-rw-r--r-- CHANGES 7
-rw-r--r-- README 2
-rw-r--r-- RELEASE-NOTES-BIND-9.8.1.html 368
-rw-r--r-- RELEASE-NOTES-BIND-9.8.1.pdf bin 0 -> 62760 bytes
-rw-r--r-- RELEASE-NOTES-BIND-9.8.1.txt 268
-rw-r--r-- release-notes.css 60
-rw-r--r-- version 6
-rw-r--r-- win32utils/readme1st.txt 318
-rw-r--r-- win32utils/win32-build.txt 302
9 files changed, 1017 insertions, 314 deletions
diff --git a/CHANGES b/CHANGES
index 9135d200..3e48dd63 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+ --- 9.8.1 released ---
+
--- 9.8.1rc1 released ---
3141. [bug] Silence spurious "zone serial (0) unchanged" messages
@@ -10,6 +12,11 @@
empty zones switched on by the 'empty-zones-enable'
option. [RT #24990]
+ Note: empty-zones-enable must be "yes;" or a empty
+ zone needs to be disabled in named.conf for RFC 1918
+ zones to be activated. This requirement may be
+ removed in future releases.
+
3135. [port] FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
See http://www.freebsd.org/cgi/query-pr.cgi?pr=158307
[RT #24950]
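Review bot: In the added Note, 'empty-zones-enable must be "yes;" or a empty zone needs to be disabled in named.conf' is ambiguous about what an operator has to write: say that the option has to be set explicitly (if that is the intent) and name the statement used to disable an empty zone, since without one of them the RFC 1918 zones stay inactive. Also 'a empty' should read 'an empty'. The Feature Changes entry for RT #24990 in the release notes added by this commit says the zones are 'now part of the built-in list of empty zones' with no such condition, so the caveat should be carried there too.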
diff --git a/README b/README
index 97e0be21..708def9d 100644
--- a/README
+++ b/README
@@ -48,7 +48,7 @@ BIND 9
For a detailed list of user-visible changes from
previous releases, see the CHANGES file.
-BIND 9.8.1b1
+BIND 9.8.1
BIND 9.8.1 includes a number of bug fixes and enhancements from
BIND 9.8 and earlier releases. New features include:
diff --git a/RELEASE-NOTES-BIND-9.8.1.html b/RELEASE-NOTES-BIND-9.8.1.html
new file mode 100644
index 00000000..c4deae43
--- /dev/null
+++ b/RELEASE-NOTES-BIND-9.8.1.html
@@ -0,0 +1,368 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title></title><link rel="stylesheet" href="release-notes.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article" lang="en"><div class="titlepage"><hr></div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3359008"></a>Introduction</h2></div></div></div>
+
+ <p>
+ BIND 9.8.1 is the current production release of BIND 9.8.
+ </p>
+ <p>
+ This document summarizes changes from BIND 9.8.0 to BIND 9.8.1.
+ Please see the CHANGES file in the source code release for a
+ complete list of all changes.
+ </p>
+ </div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3359050"></a>Download</h2></div></div></div>
+
+ <p>
+ The latest versions of BIND 9 software can always be found
+ on our web site at
+ <a href="http://www.isc.org/downloads/all" target="_top">http://www.isc.org/downloads/all</a>.
+ There you will find additional information about each
+ release, source code, and some pre-compiled versions for certain operating systems.
+ </p>
+ </div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2545549"></a>Support</h2></div></div></div>
+
+ <p>Product support information is available on
+ <a href="http://www.isc.org/services/support" target="_top">http://www.isc.org/services/support</a>
+ for paid support options. Free support is provided by our user
+ community via a mailing list. Information on all public email
+ lists is available at
+ <a href="https://lists.isc.org/mailman/listinfo" target="_top">https://lists.isc.org/mailman/listinfo</a>.
+ </p>
+ </div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3358108"></a>New Features</h2></div></div></div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3358149"></a>9.8.1</h3></div></div></div>
+
+ <div class="itemizedlist"><ul type="disc"><li>
+Added a new include file with function typedefs
+for the DLZ "dlopen" driver. [RT #23629]
+</li><li>
+Added a tool able to generate malformed packets to allow testing
+of how named handles them.
+[RT #24096]
+</li><li>
+The root key is now provided in the file bind.keys allowing DNSSEC validation to be switched on at start up by adding "dnssec-validation auto;" to named.conf. If the root key provided has expired, named will log the expiration and validation will not work. More information and the most current copy of bind.keys can be found at http://www.isc.org/bind-keys. *Please note this feature was actually added in 9.8.0 but was not included in the 9.8.0 release notes. [RT #21727]
+</li></ul></div>
+ </div>
+ </div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3358206"></a>Security Fixes</h2></div></div></div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3358226"></a>9.8.1</h3></div></div></div>
+
+ <div class="itemizedlist"><ul type="disc"><li>
+If named is configured with a response policy zone (RPZ) and a query
+of type RRSIG is received for a name configured for RRset replacement
+in that RPZ, it will trigger an INSIST and crash the server.
+RRSIG. [RT #24280]
+</li><li>
+named, set up to be a caching resolver, is vulnerable to a
+user querying a domain with very large resource record sets (RRSets)
+when trying to negatively cache the response. Due to an off-by-one
+error, caching the response could cause named to crash. [RT #24650]
+[CVE-2011-1910]
+</li><li>
+Using Response Policy Zone (RPZ) to query a wildcard CNAME label with
+QUERY type SIG/RRSIG, it can cause named to crash. Fix is query type
+independant.
+[RT #24715]
+</li><li>
+Using Response Policy Zone (RPZ) with DNAME records and querying the
+subdomain of that label can cause named to crash. Now logs that DNAME
+is not supported.
+[RT #24766]
+</li><li>
+Change #2912 populated the message section in replies to UPDATE requests,
+which some Windows clients wanted. This exposed a latent bug that allowed
+the response message to crash named. With this fix, change 2912 has been
+reduced to copy only the zone section to the reply. A more complete fix
+for the latent bug will be released later.
+[RT #24777]
+</li></ul></div>
+ </div>
+ </div>
+
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3358283"></a>Feature Changes</h2></div></div></div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3358291"></a>9.8.1</h3></div></div></div>
+
+ <div class="itemizedlist"><ul type="disc"><li>
+Merged in the NetBSD ATF test framework (currently
+version 0.12) for development of future unit tests.
+Use configure --with-atf to build ATF internally
+or configure --with-atf=prefix to use an external
+copy. [RT #23209]
+</li><li>
+Added more verbose error reporting from DLZ LDAP. [RT #23402]
+</li><li>
+The DLZ "dlopen" driver is now built by default,
+no longer requiring a configure option. To
+disable it, use "configure --without-dlopen".
+(Note: driver not supported on win32.) [RT #23467]
+</li><li>
+Replaced compile time constant with STDTIME_ON_32BITS.
+[RT #23587]
+</li><li>
+Make --with-gssapi default for ./configure. [RT #23738]
+</li><li>
+Improved the startup time for an authoritative server with a large
+number of zones by making the zone task table of variable size
+rather than fixed size. This means that authoritative servers with
+lots of zones will be serving that zone data much sooner. [RT #24406]
+</li><li>
+Per RFC 6303, RFC 1918 reverse zones are now part of the built-in list of empty zones. [RT #24990]
+</li></ul></div>
+ </div>
+ </div>
+ <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3358460"></a>Bug Fixes</h2></div></div></div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id3358468"></a>9.8.1</h3></div></div></div>
+
+ <div class="itemizedlist"><ul type="disc"><li>
+During RFC5011 processing some journal write errors were not detected.
+This could lead to managed-keys changes being committed but not
+recorded in the journal files, causing potential inconsistencies
+during later processing. [RT #20256]
+</li><li>
+A potential NULL pointer deference in the DNS64 code could cause
+named to terminate unexpectedly. [RT #20256]
+</li><li>
+A state variable relating to DNSSEC could fail to be set during
+some infrequently-executed code paths, allowing it to be used whilst
+in an unitialized state during cache updates, with unpredictable results.
+[RT #20256]
+</li><li>
+A potential NULL pointer deference in DNSSEC signing code could
+cause named to terminate unexpectedly [RT #20256]
+</li><li>
+Several cosmetic code changes were made to silence warnings
+generated by a static code analysis tool. [RT #20256]
+</li><li>
+When using the -x (sign with only KSK) option on dnssec-signzone,
+it could incorrectly count the number of ZSKs in the zone. (And in 9.9.0,
+some code cleanup and improved warning messages). [RT #20852]
+</li><li>
+When using _builtin in named.conf, named.conf changes were not found
+when reloading the config file. Now checks _builtin zone arguments
+to see if the zone is re-usable or not. [RT #21914]
+</li><li>
+Running dnssec-settime -f on an old-style key will
+now force the key to be rewritten to the new key format even if no
+other change has been specified, using "-P now -A now"
+as default values. [RT #22474]
+</li><li>
+After an external code review, a code cleanup was done. [RT #22521]
+</li><li>
+Cause named to terminate at startup or rndc reconfig
+reload to fail, if a log file specified in the
+conf file isn't a plain file. (RT #22771]
+</li><li>
+named now forces the ADB cache time for glue related data to zero
+instead of relying on TTL. This corrects problematic behavior in cases
+where a server was authoritative for the A record of a nameserver for a
+delegated zone and was queried to recursively resolve records within
+that zone. [RT #22842]
+</li><li>
+When a validating resolver got a NODATA response for DNSKEY, it was
+not caching the NODATA. Fixed and test added. [RT #22908]
+</li><li>
+Fixed a bug in which zone keys that were published
+and but not immediately activated, automatic signing could fail to trigger.
+[RT #22911]
+</li><li>
+Fixed precedence order bug with NS and DNAME records if both are present.
+(Also fixed timing of autosign test in 9.7+) [RT #23035]
+</li><li>
+When a DNSSEC signed dynamic zone's signatures need to be refreshed,
+named would first delete the old signatures in the zone. If a private
+key of the same algorithm isn't available to named, the signing would
+fail but the old signatures would already be deleted. named now checks
+if it can access the private key before deleting the old signatures and
+leaves the old signature if no private key is found. [RT #23136]
+</li><li>
+When using "auto-dnssec maintain" and rolling to a new key, a
+private-type record (only used internally by named) could be created
+and not marked as complete. [RT #23253]
+</li><li>
+Fixed last autosign test report. [RT #23256]
+</li><li>
+named didn't save gid at startup and later assumed gid 0.
+named now saves/restores the gid when creating creating
+named.pid at startup. [RT #23290]
+</li><li>
+If the server has an IPv6 address but does not have IPv6 connectivity
+to the internet, dig +trace could fail attempting to use IPv6
+addresses. [RT #23297]
+</li><li>
+If named is configured with managed zones, the managed key maint timer
+can exercise a race condition that can crash the server.
+[RT #23303]
+</li><li>
+Changing TTL did not cause dnssec-signzone to generate new signatures.
+[RT #23330]
+</li><li>
+Have the validating resolver use RRSIG original TTL to compute
+validated RRset and RRSIG TTL. [RT #23332]
+</li><li>
+In "make test" bin/tests/resolver, hold the socket manager lock
+while freeing the socket.
+[RT #23333]
+</li><li>
+If named encountered a CNAME instead of a DS record when walking
+the chain of trust down from the trust anchor, it incorrectly stopped
+validating. [RT #23338]
+</li><li>
+dns/view.h needed dns/rpz.h but it wasn't in the Makfile.in
+HEADERS variable. [RT #23342]
+</li><li>
+RRSIG records could have time stamps too far in the future.
+[RT #23356]
+</li><li>
+named stores cached data in an in-memory database and keeps track of
+how recently the data is used with a heap. The heap is stored within the
+cache's memory space. Under a sustained high query load and with a small
+cache size, this could lead to the heap exhausting the cache space. This
+would result in cache misses and SERVFAILs, with named never releasing
+the cache memory the heap used up and never recovering.
+
+This fix removes the heap into its own memory space, preventing the heap
+from exhausting the cache space and allowing named to recover gracefully
+when the high query load abates. [RT #23371]
+</li><li>
+Fully separated key management on a per view basis. [RT #23419]
+</li><li>
+If running on a powerpc CPU and with atomic operations enabled,
+named could lock up. Added sync instructions to the end of atomic
+operations. [RT #23469]
+</li><li>
+If OpenSSL was built without engine support, named would have
+compile errors and fail to build.
+[RT #23473]
+</li><li>
+If ./configure finds GOST but not elliptic curve, named fails to
+build. Added elliptic curve support check in GOST OpenSSL engine
+detection. [RT #23485]
+</li><li>
+"rndc secroots" would abort on the first error
+and so could miss remaining views. [RT #23488]
+</li><li>
+Handle isc_event_allocate failures in t_tasks test.
+[RT #23572]
+</li><li>
+ixfr-from-differences {master|slave};
+failed to select the master/slave zones, resulting in on diff/journal
+file being created.
+[RT #23580]
+</li><li>
+If a DNAME substitution failed, named returned NOERROR. The correct
+response should be YXDOMAIN.
+[RT #23591]
+</li><li>
+dns_dnssec_findzonekeys{2} used a inconsistant
+timestamp when determining which keys are active. This could result in
+some RRsets not being signed/re-signed.
+[RT #23642]
+</li><li>
+Remove bin/tests/system/logfileconfig/ns1/named.conf and
+add setup.sh in order to resolve changing named.conf issue. [RT #23687]
+</li><li>
+NOTIFY messages were not being sent when generating
+a NSEC3 chain incrementally. [RT #23702]
+</li><li>
+DDNS updates using SIG(0) with update-policy match
+type "external" could cause a crash. Also fixed nsupdate core
+dump on shutdown when using a SIG(0) key, due to the key
+not being freed. [RT #23735]
+</li><li>
+Zones using automatic key maintenance could fail to check the key
+repository for updates. named now checks once per hour and the
+automatic check bug has been fixed. [RT #23744]
+</li><li>
+named now uses the correct strtok/strtok_r/strtok_s based on OS.
+[RT #23747]
+</li><li>
+Signatures for records at the zone apex could go
+stale due to an incorrect timer setting. [RT #23769]
+</li><li>
+The autosign tests attempted to open ports within reserved ranges. Test
+now avoids those ports.
+[RT #23957]
+</li><li>
+GSS TGIS test was failing, since log_cred() caused KRB5_KTNAME to
+be cached. Now sets KRB5_KTNAME before calling log_cred() in
+dst_gssapi_acceptctx(). [RT #24004]
+</li><li>
+named, acting as authoritative server for DLZ zones, was not correctly
+setting the authoritative (AA) bit.
+[RT #24146]
+</li><li>
+Clean up some cross-compiling issues and added two undocumented
+configure options, --with-gost and --with-rlimtype, to allow over-riding
+default settings (gost=no and rlimtype="long int") when cross-compiling.
+[RT #24367]
+</li><li>
+When trying sign with NSEC3, if dnssec-signzone couldn't find the
+KSK, it would give an incorrect error "NSEC3 iterations too big for
+weakest DNSKEY strength" rather than the correct "failed to find
+keys at the zone apex: not found" [RT #24369]
+</li><li>
+Configuring 'dnssec-validation auto' in a view instead of in the
+options statement could trigger an assertion failure in named-checkconf.
+[RT #24382]
+</li><li>
+Improved consistency checks for dnssec-enable and
+dnssec-validation, added test cases to the
+checkconf system test. [RT #24398]
+</li><li>
+If named is configured to be both authoritative and recursive and receives
+a recursive query for a CNAME in a zone that it is authoritative for, if that
+CNAME also points to a zone the server is authoritative for, the recursive part of name will not follow the CNAME change and the response will not be a
+complete CNAME chain. [RT #24455]
+</li><li>
+nsupdate could dump core on shutdown when using SIG(0) keys. [RT #24604]
+</li><li>
+Named could fail to validate zones list in a DLV that validated insecure
+without using DLV and had DS records in the parent zone. [RT #24631]
+</li><li>
+dnssec-signzone now records timestamps just before and just after signing, improving the accuracy of signing statistics. [RT #16030]
+</li><li>
+If allow-new-zones was set to yes and name-based ACLs were used, named could crash when "rndc reconfig" was issued. [RT #22739]
+</li><li>
+RT #23136 fixed a problem where named would delete old signatures even
+when the private key wasn't available to re-sign the zone, resulting in
+a zone with missing signatures. This fix (CHANGES 3114) did not
+completely fix all issues. [RT #24577]
+</li><li>
+A bug in FreeBSD kernels causes IPv6 UDP responses greater than
+1280 bytes to not fragment as they should. Until there is a kernel
+fix, named will work around this by setting IPV6_USE_MIN_MTU on a
+per packet basis. [RT #24950]
+</li></ul></div>
+ </div>
+ </div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3359134"></a>Known issues in this release</h2></div></div></div>
+
+ <div class="itemizedlist"><ul type="disc"><li>
+ <p>
+ None.
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id3359152"></a>Thank You</h2></div></div></div>
+
+ <p>
+ Thank you to everyone who assisted us in making this release possible.
+ If you would like to contribute to ISC to assist us in continuing to make
+ quality open source software, please visit our donations page at
+ <a href="http://www.isc.org/supportisc" target="_top">http://www.isc.org/supportisc</a>.
+ </p>
+ </div>
+</div></body></html>
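Review bot: In the Security Fixes list, the first item (RT #24280) ends with a stray 'RRSIG.' fragment after its sentence, and only the RT #24650 item carries a CVE identifier although the other four also describe ways to crash named; drop the fragment and add identifiers where they were assigned so operators can match these entries against advisories. In Bug Fixes, '(RT #22771]' opens with a parenthesis, 'resulting in on diff/journal file being created' (RT #23580) reads as if 'on' should be 'no', and RT #20256 is cited for five unrelated items. Spelling to fix: 'independant', 'deference' (twice, for dereference), 'unitialized', 'creating creating', 'Makfile.in', 'a inconsistant'. The title element in the head is empty.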
diff --git a/RELEASE-NOTES-BIND-9.8.1.pdf b/RELEASE-NOTES-BIND-9.8.1.pdf
new file mode 100644
index 00000000..b2b5de5d
--- /dev/null
+++ b/RELEASE-NOTES-BIND-9.8.1.pdf
Binary files differ
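Review bot: RELEASE-NOTES-BIND-9.8.1.pdf is added as a 62760-byte binary, so nothing in this diff shows that its content matches the .html and .txt versions added alongside it. If it is generated from the same DocBook source as the HTML, consider producing it at release time instead of committing it, or record in the commit how it was generated.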
diff --git a/RELEASE-NOTES-BIND-9.8.1.txt b/RELEASE-NOTES-BIND-9.8.1.txt
new file mode 100644
index 00000000..3fdb9b0a
--- /dev/null
+++ b/RELEASE-NOTES-BIND-9.8.1.txt
@@ -0,0 +1,268 @@
+ __________________________________________________________________
+
+Introduction
+
+ BIND 9.8.1 is the current production release of BIND 9.8.
+
+ This document summarizes changes from BIND 9.8.0 to BIND 9.8.1. Please
+ see the CHANGES file in the source code release for a complete list of
+ all changes.
+
+Download
+
+ The latest versions of BIND 9 software can always be found on our web
+ site at http://www.isc.org/downloads/all. There you will find
+ additional information about each release, source code, and some
+ pre-compiled versions for certain operating systems.
+
+Support
+
+ Product support information is available on
+ http://www.isc.org/services/support for paid support options. Free
+ support is provided by our user community via a mailing list.
+ Information on all public email lists is available at
+ https://lists.isc.org/mailman/listinfo.
+
+New Features
+
+9.8.1
+
+ * Added a new include file with function typedefs for the DLZ
+ "dlopen" driver. [RT #23629]
+ * Added a tool able to generate malformed packets to allow testing of
+ how named handles them. [RT #24096]
+ * The root key is now provided in the file bind.keys allowing DNSSEC
+ validation to be switched on at start up by adding
+ "dnssec-validation auto;" to named.conf. If the root key provided
+ has expired, named will log the expiration and validation will not
+ work. More information and the most current copy of bind.keys can
+ be found at http://www.isc.org/bind-keys. *Please note this feature
+ was actually added in 9.8.0 but was not included in the 9.8.0
+ release notes. [RT #21727]
+
+Security Fixes
+
+9.8.1
+
+ * If named is configured with a response policy zone (RPZ) and a
+ query of type RRSIG is received for a name configured for RRset
+ replacement in that RPZ, it will trigger an INSIST and crash the
+ server. RRSIG. [RT #24280]
+ * named, set up to be a caching resolver, is vulnerable to a user
+ querying a domain with very large resource record sets (RRSets)
+ when trying to negatively cache the response. Due to an off-by-one
+ error, caching the response could cause named to crash. [RT #24650]
+ [CVE-2011-1910]
+ * Using Response Policy Zone (RPZ) to query a wildcard CNAME label
+ with QUERY type SIG/RRSIG, it can cause named to crash. Fix is
+ query type independant. [RT #24715]
+ * Using Response Policy Zone (RPZ) with DNAME records and querying
+ the subdomain of that label can cause named to crash. Now logs that
+ DNAME is not supported. [RT #24766]
+ * Change #2912 populated the message section in replies to UPDATE
+ requests, which some Windows clients wanted. This exposed a latent
+ bug that allowed the response message to crash named. With this
+ fix, change 2912 has been reduced to copy only the zone section to
+ the reply. A more complete fix for the latent bug will be released
+ later. [RT #24777]
+
+Feature Changes
+
+9.8.1
+
+ * Merged in the NetBSD ATF test framework (currently version 0.12)
+ for development of future unit tests. Use configure --with-atf to
+ build ATF internally or configure --with-atf=prefix to use an
+ external copy. [RT #23209]
+ * Added more verbose error reporting from DLZ LDAP. [RT #23402]
+ * The DLZ "dlopen" driver is now built by default, no longer
+ requiring a configure option. To disable it, use "configure
+ --without-dlopen". (Note: driver not supported on win32.) [RT
+ #23467]
+ * Replaced compile time constant with STDTIME_ON_32BITS. [RT #23587]
+ * Make --with-gssapi default for ./configure. [RT #23738]
+ * Improved the startup time for an authoritative server with a large
+ number of zones by making the zone task table of variable size
+ rather than fixed size. This means that authoritative servers with
+ lots of zones will be serving that zone data much sooner. [RT
+ #24406]
+ * Per RFC 6303, RFC 1918 reverse zones are now part of the built-in
+ list of empty zones. [RT #24990]
+
+Bug Fixes
+
+9.8.1
+
+ * During RFC5011 processing some journal write errors were not
+ detected. This could lead to managed-keys changes being committed
+ but not recorded in the journal files, causing potential
+ inconsistencies during later processing. [RT #20256]
+ * A potential NULL pointer deference in the DNS64 code could cause
+ named to terminate unexpectedly. [RT #20256]
+ * A state variable relating to DNSSEC could fail to be set during
+ some infrequently-executed code paths, allowing it to be used
+ whilst in an unitialized state during cache updates, with
+ unpredictable results. [RT #20256]
+ * A potential NULL pointer deference in DNSSEC signing code could
+ cause named to terminate unexpectedly [RT #20256]
+ * Several cosmetic code changes were made to silence warnings
+ generated by a static code analysis tool. [RT #20256]
+ * When using the -x (sign with only KSK) option on dnssec-signzone,
+ it could incorrectly count the number of ZSKs in the zone. (And in
+ 9.9.0, some code cleanup and improved warning messages). [RT
+ #20852]
+ * When using _builtin in named.conf, named.conf changes were not
+ found when reloading the config file. Now checks _builtin zone
+ arguments to see if the zone is re-usable or not. [RT #21914]
+ * Running dnssec-settime -f on an old-style key will now force the
+ key to be rewritten to the new key format even if no other change
+ has been specified, using "-P now -A now" as default values. [RT
+ #22474]
+ * After an external code review, a code cleanup was done. [RT #22521]
+ * Cause named to terminate at startup or rndc reconfig reload to
+ fail, if a log file specified in the conf file isn't a plain file.
+ (RT #22771]
+ * named now forces the ADB cache time for glue related data to zero
+ instead of relying on TTL. This corrects problematic behavior in
+ cases where a server was authoritative for the A record of a
+ nameserver for a delegated zone and was queried to recursively
+ resolve records within that zone. [RT #22842]
+ * When a validating resolver got a NODATA response for DNSKEY, it was
+ not caching the NODATA. Fixed and test added. [RT #22908]
+ * Fixed a bug in which zone keys that were published and but not
+ immediately activated, automatic signing could fail to trigger. [RT
+ #22911]
+ * Fixed precedence order bug with NS and DNAME records if both are
+ present. (Also fixed timing of autosign test in 9.7+) [RT #23035]
+ * When a DNSSEC signed dynamic zone's signatures need to be
+ refreshed, named would first delete the old signatures in the zone.
+ If a private key of the same algorithm isn't available to named,
+ the signing would fail but the old signatures would already be
+ deleted. named now checks if it can access the private key before
+ deleting the old signatures and leaves the old signature if no
+ private key is found. [RT #23136]
+ * When using "auto-dnssec maintain" and rolling to a new key, a
+ private-type record (only used internally by named) could be
+ created and not marked as complete. [RT #23253]
+ * Fixed last autosign test report. [RT #23256]
+ * named didn't save gid at startup and later assumed gid 0. named now
+ saves/restores the gid when creating creating named.pid at startup.
+ [RT #23290]
+ * If the server has an IPv6 address but does not have IPv6
+ connectivity to the internet, dig +trace could fail attempting to
+ use IPv6 addresses. [RT #23297]
+ * If named is configured with managed zones, the managed key maint
+ timer can exercise a race condition that can crash the server. [RT
+ #23303]
+ * Changing TTL did not cause dnssec-signzone to generate new
+ signatures. [RT #23330]
+ * Have the validating resolver use RRSIG original TTL to compute
+ validated RRset and RRSIG TTL. [RT #23332]
+ * In "make test" bin/tests/resolver, hold the socket manager lock
+ while freeing the socket. [RT #23333]
+ * If named encountered a CNAME instead of a DS record when walking
+ the chain of trust down from the trust anchor, it incorrectly
+ stopped validating. [RT #23338]
+ * dns/view.h needed dns/rpz.h but it wasn't in the Makfile.in HEADERS
+ variable. [RT #23342]
+ * RRSIG records could have time stamps too far in the future. [RT
+ #23356]
+ * named stores cached data in an in-memory database and keeps track
+ of how recently the data is used with a heap. The heap is stored
+ within the cache's memory space. Under a sustained high query load
+ and with a small cache size, this could lead to the heap exhausting
+ the cache space. This would result in cache misses and SERVFAILs,
+ with named never releasing the cache memory the heap used up and
+ never recovering. This fix removes the heap into its own memory
+ space, preventing the heap from exhausting the cache space and
+ allowing named to recover gracefully when the high query load
+ abates. [RT #23371]
+ * Fully separated key management on a per view basis. [RT #23419]
+ * If running on a powerpc CPU and with atomic operations enabled,
+ named could lock up. Added sync instructions to the end of atomic
+ operations. [RT #23469]
+ * If OpenSSL was built without engine support, named would have
+ compile errors and fail to build. [RT #23473]
+ * If ./configure finds GOST but not elliptic curve, named fails to
+ build. Added elliptic curve support check in GOST OpenSSL engine
+ detection. [RT #23485]
+ * "rndc secroots" would abort on the first error and so could miss
+ remaining views. [RT #23488]
+ * Handle isc_event_allocate failures in t_tasks test. [RT #23572]
+ * ixfr-from-differences {master|slave}; failed to select the
+ master/slave zones, resulting in on diff/journal file being
+ created. [RT #23580]
+ * If a DNAME substitution failed, named returned NOERROR. The correct
+ response should be YXDOMAIN. [RT #23591]
+ * dns_dnssec_findzonekeys{2} used a inconsistant timestamp when
+ determining which keys are active. This could result in some RRsets
+ not being signed/re-signed. [RT #23642]
+ * Remove bin/tests/system/logfileconfig/ns1/named.conf and add
+ setup.sh in order to resolve changing named.conf issue. [RT #23687]
+ * NOTIFY messages were not being sent when generating a NSEC3 chain
+ incrementally. [RT #23702]
+ * DDNS updates using SIG(0) with update-policy match type "external"
+ could cause a crash. Also fixed nsupdate core dump on shutdown when
+ using a SIG(0) key, due to the key not being freed. [RT #23735]
+ * Zones using automatic key maintenance could fail to check the key
+ repository for updates. named now checks once per hour and the
+ automatic check bug has been fixed. [RT #23744]
+ * named now uses the correct strtok/strtok_r/strtok_s based on OS.
+ [RT #23747]
+ * Signatures for records at the zone apex could go stale due to an
+ incorrect timer setting. [RT #23769]
+ * The autosign tests attempted to open ports within reserved ranges.
+ Test now avoids those ports. [RT #23957]
+ * GSS TGIS test was failing, since log_cred() caused KRB5_KTNAME to
+ be cached. Now sets KRB5_KTNAME before calling log_cred() in
+ dst_gssapi_acceptctx(). [RT #24004]
+ * named, acting as authoritative server for DLZ zones, was not
+ correctly setting the authoritative (AA) bit. [RT #24146]
+ * Clean up some cross-compiling issues and added two undocumented
+ configure options, --with-gost and --with-rlimtype, to allow
+ over-riding default settings (gost=no and rlimtype="long int") when
+ cross-compiling. [RT #24367]
+ * When trying sign with NSEC3, if dnssec-signzone couldn't find the
+ KSK, it would give an incorrect error "NSEC3 iterations too big for
+ weakest DNSKEY strength" rather than the correct "failed to find
+ keys at the zone apex: not found" [RT #24369]
+ * Configuring 'dnssec-validation auto' in a view instead of in the
+ options statement could trigger an assertion failure in
+ named-checkconf. [RT #24382]
+ * Improved consistency checks for dnssec-enable and
+ dnssec-validation, added test cases to the checkconf system test.
+ [RT #24398]
+ * If named is configured to be both authoritative and recursive and
+ receives a recursive query for a CNAME in a zone that it is
+ authoritative for, if that CNAME also points to a zone the server
+ is authoritative for, the recursive part of name will not follow
+ the CNAME change and the response will not be a complete CNAME
+ chain. [RT #24455]
+ * nsupdate could dump core on shutdown when using SIG(0) keys. [RT
+ #24604]
+ * Named could fail to validate zones list in a DLV that validated
+ insecure without using DLV and had DS records in the parent zone.
+ [RT #24631]
+ * dnssec-signzone now records timestamps just before and just after
+ signing, improving the accuracy of signing statistics. [RT #16030]
+ * If allow-new-zones was set to yes and name-based ACLs were used,
+ named could crash when "rndc reconfig" was issued. [RT #22739]
+ * RT #23136 fixed a problem where named would delete old signatures
+ even when the private key wasn't available to re-sign the zone,
+ resulting in a zone with missing signatures. This fix (CHANGES
+ 3114) did not completely fix all issues. [RT #24577]
+ * A bug in FreeBSD kernels causes IPv6 UDP responses greater than
+ 1280 bytes to not fragment as they should. Until there is a kernel
+ fix, named will work around this by setting IPV6_USE_MIN_MTU on a
+ per packet basis. [RT #24950]
+
+Known issues in this release
+
+ * None.
+
+Thank You
+
+ Thank you to everyone who assisted us in making this release possible.
+ If you would like to contribute to ISC to assist us in continuing to
+ make quality open source software, please visit our donations page at
+ http://www.isc.org/supportisc.
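Review bot: The RT #24577 entry ends with "This fix (CHANGES 3114) did not completely fix all issues." and never says what 9.8.1 changes, so it reads as an open problem even though the next section lists known issues as "None."; reword it to state what this release corrects. Three wording slips in the same list are worth fixing at the source of the notes, since the same text presumably feeds the .html and .pdf added by this commit: "When trying sign with NSEC3" (missing "to"), "the recursive part of name will not follow" (should be "named"), and "validate zones list in a DLV" (should be "listed").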
diff --git a/release-notes.css b/release-notes.css
new file mode 100644
index 00000000..3add5055
--- /dev/null
+++ b/release-notes.css
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2010, 2011 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: release-notes.css,v 1.1.38.2 2011-08-24 01:53:51 marka Exp $ */
+
+body {
+ background-color: #ffffff;
+ color: #333333;
+ font-family: "Helvetica Neue", "ArialMT", "Verdana", "Arial", "Helvetica", sans-serif;
+ font-size: 14px;
+ line-height: 18px;
+ margin: 2em auto;
+ width: 700px;
+}
+
+.command {
+ font-family: "Courier New", "Courier", monospace;
+ font-weight: normal;
+}
+
+.note {
+ background-color: #ddeedd;
+ border: 1px solid #aaccaa;
+ margin: 1em 0 1em 0;
+ padding: 0.5em 1em 0.5em 1em;
+ -moz-border-radius: 10px;
+ -webkit-border-radius: 10px;
+}
+
+.screen {
+ background-color: #ffffee;
+ border: 1px solid #ddddaa;
+ padding: 0.25em 1em 0.25em 1em;
+ margin: 1em 0 1em 0;
+ -moz-border-radius: 10px;
+ -webkit-border-radius: 10px;
+}
+
+.section.title {
+ font-size: 150%;
+ font-weight: bold;
+}
+
+.section.section.title {
+ font-size: 130%;
+ font-weight: bold;
+}
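Review bot: The last two rules use ".section.title" and ".section.section.title", which are compound selectors: each matches a single element carrying both classes, and the repeated ".section" only raises specificity, so both target the same elements and the 130% rule always wins. In the RELEASE-NOTES-BIND-9.8.1.html added by this commit the heading is an h2 with class "title" nested inside a div with class "section", which neither rule matches. Descendant selectors look like what was intended: ".section .title" for top-level headings and ".section .section .title" for nested ones. Separately, ".note" and ".screen" set only -moz-border-radius and -webkit-border-radius; add the unprefixed border-radius after them.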
diff --git a/version b/version
index bf870895..ede0ba05 100644
--- a/version
+++ b/version
@@ -1,4 +1,4 @@
-# $Id: version,v 1.53.8.8 2011-08-09 04:05:24 marka Exp $
+# $Id: version,v 1.53.8.9 2011-08-24 02:08:26 marka Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
@@ -6,5 +6,5 @@
MAJORVER=9
MINORVER=8
PATCHVER=1
-RELEASETYPE=rc
-RELEASEVER=1
+RELEASETYPE=
+RELEASEVER=
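Review bot: RELEASETYPE and RELEASEVER are now assigned empty values, and nothing in the file says that empty means a final release. Because the header states the file is imported directly via configure under /bin/sh rules, a one-line comment above these two assignments saying that both stay empty for a final release would keep the next release engineer from deleting the lines or putting a placeholder value there.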
diff --git a/win32utils/readme1st.txt b/win32utils/readme1st.txt
index 538c5bf2..1e401907 100644
--- a/win32utils/readme1st.txt
+++ b/win32utils/readme1st.txt
@@ -1,159 +1,159 @@
-Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2001, 2003 Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-$Id: readme1st.txt,v 1.24 2009-09-01 06:51:47 marka Exp $
-
- Release of BIND 9.7 for Windows and later.
-
-This is a release of BIND 9.7 for Windows XP and later.
-
- Important Kit Installation Information
-
-As of release 9.3.0, BINDInstall requires that you install it under
-a account with restricted privileges. The installer will prompt
-you for an account name, the default is "named", and a password for
-that account. It will also check for the existence of that account.
-If it does not exist is will create it with only the privileges
-required to run BIND. If the account does exist it will check that
-it has only the one privilege required: "Log on as a service". If
-it has too many privileges it will prompt you if you want to continue.
-
-With BIND running under an account name it is necessary for all
-files and directories that BIND uses to have permissions set up for
-the named account if the files are on an NTFS disk. BIND requires
-that the account have read and write access to the directory for
-the pid file, any files that are maintained either for slave zones
-or for master zones supporting dynamic updates. The account will
-also need read access to the named.conf and any other file that it
-needs to read.
-
-"NT AUTHORITY\LocalService" is also an acceptable account. This
-account is built into Windows and no password is required. Appropriate
-file permissions will also need to be set for "NT AUTHORITY\LocalService"
-similar to those that would have been required for the "named" account.
-
-It is important that on Windows the directory directive is used in
-the options section to tell BIND where to find the files used in
-named.conf (default %WINDOWS%\system32\dns\etc\named.conf).
-
-e.g.
- options {
- directory "C:\WINDOWS\system32\dns\etc";
- };
-
-If you have previously installed BIND 8 or BIND 4 on the system
-that you wish to install this kit, you MUST use the BIND 8 or BIND
-4 installer to uninstall the previous kit. For BIND 8.2.x, you can
-use the BINDInstall that comes with the BIND 8 kit to uninstall it.
-The BIND 9 installer will NOT uninstall the BIND 8 binaries. That
-will be fixed in a future release.
-
-Unpack the kit into any convenient directory and run the BINDInstall
-program. This will install the named and associated programs into
-the correct directories and set up the required registry keys.
-
-Messages are logged to the Application log in the EventViewer.
-
- Controlling BIND
-
-Windows uses the same rndc program as is used on Unix systems. The
-rndc.conf file must be configured for your system in order to work.
-You will need to generate a key for this. To do this use the
-rndc-confgen program. The program will be installed in the same
-directory as named: dns/bin/. From the DOS prompt, use the command
-this way:
-
-rndc-confgen -a
-
-which will create a rndc.key file in the dns/etc directory. This will
-allow you to run rndc without an explicit rndc.conf file or key and
-control entry in named.conf file. See section 3.4.1.2 of the ARM for
-details of this. An rndc.conf can also be generated by running:
-
-rndc-confgen > rndc.conf
-
-which will create the rndc.conf file in the current directory, but
-not copy it to the dns/etc directory where it needs to reside. If
-you create rndc.conf this way you will need to copy the same key
-statement into named.conf.
-
-The additions look like the following:
-
-key "rndc-key" { algorithm hmac-md5; secret "xxxxxxxxx=="; };
-
-controls {
- inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };
-};
-
-Note that the value of the secret must come from the key generated
-above for rndc and must be the same key value for both. Details of
-this may be found in section 3.4.1.2 of the ARM. If you have rndc
-on a Unix box you can use it to control BIND on the Windows box as
-well as using the Windows version of rndc to control a BIND 9 daemon
-on a Unix box. However you must have key statements valid for the
-servers you wish to control, specifically the IP address and key
-in both named.conf and rndc.conf. Again see section 3.4.1.2 of the
-ARM for details.
-
-In order to you rndc from a different system it is important to
-ensure that the clocks are synchronized. The clocks must be kept
-within 5 minutes of each other or the rndc commands will fail
-authentication. Use NTP or other time synchronization software to
-keep your clocks accurate. NTP can be found at http://www.ntp.org/.
-
-In addition BIND is installed as a win32 system service, can be
-started and stopped in the same way as any other service and
-automatically starts whenever the system is booted. Signals are not
-supported and are in fact ignored.
-
-Note: Unlike most Windows applications, named does not, change its
-working directory when started as a service. If you wish to use
-relative files in named.conf you will need to specify a working
-directory using the directory directive options.
-
- Documentation
-
-This kit includes Documentation in HTML format. The documentation
-is not copied during the installation process so you should move
-it to any convenient location for later reference. Of particular
-importance is the BIND 9 Administrator's Reference Manual (Bv9ARM*.html)
-which provides detailed information on BIND 9. In addition, there
-are HTML pages for each of the BIND 9 applications.
-
- DNS Tools
-
-The following tools have been built for Windows: dig, nslookup,
-host, nsupdate, rndc, rndc-confgen, named-checkconf, named-checkzone,
-dnssec-keygen, dnssec-signzone, dnssec-dsfromkey and dnssec-keyfromlabel.
-The latter tools are for use with DNSSEC. All tools are installed
-in the dns/bin directory.
-
-IMPORTANT NOTE ON USING THE TOOLS:
-
-It is no longer necessary to create a resolv.conf file on Windows
-as the tools will look in the registry for the required nameserver
-information. However if you wish to create a resolv.conf file as
-follows it will use it in preference to the registry nameserver
-entries.
-
-To create a resolv.conf you need to place it in the System32\Drivers\etc
-directory and it needs to contain a list of nameserver addresses
-to use to find the nameserver authoritative for the zone. The format
-of this file is:
-
-nameserver 1.2.3.4
-nameserver 5.6.7.8
-
-Replace the IP addresses with your real addresses. 127.0.0.1 is a
-valid address if you are running a nameserver on the localhost.
-
- Problems
-
-Please report all problems to bind9-bugs@isc.org and not to me. All
-other questions should go to the bind-users@isc.org mailing list
-or the comp.protocol.dns.bind news group.
-
- Danny Mayer
- mayer@ntp.isc.org
-
+Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2001, 2003 Internet Software Consortium.
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+$Id: readme1st.txt,v 1.24 2009-09-01 06:51:47 marka Exp $
+
+ Release of BIND 9.7 for Windows and later.
+
+This is a release of BIND 9.7 for Windows XP and later.
+
+ Important Kit Installation Information
+
+As of release 9.3.0, BINDInstall requires that you install it under
+a account with restricted privileges. The installer will prompt
+you for an account name, the default is "named", and a password for
+that account. It will also check for the existence of that account.
+If it does not exist is will create it with only the privileges
+required to run BIND. If the account does exist it will check that
+it has only the one privilege required: "Log on as a service". If
+it has too many privileges it will prompt you if you want to continue.
+
+With BIND running under an account name it is necessary for all
+files and directories that BIND uses to have permissions set up for
+the named account if the files are on an NTFS disk. BIND requires
+that the account have read and write access to the directory for
+the pid file, any files that are maintained either for slave zones
+or for master zones supporting dynamic updates. The account will
+also need read access to the named.conf and any other file that it
+needs to read.
+
+"NT AUTHORITY\LocalService" is also an acceptable account. This
+account is built into Windows and no password is required. Appropriate
+file permissions will also need to be set for "NT AUTHORITY\LocalService"
+similar to those that would have been required for the "named" account.
+
+It is important that on Windows the directory directive is used in
+the options section to tell BIND where to find the files used in
+named.conf (default %WINDOWS%\system32\dns\etc\named.conf).
+
+e.g.
+ options {
+ directory "C:\WINDOWS\system32\dns\etc";
+ };
+
+If you have previously installed BIND 8 or BIND 4 on the system
+that you wish to install this kit, you MUST use the BIND 8 or BIND
+4 installer to uninstall the previous kit. For BIND 8.2.x, you can
+use the BINDInstall that comes with the BIND 8 kit to uninstall it.
+The BIND 9 installer will NOT uninstall the BIND 8 binaries. That
+will be fixed in a future release.
+
+Unpack the kit into any convenient directory and run the BINDInstall
+program. This will install the named and associated programs into
+the correct directories and set up the required registry keys.
+
+Messages are logged to the Application log in the EventViewer.
+
+ Controlling BIND
+
+Windows uses the same rndc program as is used on Unix systems. The
+rndc.conf file must be configured for your system in order to work.
+You will need to generate a key for this. To do this use the
+rndc-confgen program. The program will be installed in the same
+directory as named: dns/bin/. From the DOS prompt, use the command
+this way:
+
+rndc-confgen -a
+
+which will create a rndc.key file in the dns/etc directory. This will
+allow you to run rndc without an explicit rndc.conf file or key and
+control entry in named.conf file. See section 3.4.1.2 of the ARM for
+details of this. An rndc.conf can also be generated by running:
+
+rndc-confgen > rndc.conf
+
+which will create the rndc.conf file in the current directory, but
+not copy it to the dns/etc directory where it needs to reside. If
+you create rndc.conf this way you will need to copy the same key
+statement into named.conf.
+
+The additions look like the following:
+
+key "rndc-key" { algorithm hmac-md5; secret "xxxxxxxxx=="; };
+
+controls {
+ inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };
+};
+
+Note that the value of the secret must come from the key generated
+above for rndc and must be the same key value for both. Details of
+this may be found in section 3.4.1.2 of the ARM. If you have rndc
+on a Unix box you can use it to control BIND on the Windows box as
+well as using the Windows version of rndc to control a BIND 9 daemon
+on a Unix box. However you must have key statements valid for the
+servers you wish to control, specifically the IP address and key
+in both named.conf and rndc.conf. Again see section 3.4.1.2 of the
+ARM for details.
+
+In order to you rndc from a different system it is important to
+ensure that the clocks are synchronized. The clocks must be kept
+within 5 minutes of each other or the rndc commands will fail
+authentication. Use NTP or other time synchronization software to
+keep your clocks accurate. NTP can be found at http://www.ntp.org/.
+
+In addition BIND is installed as a win32 system service, can be
+started and stopped in the same way as any other service and
+automatically starts whenever the system is booted. Signals are not
+supported and are in fact ignored.
+
+Note: Unlike most Windows applications, named does not, change its
+working directory when started as a service. If you wish to use
+relative files in named.conf you will need to specify a working
+directory using the directory directive options.
+
+ Documentation
+
+This kit includes Documentation in HTML format. The documentation
+is not copied during the installation process so you should move
+it to any convenient location for later reference. Of particular
+importance is the BIND 9 Administrator's Reference Manual (Bv9ARM*.html)
+which provides detailed information on BIND 9. In addition, there
+are HTML pages for each of the BIND 9 applications.
+
+ DNS Tools
+
+The following tools have been built for Windows: dig, nslookup,
+host, nsupdate, rndc, rndc-confgen, named-checkconf, named-checkzone,
+dnssec-keygen, dnssec-signzone, dnssec-dsfromkey and dnssec-keyfromlabel.
+The latter tools are for use with DNSSEC. All tools are installed
+in the dns/bin directory.
+
+IMPORTANT NOTE ON USING THE TOOLS:
+
+It is no longer necessary to create a resolv.conf file on Windows
+as the tools will look in the registry for the required nameserver
+information. However if you wish to create a resolv.conf file as
+follows it will use it in preference to the registry nameserver
+entries.
+
+To create a resolv.conf you need to place it in the System32\Drivers\etc
+directory and it needs to contain a list of nameserver addresses
+to use to find the nameserver authoritative for the zone. The format
+of this file is:
+
+nameserver 1.2.3.4
+nameserver 5.6.7.8
+
+Replace the IP addresses with your real addresses. 127.0.0.1 is a
+valid address if you are running a nameserver on the localhost.
+
+ Problems
+
+Please report all problems to bind9-bugs@isc.org and not to me. All
+other questions should go to the bind-users@isc.org mailing list
+or the comp.protocol.dns.bind news group.
+
+ Danny Mayer
+ mayer@ntp.isc.org
+
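Review bot: The re-added header still reads "Release of BIND 9.7 for Windows and later." and "This is a release of BIND 9.7 for Windows XP and later." in a commit that sets the version to 9.8.1, and the $Id line is unchanged from 2009; update the version or make the wording version-neutral. All 159 lines are rewritten although the removed and added text shown here is identical, so the change is presumably whitespace or line endings only; say so in the commit message. Since every line is touched anyway, fix "a account with restricted privileges", "If it does not exist is will create it", "In order to you rndc from a different system" and the stray comma in "named does not, change its working directory".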
diff --git a/win32utils/win32-build.txt b/win32utils/win32-build.txt
index 5eeaed5e..25f0c5a4 100644
--- a/win32utils/win32-build.txt
+++ b/win32utils/win32-build.txt
@@ -1,151 +1,151 @@
-Copyright (C) 2004, 2005, 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2001, 2002 Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-$Id: win32-build.txt,v 1.19 2009-11-06 03:14:10 each Exp $
-
- BIND 9.7 for Win32 Source Build Instructions. 02-Jul-2009
-
-Building BIND 9.7 on Windows XP/2003/2008 has the following prerequisites:
-
-1) You need to install Perl for Windows. ActivePerl
-(http://www.activestate.com/) and Strawberry Perl
-(http://www.strawberryperl.com) have both been tested and found
-to work.
-
-2) OpenSSL (http://www.openssl.org) needs to be downloaded and built
-on the system on which you are building BIND.
-
-3) If you wish to use the statistics channel, LibXML2
-(ftp://xmlsoft.org/libxml2) needs to be downloaded and built on
-the system on which you are building BIND. (If you do not wish
-to use the statistics channel, remove HAVE_LIBXML2 from config.h.win32.)
-
-4) If you want to build using Visual C++ 6.0, you'll need some extra
-files that are to be found in the Platform SDK (which you will need
-to install), namely:
-
-iphlpapi.h
-iptypes.h
-ipexport.h
-iphlpapi.lib
-
-You'll also need an updated Iprtrmib.h - using the VC++6.0 one will
-get you some compilation errors. You can just overwrite the old one if
-you're not using it for any purposes, and maybe keep a backup of it.
-
-You can copy the header files under VC98\INCLUDE and the library file
-under VC98\LIB. I think you can also put them in a separate directory
-and add it to the include search list, but I don't know if that can be
-made persistent.
-
-For building on VC++ 7.0 no extra files are required.
-
-The instructions assume a Visual C++ 6.0 compiler with Visual Studio and
-Visual Studio Service Pack 3 or later. It may build and work with earlier
-versions but it has not been tested. The binaries may be built and run on
-any of the following platforms: NT 4.0 Workstation (SP3 or later), NT 4.0
-Server (SP3 or later), Windows 2000 Professional (SP1 or later),
-Windows 2000 Server or any kind (SP1 or later), Windows XP, Windows 2003
-Server. It will NOT build or run on Windows 95, Windows 98, etc. platforms.
-
-Step 1: Download and build OpenSSL
-
-Download and untar the OpenSSL sources from http://www.openssl.org/.
-Extract them at in the same directory in which you extracted the BIND9
-source: If BIND9 is in \build\bind-9.7.0, for instance, OpenSSL should be
-in \build\openssl-0.9.8l (subject to version number changes).
-
-Note: Building OpenSSL requires that you install Perl as it uses
-it during its build process. The following commands work as of
-openssl-0.9.8l, but you should check the OpenSSL distribution
-to see if the build instructions have changed:
-
- cd openssl-0.9.8l
- perl Configure VC-WIN32 --prefix=c:/openssl
- ms\do_masm
- nmake /f ms\ntdll.mak
-
-If you wish to use PKCS #11 to control a cryptographic hardware service
-module, please see bind9\README.pkcs11. You will need to apply the patch
-in bind9\bin\pkcs11\openssl-0.9.8l-patch (this can be done using the Cygwin
-'patch' utility) and add --pk11-libname and --pk11-flavor to the Configure
-command above.
-
-Step 2: Download and build libxml2
-
-Download and untar the libxml2 sources from ftp://xmlsoft.org/libxml2.
-Extract them at in the same directory in which you extracted the BIND9
-source: If BIND9 is in \build\bind-9.7.0, for instance, libxml2 should
-be in \build\libxml2-2.7.3 (subject to version number changes).
-
-Now build libxml2, and copy the resulting files into the include and lib
-directories:
-
- cd libxml2-2.7.3\win32
- cscript configure.js compiler=msvc vcmanifest=yes static=yes debug=no iconv=no
- nmake /f Makefile.msvc libxml
-
-Step 3: Building BIND
-
-You must build openssl and libxml2 first.
-
-From the command prompt cd to the win32utils directory under
-the BIND9 root:
-
- cd bind-9.7.0\win32utils
-
-If you wish to use PKCS #11 to control a cryptographic hardware service
-module, set the path to the PKCS #11 provider library:
-
- perl setpk11provider.pl <DLL path>
-
-If using VC++ 6.0, run the BuildAll.bat file:
-
- BuildAll
-
-This will do the following:
-1) copy config.h.win32 to config.h in the root.
-2) create the versions.h file in the root.
-3) Build the gen application in the lib/dns directory.
-4) Run the gen application and build the required lib/dns header
- files.
-5) Create the Build/Release subdirectory under the root of the BIND
- source tree which will hold the binaries being built.
-6) Build the libraries, named, application tools like dig, rndc
- dnssec tools, installer, checkconf and checkzones programs,
- BIND 9 Installer.
-7) Copies the release notes and the OpenSSL DLL to the BUILD/Release
- directory.
-8) Copies the BIND 9 ARM HTML files and the application HTML files
- to the Build\Release area.
-
-If you wish to use the Visual Studio GUI for building, you can just
-run the BuildSetup.bat file:
-
- BuildSetup
-
-This will create or find and copy into place several files which are
-necessary for the build to proceed. It also locates and copies into place
-the DLLs for OpenSSL and libxml2.
-
-Use BINDBuild.dsw (also located in the win32utils directory) to open the
-workspace for all of the BIND9 libraries and applications. Select
-"Build->Batch Build", click "Select All", then click "Build".
-
-After the build has completed, run the BuildPost.bat file:
-
- BuildPost
-
-...which does post-build processing.
-
-Installation is accomplished by running the BINDInstall program. All DLL's
-are copied to the system32 area and all applications (including BINDInstall
-which may be necessary for uninstalling BIND 9) to the dns/bin directory.
-If BIND 8 has previously been installed on the system it must be uninstalled
-first by running it's own BINDInstall program. The BIND 9 installer does
-not yet do this.
-
-All bugs found, whether in the process of building the application or
-running BIND or the tools should be reported to the bind9 bugs email
-account at bind9-bugs@isc.org.
+Copyright (C) 2004, 2005, 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2001, 2002 Internet Software Consortium.
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+$Id: win32-build.txt,v 1.19 2009-11-06 03:14:10 each Exp $
+
+ BIND 9.7 for Win32 Source Build Instructions. 02-Jul-2009
+
+Building BIND 9.7 on Windows XP/2003/2008 has the following prerequisites:
+
+1) You need to install Perl for Windows. ActivePerl
+(http://www.activestate.com/) and Strawberry Perl
+(http://www.strawberryperl.com) have both been tested and found
+to work.
+
+2) OpenSSL (http://www.openssl.org) needs to be downloaded and built
+on the system on which you are building BIND.
+
+3) If you wish to use the statistics channel, LibXML2
+(ftp://xmlsoft.org/libxml2) needs to be downloaded and built on
+the system on which you are building BIND. (If you do not wish
+to use the statistics channel, remove HAVE_LIBXML2 from config.h.win32.)
+
+4) If you want to build using Visual C++ 6.0, you'll need some extra
+files that are to be found in the Platform SDK (which you will need
+to install), namely:
+
+iphlpapi.h
+iptypes.h
+ipexport.h
+iphlpapi.lib
+
+You'll also need an updated Iprtrmib.h - using the VC++6.0 one will
+get you some compilation errors. You can just overwrite the old one if
+you're not using it for any purposes, and maybe keep a backup of it.
+
+You can copy the header files under VC98\INCLUDE and the library file
+under VC98\LIB. I think you can also put them in a separate directory
+and add it to the include search list, but I don't know if that can be
+made persistent.
+
+For building on VC++ 7.0 no extra files are required.
+
+The instructions assume a Visual C++ 6.0 compiler with Visual Studio and
+Visual Studio Service Pack 3 or later. It may build and work with earlier
+versions but it has not been tested. The binaries may be built and run on
+any of the following platforms: NT 4.0 Workstation (SP3 or later), NT 4.0
+Server (SP3 or later), Windows 2000 Professional (SP1 or later),
+Windows 2000 Server or any kind (SP1 or later), Windows XP, Windows 2003
+Server. It will NOT build or run on Windows 95, Windows 98, etc. platforms.
+
+Step 1: Download and build OpenSSL
+
+Download and untar the OpenSSL sources from http://www.openssl.org/.
+Extract them at in the same directory in which you extracted the BIND9
+source: If BIND9 is in \build\bind-9.7.0, for instance, OpenSSL should be
+in \build\openssl-0.9.8l (subject to version number changes).
+
+Note: Building OpenSSL requires that you install Perl as it uses
+it during its build process. The following commands work as of
+openssl-0.9.8l, but you should check the OpenSSL distribution
+to see if the build instructions have changed:
+
+ cd openssl-0.9.8l
+ perl Configure VC-WIN32 --prefix=c:/openssl
+ ms\do_masm
+ nmake /f ms\ntdll.mak
+
+If you wish to use PKCS #11 to control a cryptographic hardware service
+module, please see bind9\README.pkcs11. You will need to apply the patch
+in bind9\bin\pkcs11\openssl-0.9.8l-patch (this can be done using the Cygwin
+'patch' utility) and add --pk11-libname and --pk11-flavor to the Configure
+command above.
+
+Step 2: Download and build libxml2
+
+Download and untar the libxml2 sources from ftp://xmlsoft.org/libxml2.
+Extract them at in the same directory in which you extracted the BIND9
+source: If BIND9 is in \build\bind-9.7.0, for instance, libxml2 should
+be in \build\libxml2-2.7.3 (subject to version number changes).
+
+Now build libxml2, and copy the resulting files into the include and lib
+directories:
+
+ cd libxml2-2.7.3\win32
+ cscript configure.js compiler=msvc vcmanifest=yes static=yes debug=no iconv=no
+ nmake /f Makefile.msvc libxml
+
+Step 3: Building BIND
+
+You must build openssl and libxml2 first.
+
+From the command prompt cd to the win32utils directory under
+the BIND9 root:
+
+ cd bind-9.7.0\win32utils
+
+If you wish to use PKCS #11 to control a cryptographic hardware service
+module, set the path to the PKCS #11 provider library:
+
+ perl setpk11provider.pl <DLL path>
+
+If using VC++ 6.0, run the BuildAll.bat file:
+
+ BuildAll
+
+This will do the following:
+1) copy config.h.win32 to config.h in the root.
+2) create the versions.h file in the root.
+3) Build the gen application in the lib/dns directory.
+4) Run the gen application and build the required lib/dns header
+ files.
+5) Create the Build/Release subdirectory under the root of the BIND
+ source tree which will hold the binaries being built.
+6) Build the libraries, named, application tools like dig, rndc
+ dnssec tools, installer, checkconf and checkzones programs,
+ BIND 9 Installer.
+7) Copies the release notes and the OpenSSL DLL to the BUILD/Release
+ directory.
+8) Copies the BIND 9 ARM HTML files and the application HTML files
+ to the Build\Release area.
+
+If you wish to use the Visual Studio GUI for building, you can just
+run the BuildSetup.bat file:
+
+ BuildSetup
+
+This will create or find and copy into place several files which are
+necessary for the build to proceed. It also locates and copies into place
+the DLLs for OpenSSL and libxml2.
+
+Use BINDBuild.dsw (also located in the win32utils directory) to open the
+workspace for all of the BIND9 libraries and applications. Select
+"Build->Batch Build", click "Select All", then click "Build".
+
+After the build has completed, run the BuildPost.bat file:
+
+ BuildPost
+
+...which does post-build processing.
+
+Installation is accomplished by running the BINDInstall program. All DLL's
+are copied to the system32 area and all applications (including BINDInstall
+which may be necessary for uninstalling BIND 9) to the dns/bin directory.
+If BIND 8 has previously been installed on the system it must be uninstalled
+first by running it's own BINDInstall program. The BIND 9 installer does
+not yet do this.
+
+All bugs found, whether in the process of building the application or
+running BIND or the tools should be reported to the bind9 bugs email
+account at bind9-bugs@isc.org.
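Review bot: Steps 1 and 2 tell the builder to fetch OpenSSL from http://www.openssl.org/ and libxml2 from ftp://xmlsoft.org/libxml2 and build them straight into the BIND kit, with no integrity check on either download; add a step to verify each tarball against the signature or checksum its project publishes before extracting. The rest of the hunk replaces all 151 lines with text that reads the same as shown here, so if this is a line-ending normalisation the commit message should say so. The content is also stale for this release: the title is "BIND 9.7 for Win32 Source Build Instructions. 02-Jul-2009", the example paths use bind-9.7.0, and the prerequisites name "Windows XP/2003/2008" while the platform paragraph still lists NT 4.0 and Windows 2000. Wording to fix while here: "Extract them at in the same directory" (twice), "Windows 2000 Server or any kind", "it's own BINDInstall program".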