authorLaMont Jones <lamont@debian.org>2014-02-11 09:14:58 -0700
committerLaMont Jones <lamont@debian.org>2014-02-11 09:14:58 -0700
commit7cdb110b9ebf118fc9c709ea20d6e2f1905e297c (patch)
tree26af54e4e9e359b42ecbf91b9ec2d64b1863c2db /lib
parent3a384dcda13ac017246dedd5d3670145a4426c6a (diff)
parent7d91c1feeade37e62808c52a5c4c7896f3cf91bc (diff)
downloadbind9-7cdb110b9ebf118fc9c709ea20d6e2f1905e297c.tar.gz
initial merge to 9.9.5
Diffstat (limited to 'lib')
-rw-r--r--lib/bind9/check.c1
-rw-r--r--lib/dns/Makefile.in13
-rw-r--r--lib/dns/acl.c73
-rw-r--r--lib/dns/dynamic_db.c366
-rw-r--r--lib/dns/include/dns/Makefile.in2
-rw-r--r--lib/dns/include/dns/acl.h11
-rw-r--r--lib/dns/include/dns/dynamic_db.h50
-rw-r--r--lib/dns/include/dns/log.h1
-rw-r--r--lib/dns/include/dns/ncache.h4
-rw-r--r--lib/dns/include/dns/rdataset.h2
-rw-r--r--lib/dns/include/dns/types.h1
-rw-r--r--lib/dns/include/dns/view.h2
-rw-r--r--lib/dns/log.c1
-rw-r--r--lib/dns/ncache.c14
-rw-r--r--lib/dns/order.c1
-rw-r--r--lib/dns/rdataset.c10
-rw-r--r--lib/dns/resolver.c20
-rw-r--r--lib/export/dns/include/dns/Makefile.in2
-rw-r--r--lib/export/isc/include/isc/Makefile.in2
-rw-r--r--lib/isc/Makefile.in3
-rw-r--r--lib/isc/mips/include/isc/atomic.h66
-rw-r--r--lib/isc/unix/resource.c1
-rw-r--r--lib/isccc/Makefile.in4
-rw-r--r--lib/isccfg/Makefile.in2
-rw-r--r--lib/isccfg/aclconf.c11
-rw-r--r--lib/isccfg/namedconf.c38
26 files changed, 643 insertions, 58 deletions
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index af1b87ae..5efaf094 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -132,6 +132,7 @@ check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) {
"compilation time");
#endif
} else if (strcasecmp(cfg_obj_asstring(obj), "random") != 0 &&
+ strcasecmp(cfg_obj_asstring(obj), "random_1") != 0 &&
strcasecmp(cfg_obj_asstring(obj), "cyclic") != 0) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"rrset-order: invalid order '%s'",
diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in
index a3e3e9a4..5bf850ae 100644
--- a/lib/dns/Makefile.in
+++ b/lib/dns/Makefile.in
@@ -42,7 +42,7 @@ ISCLIBS = ../../lib/isc/libisc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
-LIBS = @LIBS@
+LIBS = @LIBS@ -L../../lib/isc -lcrypto @GEOIP_LIBS@
# Alphabetically
@@ -62,7 +62,7 @@ DNSOBJS = acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
cache.@O@ callbacks.@O@ clientinfo.@O@ compress.@O@ \
db.@O@ dbiterator.@O@ dbtable.@O@ diff.@O@ dispatch.@O@ \
dlz.@O@ dns64.@O@ dnssec.@O@ ds.@O@ forward.@O@ iptable.@O@ \
- journal.@O@ keydata.@O@ keytable.@O@ \
+ dynamic_db.@O@ journal.@O@ keydata.@O@ keytable.@O@ \
lib.@O@ log.@O@ lookup.@O@ \
master.@O@ masterdump.@O@ message.@O@ \
name.@O@ ncache.@O@ nsec.@O@ nsec3.@O@ order.@O@ peer.@O@ \
@@ -92,7 +92,7 @@ DNSSRCS = acache.c acl.c adb.c byaddr.c \
cache.c callbacks.c clientinfo.c compress.c \
db.c dbiterator.c dbtable.c diff.c dispatch.c \
dlz.c dns64.c dnssec.c ds.c forward.c iptable.c journal.c \
- keydata.c keytable.c lib.c log.c lookup.c \
+ dynamic_db.c keydata.c keytable.c lib.c log.c lookup.c \
master.c masterdump.c message.c \
name.c ncache.c nsec.c nsec3.c order.c peer.c portlist.c \
rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c rdatalist.c \
@@ -125,6 +125,11 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
+dynamic_db.@O@: dynamic_db.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DDYNDB_LIBDIR=\"@libdir@/bind/\" \
+ -c ${srcdir}/dynamic_db.c
+
libdns.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
@@ -134,6 +139,7 @@ libdns.la: ${OBJS}
${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+ ln -sf .libs/libdns.so .
timestamp: libdns.@A@
touch timestamp
@@ -148,6 +154,7 @@ clean distclean::
rm -f libdns.@A@ timestamp
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
rm -f include/dns/rdatastruct.h
+ rm -f libdns.so
newrr::
rm -f code.h include/dns/enumtype.h include/dns/enumclass.h
diff --git a/lib/dns/acl.c b/lib/dns/acl.c
index dbc6f9cb..4f760ef8 100644
--- a/lib/dns/acl.c
+++ b/lib/dns/acl.c
@@ -21,10 +21,15 @@
#include <config.h>
+#ifdef SUPPORT_GEOIP
+#include <GeoIP.h>
+#endif
+
#include <isc/mem.h>
#include <isc/once.h>
#include <isc/string.h>
#include <isc/util.h>
+#include <dns/log.h>
#include <dns/acl.h>
#include <dns/iptable.h>
@@ -320,6 +325,13 @@ dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos)
dest->elements[nelem + i].node_num =
source->elements[i].node_num + dest->node_count;
+#ifdef SUPPORT_GEOIP
+ /* Country */
+ if (source->elements[i].type == dns_aclelementtype_ipcountry &&
+ source->elements[i].country != NULL) {
+ strncpy(dest->elements[nelem + i].country, source->elements[i].country, 3);
+ }
+#endif
/* Duplicate nested acl. */
if (source->elements[i].type == dns_aclelementtype_nestedacl &&
source->elements[i].nestedacl != NULL)
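Review bot: The `source->elements[i].country != NULL` test in the added block is always true, because acl.h in this same commit declares `country` as a `char[3]` array member rather than a pointer, so it guards nothing. `strncpy(..., 3)` into a 3-byte destination also leaves the field unterminated whenever the source holds three non-NUL bytes. Since both sides are the same fixed-size array, I would drop the NULL test and copy with `memcpy(dest->elements[nelem + i].country, source->elements[i].country, sizeof(dest->elements[nelem + i].country));`. dns_acl_merge() starts and ends outside this hunk.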
@@ -379,7 +391,68 @@ dns_aclelement_match(const isc_netaddr_t *reqaddr,
int indirectmatch;
isc_result_t result;
+ #ifdef SUPPORT_GEOIP
+ static GeoIP *geoip = NULL;
+ static isc_boolean_t geoip_init_tried = ISC_FALSE;
+ #ifdef GEOIP_V6
+ static GeoIP *geoip6 = NULL;
+ static isc_boolean_t geoip6_init_tried = ISC_FALSE;
+ #endif
+ #endif
+
switch (e->type) {
+#ifdef SUPPORT_GEOIP
+ case dns_aclelementtype_ipcountry:
+ /* Country match */
+ if (NULL == geoip && !geoip_init_tried) {
+ geoip_init_tried = ISC_TRUE;
+ if (GeoIP_db_avail(GEOIP_COUNTRY_EDITION)) {
+ geoip = GeoIP_open_type(GEOIP_COUNTRY_EDITION, GEOIP_MEMORY_CACHE);
+ if (NULL == geoip)
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_ACL, ISC_LOG_NOTICE,
+ "Failed to open geoip database for ipv4");
+ } else {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_ACL, ISC_LOG_NOTICE,
+ "geoip database for ipv4 is not available");
+ }
+ }
+#ifdef GEOIP_V6
+ if (NULL == geoip6 && !geoip6_init_tried) {
+ geoip6_init_tried = ISC_TRUE;
+ if (GeoIP_db_avail(GEOIP_COUNTRY_EDITION_V6)) {
+ geoip6 = GeoIP_open_type(GEOIP_COUNTRY_EDITION_V6, GEOIP_MEMORY_CACHE);
+ if (NULL == geoip6)
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_ACL, ISC_LOG_NOTICE,
+ "Failed to open geoip database for ipv6");
+ } else {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_ACL, ISC_LOG_NOTICE,
+ "geoip database for ipv6 is not available");
+ }
+ }
+#endif
+
+ const char *value = NULL;
+
+ if (reqaddr->family == AF_INET && geoip) {
+ value = GeoIP_country_code_by_addr(geoip,inet_ntoa(reqaddr->type.in));
+#ifdef GEOIP_V6
+ } else if (reqaddr->family == AF_INET6 && geoip6) {
+ value = GeoIP_country_code_by_ipnum_v6(geoip6, (geoipv6_t)reqaddr->type.in6);
+#endif
+ }
+
+ if ((NULL != value) && (2 == strlen(value))) {
+ if ((e->country[0] == value[0]) && (e->country[1] == value[1])) {
+ return (ISC_TRUE);
+ }
+ }
+ return (ISC_FALSE);
+#endif
+
case dns_aclelementtype_keyname:
if (reqsigner != NULL &&
dns_name_equal(reqsigner, &e->keyname)) {
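Review bot: The IPv4 lookup goes through `inet_ntoa()`, which returns a pointer to a static buffer, and the `geoip`/`geoip_init_tried` function-local statics are read and written with no lock, so if dns_aclelement_match() is reached from more than one worker thread at once (likely in named, though the callers are not visible here) an ACL decision can be made on another client's address or race on the database open. Passing the address numerically avoids the shared buffer, e.g. `value = GeoIP_country_code_by_ipnum(geoip, ntohl(reqaddr->type.in.s_addr));`, and the one-time open could go through `isc_once_do()`, which the `<isc/once.h>` include already makes available to this file. When the database is missing, the element never matches and only a single NOTICE is logged, so a country-based deny list fails open; that deserves a comment or a higher log level. The function starts and ends outside this hunk.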
diff --git a/lib/dns/dynamic_db.c b/lib/dns/dynamic_db.c
new file mode 100644
index 00000000..bf831617
--- /dev/null
+++ b/lib/dns/dynamic_db.c
@@ -0,0 +1,366 @@
+/*
+ * Copyright (C) 2008-2011 Red Hat, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND Red Hat DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL Red Hat BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#include <config.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/result.h>
+#include <isc/region.h>
+#include <isc/task.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/dynamic_db.h>
+#include <dns/log.h>
+#include <dns/types.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+#include <string.h>
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#ifndef DYNDB_LIBDIR
+#define DYNDB_LIBDIR ""
+#endif
+
+#define CHECK(op) \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) goto cleanup; \
+ } while (0)
+
+
+typedef isc_result_t (*register_func_t)(isc_mem_t *mctx, const char *name,
+ const char * const *argv,
+ const dns_dyndb_arguments_t *dyndb_args);
+typedef void (*destroy_func_t)(void);
+
+typedef struct dyndb_implementation dyndb_implementation_t;
+
+struct dyndb_implementation {
+ isc_mem_t *mctx;
+ void *handle;
+ register_func_t register_function;
+ destroy_func_t destroy_function;
+ LINK(dyndb_implementation_t) link;
+};
+
+struct dns_dyndb_arguments {
+ dns_view_t *view;
+ dns_zonemgr_t *zmgr;
+ isc_task_t *task;
+ isc_timermgr_t *timermgr;
+};
+
+/* List of implementations. Locked by dyndb_lock. */
+static LIST(dyndb_implementation_t) dyndb_implementations;
+/* Locks dyndb_implementations. */
+static isc_mutex_t dyndb_lock;
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+dyndb_initialize(void) {
+ RUNTIME_CHECK(isc_mutex_init(&dyndb_lock) == ISC_R_SUCCESS);
+ INIT_LIST(dyndb_implementations);
+}
+
+
+#if HAVE_DLFCN_H
+static isc_result_t
+load_symbol(void *handle, const char *symbol_name, void **symbolp)
+{
+ const char *errmsg;
+ void *symbol;
+
+ REQUIRE(handle != NULL);
+ REQUIRE(symbolp != NULL && *symbolp == NULL);
+
+ symbol = dlsym(handle, symbol_name);
+ if (symbol == NULL) {
+ errmsg = dlerror();
+ if (errmsg == NULL)
+ errmsg = "returned function pointer is NULL";
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_DYNDB, ISC_LOG_ERROR,
+ "failed to lookup symbol %s: %s",
+ symbol_name, errmsg);
+ return ISC_R_FAILURE;
+ }
+ dlerror();
+
+ *symbolp = symbol;
+
+ return ISC_R_SUCCESS;
+}
+
+static isc_result_t
+load_library(isc_mem_t *mctx, const char *filename, dyndb_implementation_t **impp)
+{
+ isc_result_t result;
+ size_t module_size;
+ isc_buffer_t *module_buf = NULL;
+ isc_region_t module_region;
+ void *handle = NULL;
+ dyndb_implementation_t *imp;
+ register_func_t register_function = NULL;
+ destroy_func_t destroy_function = NULL;
+
+ REQUIRE(impp != NULL && *impp == NULL);
+
+ /* Build up the full path. */
+ module_size = strlen(DYNDB_LIBDIR) + strlen(filename) + 1;
+ CHECK(isc_buffer_allocate(mctx, &module_buf, module_size));
+ isc_buffer_putstr(module_buf, DYNDB_LIBDIR);
+ isc_buffer_putstr(module_buf, filename);
+ isc_buffer_putuint8(module_buf, 0);
+ isc_buffer_region(module_buf, &module_region);
+
+ handle = dlopen((char *)module_region.base, RTLD_LAZY);
+ if (handle == NULL) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_DYNDB, ISC_LOG_ERROR,
+ "failed to dynamically load driver '%s': %s",
+ filename, dlerror());
+ result = ISC_R_FAILURE;
+ goto cleanup;
+ }
+ dlerror();
+
+ CHECK(load_symbol(handle, "dynamic_driver_init",
+ (void **)&register_function));
+ CHECK(load_symbol(handle, "dynamic_driver_destroy",
+ (void **)&destroy_function));
+
+ imp = isc_mem_get(mctx, sizeof(dyndb_implementation_t));
+ if (imp == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+
+ imp->mctx = NULL;
+ isc_mem_attach(mctx, &imp->mctx);
+ imp->handle = handle;
+ imp->register_function = register_function;
+ imp->destroy_function = destroy_function;
+ INIT_LINK(imp, link);
+
+ *impp = imp;
+
+cleanup:
+ if (result != ISC_R_SUCCESS && handle != NULL)
+ dlclose(handle);
+ if (module_buf != NULL)
+ isc_buffer_free(&module_buf);
+
+ return result;
+}
+
+static void
+unload_library(dyndb_implementation_t **impp)
+{
+ dyndb_implementation_t *imp;
+
+ REQUIRE(impp != NULL && *impp != NULL);
+
+ imp = *impp;
+
+ isc_mem_putanddetach(&imp->mctx, imp, sizeof(dyndb_implementation_t));
+
+ *impp = NULL;
+}
+
+#else /* HAVE_DLFCN_H */
+static isc_result_t
+load_library(isc_mem_t *mctx, const char *filename, dyndb_implementation_t **impp)
+{
+ UNUSED(mctx);
+ UNUSED(filename);
+ UNUSED(impp);
+
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DYNDB,
+ ISC_LOG_ERROR,
+ "dynamic database support is not implemented")
+
+ return ISC_R_NOTIMPLEMENTED;
+}
+
+static void
+unload_library(dyndb_implementation_t **impp)
+{
+ dyndb_implementation_t *imp;
+
+ REQUIRE(impp != NULL && *impp != NULL);
+
+ imp = *impp;
+
+ isc_mem_putanddetach(&imp->mctx, imp, sizeof(dyndb_implementation_t));
+
+ *impp = NULL;
+}
+#endif /* HAVE_DLFCN_H */
+
+isc_result_t
+dns_dynamic_db_load(const char *libname, const char *name, isc_mem_t *mctx,
+ const char * const *argv,
+ const dns_dyndb_arguments_t *dyndb_args)
+{
+ isc_result_t result;
+ dyndb_implementation_t *implementation = NULL;
+
+ RUNTIME_CHECK(isc_once_do(&once, dyndb_initialize) == ISC_R_SUCCESS);
+
+ CHECK(load_library(mctx, libname, &implementation));
+ CHECK(implementation->register_function(mctx, name, argv, dyndb_args));
+
+ LOCK(&dyndb_lock);
+ APPEND(dyndb_implementations, implementation, link);
+ UNLOCK(&dyndb_lock);
+
+ return ISC_R_SUCCESS;
+
+cleanup:
+ if (implementation != NULL)
+ unload_library(&implementation);
+
+ return result;
+}
+
+void
+dns_dynamic_db_cleanup(isc_boolean_t exiting)
+{
+ dyndb_implementation_t *elem;
+ dyndb_implementation_t *prev;
+
+ RUNTIME_CHECK(isc_once_do(&once, dyndb_initialize) == ISC_R_SUCCESS);
+
+ LOCK(&dyndb_lock);
+ elem = TAIL(dyndb_implementations);
+ while (elem != NULL) {
+ prev = PREV(elem, link);
+ UNLINK(dyndb_implementations, elem, link);
+ elem->destroy_function();
+ unload_library(&elem);
+ elem = prev;
+ }
+ UNLOCK(&dyndb_lock);
+
+ if (exiting == ISC_TRUE)
+ isc_mutex_destroy(&dyndb_lock);
+}
+
+dns_dyndb_arguments_t *
+dns_dyndb_arguments_create(isc_mem_t *mctx)
+{
+ dns_dyndb_arguments_t *args;
+
+ args = isc_mem_get(mctx, sizeof(*args));
+ if (args != NULL)
+ memset(args, 0, sizeof(*args));
+
+ return args;
+}
+
+void
+dns_dyndb_arguments_destroy(isc_mem_t *mctx, dns_dyndb_arguments_t *args)
+{
+ REQUIRE(args != NULL);
+
+ dns_dyndb_set_view(args, NULL);
+ dns_dyndb_set_zonemgr(args, NULL);
+ dns_dyndb_set_task(args, NULL);
+ dns_dyndb_set_timermgr(args, NULL);
+
+ isc_mem_put(mctx, args, sizeof(*args));
+}
+
+void
+dns_dyndb_set_view(dns_dyndb_arguments_t *args, dns_view_t *view)
+{
+ REQUIRE(args != NULL);
+
+ if (args->view != NULL)
+ dns_view_detach(&args->view);
+ if (view != NULL)
+ dns_view_attach(view, &args->view);
+}
+
+dns_view_t *
+dns_dyndb_get_view(dns_dyndb_arguments_t *args)
+{
+ REQUIRE(args != NULL);
+
+ return args->view;
+}
+
+void
+dns_dyndb_set_zonemgr(dns_dyndb_arguments_t *args, dns_zonemgr_t *zmgr)
+{
+ REQUIRE(args != NULL);
+
+ if (args->zmgr != NULL)
+ dns_zonemgr_detach(&args->zmgr);
+ if (zmgr != NULL)
+ dns_zonemgr_attach(zmgr, &args->zmgr);
+}
+
+dns_zonemgr_t *
+dns_dyndb_get_zonemgr(dns_dyndb_arguments_t *args)
+{
+ REQUIRE(args != NULL);
+
+ return args->zmgr;
+}
+
+void
+dns_dyndb_set_task(dns_dyndb_arguments_t *args, isc_task_t *task)
+{
+ REQUIRE(args != NULL);
+
+ if (args->task != NULL)
+ isc_task_detach(&args->task);
+ if (task != NULL)
+ isc_task_attach(task, &args->task);
+}
+
+isc_task_t *
+dns_dyndb_get_task(dns_dyndb_arguments_t *args)
+{
+ REQUIRE(args != NULL);
+
+ return args->task;
+}
+
+void
+dns_dyndb_set_timermgr(dns_dyndb_arguments_t *args, isc_timermgr_t *timermgr)
+{
+ REQUIRE(args != NULL);
+
+ args->timermgr = timermgr;
+}
+
+isc_timermgr_t *
+dns_dyndb_get_timermgr(dns_dyndb_arguments_t *args)
+{
+ REQUIRE(args != NULL);
+
+ return args->timermgr;
+}
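Review bot: load_library() builds the path by concatenating DYNDB_LIBDIR and the caller-supplied `filename` and passes it straight to dlopen(), so a name containing `/` or `..` resolves outside the driver directory, and with the empty `DYNDB_LIBDIR ""` fallback a bare name is resolved through the dynamic linker's normal search path. Because this maps code into the server process, I would reject such names before building the buffer, e.g. `if (strchr(filename, '/') != NULL) return ISC_R_FAILURE;`, and document that `libname` must come from trusted configuration (its origin is not visible in this file). Separately, the dlfcn unload_library() frees the record but never calls `dlclose(imp->handle)`, so a driver whose register function fails in dns_dynamic_db_load() stays mapped. The non-dlfcn load_library() is also missing the `;` after its isc_log_write(...) call, so that branch cannot compile.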
diff --git a/lib/dns/include/dns/Makefile.in b/lib/dns/include/dns/Makefile.in
index 6ff682f7..79cadc5b 100644
--- a/lib/dns/include/dns/Makefile.in
+++ b/lib/dns/include/dns/Makefile.in
@@ -24,12 +24,14 @@ top_srcdir = @top_srcdir@
HEADERS = acl.h adb.h byaddr.h cache.h callbacks.h cert.h compress.h \
client.h clientinfo.h compress.h \
db.h dbiterator.h dbtable.h diff.h dispatch.h \
+ dynamic_db.h \
dlz.h dnssec.h ds.h events.h fixedname.h iptable.h journal.h \
keyflags.h keytable.h keyvalues.h lib.h log.h \
master.h masterdump.h message.h name.h ncache.h nsec.h \
peer.h portlist.h private.h rbt.h rcode.h \
rdata.h rdataclass.h rdatalist.h rdataset.h rdatasetiter.h \
rdataslab.h rdatatype.h request.h resolver.h result.h \
+ rrl.h tsec.h \
rootns.h rpz.h sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h \
tcpmsg.h time.h tkey.h tsec.h tsig.h ttl.h types.h \
validator.h version.h view.h xfrin.h zone.h zonekey.h zt.h
diff --git a/lib/dns/include/dns/acl.h b/lib/dns/include/dns/acl.h
index f4fc4a3b..08fa468a 100644
--- a/lib/dns/include/dns/acl.h
+++ b/lib/dns/include/dns/acl.h
@@ -53,8 +53,16 @@ typedef enum {
dns_aclelementtype_localhost,
dns_aclelementtype_localnets,
dns_aclelementtype_any
+#ifdef SUPPORT_GEOIP
+ ,
+ dns_aclelementtype_ipcountry
+#endif
} dns_aclelemettype_t;
+#ifdef SUPPORT_GEOIP
+typedef char dns_aclipcountry[3];
+#endif
+
typedef struct dns_aclipprefix dns_aclipprefix_t;
struct dns_aclipprefix {
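Review bot: `dns_aclelementtype_ipcountry` here, and the `country` member added to `struct dns_aclelement` in the next hunk, exist only when SUPPORT_GEOIP is defined, which makes the layout of a struct in an installed header depend on a macro every consumer must define identically (where the macro gets defined is not visible here). Anything compiled against this header without the macro would disagree with libdns about `sizeof(struct dns_aclelement)` and index `elements[]` at the wrong offsets. I would declare the enum value and the field unconditionally and keep only the GeoIP calls behind the `#ifdef`; at minimum add a comment such as `/* layout depends on SUPPORT_GEOIP; must match the libdns build */`.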
@@ -68,6 +76,9 @@ struct dns_aclelement {
dns_name_t keyname;
dns_acl_t *nestedacl;
int node_num;
+#ifdef SUPPORT_GEOIP
+ dns_aclipcountry country;
+#endif
};
struct dns_acl {
diff --git a/lib/dns/include/dns/dynamic_db.h b/lib/dns/include/dns/dynamic_db.h
new file mode 100644
index 00000000..673ad4bc
--- /dev/null
+++ b/lib/dns/include/dns/dynamic_db.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2008-2011 Red Hat, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND Red Hat DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL Red Hat BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#ifndef DYNAMIC_DB_H
+#define DYNAMIC_DB_H
+
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+/*
+ * TODO:
+ * Reformat the prototypes.
+ * Add annotated comments.
+ */
+
+isc_result_t dns_dynamic_db_load(const char *libname, const char *name,
+ isc_mem_t *mctx, const char * const *argv,
+ const dns_dyndb_arguments_t *dyndb_args);
+
+void dns_dynamic_db_cleanup(isc_boolean_t exiting);
+
+dns_dyndb_arguments_t *dns_dyndb_arguments_create(isc_mem_t *mctx);
+void dns_dyndb_arguments_destroy(isc_mem_t *mctx, dns_dyndb_arguments_t *args);
+
+void dns_dyndb_set_view(dns_dyndb_arguments_t *args, dns_view_t *view);
+dns_view_t *dns_dyndb_get_view(dns_dyndb_arguments_t *args);
+void dns_dyndb_set_zonemgr(dns_dyndb_arguments_t *args, dns_zonemgr_t *zmgr);
+dns_zonemgr_t *dns_dyndb_get_zonemgr(dns_dyndb_arguments_t *args);
+void dns_dyndb_set_task(dns_dyndb_arguments_t *args, isc_task_t *task);
+isc_task_t *dns_dyndb_get_task(dns_dyndb_arguments_t *args);
+void dns_dyndb_set_timermgr(dns_dyndb_arguments_t *args,
+ isc_timermgr_t *timermgr);
+isc_timermgr_t *dns_dyndb_get_timermgr(dns_dyndb_arguments_t *args);
+
+#endif
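Review bot: The header ships with a TODO in place of any contract, and the ownership rules differ between setters in a way callers cannot guess: in dynamic_db.c `dns_dyndb_set_view()`, `dns_dyndb_set_zonemgr()` and `dns_dyndb_set_task()` attach a reference and detach the old one, while `dns_dyndb_set_timermgr()` stores a bare pointer. I would add a `/*%< ... */` comment on each prototype saying that, and on `dns_dynamic_db_load()` one stating that `libname` is appended to the compiled-in DYNDB_LIBDIR and that the library must export `dynamic_driver_init` and `dynamic_driver_destroy`. The prototypes are also not wrapped in `ISC_LANG_BEGINDECLS`/`ISC_LANG_ENDDECLS`, unlike log.h and ncache.h in this same diff.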
diff --git a/lib/dns/include/dns/log.h b/lib/dns/include/dns/log.h
index e8c8c105..a3b7e5a7 100644
--- a/lib/dns/include/dns/log.h
+++ b/lib/dns/include/dns/log.h
@@ -77,6 +77,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[];
#define DNS_LOGMODULE_DLZ (&dns_modules[26])
#define DNS_LOGMODULE_DNSSEC (&dns_modules[27])
#define DNS_LOGMODULE_CRYPTO (&dns_modules[28])
+#define DNS_LOGMODULE_DYNDB (&dns_modules[29])
ISC_LANG_BEGINDECLS
diff --git a/lib/dns/include/dns/ncache.h b/lib/dns/include/dns/ncache.h
index 337e8348..14ccefd3 100644
--- a/lib/dns/include/dns/ncache.h
+++ b/lib/dns/include/dns/ncache.h
@@ -61,12 +61,12 @@ ISC_LANG_BEGINDECLS
isc_result_t
dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
- dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+ dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl,
dns_rdataset_t *addedrdataset);
isc_result_t
dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
dns_dbnode_t *node, dns_rdatatype_t covers,
- isc_stdtime_t now, dns_ttl_t maxttl,
+ isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl,
isc_boolean_t optout, dns_rdataset_t *addedrdataset);
/*%<
* Convert the authority data from 'message' into a negative cache
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
index 31bcd15f..f02bc7d0 100644
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@@ -206,6 +206,8 @@ struct dns_rdataset {
#define DNS_RDATASETATTR_OPTOUT 0x00100000 /*%< OPTOUT proof */
#define DNS_RDATASETATTR_NEGATIVE 0x00200000
+#define DNS_RDATASETATTR_SINGLE 0x10000000 /* Only return 1 answer */
+
/*%
* _OMITDNSSEC:
* Omit DNSSEC records when rendering ncache records.
diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index 76167c2f..f5e39d45 100644
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -60,6 +60,7 @@ typedef struct dns_dbtable dns_dbtable_t;
typedef void dns_dbversion_t;
typedef struct dns_dlzimplementation dns_dlzimplementation_t;
typedef struct dns_dlzdb dns_dlzdb_t;
+typedef struct dns_dyndb_arguments dns_dyndb_arguments_t;
typedef struct dns_sdlzimplementation dns_sdlzimplementation_t;
typedef struct dns_decompress dns_decompress_t;
typedef struct dns_dispatch dns_dispatch_t;
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index 704e5fe3..342f6619 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -148,6 +148,8 @@ struct dns_view {
isc_boolean_t requestnsid;
dns_ttl_t maxcachettl;
dns_ttl_t maxncachettl;
+ dns_ttl_t mincachettl;
+ dns_ttl_t minncachettl;
in_port_t dstport;
dns_aclenv_t aclenv;
dns_rdatatype_t preferred_glue;
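Review bot: Nothing in this diff gives `mincachettl` and `minncachettl` a default: lib/dns/view.c is not in the diffstat, so unless the view is zeroed on allocation or every caller sets the fields elsewhere (not visible here), a view that is never configured reads indeterminate values. resolver.c in this commit uses both as TTL floors, so a garbage value would pin cache entries far longer than the zone published. I would initialise them where the view is created, `view->mincachettl = 0;` and `view->minncachettl = 0;`, and comment the fields with `/* floor applied to cached TTLs; 0 disables */`.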
diff --git a/lib/dns/log.c b/lib/dns/log.c
index 75e0d79b..b5c8b057 100644
--- a/lib/dns/log.c
+++ b/lib/dns/log.c
@@ -83,6 +83,7 @@ LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = {
{ "dns/dlz", 0 },
{ "dns/dnssec", 0 },
{ "dns/crypto", 0 },
+ { "dns/dynamic_db", 0 },
{ NULL, 0 }
};
diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
index bcb3d057..d3ab27b4 100644
--- a/lib/dns/ncache.c
+++ b/lib/dns/ncache.c
@@ -49,7 +49,7 @@
static isc_result_t
addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
- dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+ dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl,
isc_boolean_t optout, isc_boolean_t secure,
dns_rdataset_t *addedrdataset);
@@ -99,26 +99,26 @@ copy_rdataset(dns_rdataset_t *rdataset, isc_buffer_t *buffer) {
isc_result_t
dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
- dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+ dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl,
dns_rdataset_t *addedrdataset)
{
- return (addoptout(message, cache, node, covers, now, maxttl,
+ return (addoptout(message, cache, node, covers, now, minttl, maxttl,
ISC_FALSE, ISC_FALSE, addedrdataset));
}
isc_result_t
dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
dns_dbnode_t *node, dns_rdatatype_t covers,
- isc_stdtime_t now, dns_ttl_t maxttl,
+ isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl,
isc_boolean_t optout, dns_rdataset_t *addedrdataset)
{
- return (addoptout(message, cache, node, covers, now, maxttl,
+ return (addoptout(message, cache, node, covers, now, minttl, maxttl,
optout, ISC_TRUE, addedrdataset));
}
static isc_result_t
addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
- dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+ dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl,
isc_boolean_t optout, isc_boolean_t secure,
dns_rdataset_t *addedrdataset)
{
@@ -187,6 +187,8 @@ addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
type == dns_rdatatype_nsec3) {
if (ttl > rdataset->ttl)
ttl = rdataset->ttl;
+ if (ttl < minttl)
+ ttl = minttl;
if (trust > rdataset->trust)
trust = rdataset->trust;
/*
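Review bot: The new floor is applied after the cap, so `if (ttl < minttl) ttl = minttl;` can raise `ttl` above both the record's own TTL (capped on the line before) and `maxttl`, and nothing visible here checks that `minttl <= maxttl`. The same ordering appears in the cache_name() hunk in resolver.c, where `mincachettl` is applied after `maxcachettl`. I would clamp at the point of use, `if (ttl < minttl) ttl = ISC_MIN(minttl, maxttl);`, and add a comment that raising a TTL keeps stale or poisoned negative answers in the cache longer than the zone owner asked for. addoptout() continues outside this hunk.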
diff --git a/lib/dns/order.c b/lib/dns/order.c
index 853b0019..18dc24ea 100644
--- a/lib/dns/order.c
+++ b/lib/dns/order.c
@@ -89,6 +89,7 @@ dns_order_add(dns_order_t *order, dns_name_t *name,
REQUIRE(DNS_ORDER_VALID(order));
REQUIRE(mode == DNS_RDATASETATTR_RANDOMIZE ||
mode == DNS_RDATASETATTR_FIXEDORDER ||
+ mode == (DNS_RDATASETATTR_RANDOMIZE|DNS_RDATASETATTR_SINGLE) ||
mode == 0 /* DNS_RDATASETATTR_CYCLIC */ );
ent = isc_mem_get(order->mctx, sizeof(*ent));
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
index 026d7712..83775689 100644
--- a/lib/dns/rdataset.c
+++ b/lib/dns/rdataset.c
@@ -297,6 +297,7 @@ dns_rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
#define MAX_SHUFFLE 32
#define WANT_FIXED(r) (((r)->attributes & DNS_RDATASETATTR_FIXEDORDER) != 0)
#define WANT_RANDOM(r) (((r)->attributes & DNS_RDATASETATTR_RANDOMIZE) != 0)
+#define WANT_SINGLE(r) (((r)->attributes & DNS_RDATASETATTR_SINGLE) != 0)
struct towire_sort {
int key;
@@ -321,6 +322,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
isc_region_t r;
isc_result_t result;
unsigned int i, count = 0, added, choice;
+ unsigned int real_count;
isc_buffer_t savedbuffer, rdlen, rrbuffer;
unsigned int headlen;
isc_boolean_t question = ISC_FALSE;
@@ -362,6 +364,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
if (result != ISC_R_SUCCESS)
return (result);
}
+ real_count = count;
/*
* Do we want to shuffle this answer?
@@ -430,6 +433,9 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
sorted[i].key = 0; /* Unused */
sorted[i].rdata = &shuffled[i];
}
+ if (count > 1 && WANT_SINGLE(rdataset)) {
+ count = 1;
+ }
} else {
/*
* "Cyclic" order.
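Review bot: Cutting `count` to 1 renders a single record of a multi-record RRset, and nothing in this hunk exempts signed data: if the zone is DNSSEC-signed, a validating client gets a partial RRset that cannot match the RRSIG covering the full set. I would gate the truncation on the absence of signatures, or at least document the limitation next to the check, e.g. `/* random_1: breaks validation of signed RRsets, since the RRSIG covers all records */`. towiresorted() starts and ends outside this hunk.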
@@ -550,9 +556,9 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
cleanup:
if (sorted != NULL && sorted != sorted_fixed)
- isc_mem_put(cctx->mctx, sorted, count * sizeof(*sorted));
+ isc_mem_put(cctx->mctx, sorted, real_count * sizeof(*sorted));
if (shuffled != NULL && shuffled != shuffled_fixed)
- isc_mem_put(cctx->mctx, shuffled, count * sizeof(*shuffled));
+ isc_mem_put(cctx->mctx, shuffled, real_count * sizeof(*shuffled));
return (result);
}
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 2e60cd84..894110f5 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -471,7 +471,9 @@ static isc_boolean_t fctx_unlink(fetchctx_t *fctx);
static isc_result_t ncache_adderesult(dns_message_t *message,
dns_db_t *cache, dns_dbnode_t *node,
dns_rdatatype_t covers,
- isc_stdtime_t now, dns_ttl_t maxttl,
+ isc_stdtime_t now,
+ dns_ttl_t minttl,
+ dns_ttl_t maxttl,
isc_boolean_t optout,
isc_boolean_t secure,
dns_rdataset_t *ardataset,
@@ -4204,7 +4206,7 @@ validated(isc_task_t *task, isc_event_t *event) {
ttl = 0;
result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
- covers, now, ttl, vevent->optout,
+ covers, now, fctx->res->view->minncachettl, ttl, vevent->optout,
vevent->secure, ardataset, &eresult);
if (result != ISC_R_SUCCESS)
goto noanswer_response;
@@ -4659,6 +4661,12 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
*/
if (rdataset->ttl > res->view->maxcachettl)
rdataset->ttl = res->view->maxcachettl;
+
+ /*
+ * Enforce configured minimum cache TTL.
+ */
+ if (rdataset->ttl < res->view->mincachettl)
+ rdataset->ttl = res->view->mincachettl;
/*
* Find the SIG for this rdataset, if we have it.
@@ -4986,7 +4994,7 @@ cache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_stdtime_t now)
*/
static isc_result_t
ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
- dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+ dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl,
isc_boolean_t optout, isc_boolean_t secure,
dns_rdataset_t *ardataset, isc_result_t *eresultp)
{
@@ -4999,10 +5007,10 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
}
if (secure)
result = dns_ncache_addoptout(message, cache, node, covers,
- now, maxttl, optout, ardataset);
+ now, minttl, maxttl, optout, ardataset);
else
result = dns_ncache_add(message, cache, node, covers, now,
- maxttl, ardataset);
+ minttl, maxttl, ardataset);
if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) {
/*
* If the cache now contains a negative entry and we
@@ -5168,7 +5176,7 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
ttl = 0;
result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
- covers, now, ttl, ISC_FALSE,
+ covers, now, fctx->res->view->minncachettl, ttl, ISC_FALSE,
ISC_FALSE, ardataset, &eresult);
if (result != ISC_R_SUCCESS)
goto unlock;
diff --git a/lib/export/dns/include/dns/Makefile.in b/lib/export/dns/include/dns/Makefile.in
index b7f51b4a..7a8512e2 100644
--- a/lib/export/dns/include/dns/Makefile.in
+++ b/lib/export/dns/include/dns/Makefile.in
@@ -31,7 +31,7 @@ HEADERS = acl.h adb.h byaddr.h \
peer.h portlist.h \
rbt.h rcode.h rdata.h rdataclass.h \
rdatalist.h rdataset.h rdatasetiter.h rdataslab.h rdatatype.h \
- request.h resolver.h result.h \
+ request.h resolver.h result.h rrl.h \
secalg.h secproto.h soa.h stats.h \
tcpmsg.h time.h tsec.h tsig.h ttl.h types.h \
validator.h version.h view.h
diff --git a/lib/export/isc/include/isc/Makefile.in b/lib/export/isc/include/isc/Makefile.in
index 8c7eff8e..2084b750 100644
--- a/lib/export/isc/include/isc/Makefile.in
+++ b/lib/export/isc/include/isc/Makefile.in
@@ -37,7 +37,7 @@ HEADERS = app.h assertions.h base64.h bitstring.h boolean.h \
print.h quota.h radix.h random.h ratelimiter.h \
refcount.h regex.h region.h resource.h \
result.h resultclass.h rwlock.h serial.h sha1.h sha2.h \
- sockaddr.h socket.h stdio.h stdlib.h string.h \
+ sockaddr.h socket.h stat.h stdio.h stdlib.h string.h \
symtab.h \
task.h taskpool.h timer.h types.h util.h version.h \
xml.h
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index f513eb97..503ccd11 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -120,12 +120,14 @@ libisc.la: ${OBJS} ${SYMTBLOBJS}
${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${SYMTBLOBJS} ${LIBS}
+ ln -sf .libs/libisc.so .
libisc-nosymtbl.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${LIBS}
+ ln -sf .libs/libisc-nosymtbl.so .
timestamp: libisc.@A@ libisc-nosymtbl.@A@
touch timestamp
@@ -139,3 +141,4 @@ install:: timestamp installdirs
clean distclean::
rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \
libisc-nosymtbl.la timestamp
+ rm -f libisc.so libisc-nosymtbl.so
diff --git a/lib/isc/mips/include/isc/atomic.h b/lib/isc/mips/include/isc/atomic.h
index bb739f74..e3657d73 100644
--- a/lib/isc/mips/include/isc/atomic.h
+++ b/lib/isc/mips/include/isc/atomic.h
@@ -31,18 +31,20 @@ static inline isc_int32_t
isc_atomic_xadd(isc_int32_t *p, int val) {
isc_int32_t orig;
- /* add is a cheat, since MIPS has no mov instruction */
- __asm__ volatile (
- "1:"
- "ll $3, %1\n"
- "add %0, $0, $3\n"
- "add $3, $3, %2\n"
- "sc $3, %1\n"
- "beq $3, 0, 1b"
- : "=&r"(orig)
- : "m"(*p), "r"(val)
- : "memory", "$3"
- );
+ __asm__ __volatile__ (
+ " .set push \n"
+ " .set mips2 \n"
+ " .set noreorder \n"
+ " .set noat \n"
+ "1: ll $1, %1 \n"
+ " addu %0, $1, %2 \n"
+ " sc %0, %1 \n"
+ " beqz %0, 1b \n"
+ " move %0, $1 \n"
+ " .set pop \n"
+ : "=&r" (orig), "+R" (*p)
+ : "r" (val)
+ : "memory");
return (orig);
}
@@ -52,16 +54,7 @@ isc_atomic_xadd(isc_int32_t *p, int val) {
*/
static inline void
isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
- __asm__ volatile (
- "1:"
- "ll $3, %0\n"
- "add $3, $0, %1\n"
- "sc $3, %0\n"
- "beq $3, 0, 1b"
- :
- : "m"(*p), "r"(val)
- : "memory", "$3"
- );
+ *p = val;
}
/*
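Review bot: The plain `*p = val;` in isc_atomic_store drops the `"memory"` clobber that the removed asm carried, so the compiler is now free to reorder or combine this store with neighbouring accesses. An aligned 32-bit store is a single instruction, so the ll/sc loop was unnecessary. If callers use this store as a publication point, though, the ordering should stay explicit, e.g. `*(volatile isc_int32_t *)p = val;` followed by `__asm__ __volatile__("" : : : "memory");`. Whether a hardware `sync` is also required depends on the ordering contract of isc_atomic_store, which is not visible in this hunk.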
@@ -72,20 +65,23 @@ isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
static inline isc_int32_t
isc_atomic_cmpxchg(isc_int32_t *p, int cmpval, int val) {
isc_int32_t orig;
+ isc_int32_t tmp;
- __asm__ volatile(
- "1:"
- "ll $3, %1\n"
- "add %0, $0, $3\n"
- "bne $3, %2, 2f\n"
- "add $3, $0, %3\n"
- "sc $3, %1\n"
- "beq $3, 0, 1b\n"
- "2:"
- : "=&r"(orig)
- : "m"(*p), "r"(cmpval), "r"(val)
- : "memory", "$3"
- );
+ __asm__ __volatile__ (
+ " .set push \n"
+ " .set mips2 \n"
+ " .set noreorder \n"
+ " .set noat \n"
+ "1: ll $1, %1 \n"
+ " bne $1, %3, 2f \n"
+ " move %2, %4 \n"
+ " sc %2, %1 \n"
+ " beqz %2, 1b \n"
+ "2: move %0, $1 \n"
+ " .set pop \n"
+ : "=&r"(orig), "+R" (*p), "=r" (tmp)
+ : "r"(cmpval), "r"(val)
+ : "memory");
return (orig);
}
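Review bot: In isc_atomic_cmpxchg the scratch output `tmp` is declared `"=r"` without the early-clobber modifier, although it is written by `move %2, %4` and `sc %2, %1` while the inputs `%3` and `%4` are read again when `beqz %2, 1b` retries. Without `&` the compiler may place `tmp` in the same register as `cmpval` or `val`, and a failed `sc` would then leave 0 in that input, so the retry would compare against or store the wrong value. The output list should read `: "=&r"(orig), "+R" (*p), "=&r" (tmp)`. Whether a given compiler actually picks overlapping registers depends on allocation, so this may not show up in testing.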
diff --git a/lib/isc/unix/resource.c b/lib/isc/unix/resource.c
index 29596e2a..cfd3e618 100644
--- a/lib/isc/unix/resource.c
+++ b/lib/isc/unix/resource.c
@@ -29,6 +29,7 @@
#include <isc/util.h>
#ifdef __linux__
+#include <inttypes.h>
#include <linux/fs.h> /* To get the large NR_OPEN. */
#endif
diff --git a/lib/isccc/Makefile.in b/lib/isccc/Makefile.in
index efa83413..ce1d0155 100644
--- a/lib/isccc/Makefile.in
+++ b/lib/isccc/Makefile.in
@@ -36,7 +36,7 @@ ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
ISCCCDEPLIBS = libisccc.@A@
-LIBS = @LIBS@
+LIBS = @LIBS@ -L../../lib/isc
SUBDIRS = include
@@ -72,6 +72,7 @@ libisccc.la: ${OBJS}
${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccc.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${ISCLIBS} ${LIBS}
+ ln -sf .libs/libisccc.so .
timestamp: libisccc.@A@
touch timestamp
@@ -84,3 +85,4 @@ install:: timestamp installdirs
clean distclean::
rm -f libisccc.@A@ timestamp
+ rm -f libisccc.so
diff --git a/lib/isccfg/Makefile.in b/lib/isccfg/Makefile.in
index 19ec61ed..e0919787 100644
--- a/lib/isccfg/Makefile.in
+++ b/lib/isccfg/Makefile.in
@@ -38,7 +38,7 @@ ISCCFGLIBS = ../../lib/cfg/libisccfg.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
ISCCFGDEPLIBS = libisccfg.@A@
-LIBS = @LIBS@
+LIBS = @LIBS@ -L../dns -L../isc -L../isccc
SUBDIRS = include
diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c
index af565990..f7ad0004 100644
--- a/lib/isccfg/aclconf.c
+++ b/lib/isccfg/aclconf.c
@@ -247,6 +247,9 @@ count_acl_elements(const cfg_obj_t *caml, const cfg_obj_t *cctx,
} else if (cfg_obj_isstring(ce)) {
const char *name = cfg_obj_asstring(ce);
if (strcasecmp(name, "localhost") == 0 ||
+#ifdef SUPPORT_GEOIP
+ strncasecmp(name, "country_", 8) == 0 ||
+#endif
strcasecmp(name, "localnets") == 0) {
n++;
} else if (strcasecmp(name, "any") != 0 &&
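Review bot: The prefix test added to count_acl_elements (`strncasecmp(name, "country_", 8) == 0`, any length, case-insensitive) does not match the test the second hunk of this file uses when building the element (`strncmp("country_", name, 8)` plus `strlen(name) == 10`, case-sensitive). A name such as `country_list` or `COUNTRY_US` is therefore counted here as one simple element but is not treated as a country code later. It presumably falls through to the named-ACL path, whose nested elements this count then misses. Both places should use the same predicate, for example `(strncasecmp(name, "country_", 8) == 0 && strlen(name) == 10) ||` here and `strncasecmp` in the later branch. The function body continues outside the hunk.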
@@ -441,6 +444,14 @@ nested_acl:
de->negative = !neg;
} else
continue;
+#ifdef SUPPORT_GEOIP
+ } else if ((0 == (strncmp("country_", name, 8))) && (10 == strlen(name))) {
+ /* It is a country code */
+ de->type = dns_aclelementtype_ipcountry;
+ de->country[0] = name[8];
+ de->country[1] = name[9];
+ de->country[2] = '\0';
+#endif
} else if (strcasecmp(name, "localhost") == 0) {
de->type = dns_aclelementtype_localhost;
de->negative = neg;
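Review bot: The new `country_` branch never sets `de->negative`, unlike the `localhost` branch directly below it (`de->negative = neg;`), so unless the field is initialised outside this hunk a negated element such as `!country_XX` would not be stored as negated. I would add `de->negative = neg;` after `de->type = dns_aclelementtype_ipcountry;`. The two characters copied into `de->country` are also taken verbatim; checking them with `isalpha()` and normalising their case here would reject malformed codes at configuration time. The enclosing function starts and ends outside the hunk.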
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index f11e2938..452a2758 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -92,6 +92,7 @@ static cfg_type_t cfg_type_controls;
static cfg_type_t cfg_type_controls_sockaddr;
static cfg_type_t cfg_type_destinationlist;
static cfg_type_t cfg_type_dialuptype;
+static cfg_type_t cfg_type_dynamic_db;
static cfg_type_t cfg_type_ixfrdifftype;
static cfg_type_t cfg_type_key;
static cfg_type_t cfg_type_logfile;
@@ -897,6 +898,7 @@ namedconf_or_view_clauses[] = {
{ "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI },
/* only 1 DLZ per view allowed */
{ "dlz", &cfg_type_dynamically_loadable_zones, 0 },
+ { "dynamic-db", &cfg_type_dynamic_db, CFG_CLAUSEFLAG_MULTI },
{ "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI },
{ "trusted-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
{ "managed-keys", &cfg_type_managedkeys, CFG_CLAUSEFLAG_MULTI },
@@ -1420,6 +1422,8 @@ view_clauses[] = {
{ "max-clients-per-query", &cfg_type_uint32, 0 },
{ "max-ncache-ttl", &cfg_type_uint32, 0 },
{ "max-udp-size", &cfg_type_uint32, 0 },
+ { "min-cache-ttl", &cfg_type_uint32, 0 },
+ { "min-ncache-ttl", &cfg_type_uint32, 0 },
{ "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
{ "minimal-responses", &cfg_type_boolean, 0 },
{ "preferred-glue", &cfg_type_astring, 0 },
@@ -2045,6 +2049,40 @@ static cfg_type_t cfg_type_dialuptype = {
&cfg_rep_string, dialup_enums
};
+/*
+ * Dynamic database clauses.
+ */
+
+static cfg_clausedef_t
+dynamic_db_clauses[] = {
+ { "library", &cfg_type_qstring, 0 },
+ { "arg", &cfg_type_qstring, CFG_CLAUSEFLAG_MULTI },
+ { NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+dynamic_db_clausesets[] = {
+ dynamic_db_clauses,
+ NULL
+};
+
+static cfg_type_t cfg_type_dynamic_db_opts = {
+ "dynamically_loadable_zones_opts", cfg_parse_map,
+ cfg_print_map, cfg_doc_map, &cfg_rep_map,
+ dynamic_db_clausesets
+};
+
+static cfg_tuplefielddef_t dynamic_db_fields[] = {
+ { "name", &cfg_type_astring, 0 },
+ { "options", &cfg_type_dynamic_db_opts, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_dynamic_db = {
+ "dynamic_db", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, dynamic_db_fields
+};
+
static const char *notify_enums[] = { "explicit", "master-only", NULL };
static isc_result_t
parse_notify_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
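Review bot: `cfg_type_dynamic_db_opts` is given the type name `"dynamically_loadable_zones_opts"`, which looks copied from the DLZ definition; it should be `"dynamic_db_opts"` so that anything printing the type name identifies the right clause. The `library` clause accepts any quoted string, and since this merge also adds lib/dns/dynamic_db.c it presumably names a module that named loads. A comment on `dynamic_db_clauses` should say where that path is validated, e.g. `/* "library" names a loadable module; path and permissions are checked by the loader, not by the parser */`, once that is confirmed. parse_notify_type at the end of the hunk is context only and continues outside it.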