9.0.0b1

74 files changed, 16422 insertions, 0 deletions

diff --git a/lib/dns/include/.cvsignore b/lib/dns/include/.cvsignore
new file mode 100644
index 00000000..f3c7a7c5
--- /dev/null
+++ b/lib/dns/include/.cvsignore
@@ -0,0 +1 @@
+Makefile
diff --git a/lib/dns/include/Makefile.in b/lib/dns/include/Makefile.in
new file mode 100644
index 00000000..ca29ecaf
--- /dev/null
+++ b/lib/dns/include/Makefile.in
@@ -0,0 +1,23 @@
+# Copyright (C) 1998, 1999, 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	dns
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/dns/include/dns/.cvsignore b/lib/dns/include/dns/.cvsignore
new file mode 100644
index 00000000..5aa676e5
--- /dev/null
+++ b/lib/dns/include/dns/.cvsignore
@@ -0,0 +1,4 @@
+Makefile
+enumtype.h
+enumclass.h
+rdatastruct.h
diff --git a/lib/dns/include/dns/Makefile.in b/lib/dns/include/dns/Makefile.in
new file mode 100644
index 00000000..1032d9e1
--- /dev/null
+++ b/lib/dns/include/dns/Makefile.in
@@ -0,0 +1,57 @@
+# Copyright (C) 1998, 1999, 2000  Internet Software Consortium.
+# 
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+# CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+# PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+# SOFTWARE.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_VERSION@
+
+HEADERS =	a6.h acl.h aclconf.h adb.h byaddr.h cache.h callbacks.h \
+		cert.h compress.h \
+		confacl.h confcache.h confcommon.h confctl.h confctx.h \
+		confip.h confkeys.h conflog.h conflsn.h confparser.h \
+		confresolv.h confrrset.h confserv.h confview.h confzone.h \
+		db.h dbiterator.h dbtable.h dispatch.h \
+		dnssec.h events.h fixedname.h journal.h keyflags.h \
+		keyvalues.h lib.h log.h master.h masterdump.h message.h \
+		name.h namedconf.h ncache.h nxt.h rbt.h rcode.h rdata.h \
+		rdataclass.h rdatalist.h rdataset.h rdatasetiter.h \
+		rdataslab.h rdatatype.h resolver.h result.h rootns.h \
+		secalg.h secproto.h tcpmsg.h time.h tkey.h tkeyconf.h tsig.h \
+		ttl.h types.h view.h xfrin.h zone.h zoneconf.h zt.h
+
+GENHEADERS =	enumclass.h enumtype.h rdatastruct.h
+
+SUBDIRS =	
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	if [ ! -d ${includedir} ]; then \
+		mkdir ${includedir} ; \
+	fi
+	if [ ! -d ${includedir}/dns ]; then \
+		mkdir ${includedir}/dns ; \
+	fi
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${includedir}/dns ; \
+	done
+	for i in ${GENHEADERS}; do \
+		${INSTALL_DATA} $$i ${includedir}/dns ; \
+	done
diff --git a/lib/dns/include/dns/a6.h b/lib/dns/include/dns/a6.h
new file mode 100644
index 00000000..25b10ff5
--- /dev/null
+++ b/lib/dns/include/dns/a6.h
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_A6_H
+#define DNS_A6_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+#include <isc/stdtime.h>
+#include <isc/bitstring.h>
+#include <isc/net.h>
+#include <isc/result.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef isc_result_t (*dns_findfunc_t)(void *arg, dns_name_t *name,
+				       dns_rdatatype_t type,
+				       isc_stdtime_t now,
+				       dns_rdataset_t *rdataset,
+				       dns_rdataset_t *sigrdataset);
+
+typedef void (*dns_rrsetfunc_t)(void *arg, dns_name_t *name,
+				dns_rdataset_t *rdataset,
+				dns_rdataset_t *sigrdataset);
+
+typedef void (*dns_in6addrfunc_t)(dns_a6context_t *a6ctx);
+
+typedef void (*dns_a6missingfunc_t)(dns_a6context_t *a6ctx, dns_name_t *name);
+
+struct dns_a6context {
+	unsigned int			magic;
+	/* Public. */
+	dns_findfunc_t			find;
+	dns_rrsetfunc_t			rrset;
+	dns_in6addrfunc_t		address;
+	dns_a6missingfunc_t		missing;
+	void *				arg;
+	unsigned int			chains;
+	unsigned int			depth;
+	isc_stdtime_t			now;
+	isc_stdtime_t			expiration;
+	unsigned int			prefixlen;
+	struct in6_addr			in6addr;
+	isc_bitstring_t			bitstring;
+};
+
+void
+dns_a6_init(dns_a6context_t *a6ctx, dns_findfunc_t find, dns_rrsetfunc_t rrset,
+	    dns_in6addrfunc_t address, dns_a6missingfunc_t missing, void *arg);
+
+void
+dns_a6_reset(dns_a6context_t *a6ctx);
+
+void
+dns_a6_invalidate(dns_a6context_t *a6ctx);
+
+void
+dns_a6_copy(dns_a6context_t *source, dns_a6context_t *target);
+
+isc_result_t
+dns_a6_foreach(dns_a6context_t *a6ctx, dns_rdataset_t *rdataset,
+	       isc_stdtime_t now);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RESULT_H */
diff --git a/lib/dns/include/dns/acl.h b/lib/dns/include/dns/acl.h
new file mode 100644
index 00000000..12f45dec
--- /dev/null
+++ b/lib/dns/include/dns/acl.h
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_ACL_H
+#define DNS_ACL_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Address match list handling.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <dns/types.h>
+#include <dns/name.h>
+#include <isc/sockaddr.h>
+
+/***
+ *** Types
+ ***/
+
+typedef enum {
+	dns_aclelementtype_ipprefix,
+	dns_aclelementtype_keyname,
+	dns_aclelementtype_nestedacl,
+	dns_aclelementtype_localhost,
+	dns_aclelementtype_localnets,
+	dns_aclelementtype_any
+} dns_aclelemettype_t;
+
+struct dns_aclelement {
+	dns_aclelemettype_t type;
+	isc_boolean_t negative;
+	union {
+		struct {
+			isc_sockaddr_t address; /* IP4/IP6 */
+			unsigned int prefixlen;
+		} ip_prefix;
+		dns_name_t keyname;
+		dns_acl_t *nestedacl;
+	} u;
+};
+
+struct dns_acl {
+	isc_uint32_t		magic;
+	isc_mem_t		*mctx;
+	unsigned int		refcount;
+	dns_aclelement_t	*elements;
+	unsigned int 		alloc;		/* Elements allocated */
+	unsigned int 		length;		/* Elements initialized */
+	char 			*name;		/* Temporary use only */
+	ISC_LINK(dns_acl_t) 	nextincache;	/* Ditto */
+};
+
+#define DNS_ACL_MAGIC		0x4461636c	/* Dacl */
+#define DNS_ACL_VALID(a)	((a) != NULL && \
+				 (a)->magic == DNS_ACL_MAGIC)
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
+/*
+ * Create a new ACL with place for 'n' elements.
+ * The elements are uninitialized and the length is 0.
+ */
+
+isc_result_t dns_acl_any(isc_mem_t *mctx, dns_acl_t **target);
+/*
+ * Create a new ACL that matches everything.
+ */
+
+isc_result_t dns_acl_none(isc_mem_t *mctx, dns_acl_t **target);
+/*
+ * Create a new ACL that matches nothing.
+ */
+
+void dns_acl_attach(dns_acl_t *source, dns_acl_t **target);
+
+void dns_acl_detach(dns_acl_t **aclp);
+
+isc_boolean_t
+dns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb);
+
+isc_boolean_t dns_acl_equal(dns_acl_t *a, dns_acl_t *b);
+
+isc_result_t
+dns_acl_checkrequest(dns_name_t *signer, isc_sockaddr_t *reqaddr,
+		     const char *opname,
+		     dns_acl_t *main_acl,
+		     dns_acl_t *fallback_acl,
+		     isc_boolean_t default_allow);
+/*
+ * Convenience function for "typical" DNS request permission checking.
+ *
+ * Check the DNS request signed by the key whose name is 'signer',
+ * from IP address 'reqaddr', against 'main_acl'.  If main_acl is NULL,
+ * check against 'fallback_acl' instead.  If fallback_acl
+ * is also NULL, allow the request iff 'default_allow' is ISC_TRUE.
+ * Log the outcome of the check if deemed appropriate.
+ * Log messages will refer to the request as an 'opname' request.
+ *
+ * Notes:
+ *	This is appropriate for checking allow-update, 
+ * 	allow-query, allow-transfer, etc.  It is not appropriate
+ * 	for checking the blackhole list because we treat positive
+ * 	matches as "allow" and negative matches as "deny"; in
+ *	the case of the blackhole list this would be backwards.
+ *
+ * Requires:
+ *	'signer' points to a valid name or is NULL.
+ *	'reqaddr' points to a valid socket address.
+ *	'opname' points to a null-terminated string.
+ *	'main_acl' points to a valid address match list, or is NULL.
+ *	'fallback_acl' points to a valid address match list, or is NULL.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS	if the request should be allowed
+ * 	ISC_R_REFUSED	if the request should be denied
+ *	No other return values are possible.
+ */
+
+isc_result_t
+dns_acl_match(isc_sockaddr_t *reqaddr,
+	      dns_name_t *reqsigner,
+	      dns_acl_t *acl,
+	      int *match,
+	      dns_aclelement_t **matchelt);
+/*
+ * General, low-level ACL matching.  This is expected to
+ * be useful even for weird stuff like the topology and sortlist statements.
+ *
+ * Match the address 'reqaddr', and optionally the key name 'reqsigner',
+ * against 'acl'.  'reqsigner' may be NULL.
+ *
+ * If there is a positive match, '*match' will be set to a positive value
+ * indicating the distance from the beginning of the list.
+ *
+ * If there is a negative match, '*match' will be set to a negative value
+ * whose absoluate value indicates the distance from the beginning of
+ * the list.
+ *
+ * If there is a match (either positive or negative) and 'matchelt' is  
+ * non-NULL, *matchelt will be attached to the primitive
+ * (non-indirect) address match list element that matched.
+ *
+ * If there is no match, *match will be set to zero.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		Always succeeds.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ACL_H */
diff --git a/lib/dns/include/dns/aclconf.h b/lib/dns/include/dns/aclconf.h
new file mode 100644
index 00000000..2a4476c0
--- /dev/null
+++ b/lib/dns/include/dns/aclconf.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_ACLCONF_H
+#define DNS_ACLCONF_H 1
+
+#include <dns/acl.h>
+#include <dns/confacl.h>
+#include <dns/confctx.h>
+#include <dns/confip.h>
+
+typedef struct {
+	ISC_LIST(dns_acl_t) named_acl_cache;
+} dns_aclconfctx_t;
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+void dns_aclconfctx_init(dns_aclconfctx_t *ctx);
+
+void dns_aclconfctx_destroy(dns_aclconfctx_t *ctx);
+
+isc_result_t
+dns_acl_fromconfig(dns_c_ipmatchlist_t *caml,
+		   dns_c_ctx_t *cctx,
+		   dns_aclconfctx_t *ctx,
+		   isc_mem_t *mctx,
+		   dns_acl_t **target);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ACLCONF_H */
diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
new file mode 100644
index 00000000..52422764
--- /dev/null
+++ b/lib/dns/include/dns/adb.h
@@ -0,0 +1,561 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_ADB_H
+#define DNS_ADB_H
+
+/***** 
+ ***** Module Info 
+ *****/ 
+
+
+/*
+ * DNS Address Database
+ *
+ * This module implements an address database (ADB) for mapping a name
+ * to an isc_sockaddr_t. It also provides statistical information on
+ * how good that address might be.
+ *
+ * A client will pass in a dns_name_t, and the ADB will walk through
+ * the rdataset looking up addresses associated with the name.  If it
+ * is found on the internal lists, a structure is filled in with the
+ * address information and stats for found addresses.
+ *
+ * If the name cannot be found on the internal lists, a new entry will
+ * be created for a name if all the information needed can be found
+ * in the zone table or cache.  This new address will then be returned.
+ *
+ * If a request must be made to remote servers to satisfy a name lookup,
+ * this module will start fetches to try to complete these addresses.  When
+ * at least one more completes, an event is sent to the caller.  If none of
+ * them resolve before the fetch times out, an event indicating this is
+ * sent instead.
+ *
+ * Records are stored internally until a timer expires. The timer is the
+ * smaller of the TTL or signature validity period. For A6 records, the timer
+ * is the smallest of all the TTL or signature validity periods in the A6
+ * chain.
+ *
+ * Lameness is stored per-zone, and this data hangs off each address field.
+ * When an address is marked lame for a given zone the address will not
+ * be returned to a caller.
+ *
+ *
+ * MP:
+ *
+ *	The ADB takes care of all necessary locking. 
+ *
+ *	Only the task which initiated the name lookup can cancel the lookup.
+ *
+ *
+ * Security:
+ *
+ *	None, since all data stored is required to be pre-filtered.
+ *	(Cache needs to be sane, fetches return bounds-checked and sanity-
+ *       checked data, caller passes a good dns_name_t for the zone, etc)
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdio.h>
+
+#include <isc/event.h>
+#include <isc/lang.h>
+#include <isc/list.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/sockaddr.h>
+#include <isc/stdtime.h>
+#include <isc/task.h>
+
+#include <dns/types.h>
+#include <dns/rdataset.h>
+#include <dns/view.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Magic number checks
+ ***/
+
+#define DNS_ADBFIND_MAGIC	  0x61646248	/* adbH. */
+#define DNS_ADBFIND_VALID(x)	  ISC_MAGIC_VALID(x, DNS_ADBFIND_MAGIC)
+#define DNS_ADBADDRINFO_MAGIC	  0x61644149	/* adAI. */
+#define DNS_ADBADDRINFO_VALID(x)  ISC_MAGIC_VALID(x, DNS_ADBADDRINFO_MAGIC)
+
+
+/***
+ *** TYPES
+ ***/
+
+typedef struct dns_adbname		dns_adbname_t;
+
+/* dns_adbfind_t
+ *
+ * Represents a lookup for a single name.
+ *
+ * On return, the client can safely use "list", and can reorder the list.
+ * Items may not be _deleted_ from this list, however, or added to it
+ * other than by using the dns_adb_*() API.
+ */
+struct dns_adbfind {
+	/* Public */
+	unsigned int			magic;		/* RO: magic */
+	dns_adbaddrinfolist_t		list;		/* RO: list of addrs */
+	unsigned int			query_pending;	/* RO: partial list */
+	unsigned int			partial_result;	/* RO: addrs missing */
+	unsigned int			options;	/* RO: options */
+	ISC_LINK(dns_adbfind_t)		publink;	/* RW: client use */
+
+	/* Private */
+	isc_mutex_t			lock;		/* locks all below */
+	int				name_bucket;
+	unsigned int			flags;
+	dns_adbname_t		       *adbname;
+	dns_adb_t		       *adb;
+	isc_event_t			event;
+	ISC_LINK(dns_adbfind_t)		plink;
+};
+
+/*
+ * _INET:
+ * _INET6:
+ *	return addresses of that type.
+ *
+ * _EMPTYEVENT:
+ *	Only schedule an event if no addresses are known.
+ *	Must set _WANTEVENT for this to be meaningful.
+ *
+ * _WANTEVENT:
+ *	An event is desired.  Check this bit in the returned find to see
+ *	if one will actually be generated.
+ *
+ * _AVOIDFETCHES:
+ *
+ * _STARTATROOT:
+ *
+ * _GLUEOK:
+ * _HINTOK:
+ *	Glue or hints are ok.  These are used when matching names already
+ *	in the adb, and when dns databases are searched.
+ *
+ * _RETURNLAME:
+ *	Return lame servers in a find, so that all addresses are returned.
+ *
+ * _LAMEPRUNED:
+ *	At least one address was omitted from the list because it was lame.
+ *	This bit will NEVER be set if _RETURNLAME is set in the createfind().
+ */
+#define DNS_ADBFIND_INET		0x00000001
+#define DNS_ADBFIND_INET6		0x00000002
+#define DNS_ADBFIND_ADDRESSMASK		0x00000003
+
+#define DNS_ADBFIND_EMPTYEVENT		0x00000004
+#define DNS_ADBFIND_WANTEVENT		0x00000008
+#define DNS_ADBFIND_AVOIDFETCHES	0x00000010
+#define DNS_ADBFIND_STARTATROOT		0x00000020
+#define DNS_ADBFIND_GLUEOK		0x00000040
+#define DNS_ADBFIND_HINTOK		0x00000080
+#define DNS_ADBFIND_RETURNLAME		0x00000100
+#define DNS_ADBFIND_LAMEPRUNED		0x00000200
+
+/* dns_adbaddrinfo_t
+ *
+ * The answers to queries come back as a list of these.
+ */
+struct dns_adbaddrinfo {
+	unsigned int			magic;		/* private */
+
+	isc_sockaddr_t		       *sockaddr;	/* read only */
+	int				goodness;
+	unsigned int			srtt;		/* microseconds */
+	unsigned int			flags;
+	dns_adbentry_t		       *entry;		/* private */
+	ISC_LINK(dns_adbaddrinfo_t)	publink;
+};
+
+/*
+ * The event sent to the caller task is just a plain old isc_event_t.  It
+ * contains no data other than a simple status, passed in the "type" field
+ * to indicate that another address resolved, or all partially resolved
+ * addresses have failed to resolve.
+ *
+ * "sender" is the dns_adbfind_t used to issue this query.
+ *
+ * This is simply a standard event, with the "type" set to:
+ *
+ *	DNS_EVENT_ADBMOREADDRESSES   -- another address resolved.
+ *	DNS_EVENT_ADBNOMOREADDRESSES -- all pending addresses failed,
+ *					were canceled, or otherwise will
+ *					not be usable.
+ *	DNS_EVENT_ADBCANCELED	     -- The request was canceled by a
+ *					3rd party.
+ *	DNS_EVENT_ADBNAMEDELETED     -- The name was deleted, so this request
+ *					was canceled.
+ *
+ * In each of these cases, the addresses returned by the initial call
+ * to dns_adb_createfind() can still be used until they are no longer needed.
+ */
+
+/****
+ **** FUNCTIONS
+ ****/
+
+
+isc_result_t
+dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *tmgr,
+	       isc_taskmgr_t *taskmgr, dns_adb_t **newadb);
+/*
+ * Create a new ADB.
+ *
+ * Notes:
+ *
+ *	Generally, applications should not create an ADB directly, but
+ *	should instead call dns_view_createresolver().
+ *
+ * Requires:
+ *
+ *	'mem' must be a valid memory context.
+ *
+ *	'view' be a pointer to a valid view.
+ *
+ *	'tmgr' be a pointer to a valid timer manager.
+ *
+ *	'taskmgr' be a pointer to a valid task manager.
+ *
+ *	'newadb' != NULL && '*newadb' == NULL.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS	after happiness.
+ *	ISC_R_NOMEMORY	after resource allocation failure.
+ */
+
+void
+dns_adb_detach(dns_adb_t **adb);
+/*
+ * Delete the ADB. Sets *ADB to NULL. Cancels any outstanding requests.
+ *
+ * Requires:
+ *
+ *	'adb' be non-NULL and '*adb' be a valid dns_adb_t, created via
+ *	dns_adb_create().
+ */
+
+void
+dns_adb_whenshutdown(dns_adb_t *adb, isc_task_t *task, isc_event_t **eventp);
+/*
+ * Send '*eventp' to 'task' when 'adb' has shutdown.
+ *
+ * Requires:
+ *
+ *	'*adb' is a valid dns_adb_t.
+ *
+ *	eventp != NULL && *eventp is a valid event.
+ *
+ * Ensures:
+ *
+ *	*eventp == NULL
+ *
+ *	The event's sender field is set to the value of adb when the event
+ *	is sent.
+ */
+
+void
+dns_adb_shutdown(dns_adb_t *adb);
+/*
+ * Shutdown 'adb'.
+ *
+ * Requires:
+ *
+ * 	'*adb' is a valid dns_adb_t.
+ */
+
+isc_result_t
+dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+		   void *arg, dns_name_t *name, dns_name_t *zone,
+		   unsigned int options, isc_stdtime_t now, dns_name_t *target,
+		   dns_adbfind_t **find);
+/*
+ * Main interface for clients. The adb will look up the name given in
+ * "name" and will build up a list of found addresses, and perhaps start
+ * internal fetches to resolve names that are unknown currently.
+ *
+ * If other addresses resolve after this call completes, an event will
+ * be sent to the <task, taskaction, arg> with the sender of that event
+ * set to a pointer to the dns_adbfind_t returned by this function.
+ *
+ * The list of addresses returned is unordered.  The caller must impose
+ * any ordering required.  The list will not contain "known bad" addresses,
+ * however.  For instance, it will not return hosts that are known to be
+ * lame for the zone in question.
+ *
+ * The caller cannot (directly) modify the contents of the address list's
+ * fields other than the "link" field.  All values can be read at any
+ * time, however.
+ *
+ * The "now" parameter is used only for determining which entries that
+ * have a specific time to live or expire time should be removed from
+ * the running database.  If specified as zero, the current time will
+ * be retrieved and used.
+ *
+ * If 'target' is not NULL and 'name' is an alias (i.e. the name is
+ * CNAME'd or DNAME'd to another name), then 'target' will be updated with
+ * the domain name that 'name' is aliased to.
+ *
+ * XXXMLG  Document options, especially the flags which control how
+ *         events are sent.
+ *
+ * Requires:
+ *
+ *	*adb be a valid isc_adb_t object.
+ *
+ *	If events are to be sent, *task be a valid task,
+ *	and isc_taskaction_t != NULL.
+ *
+ *	*name is a valid dns_name_t.
+ *
+ *	zone != NULL and *zone be a valid dns_name_t.
+ *
+ *	target == NULL or target is a valid name with a buffer.
+ *
+ *	find != NULL && *find == NULL.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS	Addresses might have been returned, and events will be
+ *			delivered for unresolved addresses.
+ *	ISC_R_NOMORE	Addresses might have been returned, but no events
+ *			will ever be posted for this context.  This is only
+ *			returned if task != NULL.
+ *	ISC_R_NOMEMORY	insufficient resources
+ *	DNS_R_ALIAS	'name' is an alias for another name.
+ *
+ * Calls, and returns error codes from:
+ *
+ *	isc_stdtime_get()
+ *
+ * Notes:
+ *
+ *	No internal reference to "name" exists after this function
+ *	returns.
+ */
+
+void
+dns_adb_cancelfind(dns_adbfind_t *find);
+/*
+ * Cancels the find, and sends the event off to the caller.
+ *
+ * It is an error to call dns_adb_cancelfind() on a find where
+ * no event is wanted, or will ever be sent.
+ *
+ * Note:
+ *
+ *	It is possible that the real completion event was posted just
+ *	before the dns_adb_cancelfind() call was made.  In this case,
+ *	dns_adb_cancelfind() will do nothing.  The event callback needs
+ *	to be prepared to find this situation (i.e. result is valid but
+ *	the caller expects it to be canceled).
+ *
+ * Requires:
+ *
+ *	'find' be a valid dns_adbfind_t pointer.
+ *
+ *	events would have been posted to the task.  This can be checked
+ *	with (find->options & DNS_ADBFIND_WANTEVENT).
+ *
+ * Ensures:
+ *
+ *	The event was posted to the task.
+ */
+
+void
+dns_adb_destroyfind(dns_adbfind_t **find);
+/*
+ * Destroys the find reference.
+ *
+ * Note:
+ *
+ *	This can only be called after the event was delivered for a
+ *	find.  Additionally, the event MUST have been freed via
+ *	isc_event_free() BEFORE this function is called.
+ *
+ * Requires:
+ *
+ *	'find' != NULL and *find be valid dns_adbfind_t pointer.
+ *
+ * Ensures:
+ *
+ *	No "address found" events will be posted to the originating task
+ *	after this function returns.
+ */
+
+void
+dns_adb_dump(dns_adb_t *adb, FILE *f);
+/*
+ * This function is only used for debugging.  It will dump as much of the
+ * state of the running system as possible.
+ *
+ * Requires:
+ *
+ *	adb be valid.
+ *
+ *	f != NULL, and is a file open for writing.
+ */
+
+void
+dns_adb_dumpfind(dns_adbfind_t *find, FILE *f);
+/*
+ * This function is only used for debugging.  Dump the data associated
+ * with a find.
+ *
+ * Requires:
+ *
+ *	find is valid.
+ *
+ * 	f != NULL, and is a file open for writing.
+ */
+
+isc_result_t
+dns_adb_marklame(dns_adb_t *adb, dns_adbaddrinfo_t *addr, dns_name_t *zone,
+		 isc_stdtime_t expire_time);
+/*
+ * Mark the given address as lame for the zone "zone".  expire_time should
+ * be set to the time when the entry should expire.  That is, if it is to
+ * expire 10 minutes in the future, it should set it to (now + 10 * 60).
+ *
+ * Requires:
+ *
+ *	adb be valid.
+ *
+ *	addr be valid.
+ *
+ *	zone be the zone used in the dns_adb_createfind() call.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS		-- all is well.
+ *	ISC_R_NOMEMORY		-- could not mark address as lame.
+ */
+
+void
+dns_adb_adjustgoodness(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+		       int goodness_adjustment);
+/*
+ * Increase or decrease the address's goodness value.
+ *
+ * Note:
+ *
+ *	Goodness values are silently clamped to INT_MAX and INT_MIN.
+ *
+ *	The goodness in addr will be updated to reflect the new global
+ *	goodness value.  This may include changes made by others.
+ *
+ * Requires:
+ *
+ *	adb be valid.
+ *
+ *	addr be valid.
+ */
+
+/*
+ * A reasonable default for RTT adjustments
+ */
+#define DNS_ADB_RTTADJDEFAULT		7	/* default scale */
+#define DNS_ADB_RTTADJREPLACE		0	/* replace with our rtt */
+
+void
+dns_adb_adjustsrtt(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+		   unsigned int rtt, unsigned int factor);
+/*
+ * Mix the round trip time into the existing smoothed rtt.  The formula used
+ * (where srtt is the existing rtt value, and rtt and factor are arguments to
+ * this function):
+ *
+ *	new_srtt = (old_srtt / 10 * factor) + (rtt / 10 * (10 - factor));
+ *
+ * XXXRTH  Do we want to publish the formula?  What if we want to change how
+ *         this works later on?  Recommend/require that the units are
+ *	   microseconds?
+ *
+ * Requires:
+ *
+ *	adb be valid.
+ *
+ *	addr be valid.
+ *
+ *	0 <= factor <= 10
+ *
+ * Note:
+ *
+ *	The srtt in addr will be updated to reflect the new global
+ *	srtt value.  This may include changes made by others.
+ */
+
+void
+dns_adb_changeflags(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+		    unsigned int bits, unsigned int mask);
+/*
+ * Set the flags as given by:
+ *
+ *	newflags = (oldflags & ~mask) | (bits & mask);
+ *
+ * Requires:
+ *
+ *	adb be valid.
+ *
+ *	addr be valid.
+ */
+
+isc_result_t
+dns_adb_findaddrinfo(dns_adb_t *adb, isc_sockaddr_t *sa,
+		     dns_adbaddrinfo_t **addrp);
+/*
+ * Return a dns_adbaddrinfo_t that is associated with address 'sa'.
+ *
+ * Requires:
+ *
+ *	adb is valid.
+ *
+ *	sa is valid.
+ *
+ *	addrp != NULL && *addrp == NULL
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ *	ISC_R_SHUTTINGDOWN
+ */
+
+void
+dns_adb_freeaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **addrp);
+/*
+ * Free a dns_adbaddrinfo_t allocated by dns_adb_findaddrinfo().
+ *
+ * Requires:
+ *
+ *	adb is valid.
+ *
+ *	*addrp is a valid dns_adbaddrinfo_t *.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ADB_H */
diff --git a/lib/dns/include/dns/byaddr.h b/lib/dns/include/dns/byaddr.h
new file mode 100644
index 00000000..728b7e37
--- /dev/null
+++ b/lib/dns/include/dns/byaddr.h
@@ -0,0 +1,150 @@
+/*
+ * Copyright (C) 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_BYADDR_H
+#define DNS_BYADDR_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS ByAddr
+ *
+ * The byaddr module provides reverse lookup services for IPv4 and IPv6
+ * addresses.
+ *
+ * MP:
+ *	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *	<TBS>
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ *	RFCs:	1034, 1035, 2181, <TBS>
+ *	Drafts:	<TBS>
+ */
+
+#include <isc/types.h>
+#include <isc/lang.h>
+#include <isc/event.h>
+#include <isc/netaddr.h>
+
+#include <dns/types.h>
+#include <dns/result.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * A 'dns_byaddrevent_t' is returned when a byaddr completes.
+ * The sender field will be set to the byaddr that completed.  If 'result'
+ * is ISC_R_SUCCESS, then 'names' will contain a list of names associated
+ * with the address.  The recipient of the event must not change the list
+ * and must not refer to any of the name data after the event is freed.
+ */
+typedef struct dns_byaddrevent {
+	ISC_EVENT_COMMON(struct dns_byaddrevent);
+	isc_result_t			result;
+	dns_namelist_t			names;
+} dns_byaddrevent_t;
+
+#define DNS_BYADDROPT_IPV6NIBBLE	0x0001
+
+isc_result_t
+dns_byaddr_create(isc_mem_t *mctx, isc_netaddr_t *address, dns_view_t *view,
+		  unsigned int options, isc_task_t *task,
+		  isc_taskaction_t action, void *arg, dns_byaddr_t **byaddrp);
+/*
+ * Find the domain name of 'address'.
+ *
+ * Notes:
+ *
+ *	There are two reverse lookup formats for IPv6 addresses, 'bitstring'
+ *	and 'nibble'.  The newer 'bitstring' format for the address fe80::1 is
+ *
+ *		\[xfe800000000000000000000000000001].ip6.int.
+ *
+ *	The 'nibble' format for that address is
+ *
+ *   1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.int.
+ *
+ *	The 'bitstring' format will be used unless the DNS_BYADDROPT_IPV6NIBBLE
+ *	option has been set.
+ *
+ * Requires:
+ *
+ *	'mctx' is a valid mctx.
+ *
+ *	'address' is a valid IPv4 or IPv6 address.
+ *
+ *	'view' is a valid view which has a resolver.
+ *
+ *	'task' is a valid task.
+ *
+ *	byaddrp != NULL && *byaddrp == NULL
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ *
+ *	Any resolver-related error (e.g. ISC_R_SHUTTINGDOWN) may also be
+ *	returned.
+ */
+
+void
+dns_byaddr_cancel(dns_byaddr_t *byaddr);
+/*
+ * Cancel 'byaddr'.
+ *
+ * Notes:
+ *
+ *	If 'byaddr' has not completed, post its BYADDRDONE event with a
+ *	result code of ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ *	'byaddr' is a valid byaddr.
+ */
+
+void
+dns_byaddr_destroy(dns_byaddr_t **byaddrp);
+/*
+ * Destroy 'byaddr'.
+ *
+ * Requires:
+ *
+ *	'*byaddrp' is a valid byaddr.
+ *
+ *	The caller has received the BYADDRDONE event (either because the
+ *	byaddr completed or because dns_byaddr_cancel() was called).
+ *
+ * Ensures:
+ *
+ *	*byaddrp == NULL.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_BYADDR_H */
diff --git a/lib/dns/include/dns/cache.h b/lib/dns/include/dns/cache.h
new file mode 100644
index 00000000..ba12b3d7
--- /dev/null
+++ b/lib/dns/include/dns/cache.h
@@ -0,0 +1,227 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_CACHE_H
+#define DNS_CACHE_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * cache
+ *
+ * Defines dns_cache_t, the cache object.  
+ *
+ * Notes:
+ * 	A cache object contains DNS data of a single class.
+ *	Multiple classes will be handled by creating multiple
+ *	views, each with a different class and its own cache.
+ *
+ * MP:
+ *	See notes at the individual functions.
+ *
+ * Reliability:
+ *
+ * Resources:
+ *
+ * Security:
+ *
+ * Standards:
+ */
+
+/***
+ ***	Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/mem.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+#include <dns/result.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Functions
+ ***/
+
+isc_result_t 
+dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+		 isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
+		 char *db_type, unsigned int db_argc, char **db_argv,
+		 dns_cache_t **cachep);
+/*
+ * Create a new DNS cache.  
+ *
+ * Requires:
+ *
+ *	'mctx' is a valid memory context
+ *
+ *	'taskmgr' is a valid task manager and 'timermgr' is a valid timer
+ * 	manager, or both are NULL.  If NULL, no periodic cleaning of the
+ * 	cache will take place.
+ *
+ *	'cachep' is a valid pointer, and *cachep == NULL
+ *
+ * Ensures:
+ *
+ *	'*cachep' is attached to the newly created cache
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMEMORY
+ */
+
+void
+dns_cache_attach(dns_cache_t *cache, dns_cache_t **targetp);
+/*
+ * Attach *targetp to cache.
+ *
+ * Requires:
+ *
+ *	'cache' is a valid cache.
+ *
+ *	'targetp' points to a NULL dns_cache_t *.
+ *
+ * Ensures:
+ *
+ *	*targetp is attached to cache.
+ */
+
+void
+dns_cache_detach(dns_cache_t **cachep);
+/*
+ * Detach *cachep from its cache.
+ *
+ * Requires:
+ *
+ *	'cachep' points to a valid cache.
+ *
+ * Ensures:
+ *
+ *	*cachep is NULL.
+ *
+ *	If '*cachep' is the last reference to the cache,
+ *
+ *		All resources used by the cache will be freed
+ */
+
+void
+dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp);
+/*
+ * Attach *dbp to the cache's database.
+ *
+ * Notes:
+ *
+ *	This may be used to get a reference to the database for
+ *	the purpose of cache lookups (XXX currently it is also
+ * 	the way to add data to the cache, but having a
+ * 	separate dns_cache_add() interface instead would allow 
+ * 	more control over memory usage).
+ *	The caller should call dns_db_detach() on the reference 
+ *	when it is no longer needed.
+ *
+ * Requires:
+ *
+ *	'cache' is a valid cache.
+ *
+ *	'dbp' points to a NULL dns_db *.
+ *
+ * Ensures:
+ *
+ *	*dbp is attached to the database.
+ */
+
+
+isc_result_t
+dns_cache_setfilename(dns_cache_t *cahce, char *filename);
+/*
+ * If 'filename' is non-NULL, make the cache persistent.
+ * The cache's data will be stored in the given file.
+ * If 'filename' is NULL, make the cache non-persistent.
+ * Files that are no longer used are not unlinked automatically.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMEMORY
+ *	Various file-related failures
+ */
+
+isc_result_t
+dns_cache_load(dns_cache_t *cache);
+/*
+ * If the cache has a file name, load the cache contents from the file.
+ * Previous cache contents are not discarded.
+ * If no file name has been set, do nothing and return success.
+ *
+ * MT:
+ *	Multiple simultaneous attempts to load or dump the cache 
+ * 	will be serialized with respect to one another, but
+ *	the cache may be read and updated while the dump is
+ *	in progress.  Updates performed during loading 
+ *	may or may not be preserved, and reads may return
+ * 	either the old or the newly loaded data.
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *      Various failures depending on the database implementation type
+ */
+
+isc_result_t
+dns_cache_dump(dns_cache_t *cache);
+/*
+ * If the cache has a file name, write the cache contents to disk,
+ * overwriting any preexisting file.  If no file name has been set,
+ * do nothing and return success.
+ *
+ * MT:
+ *	Multiple simultaneous attempts to load or dump the cache 
+ * 	will be serialized with respect to one another, but
+ *	the cache may be read and updated while the dump is
+ *	in progress.  Updates performed during the dump may
+ * 	or may not be reflected in the dumped file.
+ * 
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *      Various failures depending on the database implementation type
+ */
+
+isc_result_t
+dns_cache_clean(dns_cache_t *cache, isc_stdtime_t now);
+/*
+ * Force immediate cleaning of the cache, freeing all rdatasets
+ * whose TTL has expired as of 'now' and that have no pending
+ * references.
+ */
+
+void
+dns_cache_setcleaninginterval(dns_cache_t *cache, unsigned int interval);
+/*
+ * Set the periodic cache cleaning interval to 'interval' seconds.
+ */ 
+
+ISC_LANG_ENDDECLS
+
+#endif	/* DNS_CACHE_H */
+
diff --git a/lib/dns/include/dns/callbacks.h b/lib/dns/include/dns/callbacks.h
new file mode 100644
index 00000000..b20935eb
--- /dev/null
+++ b/lib/dns/include/dns/callbacks.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_CALLBACKS_H
+#define DNS_CALLBACKS_H 1
+
+/***
+ ***	Imports
+ ***/
+
+#include <stdio.h>
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+#include <dns/result.h>
+
+ISC_LANG_BEGINDECLS
+ 
+/***
+ ***	Types
+ ***/
+
+typedef struct dns_rdatacallbacks {
+	/* dns_load_master calls this when it has rdatasets to commit */
+	dns_addrdatasetfunc_t add;
+	/* dns_load_master / dns_rdata_fromtext call this to issue a error */
+	void		(*error)(struct dns_rdatacallbacks *, char *, ...);
+	/* dns_load_master / dns_rdata_fromtext call this to issue a warning */
+	void		(*warn)(struct dns_rdatacallbacks *, char *, ...);
+	/* private data handles for use by the above callback functions */
+	void		*add_private;
+	void		*error_private;
+	void		*warn_private;
+} dns_rdatacallbacks_t;
+
+/***
+ ***	Initialization
+ ***/
+
+void dns_rdatacallbacks_init(dns_rdatacallbacks_t *callbacks);
+/*
+ * Initalise 'callbacks'.
+ * 	'error' and 'warn' are set to default callbacks that print the
+ *	error message through the DNS library log context.
+ * 
+ *	All other elements are initalised to NULL.
+ *
+ * Requires:
+ *      'callbacks' is a valid dns_rdatacallbacks_t,
+ */
+
+void dns_rdatacallbacks_init_stdio(dns_rdatacallbacks_t *callbacks);
+/*
+ * Like dns_rdatacallbacks_init, but logs to stdio.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CALLBACKS_H */
diff --git a/lib/dns/include/dns/cert.h b/lib/dns/include/dns/cert.h
new file mode 100644
index 00000000..2a243b81
--- /dev/null
+++ b/lib/dns/include/dns/cert.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_CERT_H
+#define DNS_CERT_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source);
+/*
+ * Convert the text 'source' refers to into a certificate type.
+ * The text may contain either a mnemonic type name or a decimal type number.
+ *
+ * Requires:
+ *	'certp' is a valid pointer.
+ *
+ *	'source' is a valid text region.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS			on success
+ *	DNS_R_UNKNOWN			mnemonic type is unknown
+ *	DNS_R_RANGE			numeric type is out of range
+ */
+
+isc_result_t dns_cert_totext(dns_cert_t cert, isc_buffer_t *target);
+/*
+ * Put a textual representation of certificate type 'cert' into 'target'.
+ *
+ * Requires:
+ *	'cert' is a valid cert.
+ *
+ *	'target' is a valid text buffer.
+ *
+ * Ensures:
+ *	If the result is success:
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS			on success
+ *	DNS_R_NOSPACE			target buffer is too small
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CERT_H */
diff --git a/lib/dns/include/dns/compress.h b/lib/dns/include/dns/compress.h
new file mode 100644
index 00000000..7c5d92cb
--- /dev/null
+++ b/lib/dns/include/dns/compress.h
@@ -0,0 +1,323 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_COMPRESS_H
+#define DNS_COMPRESS_H 1
+
+#include <isc/mem.h>
+#include <isc/lang.h>
+
+#include <dns/types.h>
+#include <dns/rbt.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_COMPRESS_NONE		0x00	/* no compression */
+#define DNS_COMPRESS_GLOBAL14		0x01	/* "normal" compression. */
+#define DNS_COMPRESS_GLOBAL16		0x02	/* 16-bit global comp. */
+#define DNS_COMPRESS_GLOBAL		0x03	/* all global comp. */
+#define DNS_COMPRESS_LOCAL		0x04	/* local compression. */
+#define DNS_COMPRESS_ALL		0x07	/* all compression. */
+
+/*
+ * XXX  An API for manipulating these structures will be forthcoming.
+ *	Also magic numbers, _init() and _invalidate(), etc.  At that time,
+ *	direct manipulation of the structures will be strongly discouraged.
+ */
+
+struct dns_compress {
+	unsigned int	magic;			/* Magic number. */
+	unsigned int	allowed;		/* Allowed methods. */
+	unsigned int	rdata;			/* Start of local rdata. */
+	isc_boolean_t	global16;		/* 16 bit offsets allowed. */
+	int		edns;			/* Edns version or -1. */
+	dns_rbt_t	*local;			/* Local RBT. */
+	dns_rbt_t	*global;		/* Global RBT. */
+	isc_mem_t	*mctx;			/* Memeory context. */
+};
+
+struct dns_decompress {
+	unsigned int	magic;			/* Magic number. */
+	unsigned int	allowed;		/* Allowed methods. */
+	unsigned int	rdata;			/* Start of local rdata. */
+	int		edns;			/* Edns version or -1. */
+	isc_boolean_t	strict;			/* Strict checking */
+	dns_name_t	owner_name;		/* For local compression. */
+};
+
+isc_result_t dns_compress_init(dns_compress_t *cctx, int edns,
+			       isc_mem_t *mctx);
+/*
+ *	Inialise the compression context structure pointed to by 'cctx'.
+ *
+ *	Requires:
+ *		'cctx' is a valid dns_compress_t structure.
+ *		'mctx' is a initalised memory context.
+ *	Ensures:
+ *		cctx->global is initalised.
+ *
+ *	Returns:
+ *		DNS_R_SUCCESS
+ *		failures from dns_rbt_create()
+ */
+
+isc_result_t
+dns_compress_localinit(dns_compress_t *cctx, dns_name_t *owner,
+		       isc_buffer_t *target);
+
+/*
+ *	Initalise 'cctx->local'. 
+ *	All compression pointers pointing to logical labels in owner.
+ *	Record start of rdata 'target->used'.
+ *
+ *	Ensures:
+ *		'cctx->local' is valid.
+ *
+ *	Requires:
+ *		'cctx' initaliased
+ *		'cctx->local' be NULL
+ *		'owner' is a absolute name
+ *		'target' is a valid buffer
+ *
+ *	Returns:
+ *		DNS_R_SUCCESS
+ *		failures from dns_rbt_create()
+ */
+
+void
+dns_compress_invalidate(dns_compress_t *cctx);
+
+/*
+ *	Invalidate the compression structure pointed to by cctx.
+ *	Destroys 'cctx->glocal' and 'cctx->local' RBT.
+ *
+ *	Requires:
+ *		'cctx' to be initalised.
+ */
+
+void
+dns_compress_localinvalidate(dns_compress_t *cctx);
+
+/*
+ *	Destroys 'cctx->local'.
+ *
+ *	Requires:
+ *		'cctx' to be initalised.
+ */
+
+void
+dns_compress_setmethods(dns_compress_t *cctx, unsigned int allowed);
+
+/*
+ *	Sets allowed compression methods.
+ *
+ *	Requires:
+ *		'cctx' to be initalised.
+ */
+
+unsigned int
+dns_compress_getmethods(dns_compress_t *cctx);
+
+/*
+ *	Gets allowed compression methods.
+ *
+ *	Requires:
+ *		'cctx' to be initalised.
+ *
+ *	Returns:
+ *		allowed compression bitmap.
+ */
+
+int
+dns_compress_getedns(dns_compress_t *cctx);
+
+/*
+ *	Gets edns value.
+ *
+ *	Requires:
+ *		'cctx' to be initalised.
+ *
+ *	Returns:
+ *		-1 .. 255
+ */
+
+isc_boolean_t
+dns_compress_findglobal(dns_compress_t *cctx, dns_name_t *name,
+			dns_name_t *prefix, dns_name_t *suffix,
+			isc_uint16_t *offset, isc_buffer_t *workspace);
+/*
+ *	Finds longest possible match of 'name' in the global compression
+ *	RBT.  Workspace needs to be large enough to hold 'name' when split
+ *	in two (length->name + 3).
+ *
+ *	Requires:
+ *		'cctx' to be initalised.
+ *		'name' to be a absolute name.
+ *		'prefix' to be initalised.
+ *		'suffix' to be initalised.
+ *		'offset' to point it a isc_uint16_t.
+ *		'workspace' to be initalised.
+ *
+ *	Ensures:
+ *		'prefix', 'suffix' and 'offset' are valid if ISC_TRUE is
+ *		returned.
+ *
+ *	Returns:
+ *		ISC_TRUE / ISC_FALSE
+ */
+
+isc_boolean_t
+dns_compress_findlocal(dns_compress_t *cctx, dns_name_t *name,
+		       dns_name_t *prefix, dns_name_t *suffix,
+		       isc_uint16_t *offset, isc_buffer_t *workspace);
+
+/*
+ *	Finds longest possible match of 'name' in the local compression
+ *	RBT.  Workspace needs to be large enough to hold 'name' when split
+ *	in two (length->name + 3).
+ *
+ *	Requires:
+ *		'cctx' to be initalised.
+ *		'name' to be a absolute name.
+ *		'prefix' to be initalised.
+ *		'suffix' to be initalised.
+ *		'offset' to point to a isc_uint16_t.
+ *		'workspace' to be initalised.
+ *
+ *	Ensures:
+ *		'prefix', 'suffix' and 'offset' are valid is ISC_TRUE is
+ *		returned.
+ *
+ *	Returns:
+ *		ISC_TRUE / ISC_FALSE
+ */
+
+void
+dns_compress_add(dns_compress_t *cctx, dns_name_t *prefix,
+		 dns_name_t *suffix, isc_uint16_t offset,
+		 isc_boolean_t local);
+/*
+ *	Add compression pointers for labels in prefix to RBT's.
+ *	If 'prefix' is absolute 'suffix' must be NULL otherwise
+ *	suffix must be absolute.
+ *	'local' indicates that the domain name at offset contains
+ *	a local compression pointer.
+ *
+ *	Requires:
+ *		'cctx' initalised
+ *		'prefix' to be initalised
+ *		'suffix' to be initalised or NULL
+ */
+
+void
+dns_compress_rollback(dns_compress_t *cctx, isc_uint16_t offset);
+
+/*
+ *	Remove any compression pointers from global RBT >= offset.
+ *
+ *	Requires:
+ *		'cctx' is initalised.
+ */
+
+void
+dns_decompress_init(dns_decompress_t *dctx, int edns, isc_boolean_t strict);
+
+/*
+ *	Initalises 'dctx'.
+ *	Records 'edns' and 'strict' into the structure.
+ *
+ *	Requires:
+ *		'dctx' to be a valid pointer.
+ */
+
+void
+dns_decompress_localinit(dns_decompress_t *dctx, dns_name_t *name,
+		         isc_buffer_t *source);
+
+/*
+ *	Initalises 'dctx->name' from name.
+ *	Records 'source->current' as the start of the rdata section.
+ *
+ *	Requires:
+ *		'dctx' to be initalised
+ *		'name' to be absolute
+ *		'source' to be a BINARY buffer.
+ */
+
+void
+dns_decompress_invalidate(dns_decompress_t *dctx);
+
+/*
+ *	Invalidates 'dctx'.
+ *
+ *	Requires:
+ *		'dctx' to be initalised
+ */
+
+void
+dns_decompress_localinvalidate(dns_decompress_t *dctx);
+
+/*
+ *	Invalidates 'dctx->name'.
+ *
+ *	Requires:
+ *		'dctx' to be initalised
+ */
+		    
+void
+dns_decompress_setmethods(dns_decompress_t *dctx, unsigned int allowed);
+
+/*
+ *	Sets 'dctx->allowed' to 'allowed'.
+ *
+ *	Requires:
+ *		'dctx' to be initalised
+ */
+
+unsigned int
+dns_decompress_getmethods(dns_decompress_t *dctx);
+
+/*
+ *	Returns 'dctx->allowed'
+ *
+ *	Requires:
+ *		'dctx' to be initalised
+ */
+
+int
+dns_decompress_edns(dns_decompress_t *dctx);
+
+/*
+ *	Returns 'dctx->edns'
+ *
+ *	Requires:
+ *		'dctx' to be initalised
+ */
+
+isc_boolean_t
+dns_decompress_strict(dns_decompress_t *dctx);
+
+/*
+ *	Returns 'dctx->strict'
+ *
+ *	Requires:
+ *		'dctx' to be initalised
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_COMPRESS_H */
diff --git a/lib/dns/include/dns/confacl.h b/lib/dns/include/dns/confacl.h
new file mode 100644
index 00000000..387c056e
--- /dev/null
+++ b/lib/dns/include/dns/confacl.h
@@ -0,0 +1,309 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_CONFIG_CONFACL_H
+#define DNS_CONFIG_CONFACL_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * ADT for ACLs as used by the config file module. An ACL is a name and a
+ * list of ipmatch lists or references to other acls. ACLS are created in
+ * ACL tables, and ACLs that reference other ACLs must be created in the
+ * same table.
+ */
+
+
+/*
+ * MP:
+ *	Caller must do necessary locking.
+ *      
+ * Reliability:
+ *
+ *	No known problems.
+ *
+ * Resources:
+ *
+ *	Uses memory managers supplied by caller.
+ *
+ * Security:
+ *
+ *	N/A.
+ *
+ * Standards:
+ *
+ *	N/A.
+ *      
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+
+#include <isc/list.h>
+#include <isc/mem.h>
+
+#include <dns/confip.h>
+
+
+#define DNS_C_CONFACL_MAGIC	0x4361636cU
+#define DNS_C_CONFACLTABLE_MAGIC 0x32616354U
+
+#define DNS_C_CONFACL_VALID(confacl) \
+	ISC_MAGIC_VALID(confacl, DNS_C_CONFACL_MAGIC)
+#define DNS_C_CONFACLTABLE_VALID(confacltable) \
+	ISC_MAGIC_VALID(confacltable, DNS_C_CONFACLTABLE_MAGIC)
+
+
+/***
+ *** Types
+ ***/
+
+typedef struct dns_c_acl		dns_c_acl_t;
+typedef struct dns_c_acl_table		dns_c_acltable_t;
+
+
+struct dns_c_acl 
+{
+	isc_uint32_t		magic;
+
+	dns_c_acltable_t       *mytable;
+	
+	char		       *name;
+	dns_c_ipmatchlist_t    *ipml;
+	isc_boolean_t		is_special;
+
+	ISC_LINK(dns_c_acl_t)	next;
+};
+
+
+struct dns_c_acl_table 
+{
+	isc_uint32_t		magic;
+	
+	isc_mem_t	       *mem;
+	
+	ISC_LIST(dns_c_acl_t)	acl_list;
+};
+
+
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t	dns_c_acltable_new(isc_mem_t *mem,
+				   dns_c_acltable_t **newtable);
+
+/*
+ * Creates a new ACL table. Returns pointer to the new table through
+ * NEWTABLE paramater. The memory is allocated from the MEM memory pool.
+ *
+ * Requires:
+ *	mem is a valid memory pool
+ *	newtable is a valid non-NULL pointer.
+ *	mem remain a valuid memory pool until the table is destroyed.
+ * 	
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well.
+ *	ISC_R_NOMEMORY		-- not enough memory.
+ * 
+ */
+
+
+isc_result_t	dns_c_acltable_delete(dns_c_acltable_t **table);
+
+/*
+ * Destroys the table pointed to by *TABLE and all the ACLs in it. The
+ * value of *TABLE can be NULL.
+ *
+ * Requires:
+ *	table is a valid pointer.
+ *	The memory pool used at creation time still be valid.
+ * 
+ * Returns:
+ *	ISC_R_SUCCESS
+ * 
+ */
+
+
+isc_result_t	dns_c_acltable_getacl(dns_c_acltable_t *table,
+				      const char *aclname,
+				      dns_c_acl_t **retval);
+
+/*
+ * Looks up an ACL by name in the given table. The result is returned
+ * through the parameter RETVAL. The returned ACL must not be modified.
+ *
+ * Requires:
+ *	TABLE be a value ACL table.
+ * 	
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well
+ *	ISC_R_NOTFOUND		-- acl was not found
+ * 
+ */
+
+isc_result_t	dns_c_acltable_removeacl(dns_c_acltable_t *table,
+					 const char *aclname);
+
+/*
+ * Removes an acl from a table. The acl is looked up by name.
+ *
+ * Requires:
+ *	table be a valid pointer to an acl table
+ *	aclname be a valid pointer to string of positive length.
+ * 
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well
+ *	ISC_R_NOTFOUND		-- acl was not in the table.
+ * 
+ */
+
+void		dns_c_acltable_print(FILE *fp, int indent,
+				     dns_c_acltable_t *table);
+/*
+ * Prints the ACL table and the ACLs in it to the give stdio stream.
+ * indent is the indentation level (number of tabs) printed before
+ * each line of the table
+ *
+ * Requires:
+ *	fp be a valid stdio stream
+ *	indent be a non-negative number
+ *	table be a valid acl table.
+ * 	
+*/
+
+
+isc_result_t	dns_c_acltable_clear(dns_c_acltable_t *table);
+
+/*
+ * Deletes all the acls from the table.
+ *
+ * Requires:
+ *	table must point to a valid ACL table.
+ * 
+ * Returns:
+ *	ISC_R_SUCCESS
+ * 
+ */
+
+
+
+isc_result_t	dns_c_acl_new(dns_c_acltable_t *table,
+			      const char *aclname,
+			      isc_boolean_t isspecial,
+			      dns_c_acl_t **newacl);
+/*
+ * Creates a new ACL. The acl is placed in the given table. If isspecial is 
+ * true then the acl is not printed by dns_c_acl_print. The new acl is
+ * returned via the newacl parameter
+ *
+ * Requires:
+ *	table be a pointer to a valid acl table.
+ *	aclname be a pointer to a valid string of positive length
+ *	newacl be a valid non-NULL pointer.
+ * 
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well
+ *	ISC_R_NOMEMORY		-- out of memory
+ * 
+ */
+
+
+void		dns_c_acl_print(FILE *fp, int indent,
+				dns_c_acl_t *acl);
+/*
+ * Prints out the acl to the stdio stream. The outupt is indented by INDENT 
+ * tabs.
+ *
+ * Requires:
+ *	fp be a pointer to a valid stdio stream
+ *	indent be non-negative,
+ *	acl be a pointer to a valid acl.
+ * 
+ */
+
+
+isc_result_t	dns_c_acl_setipml(dns_c_acl_t *acl,
+				  dns_c_ipmatchlist_t *ipml,
+				  isc_boolean_t deepcopy);
+
+/*
+ * Sets the ipmatch list of the ACL to the IPML. If DEEPCOPY is true, then
+ * a full copy of IPML is made using the MEM memory pool. In which case the 
+ * caller still is the owner the memory IPML points to. If DEEPCOPY is 
+ * false, then the acl takes ownership of the memory IPML points to. If the 
+ * acl already has an ipmatch list, then it is deleted before the new one
+ * is added.
+ *
+ * Requires:
+ *	mem be a pointer to a valid memory manager
+ *	ipml be a valid dns_c_ipmatchlist_t
+ * 
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well
+ *	ISC_R_NOMEMORY		-- memory could not be allocated for the
+ *				   deepcopy  .
+ * 
+ */
+
+
+isc_result_t	dns_c_acl_getipmlexpanded(isc_mem_t *mem, dns_c_acl_t *acl,
+					  dns_c_ipmatchlist_t **retval);
+
+/*
+ * Retuns a copy through the RETVAL parameter (the caller is responsible
+ * for deleting the returned value) of the given ACLs ipmatch list. Any
+ * references in the acl list are recursivly expanded so that the end
+ * result has no references in it. Memory allocation for the copy is done
+ * via the memory pool pointed to by the MEM paramater.
+ *
+ * Requires:
+ *	mem be a pointer to a valid memory manager
+ *	acl be a pointer to a valid acl.
+ *	retval be a valid non-NULL pointer.
+ * 
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well
+ *	ISC_R_NOMEMORY		-- not enough memory to make copy.
+ *	ISC_R_FAILURE		-- an acl reference couldn't be expanded.
+ * 
+ */
+
+
+
+isc_result_t dns_c_acl_expandacls(dns_c_acltable_t *table,
+				  dns_c_ipmatchlist_t *list);
+
+/*
+ * Goes through all the entires (direct and indirect) of LIST and
+ * expands all references to ACLs using the definitions in TABLE
+ *
+ * Requires:
+ *	table be a pointer to a valid dns_c_acltable_t
+ *	list be a pointer to a valid (but possibly empty dns_c_ipmatchlist_t
+ *
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well
+ *	ISC_R_FAILURE		-- some acl(s) couldn't be resolved.
+ */
+#endif /* DNS_CONFIG_CONFACL_H */
diff --git a/lib/dns/include/dns/confcache.h b/lib/dns/include/dns/confcache.h
new file mode 100644
index 00000000..5bbee4b9
--- /dev/null
+++ b/lib/dns/include/dns/confcache.h
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_CONFIG_CONFCACHE_H
+#define DNS_CONFIG_CONFCACHE_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * A container for the cache configuration data pulled from a
+ * named.conf-style config file.
+ */
+
+/*
+ *
+ * MP:
+ *	Client must do necessary locking.
+ *      
+ * Reliability:
+ *
+ *	No problems.
+ *
+ * Resources:
+ *
+ *	Use memory managers supplied by client.
+ *
+ * Security:
+ *
+ *	N/A
+ *      
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+
+#include <isc/types.h>
+
+
+/***
+ *** Types
+ ***/
+
+typedef struct dns_c_cache		dns_c_cache_t;
+
+struct dns_c_cache
+{
+	isc_mem_t	       *mem;
+
+	/* XXX need this fleshed out */
+};
+
+
+
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t dns_c_cache_new(isc_mem_t *mem, dns_c_cache_t **cfgres);
+/*
+ * Creates a new cache-config object.
+ *
+ * Requires:
+ *	mem be a pointer to a valid memory manager.
+ *	newres be a valid non-NULL pointer.
+ * 
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well
+ *	ISC_R_NOMEMORY		-- out of memory
+ * 
+ */
+
+isc_result_t dns_c_cache_delete(dns_c_cache_t **cfgres);
+/*
+ * Deletes the config-cache object and its contents.
+ *
+ * Requires:
+ *	cfgres be a valid non-NULL pointer. The pointer it points to
+ *	can be NULL or must be a valid dns_c_cache_t object.
+ * 
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well
+ * 
+ */
+
+
+#endif /* DNS_CONFIG_CONFCACHE_H */
diff --git a/lib/dns/include/dns/confcommon.h b/lib/dns/include/dns/confcommon.h
new file mode 100644
index 00000000..36d569ba
--- /dev/null
+++ b/lib/dns/include/dns/confcommon.h
@@ -0,0 +1,311 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_CONFIG_CONFCOMMON_H
+#define DNS_CONFIG_CONFCOMMON_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Various declarations of types and functions that are used by multiple
+ * headers in the config file module (put here to avoid circular include
+ * dependencies).
+ *
+ * Also some memory debugging aids that should eventually get moved to
+ * isc/mem.h or removed.
+ */
+
+/*
+ * MP:
+ *
+ *	N/A
+ *
+ * Reliability:
+ *
+ * 	No problems known.
+ *
+ * Resources:
+ *
+ *	N/A
+ *
+ * Security:
+ *
+ *	N/A
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+
+#include <sys/types.h>
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
+#include <limits.h>
+
+#include <isc/int.h>
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/net.h>
+#include <isc/sockaddr.h>
+
+#include <dns/types.h>
+
+/* Constants used in the defintions of default logging channels and
+   categories */
+#define DNS_C_DEFAULT_SYSLOG "default_syslog"
+#define DNS_C_DEFAULT_DEBUG "default_debug"
+#define DNS_C_DEFAULT_DEBUG_PATH "named.run"
+#define DNS_C_NULL "null"
+#define DNS_C_DEFAULT_STDERR  "default_stderr"
+#define DNS_C_STDERR_PATH " <stderr> "	/* not really a path */
+
+
+
+/* The value we use in config files if the user doesn't specify the port or 
+ *   in some statements
+ */
+#define DNS_C_DEFAULTPORT	53	/* XXX this should be imported */
+
+
+/* What an 'unlimited' value for a size_spec is stored as internally */
+#define DNS_C_SIZE_SPEC_UNLIM (~((isc_uint32_t) 0x0))
+
+/* What a 'default' value for a size_spec is stored as internally */
+#define DNS_C_SIZE_SPEC_DEFAULT (DNS_C_SIZE_SPEC_UNLIM - 1)
+
+/* What 'unlimited' is stored as internally for logging file versions */
+#define DNS_C_UNLIM_VERSIONS DNS_C_SIZE_SPEC_UNLIM
+
+/* The default ordering given to rrset-order statements when the type given 
+   is illegal (so parsing can continue). */
+#define DNS_DEFAULT_ORDERING dns_c_ordering_fixed
+
+
+
+/***
+ *** Types
+ ***/
+
+/* Value of a 'forward' statement */
+typedef enum {
+	dns_c_forw_only,
+	dns_c_forw_first,
+	dns_c_forw_noanswer,
+	dns_c_forw_nodomain
+} dns_c_forw_t;
+
+/* value of a 'check-names' method  */
+#if 0
+typedef enum {
+	dns_c_severity_ignore,
+	dns_c_severity_warn,
+	dns_c_severity_fail
+} dns_c_severity_t;
+#endif
+
+/* Value of a 'check-names' type. */
+typedef enum {
+	dns_trans_primary,
+	dns_trans_secondary,
+	dns_trans_response
+} dns_c_trans_t ;
+#define DNS_C_TRANSCOUNT 3	  /* number of items in dns_c_trans_t enum */
+
+
+/* The tag values for the different types of control channels */
+typedef enum {
+	dns_c_inet_control,
+	dns_c_unix_control
+} dns_c_control_t;
+
+
+/* The possible rrset-order ordering values. */
+typedef enum {
+	dns_c_ordering_fixed,
+	dns_c_ordering_random,
+	dns_c_ordering_cyclic
+} dns_c_ordering_t;
+
+
+
+#if 0
+typedef enum {
+	dns_one_answer, dns_many_answers
+} dns_c_transferformat_t;
+#endif
+
+/* Possible zone types */
+typedef enum {
+	dns_c_zone_master,
+	dns_c_zone_slave,
+	dns_c_zone_hint,
+	dns_c_zone_stub,
+	dns_c_zone_forward
+} dns_c_zonetype_t;
+
+
+/* Possible address-match-element types */ 
+typedef enum {
+	dns_c_ipmatch_pattern,
+	dns_c_ipmatch_indirect,
+	dns_c_ipmatch_localhost,
+	dns_c_ipmatch_localnets,
+	dns_c_ipmatch_key,
+	dns_c_ipmatch_acl,
+	dns_c_ipmatch_none
+} dns_c_ipmatch_type_t;
+
+
+/* Tag values for the different types of log channel */
+typedef enum {
+	dns_c_logchan_file,
+	dns_c_logchan_syslog,
+	dns_c_logchan_null
+} dns_c_logchantype_t;
+
+
+/* Possible logging severity values */
+typedef enum {
+	dns_c_log_critical,
+	dns_c_log_error,
+	dns_c_log_warn,
+	dns_c_log_notice,
+	dns_c_log_info,
+	dns_c_log_debug,
+	dns_c_log_dynamic,
+	dns_c_log_no_severity
+} dns_c_logseverity_t;
+
+
+/* Possible logging categories. */
+typedef enum {
+	dns_c_cat_default,
+	dns_c_cat_config,
+	dns_c_cat_parser,
+	dns_c_cat_queries,  
+	dns_c_cat_lameservers,
+	dns_c_cat_statistics,
+	dns_c_cat_panic, 
+	dns_c_cat_update,
+	dns_c_cat_ncache,
+	dns_c_cat_xferin,
+	dns_c_cat_xferout,  
+	dns_c_cat_db,
+	dns_c_cat_eventlib,
+	dns_c_cat_packet,
+	dns_c_cat_notify, 
+	dns_c_cat_cname,
+	dns_c_cat_security,
+	dns_c_cat_os,
+	dns_c_cat_insist, 
+	dns_c_cat_maint,
+	dns_c_cat_load,
+	dns_c_cat_respchecks,
+	dns_c_cat_control, 
+	dns_c_cat_none
+} dns_c_category_t;
+
+
+/* Type of the bit sets used in various structures. Macros in confpvt.h
+ * depending on this being an integer type, and some structures need more
+ * than 32 bits.
+ */
+typedef isc_int64_t	dns_c_setbits_t;
+
+typedef isc_sockaddr_t dns_c_addr_t;
+
+
+typedef struct dns_c_view		dns_c_view_t;
+typedef struct dns_c_zone_list		dns_c_zonelist_t;
+
+
+/*
+ * Set this variable to a true value to get output by the wrapper
+ * functions (if the memory debugging hack is compiled in--it isn't by
+ * default
+ */ 
+
+extern isc_boolean_t debug_mem_print;
+extern FILE *debug_mem_print_stream;	/* NULL means stderr */
+
+
+/***
+ *** Functions
+ ***/
+
+/* The following dns_c_xxx2string() functions convert the first argument into 
+ * a string value and returns that value. If the first argument is not a
+ * legal value, then NULL is returned, unless PRINTABLE is true, in which 
+ * case an ugly, but safe-to-pass-to-printf string is returned.
+ *
+ * e.g. dns_c_ordering2string(dns_c_ordering_cyclic,ISC_FALSE) returns the 
+ * string "cyclic", but
+ * dns_c_ordering2string((dns_c_ordering_t)0xffff,ISC_TRUE) returns the
+ * value "UNKNOWN_ORDERING"
+ */
+const char *		dns_c_ordering2string(dns_c_ordering_t ordering,
+					      isc_boolean_t printable);
+const char *		dns_c_logseverity2string(dns_c_logseverity_t level,
+					      isc_boolean_t printable);
+const char *		dns_c_category2string(dns_c_category_t cat,
+					      isc_boolean_t printable);
+const char *		dns_c_facility2string(int facility,
+					      isc_boolean_t printable);
+const char *		dns_c_transformat2string(dns_transfer_format_t tform,
+						isc_boolean_t printable);
+const char *		dns_c_transport2string(dns_c_trans_t transport,
+					       isc_boolean_t printable);
+const char *		dns_c_nameseverity2string(dns_severity_t severity,
+						  isc_boolean_t printable);
+const char *		dns_c_forward2string(dns_c_forw_t forw,
+					     isc_boolean_t printable);
+
+/*
+ * The following dns_c_string2xxx() functions will look up the string
+ * argument in a table of values and will return the appropriate enum/integer 
+ * through the second argument and ISC_R_SUCCESS is returned. If the string
+ * doesn't match a valid value then ISC_R_FAILURE is returned.
+ */
+isc_result_t		dns_c_string2ordering(char *name,
+					      dns_c_ordering_t *ordering);
+isc_result_t		dns_c_string2logseverity(const char *string,
+					      dns_c_logseverity_t *result);
+isc_result_t		dns_c_string2category(const char *string,
+					      dns_c_category_t *category);
+isc_result_t		dns_c_string2facility(const char *string, int *res);
+
+
+
+int			dns_c_isanyaddr(isc_sockaddr_t *inaddr);
+void 			dns_c_print_ipaddr(FILE *fp, isc_sockaddr_t *addr);
+isc_boolean_t		dns_c_need_quote(const char *string);
+
+void			dns_c_printtabs(FILE *fp, int count); 
+void			dns_c_printinunits(FILE *fp, isc_uint32_t val);
+
+void			dns_c_dataclass_tostream(FILE *fp,
+						 dns_rdataclass_t rclass);
+void			dns_c_datatype_tostream(FILE *fp,
+						dns_rdatatype_t rtype);
+
+#endif /* DNS_CONFIG_CONFCOMMON_H */
diff --git a/lib/dns/include/dns/confctl.h b/lib/dns/include/dns/confctl.h
new file mode 100644
index 00000000..d2a741f6
--- /dev/null
+++ b/lib/dns/include/dns/confctl.h
@@ -0,0 +1,223 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_CONFIG_CONFCTL_H
+#define DNS_CONFIG_CONFCTL_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * ADTs for the data defined by a named.conf ``control'' statement.
+ */
+
+/*
+ * 
+ * MP:
+ *
+ *	Caller must do necessary locking.
+ *
+ * Reliability:
+ *
+ *	No known problems.
+ *
+ * Resources:
+ *
+ *	Uses memory managers supplied by caller.
+ *
+ * Security:
+ *
+ *	N/A.
+ *
+ * Standards:
+ *
+ *	N/A.
+ *      
+ */
+
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+
+#include <sys/types.h>
+
+#include <isc/mem.h>
+#include <isc/net.h>
+
+#include <dns/confip.h>
+
+
+#define DNS_C_CONFCTL_MAGIC	0x4363746cU
+#define DNS_C_CONFCTLLIST_MAGIC	0x4354424cU
+
+#define DNS_C_CONFCTLLIST_VALID(ptr) \
+		ISC_MAGIC_VALID(ptr, DNS_C_CONFCTLLIST_MAGIC)
+#define DNS_C_CONFCTL_VALID(ptr) \
+		ISC_MAGIC_VALID(ptr, DNS_C_CONFCTL_MAGIC)
+
+
+
+/***
+ *** Types
+ ***/
+
+typedef struct dns_c_ctrl		dns_c_ctrl_t;
+typedef struct dns_c_ctrl_list		dns_c_ctrllist_t;
+
+struct dns_c_ctrl
+{
+	isc_uint32_t	magic;
+	isc_mem_t	*mem;		/* where it's memory came from */
+
+	dns_c_control_t control_type;
+	union {
+		struct {
+			isc_sockaddr_t addr;
+			in_port_t port;
+			dns_c_ipmatchlist_t *matchlist;
+		} inet_v; /* when control_type == dns_c_inet_control  */
+		struct {
+			char *pathname;
+			int perm;
+			uid_t owner;
+			gid_t group;
+		} unix_v; /* when control_type == dns_c_unix_control  */
+	} u;
+	
+	ISC_LINK(dns_c_ctrl_t) next;
+};
+
+
+struct dns_c_ctrl_list
+{
+	isc_uint32_t		magic;
+	isc_mem_t	       *mem;
+
+	ISC_LIST(dns_c_ctrl_t)	elements;
+};
+
+
+
+/***
+ *** Functions
+ ***/
+
+
+isc_result_t	dns_c_ctrlinet_new(isc_mem_t *mem, dns_c_ctrl_t **control,
+				   isc_sockaddr_t addr, in_port_t port,
+				   dns_c_ipmatchlist_t *iml,
+				   isc_boolean_t copy);
+/*
+ * Creates a new INET control object. If COPY is true then a deep copy is
+ * made of IML, otherwise the value of IML is stored directly in the new
+ * object.
+ *
+ * Requires:
+ *	mem be a valid memoery manager
+ *	control be a valid non-NULL pointer.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well
+ *	ISC_R_NOMEMORY		-- insufficient memory available
+ */
+
+
+isc_result_t	dns_c_ctrlunix_new(isc_mem_t *mem, dns_c_ctrl_t **control,
+				   const char *path,
+				   int perm, uid_t uid, gid_t gid);
+/*
+ * Creates a new UNIX control object. A copy is made of the PATH argument.
+ *
+ * Requires:
+ *	mem be a valid memoery manager
+ *	control be a valid non-NULL pointer.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well
+ *	ISC_R_NOMEMORY		-- insufficient memory available
+ *	
+ */
+
+
+isc_result_t	dns_c_ctrl_delete(dns_c_ctrl_t **control);
+/*
+ * Deletes the object pointed to by *CONTROL. *CONTROL may be NULL.
+ *
+ * Requires:
+ *	control be a valid non-NULL pointer.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ */
+
+
+void		dns_c_ctrl_print(FILE *fp, int indent, dns_c_ctrl_t *ctl);
+/*
+ * Prints the control object ctl in standard named.conf format. The output
+ * is indented by indent number of tabs.
+ *
+ * Requires:
+ *	fp be a pointer to a valid stdio stream.
+ *	indent be a non-negative number.
+ *
+ */
+
+
+isc_result_t	dns_c_ctrllist_new(isc_mem_t *mem, dns_c_ctrllist_t **newlist);
+/*
+ * Creates a new control object list using the MEM memory manager.
+ *
+ * Requires:
+ * 	mem be a pointer to a valid memory manager,
+ *	newlist be a valid non-NULL pointer.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well.
+ *	ISC_R_NOMEMORY		-- insufficient memory available.
+ */
+
+
+isc_result_t	dns_c_ctrllist_delete(dns_c_ctrllist_t **list);
+/*
+ * Deletes the control list. The value of *list may be NULL. Sets *list to
+ * NULL when done.
+ *
+ * Requires:
+ *	list be a valid non-NULL pointer.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *
+ */
+
+void		dns_c_ctrllist_print(FILE *fp, int indent,
+				     dns_c_ctrllist_t *cl);
+/*
+ * Prints the control objects inside the list. The output is indented with
+ * indent number of tabs.
+ *
+ * Requires:
+ *	fp be a pointer to a valid stdio stream.
+ *
+ */
+
+
+#endif /* DNS_CONFIG_CONFCTL_H */
diff --git a/lib/dns/include/dns/confctx.h b/lib/dns/include/dns/confctx.h
new file mode 100644
index 00000000..04bd2b74
--- /dev/null
+++ b/lib/dns/include/dns/confctx.h
@@ -0,0 +1,551 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_CONFIG_CONFCTX_H
+#define DNS_CONFIG_CONFCTX_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Defines the structures and accessor/modifier functions for the top level 
+ * structures created by the config file parsing routines.
+ */
+
+/*
+ *
+ * MP:
+ *	
+ *
+ * Reliability:
+ *	
+ *
+ * Resources:
+ *	
+ *
+ * Security:
+ *	
+ *
+ * Standards:
+ *	
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/int.h>
+#include <isc/list.h>
+
+#include <dns/confcommon.h>
+#include <dns/confip.h>
+#include <dns/confzone.h>
+#include <dns/confkeys.h>
+#include <dns/conflog.h>
+#include <dns/confacl.h>
+#include <dns/conflsn.h>
+#include <dns/confrrset.h>
+#include <dns/confctl.h>
+#include <dns/confserv.h>
+#include <dns/confview.h>
+#include <dns/confcache.h>
+#include <dns/confresolv.h>
+
+#define DNS_C_CONFIG_MAGIC		0x434f4e46U /* CONF */
+#define DNS_C_OPTION_MAGIC		0x4f707473U /* Opts */
+
+#define DNS_C_CONFCTX_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_CONFIG_MAGIC)
+#define DNS_C_CONFOPT_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_OPTION_MAGIC)
+
+
+
+/***
+ *** Types
+ ***/
+
+typedef struct dns_c_options		dns_c_options_t;
+typedef struct dns_c_ctx		dns_c_ctx_t;
+
+
+/*
+ * The main baby. A pointer to one of these is what the caller gets back
+ * when the parsing routine is called.
+ */
+struct dns_c_ctx
+{
+	isc_uint32_t		magic;
+	isc_mem_t	       *mem;
+
+	int			warnings; /* semantic warning count */
+	int			errors;	/* semantic error count */
+	
+	dns_c_options_t	       *options;
+	dns_c_cache_t	       *cache;
+	dns_c_resolv_t	       *resolver;
+	dns_c_ctrllist_t       *controls;
+	dns_c_srvlist_t	       *servers;
+	dns_c_acltable_t       *acls;
+	dns_c_kdeflist_t       *keydefs;
+	dns_c_zonelist_t       *zlist;
+	dns_c_tkeylist_t       *trusted_keys;
+	dns_c_logginglist_t    *logging;
+	dns_c_viewtable_t      *views;
+
+	dns_c_zone_t	       *currzone;
+	dns_c_view_t	       *currview;
+};
+
+
+
+
+/*
+ * This structure holds all the values defined by a config file 'options'
+ * statement
+ */
+struct dns_c_options 
+{
+	isc_mem_t	       *mem;
+	isc_uint32_t		magic;
+	
+	char		       *directory;
+	char		       *version;
+	char		       *dump_filename;
+	char		       *pid_filename;
+	char		       *stats_filename;
+	char		       *memstats_filename;
+	char		       *named_xfer;
+	char 		       *tkeydomain;
+
+	char 		       *tkeydhkeycp;
+	isc_int32_t		tkeydhkeyi;
+	
+	isc_uint32_t		flags;
+	isc_uint32_t		max_ncache_ttl;
+
+	isc_int32_t		transfers_in;
+	isc_int32_t		transfers_per_ns;
+	isc_int32_t		transfers_out;
+	isc_int32_t		max_log_size_ixfr;
+	isc_int32_t		clean_interval;
+	isc_int32_t		interface_interval;
+	isc_int32_t		stats_interval;
+	isc_int32_t		heartbeat_interval;
+
+	isc_int32_t		max_transfer_time_in;
+	isc_int32_t		max_transfer_time_out;
+	isc_int32_t		max_transfer_idle_in;
+	isc_int32_t		max_transfer_idle_out;
+	isc_int32_t		lamettl; /* XXX not implemented yet */
+	isc_int32_t		tcp_clients;
+	isc_int32_t		recursive_clients;
+	
+	isc_uint32_t		data_size;
+	isc_uint32_t		stack_size;
+	isc_uint32_t		core_size;
+	isc_uint32_t		files;
+
+	isc_boolean_t		expert_mode;
+	isc_boolean_t		fake_iquery;
+	isc_boolean_t		recursion;
+	isc_boolean_t		fetch_glue;
+	isc_boolean_t		notify;
+	isc_boolean_t		host_statistics;
+	isc_boolean_t		dealloc_on_exit;
+	isc_boolean_t		use_ixfr;
+	isc_boolean_t		maintain_ixfr_base;
+	isc_boolean_t		has_old_clients;
+	isc_boolean_t		auth_nx_domain;
+	isc_boolean_t		multiple_cnames;
+	isc_boolean_t		use_id_pool;
+	isc_boolean_t		dialup;
+	isc_boolean_t		rfc2308_type1;
+	
+	isc_sockaddr_t		transfer_source;
+	isc_sockaddr_t		query_source_addr;
+	in_port_t		query_source_port;
+
+	dns_c_iplist_t	       *also_notify;
+
+	dns_severity_t 		check_names[DNS_C_TRANSCOUNT];
+
+	dns_transfer_format_t	transfer_format;
+
+	dns_c_ipmatchlist_t   *queryacl;
+	dns_c_ipmatchlist_t   *transferacl;
+	dns_c_ipmatchlist_t   *recursionacl;
+	dns_c_ipmatchlist_t   *blackhole;
+	dns_c_ipmatchlist_t   *topology;
+	dns_c_ipmatchlist_t   *sortlist;
+
+	dns_c_lstnlist_t      *listens;
+
+	dns_c_forw_t		forward;
+	dns_c_iplist_t   *forwarders;
+
+	dns_c_rrsolist_t      *ordering;
+
+	/*
+	 * For the non-pointer fields of the struct a bit will be set in
+	 * this field if a field value was explicitly set.
+	 */
+	dns_c_setbits_t		setflags1;
+};
+
+
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t	dns_c_checkconfig(dns_c_ctx_t *ctx);
+
+
+
+
+isc_result_t	dns_c_ctx_new(isc_mem_t *mem, dns_c_ctx_t **cfg);
+isc_result_t	dns_c_ctx_delete(dns_c_ctx_t **cfg);
+
+void		dns_c_ctx_print(FILE *fp, int indent, dns_c_ctx_t *cfg);
+void		dns_c_ctx_optionsprint(FILE *fp, int indent,
+				       dns_c_options_t *options);
+void		dns_c_ctx_forwarderprint(FILE *fp, int indent,
+					 dns_c_options_t *options);
+
+isc_result_t    dns_c_ctx_getcontrols(dns_c_ctx_t *cfg,
+                                      dns_c_ctrllist_t **ctrls);
+isc_result_t	dns_c_ctx_setcontrols(dns_c_ctx_t *cfg,
+				      dns_c_ctrllist_t *ctrls);
+isc_result_t	dns_c_ctx_getoptions(dns_c_ctx_t *cfg,
+				     dns_c_options_t **options);
+
+isc_result_t	dns_c_ctx_setlogging(dns_c_ctx_t *cfg,
+				     dns_c_logginglist_t *newval,
+				     isc_boolean_t deepcopy);
+isc_result_t	dns_c_ctx_getlogging(dns_c_ctx_t *cfg,
+				     dns_c_logginglist_t **retval);
+
+isc_result_t	dns_c_ctx_getkdeflist(dns_c_ctx_t *cfg,
+                                      dns_c_kdeflist_t **retval);
+isc_result_t	dns_c_ctx_setkdeflist(dns_c_ctx_t *cfg,
+                                      dns_c_kdeflist_t *newval,
+                                      isc_boolean_t deepcopy);
+
+
+isc_result_t	dns_c_ctx_addfile_channel(dns_c_ctx_t *cfg, const char *name,
+					  dns_c_logchan_t **chan);
+isc_result_t	dns_c_ctx_addsyslogchannel(dns_c_ctx_t *cfg,
+					   const char *name,
+					   dns_c_logchan_t **chan);
+isc_result_t	dns_c_ctx_addnullchannel(dns_c_ctx_t *cfg, const char *name,
+					 dns_c_logchan_t **chan);
+isc_result_t	dns_c_ctx_addcategory(dns_c_ctx_t *cfg,
+				      dns_c_category_t category,
+				      dns_c_logcat_t **newcat);
+isc_result_t	dns_c_ctx_currchannel(dns_c_ctx_t *cfg,
+				      dns_c_logchan_t **channel);
+isc_result_t	dns_c_ctx_currcategory(dns_c_ctx_t *cfg,
+				       dns_c_logcat_t **category);
+isc_boolean_t	dns_c_ctx_keydefinedp(dns_c_ctx_t *ctx, const char *keyname);
+
+
+
+isc_boolean_t	dns_c_ctx_channeldefinedp(dns_c_ctx_t *cfg,
+					  const char *name);
+isc_result_t	dns_c_ctx_optionsnew(isc_mem_t *mem,
+				     dns_c_options_t **options);
+isc_result_t	dns_c_ctx_optionsdelete(dns_c_options_t **options);
+
+
+
+/* The modifier functions below all return ISC_R_SUCCESS when the value is
+ * successfully set. If the value had already been set, then the value
+ * ISC_R_EXISTS is returned (the value is still set).
+ *
+ * In a few functions there is a boolean parameter named 'copy'. If that is
+ * true, then a deep copy is made of the parameter and the parameter itself
+ * is not touched. If the value is false, then the parameter is stored
+ * directly in the dns_c_ctx_t structure, and the client looses ownership
+ * of it. ISC_R_NOMEMORY is a possible return value for many of these
+ * functions.
+ *
+ */
+isc_result_t	dns_c_ctx_setcurrzone(dns_c_ctx_t *cfg, dns_c_zone_t *zone);
+isc_result_t	dns_c_ctx_setcurrview(dns_c_ctx_t *cfg, dns_c_view_t *view);
+isc_result_t	dns_c_ctx_setdirectory(dns_c_ctx_t *cfg, const char *newval);
+isc_result_t	dns_c_ctx_setversion(dns_c_ctx_t *cfg, const char *newval);
+isc_result_t	dns_c_ctx_setdumpfilename(dns_c_ctx_t *cfg,
+					  const char *newval);
+isc_result_t	dns_c_ctx_setpidfilename(dns_c_ctx_t *cfg,
+					 const char *newval);
+isc_result_t	dns_c_ctx_setstatsfilename(dns_c_ctx_t *cfg,
+					   const char *newval);
+isc_result_t	dns_c_ctx_setmemstatsfilename(dns_c_ctx_t *cfg,
+					      const char *newval);
+isc_result_t	dns_c_ctx_setnamedxfer(dns_c_ctx_t *cfg, const char *newval);
+isc_result_t	dns_c_ctx_settkeydomain(dns_c_ctx_t *cfg, const char *newval);
+isc_result_t	dns_c_ctx_settkeydhkey(dns_c_ctx_t *cfg,
+				       const char *newcpval,
+				       isc_int32_t newival);
+isc_result_t	dns_c_ctx_setmaxncachettl(dns_c_ctx_t *cfg,
+					  isc_uint32_t newval);
+isc_result_t	dns_c_ctx_settransfersin(dns_c_ctx_t *cfg,
+					 isc_int32_t newval);
+isc_result_t	dns_c_ctx_settransfersperns(dns_c_ctx_t *cfg,
+					    isc_int32_t newval);
+isc_result_t	dns_c_ctx_settransfersout(dns_c_ctx_t *cfg,
+					  isc_int32_t newval);
+isc_result_t	dns_c_ctx_setmaxlogsizeixfr(dns_c_ctx_t *cfg,
+					    isc_int32_t newval);
+isc_result_t	dns_c_ctx_setcleaninterval(dns_c_ctx_t *cfg,
+					   isc_int32_t newval);
+isc_result_t	dns_c_ctx_setinterfaceinterval(dns_c_ctx_t *cfg,
+					       isc_int32_t newval);
+isc_result_t	dns_c_ctx_setstatsinterval(dns_c_ctx_t *cfg,
+					   isc_int32_t newval);
+isc_result_t	dns_c_ctx_setheartbeat_interval(dns_c_ctx_t *cfg,
+						isc_int32_t newval);
+isc_result_t	dns_c_ctx_setmaxtransfertimein(dns_c_ctx_t *cfg,
+					       isc_int32_t newval);
+isc_result_t	dns_c_ctx_setmaxtransfertimeout(dns_c_ctx_t *cfg,
+					       isc_int32_t newval);
+isc_result_t	dns_c_ctx_setmaxtransferidlein(dns_c_ctx_t *cfg,
+					       isc_int32_t newval);
+isc_result_t	dns_c_ctx_setmaxtransferidleout(dns_c_ctx_t *cfg,
+					       isc_int32_t newval);
+isc_result_t	dns_c_ctx_settcpclients(dns_c_ctx_t *cfg, isc_int32_t newval);
+isc_result_t	dns_c_ctx_setrecursiveclients(dns_c_ctx_t *cfg,
+					      isc_int32_t newval);
+
+isc_result_t	dns_c_ctx_setdatasize(dns_c_ctx_t *cfg, isc_uint32_t newval);
+isc_result_t	dns_c_ctx_setstacksize(dns_c_ctx_t *cfg,
+				       isc_uint32_t newval);
+isc_result_t	dns_c_ctx_setcoresize(dns_c_ctx_t *cfg, isc_uint32_t newval);
+isc_result_t	dns_c_ctx_setfiles(dns_c_ctx_t *cfg, isc_uint32_t newval);
+
+isc_result_t	dns_c_ctx_setexpertmode(dns_c_ctx_t *cfg,
+					isc_boolean_t newval);
+isc_result_t	dns_c_ctx_setfakeiquery(dns_c_ctx_t *cfg,
+					isc_boolean_t newval);
+isc_result_t	dns_c_ctx_setrecursion(dns_c_ctx_t *cfg,
+				       isc_boolean_t newval);
+isc_result_t	dns_c_ctx_setfetchglue(dns_c_ctx_t *cfg,
+				       isc_boolean_t newval);
+isc_result_t	dns_c_ctx_setnotify(dns_c_ctx_t *cfg, isc_boolean_t newval);
+isc_result_t	dns_c_ctx_sethoststatistics(dns_c_ctx_t *cfg,
+					    isc_boolean_t newval);
+isc_result_t	dns_c_ctx_setdealloconexit(dns_c_ctx_t *cfg,
+					   isc_boolean_t newval);
+isc_result_t	dns_c_ctx_setuseixfr(dns_c_ctx_t *cfg, isc_boolean_t newval);
+isc_result_t	dns_c_ctx_setmaintainixfrbase(dns_c_ctx_t *cfg,
+					      isc_boolean_t newval);
+isc_result_t	dns_c_ctx_sethasoldclients(dns_c_ctx_t *cfg,
+					   isc_boolean_t newval);
+isc_result_t	dns_c_ctx_setauthnxdomain(dns_c_ctx_t *cfg,
+					  isc_boolean_t newval);
+isc_result_t	dns_c_ctx_setmultiplecnames(dns_c_ctx_t *cfg,
+					    isc_boolean_t newval);
+isc_result_t	dns_c_ctx_setuseidpool(dns_c_ctx_t *cfg,
+				       isc_boolean_t newval);
+isc_result_t	dns_c_ctx_setrfc2308type1(dns_c_ctx_t *cfg,
+					  isc_boolean_t newval);
+isc_result_t	dns_c_ctx_setdialup(dns_c_ctx_t *cfg, isc_boolean_t newval);
+isc_result_t	dns_c_ctx_setalsonotify(dns_c_ctx_t *ctx,
+					dns_c_iplist_t *newval,
+					isc_boolean_t deepcopy);
+isc_result_t	dns_c_ctx_settransfersource(dns_c_ctx_t *ctx,
+					    isc_sockaddr_t newval);
+
+isc_result_t	dns_c_ctx_setquerysourceaddr(dns_c_ctx_t *cfg,
+					     isc_sockaddr_t addr);
+isc_result_t	dns_c_ctx_setquerysourceport(dns_c_ctx_t *cfg, in_port_t port);
+isc_result_t	dns_c_ctx_setchecknames(dns_c_ctx_t *cfg,
+					dns_c_trans_t transtype,
+					dns_severity_t sever);
+isc_result_t	dns_c_ctx_settransferformat(dns_c_ctx_t *cfg,
+					    dns_transfer_format_t newval);
+isc_result_t	dns_c_ctx_setqueryacl(dns_c_ctx_t *cfg, isc_boolean_t copy,
+				      dns_c_ipmatchlist_t *iml);
+isc_result_t	dns_c_ctx_settransferacl(dns_c_ctx_t *cfg, isc_boolean_t copy,
+					 dns_c_ipmatchlist_t *iml);
+isc_result_t	dns_c_ctx_setrecursionacl(dns_c_ctx_t *cfg, isc_boolean_t copy,
+					  dns_c_ipmatchlist_t *iml);
+isc_result_t	dns_c_ctx_setblackhole(dns_c_ctx_t *cfg, isc_boolean_t copy,
+				       dns_c_ipmatchlist_t *iml);
+isc_result_t	dns_c_ctx_settopology(dns_c_ctx_t *cfg, isc_boolean_t copy,
+				      dns_c_ipmatchlist_t *iml);
+isc_result_t	dns_c_ctx_setsortlist(dns_c_ctx_t *cfg, isc_boolean_t copy,
+				      dns_c_ipmatchlist_t *iml);
+isc_result_t	dns_c_ctx_setforward(dns_c_ctx_t *cfg, dns_c_forw_t forw);
+isc_result_t	dns_c_ctx_setforwarders(dns_c_ctx_t *cfg, isc_boolean_t copy,
+					dns_c_iplist_t *iml);
+isc_result_t	dns_c_ctx_setrrsetorderlist(dns_c_ctx_t *cfg,
+					    isc_boolean_t copy,
+					    dns_c_rrsolist_t *olist);
+
+isc_result_t	dns_c_ctx_addlisten_on(dns_c_ctx_t *cfg, int port,
+				       dns_c_ipmatchlist_t *ml,
+				       isc_boolean_t copy);
+isc_result_t	dns_c_ctx_settrustedkeys(dns_c_ctx_t *cfg,
+					 dns_c_tkeylist_t *list,
+					 isc_boolean_t copy);
+
+
+
+
+
+
+
+
+/*
+ * Accessor functions for the various fields in the config structure. The
+ * value of the field is copied into the location pointed to by the RETVAL
+ * paramater and ISC_R_SUCCESS is returned. The caller must not modify the
+ * returned value, and should copy the value if it needs to hold on to it.
+ *
+ * If the value has not been set in the config structure, then
+ * ISC_R_NOTFOUND is returned and the location pointed to by the RETVAL
+ * paramater is not modified (i.e. the library assumes no particular
+ * defaults for any unset values).
+ */
+
+
+dns_c_zone_t   *dns_c_ctx_getcurrzone(dns_c_ctx_t *cfg);
+dns_c_view_t   *dns_c_ctx_getcurrview(dns_c_ctx_t *cfg);
+isc_result_t	dns_c_ctx_getdirectory(dns_c_ctx_t *cfg, char **retval);
+isc_result_t	dns_c_ctx_getversion(dns_c_ctx_t *cfg, char **retval);
+isc_result_t	dns_c_ctx_getdumpfilename(dns_c_ctx_t *cfg, char **retval);
+isc_result_t	dns_c_ctx_getpidfilename(dns_c_ctx_t *cfg, char **retval);
+isc_result_t	dns_c_ctx_getstatsfilename(dns_c_ctx_t *cfg, char **retval);
+isc_result_t	dns_c_ctx_getmemstatsfilename(dns_c_ctx_t *cfg,
+					      char **retval);
+isc_result_t	dns_c_ctx_getnamedxfer(dns_c_ctx_t *cfg, char **retval);
+isc_result_t	dns_c_ctx_gettkeydomain(dns_c_ctx_t *cfg, char **retval);
+isc_result_t	dns_c_ctx_gettkeydhkey(dns_c_ctx_t *cfg,
+				       char **retcpval, isc_int32_t *retival);
+isc_result_t	dns_c_ctx_getmaxncachettl(dns_c_ctx_t *cfg,
+					  isc_uint32_t *retval);
+isc_result_t	dns_c_ctx_gettransfersin(dns_c_ctx_t *cfg,
+					 isc_int32_t *retval);
+isc_result_t	dns_c_ctx_gettransfersperns(dns_c_ctx_t *cfg,
+					    isc_int32_t *retval);
+isc_result_t	dns_c_ctx_gettransfersout(dns_c_ctx_t *cfg,
+					  isc_int32_t *retval);
+isc_result_t	dns_c_ctx_getmaxlogsizeixfr(dns_c_ctx_t *cfg,
+					    isc_int32_t *retval);
+isc_result_t	dns_c_ctx_getcleaninterval(dns_c_ctx_t *cfg,
+					   isc_int32_t *retval);
+isc_result_t	dns_c_ctx_getinterfaceinterval(dns_c_ctx_t *cfg,
+					       isc_int32_t *retval);
+isc_result_t	dns_c_ctx_getstatsinterval(dns_c_ctx_t *cfg,
+					   isc_int32_t *retval);
+isc_result_t	dns_c_ctx_getheartbeatinterval(dns_c_ctx_t *cfg,
+					       isc_int32_t *retval);
+isc_result_t	dns_c_ctx_getmaxtransfertimein(dns_c_ctx_t *cfg,
+					       isc_int32_t *retval);
+isc_result_t	dns_c_ctx_getmaxtransfertimeout(dns_c_ctx_t *cfg,
+					       isc_int32_t *retval);
+isc_result_t	dns_c_ctx_getmaxtransferidlein(dns_c_ctx_t *cfg,
+					       isc_int32_t *retval);
+isc_result_t	dns_c_ctx_getmaxtransferidleout(dns_c_ctx_t *cfg,
+					       isc_int32_t *retval);
+isc_result_t	dns_c_ctx_gettcpclients(dns_c_ctx_t *cfg,
+					isc_int32_t *retval);
+isc_result_t	dns_c_ctx_getrecursiveclients(dns_c_ctx_t *cfg,
+					      isc_int32_t *retval);
+
+isc_result_t	dns_c_ctx_getdatasize(dns_c_ctx_t *cfg,
+				      isc_uint32_t *retval);
+isc_result_t	dns_c_ctx_getstacksize(dns_c_ctx_t *cfg,
+				       isc_uint32_t *retval);
+isc_result_t	dns_c_ctx_getcoresize(dns_c_ctx_t *cfg,
+				      isc_uint32_t *retval);
+isc_result_t	dns_c_ctx_getfiles(dns_c_ctx_t *cfg, isc_uint32_t *retval);
+isc_result_t	dns_c_ctx_getexpertmode(dns_c_ctx_t *cfg,
+					isc_boolean_t *retval);
+isc_result_t	dns_c_ctx_getfakeiquery(dns_c_ctx_t *cfg,
+					isc_boolean_t *retval);
+isc_result_t	dns_c_ctx_getrecursion(dns_c_ctx_t *cfg,
+				       isc_boolean_t *retval);
+isc_result_t	dns_c_ctx_getfetchglue(dns_c_ctx_t *cfg,
+				       isc_boolean_t *retval);
+isc_result_t	dns_c_ctx_getnotify(dns_c_ctx_t *cfg, isc_boolean_t *retval);
+isc_result_t	dns_c_ctx_gethoststatistics(dns_c_ctx_t *cfg,
+					    isc_boolean_t *retval);
+isc_result_t	dns_c_ctx_getdealloconexit(dns_c_ctx_t *cfg,
+					   isc_boolean_t *retval);
+isc_result_t	dns_c_ctx_getuseixfr(dns_c_ctx_t *cfg,
+				     isc_boolean_t *retval);
+isc_result_t	dns_c_ctx_getmaintainixfrbase(dns_c_ctx_t *cfg,
+					      isc_boolean_t *retval);
+isc_result_t	dns_c_ctx_gethasoldclients(dns_c_ctx_t *cfg,
+					   isc_boolean_t *retval);
+isc_result_t	dns_c_ctx_getauthnxdomain(dns_c_ctx_t *cfg,
+					    isc_boolean_t *retval);
+isc_result_t	dns_c_ctx_getmultiplecnames(dns_c_ctx_t *cfg,
+					    isc_boolean_t *retval);
+isc_result_t	dns_c_ctx_getuseidpool(dns_c_ctx_t *cfg,
+				       isc_boolean_t *retval);
+isc_result_t	dns_c_ctx_getrfc2308type1(dns_c_ctx_t *cfg,
+					  isc_boolean_t *retval);
+isc_result_t	dns_c_ctx_getdialup(dns_c_ctx_t *cfg, isc_boolean_t *retval);
+isc_result_t	dns_c_ctx_getalsonotify(dns_c_ctx_t *ctx,
+					dns_c_iplist_t **ret);
+isc_result_t	dns_c_ctx_gettransfersource(dns_c_ctx_t *ctx,
+					    isc_sockaddr_t *retval);
+
+isc_result_t	dns_c_ctx_getquerysourceaddr(dns_c_ctx_t *cfg,
+					     isc_sockaddr_t *addr);
+isc_result_t	dns_c_ctx_getquerysourceport(dns_c_ctx_t *cfg,
+					     in_port_t *port);
+isc_result_t	dns_c_ctx_getchecknames(dns_c_ctx_t *cfg,
+					dns_c_trans_t transtype,
+					dns_severity_t *sever);
+isc_result_t	dns_c_ctx_gettransferformat(dns_c_ctx_t *cfg,
+					    dns_transfer_format_t *retval);
+isc_result_t	dns_c_ctx_getqueryacl(dns_c_ctx_t *cfg,
+				      dns_c_ipmatchlist_t **list);
+isc_result_t	dns_c_ctx_gettransferacl(dns_c_ctx_t *cfg,
+					 dns_c_ipmatchlist_t **list);
+isc_result_t	dns_c_ctx_getrecursionacl(dns_c_ctx_t *cfg,
+					  dns_c_ipmatchlist_t **list);
+isc_result_t	dns_c_ctx_getblackhole(dns_c_ctx_t *cfg,
+				       dns_c_ipmatchlist_t **list);
+isc_result_t	dns_c_ctx_gettopology(dns_c_ctx_t *cfg,
+				      dns_c_ipmatchlist_t **list);
+isc_result_t	dns_c_ctx_getsortlist(dns_c_ctx_t *cfg,
+				      dns_c_ipmatchlist_t **list);
+isc_result_t	dns_c_ctx_getlistenlist(dns_c_ctx_t *cfg,
+					dns_c_lstnlist_t **ll);
+isc_result_t	dns_c_ctx_getforward(dns_c_ctx_t *cfg, dns_c_forw_t *forw);
+isc_result_t	dns_c_ctx_getforwarders(dns_c_ctx_t *cfg,
+					dns_c_iplist_t **list);
+isc_result_t	dns_c_ctx_getrrsetorderlist(dns_c_ctx_t *cfg,
+					    dns_c_rrsolist_t **olist);
+isc_result_t	dns_c_ctx_gettrustedkeys(dns_c_ctx_t *cfg,
+					 dns_c_tkeylist_t **retval);
+isc_result_t	dns_c_ctx_getlogging(dns_c_ctx_t *cfg,
+				     dns_c_logginglist_t **retval);
+
+
+
+
+
+#endif /* DNS_CONFIG_CONFCTX_H */
diff --git a/lib/dns/include/dns/confip.h b/lib/dns/include/dns/confip.h
new file mode 100644
index 00000000..b83eb4b8
--- /dev/null
+++ b/lib/dns/include/dns/confip.h
@@ -0,0 +1,237 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_CONFIG_CONFIP_H
+#define DNS_CONFIG_CONFIP_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Data structures used by the config file parser for managing address
+ * lists and address-match lists. These structures are reference counted,
+ * so clients can call 'attach' to increment the reference count. The
+ * normal destructors won't delete the data until the counter goes to zero.
+ */
+
+/*
+ * MP:
+ *	Caller must do necessary locking
+ *
+ * Reliability:
+ *
+ *	No problems known.
+ *
+ * Resources:
+ *
+ *	Uses memory managers supplied by caller.
+ *
+ * Security:
+ *
+ *	No issues.
+ *
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+
+#include <sys/types.h>
+
+#include <isc/region.h>
+#include <isc/list.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+
+#include <dns/confcommon.h>
+
+
+#define DNS_C_IPLIST_MAGIC 0x49706c73	/* Ipls */ /* dns_c_iplist */
+#define DNS_C_IPMDIRECT_MAGIC 0x49506d64 /* IPmd */ /* dns_c_ipmatch_direct */
+#define DNS_C_IPMINDIRECT_MAGIC 0x69506d69 /* iPmi */ /* dns_c_ipmatch_indirect */
+#define DNS_C_IPMELEM_MAGIC 0x49704d65	/* IpMe */ /* dns_c_ipmatch_element */
+#define DNS_C_IPMLIST_MAGIC 0x69706d6c	/* ipml */ /* dns_c_ipmatchlist */
+
+#define DNS_C_IPLIST_VALID(ptr)	ISC_MAGIC_VALID(ptr,DNS_C_IPLIST_MAGIC)
+#define DNS_C_IPDIRECT_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_IPMDIRECT_MAGIC)
+#define DNS_C_IPINDIRECT_VALID(ptr) \
+	ISC_MAGIC_VALID(ptr, DNS_C_IPMINDIRECT_MAGIC)
+#define DNS_C_IPMELEM_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_IPMELEM_MAGIC)
+#define DNS_C_IPMLIST_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_IPMLIST_MAGIC)
+
+
+
+
+/***
+ *** Types
+ ***/
+
+
+typedef struct dns_c_iplist		dns_c_iplist_t;
+typedef struct dns_c_ipmatch_direct	dns_c_ipmatch_direct_t ;
+typedef struct dns_c_ipmatch_indirect	dns_c_ipmatch_indirect_t;
+typedef struct dns_c_ipmatch_key	dns_c_ipmatch_key_t;
+typedef struct dns_c_ipmatch_element	dns_c_ipmatchelement_t;
+typedef struct dns_c_ipmatch_list	dns_c_ipmatchlist_t;
+
+
+/* A list of IP addresses (IPv4 or IPv6) */
+struct dns_c_iplist {
+	isc_uint32_t		magic;
+	
+	isc_mem_t	       *mem;
+	int			refcount;
+	isc_sockaddr_t	       *ips;
+	isc_uint32_t		size;
+	isc_uint32_t		nextidx;
+};
+
+
+
+struct dns_c_ipmatch_direct
+{
+	isc_uint32_t	magic;
+	
+	isc_sockaddr_t	address;		/* XXX IPv6??? */
+	isc_uint32_t	mask;
+};
+
+
+
+struct dns_c_ipmatch_indirect
+{
+	isc_uint32_t	magic;
+	
+	isc_textregion_t refname;	/* for acls, mostly. */
+	dns_c_ipmatchlist_t *list;
+};
+
+
+
+struct dns_c_ipmatch_element
+{
+	isc_uint32_t	magic;
+	
+	dns_c_ipmatch_type_t type;
+	u_int flags;
+	union {
+		dns_c_ipmatch_direct_t		direct;
+		dns_c_ipmatch_indirect_t	indirect;
+		char			       *key;
+		char			       *aclname;
+	} u;
+
+	ISC_LINK(dns_c_ipmatchelement_t) next;
+};
+
+
+struct dns_c_ipmatch_list
+{
+	isc_uint32_t	magic;
+	
+	isc_mem_t *mem;
+	int refcount;
+
+	ISC_LIST(dns_c_ipmatchelement_t) elements;
+};
+
+
+/***
+ *** Functions
+ ***/
+
+/*
+ * In all the functions below where an isc_mem_t is a parameter, that
+ * paramater will be used for all memory allocation.
+ */
+
+
+isc_result_t	dns_c_ipmatchelement_new(isc_mem_t *mem,
+					 dns_c_ipmatchelement_t **result);
+isc_result_t	dns_c_ipmatchelement_delete(isc_mem_t *mem,
+					    dns_c_ipmatchelement_t **ipme);
+isc_result_t	dns_c_ipmatchelement_copy(isc_mem_t *mem,
+					  dns_c_ipmatchelement_t **dest,
+					  dns_c_ipmatchelement_t *src);
+isc_result_t	dns_c_ipmatchelement_print(FILE *fp, int indent,
+					   dns_c_ipmatchelement_t *ime);
+isc_boolean_t	dns_c_ipmatchelement_isneg(dns_c_ipmatchelement_t *elem);
+
+isc_result_t	dns_c_ipmatch_negate(dns_c_ipmatchelement_t *ipe);
+isc_result_t	dns_c_ipmatch_aclnew(isc_mem_t *mem,
+				     dns_c_ipmatchelement_t **result,
+				     const char *aclname);
+isc_result_t	dns_c_ipmatchkey_new(isc_mem_t *mem,
+				     dns_c_ipmatchelement_t **result,
+				     const char *key);
+isc_result_t	dns_c_ipmatchlocalhost_new(isc_mem_t *mem,
+					   dns_c_ipmatchelement_t **result); 
+isc_result_t	dns_c_ipmatchlocalnets_new(isc_mem_t *mem,
+					   dns_c_ipmatchelement_t **result); 
+isc_result_t	dns_c_ipmatchpattern_new(isc_mem_t *mem,
+					 dns_c_ipmatchelement_t **result,
+					 isc_sockaddr_t address,
+					 isc_uint32_t maskbits);
+isc_result_t	dns_c_ipmatchindirect_new(isc_mem_t *mem,
+					  dns_c_ipmatchelement_t **result,
+					  dns_c_ipmatchlist_t *iml,
+					  const char *name);
+
+isc_result_t	dns_c_ipmatchlist_new(isc_mem_t *mem,
+				      dns_c_ipmatchlist_t **ptr);
+isc_result_t	dns_c_ipmatchlist_detach(dns_c_ipmatchlist_t **ml);
+void		dns_c_ipmatchlist_attach(dns_c_ipmatchlist_t *source,
+					  dns_c_ipmatchlist_t **target);
+isc_result_t	dns_c_ipmatchlist_copy(isc_mem_t *mem,
+				       dns_c_ipmatchlist_t **dest,
+				       dns_c_ipmatchlist_t *src);
+isc_result_t	dns_c_ipmatchlist_empty(dns_c_ipmatchlist_t *ipml);
+isc_result_t	dns_c_ipmatchlist_append(dns_c_ipmatchlist_t *dest,
+					 dns_c_ipmatchlist_t *src,
+					 isc_boolean_t negate);
+isc_result_t	dns_c_ipmatchlist_print(FILE *fp, int indent,
+					dns_c_ipmatchlist_t *iml);
+
+
+
+isc_result_t	dns_c_iplist_new(isc_mem_t *mem, int length,
+				 dns_c_iplist_t **newlist);
+isc_result_t	dns_c_iplist_detach(dns_c_iplist_t **list);
+isc_result_t	dns_c_iplist_copy(isc_mem_t *mem, dns_c_iplist_t **dest,
+				  dns_c_iplist_t *src);
+void	        dns_c_iplist_attach(dns_c_iplist_t *source,
+				    dns_c_iplist_t **target);
+isc_result_t	dns_c_iplist_append(dns_c_iplist_t *list,
+				    isc_sockaddr_t newaddr);
+isc_result_t	dns_c_iplist_remove(dns_c_iplist_t *list,
+				    isc_sockaddr_t newaddr);
+void		dns_c_iplist_print(FILE *fp, int indent,
+				   dns_c_iplist_t *list);
+isc_boolean_t	dns_c_iplist_equal(dns_c_iplist_t *list1,
+				   dns_c_iplist_t *list2);
+
+isc_boolean_t dns_c_ipmatchelement_equal(dns_c_ipmatchelement_t *e1,
+					 dns_c_ipmatchelement_t *e2);
+
+isc_boolean_t dns_c_ipmatchlist_equal(dns_c_ipmatchlist_t *l1,
+				      dns_c_ipmatchlist_t *l2);
+
+#endif /* DNS_CONFIG_CONFIP_H */
diff --git a/lib/dns/include/dns/confkeys.h b/lib/dns/include/dns/confkeys.h
new file mode 100644
index 00000000..7a456bff
--- /dev/null
+++ b/lib/dns/include/dns/confkeys.h
@@ -0,0 +1,304 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_CONFIG_CONFKEYS_H
+#define DNS_CONFIG_CONFKEYS_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * The ADTs for the key values defined in a named.conf config file.
+ */
+
+/*
+ * 
+ * MP:
+ *
+ *	Caller must to all necessary locking.
+ *
+ * Reliability:
+ *
+ *	Not applicable.
+ *
+ * Resources:
+ *
+ *	Memory allocators supplied by caller
+ *
+ * Security:
+ *	
+ *	Not applicable.
+ *
+ * Standards:
+ *	
+ *	Not applicable.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdio.h>
+
+#include <config.h>
+
+#include <isc/types.h>
+#include <isc/list.h>
+
+
+#define DNS_C_TKEY_MAGIC		0x544b4559 /* TKEY */
+#define DNS_C_TKEYLIST_MAGIC		0x544b4c53 /* TKLS */
+#define DNS_C_PUBKEY_MAGIC		0x5055424b /* PUBK */
+#define DNS_C_PKLIST_MAGIC		0x504b4c53 /* PKLS */
+#define DNS_C_KDEF_MAGIC		0x4b444546 /* KDEF */
+#define DNS_C_KDEFLIST_MAGIC		0x4b4c5354 /* KLST */
+#define DNS_C_KEYID_MAGIC		0x4b455949 /* KEYI */
+#define DNS_C_KEYIDLIST_MAGIC		0x4b494c53 /* KILS */
+
+#define DNS_C_TKEY_VALID(ptr)	   ISC_MAGIC_VALID(ptr, DNS_C_TKEY_MAGIC)
+#define DNS_C_TKEYLIST_VALID(ptr)  ISC_MAGIC_VALID(ptr, DNS_C_TKEYLIST_MAGIC)
+#define DNS_C_PUBKEY_VALID(ptr)	   ISC_MAGIC_VALID(ptr, DNS_C_PUBKEY_MAGIC)
+#define DNS_C_PKLIST_VALID(ptr)	   ISC_MAGIC_VALID(ptr, DNS_C_PKLIST_MAGIC)
+#define DNS_C_KDEF_VALID(ptr)	   ISC_MAGIC_VALID(ptr, DNS_C_KDEF_MAGIC)
+#define DNS_C_KDEFLIST_VALID(ptr)  ISC_MAGIC_VALID(ptr, DNS_C_KDEFLIST_MAGIC)
+#define DNS_C_KEYID_VALID(ptr)	   ISC_MAGIC_VALID(ptr, DNS_C_KEYID_MAGIC)
+#define DNS_C_KEYIDLIST_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_KEYIDLIST_MAGIC)
+
+
+
+/***
+ *** Types
+ ***/
+
+
+typedef struct dns_c_pubkey		dns_c_pubkey_t;
+typedef struct dns_c_pklist		dns_c_pklist_t;
+typedef struct dns_c_tkey		dns_c_tkey_t;
+typedef struct dns_c_tkey_list		dns_c_tkeylist_t;
+typedef struct dns_c_kdef		dns_c_kdef_t;
+typedef struct dns_c_kdef_list		dns_c_kdeflist_t;
+typedef struct dns_c_kid		dns_c_kid_t;
+typedef struct dns_c_kid_list		dns_c_kidlist_t;
+
+
+/* The type for holding a trusted key value. */
+struct dns_c_tkey
+{
+	isc_uint32_t		magic;
+	isc_mem_t	       *mem;
+	
+	char		       *domain;
+	dns_c_pubkey_t	       *pubkey;
+
+	ISC_LINK(dns_c_tkey_t)	next;
+};
+
+/* A list of trusted keys. */
+struct dns_c_tkey_list
+{
+	isc_uint32_t		magic;
+	isc_mem_t	       *mem;
+
+	ISC_LIST(dns_c_tkey_t)	tkeylist;
+};
+	
+	
+/* A public key value */
+struct dns_c_pubkey
+{
+	isc_uint32_t	magic;
+	isc_mem_t      *mem;
+	isc_int32_t	flags;
+	isc_int32_t	protocol;
+	isc_int32_t	algorithm;
+	char	       *key;
+
+	ISC_LINK(dns_c_pubkey_t)	next;
+};
+
+/* A list of pubkeys */
+struct dns_c_pklist
+{
+	isc_uint32_t			magic;
+	isc_mem_t		       *mem;
+
+	ISC_LIST(dns_c_pubkey_t)	keylist;
+};
+
+
+/* A private key definition from a 'key' statement */
+struct dns_c_kdef 
+{
+	isc_uint32_t		magic;
+	dns_c_kdeflist_t      *mylist;	
+
+	char		       *keyid;
+	char		       *algorithm;
+	char		       *secret;
+
+	ISC_LINK(dns_c_kdef_t)	next;
+};
+
+
+/* A list of private keys */
+struct dns_c_kdef_list
+{
+	isc_uint32_t		magic;
+	isc_mem_t	       *mem;
+
+	ISC_LIST(dns_c_kdef_t)	keydefs;
+};
+
+
+/* A key id for in a server statement 'keys' list */
+struct dns_c_kid
+{
+	isc_uint32_t		magic;
+	dns_c_kidlist_t	      *mylist;
+	char		       *keyid;
+
+	ISC_LINK(dns_c_kid_t)	next;
+};
+
+
+/* List of key ids for a 'server' statement */
+struct dns_c_kid_list
+{
+	isc_mem_t	       *mem;
+	isc_uint32_t		magic;
+
+	ISC_LIST(dns_c_kid_t)	keyids;
+};
+
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t	dns_c_pklist_new(isc_mem_t *mem,
+                                 dns_c_pklist_t **pklist);
+isc_result_t	dns_c_pklist_delete(dns_c_pklist_t **list);
+isc_result_t	dns_c_pklist_addpubkey(dns_c_pklist_t *list,
+                                       dns_c_pubkey_t *pkey,
+                                       isc_boolean_t deepcopy);
+isc_result_t	dns_c_pklist_findpubkey(dns_c_pklist_t *list,
+					dns_c_pubkey_t **pubkey,
+					isc_int32_t flags,
+					isc_int32_t protocol,
+					isc_int32_t algorithm,
+					const char *key);
+isc_result_t	dns_c_pklist_rmpubkey(dns_c_pklist_t *list,
+				      isc_int32_t flags,
+				      isc_int32_t protocol,
+				      isc_int32_t algorithm,
+				      const char *key);
+void		dns_c_pklist_print(FILE *fp, int indent,
+				   dns_c_pklist_t *pubkey);
+
+
+
+isc_result_t	dns_c_pubkey_new(isc_mem_t *mem, isc_int32_t flags,
+				 isc_int32_t protocol,
+				 isc_int32_t algorithm,
+				 const char *key, dns_c_pubkey_t **pubkey);
+isc_result_t	dns_c_pubkey_delete(dns_c_pubkey_t **pubkey);
+isc_result_t	dns_c_pubkey_copy(isc_mem_t *mem, dns_c_pubkey_t **dest,
+				  dns_c_pubkey_t *src);
+isc_boolean_t	dns_c_pubkey_equal(dns_c_pubkey_t *k1, dns_c_pubkey_t *k2);
+void		dns_c_pubkey_print(FILE *fp, int indent,
+				   dns_c_pubkey_t *pubkey);
+
+
+isc_result_t	dns_c_kidlist_new(isc_mem_t *mem,
+				  dns_c_kidlist_t **list);
+isc_result_t	dns_c_kidlist_delete(dns_c_kidlist_t **list);
+isc_result_t	dns_c_kidlist_undef(dns_c_kidlist_t *list,
+				    const char *keyid);
+isc_result_t	dns_c_kidlist_find(dns_c_kidlist_t *list,
+				   const char *keyid,
+				   dns_c_kid_t **retval);
+void		dns_c_kidlist_print(FILE *fp, int indent,
+				    dns_c_kidlist_t *list);
+isc_result_t	dns_c_kid_new(dns_c_kidlist_t *list, const char *name,
+			      dns_c_kid_t **keyid);
+
+isc_result_t	dns_c_kdeflist_new(isc_mem_t *mem,
+				   dns_c_kdeflist_t **list);
+isc_result_t	dns_c_kdeflist_delete(dns_c_kdeflist_t **list);
+isc_result_t	dns_c_kdeflist_copy(isc_mem_t *mem,
+				    dns_c_kdeflist_t **dest,
+				    dns_c_kdeflist_t *src);
+isc_result_t	dns_c_kdeflist_append(dns_c_kdeflist_t *list,
+				      dns_c_kdef_t *key, isc_boolean_t copy);
+
+isc_result_t	dns_c_kdeflist_undef(dns_c_kdeflist_t *list,
+				     const char *keyid);
+isc_result_t	dns_c_kdeflist_find(dns_c_kdeflist_t *list,
+				    const char *keyid,
+				    dns_c_kdef_t **retval);
+void		dns_c_kdeflist_print(FILE *fp, int indent,
+				     dns_c_kdeflist_t *list);
+
+isc_result_t	dns_c_kdef_new(dns_c_kdeflist_t *list, const char *name,
+			       dns_c_kdef_t **keyid);
+isc_result_t	dns_c_kdef_delete(dns_c_kdef_t **keydef);
+isc_result_t	dns_c_kdef_copy(isc_mem_t *mem,
+				dns_c_kdef_t **dest, dns_c_kdef_t *src);
+
+void		dns_c_kdef_print(FILE *fp, int indent, dns_c_kdef_t *keydef);
+
+
+isc_result_t	dns_c_kdef_setalgorithm(dns_c_kdef_t *elem,
+					const char *algorithm);
+isc_result_t	dns_c_kdef_setsecret(dns_c_kdef_t *elem,
+				     const char *secret);
+
+isc_result_t	dns_c_tkeylist_new(isc_mem_t *mem,
+				   dns_c_tkeylist_t **newlist);
+isc_result_t	dns_c_tkeylist_delete(dns_c_tkeylist_t **list);
+isc_result_t	dns_c_tkeylist_copy(isc_mem_t *mem,
+				    dns_c_tkeylist_t **dest,
+				    dns_c_tkeylist_t *src);
+void		dns_c_tkeylist_print(FILE *fp, int indent,
+				     dns_c_tkeylist_t *list);
+isc_result_t	dns_c_tkeylist_append(dns_c_tkeylist_t *list,
+				      dns_c_tkey_t *element,
+				      isc_boolean_t copy);
+
+isc_result_t	dns_c_tkey_new(isc_mem_t *mem, const char *domain,
+			       isc_int32_t flags,
+			       isc_int32_t protocol,
+			       isc_int32_t algorithm,
+			       const char *key, dns_c_tkey_t **newkey);
+isc_result_t	dns_c_tkey_delete(dns_c_tkey_t **tkey);
+isc_result_t	dns_c_tkey_copy(isc_mem_t *mem,
+				dns_c_tkey_t **dest, dns_c_tkey_t *src);
+
+isc_result_t	dns_c_tkey_getflags(dns_c_tkey_t *tkey,
+				    isc_int32_t *flags);
+isc_result_t	dns_c_tkey_getprotocol(dns_c_tkey_t *tkey,
+				       isc_int32_t *protocol);
+isc_result_t	dns_c_tkey_getalgorithm(dns_c_tkey_t *tkey,
+					isc_int32_t *algorithm);
+isc_result_t	dns_c_tkey_getkey(dns_c_tkey_t *tkey,
+				  const char **key);
+void		dns_c_tkey_print(FILE *fp, int indent, dns_c_tkey_t *tkey);
+
+
+
+#endif /* DNS_CONFIG_CONFKEYS_H */
diff --git a/lib/dns/include/dns/conflog.h b/lib/dns/include/dns/conflog.h
new file mode 100644
index 00000000..b1910d83
--- /dev/null
+++ b/lib/dns/include/dns/conflog.h
@@ -0,0 +1,263 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_CONFIG_CONFLOG_H
+#define DNS_CONFIG_CONFLOG_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Various ADTs for holding the values defined inside a config
+ * file's "logging" statement.
+ */
+
+/*
+ * MP:
+ *
+ *	Caller must do appropriate locking
+ *	
+ * Reliability:
+ *
+ *	No impact.
+ *
+ * Resources:
+ *
+ *	Caller supplies memory allocators
+ *	
+ * Security:
+ *
+ *	No impact.
+ *
+ * Standards:
+ *
+ *	N/A
+ *	
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+
+#include <isc/mem.h>
+
+#include <dns/confcommon.h>
+
+#define DNS_C_LOGCHAN_MAGIC		0x4c434841 /* LCHA */
+#define DNS_C_LOGCAT_MAGIC		0x4c434154 /* LCAT */
+#define DNS_C_LOGLIST_MAGIC		0x4c4c5354 /* LLST */
+
+
+#define DNS_C_LOGCHAN_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_LOGCHAN_MAGIC)
+#define DNS_C_LOGCAT_VALID(ptr)	ISC_MAGIC_VALID(ptr, DNS_C_LOGCAT_MAGIC)
+#define DNS_C_LOGLIST_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_LOGLIST_MAGIC)
+
+
+/***
+ *** Types
+ ***/
+
+typedef struct dns_c_logchan		dns_c_logchan_t;
+typedef struct dns_c_logcat		dns_c_logcat_t;
+typedef struct dns_c_logging_list	dns_c_logginglist_t;
+
+/* The structure that holds the list of channel and category definitions */
+struct dns_c_logging_list
+{
+	isc_uint32_t			magic;
+	isc_mem_t		       *mem;
+	
+	ISC_LIST(dns_c_logchan_t)	channels;
+	ISC_LIST(dns_c_logcat_t)	categories;
+};
+
+
+/* Definition of a logging channel */
+struct dns_c_logchan
+{
+	isc_uint32_t			magic;
+	isc_mem_t		       *mem;
+
+	char			       *name;
+
+	dns_c_logchantype_t		ctype; 
+	union {
+		struct
+		{			/* when ctype == dns_c_logchan_file */
+			char		*path;
+			isc_uint32_t	versions;
+			isc_uint32_t	size;
+		} filec;
+		struct			/* when ctype == dns_c_logchan_syslog*/
+		{
+			int		facility;
+		} syslogc;
+	} u;
+
+	dns_c_logseverity_t		severity;
+	isc_int32_t			debug_level;
+
+	isc_boolean_t			print_category;
+	isc_boolean_t			print_severity;
+	isc_boolean_t			print_time;
+
+	/* Some channels are predefined e.g. default_syslog, in which case
+	 * this is true
+	 */
+	isc_boolean_t			predefined; 
+	
+	ISC_LINK(dns_c_logchan_t)	next;
+	dns_c_setbits_t			setflags;
+};
+
+
+/* Structure for holding a category definition */
+struct dns_c_logcat
+{
+	isc_uint32_t			magic;
+	isc_mem_t		       *mem;
+
+	dns_c_category_t		category;
+
+	char			      **channel_names;
+	size_t				cnames_len; /* size, in elements of 
+						     channel_names */
+	size_t				nextcname; /* index in
+						      channel_names of next 
+						      free spot. */
+	
+	isc_boolean_t			predefined;
+
+	ISC_LINK(dns_c_logcat_t)	next;
+};
+
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t	dns_c_logginglist_new(isc_mem_t *mem,
+				      dns_c_logginglist_t **list);
+isc_result_t	dns_c_logginglist_delete(dns_c_logginglist_t **list);
+void		dns_c_logginglist_print(FILE *fp, int indent,
+					dns_c_logginglist_t *ll,
+					isc_boolean_t if_predef_too);
+isc_result_t	dns_c_logginglist_copy(isc_mem_t *mem,
+				       dns_c_logginglist_t **dest,
+				       dns_c_logginglist_t *src);
+
+isc_result_t	dns_c_logginglist_addchannel(dns_c_logginglist_t *list,
+					     dns_c_logchan_t *newchan,
+					     isc_boolean_t deepcopy);
+isc_result_t	dns_c_logginglist_addcategory(dns_c_logginglist_t *list,
+					      dns_c_logcat_t *newcat,
+					      isc_boolean_t deepcopy);
+isc_result_t	dns_c_logginglist_delchannel(dns_c_logginglist_t *list,
+					     const char *name);
+isc_result_t	dns_c_logginglist_delcategory(dns_c_logginglist_t *list,
+					      const char *name);
+
+isc_result_t	dns_c_logginglist_chanbyname(dns_c_logginglist_t *list,
+					     const char *name,
+					     dns_c_logchan_t **chan);
+isc_result_t	dns_c_logginglist_catbyname(dns_c_logginglist_t *list,
+					    const char *name,
+					    dns_c_logcat_t **cat);
+isc_result_t	dns_c_logginglist_catbytype(dns_c_logginglist_t *list,
+					    dns_c_category_t cattype,
+					    dns_c_logcat_t **cat);
+
+
+isc_result_t	dns_c_logchan_new(isc_mem_t *mem, const char *name,
+				  dns_c_logchantype_t ctype,
+				  dns_c_logchan_t **newchan);
+isc_result_t	dns_c_logchan_delete(dns_c_logchan_t **channel);
+isc_result_t	dns_c_logchan_copy(isc_mem_t *mem, dns_c_logchan_t **dest,
+				   dns_c_logchan_t *src);
+void		dns_c_logchan_print(FILE *fp, int indent,
+				    dns_c_logchan_t *logchan,
+				    isc_boolean_t if_predef_too);
+
+
+isc_result_t	dns_c_logchan_setpath(dns_c_logchan_t *channel,
+				      const char *path);
+isc_result_t	dns_c_logchan_setversions(dns_c_logchan_t *channel,
+					  isc_uint32_t versions);
+isc_result_t	dns_c_logchan_setsize(dns_c_logchan_t *channel,
+				      isc_uint32_t size);
+isc_result_t	dns_c_logchan_setfacility(dns_c_logchan_t *channel,
+					  int facility);
+isc_result_t	dns_c_logchan_setseverity(dns_c_logchan_t *channel,
+					  dns_c_logseverity_t severity);
+isc_result_t	dns_c_logchan_setdebuglevel(dns_c_logchan_t *channel,
+					    isc_int32_t level);
+isc_result_t	dns_c_logchan_setprintcat(dns_c_logchan_t *channel,
+					  isc_boolean_t newval);
+isc_result_t	dns_c_logchan_setprintsev(dns_c_logchan_t *channel,
+					  isc_boolean_t newval);
+isc_result_t	dns_c_logchan_setprinttime(dns_c_logchan_t *channel,
+					   isc_boolean_t newval);
+isc_result_t	dns_c_logchan_setpredef(dns_c_logchan_t *channel,
+					isc_boolean_t newval);
+
+isc_result_t	dns_c_logchan_getpath(dns_c_logchan_t *channel,
+				      const char **path);
+isc_result_t	dns_c_logchan_getversions(dns_c_logchan_t *channel,
+					  isc_uint32_t *versions);
+isc_result_t	dns_c_logchan_getsize(dns_c_logchan_t *channel,
+				      isc_uint32_t *size);
+isc_result_t	dns_c_logchan_getfacility(dns_c_logchan_t *channel,
+					  int *facility);
+isc_result_t	dns_c_logchan_getseverity(dns_c_logchan_t *channel,
+					  dns_c_logseverity_t *severity);
+isc_result_t	dns_c_logchan_getdebuglevel(dns_c_logchan_t *channel,
+					    isc_int32_t *level);
+isc_result_t	dns_c_logchan_getprintcat(dns_c_logchan_t *channel,
+					  isc_boolean_t *retval);
+isc_result_t	dns_c_logchan_getprintsev(dns_c_logchan_t *channel,
+					  isc_boolean_t *retval);
+isc_result_t	dns_c_logchan_getprinttime(dns_c_logchan_t *channel,
+					   isc_boolean_t *retval);
+isc_result_t	dns_c_logchan_getpredef(dns_c_logchan_t *channel,
+					isc_boolean_t *retval);
+
+
+
+/*
+ * Logging category
+ */
+isc_result_t	dns_c_logcat_new(isc_mem_t *mem, dns_c_category_t cat,
+				 dns_c_logcat_t **newlc);
+isc_result_t	dns_c_logcat_delete(dns_c_logcat_t **logcat);
+void		dns_c_logcat_print(FILE *fp, int indent,
+				   dns_c_logcat_t *logcat,
+				   isc_boolean_t if_predef_too);
+isc_result_t	dns_c_logcat_copy(isc_mem_t *mem, dns_c_logcat_t **dest,
+				  dns_c_logcat_t *src);
+isc_result_t	dns_c_logcat_addname(dns_c_logcat_t *logcat,
+				     const char *name);
+isc_result_t	dns_c_logcat_delname(dns_c_logcat_t *logcat,
+				     const char *name);
+isc_result_t	dns_c_logcat_setpredef(dns_c_logcat_t *logcat,
+				       isc_boolean_t newval);
+isc_result_t	dns_c_logcat_getpredef(dns_c_logcat_t *logcat,
+					isc_boolean_t *retval);
+
+#endif /* ISC_WHATEVER_H */
diff --git a/lib/dns/include/dns/conflsn.h b/lib/dns/include/dns/conflsn.h
new file mode 100644
index 00000000..fa5059e0
--- /dev/null
+++ b/lib/dns/include/dns/conflsn.h
@@ -0,0 +1,197 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_CONFIG_CONFLSN_H
+#define DNS_CONFIG_CONFLSN_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Data structures to hold information related to ``listen-on'' statements
+ * in the named.conf file.
+ */
+ 
+/*
+ *
+ * MP:
+ *
+ *	Caller must do necessary locking
+ *
+ * Reliability:
+ *
+ *	No issues.
+ *
+ * Resources:
+ *
+ *	Uses memory managers supplied by callers.
+ *
+ * Security:
+ *
+ *	N/A
+ *
+ * Standards:
+ *
+ *	N/A
+ *	
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/int.h>
+
+#include <dns/confip.h>
+
+#define DNS_C_LISTEN_MAGIC	0x4c49534eU /* LISN */
+#define DNS_C_LLIST_MAGIC		0x4c6c6973U /* Llis */
+
+#define DNS_C_LISTEN_VALID(l)	ISC_MAGIC_VALID(l, DNS_C_LISTEN_MAGIC)
+#define DNS_C_LISTENLIST_VALID(l) ISC_MAGIC_VALID(l, DNS_C_LLIST_MAGIC)
+
+
+
+/***
+ *** Types
+ ***/
+
+typedef struct dns_c_lstn_on		dns_c_lstnon_t;
+typedef struct dns_c_lstn_list		dns_c_lstnlist_t;
+
+
+/* Structure for holing value of a single listen-on statement. */
+struct dns_c_lstn_on
+{
+	isc_mem_t		       *mem;
+	isc_uint32_t			magic;
+	
+	in_port_t			port;
+	dns_c_ipmatchlist_t	       *iml;
+
+	ISC_LINK(dns_c_lstnon_t)	next;
+};
+
+
+/* A list of listen-on statements */
+struct dns_c_lstn_list
+{
+	isc_mem_t		       *mem;
+	isc_uint32_t			magic;
+
+	ISC_LIST(dns_c_lstnon_t)	elements;
+};
+
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t	dns_c_lstnlist_new(isc_mem_t *mem,
+				   dns_c_lstnlist_t **llist);
+/*
+ * Creates a new dns_c_lstnlist_t structure from the allocator pointed to
+ * by MEM, and stores the pointer to the new structure in *LLIST.
+ *
+ * Requires:
+ *	mem be a pointer to a valid allocator.
+ *	llist be a valid non-NULL pointer.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS		on success.
+ *	ISC_R_NOMEMORY		on allocation failure.
+ */
+
+isc_result_t	dns_c_lstnlist_delete(dns_c_lstnlist_t **llist);
+/*
+ * Deletes the list pointed to by **LLIST, and all the elements in it.
+ * Sets *LLIST to NULL when done.
+ *
+ * Requires:
+ * 
+ * Returns:
+ *
+ *	ISC_R_SUCCESS on success.
+ */
+
+
+isc_result_t	dns_c_lstnlist_print(FILE *fp, int indent,
+				     dns_c_lstnlist_t *ll);
+/*
+ * Prints the given the list LL to the stream FP. INDENT number of tabs
+ * preceed each line of output.
+ *
+ * Requires:
+ *
+ *	fp be a pointer to a valid FILE.
+ *
+ */
+
+
+isc_result_t	dns_c_lstnon_new(isc_mem_t *mem,
+				 dns_c_lstnon_t **listen);
+/*
+ * Creates a new dns_c_lstnon_t structure and stores the pointer
+ * in *LISTEN.
+ *
+ * Requires:
+ *	mem be pointer to a valid memory allocator.
+ *	listen be a valid non-NULL pointer.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS on success.
+ *	ISC_R_NOMEMORY on allocation failure.
+ */
+
+isc_result_t	dns_c_lstnon_delete(dns_c_lstnon_t **listen);
+/*
+ * Deletes the dns_c_lstnon_t structure pointed to by *LISTEN.
+ *
+ * Requires:
+ *
+ *	listen be a valid non-NULL pointer.
+ *
+ * Returns:
+ */
+
+isc_result_t	dns_c_lstnon_setiml(dns_c_lstnon_t *listen,
+				    dns_c_ipmatchlist_t *iml,
+				    isc_boolean_t deepcopy);
+/*
+ * Sets the iml field of the structure to the value of the IML
+ * parameter. If deepcopy paramater is true the structure field is
+ * assigned a depp copy of the IML parameter.
+ *
+ * Requires:
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS on happiness
+ *	ISC_R_NOMEMORY on allocation failure.
+ */
+
+isc_result_t	dns_c_lstnon_print(FILE *fp, int indent,
+				   dns_c_lstnon_t *lo);
+
+
+
+
+#endif /* DNS_CONFIG_CONFLSN_H */
diff --git a/lib/dns/include/dns/confparser.h b/lib/dns/include/dns/confparser.h
new file mode 100644
index 00000000..65bcc2ba
--- /dev/null
+++ b/lib/dns/include/dns/confparser.h
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Main entry point in the config file parser module.
+ *
+ * The parser module handles the parsing of config files. The entry point
+ * is:
+ *
+ * isc_result_t dns_c_parse_namedconf(const char *filename, isc_mem_t *mem,
+ *				   dns_c_ctx_t **configctx,
+ *				   dns_c_cbks_t *callbacks);
+ *
+ * MP:
+ * 	Only a single thread is let through the module at once.
+ *
+ * Reliability:
+ * 	No anticipated impact.
+ *
+ * Resources:
+ * 	Long-term memory allocation done with memory allocator supplied by
+ * 	caller. 
+ *
+ * Security:
+ * 	<TBS>
+ *
+ * Standards:
+ * 	None.
+ */
+
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+#include <isc/types.h>
+
+#include <dns/confctx.h>
+
+
+/***
+ *** Functions
+ ***/
+
+/*
+ * Typedefs for the callbacks done while parsing. If the callback functions 
+ * return anything other than ISC_R_SUCCESS, then the parse routine
+ * terminates with an error.
+ */
+ 
+typedef isc_result_t (*dns_c_zonecbk_t)(dns_c_ctx_t *ctx,
+					dns_c_zone_t *zone,
+					dns_c_view_t *view,
+					void *uap);
+typedef isc_result_t (*dns_c_optscbk_t)(dns_c_ctx_t *ctx, void *uap);
+
+typedef struct dns_c_cbks
+{
+	dns_c_zonecbk_t	zonecbk;
+	void	       *zonecbkuap;
+
+	dns_c_optscbk_t optscbk;
+	void	       *optscbkuap;
+} dns_c_cbks_t;
+
+
+isc_result_t dns_c_parse_namedconf(const char *filename, isc_mem_t *mem,
+				   dns_c_ctx_t **configctx,
+				   dns_c_cbks_t *callbacks);
+
+/*
+ * Parse a named confile file. Fills up a new config context with the config
+ * data. All memory allocations for the contents of configctx are done
+ * using the MEM argument. Caller must destroy the config context with
+ * dns_c_ctx_delete() when done.
+ *
+ * Requires:
+ *	*filename is a valid filename.
+ *	*mem is a valid memory manager.
+ *	*configctx is a valid isc_config_ctx_t pointer
+ *	callbacks is NULL or it points to a valid dns_c_cbks_t structure.
+ *
+ * Ensures:
+ *	On success, *configctx is attached to the newly created config context.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ *	ISC_R_INVALIDFILE		file doesn't exist or is unreadable
+ *	ISC_R_FAILURE			file contains errors.
+ */
+
diff --git a/lib/dns/include/dns/confresolv.h b/lib/dns/include/dns/confresolv.h
new file mode 100644
index 00000000..5b2396d7
--- /dev/null
+++ b/lib/dns/include/dns/confresolv.h
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_CONFIG_CONFRESOLV_H
+#define DNS_CONFIG_CONFRESOLV_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * A container for the resolver configuration data pulled from a
+ * named.conf-style config file.
+ */
+
+/*
+ *
+ * MP:
+ *	Client must do necessary locking.
+ *      
+ * Reliability:
+ *
+ *	No problems.
+ *
+ * Resources:
+ *
+ *	Use memory managers supplied by client.
+ *
+ * Security:
+ *
+ *	N/A
+ *      
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+
+#include <isc/types.h>
+
+/***
+ *** Types
+ ***/
+
+typedef struct dns_c_resolv		dns_c_resolv_t;
+
+struct dns_c_resolv
+{
+	isc_mem_t	       *mem;
+
+	/* XXX need this fleshed out */
+};
+
+
+
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t dns_c_resolv_new(isc_mem_t *mem, dns_c_resolv_t **cfgres);
+/*
+ * Creates a new resolver-config object.
+ *
+ * Requires:
+ *	mem be a pointer to a valid memory manager.
+ *	newres be a valid non-NULL pointer.
+ * 
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well
+ *	ISC_R_NOMEMORY		-- out of memory
+ * 
+ */
+
+isc_result_t dns_c_resolv_delete(dns_c_resolv_t **cfgres);
+/*
+ * Deletes the config-resolv object and its contents.
+ *
+ * Requires:
+ *	cfgres be a valid non-NULL pointer. The pointer it points to
+ *	can be NULL or must be a valid dns_c_resolv_t object.
+ * 
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well
+ * 
+ */
+
+
+#endif /* DNS_CONFIG_CONFRESOLV_H */
diff --git a/lib/dns/include/dns/confrrset.h b/lib/dns/include/dns/confrrset.h
new file mode 100644
index 00000000..a87569ef
--- /dev/null
+++ b/lib/dns/include/dns/confrrset.h
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_CONFIG_CONFRRSET_H
+#define DNS_CONFIG_CONFRRSET_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * 
+ * MP:
+ *	
+ *
+ * Reliability:
+ *	
+ *
+ * Resources:
+ *	
+ *
+ * Security:
+ *	
+ *
+ * Standards:
+ *	
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+
+#include <isc/mem.h>
+
+/* XXX these next two are needed by rdatatype.h. It should be fixed to
+ * include them itself.
+ */
+#include <isc/buffer.h>
+#include <dns/result.h>
+
+#include <dns/rdatatype.h>
+
+#include <dns/confcommon.h>
+
+
+#define DNS_C_RRSOLIST_MAGIC		0x5252534c /* RRSL */
+#define DNS_C_RRSO_MAGIC			0x7272736f /* rrso */
+
+#define DNS_C_RRSOLIST_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_RRSOLIST_MAGIC)
+#define DNS_C_RRSO_VALID(ptr)	ISC_MAGIC_VALID(ptr, DNS_C_RRSO_MAGIC)
+
+
+
+/***
+ *** Types
+ ***/
+
+
+typedef struct dns_c_rrso		dns_c_rrso_t;
+typedef struct dns_c_rrso_list		dns_c_rrsolist_t;
+
+
+struct dns_c_rrso 
+{
+	isc_uint32_t		magic;
+	
+	isc_mem_t	       *mem;
+	
+	dns_rdataclass_t	oclass;
+	dns_rdatatype_t		otype;
+	char		       *name;
+	dns_c_ordering_t	ordering;
+
+	ISC_LINK(dns_c_rrso_t)	next;
+};
+
+
+struct dns_c_rrso_list
+{
+	isc_uint32_t		magic;
+	
+	isc_mem_t	       *mem;
+
+	ISC_LIST(dns_c_rrso_t)	elements;
+
+};
+
+
+/***
+ *** Functions
+ ***/
+
+
+isc_result_t	dns_c_rrsolist_new(isc_mem_t *mem,
+				   dns_c_rrsolist_t **rval);
+isc_result_t	dns_c_rrsolist_delete(dns_c_rrsolist_t **list);
+isc_result_t	dns_c_rrsolist_copy(isc_mem_t *mem,
+				    dns_c_rrsolist_t **dest,
+				    dns_c_rrsolist_t *source);
+isc_result_t	dns_c_rrsolist_clear(dns_c_rrsolist_t *olist);
+isc_result_t	dns_c_rrsolist_append(dns_c_rrsolist_t *dest,
+				      dns_c_rrsolist_t *src);
+
+isc_result_t	dns_c_rrso_new(isc_mem_t *mem,
+			       dns_c_rrso_t **res,
+			       dns_rdataclass_t oclass,
+			       dns_rdatatype_t otype,
+			       char *name,
+			       dns_c_ordering_t ordering);
+isc_result_t	dns_c_rrso_delete(dns_c_rrso_t **order);
+isc_result_t	dns_c_rrso_copy(isc_mem_t *mem,
+				dns_c_rrso_t **dest,
+				dns_c_rrso_t *source);
+void		dns_c_rrsolist_print(FILE *fp, int indent,
+				     dns_c_rrsolist_t *rrlist);
+void		dns_c_rrso_print(FILE *fp, int indent,
+				 dns_c_rrso_t *rrlist);
+
+
+#endif /* DNS_CONFIG_CONFRRSET_H */
diff --git a/lib/dns/include/dns/confserv.h b/lib/dns/include/dns/confserv.h
new file mode 100644
index 00000000..8e097dd9
--- /dev/null
+++ b/lib/dns/include/dns/confserv.h
@@ -0,0 +1,157 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_CONFIG_CONFSERV_H
+#define DNS_CONFIG_CONFSERV_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * 
+ *
+ * 
+ *
+ * 
+ *
+ * MP:
+ *	
+ *
+ * Reliability:
+ *	
+ *
+ * Resources:
+ *	
+ *
+ * Security:
+ *	
+ *
+ * Standards:
+ *	
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+
+#include <sys/types.h>
+
+#include <isc/mem.h>
+#include <isc/net.h>
+
+#include <dns/types.h>
+#include <dns/confcommon.h>
+#include <dns/confkeys.h>
+
+
+#define DNS_C_SRVLIST_MAGIC	0x7365524c /* seRL */
+#define DNS_C_SRV_MAGIC		0x53457276 /* SErv */
+
+#define DNS_C_SRVLIST_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_SRVLIST_MAGIC)
+#define DNS_C_SRV_VALID(ptr)	 ISC_MAGIC_VALID(ptr, DNS_C_SRV_MAGIC)
+
+
+/***
+ *** Types
+ ***/
+
+typedef struct dns_c_srv		dns_c_srv_t;
+typedef struct dns_c_srv_list		dns_c_srvlist_t;
+
+struct dns_c_srv_list
+{
+	isc_uint32_t		magic;
+	
+	isc_mem_t	       *mem;
+
+	ISC_LIST(dns_c_srv_t) elements;
+};
+
+
+struct dns_c_srv 
+{
+	isc_uint32_t		magic;
+	
+	isc_mem_t	       *mem;
+
+	isc_sockaddr_t		address;
+	isc_boolean_t		bogus;
+	dns_transfer_format_t	transfer_format;
+	int			transfers;
+	isc_boolean_t		support_ixfr;
+	dns_c_kidlist_t	       *keys;
+
+	dns_c_setbits_t		bitflags;
+	
+	ISC_LINK(dns_c_srv_t)	next;
+};
+
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t	dns_c_srvlist_new(isc_mem_t *mem,
+				  dns_c_srvlist_t **list);
+isc_result_t	dns_c_srvlist_delete(dns_c_srvlist_t **list);
+void		dns_c_srvlist_print(FILE *fp, int indent,
+				    dns_c_srvlist_t *servers);
+isc_result_t	dns_c_srvlist_servbyaddr(dns_c_srvlist_t *servers,
+					 isc_sockaddr_t addr,
+					 dns_c_srv_t **retval);
+
+
+isc_result_t	dns_c_srv_new(isc_mem_t *mem,
+			      isc_sockaddr_t ipaddr,
+			      dns_c_srv_t **server);
+isc_result_t	dns_c_srv_delete(dns_c_srv_t **server);
+void		dns_c_srv_print(FILE *fp, int indent,
+				dns_c_srv_t *server);
+
+isc_result_t	dns_c_srv_setbogus(dns_c_srv_t *server,
+				   isc_boolean_t newval);
+isc_result_t	dns_c_srv_getbogus(dns_c_srv_t *server,
+				   isc_boolean_t *retval);
+isc_result_t	dns_c_srv_setsupportixfr(dns_c_srv_t *server,
+					 isc_boolean_t newval);
+isc_result_t	dns_c_srv_getsupportixfr(dns_c_srv_t *server,
+					 isc_boolean_t *retval);
+isc_result_t	dns_c_srv_settransfers(dns_c_srv_t *server,
+				       isc_int32_t newval);
+isc_result_t	dns_c_srv_gettransfers(dns_c_srv_t *server,
+				       isc_int32_t *retval);
+isc_result_t	dns_c_srv_settransferformat(dns_c_srv_t *server,
+					    dns_transfer_format_t newval);
+isc_result_t	dns_c_srv_gettransferformat(dns_c_srv_t *server,
+					    dns_transfer_format_t *retval);
+isc_result_t	dns_c_srv_get_keylist(dns_c_srv_t *server,
+				      dns_c_kidlist_t **keylist);
+
+isc_result_t	dns_c_srv_settkeydomain(dns_c_srv_t *server,
+					char *newval);
+isc_result_t	dns_c_srv_gettkeydomain(dns_c_srv_t *server,
+					char **retval);
+isc_result_t	dns_c_srv_getkeys(dns_c_srv_t *server,
+				  dns_c_kidlist_t **retval);
+isc_result_t	dns_c_srv_setkeys(dns_c_srv_t *server,
+				  dns_c_kidlist_t *newval);
+
+
+#endif /* DNS_CONFIG_CONFSERV_H */
diff --git a/lib/dns/include/dns/confview.h b/lib/dns/include/dns/confview.h
new file mode 100644
index 00000000..f07f67c4
--- /dev/null
+++ b/lib/dns/include/dns/confview.h
@@ -0,0 +1,449 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_CONFIG_CONFVIEW_H
+#define DNS_CONFIG_CONFVIEW_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Zones as seen by the config file parser. The data structures here define 
+ * the zone data as it is in the config file. The data structures here do
+ * *not* define the things like red-black trees for named's internal data
+ * structures.
+ *
+ */
+
+/*
+ *
+ * MP:
+ *	Client must do necessary locking.
+ *      
+ * Reliability:
+ *
+ *	No problems.
+ *
+ * Resources:
+ *
+ *	Use memory managers supplied by client.
+ *
+ * Security:
+ *
+ *	N/A
+ *      
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+
+#include <isc/mem.h>
+
+/* XXX these next two are needed by rdatatype.h. It should be fixed to
+ * include them itself.
+ */
+#include <isc/buffer.h>
+#include <dns/result.h>
+
+#include <dns/rdatatype.h>
+
+#include <dns/confcommon.h>
+#include <dns/confip.h>
+#include <dns/confkeys.h>
+#include <dns/confacl.h>
+#include <dns/confip.h>
+#include <dns/conflsn.h>
+#include <dns/confrrset.h>
+
+#define DNS_C_VIEWTABLE_MAGIC		0x76497774 /* vIwt */
+#define DNS_C_VIEW_MAGIC 		0x56696557 /* VieW */
+
+#define DNS_C_VIEWTABLE_VALID(ptr)  ISC_MAGIC_VALID(ptr, DNS_C_VIEWTABLE_MAGIC)
+#define DNS_C_VIEW_VALID(ptr)       ISC_MAGIC_VALID(ptr, DNS_C_VIEW_MAGIC)
+/***
+ *** Types
+ ***/
+
+#if 0
+/* this typedef moved to confcommon.h for confzone.h to get at (due to
+ * circulare include file dependancies).
+ */
+typedef struct dns_c_view		dns_c_view_t;
+#endif
+typedef struct dns_c_viewtable		dns_c_viewtable_t;
+
+
+struct dns_c_viewtable
+{
+	isc_uint32_t		magic;
+	
+	isc_mem_t	       *mem;
+
+	ISC_LIST(dns_c_view_t)	views;
+};
+
+
+struct dns_c_view
+{
+	isc_uint32_t		magic;
+	
+	isc_mem_t	       *mem;
+	
+	char 		       *name;
+
+	dns_c_zonelist_t       *zonelist;
+
+	dns_c_forw_t		forward;
+	
+	dns_c_ipmatchlist_t    *allowquery;
+	dns_c_ipmatchlist_t    *transferacl;
+	dns_c_ipmatchlist_t    *recursionacl;
+	dns_c_ipmatchlist_t    *blackhole;
+	dns_c_ipmatchlist_t    *sortlist;
+	dns_c_ipmatchlist_t    *topology;
+
+	dns_c_iplist_t         *forwarders;
+
+	dns_c_lstnlist_t       *listens;
+	
+	dns_c_rrsolist_t       *ordering;
+	
+	dns_severity_t	check_names[DNS_C_TRANSCOUNT];
+	
+	dns_transfer_format_t	transfer_format;
+	
+	isc_boolean_t		auth_nx_domain;
+	isc_boolean_t		dialup;
+	isc_boolean_t		fetch_glue;
+	isc_boolean_t		has_old_clients;
+	isc_boolean_t		host_statistics;
+	isc_boolean_t		maintain_ixfr_base;
+	isc_boolean_t		multiple_cnames;
+	isc_boolean_t		notify;
+	isc_boolean_t		recursion;
+	isc_boolean_t		rfc2308_type1;
+	isc_boolean_t		use_id_pool;
+	isc_boolean_t		fake_iquery;
+	isc_boolean_t		use_ixfr;
+
+	isc_int32_t		clean_interval;
+	isc_int32_t		lamettl;
+	isc_int32_t		max_log_size_ixfr;
+	isc_int32_t		max_ncache_ttl;
+	isc_int32_t		max_transfer_time_in;
+	isc_int32_t		max_transfer_time_out;
+	isc_int32_t		max_transfer_idle_in;
+	isc_int32_t		max_transfer_idle_out;
+	isc_int32_t		stats_interval;
+	isc_int32_t		transfers_in;
+	isc_int32_t		transfers_out;
+	isc_int32_t		transfers_per_ns;
+
+	dns_c_setbits_t		setflags;
+
+	ISC_LINK(dns_c_view_t)	next;
+};
+
+
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t dns_c_viewtable_new(isc_mem_t *mem,
+				 dns_c_viewtable_t **viewtable);
+
+/*
+ * Creates a new viewtable. Returns pointer to the new table through
+ * NEWTABLE paramater. The memory is allocated from the MEM memory pool.
+ *
+ * Requires:
+ *	mem is a valid memory pool
+ *	newtable is a valid non-NULL pointer.
+ *	mem remain a valuid memory pool until the table is destroyed.
+ * 	
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well.
+ *	ISC_R_NOMEMORY		-- not enough memory.
+ * 
+ */
+
+isc_result_t dns_c_viewtable_delete(dns_c_viewtable_t **viewtable);
+/*
+ * Destroys the table pointed to by *VIEWTABLE and all the views in it. The
+ * value of *VIEWTABLE can be NULL (which is a no-op).
+ *
+ * Requires:
+ *	viewtable is a valid pointer.
+ *	The memory pool used at creation time still be valid.
+ * 
+ * Returns:
+ *	ISC_R_SUCCESS
+ * 
+ */
+
+
+void dns_c_viewtable_addview(dns_c_viewtable_t *viewtable,
+			     dns_c_view_t *view);
+
+/*
+ * Inserts the given view into the viewtable. The viewtable takes ownership 
+ * of the view's allocations.
+ *
+ * Requires:
+ *	viewtable be a pointer to a valid dns_c_viewtable_t
+ *	view be a pointer to a valie dns_c_view_t
+ *
+ */
+
+void dns_c_viewtable_rmview(dns_c_viewtable_t *viewtable,
+			    dns_c_view_t *view);
+
+/*
+ * Removes the view from the given table. Does not memory
+ * deallocations. Caller owns the view.
+ *
+ * Requires:
+ *	viewtable be a pointer to a valid dns_c_viewtable_t
+ *	view be a pointer to a valid dns_c_view_t
+ *
+ */
+
+isc_result_t dns_c_viewtable_viewbyname(dns_c_viewtable_t *viewtable,
+					const char *viewname,
+					dns_c_view_t **retval);
+
+/*
+ * Looks up a view by name in the given table. The result is returned
+ * through the parameter RETVAL. The returned view must not be modified.
+ *
+ * Requires:
+ *	VIEWTABLE be a valid dns_c_viewtable_t
+ * 	
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well
+ *	ISC_R_NOTFOUND		-- view was not found
+ * 
+ */
+
+isc_result_t dns_c_viewtable_rmviewbyname(dns_c_viewtable_t *viewtable,
+					  const char *name);
+/*
+ * Removes a view from a view table. The view is looked up by name.
+ *
+ * Requires:
+ *	viewtable be a pointer to a valie dns_viewtable_t
+ *	name be a valid pointer to string of positive length.
+ * 
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well
+ *	ISC_R_NOTFOUND		-- view was not in the table.
+ * 
+ */
+
+
+isc_result_t dns_c_viewtable_clear(dns_c_viewtable_t *viewtable);
+/*
+ * Removes (and deletes) all the views in the viewtable.
+ *
+ * Requires:
+ *	viewtable to be a pointer to a valid dns_c_viewtable_t
+ *
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well
+ */
+
+void dns_c_viewtable_print(FILE *fp, int indent,
+			   dns_c_viewtable_t *table);
+
+/*
+ * Prints the viewtable TABLE to the stdio stream FP. An INDENT number of
+ * tabs is printed at the start of each line.
+ *
+ * Requires:
+ *	FP be a valid stdio stream
+ *	table be a pointer to a valid dns_c_viewtable_t
+ */
+
+
+isc_result_t dns_c_view_new(isc_mem_t *mem, const char *name,
+			    dns_c_view_t **newview);
+/*
+ * Creates a new view. The view is placed in the given viewtable.
+ * The new view is returned via the newview parameter
+ *
+ * Requires:
+ *	viewtable be a pointer to a valid view table.
+ *	name be a pointer to a valid string of positive length
+ *	newview be a valid non-NULL pointer.
+ * 
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well
+ *	ISC_R_NOMEMORY		-- out of memory
+ * 
+ */
+
+isc_result_t dns_c_view_delete(dns_c_view_t **view);
+/*
+ * Deletes the view and its contents.
+ *
+ * Requires:
+ *	view be a pointer to a valid view.
+ * 
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well
+ *  
+ */
+
+isc_result_t dns_c_view_addzone(dns_c_view_t *view, dns_c_zone_t *zone);
+/*
+ * Puts the zone in the view's zonetable. Dosn't alter the 'owner' view of 
+ * the zone.
+ */
+
+isc_result_t dns_c_view_setallowquery(dns_c_view_t *view,
+				      dns_c_ipmatchlist_t *ipml,
+				      isc_boolean_t deepcopy);
+/*
+ * Sets the ipmatch list of the allow-query field to the IPML. If DEEPCOPY
+ * is true, then a full copy of IPML is made using the MEM memory pool. In
+ * which case the caller still is the owner the memory IPML points to. If
+ * DEEPCOPY is false, then the view takes ownership of the memory IPML
+ * points to. If the view already has an allow-query list, then it is deleted
+ * before the new one is added.
+ *
+ * Requires:
+ *	mem be a pointer to a valid memory manager
+ *	ipml be a valid dns_c_ipmatchlist_t
+ * 
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well
+ *	ISC_R_NOMEMORY		-- memory could not be allocated for the
+ *				   deepcopy  .
+ * 
+ */
+
+
+isc_result_t dns_c_view_setallowtransfer(dns_c_view_t *view,
+					 dns_c_ipmatchlist_t *ipml,
+					 isc_boolean_t deepcopy);
+isc_result_t dns_c_view_setallowrecursion(dns_c_view_t *view,
+					  dns_c_ipmatchlist_t *ipml,
+					  isc_boolean_t deepcopy);
+isc_result_t dns_c_view_setblackhole(dns_c_view_t *view,
+				     dns_c_ipmatchlist_t *ipml,
+				     isc_boolean_t deepcopy);
+isc_result_t dns_c_view_setforwarders(dns_c_view_t *view,
+				      dns_c_iplist_t *ipml,
+				      isc_boolean_t deepcopy);
+isc_result_t dns_c_view_setsortlist(dns_c_view_t *view,
+				    dns_c_ipmatchlist_t *ipml,
+				    isc_boolean_t deepcopy);
+isc_result_t dns_c_view_settopology(dns_c_view_t *view,
+				    dns_c_ipmatchlist_t *ipml,
+				    isc_boolean_t deepcopy);
+isc_result_t dns_c_view_addlisten_on(dns_c_view_t *view, in_port_t port,
+				     dns_c_ipmatchlist_t *ml,
+				     isc_boolean_t copy);
+isc_result_t dns_c_view_setrrsetorderlist(dns_c_view_t *view,
+					  isc_boolean_t copy,
+					  dns_c_rrsolist_t *olist);
+isc_result_t dns_c_view_setchecknames(dns_c_view_t *view,
+				      dns_c_trans_t transtype,
+				      dns_severity_t sever);
+isc_result_t dns_c_view_settransferformat(dns_c_view_t *view,
+					  dns_transfer_format_t format);
+					  
+/* caller must not modifiy or delete returned values */
+isc_result_t dns_c_view_getallowquery(dns_c_view_t *view,
+				      dns_c_ipmatchlist_t **ipml);
+isc_result_t dns_c_view_getallowtransfer(dns_c_view_t *view,
+					 dns_c_ipmatchlist_t **ipml);
+isc_result_t dns_c_view_getallowrecursion(dns_c_view_t *view,
+					  dns_c_ipmatchlist_t **ipml);
+isc_result_t dns_c_view_getblackhole(dns_c_view_t *view,
+				     dns_c_ipmatchlist_t **ipml);
+isc_result_t dns_c_view_getforwarders(dns_c_view_t *view,
+				      dns_c_iplist_t **ipml);
+isc_result_t dns_c_view_getsortlist(dns_c_view_t *view,
+				    dns_c_ipmatchlist_t **ipml);
+isc_result_t dns_c_view_gettopology(dns_c_view_t *view,
+				    dns_c_ipmatchlist_t **ipml);
+isc_result_t dns_c_view_getlistenlist(dns_c_view_t *cfg,
+				      dns_c_lstnlist_t **ll);
+isc_result_t dns_c_view_getrrsetorderlist(dns_c_view_t *view,
+					  dns_c_rrsolist_t **olist);
+isc_result_t dns_c_view_getchecknames(dns_c_view_t *view,
+				      dns_c_trans_t transtype,
+				      dns_severity_t *sever);
+isc_result_t dns_c_view_gettransferformat(dns_c_view_t *view,
+					  dns_transfer_format_t *format);
+
+
+
+isc_result_t dns_c_view_getallowqueryexpanded(isc_mem_t *mem,
+					      dns_c_view_t *view,
+					      dns_c_acltable_t *acltable,
+					      dns_c_ipmatchlist_t **retval);
+/*
+ * Retuns a copy through the RETVAL parameter (the caller is responsible
+ * for deleting the returned value) of the allow-query address-match
+ * list. Any references in the list to acls or indirect address-match
+ * lists. are recursivly expanded ((using the definitions in ACLTABLE) so
+ * that the end result has no references in it. Memory allocation for the
+ * copy is done via the memory pool pointed to by the MEM paramater.
+ *
+ * Requires:
+ *	mem be a pointer to a valid memory manager
+ *	acl be a pointer to a valid acl.
+ *	retval be a valid non-NULL pointer.
+ * 
+ * Returns:
+ *	ISC_R_SUCCESS		-- all is well
+ *	ISC_R_NOMEMORY		-- not enough memory to make copy.
+ *	ISC_R_FAILURE		-- an acl reference couldn't be expanded.
+ * 
+ */
+
+
+void dns_c_view_print(FILE *fp, int indent,
+		      dns_c_view_t *view);
+
+/*	
+ * Prints the view VIEW to the stdio stream FP. An INDENT number of
+ * tabs is printed at the start of each line.
+ *
+ * Requires:
+ *	FP be a valid stdio stream
+ *	view be a pointer to a valid dns_c_view_t
+ */
+
+
+isc_result_t dns_c_view_getname(dns_c_view_t *view,
+				const char **retval);
+
+/*
+ * Returns the name of the view. Caller must NOT free or touch the returned 
+ * array.
+ */
+
+
+#endif /* DNS_CONFIG_CONFVIEW_H */
diff --git a/lib/dns/include/dns/confzone.h b/lib/dns/include/dns/confzone.h
new file mode 100644
index 00000000..ed19e66e
--- /dev/null
+++ b/lib/dns/include/dns/confzone.h
@@ -0,0 +1,376 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_CONFIG_CONFZONE_H
+#define DNS_CONFIG_CONFZONE_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Zones as seen by the config file parser. The data structures here define 
+ * the zone data as it is in the config file. The data structures here do
+ * *not* define the things like red-black trees for named's internal data
+ * structures.
+ *
+ */
+
+/*
+ *
+ * MP:
+ *	Client must do necessary locking.
+ *	
+ * Reliability:
+ *
+ *	No problems.
+ *
+ * Resources:
+ *
+ *	Use memory managers supplied by client.
+ *
+ * Security:
+ *
+ *	N/A
+ *	
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+
+#include <isc/mem.h>
+
+/* XXX these next two are needed by rdatatype.h. It should be fixed to
+ * include them itself.
+ */
+#include <isc/buffer.h>
+#include <dns/result.h>
+
+#include <dns/rdatatype.h>
+
+#include <dns/confcommon.h>
+#include <dns/confip.h>
+#include <dns/confkeys.h>
+
+#define DNS_C_ZONELIST_MAGIC		0x5a4c5354 /* ZLST */
+#define DNS_C_ZONE_MAGIC		0x7a4f6e45 /* zOnE */
+
+#define DNS_C_ZONELIST_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_ZONELIST_MAGIC)
+#define DNS_C_ZONE_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_C_ZONE_MAGIC)
+
+
+/***
+ *** Types
+ ***/
+
+typedef struct dns_c_master_zone	dns_c_masterzone_t;
+typedef struct dns_c_slave_zone		dns_c_slavezone_t;
+typedef struct dns_c_stub_zone		dns_c_stubzone_t;
+typedef struct dns_c_forward_zone	dns_c_forwardzone_t;
+typedef struct dns_c_hint_zone		dns_c_hintzone_t;
+typedef struct dns_c_zone		dns_c_zone_t;
+typedef struct dns_c_zonelem		dns_c_zonelem_t;
+
+#if 0
+/* this typedef moved to confcommon.h for confview.h to get at (circular
+ * include dependencies between view and zone structures.
+ */
+typedef struct dns_c_zone_list		dns_c_zonelist_t;
+#endif
+
+
+struct dns_c_zonelem
+{
+	dns_c_zone_t	*thezone;
+	ISC_LINK(dns_c_zonelem_t) next;
+};
+
+
+struct dns_c_zone_list
+{
+	isc_int32_t 		magic;
+	isc_mem_t	       *mem;
+
+	ISC_LIST(dns_c_zonelem_t)	zones;
+};
+
+
+struct dns_c_master_zone
+{
+	char		       *file;
+	dns_severity_t	check_names;
+	dns_c_ipmatchlist_t    *allow_update;
+	dns_c_ipmatchlist_t    *allow_query;
+	dns_c_ipmatchlist_t    *allow_transfer;
+	isc_boolean_t		dialup;
+	isc_boolean_t		notify;
+	dns_c_iplist_t	       *also_notify;
+	char		       *ixfr_base;
+	char		       *ixfr_tmp;
+	isc_int32_t		max_ixfr_log;
+	isc_boolean_t		maint_ixfr_base;
+	dns_c_pklist_t	       *pubkeylist;
+	isc_int32_t		max_trans_time_out;
+	isc_int32_t		max_trans_idle_out;
+
+	dns_c_forw_t		forward;
+	dns_c_iplist_t	       *forwarders;
+
+	dns_c_setbits_t		setflags;
+};
+
+
+struct dns_c_slave_zone
+{
+	char		       *file;
+	dns_severity_t	check_names;
+	dns_c_ipmatchlist_t    *allow_update;
+	dns_c_ipmatchlist_t    *allow_query;
+	dns_c_ipmatchlist_t    *allow_transfer;
+	dns_c_iplist_t	       *also_notify;
+	isc_boolean_t		notify;
+	isc_boolean_t		dialup;
+	char		       *ixfr_base;
+	char		       *ixfr_tmp;
+	isc_boolean_t		maint_ixfr_base;
+	isc_int32_t		max_ixfr_log;
+	dns_c_pklist_t	       *pubkeylist;
+	in_port_t		master_port;
+	dns_c_iplist_t	       *master_ips;
+	isc_sockaddr_t		transfer_source;
+	isc_int32_t		max_trans_time_in;
+	isc_int32_t		max_trans_time_out;
+	isc_int32_t		max_trans_idle_in;
+	isc_int32_t		max_trans_idle_out;
+
+	dns_c_forw_t		forward;
+	dns_c_iplist_t	       *forwarders;
+
+	dns_c_setbits_t		setflags;
+};
+
+
+struct dns_c_stub_zone
+{
+	char		       *file;
+	dns_severity_t	check_names;
+	dns_c_ipmatchlist_t    *allow_update; /* should be here??? */
+	dns_c_ipmatchlist_t    *allow_query;
+	dns_c_ipmatchlist_t    *allow_transfer; /* should be here??? */
+	isc_boolean_t		dialup;
+	dns_c_pklist_t	       *pubkeylist;
+	in_port_t		master_port;
+	dns_c_iplist_t	       *master_ips;
+	isc_sockaddr_t		transfer_source; 
+	isc_int32_t		max_trans_time_in;
+	isc_int32_t		max_trans_idle_in;
+
+	dns_c_forw_t		forward;
+	dns_c_iplist_t	       *forwarders;
+
+	dns_c_setbits_t		setflags;
+};
+
+
+
+struct dns_c_forward_zone
+{
+	dns_severity_t	check_names;
+	dns_c_forw_t		forward;
+	dns_c_iplist_t	       *forwarders;
+
+	dns_c_setbits_t		setflags;
+};
+
+
+struct dns_c_hint_zone
+{
+	char		       *file;
+	dns_severity_t	check_names;
+	dns_c_pklist_t	       *pubkeylist;
+
+	dns_c_setbits_t		setflags;
+};
+
+
+struct dns_c_zone
+{
+	isc_int32_t			magic;
+	
+	isc_mem_t		       *mem;
+	isc_uint8_t			refcount;
+	
+	char			       *name; /* e.g. "foo.com" */
+	char			       *internalname; /* e.g. "foo.com.ext" */
+	dns_rdataclass_t		zclass; 
+	dns_c_view_t		       *view;
+	
+	dns_c_zonetype_t		ztype;
+	union 
+	{
+		dns_c_masterzone_t	mzone;
+		dns_c_slavezone_t	szone;
+		dns_c_stubzone_t	tzone;
+		dns_c_forwardzone_t	fzone;
+		dns_c_hintzone_t	hzone;
+	} u;
+
+	isc_boolean_t			afteropts;
+};
+
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t	dns_c_zonelist_new(isc_mem_t *mem,
+				   dns_c_zonelist_t **zlist);
+isc_result_t	dns_c_zonelist_delete(dns_c_zonelist_t **zlist);
+#if 0
+dns_c_zone_t   *dns_c_zonelist_currzone(dns_c_zonelist_t *zlist);
+#endif
+
+isc_result_t	dns_c_zonelist_find(dns_c_zonelist_t *zlist,
+				    const char *name, dns_c_zone_t **retval);
+isc_result_t	dns_c_zonelist_rmbyname(dns_c_zonelist_t *zlist,
+					const char *name);
+isc_result_t	dns_c_zonelist_addzone(dns_c_zonelist_t *zlist,
+				       dns_c_zone_t *zone);
+isc_result_t	dns_c_zonelist_rmzone(dns_c_zonelist_t *zlist,
+				      dns_c_zone_t *zone);
+void		dns_c_zonelist_print(FILE *fp, int indent,
+				     dns_c_zonelist_t *list);
+void		dns_c_zonelist_printpostopts(FILE *fp,
+					     int indent,
+					     dns_c_zonelist_t *list);
+void		dns_c_zonelist_printpreopts(FILE *fp,
+					    int indent,
+					    dns_c_zonelist_t *list);
+isc_result_t	dns_c_zone_new(isc_mem_t *mem,
+			       dns_c_zonetype_t ztype, dns_rdataclass_t zclass,
+			       const char *name, const char *internalname,
+			       dns_c_zone_t **zone);
+isc_result_t	dns_c_zone_detach(dns_c_zone_t **zone);
+void		dns_c_zone_attach(dns_c_zone_t *source,
+				  dns_c_zone_t **target);
+void		dns_c_zone_print(FILE *fp, int indent,
+				 dns_c_zone_t *zone);
+isc_result_t	dns_c_zone_setfile(dns_c_zone_t *zone,
+				   const char *newfile);
+isc_result_t	dns_c_zone_setchecknames(dns_c_zone_t *zone,
+					 dns_severity_t severity);
+isc_result_t	dns_c_zone_setallowupd(dns_c_zone_t *zone,
+				       dns_c_ipmatchlist_t *ipml,
+				       isc_boolean_t deepcopy);
+isc_result_t	dns_c_zone_setallowquery(dns_c_zone_t *zone,
+					 dns_c_ipmatchlist_t *ipml,
+					 isc_boolean_t deepcopy);
+isc_result_t	dns_c_zone_setallowtransfer(dns_c_zone_t *zone,
+					    dns_c_ipmatchlist_t *ipml,
+					    isc_boolean_t deepcopy);
+isc_result_t	dns_c_zone_setdialup(dns_c_zone_t *zone,
+				     isc_boolean_t newval);
+isc_result_t	dns_c_zone_setnotify(dns_c_zone_t *zone,
+				     isc_boolean_t newval);
+isc_result_t	dns_c_zone_setmaintixfrbase(dns_c_zone_t *zone,
+					    isc_boolean_t newval);
+isc_result_t	dns_c_zone_setalsonotify(dns_c_zone_t *zone,
+					 dns_c_iplist_t *newval,
+					 isc_boolean_t deepcopy);
+isc_result_t	dns_c_zone_setixfrbase(dns_c_zone_t *zone,
+				       const char *newval);
+isc_result_t	dns_c_zone_setixfrtmp(dns_c_zone_t *zone,
+				      const char *newval);
+isc_result_t	dns_c_zone_addpubkey(dns_c_zone_t *zone,
+				     dns_c_pubkey_t *pubkey,
+				     isc_boolean_t deepcopy);
+isc_result_t	dns_c_zone_setmasterport(dns_c_zone_t *zone,
+					 in_port_t port);
+isc_result_t	dns_c_zone_setmasterips(dns_c_zone_t *zone,
+					dns_c_iplist_t *newval,
+					isc_boolean_t deepcopy);
+isc_result_t	dns_c_zone_settransfersource(dns_c_zone_t *zone,
+					     isc_sockaddr_t newval);
+isc_result_t	dns_c_zone_setmaxtranstimein(dns_c_zone_t *zone,
+					     isc_int32_t newval);
+isc_result_t	dns_c_zone_setmaxtranstimeout(dns_c_zone_t *zone,
+					     isc_int32_t newval);
+isc_result_t	dns_c_zone_setmaxtransidlein(dns_c_zone_t *zone,
+					     isc_int32_t newval);
+isc_result_t	dns_c_zone_setmaxtransidleout(dns_c_zone_t *zone,
+					     isc_int32_t newval);
+isc_result_t	dns_c_zone_setmaxixfrlog(dns_c_zone_t *zone,
+					 isc_int32_t new);
+isc_result_t	dns_c_zone_setforward(dns_c_zone_t *zone,
+				      dns_c_forw_t newval);
+isc_result_t	dns_c_zone_setforwarders(dns_c_zone_t *zone,
+					 dns_c_iplist_t *ipml,
+					 isc_boolean_t deepcopy);
+isc_result_t	dns_c_zone_getname(dns_c_zone_t *zone,
+				   const char **retval);
+isc_result_t	dns_c_zone_getinternalname(dns_c_zone_t *zone,
+					   const char **retval);
+isc_result_t	dns_c_zone_getfile(dns_c_zone_t *zone,
+				   const char **retval);
+isc_result_t	dns_c_zone_getchecknames(dns_c_zone_t *zone,
+					 dns_severity_t *retval);
+isc_result_t	dns_c_zone_getallowupd(dns_c_zone_t *zone,
+				       dns_c_ipmatchlist_t **retval);
+isc_result_t	dns_c_zone_getallowquery(dns_c_zone_t *zone,
+					 dns_c_ipmatchlist_t **retval);
+isc_result_t	dns_c_zone_getallowtransfer(dns_c_zone_t *zone,
+					    dns_c_ipmatchlist_t **retval);
+isc_result_t	dns_c_zone_getdialup(dns_c_zone_t *zone,
+				     isc_boolean_t *retval);
+isc_result_t	dns_c_zone_getnotify(dns_c_zone_t *zone,
+				     isc_boolean_t *retval);
+isc_result_t	dns_c_zone_getmaintixfrbase(dns_c_zone_t *zone,
+					    isc_boolean_t *retval);
+isc_result_t	dns_c_zone_getalsonotify(dns_c_zone_t *zone,
+					 dns_c_iplist_t **retval);
+isc_result_t	dns_c_zone_getixfrbase(dns_c_zone_t *zone,
+				       const char **retval);
+isc_result_t	dns_c_zone_getixfrtmp(dns_c_zone_t *zone,
+				      const char **retval);
+isc_result_t	dns_c_zone_getpubkeylist(dns_c_zone_t *zone,
+				     dns_c_pklist_t **retval);
+isc_result_t	dns_c_zone_getmasterport(dns_c_zone_t *zone,
+					 in_port_t *retval);
+isc_result_t	dns_c_zone_getmasterips(dns_c_zone_t *zone,
+					dns_c_iplist_t **retval);
+isc_result_t	dns_c_zone_gettransfersource(dns_c_zone_t *zone,
+					     isc_sockaddr_t *retval);
+isc_result_t	dns_c_zone_getmaxtranstimein(dns_c_zone_t *zone,
+					     isc_int32_t *retval);
+isc_result_t	dns_c_zone_getmaxtranstimeout(dns_c_zone_t *zone,
+					     isc_int32_t *retval);
+isc_result_t	dns_c_zone_getmaxtransidlein(dns_c_zone_t *zone,
+					     isc_int32_t *retval);
+isc_result_t	dns_c_zone_getmaxtransidleout(dns_c_zone_t *zone,
+					     isc_int32_t *retval);
+isc_result_t	dns_c_zone_getmaxixfrlog(dns_c_zone_t *zone,
+					 isc_int32_t *retval);
+isc_result_t	dns_c_zone_getforward(dns_c_zone_t *zone,
+				      dns_c_forw_t *retval);
+isc_result_t	dns_c_zone_getforwarders(dns_c_zone_t *zone,
+					 dns_c_iplist_t **retval);
+
+
+#endif /* DNS_CONFIG_CONFZONE_H */
diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
new file mode 100644
index 00000000..c9ccde65
--- /dev/null
+++ b/lib/dns/include/dns/db.h
@@ -0,0 +1,1106 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_DB_H
+#define DNS_DB_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS DB
+ *
+ * The DNS DB interface allows named rdatasets to be stored and retrieved.
+ *
+ * The dns_db_t type is like a "virtual class".  To actually use
+ * DBs, an implementation of the class is required.
+ *
+ * XXX <more> XXX
+ *
+ * MP:
+ *	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *	<TBS>
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ *	None.
+ */
+
+/*****
+ ***** Imports
+ *****/
+
+#include <stdio.h>
+
+#include <isc/boolean.h>
+#include <isc/mem.h>
+#include <isc/lang.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+#include <dns/result.h>
+#include <dns/name.h>
+#include <dns/callbacks.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Types
+ *****/
+
+typedef struct dns_dbmethods {
+	void		(*attach)(dns_db_t *source, dns_db_t **targetp);
+	void		(*detach)(dns_db_t **dbp);
+	isc_result_t	(*beginload)(dns_db_t *db, dns_addrdatasetfunc_t *addp,
+				     dns_dbload_t **dbloadp);
+	isc_result_t	(*endload)(dns_db_t *db, dns_dbload_t **dbloadp);
+	isc_result_t	(*dump)(dns_db_t *db, dns_dbversion_t *version, 
+				const char *filename);
+	void		(*currentversion)(dns_db_t *db,
+					  dns_dbversion_t **versionp);
+	isc_result_t	(*newversion)(dns_db_t *db,
+				      dns_dbversion_t **versionp);
+	void		(*attachversion)(dns_db_t *db, dns_dbversion_t *source,
+					 dns_dbversion_t **targetp);
+	void		(*closeversion)(dns_db_t *db,
+					dns_dbversion_t **versionp,
+					isc_boolean_t commit);
+	isc_result_t	(*findnode)(dns_db_t *db, dns_name_t *name,
+				    isc_boolean_t create,
+				    dns_dbnode_t **nodep);
+	isc_result_t	(*find)(dns_db_t *db, dns_name_t *name,
+				dns_dbversion_t *version,
+				dns_rdatatype_t type, unsigned int options,
+				isc_stdtime_t now,
+				dns_dbnode_t **nodep, dns_name_t *foundname,
+				dns_rdataset_t *rdataset,
+				dns_rdataset_t *sigrdataset);
+	isc_result_t	(*findzonecut)(dns_db_t *db, dns_name_t *name,
+				       unsigned int options, isc_stdtime_t now,
+				       dns_dbnode_t **nodep,
+				       dns_name_t *foundname,
+				       dns_rdataset_t *rdataset,
+				       dns_rdataset_t *sigrdataset);
+	void		(*attachnode)(dns_db_t *db,
+				      dns_dbnode_t *source,
+				      dns_dbnode_t **targetp);
+	void		(*detachnode)(dns_db_t *db,
+				      dns_dbnode_t **targetp);
+	isc_result_t	(*expirenode)(dns_db_t *db, dns_dbnode_t *node,
+				      isc_stdtime_t now);
+	void		(*printnode)(dns_db_t *db, dns_dbnode_t *node,
+				     FILE *out);
+	isc_result_t 	(*createiterator)(dns_db_t *db,
+					  isc_boolean_t relative_names,
+					  dns_dbiterator_t **iteratorp);
+	isc_result_t	(*findrdataset)(dns_db_t *db, dns_dbnode_t *node,
+					dns_dbversion_t *version,
+					dns_rdatatype_t type,
+					dns_rdatatype_t covers,
+					isc_stdtime_t now,
+					dns_rdataset_t *rdataset,
+					dns_rdataset_t *sigrdataset);
+	isc_result_t	(*allrdatasets)(dns_db_t *db, dns_dbnode_t *node,
+					dns_dbversion_t *version,
+					isc_stdtime_t now,
+					dns_rdatasetiter_t **iteratorp);
+	isc_result_t	(*addrdataset)(dns_db_t *db, dns_dbnode_t *node,
+				       dns_dbversion_t *version,
+				       isc_stdtime_t now,
+				       dns_rdataset_t *rdataset,
+				       unsigned int options,
+				       dns_rdataset_t *addedrdataset);
+	isc_result_t	(*subtractrdataset)(dns_db_t *db, dns_dbnode_t *node,
+					    dns_dbversion_t *version,
+					    dns_rdataset_t *rdataset,
+					    dns_rdataset_t *newrdataset);
+	isc_result_t	(*deleterdataset)(dns_db_t *db, dns_dbnode_t *node,
+					  dns_dbversion_t *version,
+					  dns_rdatatype_t type);
+	isc_boolean_t	(*issecure)(dns_db_t *db);
+} dns_dbmethods_t;
+
+#define DNS_DB_MAGIC			0x444E5344U		/* DNSD. */
+#define DNS_DB_VALID(db)		((db) != NULL && \
+					 (db)->magic == DNS_DB_MAGIC)
+
+/*
+ * This structure is actually just the common prefix of a DNS db
+ * implementation's version of a dns_db_t.
+ *
+ * Direct use of this structure by clients is forbidden.  DB implementations
+ * may change the structure.  'magic' must be DNS_DB_MAGIC for any of the
+ * dns_db_ routines to work.  DB implementations must maintain all DB
+ * invariants.
+ */
+struct dns_db {
+	unsigned int			magic;
+	unsigned int			impmagic;
+	dns_dbmethods_t *		methods;
+	isc_uint16_t			attributes;
+	dns_rdataclass_t		rdclass;
+	dns_name_t			origin;
+	isc_mem_t *			mctx;
+};
+
+#define DNS_DBATTR_CACHE		0x01
+
+/*
+ * Options that can be specified for dns_db_find().
+ */
+#define DNS_DBFIND_GLUEOK		0x01
+#define DNS_DBFIND_VALIDATEGLUE		0x02
+#define DNS_DBFIND_NOWILD		0x04
+#define DNS_DBFIND_PENDINGOK		0x08
+
+/*
+ * Options that can be specified for dns_db_addrdataset().
+ */
+#define DNS_DBADD_MERGE			0x01
+#define DNS_DBADD_FORCE			0x02
+
+/*****
+ ***** Methods
+ *****/
+
+/***
+ *** Basic DB Methods
+ ***/
+
+isc_result_t
+dns_db_create(isc_mem_t *mctx, char *db_type, dns_name_t *origin,
+	      isc_boolean_t cache, dns_rdataclass_t rdclass,
+	      unsigned int argc, char *argv[], dns_db_t **dbp);
+/*
+ * Create a new database using implementation 'db_type'.
+ *
+ * Notes:
+ *	All names in the database must be subdomains of 'origin' and in class
+ *	'rdclass'.  The database makes its own copy of the origin, so the caller
+ *	may do whatever they like with 'origin' and its storage once the
+ *	call returns.
+ *
+ *	If 'cache' is ISC_TRUE, then cache semantics will be used, otherwise
+ *	zone semantics will apply.
+ *
+ *	DB implementation-specific parameters are passed using argc and argv.
+ *
+ * Requires:
+ *
+ *	dbp != NULL and *dbp == NULL
+ *
+ *	'origin' is a valid absolute domain name.
+ *
+ *	mctx is a valid memory context
+ *
+ * Ensures:
+ *
+ *	A copy of 'origin' has been made for the databases use, and the
+ *	caller is free to do whatever they want with the name and storage
+ *	associated with 'origin'.
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMEMORY
+ *	DNS_R_NOTFOUND				db_type not found
+ *
+ *	Many other errors are possible, depending on what db_type was
+ *	specified.
+ */
+
+void
+dns_db_attach(dns_db_t *source, dns_db_t **targetp);
+/*
+ * Attach *targetp to source.
+ *
+ * Requires:
+ *
+ *	'source' is a valid database.
+ *
+ *	'targetp' points to a NULL dns_db_t *.
+ *
+ * Ensures:
+ *
+ *	*targetp is attached to source.
+ */
+
+void
+dns_db_detach(dns_db_t **dbp);
+/*
+ * Detach *dbp from its database.
+ *
+ * Requires:
+ *
+ *	'dbp' points to a valid database.
+ *
+ * Ensures:
+ *
+ *	*dbp is NULL.
+ *
+ *	If '*dbp' is the last reference to the database,
+ *
+ *		All resources used by the database will be freed
+ */
+
+isc_boolean_t
+dns_db_iscache(dns_db_t *db);
+/*
+ * Does 'db' have cache semantics?
+ *
+ * Note: dns_db_iscache(db) == !dns_db_iszone(db)
+ *
+ * Requires:
+ *
+ *	'db' is a valid database.
+ *
+ * Returns:
+ *	ISC_TRUE	'db' has cache semantics
+ *	ISC_FALSE	otherwise
+ */
+
+isc_boolean_t
+dns_db_iszone(dns_db_t *db);
+/*
+ * Does 'db' have zone semantics?
+ *
+ * Note: dns_db_iszone(db) == !dns_db_iscache(db)
+ *
+ * Requires:
+ *
+ *	'db' is a valid database.
+ *
+ * Returns:
+ *	ISC_TRUE	'db' has zone semantics
+ *	ISC_FALSE	otherwise
+ */
+
+isc_boolean_t
+dns_db_issecure(dns_db_t *db);
+/*
+ * Is 'db' secure?
+ *
+ * Requires:
+ *
+ *	'db' is a valid database with zone semantics.
+ *
+ * Returns:
+ *	ISC_TRUE	'db' is secure.
+ *	ISC_FALSE	'db' is not secure.
+ */
+
+dns_name_t *
+dns_db_origin(dns_db_t *db);
+/*
+ * The origin of the database.
+ *
+ * Note: caller must not try to change this name.
+ *
+ * Requires:
+ *
+ *	'db' is a valid database.
+ *
+ * Returns:
+ *
+ *	The origin of the database.
+ */
+
+dns_rdataclass_t
+dns_db_class(dns_db_t *db);
+/*
+ * The class of the database.
+ *
+ * Requires:
+ *
+ *	'db' is a valid database.
+ *
+ * Returns:
+ *
+ *	The class of the database.
+ */
+
+isc_result_t
+dns_db_beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp,
+		 dns_dbload_t **dbloadp);
+/*
+ * Begin loading 'db'.
+ *
+ * Requires:
+ *
+ *	'db' is a valid database.
+ *
+ *	This is the first attempt to load 'db'.
+ *
+ *	addp != NULL && *addp == NULL
+ *
+ *	dbloadp != NULL && *dbloadp == NULL
+ *
+ * Ensures:
+ *
+ *	On success, *addp will be a valid dns_addrdatasetfunc_t suitable
+ *	for loading 'db'.  *dbloadp will be a valid DB load context which
+ *	should be used as 'arg' when *addp is called.
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMEMORY
+ *
+ *	Other results are possible, depending upon the database
+ *	implementation used, syntax errors in the master file, etc.
+ */
+
+isc_result_t
+dns_db_endload(dns_db_t *db, dns_dbload_t **dbloadp);
+/*
+ * Finish loading 'db'.
+ *
+ * Requires:
+ *
+ *	'db' is a valid database that is being loaded.
+ *
+ *	dbloadp != NULL and *dbloadp is a valid database load context.
+ *
+ * Ensures:
+ *
+ *	*dbloadp == NULL
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMEMORY
+ *
+ *	Other results are possible, depending upon the database
+ *	implementation used, syntax errors in the master file, etc.
+ */
+
+isc_result_t
+dns_db_load(dns_db_t *db, const char *filename);
+/*
+ * Load master file 'filename' into 'db'.
+ *
+ * Notes:
+ *	This routine is equivalent to calling
+ *
+ *		dns_db_beginload();
+ *		dns_master_loadfile();
+ *		dns_db_endload();
+ *
+ * Requires:
+ *
+ *	'db' is a valid database.
+ *
+ *	This is the first attempt to load 'db'.
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMEMORY
+ *
+ *	Other results are possible, depending upon the database
+ *	implementation used, syntax errors in the master file, etc.
+ */
+
+isc_result_t
+dns_db_dump(dns_db_t *db, dns_dbversion_t *version, const char *filename);
+/*
+ * Dump version 'version' of 'db' to master file 'filename'.
+ *
+ * Requires:
+ *
+ *	'db' is a valid database.
+ *
+ *	'version' is a valid version.
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMEMORY
+ *
+ *	Other results are possible, depending upon the database
+ *	implementation used, OS file errors, etc.
+ */
+
+/***
+ *** Version Methods
+ ***/
+
+void
+dns_db_currentversion(dns_db_t *db, dns_dbversion_t **versionp);
+/*
+ * Open the current version for reading.
+ *
+ * Requires:
+ *
+ *	'db' is a valid database with zone semantics.
+ *
+ *	versionp != NULL && *verisonp == NULL
+ *
+ * Ensures:
+ *
+ *	On success, '*versionp' is attached to the current version.
+ *
+ */
+
+isc_result_t
+dns_db_newversion(dns_db_t *db, dns_dbversion_t **versionp);
+/*
+ * Open a new version for reading and writing.
+ *
+ * Requires:
+ *
+ *	'db' is a valid database with zone semantics.
+ *
+ *	versionp != NULL && *verisonp == NULL
+ *
+ * Ensures:
+ *
+ *	On success, '*versionp' is attached to the current version.
+ * 
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMEMORY
+ *
+ *	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+void
+dns_db_attachversion(dns_db_t *db, dns_dbversion_t *source,
+		     dns_dbversion_t **targetp);
+/*
+ * Attach '*targetp' to 'source'.
+ *
+ * Requires:
+ *
+ *	'db' is a valid database with zone semantics.
+ *
+ *	source is a valid open version
+ *
+ *	targetp != NULL && *targetp == NULL
+ *
+ * Ensures:
+ *
+ *	'*targetp' is attached to source.
+ */
+
+void
+dns_db_closeversion(dns_db_t *db, dns_dbversion_t **versionp,
+		    isc_boolean_t commit);
+/*
+ * Close version '*versionp'.
+ *
+ * Note: if '*versionp' is a read-write version and 'commit' is ISC_TRUE,
+ * then all changes made in the version will take effect, otherwise they
+ * will be rolled back.  The value if 'commit' is ignored for read-only
+ * versions.
+ *
+ * Requires:
+ *
+ *	'db' is a valid database with zone semantics.
+ *
+ *	'*versionp' refers to a valid version.
+ *
+ *	If committing a writable version, then there must be no other
+ *	outstanding references to the version (e.g. an active rdataset
+ *	iterator).
+ *
+ * Ensures:
+ *
+ *	*versionp == NULL
+ *
+ *	If *versionp is a read-write version, and commit is ISC_TRUE, then
+ *	the version will become the current version.  If !commit, then all
+ *	changes made in the version will be undone, and the version will
+ *	not become the current version.
+ */
+
+/***
+ *** Node Methods
+ ***/
+
+isc_result_t
+dns_db_findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
+		dns_dbnode_t **nodep);
+/*
+ * Find the node with name 'name'.
+ *
+ * Notes:
+ *	If 'create' is ISC_TRUE and no node with name 'name' exists, then
+ *	such a node will be created.
+ *
+ *	This routine is for finding or creating a node with the specified
+ *	name.  There are no partial matches.  It is not suitable for use
+ *	in building responses to ordinary DNS queries; clients which wish
+ *	to do that should use dns_db_find() instead.
+ *
+ * Requires:
+ *
+ *	'db' is a valid database.
+ *
+ *	'name' is a valid, non-empty, absolute name that is a subdomain of
+ *	the database's origin.  (It need not be a proper subdomain.)
+ *
+ *	nodep != NULL && *nodep == NULL
+ *
+ * Ensures:
+ *
+ *	On success, *nodep is attached to the node with name 'name'.
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOTFOUND			If !create and name not found.
+ *	DNS_R_NOMEMORY		        Can only happen if create is ISC_TRUE.
+ *
+ *	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+isc_result_t
+dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+	    dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+	    dns_dbnode_t **nodep, dns_name_t *foundname,
+	    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+/*
+ * Find the best match for 'name' and 'type' in version 'version' of 'db'.
+ *
+ * Notes:
+ *
+ *	If type == dns_rdataset_any, then rdataset will not be bound.
+ *
+ *	If 'options' does not have DNS_DBFIND_GLUEOK set, then no glue will
+ *	be returned.  For zone databases, glue is as defined in RFC 2181.
+ *	For cache databases, glue is any rdataset with a trust of
+ *	dns_trust_glue.
+ *
+ *	If 'options' does not have DNS_DBFIND_PENDINGOK set, then no
+ *	pending data will be returned.  This option is only meaningful for
+ *	cache databases.
+ *
+ *	If the DNS_DBFIND_NOWILD option is set, then wildcard matching will
+ *	be disabled.  This option is only meaningful for zone databases.
+ *
+ *	To respond to a query for SIG records, the caller should create a
+ *	rdataset iterator and extract the signatures from each rdataset.
+ *
+ *	Making queries of type ANY with DNS_DBFIND_GLUEOK is not recommended,
+ *	because the burden of determining whether a given rdataset is valid
+ *	glue or not falls upon the caller.
+ *
+ *	The 'now' field is ignored if 'db' is a zone database.  If 'db' is a
+ *	cache database, an rdataset will not be found unless it expires after
+ *	'now'.  Any ANY query will not match unless at least one rdataset at
+ *	the node expires after 'now'.  If 'now' is zero, then the current time
+ *	will be used.
+ *
+ * Requires:
+ *
+ *	'db' is a valid database.
+ *
+ *	'type' is not SIG, or a meta-RR type other than 'ANY' (e.g. 'OPT').
+ *
+ *	'nodep' is NULL, or nodep is a valid pointer and *nodep == NULL.
+ *
+ *	'foundname' is a valid name with a dedicated buffer.
+ *
+ *	'rdataset' is NULL, or is a valid unassociated rdataset.
+ *
+ * Ensures:
+ *	On a non-error completion:
+ *
+ *		If nodep != NULL, then it is bound to the found node.
+ *
+ *		If foundname != NULL, then it contains the full name of the
+ *		found node.
+ *
+ *		If rdataset != NULL and type != dns_rdatatype_any, then
+ *		rdataset is bound to the found rdataset.
+ *
+ * Returns:
+ *
+ *	Non-error results are:
+ *
+ *		DNS_R_SUCCESS			The desired node and type were
+ *						found.
+ *
+ *		DNS_R_GLUE			The desired node and type were
+ *						found, but are glue.  This
+ *						result can only occur if
+ *						the DNS_DBFIND_GLUEOK option
+ *						is set.  This result can only
+ *						occur if 'db' is a zone
+ *						database.  If type ==
+ *						dns_rdatatype_any, then the
+ *						node returned may contain, or
+ *						consist entirely of invalid
+ *						glue (i.e. data occluded by a
+ *						zone cut).  The caller must
+ *						take care not to return invalid
+ *						glue to a client.
+ *
+ *		DNS_R_DELEGATION		The data requested is beneath
+ *						a zone cut.  node, foundname,
+ *						and rdataset reference the
+ *						NS RRset of the zone cut.
+ *						If 'db' is a cache database,
+ *						then this is the deepest known
+ *						delegation.
+ *
+ *		DNS_R_ZONECUT			type == dns_rdatatype_any, and
+ *						the desired node is a zonecut.
+ *						The caller must take care not
+ *						to return inappropriate glue
+ *						to a client.  This result can
+ *						only occur if 'db' is a zone
+ *						database.
+ *
+ *		DNS_R_DNAME			The data requested is beneath
+ *						a DNAME.  node, foundname,
+ *						and rdataset reference the
+ *						DNAME RRset.
+ *
+ *		DNS_R_CNAME			The rdataset requested was not
+ *						found, but there is a CNAME
+ *						at the desired name.  node,
+ *						foundname, and rdataset
+ *						reference the CNAME RRset.
+ *
+ *		DNS_R_NXDOMAIN			The desired name does not
+ *						exist.
+ *
+ *		DNS_R_NXRRSET			The desired name exists, but
+ *						the desired type does not.
+ *
+ *		DNS_R_NOTFOUND			The desired name does not
+ *						exist, and no delegation could
+ *						be found.  This result can only
+ *						occur if 'db' is a cache
+ *						database.  The caller should
+ *						use its nameserver(s) of last
+ *						resort (e.g. root hints).
+ *
+ *		DNS_R_NCACHENXDOMAIN		The desired name does not
+ *						exist.  'node' is bound to the
+ *						cache node with the desired
+ *						name, and 'rdataset' contains
+ *						the negative caching proof.
+ *
+ *		DNS_R_NCACHENXRRSET		The desired type does not
+ *						exist.  'node' is bound to the
+ *						cache node with the desired
+ *						name, and 'rdataset' contains
+ *						the negative caching proof.
+ *
+ *	Error results:
+ *
+ *		DNS_R_NOMEMORY
+ *
+ *		DNS_R_BADDB			Data that is required to be
+ *						present in the DB, e.g. an NXT
+ *						record in a secure zone, is not
+ *						present.
+ *
+ *		Other results are possible, and should all be treated as
+ *		errors.
+ */
+
+isc_result_t
+dns_db_findzonecut(dns_db_t *db, dns_name_t *name,
+		   unsigned int options, isc_stdtime_t now,
+		   dns_dbnode_t **nodep, dns_name_t *foundname,
+		   dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+/*
+ * Find the deepest known zonecut which encloses 'name' in 'db'.
+ *
+ * Notes:
+ *
+ *	If 'options' has DNS_DBFIND_ONLYANCESTORS set, then 'name' will
+ *	be returned as the deepest match if it has an NS rdataset.
+ *
+ *	If 'now' is zero, then the current time will be used.
+ *
+ * Requires:
+ *
+ *	'db' is a valid database with cache semantics.
+ *
+ *	'nodep' is NULL, or nodep is a valid pointer and *nodep == NULL.
+ *
+ *	'foundname' is a valid name with a dedicated buffer.
+ *
+ *	'rdataset' is NULL, or is a valid unassociated rdataset.
+ *
+ * Ensures:
+ *	On a non-error completion:
+ *
+ *		If nodep != NULL, then it is bound to the found node.
+ *
+ *		If foundname != NULL, then it contains the full name of the
+ *		found node.
+ *
+ *		If rdataset != NULL and type != dns_rdatatype_any, then
+ *		rdataset is bound to the found rdataset.
+ *
+ * Returns:
+ *
+ *	Non-error results are:
+ *
+ *		DNS_R_SUCCESS
+ *
+ *		DNS_R_NOTFOUND
+ *
+ *		Other results are possible, and should all be treated as
+ *		errors.
+ */
+
+void
+dns_db_attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp);
+/*
+ * Attach *targetp to source.
+ *
+ * Requires:
+ *
+ *	'db' is a valid database.
+ *
+ *	'source' is a valid node.
+ *
+ *	'targetp' points to a NULL dns_node_t *.
+ *
+ * Ensures:
+ *
+ *	*targetp is attached to source.
+ */
+
+void
+dns_db_detachnode(dns_db_t *db, dns_dbnode_t **nodep);
+/*
+ * Detach *nodep from its node.
+ *
+ * Requires:
+ *
+ *	'db' is a valid database.
+ *
+ *	'nodep' points to a valid node.
+ *
+ * Ensures:
+ *
+ *	*nodep is NULL.
+ */
+
+isc_result_t
+dns_db_expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now);
+/*
+ * Mark as stale all records at 'node' which expire at or before 'now'.
+ *
+ * Note: if 'now' is zero, then the current time will be used.
+ *
+ * Requires:
+ *
+ *	'db' is a valid cache database.
+ *
+ *	'node' is a valid node.
+ */
+
+void
+dns_db_printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out);
+/*
+ * Print a textual representation of the contents of the node to
+ * 'out'.
+ *
+ * Note: this function is intended for debugging, not general use.
+ *
+ * Requires:
+ *
+ *	'db' is a valid database.
+ *
+ *	'node' is a valid node.
+ */
+
+/***
+ *** DB Iterator Creation
+ ***/
+
+isc_result_t
+dns_db_createiterator(dns_db_t *db, isc_boolean_t relative_names,
+		      dns_dbiterator_t **iteratorp);
+/*
+ * Create an iterator for version 'version' of 'db'.
+ *
+ * Notes:
+ *
+ *	If 'relative_names' is ISC_TRUE, then node names returned by the
+ *	iterator will be relative to the iterator's current origin.  If
+ *	ISC_FALSE, then the node names will be absolute.
+ *
+ * Requires:
+ *
+ *	'db' is a valid database.
+ *
+ *	iteratorp != NULL && *iteratorp == NULL
+ *
+ * Ensures:
+ *
+ *	On success, *iteratorp will be a valid database iterator.
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMEMORY
+ */
+
+/***
+ *** Rdataset Methods
+ ***/
+
+/*
+ * XXXRTH  Should we check for glue and pending data in dns_db_findrdataset()?
+ */
+
+isc_result_t
+dns_db_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		    dns_rdatatype_t type, dns_rdatatype_t covers,
+		    isc_stdtime_t now, dns_rdataset_t *rdataset,
+		    dns_rdataset_t *sigrdataset);
+/*
+ * Search for an rdataset of type 'type' at 'node' that are in version
+ * 'version' of 'db'.  If found, make 'rdataset' refer to it.
+ *
+ * Notes:
+ *
+ *	If 'version' is NULL, then the current version will be used.
+ *
+ *	Care must be used when using this routine to build a DNS response:
+ *	'node' should have been found with dns_db_find(), not
+ *	dns_db_findnode().  No glue checking is done.  No checking for
+ *	pending data is done.
+ *
+ *	The 'now' field is ignored if 'db' is a zone database.  If 'db' is a
+ *	cache database, an rdataset will not be found unless it expires after
+ *	'now'.  If 'now' is zero, then the current time will be used.
+ *
+ * Requires:
+ *
+ *	'db' is a valid database.
+ *
+ *	'node' is a valid node.
+ *
+ *	'rdataset' is a valid, disassociated rdataset.
+ *
+ *	'sigrdataset' is a valid, disassociated rdataset, or it is NULL.
+ *
+ *	If 'covers' != 0, 'type' must be SIG.
+ *
+ *	'type' is not a meta-RR type such as 'ANY' or 'OPT'.
+ *
+ * Ensures:
+ *
+ *	On success, 'rdataset' is associated with the found rdataset.
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOTFOUND
+ *	
+ *	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+isc_result_t
+dns_db_allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		    isc_stdtime_t now, dns_rdatasetiter_t **iteratorp);
+/*
+ * Make '*iteratorp' an rdataset iteratator for all rdatasets at 'node' in
+ * version 'version' of 'db'.
+ *
+ * Notes:
+ *
+ *	If 'version' is NULL, then the current version will be used.
+ *
+ *	The 'now' field is ignored if 'db' is a zone database.  If 'db' is a
+ *	cache database, an rdataset will not be found unless it expires after
+ *	'now'.  Any ANY query will not match unless at least one rdataset at
+ *	the node expires after 'now'.  If 'now' is zero, then the current time
+ *	will be used.
+ *
+ * Requires:
+ *
+ *	'db' is a valid database.
+ *
+ *	'node' is a valid node.
+ *
+ *	iteratorp != NULL && *iteratorp == NULL
+ *
+ * Ensures:
+ *
+ *	On success, '*iteratorp' is a valid rdataset iterator.
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOTFOUND
+ *	
+ *	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+isc_result_t
+dns_db_addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		   isc_stdtime_t now, dns_rdataset_t *rdataset,
+		   unsigned int options, dns_rdataset_t *addedrdataset);
+/*
+ * Add 'rdataset' to 'node' in version 'version' of 'db'.
+ *
+ * Notes:
+ *
+ *	If the database has zone semantics, the DNS_DBADD_MERGE option is set,
+ *	and an rdataset of the same type as 'rdataset' already exists at
+ *	'node' then the contents of 'rdataset' will be merged with the existing
+ *	rdataset.  If the option is not set, then rdataset will replace any
+ *	existing rdataset of the same type.  If not merging and the
+ *	DNS_DBADD_FORCE option is set, then the data will update the database
+ *	without regard to trust levels.  If not forcing the data, then the
+ *	rdataset will only be added if its trust level is >= the trust level of
+ *	any existing rdataset.  Forcing is only meaningful for cache databases.
+ *
+ *	The 'now' field is ignored if 'db' is a zone database.  If 'db' is
+ *	a cache database, then the added rdataset will expire no later than
+ *	now + rdataset->ttl.
+ *
+ *	If 'addedrdataset' is not NULL, then it will be attached to the
+ *	resulting new rdataset in the database, or to the existing data if
+ *	the existing data was better.
+ *
+ * Requires:
+ *
+ *	'db' is a valid database.
+ *
+ *	'node' is a valid node.
+ *
+ *	'rdataset' is a valid, associated rdataset with the same class
+ *	as 'db'.
+ *
+ *	'addedrdataset' is NULL, or a valid, unassociated rdataset.
+ *
+ *	The database has zone semantics and 'version' is a valid
+ *	read-write version, or the database has cache semantics
+ *	and version is NULL.
+ *
+ *	If the database has cache semantics, the DNS_DBADD_MERGE option must
+ *	not be set.
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *	DNS_R_UNCHANGED			The operation did not change anything.
+ *	DNS_R_NOMEMORY
+ *	
+ *	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+isc_result_t
+dns_db_subtractrdataset(dns_db_t *db, dns_dbnode_t *node,
+			dns_dbversion_t *version, dns_rdataset_t *rdataset,
+			dns_rdataset_t *newrdataset);
+/*
+ * Remove any rdata in 'rdataset' from 'node' in version 'version' of
+ * 'db'.
+ *
+ * Notes:
+ *
+ *	If 'newrdataset' is not NULL, then it will be attached to the
+ *	resulting new rdataset in the database, unless the rdataset has 
+ *	become nonexistent.
+ *
+ * Requires:
+ *
+ *	'db' is a valid database.
+ *
+ *	'node' is a valid node.
+ *
+ *	'rdataset' is a valid, associated rdataset with the same class
+ *	as 'db'.
+ *
+ *	'newrdataset' is NULL, or a valid, unassociated rdataset.
+ *
+ *	The database has zone semantics and 'version' is a valid
+ *	read-write version.
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *	DNS_R_UNCHANGED			The operation did not change anything.
+ *	DNS_R_NXRDATASET		All rdata of the same type as those
+ *					in 'rdataset' have been deleted.
+ *	
+ *	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+isc_result_t
+dns_db_deleterdataset(dns_db_t *db, dns_dbnode_t *node,
+		      dns_dbversion_t *version, dns_rdatatype_t type);
+/*
+ * Make it so that no rdataset of type 'type' exists at 'node' in version
+ * version 'version' of 'db'.
+ *
+ * Notes:
+ *
+ *	If 'type' is dns_rdatatype_any, then no rdatasets will exist in
+ *	'version' (provided that the dns_db_deleterdataset() isn't followed
+ *	by one or more dns_db_addrdataset() calls).
+ *
+ * Requires:
+ *
+ *	'db' is a valid database.
+ *
+ *	'node' is a valid node.
+ *
+ *	The database has zone semantics and 'version' is a valid
+ *	read-write version, or the database has cache semantics
+ *	and version is NULL.
+ *
+ *	'type' is not a meta-RR type, except for dns_rdatatype_any, which is
+ *	allowed.
+ *
+ * Ensures:
+ *
+ *	On success, 'rdataset' is associated with the found rdataset.
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *	DNS_R_UNCHANGED			No rdatasets of 'type' existed before
+ *					the operation was attempted.
+ *	
+ *	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DB_H */
diff --git a/lib/dns/include/dns/dbiterator.h b/lib/dns/include/dns/dbiterator.h
new file mode 100644
index 00000000..9e1ce34d
--- /dev/null
+++ b/lib/dns/include/dns/dbiterator.h
@@ -0,0 +1,288 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_DBITERATOR_H
+#define DNS_DBITERATOR_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS DB Iterator
+ *
+ * The DNS DB Iterator interface allows iteration of all of the nodes in a
+ * database.
+ *
+ * The dns_dbiterator_t type is like a "virtual class".  To actually use
+ * it, an implementation of the class is required.  This implementation is
+ * supplied by the database.
+ *
+ * It is the client's responsibility to call dns_db_detachnode() on all
+ * nodes returned.
+ *
+ * XXX <more> XXX
+ *
+ * MP:
+ *	The iterator itself is not locked.  The caller must ensure
+ *	synchronization.
+ *	
+ *	The iterator methods ensure appropriate database locking.
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *	<TBS>
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ *	None.
+ */
+
+/*****
+ ***** Imports
+ *****/
+
+#include <isc/boolean.h>
+#include <isc/buffer.h>
+#include <isc/lang.h>
+
+#include <dns/types.h>
+#include <dns/result.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Types
+ *****/
+
+typedef struct dns_dbiteratormethods {
+	void		(*destroy)(dns_dbiterator_t **iteratorp);
+	isc_result_t	(*first)(dns_dbiterator_t *iterator);
+	isc_result_t	(*last)(dns_dbiterator_t *iterator);
+	isc_result_t	(*seek)(dns_dbiterator_t *iterator, dns_name_t *name);
+	isc_result_t	(*prev)(dns_dbiterator_t *iterator);
+	isc_result_t	(*next)(dns_dbiterator_t *iterator);
+	isc_result_t	(*current)(dns_dbiterator_t *iterator,
+				   dns_dbnode_t **nodep, dns_name_t *name);
+	isc_result_t	(*pause)(dns_dbiterator_t *iterator);
+	isc_result_t	(*origin)(dns_dbiterator_t *iterator,
+				  dns_name_t *name);
+} dns_dbiteratormethods_t;
+
+#define DNS_DBITERATOR_MAGIC		0x444E5349U		/* DNSI. */
+#define DNS_DBITERATOR_VALID(dbi)	((dbi) != NULL && \
+					 (dbi)->magic == DNS_DBITERATOR_MAGIC)
+/*
+ * This structure is actually just the common prefix of a DNS db
+ * implementation's version of a dns_dbiterator_t.
+ *
+ * Clients may use the 'db' field of this structure.  Except for that field,
+ * direct use of this structure by clients is forbidden.  DB implementations
+ * may change the structure.  'magic' must be DNS_DBITERATOR_MAGIC for any of
+ * the dns_dbiterator routines to work.  DB iterator implementations must
+ * maintain all DB iterator invariants.
+ */
+struct dns_dbiterator {
+	/* Unlocked. */
+	unsigned int			magic;
+	dns_dbiteratormethods_t *	methods;
+	dns_db_t *			db;
+	isc_boolean_t			relative_names;
+};
+
+void
+dns_dbiterator_destroy(dns_dbiterator_t **iteratorp);
+/*
+ * Destroy '*iteratorp'.
+ *
+ * Requires:
+ *
+ *	'*iteratorp' is a valid iterator.
+ *
+ * Ensures:
+ *
+ *	All resources used by the iterator are freed.
+ *
+ *	*iteratorp == NULL.
+ */
+
+isc_result_t
+dns_dbiterator_first(dns_dbiterator_t *iterator);
+/*
+ * Move the node cursor to the first node in the database (if any).
+ *
+ * Requires:
+ *	'iterator' is a valid iterator.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMORE			There are no nodes in the database.
+ *
+ *	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_last(dns_dbiterator_t *iterator);
+/*
+ * Move the node cursor to the last node in the database (if any).
+ *
+ * Requires:
+ *	'iterator' is a valid iterator.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMORE			There are no nodes in the database.
+ *
+ *	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name);
+/*
+ * Move the node cursor to the node with name 'name'.
+ *
+ * Requires:
+ *	'iterator' is a valid iterator.
+ *
+ *	'name' is a valid name.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOTFOUND
+ *
+ *	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_prev(dns_dbiterator_t *iterator);
+/*
+ * Move the node cursor to the previous node in the database (if any).
+ *
+ * Requires:
+ *	'iterator' is a valid iterator.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMORE			There are no more nodes in the
+ *					database.
+ *
+ *	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_next(dns_dbiterator_t *iterator);
+/*
+ * Move the node cursor to the next node in the database (if any).
+ *
+ * Requires:
+ *	'iterator' is a valid iterator.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMORE			There are no more nodes in the
+ *					database.
+ *
+ *	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
+		       dns_name_t *name);
+/*
+ * Return the current node.
+ *
+ * Notes:
+ *	If 'name' is not NULL, it will be set to the name of the node.
+ *
+ * Requires:
+ *	'iterator' is a valid iterator.
+ *
+ *	nodep != NULL && *nodep == NULL
+ *
+ *	The node cursor of 'iterator' is at a valid location (i.e. the
+ *	result of last call to a cursor movement command was DNS_R_SUCCESS).
+ *
+ *	'name' is NULL, or is a valid name with a dedicated buffer.
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *	DNS_R_NEWORIGIN			If this iterator was created with
+ *					'relative_names' set to ISC_TRUE,
+ *					then DNS_R_NEWORIGIN will be returned
+ *					when the origin the names are
+ *					relative to changes.  This result
+ *					can occur only when 'name' is not
+ *					NULL.  This is also a successful
+ *					result.
+ *
+ *	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_pause(dns_dbiterator_t *iterator);
+/*
+ * Pause iteration.
+ *
+ * Calling a cursor movement method or dns_dbiterator_current() may cause
+ * database locks to be acquired.  Rather than reacquire these locks every
+ * time one of these routines is called, the locks may simply be held.
+ * Calling dns_dbiterator_pause() releases any such locks.  Iterator clients
+ * should call this routine any time they are not going to execute another
+ * iterator method in the immediate future.
+ *
+ * Requires:
+ *	'iterator' is a valid iterator.
+ *
+ *	'iterator' has not been paused already.
+ *
+ * Ensures:
+ *	Any database locks being held for efficiency of iterator access are
+ *	released.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *
+ *	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name);
+/*
+ * Return the origin to which returned node names are relative.
+ *
+ * Requires:
+ *
+ *	'iterator' is a valid relative_names iterator.
+ *
+ *	'name' is a valid name with a dedicated buffer.
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOSPACE
+ *
+ *	Other results are possible, depending on the DB implementation.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DBITERATOR_H */
diff --git a/lib/dns/include/dns/dbtable.h b/lib/dns/include/dns/dbtable.h
new file mode 100644
index 00000000..d95c5e6d
--- /dev/null
+++ b/lib/dns/include/dns/dbtable.h
@@ -0,0 +1,147 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS DB Tables
+ *
+ * XXX <TBS> XXX
+ *
+ * MP:
+ *	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *	None.
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ *	None.
+ */
+
+#include <isc/mem.h>
+
+#include <dns/result.h>
+#include <dns/types.h>
+
+isc_result_t
+dns_dbtable_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+		   dns_dbtable_t **dbtablep);
+/*
+ * Make a new dbtable of class 'rdclass'
+ *
+ * Requires:
+ *	mctx != NULL
+ * 	dbtablep != NULL && *dptablep == NULL
+ *	'rdclass' is a valid class
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMEMORY
+ *	DNS_R_UNEXPECTED
+ */
+
+void
+dns_dbtable_attach(dns_dbtable_t *source, dns_dbtable_t **targetp);
+/*
+ * Attach '*targetp' to 'source'.
+ *
+ * Requires:
+ *
+ *	'source' is a valid dbtable.
+ *
+ *	'targetp' points to a NULL dns_dbtable_t *.
+ *
+ * Ensures:
+ *
+ *	*targetp is attached to source.
+ */
+
+void
+dns_dbtable_detach(dns_dbtable_t **dbtablep);
+/*
+ * Detach *dbtablep from its dbtable.
+ *
+ * Requires:
+ *
+ *	'*dbtablep' points to a valid dbtable.
+ *
+ * Ensures:
+ *
+ *	*dbtablep is NULL.
+ *
+ *	If '*dbtablep' is the last reference to the dbtable,
+ *
+ *		All resources used by the dbtable will be freed
+ */
+
+isc_result_t
+dns_dbtable_add(dns_dbtable_t *dbtable, dns_db_t *db);
+/*
+ * Add 'db' to 'dbtable'.
+ *
+ * Requires:
+ *	'dbtable' is a valid dbtable.
+ *
+ *	'db' is a valid database with the same class as 'dbtable'
+ */
+
+void
+dns_dbtable_remove(dns_dbtable_t *dbtable, dns_db_t *db);
+/*
+ * Remove 'db' from 'dbtable'.
+ *
+ * Requires:
+ *	'db' was previously added to 'dbtable'.
+ */
+
+void
+dns_dbtable_adddefault(dns_dbtable_t *dbtable, dns_db_t *db);
+/*
+ * Use 'db' as the result of a dns_dbtable_find() if no better match is
+ * available.
+ */
+
+void
+dns_dbtable_getdefault(dns_dbtable_t *dbtable, dns_db_t **db);
+/*
+ * Get the 'db' used as the result of a dns_dbtable_find()
+ * if no better match is available.
+ */
+
+void
+dns_dbtable_removedefault(dns_dbtable_t *dbtable);
+/*
+ * Remove the default db from 'dbtable'.
+ */
+
+isc_result_t
+dns_dbtable_find(dns_dbtable_t *dbtable, dns_name_t *name, dns_db_t **dbp);
+/*
+ * Find the deepest match to 'name' in the dbtable, and return it
+ *
+ * Returns:  DNS_R_SUCCESS		on success
+ *	     <something else>		no default and match
+ */
diff --git a/lib/dns/include/dns/dispatch.h b/lib/dns/include/dns/dispatch.h
new file mode 100644
index 00000000..a7757372
--- /dev/null
+++ b/lib/dns/include/dns/dispatch.h
@@ -0,0 +1,305 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_DISPATCH_H
+#define DNS_DISPATCH_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Dispatch Management
+ *
+ * 	Shared UDP and single-use TCP dispatches for queries and responses.
+ *
+ * MP:
+ *
+ *     	All locking is performed internally to each dispatch.
+ *
+ * Reliability:
+ *
+ * Resources:
+ *
+ * Security:
+ *
+ *	Depends on the isc_socket_t and dns_message_t for prevention of
+ *	buffer overruns.
+ *
+ * Standards:
+ *
+ *	None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/boolean.h>
+#include <isc/buffer.h>
+#include <isc/lang.h>
+#include <isc/sockaddr.h>
+#include <isc/socket.h>
+
+#include <dns/types.h>
+#include <dns/result.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_DISPATCHEVENT_RECV	(ISC_EVENTCLASS_DNS + 1) /* XXXMLG */
+
+/*
+ * This event is sent to a task when a response (or request) comes in.
+ * No part of this structure should ever be modified by the caller,
+ * other than parts of the buffer.  The holy parts of the buffer are
+ * the base and size of the buffer.  All other parts of the buffer may
+ * be used.  On event delivery the used region contains the packet.
+ *
+ * "id" is the received message id,
+ *
+ * "addr" is the host that sent it to us,
+ *
+ * "buffer" holds state on the received data.
+ *
+ * The "free" routine for this event will clean up itself as well as
+ * any buffer space allocated from common pools.
+ */
+
+struct dns_dispatchevent {
+	ISC_EVENT_COMMON(dns_dispatchevent_t);	/* standard event common */
+	isc_result_t		result;		/* result code */
+	isc_int32_t		id;		/* message id */
+	isc_sockaddr_t		addr;		/* address recv'd from */
+	isc_buffer_t	        buffer;		/* data buffer */
+};
+
+/*
+ * Functions to:
+ *
+ *	Return if a packet is a query or a response,
+ *	Hash IDs,
+ *	Generate a new random ID,
+ *	Compare entries (IDs) for equality,
+ */
+struct dns_dispatchmethods {
+	isc_uint32_t (*randomid)(dns_dispatch_t *);
+	isc_uint32_t (*hash)(dns_dispatch_t *, isc_sockaddr_t *,
+			     isc_uint32_t);
+};
+typedef struct dns_dispatchmethods dns_dispatchmethods_t;
+
+isc_result_t
+dns_dispatch_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
+		    unsigned int maxbuffersize,
+		    unsigned int maxbuffers, unsigned int maxrequests,
+		    unsigned int buckets, unsigned int increment,
+		    dns_dispatchmethods_t *methods,
+		    dns_dispatch_t **dispp);
+/*
+ * Create a new dns_dispatch and attach it to the provided isc_socket_t.
+ *
+ * For all dispatches, "maxbuffersize" is the maximum packet size we will
+ * accept.
+ *
+ * "maxbuffers" and "maxrequests" control the number of buffers in the
+ * overall system and the number of buffers which can be allocated to
+ * requests.
+ *
+ * "buckets" is the number of buckets to use, and should be prime.
+ *
+ * "increment" is used in a collision avoidance function, and needs to be
+ * a prime > buckets, and not 2.
+ *
+ * "methods" be NULL for normal DNS wire format, or all elements in that
+ * structure be filled in with function pointers to control dispatch
+ * behavior.
+ *
+ * Requires:
+ *
+ *	mctx is a valid memory context.
+ *
+ *	sock is a valid.
+ *
+ *	task is a valid task that can be used internally to this dispatcher.
+ *
+ * 	"buffersize" >= 512, which is the minimum receive size for a
+ *	DNS message.
+ *
+ *	maxbuffers > 0.
+ *
+ *	maxrequests <= maxbuffers.
+ *
+ *	buckets < 2097169 (the next prime after 65536 * 32)
+ *
+ *	increment > buckets (and prime)
+ */
+
+void
+dns_dispatch_attach(dns_dispatch_t *disp, dns_dispatch_t **dispp);
+/*
+ * Attach to a dispatch handle.
+ *
+ * Requires:
+ *	< mumble >
+ *
+ * Ensures:
+ *	< mumble >
+ *
+ * Returns:
+ *	< mumble >
+ */
+
+void
+dns_dispatch_detach(dns_dispatch_t **dispp);
+/*
+ * Detaches from the dispatch.
+ *
+ * Requires:
+ *	< mumble >
+ *
+ * Ensures:
+ *	< mumble >
+ *
+ * Returns:
+ *	< mumble >
+ */
+
+isc_result_t
+dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
+			 isc_task_t *task, isc_taskaction_t action, void *arg,
+			 isc_uint16_t *idp, dns_dispentry_t **resp);
+/*
+ * Add a response entry for this dispatch.
+ *
+ * "*idp" is filled in with the assigned message ID, and *resp is filled in
+ * to contain the magic token used to request event flow stop.
+ *
+ * Arranges for the given task to get a callback for response packets.  When
+ * the event is delivered, it must be returned using dns_dispatch_freeevent()
+ * or through dns_dispatch_removeresponse() for another to be delivered.
+ *
+ * Requires:
+ *	"idp" be non-NULL.
+ *
+ *	"task" "action" and "arg" be set as appropriate.
+ *
+ *	"dest" be non-NULL and valid.
+ *
+ *	"resp" be non-NULL and *resp be NULL
+ *
+ * Ensures:
+ *
+ *	<id, dest> is a unique tuple.  That means incoming messages
+ *	are identifiable.
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS		-- all is well.
+ *	DNS_R_NOMEMORY		-- memory could not be allocated.
+ *	DNS_R_NOMORE		-- no more message ids can be allocated
+ *				   for this destination.
+ */
+
+void
+dns_dispatch_removeresponse(dns_dispatch_t *disp, dns_dispentry_t **resp,
+			    dns_dispatchevent_t **sockevent);
+/*
+ * Stops the flow of responses for the provided id and destination.
+ * If "sockevent" is non-NULL, the dispatch event and associated buffer is
+ * also returned to the system.
+ *
+ * Requires:
+ *	"resp" != NULL and "*resp" contain a value previously allocated
+ *	by dns_dispatch_addresponse();
+ *
+ * Ensures:
+ *	< mumble >
+ *
+ * Returns:
+ *	< mumble >
+ */
+
+isc_result_t
+dns_dispatch_addrequest(dns_dispatch_t *disp,
+			isc_task_t *task, isc_taskaction_t action, void *arg,
+			dns_dispentry_t **resp);
+/*
+ * Arranges for the given task to get a callback for request packets.  When
+ * the event is delivered, it must be returned using dns_dispatch_freeevent()
+ * or through dns_dispatch_removerequest() for another to be delivered.
+ *
+ * Requires:
+ *	< mumble >
+ *
+ * Ensures:
+ *	< mumble >
+ *
+ * Returns:
+ *	< mumble >
+ */
+
+void
+dns_dispatch_removerequest(dns_dispatch_t *disp, dns_dispentry_t **resp,
+			   dns_dispatchevent_t **sockevent);
+/*
+ * Stops the flow of requests for the provided id and destination.
+ * If "sockevent" is non-NULL, the dispatch event and associated buffer is
+ * also returned to the system.
+ *
+ * Requires:
+ *	< mumble >
+ *
+ * Ensures:
+ *	< mumble >
+ *
+ * Returns:
+ *	< mumble >
+ */
+
+void
+dns_dispatch_freeevent(dns_dispatch_t *disp, dns_dispentry_t *resp,
+		       dns_dispatchevent_t **sockevent);
+/*
+ * Return a dispatchevent and associated buffer to the dispatch.  This needs
+ * to be called if more events are desired but a particular event is fully
+ * processed, and the associated buffer is no longer needed.
+ *
+ * Requires:
+ *	< mumble >
+ *
+ * Ensures:
+ *	< mumble >
+ *
+ * Returns:
+ *	< mumble >
+ */
+
+isc_socket_t *
+dns_dispatch_getsocket(dns_dispatch_t *disp);
+/*
+ * Return the socket associated with this dispatcher
+ */
+
+void
+dns_dispatch_cancel(dns_dispatch_t *disp);
+/*
+ * cancel outstanding clients
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DISPATCH_H */
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
new file mode 100644
index 00000000..ea438fa9
--- /dev/null
+++ b/lib/dns/include/dns/dnssec.h
@@ -0,0 +1,186 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_DNSSEC_H
+#define DNS_DNSSEC_H 1
+
+#include <isc/mem.h>
+#include <isc/lang.h>
+#include <isc/time.h>
+
+#include <dns/types.h>
+
+#include <dst/dst.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_dnssec_add_trusted_key(dst_key_t *key, isc_mem_t *mctx);
+/*
+ *	Adds a key to the set of trusted keys.
+ *
+ *	Requires:
+ *		'key' must be a valid DST_KEY *
+ *		'mctx' must be a valid isc_mem_t
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS
+ *		ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx,
+			dst_key_t **key);
+/*
+ *	Creates a DST key from a DNS record.  Basically a wrapper around
+ *	dst_key_fromdns().
+ *
+ *	Requires:
+ *		'name' is not NULL
+ *		'rdata' is not NULL
+ *		'mctx' is not NULL
+ *		'key' is not NULL
+ *		'*key' is NULL
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS
+ *		ISC_R_NOMEMORY
+ *		DST_R_INVALIDPUBLICKEY
+ *		various errors from dns_name_totext
+ */
+
+isc_result_t
+dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+		isc_stdtime_t *inception, isc_stdtime_t *expire,
+		isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata);
+/*
+ *	Generates a SIG record covering this rdataset.  This has no effect
+ *	on existing SIG records.
+ *
+ *	Requires:
+ *		'name' (the owner name of the record) is a valid name
+ *		'set' is a valid rdataset
+ *		'key' is a valid key
+ *		'inception' is not NULL
+ *		'expire' is not NULL
+ *		'mctx' is not NULL
+ *		'buffer' is not NULL
+ *		'sigrdata' is not NULL
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS
+ *		ISC_R_NOMEMORY
+ *		ISC_R_NOSPACE
+ *		DNS_R_INVALIDTIME - the expiration is before the inception
+ *		DNS_R_KEYUNAUTHORIZED - the key cannot sign this data (either
+ *			it is not a zone key or its flags prevent
+ *			authentication)
+ *		DST_R_*
+ */
+
+isc_result_t
+dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+		  isc_mem_t *mctx, dns_rdata_t *sigrdata);
+/*
+ *	Verifies the SIG record covering this rdataset signed by a specific
+ *	key.  This does not determine if the key's owner is authorized to
+ *	sign this record, as this requires a resolver or database.
+ *
+ *	Requires:
+ *		'name' (the owner name of the record) is a valid name
+ *		'set' is a valid rdataset
+ *		'key' is a valid key
+ *		'mctx' is not NULL
+ *		'sigrdata' is a valid rdata containing a SIG record
+ *
+ *	Returns:
+ *		DNS_R_SUCCESS
+ *		ISC_R_NOMEMORY
+ *		DNS_R_SIGINVALID - the signature fails to verify
+ *		DNS_R_SIGEXPIRED - the signature has expired
+ *		DNS_R_SIGFUTURE - the signature's validity period has not begun
+ *		DNS_R_KEYUNAUTHORIZED - the key cannot sign this data (either
+ *			it is not a zone key or its flags prevent
+ *			authentication)
+ *		DST_R_*
+ */
+
+isc_result_t
+dns_dnssec_init(void);
+/*
+ *	Initializes the DNSSEC subsystem
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS
+ *		ISC_R_UNEXPECTED
+ */
+
+void
+dns_dnssec_destroy(void);
+/*
+ *	Frees all data associated with the DNSSEC subsystem
+ */
+
+isc_result_t
+dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node, 
+			dns_name_t *name, isc_mem_t *mctx, unsigned int maxkeys,
+			dst_key_t **keys, unsigned int *nkeys);
+/*
+ * 	Finds a set of zone keys.
+ * 	XXX temporary - this should be handled in dns_zone_t.
+ */
+
+isc_result_t
+dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key);
+/*
+ *	Signs a message with a SIG(0) record.  This is implicitly called by
+ *	dns_message_renderend() if msg->sig0key is not NULL.
+ *
+ *	Requires:
+ *		'msg' is a valid message
+ *		'key' is a valid key that can be used for signing
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS
+ *		ISC_R_NOMEMORY
+ *		DST_R_*
+ */
+
+isc_result_t
+dns_dnssec_verifymessage(dns_message_t *msg, dst_key_t *key);
+/*
+ *	Verifies a message signed by a SIG(0) record.  This is not
+ *	called implicitly by dns_message_parse().  If dns_message_signer()
+ *	is called before dns_dnssec_verifymessage(), it will return
+ *	DNS_R_SIGNOTVERIFIEDYET.  dns_dnssec_verifymessage() will set
+ *	the verified_sig0 flag in msg if the verify succeeds, and
+ *	the sig0status field otherwise.
+ *
+ *	Requires:
+ *		'msg' is a valid message
+ *		'key' is a valid key
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS
+ *		ISC_R_NOMEMORY
+ *		ISC_R_NOTFOUND - no SIG(0) was found
+ *		DST_R_*
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DNSSEC_H */
diff --git a/lib/dns/include/dns/events.h b/lib/dns/include/dns/events.h
new file mode 100644
index 00000000..68b34b38
--- /dev/null
+++ b/lib/dns/include/dns/events.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_EVENTS_H
+#define DNS_EVENTS_H 1
+
+#include <isc/eventclass.h>
+#include <isc/lang.h>
+
+/*
+ * Registry of DNS event numbers.
+ */
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_EVENT_FETCHCONTROL			(ISC_EVENTCLASS_DNS + 0)
+#define DNS_EVENT_FETCHDONE			(ISC_EVENTCLASS_DNS + 1)
+#define DNS_EVENT_VIEWRESSHUTDOWN		(ISC_EVENTCLASS_DNS + 2)
+#define DNS_EVENT_VIEWADBSHUTDOWN		(ISC_EVENTCLASS_DNS + 3)
+#define DNS_EVENT_UPDATE			(ISC_EVENTCLASS_DNS + 4)
+#define DNS_EVENT_UPDATEDONE			(ISC_EVENTCLASS_DNS + 5)
+#define DNS_EVENT_DISPATCH			(ISC_EVENTCLASS_DNS + 6)
+#define DNS_EVENT_TCPMSG			(ISC_EVENTCLASS_DNS + 7)
+#define DNS_EVENT_ADBMOREADDRESSES		(ISC_EVENTCLASS_DNS + 8)
+#define DNS_EVENT_ADBNOMOREADDRESSES		(ISC_EVENTCLASS_DNS + 9)
+#define DNS_EVENT_ADBCANCELED			(ISC_EVENTCLASS_DNS + 10)
+#define DNS_EVENT_ADBNAMEDELETED		(ISC_EVENTCLASS_DNS + 11)
+#define DNS_EVENT_ADBSHUTDOWN			(ISC_EVENTCLASS_DNS + 12)
+#define DNS_EVENT_ADBEXPIRED			(ISC_EVENTCLASS_DNS + 13)
+#define DNS_EVENT_ADBCONTROL			(ISC_EVENTCLASS_DNS + 14)
+#define DNS_EVENT_CACHECLEAN			(ISC_EVENTCLASS_DNS + 15)
+#define DNS_EVENT_BYADDRDONE			(ISC_EVENTCLASS_DNS + 16)
+
+#define DNS_EVENT_FIRSTEVENT			(ISC_EVENTCLASS_DNS + 0)
+#define DNS_EVENT_LASTEVENT			(ISC_EVENTCLASS_DNS + 65535)
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_EVENTS_H */
diff --git a/lib/dns/include/dns/fixedname.h b/lib/dns/include/dns/fixedname.h
new file mode 100644
index 00000000..3545ef9f
--- /dev/null
+++ b/lib/dns/include/dns/fixedname.h
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_FIXEDNAME_H
+#define DNS_FIXEDNAME_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Fixed-size Names
+ *
+ * dns_fixedname_t is a convenience type containing a name, an offsets table,
+ * and a dedicated buffer big enough for the longest possible name.
+ *
+ * MP:
+ *	The caller must ensure any required synchronization.
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *	Per dns_fixedname_t:
+ *		sizeof(dns_name_t) + sizeof(dns_offsets_t) +
+ *		sizeof(isc_buffer_t) + 255 bytes + structure padding
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ *	None.
+ */
+
+/*****
+ ***** Imports
+ *****/
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+
+#include <dns/types.h>
+#include <dns/name.h>
+#include <dns/result.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Types
+ *****/
+
+struct dns_fixedname {
+	dns_name_t			name;
+	dns_offsets_t			offsets;
+	isc_buffer_t			buffer;
+	unsigned char			data[255];
+};
+
+#define dns_fixedname_init(fn) \
+	do { \
+		dns_name_init(&((fn)->name), (fn)->offsets); \
+		isc_buffer_init(&((fn)->buffer), (fn)->data, 255, \
+				ISC_BUFFERTYPE_BINARY); \
+		dns_name_setbuffer(&((fn)->name), &((fn)->buffer)); \
+	} while (0)
+
+#define dns_fixedname_invalidate(fn) \
+	dns_name_invalidate(&((fn)->name))
+
+#define dns_fixedname_name(fn)		(&((fn)->name))
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_FIXEDNAME_H */
diff --git a/lib/dns/include/dns/journal.h b/lib/dns/include/dns/journal.h
new file mode 100644
index 00000000..79441d86
--- /dev/null
+++ b/lib/dns/include/dns/journal.h
@@ -0,0 +1,502 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_JOURNAL_H
+#define DNS_JOURNAL_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Database journalling.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/types.h>
+
+#include <dns/result.h>
+#include <dns/types.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+
+/***
+ *** Types
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * A dns_difftuple_t represents a single RR being added or deleted.
+ * The RR type and class are in the 'rdata' member; the class is always
+ * the real one, not a DynDNS meta-class, so that the rdatas can be
+ * compared using dns_rdata_compare().  The TTL is significant 
+ * even for deletions, because a deletion/addition pair cannot
+ * be canceled out if the TTL differs (it might be an explicit
+ * TTL update).
+ *
+ * Tuples are also used to represent complete RRs with owner
+ * names for a couple of other purposes, such as the 
+ * individual RRs of a "RRset exists (value dependent)"
+ * prerequisite set.  In this case, op==DNS_DIFFOP_EXISTS,
+ * and the TTL is ignored.
+ */
+
+typedef enum {
+	DNS_DIFFOP_ADD,	        /* Add an RR. */
+	DNS_DIFFOP_DEL,		/* Delete an RR. */
+	DNS_DIFFOP_EXISTS	/* Assert RR existence. */
+} dns_diffop_t;
+
+typedef struct dns_difftuple dns_difftuple_t;
+
+#define DNS_DIFFTUPLE_MAGIC	0x44494654U	/* DIFT. */
+#define DNS_DIFFTUPLE_VALID(t)	((t) != NULL && \
+				 (t)->magic == DNS_DIFFTUPLE_MAGIC)
+
+struct dns_difftuple {
+        unsigned int			magic;
+	isc_mem_t			*mctx;
+	dns_diffop_t			op;        
+	dns_name_t			name;
+	dns_ttl_t			ttl;
+	dns_rdata_t			rdata;
+	ISC_LINK(dns_difftuple_t)	link;
+	/* Variable-size name data and rdata follows. */
+};
+
+/*
+ * A dns_diff_t represents a set of changes being applied to
+ * a zone.  Diffs are also used to represent "RRset exists 
+ * (value dependent)" prerequisites.
+ */
+typedef struct dns_diff dns_diff_t;
+
+#define DNS_DIFF_MAGIC		0x44494646U	/* DIFF. */
+#define DNS_DIFF_VALID(t)	((t) != NULL && \
+					 (t)->magic == DNS_DIFF_MAGIC)
+
+struct dns_diff {
+	unsigned int			magic;
+	isc_mem_t *			mctx;
+	ISC_LIST(dns_difftuple_t)	tuples;
+};
+
+/* Type of comparision function for sorting diffs. */
+typedef int dns_diff_compare_func(const void *, const void *);
+
+/*
+ * A dns_journal_t represents an open journal file.  This is an opaque type.
+ *
+ * A particular dns_journal_t object may be opened for writing, in which case
+ * it can be used for writing transactions to a journal file, or it can be
+ * opened for reading, in which case it can be used for reading transactions
+ * from (iterating over) a journal file.  A single dns_journal_t object may
+ * not be used for both purposes.
+ */
+typedef struct dns_journal dns_journal_t;
+
+
+/***
+ *** Functions
+ ***/
+
+/**************************************************************************/
+/*
+ * Maniuplation of diffs and tuples.
+ */
+
+isc_result_t
+dns_difftuple_create(isc_mem_t *mctx,
+		     dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
+		     dns_rdata_t *rdata, dns_difftuple_t **tp);
+/*
+ * Create a tuple.  Deep copies are made of the name and rdata, so
+ * they need not remain valid after the call.
+ *
+ * Requires:
+ *	*tp != NULL && *tp == NULL.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *      ISC_R_NOMEMORY
+ */
+
+void
+dns_difftuple_free(dns_difftuple_t **tp);
+/*
+ * Free a tuple.
+ *
+ * Requires:
+ *       **tp is a valid tuple.
+ *
+ * Ensures:
+ *       *tp == NULL
+ *       All memory used by the tuple is freed.
+ */
+
+isc_result_t
+dns_difftuple_copy(dns_difftuple_t *orig, dns_difftuple_t **copyp);
+/*
+ * Copy a tuple.
+ *
+ * Requires:
+ * 	'orig' points to a valid tuple 
+ *	copyp != NULL && *copyp == NULL
+ */
+
+void dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff);
+/*
+ * Initialize a diff.
+ *
+ * Requires:
+ *    'diff' points to an uninitialized dns_diff_t
+ *    allocated by the caller.
+ *
+ * Ensures:
+ *    '*diff' is a valid, empty diff.
+ */ 
+
+void dns_diff_clear(dns_diff_t *diff);
+/*
+ * Clear a diff, destroying all its tuples.
+ *
+ * Requires:
+ *    'diff' points to a valid dns_diff_t.
+ *
+ * Ensures:
+ *     Any tuples in the diff are destroyed.
+ *     The diff now empty, but it is still valid
+ *     and may be reused without calling dns_diff_init
+ *     again.  The only memory used is that of the
+ *     dns_diff_t structure itself.
+ *
+ * Notes:
+ *     Managing the memory of the dns_diff_t structure itself
+ *     is the caller's responsibility.
+ */
+
+void
+dns_diff_append(dns_diff_t *diff, dns_difftuple_t **tuple);
+/*
+ * Append a single tuple to a diff.
+ *
+ *	'diff' is a valid diff.
+ * 	'*tuple' is a valid tuple.
+ *
+ * Ensures:
+ *	*tuple is NULL.
+ *	The tuple has been freed, or will be freed when the diff is cleared.
+ */
+
+void
+dns_diff_appendminimal(dns_diff_t *diff, dns_difftuple_t **tuple);
+/*
+ * Append 'tuple' to 'diff', removing any duplicate
+ * or conflicting updates as needed to create a minimal diff.
+ *
+ * Requires:
+ *	'diff' is a minimal diff.
+ *
+ * Ensures:
+ *	'diff' is still a minimal diff.
+ *   	*tuple is NULL.
+ *   	The tuple has been freed, or will be freed when the diff is cleared.
+ *
+ */
+
+isc_result_t
+dns_diff_sort(dns_diff_t *diff, dns_diff_compare_func *compare);
+/*
+ * Sort 'diff' in-place according to the comparison function 'compare'.
+ */
+
+isc_result_t 
+dns_diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver);
+/*
+ * Apply 'diff' to the database 'db'.
+ *
+ * For efficiency, the diff should be sorted by owner name.
+ * If it is not sorted, operation will still be correct,
+ * but less efficient.
+ *
+ * Requires:
+ *	*diff is a valid diff (possibly empty), containing
+ *   	tuples of type DNS_DIFFOP_ADD and/or 
+ *   	For DNS_DIFFOP_DEL tuples, the TTL is ignored.
+ *
+ */
+
+isc_result_t 
+dns_diff_load(dns_diff_t *diff, dns_addrdatasetfunc_t addfunc,
+	      void *add_private);
+/*
+ * Like dns_diff_apply, but for use when loading a new database
+ * instead of modifying an existing one.  This bypasses the
+ * database transaction mechanisms.
+ *
+ * Requires:
+ * 	'addfunc' is a valid dns_addradatasetfunc_t obtained from
+ * 	dns_db_beginload()
+ * 
+ *	'add_private' points to a corresponding dns_dbload_t *
+ *      (XXX why is it a void pointer, then?)
+ */
+
+isc_result_t
+dns_diff_print(dns_diff_t *diff, FILE *file);
+
+/* 
+ * Print the differences to 'file' or if 'file' is NULL via the
+ * logging system.
+ *
+ * Require:
+ *	'diff' to be valid.
+ *	'file' to refer to a open file or NULL.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMEMORY
+ *	DNS_R_UNEXPECTED
+ *	any error from dns_rdataset_totext()
+ */
+	
+/**************************************************************************/
+/* 
+ * Misc. utilities
+ * XXX these belong in a general-purpose DNS library
+ */
+
+isc_uint32_t dns_soa_getserial(dns_rdata_t *rdata);
+/*
+ * Extract the serial number from the rdata of a SOA record.
+ *  
+ * Requires:
+ *	rdata refers to the rdata of a well-formed SOA record.
+ */
+
+void dns_soa_setserial(isc_uint32_t val, dns_rdata_t *rdata);
+/*
+ * Change the serial number of a SOA record by modifying the
+ * rdata in-place.
+ *
+ * Requires:
+ *	rdata refers to the rdata of a well-formed SOA record.
+ */
+
+isc_result_t
+dns_db_getsoaserial(dns_db_t *db, dns_dbversion_t *ver, isc_uint32_t *serialp);
+/*
+ * Get the current SOA serial number from a zone database.
+ *
+ * Requires:
+ *      'db' is a valid database with zone semantics.
+ *      'ver' is a valid version.
+ */
+
+isc_result_t
+dns_db_createsoatuple(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
+		   dns_diffop_t op, dns_difftuple_t **tp);
+/*
+ * Create a diff tuple for the current database SOA.
+ */
+
+
+#define DNS_SERIAL_GT(a, b) ((int)(((a) - (b)) & 0xFFFFFFFF) > 0)
+#define DNS_SERIAL_GE(a, b) ((int)(((a) - (b)) & 0xFFFFFFFF) >= 0)
+/*
+ * Compare SOA serial numbers.  DNS_SERIAL_GT(a, b) returns true iff 
+ * a is "greater than" b where "greater than" is as defined in RFC1982.
+ * DNS_SERIAL_GE(a, b) returns true iff a is "greater than or equal to" b.
+ */
+
+/**************************************************************************/
+/*
+ * Journal object creation and destruction.
+ */
+
+isc_result_t
+dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
+		 dns_journal_t **journalp);
+/*
+ * Open the journal file 'filename' and create a dns_journal_t object for it.
+ *
+ * If 'write' is ISC_TRUE, the journal is open for writing.  If it does 
+ * not exist, it is created.
+ *
+ * If 'write' is ISC_FALSE, the journal is open for reading.  If it does 
+ * not exist, ISC_R_NOTFOUND is returned.
+ */
+
+void
+dns_journal_destroy(dns_journal_t **journalp);
+/*
+ * Destroy a dns_journal_t, closing any open files and freeing its memory.
+ */
+
+/**************************************************************************/
+/*
+ * Writing transactions to journals.
+ */
+
+isc_result_t
+dns_journal_begin_transaction(dns_journal_t *j);
+/*
+ * Prepare to write a new transaction to the open journal file 'j'.
+ *
+ * Requires:
+ *      'j' is open for writing.
+ */
+
+isc_result_t
+dns_journal_writediff(dns_journal_t *j, dns_diff_t *diff);
+/*
+ * Write 'diff' to the current transaction of journal file 'j'.
+ *
+ * Requires:
+ *      'j' is open for writing and dns_journal_begin_transaction()
+ * 	has been called.
+ * 
+ * 	'diff' is a full or partial, correctly ordered IXFR
+ *      difference sequence.
+ */
+
+isc_result_t
+dns_journal_commit(dns_journal_t *j);
+/*
+ * Commit the current transaction of journal file 'j'.
+ *
+ * Requires:
+ *      'j' is open for writing and dns_journal_begin_transaction()
+ * 	has been called.
+ *
+ *      dns_journal_writediff() has been called one or more times
+ * 	to form a complete, correctly ordered IXFR difference
+ *      sequence.
+ */
+
+isc_result_t
+dns_journal_write_transaction(dns_journal_t *j, dns_diff_t *diff);
+/*
+ * Write a complete transaction at once to a journal file,
+ * sorting it if necessary, and commit it.  Equivalent to calling
+ * dns_diff_sort(), dns_journal_begin_transaction(),
+ * dns_journal_writediff(), and dns_journal_commit().
+ *
+ * Requires:
+ *      'j' is open for writing.
+ *
+ * 	'diff' contains exactly one SOA deletion, one SOA addition
+ *       with a greater serial number, and possibly other changes,
+ *       in arbitrary order.
+ */
+
+/**************************************************************************/
+/*
+ * Reading transactions from journals.
+ */
+
+isc_uint32_t dns_journal_first_serial(dns_journal_t *j);
+isc_uint32_t dns_journal_last_serial(dns_journal_t *j);
+/*
+ * Get the first and last addressable serial number in the journal.
+ */
+
+isc_result_t
+dns_journal_iter_init(dns_journal_t *j,
+		      isc_uint32_t begin_serial, isc_uint32_t end_serial);
+/*
+ * Prepare to iterate over the transactions that will bring the database
+ * from SOA serial number 'begin_serial' to 'end_serial'.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS	
+ *	DNS_R_NOTFOUND	begin_serial is within the range of adressable
+ *			serial numbers covered by the journal, but
+ *			this particular serial number does not exist.
+ *	DNS_R_RANGE	begin_serial is outside the addressable range.
+ */
+
+isc_result_t dns_journal_first_rr(dns_journal_t *j);
+isc_result_t dns_journal_next_rr(dns_journal_t *j);
+/*
+ * Position the iterator at the first/next RR in a journal
+ * transaction sequence established using dns_journal_iter_init().
+ *
+ * Requires:
+ *      dns_journal_iter_init() has been called.
+ *
+ */
+
+void dns_journal_current_rr(dns_journal_t *j, dns_name_t **name, 
+			    isc_uint32_t *ttl, dns_rdata_t **rdata);
+/*
+ * Get the name, ttl, and rdata of the current journal RR.
+ *
+ * Requires:
+ *      The last call to dns_journal_first_rr() or dns_journal_next_rr()
+ *      returned DNS_R_SUCCESS.
+ */
+
+/**************************************************************************/
+/*
+ * Database roll-forward.
+ */
+
+isc_result_t
+dns_journal_rollforward(isc_mem_t *mctx, dns_db_t *db, const char *filename);
+/*
+ * Roll forward (play back) the journal file "filename" into the
+ * database "db".  This should be called when the server starts
+ * after a shutdown or crash.
+ *
+ * Requires:
+ *      'mctx' is a valid memory context.
+ *	'db' is a valid database which does not have a version
+ *           open for writing.
+ *      'filename' is the name of the journal file belonging to 'db'.
+ *
+ * Returns:
+ *	DNS_R_NOJOURNAL when journal does not exist.
+ *	DNS_R_NOTFOUND when current serial in not in journal.
+ *	DNS_R_SUCCESS journal has been applied successfully to database.
+ *	others
+ */
+
+isc_result_t dns_journal_print(isc_mem_t *mctx, const char *filename, FILE *file);
+/* For debugging not general use */
+
+isc_result_t
+dns_db_diff(isc_mem_t *mctx,
+	    dns_db_t *dba, dns_dbversion_t *dbvera,
+	    dns_db_t *dbb, dns_dbversion_t *dbverb,
+	    const char *journal_filename);
+/*
+ * Compare the databases 'dba' and 'dbb' and generate a journal
+ * entry containing the changes to make 'dba' from 'dbb' (note
+ * the order).  This journal entry will consist of a single,
+ * possibly very large transaction.  Append the journal
+ * entry to the journal file specified by 'journal_filename'.
+ */ 
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_JOURNAL_H */
diff --git a/lib/dns/include/dns/keyflags.h b/lib/dns/include/dns/keyflags.h
new file mode 100644
index 00000000..343fe2f9
--- /dev/null
+++ b/lib/dns/include/dns/keyflags.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_KEYFLAGS_H
+#define DNS_KEYFLAGS_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t dns_keyflags_fromtext(dns_keyflags_t *flagsp,
+				   isc_textregion_t *source);
+/*
+ * Convert the text 'source' refers to into a DNSSEC KEY flags value.
+ * The text may contain either a set of flag mnemonics separated by
+ * vertical bars or a decimal flags value.  For compatibility with
+ * older versions of BIND and the DNSSEC signer, octal values 
+ * prefixed with a zero and hexadecimal values prefixed with "0x"
+ * are also accepted.
+ *
+ * Requires:
+ *	'flagsp' is a valid pointer.
+ *
+ *	'source' is a valid text region.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS			on success
+ *	DNS_R_UNKNOWN			mnemonic flag is unknown
+ *	DNS_R_RANGE			numeric flag value is out of range
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_KEYFLAGS_H */
diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h
new file mode 100644
index 00000000..f61a3615
--- /dev/null
+++ b/lib/dns/include/dns/keyvalues.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_KEYVALUES_H
+#define DNS_KEYVALUES_H 1
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * Flags field of the KEY RR rdata
+ */
+#define DNS_KEYFLAG_TYPEMASK	0xC000	/* Mask for "type" bits */
+#define DNS_KEYTYPE_AUTHCONF	0x0000	/* Key usable for both */
+#define DNS_KEYTYPE_CONFONLY	0x8000	/* Key usable for confidentiality */
+#define DNS_KEYTYPE_AUTHONLY	0x4000	/* Key usable for authentication */
+#define DNS_KEYTYPE_NOKEY	0xC000	/* No key usable for either; no key */
+#define DNS_KEYTYPE_NOAUTH	DNS_KEYTYPE_CONFONLY
+#define DNS_KEYTYPE_NOCONF	DNS_KEYTYPE_AUTHONLY
+
+#define DNS_KEYFLAG_RESERVED2	0x2000	/* Security is *mandatory* if bit=0 */
+#define DNS_KEYFLAG_EXTENDED	0x1000	/* key has extended flags */
+#define DNS_KEYFLAG_RESERVED4	0x0800	/* reserved - must be zero */
+#define DNS_KEYFLAG_RESERVED5	0x0400	/* reserved - must be zero */
+#define DNS_KEYFLAG_OWNERMASK	0x0300	/* these bits determine the type */
+#define DNS_KEYOWNER_USER	0x0000	/* key is assoc. with user */
+#define DNS_KEYOWNER_ENTITY	0x0200	/* key is assoc. with entity eg host */
+#define DNS_KEYOWNER_ZONE	0x0100	/* key is zone key */
+#define DNS_KEYOWNER_RESERVED	0x0300	/* reserved meaning */
+#define DNS_KEYFLAG_RESERVED8	0x0080	/* reserved - must be zero */
+#define DNS_KEYFLAG_RESERVED9	0x0040	/* reserved - must be zero */
+#define DNS_KEYFLAG_RESERVED10	0x0020	/* reserved - must be zero */
+#define DNS_KEYFLAG_RESERVED11	0x0010	/* reserved - must be zero */
+#define DNS_KEYFLAG_SIGNATORYMASK	0x000F	/* key can sign RR's of same name */
+
+#define DNS_KEYFLAG_RESERVEDMASK (DNS_KEYFLAG_RESERVED2 | \
+				  DNS_KEYFLAG_RESERVED4 | \
+				  DNS_KEYFLAG_RESERVED5 | \
+				  DNS_KEYFLAG_RESERVED8 | \
+				  DNS_KEYFLAG_RESERVED9 | \
+				  DNS_KEYFLAG_RESERVED10 | \
+				  DNS_KEYFLAG_RESERVED11 )
+
+#define DNS_KEYFLAG_RESERVEDMASK2 0xFFFF	/* no bits defined here */
+
+/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
+#define DNS_KEYALG_MD5RSA	1       /* MD5 with RSA */
+#define DNS_KEYALG_RSA		DNS_KEYALG_MD5RSA
+#define DNS_KEYALG_DH		2       /* Diffie Hellman KEY */
+#define DNS_KEYALG_DSA		3       /* DSA KEY */
+#define DNS_KEYALG_DSS		NS_ALG_DSA
+#define DNS_KEYALG_EXPIREONLY	253     /* No alg, no security */
+#define DNS_KEYALG_PRIVATEOID	254     /* Key begins with OID giving alg */
+
+/* Protocol values  */
+#define	DNS_KEYPROTO_RESERVED	0
+#define DNS_KEYPROTO_TLS	1
+#define DNS_KEYPROTO_EMAIL	2
+#define DNS_KEYPROTO_DNSSEC	3
+#define DNS_KEYPROTO_IPSEC	4
+#define DNS_KEYPROTO_ANY	255
+
+/* Signatures */
+#define DNS_SIG_RSAMINBITS	512	/* Size of a mod or exp in bits */
+#define DNS_SIG_RSAMAXBITS	2552
+	/* Total of binary mod and exp */
+#define DNS_SIG_RSAMAXBYTES	((DNS_SIG_RSAMAXBITS+7/8)*2+3)
+	/* Max length of text sig block */
+#define DNS_SIG_RSAMAXBASE64	(((DNS_SIG_RSAMAXBYTES+2)/3)*4)
+#define DNS_SIG_RSAMINSIZE	((DNS_SIG_RSAMINBITS+7)/8)
+#define DNS_SIG_RSAMAXSIZE	((DNS_SIG_RSAMAXBITS+7)/8)
+
+#define DNS_SIG_DSASIGSIZE	41
+#define DNS_SIG_DSAMINBITS	512
+#define DNS_SIG_DSAMAXBITS	1024
+#define DNS_SIG_DSAMINBYTES	213
+#define DNS_SIG_DSAMAXBYTES	405
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_KEYVALUES_H */
diff --git a/lib/dns/include/dns/lib.h b/lib/dns/include/dns/lib.h
new file mode 100644
index 00000000..52d56374
--- /dev/null
+++ b/lib/dns/include/dns/lib.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_LIB_H
+#define DNS_LIB_H 1
+
+#include <isc/types.h>
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+extern isc_msgcat_t *dns_msgcat;
+
+void
+dns_lib_initmsgcat(void);
+/*
+ * Initialize the DNS library's message catalog, dns_msgcat, if it
+ * has not already been initialized.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_LIB_H */
diff --git a/lib/dns/include/dns/log.h b/lib/dns/include/dns/log.h
new file mode 100644
index 00000000..8af09f38
--- /dev/null
+++ b/lib/dns/include/dns/log.h
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/* $Id: log.h,v 1.11 2000/02/03 23:40:57 halley Exp $ */
+
+/* Principal Authors: DCL */
+
+#ifndef DNS_LOG_H
+#define DNS_LOG_H 1
+
+#include <isc/log.h>
+
+#include <dns/result.h>
+
+ISC_LANG_BEGINDECLS
+
+extern isc_log_t *dns_lctx;
+extern isc_logcategory_t dns_categories[];
+extern isc_logmodule_t dns_modules[];
+
+#define DNS_LOGCATEGORY_GENERAL		(&dns_categories[0])
+#define DNS_LOGCATEGORY_DATABASE	(&dns_categories[1])
+#define DNS_LOGCATEGORY_SECURITY	(&dns_categories[2])
+#define DNS_LOGCATEGORY_CONFIG		(&dns_categories[3])
+#define DNS_LOGCATEGORY_PARSER		(&dns_categories[4])
+#define DNS_LOGCATEGORY_RESOLVER	(&dns_categories[5])
+#define DNS_LOGCATEGORY_XFER_IN		(&dns_categories[6])
+#define DNS_LOGCATEGORY_XFER_OUT	(&dns_categories[7])
+
+#define DNS_LOGMODULE_DB		(&dns_modules[0])
+#define DNS_LOGMODULE_RBTDB		(&dns_modules[1])
+#define DNS_LOGMODULE_RBTDB64		(&dns_modules[2])
+#define DNS_LOGMODULE_RBT		(&dns_modules[3])
+#define DNS_LOGMODULE_RDATA		(&dns_modules[4])
+#define DNS_LOGMODULE_MASTER		(&dns_modules[5])
+#define DNS_LOGMODULE_MESSAGE		(&dns_modules[6])
+#define DNS_LOGMODULE_CACHE		(&dns_modules[7])
+#define DNS_LOGMODULE_CONFIG		(&dns_modules[8])
+#define DNS_LOGMODULE_RESOLVER		(&dns_modules[9])
+#define DNS_LOGMODULE_ZONE		(&dns_modules[10])
+#define DNS_LOGMODULE_JOURNAL		(&dns_modules[11])
+#define DNS_LOGMODULE_ADB		(&dns_modules[12])
+#define DNS_LOGMODULE_XFER_IN		(&dns_modules[13])
+#define DNS_LOGMODULE_XFER_OUT		(&dns_modules[14])
+#define DNS_LOGMODULE_ACL		(&dns_modules[15])
+
+isc_result_t
+dns_log_init(isc_log_t *lctx);
+/*
+ * Make the libdns.a categories and modules available for use with the
+ * ISC logging library.
+ *
+ * Requires:
+ *	lctx is a valid logging context.
+ *
+ *	dns_log_init() is called only once.
+ *
+ * Ensures:
+ *	ISC_R_SUCCESS
+ *		The catgories and modules defined above are available for
+ *		use by isc_log_usechannnel() and isc_log_write().
+ *
+ *	ISC_R_NOMEMORY
+ *		The catgories and modules defined above are not available for
+ *		use by isc_log_usechannnel() and isc_log_write(), and no
+ *		additional memory is being used because of the call to
+ *		dns_log_init().
+ *		
+ *
+ * Returns:
+ *	ISC_R_SUCCESS	Success
+ *	ISC_R_NOMEMORY	Resource limit: Out of memory
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_LOG_H */
diff --git a/lib/dns/include/dns/master.h b/lib/dns/include/dns/master.h
new file mode 100644
index 00000000..9ba14451
--- /dev/null
+++ b/lib/dns/include/dns/master.h
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_MASTER_H
+#define DNS_MASTER_H 1
+
+/***
+ ***	Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/mem.h>
+#include <isc/lex.h>
+
+#include <dns/types.h>
+#include <dns/result.h>
+#include <dns/name.h>
+#include <dns/rdataset.h>
+#include <dns/callbacks.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Function
+ ***/
+
+isc_result_t dns_master_loadfile(const char *master_file,
+				 dns_name_t *top,
+				 dns_name_t *origin,
+				 dns_rdataclass_t zclass,
+				 isc_boolean_t age_ttl,
+				 int *soacount,
+				 int *nscount,
+				 dns_rdatacallbacks_t *callbacks,
+				 isc_mem_t *mctx);
+
+isc_result_t dns_master_loadstream(FILE *stream,
+				   dns_name_t *top,
+				   dns_name_t *origin,
+				   dns_rdataclass_t zclass,
+				   isc_boolean_t age_ttl,
+				   int *soacount,
+				   int *nscount,
+				   dns_rdatacallbacks_t *callbacks,
+				   isc_mem_t *mctx);
+
+isc_result_t dns_master_loadbuffer(isc_buffer_t *buffer,
+				   dns_name_t *top,
+				   dns_name_t *origin,
+				   dns_rdataclass_t zclass,
+				   isc_boolean_t age_ttl,
+				   int *soacount,
+				   int *nscount,
+				   dns_rdatacallbacks_t *callbacks,
+				   isc_mem_t *mctx);
+
+/*
+ * Loads a RFC 1305 master file from a file, stream, or buffer into rdatasets
+ * and then calls 'callbacks->commit' to commit the rdatasets.  Rdata memory belongs
+ * to dns_master_load and will be reused / released when the callback
+ * completes.  dns_load_master will abort if callbacks->commit returns
+ * any value other than DNS_R_SUCCESS.
+ *
+ * If 'age_ttl' is ISC_TRUE and the master file contains one or more
+ * $DATE directives, the TTLs of the data will be aged accordingly.
+ * 
+ * 'callbacks->commit' is assumed to call 'callbacks->error' or
+ * 'callbacks->warn' to generate any error messages required.
+ *
+ * Requires:
+ *	'master_file' to point to a valid string.
+ *	'top' to point to a valid name.
+ *	'origin' to point to a valid name.
+ *	'soacount' to point to a int.
+ *	'nscount' to point to a int.
+ *	'callbacks->commit' to point ta a valid function.
+ *	'callbacks->error' to point ta a valid function.
+ *	'callbacks->warn' to point ta a valid function.
+ *	'mctx' to point to a memory context.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS upon successfully loading the master file.
+ *	DNS_R_NOMEMORY out of memory.
+ *	DNS_R_UNEXPECTEDEND expected to be able to read a input token and
+ *		there was not one.
+ *	DNS_R_UNEXPECTED
+ *	DNS_R_NOOWNER failed to specify a ownername.
+ *	DNS_R_NOTTL failed to specify a ttl.
+ *	DNS_R_BADCLASS record class did not match zone class.
+ *	Any dns_rdata_fromtext() error code.
+ *	Any error code from callbacks->commit().
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif	/* DNS_MASTER_H */
diff --git a/lib/dns/include/dns/masterdump.h b/lib/dns/include/dns/masterdump.h
new file mode 100644
index 00000000..76a538d1
--- /dev/null
+++ b/lib/dns/include/dns/masterdump.h
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_MASTERDUMP_H
+#define DNS_MASTERDUMP_H 1
+
+/***
+ ***	Imports
+ ***/
+
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isc/mem.h>
+
+#include <dns/types.h>
+#include <dns/result.h>
+#include <dns/name.h>
+#include <dns/rdataset.h>
+
+/***
+ *** Types
+ ***/
+
+/*
+ * Style options for masterfile dumps.  This struct is currently
+ * opaque, so applications cannot define their own style but have
+ * to choose a predefined style.  A more flexible interface may 
+ * be exported in the future.
+ */
+
+typedef struct dns_master_style dns_master_style_t;
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Constants
+ ***/
+
+/*
+ * The default masterfile style.  
+ */
+extern const dns_master_style_t dns_master_style_default;
+
+
+/***
+ ***	Functions
+ ***/
+
+isc_result_t
+dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
+		dns_dbversion_t *version,
+		const dns_master_style_t *style, FILE *f);
+/*
+ * Dump the database 'db' to the steam 'f' in RFC1035 master 
+ * file format, in the style defined by 'style'
+ * (e.g., &dns_default_master_style_default)
+ *
+ * Temporary dynamic memory may be allocated from 'mctx'.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS 
+ *	DNS_R_NOMEMORY
+ * 	Any database or rrset iterator error.
+ *	Any dns_rdata_totext() error code.
+ */
+
+isc_result_t
+dns_master_dump(isc_mem_t *mctx, dns_db_t *db,
+		dns_dbversion_t *version,
+		const dns_master_style_t *style, const char *filename);
+/*
+ * Dump the database 'db' to the file 'filename' in RFC1035 master 
+ * file format, in the style defined by 'style'
+ * (e.g., &dns_default_master_style_default)
+ *
+ * Temporary dynamic memory may be allocated from 'mctx'.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS 
+ *	DNS_R_NOMEMORY
+ * 	Any database or rrset iterator error.
+ *	Any dns_rdata_totext() error code.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif	/* DNS_MASTERDUMP_H */
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
new file mode 100644
index 00000000..0025da59
--- /dev/null
+++ b/lib/dns/include/dns/message.h
@@ -0,0 +1,910 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_MESSAGE_H
+#define DNS_MESSAGE_H 1
+
+/***
+ ***	Imports
+ ***/
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/buffer.h>
+#include <isc/bufferlist.h>
+
+#include <dns/types.h>
+#include <dns/result.h>
+#include <dns/name.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/compress.h>
+
+#include <dst/dst.h>
+
+/*
+ * How this beast works:
+ *
+ * When a dns message is received in a buffer, dns_message_fromwire() is called
+ * on the memory region.  Various items are checked including the format
+ * of the message (if counts are right, if counts consume the entire sections,
+ * and if sections consume the entire message) and known pseudo-RRs in the
+ * additional data section are analyzed and removed.
+ *
+ * TSIG checking is also done at this layer, and any DNSSEC information should
+ * also be performed at this time.
+ *
+ * If dns_message_fromwire() returns DNS_R_MOREDATA additional
+ * message packets are required.  This implies an EDNS message.
+ *
+ * When going from structure to wire, dns_message_towire() will return
+ * DNS_R_MOREDATA if there is more data left in the output buffer that
+ * could not be rendered into the exisiting buffer.
+ *
+ *
+ * Notes on using the gettemp*() and puttemp*() functions:
+ *
+ * These functions return items (names, rdatasets, etc) allocated from some
+ * internal state of the dns_message_t.  These items must be put back into
+ * the dns_message_t in one of two ways.  Assume a name was allocated via
+ * dns_message_gettempname():
+ *
+ *	(1) insert it into a section, using dns_message_addname().
+ *
+ *	(2) return it to the message using dns_message_puttempname().
+ *
+ * The same applies to rdata, rdatasets, and rdatalists which were
+ * allocated using this group of functions.
+ *
+ * Buffers allocated using isc_buffer_allocate() can be automatically freed
+ * as well by giving the buffer to the message using dns_message_takebuffer().
+ * Doing this will cause the buffer to be freed using isc_buffer_free()
+ * when the section lists are cleared, such as in a reset or in a destroy.
+ * Since the buffer itself exists until the message is destroyed, this sort
+ * of code can be written:
+ *
+ *	buffer = isc_buffer_allocate(mctx, 512, ISC_BUFFERTYPE_BINARY);
+ *	name = NULL;
+ *	name = dns_message_gettempname(message, &name);
+ *	dns_name_init(name, NULL);
+ *	result = dns_name_fromtext(name, &source, dns_rootname, ISC_FALSE,
+ *				   buffer);
+ *	dns_message_takebuffer(message, &buffer);
+ *
+ *
+ * TODO:
+ *
+ * XXX Needed:  ways to handle TSIG and DNSSEC, supply TSIG and DNSSEC
+ * keys, set and retrieve EDNS information, add rdata to a section,
+ * move rdata from one section to another, remove rdata, etc.
+ */
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_MESSAGEFLAG_QR		0x8000U
+#define DNS_MESSAGEFLAG_AA		0x0400U
+#define DNS_MESSAGEFLAG_TC		0x0200U
+#define DNS_MESSAGEFLAG_RD		0x0100U
+#define DNS_MESSAGEFLAG_RA		0x0080U
+#define DNS_MESSAGEFLAG_AD		0x0020U
+#define DNS_MESSAGEFLAG_CD		0x0010U
+
+#define DNS_MESSAGE_REPLYPRESERVE	(DNS_MESSAGEFLAG_RD)
+
+#define DNS_MESSAGE_HEADERLEN		12 /* 6 isc_uint16_t's */
+
+#define DNS_MESSAGE_MAGIC		0x4d534740U	/* MSG@ */
+#define DNS_MESSAGE_VALID(msg)		ISC_MAGIC_VALID(msg, DNS_MESSAGE_MAGIC)
+
+/*
+ * Ordering here matters.  DNS_SECTION_ANY must be the lowest and negative,
+ * and DNS_SECTION_MAX must be one greater than the last used section.
+ */
+typedef int dns_section_t;
+#define DNS_SECTION_ANY			(-1)
+#define DNS_SECTION_QUESTION		0
+#define DNS_SECTION_ANSWER		1
+#define DNS_SECTION_AUTHORITY		2
+#define DNS_SECTION_ADDITIONAL		3
+#define DNS_SECTION_TSIG		4 /* pseudo-section */
+#define DNS_SECTION_SIG0		5 /* pseudo-section */
+#define DNS_SECTION_MAX			6
+
+/*
+ * Dynamic update names for these sections.
+ */
+#define DNS_SECTION_ZONE		DNS_SECTION_QUESTION
+#define DNS_SECTION_PREREQUISITE	DNS_SECTION_ANSWER
+#define DNS_SECTION_UPDATE		DNS_SECTION_AUTHORITY
+
+/*
+ * These tell the message library how the created dns_message_t will be used.
+ */
+#define DNS_MESSAGE_INTENTUNKNOWN	0 /* internal use only */
+#define DNS_MESSAGE_INTENTPARSE		1 /* parsing messages */
+#define DNS_MESSAGE_INTENTRENDER	2 /* rendering */
+
+/*
+ * Control behavior of rendering
+ */
+#define DNS_MESSAGERENDER_ORDERED	0x0001	/* don't change order */
+
+typedef struct dns_msgblock dns_msgblock_t;
+
+struct dns_message {
+	/* public from here down */
+	unsigned int			magic;
+
+	dns_messageid_t			id;
+	unsigned int			flags;
+	unsigned int			rcode;
+	unsigned int			opcode;
+	dns_rdataclass_t		rdclass;
+
+	/* 4 real, 1 pseudo */
+	unsigned int			counts[DNS_SECTION_MAX];
+
+	/* private from here down */
+	dns_namelist_t			sections[DNS_SECTION_MAX];
+	dns_name_t		       *cursors[DNS_SECTION_MAX];
+	dns_rdataset_t		       *opt;
+
+	int				state;
+	unsigned int			from_to_wire : 2;
+	unsigned int			need_cctx_cleanup : 1;
+	unsigned int			header_ok : 1;
+	unsigned int			question_ok : 1;
+	unsigned int			tcp_continuation : 1;
+	unsigned int			verified_sig0 : 1;
+
+	unsigned int			opt_reserved;
+	unsigned int			reserved; /* reserved space (render) */
+
+	isc_buffer_t		       *buffer;
+	dns_compress_t			cctx;
+
+	isc_mem_t		       *mctx;
+	isc_mempool_t		       *namepool;
+	isc_mempool_t		       *rdspool;
+
+	isc_bufferlist_t		scratchpad;
+	isc_bufferlist_t		cleanup;
+
+	ISC_LIST(dns_msgblock_t)	rdatas;
+	ISC_LIST(dns_msgblock_t)	rdatalists;
+
+	ISC_LIST(dns_rdata_t)		freerdata;
+	ISC_LIST(dns_rdatalist_t)	freerdatalist;
+
+	dns_rcode_t			tsigstatus;
+	dns_rcode_t			querytsigstatus;
+	dns_rdata_any_tsig_t	       *tsig;
+	dns_rdata_any_tsig_t	       *querytsig;
+	dns_tsigkey_t		       *tsigkey;
+	void			       *tsigctx;
+	int				sigstart;
+
+	dst_key_t		       *sig0key;
+	dns_rcode_t			sig0status;
+	isc_region_t		       *query;
+	isc_region_t		       *saved;
+};
+
+isc_result_t
+dns_message_create(isc_mem_t *mctx, unsigned int intent,
+		   dns_message_t **msgp);
+		   
+/*
+ * Create msg structure.
+ *
+ * This function will allocate some internal blocks of memory that are
+ * expected to be needed for parsing or rendering nearly any type of message.
+ *
+ * Requires:
+ *	'mctx' be a valid memory context.
+ *
+ *	'msgp' be non-null and '*msg' be NULL.
+ *
+ *	'intent' must be one of DNS_MESSAGE_INTENTPARSE or
+ *	DNS_MESSAGE_INTENTRENDER.
+ *
+ * Ensures:
+ *	The data in "*msg" is set to indicate an unused and empty msg
+ *	structure.
+ *
+ * Returns:
+ *	DNS_R_NOMEMORY		-- out of memory
+ *	DNS_R_SUCCESS		-- success
+ */
+
+void
+dns_message_reset(dns_message_t *msg, unsigned int intent);
+/*
+ * Reset a message structure to default state.  All internal lists are freed
+ * or reset to a default state as well.  This is simply a more efficient
+ * way to call dns_message_destroy() followed by dns_message_allocate(),
+ * since it avoid many memory allocations.
+ *
+ * If any data loanouts (buffers, names, rdatas, etc) were requested,
+ * the caller must no longer use them after this call.
+ *
+ * The intended next use of the message will be 'intent'.
+ *
+ * Requires:
+ *
+ *	'msg' be valid.
+ *
+ *	'intent' is DNS_MESSAGE_INTENTPARSE or DNS_MESSAGE_INTENTRENDER
+ */
+
+void
+dns_message_destroy(dns_message_t **msgp);
+/*
+ * Destroy all state in the message.
+ *
+ * Requires:
+ *
+ *	'msgp' be valid.
+ *
+ * Ensures:
+ *	'*msgp' == NULL
+ */
+
+isc_result_t
+dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+		  isc_boolean_t preserve_order);
+/*
+ * Parse raw wire data pointed to by "buffer" and bounded by "buflen" as a
+ * DNS message.
+ *
+ * OPT records are detected and stored in the pseudo-section "opt".
+ * TSIGs are detected and stored in the pseudo-section "tsig".
+ *
+ * If 'preserve_order' is true, or if the opcode of the message is UPDATE,
+ * a separate dns_name_t object will be created for each RR in the message.
+ * Each such dns_name_t will have a single rdataset containing the single RR,
+ * and the order of the RRs in the message is preserved.
+ * Otherwise, only one dns_name_t object will be created for each unique
+ * owner name in the section, and each such dns_name_t will have a list
+ * of rdatasets.  To access the names and their data, use 
+ * dns_message_firstname() and dns_message_nextname(). 
+ *
+ * OPT and TSIG records are always handled specially, regardless of the
+ * 'preserve_order' setting.
+ *
+ * If this is a multi-packet message (edns) and more data is required to
+ * build the full message state, DNS_R_MOREDATA is returned.  In this case,
+ * this function should be repeated with all input buffers until DNS_R_SUCCESS
+ * (or an error) is returned.
+ *
+ * Requires:
+ *	"msg" be valid.
+ *
+ *	"buffer" be a wire format binary buffer.
+ *
+ * Ensures:
+ *	The buffer's data format is correct.
+ *
+ *	The buffer's contents verify as correct regarding header bits, buffer
+ * 	and rdata sizes, etc.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		-- all is well
+ *	DNS_R_NOMEMORY		-- no memory
+ *	DNS_R_MOREDATA		-- more packets needed for complete message
+ *	DNS_R_???		-- bad signature (XXXMLG need more of these)
+ *	Many other errors possible XXXMLG
+ */
+
+isc_result_t
+dns_message_renderbegin(dns_message_t *msg, isc_buffer_t *buffer);
+/*
+ * Begin rendering on a message.  Only one call can be made to this function
+ * per message.
+ *
+ * The buffer is "owned" by the message library until dns_message_renderend()
+ * is called.
+ *
+ * Requires:
+ *
+ *	'msg' be valid.
+ *
+ *	buffer is a valid binary buffer.
+ *
+ * Side Effects:
+ *
+ *	The buffer is cleared before it is used.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		-- all is well
+ *	DNS_R_NOSPACE		-- output buffer is too small
+ *	Anything that dns_compress_init() can return.
+ */
+
+isc_result_t
+dns_message_renderchangebuffer(dns_message_t *msg, isc_buffer_t *buffer);
+/*
+ * Reset the buffer.  This can be used after growing the old buffer
+ * on a DNS_R_NOSPACE return from most of the render functions.
+ *
+ * On successful completion, the old buffer is no longer used by the
+ * library.  The new buffer is owned by the library until
+ * dns_message_renderend() is called.
+ *
+ * Requires:
+ *
+ *	'msg' be valid.
+ *
+ *	dns_message_renderbegin() was called.
+ *
+ *	buffer != NULL.
+ *
+ * Returns:
+ *	DNS_R_NOSPACE		-- new buffer is too small
+ *	DNS_R_SUCCESS		-- all is well.
+ */
+
+isc_result_t
+dns_message_renderreserve(dns_message_t *msg, unsigned int space);
+/*
+ * XXXMLG should use size_t rather than unsigned int once the buffer
+ * API is cleaned up
+ *
+ * Reserve "space" bytes in the given buffer.
+ *
+ * Requires:
+ *
+ *	'msg' be valid.
+ *
+ *	dns_message_renderbegin() was called.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		-- all is well.
+ *	DNS_R_NOSPACE		-- not enough free space in the buffer.
+ */
+
+void
+dns_message_renderrelease(dns_message_t *msg, unsigned int space);
+/*
+ * XXXMLG should use size_t rather than unsigned int once the buffer
+ * API is cleaned up
+ *
+ * Release "space" bytes in the given buffer that was previously reserved.
+ *
+ * Requires:
+ *
+ *	'msg' be valid.
+ *
+ *	'space' is less than or equal to the total amount of space reserved
+ *	via prior calls to dns_message_renderreserve().
+ *
+ *	dns_message_renderbegin() was called.
+ */
+
+isc_result_t
+dns_message_rendersection(dns_message_t *msg, dns_section_t section,
+			  unsigned int options);
+/*
+ * Render all names, rdatalists, etc from the given section at the
+ * specified priority or higher.
+ *
+ * Requires:
+ *	'msg' be valid.
+ *
+ *	'section' be a valid section.
+ *
+ *	dns_message_renderbegin() was called.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		-- all records were written, and there are
+ *				   no more records for this section.
+ *	DNS_R_NOSPACE		-- Not enough room in the buffer to write
+ *				   all records requested.
+ *	DNS_R_MOREDATA		-- All requested records written, and there
+ *				   are records remaining for this section.
+ */
+
+void
+dns_message_renderheader(dns_message_t *msg, isc_buffer_t *target);
+/*
+ * Render the message header.  This is implicitly called by
+ * dns_message_renderend().
+ *
+ * Requires:
+ *
+ *	'msg' be a valid message.
+ *
+ *	dns_message_renderbegin() was called.
+ *
+ *	'target' is a valid buffer with enough space to hold a message header
+ */
+
+isc_result_t
+dns_message_renderend(dns_message_t *msg);
+/*
+ * Finish rendering to the buffer.  Note that more data can be in the
+ * 'msg' structure.  Destroying the structure will free this, or in a multi-
+ * part EDNS1 message this data can be rendered to another buffer later.
+ *
+ * Requires:
+ *
+ *	'msg' be a valid message.
+ *
+ *	dns_message_renderbegin() was called.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		-- all is well.
+ */
+		      
+
+isc_result_t
+dns_message_firstname(dns_message_t *msg, dns_section_t section);
+/*
+ * Set internal per-section name pointer to the beginning of the section.
+ *
+ * The functions dns_message_firstname() and dns_message_nextname() may
+ * be used for iterating over the owner names in a section. 
+ *
+ * Requires:
+ *
+ *   	'msg' be valid.
+ *
+ *	'section' be a valid section.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		-- All is well.
+ *	DNS_R_NOMORE		-- No names on given section.
+ */
+
+isc_result_t
+dns_message_nextname(dns_message_t *msg, dns_section_t section);
+/*
+ * Sets the internal per-section name pointer to point to the next name
+ * in that section.
+ *
+ * Requires:
+ *
+ *   	'msg' be valid.
+ *
+ *	'section' be a valid section.
+ *
+ *	dns_message_firstname() must have been called on this section,
+ *	and the result was DNS_R_SUCCESS.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		-- All is well.
+ *	DNS_R_NOMORE		-- No names in given section.
+ */
+
+void
+dns_message_currentname(dns_message_t *msg, dns_section_t section,
+			dns_name_t **name);
+/*
+ * Sets 'name' to point to the name where the per-section internal name
+ * pointer is currently set.
+ *
+ * This function returns the name in the database, so any data associated
+ * with it (via the name's "list" member) contains the actual rdatasets.
+ *
+ * Requires:
+ *
+ *	'msg' be valid.
+ *
+ *	'name' be non-NULL, and *name be NULL.
+ *
+ *	'section' be a valid section.
+ *
+ *	dns_message_firstname() must have been called on this section,
+ *	and the result of it and any dns_message_nextname() calls was
+ *	DNS_R_SUCCESS.
+ */
+
+isc_result_t
+dns_message_findname(dns_message_t *msg, dns_section_t section,
+		     dns_name_t *target, dns_rdatatype_t type,
+		     dns_rdatatype_t covers, dns_name_t **foundname,
+		     dns_rdataset_t **rdataset);
+/*
+ * Search for a name in the specified section.  If it is found, *name is
+ * set to point to the name, and *rdataset is set to point to the found
+ * rdataset (if type is specified as other than dns_rdatatype_any).
+ *
+ * Requires:
+ *	'msg' be valid.
+ *
+ *	'section' be a valid section.
+ *
+ *	If a pointer to the name is desired, 'foundname' should be non-NULL.
+ *	If it is non-NULL, '*foundname' MUST be NULL.
+ *
+ *	If a type other than dns_datatype_any is searched for, 'rdataset'
+ *	may be non-NULL, '*rdataset' be NULL, and will point at the found
+ *	rdataset.  If the type is dns_datatype_any, 'rdataset' must be NULL.
+ *
+ *	'target' be a valid name.
+ *
+ *	'type' be a valid type.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		-- all is well.
+ *	DNS_R_NXDOMAIN		-- name does not exist in that section.
+ *	DNS_R_NXRDATASET	-- The name does exist, but the desired
+ *				   type does not.
+ */
+
+isc_result_t
+dns_message_findtype(dns_name_t *name, dns_rdatatype_t type,
+		     dns_rdatatype_t covers, dns_rdataset_t **rdataset);
+/*
+ * Search the name for the specified type.  If it is found, *rdataset is
+ * filled in with a pointer to that rdataset.
+ *
+ * Requires:
+ *	if '**rdataset' is non-NULL, *rdataset needs to be NULL.
+ *
+ *	'type' be a valid type, and NOT dns_rdatatype_any.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		-- all is well.
+ *	DNS_R_NOTFOUND		-- the desired type does not exist.
+ */
+
+void
+dns_message_movename(dns_message_t *msg, dns_name_t *name,
+		     dns_section_t fromsection,
+		     dns_section_t tosection);
+/*
+ * Move a name from one section to another.
+ *
+ * Requires:
+ *
+ *	'msg' be valid.
+ *
+ *	'name' must be a name already in 'fromsection'.
+ *
+ *	'fromsection' must be a valid section.
+ *
+ *	'tosection' must be a valid section.
+ */
+
+void
+dns_message_addname(dns_message_t *msg, dns_name_t *name,
+		    dns_section_t section);
+/*
+ * Adds the name to the given section.
+ *
+ * It is the caller's responsibility to enforce any unique name requirements
+ * in a section.
+ *
+ * Requires:
+ *
+ *	'msg' be valid, and be a renderable message.
+ *
+ *	'name' be a valid name.
+ *
+ *	'section' be a named section.
+ */
+
+/*
+ * LOANOUT FUNCTIONS
+ *
+ * Each of these functions loan a particular type of data to the caller.
+ * The storage for these will vanish when the message is destroyed or
+ * reset, and must NOT be used after these operations.
+ */
+
+isc_result_t
+dns_message_gettempname(dns_message_t *msg, dns_name_t **item);
+/*
+ * Return a name that can be used for any temporary purpose, including
+ * inserting into the message's linked lists.  The name must be returned
+ * to the message code using dns_message_puttempname() or inserted into
+ * one of the message's sections before the message is destroyed.
+ *
+ * It is the caller's responsibility to initialize this name.
+ *
+ * Requires:
+ *	msg be a valid message
+ *
+ *	item != NULL && *item == NULL
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		-- All is well.
+ *	DNS_R_NOMEMORY		-- No item can be allocated.
+ */
+
+isc_result_t
+dns_message_gettemprdata(dns_message_t *msg, dns_rdata_t **item);
+/*
+ * Return a rdata that can be used for any temporary purpose, including
+ * inserting into the message's linked lists.  The storage associated with
+ * this rdata will be destroyed when the message is destroyed or reset.
+ *
+ * Requires:
+ *	msg be a valid message
+ *
+ *	item != NULL && *item == NULL
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		-- All is well.
+ *	DNS_R_NOMEMORY		-- No item can be allocated.
+ */
+
+isc_result_t
+dns_message_gettemprdataset(dns_message_t *msg, dns_rdataset_t **item);
+/*
+ * Return a rdataset that can be used for any temporary purpose, including
+ * inserting into the message's linked lists.  The storage associated with
+ * this rdataset will be destroyed when the message is destroyed or reset.
+ *
+ * Requires:
+ *	msg be a valid message
+ *
+ *	item != NULL && *item == NULL
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		-- All is well.
+ *	DNS_R_NOMEMORY		-- No item can be allocated.
+ */
+
+isc_result_t
+dns_message_gettemprdatalist(dns_message_t *msg, dns_rdatalist_t **item);
+/*
+ * Return a rdatalist that can be used for any temporary purpose, including
+ * inserting into the message's linked lists.  The storage associated with
+ * this rdatalist will be destroyed when the message is destroyed or reset.
+ *
+ * Requires:
+ *	msg be a valid message
+ *
+ *	item != NULL && *item == NULL
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		-- All is well.
+ *	DNS_R_NOMEMORY		-- No item can be allocated.
+ */
+
+void
+dns_message_puttempname(dns_message_t *msg, dns_name_t **item);
+/*
+ * Return a borrowed name to the message's name free list.
+ *
+ * Requires:
+ *	msg be a valid message
+ *
+ *	item != NULL && *item point to a name returned by
+ *	dns_message_gettempname()
+ *
+ * Ensures:
+ *	*item == NULL
+ */
+
+void
+dns_message_puttemprdata(dns_message_t *msg, dns_rdata_t **item);
+/*
+ * Return a borrowed rdata to the message's rdata free list.
+ *
+ * Requires:
+ *	msg be a valid message
+ *
+ *	item != NULL && *item point to a rdata returned by
+ *	dns_message_gettemprdata()
+ *
+ * Ensures:
+ *	*item == NULL
+ */
+
+void
+dns_message_puttemprdataset(dns_message_t *msg, dns_rdataset_t **item);
+/*
+ * Return a borrowed rdataset to the message's rdataset free list.
+ *
+ * Requires:
+ *	msg be a valid message
+ *
+ *	item != NULL && *item point to a rdataset returned by
+ *	dns_message_gettemprdataset()
+ *
+ * Ensures:
+ *	*item == NULL
+ */
+
+void
+dns_message_puttemprdatalist(dns_message_t *msg, dns_rdatalist_t **item);
+/*
+ * Return a borrowed rdatalist to the message's rdatalist free list.
+ *
+ * Requires:
+ *	msg be a valid message
+ *
+ *	item != NULL && *item point to a rdatalist returned by
+ *	dns_message_gettemprdatalist()
+ *
+ * Ensures:
+ *	*item == NULL
+ */
+
+isc_result_t
+dns_message_peekheader(isc_buffer_t *source, dns_messageid_t *idp,
+		       unsigned int *flagsp);
+/*
+ * Assume the remaining region of "source" is a DNS message.  Peek into
+ * it and fill in "*idp" with the message id, and "*flagsp" with the flags.
+ *
+ * Requires:
+ *
+ *	source != NULL
+ *
+ * Ensures:
+ *
+ *	if (idp != NULL) *idp == message id.
+ *
+ *	if (flagsp != NULL) *flagsp == message flags.
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS		-- all is well.
+ *
+ *	DNS_R_UNEXPECTEDEND	-- buffer doesn't contain enough for a header.
+ */
+
+isc_result_t
+dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section);
+/*
+ * Start formatting a reply to the query in 'msg'.
+ *
+ * Requires:
+ *
+ *	'msg' is a valid message with parsing intent, and contains a query.
+ * 
+ * Ensures:
+ *
+ *	The message will have a rendering intent.  If 'want_question_section'
+ *	is true, the message opcode is query or notify, and the question
+ *	section is present and properly formatted, then the question section
+ *	will be included in the reply.  All other sections will be cleared.
+ *	The QR flag will be set, the RD flag will be preserved, and all other
+ *	flags will be cleared.
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS		-- all is well.
+ *
+ *	DNS_R_FORMERR		-- the header or question section of the
+ *				   message is invalid, replying is impossible.
+ *				   If DNS_R_FORMERR is returned when
+ *				   want_question_section is ISC_FALSE, then
+ *				   it's the header section that's bad;
+ *				   otherwise either of the header or question
+ *				   sections may be bad.
+ */
+
+dns_rdataset_t *
+dns_message_getopt(dns_message_t *msg);
+/*
+ * Get the OPT record for 'msg'.
+ *
+ * Requires:
+ *
+ *	'msg' is a valid message.
+ *
+ * Returns:
+ *
+ *	The OPT rdataset of 'msg', or NULL if there isn't one.
+ */
+
+isc_result_t
+dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt);
+/*
+ * Set the OPT record for 'msg'.
+ *
+ * Requires:
+ *
+ *	'msg' is a valid message with rendering intent,
+ *	dns_message_renderbegin() has been called, and no sections have been
+ *	rendered.
+ *
+ *	'opt' is a valid OPT record.
+ *
+ * Ensures:
+ *
+ *	The OPT record will be rendered when dns_message_renderend() is
+ *	called.
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS		-- all is well.
+ *
+ *	DNS_R_NOSPACE		-- there is no space for the OPT record.
+ */
+
+void
+dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer);
+/*
+ * Give the *buffer to the message code to clean up when it is no
+ * longer needed.  This is usually when the message is reset or
+ * destroyed.
+ *
+ * Requires:
+ *
+ *	msg be a valid message.
+ *
+ *	buffer != NULL && *buffer is a valid isc_buffer_t, which was
+ *	dynamincally allocated via isc_buffer_allocate().
+ */
+
+isc_result_t
+dns_message_signer(dns_message_t *msg, dns_name_t *signer);
+/*
+ * If this message was signed, return the identity of the signer.
+ * Unless ISC_R_NOTFOUND is returned, signer will reflect the name of the
+ * key that signed the message.
+ *
+ * Requires:
+ *
+ *	msg is a valid parsed message.
+ *	signer is a valid name
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS		- the message was signed, and *signer
+ *				  contains the signing identity
+ *
+ *	ISC_R_NOTFOUND		- no TSIG or SIG(0) record is present in the
+ *				  message
+ *
+ *	DNS_R_TSIGVERIFYFAILURE	- the message was signed by a TSIG, but the
+ *				  signature failed to verify
+ *
+ *	DNS_R_TSIGERRORSET	- the message was signed by a TSIG and
+ *				  verified, but the query was rejected by
+ *				  the server
+ *
+ *	DNS_R_NOIDENTITY	- the message was signed by a TSIG and
+ *				  verified, but the key has no identity since
+ *				  it was generated by an unsigned TKEY process
+ *
+ *	DNS_R_SIGINVALID	- the message was signed by a SIG(0), but
+ *				  the signature failed to verify
+ *
+ *	DNS_R_SIGNOTVERIFIEDYET	- the message was signed by a SIG(0), but
+ *				  the signature has not been verified yet
+ */
+
+isc_result_t
+dns_message_checksig(dns_message_t *msg, dns_view_t *view);
+/*
+ * If this message was signed, verify the signature.
+ *
+ * Requires:
+ *
+ *	msg is a valid parsed message.
+ *	view is a valid view
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS		- the message was unsigned, or the message
+ *				  was signed correctly.
+ *
+ *	DNS_R_EXPECTEDTSIG	- A TSIG was expected, but not seen
+ *	DNS_R_UNEXPECTEDTSIG	- A TSIG was seen but not expected
+ *	DNS_R_TSIGVERIFYFAILURE - The TSIG failed to verify
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif	/* DNS_MESSAGE_H */
diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h
new file mode 100644
index 00000000..08d4b412
--- /dev/null
+++ b/lib/dns/include/dns/name.h
@@ -0,0 +1,1051 @@
+/*
+ * Copyright (C) 1998, 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_NAME_H
+#define DNS_NAME_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Names and Labels
+ *
+ * Provides facilities for manipulating DNS names and labels, including
+ * conversions to and from wire format and text format.
+ *
+ * Given the large number of names possible in a nameserver, and because
+ * names occur in rdata, it was important to come up with a very efficient
+ * way of storing name data, but at the same time allow names to be
+ * manipulated.  The decision was to store names in uncompressed wire format,
+ * and not to make them fully abstracted objects; i.e. certain parts of the
+ * server know names are stored that way.  This saves a lot of memory, and
+ * makes adding names to messages easy.  Having much of the server know
+ * the representation would be perilous, and we certainly don't want each
+ * user of names to be manipulating such a low-level structure.  This is
+ * where the Names and Labels module comes in.  The module allows name or
+ * label handles to be created and attached to uncompressed wire format
+ * regions.  All name operations and conversions are done through these
+ * handles.
+ *
+ * MP:
+ *	Clients of this module must impose any required synchronization.
+ *
+ * Reliability:
+ *	This module deals with low-level byte streams.  Errors in any of
+ *	the functions are likely to crash the server or corrupt memory.
+ *
+ * Resources:
+ *	None.
+ *
+ * Security:
+ *
+ *	*** WARNING ***
+ *
+ *	dns_name_fromwire() deals with raw network data.  An error in
+ *	this routine could result in the failure or hijacking of the server.
+ *
+ * Standards:
+ *	RFC 1035
+ *	Draft EDNS0 (0)
+ *	Draft EDNS1 (0)
+ *	Draft Binary Labels (2)
+ *	Draft Local Compression (1)
+ *
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/boolean.h>
+#include <isc/buffer.h>
+#include <isc/lang.h>
+
+#include <dns/types.h>
+#include <dns/result.h>
+
+#include <stdio.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Labels
+ *****
+ ***** A 'label' is basically a region.  It contains one DNS wire format
+ ***** label of either type 00 (ordinary) or type 01000001 (bitstring).
+ *****/
+
+/***
+ *** Extended Label Types
+ ***/
+
+#define DNS_LABELTYPE_GLOBALCOMP16	0x40
+#define DNS_LABELTYPE_BITSTRING		0x41
+#define DNS_LABELTYPE_LOCALCOMP		0x42
+
+/***
+ *** Properties
+ ***/
+
+dns_labeltype_t dns_label_type(dns_label_t *label);
+/*
+ * Get the type of 'label'.
+ *
+ * Requires:
+ *	'label' is a valid label (i.e. not NULL, points to a
+ *	struct dns_label)
+ *	'label' is a type 00 or type 01000001 label (i.e. not compressed).
+ *
+ * Returns:
+ *	dns_labeltype_ordinary		type 00 label
+ *	dns_labeltype_bitstring		type 01000001 label
+ */
+
+/***
+ *** Bitstring Labels
+ ***/
+
+unsigned int dns_label_countbits(dns_label_t *label);
+/*
+ * The number of bits in a bitstring label.
+ *
+ * Requires:
+ *	'label' is a valid label
+ *
+ *	dns_label_type(label) == dns_labeltype_bitstring
+ *
+ * Ensures:
+ *	Result is <= 256.
+ *
+ * Returns:
+ *	The number of bits in the bitstring label.
+ */
+
+dns_bitlabel_t dns_label_getbit(dns_label_t *label, unsigned int n);
+/*
+ * The 'n'th most significant bit of 'label'.
+ *
+ * Notes:
+ *	Numbering starts at 0.
+ *
+ * Require:
+ *	n < dns_label_countbits(label)
+ *
+ * Returns:
+ *	dns_bitlabel_0		The bit was 0.
+ *	dns_bitlabel_1		The bit was 1.
+ */
+
+/***
+ *** Note
+ ***
+ *** Some provision still needs to be made for splitting bitstring labels.
+ ***/
+
+
+
+/*****
+ ***** Names
+ *****
+ ***** A 'name' is a handle to a binary region.  It contains a sequence of one
+ ***** or more DNS wire format labels of either type 00 (ordinary) or type
+ ***** 01000001 (bitstring).  Note that all names are not required to end
+ ***** with the root label, as they are in the actual DNS wire protocol.
+ *****/
+
+/***
+ *** Compression pointer chaining limit
+ ***/
+
+#define DNS_POINTER_MAXHOPS		16
+
+/***
+ *** Types
+ ***/
+
+/*
+ * Clients are strongly discouraged from using this type directly,  with
+ * the exception of the 'link' and 'list' fields which may be used directly
+ * for whatever purpose the client desires.
+ */
+struct dns_name {
+	unsigned int			magic;
+	unsigned char *			ndata;
+	unsigned int			length;
+	unsigned int			labels;
+	unsigned int			attributes;
+	unsigned char *			offsets;
+	isc_buffer_t *			buffer;
+	ISC_LINK(dns_name_t)		link;
+	ISC_LIST(dns_rdataset_t)	list;
+};
+
+#define DNS_NAMEATTR_ABSOLUTE		0x0001
+#define DNS_NAMEATTR_READONLY		0x0002
+#define DNS_NAMEATTR_DYNAMIC		0x0004
+/*
+ * Attributes below 0x0100 reserved for name.c usage.
+ */
+#define DNS_NAMEATTR_CACHE		0x0100		/* Used by resolver. */
+#define DNS_NAMEATTR_ANSWER		0x0200		/* Used by resolver. */
+#define DNS_NAMEATTR_NCACHE		0x0400		/* Used by resolver. */
+#define DNS_NAMEATTR_CNAME		0x0800		/* Used by message. */
+#define DNS_NAMEATTR_DNAME		0x1000		/* Used by message. */
+
+extern dns_name_t *dns_rootname;
+extern dns_name_t *dns_wildcardname;
+
+/***
+ *** Initialization
+ ***/
+
+void dns_name_init(dns_name_t *name, unsigned char *offsets);
+/*
+ * Initialize 'name'.
+ *
+ * Notes:
+ *	'offsets' is never required to be non-NULL, but specifying a
+ *	dns_offsets_t for 'offsets' will improve the performance of most
+ *	name operations if the name is used more than once.
+ *
+ * Requires:
+ *	'name' is not NULL and points to a struct dns_name.
+ *
+ *	offsets == NULL or offsets is a dns_offsets_t.
+ *
+ * Ensures:
+ *	'name' is a valid name.
+ *	dns_name_countlabels(name) == 0
+ */
+
+void dns_name_invalidate(dns_name_t *name);
+/*
+ * Make 'name' invalid.
+ *
+ * Requires:
+ *	'name' is a valid name.
+ *
+ * Ensures:
+ *	If assertion checking is enabled, future attempts to use 'name'
+ *	without initializing it will cause an assertion failure.
+ *
+ *	If the name had a dedicated buffer, that association is ended.
+ */
+
+
+/***
+ *** Dedicated Buffers
+ ***/
+
+void
+dns_name_setbuffer(dns_name_t *name, isc_buffer_t *buffer);
+/*
+ * Dedicate a binary buffer for use with 'name'.
+ *
+ * Notes:
+ *	Specification of a target buffer in dns_name_fromwire(),
+ *	dns_name_fromtext(), and dns_name_concatentate() is optional if
+ *	'name' has a dedicated buffer.
+ *
+ *	The caller must not write to buffer until the name has been
+ *	invalidated or is otherwise known not to be in use.
+ *
+ *	If buffer is NULL and the name previously had a dedicated buffer,
+ *	than that buffer is no longer dedicated to use with this name.
+ *	The caller is responsible for ensuring that the storage used by
+ *	the name remains valid.
+ *
+ * Requires:
+ *	'name' is a valid name.
+ *
+ *	'buffer' is a valid binary buffer and 'name' doesn't have a
+ *	dedicated buffer already, or 'buffer' is NULL.
+ */
+
+isc_boolean_t
+dns_name_hasbuffer(dns_name_t *name);
+/*
+ * Does 'name' have a dedicated buffer?
+ *
+ * Requires:
+ *	'name' is a valid name.
+ *
+ * Returns:
+ *	ISC_TRUE	'name' has a dedicated buffer.
+ *	ISC_FALSE	'name' does not have a dedicated buffer.
+ */
+
+
+/***
+ *** Properties
+ ***/
+
+isc_boolean_t dns_name_isabsolute(dns_name_t *name);
+/*
+ * Does 'name' end in the root label?
+ *
+ * Requires:
+ *	'name' is a valid name
+ *
+ *	dns_name_countlabels(name) > 0
+ *
+ * Returns:
+ *	TRUE		The last label in 'name' is the root label.
+ *	FALSE		The last label in 'name' is not the root label.
+ */
+
+isc_boolean_t dns_name_iswildcard(dns_name_t *name);
+/*
+ * Is 'name' a wildcard name?
+ *
+ * Requires:
+ *	'name' is a valid name
+ *
+ *	dns_name_countlabels(name) > 0
+ *
+ * Returns:
+ *	TRUE		The least significant label of 'name' is '*'.
+ *	FALSE		The least significant label of 'name' is not '*'.
+ */
+
+unsigned int dns_name_hash(dns_name_t *name, isc_boolean_t case_sensitive);
+/*
+ * Provide a hash value for 'name'.
+ *
+ * Note: if 'case_sensitive' is ISC_FALSE, then names which differ only in
+ * case will have the same hash value.
+ *
+ * Requires:
+ *	'name' is a valid name
+ *
+ * Returns:
+ *	A hash value
+ */
+
+/***
+ *** Comparisons
+ ***/
+
+dns_namereln_t
+dns_name_fullcompare(dns_name_t *name1, dns_name_t *name2,
+		     int *orderp,
+		     unsigned int *nlabelsp, unsigned int *nbitsp);
+/*
+ * Determine the relative ordering under the DNSSEC order relation of
+ * 'name1' and 'name2', and also determine the hierarchical
+ * relationship of the names.
+ *
+ * Note: It makes no sense for one of the names to be relative and the
+ * other absolute.  If both names are relative, then to be meaningfully
+ * compared the caller must ensure that they are both relative to the
+ * same domain.
+ *
+ * Requires:
+ *	'name1' is a valid name
+ *
+ *	dns_name_countlabels(name1) > 0
+ *
+ *	'name2' is a valid name
+ *
+ *	dns_name_countlabels(name2) > 0
+ *
+ *	orderp, nlabelsp, and nbitsp are valid pointers.
+ *
+ *	Either name1 is absolute and name2 is absolute, or neither is.
+ *
+ * Ensures:
+ *
+ *	*orderp is -1 if name1 < name2, 0 if name1 = name2, 1 if
+ *	name1 > name2.
+ *
+ *	*nlabelsp is the number of common significant labels.
+ *
+ *	If *nbitsp is non-zero, then the least-signficant of the
+ *	common significant labels is a bitstring label, and the
+ *	two names have *nbitsp significant bits in common.
+ *
+ * Returns:
+ *	dns_namereln_none		There's no hierarchical relationship
+ *					between name1 and name2.
+ *	dns_namereln_contains		name1 properly contains name2; i.e.
+ *					name2 is a proper subdomain of name1.
+ *	dns_namereln_subdomain		name1 is a proper subdomain of name2.
+ *	dns_namereln_equal		name1 and name2 are equal.
+ *	dns_namereln_commonancestor	name1 and name2 share a common
+ *					ancestor.
+ */
+
+int
+dns_name_compare(dns_name_t *name1, dns_name_t *name2);
+/*
+ * Determine the relative ordering under the DNSSEC order relation of
+ * 'name1' and 'name2'.
+ *
+ * Note: It makes no sense for one of the names to be relative and the
+ * other absolute.  If both names are relative, then to be meaningfully
+ * compared the caller must ensure that they are both relative to the
+ * same domain.
+ *
+ * Requires:
+ *	'name1' is a valid name
+ *
+ *	dns_name_countlabels(name1) > 0
+ *
+ *	'name2' is a valid name
+ *
+ *	dns_name_countlabels(name2) > 0
+ *
+ *	Either name1 is absolute and name2 is absolute, or neither is.
+ *
+ * Returns:
+ *	-1		'name1' is less than 'name2'
+ *	0		'name1' is equal to 'name2'
+ *	1		'name1' is greater than 'name2'
+ */
+
+isc_boolean_t
+dns_name_equal(dns_name_t *name1, dns_name_t *name2);
+/*
+ * Are 'name1' and 'name2' equal?
+ *
+ * Notes:
+ *	Because it only needs to test for equality, dns_name_equal() can be
+ *	significantly faster than dns_name_fullcompare() or dns_name_compare().
+ *
+ *	Offsets tables are not used in the comparision.
+ *
+ * 	It makes no sense for one of the names to be relative and the
+ *	other absolute.  If both names are relative, then to be meaningfully
+ * 	compared the caller must ensure that they are both relative to the
+ * 	same domain.
+ *
+ * Requires:
+ *	'name1' is a valid name
+ *
+ *	'name2' is a valid name
+ *
+ *	Either name1 is absolute and name2 is absolute, or neither is.
+ *
+ * Returns:
+ *	ISC_TRUE	'name1' and 'name2' are equal
+ *	ISC_FALSE	'name1' and 'name2' are not equal
+ */
+
+int
+dns_name_rdatacompare(dns_name_t *name1, dns_name_t *name2);
+/*
+ * Compare two names as if they are part of rdata in DNSSEC canonical
+ * form.
+ *
+ * Requires:
+ *	'name1' is a valid absolute name
+ *
+ *	dns_name_countlabels(name1) > 0
+ *
+ *	'name2' is a valid absolute name
+ *
+ *	dns_name_countlabels(name2) > 0
+ *
+ * Returns:
+ *	-1		'name1' is less than 'name2'
+ *	0		'name1' is equal to 'name2'
+ *	1		'name1' is greater than 'name2'
+ */
+
+isc_boolean_t
+dns_name_issubdomain(dns_name_t *name1, dns_name_t *name2);
+/*
+ * Is 'name1' a subdomain of 'name2'?
+ *
+ * Notes:
+ *	name1 is a subdomain of name2 if name1 is contained in name2, or
+ *	name1 equals name2.
+ *
+ *	It makes no sense for one of the names to be relative and the
+ *	other absolute.  If both names are relative, then to be meaningfully
+ *	compared the caller must ensure that they are both relative to the
+ *	same domain.
+ *
+ * Requires:
+ *	'name1' is a valid name
+ *
+ *	dns_name_countlabels(name1) > 0
+ *
+ *	'name2' is a valid name
+ *
+ *	dns_name_countlabels(name2) > 0
+ *
+ *	Either name1 is absolute and name2 is absolute, or neither is.
+ *
+ * Returns:
+ *	TRUE		'name1' is a subdomain of 'name2'
+ *	FALSE		'name1' is not a subdomain of 'name2'
+ */
+
+isc_boolean_t
+dns_name_matcheswildcard(dns_name_t *name, dns_name_t *wname);
+/*
+ * Does 'name' match the wildcard specified in 'wname'?
+ *
+ * Notes:
+ *	name matches the wildcard specified in wname if all labels
+ *	following the wildcard in wname are identical to the same number
+ *	of labels at the end of name.
+ *
+ *	It makes no sense for one of the names to be relative and the
+ *	other absolute.  If both names are relative, then to be meaningfully
+ *	compared the caller must ensure that they are both relative to the
+ *	same domain.
+ *
+ * Requires:
+ *	'name' is a valid name
+ *
+ *	dns_name_countlabels(name) > 0
+ *
+ *	'wname' is a valid name
+ *
+ *	dns_name_countlabels(wname) > 0
+ *
+ *	dns_name_iswildcard(wname) is true
+ *
+ *	Either name is absolute and wname is absolute, or neither is.
+ *
+ * Returns:
+ *	TRUE		'name' matches the wildcard specified in 'wname'
+ *	FALSE		'name' does not match the wildcard specified in 'wname'
+ */
+
+
+/***
+ *** Labels
+ ***/
+	
+unsigned int dns_name_countlabels(dns_name_t *name);
+/*
+ * How many labels does 'name' have?
+ *
+ * Notes:
+ *	In this case, as in other places, a 'label' is an ordinary label
+ *	or a bitstring label.  The term is not meant to refer to individual
+ *	bit labels.
+ *
+ * Requires:
+ *	'name' is a valid name
+ *
+ * Ensures:
+ *	The result is <= 128.
+ *
+ * Returns:
+ *	The number of labels in 'name'.
+ */
+
+void dns_name_getlabel(dns_name_t *name, unsigned int n, dns_label_t *label);
+/*
+ * Make 'label' refer to the 'n'th least significant label of 'name'.
+ *
+ * Notes:
+ *	Numbering starts at 0.
+ *
+ *	Given "rc.vix.com.", the label 0 is "rc", and label 3 is the
+ *	root label.
+ *
+ *	'label' refers to the same memory as 'name', so 'name' must not
+ *	be changed while 'label' is still in use.
+ *
+ * Requires:
+ *	n < dns_label_countlabels(name)
+ */
+
+void dns_name_getlabelsequence(dns_name_t *source,
+			       unsigned int first,
+			       unsigned int n,
+			       dns_name_t *target);
+/*
+ * Make 'target' refer to the 'n' labels including and following 'first'
+ * in 'source'.
+ *
+ * Notes:
+ *	Numbering starts at 0.
+ *
+ *	'target' refers to the same memory as 'source', so 'source'
+ *	must not be changed while 'target' is still in use.
+ *
+ * Requires:
+ *	'source' and 'target' are valid names.
+ *
+ *	first < dns_label_countlabels(name)
+ *
+ *	first + n <= dns_label_countlabels(name)
+ */
+
+
+void
+dns_name_clone(dns_name_t *source, dns_name_t *target);
+/*
+ * Make 'target' refer to the same name as 'source'.
+ *
+ * Notes:
+ *
+ *	'target' refers to the same memory as 'source', so 'source'
+ *	must not be changed while 'target' is still in use.
+ *
+ *	This call is functionally equivalent to:
+ *
+ *		dns_name_getlabelsequence(source, 0, 
+ *					  dns_label_countlabels(source),
+ *					  target);
+ *
+ *	but is more efficient.  Also, dns_name_clone() works even if 'source'
+ *	is empty.
+ *
+ * Requires:
+ *
+ *	'source' is a valid name.
+ *
+ *	'target' is a valid name that is not read-only.
+ */
+
+/***
+ *** Conversions
+ ***/
+
+void dns_name_fromregion(dns_name_t *name, isc_region_t *r);
+/*
+ * Make 'name' refer to region 'r'.
+ *
+ * Note:
+ *	If the conversion encounters a root label before the end of the
+ *	region the conversion stops and the length is set to the length
+ *	so far converted.  A maximum of 255 bytes is converted.
+ *
+ * Requires:
+ *	The data in 'r' is a sequence of one or more type 00 or type 01000001
+ *	labels.
+ */
+
+void dns_name_toregion(dns_name_t *name, isc_region_t *r);
+/*
+ * Make 'r' refer to 'name'.
+ *
+ * Requires:
+ *
+ *	'name' is a valid name.
+ *
+ *	'r' is a valid region.
+ */
+
+isc_result_t dns_name_fromwire(dns_name_t *name,
+			       isc_buffer_t *source,
+			       dns_decompress_t *dctx,
+			       isc_boolean_t downcase,
+			       isc_buffer_t *target);
+/*
+ * Copy the possibly-compressed name at source (active region) into target,
+ * decompressing it.
+ *
+ * Notes:
+ *	Decompression policy is controlled by 'dctx'.
+ *
+ *	If 'downcase' is true, any uppercase letters in 'source' will be
+ *	downcased when they are copied into 'target'.
+ *
+ * Security:
+ *
+ *	*** WARNING ***
+ *
+ *	This routine will often be used when 'source' contains raw network
+ *	data.  A programming error in this routine could result in a denial
+ *	of service, or in the hijacking of the server.
+ *
+ * Requires:
+ *
+ *	'name' is a valid name.
+ *
+ *	'source' is a valid buffer of type ISC_BUFFERTYPE_BINARY, and the
+ *	first byte of the active region should be the first byte of a DNS
+ *	wire format domain name.
+ *
+ *	'target' is a valid buffer of type ISC_BUFFERTYPE_BINARY or 
+ *	'target' is NULL and 'name' has a dedicated buffer.
+ *
+ *	'dctx' is a valid decompression context.
+ *
+ * Ensures:
+ *
+ *	If result is success:
+ *	 	If 'target' is not NULL, 'name' is attached to it.
+ *
+ *		Uppercase letters are downcased in the copy iff. 'downcase' is
+ *		true.
+ *
+ *		Any bitstring labels in source are canonicalized.
+ *		(i.e. maximally packed and any padding bits zeroed.)
+ *
+ *		The current location in source is advanced, and the used space
+ *		in target is updated.
+ *
+ * Result:
+ *	Success
+ *	Bad Form: Label Length
+ *	Bad Form: Unknown Label Type
+ *	Bad Form: Name Length
+ *	Bad Form: Compression type not allowed
+ *	Bad Form: Bad compression pointer
+ *	Bad Form: Input too short
+ *	Resource Limit: Too many compression pointers
+ *	Resource Limit: Not enough space in buffer
+ */
+
+isc_result_t dns_name_towire(dns_name_t *name,
+			     dns_compress_t *cctx,
+			     isc_buffer_t *target);
+/*
+ * Convert 'name' into wire format, compressing it as specified by the
+ * compression context 'cctx', and storing the result in 'target'.
+ *	
+ * Notes:
+ *	If the compression context allows global compression, then the
+ *	global compression table may be updated.
+ *
+ * Requires:
+ *	'name' is a valid name
+ *
+ *	dns_name_countlabels(name) > 0
+ *
+ *	dns_name_isabsolute(name) == TRUE
+ *
+ *	target is a valid buffer of type ISC_BUFFERTYPE_BINARY.
+ *
+ *	Any offsets specified in a global compression table are valid
+ *	for buffer.
+ *
+ * Ensures:
+ *
+ *	If the result is success:
+ *
+ *		Any bitstring labels are in canonical form.
+ *
+ *		The used space in target is updated.
+ *
+ * Returns:
+ *	Success
+ *	Resource Limit: Not enough space in buffer
+ */
+
+isc_result_t dns_name_fromtext(dns_name_t *name,
+			       isc_buffer_t *source,
+			       dns_name_t *origin,
+			       isc_boolean_t downcase,
+			       isc_buffer_t *target);
+/*
+ * Convert the textual representation of a DNS name at source
+ * into uncompressed wire form stored in target.
+ *
+ * Notes:
+ *	Relative domain names will have 'origin' appended to them
+ *	unless 'origin' is NULL, in which case relative domain names
+ *	will remain relative.
+ *
+ *	If 'downcase' is true, any uppercase letters in 'source' will be
+ *	downcased when they are copied into 'target'.
+ *
+ * Requires:
+ *
+ *	'name' is a valid name.
+ *
+ *	'source' is a valid buffer of type ISC_BUFFERTYPE_TEXT.
+ *
+ *	'target' is a valid buffer of type ISC_BUFFERTYPE_BINARY or 
+ *	'target' is NULL and 'name' has a dedicated buffer.
+ *
+ * Ensures:
+ *
+ *	If result is success:
+ *	 	If 'target' is not NULL, 'name' is attached to it.
+ *
+ *		Any bitstring labels in source are canonicalized.
+ *
+ *		Uppercase letters are downcased in the copy iff. 'downcase' is
+ *		true.
+ *
+ *		The current location in source is advanced, and the used space
+ *		in target is updated.
+ *
+ * Result:
+ *	DNS_R_SUCCESS
+ *	DNS_R_EMPTYLABEL
+ *	DNS_R_LABELTOOLONG
+ *	DNS_R_BADESCAPE
+ *	DNS_R_BADBITSTRING
+ *	DNS_R_BITSTRINGTOOLONG
+ *	DNS_R_BADDOTTEDQUAD
+ *	DNS_R_NOSPACE
+ *	DNS_R_UNEXPECTEDEND
+ */
+
+isc_result_t dns_name_totext(dns_name_t *name,
+			     isc_boolean_t omit_final_dot,
+			     isc_buffer_t *target);
+/*
+ * Convert 'name' into text format, storing the result in 'target'.
+ *	
+ * Notes:
+ *	If 'omit_final_dot' is true, then the final '.' in an absolute
+ *	name will not be emitted.
+ *
+ * Requires:
+ *
+ *	'name' is a valid name
+ *
+ *	'target' is a valid buffer of type ISC_BUFFERTYPE_TEXT
+ *
+ *	dns_name_countlabels(name) > 0
+ *
+ *	if dns_name_isabsolute == FALSE, then omit_final_dot == FALSE
+ *
+ * Ensures:
+ *
+ *	If the result is success:
+ *
+ *		Any bitstring labels are in canonical form.
+ *
+ *		The used space in target is updated.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOSPACE
+ */
+
+isc_result_t
+dns_name_downcase(dns_name_t *source, dns_name_t *name,
+		  isc_buffer_t *target);
+/*
+ * Downcase 'source'.
+ *
+ * Requires:
+ *
+ *	'source' and 'name' are valid names.
+ *
+ *	If source == name, then
+ *
+ *		'source' must not be read-only
+ *
+ *	Otherwise,
+ *
+ *		'target' is a valid buffer of type ISC_BUFFERTYPE_BINARY, or 
+ *		'target' is NULL and 'name' has a dedicated buffer.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOSPACE
+ *
+ *	Note: if source == name, then the result will always be DNS_R_SUCCESS.
+ */
+
+isc_result_t dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix,
+				  dns_name_t *name, isc_buffer_t *target);
+/*
+ *	Concatenate 'prefix' and 'suffix'.
+ *
+ * Requires:
+ *
+ *	'prefix' is a valid name or NULL.
+ *
+ *	'suffix' is a valid name or NULL.
+ *
+ *	'name' is a valid name or NULL.
+ *
+ *	'target' is a valid buffer of type ISC_BUFFERTYPE_BINARY, or 
+ *	'target' is NULL and 'name' has a dedicated buffer.
+ *
+ *	If 'prefix' is absolute, 'suffix' must be NULL or the empty name.
+ *
+ * Ensures:
+ *
+ *	On success,
+ *	 	If 'target' is not NULL and 'name' is not NULL, then 'name'
+ *		is attached to it.
+ *
+ *		Any bitstring labels are in canonical form.
+ *
+ *		The used space in target is updated.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOSPACE
+ */
+
+isc_result_t
+dns_name_split(dns_name_t *name,
+	       unsigned int suffixlabels, unsigned int nbits,
+	       dns_name_t *prefix, dns_name_t *suffix);
+/*
+ *
+ * Split 'name' into two pieces on a label or bitlabel boundary.
+ *
+ * Notes:
+ *	Copying name data is avoided as much as possible, so 'prefix'
+ *	and 'suffix' will usually end up pointing at the data for 'name',
+ *	except when 'nbits' > 0.  The name data is copied to the
+ *	the dedicated buffers when splitting on bitlabel boundaries
+ *	because of the bit fiddling that must be done.
+ *
+ *	It is legitimate to pass a 'prefix' or 'suffix' that has
+ *	its name data stored someplace other than the dedicate buffer.
+ *	This is useful to avoid name copying in the calling function.
+ *
+ *	It is also legitimate to pass a 'prefix' or 'suffix' that is
+ *	the same dns_name_t as 'name', but note well the requirement
+ *	below if splitting on a bitlabel boundary.
+ *
+ * Requires:
+ *	'name' is a valid name.
+ *
+ * 	'suffixlabels' cannot exceed the number of labels in 'name'.
+ *
+ *	'nbits' can be greater than zero only when the least significant
+ *	label of 'suffixlabels' is a bitstring label.
+ *
+ *	'nbits' cannot exceed the number of bits in the bitstring label.
+ *
+ *	'prefix' is a valid name or NULL, and cannot be read-only.
+ *
+ *	'suffix' is a valid name or NULL, and cannot be read-only.
+ *
+ *	If non-NULL, 'prefix' and 'suffix' must have dedicated buffers.
+ *
+ *	'prefix' and 'suffix' cannot point to the same buffer.
+ *
+ *	If 'nbits' > 0 and 'prefix' and 'suffix' are both non-NULL,
+ *	the buffer for 'prefix' cannot be storing the labels for 'name'.
+ *
+ * Ensures:
+ *
+ *	On success:
+ *		If 'prefix' is not NULL it will contain the least significcant
+ *		labels and bits.  dns_name_countlabels(name) - suffixlabels
+ *		will be equal to dns_name_countlabels(prefix).
+ *
+ *		If 'suffix' is not NULL it will contain the most significant
+ *		labels and bits.  dns_name_countlabels(suffix) will be
+ *		equal to suffixlabels.
+ *
+ *	On failure:
+ *		Either 'prefix' or 'suffix' is invalidated (depending
+ *		on which one the problem was encountered with).
+ *
+ * Returns:
+ *	DNS_R_SUCCESS	No worries.
+ *	DNS_R_NOSPACE	An attempt was made to split a name on a bitlabel
+ *			boundary but either 'prefix' or 'suffix' did not
+ *			have enough room to receive the split name.
+ */
+
+isc_result_t
+dns_name_dup(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target);
+/*
+ * Make 'target' a dynamically allocated copy of 'source'.
+ *
+ * Requires:
+ *
+ *	'source' is a valid non-empty name.
+ *	
+ *	'target' is a valid name that is not read-only.
+ *	
+ *	'mctx' is a valid memory context.
+ */
+
+void
+dns_name_free(dns_name_t *name, isc_mem_t *mctx);
+/*
+ * Free 'name'.
+ *
+ * Requires:
+ *
+ *	'name' is a valid name created previously in 'mctx' by dns_name_dup().
+ *
+ *	'mctx' is a valid memory context.
+ *
+ * Ensures:
+ *
+ *	All dynamic resources used by 'name' are freed and the name is
+ *	invalidated.
+ */
+
+isc_result_t
+dns_name_digest(dns_name_t *name, dns_digestfunc_t digest, void *arg);
+/*
+ * Send 'name' in DNSSEC canonical form to 'digest'.
+ *
+ * Requires:
+ *
+ *	'name' is a valid name.
+ *
+ *	'digest' is a valid dns_digestfunc_t.
+ *
+ * Ensures:
+ *
+ *	If successful, the DNSSEC canonical form of 'name' will have been
+ *	sent to 'digest'.
+ *
+ *	If digest() returns something other than DNS_R_SUCCESS, that result
+ *	will be returned as the result of dns_name_digest().
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *
+ *	Many other results are possible if not successful.
+ *	
+ */
+
+isc_boolean_t
+dns_name_dynamic(dns_name_t *name);
+/*
+ * Returns whether there is dynamic memory associated with this name.
+ *
+ * Requires:
+ *
+ *	'name' is a valid name.
+ *
+ * Returns:
+ *
+ *	'ISC_TRUE' if the name is dynamic othewise 'ISC_FALSE'.
+ */
+
+isc_result_t
+dns_name_print(dns_name_t *name, FILE *stream);
+/*
+ * Print 'name' on 'stream'.
+ *
+ * Requires:
+ *
+ *	'name' is a valid name.
+ *
+ *	'stream' is a valid stream.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS
+ *
+ *	Any error that dns_name_totext() can return.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_NAME_H */
diff --git a/lib/dns/include/dns/namedconf.h b/lib/dns/include/dns/namedconf.h
new file mode 100644
index 00000000..070ba478
--- /dev/null
+++ b/lib/dns/include/dns/namedconf.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_NAMEDCONF_H
+#define DNS_NAMEDCONF_H 1
+
+#include <dns/confacl.h>
+#include <dns/confcommon.h>
+#include <dns/confctl.h>
+#include <dns/confctx.h>
+#include <dns/confip.h>
+#include <dns/confkeys.h>
+#include <dns/conflog.h>
+#include <dns/conflsn.h>
+#include <dns/confparser.h>
+#include <dns/confrrset.h>
+#include <dns/confserv.h>
+#include <dns/confzone.h>
+
+#endif
diff --git a/lib/dns/include/dns/ncache.h b/lib/dns/include/dns/ncache.h
new file mode 100644
index 00000000..dd2c9f7f
--- /dev/null
+++ b/lib/dns/include/dns/ncache.h
@@ -0,0 +1,119 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_NCACHE_H
+#define DNS_NCACHE_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Ncache
+ *
+ * XXX <TBS> XXX
+ *
+ * MP:
+ *	The caller must ensure any required synchronization.
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *	<TBS>
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ *	RFC 2308
+ */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+#include <isc/stdtime.h>
+#include <isc/buffer.h>
+
+#include <dns/types.h>
+#include <dns/result.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
+	       dns_rdatatype_t covers, isc_stdtime_t now,
+	       dns_rdataset_t *addedrdataset);
+/*
+ * Convert the authority data from 'message' into a negative cache
+ * rdataset, and store it in 'cache' at 'node'.
+ *
+ * Note:
+ *	If 'addedrdataset' is not NULL, then it will be attached to the added
+ *	rdataset.  See dns_db_addrdataset() for more details.
+ *
+ * Requires:
+ *	'message' is a valid message with a properly formatting negative cache
+ *	authority section.
+ *
+ *	The requirements of dns_db_addrdataset() apply to 'cache', 'node',
+ *	'now', and 'addedrdataset'.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOSPACE
+ *
+ *	Any result code of dns_db_addrdataset() is a possible result code
+ *	of dns_ncache_add().
+ */
+
+isc_result_t
+dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
+		  isc_buffer_t *target, unsigned int *countp);
+/*
+ * Convert the negative caching rdataset 'rdataset' to wire format,
+ * compressing names as specified in 'cctx', and storing the result in
+ * 'target'.
+ *
+ * Notes:
+ *	The number of RRs added to target will be added to *countp.
+ *
+ * Requires:
+ *	'rdataset' is a valid negative caching rdataset.
+ *
+ *	'rdataset' is not empty.
+ *
+ *	'countp' is a valid pointer.
+ *
+ * Ensures:
+ *	On a return of DNS_R_SUCCESS, 'target' contains a wire format
+ *	for the data contained in 'rdataset'.  Any error return leaves
+ *	the buffer unchanged.
+ *
+ *	*countp has been incremented by the number of RRs added to
+ *	target.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		- all ok
+ *	DNS_R_NOSPACE		- 'target' doesn't have enough room
+ *
+ *	Any error returned by dns_rdata_towire(), dns_rdataset_next(),
+ *	dns_name_towire().
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_NCACHE_H */
diff --git a/lib/dns/include/dns/nxt.h b/lib/dns/include/dns/nxt.h
new file mode 100644
index 00000000..f9f4e9e4
--- /dev/null
+++ b/lib/dns/include/dns/nxt.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_NXT_H
+#define DNS_NXT_H 1
+
+#include <isc/lang.h>
+
+#include <dns/result.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_NXT_BUFFERSIZE (256 + 16)
+
+isc_result_t
+dns_buildnxtrdata(dns_db_t *db, dns_dbversion_t *version,
+		  dns_dbnode_t *node, dns_name_t *target,
+		  unsigned char *buffer, dns_rdata_t *rdata);
+/*
+ * Build the rdata of a NXT record.
+ *
+ * Requires:
+ *	buffer	Points to a temporary buffer of at least
+ * 		DNS_NXT_BUFFERSIZE bytes.
+ *	rdata	Points to an initialized dns_rdata_t.
+ *
+ * Ensures:
+ *      *rdata	Contains a valid NXT rdata.  The 'data' member refers
+ *		to 'buffer'.
+ */
+
+isc_result_t
+dns_buildnxt(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
+	     dns_name_t *target);
+/*
+ * Build a NXT record and add it to a database.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_NXT_H */
diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h
new file mode 100644
index 00000000..6c2711b9
--- /dev/null
+++ b/lib/dns/include/dns/rbt.h
@@ -0,0 +1,712 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef	DNS_RBT_H
+#define	DNS_RBT_H 1
+
+#include <isc/lang.h>
+#include <isc/result.h>
+#include <isc/mem.h>
+
+#include <dns/types.h>
+#include <dns/name.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * These should add up to 30.
+ */
+#define DNS_RBT_LOCKLENGTH			10
+#define DNS_RBT_REFLENGTH			20
+
+/*
+ * This is the structure that is used for each node in the red/black
+ * tree of trees.  NOTE WELL:  the implementation manages this as a variable
+ * length structure, with the actual wire-format name and other data appended
+ * appended to this structure.  Allocating a contiguous block of memory for
+ * multiple dns_rbtnode structures will not work.
+ */
+typedef struct dns_rbtnode {
+	struct dns_rbtnode *left;
+	struct dns_rbtnode *right;
+	struct dns_rbtnode *down;
+	/*
+	 * The following bitfields add up to a total bitwidth of 32.
+	 * The range of values necessary for each item is indicated,
+	 * but in the case of "attributes" the field is wider to accomodate
+	 * possible future expansion.  "offsetlen" could be one bit
+	 * narrower by always adjusting its value by 1 to find the real
+	 * offsetlen, but doing so does not gain anything (except perhaps
+	 * another bit for "attributes", which doesn't yet need any more).
+	 *
+	 * In each case below the "range" indicated is what's _necessary_ for
+	 * the bitfield to hold, not what it actually _can_ hold.
+	 */
+	unsigned int color:1;	      /* range is 0..1 */
+	unsigned int find_callback:1; /* range is 0..1 */
+	unsigned int attributes:5;    /* range is 0..2 */
+	unsigned int namelen:8;	      /* range is 1..255 */
+	unsigned int offsetlen:8;     /* range is 1..128 */
+	unsigned int padbytes:9;      /* range is 0..380 */
+	/*
+	 * These values are used in the RBT DB implementation.  The appropriate
+	 * node lock must be held before accessing them.
+	 */
+	void *data;
+	unsigned int dirty:1;
+	unsigned int wild:1;
+	unsigned int locknum:DNS_RBT_LOCKLENGTH;
+	unsigned int references:DNS_RBT_REFLENGTH;
+} dns_rbtnode_t;
+
+typedef isc_result_t (*dns_rbtfindcallback_t)(dns_rbtnode_t *node,
+					      dns_name_t *name,
+					      void *callback_arg);
+
+/*****
+ *****	Chain Info
+ *****/
+
+/*
+ * A chain is used to keep track of the sequence of nodes to reach any given
+ * node from the root of the tree.  Since no parent pointer is stored with
+ * each node, it is the only way to know what is "up" from any particular
+ * node, which is necessary information for iterating through the tree or
+ * for basic internal tree maintenance issues (ie, the rotations that are
+ * done to rebalance the tree when a node is added).  The obvious implication
+ * of this is that for a chain to remain valid, the tree has to be locked
+ * down against writes for the duration of the useful life of the chain,
+ * because additions or removals can change the path from the root to the node
+ * the chain has targetted.
+ *
+ * The dns_rbtnodechain_ functions _first, _last, _prev and _next all take
+ * dns_name_t parameters for the name and the origin, which can be NULL.  If
+ * non-NULL, 'name' will end up pointing to the name data and offsets that are
+ * stored at the node (and thus it will be read-only), so it should be a
+ * regular dns_name_t that has been initialized with dns_name_init.  When
+ * 'origin' is non-NULL, it will get the name of the origin stored in it, so it
+ * needs to have its own buffer space and offsets, which is most easily
+ * accomplished with a dns_fixedname_t.  It is _not_ necessary to reinitialize
+ * either 'name' or 'origin' between calls to the chain functions.
+ *
+ * dns_rbtnodechain_current is similar to the _first, _last, _prev and _next
+ * functions but additionally can provide the node to which the chain points.
+ */
+
+/*
+ * For use in allocating space for the chain of ancestor nodes.
+ *
+ * The maximum number of ancestors is theoretically not limited by the
+ * data tree.  This initial value of 24 ancestors would be able to scan
+ * the full height of a single level of 16,777,216 nodes, more than double
+ * the current size of .com.
+ */
+#define DNS_RBT_ANCESTORBLOCK 24
+
+/*
+ * The number of level blocks to allocate at a time.  Currently the maximum
+ * number of levels is allocated directly in the structure, but future
+ * revisions of this code might treat levels like ancestors -- that is, have
+ * a static initial block with dynamic growth.  Allocating space for 256
+ * levels when the tree is almost never that deep is wasteful, but it's not
+ * clear that it matters, since the waste is only 2MB for 1000 concurrently
+ * active chains on a system with 64-bit pointers.
+ */
+#define DNS_RBT_LEVELBLOCK 254
+
+typedef struct dns_rbtnodechain {
+	unsigned int		magic;
+	isc_mem_t *		mctx;
+	/*
+	 * The terminal node of the chain.  It is not in levels[] or
+	 * ancestors[].  This is ostensibly private ... but in a pinch
+	 * it could be used tell that the chain points nowhere without
+	 * needing to call dns_rbtnodechain_current().
+	 */
+	dns_rbtnode_t *		end;
+	dns_rbtnode_t **	ancestors;
+	/*
+	 * ancestor_block avoids doing any memory allocation (a MP
+	 * bottleneck) in 99%+ of the real-world cases.
+	 */
+	dns_rbtnode_t *		ancestor_block[DNS_RBT_ANCESTORBLOCK];
+	unsigned int		ancestor_count;
+	unsigned int		ancestor_maxitems;
+	/*
+	 * The maximum number of labels in a name is 128; bitstrings mean
+	 * a conceptually very large number (which I have not bothered to
+	 * compute) of logical levels because splitting can potentially occur
+	 * at each bit.  However, DNSSEC restricts the number of "logical"
+	 * labels in a name to 255, meaning only 254 pointers are needed
+	 * in the worst case.
+	 */
+	dns_rbtnode_t *		levels[DNS_RBT_LEVELBLOCK];
+	/*
+	 * level_count indicates how deep the chain points into the
+	 * tree of trees, and is the index into the levels[] array.
+	 * Thus, levels[level_count - 1] is the last level node stored.
+	 * A chain that points to the top level of the tree of trees has
+	 * a level_count of 0, the first level has a level_count of 1, and
+	 * so on.
+	 */
+	unsigned int		level_count;
+	/*
+	 * level_matches tells how many levels matched above the node
+	 * returned by dns_rbt_findnode().  A match (partial or exact) found
+	 * in the first level thus results in level_matches being set to 1.
+	 * This is used by the rbtdb to set the start point for a recursive
+	 * search of superdomains until the RR it is looking for is found.
+	 */
+	unsigned int		level_matches;
+} dns_rbtnodechain_t;
+
+/*****
+ ***** Public interfaces.
+ *****/
+
+isc_result_t
+dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *),
+	       void *deleter_arg, dns_rbt_t **rbtp);
+/*
+ * Initialize a red-black tree of trees.
+ *
+ * Notes:
+ *	The deleter argument, if non-null, points to a function that is
+ *	responsible for cleaning up any memory associated with the data
+ *	pointer of a node when the node is deleted.  It is passed the
+ *	deleted node's data pointer as its first argument and deleter_arg
+ *	as its second argument.  
+ *
+ * Requires:
+ * 	mctx is a pointer to a valid memory context.
+ *	rbtp != NULL && *rbtp == NULL
+ *	arg == NULL iff deleter == NULL
+ *
+ * Ensures:
+ *	If result is DNS_R_SUCCESS:
+ *		*rbtp points to a valid red-black tree manager
+ *
+ *	If result is failure:
+ *		*rbtp does not point to a valid red-black tree manager.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS	Success
+ *	DNS_R_NOMEMORY	Resource limit: Out of Memory
+ */
+
+isc_result_t
+dns_rbt_addname(dns_rbt_t *rbt, dns_name_t *name, void *data);
+/*
+ * Add 'name' to the tree of trees, associated with 'data'.
+ *
+ * Notes:
+ *	'data' is never required to be non-NULL, but specifying it
+ *	when the name is added is faster than searching for 'name'
+ *	again and then setting the data pointer.  The lack of a data pointer
+ *	for a node also has other ramifications regarding whether
+ *	dns_rbt_findname considers a node to exist, or dns_rbt_deletename
+ *	joins nodes.
+ *
+ * Requires:
+ *	rbt is a valid rbt manager.
+ *	dns_name_isabsolute(name) == TRUE
+ *
+ * Ensures:
+ *	'name' is not altered in any way.
+ *
+ *	Any external references to nodes in the tree are unaffected by
+ *	node splits that are necessary to insert the new name.
+ *
+ *	If result is DNS_R_SUCCESS:
+ *		'name' is findable in the red/black tree of trees in O(log N).
+ *
+ *		The data pointer of the node for 'name' is set to 'data'.
+ *
+ *	If result is DNS_R_EXISTS or DNS_R_NOSPACE:
+ *		The tree of trees is unaltered.
+ *
+ *	If result is DNS_R_NOMEMORY:
+ *		No guarantees.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS	Success
+ *	DNS_R_EXISTS	The name already exists with associated data.
+ *	DNS_R_NOSPACE 	The name had more logical labels than are allowed.
+ *	DNS_R_NOMEMORY	Resource Limit: Out of Memory
+ */
+
+isc_result_t
+dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep);
+
+/*
+ * Just like dns_rbt_addname, but returns the address of the node.
+ *
+ * Requires:
+ *	rbt is a valid rbt structure.
+ *	dns_name_isabsolute(name) == TRUE
+ *	nodep != NULL && *nodep == NULL
+ *
+ * Ensures:
+ *	'name' is not altered in any way.
+ *
+ *	Any external references to nodes in the tree are unaffected by
+ *	node splits that are necessary to insert the new name.
+ *
+ *	If result is DNS_R_SUCCESS:
+ *		'name' is findable in the red/black tree of trees in O(log N).
+ *
+ *		*nodep is the node that was added for 'name'.
+ *
+ *	If result is DNS_R_EXISTS:
+ *		The tree of trees is unaltered.
+ *
+ *		*nodep is the existing node for 'name'.
+ *
+ *	If result is DNS_R_NOMEMORY:
+ *		No guarantees.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS	Success
+ *	DNS_R_EXISTS	The name already exists, possibly without data.
+ *	DNS_R_NOMEMORY	Resource Limit: Out of Memory
+ */
+
+isc_result_t
+dns_rbt_findname(dns_rbt_t *rbt, dns_name_t *name,
+		 dns_name_t *foundname, void **data);
+/*
+ * Get the data pointer associated with 'name'.
+ *
+ * Notes:
+ *	A node that has no data is considered not to exist for this function.
+ *
+ * Requires:
+ *	rbt is a valid rbt manager.
+ *	dns_name_isabsolute(name) == TRUE
+ *	data != NULL && *data == NULL
+ *
+ * Ensures:
+ *	'name' and the tree are not altered in any way.
+ *
+ *	If result is DNS_R_SUCCESS:
+ *		*data is the data associated with 'name'.
+ *
+ *	If result is DNS_R_PARTIALMATCH:
+ *		*data is the data associated with the deepest superdomain
+ * 		of 'name' which has data.
+ *
+ *	If result is DNS_R_NOTFOUND:
+ *		Neither the name nor a superdomain was found with data.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		Success
+ *	DNS_R_PARTIALMATCH	Superdomain found with data
+ *	DNS_R_NOTFOUND		No match
+ *	DNS_R_NOSPACE		Concatenating nodes to form foundname failed
+ */
+
+isc_result_t
+dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
+		 dns_rbtnode_t **node, dns_rbtnodechain_t *chain,
+		 isc_boolean_t empty_data_ok, dns_rbtfindcallback_t callback,
+		 void *callback_arg);
+/*
+ * Find the node for 'name'.
+ *
+ * Notes:
+ *	It is _not_ required that the node associated with 'name' has a
+ *	non-NULL data pointer for an exact match.  A partial match must
+ *	have associated data, unless the empty_data_ok flag is true.
+ *
+ *	If the chain parameter is non-NULL, then the path through the tree
+ *	to the DNSSEC predecessor of the searched for name is maintained.
+ *	If there is no predecessor, then the chain will point to nowhere, as
+ *	indicated by chain->end being NULL or dns_rbtnodechain_current
+ *	returning DNS_R_NOTFOUND.  Note that in a normal Internet DNS RBT
+ *	there will always be a predecessor for all names except the root
+ *	name, because '.' will exist and '.' is the predecessor of
+ *	everything.  But you can certainly construct a trivial tree and a
+ *	search for it that has no predecessor.
+ *
+ *	Within the chain structure, 'ancestors' will point
+ *	to each successive node encountered in the search, with the root
+ *	of each level searched indicated by a NULL.  ancestor_count
+ *	indicates how many node pointers are in the ancestor list.  The
+ *	'levels' member of the structure holds the root node of each level
+ *	except the first; it corresponds with the NULL pointers in
+ *	'ancestors' (except the first).  That is, for the [n+1]'th NULL
+ *	'ancestors' pointer, the [n]'th 'levels' pointer is the node with
+ *	the down pointer to the next level.  That node is not stored
+ *	at all in the 'ancestors' list.
+ *
+ *	The 'level_count' of the chain indicates how deep the chain to the
+ *	predecessor name is, as an index into the 'levels[]' array.  It does
+ *	not count name elements, per se, but only levels of the tree of trees,
+ *	the distinction arrising because multiple labels from a name can be
+ *	stored on only one level.  It is also does not include the level
+ *	that has the node, since that level is not stored in levels[].
+ *
+ *	The chain's 'level_matches' is not directly related to the predecessor.
+ *	It is the number of levels above the level of the found 'node',
+ *	regardless of whether it was a partial match or exact match.  When
+ *	the node is found in the top level tree, or no node is found at all,
+ *	level_matches is 0.
+ *
+ *	If any space was allocated to hold 'ancestors' in the chain,
+ *	the 'ancestor_maxitems' member will be greater than
+ *	DNS_RBT_ANCESTORBLOCK and will indicate how many ancestors
+ *	could have been stored; the amount to be freed from the rbt->mctx
+ *	is ancestor_maxitems * sizeof(dns_rbtnode_t *).
+ *
+ * Requires:
+ *	rbt is a valid rbt manager.
+ *	dns_name_isabsolute(name) == TRUE
+ *	node != NULL && *node == NULL
+ *
+ * Ensures:
+ *	'name' and the tree are not altered in any way.
+ *
+ *	If result is DNS_R_SUCCESS:
+ *		*node is the terminal node for 'name'.
+ *
+ *		'foundname' and 'name' represent the same name (though not
+ *		the same memory).
+ *
+ *		'chain' points to the DNSSEC predecessor, if any, of 'name'.
+ *
+ *		chain->level_matches and chain->level_count are equal.
+ *
+ * 	If result is DNS_R_PARTIALMATCH:
+ *		*node is the data associated with the deepest superdomain
+ * 		of 'name' which has data.
+ *
+ *		'foundname' is the name of deepest superdomain (which has
+ *		data, unless 'empty_data_ok').
+ *
+ *		'chain' points to the DNSSEC predecessor, if any, of 'name'.
+ *
+ *	If result is DNS_R_NOTFOUND:
+ *		Neither the name nor a superdomain was found.  *node is NULL.
+ *
+ *		'chain' points to the DNSSEC predecessor, if any, of 'name'.
+ *
+ *		chain->level_matches is 0.
+ *
+ *	If result is DNS_R_NOMEMORY:
+ *		The function could not complete because memory could not
+ *		be allocated to maintain the chain.  However, it
+ *		is possible that some memory was allocated;
+ *		the chain's ancestor_maxitems will be greater than
+ *		DNS_RBT_ANCESTORBLOCK if so.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		Success
+ *	DNS_R_PARTIALMATCH	Superdomain found with data
+ *	DNS_R_NOTFOUND		No match, or superdomain with no data
+ *	DNS_R_NOMEMORY		Resource Limit: Out of Memory building chain
+ *	DNS_R_NOSPACE 		Concatenating nodes to form foundname failed
+ */
+
+isc_result_t
+dns_rbt_deletename(dns_rbt_t *rbt, dns_name_t *name, isc_boolean_t recurse);
+/*
+ * Delete 'name' from the tree of trees.
+ *
+ * Notes:
+ *	When 'name' is removed, if recurse is ISC_TRUE then all of its
+ *      subnames are removed too.
+ *
+ * Requires:
+ *	rbt is a valid rbt manager.
+ *	dns_name_isabsolute(name) == TRUE
+ *
+ * Ensures:
+ *	'name' is not altered in any way.
+ *
+ *	Does NOT ensure that any external references to nodes in the tree
+ *	are unaffected by node joins.
+ *
+ *	If result is DNS_R_SUCCESS:
+ *		'name' does not appear in the tree with data; however,
+ *		the node for the name might still exist which can be
+ *		found with dns_rbt_findnode (but not dns_rbt_findname).
+ *
+ *	If result is DNS_R_NOTFOUND:
+ *		'name' does not appear in the tree with data, because
+ *		it did not appear in the tree before the function was called.
+ *
+ *	If result is DNS_R_NOMEMORY:
+ *		'name' remains in the tree, if it was there to begin with.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS	Success
+ *	DNS_R_NOTFOUND	No match
+ *	DNS_R_NOMEMORY	Resource Limit: Out of Memory
+ */
+
+void
+dns_rbt_namefromnode(dns_rbtnode_t *node, dns_name_t *name);
+/*
+ * Convert the sequence of labels stored at 'node' into a 'name'.
+ *
+ * Notes:
+ *	This function does not return the full name, from the root, but
+ *	just the labels at the indicated node.
+ *
+ *	The name data pointed to by 'name' is the information stored
+ *	in the node, not a copy.  Altering the data at this pointer
+ *	will likely cause grief.
+ *
+ * Requires:
+ *	name->offsets == NULL
+ *
+ * Ensures:
+ *	'name' is DNS_NAMEATTR_READONLY.
+ *
+ *	'name' will point directly to the labels stored after the
+ *	dns_rbtnode_t struct.
+ *
+ *	'name' will have offsets that also point to the information stored
+ *	as part of the node.
+ */
+
+void
+dns_rbt_destroy(dns_rbt_t **rbtp);
+/*
+ * Stop working with a red-black tree of trees.
+ *
+ * Requires:
+ * 	*rbt is a valid rbt manager.
+ *
+ * Ensures:
+ *	All space allocated by the RBT library has been returned.
+ *
+ *	*rbt is invalidated as an rbt manager.
+ */
+
+void
+dns_rbt_printall(dns_rbt_t *rbt);
+/*
+ * Print an ASCII representation of the internal structure of the red-black
+ * tree of trees.
+ *
+ * Notes:
+ *	The name stored at each node, along with the node's color, is printed.
+ *	Then the down pointer, left and right pointers are displayed 
+ *	recursively in turn.  NULL down pointers are silently omitted;
+ *	NULL left and right pointers are printed.
+ */
+
+/*****
+ ***** Chain Functions
+ *****/
+
+void
+dns_rbtnodechain_init(dns_rbtnodechain_t *chain, isc_mem_t *mctx);
+/*
+ * Initialize 'chain'.
+ *
+ * Requires:
+ *	'chain' is a valid pointer.
+ *
+ *	'mctx' is a valid memory context.
+ *
+ * Ensures:
+ *	'chain' is suitable for use.
+ */
+
+void
+dns_rbtnodechain_reset(dns_rbtnodechain_t *chain);
+/*
+ * Free any dynamic storage associated with 'chain', and then reinitialize
+ * 'chain'.
+ *
+ * Requires:
+ *	'chain' is a valid pointer.
+ *
+ * Ensures:
+ *	'chain' is suitable for use, and uses no dynamic storage.
+ */
+
+void
+dns_rbtnodechain_invalidate(dns_rbtnodechain_t *chain);
+/*
+ * Free any dynamic storage associated with 'chain', and then invalidates it.
+ *
+ * Notes:
+ * 	Future calls to any dns_rbtnodechain_ function will need to call
+ * 	dns_rbtnodechain_init on the chain first (except, of course,
+ *	dns_rbtnodechain_init itself).
+ *
+ * Requires:
+ *	'chain' is a valid chain.
+ *
+ * Ensures:
+ *	'chain' is no longer suitable for use, and uses no dynamic storage.
+ */
+
+isc_result_t
+dns_rbtnodechain_current(dns_rbtnodechain_t *chain, dns_name_t *name,
+			 dns_name_t *origin, dns_rbtnode_t **node);
+/*
+ * Provide the name, origin and node to which the chain is currently pointed.
+ *
+ * Notes:
+ *	The tree need not have be locked against additions for the chain
+ *	to remain valid, however there are no guarantees if any deletion
+ *	has been made since the chain was established.
+ *
+ * Requires:
+ *	'chain' is a valid chain.
+ *
+ * Ensures:
+ *	'node', if non-NULL, is the node to which the chain was pointed
+ *	by dns_rbt_findnode, dns_rbtnodechain_first or dns_rbtnodechain_last.
+ *	If none were called for the chain since it was initialized or reset,
+ *	or if the was no predecessor to the name searched for with
+ *	dns_rbt_findnode, then '*node' is NULL and DNS_R_NOTFOUND is returned.
+ *
+ *	'name', if non-NULL, is the name stored at the terminal level of
+ *	the chain.  This is typically a single label, like the "www" of
+ *	"www.isc.org", but need not be so.  At the root of the tree of trees,
+ *	if the node is "." then 'name' is ".", otherwise it is relative to ".".
+ *	(Minimalist and atypical case:  if the tree has just the name
+ *	"isc.org." then the root node's stored name is "isc.org." but 'name'
+ *	will be "isc.org".)
+ *
+ *	'origin', if non-NULL, is the sequence of labels in the levels
+ *	above the terminal level, such as "isc.org." in the above example.
+ *	'origin' is always "." for the root node.
+ *	
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		name, origin & node were successfully set.
+ *	DNS_R_NOTFOUND		The chain does not point to any node.
+ *	<something_else>	Any error return from dns_name_concatenate.
+ */
+
+isc_result_t
+dns_rbtnodechain_first(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
+		       dns_name_t *name, dns_name_t *origin);
+/*
+ * Set the chain to the lexically first node in the tree of trees.
+ *
+ * Notes:
+ *	By the definition of ordering for DNS names, the root of the tree of
+ *	trees is the very first node, since everything else in the megatree
+ *	uses it as a common suffix.
+ *
+ * Requires:
+ *	'chain' is a valid chain.
+ *	'rbt' is a valid rbt manager.
+ *
+ * Ensures:
+ *	The chain points to the very first node of the tree.
+ *
+ *	'name' and 'origin', if non-NULL, are set as described for
+ *	dns_rbtnodechain_current.  Thus 'origin' will always be ".".
+ *
+ * Returns:
+ *	DNS_R_NEWORIGIN		The name & origin were successfully set.
+ *	<something_else>	Any error result from dns_rbtnodechain_current.
+ */
+
+isc_result_t
+dns_rbtnodechain_last(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
+		       dns_name_t *name, dns_name_t *origin);
+/*
+ * Set the chain to the lexically last node in the tree of trees.
+ *
+ * Requires:
+ *	'chain' is a valid chain.
+ *	'rbt' is a valid rbt manager.
+ *
+ * Ensures:
+ *	The chain points to the very last node of the tree.
+ *
+ *	'name' and 'origin', if non-NULL, are set as described for
+ *	dns_rbtnodechain_current.
+ *
+ * Returns:
+ *	DNS_R_NEWORIGIN		The name & origin were successfully set.
+ *	DNS_R_NOMEMORY		Resource Limit: Out of Memory building chain.
+ *	<something_else>	Any error result from dns_name_concatenate.
+ */
+
+isc_result_t
+dns_rbtnodechain_prev(dns_rbtnodechain_t *chain, dns_name_t *name,
+		      dns_name_t *origin);
+/*
+ * Adjusts chain to point the DNSSEC predecessor of the name to which it
+ * is currently pointed.
+ *
+ * Requires:
+ *	'chain' is a valid chain.
+ *	'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
+ *	dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
+ *	dns_rbt_findnode is not guaranteed to point the chain somewhere,
+ *	since there may have been no predecessor to the searched for name.
+ *
+ * Ensures:
+ *	The chain is pointed to the predecessor of its current target.
+ *
+ *	'name' and 'origin', if non-NULL, are set as described for
+ *	dns_rbtnodechain_current.
+ *
+ *	'origin' is only if a new origin was found.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		The predecessor was found and 'name' was set.
+ *	DNS_R_NEWORIGIN		The predecessor was found with a different
+ *				origin and 'name' and 'origin' were set.
+ *	DNS_R_NOMORE		There was no predecessor.
+ *	<something_else>	Any error result from dns_rbtnodechain_current.
+ */
+
+isc_result_t
+dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
+		      dns_name_t *origin);
+/*
+ * Adjusts chain to point the DNSSEC successor of the name to which it
+ * is currently pointed.
+ *
+ * Requires:
+ *	'chain' is a valid chain.
+ *	'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
+ *	dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
+ *	dns_rbt_findnode is not guaranteed to point the chain somewhere,
+ *	since there may have been no predecessor to the searched for name.
+ *
+ * Ensures:
+ *	The chain is pointed to the successor of its current target.
+ *
+ *	'name' and 'origin', if non-NULL, are set as described for
+ *	dns_rbtnodechain_current.
+ *
+ *	'origin' is only if a new origin was found.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		The successor was found and 'name' was set.
+ *	DNS_R_NEWORIGIN		The successor was found with a different
+ *				origin and 'name' and 'origin' were set.
+ *	DNS_R_NOMORE		There was no successor.
+ *	<something_else>	Any error result from dns_name_concatenate.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RBT_H */
diff --git a/lib/dns/include/dns/rcode.h b/lib/dns/include/dns/rcode.h
new file mode 100644
index 00000000..d15f2ec4
--- /dev/null
+++ b/lib/dns/include/dns/rcode.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_RCODE_H
+#define DNS_RCODE_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t dns_rcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source);
+/*
+ * Convert the text 'source' refers to into a DNS error value.
+ *
+ * Requires:
+ *	'rcodep' is a valid pointer.
+ *
+ *	'source' is a valid text region.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS			on success
+ *	DNS_R_UNKNOWN			type is unknown
+ */
+
+isc_result_t dns_rcode_totext(dns_rcode_t rcode, isc_buffer_t *target);
+/*
+ * Put a textual representation of error 'rcode' into 'target'.
+ *
+ * Requires:
+ *	'rcode' is a valid rcode.
+ *
+ *	'target' is a valid text buffer.
+ *
+ * Ensures:
+ *	If the result is success:
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS			on success
+ *	DNS_R_NOSPACE			target buffer is too small
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RCODE_H */
diff --git a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h
new file mode 100644
index 00000000..7ed4b69e
--- /dev/null
+++ b/lib/dns/include/dns/rdata.h
@@ -0,0 +1,550 @@
+/*
+ * Copyright (C) 1998, 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_RDATA_H
+#define DNS_RDATA_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Rdata
+ *
+ * Provides facilities for manipulating DNS rdata, including conversions to
+ * and from wire format and text format.
+ *
+ * Given the large amount of rdata possible in a nameserver, it was important
+ * to come up with a very efficient way of storing rdata, but at the same
+ * time allow it to be manipulated.
+ *
+ * The decision was to store rdata in uncompressed wire format,
+ * and not to make it a fully abstracted object; i.e. certain parts of the
+ * server know rdata is stored that way.  This saves a lot of memory, and
+ * makes adding rdata to messages easy.  Having much of the server know
+ * the representation would be perilous, and we certainly don't want each
+ * user of rdata to be manipulating such a low-level structure.  This is
+ * where the rdata module comes in.  The module allows rdata handles to be
+ * created and attached to uncompressed wire format regions.  All rdata
+ * operations and conversions are done through these handles.
+ *
+ * Implementation Notes:
+ *
+ *	The routines in this module are expected to be synthesized by the
+ *	build process from a set of source files, one per rdata type.  For
+ *	portability, it's probably best that the building be done by a C
+ *	program.  Adding a new rdata type will be a simple matter of adding
+ *	a file to a directory and rebuilding the server.  *All* knowlege of
+ *	the format of a particular rdata type is in this file.
+ *
+ * MP:
+ *	Clients of this module must impose any required synchronization.
+ *
+ * Reliability:
+ *	This module deals with low-level byte streams.  Errors in any of
+ *	the functions are likely to crash the server or corrupt memory.
+ *
+ *	Rdata is typed, and the caller must know what type of rdata it has.
+ *	A caller that gets this wrong could crash the server.
+ *
+ *	The fromstruct() and tostruct() routines use a void * pointer to
+ *	represent the structure.  The caller must ensure that it passes a
+ *	pointer to the appropriate type, or the server could crash or memory
+ *	could be corrupted.
+ *
+ * Resources:
+ *	None.
+ *
+ * Security:
+ *
+ *	*** WARNING ***
+ *
+ *	dns_rdata_fromwire() deals with raw network data.  An error in
+ *	this routine could result in the failure or hijacking of the server.
+ *
+ * Standards:
+ *	RFC 1035
+ *	Draft EDNS0 (0)
+ *	Draft EDNS1 (0)
+ *	Draft Binary Labels (2)
+ *	Draft Local Compression (1)
+ *	<Various RFCs for particular types; these will be documented in the
+ *	 sources files of the types.>
+ *
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/lex.h>
+
+#include <dns/types.h>
+#include <dns/name.h>
+#include <dns/callbacks.h>
+#include <dns/compress.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** RData
+ *****
+ ***** An 'rdata' is a handle to a binary region.  The handle has an RR
+ ***** class and type, and the data in the binary region is in the format
+ ***** of the given class and type.
+ *****/
+
+/***
+ *** Types
+ ***/
+
+/*
+ * Clients are strongly discouraged from using this type directly, with
+ * the exception of the 'link' field which may be used directly for whatever
+ * purpose the client desires.
+ */
+struct dns_rdata {
+	unsigned char *			data;
+	unsigned int			length;
+	dns_rdataclass_t		rdclass;
+	dns_rdatatype_t			type;
+	ISC_LINK(dns_rdata_t)		link;
+};
+
+/*
+ * Flags affecting rdata formatting style.  Flags 0xFFFF0000
+ * are used by masterfile-level formatting and defined elsewhere.
+ * See additional comments at dns_rdata_tofmttext().
+ */
+
+/* Split the rdata into multiple lines to try to keep it
+ within the "width". */
+#define DNS_STYLEFLAG_MULTILINE		0x00000001U
+
+/* Output explanatory comments. */
+#define DNS_STYLEFLAG_COMMENT		0x00000002U
+
+/***
+ *** Initialization
+ ***/
+
+void dns_rdata_init(dns_rdata_t *rdata);
+/*
+ * Make 'rdata' empty.
+ *
+ * Requires:
+ *	'rdata' is a valid rdata (i.e. not NULL, points to a struct dns_rdata)
+ */
+
+/***
+ *** Comparisons
+ ***/
+
+int dns_rdata_compare(dns_rdata_t *rdata1, dns_rdata_t *rdata2);
+/*
+ * Determine the relative ordering under the DNSSEC order relation of
+ * 'rdata1' and 'rdata2'.
+ *
+ * Requires:
+ *
+ *	'rdata1' is a valid, non-empty rdata
+ *
+ *	'rdata2' is a valid, non-empty rdata
+ *
+ * Returns:
+ *	-1		'rdata1' is less than 'rdata2'
+ *	0		'rdata1' is equal to 'rdata2'
+ *	1		'rdata1' is greater than 'rdata2'
+ */
+
+/***
+ *** Conversions
+ ***/
+
+void dns_rdata_fromregion(dns_rdata_t *rdata,
+			  dns_rdataclass_t rdclass, dns_rdatatype_t type,
+			  isc_region_t *r);
+/*
+ * Make 'rdata' refer to region 'r'.
+ *
+ * Requires:
+ *
+ *	The data in 'r' is properly formatted for whatever type it is.
+ */
+
+void dns_rdata_toregion(dns_rdata_t *rdata, isc_region_t *r);
+/*
+ * Make 'r' refer to 'rdata'.
+ */
+
+isc_result_t dns_rdata_fromwire(dns_rdata_t *rdata,
+				dns_rdataclass_t rdclass, dns_rdatatype_t type,
+				isc_buffer_t *source,
+				dns_decompress_t *dctx,
+				isc_boolean_t downcase,
+				isc_buffer_t *target);
+/*
+ * Copy the possibly-compressed rdata at source into the target region.
+ *
+ * Notes:
+ *	Name decompression policy is controlled by 'dctx'.
+ *
+ *	If 'downcase' is true, any uppercase letters in domain names in
+ * 	'source' will be downcased when they are copied into 'target'.
+ *
+ * Requires:
+ *
+ *	'rdclass' and 'type' are valid.
+ *
+ *	'source' is a valid binary buffer, and the active region of 'source'
+ *	references the rdata to be processed.
+ *
+ *	'target' is a valid binary buffer.
+ *
+ *	'dctx' is a valid decompression context.
+ *
+ * Ensures:
+ *
+ *	If result is success:
+ *	 	If 'rdata' is not NULL, it is attached to the target.
+ *
+ *		The conditions dns_name_fromwire() ensures for names hold
+ *		for all names in the rdata.
+ *
+ *		The current location in source is advanced, and the used space
+ *		in target is updated.
+ *
+ * Result:
+ *	Success
+ *	<Any non-success status from dns_name_fromwire()>
+ *	<Various 'Bad Form' class failures depending on class and type>
+ *	Bad Form: Input too short
+ *	Resource Limit: Not enough space
+ */
+
+isc_result_t dns_rdata_towire(dns_rdata_t *rdata,
+			      dns_compress_t *cctx,
+			      isc_buffer_t *target);
+/*
+ * Convert 'rdata' into wire format, compressing it as specified by the
+ * compression context 'cctx', and storing the result in 'target'.
+ *	
+ * Notes:
+ *	If the compression context allows global compression, then the
+ *	global compression table may be updated.
+ *
+ * Requires:
+ *	'rdata' is a valid, non-empty rdata
+ *
+ *	target is a valid binary buffer
+ *
+ *	Any offsets specified in a global compression table are valid
+ *	for target.
+ *
+ * Ensures:
+ *	If the result is success:
+ *		The used space in target is updated.
+ *
+ * Returns:
+ *	Success
+ *	<Any non-success status from dns_name_towire()>
+ *	Resource Limit: Not enough space
+ */
+
+isc_result_t dns_rdata_fromtext(dns_rdata_t *rdata,
+				dns_rdataclass_t rdclass, dns_rdatatype_t type,
+				isc_lex_t *lexer,
+				dns_name_t *origin,
+				isc_boolean_t downcase,
+				isc_buffer_t *target,
+				dns_rdatacallbacks_t *callbacks);
+/*
+ * Convert the textual representation of a DNS rdata into uncompressed wire
+ * form stored in the target region.  Tokens constituting the text of the rdata
+ * are taken from 'lexer'.
+ *
+ * Notes:
+ *	Relative domain names in the rdata will have 'origin' appended to them.
+ *	A NULL origin implies "origin == dns_rootname".
+ *
+ *	If 'downcase' is true, any uppercase letters in domain names in
+ * 	'source' will be downcased when they are copied into 'target'.
+ *
+ * Requires:
+ *
+ *	'rdclass' and 'type' are valid.
+ *
+ *	'lexer' is a valid isc_lex_t.
+ *
+ *	'target' is a valid region.
+ *
+ *	'origin' if non NULL it must be absolute.
+ *
+ * Ensures:
+ *	If result is success:
+ *	 	If 'rdata' is not NULL, it is attached to the target.
+ *
+ *		The conditions dns_name_fromtext() ensures for names hold
+ *		for all names in the rdata.
+ *
+ *		The used space in target is updated.
+ *
+ * Result:
+ *	Success
+ *	<Translated result codes from isc_lex_gettoken>
+ *	<Various 'Bad Form' class failures depending on class and type>
+ *	Bad Form: Input too short
+ *	Resource Limit: Not enough space
+ */
+
+isc_result_t dns_rdata_totext(dns_rdata_t *rdata, dns_name_t *origin,
+			      isc_buffer_t *target);
+/*
+ * Convert 'rdata' into text format, storing the result in 'target'.
+ * The text will consist of a single line, with fields separated by
+ * single spaces.
+ *
+ * Notes:
+ *	If 'origin' is not NULL, then any names in the rdata that are
+ *	subdomains of 'origin' will be made relative it.
+ *
+ *	XXX Do we *really* want to support 'origin'?  I'm inclined towards "no"
+ *	at the moment.
+ *
+ * Requires:
+ *
+ *	'rdata' is a valid, non-empty rdata
+ *
+ *	'origin' is NULL, or is a valid name
+ *
+ *	'target' is a valid text buffer
+ *
+ * Ensures:
+ *	If the result is success:
+ *
+ *		The used space in target is updated.
+ *
+ * Returns:
+ *	Success
+ *	<Any non-success status from dns_name_totext()>
+ *	Resource Limit: Not enough space
+ */
+
+isc_result_t dns_rdata_tofmttext(dns_rdata_t *rdata, dns_name_t *origin,
+				 unsigned int flags, unsigned int width,
+				 char *linebreak, isc_buffer_t *target);
+/*
+ * Like dns_rdata_totext, but do formatted output suitable for 
+ * database dumps.  This is intended for use by dns_db_dump();
+ * library users are discouraged from calling it directly.
+ *
+ * If (flags & DNS_STYLEFLAG_MULTILINE) != 0, attempt to stay
+ * within 'width' by breaking the text into multiple lines.
+ * The string 'linebreak' is inserted between lines, and parentheses
+ * are added when necessary.  Because RRs contain unbreakable elements
+ * such as domain names whose length is variable, unpredictable, and
+ * potentially large, there is no guarantee that the lines will
+ * not exceed 'width' anyway.  
+ *
+ * If (flags & DNS_STYLEFLAG_MULTILINE) == 0, the rdata is always
+ * printed as a single line, and no parentheses are used.
+ * The 'width' and 'linebreak' arguments are ignored.
+ *
+ * If (flags & DNS_STYLEFLAG_COMMENT) != 0, output explanatory
+ * comments next to things like the SOA timer fields.  Some 
+ * comments (e.g., the SOA ones) are only printed when multiline
+ * output is selected. 
+ */
+
+isc_result_t dns_rdata_fromstruct(dns_rdata_t *rdata,
+				  dns_rdataclass_t rdclass,
+				  dns_rdatatype_t type,
+				  void *source,
+				  isc_buffer_t *target);
+/*
+ * Convert the C structure representation of an rdata into uncompressed wire
+ * format in 'target'.
+ *
+ * XXX  Should we have a 'size' parameter as a sanity check on target?
+ *
+ * Requires:
+ *
+ *	'rdclass' and 'type' are valid.
+ *
+ *	'source' points to a valid C struct for the class and type.
+ *
+ *	'target' is a valid binary buffer.
+ *
+ * Ensures:
+ *	If result is success:
+ *	 	If 'rdata' is not NULL, it is attached to the target.
+ *
+ *		The used space in 'target' is updated.
+ *
+ * Result:
+ *	Success
+ *	<Various 'Bad Form' class failures depending on class and type>
+ *	Resource Limit: Not enough space
+ */
+
+isc_result_t dns_rdata_tostruct(dns_rdata_t *rdata, void *target,
+				isc_mem_t *mctx);
+/*
+ * Convert an rdata into its C structure representation.
+ *
+ * Requires:
+ *
+ *	'rdata' is a valid, non-empty rdata.
+ *
+ *	'target' to point to a valid pointer for the type and class.
+ *
+ * Result:
+ *	Success
+ *	Resource Limit: Not enough memory
+ */
+
+void dns_rdata_freestruct(void *source);
+
+/*
+ * Free dynamic memory attached to 'source' (if any).
+ *
+ * Requires:
+ *
+ *	'source' to point to the structure previously filled in by
+ *	dns_rdata_tostruct().
+ */
+
+isc_boolean_t dns_rdatatype_ismeta(dns_rdatatype_t type);
+/*
+ * Return true iff the rdata type 'type' is a meta-type
+ * like ANY or AXFR.
+ *
+ * Requires:
+ * 	'type' is a valid rdata type.
+ *
+ */
+
+isc_boolean_t dns_rdataclass_ismeta(dns_rdataclass_t rdclass);
+/*
+ * Return true iff the rdata class 'rdclass' is a meta-class
+ * like ANY or NONE.
+ *
+ * Requires:
+ * 	'rdclass' is a valid rdata class.
+ *
+ */
+
+isc_boolean_t dns_rdatatype_isdnssec(dns_rdatatype_t type);
+/*
+ * Return true iff 'type' is one of the DNSSEC
+ * rdata types that may exist alongside a CNAME record.
+ *
+ * Requires:
+ * 	'type' is a valid rdata type.
+ */
+
+isc_boolean_t dns_rdatatype_iszonecutauth(dns_rdatatype_t type);
+/*
+ * Return true iff rdata of type 'type' is considered authoritative
+ * data (not glue) in the NXT chain when it occurs in the parent zone
+ * at a zone cut.
+ *
+ * Requires:
+ * 	'type' is a valid rdata type.
+ *
+ */
+
+isc_result_t
+dns_rdata_additionaldata(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
+			 void *arg);
+/*
+ * Call 'add' for each name and type from 'rdata' which is subject to
+ * additional section processing.
+ *
+ * Requires:
+ *
+ *	'rdata' is a valid, non-empty rdata.
+ *
+ *	'add' is a valid dns_additionalfunc_t.
+ *
+ * Ensures:
+ *
+ *	If successful, then add() will have been called for each name
+ *	and type subject to additional section processing.
+ *
+ *	If add() returns something other than DNS_R_SUCCESS, that result
+ *	will be returned as the result of dns_rdata_additionaldata().
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *
+ *	Many other results are possible if not successful.
+ */
+
+isc_result_t
+dns_rdata_digest(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg);
+/*
+ * Send 'rdata' in DNSSEC canonical form to 'digest'.
+ *
+ * Note:
+ *	'digest' may be called more than once by dns_rdata_digest().  The
+ *	concatenation of all the regions, in the order they were given
+ *	to 'digest', will be the DNSSEC canonical form of 'rdata'.
+ *
+ * Requires:
+ *
+ *	'rdata' is a valid, non-empty rdata.
+ *
+ *	'digest' is a valid dns_digestfunc_t.
+ *
+ * Ensures:
+ *
+ *	If successful, then all of the rdata's data has been sent, in
+ *	DNSSEC canonical form, to 'digest'.
+ *
+ *	If digest() returns something other than DNS_R_SUCCESS, that result
+ *	will be returned as the result of dns_rdata_digest().
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *
+ *	Many other results are possible if not successful.
+ */
+
+dns_rdatatype_t
+dns_rdata_covers(dns_rdata_t *rdata);
+/*
+ * Return the rdatatype that this type covers.
+ *
+ * Requires:
+ *	'rdata' is a valid, non-empty rdata.
+ *
+ *	'rdata' is a type that covers other rdata types.
+ *
+ * Returns:
+ *	The type covered.
+ */
+
+isc_result_t
+dns_rdataclass_totext(dns_rdataclass_t rdclass, isc_buffer_t *target);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATA_H */
diff --git a/lib/dns/include/dns/rdataclass.h b/lib/dns/include/dns/rdataclass.h
new file mode 100644
index 00000000..6e4b5186
--- /dev/null
+++ b/lib/dns/include/dns/rdataclass.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 1998, 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_RDATACLASS_H
+#define DNS_RDATACLASS_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t dns_rdataclass_fromtext(dns_rdataclass_t *classp,
+				     isc_textregion_t *source);
+/*
+ * Convert the text 'source' refers to into a DNS class.
+ *
+ * Requires:
+ *	'classp' is a valid pointer.
+ *
+ *	'source' is a valid text region.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS			on success
+ *	DNS_R_UNKNOWN			class is unknown
+ *	DNS_R_NOTIMPLEMENTED		class is known, but not implemented
+ */
+
+isc_result_t dns_rdataclass_totext(dns_rdataclass_t rdclass,
+				   isc_buffer_t *target);
+/*
+ * Put a textual representation of class 'rdclass' into 'target'.
+ *
+ * Requires:
+ *	'rdclass' is a valid class.
+ *
+ *	'target' is a valid text buffer.
+ *
+ * Ensures:
+ *	If the result is success:
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS			on success
+ *	DNS_R_NOSPACE			target buffer is too small
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATACLASS_H */
diff --git a/lib/dns/include/dns/rdatalist.h b/lib/dns/include/dns/rdatalist.h
new file mode 100644
index 00000000..ecb2f1c5
--- /dev/null
+++ b/lib/dns/include/dns/rdatalist.h
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_RDATALIST_H
+#define DNS_RDATALIST_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Rdatalist
+ *
+ * A DNS rdatalist is a list of rdata of a common type and class.
+ *
+ * MP:
+ *	Clients of this module must impose any required synchronization.
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *	<TBS>
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ *	None.
+ */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+#include <dns/result.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * Clients may use this type directly.
+ */
+struct dns_rdatalist {
+	dns_rdataclass_t		rdclass;
+	dns_rdatatype_t			type;
+	dns_rdatatype_t			covers;
+	dns_ttl_t			ttl;
+	ISC_LIST(dns_rdata_t)		rdata;
+	ISC_LINK(dns_rdatalist_t)	link;
+};
+
+void
+dns_rdatalist_init(dns_rdatalist_t *rdatalist);
+/*
+ * Initialize rdatalist.
+ *
+ * Ensures:
+ *	All fields of rdatalist have been initialized to their default
+ *	values.
+ */
+
+isc_result_t
+dns_rdatalist_tordataset(dns_rdatalist_t *rdatalist,
+			 dns_rdataset_t *rdataset);
+/*
+ * Make 'rdataset' refer to the rdata in 'rdatalist'.
+ *
+ * Note:
+ *	The caller must ensure that 'rdatalist' remains valid and unchanged
+ *	while 'rdataset' is associated with it.
+ *
+ * Requires:
+ *
+ *	'rdatalist' is a valid rdatalist.
+ *
+ *	'rdataset' is a valid rdataset that is not currently associated with
+ *	any rdata.
+ *
+ * Ensures:
+ *	On success,
+ *
+ *		'rdataset' is associated with the rdata in rdatalist.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATALIST_H */
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
new file mode 100644
index 00000000..35b81cc1
--- /dev/null
+++ b/lib/dns/include/dns/rdataset.h
@@ -0,0 +1,366 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_RDATASET_H
+#define DNS_RDATASET_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Rdataset
+ *
+ * A DNS rdataset is a handle that can be associated with a collection of
+ * rdata all having a common owner name, class, and type.
+ *
+ * The dns_rdataset_t type is like a "virtual class".  To actually use
+ * rdatasets, an implementation of the method suite (e.g. "slabbed rdata") is
+ * required.
+ *
+ * XXX <more> XXX
+ *
+ * MP:
+ *	Clients of this module must impose any required synchronization.
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *	<TBS>
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ *	None.
+ */
+
+#include <isc/boolean.h>
+#include <isc/buffer.h>
+#include <isc/lang.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+#include <dns/result.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef struct dns_rdatasetmethods {
+	void			(*disassociate)(dns_rdataset_t *rdataset);
+	isc_result_t		(*first)(dns_rdataset_t *rdataset);
+	isc_result_t		(*next)(dns_rdataset_t *rdataset);
+	void			(*current)(dns_rdataset_t *rdataset,
+					   dns_rdata_t *rdata);
+	void			(*clone)(dns_rdataset_t *source,
+					 dns_rdataset_t *target);
+	unsigned int		(*count)(dns_rdataset_t *rdataset);
+} dns_rdatasetmethods_t;
+
+#define DNS_RDATASET_MAGIC		0x444E5352U	/* DNSR. */
+#define DNS_RDATASET_VALID(rdataset)	((rdataset) != NULL && \
+					 (rdataset)->magic == \
+					  DNS_RDATASET_MAGIC)
+
+/*
+ * Direct use of this structure by clients is strongly discouraged, except
+ * for the 'link' field which may be used however the client wishes.  The
+ * 'private', 'current', and 'index' fields MUST NOT be changed by clients.
+ * rdataset implementations may change any of the fields.
+ */
+struct dns_rdataset {
+	unsigned int			magic;		/* XXX ? */
+	dns_rdatasetmethods_t *		methods;
+	ISC_LINK(dns_rdataset_t)	link;
+	/*
+	 * XXX do we need these, or should they be retrieved by methods?
+	 * Leaning towards the latter, since they are not frequently required
+	 * once you have the rdataset.
+	 */
+	dns_rdataclass_t		rdclass;
+	dns_rdatatype_t			type;
+	dns_ttl_t			ttl;
+	dns_trust_t			trust;
+	dns_rdatatype_t			covers;
+	/*
+	 * attributes
+	 */
+	unsigned int			attributes;
+	/*
+	 * These are for use by the rdataset implementation, and MUST NOT
+	 * be changed by clients.
+	 */
+	void *				private1;
+	void *				private2;
+	void *				private3;
+	void *				private4;
+	void *				private5;
+};
+
+/*
+ * _RENDERED:
+ *	Used by message.c to indicate that the rdataset was rendered.
+ *
+ * _TTLADJUSTED:
+ *	Used by message.c to indicate that the rdataset's rdata had differing
+ *	TTL values, and the rdataset->ttl holds the smallest.
+ */
+#define DNS_RDATASETATTR_QUESTION	0x0001
+#define DNS_RDATASETATTR_RENDERED	0x0002		/* Used by message.c */
+#define DNS_RDATASETATTR_ANSWERED	0x0004		/* Used by server. */
+#define DNS_RDATASETATTR_CACHE		0x0008		/* Used by resolver. */
+#define DNS_RDATASETATTR_ANSWER		0x0010		/* Used by resolver. */
+#define DNS_RDATASETATTR_ANSWERSIG	0x0020		/* Used by resolver. */
+#define DNS_RDATASETATTR_EXTERNAL	0x0040		/* Used by resolver. */
+#define DNS_RDATASETATTR_NCACHE		0x0080		/* Used by resolver. */
+#define DNS_RDATASETATTR_CHAINING	0x0100		/* Used by resolver. */
+#define DNS_RDATASETATTR_TTLADJUSTED	0x0200		/* Used by message.c */
+
+void
+dns_rdataset_init(dns_rdataset_t *rdataset);
+/*
+ * Make 'rdataset' a valid, disassociated rdataset.
+ *
+ * Requires:
+ *	'rdataset' is not NULL.
+ *
+ * Ensures:
+ *	'rdataset' is a valid, disassociated rdataset.
+ */
+
+void
+dns_rdataset_invalidate(dns_rdataset_t *rdataset);
+/*
+ * Invalidate 'rdataset'.
+ *
+ * Requires:
+ *	'rdataset' is a valid, disassociated rdataset.
+ *
+ * Ensures:
+ *	If assertion checking is enabled, future attempts to use 'rdataset'
+ *	without initializing it will cause an assertion failure.
+ */
+
+void
+dns_rdataset_disassociate(dns_rdataset_t *rdataset);
+/*
+ * Disassociate 'rdataset' from its rdata, allowing it to be reused.
+ *
+ * Notes:
+ *	The client must ensure it has no references to rdata in the rdataset
+ *	before disassociating.
+ *
+ * Requires:
+ *	'rdataset' is a valid, associated rdataset.
+ *
+ * Ensures:
+ *	'rdataset' is a valid, disassociated rdataset.
+ */
+
+isc_boolean_t
+dns_rdataset_isassociated(dns_rdataset_t *rdataset);
+/*
+ * Is 'rdataset' associated?
+ *
+ * Requires:
+ *	'rdataset' is a valid rdataset.
+ *
+ * Returns:
+ *	ISC_TRUE			'rdataset' is associated.
+ *	ISC_FALSE			'rdataset' is not associated.
+ */
+
+void
+dns_rdataset_makequestion(dns_rdataset_t *rdataset, dns_rdataclass_t rdclass,
+			  dns_rdatatype_t type);
+/*
+ * Make 'rdataset' a valid, associated, question rdataset, with a
+ * question class of 'rdclass' and type 'type'.
+ *
+ * Notes:
+ *	Question rdatasets have a class and type, but no rdata.
+ *
+ * Requires:
+ *	'rdataset' is a valid, disassociated rdataset.
+ *
+ * Ensures:
+ *	'rdataset' is a valid, associated, question rdataset.
+ */
+
+void
+dns_rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target);
+/*
+ * Make 'target' refer to the same rdataset as 'source'.
+ *
+ * Requires:
+ *	'source' is a valid, associated rdataset.
+ *
+ *	'target' is a valid, dissociated rdataset.
+ *
+ * Ensures:
+ *	'target' references the same rdataset as 'source.
+ */
+
+unsigned int
+dns_rdataset_count(dns_rdataset_t *rdataset);
+/*
+ * Return the number of records in 'rdataset'.
+ *
+ * Requires:
+ *	'rdataset' is a valid, associated rdataset.
+ *
+ * Returns:
+ *	The number of records in 'rdataset'.	
+ */
+
+isc_result_t
+dns_rdataset_first(dns_rdataset_t *rdataset);
+/*
+ * Move the rdata cursor to the first rdata in the rdataset (if any).
+ *
+ * Requires:
+ *	'rdataset' is a valid, associated rdataset.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMORE			There are no rdata in the set.
+ */
+
+isc_result_t
+dns_rdataset_next(dns_rdataset_t *rdataset);
+/*
+ * Move the rdata cursor to the next rdata in the rdataset (if any).
+ *
+ * Requires:
+ *	'rdataset' is a valid, associated rdataset.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMORE			There are no more rdata in the set.
+ */
+
+void
+dns_rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
+/*
+ * Make 'rdata' refer to the current rdata.
+ *
+ * Requires:
+ *	'rdataset' is a valid, associated rdataset.
+ *
+ *	The rdata cursor of 'rdataset' is at a valid location (i.e. the
+ *	result of last call to a cursor movement command was DNS_R_SUCCESS).
+ *
+ * Ensures:
+ *	'rdata' refers to the rdata at the rdata cursor location of
+ *	'rdataset'.
+ */
+
+isc_result_t
+dns_rdataset_totext(dns_rdataset_t *rdataset,
+		    dns_name_t *owner_name,
+		    isc_boolean_t omit_final_dot,
+		    isc_boolean_t no_rdata_or_ttl,
+		    isc_buffer_t *target);
+/*
+ * Convert 'rdataset' to text format, storing the result in 'target'.
+ *
+ * Notes:
+ *	The rdata cursor position will be changed.
+ *
+ *	The no_rdata_or_ttl should normally be ISC_FALSE.  If it is ISC_TRUE
+ *	the ttl and rdata fields are not printed.  This is mainly for use
+ *	in the question section.
+ *
+ *	XXX may need to add 'origin' parameter if we go with that in rdata.
+ *
+ * Requires:
+ *	'rdataset' is a valid rdataset.
+ *
+ *	'rdataset' is not empty.
+ *
+ * XXX Supply more Requires and Ensures XXX
+ */
+
+isc_result_t
+dns_rdataset_towire(dns_rdataset_t *rdataset,
+		    dns_name_t *owner_name,
+		    dns_compress_t *cctx,
+		    isc_buffer_t *target,
+		    unsigned int *countp);
+/*
+ * Convert 'rdataset' to wire format, compressing names as specified
+ * in 'cctx', and storing the result in 'target'.
+ *
+ * Notes:
+ *	The rdata cursor position will be changed.
+ *
+ *	The number of RRs added to target will be added to *countp.
+ *
+ * Requires:
+ *	'rdataset' is a valid rdataset.
+ *
+ *	'rdataset' is not empty.
+ *
+ *	'countp' is a valid pointer.
+ *
+ * Ensures:
+ *	On a return of DNS_R_SUCCESS, 'target' contains a wire format
+ *	for the data contained in 'rdataset'.  Any error return leaves
+ *	the buffer unchanged.
+ *
+ *	*countp has been incremented by the number of RRs added to
+ *	target.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		- all ok
+ *	DNS_R_NOSPACE		- 'target' doesn't have enough room
+ *
+ *	Any error returned by dns_rdata_towire(), dns_rdataset_next(),
+ *	dns_name_towire().
+ */
+
+isc_result_t
+dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+			    dns_additionaldatafunc_t add, void *arg);
+/*
+ * For each rdata in rdataset, call 'add' for each name and type in the
+ * rdata which is subject to additional section processing.
+ *
+ * Requires:
+ *
+ *	'rdataset' is a valid, non-question rdataset.
+ *
+ *	'add' is a valid dns_additionaldatafunc_t
+ *
+ * Ensures:
+ *
+ *	If successful, dns_rdata_additionaldata() will have been called for
+ *	each rdata in 'rdataset'.
+ *
+ *	If a call to dns_rdata_additionaldata() is not successful, the
+ *	result returned will be the result of dns_rdataset_additionaldata().
+ *
+ * Returns:
+ *
+ *	DNS_R_SUCCESS
+ *
+ *	Any error that dns_rdata_additionaldata() can return.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATASET_H */
diff --git a/lib/dns/include/dns/rdatasetiter.h b/lib/dns/include/dns/rdatasetiter.h
new file mode 100644
index 00000000..6dd677da
--- /dev/null
+++ b/lib/dns/include/dns/rdatasetiter.h
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_RDATASETITER_H
+#define DNS_RDATASETITER_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Rdataset Iterator
+ *
+ * The DNS Rdataset Iterator interface allows iteration of all of the
+ * rdatasets at a node.
+ *
+ * The dns_rdatasetiter_t type is like a "virtual class".  To actually use
+ * it, an implementation of the class is required.  This implementation is
+ * supplied by the database.
+ *
+ * It is the client's responsibility to call dns_rdataset_disassociate() 
+ * on all rdatasets returned.
+ *
+ * XXX <more> XXX
+ *
+ * MP:
+ *	The iterator itself is not locked.  The caller must ensure
+ *	synchronization.
+ *	
+ *	The iterator methods ensure appropriate database locking.
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *	<TBS>
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ *	None.
+ */
+
+/*****
+ ***** Imports
+ *****/
+
+#include <isc/boolean.h>
+#include <isc/buffer.h>
+#include <isc/lang.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+#include <dns/result.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Types
+ *****/
+
+typedef struct dns_rdatasetitermethods {
+	void		(*destroy)(dns_rdatasetiter_t **iteratorp);
+	isc_result_t	(*first)(dns_rdatasetiter_t *iterator);
+	isc_result_t	(*next)(dns_rdatasetiter_t *iterator);
+	void		(*current)(dns_rdatasetiter_t *iterator,
+				   dns_rdataset_t *rdataset);
+} dns_rdatasetitermethods_t;
+
+#define DNS_RDATASETITER_MAGIC		0x444E5369U		/* DNSi. */
+#define DNS_RDATASETITER_VALID(dbi)	((dbi) != NULL && \
+					 (dbi)->magic == \
+					 DNS_RDATASETITER_MAGIC)
+
+/*
+ * This structure is actually just the common prefix of a DNS db
+ * implementation's version of a dns_rdatasetiter_t.
+ *
+ * Direct use of this structure by clients is forbidden.  DB implementations
+ * may change the structure.  'magic' must be DNS_RDATASETITER_MAGIC for
+ * any of the dns_rdatasetiter routines to work.  DB implementations must
+ * maintain all DB rdataset iterator invariants.
+ */
+struct dns_rdatasetiter {
+	/* Unlocked. */
+	unsigned int			magic;
+	dns_rdatasetitermethods_t *	methods;
+	dns_db_t *			db;
+	dns_dbnode_t *			node;
+	dns_dbversion_t *		version;
+	isc_stdtime_t			now;
+};
+
+void
+dns_rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
+/*
+ * Destroy '*iteratorp'.
+ *
+ * Requires:
+ *
+ *	'*iteratorp' is a valid iterator.
+ *
+ * Ensures:
+ *
+ *	All resources used by the iterator are freed.
+ *
+ *	*iteratorp == NULL.
+ */
+
+isc_result_t
+dns_rdatasetiter_first(dns_rdatasetiter_t *iterator);
+/*
+ * Move the rdataset cursor to the first rdataset at the node (if any).
+ *
+ * Requires:
+ *	'iterator' is a valid iterator.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMORE			There are no rdatasets at the node.
+ *
+ *	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_rdatasetiter_next(dns_rdatasetiter_t *iterator);
+/*
+ * Move the rdataset cursor to the next rdataset at the node (if any).
+ *
+ * Requires:
+ *	'iterator' is a valid iterator.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMORE			There are no more rdatasets at the
+ *					node.
+ *
+ *	Other results are possible, depending on the DB implementation.
+ */
+
+void
+dns_rdatasetiter_current(dns_rdatasetiter_t *iterator,
+			 dns_rdataset_t *rdataset);
+/*
+ * Return the current rdataset.
+ *
+ * Requires:
+ *	'iterator' is a valid iterator.
+ *
+ *	'rdataset' is a valid, disassociated rdataset.
+ *
+ *	The rdataset cursor of 'iterator' is at a valid location (i.e. the
+ *	result of last call to a cursor movement command was DNS_R_SUCCESS).
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATASETITER_H */
diff --git a/lib/dns/include/dns/rdataslab.h b/lib/dns/include/dns/rdataslab.h
new file mode 100644
index 00000000..6c9afa86
--- /dev/null
+++ b/lib/dns/include/dns/rdataslab.h
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_RDATASLAB_H
+#define DNS_RDATASLAB_H 1
+
+/*
+ * DNS Rdata Slab
+ *
+ * Implements storage of rdatasets into slabs of memory.
+ *
+ * MP:
+ *	Clients of this module must impose any required synchronization.
+ *
+ * Reliability:
+ *	This module deals with low-level byte streams.  Errors in any of
+ *	the functions are likely to crash the server or corrupt memory.
+ *
+ *	If the caller passes invalid memory references, these functions are
+ *	likely to crash the server or corrupt memory.
+ *
+ * Resources:
+ *	None.
+ *
+ * Security:
+ *	None.
+ *
+ * Standards:
+ *	None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/region.h>
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+			   isc_region_t *region, unsigned int reservelen);
+/*
+ * Slabify a rdataset.  The slab area will be allocated and returned
+ * in 'region'.
+ *
+ * Requires:
+ *	'rdataset' is valid.
+ *
+ * Ensures:
+ *	'region' will have base pointing to the start of allocated memory,
+ *	with the slabified region beginning at region->base + reservelen.
+ *	region->length contains the total length allocated.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		- successful completion
+ *	DNS_R_NOMEM		- no memory.
+ *	<XXX others>
+ */
+
+unsigned int
+dns_rdataslab_size(unsigned char *slab, unsigned int reservelen);
+/*
+ * Return the total size of an rdataslab.
+ *
+ * Requires:
+ *	'slab' points to a slab.
+ *
+ * Returns:
+ *	The number of bytes in the slab, including the reservelen.
+ */
+
+isc_result_t
+dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
+		    unsigned int reservelen, isc_mem_t *mctx,
+		    dns_rdataclass_t rdclass, dns_rdatatype_t type,
+		    isc_boolean_t force, unsigned char **tslabp);
+/*
+ * Merge 'oslab' and 'nslab'.
+ *
+ * XXX
+ */
+
+isc_result_t
+dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
+		       unsigned int reservelen, isc_mem_t *mctx,
+		       dns_rdataclass_t rdclass, dns_rdatatype_t type,
+		       unsigned char **tslabp);
+/*
+ * Subtract 'sslab' from 'mslab'.
+ *
+ * XXX
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATADLAB_H */
diff --git a/lib/dns/include/dns/rdatatype.h b/lib/dns/include/dns/rdatatype.h
new file mode 100644
index 00000000..aa623687
--- /dev/null
+++ b/lib/dns/include/dns/rdatatype.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 1998, 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_RDATATYPE_H
+#define DNS_RDATATYPE_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t dns_rdatatype_fromtext(dns_rdatatype_t *typep,
+				    isc_textregion_t *source);
+/*
+ * Convert the text 'source' refers to into a DNS rdata type.
+ *
+ * Requires:
+ *	'typep' is a valid pointer.
+ *
+ *	'source' is a valid text region.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS			on success
+ *	DNS_R_UNKNOWN			type is unknown
+ *	DNS_R_NOTIMPLEMENTED		type is known, but not implemented
+ */
+
+isc_result_t dns_rdatatype_totext(dns_rdatatype_t type,
+				  isc_buffer_t *target);
+/*
+ * Put a textual representation of type 'type' into 'target'.
+ *
+ * Requires:
+ *	'type' is a valid type.
+ *
+ *	'target' is a valid text buffer.
+ *
+ * Ensures:
+ *	If the result is success:
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS			on success
+ *	DNS_R_NOSPACE			target buffer is too small
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATATYPE_H */
diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
new file mode 100644
index 00000000..ff559d27
--- /dev/null
+++ b/lib/dns/include/dns/resolver.h
@@ -0,0 +1,347 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_RESOLVER_H
+#define DNS_RESOLVER_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Resolver
+ *
+ * XXX <TBS> XXX
+ *
+ * MP:
+ *	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *	<TBS>
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ *	RFCs:	1034, 1035, 2181, <TBS>
+ *	Drafts:	<TBS>
+ */
+
+#include <isc/types.h>
+#include <isc/lang.h>
+#include <isc/event.h>
+#include <isc/socket.h>
+
+#include <dns/types.h>
+#include <dns/name.h>
+#include <dns/fixedname.h>
+#include <dns/result.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * A dns_fetchevent_t is sent when a 'fetch' completes.  Any of 'db',
+ * 'node', 'rdataset', and 'sigrdataset' may be bound.  It is the
+ * receiver's responsibility to detach before freeing the event.
+ *
+ * 'rdataset' and 'sigrdataset' are the values that were supplied when
+ * dns_resolver_createfetch() was called.  They are returned to the
+ * caller so that they may be freed.
+ */
+typedef struct dns_fetchevent {
+	ISC_EVENT_COMMON(struct dns_fetchevent);
+	dns_fetch_t *			fetch;
+	isc_result_t			result;
+	dns_rdatatype_t			qtype;
+	dns_db_t *			db;
+	dns_dbnode_t *			node;
+	dns_rdataset_t *		rdataset;
+	dns_rdataset_t *		sigrdataset;
+	dns_fixedname_t			foundname;
+} dns_fetchevent_t;
+
+/*
+ * Options that modify how a 'fetch' is done.
+ */
+#define DNS_FETCHOPT_TCP		0x01		/* Use TCP. */
+#define DNS_FETCHOPT_UNSHARED		0x02		/* See below. */
+#define DNS_FETCHOPT_RECURSIVE		0x04		/* Set RD? */
+#define DNS_FETCHOPT_NOEDNS0		0x08		/* Do not use EDNS. */
+
+/*
+ * XXXRTH  Should this API be made semi-private?  (I.e.
+ * _dns_resolver_create()).
+ */
+
+isc_result_t
+dns_resolver_create(dns_view_t *view,
+		    isc_taskmgr_t *taskmgr, unsigned int ntasks,
+		    isc_socketmgr_t *socketmgr,
+		    isc_timermgr_t *timermgr,
+		    unsigned int options,
+		    dns_dispatch_t *dispatchv4,
+		    dns_dispatch_t *dispatchv6,
+		    dns_resolver_t **resp);
+/*
+ * Create a resolver.
+ *
+ * Notes:
+ *
+ *	Generally, applications should not create a resolver directly, but
+ *	should instead call dns_view_createresolver().
+ *
+ *	No options are currently defined.
+ *
+ * Requires:
+ *
+ *	'view' is a valid view.
+ *
+ *	'taskmgr' is a valid task manager.
+ *
+ *	'ntasks' > 0.
+ *
+ *	'socketmgr' is a valid socket manager.
+ *
+ *	'timermgr' is a valid timer manager.
+ *
+ *	'dispatchv4' is a valid dispatcher with an IPv4 socket, or is NULL.
+ *
+ *	'dispatchv6' is a valid dispatcher with an IPv6 socket, or is NULL.
+ *
+ *	*resp != NULL && *resp == NULL.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS				On success.
+ *
+ *	Anything else				Failure.
+ */
+
+isc_result_t
+dns_resolver_setforwarders(dns_resolver_t *res,
+			   isc_sockaddrlist_t *forwarders);
+/*
+ * Set the default forwarders to be used by the resolver.
+ *
+ * Requires:
+ *
+ *	'res' is a valid, unfrozen resolver.
+ *
+ *	'forwarders' is a valid nonempty list.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_resolver_setfwdpolicy(dns_resolver_t *res, dns_fwdpolicy_t fwdpolicy);
+/*
+ * Set the default forwarding policy to be used by the resolver.
+ *
+ * Requires:
+ *
+ *	'res' is a valid, unfrozen resolver.
+ *
+ *	'fwdpolicy' is a valid dns_fwdpolicy_t.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS
+ */
+
+void
+dns_resolver_freeze(dns_resolver_t *res);
+/*
+ * Freeze resolver.
+ *
+ * Notes:
+ *
+ *	Certain configuration changes, e.g. setting forwarders,
+ *	cannot be made after the resolver is frozen.  Fetches
+ *	cannot be created until the resolver is frozen.
+ *
+ * Requires:
+ *
+ *	'res' is a valid, unfrozen resolver.
+ *
+ * Ensures:
+ *
+ *	'res' is frozen.
+ */
+
+void
+dns_resolver_prime(dns_resolver_t *res);
+/*
+ * Prime resolver.
+ *
+ * Notes:
+ *
+ *	Resolvers which have a forwarding policy other than dns_fwdpolicy_only
+ *	need to be primed with the root nameservers, otherwise the root
+ *	nameserver hints data may be used indefinitely.  This function requests
+ *	that the resolver start a priming fetch, if it isn't already priming.
+ *
+ * Requires:
+ *
+ *	'res' is a valid, frozen resolver.
+ */
+
+
+void
+dns_resolver_whenshutdown(dns_resolver_t *res, isc_task_t *task,
+			  isc_event_t **eventp);
+/*
+ * Send '*eventp' to 'task' when 'res' has completed shutdown.
+ *
+ * Notes:
+ *
+ *	It is not safe to detach the last reference to 'res' until
+ *	shutdown is complete.
+ *
+ * Requires:
+ *
+ *	'res' is a valid resolver.
+ *
+ *	'task' is a valid task.
+ *
+ *	*eventp is a valid event.
+ *
+ * Ensures:
+ *
+ *	*eventp == NULL.
+ */
+
+void
+dns_resolver_shutdown(dns_resolver_t *res);
+/*
+ * Start the shutdown process for 'res'.
+ *
+ * Notes:
+ *
+ *	This call has no effect if the resolver is already shutting down.
+ *
+ * Requires:
+ *
+ *	'res' is a valid resolver.
+ */
+
+void
+dns_resolver_attach(dns_resolver_t *source, dns_resolver_t **targetp);
+
+void
+dns_resolver_detach(dns_resolver_t **resp);
+
+isc_result_t
+dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
+			 dns_rdatatype_t type,
+			 dns_name_t *domain, dns_rdataset_t *nameservers,
+			 dns_forwarders_t *forwarders,
+			 unsigned int options, isc_task_t *task,
+			 isc_taskaction_t action, void *arg,
+			 dns_rdataset_t *rdataset,
+			 dns_rdataset_t *sigrdataset, 
+			 dns_fetch_t **fetchp);
+/*
+ * Recurse to answer a question.
+ *
+ * Notes:
+ *
+ *	This call starts a query for 'name', type 'type'.
+ *
+ *	XXXRTH  Explain query domain and nameservers.
+ *		'forwarders' is unimplmented, and subject to change when
+ *		we figure out how selective forwarding will work.
+ *
+ *	When the fetch completes (successfully or otherwise), a 
+ *	DNS_EVENT_FETCHDONE event with action 'action' and arg 'arg' will be
+ *	posted to 'task'.
+ *
+ *	The values of 'rdataset' and 'sigrdataset' will be returned in
+ *	the FETCHDONE event.
+ *
+ * Requires:
+ *
+ *	'res' is a valid resolver that has been frozen.
+ *
+ *	'name' is a valid name.
+ *
+ *	'type' is not a meta type other than ANY.
+ *
+ *	'domain' is a valid name or NULL.
+ *
+ *	'nameservers' is a valid NS rdataset (whose owner name is 'domain')
+ *	iff. 'domain' is not NULL.
+ *
+ *	'forwarders' is NULL.
+ *
+ *	'options' contains valid options.
+ *
+ *	'rdataset' is a valid, disassociated rdataset.
+ *
+ *	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
+ *
+ *	fetchp != NULL && *fetchp == NULL.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS					Success
+ *
+ *	Many other values are possible, all of which indicate failure.
+ */
+ 
+
+void
+dns_resolver_cancelfetch(dns_fetch_t *fetch);
+/*
+ * Cancel 'fetch'.
+ *
+ * Notes:
+ *
+ *	If 'fetch' has not completed, post its FETCHDONE event with a
+ *	result code of ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ *	'fetch' is a valid fetch.
+ */
+
+void
+dns_resolver_destroyfetch(dns_fetch_t **fetchp);
+/*
+ * Destroy 'fetch'.
+ *
+ * Requires:
+ *
+ *	'*fetchp' is a valid fetch.
+ *
+ *	The caller has received the FETCHDONE event (either because the
+ *	fetch completed or because dns_resolver_cancelfetch() was called).
+ *
+ * Ensures:
+ *
+ *	*fetchp == NULL.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RESOLVER_H */
diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h
new file mode 100644
index 00000000..db72afe5
--- /dev/null
+++ b/lib/dns/include/dns/result.h
@@ -0,0 +1,139 @@
+/*
+ * Copyright (C) 1998, 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_RESULT_H
+#define DNS_RESULT_H 1
+
+#include <isc/lang.h>
+#include <isc/result.h>
+#include <isc/resultclass.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * XXXRTH  Legacy result codes, to be eliminated before public release.
+ */
+#define DNS_R_SUCCESS			ISC_R_SUCCESS
+#define DNS_R_NOMEMORY			ISC_R_NOMEMORY
+#define DNS_R_NOSPACE			ISC_R_NOSPACE
+#define DNS_R_NOTIMPLEMENTED		ISC_R_NOTIMPLEMENTED
+#define DNS_R_NOMORE			ISC_R_NOMORE
+#define DNS_R_EXISTS			ISC_R_EXISTS
+#define DNS_R_NOTFOUND			ISC_R_NOTFOUND
+#define DNS_R_BADBASE64			ISC_R_BADBASE64
+#define DNS_R_TIMEDOUT			ISC_R_TIMEDOUT
+#define DNS_R_CANCELED			ISC_R_CANCELED
+#define DNS_R_UNEXPECTED		ISC_R_UNEXPECTED
+#define DNS_R_NXRDATASET		DNS_R_NXRRSET
+
+/*
+ * DNS library result codes
+ */
+#define DNS_R_LABELTOOLONG		(ISC_RESULTCLASS_DNS + 0)
+#define DNS_R_BADESCAPE			(ISC_RESULTCLASS_DNS + 1)
+#define DNS_R_BADBITSTRING		(ISC_RESULTCLASS_DNS + 2)
+#define DNS_R_BITSTRINGTOOLONG		(ISC_RESULTCLASS_DNS + 3)
+#define DNS_R_EMPTYLABEL		(ISC_RESULTCLASS_DNS + 4)
+#define DNS_R_BADDOTTEDQUAD		(ISC_RESULTCLASS_DNS + 5)
+#define DNS_R_UNEXPECTEDEND		(ISC_RESULTCLASS_DNS + 6)
+#define DNS_R_UNKNOWN			(ISC_RESULTCLASS_DNS + 7)
+#define DNS_R_BADLABELTYPE		(ISC_RESULTCLASS_DNS + 8)
+#define DNS_R_BADPOINTER		(ISC_RESULTCLASS_DNS + 9)
+#define DNS_R_TOOMANYHOPS		(ISC_RESULTCLASS_DNS + 10)
+#define DNS_R_DISALLOWED		(ISC_RESULTCLASS_DNS + 11)
+#define DNS_R_EXTRATOKEN		(ISC_RESULTCLASS_DNS + 12)
+#define DNS_R_EXTRADATA			(ISC_RESULTCLASS_DNS + 13)
+#define DNS_R_TEXTTOOLONG		(ISC_RESULTCLASS_DNS + 14)
+#define DNS_R_RANGE			(ISC_RESULTCLASS_DNS + 15)
+#define DNS_R_SYNTAX			(ISC_RESULTCLASS_DNS + 16)
+#define DNS_R_BADCKSUM			(ISC_RESULTCLASS_DNS + 17)
+#define DNS_R_BADAAAA			(ISC_RESULTCLASS_DNS + 18)
+#define DNS_R_NOOWNER			(ISC_RESULTCLASS_DNS + 19)
+#define DNS_R_NOTTL			(ISC_RESULTCLASS_DNS + 20)
+#define DNS_R_BADCLASS			(ISC_RESULTCLASS_DNS + 21)
+#define DNS_R_UNEXPECTEDTOKEN		(ISC_RESULTCLASS_DNS + 22)
+#define DNS_R_PARTIALMATCH		(ISC_RESULTCLASS_DNS + 23)
+#define DNS_R_NEWORIGIN			(ISC_RESULTCLASS_DNS + 24)
+#define DNS_R_UNCHANGED			(ISC_RESULTCLASS_DNS + 25)
+#define DNS_R_BADTTL			(ISC_RESULTCLASS_DNS + 26)
+#define DNS_R_NOREDATA			(ISC_RESULTCLASS_DNS + 27)
+#define DNS_R_CONTINUE			(ISC_RESULTCLASS_DNS + 28)
+#define DNS_R_DELEGATION		(ISC_RESULTCLASS_DNS + 29)
+#define DNS_R_GLUE			(ISC_RESULTCLASS_DNS + 30)
+#define DNS_R_DNAME			(ISC_RESULTCLASS_DNS + 31)
+#define DNS_R_CNAME			(ISC_RESULTCLASS_DNS + 32)
+#define DNS_R_BADDB			(ISC_RESULTCLASS_DNS + 33)
+#define DNS_R_ZONECUT			(ISC_RESULTCLASS_DNS + 34)
+#define DNS_R_BADZONE			(ISC_RESULTCLASS_DNS + 35) /* XXX MPA*/
+#define DNS_R_MOREDATA			(ISC_RESULTCLASS_DNS + 36)
+#define DNS_R_UPTODATE			(ISC_RESULTCLASS_DNS + 37)
+#define DNS_R_TSIGVERIFYFAILURE		(ISC_RESULTCLASS_DNS + 38)
+#define DNS_R_TSIGERRORSET		(ISC_RESULTCLASS_DNS + 39)
+#define DNS_R_SIGINVALID		(ISC_RESULTCLASS_DNS + 40)
+#define DNS_R_SIGEXPIRED		(ISC_RESULTCLASS_DNS + 41)
+#define DNS_R_SIGFUTURE			(ISC_RESULTCLASS_DNS + 42)
+#define DNS_R_KEYUNAUTHORIZED		(ISC_RESULTCLASS_DNS + 43)
+#define DNS_R_INVALIDTIME		(ISC_RESULTCLASS_DNS + 44)
+#define DNS_R_EXPECTEDTSIG		(ISC_RESULTCLASS_DNS + 45)
+#define DNS_R_UNEXPECTEDTSIG		(ISC_RESULTCLASS_DNS + 46)
+#define DNS_R_INVALIDTKEY		(ISC_RESULTCLASS_DNS + 47)
+#define DNS_R_HINT			(ISC_RESULTCLASS_DNS + 48)
+#define DNS_R_DROP			(ISC_RESULTCLASS_DNS + 49)
+#define DNS_R_NOTLOADED			(ISC_RESULTCLASS_DNS + 50)
+#define DNS_R_NCACHENXDOMAIN		(ISC_RESULTCLASS_DNS + 51)
+#define DNS_R_NCACHENXRRSET		(ISC_RESULTCLASS_DNS + 52)
+#define DNS_R_WAIT			(ISC_RESULTCLASS_DNS + 53)
+#define DNS_R_NOTVERIFIEDYET		(ISC_RESULTCLASS_DNS + 54)
+#define DNS_R_NOIDENTITY		(ISC_RESULTCLASS_DNS + 55)
+#define DNS_R_NOJOURNAL			(ISC_RESULTCLASS_DNS + 56)
+#define DNS_R_ALIAS			(ISC_RESULTCLASS_DNS + 57)
+
+#define DNS_R_NRESULTS			58	/* Number of results */
+
+/*
+ * DNS wire format rcodes
+ *
+ * By making these their own class we can easily convert them into the
+ * wire-format rcode value simply by masking off the resultclass 
+ */
+#define DNS_R_NOERROR			(ISC_RESULTCLASS_DNSRCODE + 0)
+#define DNS_R_FORMERR			(ISC_RESULTCLASS_DNSRCODE + 1)
+#define DNS_R_SERVFAIL			(ISC_RESULTCLASS_DNSRCODE + 2)
+#define DNS_R_NXDOMAIN			(ISC_RESULTCLASS_DNSRCODE + 3)
+#define DNS_R_NOTIMP			(ISC_RESULTCLASS_DNSRCODE + 4)
+#define DNS_R_REFUSED			(ISC_RESULTCLASS_DNSRCODE + 5)
+#define DNS_R_YXDOMAIN			(ISC_RESULTCLASS_DNSRCODE + 6)
+#define DNS_R_YXRRSET			(ISC_RESULTCLASS_DNSRCODE + 7)
+#define DNS_R_NXRRSET			(ISC_RESULTCLASS_DNSRCODE + 8)
+#define DNS_R_NOTAUTH			(ISC_RESULTCLASS_DNSRCODE + 9)
+#define DNS_R_NOTZONE			(ISC_RESULTCLASS_DNSRCODE + 10)
+#define DNS_R_BADVERS			(ISC_RESULTCLASS_DNSRCODE + 16)
+
+#define DNS_R_NRCODERESULTS		17	/* Number of rcode results */
+
+#define DNS_RESULT_ISRCODE(result) \
+	(ISC_RESULTCLASS_INCLASS(ISC_RESULTCLASS_DNSRCODE, (result)))
+
+char *				dns_result_totext(isc_result_t);
+void				dns_result_register(void);
+dns_rcode_t			dns_result_torcode(isc_result_t result);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RESULT_H */
diff --git a/lib/dns/include/dns/rootns.h b/lib/dns/include/dns/rootns.h
new file mode 100644
index 00000000..87bfa1fb
--- /dev/null
+++ b/lib/dns/include/dns/rootns.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_ROOTNS_H
+#define DNS_ROOTNS_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+#include <isc/result.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+			       const char *filename, dns_db_t **target);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ROOTNS_H */
diff --git a/lib/dns/include/dns/secalg.h b/lib/dns/include/dns/secalg.h
new file mode 100644
index 00000000..30886f14
--- /dev/null
+++ b/lib/dns/include/dns/secalg.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_SECALG_H
+#define DNS_SECALG_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t dns_secalg_fromtext(dns_secalg_t *secalgp,
+				 isc_textregion_t *source);
+/*
+ * Convert the text 'source' refers to into a DNSSEC security algorithm value.
+ * The text may contain either a mnemonic algorithm name or a decimal algorithm
+ * number.
+ *
+ * Requires:
+ *	'secalgp' is a valid pointer.
+ *
+ *	'source' is a valid text region.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS			on success
+ *	DNS_R_UNKNOWN			mnemonic type is unknown
+ *	DNS_R_RANGE			numeric type is out of range
+ */
+
+isc_result_t dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target);
+/*
+ * Put a textual representation of the DNSSEC security algorithm 'secalg'
+ * into 'target'.
+ *
+ * Requires:
+ *	'secalg' is a valid secalg.
+ *
+ *	'target' is a valid text buffer.
+ *
+ * Ensures:
+ *	If the result is success:
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS			on success
+ *	DNS_R_NOSPACE			target buffer is too small
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_SECALG_H */
diff --git a/lib/dns/include/dns/secproto.h b/lib/dns/include/dns/secproto.h
new file mode 100644
index 00000000..4f4e8a3f
--- /dev/null
+++ b/lib/dns/include/dns/secproto.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_SECPROTO_H
+#define DNS_SECPROTO_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t dns_secproto_fromtext(dns_secproto_t *secprotop,
+				   isc_textregion_t *source);
+/*
+ * Convert the text 'source' refers to into a DNSSEC security protocol value.
+ * The text may contain either a mnemonic protocol name or a decimal protocol
+ * number.
+ *
+ * Requires:
+ *	'secprotop' is a valid pointer.
+ *
+ *	'source' is a valid text region.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS			on success
+ *	DNS_R_UNKNOWN			mnemonic type is unknown
+ *	DNS_R_RANGE			numeric type is out of range
+ */
+
+isc_result_t
+dns_secproto_totext(dns_secproto_t secproto, isc_buffer_t *target);
+/*
+ * Put a textual representation of the DNSSEC security protocol 'secproto'
+ * into 'target'.
+ *
+ * Requires:
+ *	'secproto' is a valid secproto.
+ *
+ *	'target' is a valid text buffer.
+ *
+ * Ensures:
+ *	If the result is success:
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS			on success
+ *	DNS_R_NOSPACE			target buffer is too small
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_SECPROTO_H */
diff --git a/lib/dns/include/dns/tcpmsg.h b/lib/dns/include/dns/tcpmsg.h
new file mode 100644
index 00000000..ab94280e
--- /dev/null
+++ b/lib/dns/include/dns/tcpmsg.h
@@ -0,0 +1,139 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_TCPMSG_H
+#define DNS_TCPMSG_H
+
+#include <isc/buffer.h>
+#include <isc/int.h>
+#include <isc/socket.h>
+
+typedef struct {
+	/* private (don't touch!) */
+	unsigned int		magic;
+	isc_uint16_t		size;
+	isc_buffer_t		buffer;
+	unsigned int		maxsize;
+	isc_mem_t	       *mctx;
+	isc_socket_t	       *sock;
+	isc_task_t	       *task;
+	isc_taskaction_t	action;
+	void		       *arg;
+	isc_event_t		event;
+	/* public (read-only) */
+	isc_result_t		result;
+	isc_sockaddr_t		address;
+} dns_tcpmsg_t;
+
+void
+dns_tcpmsg_init(isc_mem_t *mctx, isc_socket_t *sock, dns_tcpmsg_t *tcpmsg);
+/*
+ * Associate a tcp message state with a given memory context and
+ * TCP socket.
+ *
+ * Requires:
+ *
+ *	"mctx" and "sock" be non-NULL and valid types.
+ *
+ *	"sock" be a read/write TCP socket.
+ *
+ *	"tcpmsg" be non-NULL and an uninitialized or invalidated structure.
+ *
+ * Ensures:
+ *
+ *	"tcpmsg" is a valid structure.
+ */
+
+void
+dns_tcpmsg_setmaxsize(dns_tcpmsg_t *tcpmsg, unsigned int maxsize);
+/*
+ * Set the maximum packet size to "maxsize"
+ *
+ * Requires:
+ *
+ *	"tcpmsg" be valid.
+ *
+ *	512 <= "maxsize" <= 65536
+ */
+
+isc_result_t
+dns_tcpmsg_readmessage(dns_tcpmsg_t *tcpmsg,
+		       isc_task_t *task, isc_taskaction_t action, void *arg);
+/*
+ * Schedule an event to be delivered when a DNS message is readable, or
+ * when an error occurs on the socket.
+ *
+ * Requires:
+ *
+ *	"tcpmsg" be valid.
+ *
+ *	"task", "taskaction", and "arg" be valid.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS		-- no error
+ *	Anything that the isc_socket_recv() call can return.  XXXMLG
+ *
+ * Notes:
+ *
+ *	The event delivered is a fully generic event.  It will contain no
+ *	actual data.  The sender will be a pointer to the dns_tcpmsg_t.
+ *	The result code inside that structure should be checked to see
+ *	what the final result was.
+ */
+
+void
+dns_tcpmsg_cancelread(dns_tcpmsg_t *tcpmsg);
+/*
+ * Cancel a readmessage() call.  The event will still be posted with a
+ * CANCELED result code.
+ *
+ * Requires:
+ *
+ *	"tcpmsg" be valid.
+ */
+
+void
+dns_tcpmsg_keepbuffer(dns_tcpmsg_t *tcpmsg, isc_buffer_t *buffer);
+/*
+ * If a dns buffer is to be kept between calls, this function marks the
+ * internal state-machine buffer as invalid, and copies all the contents
+ * of the state into "buffer".
+ *
+ * Requires:
+ *
+ *	"tcpmsg" be valid.
+ *
+ *	"buffer" be non-NULL.
+ */
+
+void
+dns_tcpmsg_invalidate(dns_tcpmsg_t *tcpmsg);
+/*
+ * Clean up all allocated state, and invalidate the structure.
+ *
+ * Requires:
+ *
+ *	"tcpmsg" be valid.
+ *
+ * Ensures:
+ *
+ *	"tcpmsg" is invalidated and disassociated with all memory contexts,
+ *	sockets, etc.
+ */
+
+#endif /* DNS_TCPMSG_H */
diff --git a/lib/dns/include/dns/time.h b/lib/dns/include/dns/time.h
new file mode 100644
index 00000000..12953ff5
--- /dev/null
+++ b/lib/dns/include/dns/time.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_TIME_H
+#define DNS_TIME_H 1
+
+/***
+ ***	Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/int.h>
+#include <isc/buffer.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Functions
+ ***/
+
+isc_result_t dns_time64_fromtext(char *source, isc_int64_t *target);
+/*
+ * Convert a date and time in YYYYMMDDHHMMSS text format at 'source'
+ * into to a 64-bit count of seconds since Jan 1 1970 0:00 GMT.  
+ * Store the count at 'target'.
+ */ 
+
+isc_result_t dns_time32_fromtext(char *source, isc_uint32_t *target);
+/*
+ * Like dns_time64_fromtext, but returns the second count modulo 2^32
+ * as per RFC2535.
+ */
+	
+
+isc_result_t dns_time64_totext(isc_int64_t value, isc_buffer_t *target);
+/*
+ * Convert a 64-bit count of seconds since Jan 1 1970 0:00 GMT into 
+ * a YYYYMMDDHHMMSS text representation and append it to 'target'.
+ */
+
+isc_result_t dns_time32_totext(isc_uint32_t value, isc_buffer_t *target);
+/*
+ * Like dns_time64_totext, but for a 32-bit cyclic time value.
+ * Of those dates whose counts of seconds since Jan 1 1970 0:00 GMT
+ * are congruent with 'value' modulo 2^32, the one closest to the
+ * current date is chosen.
+ */ 
+
+ISC_LANG_ENDDECLS
+
+#endif	/* DNS_TIME_H */
diff --git a/lib/dns/include/dns/tkey.h b/lib/dns/include/dns/tkey.h
new file mode 100644
index 00000000..3ed6b04c
--- /dev/null
+++ b/lib/dns/include/dns/tkey.h
@@ -0,0 +1,178 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_TKEY_H
+#define DNS_TKEY_H 1
+
+#include <isc/types.h>
+#include <isc/lang.h>
+
+#include <dns/types.h>
+#include <dns/name.h>
+
+#include <dst/dst.h>
+
+ISC_LANG_BEGINDECLS
+
+/* Key agreement modes */
+#define DNS_TKEYMODE_SERVERASSIGNED		1
+#define DNS_TKEYMODE_DIFFIEHELLMAN		2
+#define DNS_TKEYMODE_GSSAPI			3
+#define DNS_TKEYMODE_RESOLVERASSIGNED		4
+#define DNS_TKEYMODE_DELETE			5
+
+struct dns_tkey_ctx {
+	dst_key_t *dhkey;
+	dns_name_t *domain;
+	isc_mem_t *mctx;
+};
+
+isc_result_t
+dns_tkeyctx_create(isc_mem_t *mctx, dns_tkey_ctx_t **tctx);
+/*
+ *	Create an empty TKEY context.
+ *
+ * 	Requires:
+ *		'mctx' is not NULL
+ *		'tctx' is not NULL
+ *		'*tctx' is NULL
+ *
+ *	Returns
+ *		ISC_R_SUCCESS
+ *		ISC_R_NOMEMORY
+ *		return codes from dns_name_fromtext()
+ */
+
+void
+dns_tkeyctx_destroy(dns_tkey_ctx_t **tctx);
+/*
+ *      Frees all data associated with the TKEY context
+ *
+ * 	Requires:
+ *		'tctx' is not NULL
+ *		'*tctx' is not NULL
+ */
+
+isc_result_t
+dns_tkey_processquery(dns_message_t *msg, dns_tkey_ctx_t *tctx,
+		      dns_tsig_keyring_t *ring);
+/*
+ *	Processes a query containing a TKEY record, adding or deleting TSIG
+ *	keys if necessary, and modifies the message to contain the response.
+ *
+ *	Requires:
+ *		'msg' is a valid message
+ *		'tctx' is a valid TKEY context
+ *		'ring' is a valid TSIG keyring
+ *
+ *	Returns
+ *		ISC_R_SUCCESS	msg was updated (the TKEY operation succeeded,
+ *				or msg now includes a TKEY with an error set)
+ *		DNS_R_FORMERR	the packet was malformed (missing a TKEY
+ *				or KEY).
+ *		other		An error occurred while processing the message
+ */
+
+isc_result_t
+dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
+		      dns_name_t *algorithm, isc_buffer_t *nonce,
+		      isc_uint32_t lifetime);
+/*
+ *	Builds a query containing a TKEY that will generate a shared
+ *	secret using a Diffie-Hellman key exchange.  The shared key
+ *	will be of the specified algorithm (only DNS_TSIG_HMACMD5_NAME
+ *	is supported), and will be named either 'name',
+ *	'name' + server chosen domain, or random data + server chosen domain
+ *	if 'name' == dns_rootname.  If nonce is not NULL, it supplies
+ *	random data used in the shared secret computation.  The key is
+ *	requested to have the specified lifetime (in seconds)
+ *
+ *
+ *	Requires:
+ *		'msg' is a valid message
+ *		'key' is a valid Diffie Hellman dst key
+ *		'name' is a valid name
+ *		'algorithm' is a valid name
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS	msg was successfully updated to include the
+ *				query to be sent
+ *		other		an error occurred while building the message
+ */
+
+isc_result_t
+dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key);
+/*
+ *	Builds a query containing a TKEY record that will delete the
+ *	specified shared secret from the server.
+ *
+ *	Requires:
+ *		'msg' is a valid message
+ *		'key' is a valid TSIG key
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS	msg was successfully updated to include the
+ *				query to be sent
+ *		other		an error occurred while building the message
+ */
+
+isc_result_t
+dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
+                           dst_key_t *key, isc_buffer_t *nonce,
+			   dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring);
+/*
+ *	Processes a response to a query containing a TKEY that was
+ *	designed to generate a shared secret using a Diffie-Hellman key
+ *	exchange.  If the query was successful, a new shared key
+ *	is created and added to the list of shared keys.
+ *
+ *	Requires:
+ *		'qmsg' is a valid message (the query)
+ *		'rmsg' is a valid message (the response)
+ *		'key' is a valid Diffie Hellman dst key
+ *		'outkey' is either NULL or a pointer to NULL
+ *		'ring' is not NULL
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS	the shared key was successfully added
+ *		ISC_R_NOTFOUND	an error occurred while looking for a
+ *				component of the query or response
+ */
+
+isc_result_t
+dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
+			       dns_tsig_keyring_t *ring);
+/*
+ *	Processes a response to a query containing a TKEY that was
+ *	designed to delete a shared secret.  If the query was successful,
+ *	the shared key is deleted from the list of shared keys.
+ *
+ *	Requires:
+ *		'qmsg' is a valid message (the query)
+ *		'rmsg' is a valid message (the response)
+ *		'ring' is not NULL
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS	the shared key was successfully deleted
+ *		ISC_R_NOTFOUND	an error occurred while looking for a
+ *				component of the query or response
+ */
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TKEY_H */
diff --git a/lib/dns/include/dns/tkeyconf.h b/lib/dns/include/dns/tkeyconf.h
new file mode 100644
index 00000000..16588515
--- /dev/null
+++ b/lib/dns/include/dns/tkeyconf.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_TKEYCONF_H
+#define DNS_TKEYCONF_H 1
+
+#include <isc/types.h>
+#include <isc/lang.h>
+
+#include <dns/tkey.h>
+#include <dns/confctx.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_tkeyctx_fromconfig(dns_c_ctx_t *cfg, isc_mem_t *mctx, dns_tkey_ctx_t **tctxp);
+/*
+ * 	Create a TKEY context and configure it, including the default DH key
+ *	and default domain, according to 'cfg'.
+ *
+ *	Requires:
+ *		'cfg' is a valid configuration context.
+ *		'mctx' is not NULL
+ *		'tctx' is not NULL
+ *		'*tctx' is NULL
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS
+ *		ISC_R_NOMEMORY
+ */
+ 
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TKEYCONF_H */
diff --git a/lib/dns/include/dns/tsig.h b/lib/dns/include/dns/tsig.h
new file mode 100644
index 00000000..30803722
--- /dev/null
+++ b/lib/dns/include/dns/tsig.h
@@ -0,0 +1,208 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_TSIG_H
+#define DNS_TSIG_H 1
+
+#include <isc/types.h>
+#include <isc/lang.h>
+#include <isc/rwlock.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+#include <dns/name.h>
+
+#include <dst/dst.h>
+
+ISC_LANG_BEGINDECLS
+
+/* Standard algorithm */
+#define DNS_TSIG_HMACMD5		"HMAC-MD5.SIG-ALG.REG.INT."
+extern dns_name_t *dns_tsig_hmacmd5_name;
+#define DNS_TSIG_HMACMD5_NAME		dns_tsig_hmacmd5_name
+
+/* Default fudge value. */
+#define DNS_TSIG_FUDGE			300
+
+struct dns_tsig_keyring {
+	ISC_LIST(dns_tsigkey_t) keys;
+	isc_rwlock_t lock;
+	isc_mem_t *mctx;
+}; 
+
+struct dns_tsigkey {
+	/* Unlocked */
+	unsigned int		magic;		/* Magic number. */
+	isc_mem_t		*mctx;
+	dst_key_t		*key;		/* Key */
+	dns_name_t		name;		/* Key name */
+	dns_name_t		algorithm;	/* Algorithm name */
+	dns_name_t		*creator;	/* name that created secret */
+	isc_boolean_t		generated;	/* was this generated? */
+	isc_stdtime_t		inception;	/* start of validity period */
+	isc_stdtime_t		expire;		/* end of validity period */
+	dns_tsig_keyring_t	*ring;		/* the enclosing keyring */
+	isc_mutex_t		lock;
+	/* Locked */
+	isc_boolean_t		deleted;	/* has this been deleted? */
+	isc_uint32_t		refs;		/* reference counter */
+	/* Unlocked */
+	ISC_LINK(dns_tsigkey_t)	link;
+};
+
+#define dns_tsigkey_empty(tsigkey) ((tsigkey)->key == NULL)
+#define dns_tsigkey_identity(tsigkey) \
+	((tsigkey)->generated ? ((tsigkey)->creator) : (&((tsigkey)->name)))
+
+isc_result_t
+dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
+		   unsigned char *secret, int length, isc_boolean_t generated,
+		   dns_name_t *creator, isc_stdtime_t inception,
+		   isc_stdtime_t expire, isc_mem_t *mctx,
+		   dns_tsig_keyring_t *ring, dns_tsigkey_t **key);
+/*
+ *	Creates a tsig key structure and saves it in the keyring.  If key is
+ *	not NULL, *key will contain a copy of the key.  The keys validity
+ *	period is specified by (inception, expire), and will not expire if
+ *	inception == expire.  If the key was generated, the creating identity,
+ *	if there is one, should be in the creator parameter.
+ *
+ *	Requires:
+ *		'name' is a valid dns_name_t
+ *		'algorithm' is a valid dns_name_t
+ *		'secret' is a valid pointer
+ *		'length' is an integer greater than 0
+ *		'creator' points to a valid dns_name_t or is NULL
+ *		'mctx' is a valid memory context
+ *		'ring' is a valid TSIG keyring
+ *		'key' or '*key' must be NULL
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS
+ *		ISC_R_EXISTS - a key with this name already exists
+ *		DNS_R_NOTIMPLEMENTED - algorithm is not implemented
+ *		ISC_R_NOMEMORY
+ */
+
+void
+dns_tsigkey_free(dns_tsigkey_t **key);
+/*
+ *	Frees the tsig key structure pointed to by 'key'.
+ *
+ *	Requires:
+ *		'key' is a valid TSIG key
+ *		'ring' is a valid TSIG keyring containing the key
+ */
+
+void
+dns_tsigkey_setdeleted(dns_tsigkey_t *key);
+/*
+ *	Marks this key as deleted.  It will be deleted when no references exist.
+ *
+ *	Requires:
+ *		'key' is a valid TSIG key
+ */
+
+isc_result_t
+dns_tsig_sign(dns_message_t *msg);
+/*
+ *	Generates a TSIG record for this message
+ *
+ *	Requires:
+ *		'msg' is a valid message
+ *		'msg->tsigkey' is a valid TSIG key
+ *		'msg->tsig' is NULL
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS
+ *		ISC_R_NOMEMORY
+ *		ISC_R_NOSPACE
+ *		DNS_R_EXPECTEDTSIG - this is a response & msg->querytsig is NULL
+ */
+
+isc_result_t
+dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+		dns_tsig_keyring_t *sring, dns_tsig_keyring_t *dring);
+/*
+ *	Verifies the TSIG record in this message
+ *
+ *	Requires:
+ *		'source' is a valid buffer containing the unparsed message
+ *		'msg' is a valid message
+ *		'msg->tsigkey' is a valid TSIG key if this is a response
+ *		'msg->tsig' is NULL
+ *		'msg->querytsig' is not NULL if this is a response
+ *		'sring' is a valid keyring or NULL
+ *		'dring' is a valid keyring or NULL
+ *
+ *	Returns:
+ *		DNS_R_SUCCESS
+ *		ISC_R_NOMEMORY
+ *		DNS_R_EXPECTEDTSIG - A TSIG was expected but not seen
+ *		DNS_R_UNEXPECTEDTSIG - A TSIG was seen but not expected
+ *		DNS_R_TSIGERRORSET - the TSIG verified but ->error was set
+ *				     and this is a query
+ *		DNS_R_TSIGVERIFYFAILURE - the TSIG failed to verify
+ */
+
+isc_result_t
+dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
+		 dns_name_t *algorithm, dns_tsig_keyring_t *ring);
+/*
+ *	Returns the TSIG key corresponding to this name and (possibly)
+ *	algorithm.  Also increments the key's reference counter.
+ *
+ *	Requires:
+ *		'tsigkey' is not NULL
+ *		'*tsigkey' is NULL
+ *		'name' is a valid dns_name_t
+ *		'algorithm' is a valid dns_name_t or NULL
+ *		'ring' is a valid keyring
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS
+ *		ISC_R_NOTFOUND
+ */
+
+
+isc_result_t
+dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ring);
+/*
+ *	Create an empty TSIG key ring.
+ *
+ *	Requires:
+ *		'mctx' is not NULL
+ *		'ring' is not NULL, and '*ring' is NULL
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS
+ *		ISC_R_NOMEMORY
+ */
+
+
+void
+dns_tsigkeyring_destroy(dns_tsig_keyring_t **ring);
+/*
+ *	Destroy a TSIG key ring.
+ *
+ *	Requires:
+ *		'ring' is not NULL
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TSIG_H */
diff --git a/lib/dns/include/dns/tsigconf.h b/lib/dns/include/dns/tsigconf.h
new file mode 100644
index 00000000..c43067f6
--- /dev/null
+++ b/lib/dns/include/dns/tsigconf.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_TSIGCONF_H
+#define DNS_TSIGCONF_H 1
+
+#include <isc/types.h>
+#include <isc/lang.h>
+
+#include <dns/tsig.h>
+#include <dns/confctx.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_tsigkeyring_fromconfig(dns_c_ctx_t *confctx, isc_mem_t *mctx,
+			   dns_tsig_keyring_t **ring);
+/*
+ * Create a TSIG key ring and configure it according to 'confctx'.
+ *
+ *	Requires:
+ *		'confctx' is a valid configuration context.
+ *		'mctx' is not NULL
+ *		'ring' is not NULL, and '*ring' is NULL
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS
+ *		ISC_R_NOMEMORY
+ */
+ 
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TSIGCONF_H */
diff --git a/lib/dns/include/dns/ttl.h b/lib/dns/include/dns/ttl.h
new file mode 100644
index 00000000..0f594b94
--- /dev/null
+++ b/lib/dns/include/dns/ttl.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_TTL_H
+#define DNS_TTL_H 1
+
+/***
+ ***	Imports
+ ***/
+
+#include <isc/types.h>
+#include <isc/buffer.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Functions
+ ***/
+
+isc_result_t
+dns_ttl_totext(isc_uint32_t src, isc_boolean_t verbose,
+	       isc_buffer_t *target);
+/*
+ * Output a TTL or other time interval in a human-readable form.
+ * The time interval is given as a count of seconds in 'src'.
+ * The text representation is appended to 'target'.
+ *
+ * If 'verbose' is ISC_FALSE, use the terse BIND 8 style, like "1w2d3h4m5s".
+ *
+ * If 'verbose' is ISC_TRUE, use a verbose style like the SOA comments 
+ * in "dig", like "1 week 2 days 3 hours 4 minutes 5 seconds".
+ *
+ * Returns:
+ * 	DNS_R_SUCCESS
+ * 	DNS_R_NOSPACE
+ */
+
+isc_result_t
+dns_counter_fromtext(isc_textregion_t *source, isc_uint32_t *ttl);
+/*
+ * Converts a counter from either a plain number or a BIND 8 style value.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_SYNTAX
+ */
+
+isc_result_t
+dns_ttl_fromtext(isc_textregion_t *source, isc_uint32_t *ttl);
+/*
+ * Converts a ttl from either a plain number or a BIND 8 style value.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_BADTTL
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif	/* DNS_MASTER_H */
diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
new file mode 100644
index 00000000..91df5777
--- /dev/null
+++ b/lib/dns/include/dns/types.h
@@ -0,0 +1,228 @@
+/*
+ * Copyright (C) 1998, 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_TYPES_H
+#define DNS_TYPES_H 1
+
+/*
+ * Including this file gives you type declarations suitable for use in
+ * .h files, which lets us avoid circular type reference problems.
+ *
+ * To actually use a type or get declarations of its methods, you must
+ * include the appropriate .h file too.
+ */
+
+#include <isc/types.h>
+#include <isc/lang.h>
+#include <isc/region.h>
+#include <isc/int.h>
+#include <isc/list.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef isc_region_t				dns_label_t;
+typedef struct dns_name				dns_name_t;
+typedef ISC_LIST(dns_name_t)			dns_namelist_t;
+typedef struct dns_fixedname			dns_fixedname_t;
+typedef struct dns_db				dns_db_t;
+typedef void					dns_dbnode_t;
+typedef void					dns_dbload_t;
+typedef void					dns_dbversion_t;
+typedef struct dns_dbiterator			dns_dbiterator_t;
+typedef unsigned char				dns_offsets_t[128];
+typedef struct dns_compress			dns_compress_t;
+typedef struct dns_decompress			dns_decompress_t;
+typedef isc_uint8_t				dns_secalg_t;
+typedef isc_uint8_t				dns_secproto_t;
+typedef isc_uint16_t				dns_keyflags_t;
+typedef isc_uint16_t				dns_rdataclass_t;
+typedef isc_uint16_t				dns_rdatatype_t;
+typedef isc_uint16_t				dns_rcode_t;
+typedef isc_uint16_t				dns_opcode_t;
+typedef isc_uint16_t				dns_cert_t;
+typedef isc_uint32_t				dns_ttl_t;
+typedef struct dns_rdata			dns_rdata_t;
+typedef struct dns_rdatalist			dns_rdatalist_t;
+typedef struct dns_signature			dns_signature_t;
+typedef struct dns_rdataset			dns_rdataset_t;
+typedef ISC_LIST(dns_rdataset_t)		dns_rdatasetlist_t;
+typedef struct dns_rdatasetiter			dns_rdatasetiter_t;
+typedef struct dns_dbtable			dns_dbtable_t;
+typedef struct dns_resolver			dns_resolver_t;
+typedef struct dns_fetch			dns_fetch_t;
+typedef struct dns_adb				dns_adb_t;
+typedef struct dns_adbentry			dns_adbentry_t;
+typedef struct dns_adbaddrinfo			dns_adbaddrinfo_t;
+typedef ISC_LIST(dns_adbaddrinfo_t)		dns_adbaddrinfolist_t;
+typedef struct dns_adbfind			dns_adbfind_t;
+typedef ISC_LIST(dns_adbfind_t)			dns_adbfindlist_t;
+typedef struct dns_forwarders			dns_forwarders_t;
+typedef struct dns_message			dns_message_t;
+typedef isc_uint16_t				dns_messageid_t;
+typedef isc_uint16_t				dns_trust_t;
+typedef struct dns_dispatch			dns_dispatch_t;
+typedef struct dns_dispentry			dns_dispentry_t;
+typedef struct dns_dispatchevent		dns_dispatchevent_t;
+typedef struct dns_tsigkey			dns_tsigkey_t;
+typedef struct dns_tsig_keyring			dns_tsig_keyring_t;
+typedef struct dns_tkey_ctx			dns_tkey_ctx_t;
+typedef struct dns_view				dns_view_t;
+typedef ISC_LIST(dns_view_t)			dns_viewlist_t;
+typedef struct dns_zone				dns_zone_t;
+typedef struct dns_zonemgr			dns_zonemgr_t;
+typedef struct dns_zone_callbackarg		dns_zone_callbackarg_t;
+typedef struct dns_a6context			dns_a6context_t;
+typedef struct dns_rbt				dns_rbt_t;
+typedef struct dns_zt				dns_zt_t;
+typedef struct dns_cache			dns_cache_t;
+typedef struct dns_aclelement 			dns_aclelement_t;
+typedef struct dns_acl 				dns_acl_t;
+typedef struct dns_byaddr			dns_byaddr_t;
+
+typedef enum {
+	dns_labeltype_ordinary = 0,
+	dns_labeltype_bitstring = 1
+} dns_labeltype_t;
+
+typedef enum {
+	dns_bitlabel_0 = 0,
+	dns_bitlabel_1 = 1
+} dns_bitlabel_t;
+
+typedef enum {
+	dns_one_answer, dns_many_answers
+} dns_transfer_format_t;
+
+typedef enum {
+	dns_namereln_none = 0,
+	dns_namereln_contains = 1,
+	dns_namereln_subdomain = 2,
+	dns_namereln_equal = 3,
+	dns_namereln_commonancestor = 4
+} dns_namereln_t;
+
+typedef enum {
+	dns_fwdpolicy_none = 0,
+	dns_fwdpolicy_first = 1,
+	dns_fwdpolicy_only = 2
+} dns_fwdpolicy_t;
+
+#include <dns/enumtype.h>
+
+enum {
+	dns_rdatatype_none = 0,
+	TYPEENUM
+	dns_rdatatype_ixfr = 251,
+	dns_rdatatype_axfr = 252,
+	dns_rdatatype_mailb = 253,
+	dns_rdatatype_maila = 254,
+	dns_rdatatype_any = 255
+};
+
+#include <dns/enumclass.h>
+enum {
+	CLASSENUM
+	dns_rdataclass_ch = 3,
+	dns_rdataclass_none = 254	/* RFC2136 */
+};
+
+/*
+ * rcodes
+ */
+enum {
+	/* standard rcodes */
+	dns_rcode_noerror = 0,
+	dns_rcode_formerr = 1,
+	dns_rcode_servfail = 2,
+	dns_rcode_nxdomain = 3,
+	dns_rcode_notimp = 4,
+	dns_rcode_refused = 5,
+	dns_rcode_yxdomain = 6,
+	dns_rcode_yxrrset = 7,
+	dns_rcode_nxrrset = 8,
+	dns_rcode_notauth = 9,
+	dns_rcode_notzone = 10,
+	/* extended rcodes */
+	dns_rcode_badvers = 16
+};
+
+/*
+ * TSIG errors
+ */
+enum {
+	dns_tsigerror_badsig = 16,
+	dns_tsigerror_badkey = 17,
+	dns_tsigerror_badtime = 18,
+	dns_tsigerror_badmode = 19,
+	dns_tsigerror_badname = 20,
+	dns_tsigerror_badalg = 21
+};
+
+/*
+ * Opcodes
+ */
+enum {
+	dns_opcode_query = 0,
+	dns_opcode_iquery = 1,
+	dns_opcode_status = 2,
+	dns_opcode_notify = 4,
+	dns_opcode_update = 5		/* dynamic update */
+};
+
+/*
+ * Trust levels.
+ */
+enum {
+	dns_trust_none = 0,
+	dns_trust_pending = 1,
+	dns_trust_additional = 2,
+	dns_trust_glue = 3,
+	dns_trust_answer = 4,
+	dns_trust_authauthority = 5,
+	dns_trust_authanswer = 6,
+	dns_trust_secure = 7,
+	dns_trust_authsecure = 8
+};
+
+/*
+ * Name checking severites.
+ */
+typedef enum {
+	dns_severity_ignore,
+	dns_severity_warn,
+	dns_severity_fail
+} dns_severity_t;
+
+/*
+ * Functions.
+ */
+
+typedef isc_result_t
+(*dns_addrdatasetfunc_t)(void *, dns_name_t *, dns_rdataset_t *);
+
+typedef isc_result_t
+(*dns_additionaldatafunc_t)(void *, dns_name_t *, dns_rdatatype_t);
+
+typedef isc_result_t
+(*dns_digestfunc_t)(void *, isc_region_t *);
+
+typedef void
+(*dns_xfrindone_t)(dns_zone_t *, isc_result_t);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TYPES_H */
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
new file mode 100644
index 00000000..8586ac8b
--- /dev/null
+++ b/lib/dns/include/dns/view.h
@@ -0,0 +1,471 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_VIEW_H
+#define DNS_VIEW_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS View
+ *
+ * A "view" is a DNS namespace, together with an optional resolver and a
+ * forwarding policy.  A "DNS namespace" is a (possibly empty) set of
+ * authoritative zones together with an optional cache and optional
+ * "hints" information.
+ *
+ * XXXRTH  Not all of this items can be set currently, but future revisions
+ * of this code will support them.
+ *
+ * Views start out "unfrozen".  In this state, core attributes like
+ * the cache, set of zones, and forwarding policy may be set.  While
+ * "unfrozen", the caller (e.g. nameserver configuration loading
+ * code), must ensure exclusive access to the view.  When the view is
+ * "frozen", the core attributes become immutable, and the view module
+ * will ensure synchronization.  Freezing allows the view's core attributes
+ * to be accessed without locking.
+ *
+ * MP:
+ *	Before the view is frozen, the caller must ensure synchronization.
+ *
+ *	After the view is frozen, the module guarantees appropriate
+ *	synchronization of any data structures it creates and manipulates.
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *	<TBS>
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ * None.  */
+
+#include <isc/types.h>
+#include <isc/lang.h>
+#include <isc/event.h>
+#include <isc/mutex.h>
+#include <isc/rwlock.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+#include <dns/result.h>
+
+ISC_LANG_BEGINDECLS
+
+struct dns_view {
+	/* Unlocked. */
+	unsigned int			magic;
+	isc_mem_t *			mctx;
+	dns_rdataclass_t		rdclass;
+	char *				name;
+	dns_zt_t *			zonetable;
+	dns_resolver_t *		resolver;
+	dns_adb_t *			adb;
+	dns_cache_t *			cache;
+	dns_db_t *			cachedb;
+	dns_db_t *			hints;
+	dns_rbt_t *			secroots;
+	isc_mutex_t			lock;
+	isc_rwlock_t			conflock;
+	isc_boolean_t			frozen;
+	isc_task_t *			task;
+	isc_event_t			resevent;
+	isc_event_t			adbevent;
+	/* Configurable data, locked by conflock. */
+	dns_tsig_keyring_t *		statickeys;
+	dns_tsig_keyring_t *		dynamickeys;
+	/* Locked by lock. */
+	unsigned int			references;
+	unsigned int			attributes;
+	/* Under owner's locking control. */
+	ISC_LINK(struct dns_view)	link;
+};
+
+#define DNS_VIEW_MAGIC			0x56696577	/* View. */
+#define DNS_VIEW_VALID(view)		((view) != NULL && \
+					 (view)->magic == DNS_VIEW_MAGIC)
+
+#define DNS_VIEWATTR_RESSHUTDOWN	0x01
+#define DNS_VIEWATTR_ADBSHUTDOWN	0x02
+
+isc_result_t
+dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+		const char *name, dns_view_t **viewp);
+/*
+ * Create a view.
+ *
+ * Notes:
+ *
+ *	The newly created view has no cache, no resolver, and an empty
+ *	zone table.  The view is not frozen.
+ *
+ * Requires:
+ *
+ *	'mctx' is a valid memory context.
+ *
+ *	'rdclass' is a valid class.
+ *
+ *	'name' is a valid C string.
+ *
+ *	viewp != NULL && *viewp == NULL
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ *
+ *	Other errors are possible.
+ */
+
+void
+dns_view_attach(dns_view_t *source, dns_view_t **targetp);
+/*
+ * Attach '*targetp' to 'source'.
+ *
+ * Requires:
+ *
+ *	'source' is a valid, frozen view.
+ *
+ *	'targetp' points to a NULL dns_view_t *.
+ *
+ * Ensures:
+ *
+ *	*targetp is attached to source.
+ */
+
+void
+dns_view_detach(dns_view_t **viewp);
+/*
+ * Detach '*viewp' from its view.
+ *
+ * Requires:
+ *
+ *	'viewp' points to a valid dns_view_t *.
+ *
+ * Ensures:
+ *
+ *	*viewp is NULL.
+ *
+ *	If '*viewp' is the last reference to the view,
+ *
+ *		All resources used by the view will be freed.
+ */
+
+isc_result_t
+dns_view_createresolver(dns_view_t *view,
+			isc_taskmgr_t *taskmgr, unsigned int ntasks,
+			isc_socketmgr_t *socketmgr,
+			isc_timermgr_t *timermgr,
+			unsigned int options,
+			dns_dispatch_t *dispatchv4,
+			dns_dispatch_t *dispatchv6);
+/*
+ * Create a resolver and address database for the view.
+ *
+ * Requires:
+ *
+ *	'view' is a valid, unfrozen view.
+ *
+ *	'view' does not have a resolver already.
+ *
+ *	The requirements of dns_resolver_create() apply to 'taskmgr',
+ *	'ntasks', 'socketmgr', 'timermgr', 'options', 'dispatchv4', and
+ *	'dispatchv6'.
+ *
+ * Returns:
+ *
+ *     	ISC_R_SUCCESS
+ *
+ *	Any error that dns_resolver_create() can return.
+ */
+
+void
+dns_view_setcache(dns_view_t *view, dns_cache_t *cache);
+/*
+ * Set the view's cache database.
+ *
+ * Requires:
+ *
+ *	'view' is a valid, unfrozen view.
+ *
+ *	'cache' is a valid cache.
+ *
+ * Ensures:
+ *
+ *     	The cache of 'view' is 'cached.
+ *
+ *	If this is not the first call to dns_view_setcache() for this
+ *	view, then previously set cache is detached.
+ */
+
+void
+dns_view_sethints(dns_view_t *view, dns_db_t *hints);
+/*
+ * Set the view's hints database.
+ *
+ * Requires:
+ *
+ *	'view' is a valid, unfrozen view, whose hints database has not been
+ *	set.
+ *
+ *	'hints' is a valid zone database.
+ *
+ * Ensures:
+ *
+ *     	The hints database of 'view' is 'hints'.
+ */
+
+void
+dns_view_setkeyring(dns_view_t *view, dns_tsig_keyring_t *ring);
+/*
+ * Set the view's static TSIG keys
+ *
+ * Requires:
+ *
+ *      'view' is a valid, unfrozen view, whose static TSIG keyring has not
+ *	been set.
+ *
+ *      'ring' is a valid TSIG keyring
+ *
+ * Ensures:
+ *
+ *      The static TSIG keyring of 'view' is 'ring'.
+ */
+
+
+
+
+isc_result_t
+dns_view_addzone(dns_view_t *view, dns_zone_t *zone);
+/*
+ * Add zone 'zone' to 'view'.
+ *
+ * Requires:
+ *
+ *	'view' is a valid, unfrozen view.
+ *
+ *	'zone' is a valid zone.
+ */
+
+void
+dns_view_freeze(dns_view_t *view);
+/*
+ * Freeze view.
+ *
+ * Requires:
+ *
+ *	'view' is a valid, unfrozen view.
+ *
+ * Ensures:
+ *
+ *	'view' is frozen.
+ */
+
+isc_result_t
+dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+	      isc_stdtime_t now, unsigned int options,
+	      isc_boolean_t use_hints, dns_name_t *foundname,
+	      dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+/*
+ * Find an rdataset whose owner name is 'name', and whose type is
+ * 'type'.
+ *
+ * Notes:
+ *
+ *	See the description of dns_db_find() for information about 'options'.
+ *	If the caller sets DNS_DBFIND_GLUEOK, it must ensure that 'name'
+ *	and 'type' are appropriate for glue retrieval.
+ *
+ *	If 'now' is zero, then the current time will be used.
+ *
+ *	If 'use_hints' is ISC_TRUE, and the view has a hints database, then
+ *	it will be searched last.  If the answer is found in the hints
+ *	database, the result code will be DNS_R_HINT.
+ *
+ *	'foundname' must meet the requirements of dns_db_find().
+ *
+ *	If 'sigrdataset' is not NULL, and there is a SIG rdataset which
+ *	covers 'type', then 'sigrdataset' will be bound to it.
+ *
+ * Requires:
+ *
+ *	'view' is a valid, frozen view.
+ *
+ *	'name' is valid name.
+ *
+ *	'type' is a valid dns_rdatatype_t, and is not a meta query type
+ *	(e.g. dns_rdatatype_any), or dns_rdatatype_sig.
+ *
+ *	'foundname' is 
+ *
+ *	'rdataset' is a valid, disassociated rdataset.
+ *
+ *	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
+ *
+ * Ensures:
+ *
+ *	In successful cases, 'rdataset', and possibly 'sigrdataset', are
+ *	bound to the found data.
+ *
+ * Returns:
+ *
+ *	Any result that dns_db_find() can return, with the exception of
+ *	DNS_R_DELEGATION.
+ */
+
+isc_result_t
+dns_view_simplefind(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+		    isc_stdtime_t now, unsigned int options,
+		    isc_boolean_t use_hints,
+		    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+/*
+ * Find an rdataset whose owner name is 'name', and whose type is
+ * 'type'.
+ *
+ * Notes:
+ *
+ *	This routine is appropriate for simple, exact-match queries of the
+ *	view.  'name' must be a canonical name; there is no DNAME or CNAME
+ *	processing.
+ *
+ *	See the description of dns_db_find() for information about 'options'.
+ *	If the caller sets DNS_DBFIND_GLUEOK, it must ensure that 'name'
+ *	and 'type' are appropriate for glue retrieval.
+ *
+ *	If 'now' is zero, then the current time will be used.
+ *
+ *	If 'use_hints' is ISC_TRUE, and the view has a hints database, then
+ *	it will be searched last.  If the answer is found in the hints
+ *	database, the result code will be DNS_R_HINT.
+ *
+ *	If 'sigrdataset' is not NULL, and there is a SIG rdataset which
+ *	covers 'type', then 'sigrdataset' will be bound to it.
+ *
+ * Requires:
+ *
+ *	'view' is a valid, frozen view.
+ *
+ *	'name' is valid name.
+ *
+ *	'type' is a valid dns_rdatatype_t, and is not a meta query type
+ *	(e.g. dns_rdatatype_any), or dns_rdatatype_sig.
+ *
+ *	'rdataset' is a valid, disassociated rdataset.
+ *
+ *	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
+ *
+ * Ensures:
+ *
+ *	In successful cases, 'rdataset', and possibly 'sigrdataset', are
+ *	bound to the found data.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS			Success; result is desired type.
+ *	DNS_R_GLUE			Success; result is glue.
+ *	DNS_R_HINT			Success; result is a hint.
+ *	DNS_R_NCACHENXDOMAIN		Success; result is a ncache entry.
+ *	DNS_R_NCACHENXRRSET		Success; result is a ncache entry.
+ *	DNS_R_NXDOMAIN			The name does not exist.
+ *	DNS_R_NXRRSET			The rrset does not exist.
+ *	ISC_R_NOTFOUND			No matching data found,
+ *					or an error occurred.
+ */
+
+isc_result_t
+dns_view_findzonecut(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
+		     isc_stdtime_t now, unsigned int options,
+		     isc_boolean_t use_hints,
+		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+/*
+ * Find the best known zonecut containing 'name'.
+ *
+ * Notes:
+ *
+ *	If 'now' is zero, then the current time will be used.
+ *
+ *	If 'use_hints' is ISC_TRUE, and the view has a hints database, then
+ *	it will be searched last.
+ *
+ *	If 'sigrdataset' is not NULL, and there is a SIG rdataset which
+ *	covers 'type', then 'sigrdataset' will be bound to it.
+ *
+ * Requires:
+ *
+ *	'view' is a valid, frozen view.
+ *
+ *	'name' is valid name.
+ *
+ *	'rdataset' is a valid, disassociated rdataset.
+ *
+ *	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS				Success.
+ *
+ *	Many other results are possible.
+ */
+
+isc_result_t
+dns_viewlist_find(dns_viewlist_t *list, const char *name,
+		  dns_rdataclass_t rdclass, dns_view_t **viewp);
+/*
+ * XXX
+ */
+
+isc_result_t
+dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zone);
+/*
+ * XXX
+ */
+
+isc_result_t
+dns_view_load(dns_view_t *view, isc_boolean_t stop);
+/*
+ * Load all zones attached to this view.  If 'stop' is ISC_TRUE,
+ * stop on the first error and return it.  If 'stop'
+ * is ISC_FALSE, ignore errors. 
+ *
+ * Requires:
+ *
+ *	'view' is a valid.
+ */
+
+isc_result_t
+dns_view_checksig(dns_view_t *view, isc_buffer_t *source, dns_message_t *msg);
+/*
+ * Verifies the signature of a message.
+ *
+ * Requires:
+ *
+ *	'view' is a valid view.
+ *	'source' is a valid buffer containing the message
+ *	'msg' is a valid message
+ *
+ * Returns:
+ *	see dns_tsig_verify()
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_VIEW_H */
diff --git a/lib/dns/include/dns/xfrin.h b/lib/dns/include/dns/xfrin.h
new file mode 100644
index 00000000..99dfea8d
--- /dev/null
+++ b/lib/dns/include/dns/xfrin.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_XFRIN_H
+#define DNS_XFRIN_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Incoming zone transfers (AXFR + IXFR).
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+typedef struct dns_xfrin_ctx dns_xfrin_ctx_t;
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_xfrin_create(dns_zone_t *zone, isc_sockaddr_t *masteraddr, 
+		 isc_mem_t *mctx, isc_timermgr_t *timermgr,
+		 isc_socketmgr_t *socketmgr, isc_task_t *task,
+		 dns_xfrindone_t done, dns_xfrin_ctx_t **xfrp);
+/*
+ * Attempt to start an incoming zone transfer of 'zone'
+ * from 'masteraddr', creating a dns_xfrin_ctx_t object to 
+ * manage it.  Attach '*xfrp' to the newly created object.
+ *
+ * Iff ISC_R_SUCCESS is returned, '*done' is guaranteed to be
+ * called in the context of 'task', with 'zone' and a result
+ * code as arguments when the transfer finishes. 
+ */
+
+void dns_xfrin_shutdown(dns_xfrin_ctx_t *xfr);
+/*
+ * If the zone transfer 'xfr' has already finished,
+ * do nothing.  Otherwise, abort it and cause it to call
+ * its done callback with a status of ISC_R_CANCELLED.
+ */
+
+void dns_xfrin_detach(dns_xfrin_ctx_t **xfrp);
+/*
+ * Detach a reference to a zone transfer object.  
+ *
+ * (Because there is no attach() method, there can currently 
+ * only be one reference).
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_XFRIN_H */
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
new file mode 100644
index 00000000..5f8e2390
--- /dev/null
+++ b/lib/dns/include/dns/zone.h
@@ -0,0 +1,843 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef DNS_ZONE_H
+#define DNS_ZONE_H 1
+
+/***
+ ***	Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/rwlock.h>
+#include <isc/sockaddr.h>
+#include <isc/types.h>
+
+#include <dns/types.h>
+#include <dns/result.h>
+#include <dns/name.h>
+#include <dns/fixedname.h>
+#include <dns/rdataset.h>
+#include <dns/callbacks.h>
+
+typedef enum {
+	dns_zone_none,
+	dns_zone_master,
+	dns_zone_slave,
+	dns_zone_hint,
+	dns_zone_stub,
+	dns_zone_cache,
+	dns_zone_forward
+} dns_zonetype_t;
+
+#define DNS_ZONE_O_SERVERS	0x00000001U	/* perform server checks */
+#define DNS_ZONE_O_PARENTS	0x00000002U	/* perform parent checks */
+#define DNS_ZONE_O_CHILDREN	0x00000004U	/* perform child checks */
+#define DNS_ZONE_O_DIALUP	0x00000008U	/* zone xfr over dialup link */
+#define DNS_ZONE_O_NOTIFY	0x00000010U	/* perform NOTIFY */
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Functions
+ ***/
+
+isc_result_t dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx);
+
+/*
+ *	Creates a new empty zone and attach to it.
+ *
+ * Requires:
+ *	'zonep' to point to a NULL pointer.
+ *	'mctx' to be a valid memory context.
+ *
+ * Ensures:
+ *	'*zonep' refers to a valid zone.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMEMORY
+ *	DNS_R_UNEXPECTED
+ */
+
+void dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass);
+/*
+ *	Sets the class of a zone.  This operation can only be performed
+ *	once on a zone.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ *	dns_zone_setclass() not to have been called since the zone was
+ *	initalised.
+ *	'rdclass' != dns_rdataclass_none.
+ */	
+
+dns_rdataclass_t dns_zone_getclass(dns_zone_t *zone);
+/*
+ *	Returns the current zone class.
+ *
+ * Requires:
+ *	'zone' to be a valid initalised zone.
+ */
+
+void dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type);
+/*
+ *	Sets the zone type. This operation can only be performed once on
+ *	a zone.
+ *
+ * Requires:
+ *	'zone' to be a valid initalised zone.
+ *	dns_zone_settype() not to have been called since the zone was
+ *	initalised.
+ *	'type' != dns_zone_none
+ */
+
+isc_result_t dns_zone_setorigin(dns_zone_t *zone, dns_name_t *origin);
+/*
+ *	Sets the zones origin to 'origin'.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ *	'origin' to be non NULL.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ * 	ISC_R_NOMEMORY
+ */
+
+dns_name_t * dns_zone_getorigin(dns_zone_t *zone);
+/*
+ *	Returns the value of the origin.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ */
+
+isc_result_t dns_zone_setdatabase(dns_zone_t *zone, const char *database);
+/*
+ *	Sets the name of the database to be loaded. 
+ *	For databases loaded from MASTER files this corresponds to the
+ *	file name of the MASTER file.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ *	'database' to be non NULL.
+ *
+ * Returns:
+ *	DNS_R_NOMEMORY
+ *	DNS_R_SUCCESS
+ */
+
+isc_result_t dns_zone_load(dns_zone_t *zone);
+/*
+ *	Cause the database to be loaded from its backing store.
+ *	Confirm that the mimimum requirements for the zone type are
+ *	met, otherwise DNS_R_BADZONE is return.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ *
+ * Returns:
+ *	DNS_R_UNEXPECTED
+ *	DNS_R_SUCCESS
+ *	DNS_R_BADZONE
+ *	Any result value from dns_db_load().
+ */
+
+void dns_zone_checkservers(dns_zone_t *zone);
+/*
+ *	Initiate a consistancy check of the zones servers.
+ *	XXX MPA to be implemented.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ */
+
+void dns_zone_checkparents(dns_zone_t *zone);
+/*
+ *	Initiate a consistancy check of the zone and the parent zone servers.
+ *	XXX MPA to be implemented.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ */
+
+void dns_zone_checkchildren(dns_zone_t *zone);
+/*
+ *	Initiate a consistancy check of the child delegations from this zone.
+ *	XXX MPA to be implemented.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ */
+
+void dns_zone_checkglue(dns_zone_t *zone);
+/*
+ *	Initiate a consistancy check of the glue records in this zone.
+ *	XXX MPA to be implemented.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ */
+
+void dns_zone_attach(dns_zone_t *source, dns_zone_t **target);
+/*
+ *	Attach 'zone' to 'target'.  Increment reference count.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ *	'target' to be non NULL and '*target' to be NULL.
+ */
+
+void dns_zone_detach(dns_zone_t **zonep);
+/*
+ *	Detach the current zone.  If this is the last reference to the
+ *	zone it will be destroyed.
+ *
+ * Require:
+ *	'zonep' to point to a valid initalised zone.
+ */
+
+void dns_zone_setflag(dns_zone_t *zone, unsigned int flags,
+		      isc_boolean_t value);
+/*
+ *	Sets ('value' == 'ISC_TRUE') / clears ('value' == 'IS_FALSE')
+ *	zone flags.  Valid flag bits are DNS_ZONE_F_*.
+ *
+ * Requires
+ *	'zone' to be a valid initalised zone.
+ */
+
+isc_result_t dns_zone_adddbarg(dns_zone_t *zone, char *arg);
+/*
+ *	Add 'arg' to the end of the list of database arguements.
+ *	No attempt in made to validate the arguements.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ *	'arg' to be non NULL.
+ *
+ * Returns:
+ *	DNS_R_NOMEMORY
+ *	DNS_R_SUCCESS
+ */
+
+void dns_zone_cleardbargs(dns_zone_t *zone);
+/*
+ *	Clear all database arguements.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ */
+
+isc_result_t dns_zone_getdb(dns_zone_t *zone, dns_db_t **dbp);
+/*
+ * 	Attach the database to '*dbp' if it exists otherwise
+ *	return DNS_R_NOTLOADED.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ *	'dbp' to be != NULL && '*dbp' == NULL.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOTLOADED
+ */
+
+isc_result_t dns_zone_setdbtype(dns_zone_t *zone, char *db_type);
+/*
+ *	Sets the database type. Current database types are: "rbt", "rbt64".
+ *	'db_type' is not checked to see if it is a valid database type. 
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ *	'database' to be non NULL.
+ *
+ * Returns:
+ *	DNS_R_NOMEMORY
+ *	DNS_R_SUCCESS
+ */
+
+void dns_zone_validate(dns_zone_t *zone);
+
+	/* XXX MPA */
+
+void dns_zone_expire(dns_zone_t *zone);
+/*
+ *	Mark the zone as expired.  If the zone requires dumping cause it to
+ *	be initiated.  Set the refresh and retry intervals to there default
+ *	values and unload the zone.
+ *
+ * Require
+ *	'zone' to be a valid initalised zone.
+ */
+
+void dns_zone_refresh(dns_zone_t *zone);
+/*
+ *	Initiate zone up to date checks.  The zone must already be being
+ *	managed.
+ *
+ * Require
+ *	'zone' to be a valid initalised zone.
+ */
+
+isc_result_t dns_zone_dump(dns_zone_t *zone);
+/*
+ *	Write the zone to database.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ */
+
+isc_result_t dns_zone_dumptostream(dns_zone_t *zone, FILE *fd);
+/*
+ *	Write the zone to stream 'fd'.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ *	'fd' to be a stream open for writing.
+ */
+
+void dns_zone_maintenance(dns_zone_t *zone);
+/*
+ *	Perform regular maintenace on the zone.  This is called as a
+ *	result of a zone being managed.
+ *
+ * Require
+ *	'zone' to be a valid initalised zone.
+ */
+
+void dns_zone_clearmasters(dns_zone_t *zone);
+/*
+ *	Clear the set of master servers the zone transfers from.
+ *
+ * Require
+ *	'zone' to be a valid initalised zone.
+ */
+
+isc_result_t dns_zone_addmaster(dns_zone_t *zone, isc_sockaddr_t *master);
+/*
+ *	Add a master server to the end of the set of master servers for
+ *	the zone.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ *	'master' to be non NULL.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMEMORY
+ */
+
+void dns_zone_clearnotify(dns_zone_t *zone);
+/*
+ *	Clear the set of additional servers to be notified when the zone
+ *	changes.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ */
+
+isc_result_t dns_zone_addnotify(dns_zone_t *zone, isc_sockaddr_t *notify);
+/*
+ *	Add a server to the end of the list of additional servers to be
+ *	notified when a zone changes.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ *	'notify' to be non NULL.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMEMORY
+ */
+
+void dns_zone_unmount(dns_zone_t *zone);
+	/* XXX MPA */
+
+void dns_zone_unload(dns_zone_t *zone);
+/*
+ *	detach the database from the zone structure.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ */
+
+void dns_zone_setoption(dns_zone_t *zone, unsigned int option,
+		        isc_boolean_t value);
+/*
+ *	Set given options on ('value' == ISC_TRUE) or off ('value' ==
+ *	ISC_FALSE).
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ */
+
+void dns_zone_clearoption(dns_zone_t *zone, unsigned int option);
+/*
+ *	Clear the given options from the zone and allow system wide value
+ *	to be used.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ */
+
+void dns_zone_getoptions(dns_zone_t *zone, unsigned int *options,
+			 unsigned int *optionsmask);
+/*
+ *	Return which options a set ('options') and which are active
+ *	('optionsmask').
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ *	'options' to be non NULL.
+ *	'optionsmask' to be non NULL.
+ */
+
+void dns_zone_setrefresh(dns_zone_t *zone, isc_uint32_t refresh,
+			 isc_uint32_t retry);
+/*
+ *	Set the refresh and retry values.  Normally this are set as a
+ *	result of loading the zone (dns_zone_load).
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ */
+
+isc_result_t
+dns_zone_setxfrsource4(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
+/*
+ * 	Set the source address to be used in IPv4 zone transfers.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ *	'xfrsource' to contain the address.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ */
+
+isc_sockaddr_t *
+dns_zone_getxfrsource4(dns_zone_t *zone);
+/*
+ *	Returns the source address set by a previous dns_zone_setxfrsource4
+ *	call, or the default of inaddr_any, port 0.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ */
+
+isc_result_t
+dns_zone_setxfrsource6(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
+/*
+ * 	Set the source address to be used in IPv6 zone transfers.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ *	'xfrsource' to contain the address.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ */
+
+isc_sockaddr_t *
+dns_zone_getxfrsource6(dns_zone_t *zone);
+/*
+ *	Returns the source address set by a previous dns_zone_setxfrsource6
+ *	call, or the default of in6addr_any, port 0.
+ *
+ * Require:
+ *	'zone' to be a valid initalised zone.
+ */
+
+void dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl);
+/*
+ *	Sets the query acl list for the zone.
+ *
+ * Require:
+ *	'zone' to be initalised.
+ *	'acl' to be initalised.
+ */
+
+void dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl);
+/*
+ *	Sets the update acl list for the zone.
+ *
+ * Require:
+ *	'zone' to be initalised.
+ *	'acl' to be initalised.
+ */
+
+void dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl);
+/*
+ *	Sets the transfer acl list for the zone.
+ *
+ * Require:
+ *	'zone' to be initalised.
+ *	'acl' to be initalised.
+ */
+
+dns_acl_t * dns_zone_getqueryacl(dns_zone_t *zone);
+/*
+ * 	Returns the current query acl or NULL.
+ *
+ * Require:
+ *	'zone' to be initalised.
+ *
+ * Returns:
+ *	acl a pointer to the acl.
+ *	NULL
+ */
+
+dns_acl_t * dns_zone_getupdateacl(dns_zone_t *zone);
+/*
+ * 	Returns the current update acl or NULL.
+ *
+ * Require:
+ *	'zone' to be initalised.
+ *
+ * Returns:
+ *	acl a pointer to the acl.
+ *	NULL
+ */
+
+dns_acl_t * dns_zone_getxfracl(dns_zone_t *zone);
+/*
+ * 	Returns the current transfer acl or NULL.
+ *
+ * Require:
+ *	'zone' to be initalised.
+ *
+ * Returns:
+ *	acl a pointer to the acl.
+ *	NULL
+ */
+
+void dns_zone_clearupdateacl(dns_zone_t *zone);
+/*
+ *	Clear the current update acl.
+ *
+ * Require:
+ *	'zone' to be initalised.
+ */
+
+void dns_zone_clearqueryacl(dns_zone_t *zone);
+/*
+ *	Clear the current query acl.
+ *
+ * Require:
+ *	'zone' to be initalised.
+ */
+
+void dns_zone_clearxfracl(dns_zone_t *zone);
+/*
+ *	Clear the current transfer acl.
+ *
+ * Require:
+ *	'zone' to be initalised.
+ */
+
+void dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity);
+/*
+ * 	Set the severity of name checking when loading a zone.
+ *
+ * Require:
+ *      'zone' to be initalised.
+ */
+
+dns_severity_t dns_zone_getchecknames(dns_zone_t *zone);
+/*
+ *	Return the current severity of name checking.
+ *
+ * Require:
+ *	'zone' to be initalised.
+ */
+
+void dns_zone_setjournalsize(dns_zone_t *zone, isc_int32_t size);
+isc_int32_t dns_zone_getjournalsize(dns_zone_t *zone);
+
+void dns_zone_setmasterport(dns_zone_t *zone,  isc_uint16_t port);
+isc_uint16_t dns_zone_getmasterport(dns_zone_t *zone);
+
+void dns_zone_setresolver(dns_zone_t *zone, dns_resolver_t *resolver);
+
+isc_result_t dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
+				dns_message_t *msg);
+
+void
+dns_zone_setmaxxfrin(dns_zone_t *zone, isc_uint32_t maxxfrin);
+/*
+ * Set the maximum time (in seconds) that a zone transfer in (AXFR/IXFR)
+ * of this zone will use before being aborted.
+ *
+ * Requires:
+ * 	'zone' to be valid initialised zone.
+ *	'xfrtime' to be non zero.
+ */
+
+isc_uint32_t dns_zone_getmaxxfrin(dns_zone_t *zone);
+/*
+ * Returns the maximum transfer time for this zone.  This will be
+ * either the value set by the last call to dns_zone_setmaxxfrin() or
+ * the default value of 1 hour.
+ *
+ * Requires:
+ *	'zone' to be valid initialised zone.
+ */
+
+void
+dns_zone_setmaxxfrout(dns_zone_t *zone, isc_uint32_t maxxfrout);
+/*
+ * Set the maximum time (in seconds) that a zone transfer out (AXFR/IXFR)
+ * of this zone will use before being aborted.
+ *
+ * Requires:
+ * 	'zone' to be valid initialised zone.
+ *	'xfrtime' to be non zero.
+ */
+
+isc_uint32_t dns_zone_getmaxxfrout(dns_zone_t *zone);
+/*
+ * Returns the maximum transfer time for this zone.  This will be
+ * either the value set by the last call to dns_zone_setmaxxfrout() or
+ * the default value of 1 hour.
+ *
+ * Requires:
+ *	'zone' to be valid initialised zone.
+ */
+
+isc_result_t dns_zone_setjournal(dns_zone_t *zone, const char *journal);
+
+/*
+ * Sets the filename used for journaling updates / IXFR transfers.
+ * The default journal name is set by dns_zone_setdatabase() to be
+ * "database.jnl".
+ *
+ * Requires:
+ *	'zone' to be initalised.
+ *	'journal' to be non NULL.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_NOMEMORY 
+ */
+
+char * dns_zone_getjournal(dns_zone_t *zone);
+
+/*
+ * Returns the journal name associated with this zone.
+ * If not journal has been set this will be NULL.
+ *
+ * Requires:
+ *	'zone' to be valid initialised zone.
+ */
+
+dns_zonetype_t dns_zone_gettype(dns_zone_t *zone);
+/*
+ * Returns the type of the zone (master/slave/etc.)
+ *
+ * Requires:
+ *	'zone' to be valid initialised zone.
+ */
+
+void
+dns_zone_settask(dns_zone_t *zone, isc_task_t *task);
+/*
+ * Give a zone a task to work with.  Any current task will be detached.
+ *
+ * Requires:
+ *	'zone' to be valid.
+ *	'task' to be valid.
+ */
+
+void
+dns_zone_gettask(dns_zone_t *zone, isc_task_t **target);
+/*
+ * Attach the zone's task to '*target'.
+ *
+ * Requires:
+ *	'zone' to be valid initialised zone.
+ *	'zone' to have a task.
+ *	'target' to be != NULL && '*target' == NULL.
+ */
+
+const char *dns_zone_getdatabase(dns_zone_t *zone);
+/*
+ * Gets the name of the database.  For databases loaded from
+ * master files, this corresponds to the file name of the master file.
+ *
+ * Requires:
+ *	'zone' to be valid initialised zone.
+ */
+
+void dns_zone_notify(dns_zone_t *zone);
+/*
+ * Generate notify events for this zone.
+ *
+ * Requires:
+ *	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db,
+                   isc_boolean_t dump);
+/*
+ * Replace the database of "zone" with a new database "db".
+ *
+ * If "dump" is ISC_TRUE, then the new zone contents are dumped
+ * into to the zone's master file for persistence.  When replacing
+ * a zone database by one just loaded from a master file, set
+ * "dump" to ISC_FALSE to avoid a redunant redump of the data just
+ * loaded.  Otherwise, it should be set to ISC_TRUE.
+ *
+ * If the "diff-on-reload" option is enabled in the configuration file,
+ * the differences between the old and the new database are added to the
+ * journal file, and the master file dump is postponed.
+ *
+ * Requires:
+ *	'zone' to be a valid zone.
+ */
+
+isc_boolean_t
+dns_zone_equal(dns_zone_t *oldzone, dns_zone_t *newzone);
+
+/*
+ * Tests whether the configuration of two zones is equal.
+ * Zone contents and state information is not tested.
+ *
+ * Requires:
+ *	'oldzone' and 'newzone' to be valid.
+ *
+ * Returns:
+ *	ISC_TRUE if the configurations are equal.
+ *	ISC_FALSE if the configurations differ.
+ */
+
+isc_uint32_t
+dns_zone_getidlein(dns_zone_t *zone);
+/*
+ * Requires 'zone' to be valid.
+ *
+ * Returns:
+ *	number of seconds of idle time before we abort the transfer in.
+ */
+
+void
+dns_zone_setidlein(dns_zone_t *zone, isc_uint32_t idlein);
+/*
+ *	Set the idle timeout for transfer the.
+ *	Zero set the default value, 1 hour.
+ *
+ * Requires 'zone' to be valid.
+ */
+
+isc_uint32_t
+dns_zone_getidleout(dns_zone_t *zone);
+/*
+ * Requires 'zone' to be valid.
+ *
+ * Returns:
+ *	number of seconds of idle time before we abort a transfer out.
+ */
+
+void
+dns_zone_setidleout(dns_zone_t *zone, isc_uint32_t idleout);
+/*
+ *	Set the idle timeout for transfers out.
+ *	Zero set the default value, 1 hour.
+ *
+ * Requires 'zone' to be valid.
+ */
+
+void
+dns_zone_print(dns_zone_t *zone);
+/*
+ * test use only
+ */
+
+isc_mem_t *
+dns_zone_getmctx(dns_zone_t *zone);
+/*
+ * Get the memory context of a zone.
+ */
+
+isc_result_t
+dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+		   isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
+		   dns_zonemgr_t **zmgrp);
+/*
+ * Create a zone manager.
+ *
+ * Requires:
+ *	'mctx' to be a valid memory context.
+ *	'taskmgr' to be a valid task manager.
+ *	'timermgr' to be a valid timer manager.
+ *	'zmgrp'	to point to a NULL pointer.
+ */
+
+isc_result_t
+dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone);
+/*
+ *	Bring the zone under control of a zone manager.
+ *
+ * Require:
+ *	'zmgr' to be a valid zone manager.
+ *	'zone' to be a valid initalised zone.
+ */
+
+isc_result_t
+dns_zonemgr_forcemaint(dns_zonemgr_t *zmgr);
+/*
+ * Force zone maintenance of all zones managed by 'zmgr' at its
+ * earliest conveniene.
+ */
+
+void
+dns_zonemgr_shutdown(dns_zonemgr_t *zmgr);
+/*
+ * Shut down and detach the task of the zone manager.
+ */
+
+void
+dns_zonemgr_destroy(dns_zonemgr_t **zmgrp);
+/*
+ * Destroy a zone manager.
+ *
+ * Requires:
+ *	'*zmgrp' is a valid, non-NULL zone manager pointer.
+ * Ensures:
+ *	'*zmgrp' is NULL.
+ */
+
+void
+dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone);
+
+void
+dns_zonemgr_lockconf(dns_zonemgr_t *zmgr, isc_rwlocktype_t type);
+
+void
+dns_zonemgr_unlockconf(dns_zonemgr_t *zmgr, isc_rwlocktype_t type);
+
+void
+dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, int value);
+
+int
+dns_zonemgr_getttransfersin(dns_zonemgr_t *zmgr);
+
+ISC_LANG_ENDDECLS
+
+#endif	/* DNS_ZONE_H */
diff --git a/lib/dns/include/dns/zoneconf.h b/lib/dns/include/dns/zoneconf.h
new file mode 100644
index 00000000..c920b7f0
--- /dev/null
+++ b/lib/dns/include/dns/zoneconf.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef NS_ZONECONF_H
+#define NS_ZONECONF_H 1
+
+#include <isc/log.h>
+#include <isc/types.h>
+
+#include <dns/acl.h>
+#include <dns/confacl.h>
+#include <dns/confip.h>
+
+/*
+ * Create a dns_acl_t from the corresponding configuration data structure,
+ * 'caml'.  References to named ACLs in caml are resolved against the ACL
+ * table in 'cctx'.
+ */
+
+isc_result_t dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
+				dns_c_zone_t *czone, dns_zone_t *zone);
+/*
+ * Configure or reconfigure a zone according to the named.conf
+ * data in 'cctx' and 'czone'.
+ *
+ * The zone origin is not configured, it is assumed to have been set
+ * at zone creation time.
+ *
+ * Require:
+ *	'lctx' to be initalised or NULL.
+ *	'cctx' to be initalised or NULL.
+ *	'ac' to point to an initialized ns_aclconfctx_t.
+ *	'czone' to be initalised.
+ *	'zone' to be initalised.
+ */
+
+isc_boolean_t
+dns_zone_reusable(dns_zone_t *zone, dns_c_zone_t *czone);
+/*
+ * If 'zone' can be safely reconfigured according to the configuration
+ * data in 'czone', return ISC_TRUE.  If the configuration data is so
+ * different from the current zone state that the zone needs to be destroyed
+ * and recreated, return ISC_FALSE.
+ */
+
+isc_result_t
+dns_zonemgr_configure(dns_c_ctx_t *cctx, dns_zonemgr_t *zonemgr);
+/*
+ * Configure the zone manager according to the named.conf data
+ * in 'cctx'.
+ */
+ISC_LANG_ENDDECLS
+
+#endif /* NS_ZONECONF_H */
diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
new file mode 100644
index 00000000..c42266a6
--- /dev/null
+++ b/lib/dns/include/dns/zt.h
@@ -0,0 +1,156 @@
+/*
+ * Copyright (C) 1999, 2000  Internet Software Consortium.
+ * 
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef	DNS_ZT_H
+#define DNS_ZT_H
+
+#include <isc/lang.h>
+
+#include <isc/mem.h>
+#include <dns/name.h>
+#include <dns/types.h>
+#include <dns/rbt.h>
+
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+			   dns_zt_t **zt);
+/*
+ * Creates a new zone table.
+ *
+ * Requires:
+ * 	'mctx' to be initalised.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS on success.
+ *	DNS_R_NOMEMORY
+ */
+
+isc_result_t dns_zt_mount(dns_zt_t *zt, dns_zone_t *zone);
+
+/*
+ * Mounts the zone on the zone table.
+ *
+ * Requires:
+ *	'zt' to be valid
+ *	'zone' to be valid
+ *
+ * Returns:
+ *	DNS_R_SUCCESS
+ *	DNS_R_EXISTS
+ *	DNS_R_NOSPACE
+ *	DNS_R_NOMEMORY
+ */
+
+isc_result_t dns_zt_unmount(dns_zt_t *zt, dns_zone_t *zone);
+
+/*
+ * Unmount the given zone from the table.
+ *
+ * Requires:
+ * 	'zt' to be valid
+ *	'zone' to be valid
+ *
+ * Returns:
+ * 	DNS_R_SUCCESS
+ *	DNS_R_NOTFOUND
+ *	DNS_R_NOMEMORY
+ */
+
+isc_result_t dns_zt_find(dns_zt_t *zt, dns_name_t *name,
+				dns_name_t *foundname, dns_zone_t **zone);
+
+/*
+ * Find the best match for 'name' in 'zt'.  If foundname is non NULL
+ * then the name of the zone found is returned.
+ *
+ * Requires:
+ *	'zt' to be valid
+ *	'name' to be valid
+ *	'foundname' to be initalised and associated with a fixedname or NULL
+ *	'zone' to be non NULL and '*zone' to be NULL
+ *
+ * Returns:
+ * 	DNS_R_SUCCESS
+ *	DNS_R_PARTIALMATCH
+ *	DNS_R_NOTFOUND
+ *	DNS_R_NOSPACE
+ */
+
+void dns_zt_detach(dns_zt_t **ztp);
+
+/*
+ * Detach the give zonetable, if the reference count goes to zero the
+ * zonetable will be freed.  In either case 'ztp' is set to NULL.
+ *
+ * Requires:
+ *	'*ztp' to be valid
+ */
+
+void dns_zt_attach(dns_zt_t *zt, dns_zt_t **ztp);
+
+/*
+ * Attach 'zt' to '*ztp'.
+ *
+ * Requires:
+ *	'zt' to be valid
+ *	'*ztp' to be NULL
+ */
+
+isc_result_t dns_zt_load(dns_zt_t *zt, isc_boolean_t stop);
+
+/*
+ * Load all zones in the table.  If 'stop' is ISC_TRUE,
+ * stop on the first error and return it.  If 'stop'
+ * is ISC_FALSE, ignore errors.
+ *
+ * Requires:
+ *	'zt' to be valid
+ */
+
+
+void dns_zt_print(dns_zt_t *zt);
+
+/*
+ * Print zones in zonetable, address, name and reference count.
+ *
+ * Requires
+ *	'zt' to be valid.
+ */
+
+isc_result_t
+dns_zt_apply(dns_zt_t *zt, isc_boolean_t stop,
+	     isc_result_t (*action)(dns_zone_t *, void *), void *uap);
+
+/*
+ * Apply a given 'action' to all zone zones in the table.
+ * If 'stop' is 'ISC_TRUE' then walking the zone tree will stop if
+ * 'action' does not return DNS_R_SUCCESS.
+ *
+ * Requires:
+ *	'zt' to be valid.
+ *	'action' to be non NULL.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS if action was applied to all nodes.
+ *	any error code from 'action'.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif