_get(isc_mempool_t *mpctx)
-{
+isc__mempool_get(isc_mempool_t *mpctx) {
 	element *item;
 	isc_mem_t *mctx;
 	unsigned int i;
@@ -1103,8 +1318,7 @@ __isc_mempool_get(isc_mempool_t *mpctx)
 }
 
 void
-__isc_mempool_put(isc_mempool_t *mpctx, void *mem)
-{
+isc__mempool_put(isc_mempool_t *mpctx, void *mem) {
 	isc_mem_t *mctx;
 	element *item;
 
@@ -1123,7 +1337,7 @@ __isc_mempool_put(isc_mempool_t *mpctx, void *mem)
 	 * If our free list is full, return this to the mctx directly.
 	 */
 	if (mpctx->freecount >= mpctx->freemax) {
-		__isc_mem_put(mctx, mem, mpctx->size);
+		isc__mem_put(mctx, mem, mpctx->size);
 		if (mpctx->lock != NULL)
 			UNLOCK(mpctx->lock);
 		return;
@@ -1142,12 +1356,10 @@ __isc_mempool_put(isc_mempool_t *mpctx, void *mem)
 }
 
 void *
-__isc_mempool_getdebug(isc_mempool_t *mpctx,
-		       const char *file, int line)
-{
+isc__mempool_getdebug(isc_mempool_t *mpctx, const char *file, int line) {
 	void *ptr;
 
-	ptr = __isc_mempool_get(mpctx);
+	ptr = isc__mempool_get(mpctx);
 	fprintf(stderr, "%s:%d: mempool_get(%p) -> %p\n", file, line,
 		mpctx, ptr);
 
@@ -1155,12 +1367,12 @@ __isc_mempool_getdebug(isc_mempool_t *mpctx,
 }
 
 void
-__isc_mempool_putdebug(isc_mempool_t *mpctx, void *ptr,
-		       const char *file, int line)
+isc__mempool_putdebug(isc_mempool_t *mpctx, void *ptr, const char *file,
+		      int line)
 {
 	fprintf(stderr, "%s:%d: mempool_put(%p, %p)\n", file, line, 
 		mpctx, ptr);
-	__isc_mempool_put(mpctx, ptr);
+	isc__mempool_put(mpctx, ptr);
 }
 
 /*
@@ -1168,8 +1380,7 @@ __isc_mempool_putdebug(isc_mempool_t *mpctx, void *ptr,
  */
 
 void
-isc_mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit)
-{
+isc_mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit) {
 	REQUIRE(VALID_MEMPOOL(mpctx));
 
 	if (mpctx->lock != NULL)
@@ -1182,8 +1393,7 @@ isc_mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit)
 }
 
 unsigned int
-isc_mempool_getfreemax(isc_mempool_t *mpctx)
-{
+isc_mempool_getfreemax(isc_mempool_t *mpctx) {
 	unsigned int freemax;
 
 	REQUIRE(VALID_MEMPOOL(mpctx));
@@ -1200,8 +1410,7 @@ isc_mempool_getfreemax(isc_mempool_t *mpctx)
 }
 
 unsigned int
-isc_mempool_getfreecount(isc_mempool_t *mpctx)
-{
+isc_mempool_getfreecount(isc_mempool_t *mpctx) {
 	unsigned int freecount;
 
 	REQUIRE(VALID_MEMPOOL(mpctx));
@@ -1218,8 +1427,7 @@ isc_mempool_getfreecount(isc_mempool_t *mpctx)
 }
 
 void
-isc_mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit)
-{
+isc_mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit) {
 	REQUIRE(limit > 0);
 
 	REQUIRE(VALID_MEMPOOL(mpctx));
@@ -1234,8 +1442,7 @@ isc_mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit)
 }
 
 unsigned int
-isc_mempool_getmaxalloc(isc_mempool_t *mpctx)
-{
+isc_mempool_getmaxalloc(isc_mempool_t *mpctx) {
 	unsigned int maxalloc;
 
 	REQUIRE(VALID_MEMPOOL(mpctx));
@@ -1252,8 +1459,7 @@ isc_mempool_getmaxalloc(isc_mempool_t *mpctx)
 }
 
 unsigned int
-isc_mempool_getallocated(isc_mempool_t *mpctx)
-{
+isc_mempool_getallocated(isc_mempool_t *mpctx) {
 	unsigned int allocated;
 
 	REQUIRE(VALID_MEMPOOL(mpctx));
@@ -1270,8 +1476,7 @@ isc_mempool_getallocated(isc_mempool_t *mpctx)
 }
 
 void
-isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit)
-{
+isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit) {
 	REQUIRE(limit > 0);
 	REQUIRE(VALID_MEMPOOL(mpctx));
 
@@ -1285,8 +1490,7 @@ isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit)
 }
 
 unsigned int
-isc_mempool_getfillcount(isc_mempool_t *mpctx)
-{
+isc_mempool_getfillcount(isc_mempool_t *mpctx) {
 	unsigned int fillcount;
 
 	REQUIRE(VALID_MEMPOOL(mpctx));
diff --git a/lib/isc/mutexblock.c b/lib/isc/mutexblock.c
index c115fabd..47ff91b8 100644
--- a/lib/isc/mutexblock.c
+++ b/lib/isc/mutexblock.c
@@ -17,12 +17,10 @@
 
 #include <config.h>
 
-#include <isc/mutex.h>
 #include <isc/mutexblock.h>
 
 isc_result_t
-isc_mutexblock_init(isc_mutex_t *block, unsigned int count)
-{
+isc_mutexblock_init(isc_mutex_t *block, unsigned int count) {
 	isc_result_t result;
 	unsigned int i;
 
@@ -42,8 +40,7 @@ isc_mutexblock_init(isc_mutex_t *block, unsigned int count)
 }
 
 isc_result_t
-isc_mutexblock_destroy(isc_mutex_t *block, unsigned int count)
-{
+isc_mutexblock_destroy(isc_mutex_t *block, unsigned int count) {
 	isc_result_t result;
 	unsigned int i;
 
diff --git a/lib/isc/netaddr.c b/lib/isc/netaddr.c
index 08710a88..51f01167 100644
--- a/lib/isc/netaddr.c
+++ b/lib/isc/netaddr.c
@@ -17,15 +17,11 @@
 
 #include <config.h>
 
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
 #include <isc/netaddr.h>
 #include <isc/sockaddr.h>
-#include <isc/types.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 isc_boolean_t
 isc_netaddr_equal(const isc_netaddr_t *a, const isc_netaddr_t *b) {
diff --git a/lib/isc/nls/msgcat.c b/lib/isc/nls/msgcat.c
index 43068005..77e86854 100644
--- a/lib/isc/nls/msgcat.c
+++ b/lib/isc/nls/msgcat.c
@@ -22,13 +22,12 @@
 #include <config.h>
 
 #include <stdlib.h>
-#include <stddef.h>
 
-#include <isc/assertions.h>
 #include <isc/msgcat.h>
+#include <isc/util.h>
 
 #ifdef HAVE_CATGETS
-#include <nl_types.h>
+#include <nl_types.h>		/* Required for nl_catd. */
 #endif
 
 /*
diff --git a/lib/isc/ondestroy.c b/lib/isc/ondestroy.c
index fd8afae5..16d464c1 100644
--- a/lib/isc/ondestroy.c
+++ b/lib/isc/ondestroy.c
@@ -17,25 +17,26 @@
 
 #include <config.h>
 
-#include <isc/assertions.h>
+#include <stddef.h>
+
+#include <isc/event.h>
+#include <isc/magic.h>
 #include <isc/ondestroy.h>
-#include <isc/result.h>
 #include <isc/task.h>
+#include <isc/util.h>
 
 #define ONDESTROY_MAGIC		0x44655374 /* DeSt */
-#define VALID_ONDESTROY(s)	(s != NULL && (s->magic == ONDESTROY_MAGIC))
+#define VALID_ONDESTROY(s)	ISC_MAGIC_VALID(s, ONDESTROY_MAGIC)
 
 void
-isc_ondestroy_init(isc_ondestroy_t *ondest)
-{
+isc_ondestroy_init(isc_ondestroy_t *ondest) {
 	ondest->magic = ONDESTROY_MAGIC;
 	ISC_LIST_INIT(ondest->events);
 }
 
-
 isc_result_t
-isc_ondestroy_register(isc_ondestroy_t *ondest,
-		       isc_task_t *task, isc_event_t **eventp)
+isc_ondestroy_register(isc_ondestroy_t *ondest, isc_task_t *task,
+		       isc_event_t **eventp)
 {
 	isc_event_t *theevent;
 	isc_task_t *thetask = NULL;
@@ -50,18 +51,15 @@ isc_ondestroy_register(isc_ondestroy_t *ondest,
 
 	isc_task_attach(task, &thetask);
 
-	theevent->sender = thetask;
+	theevent->ev_sender = thetask;
 	
-	ISC_LIST_APPEND(ondest->events, theevent, link);
+	ISC_LIST_APPEND(ondest->events, theevent, ev_link);
 
 	return (ISC_R_SUCCESS);
 }
 
-
-
 void
-isc_ondestroy_notify(isc_ondestroy_t *ondest, void *sender)
-{
+isc_ondestroy_notify(isc_ondestroy_t *ondest, void *sender) {
 	isc_event_t *eventp;
 	isc_task_t *task;
 	
@@ -69,10 +67,10 @@ isc_ondestroy_notify(isc_ondestroy_t *ondest, void *sender)
 
 	eventp = ISC_LIST_HEAD(ondest->events);
 	while (eventp != NULL) {
-		ISC_LIST_UNLINK(ondest->events, eventp, link);
+		ISC_LIST_UNLINK(ondest->events, eventp, ev_link);
 
-		task = eventp->sender;
-		eventp->sender = sender;
+		task = eventp->ev_sender;
+		eventp->ev_sender = sender;
 		
 		isc_task_sendanddetach(&task, &eventp);
 
diff --git a/lib/isc/print.c b/lib/isc/print.c
index c49c2e84..51611035 100644
--- a/lib/isc/print.c
+++ b/lib/isc/print.c
@@ -17,9 +17,18 @@
 
 #include <config.h>
 
+#include <ctype.h>
+#include <stdio.h>		/* for sprintf */
+#include <stdlib.h>
+
 #include <isc/assertions.h>
 #include <isc/print.h>
 #include <isc/platform.h>
+#include <isc/util.h>
+
+#ifndef ISC_PLATFORM_NEEDVSNPRINTF
+#error ISC_PLATFORM_NEEDVSPRINTF needs to be defined to compile this file.
+#endif
 
 /*
  * Return length of string that would have been written if not truncated.
@@ -56,6 +65,7 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
 	unsigned long long tmpui;
 	unsigned long width;
 	unsigned long precision;
+	unsigned int length;
 	char buf[1024];
 	char *cp;
 	char *save = str;
@@ -63,7 +73,6 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
 	void *v;
 	char *head;
 	int count = 0;
-	int length;
 	int pad;
 	int zeropad;
 	int dot;
@@ -88,7 +97,9 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
 		}
 		format++;
 
-		/* reset flags */
+		/*
+		 * Reset flags.
+		 */
 		dot = neg = space = plus = left = zero = alt = h = l = q = 0;
 		width = precision = 0;
 		head = "";
@@ -118,24 +129,28 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
 				break;
 		} while (1);
 
-		/* width */
+		/*
+		 * Width.
+		 */
 		if (*format == '*') {
 			width = va_arg(ap, int);
 			format++;
-		} else if (isdigit(*format)) {
+		} else if (isdigit((unsigned char)*format)) {
 			char *e;
 			width = strtoul(format, &e, 10);
 			format = e;
 		} 
 
-		/* precision */
+		/*
+		 * Precision.
+		 */
 		if (*format == '.') {
 			format++;
 			dot = 1;
 			if (*format == '*') {
 				precision = va_arg(ap, int);
 				format++;
-			} else if (isdigit(*format)) {
+			} else if (isdigit((unsigned char)*format)) {
 				char *e;
 				precision = strtoul(format, &e, 10);
 				format = e;
@@ -226,9 +241,9 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
 				if (q)
 					tmpui = va_arg(ap, unsigned long long);
 				else if (l)
-					tmpi = va_arg(ap, long int);
+					tmpui = va_arg(ap, long int);
 				else
-					tmpi = va_arg(ap, int);
+					tmpui = va_arg(ap, int);
 #ifdef ISC_PLATFORM_LONGLONGEQUALLONG
 				sprintf(buf, alt ? "%#lo" : "%lo", tmpui);
 #else
@@ -289,7 +304,9 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
 					length = strlen(buf);
 					if (length < precision)
 						zeropad = precision - length;
-					if (width) {
+					else if (length < width && zero)
+						zeropad = width - length;
+					if (width != 0) {
 						pad = width - length -
 						      zeropad - strlen(head);
 						if (pad < 0)
@@ -335,7 +352,9 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
 			REQUIRE(cp != NULL);
 
 			if (precision != 0) {
-				/* cp need not be NULL terminated */
+				/*
+				 * cp need not be NULL terminated.
+				 */
 				char *tp;
 				unsigned long n;
 
@@ -480,7 +499,7 @@ isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
 			 */
 			if (precision > 512)
 				precision = 512;
-			sprintf(fmt, "%%%s%s.%d%s%c", alt ? "#" : "",
+			sprintf(fmt, "%%%s%s.%lu%s%c", alt ? "#" : "",
 				plus ? "+" : space ? " " : "",
 				precision, l ? "L" : "", *format);
 			switch (*format) {
diff --git a/lib/isc/pthreads/Makefile.in b/lib/isc/pthreads/Makefile.in
index cd47c1e8..6608d8e5 100644
--- a/lib/isc/pthreads/Makefile.in
+++ b/lib/isc/pthreads/Makefile.in
@@ -26,9 +26,9 @@ CINCLUDES =	-I${srcdir}/include \
 CDEFINES =
 CWARNINGS =
 
-OBJS =		condition.@O@
+OBJS =		condition.@O@ thread.@O@
 
-SRCS =		condition.c
+SRCS =		condition.c thread.c
 
 SUBDIRS =	include
 TARGETS =	${OBJS}
diff --git a/lib/isc/pthreads/condition.c b/lib/isc/pthreads/condition.c
index e225d2e4..eea2331e 100644
--- a/lib/isc/pthreads/condition.c
+++ b/lib/isc/pthreads/condition.c
@@ -18,22 +18,33 @@
 #include <config.h>
 
 #include <errno.h>
-#include <string.h>
 
-#include <isc/assertions.h>
 #include <isc/condition.h>
-#include <isc/error.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
 
 isc_result_t
-isc_condition_waituntil(isc_condition_t *c, isc_mutex_t *m, isc_time_t *t)
-{
+isc_condition_waituntil(isc_condition_t *c, isc_mutex_t *m, isc_time_t *t) {
 	int presult;
+	isc_result_t result;
 	struct timespec ts;
 
 	REQUIRE(c != NULL && m != NULL && t != NULL);
 
-	ts.tv_sec = t->seconds;
-	ts.tv_nsec = t->nanoseconds;
+	/*
+	 * POSIX defines a timepsec's tv_sec as time_t.
+	 */
+	result = isc_time_secondsastimet(t, &ts.tv_sec);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * POSIX defines a timespec's tv_nsec as long.  isc_time_nanoseconds
+	 * ensures its return value is < 1 billion, which will fit in a long.
+	 */
+	ts.tv_nsec = (long)isc_time_nanoseconds(t);
+
 	do {
 		presult = pthread_cond_timedwait(c, m, &ts);
 		if (presult == 0)
diff --git a/lib/isc/pthreads/include/isc/condition.h b/lib/isc/pthreads/include/isc/condition.h
index d4e4681e..490610a1 100644
--- a/lib/isc/pthreads/include/isc/condition.h
+++ b/lib/isc/pthreads/include/isc/condition.h
@@ -18,15 +18,10 @@
 #ifndef ISC_CONDITION_H
 #define ISC_CONDITION_H 1
 
-#include <pthread.h>
-
-#include <isc/boolean.h>
-#include <isc/result.h>
-#include <isc/mutex.h>
-#include <isc/time.h>
 #include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
+#include <isc/mutex.h>
+#include <isc/result.h>
+#include <isc/types.h>
 
 typedef pthread_cond_t isc_condition_t;
 
@@ -50,8 +45,10 @@ typedef pthread_cond_t isc_condition_t;
 	((pthread_cond_destroy((cp)) == 0) ? \
 	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
 
-isc_result_t isc_condition_waituntil(isc_condition_t *, isc_mutex_t *,
-				     isc_time_t *);
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_condition_waituntil(isc_condition_t *, isc_mutex_t *, isc_time_t *);
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/isc/pthreads/include/isc/mutex.h b/lib/isc/pthreads/include/isc/mutex.h
index c0d5a881..832a547f 100644
--- a/lib/isc/pthreads/include/isc/mutex.h
+++ b/lib/isc/pthreads/include/isc/mutex.h
@@ -20,10 +20,7 @@
 
 #include <pthread.h>
 
-#include <isc/lang.h>
-#include <isc/result.h>
-
-ISC_LANG_BEGINDECLS
+#include <isc/result.h>		/* for ISC_R_ codes */
 
 typedef pthread_mutex_t	isc_mutex_t;
 
@@ -45,6 +42,4 @@ typedef pthread_mutex_t	isc_mutex_t;
 	((pthread_mutex_destroy((mp)) == 0) ? \
 	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
 
-ISC_LANG_ENDDECLS
-
 #endif /* ISC_MUTEX_H */
diff --git a/lib/isc/pthreads/include/isc/once.h b/lib/isc/pthreads/include/isc/once.h
index 2aabfff2..54661832 100644
--- a/lib/isc/pthreads/include/isc/once.h
+++ b/lib/isc/pthreads/include/isc/once.h
@@ -20,11 +20,8 @@
 
 #include <pthread.h>
 
-#include <isc/lang.h>
 #include <isc/result.h>
 
-ISC_LANG_BEGINDECLS
-
 typedef pthread_once_t	isc_once_t;
 
 #define ISC_ONCE_INIT PTHREAD_ONCE_INIT
@@ -35,6 +32,4 @@ typedef pthread_once_t	isc_once_t;
 	((pthread_once((op), (f)) == 0) ? \
 	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
 
-ISC_LANG_ENDDECLS
-
 #endif /* ISC_ONCE_H */
diff --git a/lib/isc/pthreads/include/isc/thread.h b/lib/isc/pthreads/include/isc/thread.h
index 57fb6c9f..25bf9e4d 100644
--- a/lib/isc/pthreads/include/isc/thread.h
+++ b/lib/isc/pthreads/include/isc/thread.h
@@ -30,11 +30,10 @@ typedef void * isc_threadresult_t;
 typedef void * isc_threadarg_t;
 typedef isc_threadresult_t (*isc_threadfunc_t)(isc_threadarg_t);
 
-/* XXX We could do fancier error handling... */
+isc_result_t
+isc_thread_create(isc_threadfunc_t, isc_threadarg_t, isc_thread_t *);
 
-#define isc_thread_create(s, a, tp) \
-	((pthread_create((tp), NULL, (s), (a)) == 0) ? \
-	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+/* XXX We could do fancier error handling... */
 
 #define isc_thread_join(t, rp) \
 	((pthread_join((t), (rp)) == 0) ? \
diff --git a/lib/isc/strsep.c b/lib/isc/pthreads/thread.c
index 5c71c711..5941300b 100644
--- a/lib/isc/strsep.c
+++ b/lib/isc/pthreads/thread.c
@@ -16,25 +16,38 @@
  */
 
 #include <config.h>
-#include <isc/string.h>
-
-char *
-isc_strsep(char **stringp, const char *delim) {
-	char *string = *stringp;
-	char *s;
-	const char *d;
-	char sc, dc;
-
-	if (string == NULL)
-		return (NULL);
-
-	for (s = string; (sc = *s) != '\0'; s++)
-		for (d = delim; (dc = *d) != '\0'; d++)
-			if (sc == dc) {
-				*s++ = '\0';
-				*stringp = s;
-				return (string);
-			}
-	*stringp = NULL;
-	return (string);
+
+#include <isc/thread.h>
+
+#ifndef THREAD_MINSTACKSIZE
+#define THREAD_MINSTACKSIZE		(64 * 1024)
+#endif
+
+isc_result_t
+isc_thread_create(isc_threadfunc_t func, isc_threadarg_t arg,
+		  isc_thread_t *thread)
+{
+	pthread_attr_t attr;
+	size_t stacksize;
+	int ret;
+
+	pthread_attr_init(&attr);
+
+	ret = pthread_attr_getstacksize(&attr, &stacksize);
+	if (ret != 0)
+		return (ISC_R_UNEXPECTED);
+
+	if (stacksize < THREAD_MINSTACKSIZE) {
+		ret = pthread_attr_setstacksize(&attr, THREAD_MINSTACKSIZE);
+		if (ret != 0)
+			return (ISC_R_UNEXPECTED);
+	}
+
+	ret = pthread_create(thread, &attr, func, arg);
+	if (ret != 0)
+		return (ISC_R_UNEXPECTED);
+
+	pthread_attr_destroy(&attr);
+
+	return (ISC_R_SUCCESS);
 }
diff --git a/lib/isc/quota.c b/lib/isc/quota.c
index 460eec4c..55865025 100644
--- a/lib/isc/quota.c
+++ b/lib/isc/quota.c
@@ -14,8 +14,8 @@
  * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
  * SOFTWARE.
  */
+#include <config.h>
 
-#include <isc/assertions.h>
 #include <isc/quota.h>
 #include <isc/util.h>
 
diff --git a/lib/isc/random.c b/lib/isc/random.c
index 08113239..a403e26f 100644
--- a/lib/isc/random.c
+++ b/lib/isc/random.c
@@ -18,12 +18,11 @@
 #include <config.h>
 
 #include <stdlib.h>
-#include <string.h>
 
-#include <isc/assertions.h>
 #include <isc/mutex.h>
 #include <isc/once.h>
 #include <isc/random.h>
+#include <isc/string.h>
 #include <isc/util.h>
 
 static isc_once_t once = ISC_ONCE_INIT;
@@ -77,6 +76,8 @@ isc_random_seed(isc_random_t *r, isc_uint32_t seed)
 {
 	REQUIRE(ISC_RANDOM_VALID(r));
 
+	UNUSED(r);
+
 	initialize();
 
 #if 0
@@ -96,6 +97,8 @@ isc_random_get(isc_random_t *r, isc_uint32_t *val)
 	REQUIRE(ISC_RANDOM_VALID(r));
 	REQUIRE(val != NULL);
 
+	UNUSED(r);
+	
 	initialize();
 
 #if 0
diff --git a/lib/isc/ratelimiter.c b/lib/isc/ratelimiter.c
index a9f05554..dd3d50d9 100644
--- a/lib/isc/ratelimiter.c
+++ b/lib/isc/ratelimiter.c
@@ -17,23 +17,43 @@
 
 #include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/boolean.h>
-#include <isc/error.h>
+#include <isc/mem.h>
 #include <isc/ratelimiter.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
 #include <isc/util.h>
 
+typedef enum {
+	isc_ratelimiter_ratelimited,
+	isc_ratelimiter_worklimited,
+	isc_ratelimiter_shuttingdown
+} isc_ratelimiter_state_t;
+
 struct isc_ratelimiter {
 	isc_mem_t *		mctx;
 	isc_mutex_t		lock;
 	isc_task_t *		task;
 	isc_timer_t *		timer;
 	isc_interval_t		interval;
+	isc_uint32_t		pertic;
 	isc_ratelimiter_state_t	state;
+	isc_event_t		shutdownevent;
 	ISC_LIST(isc_event_t)	pending;
 };
 
-static void ratelimiter_tick(isc_task_t *task, isc_event_t *event);
+#define ISC_RATELIMITEREVENT_SHUTDOWN (ISC_EVENTCLASS_RATELIMITER + 1)
+
+static void
+ratelimiter_tick(isc_task_t *task, isc_event_t *event);
+
+static void
+ratelimiter_shutdowncomplete(isc_task_t *task, isc_event_t *event) {
+	isc_ratelimiter_t *rl = (isc_ratelimiter_t *)event->ev_arg;
+	UNUSED(task);
+	isc_mutex_destroy(&rl->lock);
+	isc_mem_put(rl->mctx, rl, sizeof(*rl));
+}
 
 isc_result_t
 isc_ratelimiter_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
@@ -50,6 +70,7 @@ isc_ratelimiter_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
 	rl->task = task;
 	isc_interval_set(&rl->interval, 0, 0);
 	rl->timer = NULL;
+	rl->pertic = 1;
 	rl->state = isc_ratelimiter_worklimited;
 	ISC_LIST_INIT(rl->pending);
 
@@ -62,6 +83,11 @@ isc_ratelimiter_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
 	if (result != ISC_R_SUCCESS)
 		goto free_mutex;
 
+	ISC_EVENT_INIT(&rl->shutdownevent,
+		       sizeof(isc_event_t),
+		       0, NULL, ISC_RATELIMITEREVENT_SHUTDOWN,
+		       ratelimiter_shutdowncomplete, rl, rl, NULL, NULL);
+
 	*ratelimiterp = rl;
 	return (ISC_R_SUCCESS);
 
@@ -73,8 +99,7 @@ free_mem:
 }
 
 isc_result_t
-isc_ratelimiter_setinterval(isc_ratelimiter_t *rl, isc_interval_t *interval)
-{
+isc_ratelimiter_setinterval(isc_ratelimiter_t *rl, isc_interval_t *interval) {
 	isc_result_t result = ISC_R_SUCCESS;
 	LOCK(&rl->lock);
 	rl->interval = *interval;
@@ -88,80 +113,117 @@ isc_ratelimiter_setinterval(isc_ratelimiter_t *rl, isc_interval_t *interval)
 	UNLOCK(&rl->lock);
 	return (result);
 }
-			    
+
+void
+isc_ratelimiter_setpertic(isc_ratelimiter_t *rl, isc_uint32_t pertic) {
+	if (pertic == 0)
+		pertic = 1;
+	rl->pertic = pertic;
+}
 			
 isc_result_t
-isc_ratelimiter_enqueue(isc_ratelimiter_t *rl, isc_event_t **eventp)
+isc_ratelimiter_enqueue(isc_ratelimiter_t *rl, isc_task_t *task,
+			isc_event_t **eventp)
 {
 	isc_result_t result = ISC_R_SUCCESS;
-	INSIST(eventp != NULL && *eventp != NULL);
+	isc_event_t *ev;
+
+	REQUIRE(eventp != NULL && *eventp != NULL);
+	REQUIRE(task != NULL);
+	ev = *eventp;
+	REQUIRE(ev->ev_sender == NULL);
+
 	LOCK(&rl->lock);
         if (rl->state == isc_ratelimiter_ratelimited) {
 		isc_event_t *ev = *eventp;
-                ISC_LIST_APPEND(rl->pending, ev, link);
+		ev->ev_sender = task;
+                ISC_LIST_APPEND(rl->pending, ev, ev_link);
 		*eventp = NULL;
-        } else {
+        } else if (rl->state == isc_ratelimiter_worklimited) {
 		result = isc_timer_reset(rl->timer, isc_timertype_ticker, NULL,
 					 &rl->interval, ISC_FALSE);
-		if (result == ISC_R_SUCCESS)
+		if (result == ISC_R_SUCCESS) {
+			ev->ev_sender = task;
 			rl->state = isc_ratelimiter_ratelimited;
+		}
+	} else {
+		INSIST(rl->state == isc_ratelimiter_shuttingdown);
+		result = ISC_R_SHUTTINGDOWN;
 	}
 	UNLOCK(&rl->lock);
-	if (*eventp != NULL)
-		isc_task_send(rl->task, eventp);
-	ENSURE(*eventp == NULL);
+	if (*eventp != NULL && result == ISC_R_SUCCESS)
+		isc_task_send(task, eventp);
 	return (result);
 }
 
 static void
-ratelimiter_tick(isc_task_t *task, isc_event_t *event)
-{
+ratelimiter_tick(isc_task_t *task, isc_event_t *event) {
 	isc_result_t result = ISC_R_SUCCESS;
-	isc_ratelimiter_t *rl = (isc_ratelimiter_t *) event->arg;
+	isc_ratelimiter_t *rl = (isc_ratelimiter_t *)event->ev_arg;
 	isc_event_t *p;
-	(void) task; /* Unused */
-	LOCK(&rl->lock);
-        p = ISC_LIST_HEAD(rl->pending);
-        if (p != NULL) {
-		/*
-		 * There is work to do.  Let's do it after unlocking.
-		 */
-                ISC_LIST_UNLINK(rl->pending, p, link);
-	} else {
-		/*
-		 * No work left to do.  Stop the timer so that we don't
-		 * waste resources by having it fire periodically.
-		 */
-		result = isc_timer_reset(rl->timer, isc_timertype_inactive,
-					 NULL, NULL, ISC_FALSE);
-		RUNTIME_CHECK(result == ISC_R_SUCCESS);
-		rl->state = isc_ratelimiter_worklimited;
-	}
-        UNLOCK(&rl->lock);
+	isc_uint32_t pertic;
+
+	UNUSED(task);
+
 	isc_event_free(&event);
-	/*
-	 * If we have an event, dispatch it.
-	 * There is potential for optimization here since
-	 * we are already executing in the context of "task".
-	 */
-	if (p != NULL)
-		isc_task_send(rl->task, &p);
-	INSIST(p == NULL);
+
+	pertic = rl->pertic;
+        while (pertic != 0) {
+		pertic--;
+		LOCK(&rl->lock);
+		p = ISC_LIST_HEAD(rl->pending);
+		if (p != NULL) {
+			/*
+			 * There is work to do.  Let's do it after unlocking.
+			 */
+			ISC_LIST_UNLINK(rl->pending, p, ev_link);
+		} else {
+			/*
+			 * No work left to do.  Stop the timer so that we don't
+			 * waste resources by having it fire periodically.
+			 */
+			result = isc_timer_reset(rl->timer, isc_timertype_inactive,
+						 NULL, NULL, ISC_FALSE);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			rl->state = isc_ratelimiter_worklimited;
+			pertic = 0;	/* Force the loop to exit. */
+		}
+		UNLOCK(&rl->lock);
+		if (p != NULL) {
+			isc_task_t *evtask = p->ev_sender;
+			isc_task_send(evtask, &p);
+		}
+		INSIST(p == NULL);
+	}
 }
 
 void
-isc_ratelimiter_destroy(isc_ratelimiter_t **ratelimiterp) 
-{
-	isc_ratelimiter_t *rl = *ratelimiterp;
-	isc_event_t *p;
+isc_ratelimiter_shutdown(isc_ratelimiter_t *rl) {
+	isc_event_t *ev;
+	isc_task_t *task;
+	LOCK(&rl->lock);
+	rl->state = isc_ratelimiter_shuttingdown;
 	(void) isc_timer_reset(rl->timer, isc_timertype_inactive,
 			       NULL, NULL, ISC_FALSE);
-	isc_timer_detach(&rl->timer);
-	while ((p = ISC_LIST_HEAD(rl->pending)) != NULL) {
-		ISC_LIST_UNLINK(rl->pending, p, link);
-		isc_event_free(&p);
+	while ((ev = ISC_LIST_HEAD(rl->pending)) != NULL) {
+		ISC_LIST_UNLINK(rl->pending, ev, ev_link);
+		ev->ev_attributes |= ISC_EVENTATTR_CANCELED;
+		task = ev->ev_sender;
+		isc_task_send(task, &ev);
 	}
-	isc_mutex_destroy(&rl->lock);
-	isc_mem_put(rl->mctx, rl, sizeof(*rl));
+	UNLOCK(&rl->lock);
+}
+
+void
+isc_ratelimiter_destroy(isc_ratelimiter_t **ratelimiterp) {
+	isc_ratelimiter_t *rl = *ratelimiterp;
+	isc_event_t *ev = &rl->shutdownevent;
+	isc_timer_detach(&rl->timer);
+	/*
+	 * Send an event to our task and wait for it to be delivered
+	 * before freeing memory.  This guarantees that any timer
+	 * event still in the task's queue are delivered first.
+	 */
+	isc_task_send(rl->task, &ev);
 	*ratelimiterp = NULL;
 }
diff --git a/lib/isc/rbtgen.c b/lib/isc/rbtgen.c
deleted file mode 100644
index 14e595f9..00000000
--- a/lib/isc/rbtgen.c
+++ /dev/null
@@ -1,530 +0,0 @@
-/*
- * Copyright (C) 1998, 1999, 2000  Internet Software Consortium.
- * 
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- * 
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/*
- * This file is a generic template that can be used to create a red-black
- * tree library for a specified node type.
- */
-
-/*
- * Red-Black Tree algorithms adapted from:
- *
- *	_Introduction to Algorithms_, Cormen, Leiserson, and Rivest,
- *	MIT Press / McGraw Hill, 1990, ISBN 0-262-03141-8, chapter 14.
- */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <stddef.h>
-
-#include <isc/rbtgen.h>
-#include <isc/boolean.h>
-#include <isc/assertions.h>
-
-#ifdef RBT_TRACE
-#define TRACE_CASE(n)		printf("case %d\n", (n))
-#define TRACE_NODE(n) \
-	do { \
-		printf("%p ", (n)); \
-		PRINT_KEY(KEY(n)); \
-		printf(" (%s)\n", IS_RED((n)) ? "red" : "black"); \
-	} while (0)
-#else
-#define TRACE_CASE(n)
-#define TRACE_NODE(n)
-#endif
-
-#define COLOR(node)		((node)->color)
-#define KEY(node)		((node)->data)
-#define LEFT(node)		((node)->left)
-#define RIGHT(node)		((node)->right)
-#define PARENT(node)		((node)->parent)
-
-#define SET_COLOR(node, value)	((node)->color  = (value))
-#define SET_KEY(node, value)	((node)->data   = (value))
-#define SET_LEFT(node, child)	((node)->left   = (child))
-#define SET_RIGHT(node, child)	((node)->right  = (child))
-#define SET_PARENT(node, child)	((node)->parent = (child))
-
-#define IS_RED(node)		((node) != NULL && (node)->color == red)
-#define IS_BLACK(node)		((node) == NULL || (node)->color == black)
-#define MAKE_RED(node)		((node)->color = red)
-#define MAKE_BLACK(node)	((node)->color = black)
-
-static inline void
-rotate_left(RBT_NODE *node, RBT_NODE **rootp) {
-	RBT_NODE *child;
-
-	REQUIRE(node != NULL);
-	REQUIRE(rootp != NULL);
-
-	child = RIGHT(node);
-	REQUIRE(child != NULL);
-
-	SET_RIGHT(node, LEFT(child));
-	if (LEFT(child) != NULL)
-		SET_PARENT(LEFT(child), node);
-
-	SET_LEFT(child, node);
-	SET_PARENT(child, PARENT(node));
-	if (PARENT(node) != NULL) {
-		if (LEFT(PARENT(node)) == node)
-			SET_LEFT(PARENT(node), child);
-		else {
-			SET_RIGHT(PARENT(node), child);
-		}
-	} else
-		*rootp = child;
-
-	SET_PARENT(node, child);
-}
-
-static inline void
-rotate_right(RBT_NODE *node, RBT_NODE **rootp) {
-	RBT_NODE *child;
-
-	REQUIRE(node != NULL);
-	REQUIRE(rootp != NULL);
-
-	child = LEFT(node);
-	REQUIRE(child != NULL);
-
-	SET_LEFT(node, RIGHT(child));
-	if (RIGHT(child) != NULL)
-		SET_PARENT(RIGHT(child), node);
-
-	SET_RIGHT(child, node);
-	SET_PARENT(child, PARENT(node));
-	if (PARENT(node) != NULL) {
-		if (LEFT(PARENT(node)) == node)
-			SET_LEFT(PARENT(node), child);
-		else
-			SET_RIGHT(PARENT(node), child);
-	} else
-		*rootp = child;
-
-	SET_PARENT(node, child);
-}
-
-isc_result_t
-RBT_INSERT(RBT_NODE *node, RBT_NODE **rootp, int (*compare)(void *, void *)) {
-	RBT_NODE *current, *child, *root, *parent, *grandparent;
-	int i;
-
-	REQUIRE(rootp != NULL);
-	REQUIRE(LEFT(node) == NULL && RIGHT(node) == NULL);
-	REQUIRE(KEY(node) != NULL);
-
-	root = *rootp;
-	if (root == NULL) {
-		MAKE_BLACK(node);
-		*rootp = node;
-		return (ISC_R_SUCCESS);
-	}
-
-	current = NULL;
-	child = root;
-	do {
-		current = child;
-		i = compare(KEY(node), KEY(current));
-		if (i == 0)
-			return (ISC_R_EXISTS);
-		if (i < 0)
-			child = LEFT(current);
-		else
-			child = RIGHT(current);
-	} while (child != NULL);
-	if (i < 0)
-		SET_LEFT(current, node);
-	else
-		SET_RIGHT(current, node);
-	MAKE_RED(node);
-	SET_PARENT(node, current);
-
-	while (node != root && IS_RED(PARENT(node))) {
-		parent = PARENT(node);
-		grandparent = PARENT(PARENT(node));
-
-		TRACE_NODE(n);
-
-		if (parent == LEFT(grandparent)) {
-			child = RIGHT(grandparent);
-			if (child != NULL && IS_RED(child)) {
-				TRACE_CASE(1);
-				MAKE_BLACK(parent);
-				MAKE_BLACK(child);
-				MAKE_RED(grandparent);
-				node = grandparent;
-			} else {
-				if (node == RIGHT(parent)) {
-					TRACE_CASE(2);
-					node = parent;
-					rotate_left(node, &root);
-					parent = PARENT(node);
-					grandparent = PARENT(PARENT(node));
-				}
-				TRACE_CASE(3);
-				MAKE_BLACK(parent);
-				MAKE_RED(grandparent);
-				rotate_right(grandparent, &root);
-			}
-		} else {
-			child = LEFT(grandparent);
-			if (child != NULL && IS_RED(child)) {
-				TRACE_CASE(4);
-				MAKE_BLACK(parent);
-				MAKE_BLACK(child);
-				MAKE_RED(grandparent);
-				node = grandparent;
-			} else {
-				if (node == LEFT(parent)) {
-					TRACE_CASE(5);
-					node = parent;
-					rotate_right(node, &root);
-					parent = PARENT(node);
-					grandparent = PARENT(PARENT(node));
-				}
-				TRACE_CASE(6);
-				MAKE_BLACK(parent);
-				MAKE_RED(grandparent);
-				rotate_left(grandparent, &root);
-			}
-		}
-	}
-
-	MAKE_BLACK(root);
-	*rootp = root;
-
-	return (ISC_R_SUCCESS);
-}
-
-/* node must belong to a pointer in the tree; how could this be ensured? */
-isc_result_t
-RBT_DELETE(RBT_NODE *delete, RBT_NODE **rootp) {
-	RBT_NODE *successor, *sibling, *child = NULL;
-
-	REQUIRE(rootp != NULL);
-	REQUIRE(delete);
-
-	if (LEFT(delete) == NULL)
-		if (RIGHT(delete) == NULL) {
-			if (*rootp == delete) {
-				/* this is the only item in the tree */
-				*rootp = NULL;
-				return(ISC_R_SUCCESS);
-			}
-		} else
-			/* this node has one child, on the right */
-			child = RIGHT(delete);
-
-	else if (RIGHT(delete) == NULL)
-		/* this node has one child, on the left */
-		child = LEFT(delete);
-
-	else {
-		RBT_NODE holder, *tmp = &holder;
-
-		/* this node has two children, so it cannot be directly
-		   deleted.  find its immediate in-order successor and
-		   move it to this location, then do the deletion at the
-		   old site of the successor */
-		successor = RIGHT(delete);
-		while (LEFT(successor) != NULL)
-			successor = LEFT(successor);
-
-		/* the successor cannot possibly have a left child;
-		   if there is any child, it is on the right */
-		if (RIGHT(successor))
-			child = RIGHT(successor);
-
-		/* swap the two nodes; it would be simpler to just replace
-		   the value being deleted with that of the successor,
-		   but this rigamarole is done so the caller has complete
-		   control over the pointers (and memory allocation) of
-		   all of nodes.  if just the key value were removed from
-		   the tree, the pointer to the node would would be
-		   unchanged. */
-
-		/* first, put the successor in the tree location of the
-		   node to be deleted */
-
-		memcpy(tmp, successor, sizeof(RBT_NODE));
-
-		if (LEFT(PARENT(delete)) == delete)
-			SET_LEFT(PARENT(delete), successor);
-		else
-			SET_RIGHT(PARENT(delete), successor);
-
-		SET_PARENT(successor, PARENT(delete));
-
-		if (LEFT(delete) != NULL)
-			SET_PARENT(LEFT(delete), successor);
-
-		if (RIGHT(delete) != NULL && RIGHT(delete) != successor)
-			SET_PARENT(RIGHT(delete), successor);
-
-		SET_COLOR(successor, COLOR(delete));
-		SET_LEFT(successor, LEFT(delete));
-		SET_RIGHT(successor, RIGHT(delete));
-
-		/* now relink the node to be deleted into the
-		   successor's previous tree location */
-		if (PARENT(tmp) != delete) {
-			if (LEFT(PARENT(tmp)) == successor)
-				SET_LEFT(PARENT(tmp), delete);
-			else
-				SET_RIGHT(PARENT(tmp), delete);
-			SET_PARENT(delete, PARENT(tmp));
-		} else
-			SET_PARENT(delete, successor);
-
-		/* original successor node has no left */
-		if (RIGHT(tmp) != NULL)
-			SET_PARENT(RIGHT(tmp), delete);
-
-		SET_COLOR(delete, COLOR(tmp));
-		SET_LEFT(delete, LEFT(tmp));
-		SET_RIGHT(delete, RIGHT(tmp));
-
-	}
-
-
-	/* fix the parent chain if a non-leaf is being deleted */
-	if (PARENT(delete) != NULL) {
-		if (LEFT(PARENT(delete)) == delete) {
-			SET_LEFT(PARENT(delete), child);
-			sibling = RIGHT(PARENT(delete));
-		} else {
-			SET_RIGHT(PARENT(delete), child);
-			sibling = LEFT(PARENT(delete));
-		}
-
-		if (child != NULL)
-			SET_PARENT(child, PARENT(delete));
-	} else {
-		/* this is the root being deleted, with just one child */
-		SET_PARENT(child, NULL);
-		sibling= NULL;
-		*rootp = child;
-	} 
-
-	/* fix color violations */
-	if (IS_BLACK(delete)) {
-		RBT_NODE *parent;
-		parent = PARENT(delete);
-
-		while (child != *rootp && IS_BLACK(child)) {
-			/* parent = PARENT(parent_pointer); */
-
-			if (LEFT(parent) == child) {
-				sibling = RIGHT(parent);
-				if (IS_RED(sibling)) {
-					MAKE_BLACK(sibling);
-					MAKE_RED(parent);
-					rotate_left(parent, rootp);
-					sibling = RIGHT(parent);
-				}
-				if (IS_BLACK(LEFT(sibling)) &&
-				    IS_BLACK(RIGHT(sibling))) {
-					MAKE_RED(sibling);
-					child = parent;
-				} else {
-					if (IS_BLACK(RIGHT(sibling))) {
-						MAKE_BLACK(LEFT(sibling));
-						MAKE_RED(sibling);
-						rotate_right(sibling, rootp);
-						sibling = RIGHT(parent);
-					}
-					SET_COLOR(sibling, COLOR(parent));
-					MAKE_BLACK(parent);
-					MAKE_BLACK(RIGHT(sibling));
-					rotate_left(parent, rootp);
-					child = *rootp;
-				}
-			} else {
-				sibling = LEFT(parent);
-				if (IS_RED(sibling)) {
-					MAKE_BLACK(sibling);
-					MAKE_RED(parent);
-					rotate_right(parent, rootp);
-					sibling = LEFT(parent);
-				}
-				if (IS_BLACK(LEFT(sibling)) &&
-				    IS_BLACK(RIGHT(sibling))) {
-					MAKE_RED(sibling);
-					child = parent;
-				} else {
-					if (IS_BLACK(LEFT(sibling))) {
-						MAKE_BLACK(RIGHT(sibling));
-						MAKE_RED(sibling);
-						rotate_left(sibling, rootp);
-						sibling = LEFT(parent);
-					}
-					SET_COLOR(sibling, COLOR(parent));
-					MAKE_BLACK(parent);
-					MAKE_BLACK(LEFT(sibling));
-					rotate_right(parent, rootp);
-					child = *rootp;
-				}
-			}
-					
-			parent = PARENT(child);
-		}
-
-		if (IS_RED(child))
-			MAKE_BLACK(child);
-	}
-
-	return(ISC_R_SUCCESS);
-}
-
-RBT_NODE *
-RBT_SEARCH(RBT_NODE *current, void *key, int (*compare)(void *, void *)) {
-	int i;
-
-	while (current != NULL) {
-		i = compare(key, KEY(current));
-		if (i == 0)
-			break;
-		if (i < 0)
-			current = LEFT(current);
-		else
-			current = RIGHT(current);
-	}
-
-	return(current);
-}
-
-static inline void
-print_tree(RBT_NODE *root, void (*print_key)(void *), int depth) {
-	int i;
-
-	for (i = 0; i < depth; i++)
-		putchar('\t');
-	if (root != NULL) {
-		print_key(KEY(root));
-		printf(" (%s", IS_RED(root) ? "RED" : "black");
-		if (root->parent) {
-			printf(" from ");
-			print_key(KEY(root->parent));
-		}
-		printf(")\n");
-		depth++;
-
-		if (IS_RED(root) && IS_RED(LEFT(root)))
-		    printf("** Red/Red color violation on left\n");
-		print_tree(LEFT(root), print_key, depth);
-
-		if (IS_RED(root) && IS_RED(RIGHT(root)))
-		    printf("** Red/Red color violation on right\n");
-		print_tree(RIGHT(root), print_key, depth);
-	} else
-		printf("NULL\n");
-}
-
-void
-RBT_PRINT(RBT_NODE *root, void (*print_key)(void *)) {
-	print_tree(root, print_key, 0);
-}
-
-#ifdef WANT_RBTGEN_MAIN
-
-int compare_int(void *, void *);
-void print_int(void *);
-
-int ints[] = {	12679, 26804, 7389, 20562, 24355, 23584,
-		10713, 8094, 19071, 6732, 2709, 6058,
-		3995, 3896, 15121, 1142, 2679, 26340,
-		30541, 29186,
-#if 0
-		6584, 13201, 21238, 30455, 6500, 30669,
-		10370, 2963, 26576, 17353, 19150, 19951,
-		12540, 21381, 17882, 23051, 24808, 8961,
-		26022, 3047, 9108, 28221, 13874, 32643,
-		25856, 12601, 894, 4319, 20780, 10229,
-#endif
-		0 };
-
-int
-compare_int(void *a, void *b) {
-	int i = *(int *)a, j = *(int *)b;
-	return(i == j ? 0 : (i < j ? -1 : 1));
-}
-
-void
-print_int(void *num) {
-	int i = *(int *)num;
-	(void)printf("%d", i);
-}
-
-#define KEY_VALUE(node, type)	(*(type *)((node)->data))
-
-void
-main() {
-	RBT_NODE nodes[sizeof(ints)/sizeof(int)], *p, *root;
-	int *i, j;
-
-	setbuf(stdout, NULL);
-
-	printf("For any two successive numbers at the same depth, the\n");
-	printf("first number (and all its descendants) should be less than\n");
-	printf("the number which immediately precedes it one depth level\n");
-	printf("higher, and the second number (and all its descendants)\n");
-	printf("should be greater than that preceding number\n\n");
-
-	for (i = &ints[0], p = &nodes[0]; *i != 0; i++, p++) {
-		printf("inserting %d\n", *i);
-		KEY(p) = i;
-		RBT_INSERT(p, &root, compare_int);
-
-		RBT_PRINT(root, print_int);
-	}
-
-	j = 2679;
-	i = &j;
-
-	printf("searching for %d ...", j);
-	p = RBT_SEARCH(root, i, compare_int);
-	if (p != NULL) {
-		printf("found %d\n", KEY_VALUE(p, int));
-	} else {
-		printf("not found!\n");
-	}
-
-	j = 9999;
-	i = &j;
-
-	printf("searching for %d ...", j);
-	p = RBT_SEARCH(root, i, compare_int);
-	if (p != NULL) {
-		printf("found %d\n", KEY_VALUE(p, int));
-	} else {
-		printf("not found!\n");
-	}
-
-	p = &nodes[sizeof(ints) / sizeof(int) - 2];
-	do {
-		printf("deleting %d\n", KEY_VALUE(p, int));
-		RBT_DELETE(p, &root);
-		RBT_PRINT(root, print_int);
-	} while (p-- != &nodes[0]);
-
-	exit(0);
-}
-#endif
diff --git a/lib/isc/result.c b/lib/isc/result.c
index d20c4630..79d42f96 100644
--- a/lib/isc/result.c
+++ b/lib/isc/result.c
@@ -17,17 +17,13 @@
 
 #include <config.h>
 
-#include <stddef.h>
 #include <stdlib.h>
 
-#include <isc/result.h>
-#include <isc/resultclass.h>
-#include <isc/assertions.h>
-#include <isc/error.h>
+#include <isc/lib.h>
+#include <isc/msgcat.h>
 #include <isc/mutex.h>
 #include <isc/once.h>
-#include <isc/msgcat.h>
-#include <isc/lib.h>
+#include <isc/resultclass.h>
 #include <isc/util.h>
 
 typedef struct resulttable {
@@ -61,7 +57,7 @@ static char *text[ISC_R_NRESULTS] = {
 	"already exists",			/* 18 */
 	"ran out of space",			/* 19 */
 	"operation canceled",			/* 20 */
-	"<available code 21>",			/* 21 */
+	"socket is not bound",			/* 21 */
 	"shutting down",			/* 22 */
 	"not found",				/* 23 */
 	"unexpected end of input",		/* 24 */
@@ -77,7 +73,11 @@ static char *text[ISC_R_NRESULTS] = {
 	"unexpected error",			/* 34 */
 	"already running",			/* 35 */
 	"ignore",				/* 36 */
-	"address mask not contiguous"		/* 37 */
+	"address mask not contiguous",		/* 37 */
+	"file not found",			/* 38 */
+	"file already exists",			/* 39 */
+	"socket is not connected",		/* 40 */
+	"out of range"				/* 41 */
 };
 
 #define ISC_RESULT_RESULTSET			2
diff --git a/lib/isc/rwlock.c b/lib/isc/rwlock.c
index 5c7ed83e..e08e4463 100644
--- a/lib/isc/rwlock.c
+++ b/lib/isc/rwlock.c
@@ -17,23 +17,21 @@
 
 #include <config.h>
 
-#include <stdio.h>
-
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/boolean.h>
+#include <isc/magic.h>
 #include <isc/rwlock.h>
 #include <isc/util.h>
 
-#define RWLOCK_MAGIC			0x52574C6BU	/* RWLk. */
-#define VALID_RWLOCK(rwl)		((rwl) != NULL && \
-					 (rwl)->magic == RWLOCK_MAGIC)
+#define RWLOCK_MAGIC		0x52574C6BU	/* RWLk. */
+#define VALID_RWLOCK(rwl)	ISC_MAGIC_VALID(rwl, RWLOCK_MAGIC)
 
 #ifdef ISC_RWLOCK_TRACE
+#include <stdio.h>		/* Required for fprintf/stderr. */
+
 static void
 print_lock(char *operation, isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 	fprintf(stderr,
-		"%s(%s): %s, %u active, %u granted, %u rwaiting, %u wwaiting\n",
+		"%s(%s): %s, %u active, %u granted, "
+		"%u rwaiting, %u wwaiting\n",
 		operation, (type == isc_rwlocktype_read ? "read" : "write"),
 	        (rwl->type == isc_rwlocktype_read ? "reading" : "writing"),
 	        rwl->active, rwl->granted, rwl->readers_waiting,
@@ -42,8 +40,7 @@ print_lock(char *operation, isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 #endif
 
 isc_result_t
-isc_rwlock_init(isc_rwlock_t *rwl,
-		unsigned int read_quota,
+isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
 		unsigned int write_quota)
 {
 	isc_result_t result;
@@ -160,6 +157,8 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 	LOCK(&rwl->lock);
 	REQUIRE(rwl->type == type);
 
+	UNUSED(type);
+
 #ifdef ISC_RWLOCK_TRACE
 	print_lock("preunlock", rwl, type);
 #endif
@@ -213,8 +212,8 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 
 void
 isc_rwlock_destroy(isc_rwlock_t *rwl) {
-
 	REQUIRE(VALID_RWLOCK(rwl));
+
 	LOCK(&rwl->lock);
 	REQUIRE(rwl->active == 0 &&
 		rwl->readers_waiting == 0 &&
diff --git a/lib/isc/serial.c b/lib/isc/serial.c
index e66a275c..141a316a 100644
--- a/lib/isc/serial.c
+++ b/lib/isc/serial.c
@@ -15,7 +15,8 @@
  * SOFTWARE.
  */
 
-	/* $Id: serial.c,v 1.3 2000/02/03 23:08:27 halley Exp $ */
+/* $Id: serial.c,v 1.4 2000/05/08 14:37:37 tale Exp $ */
+#include <config.h>
 
 #include <isc/serial.h>
 
diff --git a/lib/isc/sockaddr.c b/lib/isc/sockaddr.c
index 264a9a45..e3187bb7 100644
--- a/lib/isc/sockaddr.c
+++ b/lib/isc/sockaddr.c
@@ -17,20 +17,18 @@
 
 #include <config.h>
 
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
 #include <stdio.h>
 
-#include <isc/types.h>
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/sockaddr.h>
+#include <isc/buffer.h>
 #include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 isc_boolean_t
-isc_sockaddr_equal(const isc_sockaddr_t *a, const isc_sockaddr_t *b)
-{
+isc_sockaddr_equal(const isc_sockaddr_t *a, const isc_sockaddr_t *b) {
 	REQUIRE(a != NULL && b != NULL);
 
 	if (a->length != b->length)
@@ -65,13 +63,11 @@ isc_sockaddr_equal(const isc_sockaddr_t *a, const isc_sockaddr_t *b)
 	return (ISC_TRUE);
 }
 
-
 /*
  * Compare just the addresses (ignore ports)
  */
 isc_boolean_t
-isc_sockaddr_eqaddr(const isc_sockaddr_t *a, const isc_sockaddr_t *b)
-{
+isc_sockaddr_eqaddr(const isc_sockaddr_t *a, const isc_sockaddr_t *b) {
 	REQUIRE(a != NULL && b != NULL);
 
 	if (a->length != b->length)
@@ -144,7 +140,7 @@ isc_sockaddr_totext(const isc_sockaddr_t *sockaddr, isc_buffer_t *target) {
 	alen = strlen(abuf);
 	plen = strlen(pbuf);
 
-	isc_buffer_available(target, &avail);
+	isc_buffer_availableregion(target, &avail);
 	if (alen + 1 + plen + 1 > avail.length)
 		return (ISC_R_NOSPACE);
 	    
@@ -153,13 +149,28 @@ isc_sockaddr_totext(const isc_sockaddr_t *sockaddr, isc_buffer_t *target) {
 	isc_buffer_putmem(target, (unsigned char *) pbuf, plen);
 
 	/* Null terminate after used region. */
-	isc_buffer_available(target, &avail);
+	isc_buffer_availableregion(target, &avail);
 	INSIST(avail.length >= 1);
 	avail.base[0] = '\0';
 
 	return (ISC_R_SUCCESS);
 }
 
+void
+isc_sockaddr_format(isc_sockaddr_t *sa, char *array, unsigned int size) {
+	isc_result_t result;
+	isc_buffer_t buf;
+
+	isc_buffer_init(&buf, array, size);
+	result = isc_sockaddr_totext(sa, &buf);
+	if (result != ISC_R_SUCCESS) {
+		snprintf(array, size,
+			 "<unknown address, family %u>",
+			 sa->type.sa.sa_family);
+		array[size - 1] = '\0';
+	}
+}
+
 unsigned int
 isc_sockaddr_hash(const isc_sockaddr_t *sockaddr, isc_boolean_t address_only) {
 	unsigned int length;
@@ -206,6 +217,34 @@ isc_sockaddr_hash(const isc_sockaddr_t *sockaddr, isc_boolean_t address_only) {
 }
 
 void
+isc_sockaddr_any(isc_sockaddr_t *sockaddr)
+{
+	memset(sockaddr, 0, sizeof *sockaddr);
+	sockaddr->type.sin.sin_family = AF_INET;
+#ifdef ISC_PLATFORM_HAVESALEN
+	sockaddr->type.sin.sin_len = sizeof sockaddr->type.sin;
+#endif
+	sockaddr->type.sin.sin_addr.s_addr = INADDR_ANY;
+	sockaddr->type.sin.sin_port = 0;
+	sockaddr->length = sizeof sockaddr->type.sin;
+	ISC_LINK_INIT(sockaddr, link);
+}
+
+void
+isc_sockaddr_any6(isc_sockaddr_t *sockaddr)
+{
+	memset(sockaddr, 0, sizeof *sockaddr);
+	sockaddr->type.sin6.sin6_family = AF_INET6;
+#ifdef ISC_PLATFORM_HAVESALEN
+	sockaddr->type.sin6.sin6_len = sizeof sockaddr->type.sin6;
+#endif
+	sockaddr->type.sin6.sin6_addr = in6addr_any;
+	sockaddr->type.sin6.sin6_port = 0;
+	sockaddr->length = sizeof sockaddr->type.sin6;
+	ISC_LINK_INIT(sockaddr, link);
+}
+
+void
 isc_sockaddr_fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
 		    in_port_t port)
 {
diff --git a/lib/isc/str.c b/lib/isc/string.c
index a7b48a2d..6e3e587c 100644
--- a/lib/isc/str.c
+++ b/lib/isc/string.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * Copyright (C) 2000  Internet Software Consortium.
  * 
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,14 +15,16 @@
  * SOFTWARE.
  */
 
+#include <config.h>
+
 #include <ctype.h>
-#include <string.h>
-#include <isc/str.h>
+
+#include <isc/string.h>
 
 static char digits[] = "0123456789abcdefghijklmnoprstuvwxyz";
 
 isc_uint64_t
-isc_strtouq(char *source, char **end, int base) {
+isc_string_touint64(char *source, char **end, int base) {
 	isc_uint64_t tmp;
 	isc_uint64_t overflow;
 	char *s = source;
@@ -84,3 +86,24 @@ isc_strtouq(char *source, char **end, int base) {
 	*end = s;
 	return (tmp);
 }
+
+char *
+isc_string_separate(char **stringp, const char *delim) {
+	char *string = *stringp;
+	char *s;
+	const char *d;
+	char sc, dc;
+
+	if (string == NULL)
+		return (NULL);
+
+	for (s = string; (sc = *s) != '\0'; s++)
+		for (d = delim; (dc = *d) != '\0'; d++)
+			if (sc == dc) {
+				*s++ = '\0';
+				*stringp = s;
+				return (string);
+			}
+	*stringp = NULL;
+	return (string);
+}
diff --git a/lib/isc/symtab.c b/lib/isc/symtab.c
index 6600a0a1..00b0eafb 100644
--- a/lib/isc/symtab.c
+++ b/lib/isc/symtab.c
@@ -18,11 +18,9 @@
 #include <config.h>
 
 #include <ctype.h>
-#include <stdlib.h>
-#include <string.h>
 
-#include <isc/assertions.h>
-#include <isc/list.h>
+#include <isc/mem.h>
+#include <isc/string.h>
 #include <isc/symtab.h>
 #include <isc/util.h>
 
@@ -140,8 +138,7 @@ hash(const char *key, isc_boolean_t case_sensitive) {
 	} else {
 		for (s = key; *s != '\0'; s++) {
 			c = *s;
-			if (isascii(c) && isupper(c))
-				c = tolower(c);
+			c = tolower((unsigned char)c);
 			h = ( h << 4 ) + c;
 			if ((g = ( h & 0xf0000000 )) != 0) {
 				h = h ^ (g >> 24);
diff --git a/lib/isc/task.c b/lib/isc/task.c
index f2673078..00fac42b 100644
--- a/lib/isc/task.c
+++ b/lib/isc/task.c
@@ -26,16 +26,12 @@
 
 #include <config.h>
 
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isc/boolean.h>
-#include <isc/thread.h>
-#include <isc/mutex.h>
 #include <isc/condition.h>
-#include <isc/error.h>
 #include <isc/event.h>
+#include <isc/mem.h>
+#include <isc/string.h>
 #include <isc/task.h>
+#include <isc/thread.h>
 #include <isc/util.h>
 
 #define ISC_TASK_NAMES 1
@@ -71,7 +67,6 @@ struct isc_task {
 	unsigned int			magic;
 	isc_taskmgr_t *			manager;
 	isc_mutex_t			lock;
-	isc_mem_t *			mctx;
 	/* Locked by task lock. */
 	task_state_t			state;
 	unsigned int			references;
@@ -145,11 +140,11 @@ task_finished(isc_task_t *task) {
 
 	(void)isc_mutex_destroy(&task->lock);
 	task->magic = 0;
-	isc_mem_put(task->mctx, task, sizeof *task);
+	isc_mem_put(manager->mctx, task, sizeof *task);
 }
 
 isc_result_t
-isc_task_create(isc_taskmgr_t *manager, isc_mem_t *mctx, unsigned int quantum,
+isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
 		isc_task_t **taskp)
 {
 	isc_task_t *task;
@@ -158,16 +153,13 @@ isc_task_create(isc_taskmgr_t *manager, isc_mem_t *mctx, unsigned int quantum,
 	REQUIRE(VALID_MANAGER(manager));
 	REQUIRE(taskp != NULL && *taskp == NULL);
 
-	if (mctx == NULL)
-		mctx = manager->mctx;
-	task = isc_mem_get(mctx, sizeof *task);
+	task = isc_mem_get(manager->mctx, sizeof *task);
 	if (task == NULL)
 		return (ISC_R_NOMEMORY);
 	XTRACE("create");
 	task->manager = manager;
-	task->mctx = mctx;
 	if (isc_mutex_init(&task->lock) != ISC_R_SUCCESS) {
-		isc_mem_put(mctx, task, sizeof *task);
+		isc_mem_put(manager->mctx, task, sizeof *task);
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_mutex_init() failed");
 		return (ISC_R_UNEXPECTED);
@@ -179,7 +171,7 @@ isc_task_create(isc_taskmgr_t *manager, isc_mem_t *mctx, unsigned int quantum,
 	task->quantum = quantum;
 	task->flags = 0;
 #ifdef ISC_TASK_NAMES
-	task->name[0] = '\0';
+	memset(task->name, 0, sizeof task->name);
 	task->tag = NULL;
 #endif
 	INIT_LINK(task, link);
@@ -197,7 +189,7 @@ isc_task_create(isc_taskmgr_t *manager, isc_mem_t *mctx, unsigned int quantum,
 
 	if (exiting) {
 		isc_mutex_destroy(&task->lock);
-		isc_mem_put(mctx, task, sizeof *task);
+		isc_mem_put(manager->mctx, task, sizeof *task);
 		return (ISC_R_SHUTTINGDOWN);
 	}
 
@@ -253,9 +245,9 @@ task_shutdown(isc_task_t *task) {
 		for (event = TAIL(task->on_shutdown);
 		     event != NULL;
 		     event = prev) {
-			prev = PREV(event, link);
-			DEQUEUE(task->on_shutdown, event, link);
-			ENQUEUE(task->events, event, link);
+			prev = PREV(event, ev_link);
+			DEQUEUE(task->on_shutdown, event, ev_link);
+			ENQUEUE(task->events, event, ev_link);
 		}
 	}
 
@@ -333,18 +325,6 @@ isc_task_detach(isc_task_t **taskp) {
 	*taskp = NULL;
 }
 
-isc_mem_t *
-isc_task_mem(isc_task_t *task) {
-
-	/*
-	 * Get the task's memory context.
-	 */
-
-	REQUIRE(VALID_TASK(task));
-	
-	return (task->mctx);
-}
-
 static inline isc_boolean_t
 task_send(isc_task_t *task, isc_event_t **eventp) {
 	isc_boolean_t was_idle = ISC_FALSE;
@@ -357,8 +337,8 @@ task_send(isc_task_t *task, isc_event_t **eventp) {
 	REQUIRE(eventp != NULL);
 	event = *eventp;
 	REQUIRE(event != NULL);
-	REQUIRE(event->sender != NULL);
-	REQUIRE(event->type > 0);
+	REQUIRE(event->ev_sender != NULL);
+	REQUIRE(event->ev_type > 0);
 	REQUIRE(task->state != task_state_done);
 
 	XTRACE("task_send");
@@ -370,7 +350,7 @@ task_send(isc_task_t *task, isc_event_t **eventp) {
 	}
 	INSIST(task->state == task_state_ready ||
 	       task->state == task_state_running);
-	ENQUEUE(task->events, event, link);
+	ENQUEUE(task->events, event, ev_link);
 	*eventp = NULL;
 
 	return (was_idle);
@@ -451,7 +431,7 @@ isc_task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp) {
 	*taskp = NULL;
 }
 
-#define PURGE_OK(event)	(((event)->attributes & ISC_EVENTATTR_NOPURGE) == 0)
+#define PURGE_OK(event)	(((event)->ev_attributes & ISC_EVENTATTR_NOPURGE) == 0)
 
 static unsigned int
 dequeue_events(isc_task_t *task, void *sender, isc_eventtype_t first,
@@ -477,13 +457,13 @@ dequeue_events(isc_task_t *task, void *sender, isc_eventtype_t first,
 	LOCK(&task->lock);
 
 	for (event = HEAD(task->events); event != NULL; event = next_event) {
-		next_event = NEXT(event, link);
-		if (event->type >= first && event->type <= last &&
-		    (sender == NULL || event->sender == sender) &&
-		    (tag == NULL || event->tag == tag) &&
+		next_event = NEXT(event, ev_link);
+		if (event->ev_type >= first && event->ev_type <= last &&
+		    (sender == NULL || event->ev_sender == sender) &&
+		    (tag == NULL || event->ev_tag == tag) &&
 		    (!purging || PURGE_OK(event))) {
-			DEQUEUE(task->events, event, link);
-			ENQUEUE(*events, event, link);
+			DEQUEUE(task->events, event, ev_link);
+			ENQUEUE(*events, event, ev_link);
 			count++;
 		}
 	}
@@ -513,7 +493,7 @@ isc_task_purgerange(isc_task_t *task, void *sender, isc_eventtype_t first,
 			       ISC_TRUE);
 
 	for (event = HEAD(events); event != NULL; event = next_event) {
-		next_event = NEXT(event, link);
+		next_event = NEXT(event, ev_link);
 		isc_event_free(&event);
 	}
 
@@ -563,9 +543,9 @@ isc_task_purgeevent(isc_task_t *task, isc_event_t *event) {
 	for (curr_event = HEAD(task->events);
 	     curr_event != NULL;
 	     curr_event = next_event) {
-		next_event = NEXT(curr_event, link);
+		next_event = NEXT(curr_event, ev_link);
 		if (curr_event == event && PURGE_OK(event)) {
-			DEQUEUE(task->events, curr_event, link);
+			DEQUEUE(task->events, curr_event, ev_link);
 			break;
 		}
 	}
@@ -622,7 +602,7 @@ isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action, void *arg) {
 	REQUIRE(VALID_TASK(task));
 	REQUIRE(action != NULL);
 
-	event = isc_event_allocate(task->mctx,
+	event = isc_event_allocate(task->manager->mctx,
 				   NULL,
 				   ISC_TASKEVENT_SHUTDOWN,
 				   action,
@@ -636,11 +616,11 @@ isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action, void *arg) {
 		disallowed = ISC_TRUE;
 		result = ISC_R_SHUTTINGDOWN;
 	} else
-		ENQUEUE(task->on_shutdown, event, link);
+		ENQUEUE(task->on_shutdown, event, ev_link);
 	UNLOCK(&task->lock);
 
 	if (disallowed)
-		isc_mem_put(task->mctx, event, sizeof *event);
+		isc_mem_put(task->manager->mctx, event, sizeof *event);
 
 	return (result);
 }
@@ -805,15 +785,15 @@ run(void *uap) {
 			do {
 				if (!EMPTY(task->events)) {
 					event = HEAD(task->events);
-					DEQUEUE(task->events, event, link);
+					DEQUEUE(task->events, event, ev_link);
 
 					/*
 					 * Execute the event action.
 					 */
 					XTRACE("execute action");
-					if (event->action != NULL) {
+					if (event->ev_action != NULL) {
 						UNLOCK(&task->lock);
-						(event->action)(task, event);
+						(event->ev_action)(task,event);
 						LOCK(&task->lock);
 					}
 					dispatch_count++;
@@ -924,12 +904,16 @@ run(void *uap) {
 
 static void
 manager_free(isc_taskmgr_t *manager) {
+	isc_mem_t *mctx;
+
 	(void)isc_condition_destroy(&manager->work_available);
 	(void)isc_mutex_destroy(&manager->lock);
 	isc_mem_put(manager->mctx, manager->threads,
 		    manager->workers * sizeof (isc_thread_t));
 	manager->magic = 0;
-	isc_mem_put(manager->mctx, manager, sizeof *manager);
+	mctx = manager->mctx;
+	isc_mem_put(mctx, manager, sizeof *manager);
+	isc_mem_detach(&mctx);
 }
 
 isc_result_t
@@ -951,7 +935,7 @@ isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
 	if (manager == NULL)
 		return (ISC_R_NOMEMORY);
 	manager->magic = TASK_MANAGER_MAGIC;
-	manager->mctx = mctx;
+	manager->mctx = NULL;
 	threads = isc_mem_get(mctx, workers * sizeof (isc_thread_t));
 	if (threads == NULL) {
 		isc_mem_put(mctx, manager, sizeof *manager);
@@ -982,6 +966,8 @@ isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
 	manager->exiting = ISC_FALSE;
 	manager->workers = 0;
 
+	isc_mem_attach(mctx, &manager->mctx);
+
 	LOCK(&manager->lock);
 	/*
 	 * Start workers.
diff --git a/lib/isc/taskpool.c b/lib/isc/taskpool.c
index cf96d747..bba1ef75 100644
--- a/lib/isc/taskpool.c
+++ b/lib/isc/taskpool.c
@@ -17,10 +17,10 @@
 
 #include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/boolean.h>
-#include <isc/error.h>
+#include <isc/mem.h>
 #include <isc/taskpool.h>
+#include <isc/util.h>
+
 /***
  *** Types.
  ***/
@@ -53,7 +53,7 @@ isc_taskpool_create(isc_taskmgr_t *tmgr, isc_mem_t *mctx,
 	for (i = 0; i < ntasks; i++) 
 		pool->tasks[i] = NULL;
 	for (i = 0; i < ntasks; i++) {
-		result = isc_task_create(tmgr, mctx, quantum, &pool->tasks[i]);
+		result = isc_task_create(tmgr, quantum, &pool->tasks[i]);
 		if (result != ISC_R_SUCCESS) {
 			isc_taskpool_destroy(&pool);
 			return (result);
diff --git a/lib/isc/timer.c b/lib/isc/timer.c
index 446b2c60..617b27e3 100644
--- a/lib/isc/timer.c
+++ b/lib/isc/timer.c
@@ -17,24 +17,21 @@
 
 #include <config.h>
 
-#include <stddef.h>
-#include <stdlib.h>
-
-#include <isc/assertions.h>
-#include <isc/error.h>
-#include <isc/thread.h>
-#include <isc/mutex.h>
 #include <isc/condition.h>
 #include <isc/heap.h>
+#include <isc/mem.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/time.h>
 #include <isc/timer.h>
 #include <isc/util.h>
 
 #ifdef ISC_TIMER_TRACE
 #define XTRACE(s)			printf("%s\n", (s))
 #define XTRACEID(s, t)			printf("%s %p\n", (s), (t))
-#define XTRACETIME(s, d)		printf("%s %lu.%09lu\n", (s), \
+#define XTRACETIME(s, d)		printf("%s %u.%09u\n", (s), \
 					       (d).seconds, (d).nanoseconds)
-#define XTRACETIMER(s, t, d)		printf("%s %p %lu.%09lu\n", (s), (t), \
+#define XTRACETIMER(s, t, d)		printf("%s %p %u.%09u\n", (s), (t), \
 					       (d).seconds, (d).nanoseconds)
 #else
 #define XTRACE(s)
@@ -102,9 +99,11 @@ schedule(isc_timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
 	/*
 	 * Compute the new due time.
 	 */
-	if (timer->type == isc_timertype_ticker)
-		isc_time_add(now, &timer->interval, &due);
-	else {
+	if (timer->type == isc_timertype_ticker) {
+		result = isc_time_add(now, &timer->interval, &due);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	} else {
 		if (isc_time_isepoch(&timer->idle))
 			due = timer->expires;
 		else if (isc_time_isepoch(&timer->expires))
@@ -209,7 +208,7 @@ destroy(isc_timer_t *timer) {
 	isc_task_detach(&timer->task);
 	(void)isc_mutex_destroy(&timer->lock);
 	timer->magic = 0;
-	isc_mem_put(timer->mctx, timer, sizeof *timer);
+	isc_mem_put(manager->mctx, timer, sizeof *timer);
 }
 
 isc_result_t
@@ -221,7 +220,6 @@ isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
 	isc_timer_t *timer;
 	isc_result_t result;
 	isc_time_t now;
-	isc_mem_t *mctx;
 
 	/*
 	 * Create a new 'type' timer managed by 'manager'.  The timers
@@ -263,18 +261,20 @@ isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
 	}
 
 
-	mctx = isc_task_mem(task);
-	timer = isc_mem_get(mctx, sizeof *timer);
+	timer = isc_mem_get(manager->mctx, sizeof *timer);
 	if (timer == NULL)
 		return (ISC_R_NOMEMORY);
 
 	timer->manager = manager;
-	timer->mctx = mctx;
 	timer->references = 1;
-	if (type == isc_timertype_once && !isc_interval_iszero(interval))
-		isc_time_add(&now, interval, &timer->idle);
-	else
+
+	if (type == isc_timertype_once && !isc_interval_iszero(interval)) {
+		result = isc_time_add(&now, interval, &timer->idle);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	} else
 		isc_time_settoepoch(&timer->idle);
+
 	timer->type = type;
 	timer->expires = *expires;
 	timer->interval = *interval;
@@ -285,7 +285,7 @@ isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
 	timer->index = 0;
 	if (isc_mutex_init(&timer->lock) != ISC_R_SUCCESS) {
 		isc_task_detach(&timer->task);
-		isc_mem_put(mctx, timer, sizeof *timer);
+		isc_mem_put(manager->mctx, timer, sizeof *timer);
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_mutex_init() failed");
 		return (ISC_R_UNEXPECTED);
@@ -312,7 +312,7 @@ isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
 		timer->magic = 0;
 		(void)isc_mutex_destroy(&timer->lock);
 		isc_task_detach(&timer->task);
-		isc_mem_put(mctx, timer, sizeof *timer);
+		isc_mem_put(manager->mctx, timer, sizeof *timer);
 		return (result);
 	}
 
@@ -380,15 +380,20 @@ isc_timer_reset(isc_timer_t *timer, isc_timertype_t type,
 	timer->type = type;
 	timer->expires = *expires;
 	timer->interval = *interval;
-	if (type == isc_timertype_once && !isc_interval_iszero(interval))
-		isc_time_add(&now, interval, &timer->idle);
-	else
+	if (type == isc_timertype_once && !isc_interval_iszero(interval)) {
+		result = isc_time_add(&now, interval, &timer->idle);
+	} else {
 		isc_time_settoepoch(&timer->idle);
-	if (type == isc_timertype_inactive) {
-		deschedule(timer);
 		result = ISC_R_SUCCESS;
-	} else
-		result = schedule(timer, &now, ISC_TRUE);
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		if (type == isc_timertype_inactive) {
+			deschedule(timer);
+			result = ISC_R_SUCCESS;
+		} else
+			result = schedule(timer, &now, ISC_TRUE);
+	}
 
 	UNLOCK(&timer->lock);
 	UNLOCK(&manager->lock);
@@ -423,13 +428,13 @@ isc_timer_touch(isc_timer_t *timer) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_time_now() failed: %s",
 				 isc_result_totext(result));
-		return (ISC_R_UNEXPECTED);
-	}
-	isc_time_add(&now, &timer->interval, &timer->idle);
+		result = ISC_R_UNEXPECTED;
+	} else
+		result = isc_time_add(&now, &timer->interval, &timer->idle);
 
 	UNLOCK(&timer->lock);
 
-	return (ISC_R_SUCCESS);
+	return (result);
 }
 
 void
@@ -520,7 +525,7 @@ dispatch(isc_timermgr_t *manager, isc_time_t *now) {
 				/*
 				 * XXX We could preallocate this event.
 				 */
-				event = isc_event_allocate(timer->mctx,
+				event = isc_event_allocate(manager->mctx,
 							   timer,
 							   type,
 							   timer->action,
@@ -553,7 +558,7 @@ dispatch(isc_timermgr_t *manager, isc_time_t *now) {
 }
 
 static isc_threadresult_t
-#ifdef _WIN32
+#ifdef _WIN32			/* XXXDCL */
 WINAPI
 #endif
 run(void *uap) {
@@ -626,7 +631,7 @@ isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
 		return (ISC_R_NOMEMORY);
 	
 	manager->magic = TIMER_MANAGER_MAGIC;
-	manager->mctx = mctx;
+	manager->mctx = NULL;
 	manager->done = ISC_FALSE;
 	INIT_LIST(manager->timers);
 	manager->nscheduled = 0;
@@ -653,8 +658,10 @@ isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
 				 "isc_condition_init() failed");
 		return (ISC_R_UNEXPECTED);
 	}
+	isc_mem_attach(mctx, &manager->mctx);
 	if (isc_thread_create(run, manager, &manager->thread) !=
 	    ISC_R_SUCCESS) {
+		isc_mem_detach(&manager->mctx);
 		(void)isc_condition_destroy(&manager->wakeup);
 		(void)isc_mutex_destroy(&manager->lock);
 		isc_heap_destroy(&manager->heap);
@@ -672,6 +679,7 @@ isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
 void
 isc_timermgr_destroy(isc_timermgr_t **managerp) {
 	isc_timermgr_t *manager;
+	isc_mem_t *mctx;
 
 	/*
 	 * Destroy a timer manager.
@@ -705,7 +713,9 @@ isc_timermgr_destroy(isc_timermgr_t **managerp) {
 	(void)isc_mutex_destroy(&manager->lock);
 	isc_heap_destroy(&manager->heap);
 	manager->magic = 0;
-	isc_mem_put(manager->mctx, manager, sizeof *manager);
+	mctx = manager->mctx;
+	isc_mem_put(mctx, manager, sizeof *manager);
+	isc_mem_detach(&mctx);
 
 	*managerp = NULL;
 }
diff --git a/lib/isc/unix/Makefile.in b/lib/isc/unix/Makefile.in
index a6fae6a0..af0f25d4 100644
--- a/lib/isc/unix/Makefile.in
+++ b/lib/isc/unix/Makefile.in
@@ -28,13 +28,13 @@ CWARNINGS =
 
 # Alphabetically
 OBJS =		@ISC_IPV6_O@ \
-		app.@O@ dir.@O@ interfaceiter.@O@ mktemplate.@O@ net.@O@ \
-		socket.@O@ stdtime.@O@ time.@O@ ufile.@O@
+		app.@O@ dir.@O@ errno2result.@O@ file.@O@ interfaceiter.@O@ \
+		net.@O@ socket.@O@ stdio.@O@ stdtime.@O@ time.@O@
 
 # Alphabetically
 SRCS =		@ISC_IPV6_C@ \
-		app.c dir.c interfaceiter.c mktemplate.c net.c socket.c \
-		stdtime.c time.c ufile.c
+		app.c dir.c errno2result.c file.c interfaceiter.c \
+		net.c socket.c stdio.c stdtime.c time.c
 
 SUBDIRS =	include
 TARGETS =	${OBJS}
diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c
index 5ce4e0f0..752ce83a 100644
--- a/lib/isc/unix/app.c
+++ b/lib/isc/unix/app.c
@@ -22,17 +22,16 @@
 #include <sys/types.h>
 
 #include <stddef.h>
-#include <string.h>
 #include <errno.h>
 #include <unistd.h>
 #include <signal.h>
 
 #include <isc/app.h>
-#include <isc/assertions.h>
-#include <isc/error.h>
 #include <isc/boolean.h>
 #include <isc/mutex.h>
 #include <isc/event.h>
+#include <isc/string.h>
+#include <isc/task.h>
 #include <isc/util.h>
 
 static isc_eventlist_t		on_run;
@@ -65,13 +64,13 @@ static pthread_t		main_thread;
 #ifndef HAVE_SIGWAIT
 static void
 exit_action(int arg) {
-        (void)arg;
+        UNUSED(arg);
 	want_shutdown = ISC_TRUE;
 }
 
 static void
 reload_action(int arg) {
-        (void)arg;
+        UNUSED(arg);
 	want_reload = ISC_TRUE;
 }
 #endif
@@ -210,7 +209,7 @@ isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
 		goto unlock;
 	}
 	
-	ISC_LIST_APPEND(on_run, event, link);
+	ISC_LIST_APPEND(on_run, event, ev_link);
 
 	result = ISC_R_SUCCESS;
 
@@ -249,10 +248,10 @@ isc_app_run(void) {
 		for (event = ISC_LIST_HEAD(on_run);
 		     event != NULL;
 		     event = next_event) {
-			next_event = ISC_LIST_NEXT(event, link);
-			ISC_LIST_UNLINK(on_run, event, link);
-			task = event->sender;
-			event->sender = (void *)&running;
+			next_event = ISC_LIST_NEXT(event, ev_link);
+			ISC_LIST_UNLINK(on_run, event, ev_link);
+			task = event->ev_sender;
+			event->ev_sender = (void *)&running;
 			isc_task_sendanddetach(&task, &event);
 		}
 
@@ -292,6 +291,8 @@ isc_app_run(void) {
 					 strerror(errno));
 			return (ISC_R_UNEXPECTED);
 		}
+
+#ifndef HAVE_UNIXWARE_SIGWAIT
 		result = sigwait(&sset, &sig);
 		if (result == 0) {
 			if (sig == SIGINT ||
@@ -300,7 +301,19 @@ isc_app_run(void) {
 			else if (sig == SIGHUP)
 				want_reload = ISC_TRUE;
 		}
-#else
+
+#else /* Using UnixWare sigwait semantics. */
+		sig = sigwait(&sset);
+		if (sig >= 0) {
+			if (sig == SIGINT ||
+			    sig == SIGTERM)
+				want_shutdown = ISC_TRUE;
+			else if (sig == SIGHUP)
+				want_reload = ISC_TRUE;
+		}
+
+#endif /* HAVE_UNIXWARE_SIGWAIT */
+#else  /* Don't have sigwait(). */
 		/*
 		 * Listen for all signals.
 		 */
@@ -311,7 +324,7 @@ isc_app_run(void) {
 			return (ISC_R_UNEXPECTED);
 		}
 		result = sigsuspend(&sset);
-#endif
+#endif /* HAVE_SIGWAIT */
 
 		if (want_reload) {
 			want_reload = ISC_FALSE;
diff --git a/lib/isc/unix/dir.c b/lib/isc/unix/dir.c
index a2ed0667..33d5742e 100644
--- a/lib/isc/unix/dir.c
+++ b/lib/isc/unix/dir.c
@@ -15,22 +15,24 @@
  * SOFTWARE.
  */
 
-/* $Id: dir.c,v 1.7 2000/02/03 23:08:01 halley Exp $ */
+/* $Id: dir.c,v 1.10 2000/05/11 15:09:27 tale Exp $ */
 
 /* Principal Authors: DCL */
 
-#include <stdlib.h>
-#include <string.h>
+#include <config.h>
+
 #include <errno.h>
 #include <unistd.h>
 
 #include <isc/dir.h>
-#include <isc/assertions.h>
-#include <isc/error.h>
+#include <isc/magic.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
 
 #define ISC_DIR_MAGIC		0x4449522aU	/* DIR*. */
-#define VALID_DIR(dir)		((dir) != NULL && \
-				 (dir)->magic == ISC_DIR_MAGIC)
+#define VALID_DIR(dir)		ISC_MAGIC_VALID(dir, ISC_DIR_MAGIC)
 
 void
 isc_dir_init(isc_dir_t *dir) {
@@ -60,20 +62,8 @@ isc_dir_open(isc_dir_t *dir, const char *dirname) {
 	 */
 	dir->handle = opendir(dirname);
 
-	if (dir->handle == NULL) {
-		if (errno == ENOMEM)
-			result = ISC_R_NOMEMORY;
-		else if (errno == EPERM)
-			result = ISC_R_NOPERM;
-		else if (errno == ENOENT)
-			result = ISC_R_NOTFOUND;
-		else {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "opendir(%s) failed: %s",
-					 dirname, strerror(errno));
-			return (ISC_R_UNEXPECTED);
-		}
-	}
+	if (dir->handle == NULL)
+		return isc__errno2result(errno);
 
 	return (result);
 }
@@ -148,20 +138,8 @@ isc_dir_chdir(const char *dirname) {
 
 	REQUIRE(dirname != NULL);
 
-	if (chdir(dirname) < 0) {
-		if (errno == ENOENT)
-			return (ISC_R_NOTFOUND);
-		else if (errno == EACCES)
-			return (ISC_R_NOPERM);
-		else if (errno == ENOMEM)
-			return (ISC_R_NOMEMORY);
-		else {
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "chdir(%s) failed: %s",
-					 dirname, strerror(errno));
-			return (ISC_R_UNEXPECTED);
-		}
-	}
+	if (chdir(dirname) < 0)
+		return (isc__errno2result(errno));
 
 	return (ISC_R_SUCCESS);
 }
diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c
new file mode 100644
index 00000000..7eba8955
--- /dev/null
+++ b/lib/isc/unix/errno2result.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/* $Id: errno2result.c,v 1.2 2000/05/16 03:00:53 tale Exp $ */
+
+#include <config.h>
+
+#include <errno.h>
+
+#include <isc/result.h>
+
+#include "errno2result.h"
+
+/*
+ * Convert a POSIX errno value into an isc_result_t.  The
+ * list of supported errno values is not complete; new users
+ * of this function should add any expected errors that are
+ * not already there.
+ */
+isc_result_t
+isc__errno2result(int posixerrno) {
+	switch (posixerrno) {
+	case ENOTDIR:
+	case ELOOP:
+	case EINVAL:
+	case ENAMETOOLONG:
+	case EBADF:
+		return (ISC_R_INVALIDFILE);
+	case ENOENT:
+		return (ISC_R_FILENOTFOUND);
+	case EACCES:
+		return (ISC_R_NOPERM);
+	case EEXIST:
+		return (ISC_R_FILEEXISTS);
+	case EIO:
+		return (ISC_R_IOERROR);
+	case ENOMEM:
+		return (ISC_R_NOMEMORY);
+	default:
+		/*
+		 * XXXDCL would be nice if perhaps this function could
+		 * return the system's error string, so the caller
+		 * might have something more descriptive than "unexpected
+		 * error" to log with.
+		 */
+		return (ISC_R_UNEXPECTED);
+	}
+}
diff --git a/lib/isc/include/isc/mktemplate.h b/lib/isc/unix/errno2result.h
index 56b03f66..6128ee84 100644
--- a/lib/isc/include/isc/mktemplate.h
+++ b/lib/isc/unix/errno2result.h
@@ -15,26 +15,7 @@
  * SOFTWARE.
  */
 
-#ifndef ISC_MKTEMPLATE_H
-#define ISC_MKTEMPLATE_H
-
-#include <isc/lang.h>
-#include <isc/result.h>
-
-ISC_LANG_BEGINDECLS
+#include <isc/types.h>
 
 isc_result_t
-isc_mktemplate(const char *name, char *buf, size_t buflen);
-
-/*
- * create a template file name suitable for isc_ufile() such
- * that it could be renamed to 'name'.
- *
- * Requires:
- * 	'name' to be non null.
- *	'buf' to be non null.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_MKTEMPLATE_H */
+isc__errno2result(int posixerrno);
diff --git a/lib/isc/unix/file.c b/lib/isc/unix/file.c
new file mode 100644
index 00000000..eb1df121
--- /dev/null
+++ b/lib/isc/unix/file.c
@@ -0,0 +1,169 @@
+/*
+ * Copyright (C) 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <errno.h>
+#include <stdlib.h>
+#include <unistd.h>            /* Required for mkstemp on NetBSD. */
+
+#include <sys/stat.h>
+#include <sys/time.h>
+
+#include <isc/file.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+/*
+ * XXXDCL As the API for accessing file statistics undoubtedly gets expanded,
+ * it might be good to provide a mechanism that allows for the results
+ * of a previous stat() to be used again without having to do another stat,
+ * such as perl's mechanism of using "_" in place of a file name to indicate
+ * that the results of the last stat should be used.  But then you get into
+ * annoying MP issues.   BTW, Win32 has stat().
+ */
+static isc_result_t
+file_stats(const char *file, struct stat *stats) {
+	isc_result_t result = ISC_R_SUCCESS;
+	
+	if (stat(file, stats) != 0)
+		result = isc__errno2result(errno);
+		
+	return (result);
+}
+
+isc_result_t
+isc_file_getmodtime(const char *file, isc_time_t *time) {
+	isc_result_t result;
+	struct stat stats;
+
+	REQUIRE(file != NULL && time != NULL);
+
+	result = file_stats(file, &stats);
+
+	if (result == ISC_R_SUCCESS)
+		/*
+		 * XXXDCL some operating systems provide nanoseconds, too,
+		 * such as BSD/OS via st_mtimespec.
+		 */
+		isc_time_set(time, stats.st_mtime, 0);
+
+	return (result);
+}
+
+isc_result_t
+isc_file_settime(const char *file, isc_time_t *time) {
+	struct timeval times[2];
+
+	REQUIRE(file != NULL && time != NULL);
+
+	/*
+	 * tv_sec is at least a 32 bit quantity on all platforms we're
+	 * dealing with, but it is signed on most (all?) of them,
+	 * so we need to make sure the high bit isn't set.
+	 */
+	times[0].tv_sec = times[1].tv_sec = isc_time_seconds(time);
+	if ((times[0].tv_sec & (1 << (sizeof(times[0].tv_sec) * 8 - 1))) != 0)
+		return (ISC_R_RANGE);
+
+	/*
+	 * isc_time_nanoseconds guarantees a value that divided by 1000 will
+	 * fit into the minimum possible size tv_usec field.  Unfortunately,
+	 * we don't know what that type is so can't cast directly ... but
+	 * we can at least cast to signed so the IRIX compiler shuts up.
+	 */
+	times[0].tv_usec = times[1].tv_usec =
+		(isc_int32_t)(isc_time_nanoseconds(time) / 1000);
+
+	if (utimes(file, times) < 0)
+		return (isc__errno2result(errno));
+
+	return (ISC_R_SUCCESS);
+
+}
+
+#undef TEMPLATE
+#define TEMPLATE "tmp-XXXXXXXXXX" /* 14 characters. */
+
+isc_result_t
+isc_file_mktemplate(const char *path, char *buf, size_t buflen) {
+	char *s;
+
+	REQUIRE(buf != NULL);
+
+	s = strrchr(path, '/');
+
+	if (s != NULL) {
+		if ((s - path + 1 + sizeof(TEMPLATE)) > buflen)
+			return (ISC_R_NOSPACE);
+		
+		strncpy(buf, path, s - path + 1);
+		buf[s - path + 1] = '\0';
+		strcat(buf, TEMPLATE);
+	} else {
+		if (sizeof(TEMPLATE) > buflen)
+			return (ISC_R_NOSPACE);
+		
+		strcpy(buf, TEMPLATE);
+	}
+	
+	return (ISC_R_SUCCESS);
+}
+ 
+isc_result_t
+isc_file_openunique(char *templet, FILE **fp) {
+	int fd;
+	FILE *f;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(templet != NULL);
+	REQUIRE(fp != NULL && *fp == NULL);
+
+	/*
+	 * Win32 does not have mkstemp.
+	 */
+	fd = mkstemp(templet);
+
+	if (fd == -1)
+		result = isc__errno2result(errno);
+	if (result == ISC_R_SUCCESS) {
+		f = fdopen(fd, "w+");
+		if (f == NULL) {
+			result = isc__errno2result(errno);
+			(void)remove(templet);
+			(void)close(fd);
+
+		} else
+			*fp = f;
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_file_remove(const char *filename) {
+	int r;
+	
+	r = unlink(filename);
+	if (r == 0)
+		return (ISC_R_SUCCESS);
+	else
+		return (isc__errno2result(errno));
+}
diff --git a/lib/isc/unix/ifiter_ioctl.c b/lib/isc/unix/ifiter_ioctl.c
index 6ea3e0c9..9116e48a 100644
--- a/lib/isc/unix/ifiter_ioctl.c
+++ b/lib/isc/unix/ifiter_ioctl.c
@@ -68,8 +68,7 @@ struct isc_interfaceiter {
 #define IFCONF_BUFSIZE_MAX	1048576
 
 isc_result_t
-isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp)
-{
+isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
 	isc_interfaceiter_t *iter;
 	isc_result_t result;
 
@@ -84,7 +83,9 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp)
 	iter->mctx = mctx;
 	iter->buf = NULL;
 
-	/* Create an unbound datagram socket to do the SIOCGLIFADDR ioctl on. */
+	/*
+	 * Create an unbound datagram socket to do the SIOCGLIFADDR ioctl on.
+	 */
 	if ((iter->socket = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "making interface scan socket: %s",
@@ -115,15 +116,23 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp)
 #endif
 		iter->ifc.lifc_len = iter->bufsize;
 		iter->ifc.lifc_buf = iter->buf;
-		if (ioctl(iter->socket, SIOCGLIFCONF, (char *) &iter->ifc) == -1) {
+		/*
+		 * Ignore the HP/UX warning about "interger overflow during
+		 * conversion.  It comes from its own macro definition,
+		 * and is really hard to shut up.
+		 */
+		if (ioctl(iter->socket, SIOCGLIFCONF, (char *)&iter->ifc)
+		    == -1) {
 			if (errno != EINVAL) {
 				UNEXPECTED_ERROR(__FILE__, __LINE__,
-						 "get interface configuration: %s",
+					     "get interface configuration: %s",
 						 strerror(errno));
 				result = ISC_R_UNEXPECTED;
 				goto ioctl_failure;
 			}
-			/* EINVAL.  Retry with a bigger buffer. */
+			/*
+			 * EINVAL.  Retry with a bigger buffer.
+			 */
 		} else {
 			/*
 			 * The ioctl succeeded.
@@ -207,10 +216,17 @@ internal_current(isc_interfaceiter_t *iter) {
 	get_addr(family, &iter->current.address,
 		 (struct sockaddr *)&lifreq.lifr_addr);
 
-	/* Get interface flags. */
+	/*
+	 * Get interface flags.
+	 */
 
 	iter->current.flags = 0;
 	
+	/*
+	 * Ignore the HP/UX warning about "interger overflow during
+	 * conversion.  It comes from its own macro definition,
+	 * and is really hard to shut up.
+	 */
 	if (ioctl(iter->socket, SIOCGLIFFLAGS, (char *) &lifreq) < 0) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__, 
 				 "%s: getting interface flags: %s",
@@ -228,9 +244,17 @@ internal_current(isc_interfaceiter_t *iter) {
 	if ((lifreq.lifr_flags & IFF_LOOPBACK) != 0)
 		iter->current.flags |= INTERFACE_F_LOOPBACK;
 
-	/* If the interface is point-to-point, get the destination address. */
+	/*
+	 * If the interface is point-to-point, get the destination address.
+	 */
 	if ((iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0) {
-		if (ioctl(iter->socket, SIOCGLIFDSTADDR, (char *) &lifreq) < 0) {
+		/*
+		 * Ignore the HP/UX warning about "interger overflow during
+		 * conversion.  It comes from its own macro definition,
+		 * and is really hard to shut up.
+		 */
+		if (ioctl(iter->socket, SIOCGLIFDSTADDR, (char *)&lifreq)
+		    < 0) {
 			UNEXPECTED_ERROR(__FILE__, __LINE__, 
 					 "%s: getting destination address: %s",
 					 lifreq.lifr_name,
@@ -241,12 +265,20 @@ internal_current(isc_interfaceiter_t *iter) {
 			 (struct sockaddr *)&lifreq.lifr_dstaddr);
 	}
 
-	/* Get the network mask. */ 
+	/*
+	 * Get the network mask.
+	 */ 
 	memset(&lifreq, 0, sizeof lifreq);
 	memcpy(&lifreq, ifrp, sizeof lifreq);
 	switch (family) {
 	case AF_INET:
-		if (ioctl(iter->socket, SIOCGLIFNETMASK, (char *) &lifreq) < 0) {
+		/*
+		 * Ignore the HP/UX warning about "interger overflow during
+		 * conversion.  It comes from its own macro definition,
+		 * and is really hard to shut up.
+		 */
+		if (ioctl(iter->socket, SIOCGLIFNETMASK, (char *)&lifreq)
+		    < 0) {
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 					 "%s: getting netmask: %s",
 					 lifreq.lifr_name,
@@ -260,7 +292,9 @@ internal_current(isc_interfaceiter_t *iter) {
 #ifdef lifr_addrlen
 		int i, bits;
 
-		/* netmask already zeroed */
+		/*
+		 * Netmask already zeroed.
+		 */
 		iter->current.netmask.family = family;
 		for (i = 0 ; i < lifreq.lifr_addrlen; i += 8) {
 			bits = lifreq.lifr_addrlen - i;
@@ -270,7 +304,7 @@ internal_current(isc_interfaceiter_t *iter) {
 		}
 #endif
 		break;
-		}
+	}
 	}
 	
 	return (ISC_R_SUCCESS);
diff --git a/lib/isc/unix/ifiter_sysctl.c b/lib/isc/unix/ifiter_sysctl.c
index aba22db6..c51f2638 100644
--- a/lib/isc/unix/ifiter_sysctl.c
+++ b/lib/isc/unix/ifiter_sysctl.c
@@ -62,8 +62,7 @@ static int mib[6] = {
 };
 	
 isc_result_t
-isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp)
-{
+isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
 	isc_interfaceiter_t *iter;
 	isc_result_t result;
 	size_t bufsize;
@@ -79,7 +78,9 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp)
 	iter->mctx = mctx;
 	iter->buf = 0;
 
-	/* Determine the amount of memory needed. */
+	/*
+	 * Determine the amount of memory needed.
+	 */
 	bufsize = 0;
 	if (sysctl(mib, 6, NULL, &bufsize, NULL, (size_t) 0) < 0) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__, 
@@ -205,7 +206,9 @@ internal_current(isc_interfaceiter_t *iter) {
 					 + ROUNDUP(sa->sa_len));
 #else
 #ifdef sgi
-			/* Do as the contributed SGI code does. */
+			/*
+			 * Do as the contributed SGI code does.
+			 */
 			sa = (struct sockaddr *)((char*)(sa)
 					 + ROUNDUP(_FAKE_SA_LEN_DST(sa)));
 #else
@@ -265,7 +268,9 @@ internal_next(isc_interfaceiter_t *iter) {
 
 static void
 internal_destroy(isc_interfaceiter_t *iter) {
-	iter = iter; /* Unused. */
-	/* Do nothing. */
+	UNUSED(iter); /* Unused. */
+	/*
+	 * Do nothing.
+	 */
 }
 
diff --git a/lib/isc/unix/include/isc/Makefile.in b/lib/isc/unix/include/isc/Makefile.in
index e1899d0a..9ab0f058 100644
--- a/lib/isc/unix/include/isc/Makefile.in
+++ b/lib/isc/unix/include/isc/Makefile.in
@@ -19,7 +19,7 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_VERSION@
 
-HEADERS =	app.h dir.h int.h net.h netdb.h stdtime.h time.h @ISC_IPV6_H@
+HEADERS =	app.h dir.h int.h net.h netdb.h offset.h stdtime.h time.h
 
 SUBDIRS =
 TARGETS =
@@ -30,7 +30,7 @@ installdirs:
 	if [ ! -d ${DESTDIR}${includedir} ]; then \
 		mkdir ${DESTDIR}${includedir} ; \
 	fi
-	if [ ! -d ${DESTDIR)${includedir}/isc ]; then \
+	if [ ! -d ${DESTDIR}${includedir}/isc ]; then \
 		mkdir ${DESTDIR}${includedir}/isc ; \
 	fi
 
diff --git a/lib/isc/unix/include/isc/app.h b/lib/isc/unix/include/isc/app.h
index 4329a967..55752cdf 100644
--- a/lib/isc/unix/include/isc/app.h
+++ b/lib/isc/unix/include/isc/app.h
@@ -71,11 +71,9 @@
  *	None.
  */
 
+#include <isc/eventclass.h>
 #include <isc/lang.h>
 #include <isc/result.h>
-#include <isc/task.h>
-
-ISC_LANG_BEGINDECLS
 
 typedef isc_event_t isc_appevent_t;
 
@@ -83,6 +81,8 @@ typedef isc_event_t isc_appevent_t;
 #define ISC_APPEVENT_SHUTDOWN		(ISC_EVENTCLASS_APP + 1)
 #define ISC_APPEVENT_LASTEVENT		(ISC_EVENTCLASS_APP + 65535)
 
+ISC_LANG_BEGINDECLS
+
 isc_result_t
 isc_app_start(void);
 /*
diff --git a/lib/isc/unix/include/isc/dir.h b/lib/isc/unix/include/isc/dir.h
index a0fe405b..94c8a407 100644
--- a/lib/isc/unix/include/isc/dir.h
+++ b/lib/isc/unix/include/isc/dir.h
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: dir.h,v 1.5 2000/02/03 23:08:05 halley Exp $ */
+/* $Id: dir.h,v 1.7 2000/04/28 21:29:27 tale Exp $ */
 
 /* Principal Authors: DCL */
 
@@ -24,13 +24,10 @@
 
 #include <sys/types.h>
 #include <dirent.h>
-#include <limits.h>
 
 #include <isc/lang.h>
 #include <isc/result.h>
 
-ISC_LANG_BEGINDECLS
-
 #define ISC_DIR_NAMEMAX 256
 #define ISC_DIR_PATHMAX 1024
 
@@ -56,6 +53,8 @@ typedef struct {
 	DIR *		handle;
 } isc_dir_t;
 
+ISC_LANG_BEGINDECLS
+
 void
 isc_dir_init(isc_dir_t *dir);
 
@@ -74,6 +73,6 @@ isc_dir_close(isc_dir_t *dir);
 isc_result_t
 isc_dir_chdir(const char *dirname);
 
-ISC_LANG_BEGINDECLS
+ISC_LANG_ENDDECLS
 
 #endif /* ISC_DIR_H */
diff --git a/lib/isc/unix/include/isc/int.h b/lib/isc/unix/include/isc/int.h
index a32a01d9..bfd55199 100644
--- a/lib/isc/unix/include/isc/int.h
+++ b/lib/isc/unix/include/isc/int.h
@@ -18,10 +18,6 @@
 #ifndef ISC_INT_H
 #define ISC_INT_H 1
 
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
 typedef char				isc_int8_t;
 typedef unsigned char			isc_uint8_t;
 typedef short				isc_int16_t;
@@ -31,6 +27,4 @@ typedef unsigned int			isc_uint32_t;
 typedef long long			isc_int64_t;
 typedef unsigned long long		isc_uint64_t;
 
-ISC_LANG_ENDDECLS
-
 #endif /* ISC_INT_H */
diff --git a/lib/isc/unix/include/isc/net.h b/lib/isc/unix/include/isc/net.h
index 7aceabad..710e3ea1 100644
--- a/lib/isc/unix/include/isc/net.h
+++ b/lib/isc/unix/include/isc/net.h
@@ -30,6 +30,7 @@
  *
  *		struct in_addr
  *		struct in6_addr
+ *		struct in6_pktinfo
  *		struct sockaddr
  *		struct sockaddr_in
  *		struct sockaddr_in6
@@ -64,18 +65,22 @@
 /***
  *** Imports.
  ***/
+#include <isc/lang.h>
 #include <isc/platform.h>
 
 #include <sys/types.h>
-#include <sys/socket.h>
+#include <sys/socket.h>		/* Contractual promise. */
 
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#ifdef ISC_PLATFORM_HAVENETINET6IN6H
-#include <netinet6/in6.h>
+#include <netinet/in.h>		/* Contractual promise. */
+#include <arpa/inet.h>		/* Contractual promise. */
+#ifdef ISC_PLATFORM_NEEDNETINETIN6H
+#include <netinet/in6.h>	/* Required on UnixWare. */
+#endif
+#ifdef ISC_PLATFORM_NEEDNETINET6IN6H
+#include <netinet6/in6.h>	/* Required on BSD/OS for in6_pktinfo. */
 #endif
 
-#include <isc/result.h>
+#include <isc/types.h>
 
 #ifndef AF_INET6
 #define AF_INET6 99
@@ -86,7 +91,14 @@
 #endif
 
 #ifndef ISC_PLATFORM_HAVEIPV6
-#include <isc/ipv6.h>
+#include <isc/ipv6.h>		/* Contractual promise. */
+#endif
+
+#ifndef ISC_PLATFORM_HAVEIN6PKTINFO
+struct in6_pktinfo {
+	struct in6_addr ipi6_addr;    /* src/dst IPv6 address */
+	unsigned int    ipi6_ifindex; /* send/recv interface index */
+};
 #endif
 
 /*
@@ -101,8 +113,6 @@ extern const struct in6_addr isc_net_in6addrany;
  * Ensure type in_port_t is defined.
  */
 #ifdef ISC_PLATFORM_NEEDPORTT
-#include <isc/int.h>
-
 typedef isc_uint16_t in_port_t;
 #endif
 
@@ -119,6 +129,8 @@ typedef isc_uint16_t in_port_t;
  *** Functions.
  ***/
 
+ISC_LANG_BEGINDECLS
+
 isc_result_t
 isc_net_probeipv4(void);
 /*
@@ -144,26 +156,23 @@ isc_net_probeipv6(void);
  */
 
 #ifdef ISC_PLATFORM_NEEDNTOP
-const char *isc_net_ntop(int af, const void *src, char *dst, size_t size);
+const char *
+isc_net_ntop(int af, const void *src, char *dst, size_t size);
 #define inet_ntop isc_net_ntop
 #endif
 
 #ifdef ISC_PLATFORM_NEEDPTON
-int isc_net_pton(int af, const char *src, void *dst);
+int
+isc_net_pton(int af, const char *src, void *dst);
 #define inet_pton isc_net_pton
 #endif
 
 #ifdef ISC_PLATFORM_NEEDATON
-int isc_net_aton(const char *cp, struct in_addr *addr);
+int
+isc_net_aton(const char *cp, struct in_addr *addr);
 #define inet_aton isc_net_aton
 #endif
 
-/*
- * Tell emacs to use C mode for this file.
- *
- * Local Variables:
- * mode: c
- * End:
- */
+ISC_LANG_ENDDECLS
 
 #endif /* ISC_NET_H */
diff --git a/lib/isc/unix/ufile.c b/lib/isc/unix/include/isc/offset.h
index 969353c2..5f2b7646 100644
--- a/lib/isc/unix/ufile.c
+++ b/lib/isc/unix/include/isc/offset.h
@@ -15,24 +15,17 @@
  * SOFTWARE.
  */
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
+/* $Id: offset.h,v 1.3 2000/04/28 22:13:15 tale Exp $ */
 
-#include <isc/ufile.h>
+#ifndef ISC_OFFSET_H
+#define ISC_OFFSET_H 1
 
-FILE *
-isc_ufile(char *template) {
-	int fd;
-	FILE *f;
+/*
+ * File offsets are operating-system dependent.
+ */
+
+#include <sys/types.h>
+
+typedef off_t isc_offset_t;
 
-	fd = mkstemp(template);
-	if (fd == -1)
-		return(NULL);
-	f = fdopen(fd, "w+");
-	if (f == NULL) {
-		(void)remove(template);
-		(void)close(fd);
-	}
-	return (f);
-}
+#endif /* ISC_OFFSET_H */
diff --git a/lib/isc/unix/include/isc/stdtime.h b/lib/isc/unix/include/isc/stdtime.h
index f79221e8..27aa8391 100644
--- a/lib/isc/unix/include/isc/stdtime.h
+++ b/lib/isc/unix/include/isc/stdtime.h
@@ -18,13 +18,8 @@
 #ifndef ISC_STDTIME_H
 #define ISC_STDTIME_H 1
 
-#include <time.h>
-
 #include <isc/lang.h>
 #include <isc/int.h>
-#include <isc/result.h>
-
-ISC_LANG_BEGINDECLS
 
 /*
  * It's public information that 'isc_stdtime_t' is an unsigned integral type.
@@ -33,6 +28,8 @@ ISC_LANG_BEGINDECLS
  */
 typedef isc_uint32_t isc_stdtime_t;
 
+ISC_LANG_BEGINDECLS
+
 void
 isc_stdtime_get(isc_stdtime_t *t);
 /*
diff --git a/lib/isc/unix/include/isc/time.h b/lib/isc/unix/include/isc/time.h
index d2913ccd..372bf670 100644
--- a/lib/isc/unix/include/isc/time.h
+++ b/lib/isc/unix/include/isc/time.h
@@ -18,13 +18,8 @@
 #ifndef ISC_TIME_H
 #define ISC_TIME_H 1
 
-#include <time.h>
-
 #include <isc/lang.h>
-#include <isc/result.h>
-#include <isc/boolean.h>
-
-ISC_LANG_BEGINDECLS
+#include <isc/types.h>
 
 /***
  *** Intervals
@@ -36,13 +31,15 @@ ISC_LANG_BEGINDECLS
  *
  * The contents are exposed only to allow callers to avoid dynamic allocation.
  */
-typedef struct isc_interval {
+struct isc_interval {
 	unsigned int seconds;
 	unsigned int nanoseconds;
-} isc_interval_t;
+};
 
 extern isc_interval_t *isc_interval_zero;
 
+ISC_LANG_BEGINDECLS
+
 void
 isc_interval_set(isc_interval_t *i,
 		 unsigned int seconds, unsigned int nanoseconds);
@@ -53,9 +50,8 @@ isc_interval_set(isc_interval_t *i,
  *
  * Requires:
  *
- *	't' is a valid.
- *
- *	nanoseconds < 1000000000
+ *	't' is a valid pointer.
+ *	nanoseconds < 1000000000.
  */
 
 isc_boolean_t
@@ -65,8 +61,7 @@ isc_interval_iszero(isc_interval_t *i);
  *
  * Requires:
  *
- *	't' is a valid.
- *
+ *	'i' is a valid pointer.
  */
 
 /***
@@ -80,14 +75,31 @@ isc_interval_iszero(isc_interval_t *i);
  * The contents are exposed only to allow callers to avoid dynamic allocation.
  */
 
-typedef struct isc_time {
-	time_t		seconds;
+struct isc_time {
+	unsigned int	seconds;
 	unsigned int	nanoseconds;
-} isc_time_t;
+};
 
 extern isc_time_t *isc_time_epoch;
 
 void
+isc_time_set(isc_time_t *t, unsigned int seconds, unsigned int nanoseconds);
+/*
+ * Set 't' to a particular number of seconds + nanoseconds since the epoch.
+ *
+ * Notes:
+ *	This call is equivalent to:
+ *
+ *	isc_time_settoepoch(t);
+ *	isc_interval_set(i, seconds, nanoseconds);
+ *	isc_time_add(t, i, t);
+ *
+ * Requires:
+ *	't' is a valid pointer.
+ *	nanoseconds < 1000000000.
+ */
+
+void
 isc_time_settoepoch(isc_time_t *t);
 /*
  * Set 't' to the time of the epoch.
@@ -97,8 +109,7 @@ isc_time_settoepoch(isc_time_t *t);
  *
  * Requires:
  *
- *	't' is a valid.
- *
+ *	't' is a valid pointer.
  */
 
 isc_boolean_t
@@ -108,8 +119,7 @@ isc_time_isepoch(isc_time_t *t);
  *
  * Requires:
  *
- *	't' is a valid.
- *
+ *	't' is a valid pointer.
  */
 
 isc_result_t
@@ -125,6 +135,10 @@ isc_time_now(isc_time_t *t);
  *
  *	Success
  *	Unexpected error
+ *		Getting the time from the system failed.
+ *	Out of range
+ *		The time from the system is too large to be represented
+ *		in the current definition of isc_time_t.
  */
 
 isc_result_t
@@ -133,7 +147,6 @@ isc_time_nowplusinterval(isc_time_t *t, isc_interval_t *i);
  * Set *t to the current absolute time + i.
  *
  * Note:
- *
  *	This call is equivalent to:
  *
  *		isc_time_now(t);
@@ -141,12 +154,16 @@ isc_time_nowplusinterval(isc_time_t *t, isc_interval_t *i);
  *
  * Requires:
  *
- *	't' and 'i' are valid.
+ *	't' and 'i' are valid pointers.
  *
  * Returns:
  *
  *	Success
  *	Unexpected error
+ *		Getting the time from the system failed.
+ *	Out of range
+ *		The interval added to the time from the system is too large to
+ *		be represented in the current definition of isc_time_t.
  */
 
 int
@@ -156,7 +173,7 @@ isc_time_compare(isc_time_t *t1, isc_time_t *t2);
  *
  * Requires:
  *
- *	't1' and 't2' are a valid.
+ *	't1' and 't2' are valid pointers.
  *
  * Returns:
  *
@@ -165,26 +182,35 @@ isc_time_compare(isc_time_t *t1, isc_time_t *t2);
  *	1		t1 > t2
  */
 
-void
+isc_result_t
 isc_time_add(isc_time_t *t, isc_interval_t *i, isc_time_t *result);
 /*
  * Add 'i' to 't', storing the result in 'result'.
  *
  * Requires:
  *
- *	't', 'i', and 'result' are valid.
+ *	't', 'i', and 'result' are valid pointers.
+ *
+ * Returns:
+ * 	Success
+ *	Out of range
+ * 		The interval added to the time is too large to
+ *		be represented in the current definition of isc_time_t.
  */
 
-void
+isc_result_t
 isc_time_subtract(isc_time_t *t, isc_interval_t *i, isc_time_t *result);
 /*
  * Subtract 'i' from 't', storing the result in 'result'.
  *
  * Requires:
  *
- *	't', 'i', and 'result' are valid.
+ *	't', 'i', and 'result' are valid pointers.
  *
- *	t >= epoch + i			(comparing times, not pointers)
+ * Returns:
+ *	Success
+ *	Out of range
+ *		The interval is larger than the time since the epoch.
  */
 
 isc_uint64_t
@@ -194,7 +220,8 @@ isc_time_microdiff(isc_time_t *t1, isc_time_t *t2);
  * t2 is the subtrahend of t1; ie, difference = t1 - t2.
  *
  * Requires:
- *	No formal requirements are asserted.
+ *
+ *	't1' and 't2' are valid pointers.
  */
 
 isc_uint32_t
@@ -203,7 +230,31 @@ isc_time_seconds(isc_time_t *t);
  * Return the number of seconds since the epoch stored in a time structure.
  *
  * Requires:
- *	No formal requirements are asserted.
+ *
+ *	't' is a valid pointer.
+ */
+
+isc_result_t
+isc_time_secondsastimet(isc_time_t *t, time_t *secondsp);
+/*
+ * Ensure the number of seconds in an isc_time_t is representable by a time_t.
+ *
+ * Notes:
+ *	The number of seconds stored in an isc_time_t might be larger
+ *	than the number of seconds a time_t is able to handle.  Since
+ *	time_t is mostly opaque according to the ANSI/ISO standard
+ *	(essentially, all you can be sure of is that it is an arithmetic type,
+ *	not even necessarily integral), it can be tricky to ensure that
+ *	the isc_time_t is in the range a time_t can handle.  Use this
+ *	function in place of isc_time_seconds() any time you need to set a
+ *	time_t from an isc_time_t.
+ *
+ * Requires:
+ *	't' is a valid pointer.
+ *
+ * Returns:
+ *	Success
+ *	Out of range
  */
 
 isc_uint32_t
@@ -217,7 +268,7 @@ isc_time_nanoseconds(isc_time_t *t);
  *	full second.
  *
  * Requires:
- *	No formal requirements are asserted.
+ *	't' is a valid pointer.
  *
  * Ensures:
  *	The returned value is less than 1*10^9.
diff --git a/lib/isc/unix/interfaceiter.c b/lib/isc/unix/interfaceiter.c
index 9714cd04..770c20ea 100644
--- a/lib/isc/unix/interfaceiter.c
+++ b/lib/isc/unix/interfaceiter.c
@@ -20,22 +20,21 @@
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #ifdef HAVE_SYS_SOCKIO_H
-#include <sys/sockio.h>
+#include <sys/sockio.h>		/* Required for ifiter_ioctl.c. */
 #endif
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
-#include <string.h>
 #include <errno.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
 #include <isc/mem.h>
 #include <isc/net.h>
 #include <isc/result.h>
+#include <isc/string.h>
 #include <isc/types.h>
 #include <isc/interfaceiter.h>
+#include <isc/util.h>
 
 #include <net/if.h>		/* Must follow <isc/net.h>. */
 
diff --git a/lib/isc/unix/mktemplate.c b/lib/isc/unix/mktemplate.c
deleted file mode 100644
index 791608a4..00000000
--- a/lib/isc/unix/mktemplate.c
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 2000  Internet Software Consortium.
- * 
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- * 
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-#include <string.h>
-#include <isc/mktemplate.h>
-
-#define TEMPLATE "tmp-XXXXXX"
-
-isc_result_t
-isc_mktemplate(const char *file, char *buf, size_t buflen) {
-	char *s;
-
-	s = strrchr(file, '/');
-	if (s != NULL) {
-		if ((s - file + 1 + sizeof(TEMPLATE)) > buflen)
-			return (ISC_R_NOSPACE);
-		strncpy(buf, file, s - file + 1);
-		buf[s - file + 1] = '\0';
-		strcat(buf, TEMPLATE);
-		return(ISC_R_SUCCESS);
-	}
-	if (sizeof(TEMPLATE) > buflen)
-		return (ISC_R_NOSPACE);
-	strcpy(buf, TEMPLATE);
-	return(ISC_R_SUCCESS);
-}
diff --git a/lib/isc/unix/net.c b/lib/isc/unix/net.c
index 89c41a0a..c5d54061 100644
--- a/lib/isc/unix/net.c
+++ b/lib/isc/unix/net.c
@@ -18,13 +18,12 @@
 #include <config.h>
 
 #include <errno.h>
-#include <string.h>
 #include <unistd.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
 #include <isc/net.h>
 #include <isc/once.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #if defined(ISC_PLATFORM_HAVEIPV6) && defined(ISC_PLATFORM_NEEDIN6ADDRANY)
 const struct in6_addr isc_net_in6addrany = IN6ADDR_ANY_INIT;
@@ -67,7 +66,11 @@ static void
 initialize_action(void) {
 	ipv4_result = try_proto(PF_INET);
 #ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
 	ipv6_result = try_proto(PF_INET6);
+#else
+	ipv6_result = 0;
+#endif
 #endif
 }
 
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index 43fb6a04..ed2c563b 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -17,6 +17,7 @@
 
 #include <config.h>
 
+#include <sys/param.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/time.h>
@@ -29,15 +30,17 @@
 #include <unistd.h>
 #include <fcntl.h>
 
-#include <isc/assertions.h>
 #include <isc/buffer.h>
+#include <isc/bufferlist.h>
 #include <isc/condition.h>
-#include <isc/error.h>
 #include <isc/list.h>
-#include <isc/mutex.h>
+#include <isc/log.h>
+#include <isc/mem.h>
 #include <isc/net.h>
+#include <isc/print.h>
 #include <isc/region.h>
 #include <isc/socket.h>
+#include <isc/task.h>
 #include <isc/thread.h>
 #include <isc/util.h>
 
@@ -62,39 +65,20 @@
 			 (e) == EINTR || \
 			 (e) == 0)
 
-#if 0
-#define ISC_SOCKET_DEBUG
-#endif
+#define DLVL(x) ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(x)
 
-#if defined(ISC_SOCKET_DEBUG)
-#define TRACE_WATCHER	0x0001
-#define TRACE_LISTEN	0x0002
-#define TRACE_CONNECT	0x0004
-#define TRACE_RECV	0x0008
-#define TRACE_SEND    	0x0010
-#define TRACE_MANAGER	0x0020
-
-int trace_level = TRACE_RECV;
-#define XTRACE(l, a)	do {						\
-				if ((l) & trace_level) {		\
-					printf("[%s:%d] ", __FILE__, __LINE__); \
-					printf a;			\
-					fflush(stdout);			\
-				}					\
-			} while (0)
-#define XENTER(l, a)	do {						\
-				if ((l) & trace_level)			\
-					fprintf(stderr, "ENTER %s\n", (a)); \
-			} while (0)
-#define XEXIT(l, a)	do {						\
-				if ((l) & trace_level)			\
-					fprintf(stderr, "EXIT %s\n", (a)); \
-			} while (0)
-#else
-#define XTRACE(l, a)
-#define XENTER(l, a)
-#define XEXIT(l, a)
-#endif
+/*
+ * DLVL(90)  --  Function entry/exit and other tracing.
+ * DLVL(70)  --  Socket "correctness" -- including returning of events, etc.
+ * DLVL(60)  --  Socket data send/receive
+ * DLVL(50)  --  Event tracing, including receiving/sending completion events.
+ * DLVL(20)  --  Socket creation/destruction.
+ */
+#define TRACE		DLVL(90)
+#define CORRECTNESS	DLVL(70)
+#define IOEVENT		DLVL(60)
+#define EVENT		DLVL(50)
+#define CREATION	DLVL(20)
 
 typedef isc_event_t intev_t;
 
@@ -133,16 +117,16 @@ typedef isc_event_t intev_t;
 
 struct isc_socket {
 	/* Not locked. */
-	unsigned int			magic;
-	isc_socketmgr_t		       *manager;
-	isc_mutex_t			lock;
-	isc_sockettype_t		type;
+	unsigned int		magic;
+	isc_socketmgr_t	       *manager;
+	isc_mutex_t		lock;
+	isc_sockettype_t	type;
 
 	/* Locked by socket lock. */
-	unsigned int			references;
-	int				fd;
-	isc_result_t			recv_result;
-	isc_result_t			send_result;
+	unsigned int		references;
+	int			fd;
+	isc_result_t		recv_result;
+	isc_result_t		send_result;
 
 	ISC_LIST(isc_socketevent_t)		send_list;
 	ISC_LIST(isc_socketevent_t)		recv_list;
@@ -154,45 +138,46 @@ struct isc_socket {
 	 * writable.  These are statically allocated and never freed.
 	 * They will be set to non-purgable before use.
 	 */
-	intev_t				readable_ev;
-	intev_t				writable_ev;
+	intev_t			readable_ev;
+	intev_t			writable_ev;
 
-	isc_sockaddr_t			address;  /* remote address */
+	isc_sockaddr_t		address;  /* remote address */
 
-	unsigned int			pending_recv : 1,
-					pending_send : 1,
-					pending_accept : 1,
-					listener : 1, /* listener socket */
-					connected : 1,
-					connecting : 1; /* connect pending */
+	unsigned int		pending_recv : 1,
+				pending_send : 1,
+				pending_accept : 1,
+				listener : 1, /* listener socket */
+				connected : 1,
+				connecting : 1, /* connect pending */
+				bound : 1; /* bound to local addr */
 
 #ifdef ISC_NET_RECVOVERFLOW
-	unsigned char			overflow; /* used for MSG_TRUNC fake */
+	unsigned char		overflow; /* used for MSG_TRUNC fake */
 #endif
 #ifdef USE_CMSG
-	unsigned char		       *cmsg;
-	unsigned int			cmsglen;
+	unsigned char	       *cmsg;
+	unsigned int		cmsglen;
 #endif
 };
 
-#define SOCKET_MANAGER_MAGIC		0x494f6d67U	/* IOmg */
-#define VALID_MANAGER(m)		((m) != NULL && \
-					 (m)->magic == SOCKET_MANAGER_MAGIC)
+#define SOCKET_MANAGER_MAGIC	0x494f6d67U	/* IOmg */
+#define VALID_MANAGER(m)	((m) != NULL && \
+				 (m)->magic == SOCKET_MANAGER_MAGIC)
 struct isc_socketmgr {
 	/* Not locked. */
-	unsigned int			magic;
-	isc_mem_t		       *mctx;
-	isc_mutex_t			lock;
+	unsigned int		magic;
+	isc_mem_t	       *mctx;
+	isc_mutex_t		lock;
 	/* Locked by manager lock. */
-	unsigned int			nsockets;  /* sockets managed */
-	isc_thread_t			watcher;
-	isc_condition_t			shutdown_ok;
-	fd_set				read_fds;
-	fd_set				write_fds;
-	isc_socket_t		       *fds[FD_SETSIZE];
-	int				fdstate[FD_SETSIZE];
-	int				maxfd;
-	int				pipe_fds[2];
+	unsigned int		nsockets;  /* sockets managed */
+	isc_thread_t		watcher;
+	isc_condition_t		shutdown_ok;
+	fd_set			read_fds;
+	fd_set			write_fds;
+	isc_socket_t	       *fds[FD_SETSIZE];
+	int			fdstate[FD_SETSIZE];
+	int			maxfd;
+	int			pipe_fds[2];
 };
 
 #define CLOSED		0	/* this one must be zero */
@@ -234,14 +219,52 @@ static void build_msghdr_recv(isc_socket_t *, isc_socketevent_t *,
 
 #define SOCK_DEAD(s)			((s)->references == 0)
 
+static void
+manager_log(isc_socketmgr_t *sockmgr,
+	    isc_logcategory_t *category, isc_logmodule_t *module, int level,
+	    const char *fmt, ...)
+{
+	char msgbuf[2048];
+	va_list ap;
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	isc_log_write(isc_lctx, category, module, level,
+		      "sockmgr %p: %s", sockmgr, msgbuf);
+}
+
+static void
+socket_log(isc_socket_t *sock, isc_sockaddr_t *address,
+	   isc_logcategory_t *category, isc_logmodule_t *module, int level,
+	   const char *fmt, ...)
+{
+	char msgbuf[2048];
+	char peerbuf[256];
+	va_list ap;
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	if (address == NULL) {
+		isc_log_write(isc_lctx, category, module, level,
+			      "socket %p: %s", sock, msgbuf);
+	} else {
+		isc_sockaddr_format(address, peerbuf, sizeof peerbuf);
+		isc_log_write(isc_lctx, category, module, level,
+			      "socket %p %s: %s", sock, peerbuf, msgbuf);
+	}
+}
+
 /*
  * Poke the select loop when there is something for us to do.
  * We assume that if a write completes here, it will be inserted into the
  * queue fully.  That is, we will not get partial writes.
  */
 static void
-select_poke(isc_socketmgr_t *mgr, int msg)
-{
+select_poke(isc_socketmgr_t *mgr, int msg) {
 	int cc;
 
 	do {
@@ -260,8 +283,7 @@ select_poke(isc_socketmgr_t *mgr, int msg)
  * read a message on the internal fd.
  */
 static int
-select_readmsg(isc_socketmgr_t *mgr)
-{
+select_readmsg(isc_socketmgr_t *mgr) {
 	int msg;
 	int cc;
 
@@ -284,8 +306,7 @@ select_readmsg(isc_socketmgr_t *mgr)
  * Make a fd non-blocking
  */
 static isc_result_t
-make_nonblock(int fd)
-{
+make_nonblock(int fd) {
 	int ret;
 	int flags;
 
@@ -308,8 +329,7 @@ make_nonblock(int fd)
  * Process control messages received on a socket.
  */
 static void
-process_cmsg(isc_socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev)
-{
+process_cmsg(isc_socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev) {
 #ifdef USE_CMSG
 	struct cmsghdr *cmsgp;
 #ifdef ISC_PLATFORM_HAVEIPV6
@@ -320,9 +340,21 @@ process_cmsg(isc_socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev)
 #endif
 #endif
 
-	(void)sock;
+	/*
+	 * sock is used only when ISC_NET_BSD44MSGHDR and USE_CMSG are defined.
+	 * msg and dev are used only when ISC_NET_BSD44MSGHDR is defined.
+	 * They are all here, outside of the CPP tests, because it is
+	 * more consistent with the usual ISC coding style.
+	 */
+	UNUSED(sock);
+	UNUSED(msg);
+	UNUSED(dev);
+
+#ifndef ISC_NET_BSD44MSGHDR
+	return;
+
+#else  /* defined ISC_NET_BSD44MSGHDR */
 
-#ifdef ISC_NET_BSD44MSGHDR
 #ifdef MSG_TRUNC
 	if ((msg->msg_flags & MSG_TRUNC) == MSG_TRUNC)
 		dev->attributes |= ISC_SOCKEVENTATTR_TRUNC;
@@ -348,15 +380,19 @@ process_cmsg(isc_socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev)
 
 	cmsgp = CMSG_FIRSTHDR(msg);
 	while (cmsgp != NULL) {
-		XTRACE(TRACE_RECV, ("Processing cmsg %p\n", cmsgp));
+		socket_log(sock, NULL, TRACE, "processing cmsg %p", cmsgp);
 
 #ifdef ISC_PLATFORM_HAVEIPV6
 		if (cmsgp->cmsg_level == IPPROTO_IPV6
 		    && cmsgp->cmsg_type == IPV6_PKTINFO) {
+			isc_sockaddr_t sa;
+
 			pktinfop = (struct in6_pktinfo *)CMSG_DATA(cmsgp);
 			memcpy(&dev->pktinfo, pktinfop,
 			       sizeof(struct in6_pktinfo));
 			dev->attributes |= ISC_SOCKEVENTATTR_PKTINFO;
+			isc_sockaddr_fromin6(&sa, &dev->pktinfo.ipi6_addr, 53);
+			socket_log(sock, &sa, TRACE, "interface received on ifindex %u", dev->pktinfo.ipi6_ifindex);
 			goto next;
 		}
 #endif
@@ -437,16 +473,16 @@ build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev,
 	skip_count = dev->n;
 	while (buffer != NULL) {
 		REQUIRE(ISC_BUFFER_VALID(buffer));
-		if (skip_count < ISC_BUFFER_USEDCOUNT(buffer))
+		if (skip_count < isc_buffer_usedlength(buffer))
 			break;
-		skip_count -= ISC_BUFFER_USEDCOUNT(buffer);
+		skip_count -= isc_buffer_usedlength(buffer);
 		buffer = ISC_LIST_NEXT(buffer, link);
 	}
 
 	while (buffer != NULL) {
 		INSIST(iovcount < maxiov);
 
-		isc_buffer_used(buffer, &used);
+		isc_buffer_usedregion(buffer, &used);
 
 		if (used.length > 0) {
 			iov[iovcount].iov_base = (void *)(used.base
@@ -474,6 +510,10 @@ build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev,
 	    && ((dev->attributes & ISC_SOCKEVENTATTR_PKTINFO) != 0)) {
 		struct cmsghdr *cmsgp;
 		struct in6_pktinfo *pktinfop;
+		isc_sockaddr_t sa;
+
+		isc_sockaddr_fromin6(&sa, &dev->pktinfo.ipi6_addr, 53);
+		socket_log(sock, &sa, TRACE, "sendto pktinfo data, ifindex %u", dev->pktinfo.ipi6_ifindex);
 
 		msg->msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo));
 		msg->msg_control = (void *)sock->cmsg;
@@ -554,7 +594,7 @@ build_msghdr_recv(isc_socket_t *sock, isc_socketevent_t *dev,
 	 */
 	while (buffer != NULL) {
 		REQUIRE(ISC_BUFFER_VALID(buffer));
-		if (ISC_BUFFER_AVAILABLECOUNT(buffer) != 0)
+		if (isc_buffer_availablelength(buffer) != 0)
 			break;
 		buffer = ISC_LIST_NEXT(buffer, link);
 	}
@@ -563,7 +603,7 @@ build_msghdr_recv(isc_socket_t *sock, isc_socketevent_t *dev,
 	while (buffer != NULL) {
 		INSIST(iovcount < maxiov);
 
-		isc_buffer_available(buffer, &available);
+		isc_buffer_availableregion(buffer, &available);
 
 		if (available.length > 0) {
 			iov[iovcount].iov_base = (void *)(available.base);
@@ -641,19 +681,19 @@ allocate_socketevent(isc_socket_t *sock, isc_eventtype_t eventtype,
 		return (NULL);
 
 	ev->result = ISC_R_UNEXPECTED;
-	ISC_LINK_INIT(ev, link);
+	ISC_LINK_INIT(ev, ev_link);
 	ISC_LIST_INIT(ev->bufferlist);
 	ev->region.base = NULL;
 	ev->n = 0;
 	ev->offset = 0;
+	ev->attributes = 0;
 
 	return (ev);
 }
 
 #if defined(ISC_SOCKET_DEBUG)
 static void
-dump_msg(struct msghdr *msg)
-{
+dump_msg(struct msghdr *msg) {
 	unsigned int i;
 
 	printf("MSGHDR %p\n", msg);
@@ -677,8 +717,7 @@ dump_msg(struct msghdr *msg)
 #define DOIO_UNEXPECTED		(-1)	/* bad stuff, no event sent */
 
 static int
-doio_recv(isc_socket_t *sock, isc_socketevent_t *dev)
-{
+doio_recv(isc_socket_t *sock, isc_socketevent_t *dev) {
 	int cc;
 	struct iovec iov[MAXSCATTERGATHER_RECV];
 	size_t read_count;
@@ -699,9 +738,9 @@ doio_recv(isc_socket_t *sock, isc_socketevent_t *dev)
 		if (SOFT_ERROR(errno))
 			return (DOIO_SOFT);
 
-	XTRACE(TRACE_RECV,
-	       ("doio_recv: recvmsg(%d) %d bytes, err %d/%s\n",
-		sock->fd, cc, errno, strerror(errno)));
+		socket_log(sock, NULL, IOEVENT,
+			   "doio_recv: recvmsg(%d) %d bytes, err %d/%s",
+			   sock->fd, cc, errno, strerror(errno));
 
 #define SOFT_OR_HARD(_system, _isc) \
 	if (errno == _system) { \
@@ -713,19 +752,20 @@ doio_recv(isc_socket_t *sock, isc_socketevent_t *dev)
 		} \
 		return (DOIO_SOFT); \
 	}
+#define ALWAYS_HARD(_system, _isc) \
+	if (errno == _system) { \
+		sock->recv_result = _isc; \
+		send_recvdone_event(sock, &dev, _isc); \
+		return (DOIO_HARD); \
+	}
 
 		SOFT_OR_HARD(ECONNREFUSED, ISC_R_CONNREFUSED);
-		SOFT_OR_HARD(ENETUNREACH, ISC_R_NETUNREACH);
-		SOFT_OR_HARD(EHOSTUNREACH, ISC_R_HOSTUNREACH);
-#undef SOFT_OR_HARD
+		ALWAYS_HARD(ENETUNREACH, ISC_R_NETUNREACH);
+		ALWAYS_HARD(EHOSTUNREACH, ISC_R_HOSTUNREACH);
+		ALWAYS_HARD(ENOBUFS, ISC_R_NORESOURCES);
 
-		/*
-		 * This might not be a permanent error.
-		 */
-		if (errno == ENOBUFS) {
-			send_recvdone_event(sock, &dev, ISC_R_NORESOURCES);
-			return (DOIO_HARD);
-		}
+#undef SOFT_OR_HARD
+#undef ALWAYS_HARD
 
 		sock->recv_result = ISC_R_UNEXPECTED;
 		send_recvdone_event(sock, &dev, ISC_R_UNEXPECTED);
@@ -745,6 +785,8 @@ doio_recv(isc_socket_t *sock, isc_socketevent_t *dev)
 	if (sock->type == isc_sockettype_udp)
 		dev->address.length = msghdr.msg_namelen;
 
+	socket_log(sock, &dev->address, IOEVENT, "packet received correctly");
+
 	/*
 	 * Overflow bit detection.  If we received MORE bytes than we should,
 	 * this indicates an overflow situation.  Set the flag in the
@@ -772,10 +814,10 @@ doio_recv(isc_socket_t *sock, isc_socketevent_t *dev)
 	buffer = ISC_LIST_HEAD(dev->bufferlist);
 	while (buffer != NULL && actual_count > 0) {
 		REQUIRE(ISC_BUFFER_VALID(buffer));
-		if (ISC_BUFFER_AVAILABLECOUNT(buffer) <= actual_count) {
-			actual_count -= ISC_BUFFER_AVAILABLECOUNT(buffer);
+		if (isc_buffer_availablelength(buffer) <= actual_count) {
+			actual_count -= isc_buffer_availablelength(buffer);
 			isc_buffer_add(buffer,
-				       ISC_BUFFER_AVAILABLECOUNT(buffer));
+				       isc_buffer_availablelength(buffer));
 		} else {
 			isc_buffer_add(buffer, actual_count);
 			actual_count = 0;
@@ -802,13 +844,13 @@ doio_recv(isc_socket_t *sock, isc_socketevent_t *dev)
 }
 
 static int
-doio_send(isc_socket_t *sock, isc_socketevent_t *dev)
-{
+doio_send(isc_socket_t *sock, isc_socketevent_t *dev) {
 	int cc;
 	struct iovec iov[MAXSCATTERGATHER_SEND];
 	size_t write_count;
 	struct msghdr msghdr;
 
+	/* XXXMLG Should verify that we didn't overflow MAXSCATTERGATHER? */
 	build_msghdr_send(sock, dev, &msghdr, iov,
 			  MAXSCATTERGATHER_SEND, &write_count);
 
@@ -831,19 +873,22 @@ doio_send(isc_socket_t *sock, isc_socketevent_t *dev)
 		} \
 		return (DOIO_SOFT); \
 	}
+#define ALWAYS_HARD(_system, _isc) \
+	if (errno == _system) { \
+		if (sock->connected && sock->type == isc_sockettype_tcp) \
+			sock->send_result = _isc; \
+		send_senddone_event(sock, &dev, _isc); \
+		return (DOIO_HARD); \
+	}
 
 		SOFT_OR_HARD(ECONNREFUSED, ISC_R_CONNREFUSED);
-		SOFT_OR_HARD(ENETUNREACH, ISC_R_NETUNREACH);
-		SOFT_OR_HARD(EHOSTUNREACH, ISC_R_HOSTUNREACH);
-#undef SOFT_OR_HARD
+		ALWAYS_HARD(ENETUNREACH, ISC_R_NETUNREACH);
+		ALWAYS_HARD(EHOSTUNREACH, ISC_R_HOSTUNREACH);
+		ALWAYS_HARD(ENOBUFS, ISC_R_NORESOURCES);
+		ALWAYS_HARD(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
 
-		/*
-		 * This might not be a permanent error.
-		 */
-		if (errno == ENOBUFS) {
-			send_senddone_event(sock, &dev, ISC_R_NORESOURCES);
-			return (DOIO_HARD);
-		}
+#undef SOFT_OR_HARD
+#undef ALWAYS_HARD
 
 		/*
 		 * The other error types depend on whether or not the
@@ -857,7 +902,8 @@ doio_send(isc_socket_t *sock, isc_socketevent_t *dev)
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "internal_send: %s",
 				 strerror(errno));
-		sock->send_result = ISC_R_UNEXPECTED;
+		if (sock->connected && sock->type == isc_sockettype_tcp)
+			sock->send_result = ISC_R_UNEXPECTED;
 		send_senddone_event(sock, &dev, ISC_R_UNEXPECTED);
 		return (DOIO_HARD);
 	}
@@ -889,13 +935,11 @@ doio_send(isc_socket_t *sock, isc_socketevent_t *dev)
  * references exist.
  */
 static void
-destroy(isc_socket_t **sockp)
-{
+destroy(isc_socket_t **sockp) {
 	isc_socket_t *sock = *sockp;
 	isc_socketmgr_t *manager = sock->manager;
 
-	XTRACE(TRACE_MANAGER,
-	       ("destroy sockp = %p, sock = %p\n", sockp, sock));
+	socket_log(sock, NULL, CREATION, "destroying");
 
 	INSIST(ISC_LIST_EMPTY(sock->accept_list));
 	INSIST(ISC_LIST_EMPTY(sock->recv_list));
@@ -912,7 +956,9 @@ destroy(isc_socket_t **sockp)
 	manager->fdstate[sock->fd] = CLOSE_PENDING;
 	select_poke(sock->manager, sock->fd);
 	manager->nsockets--;
-	XTRACE(TRACE_MANAGER, ("nsockets == %d\n", manager->nsockets));
+	manager_log(manager, CREATION,
+		    "sockets %d", manager->nsockets);
+
 	if (manager->nsockets == 0)
 		SIGNAL(&manager->shutdown_ok);
 
@@ -974,6 +1020,7 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
 	sock->listener = 0;
 	sock->connected = 0;
 	sock->connecting = 0;
+	sock->bound = 0;
 
 	sock->recv_result = ISC_R_SUCCESS;
 	sock->send_result = ISC_R_SUCCESS;
@@ -1009,8 +1056,8 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
 	isc_mem_put(manager->mctx, sock->cmsg, sock->cmsglen);
 	sock->cmsglen = 0;
 	sock->cmsg = NULL;
-#endif
  err1: /* socket allocated */
+#endif
 	isc_mem_put(manager->mctx, sock, sizeof *sock);
 
 	return (ret);
@@ -1024,8 +1071,7 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
  * also close the socket.
  */
 static void
-free_socket(isc_socket_t **socketp)
-{
+free_socket(isc_socket_t **socketp) {
 	isc_socket_t *sock = *socketp;
 
 	INSIST(sock->references == 0);
@@ -1070,8 +1116,6 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 	REQUIRE(VALID_MANAGER(manager));
 	REQUIRE(socketp != NULL && *socketp == NULL);
 
-	XENTER(TRACE_MANAGER, "isc_socket_create");
-	
 	ret = allocate_socket(manager, type, &sock);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
@@ -1143,13 +1187,14 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 	manager->fds[sock->fd] = sock;
 	manager->fdstate[sock->fd] = MANAGED;
 	manager->nsockets++;
-	XTRACE(TRACE_MANAGER, ("nsockets == %d\n", manager->nsockets));
+	manager_log(manager, CREATION,
+		    "sockets %d", manager->nsockets);
 	if (manager->maxfd < sock->fd)
 		manager->maxfd = sock->fd;
 
 	UNLOCK(&manager->lock);
 
-	XEXIT(TRACE_MANAGER, "isc_socket_create");
+	socket_log(sock, NULL, CREATION, "created");
 
 	return (ISC_R_SUCCESS);
 }
@@ -1158,8 +1203,7 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
  * Attach to a socket.  Caller must explicitly detach when it is done.
  */
 void
-isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp)
-{
+isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp) {
 	REQUIRE(VALID_SOCKET(sock));
 	REQUIRE(socketp != NULL && *socketp == NULL);
 
@@ -1175,8 +1219,7 @@ isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp)
  * up by destroying the socket.
  */
 void 
-isc_socket_detach(isc_socket_t **socketp)
-{
+isc_socket_detach(isc_socket_t **socketp) {
 	isc_socket_t *sock;
 	isc_boolean_t kill_socket = ISC_FALSE;
 
@@ -1184,8 +1227,6 @@ isc_socket_detach(isc_socket_t **socketp)
 	sock = *socketp;
 	REQUIRE(VALID_SOCKET(sock));
 
-	XENTER(TRACE_MANAGER, "isc_socket_detach");
-
 	LOCK(&sock->lock);
 	REQUIRE(sock->references > 0);
 	sock->references--;
@@ -1196,8 +1237,6 @@ isc_socket_detach(isc_socket_t **socketp)
 	if (kill_socket)
 		destroy(&sock);
 
-	XEXIT(TRACE_MANAGER, "isc_socket_detach");
-
 	*socketp = NULL;
 }
 
@@ -1210,8 +1249,7 @@ isc_socket_detach(isc_socket_t **socketp)
  * The socket and manager must be locked before calling this function.
  */
 static void
-dispatch_read(isc_socket_t *sock)
-{
+dispatch_recv(isc_socket_t *sock) {
 	intev_t *iev;
 	isc_socketevent_t *ev;
 
@@ -1224,20 +1262,19 @@ dispatch_read(isc_socket_t *sock)
 	sock->pending_recv = 1;
 	iev = &sock->readable_ev;
 
-	XTRACE(TRACE_WATCHER, ("dispatch_read:  posted event %p to task %p\n",
-			       ev, ev->sender));
+	socket_log(sock, NULL, EVENT, "dispatch_recv:  event %p -> task %p",
+		   ev, ev->ev_sender);
 
 	sock->references++;
-	iev->sender = sock;
-	iev->action = internal_recv;
-	iev->arg = sock;
+	iev->ev_sender = sock;
+	iev->ev_action = internal_recv;
+	iev->ev_arg = sock;
 
-	isc_task_send(ev->sender, (isc_event_t **)&iev);
+	isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
 }
 
 static void
-dispatch_write(isc_socket_t *sock)
-{
+dispatch_send(isc_socket_t *sock) {
 	intev_t *iev;
 	isc_socketevent_t *ev;
 
@@ -1250,23 +1287,22 @@ dispatch_write(isc_socket_t *sock)
 	sock->pending_send = 1;
 	iev = &sock->writable_ev;
 
-	XTRACE(TRACE_WATCHER, ("dispatch_send:  posted event %p to task %p\n",
-			       ev, ev->sender));
+	socket_log(sock, NULL, EVENT, "dispatch_send:  event %p -> task %p",
+		   ev, ev->ev_sender);
 
 	sock->references++;
-	iev->sender = sock;
-	iev->action = internal_send;
-	iev->arg = sock;
+	iev->ev_sender = sock;
+	iev->ev_action = internal_send;
+	iev->ev_arg = sock;
 
-	isc_task_send(ev->sender, (isc_event_t **)&iev);
+	isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
 }
 
 /*
  * Dispatch an internal accept event.
  */
 static void
-dispatch_accept(isc_socket_t *sock)
-{
+dispatch_accept(isc_socket_t *sock) {
 	intev_t *iev;
 	isc_socket_newconnev_t *ev;
 
@@ -1284,16 +1320,15 @@ dispatch_accept(isc_socket_t *sock)
 	iev = &sock->readable_ev;
 
 	sock->references++;  /* keep socket around for this internal event */
-	iev->sender = sock;
-	iev->action = internal_accept;
-	iev->arg = sock;
+	iev->ev_sender = sock;
+	iev->ev_action = internal_accept;
+	iev->ev_arg = sock;
 
-	isc_task_send(ev->sender, (isc_event_t **)&iev);
+	isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
 }
 
 static void
-dispatch_connect(isc_socket_t *sock)
-{
+dispatch_connect(isc_socket_t *sock) {
 	intev_t *iev;
 	isc_socket_connev_t *ev;
 
@@ -1305,11 +1340,11 @@ dispatch_connect(isc_socket_t *sock)
 	INSIST(sock->connecting);
 
 	sock->references++;  /* keep socket around for this internal event */
-	iev->sender = sock;
-	iev->action = internal_connect;
-	iev->arg = sock;
+	iev->ev_sender = sock;
+	iev->ev_action = internal_connect;
+	iev->ev_arg = sock;
 
-	isc_task_send(ev->sender, (isc_event_t **)&iev);
+	isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
 }
 
 /*
@@ -1328,13 +1363,13 @@ send_recvdone_event(isc_socket_t *sock, isc_socketevent_t **dev,
 {
 	isc_task_t *task;
 
-	task = (*dev)->sender;
+	task = (*dev)->ev_sender;
 
 	(*dev)->result = resultcode;
-	(*dev)->sender = sock;
+	(*dev)->ev_sender = sock;
 
-	if (ISC_LINK_LINKED(*dev, link))
-		ISC_LIST_DEQUEUE(sock->recv_list, *dev, link);
+	if (ISC_LINK_LINKED(*dev, ev_link))
+		ISC_LIST_DEQUEUE(sock->recv_list, *dev, ev_link);
 
 	if (sock->recv_result != ISC_R_SUCCESS)
 		(*dev)->attributes |= ISC_SOCKEVENTATTR_FATALERROR;
@@ -1357,13 +1392,14 @@ send_senddone_event(isc_socket_t *sock, isc_socketevent_t **dev,
 {
 	isc_task_t *task;
 
-	task = (*dev)->sender;
+	INSIST(dev != NULL && *dev != NULL);
 
+	task = (*dev)->ev_sender;
 	(*dev)->result = resultcode;
-	(*dev)->sender = sock;
+	(*dev)->ev_sender = sock;
 
-	if (ISC_LINK_LINKED(*dev, link))
-		ISC_LIST_DEQUEUE(sock->send_list, *dev, link);
+	if (ISC_LINK_LINKED(*dev, ev_link))
+		ISC_LIST_DEQUEUE(sock->send_list, *dev, ev_link);
 
 	if (sock->send_result != ISC_R_SUCCESS)
 		(*dev)->attributes |= ISC_SOCKEVENTATTR_FATALERROR;
@@ -1387,8 +1423,7 @@ send_senddone_event(isc_socket_t *sock, isc_socketevent_t **dev,
  * so just unlock and return.
  */
 static void
-internal_accept(isc_task_t *me, isc_event_t *ev)
-{
+internal_accept(isc_task_t *me, isc_event_t *ev) {
 	isc_socket_t *sock;
 	isc_socketmgr_t *manager;
 	isc_socket_newconnev_t *dev;
@@ -1397,14 +1432,13 @@ internal_accept(isc_task_t *me, isc_event_t *ev)
 	int fd;
 	isc_result_t result = ISC_R_SUCCESS;
 
-	(void)me;
+	UNUSED(me);
 
-	sock = ev->sender;
+	sock = ev->ev_sender;
 	INSIST(VALID_SOCKET(sock));
 
 	LOCK(&sock->lock);
-	XTRACE(TRACE_LISTEN,
-	       ("internal_accept called, locked parent sock %p\n", sock));
+	socket_log(sock, NULL, TRACE, "internal_accept called, locked socket");
 
 	manager = sock->manager;
 	INSIST(VALID_MANAGER(manager));
@@ -1437,7 +1471,8 @@ internal_accept(isc_task_t *me, isc_event_t *ev)
 	 * again.
 	 */
 	addrlen = sizeof dev->newsocket->address.type;
-	fd = accept(sock->fd, &dev->newsocket->address.type.sa, (void *)&addrlen);
+	fd = accept(sock->fd, &dev->newsocket->address.type.sa,
+		    (void *)&addrlen);
 	dev->newsocket->address.length = addrlen;
 	if (fd < 0) {
 		if (SOFT_ERROR(errno)) {
@@ -1450,8 +1485,8 @@ internal_accept(isc_task_t *me, isc_event_t *ev)
 		 * If some other error, ignore it as well and hope
 		 * for the best, but log it.
 		 */
-		XTRACE(TRACE_LISTEN, ("internal_accept: accept returned %s\n",
-				      strerror(errno)));
+		socket_log(sock, NULL, TRACE,
+			   "accept() returned %d/%s", errno, strerror(errno));
 
 		fd = -1;
 
@@ -1465,7 +1500,7 @@ internal_accept(isc_task_t *me, isc_event_t *ev)
 	/*
 	 * Pull off the done event.
 	 */
-	ISC_LIST_UNLINK(sock->accept_list, dev, link);
+	ISC_LIST_UNLINK(sock->accept_list, dev, ev_link);
 
 	/*
 	 * Poke watcher if there are more pending accepts.
@@ -1491,6 +1526,8 @@ internal_accept(isc_task_t *me, isc_event_t *ev)
 	 */
 	if (fd != -1) {
 		dev->newsocket->fd = fd;
+		dev->newsocket->bound = 1;
+		dev->newsocket->connected = 1;
 
 		/*
 		 * Save away the remote address
@@ -1503,41 +1540,38 @@ internal_accept(isc_task_t *me, isc_event_t *ev)
 		if (manager->maxfd < fd)
 			manager->maxfd = fd;
 		manager->nsockets++;
-		XTRACE(TRACE_MANAGER, ("nsockets == %d\n", manager->nsockets));
+		manager_log(manager, CREATION,
+			    "sockets %d", manager->nsockets);
 		UNLOCK(&manager->lock);
 
-		XTRACE(TRACE_LISTEN, ("internal_accept: newsock %p, fd %d\n",
-				      dev->newsocket, fd));
+		socket_log(sock, &dev->newsocket->address, CREATION,
+			   "accepted connection, new socket %p",
+			   dev->newsocket);
 	}
 
 	/*
 	 * Fill in the done event details and send it off.
 	 */
 	dev->result = result;
-	task = dev->sender;
-	dev->sender = sock;
+	task = dev->ev_sender;
+	dev->ev_sender = sock;
 
 	isc_task_sendanddetach(&task, (isc_event_t **)&dev);
 }
 
 static void
-internal_recv(isc_task_t *me, isc_event_t *ev)
-{
+internal_recv(isc_task_t *me, isc_event_t *ev) {
 	isc_socketevent_t *dev;
 	isc_socket_t *sock;
-	isc_task_t *task;
-
-	(void)me;
 
-	INSIST(ev->type == ISC_SOCKEVENT_INTR);
+	INSIST(ev->ev_type == ISC_SOCKEVENT_INTR);
 
-	sock = ev->sender;
+	sock = ev->ev_sender;
 	INSIST(VALID_SOCKET(sock));
 
 	LOCK(&sock->lock);
-	XTRACE(TRACE_SEND,
-	       ("internal_recv: task %p got event %p, sock %p, fd %d\n",
-		me, ev, sock, sock->fd));
+	socket_log(sock, NULL, IOEVENT,
+		   "internal_recv: task %p got event %p", me, ev, sock);
 
 	INSIST(sock->pending_recv == 1);
 	sock->pending_recv = 0;
@@ -1558,20 +1592,18 @@ internal_recv(isc_task_t *me, isc_event_t *ev)
 	 */
 	dev = ISC_LIST_HEAD(sock->recv_list);
 	while (dev != NULL) {
-		task = dev->sender;
-
 		/*
 		 * If this is a marker event, post its completion and
 		 * continue the loop.
 		 */
-		if (dev->type == ISC_SOCKEVENT_RECVMARK) {
+		if (dev->ev_type == ISC_SOCKEVENT_RECVMARK) {
 			send_recvdone_event(sock, &dev, sock->recv_result);
 			goto next;
 		}
 
 		if (sock->recv_result != ISC_R_SUCCESS) {
-			XTRACE(TRACE_RECV, ("STICKY RESULT: %d\n",
-					    sock->recv_result));
+			socket_log(sock, NULL, IOEVENT,
+				   "STICKY RESULT: %d", sock->recv_result);
 			send_recvdone_event(sock, &dev, sock->recv_result);
 			goto next;
 		}
@@ -1612,26 +1644,21 @@ internal_recv(isc_task_t *me, isc_event_t *ev)
 }
 
 static void
-internal_send(isc_task_t *me, isc_event_t *ev)
-{
+internal_send(isc_task_t *me, isc_event_t *ev) {
 	isc_socketevent_t *dev;
 	isc_socket_t *sock;
-	isc_task_t *task;
-
-	(void)me;
 
-	INSIST(ev->type == ISC_SOCKEVENT_INTW);
+	INSIST(ev->ev_type == ISC_SOCKEVENT_INTW);
 
 	/*
 	 * Find out what socket this is and lock it.
 	 */
-	sock = (isc_socket_t *)ev->sender;
+	sock = (isc_socket_t *)ev->ev_sender;
 	INSIST(VALID_SOCKET(sock));
 
 	LOCK(&sock->lock);
-	XTRACE(TRACE_SEND,
-	       ("internal_send: task %p got event %p, sock %p, fd %d\n",
-		me, ev, sock, sock->fd));
+	socket_log(sock, NULL, IOEVENT,
+		   "internal_send: task %p got event %p", me, ev, sock);
 
 	INSIST(sock->pending_send == 1);
 	sock->pending_send = 0;
@@ -1652,13 +1679,11 @@ internal_send(isc_task_t *me, isc_event_t *ev)
 	 */
 	dev = ISC_LIST_HEAD(sock->send_list);
 	while (dev != NULL) {
-		task = dev->sender;
-
 		/*
 		 * If this is a marker event, post its completion and
 		 * continue the loop.
 		 */
-		if (dev->type == ISC_SOCKEVENT_SENDMARK) {
+		if (dev->ev_type == ISC_SOCKEVENT_SENDMARK) {
 			send_senddone_event(sock, &dev, sock->send_result);
 			goto next;
 		}
@@ -1697,8 +1722,7 @@ internal_send(isc_task_t *me, isc_event_t *ev)
  * this I/O and post the event to it.
  */
 static isc_threadresult_t
-watcher(void *uap)
-{
+watcher(void *uap) {
 	isc_socketmgr_t *manager = uap;
 	isc_socket_t *sock;
 	isc_boolean_t done;
@@ -1727,20 +1751,15 @@ watcher(void *uap)
 			maxfd = manager->maxfd + 1;
 
 #ifdef ISC_SOCKET_DEBUG
-			XTRACE(TRACE_WATCHER, ("select maxfd %d\n", maxfd));
 			for (i = 0 ; i < FD_SETSIZE ; i++) {
 				int printit;
 
 				printit = 0;
 
 				if (FD_ISSET(i, &readfds)) {
-					XTRACE(TRACE_WATCHER,
-					       ("select r on %d\n", i));
 					printit = 1;
 				}
 				if (FD_ISSET(i, &writefds)) {
-					XTRACE(TRACE_WATCHER,
-					       ("select w on %d\n", i));
 					printit = 1;
 				}
 			}
@@ -1749,9 +1768,9 @@ watcher(void *uap)
 			UNLOCK(&manager->lock);
 
 			cc = select(maxfd, &readfds, &writefds, NULL, NULL);
-			XTRACE(TRACE_WATCHER,
-			       ("select(%d, ...) == %d, errno %d\n",
-				maxfd, cc, errno));
+			manager_log(manager, IOEVENT,
+				    "select(%d, ...) == %d, errno %d/%s",
+				    maxfd, cc, errno, strerror(errno));
 			if (cc < 0) {
 				if (!SOFT_ERROR(errno))
 					FATAL_ERROR(__FILE__, __LINE__,
@@ -1770,8 +1789,8 @@ watcher(void *uap)
 			for (;;) {
 				msg = select_readmsg(manager);
 
-				XTRACE(TRACE_WATCHER,
-				       ("watcher got message %d\n", msg));
+				manager_log(manager, IOEVENT,
+					    "watcher got message %d", msg);
 
 				/*
 				 * Nothing to read?
@@ -1786,8 +1805,6 @@ watcher(void *uap)
 				 * more work first.
 				 */
 				if (msg == SELECT_POKE_SHUTDOWN) {
-					XTRACE(TRACE_WATCHER,
-					       ("watcher got SHUTDOWN\n"));
 					done = ISC_TRUE;
 
 					break;
@@ -1811,9 +1828,6 @@ watcher(void *uap)
 						       &manager->write_fds);
 
 						close(msg);
-						XTRACE(TRACE_WATCHER,
-						       ("Watcher closed %d\n",
-							msg));
 
 						continue;
 					}
@@ -1824,9 +1838,6 @@ watcher(void *uap)
 					sock = manager->fds[msg];
 
 					LOCK(&sock->lock);
-					XTRACE(TRACE_WATCHER,
-					       ("watcher locked socket %p\n",
-						sock));
 
 					/*
 					 * If there are no events, or there
@@ -1836,19 +1847,16 @@ watcher(void *uap)
 					 * Otherwise, set it.
 					 */
 					rev = ISC_LIST_HEAD(sock->recv_list);
-					ev2 = (isc_event_t *)ISC_LIST_HEAD(sock->accept_list);
+					ev2 = (isc_event_t *)
+					      ISC_LIST_HEAD(sock->accept_list);
 					if ((rev == NULL && ev2 == NULL)
 					    || sock->pending_recv
 					    || sock->pending_accept) {
 						FD_CLR(sock->fd,
 						       &manager->read_fds);
-						XTRACE(TRACE_WATCHER,
-						       ("watch cleared r\n"));
 					} else {
 						FD_SET(sock->fd,
 						       &manager->read_fds);
-						XTRACE(TRACE_WATCHER,
-						       ("watch set r\n"));
 					}
 
 					rev = ISC_LIST_HEAD(sock->send_list);
@@ -1857,13 +1865,9 @@ watcher(void *uap)
 					    && !sock->connecting) {
 						FD_CLR(sock->fd,
 						       &manager->write_fds);
-						XTRACE(TRACE_WATCHER,
-						       ("watch cleared w\n"));
 					} else {
 						FD_SET(sock->fd,
 						       &manager->write_fds);
-						XTRACE(TRACE_WATCHER,
-						       ("watch set w\n"));
 					}
 
 					UNLOCK(&sock->lock);
@@ -1886,8 +1890,6 @@ watcher(void *uap)
 				FD_CLR(i, &manager->write_fds);
 				
 				close(i);
-				XTRACE(TRACE_WATCHER,
-				       ("Watcher closed %d\n", i));
 				
 				continue;
 			}
@@ -1899,16 +1901,13 @@ watcher(void *uap)
 					FD_CLR(i, &manager->read_fds);
 					goto check_write;
 				}
-				XTRACE(TRACE_WATCHER,
-				       ("watcher r on %d, sock %p\n",
-					i, manager->fds[i]));
 				unlock_sock = ISC_TRUE;
 				LOCK(&sock->lock);
 				if (!SOCK_DEAD(sock)) {
 					if (sock->listener)
 						dispatch_accept(sock);
 					else
-						dispatch_read(sock);
+						dispatch_recv(sock);
 				}
 				FD_CLR(i, &manager->read_fds);
 			}
@@ -1918,9 +1917,6 @@ watcher(void *uap)
 					FD_CLR(i, &manager->write_fds);
 					continue;
 				}
-				XTRACE(TRACE_WATCHER,
-				       ("watcher w on %d, sock %p\n",
-					i, manager->fds[i]));
 				if (!unlock_sock) {
 					unlock_sock = ISC_TRUE;
 					LOCK(&sock->lock);
@@ -1929,7 +1925,7 @@ watcher(void *uap)
 					if (sock->connecting)
 						dispatch_connect(sock);
 					else
-						dispatch_write(sock);
+						dispatch_send(sock);
 				}
 				FD_CLR(i, &manager->write_fds);
 			}
@@ -1938,7 +1934,7 @@ watcher(void *uap)
 		}
 	}
 
-	XTRACE(TRACE_WATCHER, ("Watcher exiting\n"));
+	manager_log(manager, TRACE, "watcher exiting");
 
 	UNLOCK(&manager->lock);
 	return ((isc_threadresult_t)0);
@@ -1948,14 +1944,11 @@ watcher(void *uap)
  * Create a new socket manager.
  */
 isc_result_t
-isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp)
-{
+isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
 	isc_socketmgr_t *manager;
 
 	REQUIRE(managerp != NULL && *managerp == NULL);
 
-	XENTER(TRACE_MANAGER, "isc_socketmgr_create");
-
 	manager = isc_mem_get(mctx, sizeof *manager);
 	if (manager == NULL)
 		return (ISC_R_NOMEMORY);
@@ -2023,13 +2016,11 @@ isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp)
 
 	*managerp = manager;
 
-	XEXIT(TRACE_MANAGER, "isc_socketmgr_create (normal)");
 	return (ISC_R_SUCCESS);
 }
 
 void
-isc_socketmgr_destroy(isc_socketmgr_t **managerp)
-{
+isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
 	isc_socketmgr_t *manager;
 	int i;
 
@@ -2043,12 +2034,14 @@ isc_socketmgr_destroy(isc_socketmgr_t **managerp)
 
 	LOCK(&manager->lock);
 
-	XTRACE(TRACE_MANAGER, ("nsockets == %d\n", manager->nsockets));
+	manager_log(manager, CREATION,
+		    "sockets %d", manager->nsockets);
 	/*
 	 * Wait for all sockets to be destroyed.
 	 */
 	while (manager->nsockets != 0) {
-		XTRACE(TRACE_MANAGER, ("nsockets == %d\n", manager->nsockets));
+		manager_log(manager, CREATION,
+			    "sockets %d", manager->nsockets);
 		WAIT(&manager->shutdown_ok, &manager->lock);
 	}
 
@@ -2111,6 +2104,10 @@ isc_socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
 
 	LOCK(&sock->lock);
 
+#if 0 /* XXXMLG */
+	INSIST(sock->bound);
+#endif
+
 	dev = allocate_socketevent(sock, ISC_SOCKEVENT_RECVDONE, action, arg);
 	if (dev == NULL) {
 		UNLOCK(&sock->lock);
@@ -2135,7 +2132,7 @@ isc_socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
 			dev->minimum = minimum;
 	}
 
-	dev->sender = task;
+	dev->ev_sender = task;
 
 	/*
 	 * Move each buffer from the passed in list to our internal one.
@@ -2190,12 +2187,12 @@ isc_socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
 	 * Enqueue the request.  If the socket was previously not being
 	 * watched, poke the watcher to start paying attention to it.
 	 */
-	ISC_LIST_ENQUEUE(sock->recv_list, dev, link);
+	ISC_LIST_ENQUEUE(sock->recv_list, dev, ev_link);
 	if (was_empty)
 		select_poke(sock->manager, sock->fd);
 
-	XTRACE(TRACE_RECV,
-	       ("isc_socket_recvv: queued event %p, task %p\n", dev, ntask));
+	socket_log(sock, NULL, EVENT,
+		   "isc_socket_recvv: event %p -> task %p", dev, ntask);
 
 	UNLOCK(&sock->lock);
 	return (ISC_R_SUCCESS);
@@ -2221,6 +2218,10 @@ isc_socket_recv(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
 
 	LOCK(&sock->lock);
 
+#if 0 /* XXXMLG */
+	INSIST(sock->bound);
+#endif
+
 	dev = allocate_socketevent(sock, ISC_SOCKEVENT_RECVDONE, action, arg);
 	if (dev == NULL) {
 		UNLOCK(&sock->lock);
@@ -2242,7 +2243,7 @@ isc_socket_recv(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
 	dev->result = ISC_R_SUCCESS;
 	dev->n = 0;
 	dev->region = *region;
-	dev->sender = task;
+	dev->ev_sender = task;
 
 	was_empty = ISC_LIST_EMPTY(sock->recv_list);
 
@@ -2288,12 +2289,12 @@ isc_socket_recv(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
 	 * Enqueue the request.  If the socket was previously not being
 	 * watched, poke the watcher to start paying attention to it.
 	 */
-	ISC_LIST_ENQUEUE(sock->recv_list, dev, link);
+	ISC_LIST_ENQUEUE(sock->recv_list, dev, ev_link);
 	if (was_empty)
 		select_poke(sock->manager, sock->fd);
 
-	XTRACE(TRACE_RECV,
-	       ("isc_socket_recv: queued event %p, task %p\n", dev, ntask));
+	socket_log(sock, NULL, EVENT,
+		   "isc_socket_recv: event %p -> task %p", dev, ntask);
 
 	UNLOCK(&sock->lock);
 	return (ISC_R_SUCCESS);
@@ -2330,6 +2331,10 @@ isc_socket_sendto(isc_socket_t *sock, isc_region_t *region,
 
 	LOCK(&sock->lock);
 
+#if 0 /* XXXMLG */
+	INSIST(sock->bound);
+#endif
+
 	dev = allocate_socketevent(sock, ISC_SOCKEVENT_SENDDONE, action, arg);
 	if (dev == NULL) {
 		UNLOCK(&sock->lock);
@@ -2337,12 +2342,20 @@ isc_socket_sendto(isc_socket_t *sock, isc_region_t *region,
 	}
 
 	dev->region = *region;
-	dev->sender = task;
+	dev->ev_sender = task;
 
 	set_dev_address(address, sock, dev);
 	if (pktinfo != NULL) {
+		isc_sockaddr_t sa;
+
+		isc_sockaddr_fromin6(&sa, &pktinfo->ipi6_addr, 53);
+		socket_log(sock, &sa, TRACE,
+			   "pktinfo structure provided, ifindex %u",
+			   pktinfo->ipi6_ifindex);
+
 		dev->attributes |= ISC_SOCKEVENTATTR_PKTINFO;
 		dev->pktinfo = *pktinfo;
+		dev->pktinfo.ipi6_ifindex = 0; /* XXXMLG */
 	}
 
 	/*
@@ -2381,12 +2394,12 @@ isc_socket_sendto(isc_socket_t *sock, isc_region_t *region,
 	 * Enqueue the request.  If the socket was previously not being
 	 * watched, poke the watcher to start paying attention to it.
 	 */
-	ISC_LIST_ENQUEUE(sock->send_list, dev, link);
+	ISC_LIST_ENQUEUE(sock->send_list, dev, ev_link);
 	if (was_empty)
 		select_poke(sock->manager, sock->fd);
 
-	XTRACE(TRACE_SEND,
-	       ("isc_socket_send: queued event %p, task %p\n", dev, ntask));
+	socket_log(sock, NULL, EVENT,
+		   "isc_socket_sendto: event %p -> task %p", dev, ntask);
 
 	UNLOCK(&sock->lock);
 	return (ISC_R_SUCCESS);
@@ -2438,7 +2451,7 @@ isc_socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
 	 *** to the task rather than this function failing.
 	 ***/
 
-	dev->sender = task;
+	dev->ev_sender = task;
 
 	set_dev_address(address, sock, dev);
 	if (pktinfo != NULL) {
@@ -2492,24 +2505,27 @@ isc_socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
 	 * Enqueue the request.  If the socket was previously not being
 	 * watched, poke the watcher to start paying attention to it.
 	 */
-	ISC_LIST_ENQUEUE(sock->send_list, dev, link);
+	ISC_LIST_ENQUEUE(sock->send_list, dev, ev_link);
 	if (was_empty)
 		select_poke(sock->manager, sock->fd);
 
-	XTRACE(TRACE_SEND,
-	       ("isc_socket_send: queued event %p, task %p\n", dev, ntask));
+	socket_log(sock, NULL, EVENT,
+		   "isc_socket_sendtov: event %p -> task %p", dev, ntask);
 
 	UNLOCK(&sock->lock);
 	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
-isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr)
-{
+isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr) {
 	int on = 1;
 
 	LOCK(&sock->lock);
 
+#if 0 /* XXXMLG */
+	INSIST(!sock->bound);
+#endif
+
 	if (setsockopt(sock->fd, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
 		       sizeof on) < 0) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__, "setsockopt(%d) failed",
@@ -2534,12 +2550,15 @@ isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr)
 		}
 	}
 
+	socket_log(sock, sockaddr, TRACE, "bound");
+	sock->bound = 1;
+
 	UNLOCK(&sock->lock);
 	return (ISC_R_SUCCESS);
 }
 
 /*
- * set up to listen on a given socket.  We do this by creating an internal
+ * Set up to listen on a given socket.  We do this by creating an internal
  * event that will be dispatched when the socket has read activity.  The
  * watcher will send the internal event to the task when there is a new
  * connection.
@@ -2549,13 +2568,15 @@ isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr)
  * as well keep things simple rather than having to track them.
  */
 isc_result_t
-isc_socket_listen(isc_socket_t *sock, unsigned int backlog)
-{
+isc_socket_listen(isc_socket_t *sock, unsigned int backlog) {
 	REQUIRE(VALID_SOCKET(sock));
 
 	LOCK(&sock->lock);
 
 	REQUIRE(!sock->listener);
+#if 0 /* XXXMLG */
+	REQUIRE(sock->bound);
+#endif
 	REQUIRE(sock->type == isc_sockettype_tcp);
 
 	if (backlog == 0)
@@ -2588,8 +2609,6 @@ isc_socket_accept(isc_socket_t *sock,
 	isc_socket_t *nsock;
 	isc_result_t ret;
 
-	XENTER(TRACE_LISTEN, "isc_socket_accept");
-
 	REQUIRE(VALID_SOCKET(sock));
 	manager = sock->manager;
 	REQUIRE(VALID_MANAGER(manager));
@@ -2601,7 +2620,7 @@ isc_socket_accept(isc_socket_t *sock,
 	/*
 	 * Sender field is overloaded here with the task we will be sending
 	 * this event to.  Just before the actual event is delivered the
-	 * actual sender will be touched up to be the socket.
+	 * actual ev_sender will be touched up to be the socket.
 	 */
 	dev = (isc_socket_newconnev_t *)
 		isc_event_allocate(manager->mctx, task, ISC_SOCKEVENT_NEWCONN,
@@ -2610,7 +2629,7 @@ isc_socket_accept(isc_socket_t *sock,
 		UNLOCK(&sock->lock);
 		return (ISC_R_NOMEMORY);
 	}
-	ISC_LINK_INIT(dev, link);
+	ISC_LINK_INIT(dev, ev_link);
 
 	ret = allocate_socket(manager, sock->type, &nsock);
 	if (ret != ISC_R_SUCCESS) {
@@ -2625,7 +2644,7 @@ isc_socket_accept(isc_socket_t *sock,
 	isc_task_attach(task, &ntask);
 	nsock->references++;
 
-	dev->sender = ntask;
+	dev->ev_sender = ntask;
 	dev->newsocket = nsock;
 
 	/*
@@ -2636,7 +2655,7 @@ isc_socket_accept(isc_socket_t *sock,
 	if (EMPTY(sock->accept_list))
 		select_poke(manager, sock->fd);
 
-	ISC_LIST_ENQUEUE(sock->accept_list, dev, link);
+	ISC_LIST_ENQUEUE(sock->accept_list, dev, ev_link);
 
 	UNLOCK(&sock->lock);
 	return (ISC_R_SUCCESS);
@@ -2651,8 +2670,6 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
 	isc_socketmgr_t *manager;
 	int cc;
 
-	XENTER(TRACE_CONNECT, "isc_socket_connect");
-
 	REQUIRE(VALID_SOCKET(sock));
 	REQUIRE(addr != NULL);
 	REQUIRE(task != NULL);
@@ -2674,7 +2691,7 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
 		UNLOCK(&sock->lock);
 		return (ISC_R_NOMEMORY);
 	}
-	ISC_LINK_INIT(dev, link);
+	ISC_LINK_INIT(dev, ev_link);
 
 	/*
 	 * Try to do the connect right away, as there can be only one
@@ -2697,8 +2714,8 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
 
 		sock->connected = 0;
 
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "%s", strerror(errno));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "%d/%s",
+				 errno, strerror(errno));
 
 		UNLOCK(&sock->lock);
 		isc_event_free((isc_event_t **)&dev);
@@ -2717,6 +2734,7 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
 	 */
 	if (cc == 0) {
 		sock->connected = 1;
+		sock->bound = 1;
 		dev->result = ISC_R_SUCCESS;
 		isc_task_send(task, (isc_event_t **)&dev);
 
@@ -2726,7 +2744,6 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
 
  queue:
 
-	XTRACE(TRACE_CONNECT, ("queueing connect internal event\n"));
 	/*
 	 * Attach to to task
 	 */
@@ -2734,7 +2751,7 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
 
 	sock->connecting = 1;
 
-	dev->sender = ntask;
+	dev->ev_sender = ntask;
 
 	/*
 	 * poke watcher here.  We still have the socket locked, so there
@@ -2754,23 +2771,20 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
  * Called when a socket with a pending connect() finishes.
  */
 static void
-internal_connect(isc_task_t *me, isc_event_t *ev)
-{
+internal_connect(isc_task_t *me, isc_event_t *ev) {
 	isc_socket_t *sock;
 	isc_socket_connev_t *dev;
 	isc_task_t *task;
 	int cc;
 	ISC_SOCKADDR_LEN_T optlen;
 
-	(void)me;
-	INSIST(ev->type == ISC_SOCKEVENT_INTW);
+	UNUSED(me);
+	INSIST(ev->ev_type == ISC_SOCKEVENT_INTW);
 
-	sock = ev->sender;
+	sock = ev->ev_sender;
 	INSIST(VALID_SOCKET(sock));
 
 	LOCK(&sock->lock);
-	XTRACE(TRACE_CONNECT,
-	       ("internal_connect called, locked parent sock %p\n", sock));
 
 	/*
 	 * When the internal event was sent the reference count was bumped
@@ -2846,47 +2860,62 @@ internal_connect(isc_task_t *me, isc_event_t *ev)
 
 	UNLOCK(&sock->lock);
 
-	task = dev->sender;
-	dev->sender = sock;
+	task = dev->ev_sender;
+	dev->ev_sender = sock;
 	isc_task_sendanddetach(&task, (isc_event_t **)&dev);
 }
 
 isc_result_t
-isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp)
-{
+isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp) {
+	isc_result_t ret;
+
 	REQUIRE(VALID_SOCKET(sock));
 	REQUIRE(addressp != NULL);
 
 	LOCK(&sock->lock);
 
-	*addressp = sock->address;
+	if (sock->connected) {
+		*addressp = sock->address;
+		ret = ISC_R_SUCCESS;
+	} else {
+		ret = ISC_R_NOTCONNECTED;
+	}
 
 	UNLOCK(&sock->lock);
 
-	return (ISC_R_SUCCESS);
+	return (ret);
 }
 
 isc_result_t
-isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp)
-{
+isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp) {
 	ISC_SOCKADDR_LEN_T len;
+	isc_result_t ret;
 
 	REQUIRE(VALID_SOCKET(sock));
 	REQUIRE(addressp != NULL);
 
 	LOCK(&sock->lock);
 
+	if (!sock->bound) {
+		ret = ISC_R_NOTBOUND;
+		goto out;
+	}
+
+	ret = ISC_R_SUCCESS;
+
 	len = sizeof addressp->type;
 	if (getsockname(sock->fd, &addressp->type.sa, (void *)&len) < 0) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "getsockname: %s", strerror(errno));
-		UNLOCK(&sock->lock);
-		return (ISC_R_UNEXPECTED);
+		ret = ISC_R_UNEXPECTED;
+		goto out;
 	}
 	addressp->length = (unsigned int)len;
 
+ out:
 	UNLOCK(&sock->lock);
-	return (ISC_R_SUCCESS);
+
+	return (ret);
 }
 
 /*
@@ -2894,8 +2923,7 @@ isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp)
  * queued for task "task" of type "how".  "how" is a bitmask.
  */
 void
-isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how)
-{
+isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
 	isc_boolean_t poke_needed;
 
 	REQUIRE(VALID_SOCKET(sock));
@@ -2930,8 +2958,8 @@ isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how)
 		dev = ISC_LIST_HEAD(sock->recv_list);
 
 		while (dev != NULL) {
-			current_task = dev->sender;
-			next = ISC_LIST_NEXT(dev, link);
+			current_task = dev->ev_sender;
+			next = ISC_LIST_NEXT(dev, ev_link);
 
 			if ((task == NULL) || (task == current_task))
 				send_recvdone_event(sock, &dev,
@@ -2949,8 +2977,8 @@ isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how)
 		dev = ISC_LIST_HEAD(sock->send_list);
 
 		while (dev != NULL) {
-			current_task = dev->sender;
-			next = ISC_LIST_NEXT(dev, link);
+			current_task = dev->ev_sender;
+			next = ISC_LIST_NEXT(dev, ev_link);
 
 			if ((task == NULL) || (task == current_task))
 				send_senddone_event(sock, &dev,
@@ -2967,18 +2995,19 @@ isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how)
 
 		dev = ISC_LIST_HEAD(sock->accept_list);
 		while (dev != NULL) {
-			current_task = dev->sender;
-			next = ISC_LIST_NEXT(dev, link);
+			current_task = dev->ev_sender;
+			next = ISC_LIST_NEXT(dev, ev_link);
 
 			if ((task == NULL) || (task == current_task)) {
 
-				ISC_LIST_UNLINK(sock->accept_list, dev, link);
+				ISC_LIST_UNLINK(sock->accept_list, dev,
+						ev_link);
 
 				dev->newsocket->references--;
 				free_socket(&dev->newsocket);
 
 				dev->result = ISC_R_CANCELED;
-				dev->sender = sock;
+				dev->ev_sender = sock;
 				isc_task_sendanddetach(&current_task,
 						       (isc_event_t **)&dev);
 			}
@@ -2999,13 +3028,13 @@ isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how)
 		sock->connecting = 0;
 
 		dev = sock->connect_ev;
-		current_task = dev->sender;
+		current_task = dev->ev_sender;
 
 		if ((task == NULL) || (task == current_task)) {
 			sock->connect_ev = NULL;
 
 			dev->result = ISC_R_CANCELED;
-			dev->sender = sock;
+			dev->ev_sender = sock;
 			isc_task_sendanddetach(&current_task,
 					       (isc_event_t **)&dev);
 		}
@@ -3036,6 +3065,10 @@ isc_socket_recvmark(isc_socket_t *sock,
 
 	LOCK(&sock->lock);
 
+#if 0 /* XXXMLG */
+	INSIST(sock->bound);
+#endif
+
 	dev = allocate_socketevent(sock, ISC_SOCKEVENT_RECVMARK, action, arg);
 	if (dev == NULL) {
 		UNLOCK(&sock->lock);
@@ -3061,13 +3094,12 @@ isc_socket_recvmark(isc_socket_t *sock,
 	 */
 	isc_task_attach(task, &ntask);
 
-	dev->sender = ntask;
+	dev->ev_sender = ntask;
 
-	ISC_LIST_ENQUEUE(sock->recv_list, dev, link);
+	ISC_LIST_ENQUEUE(sock->recv_list, dev, ev_link);
 
-	XTRACE(TRACE_RECV,
-	       ("isc_socket_recvmark: queued event dev %p, task %p\n",
-		dev, task));
+	socket_log(sock, NULL, EVENT,
+		   "isc_socket_recvmark: event %p -> task %p", dev, ntask);
 
 	UNLOCK(&sock->lock);
 	return (ISC_R_SUCCESS);
@@ -3090,6 +3122,10 @@ isc_socket_sendmark(isc_socket_t *sock,
 
 	LOCK(&sock->lock);
 
+#if 0 /* XXXMLG */
+	INSIST(sock->bound);
+#endif
+
 	dev = allocate_socketevent(sock, ISC_SOCKEVENT_SENDMARK, action, arg);
 	if (dev == NULL) {
 		UNLOCK(&sock->lock);
@@ -3115,22 +3151,31 @@ isc_socket_sendmark(isc_socket_t *sock,
 	 */
 	isc_task_attach(task, &ntask);
 
-	dev->sender = ntask;
+	dev->ev_sender = ntask;
 
-	ISC_LIST_ENQUEUE(sock->send_list, dev, link);
+	ISC_LIST_ENQUEUE(sock->send_list, dev, ev_link);
 
-	XTRACE(TRACE_SEND,
-	       ("isc_socket_sendmark: queued event dev %p, task %p\n",
-		dev, task));
+	socket_log(sock, NULL, EVENT,
+		   "isc_socket_sendmark: event %p -> task %p", dev, ntask);
 
 	UNLOCK(&sock->lock);
 	return (ISC_R_SUCCESS);
 }
 
 isc_sockettype_t
-isc_socket_gettype(isc_socket_t *sock)
-{
+isc_socket_gettype(isc_socket_t *sock) {
 	REQUIRE(VALID_SOCKET(sock));
 
 	return (sock->type);
 }
+
+isc_boolean_t
+isc_socket_isbound(isc_socket_t *sock) {
+	isc_boolean_t val;
+
+	LOCK(&sock->lock);
+	val = ((sock->bound) ? ISC_TRUE : ISC_FALSE);
+	UNLOCK(&sock->lock);
+
+	return (val);
+}
diff --git a/lib/isc/unix/stdio.c b/lib/isc/unix/stdio.c
new file mode 100644
index 00000000..77bf1ef3
--- /dev/null
+++ b/lib/isc/unix/stdio.c
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <isc/stdio.h>
+
+#include "errno2result.h"
+
+isc_result_t
+isc_stdio_open(const char *filename, const char *mode, FILE **fp) {
+	FILE *f;
+	
+	f = fopen(filename, mode);
+	if (f == NULL)
+		return (isc__errno2result(errno));
+	*fp = f;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_stdio_close(FILE *f) {
+	int r;
+
+	r = fclose(f);
+	if (r == 0)
+		return (ISC_R_SUCCESS);
+	else
+		return (isc__errno2result(errno));
+}
+
+isc_result_t
+isc_stdio_seek(FILE *f, long offset, int whence) {
+	int r;
+
+	r = fseek(f, offset, whence);
+	if (r == 0)
+		return (ISC_R_SUCCESS);
+	else
+		return (isc__errno2result(errno));
+}
+
+isc_result_t
+isc_stdio_read(void *ptr, size_t size, size_t nmemb, FILE *f, size_t *nret) {
+	isc_result_t result = ISC_R_SUCCESS;
+	size_t r;
+	
+	clearerr(f);
+	r = fread(ptr, size, nmemb, f);
+	if (r != nmemb) {
+		if (feof(f))
+			result = ISC_R_EOF;
+		else
+			result = isc__errno2result(errno);
+	}
+	if (nret != NULL)
+		*nret = r;
+	return (result);
+}
+
+isc_result_t
+isc_stdio_write(const void *ptr, size_t size, size_t nmemb, FILE *f,
+	       size_t *nret)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	size_t r;
+	
+	clearerr(f);
+	r = fwrite(ptr, size, nmemb, f);
+	if (r != nmemb)
+		result = isc__errno2result(errno);
+	if (nret != NULL)
+		*nret = r;
+	return (result);
+}
+
+isc_result_t
+isc_stdio_flush(FILE *f) {
+	int r;
+	
+	r = fflush(f);
+	if (r == 0)
+		return (ISC_R_SUCCESS);
+	else
+		return (isc__errno2result(errno));
+}
+
+isc_result_t
+isc_stdio_sync(FILE *f) {
+	int r;
+	
+	r = fsync(fileno(f));
+	if (r == 0)
+		return (ISC_R_SUCCESS);
+	else
+		return (isc__errno2result(errno));
+}
+
diff --git a/lib/isc/unix/stdtime.c b/lib/isc/unix/stdtime.c
index 76b640ad..a5c68718 100644
--- a/lib/isc/unix/stdtime.c
+++ b/lib/isc/unix/stdtime.c
@@ -17,22 +17,13 @@
 
 #include <config.h>
 
-#include <sys/types.h>
 #include <sys/time.h>
 
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <errno.h>
-
-#include <isc/assertions.h>
-#include <isc/error.h>
 #include <isc/stdtime.h>
+#include <isc/util.h>
 
 void
-isc_stdtime_get(isc_stdtime_t *t)
-{
+isc_stdtime_get(isc_stdtime_t *t) {
 	struct timeval tv;
 
 	/*
diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c
index 17d3cacf..4466d023 100644
--- a/lib/isc/unix/time.c
+++ b/lib/isc/unix/time.c
@@ -17,18 +17,26 @@
 
 #include <config.h>
 
-#include <sys/types.h>
-#include <sys/time.h>
-
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
 #include <errno.h>
+#include <limits.h>
+#include <time.h>
+
+#include <sys/time.h>	/* Required for struct timeval on some platforms. */
 
-#include <isc/assertions.h>
-#include <isc/error.h>
+#include <isc/string.h>
 #include <isc/time.h>
+#include <isc/util.h>
+
+#define NS_PER_S	1000000000	/* Nanoseconds per second. */
+#define NS_PER_US	1000		/* Nanoseconds per microsecond. */
+#define US_PER_S	1000000		/* Microseconds per second. */
+
+/*
+ * All of the INSIST()s checks of nanoseconds < NS_PER_S are for 
+ * consistency checking of the type. In lieu of magic numbers, it
+ * is the best we've got.  The check is only performed on functions which
+ * need an initialized type.
+ */
 
 /***
  *** Intervals
@@ -39,7 +47,8 @@ isc_interval_t *isc_interval_zero = &zero_interval;
 
 void
 isc_interval_set(isc_interval_t *i,
-		 unsigned int seconds, unsigned int nanoseconds) {
+		 unsigned int seconds, unsigned int nanoseconds)
+{
 
 	/*
 	 * Set 'i' to a value representing an interval of 'seconds' seconds
@@ -48,7 +57,7 @@ isc_interval_set(isc_interval_t *i,
 	 */
 
 	REQUIRE(i != NULL);
-	REQUIRE(nanoseconds < 1000000000);
+	REQUIRE(nanoseconds < NS_PER_S);
 
 	i->seconds = seconds;
 	i->nanoseconds = nanoseconds;
@@ -62,6 +71,7 @@ isc_interval_iszero(isc_interval_t *i) {
 	 */
 
 	REQUIRE(i != NULL);
+	INSIST(i->nanoseconds < NS_PER_S);
 
 	if (i->seconds == 0 && i->nanoseconds == 0)
 		return (ISC_TRUE);
@@ -78,6 +88,19 @@ static isc_time_t epoch = { 0, 0 };
 isc_time_t *isc_time_epoch = &epoch;
 
 void
+isc_time_set(isc_time_t *t, unsigned int seconds, unsigned int nanoseconds) {
+	/*
+	 * Set 't' to a particular number of seconds + nanoseconds since the
+	 * epoch.
+	 */
+	REQUIRE(t != NULL);
+	REQUIRE(nanoseconds < NS_PER_S);
+
+	t->seconds = seconds;
+	t->nanoseconds = nanoseconds;
+}
+
+void
 isc_time_settoepoch(isc_time_t *t) {
 	/*
 	 * Set 't' to the time of the epoch.
@@ -97,6 +120,7 @@ isc_time_isepoch(isc_time_t *t) {
 	 */
 
 	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
 
 	if (t->seconds == 0 && t->nanoseconds == 0)
 		return (ISC_TRUE);
@@ -119,8 +143,25 @@ isc_time_now(isc_time_t *t) {
 		return (ISC_R_UNEXPECTED);
 	}
 
+	/*
+	 * Does POSIX guarantee the signedness of tv_sec and tv_usec?  If not,
+	 * then this test will generate warnings for platforms on which it is
+	 * unsigned.  In any event, the chances of any of these problems
+	 * happening are pretty much zero, but since the libisc library ensures
+	 * certain things to be true ...
+	 */
+	if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S)
+		return (ISC_R_UNEXPECTED);
+
+	/*
+	 * Ensure the tv_sec value fits in t->seconds. 
+	 */
+	if (sizeof(tv.tv_sec) > sizeof(t->seconds) &&
+	    ((tv.tv_sec | (unsigned int)-1) ^ (unsigned int)-1) != 0)
+		return (ISC_R_RANGE);
+
 	t->seconds = tv.tv_sec;
-	t->nanoseconds = tv.tv_usec * 1000;
+	t->nanoseconds = tv.tv_usec * NS_PER_US;
 
 	return (ISC_R_SUCCESS);
 }
@@ -135,17 +176,38 @@ isc_time_nowplusinterval(isc_time_t *t, isc_interval_t *i) {
 	
 	REQUIRE(t != NULL);
 	REQUIRE(i != NULL);
-	
+	INSIST(i->nanoseconds < NS_PER_S);
+
 	if (gettimeofday(&tv, NULL) == -1) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__, strerror(errno));
 		return (ISC_R_UNEXPECTED);
 	}
 
+	/*
+	 * Does POSIX guarantee the signedness of tv_sec and tv_usec?  If not,
+	 * then this test will generate warnings for platforms on which it is
+	 * unsigned.  In any event, the chances of any of these problems
+	 * happening are pretty much zero, but since the libisc library ensures
+	 * certain things to be true ...
+	 */
+	if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S)
+		return (ISC_R_UNEXPECTED);
+
+	/*
+	 * Ensure the resulting seconds value fits in the size of an
+	 * unsigned int.  (It is written this way as a slight optimization;
+	 * note that even if both values == INT_MAX, then when added
+	 * and getting another 1 added below the result is UINT_MAX.)
+	 */
+	if ((tv.tv_sec > INT_MAX || i->seconds > INT_MAX) &&
+	    ((long long)tv.tv_sec + i->seconds > UINT_MAX))
+		return (ISC_R_RANGE);
+
 	t->seconds = tv.tv_sec + i->seconds;
-	t->nanoseconds = tv.tv_usec * 1000 + i->nanoseconds;
-	if (t->nanoseconds > 1000000000) {
+	t->nanoseconds = tv.tv_usec * NS_PER_US + i->nanoseconds;
+	if (t->nanoseconds > NS_PER_S) {
 		t->seconds++;
-		t->nanoseconds -= 1000000000;
+		t->nanoseconds -= NS_PER_S;
 	}
 
 	return (ISC_R_SUCCESS);
@@ -159,6 +221,7 @@ isc_time_compare(isc_time_t *t1, isc_time_t *t2) {
 	 */
 
 	REQUIRE(t1 != NULL && t2 != NULL);
+	INSIST(t1->nanoseconds < NS_PER_S && t2->nanoseconds < NS_PER_S);
 
 	if (t1->seconds < t2->seconds)
 		return (-1);
@@ -171,39 +234,59 @@ isc_time_compare(isc_time_t *t1, isc_time_t *t2) {
 	return (0);
 }
 
-void
-isc_time_add(isc_time_t *t, isc_interval_t *i, isc_time_t *result)
-{
+isc_result_t
+isc_time_add(isc_time_t *t, isc_interval_t *i, isc_time_t *result) {
 	/*
 	 * Add 't' to 'i', storing the result in 'result'.
 	 */
 
 	REQUIRE(t != NULL && i != NULL && result != NULL);
+	INSIST(t->nanoseconds < NS_PER_S && i->nanoseconds < NS_PER_S);
+
+	/*
+	 * Ensure the resulting seconds value fits in the size of an
+	 * unsigned int.  (It is written this way as a slight optimization;
+	 * note that even if both values == INT_MAX, then when added
+	 * and getting another 1 added below the result is UINT_MAX.)
+	 */
+	if ((t->seconds > INT_MAX || i->seconds > INT_MAX) &&
+	    ((long long)t->seconds + i->seconds > UINT_MAX))
+		return (ISC_R_RANGE);
 
 	result->seconds = t->seconds + i->seconds;
 	result->nanoseconds = t->nanoseconds + i->nanoseconds;
-	if (result->nanoseconds > 1000000000) {
+	if (result->nanoseconds > NS_PER_S) {
 		result->seconds++;
-		result->nanoseconds -= 1000000000;
+		result->nanoseconds -= NS_PER_S;
 	}
+
+	return (ISC_R_SUCCESS);
 }
 
-void
+isc_result_t
 isc_time_subtract(isc_time_t *t, isc_interval_t *i, isc_time_t *result) {
 	/*
 	 * Subtract 'i' from 't', storing the result in 'result'.
 	 */
 
 	REQUIRE(t != NULL && i != NULL && result != NULL);
-	
+	INSIST(t->nanoseconds < NS_PER_S && i->nanoseconds < NS_PER_S);
+
+	if ((unsigned int)t->seconds < i->seconds ||
+	    ((unsigned int)t->seconds == i->seconds &&
+	     t->nanoseconds < i->nanoseconds))
+	    return (ISC_R_RANGE);
+
 	result->seconds = t->seconds - i->seconds;
 	if (t->nanoseconds >= i->nanoseconds)
 		result->nanoseconds = t->nanoseconds - i->nanoseconds;
 	else {
-		result->nanoseconds = 1000000000 - i->nanoseconds +
+		result->nanoseconds = NS_PER_S - i->nanoseconds +
 			t->nanoseconds;
 		result->seconds--;
 	}
+
+	return (ISC_R_SUCCESS);
 }
 
 isc_uint64_t
@@ -211,9 +294,10 @@ isc_time_microdiff(isc_time_t *t1, isc_time_t *t2) {
 	isc_uint64_t i1, i2, i3;
 
 	REQUIRE(t1 != NULL && t2 != NULL);
+	INSIST(t1->nanoseconds < NS_PER_S && t2->nanoseconds < NS_PER_S);
 
-	i1 = t1->seconds * 1000000000 + t1->nanoseconds;
-	i2 = t2->seconds * 1000000000 + t2->nanoseconds;
+	i1 = (isc_uint64_t)t1->seconds * NS_PER_S + t1->nanoseconds;
+	i2 = (isc_uint64_t)t2->seconds * NS_PER_S + t2->nanoseconds;
 
 	if (i1 <= i2)
 		return (0);
@@ -223,19 +307,65 @@ isc_time_microdiff(isc_time_t *t1, isc_time_t *t2) {
 	/*
 	 * Convert to microseconds.
 	 */
-	i3 = (i1 - i2) / 1000;
+	i3 = (i1 - i2) / NS_PER_US;
 
 	return (i3);
 }
 
 isc_uint32_t
 isc_time_seconds(isc_time_t *t) {
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+
 	return ((isc_uint32_t)t->seconds);
 }
 
+isc_result_t
+isc_time_secondsastimet(isc_time_t *t, time_t *secondsp) {
+	isc_uint64_t i;
+	time_t seconds;
+
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+
+	/*
+	 * Ensure that the number of seconds represented by t->seconds
+	 * can be represented by a time_t.  Since t->seconds is an unsigned
+	 * int and since time_t is mostly opaque, this is trickier than
+	 * it seems.  (This standardized opaqueness of time_t is *very*
+	 * frustrating; time_t is not even limited to being an integral
+	 * type.)
+	 *
+	 * The mission, then, is to avoid generating any kind of warning
+	 * about "signed versus unsigned" while trying to determine if the
+	 * the unsigned int t->seconds is out range for tv_sec, which is
+	 * pretty much only true if time_t is a signed integer of the same
+	 * size as the return value of isc_time_seconds. 
+	 *
+	 * The use of a 64 bit integer takes advantage of C's conversion rules
+	 * to either zero fill or sign extend the widened type.
+	 */
+	seconds = (time_t)t->seconds;
+
+	INSIST(sizeof(unsigned int) == sizeof(isc_uint32_t));
+	INSIST(sizeof(time_t) >= sizeof(isc_uint32_t));
+
+	if (sizeof(time_t) == sizeof(isc_uint32_t) &&	       /* Same size. */
+	    (time_t)0.5 != 0.5 &&	       /* Not a floating point type. */
+	    (i = (time_t)-1) != 4294967295u &&		       /* Is signed. */
+	    (seconds & (1 << (sizeof(time_t) * 8 - 1))) != 0)	/* Negative. */
+		return (ISC_R_RANGE);
+
+	*secondsp = seconds;
+
+	return (ISC_R_SUCCESS);
+}
+
 isc_uint32_t
 isc_time_nanoseconds(isc_time_t *t) {
-	ENSURE(t->nanoseconds < 1000000000);
+	REQUIRE(t != NULL);
+
+	ENSURE(t->nanoseconds < NS_PER_S);
 
 	return ((isc_uint32_t)t->nanoseconds);
 }
diff --git a/lib/isc/win32/Makefile.in b/lib/isc/win32/Makefile.in
index 13639045..43bf6fef 100644
--- a/lib/isc/win32/Makefile.in
+++ b/lib/isc/win32/Makefile.in
@@ -25,10 +25,12 @@ CDEFINES =
 CWARNINGS =
 
 # Alphabetically
-OBJS =		condition.@O@ dir.@O@ once.@O@ stdtime.@O@ thread.@O@ time.@O@
+OBJS =		condition.@O@ dir.@O@ file.@O@ once.@O@ stdtime.@O@ \
+		thread.@O@ time.@O@
 
 # Alphabetically
-SRCS =		condition.c dir.c once.c stdtime.c thread.c time.c
+SRCS =		condition.c dir.c file.c once.c stdtime.c \
+		thread.c time.c
 
 SUBDIRS =	include
 TARGETS =	${OBJS}
diff --git a/lib/isc/win32/mktemplate.c b/lib/isc/win32/file.c
index beb1d5c5..eda62505 100644
--- a/lib/isc/win32/mktemplate.c
+++ b/lib/isc/win32/file.c
@@ -16,35 +16,38 @@
  */
 
 #include <string.h>
-#include <isc/mktemplate.h>
 
-#define TEMPLATE "tmp-XXXXXX"
+#undef TEMPLATE
+#define TEMPLATE "tXXXXXXX.tmp"
 
 isc_result_t
-isc_mktemplate(const char *file, char *buf, size_t buflen) {
+isc_file_mktemplate(const char *file, char *buf, size_t buflen) {
 	char *s;
 
-	s = strrchr(file, '\\');
-	if (s != NULL) {
+	s = ;
+	if ((s = strrchr(file, '\\')) != NULL) {
 		if ((s - file + 1 + sizeof(TEMPLATE)) > buflen)
 			return (ISC_R_NOSPACE);
+
 		strncpy(buf, file, s - file + 1);
 		buf[s - file + 1] = '\0';
 		strcat(buf, TEMPLATE);
-		return(ISC_R_SUCCESS);
-	}
-	s = strrchr(file, ':');
-	if (s != NULL) {
+
+	} else if ((s = strrchr(file, ':')) != NULL) {
 		if ((s - file + 2 + sizeof(TEMPLATE)) > buflen)
 			return (ISC_R_NOSPACE);
+
 		strncpy(buf, file, s - file + 1);
 		buf[s - file + 1] = '\\';
 		buf[s - file + 2] = '\0';
 		strcat(buf, TEMPLATE);
-		return(ISC_R_SUCCESS);
+
+	} else {
+		if (sizeof(TEMPLATE) > buflen)
+			return (ISC_R_NOSPACE);
+
+		strcpy(buf, TEMPLATE);
 	}
-	if (sizeof(TEMPLATE) > buflen)
-		return (ISC_R_NOSPACE);
-	strcpy(buf, TEMPLATE);
+
 	return(ISC_R_SUCCESS);
 }
diff --git a/lib/isc/win32/include/isc/Makefile.in b/lib/isc/win32/include/isc/Makefile.in
index a8710362..52765fe9 100644
--- a/lib/isc/win32/include/isc/Makefile.in
+++ b/lib/isc/win32/include/isc/Makefile.in
@@ -19,7 +19,7 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_VERSION@
 
-HEADERS =	dir.h int.h ipv6.h mutex.h net.h netdb.h once.h \
+HEADERS =	dir.h int.h mutex.h net.h netdb.h once.h \
 		stdtime.h thread.h time.h
 
 SUBDIRS =
@@ -39,6 +39,3 @@ install:: installdirs
 	for i in $(HEADERS); do \
 		$(INSTALL_DATA) $(srcdir)\$$i $(includedir)\isc ; \
 	done
-
-distclean::
-	rm -f net.h
diff --git a/lib/isc/win32/include/isc/condition.h b/lib/isc/win32/include/isc/condition.h
index 21619ce3..fb0f686b 100644
--- a/lib/isc/win32/include/isc/condition.h
+++ b/lib/isc/win32/include/isc/condition.h
@@ -20,22 +20,35 @@
 
 #include <windows.h>
 
-#include <isc/boolean.h>
-#include <isc/result.h>
+#include <isc/lang.h>
 #include <isc/mutex.h>
-#include <isc/time.h>
+#include <isc/types.h>
 
 typedef struct isc_condition {
-	HANDLE			events[2];	
+	HANDLE 		events[2];	
 	unsigned int	waiters;
 } isc_condition_t;
 
-isc_result_t isc_condition_init(isc_condition_t *);
-isc_result_t isc_condition_wait(isc_condition_t *, isc_mutex_t *);
-isc_result_t isc_condition_signal(isc_condition_t *);
-isc_result_t isc_condition_broadcast(isc_condition_t *);
-isc_result_t isc_condition_destroy(isc_condition_t *);
-isc_result_t isc_condition_waituntil(isc_condition_t *, isc_mutex_t *,
-				     isc_time_t *);
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_condition_init(isc_condition_t *);
+
+isc_result_t
+isc_condition_wait(isc_condition_t *, isc_mutex_t *);
+
+isc_result_t
+isc_condition_signal(isc_condition_t *);
+
+isc_result_t
+isc_condition_broadcast(isc_condition_t *);
+
+isc_result_t
+isc_condition_destroy(isc_condition_t *);
+
+isc_result_t
+isc_condition_waituntil(isc_condition_t *, isc_mutex_t *, isc_time_t *);
+
+ISC_LANG_ENDDECLS
 
 #endif /* ISC_CONDITION_H */
diff --git a/lib/isc/win32/include/isc/dir.h b/lib/isc/win32/include/isc/dir.h
index 03f70952..e70eb3bb 100644
--- a/lib/isc/win32/include/isc/dir.h
+++ b/lib/isc/win32/include/isc/dir.h
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: dir.h,v 1.4 2000/02/03 23:08:12 halley Exp $ */
+/* $Id: dir.h,v 1.5 2000/04/28 17:46:30 tale Exp $ */
 
 /* Principal Authors: DCL */
 
@@ -29,8 +29,6 @@
 #include <isc/boolean.h>
 #include <isc/result.h>
 
-ISC_LANG_BEGINDECLS
-
 #define ISC_DIR_NAMEMAX _MAX_FNAME
 #define ISC_DIR_PATHMAX _MAX_PATH
 
@@ -48,6 +46,8 @@ typedef struct {
 	HANDLE        	search_handle;
 } isc_dir_t;
 
+ISC_LANG_BEGINDECLS
+
 void
 isc_dir_init(isc_dir_t *dir);
 
@@ -66,6 +66,6 @@ isc_dir_close(isc_dir_t *dir);
 isc_result_t
 isc_dir_chdir(const char *dirname);
 
-ISC_LANG_BEGINDECLS
+ISC_LANG_ENDDECLS
 
 #endif /* ISC_DIR_H */
diff --git a/lib/isc/win32/include/isc/int.h b/lib/isc/win32/include/isc/int.h
index 31221ba9..3c6b2ec7 100644
--- a/lib/isc/win32/include/isc/int.h
+++ b/lib/isc/win32/include/isc/int.h
@@ -18,10 +18,6 @@
 #ifndef ISC_INT_H
 #define ISC_INT_H 1
 
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
 typedef __int8				isc_int8_t;
 typedef unsigned __int8			isc_uint8_t;
 typedef __int16				isc_int16_t;
@@ -31,6 +27,4 @@ typedef unsigned __int32		isc_uint32_t;
 typedef __int64				isc_int64_t;
 typedef unsigned __int64		isc_uint64_t;
 
-ISC_LANG_ENDDECLS
-
 #endif /* ISC_INT_H */
diff --git a/lib/isc/win32/include/isc/ipv6.h b/lib/isc/win32/include/isc/ipv6.h
index 90d2ebfd..7d7b8a9c 100644
--- a/lib/isc/win32/include/isc/ipv6.h
+++ b/lib/isc/win32/include/isc/ipv6.h
@@ -45,10 +45,10 @@
  *** Imports.
  ***/
 
-#include <isc/lang.h>
 #include <isc/int.h>
+#include <isc/platform.h>
 
-ISC_LANG_BEGINDECLS
+#undef ISC_PLATFORM_HAVESALEN
 
 /***
  *** Types.
@@ -86,6 +86,4 @@ struct sockaddr_in6 {
 #define SIN6_LEN 1
 #endif
 
-ISC_LANG_ENDDECLS
-
 #endif /* ISC_IPV6_H */
diff --git a/lib/isc/win32/include/isc/mutex.h b/lib/isc/win32/include/isc/mutex.h
index 3679bbd8..58572e42 100644
--- a/lib/isc/win32/include/isc/mutex.h
+++ b/lib/isc/win32/include/isc/mutex.h
@@ -20,11 +20,8 @@
 
 #include <windows.h>
 
-#include <isc/lang.h>
 #include <isc/result.h>
 
-ISC_LANG_BEGINDECLS
-
 typedef CRITICAL_SECTION isc_mutex_t;
 
 #define isc_mutex_init(mp) \
@@ -38,6 +35,4 @@ typedef CRITICAL_SECTION isc_mutex_t;
 #define isc_mutex_destroy(mp) \
 	(DeleteCriticalSection((mp)), ISC_R_SUCCESS)
 
-ISC_LANG_ENDDECLS
-
 #endif /* ISC_MUTEX_H */
diff --git a/lib/isc/win32/include/isc/net.h b/lib/isc/win32/include/isc/net.h
index 32f7cf4c..136ae4be 100644
--- a/lib/isc/win32/include/isc/net.h
+++ b/lib/isc/win32/include/isc/net.h
@@ -64,14 +64,6 @@
  *** Defines.
  ***/
 
-/* XXXRTH  ISC_NET_ should be converted to ISC_PLATFORM_ */
-
-/*
- * If sockaddrs on this system have an sa_len field, ISC_PLATFORM_HAVESALEN
- * will be defined.
- */
-#undef ISC_PLATFORM_HAVESALEN
-
 /*
  * If this system has the IPv6 structure definitions, ISC_NET_HAVEIPV6
  * will be defined.
@@ -116,6 +108,7 @@
 
 #include <sys/types.h>
 
+#include <isc/lang.h>
 #include <isc/result.h>
 
 #ifndef AF_INET6
@@ -143,6 +136,8 @@ typedef isc_uint16_t in_port_t;
  *** Functions.
  ***/
 
+ISC_LANG_BEGINDECLS
+
 isc_result_t
 isc_net_probeipv4(void);
 /*
@@ -182,12 +177,6 @@ int isc_net_aton(const char *cp, struct in_addr *addr);
 #define inet_aton isc_net_aton
 #endif
 
-#endif /* ISC_NET_H */
+ISC_LANG_ENDDECLS
 
-/*
- * Tell emacs to use C mode for this file.
- *
- * Local Variables:
- * mode: c
- * End:
- */
+#endif /* ISC_NET_H */
diff --git a/lib/isc/win32/include/isc/stdtime.h b/lib/isc/win32/include/isc/stdtime.h
index 34764ac9..01405dca 100644
--- a/lib/isc/win32/include/isc/stdtime.h
+++ b/lib/isc/win32/include/isc/stdtime.h
@@ -15,18 +15,13 @@
  * SOFTWARE.
  */
 
-/* $Id: stdtime.h,v 1.3 2000/02/03 23:08:13 halley Exp $ */
+/* $Id: stdtime.h,v 1.4 2000/04/28 23:53:55 tale Exp $ */
 
 #ifndef ISC_STDTIME_H
 #define ISC_STDTIME_H 1
 
-#include <time.h>
-
 #include <isc/lang.h>
 #include <isc/int.h>
-#include <isc/result.h>
-
-ISC_LANG_BEGINDECLS
 
 /*
  * It's public information that 'isc_stdtime_t' is an unsigned integral type.
@@ -35,6 +30,8 @@ ISC_LANG_BEGINDECLS
  */
 typedef isc_uint32_t isc_stdtime_t;
 
+ISC_LANG_BEGINDECLS
+
 void
 isc_stdtime_get(isc_stdtime_t *t);
 /*
diff --git a/lib/isc/win32/include/isc/thread.h b/lib/isc/win32/include/isc/thread.h
index 03471732..58e743f3 100644
--- a/lib/isc/win32/include/isc/thread.h
+++ b/lib/isc/win32/include/isc/thread.h
@@ -20,6 +20,7 @@
 
 #include <windows.h>
 
+#include <isc/lang.h>
 #include <isc/result.h>
 
 typedef HANDLE isc_thread_t;
@@ -27,10 +28,16 @@ typedef unsigned int isc_threadresult_t;
 typedef void * isc_threadarg_t;
 typedef isc_threadresult_t (WINAPI *isc_threadfunc_t)(isc_threadarg_t);
 
-isc_result_t isc_thread_create(isc_threadfunc_t, isc_threadarg_t, 
-			       isc_thread_t *);
-isc_result_t isc_thread_join(isc_thread_t, isc_threadresult_t *);
-#define isc_thread_self \
-	(unsigned long)GetCurrentThreadId
+#define isc_thread_self (unsigned long)GetCurrentThreadId
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_thread_create(isc_threadfunc_t, isc_threadarg_t, isc_thread_t *);
+
+isc_result_t
+isc_thread_join(isc_thread_t, isc_threadresult_t *);
+
+ISC_LANG_ENDDECLS
 
 #endif /* ISC_THREAD_H */
diff --git a/lib/isc/win32/include/isc/time.h b/lib/isc/win32/include/isc/time.h
index fd74dae0..0d44439b 100644
--- a/lib/isc/win32/include/isc/time.h
+++ b/lib/isc/win32/include/isc/time.h
@@ -20,12 +20,8 @@
 
 #include <windows.h>
 
-#include <isc/int.h>
 #include <isc/lang.h>
-#include <isc/result.h>
-#include <isc/boolean.h>
-
-ISC_LANG_BEGINDECLS
+#include <isc/types.h>
 
 /***
  *** Intervals
@@ -37,12 +33,14 @@ ISC_LANG_BEGINDECLS
  *
  * The contents are exposed only to allow callers to avoid dynamic allocation.
  */
-typedef struct isc_interval {
+struct isc_interval {
 	isc_int64_t interval;
-} isc_interval_t;
+};
 
 extern isc_interval_t *isc_interval_zero;
 
+ISC_LANG_BEGINDECLS
+
 void
 isc_interval_set(isc_interval_t *i,
 		 unsigned int seconds, unsigned int nanoseconds);
@@ -53,9 +51,8 @@ isc_interval_set(isc_interval_t *i,
  *
  * Requires:
  *
- *	't' is a valid.
- *
- *	nanoseconds < 1000000000
+ *	't' is a valid pointer.
+ *	nanoseconds < 1000000000.
  */
 
 isc_boolean_t
@@ -65,8 +62,7 @@ isc_interval_iszero(isc_interval_t *i);
  *
  * Requires:
  *
- *	't' is a valid.
- *
+ *	'i' is a valid pointer.
  */
 
 /***
@@ -80,21 +76,40 @@ isc_interval_iszero(isc_interval_t *i);
  * The contents are exposed only to allow callers to avoid dynamic allocation.
  */
 
-typedef struct isc_time {
+struct isc_time {
 	FILETIME absolute;
-} isc_time_t;
+};
 
 extern isc_time_t *isc_time_epoch;
 
 void
+isc_time_set(isc_time_t *t, unsigned int seconds, unsigned int nanoseconds);
+/*
+ * Set 't' to a particular number of seconds + nanoseconds since the epoch.
+ *
+ * Notes:
+ *	This call is equivalent to:
+ *
+ *	isc_time_settoepoch(t);
+ *	isc_interval_set(i, seconds, nanoseconds);
+ *	isc_time_add(t, i, t);
+ *
+ * Requires:
+ *	't' is a valid pointer.
+ *	nanoseconds < 1000000000.
+ */
+
+void
 isc_time_settoepoch(isc_time_t *t);
 /*
  * Set 't' to the time of the epoch.
  *
- * Requires:
+ * Notes:
+ * 	The date of the epoch is platform-dependent.
  *
- *	't' is a valid.
+ * Requires:
  *
+ *	't' is a valid pointer.
  */
 
 isc_boolean_t
@@ -104,8 +119,7 @@ isc_time_isepoch(isc_time_t *t);
  *
  * Requires:
  *
- *	't' is a valid.
- *
+ *	't' is a valid pointer.
  */
 
 isc_result_t
@@ -121,6 +135,10 @@ isc_time_now(isc_time_t *t);
  *
  *	Success
  *	Unexpected error
+ *		Getting the time from the system failed.
+ *	Out of range
+ *		The time from the system is too large to be represented
+ *		in the current definition of isc_time_t.
  */
 
 isc_result_t
@@ -129,7 +147,6 @@ isc_time_nowplusinterval(isc_time_t *t, isc_interval_t *i);
  * Set *t to the current absolute time + i.
  *
  * Note:
- *
  *	This call is equivalent to:
  *
  *		isc_time_now(t);
@@ -137,12 +154,16 @@ isc_time_nowplusinterval(isc_time_t *t, isc_interval_t *i);
  *
  * Requires:
  *
- *	't' and 'i' are valid.
+ *	't' and 'i' are valid pointers.
  *
  * Returns:
  *
  *	Success
  *	Unexpected error
+ *		Getting the time from the system failed.
+ *	Out of range
+ *		The interval added to the time from the system is too large to
+ *		be represented in the current definition of isc_time_t.
  */
 
 int
@@ -152,7 +173,7 @@ isc_time_compare(isc_time_t *t1, isc_time_t *t2);
  *
  * Requires:
  *
- *	't1' and 't2' are a valid.
+ *	't1' and 't2' are valid pointers.
  *
  * Returns:
  *
@@ -161,26 +182,35 @@ isc_time_compare(isc_time_t *t1, isc_time_t *t2);
  *	1		t1 > t2
  */
 
-void
+isc_result_t
 isc_time_add(isc_time_t *t, isc_interval_t *i, isc_time_t *result);
 /*
  * Add 'i' to 't', storing the result in 'result'.
  *
  * Requires:
  *
- *	't', 'i', and 'result' are valid.
+ *	't', 'i', and 'result' are valid pointers.
+ *
+ * Returns:
+ * 	Success
+ *	Out of range
+ * 		The interval added to the time is too large to
+ *		be represented in the current definition of isc_time_t.
  */
 
-void
+isc_result_t
 isc_time_subtract(isc_time_t *t, isc_interval_t *i, isc_time_t *result);
 /*
  * Subtract 'i' from 't', storing the result in 'result'.
  *
  * Requires:
  *
- *	't', 'i', and 'result' are valid.
+ *	't', 'i', and 'result' are valid pointers.
  *
- *	t >= epoch + i			(comparing times, not pointers)
+ * Returns:
+ *	Success
+ *	Out of range
+ *		The interval is larger than the time since the epoch.
  */
 
 isc_uint64_t
@@ -190,7 +220,8 @@ isc_time_microdiff(isc_time_t *t1, isc_time_t *t2);
  * t2 is the subtrahend of t1; ie, difference = t1 - t2.
  *
  * Requires:
- *	No formal requirements are asserted.
+ *
+ *	't1' and 't2' are valid pointers.
  */
 
 isc_uint32_t
@@ -199,7 +230,31 @@ isc_time_seconds(isc_time_t *t);
  * Return the number of seconds since the epoch stored in a time structure.
  *
  * Requires:
- *	No formal requirements are asserted.
+ *
+ *	't' is a valid pointer.
+ */
+
+isc_result_t
+isc_time_secondsastimet(isc_time_t *t, time_t *secondsp);
+/*
+ * Ensure the number of seconds in an isc_time_t is representable by a time_t.
+ *
+ * Notes:
+ *	The number of seconds stored in an isc_time_t might be larger
+ *	than the number of seconds a time_t is able to handle.  Since
+ *	time_t is mostly opaque according to the ANSI/ISO standard
+ *	(essentially, all you can be sure of is that it is an arithmetic type,
+ *	not even necessarily integral), it can be tricky to ensure that
+ *	the isc_time_t is in the range a time_t can handle.  Use this
+ *	function in place of isc_time_seconds() any time you need to set a
+ *	time_t from an isc_time_t.
+ *
+ * Requires:
+ *	't' is a valid pointer.
+ *
+ * Returns:
+ *	Success
+ *	Out of range
  */
 
 isc_uint32_t
@@ -213,10 +268,12 @@ isc_time_nanoseconds(isc_time_t *t);
  *	full second.
  *
  * Requires:
- *	No formal requirements are asserted.
+ *	't' is a valid pointer.
  *
  * Ensures:
  *	The returned value is less than 1*10^9.
  */
 
+ISC_LANG_ENDDECLS
+
 #endif /* ISC_TIME_H */
diff --git a/lib/isc/win32/time.c b/lib/isc/win32/time.c
index 20cae495..4a6bb711 100644
--- a/lib/isc/win32/time.c
+++ b/lib/isc/win32/time.c
@@ -17,11 +17,12 @@
 
 #include <config.h>
 
+#include <errno.h>
+#include <limits.h>
 #include <stddef.h>
 #include <stdlib.h>
 #include <string.h>
 #include <time.h>
-#include <errno.h>
 
 #include <windows.h>
 
@@ -29,7 +30,7 @@
 #include <isc/time.h>
 
 /*
- * struct FILETIME uses "100-nanoseconds intevals".
+ * struct FILETIME uses "100-nanoseconds intervals".
  * NS / S = 1000000000 (10^9).
  * While it is reasonably obvious that this makes the needed
  * conversion factor 10^7, it is coded this way for additional clarity.
@@ -37,6 +38,7 @@
 #define NS_PER_S 	1000000000
 #define NS_INTERVAL	100
 #define INTERVALS_PER_S (NS_PER_S / NS_INTERVAL)
+#define UINT64_MAX	0xffffffffffffffffui64
 
 /***
  *** Intervals
@@ -85,6 +87,25 @@ static isc_time_t epoch = { 0, 0 };
 isc_time_t *isc_time_epoch = &epoch;
 
 void
+isc_time_set(isc_time_t *t, unsigned int seconds, unsigned int nanoseconds) {
+	ULARGE_INTEGER i;
+
+	/*
+	 * Set 't' to a particular number of seconds + nanoseconds since the
+	 * epoch.
+	 */
+	REQUIRE(t != NULL);
+	REQUIRE(nanoseconds < 1000000000);
+
+	i.QuadPart = (LONGLONG)seconds * INTERVALS_PER_S
+		+ nanoseconds / NS_INTERVAL;
+
+	t->absolute.dwLowDateTime = i.LowPart;
+	t->absolute.dwHighDateTime = i.HighPart;
+
+}
+
+void
 isc_time_settoepoch(isc_time_t *t) {
 	/*
 	 * Set 't' to the time of the epoch.
@@ -140,6 +161,9 @@ isc_time_nowplusinterval(isc_time_t *t, isc_interval_t *i) {
 	i1.LowPart = t->absolute.dwLowDateTime;
 	i1.HighPart = t->absolute.dwHighDateTime;
 
+	if (UINT64_MAX - i1.QuadPart < i->interval)
+		return (ISC_R_RANGE);
+
 	i1.QuadPart += i->interval;
 
 	t->absolute.dwLowDateTime  = i1.LowPart;
@@ -159,10 +183,9 @@ isc_time_compare(isc_time_t *t1, isc_time_t *t2) {
 	return ((int)CompareFileTime(&t1->absolute, &t2->absolute));
 }
 
-void
-isc_time_add(isc_time_t *t, isc_interval_t *i, isc_time_t *result)
-{
-	ULARGE_INTEGER i1, i2;
+isc_result_t
+isc_time_add(isc_time_t *t, isc_interval_t *i, isc_time_t *result) {
+	ULARGE_INTEGER i1;
 
 	/*
 	 * Add 't' to 'i', storing the result in 'result'.
@@ -173,15 +196,20 @@ isc_time_add(isc_time_t *t, isc_interval_t *i, isc_time_t *result)
 	i1.LowPart = t->absolute.dwLowDateTime;
 	i1.HighPart = t->absolute.dwHighDateTime;
 
-	i2.QuadPart = i1.QuadPart + i->interval;
-	
-	result->absolute.dwLowDateTime = i2.LowPart;
-	result->absolute.dwHighDateTime = i2.HighPart;
+	if (UINT64_MAX - i1.QuadPart < i->interval)
+		return (ISC_R_RANGE);
+
+	i1.QuadPart += i->interval;
+
+	result->absolute.dwLowDateTime = i1.LowPart;
+	result->absolute.dwHighDateTime = i1.HighPart;
+
+	return (ISC_R_SUCCESS);
 }
 
-void
+isc_result_t
 isc_time_subtract(isc_time_t *t, isc_interval_t *i, isc_time_t *result) {
-	ULARGE_INTEGER i1, i2;
+	ULARGE_INTEGER i1;
 
 	/*
 	 * Subtract 'i' from 't', storing the result in 'result'.
@@ -192,10 +220,13 @@ isc_time_subtract(isc_time_t *t, isc_interval_t *i, isc_time_t *result) {
 	i1.LowPart = t->absolute.dwLowDateTime;
 	i1.HighPart = t->absolute.dwHighDateTime;
 
-	i2.QuadPart = i1.QuadPart - i->interval;
-	
-	result->absolute.dwLowDateTime = i2.LowPart;
-	result->absolute.dwHighDateTime = i2.HighPart;
+	if (i.QuadPart < i->interval)
+		return (ISC_R_RANGE);
+
+	i1.QuadPart -= i->interval;
+
+	result->absolute.dwLowDateTime = i1.LowPart;
+	result->absolute.dwHighDateTime = i1.HighPart;
 }
 
 isc_uint64_t
@@ -225,6 +256,8 @@ isc_uint32_t
 isc_time_seconds(isc_time_t *t) {
 	ULARGE_INTEGER i;
 
+	REQUIRE(t != NULL);
+
 	i.LowPart = t->absolute.dwLowDateTime;
 	i.HighPart = t->absolute.dwHighDateTime;
 
@@ -233,10 +266,105 @@ isc_time_seconds(isc_time_t *t) {
 	return ((isc_uint32_t)(i.QuadPart / INTERVALS_PER_S));
 }
 
+isc_result_t
+isc_time_secondsastimet(isc_time_t *t, time_t *secondsp) {
+	ULARGE_INTEGER i1, i2;
+	time_t seconds;
+
+	REQUIRE(t != NULL);
+
+	i1.LowPart = t->absolute.dwLowDateTime;
+	i1.HighPart = t->absolute.dwHighDateTime;
+
+	i1.QuadPart /= INTERVALS_PER_S;
+
+	/*
+	 * Ensure that the number of seconds can be represented by a time_t.
+	 * Since the number seconds is an unsigned int and since time_t is
+	 * mostly opaque, this is trickier than it seems.  (This standardized
+	 * opaqueness of time_t is *very* * frustrating; time_t is not even
+	 * limited to being an integral type.)  Thought it is known at the
+	 * time of this writing that time_t is a signed long on the Win32
+	 * platform, the full treatment is given to figuring out if things
+	 * fit to allow for future Windows platforms where time_t is *not*
+	 * a signed long, or where perhaps a signed long is longer than
+	 * it currently is.
+	 */
+	seconds = (time_t)i1.QuadPart;
+
+	/*
+	 * First, only do the range tests if the type of size_t is integral.
+	 * Float/double easily include the maximum possible values.
+	 */
+	if ((time_t)0.5 != 0.5) {
+		/*
+		 * Did all the bits make it in?
+		 */
+		if ((seconds & i1.QuadPart) != i1.QuadPart)
+			return (ISC_R_RANGE);
+
+		/*
+		 * Is time_t signed with the high bit set?
+		 *
+		 * The first test (the sizeof comparison) determines
+		 * whether we can even deduce the signedness of time_t
+		 * by using ANSI's rule about integer conversion to
+		 * wider integers.
+		 *
+		 * The second test uses that ANSI rule to see whether
+		 * the value of time_t was sign extended into QuadPart.
+		 * If the test is true, then time_t is signed.
+		 *
+		 * The final test ensures the high bit is not set, or
+		 * the value is negative and hence there is a range error.
+		 */
+		if (sizeof(time_t) < sizeof(i2.QuadPart) &&
+		    ((i2.QuadPart = (time_t)-1) ^ (time_t)-1) != 0 &&
+		    (seconds & (1 << (sizeof(time_t) * 8 - 1))) != 0)
+			return (ISC_R_RANGE);
+
+		/*
+		 * Last test ... the size of time_t is >= that of i2.QuadPart,
+		 * so we can't determine its signedness.  Unconditionally
+		 * declare anything with the high bit set as out of range.
+		 * Since even the maxed signed value is ludicrously far from
+		 * when this is being written, this rule shall not impact
+		 * anything for all intents and purposes.
+		 *
+		 * How far?  Well ... if FILETIME is in 100 ns intervals since
+		 * 1600, and a QuadPart can store 9223372036854775808 such
+		 * intervals when interpreted as signed (ie, if sizeof(time_t)
+		 * == sizeof(QuadPart) but time_t is signed), that means
+		 * 9223372036854775808 / INTERVALS_PER_S = 922,337,203,685
+		 * seconds.  That number divided by 60 * 60 * 24 * 365 seconds
+		 * per year means a signed time_t can store at least 29,247
+		 * years, with only 400 of those years used up since 1600 as I
+		 * write this in May, 2000.
+		 *
+		 * (Real date calculations are of course incredibly more
+		 * complex; I'm only describing the approximate scale of
+		 * the numbers involved here.)
+		 *
+		 * If the Galactic Federation is still running libisc's time
+		 * libray on a Windows platform in the year 27647 A.D., then
+		 * feel free to hunt down my greatgreatgreatgreatgreat(etc)
+		 * grandchildren and whine at them about what I did.
+		 */
+		if ((seconds & (1 << (sizeof(time_t) * 8 - 1))) != 0)
+			return (ISC_R_RANGE);
+	}
+
+	*secondsp = seconds;
+
+	return (ISC_R_SUCCESS);
+}
+
 isc_uint32_t
 isc_time_nanoseconds(isc_time_t *t) {
 	ULARGE_INTEGER i;
 
+	REQUIRE(t != NULL);
+
 	i.LowPart = t->absolute.dwLowDateTime;
 	i.HighPart = t->absolute.dwHighDateTime;
 
diff --git a/lib/lwres/Makefile.in b/lib/lwres/Makefile.in
index e8a53bb7..2e5c91a5 100644
--- a/lib/lwres/Makefile.in
+++ b/lib/lwres/Makefile.in
@@ -29,17 +29,16 @@ CWARNINGS =
 
 # Alphabetically
 OBJS =		context.@O@ gai_strerror.@O@ getaddrinfo.@O@ gethost.@O@ \
-		getipnode.@O@ getnameinfo.@O@ getnet.@O@ herror.@O@ \
+		getipnode.@O@ getnameinfo.@O@ herror.@O@ \
 		lwbuffer.@O@ lwconfig.@O@ lwpacket.@O@ lwresutil.@O@ \
-		lwres_gabn.@O@ \
-		lwres_gnba.@O@ lwres_noop.@O@ \
+		lwres_gabn.@O@ lwres_gnba.@O@ lwres_noop.@O@ \
 		lwinetaton.@O@ lwinetpton.@O@ lwinetntop.@O@
 
 # Alphabetically
-SRCS =		context.c gai_strerror.c getaddrinfo.c gethost.c getipnode.c \
-		getnameinfo.c getnet.c herror.c lwbuffer.c lwpacket.c \
-		lwconfig.c \
-		lwresutil.c lwres_gabn.c lwres_gnba.c lwres_noop.c \
+SRCS =		context.c gai_strerror.c getaddrinfo.c gethost.c \
+		getipnode.c getnameinfo.c herror.c \
+		lwbuffer.c lwconfig.c lwpacket.c lwresutil.c \
+		lwres_gabn.c lwres_gnba.c lwres_noop.c \
 		lwinetaton.c lwinetpton.c lwinetntop.c
 
 LIBS =		@LIBS@
diff --git a/lib/lwres/context.c b/lib/lwres/context.c
index cce57eb6..69c58f07 100644
--- a/lib/lwres/context.c
+++ b/lib/lwres/context.c
@@ -17,8 +17,8 @@
 
 #include <config.h>
 
-#include <assert.h>
 #include <fcntl.h>
+#include <limits.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
@@ -29,9 +29,7 @@
 
 #include <netinet/in.h>
 
-#include <lwres/context.h>
 #include <lwres/lwres.h>
-#include <lwres/result.h>
 
 #include "context_p.h"
 #include "assert_p.h"
@@ -87,8 +85,7 @@ lwres_context_create(lwres_context_t **contextp, void *arg,
 }
 
 void
-lwres_context_destroy(lwres_context_t **contextp)
-{
+lwres_context_destroy(lwres_context_t **contextp) {
 	lwres_context_t *ctx;
 
 	REQUIRE(contextp != NULL && *contextp != NULL);
@@ -105,24 +102,21 @@ lwres_context_destroy(lwres_context_t **contextp)
 }
 
 lwres_uint32_t
-lwres_context_nextserial(lwres_context_t *ctx)
-{
+lwres_context_nextserial(lwres_context_t *ctx) {
 	REQUIRE(ctx != NULL);
 
 	return (ctx->serial++);
 }
 
 void
-lwres_context_initserial(lwres_context_t *ctx, lwres_uint32_t serial)
-{
+lwres_context_initserial(lwres_context_t *ctx, lwres_uint32_t serial) {
 	REQUIRE(ctx != NULL);
 
 	ctx->serial = serial;
 }
 
 void
-lwres_context_freemem(lwres_context_t *ctx, void *mem, size_t len)
-{
+lwres_context_freemem(lwres_context_t *ctx, void *mem, size_t len) {
 	REQUIRE(mem != NULL);
 	REQUIRE(len != 0);
 
@@ -130,16 +124,14 @@ lwres_context_freemem(lwres_context_t *ctx, void *mem, size_t len)
 }
 
 void *
-lwres_context_allocmem(lwres_context_t *ctx, size_t len)
-{
+lwres_context_allocmem(lwres_context_t *ctx, size_t len) {
 	REQUIRE(len != 0);
 
 	return (CTXMALLOC(len));
 }
 
 static void *
-lwres_malloc(void *arg, size_t len)
-{
+lwres_malloc(void *arg, size_t len) {
 	void *mem;
 
 	(void)arg;
@@ -154,8 +146,7 @@ lwres_malloc(void *arg, size_t len)
 }
 
 static void
-lwres_free(void *arg, void *mem, size_t len)
-{
+lwres_free(void *arg, void *mem, size_t len) {
 	(void)arg;
 
 	memset(mem, 0xa9, len);
@@ -163,8 +154,7 @@ lwres_free(void *arg, void *mem, size_t len)
 }
 
 static lwres_result_t
-context_connect(lwres_context_t *ctx)
-{
+context_connect(lwres_context_t *ctx) {
 	int s;
 	int ret;
 	struct sockaddr_in localhost;
@@ -199,11 +189,20 @@ lwres_context_sendrecv(lwres_context_t *ctx,
 	int ret2;
 	int flags;
 	struct sockaddr_in sin;
-	int fromlen;
+	unsigned int fromlen;
 	fd_set readfds;
 	struct timeval timeout;
 
-	timeout.tv_sec = ctx->timeout;
+
+	/*
+	 * Type of tv_sec is long, so make sure the unsigned long timeout
+	 * does not overflow it.
+	 */
+	if (ctx->timeout <= LONG_MAX)
+		timeout.tv_sec = (long)ctx->timeout;
+	else
+		timeout.tv_sec = LONG_MAX;
+
 	timeout.tv_usec = 0;
 
 	ret = sendto(ctx->sock, sendbase, sendlen, 0, NULL, 0);
@@ -238,6 +237,11 @@ lwres_context_sendrecv(lwres_context_t *ctx,
 		return (LWRES_R_TIMEOUT);
 
 	fromlen = sizeof(sin);
+	/*
+	 * Compilers that use an older prototype for recvfrom() will
+	 * warn about the type of the sixth parameter, fromlen.  It
+	 * is now standardized as unsigned, specifically as socklen_t.
+	 */
 	ret = recvfrom(ctx->sock, recvbase, recvlen, 0,
 		       (struct sockaddr *)&sin, &fromlen);
 
diff --git a/lib/lwres/getaddrinfo.c b/lib/lwres/getaddrinfo.c
index 1dcf1691..e6266549 100644
--- a/lib/lwres/getaddrinfo.c
+++ b/lib/lwres/getaddrinfo.c
@@ -3,9 +3,10 @@
  * The Berkeley Software Design Inc. software License Agreement specifies
  * the terms and conditions for redistribution.
  *
- *	BSDI $Id: getaddrinfo.c,v 1.14 2000/03/10 23:11:27 explorer Exp $
+ *	BSDI $Id: getaddrinfo.c,v 1.17 2000/05/14 03:26:31 tale Exp $
  */
 
+#include <config.h>
 
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -218,7 +219,9 @@ lwres_getaddrinfo(const char *hostname, const char *servname,
 
 		if (lwres_net_aton(hostname, (struct in_addr *)abuf)) {
 			if (family == AF_INET6) {
-				/* Convert to a V4 mapped address */
+				/*
+				 * Convert to a V4 mapped address.
+				 */
 				struct in6_addr *a6 = (struct in6_addr *)abuf;
 				memcpy(&a6->s6_addr[12], &a6->s6_addr[0], 4);
 				memset(&a6->s6_addr[10], 0xff, 2);
@@ -297,10 +300,8 @@ lwres_strsep(char **stringp, const char *delim) {
 }
 
 static void
-set_order(family, net_order)
-	int family;
-	int (**net_order)(const char *, int, struct addrinfo **,
-		 int, int);
+set_order(int family, int (**net_order)(const char *, int, struct addrinfo **,
+					int, int))
 {
 	char *order, *tok;
 	int found;
@@ -318,7 +319,9 @@ set_order(family, net_order)
 		order = getenv("NET_ORDER");
 		found = 0;
 		while (order != NULL) {
-			/* We ignore any unknown names.  */
+			/*
+			 * We ignore any unknown names.
+			 */
 			tok = lwres_strsep(&order, ":");
 			if (strcasecmp(tok, "inet6") == 0) {
 				if ((found & FOUND_IPV6) == 0)
@@ -332,7 +335,9 @@ set_order(family, net_order)
 			}
 		}
 
-		/* Add in anything that we didn't find */
+		/*
+		 * Add in anything that we didn't find.
+		 */
 		if ((found & FOUND_IPV4) == 0)
 			*net_order++ = add_ipv4;
 		if ((found & FOUND_IPV6) == 0)
@@ -344,11 +349,18 @@ set_order(family, net_order)
 
 static char v4_loop[4] = { 127, 0, 0, 1 };
 
-#define ERR(x) do { result = (x); goto cleanup; } while (0)
+/*
+ * The test against 0 is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define ERR(code) \
+	do { result = (code);			\
+		if (result != 0) goto cleanup;	\
+	} while (0)
 
 static int
 add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
-    int socktype, int port)
+	int socktype, int port)
 {
 	struct addrinfo *ai;
 	lwres_context_t *lwrctx = NULL;
@@ -550,10 +562,14 @@ ai_reverse(struct addrinfo *oai) {
 	nai = NULL;
 
 	while (oai) {
-		/* grab one off the old list */
+		/*
+		 * Grab one off the old list.
+		 */
 		tai = oai;
 		oai = oai->ai_next;
-		/* put it on the front of the new list */
+		/*
+		 * Put it on the front of the new list.
+		 */
 		tai->ai_next = nai;
 		nai = tai;
 	}
diff --git a/lib/lwres/gethost.c b/lib/lwres/gethost.c
index c97877ef..44d09fa4 100644
--- a/lib/lwres/gethost.c
+++ b/lib/lwres/gethost.c
@@ -15,12 +15,13 @@
  * SOFTWARE.
  */
 
+#include <config.h>
+
 #include <sys/types.h>
 #include <sys/socket.h>
 
-#include <stdio.h>
-#include <string.h>
 #include <errno.h>
+#include <string.h>
 
 #include <lwres/netdb.h>
 
@@ -84,7 +85,9 @@ lwres_sethostent(int stayopen) {
 
 void
 lwres_endhostent(void) {
-	/* empty */
+	/*
+	 * Empty.
+	 */
 }
 
 struct hostent *
@@ -137,12 +140,16 @@ lwres_gethostent_r(struct hostent *resbuf, char *buf, int buflen, int *error) {
 void
 lwres_sethostent_r(int stayopen) {
 	(void)stayopen;
-	/* empty */
+	/*
+	 * Empty.
+	 */
 }
 
 void
 lwres_endhostent_r(void) {
-	/* empty */
+	/*
+	 * Empty.
+	 */
 }
 
 static int
@@ -152,7 +159,9 @@ copytobuf(struct hostent *he, struct hostent *hptr, char *buf, int buflen) {
         int i, n;
         int nptr, len;
 
-        /* Find out the amount of space required to store the answer. */
+        /*
+	 * Find out the amount of space required to store the answer.
+	 */
         nptr = 2; /* NULL ptrs */
         len = (char *)LWRES_ALIGN(buf) - buf;
         for (i = 0; he->h_addr_list[i]; i++, nptr++) {
@@ -168,14 +177,18 @@ copytobuf(struct hostent *he, struct hostent *hptr, char *buf, int buflen) {
                 return (-1);
         }
 
-        /* copy address size and type */
+        /*
+	 * Copy address size and type.
+	 */
         hptr->h_addrtype = he->h_addrtype;
         n = hptr->h_length = he->h_length;
 
         ptr = (char **)LWRES_ALIGN(buf);
         cp = (char *)LWRES_ALIGN(buf) + nptr * sizeof(char *);
 
-        /* copy address list */
+        /*
+	 * Copy address list.
+	 */
         hptr->h_addr_list = ptr;
         for (i = 0; he->h_addr_list[i]; i++ , ptr++) {
                 memcpy(cp, he->h_addr_list[i], n);
@@ -186,13 +199,17 @@ copytobuf(struct hostent *he, struct hostent *hptr, char *buf, int buflen) {
         hptr->h_addr_list[i] = NULL;
         ptr++;
 
-        /* copy official name */
+        /*
+	 * Copy official name.
+	 */
         n = strlen(he->h_name) + 1;
         strcpy(cp, he->h_name);
         hptr->h_name = cp;
         cp += n;
 
-        /* copy aliases */
+        /*
+	 * Copy aliases.
+	 */
         hptr->h_aliases = ptr;
         for (i = 0 ; he->h_aliases[i]; i++) {
                 n = strlen(he->h_aliases[i]) + 1;
diff --git a/lib/lwres/getipnode.c b/lib/lwres/getipnode.c
index a5e11c0c..3df0797e 100644
--- a/lib/lwres/getipnode.c
+++ b/lib/lwres/getipnode.c
@@ -15,6 +15,8 @@
  * SOFTWARE.
  */
 
+#include <config.h>
+
 #include <sys/types.h>
 #include <sys/socket.h>
 
diff --git a/lib/lwres/getnameinfo.c b/lib/lwres/getnameinfo.c
index 4d28192e..9c66b696 100644
--- a/lib/lwres/getnameinfo.c
+++ b/lib/lwres/getnameinfo.c
@@ -74,7 +74,14 @@ static struct afd {
 #define ENI_FAMILY	5
 #define ENI_SALEN	6
 
-#define ERR(x) do { result = (x); goto cleanup; } while (0)
+/*
+ * The test against 0 is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define ERR(code) \
+	do { result = (code);			\
+		if (result != 0) goto cleanup;	\
+	} while (0)
 
 int
 lwres_getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
diff --git a/lib/lwres/getnet.c b/lib/lwres/getnet.c
deleted file mode 100644
index 383acb73..00000000
--- a/lib/lwres/getnet.c
+++ /dev/null
@@ -1,91 +0,0 @@
-/*
- * Copyright (C) 2000  Internet Software Consortium.
- * 
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- * 
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <stdio.h>
-
-#include <lwres/netdb.h>
-
-#include "assert_p.h"
-
-struct netent *
-lwres_getnetbyname(const char *name) {
-
-	/* XXX */
-	UNUSED(name);
-	return (NULL);
-}
-
-struct netent *
-lwres_getnetbyaddr(unsigned long net, int type) {
-
-	if (type == AF_INET) 
-		return (NULL);
-
-	/* XXX */
-	UNUSED(net);
-	return (NULL);
-}
-
-struct netent *
-lwres_getnetent() {
-
-	return (NULL);
-}
-
-void
-lwres_setnetent(int stayopen) {
-	
-	UNUSED(stayopen);
-	/* empty */
-}
-
-void
-lwres_endnetent() {
-	/* empty */
-}
-
-struct netent *
-lwres_getnetbyname_r(const char *name, struct netent *resbuf, char *buf,
-	       int buflen)
-{
-	return (NULL);
-}
-
-struct netent *
-lwres_getnetbyaddr_r(long addr, int type, struct netent *resbuf, char *buf,
-	       int buflen)
-{
-	return (NULL);
-}
-
-struct netent *
-lwres_getnetent_r(struct netent *resbuf, char *buf, int buflen) {
-	return (NULL);
-}
-
-void
-lwres_setnetent_r(int stayopen) {
-	(void)stayopen;
-}
-
-void
-lwres_endnetent_r(void) {
-	/* empty */
-}
diff --git a/lib/lwres/herror.c b/lib/lwres/herror.c
index 9a6f5d8c..f31d61b8 100644
--- a/lib/lwres/herror.c
+++ b/lib/lwres/herror.c
@@ -50,9 +50,11 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)herror.c	8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: herror.c,v 1.2 2000/02/03 21:54:10 marka Exp $";
+static const char rcsid[] = "$Id: herror.c,v 1.3 2000/04/28 02:08:14 tale Exp $";
 #endif /* LIBC_SCCS and not lint */
 
+#include <config.h>
+
 #include <stdio.h>
 #include <lwres/netdb.h>
 
diff --git a/lib/lwres/include/lwres/context.h b/lib/lwres/include/lwres/context.h
index 2253d19c..78f44cda 100644
--- a/lib/lwres/include/lwres/context.h
+++ b/lib/lwres/include/lwres/context.h
@@ -34,6 +34,21 @@ LWRES_LANG_BEGINDECLS
 typedef void *(*lwres_malloc_t)(void *arg, size_t length);
 typedef void (*lwres_free_t)(void *arg, void *mem, size_t length);
 
+/*
+ * XXXMLG
+ *
+ * Make the server reload /etc/resolv.conf periodlically.
+ *
+ * Make the server do sortlist/searchlist.
+ *
+ * Client side can disable the search/sortlist processing.
+ *
+ * Use an array of addresses/masks and searchlist for client-side, and
+ * if added to the client disable the processing on the server.
+ *
+ * Share /etc/resolv.conf data between contexts.
+ */
+
 lwres_result_t
 lwres_context_create(lwres_context_t **contextp, void *arg,
 		     lwres_malloc_t malloc_function,
@@ -45,6 +60,9 @@ lwres_context_create(lwres_context_t **contextp, void *arg,
  * If one is non-NULL, they must both be non-NULL.  "arg" is passed to
  * these functions.
  *
+ * Contexts are not thread safe.  Document at the top of the file.
+ * XXXMLG
+ *
  * If they are NULL, the standard malloc() and free() will be used.
  *
  * Requires:
@@ -68,6 +86,9 @@ lwres_context_destroy(lwres_context_t **contextp);
 
 lwres_uint32_t
 lwres_context_nextserial(lwres_context_t *ctx);
+/*
+ * XXXMLG Document
+ */
 
 void
 lwres_context_initserial(lwres_context_t *ctx, lwres_uint32_t serial);
diff --git a/lib/lwres/include/lwres/lwbuffer.h b/lib/lwres/include/lwres/lwbuffer.h
index c5f1eae1..35041bf9 100644
--- a/lib/lwres/include/lwres/lwbuffer.h
+++ b/lib/lwres/include/lwres/lwbuffer.h
@@ -15,8 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef LWRES_BUFFER_H
-#define LWRES_BUFFER_H 1
+#ifndef LWRES_LWBUFFER_H
+#define LWRES_LWBUFFER_H 1
 
 /*****
  ***** Module Info
@@ -397,4 +397,4 @@ lwres_buffer_getmem(lwres_buffer_t *b, unsigned char *base,
 
 LWRES_LANG_ENDDECLS
 
-#endif /* LWRES_BUFFER_H */
+#endif /* LWRES_LWBUFFER_H */
diff --git a/lib/lwres/include/lwres/lwpacket.h b/lib/lwres/include/lwres/lwpacket.h
index 2e614432..851a969c 100644
--- a/lib/lwres/include/lwres/lwpacket.h
+++ b/lib/lwres/include/lwres/lwpacket.h
@@ -30,7 +30,7 @@ typedef struct lwres_lwpacket lwres_lwpacket_t;
 struct lwres_lwpacket {
 	lwres_uint32_t		length;
 	lwres_uint16_t		version;
-	lwres_uint16_t		flags;
+	lwres_uint16_t		pktflags;
 	lwres_uint32_t		serial;
 	lwres_uint32_t		opcode;
 	lwres_uint32_t		result;
@@ -43,6 +43,7 @@ struct lwres_lwpacket {
 
 #define LWRES_LWPACKETFLAG_RESPONSE	0x0001U	/* if set, pkt is a response */
 
+
 #define LWRES_LWPACKETVERSION_0		0
 
 /*
@@ -79,10 +80,12 @@ struct lwres_lwpacket {
  *
  * "authtype" is the packet level auth type used.
  * Authtypes between 0x1000 and 0xffff are application defined.  Authtypes
- * between 0x0000 and 0x0fff are reserved for library use.
+ * between 0x0000 and 0x0fff are reserved for library use.  This is currently
+ * unused and MUST be set to zero.
  *
  * "authlen" is the length of the authentication data.  See the specific
- * authtypes for more information on what is contained in this field.
+ * authtypes for more information on what is contained in this field.  This
+ * is currently unused, and MUST be set to zero.
  *
  * The remainder of the packet consists of two regions, one described by
  * "authlen" and one of "length - authlen - sizeof(lwres_lwpacket_t)".
@@ -94,9 +97,8 @@ struct lwres_lwpacket {
  *	data bytes
  */
 
-/* XXXMLG Some of this belongs here, some elsewhere.
- *
- * Initially, we will define only a few opcodes:
+/*
+ * Currently defined opcodes:
  *
  *	NOOP.  Success is always returned, with the packet contents echoed.
  *
@@ -107,14 +109,11 @@ struct lwres_lwpacket {
  *
  *	GETNAMEBYADDR.	Return the hostname for the given address.  Once
  *		again, it will return data from multiple sources.
- *
- *	GETDNSTYPE.  Return information about a given name using DNS
- *		specific structure formats.  That is, one can request MX,
- *		NS, SOA, etc. using this opcode.
  */
 
 LWRES_LANG_BEGINDECLS
 
+/* XXXMLG document */
 lwres_result_t
 lwres_lwpacket_renderheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt);
 
diff --git a/lib/lwres/include/lwres/lwres.h b/lib/lwres/include/lwres/lwres.h
index e95fc78b..f2dc91b1 100644
--- a/lib/lwres/include/lwres/lwres.h
+++ b/lib/lwres/include/lwres/lwres.h
@@ -78,17 +78,9 @@
  *	response_free().
  */
 
-/*
- * Helper macro to calculate a string's length.  Strings are encoded
- * using a 16-bit length, the string itself, and a trailing NUL.  The
- * length does not include this NUL character -- it is there merely to
- * help reduce copying on the receive side, since most strings are
- * printable character strings, and C needs the trailing NUL.
- */
-
 #define LWRES_UDP_PORT		921	/* XXXMLG */
-#define LWRES_RECVLENGTH	2048	/* XXXMLG */
-#define LWRES_ADDR_MAXLEN	16	/* XXXMLG changing this breaks ABI */
+#define LWRES_RECVLENGTH	4096	/* XXXMLG */
+#define LWRES_ADDR_MAXLEN	16	/* changing this breaks ABI */
 
 /*
  * XXXMLG
@@ -98,7 +90,30 @@
 #endif
 
 /*
- * NO-OP
+ * Flags.
+ *
+ * TRUST* define a two-bit value:
+ *
+ *	TRUSTDEFAULT:  Let the server decide what to do.
+ *
+ *	TRUSTNOTREQUIRED:  DNSSEC (or NIS equavalent) is not required.
+ *
+ *	TRUSTREQUIRED:  DNSSEC (if present) must validate, and the
+ *		daemon the client is talking to must be DNSSEC aware.
+ *
+ *	TRUSTRESERVED:  No not used, reserved for future.
+ *
+ * XXXMLG -- currently not implemented!
+ *
+ */
+#define LWRES_FLAG_TRUSTDEFAULT		0x00000000U
+#define LWRES_FLAG_TRUSTNOTREQUIRED	0x00000001U
+#define LWRES_FLAG_TRUSTREQUIRED	0x00000010U
+#define LWRES_FLAG_TRUSTRESERVED	0x00000011U
+#define LWRES_FLAG_TRUSTMASK		0x00000011U  /* mask for the above */
+
+/*
+ * no-op
  */
 #define LWRES_OPCODE_NOOP		0x00000000U
 
@@ -115,7 +130,7 @@ typedef struct {
 } lwres_noopresponse_t;
 
 /*
- * GET ADDRESSES BY NAME
+ * get addresses by name
  */
 #define LWRES_OPCODE_GETADDRSBYNAME	0x00010001U
 
@@ -131,6 +146,7 @@ struct lwres_addr {
 
 typedef struct {
 	/* public */
+	lwres_uint32_t			flags;
 	lwres_uint32_t			addrtypes;
 	lwres_uint16_t			namelen;
 	char			       *name;
@@ -138,6 +154,7 @@ typedef struct {
 
 typedef struct {
 	/* public */
+	lwres_uint32_t			flags;
 	lwres_uint16_t			naliases;
 	lwres_uint16_t			naddrs;
 	char			       *realname;
@@ -151,16 +168,18 @@ typedef struct {
 } lwres_gabnresponse_t;
 
 /*
- * GET NAME BY ADDRESS
+ * get name by address
  */
 #define LWRES_OPCODE_GETNAMEBYADDR	0x00010002U
 typedef struct {
 	/* public */
+	lwres_uint32_t			flags;
 	lwres_addr_t			addr;
 } lwres_gnbarequest_t;
 
 typedef struct {
 	/* public */
+	lwres_uint32_t			flags;
 	lwres_uint16_t			naliases;
 	char			       *realname;
 	char			      **aliases;
@@ -171,9 +190,8 @@ typedef struct {
 	size_t				baselen;
 } lwres_gnbaresponse_t;
 
-
 /*
- * resolv.conf DATA
+ * resolv.conf data
  */
 
 #define LWRES_CONFMAXNAMESERVERS 3	/* max 3 "nameserver" entries */
@@ -205,8 +223,8 @@ typedef struct {
 #define LWRES_ADDRTYPE_V4		0x00000001U	/* ipv4 */
 #define LWRES_ADDRTYPE_V6		0x00000002U	/* ipv6 */
 
-#define LWRES_MAX_ALIASES		8		/* max # of aliases */
-#define LWRES_MAX_ADDRS			32		/* max # of addrs */
+#define LWRES_MAX_ALIASES		16		/* max # of aliases */
+#define LWRES_MAX_ADDRS			64		/* max # of addrs */
 
 LWRES_LANG_BEGINDECLS
 
@@ -430,8 +448,7 @@ void
 lwres_conf_clear(lwres_context_t *ctx);
 /*
  * frees all internally allocated memory in confdata. Uses the memory 
- * routines supplies by ctx (so that should probably be the same value as
- * given to lwres_conf_parse()).
+ * routines supplied by ctx.
  */
 
 lwres_conf_t *
diff --git a/lib/lwres/include/lwres/net.h b/lib/lwres/include/lwres/net.h
index c2242fb7..18d01d94 100644
--- a/lib/lwres/include/lwres/net.h
+++ b/lib/lwres/include/lwres/net.h
@@ -54,8 +54,11 @@
 
 #include <netinet/in.h>
 #include <arpa/inet.h>
-#ifdef LWRES_PLATFORM_HAVENETINET6IN6H
-#include <netinet6/in6.h>
+#ifdef LWRES_PLATFORM_NEEDNETINETIN6H
+#include <netinet/in6.h>	/* Required on UnixWare. */
+#endif
+#ifdef LWRES_PLATFORM_NEEDNETINET6IN6H
+#include <netinet6/in6.h>	/* Required on BSD/OS for in6_pktinfo. */
 #endif
 
 #include <lwres/result.h>
@@ -72,10 +75,13 @@
 #include <lwres/ipv6.h>
 #endif
 
-const char *lwres_net_ntop(int af, const void *src, char *dst, size_t size);
+const char *
+lwres_net_ntop(int af, const void *src, char *dst, size_t size);
 
-int lwres_net_pton(int af, const char *src, void *dst);
+int
+lwres_net_pton(int af, const char *src, void *dst);
 
-int lwres_net_aton(const char *cp, struct in_addr *addr);
+int
+lwres_net_aton(const char *cp, struct in_addr *addr);
 
 #endif /* LWRES_NET_H */
diff --git a/lib/lwres/include/lwres/netdb.h.in b/lib/lwres/include/lwres/netdb.h.in
index ae3f0a4b..042adcbb 100644
--- a/lib/lwres/include/lwres/netdb.h.in
+++ b/lib/lwres/include/lwres/netdb.h.in
@@ -286,7 +286,6 @@ struct	addrinfo {
 #define getprotoent_r lwres_getprotoent_r
 #define setprotoent_r lwres_setprotoent_r
 #define endprotoent_r lwres_endprotoent_r
-#endif
 
 #ifdef getnetbyname
 #undef getnetbyname
@@ -338,13 +337,14 @@ struct	addrinfo {
 #undef endnetent_r
 #endif
 #define endnetent_r lwres_endnetent_r
+#endif	/* notyet */
 
 #ifdef h_errno
 #undef h_errno
 #endif
 #define h_errno lwres_h_errno
 
-#endif
+#endif	/* LWRES_NAMESPACE */
 
 LWRES_LANG_BEGINDECLS
 
@@ -368,13 +368,13 @@ void		lwres_sethostent(int);
 /* void		lwres_sethostfile(const char *); */
 void		lwres_freehostent(struct hostent *);
 
+#ifdef notyet
 struct netent	*lwres_getnetbyaddr(unsigned long, int);
 struct netent	*lwres_getnetbyname(const char *);
 struct netent	*lwres_getnetent(void);
 void		lwres_endnetent(void);
 void		lwres_setnetent(int);
 
-#ifdef notyet
 struct protoent	*lwres_getprotobyname(const char *);
 struct protoent	*lwres_getprotobynumber(int);
 struct protoent	*lwres_getprotoent(void);
@@ -401,6 +401,7 @@ struct hostent	*lwres_gethostent_r(struct hostent *, char *, int, int *);
 void		lwres_sethostent_r(int);
 void		lwres_endhostent_r(void);
 
+#ifdef notyet
 struct netent	*lwres_getnetbyname_r(const char *, struct netent *,
 					char *, int);
 struct netent	*lwres_getnetbyaddr_r(long, int, struct netent *,
@@ -409,7 +410,6 @@ struct netent	*lwres_getnetent_r(struct netent *, char *, int);
 void		lwres_setnetent_r(int);
 void		lwres_endnetent_r(void);
 
-#ifdef notyet
 struct protoent	*lwres_getprotobyname_r(const char *,
 				struct protoent *, char *, int);
 struct protoent	*lwres_getprotobynumber_r(int,
diff --git a/lib/lwres/include/lwres/platform.h.in b/lib/lwres/include/lwres/platform.h.in
index 90f1ae84..a20452c0 100644
--- a/lib/lwres/include/lwres/platform.h.in
+++ b/lib/lwres/include/lwres/platform.h.in
@@ -27,9 +27,14 @@
  ***/
 
 /*
- * Define if this system has the <netinet6/in6.h> header file.
+ * Define if this system needs the <netinet/in6.h> header file for IPv6.
  */
-@LWRES_PLATFORM_HAVENETINET6IN6H@
+@LWRES_PLATFORM_NEEDNETINETIN6H@
+
+/*
+ * Define if this system needs the <netinet6/in6.h> header file for IPv6.
+ */
+@LWRES_PLATFORM_NEEDNETINET6IN6H@
 
 /*
  * If sockaddrs on this system have an sa_len field, LWRES_PLATFORM_HAVESALEN
diff --git a/lib/lwres/lwconfig.c b/lib/lwres/lwconfig.c
index 2b5cd182..08620311 100644
--- a/lib/lwres/lwconfig.c
+++ b/lib/lwres/lwconfig.c
@@ -96,8 +96,7 @@ lwres_create_addr(const char *buff, lwres_addr_t *addr);
  * that caused the reading to stop.
  */
 static int
-getword(FILE *fp, char *buffer, size_t size)
-{
+getword(FILE *fp, char *buffer, size_t size) {
 	int ch;
 	char *p = buffer;
 
@@ -107,7 +106,7 @@ getword(FILE *fp, char *buffer, size_t size)
 	*p = '\0';
 
 	ch = fgetc(fp);
-	while (ch != '\n' && isspace(ch))
+	while (ch != '\n' && ch != EOF && isspace((unsigned char)ch))
 		ch = fgetc(fp);
 
 	if (ch == EOF)
@@ -116,10 +115,10 @@ getword(FILE *fp, char *buffer, size_t size)
 	do {
 		*p = '\0';
 
-		if (ch == EOF || isspace(ch))
+		if (ch == EOF || isspace((unsigned char)ch))
 			break;
 		else if ((size_t) (p - buffer) == size - 1)
-			return (EOF);	/* not enough space */
+			return (EOF);	/* Not enough space. */
 
 		*p++ = (char)ch;
 		ch = fgetc(fp);
@@ -129,8 +128,7 @@ getword(FILE *fp, char *buffer, size_t size)
 }
 
 static void
-lwres_resetaddr(lwres_addr_t *addr)
-{
+lwres_resetaddr(lwres_addr_t *addr) {
 	REQUIRE(addr != NULL);
 
 	memset(addr->address, 0, LWRES_ADDR_MAXLEN);
@@ -139,8 +137,7 @@ lwres_resetaddr(lwres_addr_t *addr)
 }
 
 static char *
-lwres_strdup(lwres_context_t *ctx, const char *str)
-{
+lwres_strdup(lwres_context_t *ctx, const char *str) {
 	char *p;
 
 	REQUIRE(str != NULL);
@@ -154,8 +151,7 @@ lwres_strdup(lwres_context_t *ctx, const char *str)
 }
 
 void
-lwres_conf_init(lwres_context_t *ctx)
-{
+lwres_conf_init(lwres_context_t *ctx) {
 	int i;
 	lwres_conf_t *confdata;
 
@@ -183,8 +179,7 @@ lwres_conf_init(lwres_context_t *ctx)
 }
 
 void
-lwres_conf_clear(lwres_context_t *ctx)
-{
+lwres_conf_clear(lwres_context_t *ctx) {
 	int i;
 	lwres_conf_t *confdata;
 
@@ -223,8 +218,7 @@ lwres_conf_clear(lwres_context_t *ctx)
 }
 
 static lwres_result_t
-lwres_conf_parsenameserver(lwres_context_t *ctx,  FILE *fp)
-{
+lwres_conf_parsenameserver(lwres_context_t *ctx,  FILE *fp) {
 	char word[LWRES_CONFMAXLINELEN];
 	int res;
 	lwres_conf_t *confdata;
@@ -236,9 +230,9 @@ lwres_conf_parsenameserver(lwres_context_t *ctx,  FILE *fp)
 
 	res = getword(fp, word, sizeof(word));
 	if (strlen(word) == 0)
-		return (LWRES_R_FAILURE); /* nothing on line */
+		return (LWRES_R_FAILURE); /* Nothing on line. */
 	else if (res != EOF && res != '\n')
-		return (LWRES_R_FAILURE); /* extra junk on line */
+		return (LWRES_R_FAILURE); /* Extra junk on line. */
 
 	res = lwres_create_addr(word,
 				&confdata->nameservers[confdata->nsnext++]);
@@ -249,8 +243,7 @@ lwres_conf_parsenameserver(lwres_context_t *ctx,  FILE *fp)
 }
 
 static lwres_result_t
-lwres_conf_parsedomain(lwres_context_t *ctx,  FILE *fp)
-{
+lwres_conf_parsedomain(lwres_context_t *ctx,  FILE *fp) {
 	char word[LWRES_CONFMAXLINELEN];
 	int res, i;
 	lwres_conf_t *confdata;
@@ -259,15 +252,17 @@ lwres_conf_parsedomain(lwres_context_t *ctx,  FILE *fp)
 
 	res = getword(fp, word, sizeof(word));
 	if (strlen(word) == 0)
-		return (LWRES_R_FAILURE); /* nothing else on line */
+		return (LWRES_R_FAILURE); /* Nothing else on line. */
 	else if (res != EOF && res != '\n')
-		return (LWRES_R_FAILURE); /* extra junk on line */
+		return (LWRES_R_FAILURE); /* Extra junk on line. */
 
 	if (confdata->domainname != NULL)
 		CTXFREE(confdata->domainname,
 			strlen(confdata->domainname) + 1); /*  */
 
-	/* search and domain are mutually exclusive */
+	/*
+	 * Search and domain are mutually exclusive.
+	 */
 	for (i = 0 ; i < LWRES_CONFMAXSEARCH ; i++) {
 		if (confdata->search[i] != NULL) {
 			CTXFREE(confdata->search[i],
@@ -286,8 +281,7 @@ lwres_conf_parsedomain(lwres_context_t *ctx,  FILE *fp)
 }
 
 static lwres_result_t
-lwres_conf_parsesearch(lwres_context_t *ctx,  FILE *fp)
-{
+lwres_conf_parsesearch(lwres_context_t *ctx,  FILE *fp) {
 	int idx, delim;
 	char word[LWRES_CONFMAXLINELEN];
 	lwres_conf_t *confdata;
@@ -295,13 +289,17 @@ lwres_conf_parsesearch(lwres_context_t *ctx,  FILE *fp)
 	confdata = &ctx->confdata;
 
 	if (confdata->domainname != NULL) {
-		/* search and domain are mutually exclusive */
+		/*
+		 * Search and domain are mutually exclusive.
+		 */
 		CTXFREE(confdata->domainname,
 			strlen(confdata->domainname) + 1);
 		confdata->domainname = NULL;
 	}
 
-	/* remove any previous search definitions. */
+	/*
+	 * Remove any previous search definitions.
+	 */
 	for (idx = 0 ; idx < LWRES_CONFMAXSEARCH ; idx++) {
 		if (confdata->search[idx] != NULL) {
 			CTXFREE(confdata->search[idx],
@@ -313,12 +311,12 @@ lwres_conf_parsesearch(lwres_context_t *ctx,  FILE *fp)
 
 	delim = getword(fp, word, sizeof(word));
 	if (strlen(word) == 0)
-		return (LWRES_R_FAILURE); /* nothing else on line */
+		return (LWRES_R_FAILURE); /* Nothing else on line. */
 
 	idx = 0;
 	while (strlen(word) > 0) {
 		if (confdata->searchnxt == LWRES_CONFMAXSEARCH)
-			return (LWRES_R_FAILURE); /* too many domains */
+			return (LWRES_R_FAILURE); /* Too many domains. */
 
 		confdata->search[idx] = lwres_strdup(ctx, word);
 		if (confdata->search[idx] == NULL)
@@ -336,8 +334,7 @@ lwres_conf_parsesearch(lwres_context_t *ctx,  FILE *fp)
 }
 
 static lwres_result_t
-lwres_create_addr(const char *buffer, lwres_addr_t *addr)
-{
+lwres_create_addr(const char *buffer, lwres_addr_t *addr) {
 	unsigned char addrbuff[NS_IN6ADDRSZ];
 	unsigned int len;
 
@@ -352,7 +349,7 @@ lwres_create_addr(const char *buffer, lwres_addr_t *addr)
 		len = 16;
 #endif
 	} else {
-		return (LWRES_R_FAILURE); /* unrecongnised format */
+		return (LWRES_R_FAILURE); /* Unrecongnised format. */
 	}
 
 	memcpy((void *)addr->address, addrbuff, len);
@@ -361,8 +358,7 @@ lwres_create_addr(const char *buffer, lwres_addr_t *addr)
 }
 
 static lwres_result_t
-lwres_conf_parsesortlist(lwres_context_t *ctx,  FILE *fp)
-{
+lwres_conf_parsesortlist(lwres_context_t *ctx,  FILE *fp) {
 	int delim, res, idx;
 	char word[LWRES_CONFMAXLINELEN];
 	char *p;
@@ -372,11 +368,11 @@ lwres_conf_parsesortlist(lwres_context_t *ctx,  FILE *fp)
 
 	delim = getword(fp, word, sizeof(word));
 	if (strlen(word) == 0)
-		return (LWRES_R_FAILURE); /* empty line after keyword */
+		return (LWRES_R_FAILURE); /* Empty line after keyword. */
 
 	while (strlen(word) > 0) {
 		if (confdata->sortlistnxt == LWRES_CONFMAXSORTLIST)
-			return (LWRES_R_FAILURE); /* too many values. */
+			return (LWRES_R_FAILURE); /* Too many values. */
 
 		p = strchr(word, '/');
 		if (p != NULL)
@@ -393,7 +389,9 @@ lwres_conf_parsesortlist(lwres_context_t *ctx,  FILE *fp)
 			if (res != LWRES_R_SUCCESS)
 				return (res);
 		} else {
-			/* Make up a mask. */
+			/*
+			 * Make up a mask.
+			 */
 			confdata->sortlist[idx].mask =
 				confdata->sortlist[idx].addr;
 
@@ -413,8 +411,7 @@ lwres_conf_parsesortlist(lwres_context_t *ctx,  FILE *fp)
 }
 
 static lwres_result_t
-lwres_conf_parseoption(lwres_context_t *ctx,  FILE *fp)
-{
+lwres_conf_parseoption(lwres_context_t *ctx,  FILE *fp) {
 	int delim;
 	long ndots;
 	char *p;
@@ -426,7 +423,7 @@ lwres_conf_parseoption(lwres_context_t *ctx,  FILE *fp)
 
 	delim = getword(fp, word, sizeof(word));
 	if (strlen(word) == 0)
-		return (LWRES_R_FAILURE); /* empty line after keyword */
+		return (LWRES_R_FAILURE); /* Empty line after keyword. */
 
 	while (strlen(word) > 0) {
 		if (strcmp("debug", word) == 0) {
@@ -435,7 +432,9 @@ lwres_conf_parseoption(lwres_context_t *ctx,  FILE *fp)
 			confdata->no_tld_query = 1;
 		} else if (strncmp("ndots:", word, 6) == 0) {
 			ndots = strtol(word + 6, &p, 10);
-			if (*p != '\0') /* bad string */
+			if (*p != '\0') /* Bad string. */
+				return (LWRES_R_FAILURE);
+			if (ndots < 0 || ndots > 0xff) /* Out of range. */
 				return (LWRES_R_FAILURE);
 			confdata->ndots = ndots;
 		}
@@ -450,11 +449,9 @@ lwres_conf_parseoption(lwres_context_t *ctx,  FILE *fp)
 }
 
 lwres_result_t
-lwres_conf_parse(lwres_context_t *ctx, const char *filename)
-{
+lwres_conf_parse(lwres_context_t *ctx, const char *filename) {
 	FILE *fp = NULL;
 	char word[256];
-	int delim;
 	lwres_result_t rval;
 	lwres_conf_t *confdata;
 
@@ -471,7 +468,7 @@ lwres_conf_parse(lwres_context_t *ctx, const char *filename)
 		return (LWRES_R_FAILURE);
 
 	do {
-		delim = getword(fp, word, sizeof(word));
+		(void)getword(fp, word, sizeof(word));
 		if (strlen(word) == 0) {
 			rval = LWRES_R_SUCCESS;
 			break;
@@ -495,8 +492,7 @@ lwres_conf_parse(lwres_context_t *ctx, const char *filename)
 }
 
 lwres_result_t
-lwres_conf_print(lwres_context_t *ctx, FILE *fp)
-{
+lwres_conf_print(lwres_context_t *ctx, FILE *fp) {
 	int i;
 	char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"];
 	const char *p;
@@ -568,8 +564,7 @@ lwres_conf_print(lwres_context_t *ctx, FILE *fp)
 }
 
 lwres_conf_t *
-lwres_conf_get(lwres_context_t *ctx)
-{
+lwres_conf_get(lwres_context_t *ctx) {
 	REQUIRE(ctx != NULL);
 
 	return (&ctx->confdata);
diff --git a/lib/lwres/lwinetaton.c b/lib/lwres/lwinetaton.c
index e5b61e61..47003d41 100644
--- a/lib/lwres/lwinetaton.c
+++ b/lib/lwres/lwinetaton.c
@@ -70,7 +70,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char sccsid[] = "@(#)inet_addr.c	8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: lwinetaton.c,v 1.2 2000/02/04 06:50:06 halley Exp $";
+static char rcsid[] = "$Id: lwinetaton.c,v 1.3 2000/05/09 22:22:24 tale Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -90,8 +90,7 @@ static char rcsid[] = "$Id: lwinetaton.c,v 1.2 2000/02/04 06:50:06 halley Exp $"
  * cannot distinguish between failure and a local broadcast address.
  */
 int
-lwres_net_aton(const char *cp, struct in_addr *addr)
-{
+lwres_net_aton(const char *cp, struct in_addr *addr) {
 	unsigned long val;
 	int base, n;
 	char c;
@@ -119,16 +118,21 @@ lwres_net_aton(const char *cp, struct in_addr *addr)
 			}
 		}
 		for (;;) {
-			if (isascii(c & 0xff) && isdigit(c & 0xff)) {
+			/*
+			 * isascii() is valid for all integer values, and
+			 * when it is true, c is known to be in scope
+			 * for isdigit().  No cast necessary.  Similar
+			 * comment applies for later ctype uses.
+			 */
+			if (isascii(c) && isdigit(c)) {
 				if (base == 8 && (c == '8' || c == '9'))
 					return (0);
 				val = (val * base) + (c - '0');
 				c = *++cp;
 				digit = 1;
-			} else if (base == 16 && isascii(c & 0xff) &&
-						 isxdigit(c & 0xff)) {
+			} else if (base == 16 && isascii(c) && isxdigit(c)) {
 				val = (val << 4) |
-					(c + 10 - (islower(c & 0xff) ? 'a' : 'A'));
+					(c + 10 - (islower(c) ? 'a' : 'A'));
 				c = *++cp;
 				digit = 1;
 			} else
@@ -151,7 +155,7 @@ lwres_net_aton(const char *cp, struct in_addr *addr)
 	/*
 	 * Check for trailing characters.
 	 */
-	if (c != '\0' && (!isascii(c & 0xff) || !isspace(c & 0xff)))
+	if (c != '\0' && (!isascii(c) || !isspace(c)))
 		return (0);
 	/*
 	 * Did we get a valid digit?
diff --git a/lib/lwres/lwinetpton.c b/lib/lwres/lwinetpton.c
index b5012b27..800ad80d 100644
--- a/lib/lwres/lwinetpton.c
+++ b/lib/lwres/lwinetpton.c
@@ -16,7 +16,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$Id: lwinetpton.c,v 1.1 2000/02/04 06:02:50 halley Exp $";
+static char rcsid[] = "$Id: lwinetpton.c,v 1.2 2000/05/14 03:52:36 tale Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -50,11 +50,7 @@ static int inet_pton6(const char *src, unsigned char *dst);
  *	Paul Vixie, 1996.
  */
 int
-lwres_net_pton(af, src, dst)
-	int af;
-	const char *src;
-	void *dst;
-{
+lwres_net_pton(int af, const char *src, void *dst) {
 	switch (af) {
 	case AF_INET:
 		return (inet_pton4(src, dst));
@@ -78,10 +74,7 @@ lwres_net_pton(af, src, dst)
  *	Paul Vixie, 1996.
  */
 static int
-inet_pton4(src, dst)
-	const char *src;
-	unsigned char *dst;
-{
+inet_pton4(const char *src, unsigned char *dst) {
 	static const char digits[] = "0123456789";
 	int saw_digit, octets, ch;
 	unsigned char tmp[NS_INADDRSZ], *tp;
@@ -131,10 +124,7 @@ inet_pton4(src, dst)
  *	Paul Vixie, 1996.
  */
 static int
-inet_pton6(src, dst)
-	const char *src;
-	unsigned char *dst;
-{
+inet_pton6(const char *src, unsigned char *dst) {
 	static const char xdigits_l[] = "0123456789abcdef",
 			  xdigits_u[] = "0123456789ABCDEF";
 	unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
diff --git a/lib/lwres/lwpacket.c b/lib/lwres/lwpacket.c
index 6e061532..f499a528 100644
--- a/lib/lwres/lwpacket.c
+++ b/lib/lwres/lwpacket.c
@@ -40,7 +40,7 @@ lwres_lwpacket_renderheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt)
 
 	lwres_buffer_putuint32(b, pkt->length);
 	lwres_buffer_putuint16(b, pkt->version);
-	lwres_buffer_putuint16(b, pkt->flags);
+	lwres_buffer_putuint16(b, pkt->pktflags);
 	lwres_buffer_putuint32(b, pkt->serial);
 	lwres_buffer_putuint32(b, pkt->opcode);
 	lwres_buffer_putuint32(b, pkt->result);
@@ -67,7 +67,7 @@ lwres_lwpacket_parseheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt)
 	if (pkt->length > space)
 		return (LWRES_R_UNEXPECTEDEND);
 	pkt->version = lwres_buffer_getuint16(b);
-	pkt->flags = lwres_buffer_getuint16(b);
+	pkt->pktflags = lwres_buffer_getuint16(b);
 	pkt->serial = lwres_buffer_getuint32(b);
 	pkt->opcode = lwres_buffer_getuint32(b);
 	pkt->result = lwres_buffer_getuint32(b);
diff --git a/lib/lwres/lwres_gabn.c b/lib/lwres/lwres_gabn.c
index be0588b4..3b6ffd6c 100644
--- a/lib/lwres/lwres_gabn.c
+++ b/lib/lwres/lwres_gabn.c
@@ -112,7 +112,7 @@ lwres_gabnrequest_render(lwres_context_t *ctx, lwres_gabnrequest_t *req,
 
 	datalen = strlen(req->name);
 
-	payload_length = 2 + req->namelen + 1 + 4;
+	payload_length = 4 + 4 + 2 + req->namelen + 1;
 
 	buflen = LWRES_LWPACKET_LENGTH + payload_length;
 	buf = CTXMALLOC(buflen);
@@ -123,7 +123,7 @@ lwres_gabnrequest_render(lwres_context_t *ctx, lwres_gabnrequest_t *req,
 
 	pkt->length = buflen;
 	pkt->version = LWRES_LWPACKETVERSION_0;
-	pkt->flags &= ~LWRES_LWPACKETFLAG_RESPONSE;
+	pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
 	pkt->opcode = LWRES_OPCODE_GETADDRSBYNAME;
 	pkt->result = 0;
 	pkt->authtype = 0;
@@ -139,6 +139,11 @@ lwres_gabnrequest_render(lwres_context_t *ctx, lwres_gabnrequest_t *req,
 	INSIST(SPACE_OK(b, payload_length));
 
 	/*
+	 * Flags.
+	 */
+	lwres_buffer_putuint32(b, req->flags);
+
+	/*
 	 * Address types we'll accept.
 	 */
 	lwres_buffer_putuint32(b, req->addrtypes);
@@ -148,7 +153,7 @@ lwres_gabnrequest_render(lwres_context_t *ctx, lwres_gabnrequest_t *req,
 	 * just checked for it.
 	 */
 	lwres_buffer_putuint16(b, datalen);
-	lwres_buffer_putmem(b, req->name, datalen);
+	lwres_buffer_putmem(b, (unsigned char *)req->name, datalen);
 	lwres_buffer_putuint8(b, 0); /* trailing NUL */
 
 	INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
@@ -174,7 +179,7 @@ lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req,
 	REQUIRE(b != NULL);
 
 	/* naliases, naddrs */
-	payload_length = 2 * 2;
+	payload_length = 4 + 2 + 2;
 	/* real name encoding */
 	payload_length += 2 + req->realnamelen + 1;
 	/* each alias */
@@ -199,7 +204,7 @@ lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req,
 
 	pkt->length = buflen;
 	pkt->version = LWRES_LWPACKETVERSION_0;
-	pkt->flags |= LWRES_LWPACKETFLAG_RESPONSE;
+	pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
 	pkt->opcode = LWRES_OPCODE_GETADDRSBYNAME;
 	pkt->authtype = 0;
 	pkt->authlength = 0;
@@ -211,25 +216,30 @@ lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req,
 		return (ret);
 	}
 
-	/* encode naliases and naddrs */
+	/*
+	 * Check space needed here.
+	 */
+	INSIST(SPACE_OK(b, payload_length));
 
-	INSIST(SPACE_OK(b, sizeof(lwres_uint16_t) * 2));
+	/* Flags. */
+	lwres_buffer_putuint32(b, req->flags);
+
+	/* encode naliases and naddrs */
 	lwres_buffer_putuint16(b, req->naliases);
 	lwres_buffer_putuint16(b, req->naddrs);
 
 	/* encode the real name */
 	datalen = req->realnamelen;
-	INSIST(SPACE_OK(b, (unsigned int)(datalen + 2 + 1)));
 	lwres_buffer_putuint16(b, datalen);
-	lwres_buffer_putmem(b, req->realname, datalen);
+	lwres_buffer_putmem(b, (unsigned char *)req->realname, datalen);
 	lwres_buffer_putuint8(b, 0);
 
 	/* encode the aliases */
 	for (x = 0 ; x < req->naliases ; x++) {
 		datalen = req->aliaslen[x];
-		INSIST(SPACE_OK(b, (unsigned int)(datalen + 2 + 1)));
 		lwres_buffer_putuint16(b, datalen);
-		lwres_buffer_putmem(b, req->aliases[x], datalen);
+		lwres_buffer_putmem(b, (unsigned char *)req->aliases[x],
+				    datalen);
 		lwres_buffer_putuint8(b, 0);
 	}
 
@@ -237,7 +247,6 @@ lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req,
 	addr = LWRES_LIST_HEAD(req->addrs);
 	while (addr != NULL) {
 		datalen = addr->length + 2 + 4;
-		INSIST(SPACE_OK(b, datalen));
 		lwres_buffer_putuint32(b, addr->family);
 		lwres_buffer_putuint16(b, addr->length);
 		lwres_buffer_putmem(b, addr->address, addr->length);
@@ -258,6 +267,7 @@ lwres_gabnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	char *name;
 	lwres_gabnrequest_t *gabn;
 	lwres_uint32_t addrtypes;
+	lwres_uint32_t flags;
 	lwres_uint16_t namelen;
 
 	REQUIRE(ctx != NULL);
@@ -265,12 +275,13 @@ lwres_gabnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	REQUIRE(b != NULL);
 	REQUIRE(structp != NULL && *structp == NULL);
 
-	if ((pkt->flags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
+	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
 		return (LWRES_R_FAILURE);
 
-	if (!SPACE_REMAINING(b, 4))
+	if (!SPACE_REMAINING(b, 4 + 4))
 		return (LWRES_R_UNEXPECTEDEND);
 
+	flags = lwres_buffer_getuint32(b);
 	addrtypes = lwres_buffer_getuint32(b);
 
 	/*
@@ -287,6 +298,7 @@ lwres_gabnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	if (gabn == NULL)
 		return (LWRES_R_NOMEMORY);
 
+	gabn->flags = flags;
 	gabn->addrtypes = addrtypes;
 	gabn->name = name;
 	gabn->namelen = namelen;
@@ -301,6 +313,7 @@ lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 {
 	lwres_result_t			ret;
 	unsigned int			x;
+	lwres_uint32_t			flags;
 	lwres_uint16_t			naliases;
 	lwres_uint16_t			naddrs;
 	lwres_gabnresponse_t	       *gabn;
@@ -314,14 +327,15 @@ lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 
 	gabn = NULL;
 
-	if ((pkt->flags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
+	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
 		return (LWRES_R_FAILURE);
 
 	/*
 	 * Pull off the name itself
 	 */
-	if (!SPACE_REMAINING(b, sizeof(lwres_uint16_t) * 2))
+	if (!SPACE_REMAINING(b, 4 + 2 + 2))
 		return (LWRES_R_UNEXPECTEDEND);
+	flags = lwres_buffer_getuint32(b);
 	naliases = lwres_buffer_getuint16(b);
 	naddrs = lwres_buffer_getuint16(b);
 
@@ -333,6 +347,7 @@ lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	LWRES_LIST_INIT(gabn->addrs);
 	gabn->base = NULL;
 
+	gabn->flags = flags;
 	gabn->naliases = naliases;
 	gabn->naddrs = naddrs;
 
diff --git a/lib/lwres/lwres_gnba.c b/lib/lwres/lwres_gnba.c
index f9cbfe70..11c77912 100644
--- a/lib/lwres/lwres_gnba.c
+++ b/lib/lwres/lwres_gnba.c
@@ -46,8 +46,7 @@ lwres_gnbarequest_render(lwres_context_t *ctx, lwres_gnbarequest_t *req,
 	REQUIRE(pkt != NULL);
 	REQUIRE(b != NULL);
 
-	payload_length = sizeof(lwres_uint32_t) + sizeof(lwres_uint16_t)
-		+ req->addr.length;
+	payload_length = 4 + 4 + 2 + + req->addr.length;
 
 	buflen = LWRES_LWPACKET_LENGTH + payload_length;
 	buf = CTXMALLOC(buflen);
@@ -57,7 +56,7 @@ lwres_gnbarequest_render(lwres_context_t *ctx, lwres_gnbarequest_t *req,
 
 	pkt->length = buflen;
 	pkt->version = LWRES_LWPACKETVERSION_0;
-	pkt->flags &= ~LWRES_LWPACKETFLAG_RESPONSE;
+	pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
 	pkt->opcode = LWRES_OPCODE_GETNAMEBYADDR;
 	pkt->result = 0;
 	pkt->authtype = 0;
@@ -76,9 +75,11 @@ lwres_gnbarequest_render(lwres_context_t *ctx, lwres_gnbarequest_t *req,
 	 * Put the length and the data.  We know this will fit because we
 	 * just checked for it.
 	 */
+	lwres_buffer_putuint32(b, req->flags);
 	lwres_buffer_putuint32(b, req->addr.family);
 	lwres_buffer_putuint16(b, req->addr.length);
-	lwres_buffer_putmem(b, req->addr.address, req->addr.length);
+	lwres_buffer_putmem(b, (unsigned char *)req->addr.address, 
+			    req->addr.length);
 
 	INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
 
@@ -101,12 +102,13 @@ lwres_gnbaresponse_render(lwres_context_t *ctx, lwres_gnbaresponse_t *req,
 	REQUIRE(pkt != NULL);
 	REQUIRE(b != NULL);
 
-	/* naliases */
-	payload_length = sizeof(lwres_uint16_t);
-	/* real name encoding */
-	payload_length += 2 + req->realnamelen + 1;
-	/* each alias */
-	for (x = 0 ; x < req->naliases ; x++)
+	/*
+	 * Calculate packet size.
+	 */
+	payload_length = 4;			       /* flags */
+	payload_length += 2;			       /* naliases */
+	payload_length += 2 + req->realnamelen + 1;    /* real name encoding */
+	for (x = 0 ; x < req->naliases ; x++)	       /* each alias */
 		payload_length += 2 + req->aliaslen[x] + 1;
 
 	buflen = LWRES_LWPACKET_LENGTH + payload_length;
@@ -117,7 +119,7 @@ lwres_gnbaresponse_render(lwres_context_t *ctx, lwres_gnbaresponse_t *req,
 
 	pkt->length = buflen;
 	pkt->version = LWRES_LWPACKETVERSION_0;
-	pkt->flags |= LWRES_LWPACKETFLAG_RESPONSE;
+	pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
 	pkt->opcode = LWRES_OPCODE_GETNAMEBYADDR;
 	pkt->authtype = 0;
 	pkt->authlength = 0;
@@ -129,23 +131,24 @@ lwres_gnbaresponse_render(lwres_context_t *ctx, lwres_gnbaresponse_t *req,
 		return (ret);
 	}
 
+	INSIST(SPACE_OK(b, payload_length));
+	lwres_buffer_putuint32(b, req->flags);
+
 	/* encode naliases */
-	INSIST(SPACE_OK(b, sizeof(lwres_uint16_t) * 2));
 	lwres_buffer_putuint16(b, req->naliases);
 
 	/* encode the real name */
 	datalen = req->realnamelen;
-	INSIST(SPACE_OK(b, (unsigned int)(2 + req->realnamelen + 1)));
 	lwres_buffer_putuint16(b, datalen);
-	lwres_buffer_putmem(b, req->realname, datalen);
+	lwres_buffer_putmem(b, (unsigned char *)req->realname, datalen);
 	lwres_buffer_putuint8(b, 0);
 
 	/* encode the aliases */
 	for (x = 0 ; x < req->naliases ; x++) {
 		datalen = req->aliaslen[x];
-		INSIST(SPACE_OK(b, (unsigned int)(2 + req->aliaslen[x] + 1)));
 		lwres_buffer_putuint16(b, datalen);
-		lwres_buffer_putmem(b, req->aliases[x], datalen);
+		lwres_buffer_putmem(b, (unsigned char *)req->aliases[x],
+				    datalen);
 		lwres_buffer_putuint8(b, 0);
 	}
 
@@ -166,13 +169,18 @@ lwres_gnbarequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	REQUIRE(b != NULL);
 	REQUIRE(structp != NULL && *structp == NULL);
 
-	if ((pkt->flags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
+	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
 		return (LWRES_R_FAILURE);
 
 	gnba = CTXMALLOC(sizeof(lwres_gnbarequest_t));
 	if (gnba == NULL)
 		return (LWRES_R_NOMEMORY);
 
+	if (!SPACE_REMAINING(b, 4))
+		return (LWRES_R_UNEXPECTEDEND);
+
+	gnba->flags = lwres_buffer_getuint32(b);
+
 	ret = lwres_addr_parse(b, &gnba->addr);
 	if (ret != LWRES_R_SUCCESS)
 		goto out;
@@ -198,6 +206,7 @@ lwres_gnbaresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 {
 	int ret;
 	unsigned int x;
+	lwres_uint32_t flags;
 	lwres_uint16_t naliases;
 	lwres_gnbaresponse_t *gnba;
 
@@ -208,14 +217,15 @@ lwres_gnbaresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 
 	gnba = NULL;
 
-	if ((pkt->flags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
+	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
 		return (LWRES_R_FAILURE);
 
 	/*
 	 * Pull off the name itself
 	 */
-	if (!SPACE_REMAINING(b, sizeof(lwres_uint16_t)))
+	if (!SPACE_REMAINING(b, 4 + 2))
 		return (LWRES_R_UNEXPECTEDEND);
+	flags = lwres_buffer_getuint32(b);
 	naliases = lwres_buffer_getuint16(b);
 
 	gnba = CTXMALLOC(sizeof(lwres_gnbaresponse_t));
@@ -225,6 +235,7 @@ lwres_gnbaresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	gnba->aliases = NULL;
 	gnba->aliaslen = NULL;
 
+	gnba->flags = flags;
 	gnba->naliases = naliases;
 
 	if (naliases > 0) {
@@ -306,7 +317,8 @@ lwres_gnbaresponse_free(lwres_context_t *ctx, lwres_gnbaresponse_t **structp)
 
 	if (gnba->naliases > 0) {
 		CTXFREE(gnba->aliases, sizeof(char *) * gnba->naliases);
-		CTXFREE(gnba->aliaslen, sizeof(lwres_uint16_t) * gnba->naliases);
+		CTXFREE(gnba->aliaslen,
+			sizeof(lwres_uint16_t) * gnba->naliases);
 	}
 	if (gnba->base != NULL)
 		CTXFREE(gnba->base, gnba->baselen);
diff --git a/lib/lwres/lwres_noop.c b/lib/lwres/lwres_noop.c
index 07f09b60..1254d2da 100644
--- a/lib/lwres/lwres_noop.c
+++ b/lib/lwres/lwres_noop.c
@@ -53,7 +53,7 @@ lwres_nooprequest_render(lwres_context_t *ctx, lwres_nooprequest_t *req,
 
 	pkt->length = buflen;
 	pkt->version = LWRES_LWPACKETVERSION_0;
-	pkt->flags &= ~LWRES_LWPACKETFLAG_RESPONSE;
+	pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
 	pkt->opcode = LWRES_OPCODE_NOOP;
 	pkt->result = 0;
 	pkt->authtype = 0;
@@ -104,7 +104,7 @@ lwres_noopresponse_render(lwres_context_t *ctx, lwres_noopresponse_t *req,
 
 	pkt->length = buflen;
 	pkt->version = LWRES_LWPACKETVERSION_0;
-	pkt->flags |= LWRES_LWPACKETFLAG_RESPONSE;
+	pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
 	pkt->opcode = LWRES_OPCODE_NOOP;
 	pkt->authtype = 0;
 	pkt->authlength = 0;
@@ -142,7 +142,7 @@ lwres_nooprequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	REQUIRE(pkt != NULL);
 	REQUIRE(structp != NULL && *structp == NULL);
 
-	if ((pkt->flags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
+	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
 		return (LWRES_R_FAILURE);
 
 	req = CTXMALLOC(sizeof(lwres_nooprequest_t));
@@ -189,7 +189,7 @@ lwres_noopresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
 	REQUIRE(pkt != NULL);
 	REQUIRE(structp != NULL && *structp == NULL);
 
-	if ((pkt->flags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
+	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
 		return (LWRES_R_FAILURE);
 
 	req = CTXMALLOC(sizeof(lwres_noopresponse_t));
diff --git a/lib/lwres/lwresutil.c b/lib/lwres/lwresutil.c
index 9a88390c..ab4f08df 100644
--- a/lib/lwres/lwresutil.c
+++ b/lib/lwres/lwresutil.c
@@ -227,7 +227,7 @@ lwres_getaddrsbyname(lwres_context_t *ctx, const char *name,
 	request.addrtypes = addrtypes;
 	request.name = target_name;
 	request.namelen = target_length;
-	pkt.flags = 0;
+	pkt.pktflags = 0;
 	pkt.serial = serial;
 	pkt.result = 0;
 	pkt.recvlength = LWRES_RECVLENGTH;
@@ -338,7 +338,7 @@ lwres_getnamebyaddr(lwres_context_t *ctx, lwres_uint32_t addrtype,
 	request.addr.family = addrtype;
 	request.addr.length = addrlen;
 	memcpy(request.addr.address, addr, addrlen);
-	pkt.flags = 0;
+	pkt.pktflags = 0;
 	pkt.serial = serial;
 	pkt.result = 0;
 	pkt.recvlength = LWRES_RECVLENGTH;
diff --git a/lib/omapi/auth.c b/lib/omapi/auth.c
index 8b0a1494..75db9fdb 100644
--- a/lib/omapi/auth.c
+++ b/lib/omapi/auth.c
@@ -15,7 +15,7 @@
  * SOFTWARE.
  */
 
-/* $Id: auth.c,v 1.2 2000/03/14 20:00:37 tale Exp $ */
+/* $Id: auth.c,v 1.6 2000/05/08 14:38:08 tale Exp $ */
 
 /* Principal Author: DCL */
 
@@ -33,13 +33,16 @@
 /*
  * Subroutines for dealing with authorization.
  */
-#include <errno.h>
-#include <stddef.h>		/* NULL */
-#include <string.h>		/* memset */
 
-#include <isc/assertions.h>
-#include <isc/error.h>
+#include <config.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
 #include <isc/once.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
 
 #include <omapi/private.h>
 
@@ -129,8 +132,7 @@ auth_makekey(const char *name, unsigned int algorithm, dst_key_t **key) {
 
 		secret_len = strlen(auth->secret);
 
-		isc_buffer_init(&secret, auth->secret, secret_len,
-				ISC_BUFFERTYPE_GENERIC);
+		isc_buffer_init(&secret, auth->secret, secret_len);
 
 		isc_buffer_add(&secret, secret_len);
 
diff --git a/lib/omapi/connection.c b/lib/omapi/connection.c
index c7c8ecc0..77a9aacb 100644
--- a/lib/omapi/connection.c
+++ b/lib/omapi/connection.c
@@ -15,22 +15,25 @@
  * SOFTWARE.
  */
 
-/* $Id: connection.c,v 1.17 2000/03/14 03:46:14 tale Exp $ */
+/* $Id: connection.c,v 1.27 2000/05/17 22:48:07 bwelling Exp $ */
 
 /* Principal Author: DCL */
 
 /*
  * Subroutines for dealing with connections.
  */
-#include <errno.h>
-#include <stddef.h>		/* NULL */
-#include <string.h>		/* memset */
 
-#include <isc/assertions.h>
-#include <isc/error.h>
+#include <config.h>
+
+#include <isc/buffer.h>
+#include <isc/bufferlist.h>
 #include <isc/netdb.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/task.h>
+#include <isc/util.h>
 
 #include <omapi/private.h>
+#include <omapi/result.h>
 
 /*
  * Swiped from bin/tests/sdig.c.
@@ -249,8 +252,10 @@ connect_done(isc_task_t *task, isc_event_t *event) {
 	isc_socket_t *socket;
 	omapi_connection_t *connection;
 
-	socket = event->sender;
-	connection = event->arg;
+	UNUSED(task);
+
+	socket = event->ev_sender;
+	connection = event->ev_arg;
 	result = ((isc_socket_connev_t *)event)->result;
 
 	isc_event_free(&event);
@@ -308,8 +313,10 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	omapi_connection_t *connection;
 	unsigned int bytes_read;
 
-	socket = event->sender;
-	connection = event->arg;
+	UNUSED(task);
+	
+	socket = event->ev_sender;
+	connection = event->ev_arg;
 	socketevent = (isc_socketevent_t *)event;
 	bufferlist = socketevent->bufferlist;
 	bytes_read = socketevent->n;
@@ -394,8 +401,10 @@ send_done(isc_task_t *task, isc_event_t *event) {
 	omapi_connection_t *connection;
 	unsigned int sent_bytes;
 
-	socket = event->sender;
-	connection = event->arg;
+	UNUSED(task);
+	
+	socket = event->ev_sender;
+	connection = event->ev_arg;
 	socketevent = (isc_socketevent_t *)event;
 	sent_bytes = socketevent->n;
 	bufferlist = socketevent->bufferlist;
@@ -518,17 +527,15 @@ connect_toserver(omapi_object_t *protocol, const char *server_name, int port) {
 	/*
 	 * Prepare the task that will wait for the connection to be made.
 	 */
-	result = isc_task_create(omapi_taskmgr, NULL, 0, &task);
+	result = isc_task_create(omapi_taskmgr, 0, &task);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	result = isc_buffer_allocate(omapi_mctx, &ibuffer, OMAPI_BUFFER_SIZE,
-				     ISC_BUFFERTYPE_BINARY);
+	result = isc_buffer_allocate(omapi_mctx, &ibuffer, OMAPI_BUFFER_SIZE);
 	if (result != ISC_R_SUCCESS)
 		goto free_task;
 
-	result = isc_buffer_allocate(omapi_mctx, &obuffer, OMAPI_BUFFER_SIZE,
-				     ISC_BUFFERTYPE_BINARY);
+	result = isc_buffer_allocate(omapi_mctx, &obuffer, OMAPI_BUFFER_SIZE);
 	if (result != ISC_R_SUCCESS)
 		goto free_ibuffer;
 
@@ -636,8 +643,8 @@ omapi_connection_putmem(omapi_object_t *c, unsigned char *src,
 	if (protocol->dst_update) {
 		region.base = src;
 		region.length = len;
-		result = dst_sign(DST_SIGMODE_UPDATE, protocol->key,
-				  &protocol->dstctx, &region, NULL);
+		result = dst_key_sign(DST_SIGMODE_UPDATE, protocol->key,
+				      &protocol->dstctx, &region, NULL);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
@@ -654,8 +661,7 @@ omapi_connection_putmem(omapi_object_t *c, unsigned char *src,
 		 */
 		buffer = NULL;
 		result = isc_buffer_allocate(omapi_mctx, &buffer,
-					     OMAPI_BUFFER_SIZE,
-					     ISC_BUFFERTYPE_BINARY);
+					     OMAPI_BUFFER_SIZE);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 
@@ -672,7 +678,7 @@ omapi_connection_putmem(omapi_object_t *c, unsigned char *src,
 	for (buffer = ISC_LIST_HEAD(bufferlist); len > 0;
 	     buffer = ISC_LIST_NEXT(buffer, link)) {
 
-		space_available = ISC_BUFFER_AVAILABLECOUNT(buffer);
+		space_available = isc_buffer_availablelength(buffer);
 		if (space_available > len)
 			space_available = len;
 
@@ -733,8 +739,10 @@ connection_copyout(unsigned char *dst, omapi_connection_t *connection,
 		if (protocol->dst_update &&
 		    protocol->verify_result == ISC_R_SUCCESS)
 			protocol->verify_result =
-				dst_verify(DST_SIGMODE_UPDATE, protocol->key,
-					   &protocol->dstctx, &region, NULL);
+				dst_key_verify(DST_SIGMODE_UPDATE,
+					       protocol->key,
+					       &protocol->dstctx,
+					       &region, NULL);
 
 		isc_buffer_forward(buffer, copy_bytes);
 
@@ -852,7 +860,7 @@ connection_require(omapi_connection_t *connection, unsigned int bytes) {
 		/*
 		 * Lop off any completely used buffers, except the last one.
 		 */
-		while (ISC_BUFFER_AVAILABLECOUNT(buffer) == 0 &&
+		while (isc_buffer_availablelength(buffer) == 0 &&
 		       buffer != ISC_LIST_TAIL(bufferlist)) {
 
 			ISC_LIST_UNLINK(bufferlist, buffer, link);
@@ -876,8 +884,7 @@ connection_require(omapi_connection_t *connection, unsigned int bytes) {
 
 			buffer = NULL;
 			result = isc_buffer_allocate(omapi_mctx, &buffer,
-						     OMAPI_BUFFER_SIZE,
-						     ISC_BUFFERTYPE_BINARY);
+						     OMAPI_BUFFER_SIZE);
 			if (result != ISC_R_SUCCESS)
 				return (result);
 
@@ -1019,7 +1026,7 @@ omapi_connection_putname(omapi_object_t *c, const char *name) {
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	return (omapi_connection_putmem(c, (char *)name, len));
+	return (omapi_connection_putmem(c, (unsigned char *)name, len));
 }
 
 isc_result_t
@@ -1035,7 +1042,8 @@ omapi_connection_putstring(omapi_object_t *c, const char *string) {
 	result = omapi_connection_putuint32(c, len);
 
 	if (result == ISC_R_SUCCESS && len > 0)
-		result = omapi_connection_putmem(c, (char *)string, len);
+		result = omapi_connection_putmem(c, (unsigned char *)string,
+						 len);
 	return (result);
 }
 
diff --git a/lib/omapi/data.c b/lib/omapi/data.c
index 7264d452..11c2b962 100644
--- a/lib/omapi/data.c
+++ b/lib/omapi/data.c
@@ -15,18 +15,20 @@
  * SOFTWARE.
  */
 
-/* $Id: data.c,v 1.10 2000/03/14 03:37:48 tale Exp $ */
+/* $Id: data.c,v 1.12 2000/05/08 14:38:10 tale Exp $ */
 
 /* Principal Author: Ted Lemon */
 
 /*
  * Functions supporting memory allocation for the object management protocol.
  */
-#include <stdlib.h>		/* abort() */
-#include <string.h>		/* memset */
 
-#include <isc/assertions.h>
-#include <isc/error.h>
+#include <config.h>
+
+
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <omapi/private.h>
 
diff --git a/lib/omapi/generic.c b/lib/omapi/generic.c
index f7e54133..03c11754 100644
--- a/lib/omapi/generic.c
+++ b/lib/omapi/generic.c
@@ -15,17 +15,19 @@
  * SOFTWARE.
  */
 
-/* $Id: generic.c,v 1.11 2000/03/14 03:38:54 tale Exp $ */
+/* $Id: generic.c,v 1.13 2000/05/08 14:38:11 tale Exp $ */
 
 /* Principal Author: Ted Lemon */
 
 /*
  * Subroutines that support the generic object.
  */
-#include <stddef.h>		/* NULL */
-#include <string.h>		/* memset */
 
-#include <isc/assertions.h>
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <omapi/private.h>
 
diff --git a/lib/omapi/handle.c b/lib/omapi/handle.c
index dcd34565..022854e9 100644
--- a/lib/omapi/handle.c
+++ b/lib/omapi/handle.c
@@ -15,19 +15,20 @@
  * SOFTWARE.
  */
 
-/* $Id: handle.c,v 1.9 2000/03/14 03:46:41 tale Exp $ */
+/* $Id: handle.c,v 1.12 2000/05/14 03:51:39 tale Exp $ */
 
 /* Principal Author: Ted Lemon */
 
 /*
  * Functions for maintaining handles on objects.
  */
-#include <stddef.h>		/* NULL */
-#include <string.h>		/* memset */
 
-#include <isc/assertions.h>
-#include <isc/error.h>
+#include <config.h>
+
+#include <isc/mem.h>
 #include <isc/once.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <omapi/private.h>
 
@@ -303,7 +304,7 @@ lookup_iterate(omapi_object_t **o, omapi_handle_t h,
 	index = (h - table->first) / scale;
 	inner = table->children[index].table;
 
-	return (lookup_iterate(o, h, table->children[index].table));
+	return (lookup_iterate(o, h, inner));
 }
 
 isc_result_t
diff --git a/lib/omapi/include/omapi/compatibility.h b/lib/omapi/include/omapi/compatibility.h
index c8145eb8..ea8bab5d 100644
--- a/lib/omapi/include/omapi/compatibility.h
+++ b/lib/omapi/include/omapi/compatibility.h
@@ -15,6 +15,11 @@
  * SOFTWARE.
  */
 
+#ifndef OMAPI_COMPATIBILITY_H
+#define OMAPI_COMPATIBILITY_H 1
+
+#include <isc/result.h>
+
 /*****
  ***** Macro definitions for partial compatability with Ted Lemon's original
  ***** design of OMAPI for DCHP.  The intent is that with by using this header
@@ -82,3 +87,5 @@
 #define omapi_connection_put_string	omapi_connection_putstring
 #define omapi_connection_put_handle	omapi_connection_puthandle
 #define omapi_connection_write_typed_data	omapi_connection_putdata
+
+#endif /* OMAPI_COMPATIBILITY_H */
diff --git a/lib/omapi/include/omapi/omapi.h b/lib/omapi/include/omapi/omapi.h
index 823b68b5..fa9ac3db 100644
--- a/lib/omapi/include/omapi/omapi.h
+++ b/lib/omapi/include/omapi/omapi.h
@@ -19,18 +19,14 @@
  * Definitions for the object management API and protocol.
  */
 
-#ifndef _OMAPI_OMAPI_H_
-#define _OMAPI_OMAPI_H_
+#ifndef OMAPI_OMAPI_H
+#define OMAPI_OMAPI_H 1
 
 #include <stdarg.h>
 
 #include <isc/boolean.h>
+#include <isc/eventclass.h>
 #include <isc/lang.h>
-#include <isc/time.h>
-#include <isc/region.h>
-#include <isc/result.h>
-#include <isc/sockaddr.h>
-#include <isc/task.h>
 
 #include <dns/acl.h>
 
@@ -367,4 +363,4 @@ omapi_value_getregion(omapi_value_t *value, isc_region_t *region);
 
 ISC_LANG_ENDDECLS
 
-#endif /* _OMAPI_OMAPI_H_ */
+#endif /* OMAPI_OMAPI_H */
diff --git a/lib/omapi/include/omapi/private.h b/lib/omapi/include/omapi/private.h
index 779d230e..3d65e4d9 100644
--- a/lib/omapi/include/omapi/private.h
+++ b/lib/omapi/include/omapi/private.h
@@ -20,24 +20,15 @@
  *****/
 
 #ifndef OMAPI_PRIVATE_H
-#define OMAPI_PRIVATE_H
+#define OMAPI_PRIVATE_H 1
 
 #include <isc/condition.h>
 #include <isc/lang.h>
-#include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/net.h>
 #include <isc/socket.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
 
 #include <dst/dst.h>
 
 #include <omapi/omapi.h>
-#include <omapi/result.h>
-
-ISC_LANG_BEGINDECLS
 
 #define OMAPI_BUFFER_SIZE 4096
 
@@ -294,7 +285,7 @@ extern isc_socketmgr_t *omapi_socketmgr;
 #define PASS_CHECK(object, function) \
 	(object->inner != NULL && object->inner->type->function != NULL)
 
-
+ISC_LANG_BEGINDECLS
 
 /*
  * Private library functions defined in auth.c.
@@ -414,4 +405,4 @@ send_update(omapi_object_t *protocol, unsigned int response_id,
 
 ISC_LANG_ENDDECLS
 
-#endif /* OMAPIP_PRIVATE_H */
+#endif /* OMAPI_PRIVATE_H */
diff --git a/lib/omapi/include/omapi/result.h b/lib/omapi/include/omapi/result.h
index 3c73562a..359e46a2 100644
--- a/lib/omapi/include/omapi/result.h
+++ b/lib/omapi/include/omapi/result.h
@@ -16,10 +16,10 @@
  */
 
 #ifndef OMAPI_RESULT_H
-#define DNS_RESULT_H 1
+#define OMAPI_RESULT_H 1
 
 #include <isc/lang.h>
-#include <isc/result.h>
+#include <isc/result.h>		/* Contractual promise. */
 #include <isc/resultclass.h>
 
 ISC_LANG_BEGINDECLS
@@ -33,9 +33,12 @@ ISC_LANG_BEGINDECLS
 
 #define OMAPI_R_NRESULTS		6	/* Number of results */
 
-char *				omapi_result_totext(isc_result_t);
-void				omapi_result_register(void);
+char *
+omapi_result_totext(isc_result_t);
+
+void
+omapi_result_register(void);
 
 ISC_LANG_ENDDECLS
 
-#endif /* DNS_RESULT_H */
+#endif /* OMAPI_RESULT_H */
diff --git a/lib/omapi/include/omapi/types.h b/lib/omapi/include/omapi/types.h
index 52658172..87fe9c99 100644
--- a/lib/omapi/include/omapi/types.h
+++ b/lib/omapi/include/omapi/types.h
@@ -15,12 +15,8 @@
  * SOFTWARE.
  */
 
-#ifndef _OMAPI_TYPES_H_
-#define _OMAPI_TYPES_H_
-
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
+#ifndef OMAPI_TYPES_H
+#define OMAPI_TYPES_H 1
 
 /*****
  ***** Type definitions.
@@ -45,6 +41,4 @@ typedef enum {
 	omapi_datatype_object
 } omapi_datatype_t;
 
-ISC_LANG_ENDDECLS
-
-#endif /* _OMAPI_OMAPIP_H_ */
+#endif /* OMAPI_TYPES_H */
diff --git a/lib/omapi/lib.c b/lib/omapi/lib.c
index 78302859..ba459210 100644
--- a/lib/omapi/lib.c
+++ b/lib/omapi/lib.c
@@ -15,14 +15,14 @@
  * SOFTWARE.
  */
 
-/* $ID: $ */
+/* $Id: lib.c,v 1.11 2000/05/14 03:51:07 tale Exp $ */
 
-#include <stddef.h>
+#include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/once.h>
-#include <isc/error.h>
 #include <isc/msgcat.h>
+#include <isc/once.h>
+#include <isc/task.h>
+#include <isc/util.h>
 
 #include <omapi/lib.h>
 #include <omapi/private.h>
@@ -91,7 +91,7 @@ omapi_lib_init(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	omapi_taskmgr = taskmgr;
 	omapi_socketmgr = socketmgr;
 
-	result = isc_task_create(omapi_taskmgr, omapi_mctx, 0, &omapi_task);
+	result = isc_task_create(omapi_taskmgr, 0, &omapi_task);
 	if (result == ISC_R_SUCCESS)
 		isc_task_setname(omapi_task, "omapi", NULL);
 
@@ -123,7 +123,7 @@ omapi_lib_init(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
  * omapi_object_dereference).
  */
 void
-omapi_lib_destroy() {
+omapi_lib_destroy(void) {
 	object_destroytypes();
 
 	handle_destroy();
diff --git a/lib/omapi/listener.c b/lib/omapi/listener.c
index e9cce196..5cc51099 100644
--- a/lib/omapi/listener.c
+++ b/lib/omapi/listener.c
@@ -18,13 +18,17 @@
 /*
  * Subroutines that support the generic listener object.
  */
+
+#include <config.h>
+
 #include <stdlib.h>		/* NULL and abort() */
-#include <string.h>		/* memset */
 
-#include <isc/assertions.h>
+#include <isc/buffer.h>
 #include <isc/bufferlist.h>
-#include <isc/error.h>
 #include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
 
 #include <omapi/private.h>
 
@@ -81,7 +85,7 @@ listener_accept(isc_task_t *task, isc_event_t *event) {
 
 	result = ((isc_socket_newconnev_t *)event)->result;
 	socket = ((isc_socket_newconnev_t *)event)->newsocket;
-	listener = (omapi_listener_t *)event->arg;
+	listener = (omapi_listener_t *)event->ev_arg;
 
 	/*
 	 * No more need for the event, once all the desired data has been
@@ -168,19 +172,17 @@ listener_accept(isc_task_t *task, isc_event_t *event) {
 	 * The new connection is good to go.  Allocate the buffers for it and
 	 * prepare its own task.
 	 */
-	if (isc_task_create(omapi_taskmgr, NULL, 0, &connection_task) !=
+	if (isc_task_create(omapi_taskmgr, 0, &connection_task) !=
 	    ISC_R_SUCCESS)
 		goto free_task;
 
 	ibuffer = NULL;
-	result = isc_buffer_allocate(omapi_mctx, &ibuffer, OMAPI_BUFFER_SIZE,
-				     ISC_BUFFERTYPE_BINARY);
+	result = isc_buffer_allocate(omapi_mctx, &ibuffer, OMAPI_BUFFER_SIZE);
 	if (result != ISC_R_SUCCESS)
 		goto free_ibuffer;
 
 	obuffer = NULL;
-	result = isc_buffer_allocate(omapi_mctx, &obuffer, OMAPI_BUFFER_SIZE,
-				     ISC_BUFFERTYPE_BINARY);
+	result = isc_buffer_allocate(omapi_mctx, &obuffer, OMAPI_BUFFER_SIZE);
 	if (result != ISC_R_SUCCESS)
 		goto free_obuffer;
 
@@ -282,7 +284,7 @@ omapi_listener_listen(omapi_object_t *caller, isc_sockaddr_t *addr,
 	REQUIRE(addr != NULL && isc_sockaddr_getport(addr) != 0);
 
 	task = NULL;
-	result = isc_task_create(omapi_taskmgr, NULL, 0, &task);
+	result = isc_task_create(omapi_taskmgr, 0, &task);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
diff --git a/lib/omapi/message.c b/lib/omapi/message.c
index f373294c..78b0a7b5 100644
--- a/lib/omapi/message.c
+++ b/lib/omapi/message.c
@@ -18,13 +18,17 @@
 /*
  * Subroutines for dealing with message objects.
  */
-#include <stddef.h>		/* NULL */
-#include <string.h>		/* memset */
 
-#include <isc/assertions.h>
-#include <isc/error.h>
+#include <config.h>
+
+#include <stddef.h>
+
+#include <isc/buffer.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <omapi/private.h>
+#include <omapi/result.h>
 
 omapi_message_t *registered_messages;
 
@@ -137,7 +141,7 @@ omapi_message_send(omapi_object_t *message, omapi_object_t *protocol) {
 	omapi_connection_t *c;
 	omapi_message_t *m;
 	omapi_object_t *connection;
-	int authlen = 0;
+	unsigned int authlen = 0;
 	isc_result_t result = ISC_R_SUCCESS;
 
 	REQUIRE(message != NULL && message->type == omapi_type_message);
@@ -163,11 +167,11 @@ omapi_message_send(omapi_object_t *message, omapi_object_t *protocol) {
 	m = (omapi_message_t *)message;
 
 	if (p->key != NULL) {
-		result = dst_sign(DST_SIGMODE_INIT, p->key, &p->dstctx,
-				  NULL, NULL);
+		result = dst_key_sign(DST_SIGMODE_INIT, p->key, &p->dstctx,
+				      NULL, NULL);
 
 		if (result == ISC_R_SUCCESS)
-			result = dst_sig_size(p->key, &authlen);
+			result = dst_key_sigsize(p->key, &authlen);
 
 		p->dst_update = ISC_TRUE;
 	}
@@ -245,8 +249,8 @@ omapi_message_send(omapi_object_t *message, omapi_object_t *protocol) {
 
 		isc_buffer_clear(p->signature_out);
 
-		result = dst_sign(DST_SIGMODE_FINAL, p->key, &p->dstctx,
-				  NULL, p->signature_out);
+		result = dst_key_sign(DST_SIGMODE_FINAL, p->key, &p->dstctx,
+				      NULL, p->signature_out);
 
 		isc_buffer_region(p->signature_out, &r);
 
@@ -372,7 +376,7 @@ message_process(omapi_object_t *mo, omapi_object_t *po) {
 	if (protocol->key != NULL) {
 		if (protocol->verify_result == ISC_R_SUCCESS)
 			protocol->verify_result =
-				dst_verify(DST_SIGMODE_FINAL, protocol->key,
+				dst_key_verify(DST_SIGMODE_FINAL, protocol->key,
 					   &protocol->dstctx, NULL,
 					   &protocol->signature_in);
 
diff --git a/lib/omapi/object.c b/lib/omapi/object.c
index 98d509f7..47ec1801 100644
--- a/lib/omapi/object.c
+++ b/lib/omapi/object.c
@@ -15,14 +15,17 @@
  * SOFTWARE.
  */
 
-/* $Id: object.c,v 1.14 2000/03/18 00:34:53 tale Exp $ */
+/* $Id: object.c,v 1.16 2000/05/08 14:38:17 tale Exp $ */
 
 /* Principal Author: Ted Lemon */
 
-#include <string.h>		/* memset */
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
 
 #include <omapi/private.h>
 
diff --git a/lib/omapi/protocol.c b/lib/omapi/protocol.c
index a2d0e780..efc1dc85 100644
--- a/lib/omapi/protocol.c
+++ b/lib/omapi/protocol.c
@@ -18,14 +18,21 @@
 /*
  * Functions supporting the object management protocol.
  */
+
+#include <config.h>
+
 #include <stddef.h>		/* NULL */
 #include <stdlib.h>		/* random */
-#include <string.h>		/* memset */
 
-#include <isc/assertions.h>
-#include <isc/error.h>
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
 
 #include <omapi/private.h>
+#include <omapi/result.h>
 
 /*
  * OMAPI protocol header, version 1.00
@@ -351,8 +358,8 @@ dispatch_messages(omapi_protocol_t *protocol,
 
 		if (protocol->key != NULL) {
 			protocol->verify_result =
-				dst_verify(DST_SIGMODE_INIT, protocol->key,
-					   &protocol->dstctx, NULL, NULL);
+				dst_key_verify(DST_SIGMODE_INIT, protocol->key,
+					       &protocol->dstctx, NULL, NULL);
 			protocol->dst_update = ISC_TRUE;
 		}
 
@@ -637,7 +644,6 @@ static isc_result_t
 protocol_signalhandler(omapi_object_t *h, const char *name, va_list ap) {
 	isc_result_t result;
 	omapi_protocol_t *p;
-	omapi_object_t *connection;
 	omapi_connection_t *c;
 
 	REQUIRE(h != NULL && h->type == omapi_type_protocol);
@@ -653,8 +659,6 @@ protocol_signalhandler(omapi_object_t *h, const char *name, va_list ap) {
 
 	INSIST(p->outer != NULL && p->outer->type == omapi_type_connection);
 
-	connection = p->outer;
-
 	do {
 		result = dispatch_messages(p, c);
 	} while (result == ISC_R_SUCCESS);
@@ -708,17 +712,16 @@ protocol_setvalue(omapi_object_t *h, omapi_string_t *name, omapi_data_t *value)
 		result = auth_makekey(p->authname, p->algorithm, &p->key);
 
 		if (result == ISC_R_SUCCESS)
-			result = dst_sig_size(p->key, &sigsize);
+			result = dst_key_sigsize(p->key, &sigsize);
 
 		if (result == ISC_R_SUCCESS)
 			result = isc_buffer_allocate(omapi_mctx,
 						     &p->signature_out,
-						     sigsize,
-						     ISC_BUFFERTYPE_GENERIC);
+						     sigsize);
 
 		if (result != ISC_R_SUCCESS) {
 			if (p->key != NULL)
-				dst_key_free(p->key);
+				dst_key_free(&p->key);
 			isc_mem_put(omapi_mctx, p->authname,
 				    strlen(p->authname) + 1);
 			p->authname = NULL;
@@ -764,7 +767,7 @@ protocol_destroy(omapi_object_t *h) {
 	}
 
 	if (p->key != NULL) {
-		dst_key_free(p->key);
+		dst_key_free(&p->key);
 		p->key = NULL;
 	}
 }
diff --git a/lib/omapi/result.c b/lib/omapi/result.c
index 446dba15..72ee23e1 100644
--- a/lib/omapi/result.c
+++ b/lib/omapi/result.c
@@ -15,13 +15,11 @@
  * SOFTWARE.
  */
 
-/* $Id: result.c,v 1.5 2000/02/03 23:14:35 halley Exp $ */
+/* $Id: result.c,v 1.7 2000/05/08 14:38:20 tale Exp $ */
+#include <config.h>
 
-#include <stddef.h>
-
-#include <isc/resultclass.h>
 #include <isc/once.h>
-#include <isc/error.h>
+#include <isc/util.h>
 
 #include <omapi/result.h>
 #include <omapi/lib.h>
diff --git a/lib/omapi/string.c b/lib/omapi/string.c
index 2fa038ba..11f51c4e 100644
--- a/lib/omapi/string.c
+++ b/lib/omapi/string.c
@@ -15,14 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: string.c,v 1.4 2000/02/03 23:14:35 halley Exp $ */
+/* $Id: string.c,v 1.6 2000/05/08 14:38:21 tale Exp $ */
 
 /* Principal Author: Ted Lemon */
 
-#include <string.h>		/* memset */
+#include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <omapi/private.h>
 
diff --git a/lib/omapi/value.c b/lib/omapi/value.c
index 0b9bb65f..d45a4a30 100644
--- a/lib/omapi/value.c
+++ b/lib/omapi/value.c
@@ -15,14 +15,15 @@
  * SOFTWARE.
  */
 
-/* $Id: value.c,v 1.4 2000/02/03 23:14:35 halley Exp $ */
+/* $Id: value.c,v 1.6 2000/05/08 14:38:22 tale Exp $ */
 
 /* Principal Author: Ted Lemon */
 
-#include <string.h>		/* memset */
+#include <config.h>
 
-#include <isc/assertions.h>
-#include <isc/error.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #include <omapi/private.h>
 
diff --git a/lib/tests/t_api.c b/lib/tests/t_api.c
index 3284c237..32909250 100644
--- a/lib/tests/t_api.c
+++ b/lib/tests/t_api.c
@@ -15,32 +15,36 @@
  * SOFTWARE.
  */
 
-#include	<ctype.h>
-#include	<errno.h>
-#include	<limits.h>
-#include	<stdarg.h>
-#include	<stdio.h>
-#include	<stdlib.h>
-#include	<string.h>
-#include	<sys/wait.h>
-#include	<signal.h>
-#include	<time.h>
-#include	<unistd.h>
-
-#include	<isc/commandline.h>
-
-#include	"include/tests/t_api.h"
+#include <config.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <limits.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <sys/wait.h>
+
+#include <isc/boolean.h>
+#include <isc/commandline.h>
+#include <isc/string.h>
+
+#include "include/tests/t_api.h"
 
 static char *Usage =	"\t-a               : run all tests\n"
-			"\t-b <dir>         : chdir to dir before running tests"
-			"\t-c <config_file> : use specified config file\n"
-			"\t-d <debug_level> : set debug level to debug_level\n"
-			"\t-h               : print test info\n"
-			"\t-u               : print usage info\n"
-			"\t-n <test_name>   : run specified test name\n"
-			"\t-t <test_number> : run specified test number\n"
-			"\t-x               : don't execute tests in a subproc\n"
-			"\t-q <timeout>     : use 'timeout' as the timeout value\n";
+		"\t-b <dir>         : chdir to dir before running tests"
+		"\t-c <config_file> : use specified config file\n"
+		"\t-d <debug_level> : set debug level to debug_level\n"
+		"\t-h               : print test info\n"
+		"\t-u               : print usage info\n"
+		"\t-n <test_name>   : run specified test name\n"
+		"\t-t <test_number> : run specified test number\n"
+		"\t-x               : don't execute tests in a subproc\n"
+		"\t-q <timeout>     : use 'timeout' as the timeout value\n";
 /*
  *		-a		-->	run all tests
  *		-b dir		-->	chdir to dir before running tests
@@ -77,53 +81,44 @@ static int	t_putinfo(const char *key, const char *info);
 static char	*t_getdate(char *buf, size_t buflen);
 static void	printhelp(void);
 static void	printusage(void);
-static void	t_sighandler();
 
 static int	T_int;
 
-/*
- * XXXMLG NetBSD's "default" pthreads implementation has a broken signal
- * interface.
- *
- * Here, if using NetBSD, define SIGACTION() as pthread_sigaction(),
- * otherwise make it sigaction().
- */
-#if defined(__NetBSD__)
-#define SIGACTION(a, b, c)	pthread_sigaction((a), (b), (c))
-#else
-#define SIGACTION(a, b, c)	sigaction((a), (b), (c))
-#endif
-
 static void
 t_sighandler(int sig) {
 	T_int = sig;
 }
 
 int
-main(int argc, char **argv)
-{
-
+main(int argc, char **argv) {
 	int			c;
 	int			tnum;
 	int			subprocs;
 	pid_t			deadpid;
 	int			status;
 	int			len;
-	int			first;
+	isc_boolean_t		first;
 	testspec_t		*pts;
 	struct sigaction	sa;
 
-	first = 1;
+	first = ISC_TRUE;
 	subprocs = 1;
 	T_timeout = T_TCTOUT;
 
-	/* -a option is now default */
+	/*
+	 * -a option is now default.
+	 */
 	memset(T_tvec, 0xffff, sizeof(T_tvec));
 
-	/* parse args */
-	while ((c = isc_commandline_parse(argc, argv, ":at:c:d:n:huxq:b:")) != -1) {
+	/*
+	 * Parse args.
+	 */
+	while ((c = isc_commandline_parse(argc, argv, ":at:c:d:n:huxq:b:"))
+	       != -1) {
 		if (c == 'a') {
-			/* flag all tests to be run */
+			/*
+			 * Flag all tests to be run.
+			 */
 			memset(T_tvec, 0xffff, sizeof(T_tvec));
 		}
 		else if (c == 'b') {
@@ -134,14 +129,16 @@ main(int argc, char **argv)
 			if ((tnum > 0) && (tnum < T_MAXTESTS)) {
 				if (first) {
 					/*
-					 * turn off effect of -a default
+					 * Turn off effect of -a default
 					 * and allow multiple -t and -n
-					 * options
+					 * options.
 					 */
 					memset(T_tvec, 0, sizeof(T_tvec));
-					first = 0;
+					first = ISC_FALSE;
 				}
-				/* flag test tnum to be run */
+				/*
+				 * Flag test tnum to be run.
+				 */
 				tnum -= 1;
 				T_tvec[tnum / 8] |= (0x01 << (tnum % 8));
 			}
@@ -159,8 +156,9 @@ main(int argc, char **argv)
 				if (! strcmp(pts->func_name,
 					     isc_commandline_argument)) {
 					if (first) {
-						memset(T_tvec, 0, sizeof(T_tvec));
-						first = 0;
+						memset(T_tvec, 0,
+						       sizeof(T_tvec));
+						first = ISC_FALSE;
 					}
 					T_tvec[tnum/8] |= (0x01 << (tnum%8));
 					break;
@@ -200,32 +198,52 @@ main(int argc, char **argv)
 		}
 	}
 
-	/* set cwd */
+	/*
+	 * Set cwd.
+	 */
 
 	if (T_dir != NULL)
 		(void) chdir(T_dir);
 
-	/* we don't want buffered output */
+	/*
+	 * We don't want buffered output.
+	 */
 
-	(void) setbuf(stdout, NULL);
-	(void) setbuf(stderr, NULL);
+	(void)setbuf(stdout, NULL);
+	(void)setbuf(stderr, NULL);
 
-	/* setup signals */
+	/*
+	 * Setup signals.
+	 */
 
 	sa.sa_flags = 0;
 	sigfillset(&sa.sa_mask);
+
+#ifdef SIGCHLD
+	/*
+	 * This is mostly here for NetBSD's pthread implementation, until
+	 * people catch up to the latest unproven-pthread package.
+	 */
+	sa.sa_handler = SIG_DFL;
+	(void)sigaction(SIGCHLD, &sa, NULL);
+#endif
+
 	sa.sa_handler = t_sighandler;
-	(void)SIGACTION(SIGALRM, &sa, NULL);
-	(void)SIGACTION(SIGINT,  &sa, NULL);
+	(void)sigaction(SIGINT,  &sa, NULL);
+	(void)sigaction(SIGALRM, &sa, NULL);
 
-	/* output start stanza to journal */
+	/*
+	 * Output start stanza to journal.
+	 */
 
 	sprintf(T_buf, "%s:", argv[0]);
 	len = strlen(T_buf);
 	(void) t_getdate(T_buf + len, T_BIGBUF - len);
 	t_putinfo("S", T_buf);
 
-	/* setup the test environment using the config file */
+	/*
+	 * Setup the test environment using the config file.
+	 */
 
 	if (T_config == NULL)
 		T_config = T_DEFAULT_CONFIG;
@@ -234,7 +252,9 @@ main(int argc, char **argv)
 	if (T_debug)
 		t_dumpconf(T_config);
 
-	/* now invoke all the test cases */
+	/*
+	 * Now invoke all the test cases.
+	 */
 
 	tnum = 0;
 	pts = &T_testlist[0];
@@ -245,41 +265,47 @@ main(int argc, char **argv)
 				if (T_pid == 0) {
 					(*pts->pfv)();
 					exit(0);
-				}
-				else if (T_pid > 0) {
+				} else if (T_pid > 0) {
 
 					T_int = 0;
 					sa.sa_handler = t_sighandler;
-					(void)SIGACTION(SIGALRM, &sa, NULL);
+					(void)sigaction(SIGALRM, &sa, NULL);
 					alarm(T_timeout);
 
 					deadpid = (pid_t) -1;
 					while (deadpid != T_pid) {
-						deadpid = waitpid(T_pid, &status, 0);
-						if (deadpid == T_pid) {
-							if (WIFSIGNALED(status)) {
-								if (WTERMSIG(status) == SIGTERM)
-									t_info("the test case timed out\n");
-								else
-									t_info("the test case caused exception %d\n", WTERMSIG(status));
-								t_result(T_UNRESOLVED);
-							}
-						}
-						else if ((deadpid == -1) && (errno == EINTR) && T_int) {
-							kill(T_pid, SIGTERM);
-							T_int = 0;
-						}
-						else if ((deadpid == -1) &&
-							 ((errno == ECHILD) || (errno == ESRCH)))
-							break;
+					    deadpid =
+						    waitpid(T_pid, &status, 0);
+					    if (deadpid == T_pid) {
+						    if (WIFSIGNALED(status)) {
+							if (WTERMSIG(status) ==
+							    SIGTERM)
+								t_info(
+						  "the test case timed out\n");
+							else
+								t_info(
+				         "the test case caused exception %d\n",
+					 		     WTERMSIG(status));
+							t_result(T_UNRESOLVED);
+						    }
+					    } else if ((deadpid == -1) &&
+						       (errno == EINTR) &&
+						       T_int) {
+						    kill(T_pid, SIGTERM);
+						    T_int = 0;
+					    }
+					    else if ((deadpid == -1) &&
+						     ((errno == ECHILD) ||
+						      (errno == ESRCH)))
+						    break;
 					}
 
 					alarm(0);
 					sa.sa_handler = SIG_IGN;
-					(void)SIGACTION(SIGALRM, &sa, NULL);
-				}
-				else {
-					t_info("fork failed, errno == %d\n", errno);
+					(void)sigaction(SIGALRM, &sa, NULL);
+				} else {
+					t_info("fork failed, errno == %d\n",
+					       errno);
 					t_result(T_UNRESOLVED);
 				}
 			}
@@ -300,27 +326,25 @@ main(int argc, char **argv)
 }
 
 void
-t_assert(const char *component, int anum, int class,
-		const char *what, ...)
-{
-	int	n;
+t_assert(const char *component, int anum, int class, const char *what, ...) {
 	va_list	args;
 
-	(void) printf ("T:%s:%d:%s\n", component, anum, class == T_REQUIRED ?
-		"A" : "C");
+	(void)printf("T:%s:%d:%s\n", component, anum, class == T_REQUIRED ?
+		     "A" : "C");
 
-	/* format text to a buffer */
+	/*
+	 * Format text to a buffer.
+	 */
 	va_start(args, what);
-	n = vsprintf(T_buf, what, args);
+	(void)vsprintf(T_buf, what, args);
 	va_end(args);
 
-	(void) t_putinfo("A", T_buf);
-	(void) printf("\n");
+	(void)t_putinfo("A", T_buf);
+	(void)printf("\n");
 }
 
 void
-t_info(const char *format, ...)
-{
+t_info(const char *format, ...) {
 	va_list	args;
 
 	va_start(args, format);
@@ -330,9 +354,7 @@ t_info(const char *format, ...)
 }
 
 void
-t_result(int result)
-{
-
+t_result(int result) {
 	char	*p;
 
 	switch (result) {
@@ -359,8 +381,7 @@ t_result(int result)
 }
 
 char *
-t_getenv(const char *name)
-{
+t_getenv(const char *name) {
 	char	*n;
 	char	**p;
 	size_t	len;
@@ -386,15 +407,14 @@ t_getenv(const char *name)
 
 /*
  *
- * read in the config file at path, initializing T_env
+ * Read in the config file at path, initializing T_env.
  *
  * note: no format checking for now ...
  *
  */
 
 static int
-t_initconf(char *path)
-{
+t_initconf(char *path) {
 
 	int	n;
 	int	rval;
@@ -412,28 +432,29 @@ t_initconf(char *path)
 			if (*p == NULL)
 				break;
 			if ((**p == '#') || (strchr(*p, '=') == NULL)) {
-				/* skip comments and other junk */
-				(void) free(*p);
+				/*
+				 * Skip comments and other junk.
+				 */
+				(void)free(*p);
 				continue;
 			}
 			++p; ++n;
 		}
-		(void) fclose(fp);
+		(void)fclose(fp);
 		rval = 0;
 	}
 
-	return(rval);
+	return (rval);
 }
 
 /*
  *
- * dump T_env to stdout
+ * Dump T_env to stdout.
  *
  */
 
 static int
-t_dumpconf(char *path)
-{
+t_dumpconf(char *path) {
 	int	rval;
 	char	**p;
 	FILE	*fp;
@@ -454,21 +475,19 @@ t_dumpconf(char *path)
 
 /*
  *
- * read a newline or EOF terminated string from fp
- * on success:
+ * Read a newline or EOF terminated string from fp.
+ * On success:
  *	return a malloc'd buf containing the string with
  *	the newline converted to a '\0'.
- * on error:
- *	return NULL
+ * On error:
+ *	return NULL.
  *
- * caller is responsible for freeing buf
+ * Caller is responsible for freeing buf.
  *
  */
 
 char *
-t_fgetbs(FILE *fp)
-{
-
+t_fgetbs(FILE *fp) {
 	int	c;
 	size_t	n;
 	size_t	size;
@@ -490,7 +509,8 @@ t_fgetbs(FILE *fp)
 			++n;
 			if ( n >= size ) {
 				size += T_BUFSIZ;
-				buf = (char *) realloc(buf, size * sizeof(char));
+				buf = (char *)realloc(buf,
+						      size * sizeof(char));
 				if (buf == NULL)
 					break;
 				p = buf + n;
@@ -498,8 +518,7 @@ t_fgetbs(FILE *fp)
 		}
 		*p = '\0';
 		return(((c == EOF) && (n == 0)) ? NULL : buf);
-	}
-	else {
+	} else {
 		fprintf(stderr, "malloc failed %d", errno);
 		return(NULL);
 	}
@@ -507,25 +526,25 @@ t_fgetbs(FILE *fp)
 
 /*
  *
- * put info to log, using key
- * for now, just dump it out.
- * later format into pretty lines
+ * Put info to log, using key.
+ * For now, just dump it out.
+ * Later format into pretty lines.
  *
  */
 
 static int
-t_putinfo(const char *key, const char *info)
-{
+t_putinfo(const char *key, const char *info) {
 	int	rval;
 
-	/* for now */
+	/*
+	 * For now.
+	 */
 	rval = printf("%s:%s", key, info);
 	return(rval);
 }
 
 static char *
-t_getdate(char *buf, size_t buflen)
-{
+t_getdate(char *buf, size_t buflen) {
 	size_t		n;
 	time_t		t;
 	struct tm	*p;
@@ -536,58 +555,55 @@ t_getdate(char *buf, size_t buflen)
 	return(n != 0 ? buf : NULL);
 }
 
-/* some generally used utilities */
-
+/*
+ * Some generally used utilities.
+ */
 struct dns_errormap {
 	isc_result_t	result;
 	char		*text;
 } dns_errormap[] = {
-	{	DNS_R_SUCCESS,		"DNS_R_SUCCESS"		},
-	{	DNS_R_NOMEMORY,		"DNS_R_NOMEMORY"	},
-	{	DNS_R_NOSPACE,		"DNS_R_NOSPACE"		},
-	{	DNS_R_LABELTOOLONG,	"DNS_R_LABELTOOLONG"	},
-	{	DNS_R_BADESCAPE,	"DNS_R_BADESCAPE"	},
-	{	DNS_R_BADBITSTRING,	"DNS_R_BADBITSTRING"	},
-	{	DNS_R_BITSTRINGTOOLONG,	"DNS_R_BITSTRINGTOOLONG"},
-	{	DNS_R_EMPTYLABEL,	"DNS_R_EMPTYLABEL"	},
-	{	DNS_R_BADDOTTEDQUAD,	"DNS_R_BADDOTTEDQUAD"	},
-	{	DNS_R_UNEXPECTEDEND,	"DNS_R_UNEXPECTEDEND"	},
-	{	DNS_R_NOTIMPLEMENTED,	"DNS_R_NOTIMPLEMENTED"	},
-	{	DNS_R_UNKNOWN,		"DNS_R_UNKNOWN"		},
-	{	DNS_R_BADLABELTYPE,	"DNS_R_BADLABELTYPE"	},
-	{	DNS_R_BADPOINTER,	"DNS_R_BADPOINTER"	},
-	{	DNS_R_TOOMANYHOPS,	"DNS_R_TOOMANYHOPS"	},
-	{	DNS_R_DISALLOWED,	"DNS_R_DISALLOWED"	},
-	{	DNS_R_NOMORE,		"DNS_R_NOMORE"		},
-	{	DNS_R_EXTRATOKEN,	"DNS_R_EXTRATOKEN"	},
-	{	DNS_R_EXTRADATA,	"DNS_R_EXTRADATA"	},
-	{	DNS_R_TEXTTOOLONG,	"DNS_R_TEXTTOOLONG"	},
-	{	DNS_R_RANGE,		"DNS_R_RANGE"		},
-	{	DNS_R_EXISTS,		"DNS_R_EXISTS"		},
-	{	DNS_R_NOTFOUND,		"DNS_R_NOTFOUND"	},
-	{	DNS_R_SYNTAX,		"DNS_R_SYNTAX"		},
-	{	DNS_R_BADCKSUM,		"DNS_R_BADCKSUM"	},
-	{	DNS_R_BADAAAA,		"DNS_R_BADAAAA"		},
-	{	DNS_R_NOOWNER,		"DNS_R_NOOWNER"		},
-	{	DNS_R_NOTTL,		"DNS_R_NOTTL"		},
-	{	DNS_R_BADCLASS,		"DNS_R_BADCLASS"	},
-	{	DNS_R_UNEXPECTEDTOKEN,	"DNS_R_UNEXPECTEDTOKEN"	},
-	{	DNS_R_BADBASE64,	"DNS_R_BADBASE64"	},
-	{	DNS_R_PARTIALMATCH,	"DNS_R_PARTIALMATCH"	},
-	{	DNS_R_NEWORIGIN,	"DNS_R_NEWORIGIN"	},
-	{	DNS_R_UNCHANGED,	"DNS_R_UNCHANGED"	},
-	{	DNS_R_BADTTL,		"DNS_R_BADTTL"		},
-	{	DNS_R_NOREDATA,		"DNS_R_NOREDATA"	},
-	{	DNS_R_CONTINUE,		"DNS_R_CONTINUE"	},
-	{	DNS_R_DELEGATION,	"DNS_R_DELEGATION"	},
-	{	DNS_R_GLUE,		"DNS_R_GLUE"		},
-	{	DNS_R_DNAME,		"DNS_R_DNAME"		},
-	{	DNS_R_CNAME,		"DNS_R_CNAME"		},
-	{	DNS_R_NXDOMAIN,		"DNS_R_NXDOMAIN"	},
-	{	DNS_R_NXRDATASET,	"DNS_R_NXRDATASET"	},
-	{	DNS_R_BADDB,		"DNS_R_BADDB"		},
-	{	DNS_R_ZONECUT,		"DNS_R_ZONECUT"		},
-	{	(isc_result_t) 0,	NULL			}
+	{ ISC_R_SUCCESS,		"ISC_R_SUCCESS"		},
+	{ ISC_R_EXISTS,			"ISC_R_EXISTS"		},
+	{ ISC_R_NOTFOUND,		"ISC_R_NOTFOUND"	},
+	{ ISC_R_NOSPACE,		"ISC_R_NOSPACE"		},
+	{ ISC_R_UNEXPECTED,		"ISC_R_UNEXPECTED"	},
+	{ ISC_R_UNEXPECTEDEND,		"ISC_R_UNEXPECTEDEND"	},
+	{ ISC_R_RANGE,			"ISC_R_RANGE"		},
+	{ DNS_R_LABELTOOLONG,		"DNS_R_LABELTOOLONG"	},
+	{ DNS_R_BADESCAPE,		"DNS_R_BADESCAPE"	},
+	{ DNS_R_BADBITSTRING,		"DNS_R_BADBITSTRING"	},
+	{ DNS_R_BITSTRINGTOOLONG,	"DNS_R_BITSTRINGTOOLONG"},
+	{ DNS_R_EMPTYLABEL,		"DNS_R_EMPTYLABEL"	},
+	{ DNS_R_BADDOTTEDQUAD,		"DNS_R_BADDOTTEDQUAD"	},
+	{ DNS_R_UNKNOWN,		"DNS_R_UNKNOWN"		},
+	{ DNS_R_BADLABELTYPE,		"DNS_R_BADLABELTYPE"	},
+	{ DNS_R_BADPOINTER,		"DNS_R_BADPOINTER"	},
+	{ DNS_R_TOOMANYHOPS,		"DNS_R_TOOMANYHOPS"	},
+	{ DNS_R_DISALLOWED,		"DNS_R_DISALLOWED"	},
+	{ DNS_R_EXTRATOKEN,		"DNS_R_EXTRATOKEN"	},
+	{ DNS_R_EXTRADATA,		"DNS_R_EXTRADATA"	},
+	{ DNS_R_TEXTTOOLONG,		"DNS_R_TEXTTOOLONG"	},
+	{ DNS_R_SYNTAX,			"DNS_R_SYNTAX"		},
+	{ DNS_R_BADCKSUM,		"DNS_R_BADCKSUM"	},
+	{ DNS_R_BADAAAA,		"DNS_R_BADAAAA"		},
+	{ DNS_R_NOOWNER,		"DNS_R_NOOWNER"		},
+	{ DNS_R_NOTTL,			"DNS_R_NOTTL"		},
+	{ DNS_R_BADCLASS,		"DNS_R_BADCLASS"	},
+	{ DNS_R_PARTIALMATCH,		"DNS_R_PARTIALMATCH"	},
+	{ DNS_R_NEWORIGIN,		"DNS_R_NEWORIGIN"	},
+	{ DNS_R_UNCHANGED,		"DNS_R_UNCHANGED"	},
+	{ DNS_R_BADTTL,			"DNS_R_BADTTL"		},
+	{ DNS_R_NOREDATA,		"DNS_R_NOREDATA"	},
+	{ DNS_R_CONTINUE,		"DNS_R_CONTINUE"	},
+	{ DNS_R_DELEGATION,		"DNS_R_DELEGATION"	},
+	{ DNS_R_GLUE,			"DNS_R_GLUE"		},
+	{ DNS_R_DNAME,			"DNS_R_DNAME"		},
+	{ DNS_R_CNAME,			"DNS_R_CNAME"		},
+	{ DNS_R_NXDOMAIN,		"DNS_R_NXDOMAIN"	},
+	{ DNS_R_NXRRSET,		"DNS_R_NXRRSET"		},
+	{ DNS_R_BADDB,			"DNS_R_BADDB"		},
+	{ DNS_R_ZONECUT,		"DNS_R_ZONECUT"		},
+	{ (isc_result_t)0, NULL }
 };
 
 isc_result_t
@@ -596,7 +612,7 @@ t_dns_result_fromtext(char *name) {
 	isc_result_t		result;
 	struct dns_errormap	*pmap;
 
-	result = DNS_R_UNEXPECTED;
+	result = ISC_R_UNEXPECTED;
 
 	pmap = dns_errormap;
 	while (pmap->text != NULL) {
@@ -608,7 +624,7 @@ t_dns_result_fromtext(char *name) {
 	if (pmap->text != NULL)
 		result = pmap->result;
 
-	return(result);
+	return (result);
 }
 
 struct dc_method_map {
@@ -663,7 +679,7 @@ t_bustline(char *line, char **toks) {
 }
 
 static void
-printhelp() {
+printhelp(void) {
 	int		cnt;
 	testspec_t	*pts;
 
@@ -679,14 +695,12 @@ printhelp() {
 }
 
 static void
-printusage() {
+printusage(void) {
 	printf("Usage:\n%s\n", Usage);
 }
 
 int
 t_eval(char *filename, int (*func)(char **), int nargs) {
-
-
 	FILE		*fp;
 	char		*p;
 	int		line;
@@ -706,8 +720,10 @@ t_eval(char *filename, int (*func)(char **), int nargs) {
 
 			++line;
 
-			/* skip comment lines */
-			if ((isspace((int)*p)) || (*p == '#'))
+			/*
+			 * Skip comment lines.
+			 */
+			if ((isspace((unsigned char)*p)) || (*p == '#'))
 				continue;
 
 			cnt = t_bustline(p, tokens);
@@ -719,18 +735,16 @@ t_eval(char *filename, int (*func)(char **), int nargs) {
 					else
 						++nprobs;
 				}
-			}
-			else {
+			} else {
 				t_info("bad format in %s at line %d\n",
 						filename, line);
 				++nprobs;
 			}
 
-			(void) free(p);
+			(void)free(p);
 		}
-		(void) fclose(fp);
-	}
-	else {
+		(void)fclose(fp);
+	} else {
 		t_info("Missing datafile %s\n", filename);
 		++nprobs;
 	}
@@ -742,6 +756,5 @@ t_eval(char *filename, int (*func)(char **), int nargs) {
 	else if (nfails)
 		result = T_FAIL;
 
-	return(result);
+	return (result);
 }
-
diff --git a/libtool.m4 b/libtool.m4
new file mode 100644
index 00000000..0cfc80b5
--- /dev/null
+++ b/libtool.m4
@@ -0,0 +1,427 @@
+## libtool.m4 - Configure libtool for the target system. -*-Shell-script-*-
+## Copyright (C) 1996-1999 Free Software Foundation, Inc.
+## Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful, but
+## WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+## General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+##
+## As a special exception to the GNU General Public License, if you
+## distribute this file as part of a program that contains a
+## configuration script generated by Autoconf, you may include it under
+## the same distribution terms that you use for the rest of that program.
+
+# serial 40 AC_PROG_LIBTOOL
+AC_DEFUN(AC_PROG_LIBTOOL,
+[AC_REQUIRE([AC_LIBTOOL_SETUP])dnl
+
+# Save cache, so that ltconfig can load it
+AC_CACHE_SAVE
+
+# Actually configure libtool.  ac_aux_dir is where install-sh is found.
+CC="$CC" CFLAGS="$CFLAGS" CPPFLAGS="$CPPFLAGS" \
+LD="$LD" LDFLAGS="$LDFLAGS" LIBS="$LIBS" \
+LN_S="$LN_S" NM="$NM" RANLIB="$RANLIB" \
+DLLTOOL="$DLLTOOL" AS="$AS" OBJDUMP="$OBJDUMP" \
+${CONFIG_SHELL-/bin/sh} $ac_aux_dir/ltconfig --no-reexec \
+$libtool_flags --no-verify $ac_aux_dir/ltmain.sh $host \
+|| AC_MSG_ERROR([libtool configure failed])
+
+# Reload cache, that may have been modified by ltconfig
+AC_CACHE_LOAD
+
+# This can be used to rebuild libtool when needed
+LIBTOOL_DEPS="$ac_aux_dir/ltconfig $ac_aux_dir/ltmain.sh"
+
+# Always use our own libtool.
+LIBTOOL='$(SHELL) $(top_builddir)/libtool'
+AC_SUBST(LIBTOOL)dnl
+
+# Redirect the config.log output again, so that the ltconfig log is not
+# clobbered by the next message.
+exec 5>>./config.log
+])
+
+AC_DEFUN(AC_LIBTOOL_SETUP,
+[AC_PREREQ(2.13)dnl
+AC_REQUIRE([AC_ENABLE_SHARED])dnl
+AC_REQUIRE([AC_ENABLE_STATIC])dnl
+AC_REQUIRE([AC_ENABLE_FAST_INSTALL])dnl
+AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+AC_REQUIRE([AC_PROG_RANLIB])dnl
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_PROG_LD])dnl
+AC_REQUIRE([AC_PROG_NM])dnl
+AC_REQUIRE([AC_PROG_LN_S])dnl
+dnl
+
+# Check for any special flags to pass to ltconfig.
+libtool_flags="--cache-file=$cache_file"
+test "$enable_shared" = no && libtool_flags="$libtool_flags --disable-shared"
+test "$enable_static" = no && libtool_flags="$libtool_flags --disable-static"
+test "$enable_fast_install" = no && libtool_flags="$libtool_flags --disable-fast-install"
+test "$ac_cv_prog_gcc" = yes && libtool_flags="$libtool_flags --with-gcc"
+test "$ac_cv_prog_gnu_ld" = yes && libtool_flags="$libtool_flags --with-gnu-ld"
+ifdef([AC_PROVIDE_AC_LIBTOOL_DLOPEN],
+[libtool_flags="$libtool_flags --enable-dlopen"])
+ifdef([AC_PROVIDE_AC_LIBTOOL_WIN32_DLL],
+[libtool_flags="$libtool_flags --enable-win32-dll"])
+AC_ARG_ENABLE(libtool-lock,
+  [    --disable-libtool-lock  avoid locking (might break parallel builds)])
+test "x$enable_libtool_lock" = xno && libtool_flags="$libtool_flags --disable-lock"
+test x"$silent" = xyes && libtool_flags="$libtool_flags --silent"
+
+# Some flags need to be propagated to the compiler or linker for good
+# libtool support.
+case "$host" in
+*-*-irix6*)
+  # Find out which ABI we are using.
+  echo '[#]line __oline__ "configure"' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+    case "`/usr/bin/file conftest.o`" in
+    *32-bit*)
+      LD="${LD-ld} -32"
+      ;;
+    *N32*)
+      LD="${LD-ld} -n32"
+      ;;
+    *64-bit*)
+      LD="${LD-ld} -64"
+      ;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+
+*-*-sco3.2v5*)
+  # On SCO OpenServer 5, we need -belf to get full-featured binaries.
+  SAVE_CFLAGS="$CFLAGS"
+  CFLAGS="$CFLAGS -belf"
+  AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf,
+    [AC_TRY_LINK([],[],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no])])
+  if test x"$lt_cv_cc_needs_belf" != x"yes"; then
+    # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
+    CFLAGS="$SAVE_CFLAGS"
+  fi
+  ;;
+
+ifdef([AC_PROVIDE_AC_LIBTOOL_WIN32_DLL],
+[*-*-cygwin* | *-*-mingw*)
+  AC_CHECK_TOOL(DLLTOOL, dlltool, false)
+  AC_CHECK_TOOL(AS, as, false)
+  AC_CHECK_TOOL(OBJDUMP, objdump, false)
+  ;;
+])
+esac
+])
+
+# AC_LIBTOOL_DLOPEN - enable checks for dlopen support
+AC_DEFUN(AC_LIBTOOL_DLOPEN, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])])
+
+# AC_LIBTOOL_WIN32_DLL - declare package support for building win32 dll's
+AC_DEFUN(AC_LIBTOOL_WIN32_DLL, [AC_BEFORE([$0], [AC_LIBTOOL_SETUP])])
+
+# AC_ENABLE_SHARED - implement the --enable-shared flag
+# Usage: AC_ENABLE_SHARED[(DEFAULT)]
+#   Where DEFAULT is either `yes' or `no'.  If omitted, it defaults to
+#   `yes'.
+AC_DEFUN(AC_ENABLE_SHARED, [dnl
+define([AC_ENABLE_SHARED_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE(shared,
+changequote(<<, >>)dnl
+<<    --enable-shared[=PKGS]  build shared libraries [default=>>AC_ENABLE_SHARED_DEFAULT],
+changequote([, ])dnl
+[p=${PACKAGE-default}
+case "$enableval" in
+yes) enable_shared=yes ;;
+no) enable_shared=no ;;
+*)
+  enable_shared=no
+  # Look at the argument we got.  We use all the common list separators.
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:,"
+  for pkg in $enableval; do
+    if test "X$pkg" = "X$p"; then
+      enable_shared=yes
+    fi
+  done
+  IFS="$ac_save_ifs"
+  ;;
+esac],
+enable_shared=AC_ENABLE_SHARED_DEFAULT)dnl
+])
+
+# AC_DISABLE_SHARED - set the default shared flag to --disable-shared
+AC_DEFUN(AC_DISABLE_SHARED, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_SHARED(no)])
+
+# AC_ENABLE_STATIC - implement the --enable-static flag
+# Usage: AC_ENABLE_STATIC[(DEFAULT)]
+#   Where DEFAULT is either `yes' or `no'.  If omitted, it defaults to
+#   `yes'.
+AC_DEFUN(AC_ENABLE_STATIC, [dnl
+define([AC_ENABLE_STATIC_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE(static,
+changequote(<<, >>)dnl
+<<    --enable-static[=PKGS]  build static libraries [default=>>AC_ENABLE_STATIC_DEFAULT],
+changequote([, ])dnl
+[p=${PACKAGE-default}
+case "$enableval" in
+yes) enable_static=yes ;;
+no) enable_static=no ;;
+*)
+  enable_static=no
+  # Look at the argument we got.  We use all the common list separators.
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:,"
+  for pkg in $enableval; do
+    if test "X$pkg" = "X$p"; then
+      enable_static=yes
+    fi
+  done
+  IFS="$ac_save_ifs"
+  ;;
+esac],
+enable_static=AC_ENABLE_STATIC_DEFAULT)dnl
+])
+
+# AC_DISABLE_STATIC - set the default static flag to --disable-static
+AC_DEFUN(AC_DISABLE_STATIC, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_STATIC(no)])
+
+
+# AC_ENABLE_FAST_INSTALL - implement the --enable-fast-install flag
+# Usage: AC_ENABLE_FAST_INSTALL[(DEFAULT)]
+#   Where DEFAULT is either `yes' or `no'.  If omitted, it defaults to
+#   `yes'.
+AC_DEFUN(AC_ENABLE_FAST_INSTALL, [dnl
+define([AC_ENABLE_FAST_INSTALL_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE(fast-install,
+changequote(<<, >>)dnl
+<<    --enable-fast-install[=PKGS]  optimize for fast installation [default=>>AC_ENABLE_FAST_INSTALL_DEFAULT],
+changequote([, ])dnl
+[p=${PACKAGE-default}
+case "$enableval" in
+yes) enable_fast_install=yes ;;
+no) enable_fast_install=no ;;
+*)
+  enable_fast_install=no
+  # Look at the argument we got.  We use all the common list separators.
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}:,"
+  for pkg in $enableval; do
+    if test "X$pkg" = "X$p"; then
+      enable_fast_install=yes
+    fi
+  done
+  IFS="$ac_save_ifs"
+  ;;
+esac],
+enable_fast_install=AC_ENABLE_FAST_INSTALL_DEFAULT)dnl
+])
+
+# AC_ENABLE_FAST_INSTALL - set the default to --disable-fast-install
+AC_DEFUN(AC_DISABLE_FAST_INSTALL, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_FAST_INSTALL(no)])
+
+# AC_PROG_LD - find the path to the GNU or non-GNU linker
+AC_DEFUN(AC_PROG_LD,
+[AC_ARG_WITH(gnu-ld,
+[    --with-gnu-ld           assume the C compiler uses GNU ld [default=no]],
+test "$withval" = no || with_gnu_ld=yes, with_gnu_ld=no)
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+ac_prog=ld
+if test "$ac_cv_prog_gcc" = yes; then
+  # Check if gcc -print-prog-name=ld gives a path.
+  AC_MSG_CHECKING([for ld used by GCC])
+  ac_prog=`($CC -print-prog-name=ld) 2>&5`
+  case "$ac_prog" in
+    # Accept absolute paths.
+changequote(,)dnl
+    [\\/]* | [A-Za-z]:[\\/]*)
+      re_direlt='/[^/][^/]*/\.\./'
+changequote([,])dnl
+      # Canonicalize the path of ld
+      ac_prog=`echo $ac_prog| sed 's%\\\\%/%g'`
+      while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
+	ac_prog=`echo $ac_prog| sed "s%$re_direlt%/%"`
+      done
+      test -z "$LD" && LD="$ac_prog"
+      ;;
+  "")
+    # If it fails, then pretend we aren't using GCC.
+    ac_prog=ld
+    ;;
+  *)
+    # If it is relative, then search for the first ld in PATH.
+    with_gnu_ld=unknown
+    ;;
+  esac
+elif test "$with_gnu_ld" = yes; then
+  AC_MSG_CHECKING([for GNU ld])
+else
+  AC_MSG_CHECKING([for non-GNU ld])
+fi
+AC_CACHE_VAL(ac_cv_path_LD,
+[if test -z "$LD"; then
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}${PATH_SEPARATOR-:}"
+  for ac_dir in $PATH; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
+      ac_cv_path_LD="$ac_dir/$ac_prog"
+      # Check to see if the program is GNU ld.  I'd rather use --version,
+      # but apparently some GNU ld's only accept -v.
+      # Break only if it was the GNU/non-GNU ld that we prefer.
+      if "$ac_cv_path_LD" -v 2>&1 < /dev/null | egrep '(GNU|with BFD)' > /dev/null; then
+	test "$with_gnu_ld" != no && break
+      else
+	test "$with_gnu_ld" != yes && break
+      fi
+    fi
+  done
+  IFS="$ac_save_ifs"
+else
+  ac_cv_path_LD="$LD" # Let the user override the test with a path.
+fi])
+LD="$ac_cv_path_LD"
+if test -n "$LD"; then
+  AC_MSG_RESULT($LD)
+else
+  AC_MSG_RESULT(no)
+fi
+test -z "$LD" && AC_MSG_ERROR([no acceptable ld found in \$PATH])
+AC_SUBST(LD)
+AC_PROG_LD_GNU
+])
+
+AC_DEFUN(AC_PROG_LD_GNU,
+[AC_CACHE_CHECK([if the linker ($LD) is GNU ld], ac_cv_prog_gnu_ld,
+[# I'd rather use --version here, but apparently some GNU ld's only accept -v.
+if $LD -v 2>&1 </dev/null | egrep '(GNU|with BFD)' 1>&5; then
+  ac_cv_prog_gnu_ld=yes
+else
+  ac_cv_prog_gnu_ld=no
+fi])
+])
+
+# AC_PROG_NM - find the path to a BSD-compatible name lister
+AC_DEFUN(AC_PROG_NM,
+[AC_MSG_CHECKING([for BSD-compatible nm])
+AC_CACHE_VAL(ac_cv_path_NM,
+[if test -n "$NM"; then
+  # Let the user override the test.
+  ac_cv_path_NM="$NM"
+else
+  IFS="${IFS= 	}"; ac_save_ifs="$IFS"; IFS="${IFS}${PATH_SEPARATOR-:}"
+  for ac_dir in $PATH /usr/ccs/bin /usr/ucb /bin; do
+    test -z "$ac_dir" && ac_dir=.
+    if test -f $ac_dir/nm || test -f $ac_dir/nm$ac_exeext ; then
+      # Check to see if the nm accepts a BSD-compat flag.
+      # Adding the `sed 1q' prevents false positives on HP-UX, which says:
+      #   nm: unknown option "B" ignored
+      if ($ac_dir/nm -B /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
+	ac_cv_path_NM="$ac_dir/nm -B"
+	break
+      elif ($ac_dir/nm -p /dev/null 2>&1 | sed '1q'; exit 0) | egrep /dev/null >/dev/null; then
+	ac_cv_path_NM="$ac_dir/nm -p"
+	break
+      else
+	ac_cv_path_NM=${ac_cv_path_NM="$ac_dir/nm"} # keep the first match, but
+	continue # so that we can try to find one that supports BSD flags
+      fi
+    fi
+  done
+  IFS="$ac_save_ifs"
+  test -z "$ac_cv_path_NM" && ac_cv_path_NM=nm
+fi])
+NM="$ac_cv_path_NM"
+AC_MSG_RESULT([$NM])
+AC_SUBST(NM)
+])
+
+# AC_CHECK_LIBM - check for math library
+AC_DEFUN(AC_CHECK_LIBM,
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+LIBM=
+case "$host" in
+*-*-beos* | *-*-cygwin*)
+  # These system don't have libm
+  ;;
+*-ncr-sysv4.3*)
+  AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM="-lmw")
+  AC_CHECK_LIB(m, main, LIBM="$LIBM -lm")
+  ;;
+*)
+  AC_CHECK_LIB(m, main, LIBM="-lm")
+  ;;
+esac
+])
+
+# AC_LIBLTDL_CONVENIENCE[(dir)] - sets LIBLTDL to the link flags for
+# the libltdl convenience library, adds --enable-ltdl-convenience to
+# the configure arguments.  Note that LIBLTDL is not AC_SUBSTed, nor
+# is AC_CONFIG_SUBDIRS called.  If DIR is not provided, it is assumed
+# to be `${top_builddir}/libltdl'.  Make sure you start DIR with
+# '${top_builddir}/' (note the single quotes!) if your package is not
+# flat, and, if you're not using automake, define top_builddir as
+# appropriate in the Makefiles.
+AC_DEFUN(AC_LIBLTDL_CONVENIENCE, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+  case "$enable_ltdl_convenience" in
+  no) AC_MSG_ERROR([this package needs a convenience libltdl]) ;;
+  "") enable_ltdl_convenience=yes
+      ac_configure_args="$ac_configure_args --enable-ltdl-convenience" ;;
+  esac
+  LIBLTDL=ifelse($#,1,$1,['${top_builddir}/libltdl'])/libltdlc.la
+  INCLTDL=ifelse($#,1,-I$1,['-I${top_builddir}/libltdl'])
+])
+
+# AC_LIBLTDL_INSTALLABLE[(dir)] - sets LIBLTDL to the link flags for
+# the libltdl installable library, and adds --enable-ltdl-install to
+# the configure arguments.  Note that LIBLTDL is not AC_SUBSTed, nor
+# is AC_CONFIG_SUBDIRS called.  If DIR is not provided, it is assumed
+# to be `${top_builddir}/libltdl'.  Make sure you start DIR with
+# '${top_builddir}/' (note the single quotes!) if your package is not
+# flat, and, if you're not using automake, define top_builddir as
+# appropriate in the Makefiles.
+# In the future, this macro may have to be called after AC_PROG_LIBTOOL.
+AC_DEFUN(AC_LIBLTDL_INSTALLABLE, [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+  AC_CHECK_LIB(ltdl, main,
+  [test x"$enable_ltdl_install" != xyes && enable_ltdl_install=no],
+  [if test x"$enable_ltdl_install" = xno; then
+     AC_MSG_WARN([libltdl not installed, but installation disabled])
+   else
+     enable_ltdl_install=yes
+   fi
+  ])
+  if test x"$enable_ltdl_install" = x"yes"; then
+    ac_configure_args="$ac_configure_args --enable-ltdl-install"
+    LIBLTDL=ifelse($#,1,$1,['${top_builddir}/libltdl'])/libltdl.la
+    INCLTDL=ifelse($#,1,-I$1,['-I${top_builddir}/libltdl'])
+  else
+    ac_configure_args="$ac_configure_args --enable-ltdl-install=no"
+    LIBLTDL="-lltdl"
+    INCLTDL=
+  fi
+])
+
+dnl old names
+AC_DEFUN(AM_PROG_LIBTOOL, [indir([AC_PROG_LIBTOOL])])dnl
+AC_DEFUN(AM_ENABLE_SHARED, [indir([AC_ENABLE_SHARED], $@)])dnl
+AC_DEFUN(AM_ENABLE_STATIC, [indir([AC_ENABLE_STATIC], $@)])dnl
+AC_DEFUN(AM_DISABLE_SHARED, [indir([AC_DISABLE_SHARED], $@)])dnl
+AC_DEFUN(AM_DISABLE_STATIC, [indir([AC_DISABLE_STATIC], $@)])dnl
+AC_DEFUN(AM_PROG_LD, [indir([AC_PROG_LD])])dnl
+AC_DEFUN(AM_PROG_NM, [indir([AC_PROG_NM])])dnl
+
+dnl This is just to silence aclocal about the macro not being used
+ifelse([AC_DISABLE_FAST_INSTALL])dnl
diff --git a/make/rules.in b/make/rules.in
index 5d199459..62a3c4b2 100644
--- a/make/rules.in
+++ b/make/rules.in
@@ -85,6 +85,8 @@ install clean distclean::
 ###	CINCLUDES
 ###	CDEFINES
 ###	CWARNINGS
+### User may define externally
+###     EXT_CFLAGS
 
 CC = 		@CC@
 CFLAGS =	@CFLAGS@
@@ -100,10 +102,10 @@ ALWAYS_DEFINES = -D_REENTRANT
 ALWAYS_WARNINGS =
 
 ALL_CPPFLAGS = \
-	${ALWAYS_INCLUDES} ${STD_CINCLUDES} ${CINCLUDES} \
-	${ALWAYS_DEFINES} ${STD_CDEFINES} ${CDEFINES}
+	${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \
+	${ALWAYS_DEFINES} ${CDEFINES} ${STD_CDEFINES}
 
-ALL_CFLAGS = ${CFLAGS} \
+ALL_CFLAGS = ${EXT_CFLAGS} ${CFLAGS} \
 	${ALL_CPPFLAGS} \
 	${ALWAYS_WARNINGS} ${STD_CWARNINGS} ${CWARNINGS}
 
diff --git a/version b/version
index 2b5fb227..5facf5e7 100644
--- a/version
+++ b/version
@@ -1,7 +1,10 @@
-MAJORVER =	9
-MINORVER =	0
-PATCHVER =	0
-RELEASETYPE =	b
-RELEASEVER =	2
-
-VERSION =	${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}
+# $Id: version,v 1.13 2000/04/27 23:47:49 explorer Exp $
+#
+# This file must follow /bin/sh rules.  It is imported directly via
+# configure.
+#
+MAJORVER=9
+MINORVER=0
+PATCHVER=0
+RELEASETYPE=b
+RELEASEVER=3