422 files changed, 18280 insertions, 9100 deletions
diff --git a/CHANGES b/CHANGES
index 2fc7dff3..fbfdab0f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,8 +1,41 @@
+2613.	[placeholder]
+
+	--- 9.7.0a1 released ---
+
+2612.	[func]		Add default values for the arguments to
+			dnssec-keygen.  Without arguments, it will now
+			generate a 1024-bit RSASHA1 zone-signing key,
+			or with the -f KSK option, a 2048-bit RSASHA1
+			key-signing key. [RT #19300]
+
+2611.	[func]		Add -l option to dnssec-dsfromkey to generate 
+			DLV records instead of DS records. [RT #19300]
+
+2610.	[port]		sunos: Change #2363 was not complete. [RT #19796]
+
+2609.	[func]		Simplify the configuration of dynamic zones:
+			- add ddns-confgen command to generate
+			  configuration text for named.conf
+			- add zone option "ddns-autoconf yes;", which
+			  causes named to generate a TSIG session key
+			  and allow updates to the zone using that key
+			- add '-l' (localhost) option to nsupdate, which
+			  causes nsupdate to connect to a locally-running
+			  named process using the session key generated
+			  by named
+			[RT #19284]
+			
+2608.	[func]		Perform post signing verification checks in
+			dnssec-signzone.  These can be disabled with -P.
 
-	--- 9.6.1 released ---
+			The post sign verification test ensures that for each
+			algorithm in use there is at least one non revoked
+			self signed KSK key.  That all revoked KSK keys are
+			self signed.  That all records in the zone are signed
+			by the algorithm.  [RT #19653]
 
 2607.	[bug]		named could incorrectly delete NSEC3 records for
-			empty nodes when processing a update request.  
+			empty nodes when processing a update request.
 			[RT #19749]
 
 2606.	[bug]		"delegation-only" was not being accepted in
@@ -11,6 +44,11 @@
 2605.	[bug]		Accept DS responses from delegation only zones.
 			[RT # 19296]
 
+2604.	[func]		Add support for DNS rebinding attack prevention through
+			new options, deny-answer-addresses and
+			deny-answer-aliases.  Based on contributed code from
+			JD Nurmi, Google. [RT #18192]
+
 2603.	[port]		win32: handle .exe extension of named-checkzone and
 			named-comilezone argv[0] names under windows.
 			[RT #19767]
@@ -18,11 +56,17 @@
 2602.	[port]		win32: fix debugging command line build of libisccfg.
 			[RT #19767]
 
-	--- 9.6.1rc1 released ---
+2601.	[doc]		Mention file creation mode mask in the
+			named manual page.
+
+2600.	[doc]		ARM: miscellaneous reformatting for different
+			page widths. [RT #19574]
 
 2599.	[bug]		Address rapid memory growth when validation fails.
 			[RT #19654]
 
+2598.	[func]		Reserve the -F flag. [RT #19657]
+
 2597.	[bug]		Handle a validation failure with a insecure delegation
 			from a NSEC3 signed master/slave zone.  [RT #19464]
 
@@ -32,16 +76,31 @@
 
 2595.	[bug]		Fix unknown extended rcodes in dig. [RT #19625]
 
+2594.	[func]		Have rndc warn if using its default configuration
+			file when the key file also exists. [RT #19424]
+
+2593.	[bug]		Improve a corner source of SERVFAILs [RT #19632]
+
 2592.	[bug]		Treat "any" as a type in nsupdate. [RT #19455]
 
 2591.	[bug]		named could die when processing a update in
 			removed_orphaned_ds(). [RT #19507]
 
+2590.	[func]		Report zone/class of "update with no effect".
+			[RT #19542]
+
+2589.	[bug]		dns_db_unregister() failed to clear '*dbimp'.
+		        [RT #19626]
+
 2588.	[bug]		SO_REUSEADDR could be set unconditionally after failure
 			of bind(2) call.  This should be rare and mostly
 			harmless, but may cause interference with other
 			processes that happen to use the same port. [RT #19642]
 
+2587.	[func]		Improve logging by reporting serial numbers for
+			when zone serial has gone backwards or unchanged.
+			[RT #19506]
+
 2586.	[bug]		Missing cleanup of SIG rdataset in searching a DLZ DB
 			or SDB. [RT #19577]
 
@@ -58,28 +117,57 @@
 2582.	[bug]		Don't emit warning log message when we attempt to
 			remove non-existant journal. [RT #19516]
 
+2581.	[contrib]	dlz/mysql set MYSQL_OPT_RECONNECT option on connection.
+			Requires MySQL 5.0.19 or later. [RT #19084]
+
+2580.	[bug]		UpdateRej statistics counter could be incremented twice
+			for one rejection. [RT #19476]
+
 2579.	[bug]		DNSSEC lookaside validation failed to handle unknown
 			algorithms. [RT #19479]
 
 2578.	[bug]		Changed default sig-signing-type to 65534, because
 			65535 turns out to be reserved.  [RT #19477]
 
-2499.	[port]		solaris: lib/lwres/getaddrinfo.c namespace clash.
-			[RT #18837]
-
-	--- 9.6.1b1 released ---
-
 2577.	[doc]		Clarified some statistics counters. [RT #19454]
 
 2576.	[bug]		NSEC record were not being correctly signed when
 			a zone transitions from insecure to secure.
 			Handle such incorrectly signed zones. [RT #19114]
 
+2575.	[func]		New functions dns_name_fromstring() and
+			dns_name_tostring(), to simplify conversion
+			of a string to a dns_name structure and vice
+			versa. [RT #19451]
+
 2574.	[doc]		Document nsupdate -g and -o. [RT #19351]
 
 2573.	[bug]		Replacing a non-CNAME record with a CNAME record in a
 			single transaction in a signed zone failed. [RT #19397]
 
+2572.	[func]		Simplify DLV configuration, with a new option
+			"dnssec-lookaside auto;"  This is the equivalent
+			of "dnssec-lookaside . trust-anchor dlv.isc.org;"
+			plus setting a trusted-key for dlv.isc.org.
+
+			Note: The trusted key is hard-coded into named,
+			but is also stored in (and can be overridden
+			by) $sysconfdir/bind.keys.  As the ISC DLV key
+			rolls over it can be kept up to date by replacing
+			the bind.keys file with a key downloaded from
+			https://www.isc.org/solutions/dlv. [RT #18685]
+
+2571.	[func]		Add a new tool "arpaname" which translates IP addresses
+			to the corresponding IN-ADDR.ARPA or IP6.ARPA name.
+			[RT #18976]
+
+2570.	[func]		Log the destination address the query was sent to.
+			[RT #19209]
+
+2569.	[func]		Move journalprint, nsec3hash, and genrandom
+			commands from bin/tests into bin/tools; 
+			"make install" will put them in $sbindir. [RT #19301]
+
 2568.	[bug]		Report when the write to indicate a otherwise
 			successful start fails. [RT #19360]
 
@@ -88,6 +176,15 @@
 			dnssec-dsfromkey could miss write errors.
 			[RT #19360]
 
+2566.	[cleanup]	Clarify logged message when an insecure DNSSEC
+			response arrives from a zone thought to be secure:
+			"insecurity proof failed" instead of "not
+			insecure". [RT #19400]
+
+2565.	[func]		Add support for HIP record.  Includes new functions
+			dns_rdata_hip_first(), dns_rdata_hip_next()
+			and dns_rdata_hip_current().  [RT #19384]
+
 2564.	[bug]		Only take EDNS fallback steps when processing timeouts.
 			[RT #19405]
 
@@ -104,6 +201,10 @@
 2559.	[bug]		dnssec-dsfromkey could compute bad DS records when
 			reading from a K* files.  [RT #19357]
 
+2558.	[func]		Set the ownership of missing directories created
+			for pid-file if -u has been specified on the command
+			line. [RT #19328]
+
 2557.	[cleanup]	PCI compliance:
 			* new libisc log module file
 			* isc_dir_chroot() now also changes the working
@@ -115,6 +216,9 @@
 			error checks in the correct order resulting in the
 			wrong error code sometimes being returned. [RT #19249]
 			
+2555.	[func]		dig: when emitting a hex dump also display the
+			corresponding characters. [RT #19258]
+
 2554.	[bug]		Validation of uppercase queries from NSEC3 zones could
 			fail. [RT #19297]
 
@@ -138,6 +242,10 @@
 			function isc_mem_reallocate() was introduced to address
 			this bug. [RT #19313]
 
+2546.	[func]		Add --enable-openssl-hash configure flag to use
+			OpenSSL (in place of internal routine) for hash
+			functions (MD5, SHA[12] and HMAC). [RT #18815]
+
 2545.	[doc]		ARM: Legal hostname checking (check-names) is
 			for SRV RDATA too. [RT #19304]
 
@@ -150,6 +258,8 @@
 2541.	[bug]		Conditionally update dispatch manager statistics.
 			[RT #19247]
 
+2540.	[func]		Add a nibble mode to $GENERATE. [RT #18872]
+
 2539.	[security]	Update the interaction between recursion, allow-query,
 			allow-query-cache and allow-recursion.  [RT #19198]
 
@@ -157,13 +267,19 @@
 			especially with threads and smaller max-cache-size
 			values. [RT #19240]
 
-2537.	[experimental]	Added more statistics counters including those on socket
+2537.	[func]		Added more statistics counters including those on socket
 			I/O events and query RTT histograms. [RT #18802]
 
 2536.	[cleanup]	Silence some warnings when -Werror=format-security is
 			specified. [RT #19083]
 
-2535.	[bug]		dig +showsearh and +trace interacted badly. [RT #19091]
+2535.	[bug]		dig +showsearch and +trace interacted badly. [RT #19091]
+
+2534.	[func]		Check NAPTR records regular expressions and
+			replacement strings to ensure they are syntactically
+			valid and consistant. [RT #18168]
+
+2533.	[doc]		ARM: document @ (at-sign). [RT #17144]
 
 2532.	[bug]		dig: check the question section of the response to
 			see if it matches the asked question. [RT #18495]
@@ -179,10 +295,14 @@
 2528.   [cleanup]       Silence spurious configure warning about
                         --datarootdir [RT #19096]
 
-2527.	[bug]		named could reuse cache on reload with
-			enabling/disabling validation. [RT #19119]
+2527.	[placeholder]
+
+2526.	[func]		New named option "attach-cache" that allows multiple
+			views to share a single cache to save memory and
+			improve lookup efficiency.  Based on contributed code
+			from Barclay Osborn, Google. [RT #18905]
 
-2525.	[experimental]	New logging category "query-errors" to provide detailed
+2525.	[func]		New logging category "query-errors" to provide detailed
 			internal information about query failures, especially
 			about server failures. [RT #19027]
 
@@ -195,10 +315,17 @@
 
 2521.	[bug]		Improve epoll cross compilation support. [RT #19047]
 
+2520.	[bug]		Update xml statistics version number to 2.0 as change
+			#2388 made the schema incompatible to the previous
+			version. [RT #19080]
+
 2519.	[bug]		dig/host with -4 or -6 didn't work if more than two
 			nameserver addresses of the excluded address family
 			preceded in resolv.conf. [RT #19081]
 
+2518.	[func]		Add support for the new CERT types from RFC 4398.
+			[RT #19077]
+
 2517.	[bug]		dig +trace with -4 or -6 failed when it chose a
 			nameserver address of the excluded address.
 			[RT #18843]
@@ -206,45 +333,56 @@
 2516.	[bug]		glue sort for responses was performed even when not
 			needed. [RT #19039]
 
+2515.	[port]		win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
+			[RT #19063]
+
 2514.	[bug]		dig/host failed with -4 or -6 when resolv.conf contains
 			a nameserver of the excluded address family.
 			[RT #18848]
 
+2513.	[bug]		Fix windows cli build. [RT #19062]
+
+2512.	[func]		Print a summary of the cached records which make up
+			the negative response.  [RT #18885]
+
 2511.	[cleanup]	dns_rdata_tofmttext() add const to linebreak.
 			[RT #18885]
 
+2510.	[bug]		"dig +sigchase" could trigger REQUIRE failures.
+			[RT #19033]
+
+2509.	[bug]		Specifying a fixed query source port was broken.
+			[RT #19051]
+
+2508.	[placeholder]
+
+2507.	[func]		Log the recursion quota values when killing the
+			oldest query or refusing to recurse due to quota.
+			[RT #19022]
+
 2506.	[port]		solaris: Check at configure time if 
 			hack_shutup_pthreadonceinit is needed. [RT #19037]
 
 2505.	[port]		Treat amd64 similarly to x86_64 when determining
 			atomic operation support. [RT #19031]
 
+2504.	[bug]		Address race condition in the socket code. [RT #18899]
+
 2503.	[port]		linux: improve compatibility with Linux Standard
 			Base. [RT #18793]
 
 2502.	[cleanup]	isc_radix: Improve compliance with coding style,
 			document function in <isc/radix.h>. [RT #18534]
 
-	--- 9.6.0 released ---
+2501.	[func]		$GENERATE now supports all rdata types.  Multi-field
+			rdata types need to be quoted.  See the ARM for
+			details. [RT #18368]
 
-2520.	[bug]		Update xml statistics version number to 2.0 as change
-			#2388 made the schema incompatible to the previous
-			version. [RT #19080]
-
-	--- 9.6.0rc2 released ---
-
-2515.	[port]		win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
-			[RT #19063]
-
-2513	[bug]		Fix windows cli build. [RT #19062]
-
-2510.	[bug]		"dig +sigchase" could trigger REQUIRE failures.
-			[RT #19033]
-
-2509.	[bug]		Specifying a fixed query source port was broken.
-			[RT #19051]
+2500.	[contrib]	contrib/sdb/pgsql/zonetodb.c called non-existent
+			function. [RT #18582]
 
-2504.	[bug]		Address race condition in the socket code. [RT #18899]
+2499.	[port]		solaris: lib/lwres/getaddrinfo.c namespace clash.
+			[RT #18837]
 
 	--- 9.6.0rc1 released ---
 
diff --git a/COPYRIGHT b/COPYRIGHT
index 620ee985..452f97d7 100644
--- a/COPYRIGHT
+++ b/COPYRIGHT
@@ -13,7 +13,7 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 PERFORMANCE OF THIS SOFTWARE.
 
-$Id: COPYRIGHT,v 1.14.176.1 2009/01/05 23:47:22 tbox Exp $
+$Id: COPYRIGHT,v 1.15 2009/01/05 23:47:53 tbox Exp $
 
 Portions Copyright (C) 1996-2001  Nominum, Inc.
 
diff --git a/FAQ.xml b/FAQ.xml
index 95346f7d..8c671140 100644
--- a/FAQ.xml
+++ b/FAQ.xml
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: FAQ.xml,v 1.46.56.4 2009/02/19 01:51:58 tbox Exp $ -->
+<!-- $Id: FAQ.xml,v 1.49 2009/02/18 22:48:52 jreed Exp $ -->
 
 <article class="faq">
   <title>Frequently Asked Questions about BIND 9</title>
diff --git a/KNOWN-DEFECTS b/KNOWN-DEFECTS
deleted file mode 100644
index 83d71759..00000000
--- a/KNOWN-DEFECTS
+++ /dev/null
@@ -1,15 +0,0 @@
-dnssec-signzone was designed so that it could sign a zone partially, using
-only a subset of the DNSSEC keys needed to produce a fully-signed zone.
-This permits a zone administrator, for example, to sign a zone with one
-key on one machine, move the resulting partially-signed zone to a second
-machine, and sign it again with a second key.
-
-An unfortunate side-effect of this flexibility is that dnssec-signzone
-does not check to make sure it's signing a zone with any valid keys at
-all.  An attempt to sign a zone without any keys will appear to succeed,
-producing a "signed" zone with no signatures.  There is no warning issued
-when a zone is not signed.
-
-This will be corrected in a future release.  In the meantime, ISC
-recommends examining the output of dnssec-signzone to confirm that
-the zone is properly signed by all keys before using it.
diff --git a/Makefile.in b/Makefile.in
index 662ee0f9..39822832 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.52.48.2 2009/02/20 23:47:23 tbox Exp $
+# $Id: Makefile.in,v 1.55 2009/03/04 02:42:30 each Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -55,6 +55,7 @@ installdirs:
 install:: isc-config.sh installdirs
 	${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
 	${INSTALL_DATA} ${srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
+	${INSTALL_SCRIPT} bind.keys ${DESTDIR}${sysconfdir}
 
 tags:
 	rm -f TAGS
diff --git a/README b/README
index d1519884..a613a31b 100644
--- a/README
+++ b/README
@@ -42,6 +42,31 @@ BIND 9
 		Stichting NLnet - NLnet Foundation
 		Nominum, Inc.
 
+BIND 9.7.0
+
+        BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
+        releases.  Most are intended to simplify DNSSEC configuration.
+        New features include:
+
+        - Simplified configuration of DNSSEC Lookaside Validation (DLV).
+        - Simplified configuration of Dynamic DNS, using the "ddns-confgen"
+          command line tool or the "ddns-autoconf" zone option.  (As a side
+          effect, this also makes it easier to configure automatic zone
+          re-signing.)
+	- New named option "attach-cache" that allows multiple views to
+	  share a single cache.
+	- New logging category "query-errors" to provide detailed
+	  internal information about query failures, especially about
+	  server failures.
+	- DNS rebinding attack prevention.
+        - New default values for dnssec-keygen parameters.
+
+        Planned but not complete in alpha:
+
+        - Support for RFC 5011 (automated trust anchor maintenance)
+        - Simplified tools for zone signing and key maintenance
+        - Fully automatic signing of zones by "named"
+
 BIND 9.6.0
 
         BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier
@@ -390,7 +415,7 @@ Building
 		FreeBSD 4.10, 5.2.1, 6.2
 		HP-UX 11.11
 		Mac OS X 10.5
-		NetBSD 3.x and 4.0-beta
+		NetBSD 3.x, 4.0-beta, 5.0-beta
 		OpenBSD 3.3 and up
 		Solaris 8, 9, 9 (x86), 10
 		Ubuntu 7.04, 7.10
diff --git a/README.idnkit b/README.idnkit
index 0eda0a5e..44face23 100644
--- a/README.idnkit
+++ b/README.idnkit
@@ -109,4 +109,4 @@ about idnkit and this patch.
 Bug reports and comments on this kit should be sent to
 mdnkit-bugs@nic.ad.jp and idn-cmt@nic.ad.jp, respectively.
 
-; $Id: README.idnkit,v 1.2.762.1 2009/01/18 23:25:14 marka Exp $
+; $Id: README.idnkit,v 1.3 2009/01/17 09:43:50 fdupont Exp $
diff --git a/acconfig.h b/acconfig.h
index eb191505..736d1bcd 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acconfig.h,v 1.51.334.2 2009/02/16 23:47:15 tbox Exp $ */
+/* $Id: acconfig.h,v 1.53 2008/12/01 23:47:44 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/Makefile.in b/bin/Makefile.in
index ef28e0c6..2218ae3a 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,13 +13,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.25 2007/06/19 23:46:59 tbox Exp $
+# $Id: Makefile.in,v 1.28 2009/06/10 00:27:21 each Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-SUBDIRS =	named rndc dig dnssec tests nsupdate check
+SUBDIRS =	named rndc dig dnssec tests tools nsupdate check confgen
 TARGETS =
 
 @BIND9_MAKE_RULES@
diff --git a/bin/check/check-tool.c b/bin/check/check-tool.c
index e0a7208f..0bad407a 100644
--- a/bin/check/check-tool.c
+++ b/bin/check/check-tool.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check-tool.c,v 1.35.36.3 2009/01/20 02:03:18 marka Exp $ */
+/* $Id: check-tool.c,v 1.38 2009/01/20 02:01:11 marka Exp $ */
 
 /*! \file */
 
diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c
index eba0d93b..4ed050bc 100644
--- a/bin/check/named-checkconf.c
+++ b/bin/check/named-checkconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named-checkconf.c,v 1.46.222.2 2009/02/16 23:47:15 tbox Exp $ */
+/* $Id: named-checkconf.c,v 1.48 2009/02/16 23:48:04 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8
index 5520da34..4d4153be 100644
--- a/bin/check/named-checkzone.8
+++ b/bin/check/named-checkzone.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named-checkzone.8,v 1.42.334.1 2009/01/23 01:53:33 tbox Exp $
+.\" $Id: named-checkzone.8,v 1.43 2009/01/21 01:12:07 tbox Exp $
 .\"
 .hy 0
 .ad l
diff --git a/bin/check/named-checkzone.c b/bin/check/named-checkzone.c
index 83b3bbe9..88f33474 100644
--- a/bin/check/named-checkzone.c
+++ b/bin/check/named-checkzone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named-checkzone.c,v 1.51.34.3 2009/05/29 02:17:43 marka Exp $ */
+/* $Id: named-checkzone.c,v 1.54 2009/05/29 02:14:31 marka Exp $ */
 
 /*! \file */
 
diff --git a/bin/check/named-checkzone.docbook b/bin/check/named-checkzone.docbook
index d8634473..488c16f8 100644
--- a/bin/check/named-checkzone.docbook
+++ b/bin/check/named-checkzone.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named-checkzone.docbook,v 1.34.334.2 2009/01/22 23:47:04 tbox Exp $ -->
+<!-- $Id: named-checkzone.docbook,v 1.36 2009/01/20 23:47:56 tbox Exp $ -->
 <refentry id="man.named-checkzone">
   <refentryinfo>
     <date>June 13, 2000</date>
diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html
index 71dc445e..52ab314e 100644
--- a/bin/check/named-checkzone.html
+++ b/bin/check/named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: named-checkzone.html,v 1.42.334.1 2009/01/23 01:53:33 tbox Exp $ -->
+<!-- $Id: named-checkzone.html,v 1.43 2009/01/21 01:12:07 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
new file mode 100644
index 00000000..08b55166
--- /dev/null
+++ b/bin/confgen/Makefile.in
@@ -0,0 +1,99 @@
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.3 2009/06/11 23:47:55 tbox Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
+	${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCCCLIBS =	../../lib/isccc/libisccc.@A@
+ISCLIBS =	../../lib/isc/libisc.@A@
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+BIND9LIBS =	../../lib/bind9/libbind9.@A@
+
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+ISCCCDEPLIBS =	../../lib/isccc/libisccc.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
+
+RNDCLIBS =	${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
+RNDCDEPLIBS =	${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+CONFLIBS =	${DNSLIBS} ${ISCLIBS} @LIBS@
+CONFDEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+
+SRCS=		rndc-confgen.c ddns-confgen.c
+
+SUBDIRS =	unix
+
+TARGETS =	rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@
+
+MANPAGES =	rndc-confgen.8 ddns-confgen.8
+
+HTMLPAGES =	rndc-confgen.html ddns-confgen.html
+
+MANOBJS =	${MANPAGES} ${HTMLPAGES}
+
+UOBJS =		unix/os.@O@
+
+@BIND9_MAKE_RULES@
+
+rndc-confgen.@O@: rndc-confgen.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
+		-c ${srcdir}/rndc-confgen.c
+
+ddns-confgen.@O@: ddns-confgen.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DDDNS_KEYFILE=\"${localstatedir}/run/named/ddns.key\" \
+		-c ${srcdir}/ddns-confgen.c
+
+rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} 
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc-confgen.@O@ util.@O@ keygen.@O@ \
+		${UOBJS} ${CONFLIBS}
+
+ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} 
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ddns-confgen.@O@ util.@O@ keygen.@O@ \
+		${UOBJS} ${CONFLIBS}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+	rm -f ${MANOBJS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
+	${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
+	${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8
+
+clean distclean maintainer-clean::
+	rm -f ${TARGETS}
diff --git a/bin/confgen/ddns-confgen.8 b/bin/confgen/ddns-confgen.8
new file mode 100644
index 00000000..6066e47b
--- /dev/null
+++ b/bin/confgen/ddns-confgen.8
@@ -0,0 +1,143 @@
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\" 
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: ddns-confgen.8,v 1.7 2009/06/17 01:12:48 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\"     Title: ddns\-confgen
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: Jan 29, 2009
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "DDNS\-CONFGEN" "8" "Jan 29, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+ddns\-confgen \- ddns key generation tool
+.SH "SYNOPSIS"
+.HP 13
+\fBddns\-confgen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\fB\-s\ name\ |\ \-z\ zone\fR] [\fB\-q\fR] [name]
+.SH "DESCRIPTION"
+.PP
+\fBddns\-confgen\fR
+generates a key for use by
+\fBnsupdate\fR
+and
+\fBnamed\fR. It simplifies configuration of dynamic zones by generating a key and providing the
+\fBnsupdate\fR
+and
+\fBnamed.conf\fR
+syntax that will be needed to use it, including an example
+\fBupdate\-policy\fR
+statement.
+.PP
+If a domain name is specified on the command line, it will be used in the name of the generated key and in the sample
+\fBnamed.conf\fR
+syntax. For example,
+\fBddns\-confgen example.com\fR
+would generate a key called "ddns\-key.example.com", and sample
+\fBnamed.conf\fR
+command that could be used in the zone definition for "example.com".
+.PP
+Note that
+\fBnamed\fR
+itself can configure a local DDNS key for use with
+\fBnsupdate \-l\fR.
+\fBddns\-confgen\fR
+is only needed when a more elaborate configuration is required: for instance, if
+\fBnsupdate\fR
+is to be used from a remote system.
+.SH "OPTIONS"
+.PP
+\-a \fIalgorithm\fR
+.RS 4
+Specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512. The default is hmac\-sha256.
+.RE
+.PP
+\-h
+.RS 4
+Prints a short summary of the options and arguments to
+\fBddns\-confgen\fR.
+.RE
+.PP
+\-k \fIkeyname\fR
+.RS 4
+Specifies the key name of the DDNS authentication key. The default is
+\fBddns\-key\fR
+when neither the
+\fB\-s\fR
+nor
+\fB\-z\fR
+option is specified; otherwise, the default is
+\fBddns\-key\fR
+as a separate label followed by the argument of the option, e.g.,
+\fBddns\-key.example.com.\fR
+The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods.
+.RE
+.PP
+\-q
+.RS 4
+Quiet mode: Print only the key, with no explanatory text or usage examples.
+.RE
+.PP
+\-r \fIrandomfile\fR
+.RS 4
+Specifies a source of random data for generating the authorization. If the operating system does not provide a
+\fI/dev/random\fR
+or equivalent device, the default source of randomness is keyboard input.
+\fIrandomdev\fR
+specifies the name of a character device or file containing random data to be used instead of the default. The special value
+\fIkeyboard\fR
+indicates that keyboard input should be used.
+.RE
+.PP
+\-s \fIname\fR
+.RS 4
+Self mode: The example
+\fBnamed.conf\fR
+text shows how to set an update policy for the specified
+\fIname\fR
+using the "self" nametype, instead of the "subdomain" nametype which allows matching on any name within a specified domain. This option cannot be used with the
+\fB\-z\fR
+option.
+.RE
+.PP
+\-z \fIzone\fR
+.RS 4
+zone mode: The example
+\fBnamed.conf\fR
+text shows how to set an update policy for the specified
+\fIzone\fR
+using the "zonesub" nametype, allowing updates to all subdomain names within that
+\fIzone\fR. This option cannot be used with the
+\fB\-s\fR
+option.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBnsupdate\fR(1),
+\fBnamed.conf\fR(5),
+\fBnamed\fR(8),
+BIND 9 Administrator Reference Manual.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/confgen/ddns-confgen.c b/bin/confgen/ddns-confgen.c
new file mode 100644
index 00000000..fe3d20b3
--- /dev/null
+++ b/bin/confgen/ddns-confgen.c
@@ -0,0 +1,253 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ddns-confgen.c,v 1.6 2009/06/17 19:18:37 jinmei Exp $ */
+
+/*! \file */
+
+/**
+ * ddns-confgen generates configuration files for dynamic DNS. It can
+ * be used as a convenient alternative to writing the ddns.key file
+ * and the corresponding key and update-policy statements in named.conf.
+ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <stdarg.h>
+
+#include <isc/assertions.h>
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/keyboard.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+
+#include <dst/dst.h>
+#include <confgen/os.h>
+
+#include "util.h"
+#include "keygen.h"
+
+#define DEFAULT_KEYNAME		"ddns-key"
+
+static char program[256];
+const char *progname;
+
+isc_boolean_t verbose = ISC_FALSE;
+
+static void
+usage(int status) {
+
+	fprintf(stderr, "\
+Usage:\n\
+ %s [-a alg] [-k keyname] [-r randomfile] [-q] [-s name | -z zone]\n\
+  -a alg:        algorithm (default hmac-sha256)\n\
+  -k keyname:    name of the key as it will be used in named.conf\n\
+  -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
+  -s name:       domain name to be updated using the created key\n\
+  -z zone:       name of the zone as it will be used in named.conf\n\
+  -q:            quiet mode: print the key, with no explanatory text\n",
+		 progname);
+
+	exit (status);
+}
+
+int
+main(int argc, char **argv) {
+	isc_boolean_t show_final_mem = ISC_FALSE;
+	isc_boolean_t quiet = ISC_FALSE;
+	isc_buffer_t key_txtbuffer;
+	char key_txtsecret[256];
+	isc_mem_t *mctx = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	const char *randomfile = NULL;
+	const char *keyname = NULL;
+	const char *zone = NULL;
+	const char *self_domain = NULL;
+	char *keybuf = NULL;
+	dns_secalg_t alg = DST_ALG_HMACSHA256;
+	const char *algname = alg_totext(alg);
+	int keysize = 256;
+	int len = 0;
+	int ch;
+
+	result = isc_file_progname(*argv, program, sizeof(program));
+	if (result != ISC_R_SUCCESS)
+		memcpy(program, "ddns-confgen", 13);
+	progname = program;
+
+	isc_commandline_errprint = ISC_FALSE;
+
+	while ((ch = isc_commandline_parse(argc, argv,
+					   "a:hk:Mmr:qs:Vy:z:")) != -1) {
+		switch (ch) {
+		case 'a':
+			algname = isc_commandline_argument;
+			alg = alg_fromtext(algname);
+			if (alg == DST_ALG_UNKNOWN)
+				fatal("Unsupported algorithm '%s'", algname);
+			keysize = alg_bits(alg);
+			break;
+		case 'h':
+			usage(0);
+		case 'k':
+		case 'y':
+			keyname = isc_commandline_argument;
+			break;
+		case 'M':
+			isc_mem_debugging = ISC_MEM_DEBUGTRACE;
+			break;
+		case 'm':
+			show_final_mem = ISC_TRUE;
+			break;
+		case 'q':
+			quiet = ISC_TRUE;
+			break;
+		case 'r':
+			randomfile = isc_commandline_argument;
+			break;
+		case 's':
+			self_domain = isc_commandline_argument;
+			break;
+		case 'V':
+			verbose = ISC_TRUE;
+			break;
+		case 'z':
+			zone = isc_commandline_argument;
+			break;
+		case '?':
+			if (isc_commandline_option != '?') {
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+				usage(1);
+			} else
+				usage(0);
+			break;
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n",
+				program, isc_commandline_option);
+			exit(1);
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+
+	if (self_domain != NULL && zone != NULL)
+		usage(1);	/* -s and -z cannot coexist */
+
+	if (argc > 0)
+		usage(1);
+
+	DO("create memory context", isc_mem_create(0, 0, &mctx));
+
+	if (keyname == NULL) {
+		const char *suffix = NULL;
+
+		keyname = DEFAULT_KEYNAME;
+		if (self_domain != NULL)
+			suffix = self_domain;
+		else if (zone != NULL)
+			suffix = zone;
+		if (suffix != NULL) {
+			len = strlen(keyname) + strlen(suffix) + 2;
+			keybuf = isc_mem_get(mctx, len);
+			if (keybuf == NULL)
+				fatal("failed to allocate memory for keyname");
+			snprintf(keybuf, len, "%s.%s", keyname, suffix);
+			keyname = (const char *) keybuf;
+		}
+	}
+
+	isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
+
+	generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer);
+
+
+	if (!quiet)
+		printf("\
+# To activate this key, place the following in named.conf, and\n\
+# in a separate keyfile on the system or systems from which nsupdate\n\
+# will be run:\n");
+
+	printf("\
+key \"%s\" {\n\
+	algorithm %s;\n\
+	secret \"%.*s\";\n\
+};\n",
+	       keyname, algname,
+	       (int)isc_buffer_usedlength(&key_txtbuffer),
+	       (char *)isc_buffer_base(&key_txtbuffer));
+
+	if (!quiet) {
+		if (self_domain != NULL) {
+			printf("\n\
+# Then, in the \"zone\" statement for the zone containing the\n\
+# name \"%s\", place an \"update-policy\" statement\n\
+# like this one, adjusted as needed for your preferred permissions:\n\
+update-policy {\n\
+	  grant %s self . ANY;\n\
+};\n",
+			       self_domain, keyname);
+		} else if (zone != NULL) {
+			printf("\n\
+# Then, in the \"zone\" definition statement for \"%s\",\n\
+# place an \"update-policy\" statement like this one, adjusted as \n\
+# needed for your preferred permissions:\n\
+update-policy {\n\
+	  grant %s zonesub ANY;\n\
+};\n",
+			       zone, keyname);
+		} else {
+			printf("\n\
+# Then, in the \"zone\" statement for each zone you wish to dynamically\n\
+# update, place an \"update-policy\" statement granting update permission\n\
+# to this key.  For example, the following statement grants this key\n\
+# permission to update any name within the zone:\n\
+update-policy {\n\
+	grant %s zonesub ANY;\n\
+};\n",
+			       keyname);
+		}
+	}
+
+	printf("\n\
+# After the keyfile has been placed, the following command will\n\
+# execute nsupdate using this key:\n\
+nsupdate -k <keyfile>\n");
+
+	if (keybuf != NULL)
+		isc_mem_put(mctx, keybuf, len);
+
+	if (show_final_mem)
+		isc_mem_stats(mctx, stderr);
+
+	isc_mem_destroy(&mctx);
+
+	return (0);
+}
diff --git a/bin/confgen/ddns-confgen.docbook b/bin/confgen/ddns-confgen.docbook
new file mode 100644
index 00000000..a7e6eb9c
--- /dev/null
+++ b/bin/confgen/ddns-confgen.docbook
@@ -0,0 +1,213 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+	       "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+	       [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: ddns-confgen.docbook,v 1.4 2009/06/16 22:36:53 jinmei Exp $ -->
+<refentry id="man.ddns-confgen">
+  <refentryinfo>
+    <date>Jan 29, 2009</date>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>ddns-confgen</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>ddns-confgen</application></refname>
+    <refpurpose>ddns key generation tool</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2009</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>ddns-confgen</command>
+      <arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
+      <arg><option>-h</option></arg>
+      <arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
+      <arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
+      <arg><option>-s name | -z zone</option></arg>
+      <arg><option>-q</option></arg>
+      <arg choice="opt">name</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para><command>ddns-confgen</command>
+      generates a key for use by <command>nsupdate</command>
+      and <command>named</command>.  It simplifies configuration
+      of dynamic zones by generating a key and providing the
+      <command>nsupdate</command> and <command>named.conf</command>
+      syntax that will be needed to use it, including an example
+      <command>update-policy</command> statement.
+    </para>
+
+    <para>
+      If a domain name is specified on the command line, it will
+      be used in the name of the generated key and in the sample
+      <command>named.conf</command> syntax.  For example,
+      <command>ddns-confgen example.com</command> would
+      generate a key called "ddns-key.example.com", and sample
+      <command>named.conf</command> command that could be used
+      in the zone definition for "example.com".
+    </para>
+
+    <para>
+      Note that <command>named</command> itself can configure a
+      local DDNS key for use with <command>nsupdate -l</command>.
+      <command>ddns-confgen</command> is only needed when a 
+      more elaborate configuration is required: for instance, if
+      <command>nsupdate</command> is to be used from a remote system.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>OPTIONS</title>
+
+    <variablelist>
+      <varlistentry>
+	<term>-a <replaceable class="parameter">algorithm</replaceable></term>
+	<listitem>
+	  <para>
+            Specifies the algorithm to use for the TSIG key.  Available
+            choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
+            hmac-sha384 and hmac-sha512.  The default is hmac-sha256.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-h</term>
+	<listitem>
+	  <para>
+	    Prints a short summary of the options and arguments to
+	    <command>ddns-confgen</command>.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-k <replaceable class="parameter">keyname</replaceable></term>
+	<listitem>
+	  <para>
+	    Specifies the key name of the DDNS authentication key.
+	    The default is <constant>ddns-key</constant> when neither
+	    the <command>-s</command> nor <command>-z</command> option is
+	    specified; otherwise, the default
+	    is <constant>ddns-key</constant> as a separate label
+	    followed by the argument of the option, e.g.,
+	    <constant>ddns-key.example.com.</constant>
+	    The key name must have the format of a valid domain name,
+	    consisting of letters, digits, hyphens and periods.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-q</term>
+	<listitem>
+	  <para>
+	    Quiet mode:  Print only the key, with no explanatory text or
+            usage examples.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-r <replaceable class="parameter">randomfile</replaceable></term>
+	<listitem>
+	  <para>
+            Specifies a source of random data for generating the
+            authorization.  If the operating system does not provide a
+            <filename>/dev/random</filename> or equivalent device, the
+            default source of randomness is keyboard input.
+            <filename>randomdev</filename> specifies the name of a
+            character device or file containing random data to be used
+            instead of the default.  The special value
+            <filename>keyboard</filename> indicates that keyboard input
+            should be used.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-s <replaceable class="parameter">name</replaceable></term>
+	<listitem>
+	  <para>
+	    Self mode:  The example <command>named.conf</command> text
+            shows how to set an update policy for the specified
+	    <replaceable class="parameter">name</replaceable>
+	    using the "self" nametype, instead of the "subdomain"
+	    nametype which allows matching on any name within a
+	    specified domain.
+	    This option cannot be used with the <command>-z</command> option.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-z <replaceable class="parameter">zone</replaceable></term>
+	<listitem>
+	  <para>
+	    zone mode:  The example <command>named.conf</command> text
+            shows how to set an update policy for the specified
+	    <replaceable class="parameter">zone</replaceable>
+	    using the "zonesub" nametype, allowing updates to all subdomain
+	    names within
+	    that <replaceable class="parameter">zone</replaceable>.
+	    This option cannot be used with the <command>-s</command> option.
+	  </para>
+	</listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+	<refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>AUTHOR</title>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
+    </para>
+  </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/bin/confgen/ddns-confgen.html b/bin/confgen/ddns-confgen.html
new file mode 100644
index 00000000..47997a9c
--- /dev/null
+++ b/bin/confgen/ddns-confgen.html
@@ -0,0 +1,139 @@
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: ddns-confgen.html,v 1.7 2009/06/17 01:12:48 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>ddns-confgen</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.ddns-confgen"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">ddns-confgen</span> &#8212; ddns key generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s name | -z zone</code>] [<code class="option">-q</code>] [name]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543377"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">ddns-confgen</strong></span>
+      generates a key for use by <span><strong class="command">nsupdate</strong></span>
+      and <span><strong class="command">named</strong></span>.  It simplifies configuration
+      of dynamic zones by generating a key and providing the
+      <span><strong class="command">nsupdate</strong></span> and <span><strong class="command">named.conf</strong></span>
+      syntax that will be needed to use it, including an example
+      <span><strong class="command">update-policy</strong></span> statement.
+    </p>
+<p>
+      If a domain name is specified on the command line, it will
+      be used in the name of the generated key and in the sample
+      <span><strong class="command">named.conf</strong></span> syntax.  For example,
+      <span><strong class="command">ddns-confgen example.com</strong></span> would
+      generate a key called "ddns-key.example.com", and sample
+      <span><strong class="command">named.conf</strong></span> command that could be used
+      in the zone definition for "example.com".
+    </p>
+<p>
+      Note that <span><strong class="command">named</strong></span> itself can configure a
+      local DDNS key for use with <span><strong class="command">nsupdate -l</strong></span>.
+      <span><strong class="command">ddns-confgen</strong></span> is only needed when a 
+      more elaborate configuration is required: for instance, if
+      <span><strong class="command">nsupdate</strong></span> is to be used from a remote system.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543436"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd><p>
+            Specifies the algorithm to use for the TSIG key.  Available
+            choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
+            hmac-sha384 and hmac-sha512.  The default is hmac-sha256.
+	  </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+	    Prints a short summary of the options and arguments to
+	    <span><strong class="command">ddns-confgen</strong></span>.
+	  </p></dd>
+<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
+<dd><p>
+	    Specifies the key name of the DDNS authentication key.
+	    The default is <code class="constant">ddns-key</code> when neither
+	    the <span><strong class="command">-s</strong></span> nor <span><strong class="command">-z</strong></span> option is
+	    specified; otherwise, the default
+	    is <code class="constant">ddns-key</code> as a separate label
+	    followed by the argument of the option, e.g.,
+	    <code class="constant">ddns-key.example.com.</code>
+	    The key name must have the format of a valid domain name,
+	    consisting of letters, digits, hyphens and periods.
+	  </p></dd>
+<dt><span class="term">-q</span></dt>
+<dd><p>
+	    Quiet mode:  Print only the key, with no explanatory text or
+            usage examples.
+	  </p></dd>
+<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
+<dd><p>
+            Specifies a source of random data for generating the
+            authorization.  If the operating system does not provide a
+            <code class="filename">/dev/random</code> or equivalent device, the
+            default source of randomness is keyboard input.
+            <code class="filename">randomdev</code> specifies the name of a
+            character device or file containing random data to be used
+            instead of the default.  The special value
+            <code class="filename">keyboard</code> indicates that keyboard input
+            should be used.
+	  </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
+<dd><p>
+	    Self mode:  The example <span><strong class="command">named.conf</strong></span> text
+            shows how to set an update policy for the specified
+	    <em class="replaceable"><code>name</code></em>
+	    using the "self" nametype, instead of the "subdomain"
+	    nametype which allows matching on any name within a
+	    specified domain.
+	    This option cannot be used with the <span><strong class="command">-z</strong></span> option.
+	  </p></dd>
+<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
+<dd><p>
+	    zone mode:  The example <span><strong class="command">named.conf</strong></span> text
+            shows how to set an update policy for the specified
+	    <em class="replaceable"><code>zone</code></em>
+	    using the "zonesub" nametype, allowing updates to all subdomain
+	    names within
+	    that <em class="replaceable"><code>zone</code></em>.
+	    This option cannot be used with the <span><strong class="command">-s</strong></span> option.
+	  </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543618"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543656"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div></body>
+</html>
diff --git a/bin/confgen/include/confgen/os.h b/bin/confgen/include/confgen/os.h
new file mode 100644
index 00000000..2019701f
--- /dev/null
+++ b/bin/confgen/include/confgen/os.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: os.h,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
+
+/*! \file */
+
+#ifndef RNDC_OS_H
+#define RNDC_OS_H 1
+
+#include <isc/lang.h>
+#include <stdio.h>
+
+ISC_LANG_BEGINDECLS
+
+int set_user(FILE *fd, const char *user);
+/*%<
+ * Set the owner of the file referenced by 'fd' to 'user'.
+ * Returns:
+ *   0 		success
+ *   -1 	insufficient permissions, or 'user' does not exist.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
new file mode 100644
index 00000000..bdeac94d
--- /dev/null
+++ b/bin/confgen/keygen.c
@@ -0,0 +1,218 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: keygen.c,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <stdarg.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/keyboard.h>
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/string.h>
+
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+
+#include <dst/dst.h>
+#include <confgen/os.h>
+
+#include "util.h"
+#include "keygen.h"
+
+/*%
+ * Convert algorithm type to string.
+ */
+const char *
+alg_totext(dns_secalg_t alg) {
+	switch (alg) {
+	    case DST_ALG_HMACMD5:
+		return "hmac-md5";
+	    case DST_ALG_HMACSHA1:
+		return "hmac-sha1";
+	    case DST_ALG_HMACSHA224:
+		return "hmac-sha224";
+	    case DST_ALG_HMACSHA256:
+		return "hmac-sha256";
+	    case DST_ALG_HMACSHA384:
+		return "hmac-sha384";
+	    case DST_ALG_HMACSHA512:
+		return "hmac-sha512";
+	    default:
+		return "(unknown)";
+	}
+}
+
+/*%
+ * Convert string to algorithm type.
+ */
+dns_secalg_t
+alg_fromtext(const char *name) {
+	if (strcmp(name, "hmac-md5") == 0)
+		return DST_ALG_HMACMD5;
+	if (strcmp(name, "hmac-sha1") == 0)
+		return DST_ALG_HMACSHA1;
+	if (strcmp(name, "hmac-sha224") == 0)
+		return DST_ALG_HMACSHA224;
+	if (strcmp(name, "hmac-sha256") == 0)
+		return DST_ALG_HMACSHA256;
+	if (strcmp(name, "hmac-sha384") == 0)
+		return DST_ALG_HMACSHA384;
+	if (strcmp(name, "hmac-sha512") == 0)
+		return DST_ALG_HMACSHA512;
+	return DST_ALG_UNKNOWN;
+}
+
+/*%
+ * Return default keysize for a given algorithm type.
+ */
+int
+alg_bits(dns_secalg_t alg) {
+	switch (alg) {
+	    case DST_ALG_HMACMD5:
+		return 128;
+	    case DST_ALG_HMACSHA1:
+		return 160;
+	    case DST_ALG_HMACSHA224:
+		return 224;
+	    case DST_ALG_HMACSHA256:
+		return 256;
+	    case DST_ALG_HMACSHA384:
+		return 384;
+	    case DST_ALG_HMACSHA512:
+		return 512;
+	    default:
+		return 0;
+	}
+}
+
+/*%
+ * Generate a key of size 'keysize' using entropy source 'randomfile',
+ * and place it in 'key_txtbuffer'
+ */
+void
+generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
+	     int keysize, isc_buffer_t *key_txtbuffer) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_entropysource_t *entropy_source = NULL;
+	int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE;
+	int entropy_flags = 0;
+	isc_entropy_t *ectx = NULL;
+	isc_buffer_t key_rawbuffer;
+	isc_region_t key_rawregion;
+	char key_rawsecret[64];
+	dst_key_t *key = NULL;
+
+	switch (alg) {
+	    case DST_ALG_HMACMD5:
+		if (keysize < 1 || keysize > 512)
+			fatal("keysize %d out of range (must be 1-512)\n",
+			      keysize);
+		break;
+	    case DST_ALG_HMACSHA256:
+		if (keysize < 1 || keysize > 256)
+			fatal("keysize %d out of range (must be 1-256)\n",
+			      keysize);
+		break;
+	    default:
+		fatal("unsupported algorithm %d\n", alg);
+	}
+
+
+	DO("create entropy context", isc_entropy_create(mctx, &ectx));
+
+	if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
+		randomfile = NULL;
+		open_keyboard = ISC_ENTROPY_KEYBOARDYES;
+	}
+	DO("start entropy source", isc_entropy_usebestsource(ectx,
+							     &entropy_source,
+							     randomfile,
+							     open_keyboard));
+
+	entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY;
+
+	DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags));
+
+	DO("generate key", dst_key_generate(dns_rootname, alg,
+					    keysize, 0, 0,
+					    DNS_KEYPROTO_ANY,
+					    dns_rdataclass_in, mctx, &key));
+
+	isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
+
+	DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
+
+	isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
+
+	DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
+						     key_txtbuffer));
+
+	/*
+	 * Shut down the entropy source now so the "stop typing" message
+	 * does not muck with the output.
+	 */
+	if (entropy_source != NULL)
+		isc_entropy_destroysource(&entropy_source);
+
+	if (key != NULL)
+		dst_key_free(&key);
+
+	isc_entropy_detach(&ectx);
+	dst_lib_destroy();
+}
+
+/*%
+ * Write a key file to 'keyfile'.  If 'user' is non-NULL,
+ * make that user the owner of the file.  The key will have
+ * the name 'keyname' and the secret in the buffer 'secret'.
+ */
+void
+write_key_file(const char *keyfile, const char *user,
+	       const char *keyname, isc_buffer_t *secret,
+	       dns_secalg_t alg) {
+	isc_result_t result;
+	const char *algname = alg_totext(alg);
+	FILE *fd;
+
+	DO("create keyfile", isc_file_safecreate(keyfile, &fd));
+
+	if (user != NULL) {
+		if (set_user(fd, user) == -1)
+			fatal("unable to set file owner\n");
+	}
+
+	fprintf(fd, "key \"%s\" {\n\talgorithm %s;\n"
+		"\tsecret \"%.*s\";\n};\n",
+		keyname, algname,
+		(int)isc_buffer_usedlength(secret),
+		(char *)isc_buffer_base(secret));
+	fflush(fd);
+	if (ferror(fd))
+		fatal("write to %s failed\n", keyfile);
+	if (fclose(fd))
+		fatal("fclose(%s) failed\n", keyfile);
+	fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
+}
+
diff --git a/bin/confgen/keygen.h b/bin/confgen/keygen.h
new file mode 100644
index 00000000..a9ded409
--- /dev/null
+++ b/bin/confgen/keygen.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: keygen.h,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
+
+#ifndef RNDC_KEYGEN_H
+#define RNDC_KEYGEN_H 1
+
+/*! \file */
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+void generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
+		  int keysize, isc_buffer_t *key_txtbuffer);
+
+void write_key_file(const char *keyfile, const char *user,
+		    const char *keyname, isc_buffer_t *secret,
+		    dns_secalg_t alg);
+
+const char *alg_totext(dns_secalg_t alg);
+dns_secalg_t alg_fromtext(const char *name);
+int alg_bits(dns_secalg_t alg);
+
+ISC_LANG_ENDDECLS
+
+#endif /* RNDC_KEYGEN_H */
diff --git a/bin/rndc/rndc-confgen.8 b/bin/confgen/rndc-confgen.8
index 440870a5..bd29785b 100644
--- a/bin/rndc/rndc-confgen.8
+++ b/bin/confgen/rndc-confgen.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2001, 2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc-confgen.8,v 1.20 2007/01/30 00:24:59 marka Exp $
+.\" $Id: rndc-confgen.8,v 1.6 2009/06/16 01:12:45 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -205,7 +205,7 @@ BIND 9 Administrator Reference Manual.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2001, 2003 Internet Software Consortium.
 .br
diff --git a/bin/rndc/rndc-confgen.c b/bin/confgen/rndc-confgen.c
index 221135ea..33647eea 100644
--- a/bin/rndc/rndc-confgen.c
+++ b/bin/confgen/rndc-confgen.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc-confgen.c,v 1.26 2008/10/15 23:47:31 tbox Exp $ */
+/* $Id: rndc-confgen.c,v 1.4 2009/06/15 23:47:59 tbox Exp $ */
 
 /*! \file */
 
@@ -52,9 +52,10 @@
 #include <dns/name.h>
 
 #include <dst/dst.h>
-#include <rndc/os.h>
+#include <confgen/os.h>
 
 #include "util.h"
+#include "keygen.h"
 
 #define DEFAULT_KEYLENGTH	128		/*% Bits. */
 #define DEFAULT_KEYNAME		"rndc-key"
@@ -75,72 +76,36 @@ usage(int status) {
 Usage:\n\
  %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
 [-s addr] [-t chrootdir] [-u user]\n\
-  -a:		generate just the key clause and write it to keyfile (%s)\n\
-  -b bits:	from 1 through 512, default %d; total length of the secret\n\
-  -c keyfile:	specify an alternate key file (requires -a)\n\
-  -k keyname:	the name as it will be used  in named.conf and rndc.conf\n\
-  -p port:	the port named will listen on and rndc will connect to\n\
-  -r randomfile: a file containing random data\n\
-  -s addr:	the address to which rndc should connect\n\
-  -t chrootdir:	write a keyfile in chrootdir as well (requires -a)\n\
-  -u user:	set the keyfile owner to \"user\" (requires -a)\n",
-		progname, keydef, DEFAULT_KEYLENGTH);
+  -a:		 generate just the key clause and write it to keyfile (%s)\n\
+  -b bits:	 from 1 through 512, default %d; total length of the secret\n\
+  -c keyfile:	 specify an alternate key file (requires -a)\n\
+  -k keyname:	 the name as it will be used  in named.conf and rndc.conf\n\
+  -p port:	 the port named will listen on and rndc will connect to\n\
+  -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
+  -s addr:	 the address to which rndc should connect\n\
+  -t chrootdir:	 write a keyfile in chrootdir as well (requires -a)\n\
+  -u user:	 set the keyfile owner to \"user\" (requires -a)\n",
+		 progname, keydef, DEFAULT_KEYLENGTH);
 
 	exit (status);
 }
 
-/*%
- * Write an rndc.key file to 'keyfile'.  If 'user' is non-NULL,
- * make that user the owner of the file.  The key will have
- * the name 'keyname' and the secret in the buffer 'secret'.
- */
-static void
-write_key_file(const char *keyfile, const char *user,
-	       const char *keyname, isc_buffer_t *secret )
-{
-	FILE *fd;
-
-	fd = safe_create(keyfile);
-	if (fd == NULL)
-		fatal( "unable to create \"%s\"\n", keyfile);
-	if (user != NULL) {
-		if (set_user(fd, user) == -1)
-			fatal("unable to set file owner\n");
-	}
-	fprintf(fd, "key \"%s\" {\n\talgorithm hmac-md5;\n"
-		"\tsecret \"%.*s\";\n};\n", keyname,
-		(int)isc_buffer_usedlength(secret),
-		(char *)isc_buffer_base(secret));
-	fflush(fd);
-	if (ferror(fd))
-		fatal("write to %s failed\n", keyfile);
-	if (fclose(fd))
-		fatal("fclose(%s) failed\n", keyfile);
-	fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
-}
-
 int
 main(int argc, char **argv) {
 	isc_boolean_t show_final_mem = ISC_FALSE;
-	isc_buffer_t key_rawbuffer;
 	isc_buffer_t key_txtbuffer;
-	isc_region_t key_rawregion;
+	char key_txtsecret[256];
 	isc_mem_t *mctx = NULL;
-	isc_entropy_t *ectx = NULL;
-	isc_entropysource_t *entropy_source = NULL;
 	isc_result_t result = ISC_R_SUCCESS;
-	dst_key_t *key = NULL;
 	const char *keyname = NULL;
 	const char *randomfile = NULL;
 	const char *serveraddr = NULL;
-	char key_rawsecret[64];
-	char key_txtsecret[256];
+	dns_secalg_t alg = DST_ALG_HMACMD5;
+	const char *algname = alg_totext(alg);
 	char *p;
 	int ch;
 	int port;
 	int keysize;
-	int entropy_flags = 0;
-	int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE;
 	struct in_addr addr4_dummy;
 	struct in6_addr addr6_dummy;
 	char *chrootdir = NULL;
@@ -237,53 +202,13 @@ main(int argc, char **argv) {
 		usage(1);
 
 	DO("create memory context", isc_mem_create(0, 0, &mctx));
-
-	DO("create entropy context", isc_entropy_create(mctx, &ectx));
-
-	if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
-		randomfile = NULL;
-		open_keyboard = ISC_ENTROPY_KEYBOARDYES;
-	}
-	DO("start entropy source", isc_entropy_usebestsource(ectx,
-							     &entropy_source,
-							     randomfile,
-							     open_keyboard));
-
-	entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY;
-
-	DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags));
-
-	DO("generate key", dst_key_generate(dns_rootname, DST_ALG_HMACMD5,
-					    keysize, 0, 0,
-					    DNS_KEYPROTO_ANY,
-					    dns_rdataclass_in, mctx, &key));
-
-	isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
-
-	DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
-
 	isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
-	isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
-
-	DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
-						     &key_txtbuffer));
-
-	/*
-	 * Shut down the entropy source now so the "stop typing" message
-	 * does not muck with the output.
-	 */
-	if (entropy_source != NULL)
-		isc_entropy_destroysource(&entropy_source);
-
-	if (key != NULL)
-		dst_key_free(&key);
 
-	isc_entropy_detach(&ectx);
-	dst_lib_destroy();
+	generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer);
 
 	if (keyonly) {
 		write_key_file(keyfile, chrootdir == NULL ? user : NULL,
-			       keyname, &key_txtbuffer);
+			       keyname, &key_txtbuffer, alg);
 
 		if (chrootdir != NULL) {
 			char *buf;
@@ -294,14 +219,14 @@ main(int argc, char **argv) {
 			snprintf(buf, len, "%s%s%s", chrootdir,
 				 (*keyfile != '/') ? "/" : "", keyfile);
 
-			write_key_file(buf, user, keyname, &key_txtbuffer);
+			write_key_file(buf, user, keyname, &key_txtbuffer, alg);
 			isc_mem_put(mctx, buf, len);
 		}
 	} else {
 		printf("\
 # Start of rndc.conf\n\
 key \"%s\" {\n\
-	algorithm hmac-md5;\n\
+	algorithm %s;\n\
 	secret \"%.*s\";\n\
 };\n\
 \n\
@@ -314,7 +239,7 @@ options {\n\
 \n\
 # Use with the following in named.conf, adjusting the allow list as needed:\n\
 # key \"%s\" {\n\
-# 	algorithm hmac-md5;\n\
+# 	algorithm %s;\n\
 # 	secret \"%.*s\";\n\
 # };\n\
 # \n\
@@ -323,11 +248,11 @@ options {\n\
 # 		allow { %s; } keys { \"%s\"; };\n\
 # };\n\
 # End of named.conf\n",
-		       keyname,
+		       keyname, algname,
 		       (int)isc_buffer_usedlength(&key_txtbuffer),
 		       (char *)isc_buffer_base(&key_txtbuffer),
 		       keyname, serveraddr, port,
-		       keyname,
+		       keyname, algname,
 		       (int)isc_buffer_usedlength(&key_txtbuffer),
 		       (char *)isc_buffer_base(&key_txtbuffer),
 		       serveraddr, port, serveraddr, keyname);
diff --git a/bin/rndc/rndc-confgen.docbook b/bin/confgen/rndc-confgen.docbook
index 4c51da57..af2cc432 100644
--- a/bin/rndc/rndc-confgen.docbook
+++ b/bin/confgen/rndc-confgen.docbook
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2001, 2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: rndc-confgen.docbook,v 1.13 2007/06/18 23:47:25 tbox Exp $ -->
+<!-- $Id: rndc-confgen.docbook,v 1.4 2009/06/15 23:47:59 tbox Exp $ -->
 <refentry id="man.rndc-confgen">
   <refentryinfo>
     <date>Aug 27, 2001</date>
@@ -40,6 +40,7 @@
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
+      <year>2009</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
diff --git a/bin/rndc/rndc-confgen.html b/bin/confgen/rndc-confgen.html
index 4be87afb..e702af64 100644
--- a/bin/rndc/rndc-confgen.html
+++ b/bin/confgen/rndc-confgen.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2001, 2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: rndc-confgen.html,v 1.25 2007/01/30 00:24:59 marka Exp $ -->
+<!-- $Id: rndc-confgen.html,v 1.6 2009/06/16 01:12:45 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,7 +32,7 @@
 <div class="cmdsynopsis"><p><code class="command">rndc-confgen</code>  [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543429"></a><h2>DESCRIPTION</h2>
+<a name="id2543432"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">rndc-confgen</strong></span>
       generates configuration files
       for <span><strong class="command">rndc</strong></span>.  It can be used as a
@@ -48,7 +48,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543474"></a><h2>OPTIONS</h2>
+<a name="id2543477"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a</span></dt>
 <dd>
@@ -155,7 +155,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543787"></a><h2>EXAMPLES</h2>
+<a name="id2543790"></a><h2>EXAMPLES</h2>
 <p>
       To allow <span><strong class="command">rndc</strong></span> to be used with
       no manual configuration, run
@@ -172,7 +172,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543829"></a><h2>SEE ALSO</h2>
+<a name="id2543832"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -180,7 +180,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543867"></a><h2>AUTHOR</h2>
+<a name="id2543870"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/bin/rndc/unix/Makefile.in b/bin/confgen/unix/Makefile.in
index 31a05325..924701e6 100644
--- a/bin/rndc/unix/Makefile.in
+++ b/bin/confgen/unix/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.5 2007/06/19 23:46:59 tbox Exp $
+# $Id: Makefile.in,v 1.3 2009/06/11 23:47:55 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/bin/rndc/unix/os.c b/bin/confgen/unix/os.c
index ddf82598..3901350d 100644
--- a/bin/rndc/unix/os.c
+++ b/bin/confgen/unix/os.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,13 +14,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.10 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: os.c,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
 
 /*! \file */
 
 #include <config.h>
 
-#include <rndc/os.h>
+#include <confgen/os.h>
 
 #include <fcntl.h>
 #include <unistd.h>
@@ -42,29 +41,3 @@ set_user(FILE *fd, const char *user) {
 	}
 	return (fchown(fileno(fd), pw->pw_uid, -1));
 }
-
-FILE *
-safe_create(const char *filename) {
-	int fd;
-	FILE *f;
-        struct stat sb;
-	int flags = O_WRONLY;
-
-        if (stat(filename, &sb) == -1) {
-                if (errno != ENOENT)
-			return (NULL);
-		flags = O_WRONLY | O_CREAT | O_EXCL;
-        } else if ((sb.st_mode & S_IFREG) == 0) {
-		errno = EOPNOTSUPP;
-		return (NULL);
-	} else
-		flags = O_WRONLY | O_TRUNC;
-
-	fd = open(filename, flags, S_IRUSR | S_IWUSR);
-	if (fd == -1)
-		return (NULL);
-	f = fdopen(fd, "w");
-	if (f == NULL)
-		close(fd);
-	return (f);
-}
diff --git a/bin/confgen/util.c b/bin/confgen/util.c
new file mode 100644
index 00000000..5f5f817a
--- /dev/null
+++ b/bin/confgen/util.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: util.c,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdarg.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include <isc/boolean.h>
+
+#include "util.h"
+
+extern isc_boolean_t verbose;
+extern const char *progname;
+
+void
+notify(const char *fmt, ...) {
+	va_list ap;
+
+	if (verbose) {
+		va_start(ap, fmt);
+		vfprintf(stderr, fmt, ap);
+		va_end(ap);
+		fputs("\n", stderr);
+	}
+}
+
+void
+fatal(const char *format, ...) {
+	va_list args;
+
+	fprintf(stderr, "%s: ", progname);
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+	exit(1);
+}
diff --git a/bin/confgen/util.h b/bin/confgen/util.h
new file mode 100644
index 00000000..89a09d7c
--- /dev/null
+++ b/bin/confgen/util.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: util.h,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
+
+#ifndef RNDC_UTIL_H
+#define RNDC_UTIL_H 1
+
+/*! \file */
+
+#include <isc/lang.h>
+
+#include <isc/formatcheck.h>
+
+#define NS_CONTROL_PORT		953
+
+#undef DO
+#define DO(name, function) \
+	do { \
+		result = function; \
+		if (result != ISC_R_SUCCESS) \
+			fatal("%s: %s", name, isc_result_totext(result)); \
+		else \
+			notify("%s", name); \
+	} while (0)
+
+ISC_LANG_BEGINDECLS
+
+void
+notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
+
+void
+fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+
+ISC_LANG_ENDDECLS
+
+#endif /* RNDC_UTIL_H */
diff --git a/bin/confgen/win32/confgentool.dsp b/bin/confgen/win32/confgentool.dsp
new file mode 100644
index 00000000..af684af2
--- /dev/null
+++ b/bin/confgen/win32/confgentool.dsp
@@ -0,0 +1,135 @@
+# Microsoft Developer Studio Project File - Name="confgentool" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Static-Link Library" 0x0104
+
+CFG=confgentool - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "confgentool.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "confgentool.mak" CFG="confgentool - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "confgentool - Win32 Release" (based on "Win32 (x86) Static-Link Library")
+!MESSAGE "confgentool - Win32 Debug" (based on "Win32 (x86) Static-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "confgentool - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /YX /FD /c /Fdconfgentool
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 
+# ADD LINK32 /out:"Release/confgentool.lib"
+LIB32=lib.exe
+# ADD BASE LIB32
+# ADD LIB32 /out:"Release/confgentool.lib"
+
+!ELSEIF  "$(CFG)" == "confgentool - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR /YX /FD /GZ /c /Fdconfgentool
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 
+# ADD LINK32 /debug /out:"Debug/confgentool.lib"
+LIB32=lib.exe
+# ADD BASE LIB32
+# ADD LIB32 /out:"Debug/confgentool.lib"
+
+!ENDIF 
+
+# Begin Target
+
+# Name "confgentool - Win32 Release"
+# Name "confgentool - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=..\keygen.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\util.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# Begin Group "Main Dns Lib"
+
+# PROP Default_Filter "c"
+# Begin Source File
+
+SOURCE=..\keygen.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\util.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\os.c
+# End Source File
+# End Group
+# End Target
+# End Project
diff --git a/bin/confgen/win32/confgentool.dsw b/bin/confgen/win32/confgentool.dsw
new file mode 100644
index 00000000..5a271747
--- /dev/null
+++ b/bin/confgen/win32/confgentool.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "confgentool"=".\confgentool.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/confgen/win32/ddnsconfgen.dsp b/bin/confgen/win32/ddnsconfgen.dsp
new file mode 100644
index 00000000..380fc6dd
--- /dev/null
+++ b/bin/confgen/win32/ddnsconfgen.dsp
@@ -0,0 +1,103 @@
+# Microsoft Developer Studio Project File - Name="ddnsconfgen" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "Win32 (x86) Console Application" 0x0103
+
+CFG=ddnsconfgen - Win32 Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "ddnsconfgen.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "ddnsconfgen.mak" CFG="ddnsconfgen - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "ddnsconfgen - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "ddnsconfgen - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "ddnsconfgen - Win32 Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/confgentool.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/isccc/win32/Release/libisccc.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/ddns-confgen.exe"
+
+!ELSEIF  "$(CFG)" == "ddnsconfgen - Win32 Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X /YX
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/confgentool.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/isccc/win32/Debug/libisccc.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/ddns-confgen.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "ddnsconfgen - Win32 Release"
+# Name "ddnsconfgen - Win32 Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE="..\ddns-confgen.c"
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/bin/confgen/win32/ddnsconfgen.dsw b/bin/confgen/win32/ddnsconfgen.dsw
new file mode 100644
index 00000000..d331818d
--- /dev/null
+++ b/bin/confgen/win32/ddnsconfgen.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "ddnsconfgen"=".\ddnsconfgen.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/bin/confgen/win32/ddnsconfgen.mak b/bin/confgen/win32/ddnsconfgen.mak
new file mode 100644
index 00000000..2efbfd09
--- /dev/null
+++ b/bin/confgen/win32/ddnsconfgen.mak
@@ -0,0 +1,337 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on ddnsconfgen.dsp
+!IF "$(CFG)" == ""
+CFG=ddnsconfgen - Win32 Debug
+!MESSAGE No configuration specified. Defaulting to ddnsconfgen - Win32 Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "ddnsconfgen - Win32 Release" && "$(CFG)" != "ddnsconfgen - Win32 Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "ddnsconfgen.mak" CFG="ddnsconfgen - Win32 Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "ddnsconfgen - Win32 Release" (based on "Win32 (x86) Console Application")
+!MESSAGE "ddnsconfgen - Win32 Debug" (based on "Win32 (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "ddnsconfgen - Win32 Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "ddnsconfgen - Win32 Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\ddns-confgen.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\os.obj"
+	-@erase "$(INTDIR)\ddns-confgen.obj"
+	-@erase "$(INTDIR)\keygen.obj"
+	-@erase "$(INTDIR)\util.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\ddns-confgen.exe"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\ddnsconfgen.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\ddnsconfgen.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/isccc/win32/Release/libisccc.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\ddns-confgen.pdb" /machine:I386 /out:"../../../Build/Release/ddns-confgen.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\os.obj" \
+	"$(INTDIR)\ddns-confgen.obj" \
+	"$(INTDIR)\keygen.obj" \
+	"$(INTDIR)\util.obj"
+
+"..\..\..\Build\Release\ddns-confgen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ELSEIF  "$(CFG)" == "ddnsconfgen - Win32 Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\ddns-confgen.exe" "$(OUTDIR)\ddnsconfgen.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\os.obj"
+	-@erase "$(INTDIR)\os.sbr"
+	-@erase "$(INTDIR)\ddns-confgen.obj"
+	-@erase "$(INTDIR)\ddns-confgen.sbr"
+	-@erase "$(INTDIR)\keygen.obj"
+	-@erase "$(INTDIR)\keygen.sbr"
+	-@erase "$(INTDIR)\util.obj"
+	-@erase "$(INTDIR)\util.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\ddnsconfgen.bsc"
+	-@erase "$(OUTDIR)\ddns-confgen.pdb"
+	-@erase "..\..\..\Build\Debug\ddns-confgen.exe"
+	-@erase "..\..\..\Build\Debug\ddns-confgen.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\ddnsconfgen.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\os.sbr" \
+	"$(INTDIR)\ddns-confgen.sbr" \
+	"$(INTDIR)\keygen.sbr" \
+	"$(INTDIR)\util.sbr"
+
+"$(OUTDIR)\ddnsconfgen.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/isccc/win32/Debug/libisccc.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\ddns-confgen.pdb" /debug /machine:I386 /out:"../../../Build/Debug/ddns-confgen.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\os.obj" \
+	"$(INTDIR)\ddns-confgen.obj" \
+	"$(INTDIR)\keygen.obj" \
+	"$(INTDIR)\util.obj"
+
+"..\..\..\Build\Debug\ddns-confgen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("ddnsconfgen.dep")
+!INCLUDE "ddnsconfgen.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "ddnsconfgen.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "ddnsconfgen - Win32 Release" || "$(CFG)" == "ddnsconfgen - Win32 Debug"
+SOURCE=.\os.c
+
+!IF  "$(CFG)" == "ddnsconfgen - Win32 Release"
+
+
+"$(INTDIR)\os.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "ddnsconfgen - Win32 Debug"
+
+
+"$(INTDIR)\os.obj"	"$(INTDIR)\os.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE="..\ddns-confgen.c"
+
+!IF  "$(CFG)" == "ddnsconfgen - Win32 Release"
+
+
+"$(INTDIR)\ddns-confgen.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "ddnsconfgen - Win32 Debug"
+
+
+"$(INTDIR)\ddns-confgen.obj"	"$(INTDIR)\ddns-confgen.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\keygen.c
+
+!IF  "$(CFG)" == "ddnsconfgen - Win32 Release"
+
+
+"$(INTDIR)\keygen.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "ddnsconfgen - Win32 Debug"
+
+
+"$(INTDIR)\keygen.obj"	"$(INTDIR)\keygen.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\util.c
+
+!IF  "$(CFG)" == "ddnsconfgen - Win32 Release"
+
+
+"$(INTDIR)\util.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "ddnsconfgen - Win32 Debug"
+
+
+"$(INTDIR)\util.obj"	"$(INTDIR)\util.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
diff --git a/bin/rndc/win32/os.c b/bin/confgen/win32/os.c
index cf9d3115..a428c5f9 100644
--- a/bin/rndc/win32/os.c
+++ b/bin/confgen/win32/os.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,11 +14,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.6 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: os.c,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
 
 #include <config.h>
 
-#include <rndc/os.h>
+#include <confgen/os.h>
 
 #include <fcntl.h>
 #include <unistd.h>
@@ -33,33 +32,3 @@ int
 set_user(FILE *fd, const char *user) {
 	return (0);
 }
-
-/*
- * Note that the error code EOPNOTSUPP does not exist
- * on win32 so we are forced to fall back to using
- * ENOENT for now. WSAEOPNOTSUPP does exist but it
- * should only be used for sockets.
- */
-
-FILE *
-safe_create(const char *filename) {
-	int fd;
-	FILE *f;
-        struct stat sb;
-
-        if (stat(filename, &sb) == -1) {
-                if (errno != ENOENT)
-			return (NULL);
-        } else if ((sb.st_mode & S_IFREG) == 0) {
-		errno = ENOENT;
-		return (NULL);
-	}
-
-	fd = open(filename, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
-	if (fd == -1)
-		return (NULL);
-	f = fdopen(fd, "w");
-	if (f == NULL)
-		close(fd);
-	return (f);
-}
diff --git a/bin/rndc/win32/confgen.dsp b/bin/confgen/win32/rndcconfgen.dsp
index 3cdd722b..6ba75906 100644
--- a/bin/rndc/win32/confgen.dsp
+++ b/bin/confgen/win32/rndcconfgen.dsp
@@ -8,12 +8,12 @@ CFG=rndcconfgen - Win32 Debug
 !MESSAGE This is not a valid makefile. To build this project using NMAKE,
 !MESSAGE use the Export Makefile command and run
 !MESSAGE 
-!MESSAGE NMAKE /f "confgen.mak".
+!MESSAGE NMAKE /f "rndcconfgen.mak".
 !MESSAGE 
 !MESSAGE You can specify a configuration when running NMAKE
 !MESSAGE by defining the macro CFG on the command line. For example:
 !MESSAGE 
-!MESSAGE NMAKE /f "confgen.mak" CFG="rndcconfgen - Win32 Debug"
+!MESSAGE NMAKE /f "rndcconfgen.mak" CFG="rndcconfgen - Win32 Debug"
 !MESSAGE 
 !MESSAGE Possible choices for configuration are:
 !MESSAGE 
@@ -50,7 +50,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/util.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/isccc/win32/Release/libisccc.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/rndc-confgen.exe"
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/confgentool.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/isccc/win32/Release/libisccc.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/rndc-confgen.exe"
 
 !ELSEIF  "$(CFG)" == "rndcconfgen - Win32 Debug"
 
@@ -75,7 +75,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/util.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/isccc/win32/Debug/libisccc.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/rndc-confgen.exe" /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/confgentool.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/isccc/win32/Debug/libisccc.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/rndc-confgen.exe" /pdbtype:sept
 
 !ENDIF 
 
@@ -88,20 +88,12 @@ LINK32=link.exe
 # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
 # Begin Source File
 
-SOURCE=.\os.c
-# End Source File
-# Begin Source File
-
 SOURCE="..\rndc-confgen.c"
 # End Source File
 # End Group
 # Begin Group "Header Files"
 
 # PROP Default_Filter "h;hpp;hxx;hm;inl"
-# Begin Source File
-
-SOURCE=..\util.h
-# End Source File
 # End Group
 # Begin Group "Resource Files"
 
diff --git a/bin/rndc/win32/confgen.dsw b/bin/confgen/win32/rndcconfgen.dsw
index 1b1f8884..cf17691a 100644
--- a/bin/rndc/win32/confgen.dsw
+++ b/bin/confgen/win32/rndcconfgen.dsw
@@ -3,7 +3,7 @@ Microsoft Developer Studio Workspace File, Format Version 6.00
 
 ###############################################################################
 
-Project: "confgen"=".\confgen.dsp" - Package Owner=<4>
+Project: "rndconfgen"=".\rndconfgen.dsp" - Package Owner=<4>
 
 Package=<5>
 {{{
diff --git a/bin/rndc/win32/confgen.mak b/bin/confgen/win32/rndcconfgen.mak
index 02299e2e..834a6e2a 100644
--- a/bin/rndc/win32/confgen.mak
+++ b/bin/confgen/win32/rndcconfgen.mak
@@ -9,7 +9,7 @@ CFG=rndcconfgen - Win32 Debug
 !MESSAGE You can specify a configuration when running NMAKE
 !MESSAGE by defining the macro CFG on the command line. For example:
 !MESSAGE 
-!MESSAGE NMAKE /f "confgen.mak" CFG="rndcconfgen - Win32 Debug"
+!MESSAGE NMAKE /f "rndcconfgen.mak" CFG="rndcconfgen - Win32 Debug"
 !MESSAGE 
 !MESSAGE Possible choices for configuration are:
 !MESSAGE 
@@ -114,6 +114,7 @@ ALL : "..\..\..\Build\Release\rndc-confgen.exe"
 CLEAN :
 	-@erase "$(INTDIR)\os.obj"
 	-@erase "$(INTDIR)\rndc-confgen.obj"
+	-@erase "$(INTDIR)\keygen.obj"
 	-@erase "$(INTDIR)\util.obj"
 	-@erase "$(INTDIR)\vc60.idb"
 	-@erase "..\..\..\Build\Release\rndc-confgen.exe"
@@ -132,6 +133,7 @@ LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/l
 LINK32_OBJS= \
 	"$(INTDIR)\os.obj" \
 	"$(INTDIR)\rndc-confgen.obj" \
+	"$(INTDIR)\keygen.obj" \
 	"$(INTDIR)\util.obj"
 
 "..\..\..\Build\Release\rndc-confgen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
@@ -156,6 +158,8 @@ CLEAN :
 	-@erase "$(INTDIR)\os.sbr"
 	-@erase "$(INTDIR)\rndc-confgen.obj"
 	-@erase "$(INTDIR)\rndc-confgen.sbr"
+	-@erase "$(INTDIR)\keygen.obj"
+	-@erase "$(INTDIR)\keygen.sbr"
 	-@erase "$(INTDIR)\util.obj"
 	-@erase "$(INTDIR)\util.sbr"
 	-@erase "$(INTDIR)\vc60.idb"
@@ -175,6 +179,7 @@ BSC32_FLAGS=/nologo /o"$(OUTDIR)\confgen.bsc"
 BSC32_SBRS= \
 	"$(INTDIR)\os.sbr" \
 	"$(INTDIR)\rndc-confgen.sbr" \
+	"$(INTDIR)\keygen.sbr" \
 	"$(INTDIR)\util.sbr"
 
 "$(OUTDIR)\confgen.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
@@ -187,6 +192,7 @@ LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/lib
 LINK32_OBJS= \
 	"$(INTDIR)\os.obj" \
 	"$(INTDIR)\rndc-confgen.obj" \
+	"$(INTDIR)\keygen.obj" \
 	"$(INTDIR)\util.obj"
 
 "..\..\..\Build\Debug\rndc-confgen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
@@ -272,6 +278,24 @@ SOURCE="..\rndc-confgen.c"
 
 !ENDIF 
 
+SOURCE=..\keygen.c
+
+!IF  "$(CFG)" == "rndcconfgen - Win32 Release"
+
+
+"$(INTDIR)\keygen.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "rndcconfgen - Win32 Debug"
+
+
+"$(INTDIR)\keygen.obj"	"$(INTDIR)\keygen.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
 SOURCE=..\util.c
 
 !IF  "$(CFG)" == "rndcconfgen - Win32 Release"
@@ -290,7 +314,6 @@ SOURCE=..\util.c
 
 !ENDIF 
 
-
 !ENDIF 
 
 ####################################################
diff --git a/bin/dig/dig.1 b/bin/dig/dig.1
index f7f4370a..fc7e462b 100644
--- a/bin/dig/dig.1
+++ b/bin/dig/dig.1
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dig.1,v 1.50.44.2 2009/02/03 01:52:10 tbox Exp $
+.\" $Id: dig.1,v 1.52 2009/02/03 01:11:46 tbox Exp $
 .\"
 .hy 0
 .ad l
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index f740a1d6..ad9269f5 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.c,v 1.225.26.4 2009/05/06 10:18:33 fdupont Exp $ */
+/* $Id: dig.c,v 1.229 2009/05/06 10:16:32 fdupont Exp $ */
 
 /*! \file */
 
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index f987465b..de38d594 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dig.docbook,v 1.42.44.3 2009/02/02 04:42:48 marka Exp $ -->
+<!-- $Id: dig.docbook,v 1.45 2009/02/02 04:41:28 marka Exp $ -->
 <refentry id="man.dig">
 
   <refentryinfo>
diff --git a/bin/dig/dig.html b/bin/dig/dig.html
index 11b55cc7..4cf1007c 100644
--- a/bin/dig/dig.html
+++ b/bin/dig/dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: dig.html,v 1.45.44.2 2009/02/03 01:52:10 tbox Exp $ -->
+<!-- $Id: dig.html,v 1.47 2009/02/03 01:11:46 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 470261cb..4402e47e 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dighost.c,v 1.311.70.8 2009/02/25 02:39:21 marka Exp $ */
+/* $Id: dighost.c,v 1.321 2009/02/25 02:34:21 marka Exp $ */
 
 /*! \file
  *  \note
@@ -393,7 +393,7 @@ count_dots(char *string) {
 
 static void
 hex_dump(isc_buffer_t *b) {
-	unsigned int len;
+	unsigned int len, i;
 	isc_region_t r;
 
 	isc_buffer_usedregion(b, &r);
@@ -401,11 +401,29 @@ hex_dump(isc_buffer_t *b) {
 	printf("%d bytes\n", r.length);
 	for (len = 0; len < r.length; len++) {
 		printf("%02x ", r.base[len]);
-		if (len % 16 == 15)
+		if (len % 16 == 15) {
+			fputs("         ", stdout);
+			for (i = len - 15; i <= len; i++) {
+				if (r.base[i] >= '!' && r.base[i] <= '}')
+					putchar(r.base[i]);
+				else
+					putchar('.');
+			}
 			printf("\n");
+		}
 	}
-	if (len % 16 != 0)
+	if (len % 16 != 0) {
+		for (i = len; (i % 16) != 0; i++)
+			fputs("   ", stdout);
+		fputs("         ", stdout);
+		for (i = ((len>>4)<<4); i < len; i++) {
+			if (r.base[i] >= '!' && r.base[i] <= '}')
+				putchar(r.base[i]);
+			else
+				putchar('.');
+		}
 		printf("\n");
+	}
 }
 
 /*%
diff --git a/bin/dig/host.1 b/bin/dig/host.1
index eebdad8f..f96f2746 100644
--- a/bin/dig/host.1
+++ b/bin/dig/host.1
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: host.1,v 1.29.114.1 2009/01/23 01:53:33 tbox Exp $
+.\" $Id: host.1,v 1.30 2009/01/21 01:12:07 tbox Exp $
 .\"
 .hy 0
 .ad l
diff --git a/bin/dig/host.c b/bin/dig/host.c
index 9f302068..8e414a48 100644
--- a/bin/dig/host.c
+++ b/bin/dig/host.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: host.c,v 1.116.216.2 2009/05/06 23:47:18 tbox Exp $ */
+/* $Id: host.c,v 1.118 2009/05/06 23:47:50 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
index 3e75b051..bc435f92 100644
--- a/bin/dig/host.docbook
+++ b/bin/dig/host.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: host.docbook,v 1.18.114.2 2009/01/22 23:47:05 tbox Exp $ -->
+<!-- $Id: host.docbook,v 1.20 2009/01/20 23:47:56 tbox Exp $ -->
 <refentry id="man.host">
 
   <refentryinfo>
diff --git a/bin/dig/host.html b/bin/dig/host.html
index f2107317..30ece618 100644
--- a/bin/dig/host.html
+++ b/bin/dig/host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: host.html,v 1.28.114.1 2009/01/23 01:53:33 tbox Exp $ -->
+<!-- $Id: host.html,v 1.29 2009/01/21 01:12:07 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h
index d9ee7570..bf8a06ca 100644
--- a/bin/dig/include/dig/dig.h
+++ b/bin/dig/include/dig/dig.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.h,v 1.107.120.2 2009/01/06 23:47:26 tbox Exp $ */
+/* $Id: dig.h,v 1.108 2008/12/16 02:57:24 jinmei Exp $ */
 
 #ifndef DIG_H
 #define DIG_H
diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
index 56796268..9340eb3f 100644
--- a/bin/dig/nslookup.c
+++ b/bin/dig/nslookup.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nslookup.c,v 1.117.334.4 2009/05/06 11:41:57 fdupont Exp $ */
+/* $Id: nslookup.c,v 1.122 2009/05/06 23:47:50 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/bin/dnssec/dnssec-dsfromkey.8 b/bin/dnssec/dnssec-dsfromkey.8
index 4d4cbc96..9388d520 100644
--- a/bin/dnssec/dnssec-dsfromkey.8
+++ b/bin/dnssec/dnssec-dsfromkey.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
 .\"
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-dsfromkey.8,v 1.5 2008/11/08 01:11:47 tbox Exp $
+.\" $Id: dnssec-dsfromkey.8,v 1.9 2009/06/18 01:13:02 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -63,6 +63,13 @@ must be one of SHA\-1 (SHA1) or SHA\-256 (SHA256). These values are case insensi
 Sets the debugging level.
 .RE
 .PP
+\-l \fIdomain\fR
+.RS 4
+Generate a DLV set instead of a DS set. The specified
+\fBdomain\fR
+is appended to the name for each record in the set.
+.RE
+.PP
 \-s
 .RS 4
 Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file. Following options make sense only in this mode.
@@ -120,5 +127,5 @@ RFC 4509.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2008 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
index 653aa3ea..a92b7424 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-dsfromkey.c,v 1.2.14.3 2009/03/02 02:54:15 marka Exp $ */
+/* $Id: dnssec-dsfromkey.c,v 1.8 2009/06/17 23:53:04 tbox Exp $ */
 
 /*! \file */
 
@@ -52,19 +52,19 @@ const char *program = "dnssec-dsfromkey";
 int verbose;
 
 static dns_rdataclass_t rdclass;
-static dns_fixedname_t  fixed;
-static dns_name_t       *name = NULL;
-static dns_db_t         *db = NULL;
-static dns_dbnode_t     *node = NULL;
-static dns_rdataset_t   keyset;
-static isc_mem_t        *mctx = NULL;
+static dns_fixedname_t	fixed;
+static dns_name_t	*name = NULL;
+static dns_db_t		*db = NULL;
+static dns_dbnode_t	*node = NULL;
+static dns_rdataset_t	keyset;
+static isc_mem_t	*mctx = NULL;
 
 static void
 loadkeys(char *dirname, char *setname)
 {
-	isc_result_t     result;
-	char             filename[1024];
-	isc_buffer_t     buf;
+	isc_result_t	 result;
+	char		 filename[1024];
+	isc_buffer_t	 buf;
 
 	dns_rdataset_init(&keyset);
 	dns_fixedname_init(&fixed);
@@ -78,10 +78,18 @@ loadkeys(char *dirname, char *setname)
 
 	isc_buffer_init(&buf, filename, sizeof(filename));
 	if (dirname != NULL) {
+		if (isc_buffer_availablelength(&buf) < strlen(dirname))
+			fatal("directory name '%s' too long", dirname);
 		isc_buffer_putstr(&buf, dirname);
-		if (dirname[strlen(dirname) - 1] != '/')
+		if (dirname[strlen(dirname) - 1] != '/') {
+			if (isc_buffer_availablelength(&buf) < 1)
+				fatal("directory name '%s' too long", dirname);
 			isc_buffer_putstr(&buf, "/");
+		}
 	}
+
+	if (isc_buffer_availablelength(&buf) < strlen("keyset-"))
+		fatal("directory name '%s' too long", dirname);
 	isc_buffer_putstr(&buf, "keyset-");
 	result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
 	check_result(result, "dns_name_tofilenametext()");
@@ -161,7 +169,7 @@ logkey(dns_rdata_t *rdata)
 	isc_result_t result;
 	dst_key_t    *key = NULL;
 	isc_buffer_t buf;
-	char         keystr[KEY_FORMATSIZE];
+	char	     keystr[KEY_FORMATSIZE];
 
 	isc_buffer_init(&buf, rdata->data, rdata->length);
 	isc_buffer_add(&buf, rdata->length);
@@ -176,43 +184,63 @@ logkey(dns_rdata_t *rdata)
 }
 
 static void
-emitds(unsigned int dtype, dns_rdata_t *rdata)
+emit(unsigned int dtype, dns_rdata_t *rdata, char *lookaside)
 {
-	isc_result_t   result;
-	unsigned char  buf[DNS_DS_BUFFERSIZE];
-	char           text_buf[DST_KEY_MAXTEXTSIZE];
-	char           class_buf[10];
-	isc_buffer_t   textb, classb;
-	isc_region_t   r;
-	dns_rdata_t    ds;
+	isc_result_t	result;
+	unsigned char	buf[DNS_DS_BUFFERSIZE];
+	char		text_buf[DST_KEY_MAXTEXTSIZE];
+	char		name_buf[DNS_NAME_MAXWIRE];
+	char		class_buf[10];
+	isc_buffer_t	textb, nameb, classb;
+	isc_region_t	r;
+	dns_rdata_t	ds;
 
 	isc_buffer_init(&textb, text_buf, sizeof(text_buf));
+	isc_buffer_init(&nameb, name_buf, sizeof(name_buf));
 	isc_buffer_init(&classb, class_buf, sizeof(class_buf));
 
 	dns_rdata_init(&ds);
 
 	result = dns_ds_buildrdata(name, rdata, dtype, buf, &ds);
 	if (result != ISC_R_SUCCESS)
-		fatal("can't build DS");
+		fatal("can't build record");
+
+	result = dns_name_totext(name, ISC_FALSE, &nameb);
+	if (result != ISC_R_SUCCESS)
+		fatal("can't print name");
+
+	/* Add lookaside origin, if set */
+	if (lookaside != NULL) {
+		if (isc_buffer_availablelength(&nameb) < strlen(lookaside))
+			fatal("DLV origin '%s' is too long", lookaside);
+		isc_buffer_putstr(&nameb, lookaside);
+		if (lookaside[strlen(lookaside) - 1] != '.') {
+			if (isc_buffer_availablelength(&nameb) < 1)
+				fatal("DLV origin '%s' is too long", lookaside);
+			isc_buffer_putstr(&nameb, ".");
+		}
+	}
 
 	result = dns_rdata_totext(&ds, (dns_name_t *) NULL, &textb);
 	if (result != ISC_R_SUCCESS)
-		fatal("can't print DS rdata");
+		fatal("can't print rdata");
 
 	result = dns_rdataclass_totext(rdclass, &classb);
 	if (result != ISC_R_SUCCESS)
-		fatal("can't print DS class");
+		fatal("can't print class");
 
-	result = dns_name_print(name, stdout);
-	if (result != ISC_R_SUCCESS)
-		fatal("can't print DS name");
+	isc_buffer_usedregion(&nameb, &r);
+	fwrite(r.base, 1, r.length, stdout);
 
 	putchar(' ');
 
 	isc_buffer_usedregion(&classb, &r);
 	fwrite(r.base, 1, r.length, stdout);
 
-	printf(" DS ");
+	if (lookaside == NULL)
+		printf(" DS ");
+	else
+		printf(" DLV ");
 
 	isc_buffer_usedregion(&textb, &r);
 	fwrite(r.base, 1, r.length, stdout);
@@ -223,7 +251,7 @@ static void
 usage(void) {
 	fprintf(stderr, "Usage:\n");
 	fprintf(stderr,	"    %s options keyfile\n\n", program);
-	fprintf(stderr, "    %s options [-c class] [-d dir] -s dnsname\n\n",
+	fprintf(stderr, "    %s options [-c class] [-d dir] [-l lookaside] -s dnsname\n\n",
 		program);
 	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "Options:\n");
@@ -233,25 +261,27 @@ usage(void) {
 	fprintf(stderr, "    -a algorithm: use algorithm\n");
 	fprintf(stderr, "Keyset options:\n");
 	fprintf(stderr, "    -s: keyset mode\n");
+	fprintf(stderr, "    -l: add lookaside zone and print DLV records\n");
 	fprintf(stderr, "    -c class\n");
 	fprintf(stderr, "    -d directory\n");
-	fprintf(stderr, "Output: DS RRs\n");
+	fprintf(stderr, "Output: DS or DLV RRs\n");
 
 	exit (-1);
 }
 
 int
 main(int argc, char **argv) {
-	char           *algname = NULL, *classname = NULL, *dirname = NULL;
-	char           *endp;
-	int            ch;
-	unsigned int   dtype = DNS_DSDIGEST_SHA1;
-	isc_boolean_t  both = ISC_TRUE;
-	isc_boolean_t  usekeyset = ISC_FALSE;
-	isc_result_t   result;
-	isc_log_t      *log = NULL;
-	isc_entropy_t  *ectx = NULL;
-	dns_rdata_t    rdata;
+	char		*algname = NULL, *classname = NULL, *dirname = NULL;
+	char		*lookaside = NULL;
+	char		*endp;
+	int		ch;
+	unsigned int	dtype = DNS_DSDIGEST_SHA1;
+	isc_boolean_t	both = ISC_TRUE;
+	isc_boolean_t	usekeyset = ISC_FALSE;
+	isc_result_t	result;
+	isc_log_t       *log = NULL;
+	isc_entropy_t	*ectx = NULL;
+	dns_rdata_t	rdata;
 
 	dns_rdata_init(&rdata);
 
@@ -267,7 +297,7 @@ main(int argc, char **argv) {
 	isc_commandline_errprint = ISC_FALSE;
 
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "12a:c:d:sv:h")) != -1) {
+					   "12a:c:d:l:sv:Fh")) != -1) {
 		switch (ch) {
 		case '1':
 			dtype = DNS_DSDIGEST_SHA1;
@@ -286,6 +316,13 @@ main(int argc, char **argv) {
 			break;
 		case 'd':
 			dirname = isc_commandline_argument;
+			if (strlen(dirname) == 0)
+				fatal("dir must be a non-empty string");
+			break;
+		case 'l':
+			lookaside = isc_commandline_argument;
+			if (strlen(lookaside) == 0)
+				fatal("lookaside must be a non-empty string");
 			break;
 		case 's':
 			usekeyset = ISC_TRUE;
@@ -295,11 +332,14 @@ main(int argc, char **argv) {
 			if (*endp != '\0')
 				fatal("-v must be followed by a number");
 			break;
+		case 'F':
+			/* Reserved for FIPS mode */
+			/* FALLTHROUGH */
 		case '?':
 			if (isc_commandline_option != '?')
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
-			/* Falls into */
+			/* FALLTHROUGH */
 		case 'h':
 			usage();
 
@@ -354,10 +394,10 @@ main(int argc, char **argv) {
 				logkey(&rdata);
 
 			if (both) {
-				emitds(DNS_DSDIGEST_SHA1, &rdata);
-				emitds(DNS_DSDIGEST_SHA256, &rdata);
+				emit(DNS_DSDIGEST_SHA1, &rdata, lookaside);
+				emit(DNS_DSDIGEST_SHA256, &rdata, lookaside);
 			} else
-				emitds(dtype, &rdata);
+				emit(dtype, &rdata, lookaside);
 		}
 	} else {
 		unsigned char key_buf[DST_KEY_MAXSIZE];
@@ -366,10 +406,10 @@ main(int argc, char **argv) {
 			DST_KEY_MAXSIZE, &rdata);
 
 		if (both) {
-			emitds(DNS_DSDIGEST_SHA1, &rdata);
-			emitds(DNS_DSDIGEST_SHA256, &rdata);
+			emit(DNS_DSDIGEST_SHA1, &rdata, lookaside);
+			emit(DNS_DSDIGEST_SHA256, &rdata, lookaside);
 		} else
-			emitds(dtype, &rdata);
+			emit(dtype, &rdata, lookaside);
 	}
 
 	if (dns_rdataset_isassociated(&keyset))
diff --git a/bin/dnssec/dnssec-dsfromkey.docbook b/bin/dnssec/dnssec-dsfromkey.docbook
index c2c6b853..bd8f468b 100644
--- a/bin/dnssec/dnssec-dsfromkey.docbook
+++ b/bin/dnssec/dnssec-dsfromkey.docbook
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
                [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-dsfromkey.docbook,v 1.6 2008/11/07 13:54:11 jreed Exp $ -->
+<!-- $Id: dnssec-dsfromkey.docbook,v 1.8 2009/06/17 23:53:04 tbox Exp $ -->
 <refentry id="man.dnssec-dsfromkey">
   <refentryinfo>
     <date>November 29, 2008</date>
@@ -37,6 +37,7 @@
   <docinfo>
     <copyright>
       <year>2008</year>
+      <year>2009</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
@@ -115,6 +116,17 @@
       </varlistentry>
 
       <varlistentry>
+        <term>-l <replaceable class="parameter">domain</replaceable></term>
+        <listitem>
+          <para>
+            Generate a DLV set instead of a DS set.  The specified
+            <option>domain</option> is appended to the name for each
+            record in the set.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>-s</term>
         <listitem>
           <para>
diff --git a/bin/dnssec/dnssec-dsfromkey.html b/bin/dnssec/dnssec-dsfromkey.html
index 72dfd3a5..6ea4c595 100644
--- a/bin/dnssec/dnssec-dsfromkey.html
+++ b/bin/dnssec/dnssec-dsfromkey.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-dsfromkey.html,v 1.5 2008/11/08 01:11:47 tbox Exp $ -->
+<!-- $Id: dnssec-dsfromkey.html,v 1.9 2009/06/18 01:13:02 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -33,14 +33,14 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  {-s} [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dir</code></em></code>] {dnsname}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543424"></a><h2>DESCRIPTION</h2>
+<a name="id2543427"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-dsfromkey</strong></span>
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543435"></a><h2>OPTIONS</h2>
+<a name="id2543438"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-1</span></dt>
 <dd><p>
@@ -61,6 +61,12 @@
 <dd><p>
             Sets the debugging level.
           </p></dd>
+<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
+<dd><p>
+            Generate a DLV set instead of a DS set.  The specified
+            <code class="option">domain</code> is appended to the name for each
+            record in the set.
+          </p></dd>
 <dt><span class="term">-s</span></dt>
 <dd><p>
             Keyset mode: in place of the keyfile name, the argument is
@@ -81,7 +87,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543563"></a><h2>EXAMPLE</h2>
+<a name="id2543587"></a><h2>EXAMPLE</h2>
 <p>
       To build the SHA-256 DS RR from the
       <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
@@ -96,7 +102,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543593"></a><h2>FILES</h2>
+<a name="id2543617"></a><h2>FILES</h2>
 <p>
       The keyfile can be designed by the key identification
       <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
@@ -110,13 +116,13 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543628"></a><h2>CAVEAT</h2>
+<a name="id2543652"></a><h2>CAVEAT</h2>
 <p>
       A keyfile error can give a "file not found" even if the file exists.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543638"></a><h2>SEE ALSO</h2>
+<a name="id2543661"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -125,7 +131,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543674"></a><h2>AUTHOR</h2>
+<a name="id2543698"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index e7587c39..1ad66d70 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keyfromlabel.c,v 1.4 2008/09/24 02:46:21 marka Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.6 2009/05/07 23:47:44 tbox Exp $ */
 
 /*! \file */
 
@@ -113,7 +113,7 @@ main(int argc, char **argv) {
 	isc_commandline_errprint = ISC_FALSE;
 
 	while ((ch = isc_commandline_parse(argc, argv,
-					 "a:c:f:kl:n:p:t:v:h")) != -1)
+					 "a:c:f:kl:n:p:t:v:Fh")) != -1)
 	{
 	    switch (ch) {
 		case 'a':
@@ -152,11 +152,14 @@ main(int argc, char **argv) {
 			if (*endp != '\0')
 				fatal("-v must be followed by a number");
 			break;
-
+		case 'F':
+			/* Reserved for FIPS mode */
+			/* FALLTHROUGH */
 		case '?':
 			if (isc_commandline_option != '?')
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
+			/* FALLTHROUGH */
 		case 'h':
 			usage();
 
diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index 13db3d9d..6820edef 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keygen.8,v 1.40 2008/10/15 01:11:35 tbox Exp $
+.\" $Id: dnssec-keygen.8,v 1.43 2009/06/18 01:13:02 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -33,7 +33,7 @@
 dnssec\-keygen \- DNSSEC key generation tool
 .SH "SYNOPSIS"
 .HP 14
-\fBdnssec\-keygen\fR {\-a\ \fIalgorithm\fR} {\-b\ \fIkeysize\fR} {\-n\ \fInametype\fR} [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-k\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
+\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-k\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-keygen\fR
@@ -44,7 +44,7 @@ generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It
 .RS 4
 Selects the cryptographic algorithm. The value of
 \fBalgorithm\fR
-must be one of RSAMD5 (RSA) or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC\-MD5. These values are case insensitive.
+must be one of RSAMD5 (RSA) or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC\-MD5. These values are case insensitive. The default is RSASHA1 for DNSSEC key generation.
 .sp
 Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
 .sp
@@ -54,6 +54,9 @@ Note 2: HMAC\-MD5 and DH automatically set the \-k flag.
 \-b \fIkeysize\fR
 .RS 4
 Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC\-MD5 keys must be between 1 and 512 bits.
+.sp
+            When generating a DNSSEC key with the default algorithm, this
+            value defaults to 1024, or 2048 if the KSK flag is set.
 .RE
 .PP
 \-n \fInametype\fR
@@ -194,7 +197,7 @@ RFC 4033.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000\-2003 Internet Software Consortium.
 .br
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 614d388e..3f521b2d 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.81 2008/09/25 04:02:38 tbox Exp $ */
+/* $Id: dnssec-keygen.c,v 1.85 2009/06/17 23:53:04 tbox Exp $ */
 
 /*! \file */
 
@@ -67,6 +67,8 @@ static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | NSEC3DSA |"
 			  " HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 |"
 			  " HMAC-SHA384 | HMAC-SHA512";
 
+#define DEFAULT_ALGORITHM "RSASHA1"
+
 static isc_boolean_t
 dsa_size_ok(int size) {
 	return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
@@ -75,11 +77,12 @@ dsa_size_ok(int size) {
 static void
 usage(void) {
 	fprintf(stderr, "Usage:\n");
-	fprintf(stderr, "    %s -a alg -b bits [-n type] [options] name\n\n",
+	fprintf(stderr, "    %s [options] name\n\n",
 		program);
 	fprintf(stderr, "Version: %s\n", VERSION);
-	fprintf(stderr, "Required options:\n");
-	fprintf(stderr, "    -a algorithm: %s\n", algs);
+	fprintf(stderr, "    name: owner of the key\n");
+	fprintf(stderr, "Options:\n");
+	fprintf(stderr, "    -a algorithm: %s (default RSASHA1)\n", algs);
 	fprintf(stderr, "    -b key size, in bits:\n");
 	fprintf(stderr, "        RSAMD5:\t\t[512..%d]\n", MAX_RSA);
 	fprintf(stderr, "        RSASHA1:\t\t[512..%d]\n", MAX_RSA);
@@ -93,10 +96,9 @@ usage(void) {
 	fprintf(stderr, "        HMAC-SHA256:\t[1..256]\n");
 	fprintf(stderr, "        HMAC-SHA384:\t[1..384]\n");
 	fprintf(stderr, "        HMAC-SHA512:\t[1..512]\n");
+	fprintf(stderr, "       (default 1024 for RSASHA1 ZSK, 2048 for KSK\n");
 	fprintf(stderr, "    -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
-	fprintf(stderr, "        (DNSKEY generation defaults to ZONE\n");
-	fprintf(stderr, "    name: owner of the key\n");
-	fprintf(stderr, "Other options:\n");
+	fprintf(stderr, "        (DNSKEY generation defaults to ZONE)\n");
 	fprintf(stderr, "    -c <class> (default: IN)\n");
 	fprintf(stderr, "    -d <digest bits> (0 => max, default)\n");
 	fprintf(stderr, "    -e use large exponent (RSAMD5/RSASHA1 only)\n");
@@ -122,7 +124,7 @@ usage(void) {
 
 int
 main(int argc, char **argv) {
-	char		*algname = NULL, *nametype = NULL, *type = NULL;
+	char	        *algname = NULL, *nametype = NULL, *type = NULL;
 	char		*classname = NULL;
 	char		*endp;
 	dst_key_t	*key = NULL, *oldkey;
@@ -143,6 +145,7 @@ main(int argc, char **argv) {
 	dns_rdataclass_t rdclass;
 	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
 	int		dbits = 0;
+	isc_boolean_t	use_default = ISC_FALSE;
 
 	if (argc == 1)
 		usage();
@@ -154,7 +157,7 @@ main(int argc, char **argv) {
 	isc_commandline_errprint = ISC_FALSE;
 
 	while ((ch = isc_commandline_parse(argc, argv,
-					 "a:b:c:d:ef:g:kn:t:p:s:r:v:h")) != -1)
+					"a:b:c:d:ef:g:kn:t:p:s:r:v:Fh")) != -1)
 	{
 	    switch (ch) {
 		case 'a':
@@ -220,11 +223,14 @@ main(int argc, char **argv) {
 			if (*endp != '\0')
 				fatal("-v must be followed by a number");
 			break;
-
+		case 'F':
+			/* Reserved for FIPS mode */
+			/* FALLTHROUGH */
 		case '?':
 			if (isc_commandline_option != '?')
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					program, isc_commandline_option);
+			/* FALLTHROUGH */
 		case 'h':
 			usage();
 
@@ -249,8 +255,14 @@ main(int argc, char **argv) {
 	if (argc > isc_commandline_index + 1)
 		fatal("extraneous arguments");
 
-	if (algname == NULL)
-		fatal("no algorithm was specified");
+	if (algname == NULL) {
+		algname = strdup(DEFAULT_ALGORITHM);
+		use_default = ISC_TRUE;
+		if (verbose > 0)
+			fprintf(stderr, "no algorithm specified; "
+				"defaulting to %s\n", algname);
+	}
+
 	if (strcasecmp(algname, "RSA") == 0) {
 		fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
 				"If you still wish to use RSA (RSAMD5) please "
@@ -300,8 +312,16 @@ main(int argc, char **argv) {
 			fatal("invalid type %s", type);
 	}
 
-	if (size < 0)
-		fatal("key size not specified (-b option)");
+	if (size < 0) {
+		if (use_default) {
+			size = (ksk != 0) ? 2048 : 1024;
+			if (verbose > 0)
+				fprintf(stderr, "key size not specified; "
+					"defaulting to %d\n", size);
+		} else {
+			fatal("key size not specified (-b option)");
+		}
+	}
 
 	switch (alg) {
 	case DNS_KEYALG_RSAMD5:
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index c267a1b4..903da941 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-keygen.docbook,v 1.22 2008/10/14 14:32:50 jreed Exp $ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.24 2009/06/17 23:53:04 tbox Exp $ -->
 <refentry id="man.dnssec-keygen">
   <refentryinfo>
     <date>June 30, 2000</date>
@@ -41,6 +41,7 @@
       <year>2005</year>
       <year>2007</year>
       <year>2008</year>
+      <year>2009</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -55,9 +56,9 @@
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>dnssec-keygen</command>
-      <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
-      <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
-      <arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
+      <arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
+      <arg ><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
+      <arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
       <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
       <arg><option>-e</option></arg>
       <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
@@ -93,7 +94,8 @@
             Selects the cryptographic algorithm.  The value of
             <option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
 	    DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
-	    These values are case insensitive.
+	    These values are case insensitive.  The default is RSASHA1 for
+            DNSSEC key generation.
           </para>
           <para>
             Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
@@ -112,12 +114,15 @@
           <para>
             Specifies the number of bits in the key.  The choice of key
             size depends on the algorithm used.  RSAMD5 / RSASHA1 keys must be
-            between
-            512 and 2048 bits.  Diffie Hellman keys must be between
+            between 512 and 2048 bits.  Diffie Hellman keys must be between
             128 and 4096 bits.  DSA keys must be between 512 and 1024
             bits and an exact multiple of 64.  HMAC-MD5 keys must be
             between 1 and 512 bits.
           </para>
+            When generating a DNSSEC key with the default algorithm, this
+            value defaults to 1024, or 2048 if the KSK flag is set.
+          <para>
+          </para>
         </listitem>
       </varlistentry>
 
@@ -160,7 +165,7 @@
         <listitem>
           <para>
             Set the specified flag in the flag field of the KEY/DNSKEY record.
-            		The only recognized flag is KSK (Key Signing Key) DNSKEY.
+    	    The only recognized flag is KSK (Key Signing Key) DNSKEY.
           </para>
         </listitem>
       </varlistentry>
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index 696ef88c..00d05dac 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: dnssec-keygen.html,v 1.32 2008/10/15 01:11:35 tbox Exp $ -->
+<!-- $Id: dnssec-keygen.html,v 1.35 2009/06/18 01:13:02 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -29,7 +29,7 @@
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
 </div>
 <div class="refsect1" lang="en">
 <a name="id2543477"></a><h2>DESCRIPTION</h2>
@@ -48,7 +48,8 @@
             Selects the cryptographic algorithm.  The value of
             <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
 	    DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
-	    These values are case insensitive.
+	    These values are case insensitive.  The default is RSASHA1 for
+            DNSSEC key generation.
           </p>
 <p>
             Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
@@ -60,15 +61,20 @@
           </p>
 </dd>
 <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd><p>
+<dd>
+<p>
             Specifies the number of bits in the key.  The choice of key
             size depends on the algorithm used.  RSAMD5 / RSASHA1 keys must be
-            between
-            512 and 2048 bits.  Diffie Hellman keys must be between
+            between 512 and 2048 bits.  Diffie Hellman keys must be between
             128 and 4096 bits.  DSA keys must be between 512 and 1024
             bits and an exact multiple of 64.  HMAC-MD5 keys must be
             between 1 and 512 bits.
-          </p></dd>
+          </p>
+            When generating a DNSSEC key with the default algorithm, this
+            value defaults to 1024, or 2048 if the KSK flag is set.
+          <p>
+          </p>
+</dd>
 <dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 <dd><p>
             Specifies the owner type of the key.  The value of
@@ -91,7 +97,7 @@
 <dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
 <dd><p>
             Set the specified flag in the flag field of the KEY/DNSKEY record.
-            		The only recognized flag is KSK (Key Signing Key) DNSKEY.
+    	    The only recognized flag is KSK (Key Signing Key) DNSKEY.
           </p></dd>
 <dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
 <dd><p>
@@ -148,7 +154,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543824"></a><h2>GENERATED KEYS</h2>
+<a name="id2543827"></a><h2>GENERATED KEYS</h2>
 <p>
       When <span><strong class="command">dnssec-keygen</strong></span> completes
       successfully,
@@ -194,7 +200,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543906"></a><h2>EXAMPLE</h2>
+<a name="id2543909"></a><h2>EXAMPLE</h2>
 <p>
       To generate a 768-bit DSA key for the domain
       <strong class="userinput"><code>example.com</code></strong>, the following command would be
@@ -215,7 +221,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543949"></a><h2>SEE ALSO</h2>
+<a name="id2543953"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 2539</em>,
@@ -224,7 +230,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544049"></a><h2>AUTHOR</h2>
+<a name="id2544052"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8
index 84e613f7..e3230c64 100644
--- a/bin/dnssec/dnssec-signzone.8
+++ b/bin/dnssec/dnssec-signzone.8
@@ -13,163 +13,282 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signzone.8,v 1.47.44.4 2009/06/09 01:47:19 each Exp $
+.\" $Id: dnssec-signzone.8,v 1.49 2009/06/06 01:12:32 tbox Exp $
 .\"
 .hy 0
 .ad l
-.\"Generated by db2man.xsl. Don't modify this, modify the source.
-.de Sh \" Subsection
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.TH "DNSSEC-SIGNZONE" 8 "June 08, 2009" "" ""
-.SH NAME
-dnssec-signzone \- DNSSEC zone signing tool
+.\"     Title: dnssec\-signzone
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: June 05, 2009
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "DNSSEC\-SIGNZONE" "8" "June 05, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+dnssec\-signzone \- DNSSEC zone signing tool
 .SH "SYNOPSIS"
 .HP 16
-\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fIclass\fR\fR] [\fB\-d\ \fIdirectory\fR\fR] [\fB\-e\ \fIend\-time\fR\fR] [\fB\-f\ \fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fIkey\fR\fR] [\fB\-l\ \fIdomain\fR\fR] [\fB\-i\ \fIinterval\fR\fR] [\fB\-I\ \fIinput\-format\fR\fR] [\fB\-j\ \fIjitter\fR\fR] [\fB\-N\ \fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fIorigin\fR\fR] [\fB\-O\ \fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-r\ \fIrandomdev\fR\fR] [\fB\-s\ \fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fIlevel\fR\fR] [\fB\-z\fR] [\fB\-3\ \fIsalt\fR\fR] [\fB\-H\ \fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
+\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-P\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
 .SH "DESCRIPTION"
 .PP
-\fBdnssec\-signzone\fR signs a zone\&. It generates NSEC and RRSIG records and produces a signed version of the zone\&. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a \fIkeyset\fR file for each child zone\&.
+\fBdnssec\-signzone\fR
+signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a
+\fIkeyset\fR
+file for each child zone.
 .SH "OPTIONS"
-.TP
+.PP
 \-a
-Verify all generated signatures\&.
-.TP
+.RS 4
+Verify all generated signatures.
+.RE
+.PP
 \-c \fIclass\fR
-Specifies the DNS class of the zone\&.
-.TP
+.RS 4
+Specifies the DNS class of the zone.
+.RE
+.PP
 \-k \fIkey\fR
-Treat specified key as a key signing key ignoring any key flags\&. This option may be specified multiple times\&.
-.TP
+.RS 4
+Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times.
+.RE
+.PP
 \-l \fIdomain\fR
-Generate a DLV set in addition to the key (DNSKEY) and DS sets\&. The domain is appended to the name of the records\&.
-.TP
+.RS 4
+Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.
+.RE
+.PP
 \-d \fIdirectory\fR
-Look for \fIkeyset\fR files in \fBdirectory\fR as the directory
-.TP
+.RS 4
+Look for
+\fIkeyset\fR
+files in
+\fBdirectory\fR
+as the directory
+.RE
+.PP
 \-g
-Generate DS records for child zones from keyset files\&. Existing DS records will be removed\&.
-.TP
+.RS 4
+Generate DS records for child zones from keyset files. Existing DS records will be removed.
+.RE
+.PP
 \-s \fIstart\-time\fR
-Specify the date and time when the generated RRSIG records become valid\&. This can be either an absolute or relative time\&. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000\&. A relative start time is indicated by +N, which is N seconds from the current time\&. If no \fBstart\-time\fR is specified, the current time minus 1 hour (to allow for clock skew) is used\&.
-.TP
+.RS 4
+Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no
+\fBstart\-time\fR
+is specified, the current time minus 1 hour (to allow for clock skew) is used.
+.RE
+.PP
 \-e \fIend\-time\fR
-Specify the date and time when the generated RRSIG records expire\&. As with \fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation\&. A time relative to the start time is indicated with +N, which is N seconds from the start time\&. A time relative to the current time is indicated with now+N\&. If no \fBend\-time\fR is specified, 30 days from the start time is used as a default\&.
-.TP
+.RS 4
+Specify the date and time when the generated RRSIG records expire. As with
+\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
+\fBend\-time\fR
+is specified, 30 days from the start time is used as a default.
+.RE
+.PP
 \-f \fIoutput\-file\fR
-The name of the output file containing the signed zone\&. The default is to append \fI\&.signed\fR to the input filename\&.
-.TP
+.RS 4
+The name of the output file containing the signed zone. The default is to append
+\fI.signed\fR
+to the input filename.
+.RE
+.PP
 \-h
-Prints a short summary of the options and arguments to \fBdnssec\-signzone\fR\&.
-.TP
+.RS 4
+Prints a short summary of the options and arguments to
+\fBdnssec\-signzone\fR.
+.RE
+.PP
 \-i \fIinterval\fR
-When a previously\-signed zone is passed as input, records may be resigned\&. The \fBinterval\fR option specifies the cycle interval as an offset from the current time (in seconds)\&. If a RRSIG record expires after the cycle interval, it is retained\&. Otherwise, it is considered to be expiring soon, and it will be replaced\&.
-The default cycle interval is one quarter of the difference between the signature end and start times\&. So if neither \fBend\-time\fR or \fBstart\-time\fR are specified, \fBdnssec\-signzone\fR generates signatures that are valid for 30 days, with a cycle interval of 7\&.5 days\&. Therefore, if any existing RRSIG records are due to expire in less than 7\&.5 days, they would be replaced\&.
-.TP
+.RS 4
+When a previously\-signed zone is passed as input, records may be resigned. The
+\fBinterval\fR
+option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.
+.sp
+The default cycle interval is one quarter of the difference between the signature end and start times. So if neither
+\fBend\-time\fR
+or
+\fBstart\-time\fR
+are specified,
+\fBdnssec\-signzone\fR
+generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced.
+.RE
+.PP
 \-I \fIinput\-format\fR
-The format of the input zone file\&. Possible formats are \fB"text"\fR (default) and \fB"raw"\fR\&. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly\&. The use of this option does not make much sense for non\-dynamic zones\&.
-.TP
+.RS 4
+The format of the input zone file. Possible formats are
+\fB"text"\fR
+(default) and
+\fB"raw"\fR. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly. The use of this option does not make much sense for non\-dynamic zones.
+.RE
+.PP
 \-j \fIjitter\fR
-When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously\&. If the zone is incrementally signed, i\&.e\&. a previously\-signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time\&. The \fBjitter\fR option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time\&.
-Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i\&.e\&. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time\&.
-.TP
+.RS 4
+When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously. If the zone is incrementally signed, i.e. a previously\-signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time. The
+\fBjitter\fR
+option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time.
+.sp
+Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i.e. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time.
+.RE
+.PP
 \-n \fIncpus\fR
-Specifies the number of threads to use\&. By default, one thread is started for each detected CPU\&.
-.TP
+.RS 4
+Specifies the number of threads to use. By default, one thread is started for each detected CPU.
+.RE
+.PP
 \-N \fIsoa\-serial\-format\fR
-The SOA serial number format of the signed zone\&. Possible formats are \fB"keep"\fR (default), \fB"increment"\fR and \fB"unixtime"\fR\&.
-.RS
-.TP
+.RS 4
+The SOA serial number format of the signed zone. Possible formats are
 \fB"keep"\fR
-Do not modify the SOA serial number\&.
-.TP
+(default),
 \fB"increment"\fR
-Increment the SOA serial number using RFC 1982 arithmetics\&.
-.TP
+and
+\fB"unixtime"\fR.
+.RS 4
+.PP
+\fB"keep"\fR
+.RS 4
+Do not modify the SOA serial number.
+.RE
+.PP
+\fB"increment"\fR
+.RS 4
+Increment the SOA serial number using RFC 1982 arithmetics.
+.RE
+.PP
 \fB"unixtime"\fR
-Set the SOA serial number to the number of seconds since epoch\&.
+.RS 4
+Set the SOA serial number to the number of seconds since epoch.
+.RE
+.RE
 .RE
-.IP
-.TP
+.PP
 \-o \fIorigin\fR
-The zone origin\&. If not specified, the name of the zone file is assumed to be the origin\&.
-.TP
+.RS 4
+The zone origin. If not specified, the name of the zone file is assumed to be the origin.
+.RE
+.PP
 \-O \fIoutput\-format\fR
-The format of the output file containing the signed zone\&. Possible formats are \fB"text"\fR (default) and \fB"raw"\fR\&.
-.TP
+.RS 4
+The format of the output file containing the signed zone. Possible formats are
+\fB"text"\fR
+(default) and
+\fB"raw"\fR.
+.RE
+.PP
 \-p
-Use pseudo\-random data when signing the zone\&. This is faster, but less secure, than using real random data\&. This option may be useful when signing large zones or when the entropy source is limited\&.
-.TP
+.RS 4
+Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.
+.RE
+.PP
+\-P
+.RS 4
+Disable post sign verification tests.
+.sp
+The post sign verification test ensures that for each algorithm in use there is at least one non revoked self signed KSK key, that all revoked KSK keys are self signed, and that all records in the zone are signed by the algorithm. This option skips these tests.
+.RE
+.PP
 \-r \fIrandomdev\fR
-Specifies the source of randomness\&. If the operating system does not provide a \fI/dev/random\fR or equivalent device, the default source of randomness is keyboard input\&. \fIrandomdev\fR specifies the name of a character device or file containing random data to be used instead of the default\&. The special value \fIkeyboard\fR indicates that keyboard input should be used\&.
-.TP
+.RS 4
+Specifies the source of randomness. If the operating system does not provide a
+\fI/dev/random\fR
+or equivalent device, the default source of randomness is keyboard input.
+\fIrandomdev\fR
+specifies the name of a character device or file containing random data to be used instead of the default. The special value
+\fIkeyboard\fR
+indicates that keyboard input should be used.
+.RE
+.PP
 \-t
-Print statistics at completion\&.
-.TP
+.RS 4
+Print statistics at completion.
+.RE
+.PP
 \-v \fIlevel\fR
-Sets the debugging level\&.
-.TP
+.RS 4
+Sets the debugging level.
+.RE
+.PP
 \-z
-Ignore KSK flag on key when determining what to sign\&.
-.TP
+.RS 4
+Ignore KSK flag on key when determining what to sign.
+.RE
+.PP
 \-3 \fIsalt\fR
-Generate a NSEC3 chain with the given hex encoded salt\&. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain\&.
-.TP
+.RS 4
+Generate a NSEC3 chain with the given hex encoded salt. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain.
+.RE
+.PP
 \-H \fIiterations\fR
-When generating a NSEC3 chain use this many interations\&. The default is 100\&.
-.TP
+.RS 4
+When generating a NSEC3 chain use this many interations. The default is 100.
+.RE
+.PP
 \-A
-When generating a NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations\&.
-.TP
+.RS 4
+When generating a NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations.
+.RE
+.PP
 zonefile
-The file containing the zone to be signed\&.
-.TP
+.RS 4
+The file containing the zone to be signed.
+.RE
+.PP
 key
-Specify which keys should be used to sign the zone\&. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex\&. If these are found and there are matching private keys, in the current directory, then these will be used for signing\&.
+.RS 4
+Specify which keys should be used to sign the zone. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex. If these are found and there are matching private keys, in the current directory, then these will be used for signing.
+.RE
 .SH "EXAMPLE"
 .PP
-The following command signs the \fBexample\&.com\fR zone with the DSA key generated by \fBdnssec\-keygen\fR (Kexample\&.com\&.+003+17247)\&. The zone's keys must be in the master file (\fIdb\&.example\&.com\fR)\&. This invocation looks for \fIkeyset\fR files, in the current directory, so that DS records can be generated from them (\fB\-g\fR)\&.
+The following command signs the
+\fBexample.com\fR
+zone with the DSA key generated by
+\fBdnssec\-keygen\fR
+(Kexample.com.+003+17247). The zone's keys must be in the master file (\fIdb.example.com\fR). This invocation looks for
+\fIkeyset\fR
+files, in the current directory, so that DS records can be generated from them (\fB\-g\fR).
+.sp
+.RS 4
 .nf
-% dnssec\-signzone \-g \-o example\&.com db\&.example\&.com \\
-Kexample\&.com\&.+003+17247
-db\&.example\&.com\&.signed
+% dnssec\-signzone \-g \-o example.com db.example.com \\
+Kexample.com.+003+17247
+db.example.com.signed
 %
 .fi
+.RE
 .PP
-In the above example, \fBdnssec\-signzone\fR creates the file \fIdb\&.example\&.com\&.signed\fR\&. This file should be referenced in a zone statement in a \fInamed\&.conf\fR file\&.
+In the above example,
+\fBdnssec\-signzone\fR
+creates the file
+\fIdb.example.com.signed\fR. This file should be referenced in a zone statement in a
+\fInamed.conf\fR
+file.
 .PP
-This example re\-signs a previously signed zone with default parameters\&. The private keys are assumed to be in the current directory\&.
+This example re\-signs a previously signed zone with default parameters. The private keys are assumed to be in the current directory.
+.sp
+.RS 4
 .nf
-% cp db\&.example\&.com\&.signed db\&.example\&.com
-% dnssec\-signzone \-o example\&.com db\&.example\&.com
-db\&.example\&.com\&.signed
+% cp db.example.com.signed db.example.com
+% dnssec\-signzone \-o example.com db.example.com
+db.example.com.signed
 %
 .fi
-.SH "KNOWN BUGS"
-.PP
- \fBdnssec\-signzone\fR was designed so that it could sign a zone partially, using only a subset of the DNSSEC keys needed to produce a fully\-signed zone\&. This permits a zone administrator, for example, to sign a zone with one key on one machine, move the resulting partially\-signed zone to a second machine, and sign it again with a second key\&.
-.PP
-An unfortunate side\-effect of this flexibility is that \fBdnssec\-signzone\fR does not check to make sure it's signing a zone with any valid keys at all\&. An attempt to sign a zone without any keys will appear to succeed, producing a "signed" zone with no signatures\&. There is no warning issued when a zone is not fully signed\&.
-.PP
-This will be corrected in a future release\&. In the meantime, ISC recommends examining the output of \fBdnssec\-signzone\fR to confirm that the zone is properly signed by all keys before using it\&.
+.RE
 .SH "SEE ALSO"
 .PP
-\fBdnssec\-keygen\fR(8), BIND 9 Administrator Reference Manual, RFC 4033\&.
+\fBdnssec\-keygen\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 4033.
 .SH "AUTHOR"
 .PP
-Internet Systems Consortium 
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000\-2003 Internet Software Consortium.
+.br
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 2ef2e104..22acb044 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.209.12.8 2009/06/08 22:23:06 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.219 2009/06/09 22:54:21 marka Exp $ */
 
 /*! \file */
 
@@ -51,6 +51,7 @@
 #include <isc/os.h>
 #include <isc/print.h>
 #include <isc/random.h>
+#include <isc/rwlock.h>
 #include <isc/serial.h>
 #include <isc/stdio.h>
 #include <isc/stdlib.h>
@@ -106,6 +107,8 @@ struct signer_key_struct {
 	isc_boolean_t issigningkey;
 	isc_boolean_t isdsk;
 	isc_boolean_t isksk;
+	isc_boolean_t wasused;
+	isc_boolean_t commandline;
 	unsigned int position;
 	ISC_LINK(signer_key_t) link;
 };
@@ -127,6 +130,7 @@ struct signer_event {
 
 static ISC_LIST(signer_key_t) keylist;
 static unsigned int keycount = 0;
+isc_rwlock_t keylist_lock;
 static isc_stdtime_t starttime = 0, endtime = 0, now;
 static int cycle = -1;
 static int jitter = 0;
@@ -164,6 +168,7 @@ static dns_master_style_t *dsstyle = NULL;
 static unsigned int serialformat = SOA_SERIAL_KEEP;
 static unsigned int hash_length = 0;
 static isc_boolean_t unknownalg = ISC_FALSE;
+static isc_boolean_t disable_zone_check = ISC_FALSE;
 
 #define INCSTAT(counter)		\
 	if (printstats) {		\
@@ -206,6 +211,8 @@ newkeystruct(dst_key_t *dstkey, isc_boolean_t signwithkey) {
 		key->isksk = ISC_FALSE;
 		key->isdsk = ISC_TRUE;
 	}
+	key->wasused = ISC_FALSE;
+	key->commandline = ISC_FALSE;
 	key->position = keycount++;
 	ISC_LINK_INIT(key, link);
 	return (key);
@@ -255,13 +262,11 @@ iszonekey(signer_key_t *key) {
 }
 
 /*%
- * Finds the key that generated a RRSIG, if possible.  First look at the keys
- * that we've loaded already, and then see if there's a key on disk.
+ * Find the key if it is in our list.  If it is, return it, otherwise null.
+ * No locking is performed here, this must be done by the caller.
  */
 static signer_key_t *
-keythatsigned(dns_rdata_rrsig_t *rrsig) {
-	isc_result_t result;
-	dst_key_t *pubkey = NULL, *privkey = NULL;
+keythatsigned_unlocked(dns_rdata_rrsig_t *rrsig) {
 	signer_key_t *key;
 
 	key = ISC_LIST_HEAD(keylist);
@@ -269,15 +274,50 @@ keythatsigned(dns_rdata_rrsig_t *rrsig) {
 		if (rrsig->keyid == dst_key_id(key->key) &&
 		    rrsig->algorithm == dst_key_alg(key->key) &&
 		    dns_name_equal(&rrsig->signer, dst_key_name(key->key)))
-			return key;
+			return (key);
 		key = ISC_LIST_NEXT(key, link);
 	}
+	return (NULL);
+}
+
+/*%
+ * Finds the key that generated a RRSIG, if possible.  First look at the keys
+ * that we've loaded already, and then see if there's a key on disk.
+ */
+static signer_key_t *
+keythatsigned(dns_rdata_rrsig_t *rrsig) {
+	isc_result_t result;
+	dst_key_t *pubkey = NULL, *privkey = NULL;
+	signer_key_t *key;
+
+	isc_rwlock_lock(&keylist_lock, isc_rwlocktype_read);
+	key = keythatsigned_unlocked(rrsig);
+	isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_read);
+	if (key != NULL)
+		return (key);
+
+	/*
+	 * We did not find the key in our list.  Get a write lock now, since
+	 * we may be modifying the bits.  We could do the tryupgrade() dance,
+	 * but instead just get a write lock and check once again to see if
+	 * it is on our list.  It's possible someone else may have added it
+	 * after all.
+	 */
+	isc_rwlock_lock(&keylist_lock, isc_rwlocktype_write);
+
+	key = keythatsigned_unlocked(rrsig);
+	if (key != NULL) {
+		isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
+		return (key);
+	}
 
 	result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
 				  rrsig->algorithm, DST_TYPE_PUBLIC,
 				  NULL, mctx, &pubkey);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
+		isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
 		return (NULL);
+	}
 
 	result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
 				  rrsig->algorithm,
@@ -289,6 +329,8 @@ keythatsigned(dns_rdata_rrsig_t *rrsig) {
 	} else
 		key = newkeystruct(pubkey, ISC_FALSE);
 	ISC_LIST_APPEND(keylist, key, link);
+
+	isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
 	return (key);
 }
 
@@ -438,6 +480,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
 				keep = ISC_TRUE;
 				wassignedby[key->position] = ISC_TRUE;
 				nowsignedby[key->position] = ISC_TRUE;
+				key->wasused = ISC_TRUE;
 			} else {
 				vbprintf(2, "\trrsig by %s dropped - %s\n",
 					 sigstr,
@@ -453,6 +496,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
 				keep = ISC_TRUE;
 				wassignedby[key->position] = ISC_TRUE;
 				nowsignedby[key->position] = ISC_TRUE;
+				key->wasused = ISC_TRUE;
 			} else {
 				vbprintf(2, "\trrsig by %s dropped - %s\n",
 					 sigstr,
@@ -511,6 +555,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
 			isc_buffer_init(&b, array, sizeof(array));
 			signwithkey(name, set, &trdata, key->key, &b);
 			nowsignedby[key->position] = ISC_TRUE;
+			key->wasused = ISC_TRUE;
 			tuple = NULL;
 			result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
 						      name, ttl, &trdata,
@@ -555,6 +600,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
 		dns_rdata_init(&trdata);
 		isc_buffer_init(&b, array, sizeof(array));
 		signwithkey(name, set, &trdata, key->key, &b);
+		key->wasused = ISC_TRUE;
 		tuple = NULL;
 		result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name,
 					      ttl, &trdata, &tuple);
@@ -1198,7 +1244,7 @@ cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
 	dns_rdataset_t set;
 	isc_result_t result, dresult;
 
-	if (outputformat != dns_masterformat_text)
+	if (outputformat != dns_masterformat_text || !disable_zone_check)
 		return;
 
 	dns_rdataset_init(&set);
@@ -1248,6 +1294,423 @@ postsign(void) {
 	dns_dbiterator_destroy(&gdbiter);
 }
 
+static isc_boolean_t
+goodsig(dns_rdata_t *sigrdata, dns_name_t *name, dns_rdataset_t *keyrdataset,
+	dns_rdataset_t *rdataset)
+{
+	dns_rdata_dnskey_t key;
+	dns_rdata_rrsig_t sig;
+	dst_key_t *dstkey = NULL;
+	isc_result_t result;
+
+	dns_rdata_tostruct(sigrdata, &sig, NULL);
+
+	for (result = dns_rdataset_first(keyrdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(keyrdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdataset_current(keyrdataset, &rdata);
+		dns_rdata_tostruct(&rdata, &key, NULL);
+		result = dns_dnssec_keyfromrdata(gorigin, &rdata, mctx,
+						 &dstkey);
+		if (result != ISC_R_SUCCESS)
+			return (ISC_FALSE);
+		if (sig.algorithm != key.algorithm ||
+		    sig.keyid != dst_key_id(dstkey) ||
+		    !dns_name_equal(&sig.signer, gorigin)) {
+			dst_key_free(&dstkey);
+			continue;
+		}
+		result = dns_dnssec_verify(name, rdataset, dstkey, ISC_FALSE,
+					   mctx, sigrdata);
+		dst_key_free(&dstkey);
+		if (result == ISC_R_SUCCESS)
+			return(ISC_TRUE);
+	}
+	return (ISC_FALSE);
+}
+
+static void
+verifyset(dns_rdataset_t *rdataset, dns_name_t *name, dns_dbnode_t *node,
+	  dns_rdataset_t *keyrdataset, unsigned char *ksk_algorithms,
+	   char *bad_algorithms)
+{
+	unsigned char set_algorithms[256];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char algbuf[80];
+	char typebuf[80];
+	dns_rdataset_t sigrdataset;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	isc_result_t result;
+	int i;
+
+	dns_rdataset_init(&sigrdataset);
+	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
+	check_result(result, "dns_db_allrdatasets()");
+	for (result = dns_rdatasetiter_first(rdsiter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter)) {
+		dns_rdatasetiter_current(rdsiter, &sigrdataset);
+		if (sigrdataset.type == dns_rdatatype_rrsig &&
+		    sigrdataset.covers == rdataset->type)
+			break;
+		dns_rdataset_disassociate(&sigrdataset);
+	}
+	if (result != ISC_R_SUCCESS) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		type_format(rdataset->type, typebuf, sizeof(typebuf));
+		fprintf(stderr, "no signatures for %s/%s\n", namebuf, typebuf);
+		for (i = 0; i < 256; i++)
+			if (ksk_algorithms[i] != 0)
+				bad_algorithms[i] = 1;
+		return;
+	}
+
+	memset(set_algorithms, 0, sizeof(set_algorithms));
+	for (result = dns_rdataset_first(&sigrdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&sigrdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_rrsig_t sig;
+
+		dns_rdataset_current(&sigrdataset, &rdata);
+		dns_rdata_tostruct(&rdata, &sig, NULL);
+		if ((set_algorithms[sig.algorithm] != 0) ||
+		    (ksk_algorithms[sig.algorithm] == 0))
+			continue;
+		if (goodsig(&rdata, name, keyrdataset, rdataset))
+			set_algorithms[sig.algorithm] = 1;
+	}
+	dns_rdatasetiter_destroy(&rdsiter);
+	if (memcmp(set_algorithms, ksk_algorithms, sizeof(set_algorithms))) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		type_format(rdataset->type, typebuf, sizeof(typebuf));
+		for (i = 0; i < 256; i++)
+			if ((ksk_algorithms[i] != 0) &&
+			    (set_algorithms[i] == 0)) {
+				alg_format(i, algbuf, sizeof(algbuf));
+				fprintf(stderr, "Missing %s signature for "
+					"%s %s\n", algbuf, namebuf, typebuf);
+				bad_algorithms[i] = 1;
+			}
+	}
+	dns_rdataset_disassociate(&sigrdataset);
+}
+
+static void
+verifynode(dns_name_t *name, dns_dbnode_t *node, isc_boolean_t delegation,
+	   dns_rdataset_t *keyrdataset, unsigned char *ksk_algorithms,
+	   unsigned char *bad_algorithms)
+{
+	dns_rdataset_t rdataset;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	isc_result_t result;
+
+	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
+	check_result(result, "dns_db_allrdatasets()");
+	result = dns_rdatasetiter_first(rdsiter);
+	dns_rdataset_init(&rdataset);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		if (rdataset.type != dns_rdatatype_rrsig &&
+		    rdataset.type != dns_rdatatype_dnskey &&
+		    (!delegation || rdataset.type == dns_rdatatype_ds ||
+		     rdataset.type == dns_rdatatype_nsec)) {
+			verifyset(&rdataset, name, node, keyrdataset,
+				  ksk_algorithms, bad_algorithms);
+		}
+		dns_rdataset_disassociate(&rdataset);
+		result = dns_rdatasetiter_next(rdsiter);
+	}
+	if (result != ISC_R_NOMORE)
+		fatal("rdataset iteration failed: %s",
+		      isc_result_totext(result));
+	dns_rdatasetiter_destroy(&rdsiter);
+}
+
+/*%
+ * Verify that certain things are sane:
+ *
+ *   The apex has a DNSKEY record with at least one KSK and at least
+ *   one ZSK.
+ *
+ *   The DNSKEY record was signed with at least one of the KSKs in this
+ *   set.
+ *
+ *   The rest of the zone was signed with at least one of the ZSKs
+ *   present in the DNSKEY RRSET.
+ */
+static void
+verifyzone(void) {
+	char algbuf[80];
+	dns_dbiterator_t *dbiter = NULL;
+	dns_dbnode_t *node = NULL, *nextnode = NULL;
+	dns_fixedname_t fname, fnextname, fzonecut;
+	dns_name_t *name, *nextname, *zonecut;
+	dns_rdata_dnskey_t dnskey;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	dns_rdataset_t sigrdataset;
+	int i;
+	isc_boolean_t done = ISC_FALSE;
+	isc_boolean_t first = ISC_TRUE;
+	isc_boolean_t goodksk = ISC_FALSE;
+	isc_boolean_t goodzsk = ISC_FALSE;
+	isc_result_t result;
+	unsigned char revoked[256];
+	unsigned char standby[256];
+	unsigned char ksk_algorithms[256];
+	unsigned char zsk_algorithms[256];
+	unsigned char bad_algorithms[256];
+#ifdef ALLOW_KSKLESS_ZONES
+	isc_boolean_t allzsksigned = ISC_TRUE;
+	unsigned char self_algorithms[256];
+#endif
+
+	if (disable_zone_check)
+		return;
+
+	result = dns_db_findnode(gdb, gorigin, ISC_FALSE, &node);
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find the zone's origin: %s",
+		      isc_result_totext(result));
+
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_init(&sigrdataset);
+	result = dns_db_findrdataset(gdb, node, gversion,
+				     dns_rdatatype_dnskey,
+				     0, 0, &rdataset, &sigrdataset);
+	dns_db_detachnode(gdb, &node);
+	if (result != ISC_R_SUCCESS)
+		fatal("cannot find DNSKEY rrset\n");
+
+	if (!dns_rdataset_isassociated(&sigrdataset))
+		fatal("cannot find DNSKEY RRSIGs\n");
+
+	memset(revoked, 0, sizeof(revoked));
+	memset(standby, 0, sizeof(revoked));
+	memset(ksk_algorithms, 0, sizeof(ksk_algorithms));
+	memset(zsk_algorithms, 0, sizeof(zsk_algorithms));
+	memset(bad_algorithms, 0, sizeof(bad_algorithms));
+#ifdef ALLOW_KSKLESS_ZONES
+	memset(self_algorithms, 0, sizeof(self_algorithms));
+#endif
+
+	/*
+	 * Check that the DNSKEY RR has at least one self signing KSK and
+	 * one ZSK per algorithm in it.
+	 */
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
+		check_result(result, "dns_rdata_tostruct");
+
+		if ((dnskey.flags & DNS_KEYOWNER_ZONE) == 0)
+			;
+		else if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) {
+			if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
+			    !dns_dnssec_selfsigns(&rdata, gorigin, &rdataset,
+						  &sigrdataset, ISC_FALSE,
+						  mctx)) {
+				char namebuf[DNS_NAME_FORMATSIZE];
+				char buffer[1024];
+				isc_buffer_t buf;
+
+				dns_name_format(gorigin, namebuf,
+						sizeof(namebuf));
+				isc_buffer_init(&buf, buffer, sizeof(buffer));
+				result = dns_rdata_totext(&rdata, NULL, &buf);
+				check_result(result, "dns_rdata_totext");
+				fatal("revoked KSK is not self signed:\n"
+				      "%s DNSKEY %.*s", namebuf,
+				      (int)isc_buffer_usedlength(&buf), buffer);
+			}
+			if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 &&
+			     revoked[dnskey.algorithm] != 255)
+				revoked[dnskey.algorithm]++;
+		} else if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0) {
+			if (dns_dnssec_selfsigns(&rdata, gorigin, &rdataset,
+					      &sigrdataset, ISC_FALSE, mctx)) {
+				if (ksk_algorithms[dnskey.algorithm] != 255)
+					ksk_algorithms[dnskey.algorithm]++;
+				goodksk = ISC_TRUE;
+			} else {
+				if (standby[dnskey.algorithm] != 255)
+					standby[dnskey.algorithm]++;
+			}
+		} else if (dns_dnssec_selfsigns(&rdata, gorigin, &rdataset,
+						&sigrdataset, ISC_FALSE,
+						mctx)) {
+#ifdef ALLOW_KSKLESS_ZONES
+			if (self_algorithms[dnskey.algorithm] != 255)
+				self_algorithms[dnskey.algorithm]++;
+#endif
+			if (zsk_algorithms[dnskey.algorithm] != 255)
+				zsk_algorithms[dnskey.algorithm]++;
+			goodzsk = ISC_TRUE;
+		} else {
+			if (zsk_algorithms[dnskey.algorithm] != 255)
+				zsk_algorithms[dnskey.algorithm]++;
+#ifdef ALLOW_KSKLESS_ZONES
+			allzsksigned = ISC_FALSE;
+#endif
+		}
+		dns_rdata_freestruct(&dnskey);
+		dns_rdata_reset(&rdata);
+	}
+	dns_rdataset_disassociate(&sigrdataset);
+
+	if (!goodksk) {
+#ifdef ALLOW_KSKLESS_ZONES
+		if (!goodzsk)
+			fatal("no self signing keys found");
+		fprintf(stderr, "No self signing KSK found. Using self signed "
+			"ZSK's for active algorithm list.\n");
+		memcpy(ksk_algorithms, self_algorithms, sizeof(ksk_algorithms));
+		if (!allzsksigned)
+			fprintf(stderr, "warning: not all ZSK's are self "
+				"signed.\n");
+#else
+		fatal("no self signed KSK's found");
+#endif
+	}
+
+	fprintf(stderr, "Verifying the zone using the following algorithms:");
+	for (i = 0; i < 256; i++) {
+		if (ksk_algorithms[i] != 0) {
+			alg_format(i, algbuf, sizeof(algbuf));
+			fprintf(stderr, " %s", algbuf);
+		}
+	}
+	fprintf(stderr, ".\n");
+
+	for (i = 0; i < 256; i++) {
+		/*
+		 * The counts should both be zero or both be non-zero.
+		 * Mark the algorithm as bad if this is not met.
+		 */
+		if ((ksk_algorithms[i] != 0) == (zsk_algorithms[i] != 0))
+			continue;
+		alg_format(i, algbuf, sizeof(algbuf));
+		fprintf(stderr, "Missing %s for algorithm %s\n",
+			(ksk_algorithms[i] != 0) ? "ZSK" : "self signing KSK",
+			algbuf);
+		bad_algorithms[i] = 1;
+	}
+
+	/*
+	 * Check that all the other records were signed by keys that are
+	 * present in the DNSKEY RRSET.
+	 */
+
+	dns_fixedname_init(&fname);
+	name = dns_fixedname_name(&fname);
+	dns_fixedname_init(&fnextname);
+	nextname = dns_fixedname_name(&fnextname);
+	dns_fixedname_init(&fzonecut);
+	zonecut = NULL;
+
+	result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
+	check_result(result, "dns_db_createiterator()");
+
+	result = dns_dbiterator_first(dbiter);
+	check_result(result, "dns_dbiterator_first()");
+
+	while (!done) {
+		isc_boolean_t isdelegation = ISC_FALSE;
+
+		dns_dbiterator_current(dbiter, &node, name);
+		if (delegation(name, node, NULL)) {
+			zonecut = dns_fixedname_name(&fzonecut);
+			dns_name_copy(name, zonecut, NULL);
+			isdelegation = ISC_TRUE;
+		}
+		verifynode(name, node, isdelegation, &rdataset,
+			   ksk_algorithms, bad_algorithms);
+		result = dns_dbiterator_next(dbiter);
+		nextnode = NULL;
+		while (result == ISC_R_SUCCESS) {
+			result = dns_dbiterator_current(dbiter, &nextnode,
+							nextname);
+			if (result != ISC_R_SUCCESS)
+				break;
+			if (!dns_name_issubdomain(nextname, gorigin) ||
+			    (zonecut != NULL &&
+			     dns_name_issubdomain(nextname, zonecut)))
+			{
+				dns_db_detachnode(gdb, &nextnode);
+				result = dns_dbiterator_next(dbiter);
+				continue;
+			}
+			dns_db_detachnode(gdb, &nextnode);
+			break;
+		}
+		if (result == ISC_R_NOMORE) {
+			done = ISC_TRUE;
+		} else if (result != ISC_R_SUCCESS)
+			fatal("iterating through the database failed: %s",
+			      isc_result_totext(result));
+		dns_db_detachnode(gdb, &node);
+	}
+
+	dns_dbiterator_destroy(&dbiter);
+
+	result = dns_db_createiterator(gdb, DNS_DB_NSEC3ONLY, &dbiter);
+	check_result(result, "dns_db_createiterator()");
+
+	for (result = dns_dbiterator_first(dbiter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_next(dbiter) ) {
+		dns_dbiterator_current(dbiter, &node, name);
+		verifynode(name, node, ISC_FALSE, &rdataset,
+			   ksk_algorithms, bad_algorithms);
+		dns_db_detachnode(gdb, &node);
+	}
+	dns_dbiterator_destroy(&dbiter);
+
+	dns_rdataset_disassociate(&rdataset);
+
+	/*
+	 * If we made it this far, we have what we consider a properly signed
+	 * zone.  Set the good flag.
+	 */
+	for (i = 0; i < 256; i++) {
+		if (bad_algorithms[i] != 0) {
+			if (first)
+				fprintf(stderr, "The zone is not fully signed "
+					"for the following algorithms:");
+			alg_format(i, algbuf, sizeof(algbuf));
+			fprintf(stderr, " %s", algbuf);
+			first = ISC_FALSE;
+		}
+	}
+	if (!first) {
+		fprintf(stderr, ".\n");
+		fatal("DNSSEC completeness test failed.");
+	}
+
+	if (goodksk) {
+		/*
+		 * Print the success summary.
+		 */
+		fprintf(stderr, "Zone signing complete:\n");
+		for (i = 0; i < 256; i++) {
+			if ((zsk_algorithms[i] != 0) ||
+			    (ksk_algorithms[i] != 0) ||
+			    (revoked[i] != 0) || (standby[i] != 0)) {
+				alg_format(i, algbuf, sizeof(algbuf));
+				fprintf(stderr, "Algorithm: %s: ZSKs: %u, "
+					"KSKs: %u active, %u revoked, %u "
+					"stand-by\n", algbuf,
+					zsk_algorithms[i], ksk_algorithms[i],
+					revoked[i], standby[i]);
+			}
+		}
+	}
+}
+
 /*%
  * Sign the apex of the zone.
  * Note the origin may not be the first node if there are out of zone
@@ -1764,7 +2227,8 @@ nsec3clean(dns_name_t *name, dns_dbnode_t *node,
 	     result = dns_rdataset_next(&rdataset)) {
 		dns_rdata_init(&rdata);
 		dns_rdataset_current(&rdataset, &rdata);
-		dns_rdata_tostruct(&rdata, &nsec3, NULL);
+		result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+		check_result(result, "dns_rdata_tostruct");
 		if (nsec3.hash == hashalg &&
 		    nsec3.iterations == iterations &&
 		    nsec3.salt_length == salt_length &&
@@ -2134,7 +2598,7 @@ warnifallksk(dns_db_t *db) {
 	dns_rdataset_t rdataset;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_result_t result;
-	dns_rdata_key_t key;
+	dns_rdata_dnskey_t dnskey;
 	isc_boolean_t have_non_ksk = ISC_FALSE;
 
 	dns_db_currentversion(db, &currentversion);
@@ -2155,21 +2619,27 @@ warnifallksk(dns_db_t *db) {
 	while (result == ISC_R_SUCCESS) {
 		dns_rdata_reset(&rdata);
 		dns_rdataset_current(&rdataset, &rdata);
-		result = dns_rdata_tostruct(&rdata, &key, NULL);
+		result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
 		check_result(result, "dns_rdata_tostruct");
-		if ((key.flags & DNS_KEYFLAG_KSK) == 0) {
+		if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0) {
 			have_non_ksk = ISC_TRUE;
 			result = ISC_R_NOMORE;
 		} else
 			result = dns_rdataset_next(&rdataset);
+		dns_rdata_freestruct(&dnskey);
 	}
 	dns_rdataset_disassociate(&rdataset);
 	dns_db_detachnode(db, &node);
 	dns_db_closeversion(db, &currentversion, ISC_FALSE);
-	if (!have_non_ksk && !ignoreksk)
-		fprintf(stderr, "%s: warning: No non-KSK dnskey found. "
-			"Supply non-KSK dnskey or use '-z'.\n",
-			program);
+	if (!have_non_ksk && !ignoreksk) {
+		if (disable_zone_check)
+			fprintf(stderr, "%s: warning: No non-KSK dnskey found. "
+				"Supply non-KSK dnskey or use '-z'.\n",
+				program);
+		else
+			fatal("No non-KSK dnskey found. "
+			      "Supply non-KSK dnskey or use '-z'.");
+	}
 }
 
 static void
@@ -2370,6 +2840,8 @@ usage(void) {
 	fprintf(stderr, "verify generated signatures\n");
 	fprintf(stderr, "\t-p:\t");
 	fprintf(stderr, "use pseudorandom data (faster but less secure)\n");
+	fprintf(stderr, "\t-P:\t");
+	fprintf(stderr, "disable post-sign verification\n");
 	fprintf(stderr, "\t-t:\t");
 	fprintf(stderr, "print statistics\n");
 	fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
@@ -2448,7 +2920,7 @@ main(int argc, char *argv[]) {
 	unsigned char saltbuf[255];
 	hashlist_t hashlist;
 
-#define CMDLINE_FLAGS "3:aAc:d:e:f:ghH:i:I:j:k:l:m:n:N:o:O:pr:s:StUv:z"
+#define CMDLINE_FLAGS "3:aAc:d:e:f:FghH:i:I:j:k:l:m:n:N:o:O:pPr:s:StUv:z"
 
 	/*
 	 * Process memory debugging argument first.
@@ -2535,19 +3007,19 @@ main(int argc, char *argv[]) {
 			generateds = ISC_TRUE;
 			break;
 
-		case '?':
-			if (isc_commandline_option != '?')
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
+		case 'H':
+			iterations = strtoul(isc_commandline_argument,
+					     &endp, 0);
+			if (*endp != '\0')
+				fatal("iterations must be numeric");
+			if (iterations > 0xffffU)
+				fatal("iterations too big");
+			break;
+
 		case 'h':
 			usage();
 			break;
 
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				program, isc_commandline_option);
-			exit(1);
-
 		case 'i':
 			endp = NULL;
 			cycle = strtol(isc_commandline_argument, &endp, 0);
@@ -2567,8 +3039,13 @@ main(int argc, char *argv[]) {
 				fatal("jitter must be numeric and positive");
 			break;
 
+		case 'k':
+			if (ndskeys == MAXDSKEYS)
+				fatal("too many key-signing keys specified");
+			dskeyfile[ndskeys++] = isc_commandline_argument;
+			break;
+
 		case 'l':
-			dns_fixedname_init(&dlv_fixed);
 			len = strlen(isc_commandline_argument);
 			isc_buffer_init(&b, isc_commandline_argument, len);
 			isc_buffer_add(&b, len);
@@ -2580,12 +3057,6 @@ main(int argc, char *argv[]) {
 			check_result(result, "dns_name_fromtext(dlv)");
 			break;
 
-		case 'k':
-			if (ndskeys == MAXDSKEYS)
-				fatal("too many key-signing keys specified");
-			dskeyfile[ndskeys++] = isc_commandline_argument;
-			break;
-
 		case 'm':
 			break;
 
@@ -2600,15 +3071,6 @@ main(int argc, char *argv[]) {
 			serialformatstr = isc_commandline_argument;
 			break;
 
-		case 'H':
-			iterations = strtoul(isc_commandline_argument,
-					     &endp, 0);
-			if (*endp != '\0')
-				fatal("iterations must be numeric");
-			if (iterations > 0xffffU)
-				fatal("iterations too big");
-			break;
-
 		case 'o':
 			origin = isc_commandline_argument;
 			break;
@@ -2621,6 +3083,10 @@ main(int argc, char *argv[]) {
 			pseudorandom = ISC_TRUE;
 			break;
 
+		case 'P':
+			disable_zone_check = ISC_TRUE;
+			break;
+
 		case 'r':
 			setup_entropy(mctx, isc_commandline_argument, &ectx);
 			break;
@@ -2653,6 +3119,21 @@ main(int argc, char *argv[]) {
 		case 'z':
 			ignoreksk = ISC_TRUE;
 			break;
+
+		case 'F':
+			/* Reserved for FIPS mode */
+			/* FALLTHROUGH */
+		case '?':
+			if (isc_commandline_option != '?')
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+			usage();
+			break;
+
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n",
+				program, isc_commandline_option);
+			exit(1);
 		}
 	}
 
@@ -2769,7 +3250,12 @@ main(int argc, char *argv[]) {
 			      "NSEC only DNSKEY");
 	}
 
+	/*
+	 * We need to do this early on, as we start messing with the list
+	 * of keys rather early.
+	 */
 	ISC_LIST_INIT(keylist);
+	isc_rwlock_init(&keylist_lock, 0, 0);
 
 	if (argc == 0) {
 		loadzonekeys(gdb);
@@ -2806,6 +3292,7 @@ main(int argc, char *argv[]) {
 			}
 			if (key == NULL) {
 				key = newkeystruct(newkey, ISC_TRUE);
+				key->commandline = ISC_TRUE;
 				ISC_LIST_APPEND(keylist, key, link);
 			} else
 				dst_key_free(&newkey);
@@ -2856,8 +3343,11 @@ main(int argc, char *argv[]) {
 	}
 
 	if (ISC_LIST_EMPTY(keylist)) {
-		fprintf(stderr, "%s: warning: No keys specified or found\n",
-			program);
+		if (disable_zone_check)
+			fprintf(stderr, "%s: warning: No keys specified or found\n",
+				program);
+		else
+			fatal("No signing keys specified or found.");
 		nokeys = ISC_TRUE;
 	}
 
@@ -2972,6 +3462,7 @@ main(int argc, char *argv[]) {
 	isc_taskmgr_destroy(&taskmgr);
 	isc_mem_put(mctx, tasks, ntasks * sizeof(isc_task_t *));
 	postsign();
+	verifyzone();
 
 	if (outputformat != dns_masterformat_text) {
 		result = dns_master_dumptostream2(mctx, gdb, gversion,
diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index 7ed320ad..1d6ba01c 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -18,10 +18,10 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-signzone.docbook,v 1.31.44.6 2009/06/09 01:47:19 each Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.34 2009/06/05 21:59:43 jreed Exp $ -->
 <refentry id="man.dnssec-signzone">
   <refentryinfo>
-    <date>June 08, 2009</date>
+    <date>June 05, 2009</date>
   </refentryinfo>
 
   <refmeta>
@@ -73,6 +73,7 @@
       <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
       <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
       <arg><option>-p</option></arg>
+      <arg><option>-P</option></arg>
       <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
       <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
       <arg><option>-t</option></arg>
@@ -360,6 +361,22 @@
       </varlistentry>
 
       <varlistentry>
+        <term>-P</term>
+        <listitem>
+          <para>
+	    Disable post sign verification tests.
+          </para>
+          <para>
+	    The post sign verification test ensures that for each algorithm
+	    in use there is at least one non revoked self signed KSK key,
+	    that all revoked KSK keys are self signed, and that all records
+	    in the zone are signed by the algorithm.
+	    This option skips these tests.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>-r <replaceable class="parameter">randomdev</replaceable></term>
         <listitem>
           <para>
@@ -491,33 +508,6 @@ db.example.com.signed
   </refsect1>
 
   <refsect1>
-    <title>KNOWN BUGS</title>
-    <para>
-        <command>dnssec-signzone</command> was designed so that it could
-        sign a zone partially, using only a subset of the DNSSEC keys
-        needed to produce a fully-signed zone.  This permits a zone
-        administrator, for example, to sign a zone with one key on one
-        machine, move the resulting partially-signed zone to a second
-        machine, and sign it again with a second key.
-    </para>
-    <para>
-        An unfortunate side-effect of this flexibility is that
-        <command>dnssec-signzone</command> does not check to make sure
-        it's signing a zone with any valid keys at all.  An attempt to
-        sign a zone without any keys will appear to succeed, producing
-        a "signed" zone with no signatures.  There is no warning issued
-        when a zone is not fully signed.
-    </para>
-
-    <para>
-        This will be corrected in a future release.  In the meantime, ISC
-        recommends examining the output of <command>dnssec-signzone</command>
-        to confirm that the zone is properly signed by all keys before
-        using it.
-    </para>
-  </refsect1>
-
-  <refsect1>
     <title>SEE ALSO</title>
     <para><citerefentry>
         <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index 5eb8626e..179df23d 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: dnssec-signzone.html,v 1.33.44.4 2009/06/09 01:47:19 each Exp $ -->
+<!-- $Id: dnssec-signzone.html,v 1.35 2009/06/06 01:12:32 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-signzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.67.2">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
 <a name="man.dnssec-signzone"></a><div class="titlepage"></div>
@@ -29,10 +29,10 @@
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id215236"></a><h2>DESCRIPTION</h2>
+<a name="id2543558"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-signzone</strong></span>
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -43,7 +43,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id215253"></a><h2>OPTIONS</h2>
+<a name="id2543573"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a</span></dt>
 <dd><p>
@@ -202,6 +202,19 @@
             may be useful when signing large zones or when the entropy
             source is limited.
           </p></dd>
+<dt><span class="term">-P</span></dt>
+<dd>
+<p>
+	    Disable post sign verification tests.
+          </p>
+<p>
+	    The post sign verification test ensures that for each algorithm
+	    in use there is at least one non revoked self signed KSK key,
+	    that all revoked KSK keys are self signed, and that all records
+	    in the zone are signed by the algorithm.
+	    This option skips these tests.
+          </p>
+</dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
 <dd><p>
             Specifies the source of randomness.  If the operating
@@ -258,7 +271,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id216044"></a><h2>EXAMPLE</h2>
+<a name="id2544428"></a><h2>EXAMPLE</h2>
 <p>
       The following command signs the <strong class="userinput"><code>example.com</code></strong>
       zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
@@ -287,39 +300,14 @@ db.example.com.signed
 %</pre>
 </div>
 <div class="refsect1" lang="en">
-<a name="id216098"></a><h2>KNOWN BUGS</h2>
-<p>
-        <span><strong class="command">dnssec-signzone</strong></span> was designed so that it could
-        sign a zone partially, using only a subset of the DNSSEC keys
-        needed to produce a fully-signed zone.  This permits a zone
-        administrator, for example, to sign a zone with one key on one
-        machine, move the resulting partially-signed zone to a second
-        machine, and sign it again with a second key.
-    </p>
-<p>
-        An unfortunate side-effect of this flexibility is that
-        <span><strong class="command">dnssec-signzone</strong></span> does not check to make sure
-        it's signing a zone with any valid keys at all.  An attempt to
-        sign a zone without any keys will appear to succeed, producing
-        a "signed" zone with no signatures.  There is no warning issued
-        when a zone is not fully signed.
-    </p>
-<p>
-        This will be corrected in a future release.  In the meantime, ISC
-        recommends examining the output of <span><strong class="command">dnssec-signzone</strong></span>
-        to confirm that the zone is properly signed by all keys before
-        using it.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id216132"></a><h2>SEE ALSO</h2>
+<a name="id2544548"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 4033</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id216155"></a><h2>AUTHOR</h2>
+<a name="id2544641"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index b89d7694..bd1467a7 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.c,v 1.45.334.4 2009/06/08 23:47:00 tbox Exp $ */
+/* $Id: dnssectool.c,v 1.47 2009/06/04 02:56:47 tbox Exp $ */
 
 /*! \file */
 
@@ -65,7 +65,7 @@ void
 fatal(const char *format, ...) {
 	va_list args;
 
-	fprintf(stderr, "%s: ", program);
+	fprintf(stderr, "%s: fatal: ", program);
 	va_start(args, format);
 	vfprintf(stderr, format, args);
 	va_end(args);
diff --git a/bin/dnssec/win32/dnssectool.dsw b/bin/dnssec/win32/dnssectool.dsw
index 10494418..703c5082 100644
--- a/bin/dnssec/win32/dnssectool.dsw
+++ b/bin/dnssec/win32/dnssectool.dsw
@@ -3,7 +3,7 @@ Microsoft Developer Studio Workspace File, Format Version 6.00
 
 ###############################################################################
 
-Project: "dighost"=".\dnssectool.dsp" - Package Owner=<4>
+Project: "dnssectool"=".\dnssectool.dsp" - Package Owner=<4>
 
 Package=<5>
 {{{
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 4d800a69..69438e2f 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.101 2008/09/23 17:25:47 jinmei Exp $
+# $Id: Makefile.in,v 1.104 2009/03/05 23:47:35 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -111,10 +111,14 @@ main.@O@: main.c
 		-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
 		-DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c
 
-config.@O@: config.c
+bind.keys.h: ${top_srcdir}/bind.keys
+	${PERL} ${srcdir}/bindkeys.pl < ${top_srcdir}/bind.keys > $@
+
+config.@O@: config.c bind.keys.h
 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
 		-DVERSION=\"${VERSION}\" \
 		-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
+		-DNS_SYSCONFDIR=\"${sysconfdir}\" \
 		-c ${srcdir}/config.c
 
 named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS}
@@ -131,7 +135,7 @@ docclean manclean maintainer-clean::
 	rm -f ${MANOBJS}
 
 clean distclean maintainer-clean::
-	rm -f ${TARGETS} ${OBJS}
+	rm -f ${TARGETS} ${OBJS} bind.keys.h
 
 bind9.xsl.h: bind9.xsl convertxsl.pl
 	${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.xsl > bind9.xsl.h
diff --git a/bin/named/bind.keys.h b/bin/named/bind.keys.h
new file mode 100644
index 00000000..1b287a51
--- /dev/null
+++ b/bin/named/bind.keys.h
@@ -0,0 +1,7 @@
+#define TRUSTED_KEYS "\
+trusted-keys {\n\
+        # NOTE: This key expires September 2009 \n\
+        # Go to https://www.isc.org/solutions/dlv to download a replacement\n\
+	dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
+};\n\
+"
diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl
index 2cadbfd7..8063cc66 100644
--- a/bin/named/bind9.xsl
+++ b/bin/named/bind9.xsl
@@ -15,7 +15,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: bind9.xsl,v 1.19.82.2 2009/01/29 23:47:43 tbox Exp $ -->
+<!-- $Id: bind9.xsl,v 1.21 2009/01/27 23:47:54 tbox Exp $ -->
 
 <xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
diff --git a/bin/named/bind9.xsl.h b/bin/named/bind9.xsl.h
index e42fda08..19a58ff1 100644
--- a/bin/named/bind9.xsl.h
+++ b/bin/named/bind9.xsl.h
@@ -1,6 +1,6 @@
 /*
  * Generated by convertxsl.pl 1.14 2008/07/17 23:43:26 jinmei Exp  
- * From bind9.xsl 1.19.82.2 2009/01/29 23:47:43 tbox Exp 
+ * From bind9.xsl 1.21 2009/01/27 23:47:54 tbox Exp 
  */
 static char xslmsg[] =
 	"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
@@ -20,7 +20,7 @@ static char xslmsg[] =
 	" - PERFORMANCE OF THIS SOFTWARE.\n"
 	"-->\n"
 	"\n"
-	"<!-- \045Id: bind9.xsl,v 1.19.82.2 2009/01/29 23:47:43 tbox Exp \045 -->\n"
+	"<!-- \045Id: bind9.xsl,v 1.21 2009/01/27 23:47:54 tbox Exp \045 -->\n"
 	"\n"
 	"<xsl:stylesheet version=\"1.0\"\n"
 	" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\n"
diff --git a/bin/named/bindkeys.pl b/bin/named/bindkeys.pl
new file mode 100755
index 00000000..c68002b9
--- /dev/null
+++ b/bin/named/bindkeys.pl
@@ -0,0 +1,32 @@
+#!/usr/bin/env perl
+#
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: bindkeys.pl,v 1.2 2009/03/04 02:42:30 each Exp $
+
+use strict;
+use warnings;
+
+my $lines = '#define TRUSTED_KEYS "\\' . "\n";
+
+while (<>) {
+    chomp;
+    s/\"/\\\"/g;
+    s/$/\\n\\/;
+    $lines .= $_ . "\n";
+}
+
+$lines .= '"' . "\n";
+print $lines;
diff --git a/bin/named/builtin.c b/bin/named/builtin.c
index 7927737d..b4a4b1ac 100644
--- a/bin/named/builtin.c
+++ b/bin/named/builtin.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: builtin.c,v 1.12 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: builtin.c,v 1.15 2009/03/01 02:45:38 each Exp $ */
 
 /*! \file
  * \brief
@@ -95,7 +95,7 @@ put_txt(dns_sdblookup_t *lookup, const char *text) {
 
 static isc_result_t
 do_version_lookup(dns_sdblookup_t *lookup) {
-	if (ns_g_server->version_set) {	
+	if (ns_g_server->version_set) {
 		if (ns_g_server->version == NULL)
 			return (ISC_R_SUCCESS);
 		else
@@ -132,10 +132,12 @@ do_authors_lookup(dns_sdblookup_t *lookup) {
 		"Michael Graff",
 		"Andreas Gustafsson",
 		"Bob Halley",
+		"Evan Hunt",
 		"David Lawrence",
 		"Danny Mayer",
 		"Damien Neil",
 		"Matt Nelson",
+		"Jeremy C. Reed",
 		"Michael Sawyer",
 		"Brian Wellington",
 		NULL
@@ -198,7 +200,7 @@ builtin_authority(const char *zone, void *dbdata, dns_sdblookup_t *lookup) {
 		if (b->contact != NULL)
 			contact = b->contact;
 	}
-	
+
 	result = dns_sdb_putsoa(lookup, server, contact, 0);
 	if (result != ISC_R_SUCCESS)
 		return (ISC_R_FAILURE);
@@ -233,7 +235,7 @@ builtin_create(const char *zone, int argc, char **argv,
 		*dbdata = &authors_builtin;
 	else if (strcmp(argv[0], "id") == 0)
 		*dbdata = &id_builtin;
-	else if (strcmp(argv[0], "empty") == 0) { 
+	else if (strcmp(argv[0], "empty") == 0) {
 		builtin_t *empty;
 		char *server;
 		char *contact;
diff --git a/bin/named/client.c b/bin/named/client.c
index ae5386cb..19fa2251 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.259.12.3 2009/01/29 22:40:33 jinmei Exp $ */
+/* $Id: client.c,v 1.265 2009/05/07 09:41:21 fdupont Exp $ */
 
 #include <config.h>
 
@@ -1355,7 +1355,6 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	dns_name_t *signame;
 	isc_boolean_t ra;	/* Recursion available. */
 	isc_netaddr_t netaddr;
-	isc_netaddr_t destaddr;
 	int match;
 	dns_messageid_t id;
 	unsigned int flags;
@@ -1473,7 +1472,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
 
 	/*
 	 * Silently drop multicast requests for the present.
-	 * XXXMPA look at when/if mDNS spec stabilizes.
+	 * XXXMPA revisit this as mDNS spec was published.
 	 */
 	if ((client->attributes & NS_CLIENTATTR_MULTICAST) != 0) {
 		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
@@ -1647,24 +1646,20 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	 * etc), we regard this as an error for safety.
 	 */
 	if ((client->interface->flags & NS_INTERFACEFLAG_ANYADDR) == 0)
-		isc_netaddr_fromsockaddr(&destaddr, &client->interface->addr);
+		isc_netaddr_fromsockaddr(&client->destaddr,
+					 &client->interface->addr);
 	else {
+		isc_sockaddr_t sockaddr;
 		result = ISC_R_FAILURE;
 
-		if (TCP_CLIENT(client)) {
-			isc_sockaddr_t destsockaddr;
-
+		if (TCP_CLIENT(client))
 			result = isc_socket_getsockname(client->tcpsocket,
-							&destsockaddr);
-			if (result == ISC_R_SUCCESS)
-				isc_netaddr_fromsockaddr(&destaddr,
-							 &destsockaddr);
-		}
+							&sockaddr);
+		if (result == ISC_R_SUCCESS)
+			isc_netaddr_fromsockaddr(&client->destaddr, &sockaddr);
 		if (result != ISC_R_SUCCESS &&
 		    client->interface->addr.type.sa.sa_family == AF_INET6 &&
 		    (client->attributes & NS_CLIENTATTR_PKTINFO) != 0) {
-			isc_uint32_t zone = 0;
-
 			/*
 			 * XXXJT technically, we should convert the receiving
 			 * interface ID to a proper scope zone ID.  However,
@@ -1673,12 +1668,11 @@ client_request(isc_task_t *task, isc_event_t *event) {
 			 * interface index as link ID.  Despite the assumption,
 			 * it should cover most typical cases.
 			 */
-			if (IN6_IS_ADDR_LINKLOCAL(&client->pktinfo.ipi6_addr))
-				zone = (isc_uint32_t)client->pktinfo.ipi6_ifindex;
-
-			isc_netaddr_fromin6(&destaddr,
+			isc_netaddr_fromin6(&client->destaddr,
 					    &client->pktinfo.ipi6_addr);
-			isc_netaddr_setzone(&destaddr, zone);
+			if (IN6_IS_ADDR_LINKLOCAL(&client->pktinfo.ipi6_addr))
+				isc_netaddr_setzone(&client->destaddr,
+						client->pktinfo.ipi6_ifindex);
 			result = ISC_R_SUCCESS;
 		}
 		if (result != ISC_R_SUCCESS) {
@@ -1708,7 +1702,8 @@ client_request(isc_task_t *task, isc_event_t *event) {
 				tsig = dns_tsigkey_identity(client->message->tsigkey);
 
 			if (allowed(&netaddr, tsig, view->matchclients) &&
-			    allowed(&destaddr, tsig, view->matchdestinations) &&
+			    allowed(&client->destaddr, tsig,
+				    view->matchdestinations) &&
 			    !((client->message->flags & DNS_MESSAGEFLAG_RD)
 			      == 0 && view->matchrecursiveonly))
 			{
@@ -1861,10 +1856,10 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	    ns_client_checkaclsilent(client, NULL,
 				     client->view->queryacl,
 				     ISC_TRUE) == ISC_R_SUCCESS &&
-	    ns_client_checkaclsilent(client, &client->interface->addr,
+	    ns_client_checkaclsilent(client, &client->destaddr,
 				     client->view->recursiononacl,
 				     ISC_TRUE) == ISC_R_SUCCESS &&
-	    ns_client_checkaclsilent(client, &client->interface->addr,
+	    ns_client_checkaclsilent(client, &client->destaddr,
 				     client->view->queryonacl,
 				     ISC_TRUE) == ISC_R_SUCCESS)
 		ra = ISC_TRUE;
@@ -2600,12 +2595,12 @@ ns_client_getsockaddr(ns_client_t *client) {
 }
 
 isc_result_t
-ns_client_checkaclsilent(ns_client_t *client, isc_sockaddr_t *sockaddr,
+ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr,
 			 dns_acl_t *acl, isc_boolean_t default_allow)
 {
 	isc_result_t result;
+	isc_netaddr_t tmpnetaddr;
 	int match;
-	isc_netaddr_t netaddr;
 
 	if (acl == NULL) {
 		if (default_allow)
@@ -2614,15 +2609,13 @@ ns_client_checkaclsilent(ns_client_t *client, isc_sockaddr_t *sockaddr,
 			goto deny;
 	}
 
+	if (netaddr == NULL) {
+		isc_netaddr_fromsockaddr(&tmpnetaddr, &client->peeraddr);
+		netaddr = &tmpnetaddr;
+	}
 
-	if (sockaddr == NULL)
-		isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
-	else
-		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
-
-	result = dns_acl_match(&netaddr, client->signer, acl,
-			       &ns_g_server->aclenv,
-			       &match, NULL);
+	result = dns_acl_match(netaddr, client->signer, acl,
+			       &ns_g_server->aclenv, &match, NULL);
 
 	if (result != ISC_R_SUCCESS)
 		goto deny; /* Internal error, already logged. */
@@ -2642,8 +2635,14 @@ ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr,
 		   const char *opname, dns_acl_t *acl,
 		   isc_boolean_t default_allow, int log_level)
 {
-	isc_result_t result =
-		ns_client_checkaclsilent(client, sockaddr, acl, default_allow);
+	isc_result_t result;
+	isc_netaddr_t netaddr;
+
+	if (sockaddr != NULL)
+		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+
+	result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL,
+					  acl, default_allow);
 
 	if (result == ISC_R_SUCCESS)
 		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
diff --git a/bin/named/config.c b/bin/named/config.c
index 8b96050e..db650a85 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.93.14.2 2009/03/17 23:47:28 tbox Exp $ */
+/* $Id: config.c,v 1.97 2009/06/10 00:27:21 each Exp $ */
 
 /*! \file */
 
@@ -42,9 +42,13 @@
 #include <dns/tsig.h>
 #include <dns/zone.h>
 
+#include <dst/dst.h>
+
 #include <named/config.h>
 #include <named/globals.h>
 
+#include "bind.keys.h"
+
 /*% default configuration */
 static char defaultconf[] = "\
 options {\n\
@@ -55,7 +59,10 @@ options {\n\
 	files unlimited;\n\
 	stacksize default;\n"
 #endif
-"	deallocate-on-exit true;\n\
+"#	ddns-keyfile \"" NS_LOCALSTATEDIR "/run/named/ddns.key\";\n\
+	ddns-keyname local-ddns;\n\
+	ddns-keyalg hmac-sha256;\n\
+	deallocate-on-exit true;\n\
 #	directory <none>\n\
 	dump-file \"named_dump.db\";\n\
 	fake-iquery no;\n\
@@ -70,6 +77,7 @@ options {\n\
 	multiple-cnames no;\n\
 #	named-xfer <obsolete>;\n\
 #	pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
+	bindkeys-file \"" NS_SYSCONFDIR "/bind.keys\";\n\
 	port 53;\n\
 	recursing-file \"named.recursing\";\n\
 "
@@ -102,6 +110,9 @@ options {\n\
 	request-nsid false;\n\
 	reserved-sockets 512;\n\
 \n\
+	/* DLV */\n\
+	dnssec-lookaside . trust-anchor dlv.isc.org;\n\
+\n\
 	/* view */\n\
 	allow-notify {none;};\n\
 	allow-update-forwarding {none;};\n\
@@ -157,6 +168,7 @@ options {\n\
 	notify-delay 5;\n\
 	notify-to-soa no;\n\
 	dialup no;\n\
+	ddns-autoconf no;\n\
 #	forward <none>\n\
 #	forwarders <none>\n\
 	maintain-ixfr-base no;\n\
@@ -218,6 +230,19 @@ view \"_bind\" chaos {\n\
 		database \"_builtin id\";\n\
 	};\n\
 };\n\
+"
+
+"#\n\
+#  Default trusted key(s) for builtin DLV support\n\
+#  (used if \"dnssec-lookaside auto;\" is set and\n\
+#  sysconfdir/bind.keys doesn't exist).\n\
+#\n\
+# BEGIN TRUSTED KEYS\n"
+
+/* Imported from bind.keys.h: */
+TRUSTED_KEYS
+
+"# END TRUSTED KEYS\n\
 ";
 
 isc_result_t
@@ -747,23 +772,31 @@ struct keyalgorithms {
 	const char *str;
 	enum { hmacnone, hmacmd5, hmacsha1, hmacsha224,
 	       hmacsha256, hmacsha384, hmacsha512 } hmac;
+	unsigned int type;
 	isc_uint16_t size;
 } algorithms[] = {
-	{ "hmac-md5", hmacmd5, 128 },
-	{ "hmac-md5.sig-alg.reg.int", hmacmd5, 0 },
-	{ "hmac-md5.sig-alg.reg.int.", hmacmd5, 0 },
-	{ "hmac-sha1", hmacsha1, 160 },
-	{ "hmac-sha224", hmacsha224, 224 },
-	{ "hmac-sha256", hmacsha256, 256 },
-	{ "hmac-sha384", hmacsha384, 384 },
-	{ "hmac-sha512", hmacsha512, 512 },
-	{  NULL, hmacnone, 0 }
+	{ "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 },
+	{ "hmac-md5.sig-alg.reg.int", hmacmd5, DST_ALG_HMACMD5, 0 },
+	{ "hmac-md5.sig-alg.reg.int.", hmacmd5, DST_ALG_HMACMD5, 0 },
+	{ "hmac-sha1", hmacsha1, DST_ALG_HMACSHA1, 160 },
+	{ "hmac-sha224", hmacsha224, DST_ALG_HMACSHA224, 224 },
+	{ "hmac-sha256", hmacsha256, DST_ALG_HMACSHA256, 256 },
+	{ "hmac-sha384", hmacsha384, DST_ALG_HMACSHA384, 384 },
+	{ "hmac-sha512", hmacsha512, DST_ALG_HMACSHA512, 512 },
+	{  NULL, hmacnone, DST_ALG_UNKNOWN, 0 }
 };
 
 isc_result_t
 ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
 			  isc_uint16_t *digestbits)
 {
+	return (ns_config_getkeyalgorithm2(str, name, NULL, digestbits));
+}
+
+isc_result_t
+ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
+			   unsigned int *typep, isc_uint16_t *digestbits)
+{
 	int i;
 	size_t len = 0;
 	isc_uint16_t bits;
@@ -801,6 +834,8 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
 			INSIST(0);
 		}
 	}
+	if (typep != NULL)
+		*typep = algorithms[i].type;
 	if (digestbits != NULL)
 		*digestbits = bits;
 	return (ISC_R_SUCCESS);
diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
index 3ebed3ff..f6956454 100644
--- a/bin/named/include/named/client.h
+++ b/bin/named/include/named/client.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.h,v 1.86.120.2 2009/01/18 23:47:34 tbox Exp $ */
+/* $Id: client.h,v 1.90 2009/05/07 09:41:22 fdupont Exp $ */
 
 #ifndef NAMED_CLIENT_H
 #define NAMED_CLIENT_H 1
@@ -138,6 +138,7 @@ struct ns_client {
 	ns_interface_t		*interface;
 	isc_sockaddr_t		peeraddr;
 	isc_boolean_t		peeraddr_valid;
+	isc_netaddr_t		destaddr;
 	struct in6_pktinfo	pktinfo;
 	isc_event_t		ctlevent;
 	/*%
@@ -274,10 +275,8 @@ ns_client_getsockaddr(ns_client_t *client);
  */
 
 isc_result_t
-ns_client_checkaclsilent(ns_client_t *client,
-			 isc_sockaddr_t *sockaddr,
-			 dns_acl_t *acl,
-			 isc_boolean_t default_allow);
+ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr,
+			 dns_acl_t *acl, isc_boolean_t default_allow);
 
 /*%
  * Convenience function for client request ACL checking.
@@ -296,12 +295,12 @@ ns_client_checkaclsilent(ns_client_t *client,
  *
  * Requires:
  *\li	'client' points to a valid client.
- *\li	'sockaddr' points to a valid address, or is NULL.
+ *\li	'netaddr' points to a valid address, or is NULL.
  *\li	'acl' points to a valid ACL, or is NULL.
  *
  * Returns:
  *\li	ISC_R_SUCCESS	if the request should be allowed
- * \li	ISC_R_REFUSED	if the request should be denied
+ * \li	DNS_R_REFUSED	if the request should be denied
  *\li	No other return values are possible.
  */
 
diff --git a/bin/named/include/named/config.h b/bin/named/include/named/config.h
index f7ceed81..c16c800f 100644
--- a/bin/named/include/named/config.h
+++ b/bin/named/include/named/config.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001, 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h,v 1.14 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: config.h,v 1.16 2009/06/11 23:47:55 tbox Exp $ */
 
 #ifndef NAMED_CONFIG_H
 #define NAMED_CONFIG_H 1
@@ -75,5 +75,8 @@ ns_config_getport(const cfg_obj_t *config, in_port_t *portp);
 isc_result_t
 ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
 			  isc_uint16_t *digestbits);
+isc_result_t
+ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
+			   unsigned int *typep, isc_uint16_t *digestbits);
 
 #endif /* NAMED_CONFIG_H */
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index 6040dc30..7c3dfeb6 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: globals.h,v 1.80 2008/11/16 22:49:18 marka Exp $ */
+/* $Id: globals.h,v 1.83 2009/06/10 00:27:21 each Exp $ */
 
 #ifndef NAMED_GLOBALS_H
 #define NAMED_GLOBALS_H 1
@@ -30,6 +30,8 @@
 
 #include <dns/zone.h>
 
+#include <dst/dst.h>
+
 #include <named/types.h>
 
 #undef EXTERN
@@ -86,8 +88,13 @@ EXTERN cfg_obj_t *		ns_g_config		INIT(NULL);
 EXTERN const cfg_obj_t *	ns_g_defaults		INIT(NULL);
 EXTERN const char *		ns_g_conffile		INIT(NS_SYSCONFDIR
 							     "/named.conf");
+EXTERN cfg_obj_t *		ns_g_bindkeys		INIT(NULL);
 EXTERN const char *		ns_g_keyfile		INIT(NS_SYSCONFDIR
 							     "/rndc.key");
+
+EXTERN dns_tsigkey_t *		ns_g_ddnskey		INIT(NULL);
+EXTERN dns_name_t		ns_g_ddnskeyname;
+
 EXTERN const char *		lwresd_g_conffile	INIT(NS_SYSCONFDIR
 							     "/lwresd.conf");
 EXTERN const char *		lwresd_g_resolvconffile	INIT("/etc"
@@ -112,6 +119,10 @@ EXTERN const char *		ns_g_chrootdir		INIT(NULL);
 EXTERN isc_boolean_t		ns_g_foreground		INIT(ISC_FALSE);
 EXTERN isc_boolean_t		ns_g_logstderr		INIT(ISC_FALSE);
 
+EXTERN const char *		ns_g_defaultddnskeyfile	INIT(NS_LOCALSTATEDIR
+							     "/run/named/"
+							     "ddns.key");
+
 #if NS_RUN_PID_DIR
 EXTERN const char *		ns_g_defaultpidfile 	INIT(NS_LOCALSTATEDIR
 							     "/run/named/"
diff --git a/bin/named/include/named/log.h b/bin/named/include/named/log.h
index 444fe508..032743ac 100644
--- a/bin/named/include/named/log.h
+++ b/bin/named/include/named/log.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.h,v 1.25.332.2 2009/01/07 23:47:16 tbox Exp $ */
+/* $Id: log.h,v 1.27 2009/01/07 23:47:46 tbox Exp $ */
 
 #ifndef NAMED_LOG_H
 #define NAMED_LOG_H 1
diff --git a/bin/named/include/named/lwdclient.h b/bin/named/include/named/lwdclient.h
index f0ab0576..c345176a 100644
--- a/bin/named/include/named/lwdclient.h
+++ b/bin/named/include/named/lwdclient.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdclient.h,v 1.18.332.2 2009/01/18 23:47:34 tbox Exp $ */
+/* $Id: lwdclient.h,v 1.20 2009/01/17 23:47:42 tbox Exp $ */
 
 #ifndef NAMED_LWDCLIENT_H
 #define NAMED_LWDCLIENT_H 1
diff --git a/bin/named/include/named/notify.h b/bin/named/include/named/notify.h
index e8df0a1f..4e0a57e5 100644
--- a/bin/named/include/named/notify.h
+++ b/bin/named/include/named/notify.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: notify.h,v 1.14.332.2 2009/01/18 23:47:34 tbox Exp $ */
+/* $Id: notify.h,v 1.16 2009/01/17 23:47:42 tbox Exp $ */
 
 #ifndef NAMED_NOTIFY_H
 #define NAMED_NOTIFY_H 1
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index 43eccc4a..9a25a15f 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.h,v 1.93.120.2 2009/01/29 23:47:44 tbox Exp $ */
+/* $Id: server.h,v 1.98 2009/06/10 00:27:21 each Exp $ */
 
 #ifndef NAMED_SERVER_H
 #define NAMED_SERVER_H 1
@@ -54,6 +54,7 @@ struct ns_server {
 	dns_acl_t		*blackholeacl;
 	char *			statsfile;	/*%< Statistics file name */
 	char *			dumpfile;	/*%< Dump file name */
+	char *			bindkeysfile;	/*%< bind.keys file name */
 	char *			recfile;	/*%< Recursive file name */
 	isc_boolean_t		version_set;	/*%< User has set version */
 	char *			version;	/*%< User-specified version */
@@ -91,13 +92,14 @@ struct ns_server {
 	isc_boolean_t		flushonshutdown;
 	isc_boolean_t		log_queries;	/*%< For BIND 8 compatibility */
 
-	isc_stats_t *		nsstats;	/*%< Server statistics */
-	dns_stats_t *		rcvquerystats;	/*% Incoming query statistics */
-	dns_stats_t *		opcodestats;	/*%< Incoming message statistics */
-	isc_stats_t *		zonestats;	/*% Zone management statistics */
-	isc_stats_t *		resolverstats;	/*% Resolver statistics */
+	ns_cachelist_t		cachelist;	/*%< Possibly shared caches */
+	isc_stats_t *		nsstats;	/*%< Server stats */
+	dns_stats_t *		rcvquerystats;	/*% Incoming query stats */
+	dns_stats_t *		opcodestats;	/*%< Incoming message stats */
+	isc_stats_t *		zonestats;	/*% Zone management stats */
+	isc_stats_t  *		resolverstats;	/*% Resolver stats */
+	isc_stats_t *		sockstats;	/*%< Socket stats */
 
-	isc_stats_t *		sockstats;	/*%< Socket statistics */
 	ns_controls_t *		controls;	/*%< Control channels */
 	unsigned int		dispatchgen;
 	ns_dispatchlist_t	dispatches;
@@ -105,6 +107,12 @@ struct ns_server {
 	dns_acache_t		*acache;
 
 	ns_statschannellist_t	statschannels;
+
+	dns_tsigkey_t		*ddnskey;
+	char			*ddns_keyfile;
+	dns_name_t		*ddns_keyname;
+	unsigned int		ddns_keyalg;
+	isc_uint16_t		ddns_keybits;
 };
 
 #define NS_SERVER_MAGIC			ISC_MAGIC('S','V','E','R')
diff --git a/bin/named/include/named/tsigconf.h b/bin/named/include/named/tsigconf.h
index 49ad82af..30bdf319 100644
--- a/bin/named/include/named/tsigconf.h
+++ b/bin/named/include/named/tsigconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsigconf.h,v 1.16 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: tsigconf.h,v 1.18 2009/06/11 23:47:55 tbox Exp $ */
 
 #ifndef NS_TSIGCONF_H
 #define NS_TSIGCONF_H 1
@@ -36,8 +36,9 @@ ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
  *
  *	Requires:
  *	\li	'config' is not NULL.
+ *	\li	'vconfig' is not NULL.
  *	\li	'mctx' is not NULL
- *	\li	'ring' is not NULL, and '*ring' is NULL
+ *	\li	'ringp' is not NULL, and '*ringp' is NULL
  *
  *	Returns:
  *	\li	ISC_R_SUCCESS
diff --git a/bin/named/include/named/types.h b/bin/named/include/named/types.h
index eb255201..7a7886e2 100644
--- a/bin/named/include/named/types.h
+++ b/bin/named/include/named/types.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.29 2008/01/17 23:46:59 tbox Exp $ */
+/* $Id: types.h,v 1.31 2009/01/09 23:47:45 tbox Exp $ */
 
 #ifndef NAMED_TYPES_H
 #define NAMED_TYPES_H 1
@@ -24,6 +24,8 @@
 
 #include <dns/types.h>
 
+typedef struct ns_cache			ns_cache_t;
+typedef ISC_LIST(ns_cache_t)		ns_cachelist_t;
 typedef struct ns_client		ns_client_t;
 typedef struct ns_clientmgr		ns_clientmgr_t;
 typedef struct ns_query			ns_query_t;
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index 46eb96e0..7fa59d05 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: interfacemgr.c,v 1.93.70.2 2009/01/18 23:47:34 tbox Exp $ */
+/* $Id: interfacemgr.c,v 1.95 2009/01/17 23:47:42 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/log.c b/bin/named/log.c
index 359ab9f6..5d19dcb2 100644
--- a/bin/named/log.c
+++ b/bin/named/log.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.46.334.3 2009/01/07 01:50:14 jinmei Exp $ */
+/* $Id: log.c,v 1.49 2009/01/07 01:46:40 jinmei Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/lwresd.8 b/bin/named/lwresd.8
index c0862aae..6d188d76 100644
--- a/bin/named/lwresd.8
+++ b/bin/named/lwresd.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwresd.8,v 1.29.14.1 2009/01/23 01:53:33 tbox Exp $
+.\" $Id: lwresd.8,v 1.30 2009/01/21 01:12:07 tbox Exp $
 .\"
 .hy 0
 .ad l
diff --git a/bin/named/lwresd.docbook b/bin/named/lwresd.docbook
index 8d9985a4..dddfe5e5 100644
--- a/bin/named/lwresd.docbook
+++ b/bin/named/lwresd.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwresd.docbook,v 1.18.14.2 2009/01/22 23:47:05 tbox Exp $ -->
+<!-- $Id: lwresd.docbook,v 1.20 2009/01/20 23:47:56 tbox Exp $ -->
 <refentry>
   <refentryinfo>
     <date>June 30, 2000</date>
diff --git a/bin/named/lwresd.html b/bin/named/lwresd.html
index 4c2b059f..1b6183a1 100644
--- a/bin/named/lwresd.html
+++ b/bin/named/lwresd.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwresd.html,v 1.25.14.1 2009/01/23 01:53:33 tbox Exp $ -->
+<!-- $Id: lwresd.html,v 1.26 2009/01/21 01:12:07 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/named/main.c b/bin/named/main.c
index f97ab45a..a05daf15 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: main.c,v 1.166.34.3 2009/04/03 20:18:59 marka Exp $ */
+/* $Id: main.c,v 1.172 2009/05/07 09:33:52 fdupont Exp $ */
 
 /*! \file */
 
@@ -87,6 +87,7 @@ static char		absolute_conffile[ISC_DIR_PATHMAX];
 static char		saved_command_line[512];
 static char		version[512];
 static unsigned int	maxsocks = 0;
+static int		maxudp = 0;
 
 void
 ns_main_earlywarning(const char *format, ...) {
@@ -358,7 +359,7 @@ parse_command_line(int argc, char *argv[]) {
 
 	isc_commandline_errprint = ISC_FALSE;
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "46c:C:d:fgi:lm:n:N:p:P:"
+					   "46c:C:d:fFgi:lm:n:N:p:P:"
 					   "sS:t:T:u:vVx:")) != -1) {
 		switch (ch) {
 		case '4':
@@ -451,8 +452,12 @@ parse_command_line(int argc, char *argv[]) {
 			 * clienttest: make clients single shot with their
 			 * 	       own memory context.
 			 */
-			if (strcmp(isc_commandline_argument, "clienttest") == 0)
+			if (!strcmp(isc_commandline_argument, "clienttest"))
 				ns_g_clienttest = ISC_TRUE;
+			else if (!strcmp(isc_commandline_argument, "maxudp512"))
+				maxudp = 512;
+			else if (!strcmp(isc_commandline_argument, "maxudp1460"))
+				maxudp = 1460;
 			else
 				fprintf(stderr, "unknown -T flag '%s\n",
 					isc_commandline_argument);
@@ -467,12 +472,16 @@ parse_command_line(int argc, char *argv[]) {
 			printf("BIND %s built with %s\n", ns_g_version,
 				ns_g_configargs);
 			exit(0);
+		case 'F':
+			/* Reserved for FIPS mode */
+			/* FALLTHROUGH */
 		case '?':
 			usage();
 			if (isc_commandline_option == '?')
 				exit(0);
 			ns_main_earlyfatal("unknown option '-%c'",
 					   isc_commandline_option);
+			/* FALLTHROUGH */
 		default:
 			ns_main_earlyfatal("parsing options returned %d", ch);
 		}
@@ -525,6 +534,7 @@ create_managers(void) {
 				 isc_result_totext(result));
 		return (ISC_R_UNEXPECTED);
 	}
+	isc__socketmgr_maxudp(ns_g_socketmgr, maxudp);
 	result = isc_socketmgr_getmaxsockets(ns_g_socketmgr, &socks);
 	if (result == ISC_R_SUCCESS) {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
@@ -719,8 +729,8 @@ setup(void) {
 					       absolute_conffile,
 					       sizeof(absolute_conffile));
 		if (result != ISC_R_SUCCESS)
-			ns_main_earlyfatal("could not construct absolute path of "
-					   "configuration file: %s",
+			ns_main_earlyfatal("could not construct absolute path "
+					   "of configuration file: %s",
 					   isc_result_totext(result));
 		ns_g_conffile = absolute_conffile;
 	}
diff --git a/bin/named/named.8 b/bin/named/named.8
index 34084036..bc8832a8 100644
--- a/bin/named/named.8
+++ b/bin/named/named.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,18 +13,18 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.8,v 1.38 2008/11/07 01:11:19 tbox Exp $
+.\" $Id: named.8,v 1.39 2009/05/22 01:14:49 tbox Exp $
 .\"
 .hy 0
 .ad l
 .\"     Title: named
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: June 30, 2000
+.\"      Date: May 21, 2009
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "NAMED" "8" "June 30, 2000" "BIND9" "BIND9"
+.TH "NAMED" "8" "May 21, 2009" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -224,6 +224,16 @@ The
 \fBnamed\fR
 configuration file is too complex to describe in detail here. A complete description is provided in the
 BIND 9 Administrator Reference Manual.
+.PP
+\fBnamed\fR
+inherits the
+\fBumask\fR
+(file creation mode mask) from the parent process. If files created by
+\fBnamed\fR, such as journal files, need to have custom permissions, the
+\fBumask\fR
+should be set explicitly in the script used to start the
+\fBnamed\fR
+process.
 .SH "FILES"
 .PP
 \fI/etc/named.conf\fR
@@ -250,7 +260,7 @@ BIND 9 Administrator Reference Manual.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2008 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
 .br
diff --git a/bin/named/named.docbook b/bin/named/named.docbook
index f47eae1e..1bbef3e7 100644
--- a/bin/named/named.docbook
+++ b/bin/named/named.docbook
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -18,10 +18,10 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named.docbook,v 1.23 2008/11/06 05:30:24 marka Exp $ -->
+<!-- $Id: named.docbook,v 1.25 2009/05/21 23:47:28 tbox Exp $ -->
 <refentry id="man.named">
   <refentryinfo>
-    <date>June 30, 2000</date>
+    <date>May 21, 2009</date>
   </refentryinfo>
 
   <refmeta>
@@ -42,6 +42,7 @@
       <year>2006</year>
       <year>2007</year>
       <year>2008</year>
+      <year>2009</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -374,6 +375,16 @@
       in the
       <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
     </para>
+
+    <para>
+      <command>named</command> inherits the <function>umask</function>
+      (file creation mode mask) from the parent process. If files
+      created by <command>named</command>, such as journal files,
+      need to have custom permissions, the <function>umask</function>
+      should be set explicitly in the script used to start the
+      <command>named</command> process.
+    </para>
+
   </refsect1>
 
   <refsect1>
diff --git a/bin/named/named.html b/bin/named/named.html
index 23c9a7c3..7d8aed6a 100644
--- a/bin/named/named.html
+++ b/bin/named/named.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: named.html,v 1.30 2008/11/07 01:11:19 tbox Exp $ -->
+<!-- $Id: named.html,v 1.31 2009/05/22 01:14:49 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,7 +32,7 @@
 <div class="cmdsynopsis"><p><code class="command">named</code>  [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543468"></a><h2>DESCRIPTION</h2>
+<a name="id2543472"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named</strong></span>
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -47,7 +47,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543493"></a><h2>OPTIONS</h2>
+<a name="id2543496"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-4</span></dt>
 <dd><p>
@@ -220,7 +220,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543928"></a><h2>SIGNALS</h2>
+<a name="id2543931"></a><h2>SIGNALS</h2>
 <p>
       In routine operation, signals should not be used to control
       the nameserver; <span><strong class="command">rndc</strong></span> should be used
@@ -241,16 +241,24 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543976"></a><h2>CONFIGURATION</h2>
+<a name="id2543979"></a><h2>CONFIGURATION</h2>
 <p>
       The <span><strong class="command">named</strong></span> configuration file is too complex
       to describe in detail here.  A complete description is provided
       in the
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
+<p>
+      <span><strong class="command">named</strong></span> inherits the <code class="function">umask</code>
+      (file creation mode mask) from the parent process. If files
+      created by <span><strong class="command">named</strong></span>, such as journal files,
+      need to have custom permissions, the <code class="function">umask</code>
+      should be set explicitly in the script used to start the
+      <span><strong class="command">named</strong></span> process.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543993"></a><h2>FILES</h2>
+<a name="id2544016"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
 <dd><p>
@@ -263,7 +271,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544033"></a><h2>SEE ALSO</h2>
+<a name="id2544123"></a><h2>SEE ALSO</h2>
 <p><em class="citetitle">RFC 1033</em>,
       <em class="citetitle">RFC 1034</em>,
       <em class="citetitle">RFC 1035</em>,
@@ -276,7 +284,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544171"></a><h2>AUTHOR</h2>
+<a name="id2544194"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/bin/named/query.c b/bin/named/query.c
index ffd9b355..42d036c0 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.313.20.7 2009/03/13 01:38:51 marka Exp $ */
+/* $Id: query.c,v 1.324 2009/05/07 09:41:22 fdupont Exp $ */
 
 /*! \file */
 
@@ -2851,7 +2851,7 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
 	 *  j.example -> z.i.example NSEC example
 	 *	owner common example
 	 *	next common example
-	 *	wild *.f.example
+	 *	wild *.example
 	 */
 	options = client->query.dboptions | DNS_DBFIND_NOWILD;
 	dns_fixedname_init(&wfixed);
@@ -3220,7 +3220,11 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
 					      NS_LOGMODULE_QUERY,
 					      ISC_LOG_WARNING,
 					      "recursive-clients soft limit "
-					      "exceeded, aborting oldest query");
+					      "exceeded (%d/%d/%d), "
+					      "aborting oldest query",
+					      client->recursionquota->used,
+					      client->recursionquota->soft,
+					      client->recursionquota->max);
 			}
 			ns_client_killoldestquery(client);
 			result = ISC_R_SUCCESS;
@@ -3233,7 +3237,11 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
 				ns_client_log(client, NS_LOGCATEGORY_CLIENT,
 					      NS_LOGMODULE_QUERY,
 					      ISC_LOG_WARNING,
-					      "no more recursive clients: %s",
+					      "no more recursive clients "
+					      "(%d/%d/%d): %s",
+					      ns_g_server->recursionquota.used,
+					      ns_g_server->recursionquota.soft,
+					      ns_g_server->recursionquota.max,
 					      isc_result_totext(result));
 			}
 			ns_client_killoldestquery(client);
@@ -3313,6 +3321,14 @@ do { \
 	line = __LINE__; \
 } while (0)
 
+#define RECURSE_ERROR(r) \
+do { \
+	if ((r) == DNS_R_DUPLICATE || (r) == DNS_R_DROP) \
+		QUERY_ERROR(r); \
+	else \
+		QUERY_ERROR(DNS_R_SERVFAIL); \
+} while (0)
+
 /*
  * Extract a network address from the RDATA of an A or AAAA
  * record.
@@ -3995,14 +4011,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				if (result == ISC_R_SUCCESS)
 					client->query.attributes |=
 						NS_QUERYATTR_RECURSING;
-				else if (result == DNS_R_DUPLICATE ||
-					 result == DNS_R_DROP) {
-					/* Duplicate query. */
-					QUERY_ERROR(result);
-				} else {
-					/* Unable to recurse. */
-					QUERY_ERROR(DNS_R_SERVFAIL);
-				}
+				else
+					RECURSE_ERROR(result);
 				goto cleanup;
 			} else {
 				/* Unable to give root server referral. */
@@ -4181,11 +4191,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				if (result == ISC_R_SUCCESS)
 					client->query.attributes |=
 						NS_QUERYATTR_RECURSING;
-				else if (result == DNS_R_DUPLICATE ||
-					 result == DNS_R_DROP)
-					QUERY_ERROR(result);
 				else
-					QUERY_ERROR(DNS_R_SERVFAIL);
+					RECURSE_ERROR(result);
 			} else {
 				dns_fixedname_t fixed;
 
@@ -4725,7 +4732,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 						    client->query.attributes |=
 							NS_QUERYATTR_RECURSING;
 						else
-						    QUERY_ERROR(DNS_R_SERVFAIL);					}
+						    RECURSE_ERROR(result);
+					}
 					goto addauth;
 				}
 				/*
@@ -4923,6 +4931,7 @@ log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) {
 	char namebuf[DNS_NAME_FORMATSIZE];
 	char typename[DNS_RDATATYPE_FORMATSIZE];
 	char classname[DNS_RDATACLASS_FORMATSIZE];
+	char onbuf[ISC_NETADDR_FORMATSIZE];
 	dns_rdataset_t *rdataset;
 	int level = ISC_LOG_INFO;
 
@@ -4934,14 +4943,16 @@ log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) {
 	dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
 	dns_rdataclass_format(rdataset->rdclass, classname, sizeof(classname));
 	dns_rdatatype_format(rdataset->type, typename, sizeof(typename));
+	isc_netaddr_format(&client->destaddr, onbuf, sizeof(onbuf));
 
 	ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
-		      level, "query: %s %s %s %s%s%s%s%s", namebuf, classname,
-		      typename, WANTRECURSION(client) ? "+" : "-",
+		      level, "query: %s %s %s %s%s%s%s%s (%s)", namebuf,
+		      classname, typename, WANTRECURSION(client) ? "+" : "-",
 		      (client->signer != NULL) ? "S": "",
 		      (client->opt != NULL) ? "E" : "",
 		      ((extflags & DNS_MESSAGEEXTFLAG_DO) != 0) ? "D" : "",
-		      ((flags & DNS_MESSAGEFLAG_CD) != 0) ? "C" : "");
+		      ((flags & DNS_MESSAGEFLAG_CD) != 0) ? "C" : "",
+		      onbuf);
 }
 
 static inline void
diff --git a/bin/named/server.c b/bin/named/server.c
index e685e18d..4c92d7d2 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.520.12.7 2009/01/30 03:53:38 marka Exp $ */
+/* $Id: server.c,v 1.534 2009/06/10 23:47:47 tbox Exp $ */
 
 /*! \file */
 
@@ -60,6 +60,7 @@
 #include <dns/forward.h>
 #include <dns/journal.h>
 #include <dns/keytable.h>
+#include <dns/keyvalues.h>
 #include <dns/lib.h>
 #include <dns/master.h>
 #include <dns/masterdump.h>
@@ -143,6 +144,14 @@
 			fatal(msg, result);			  \
 	} while (0)						  \
 
+/*%
+ * Maximum ADB size for views that share a cache.  Use this limit to suppress
+ * the total of memory footprint, which should be the main reason for sharing
+ * a cache.  Only effective when a finite max-cache-size is specified.
+ * This is currently defined to be 8MB.
+ */
+#define MAX_ADB_SIZE_FOR_CACHESHARE	8388608
+
 struct ns_dispatch {
 	isc_sockaddr_t			addr;
 	unsigned int			dispatchgen;
@@ -150,6 +159,14 @@ struct ns_dispatch {
 	ISC_LINK(struct ns_dispatch)	link;
 };
 
+struct ns_cache {
+	dns_cache_t			*cache;
+	dns_view_t			*primaryview;
+	isc_boolean_t			needflush;
+	isc_boolean_t			adbsizeadjusted;
+	ISC_LINK(ns_cache_t)		link;
+};
+
 struct dumpcontext {
 	isc_mem_t			*mctx;
 	isc_boolean_t			dumpcache;
@@ -262,8 +279,8 @@ end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
  */
 static isc_result_t
 configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
-		   const char *aclname, cfg_aclconfctx_t *actx,
-		   isc_mem_t *mctx, dns_acl_t **aclp)
+		   const char *aclname, const char *acltuplename,
+		   cfg_aclconfctx_t *actx, isc_mem_t *mctx, dns_acl_t **aclp)
 {
 	isc_result_t result;
 	const cfg_obj_t *maps[3];
@@ -289,13 +306,21 @@ configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 		 */
 		return (ISC_R_SUCCESS);
 
+	if (acltuplename != NULL) {
+		/*
+		 * If the ACL is given in an optional tuple, retrieve it.
+		 * The parser should have ensured that a valid object be
+		 * returned.
+		 */
+		aclobj = cfg_tuple_get(aclobj, acltuplename);
+	}
+
 	result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
 				    actx, mctx, 0, aclp);
 
 	return (result);
 }
 
-
 /*%
  * Configure a sortlist at '*aclp'.  Essentially the same as
  * configure_view_acl() except it calls cfg_acl_fromconfig with a
@@ -340,6 +365,80 @@ configure_view_sortlist(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 }
 
 static isc_result_t
+configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
+			 const char *confname, const char *conftuplename,
+			 isc_mem_t *mctx, dns_rbt_t **rbtp)
+{
+	isc_result_t result;
+	const cfg_obj_t *maps[3];
+	const cfg_obj_t *obj = NULL;
+	const cfg_listelt_t *element;
+	int i = 0;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_buffer_t b;
+	const char *str;
+	const cfg_obj_t *nameobj;
+
+	if (*rbtp != NULL)
+		dns_rbt_destroy(rbtp);
+	if (vconfig != NULL)
+		maps[i++] = cfg_tuple_get(vconfig, "options");
+	if (config != NULL) {
+		const cfg_obj_t *options = NULL;
+		(void)cfg_map_get(config, "options", &options);
+		if (options != NULL)
+			maps[i++] = options;
+	}
+	maps[i] = NULL;
+
+	(void)ns_config_get(maps, confname, &obj);
+	if (obj == NULL)
+		/*
+		 * No value available.	*rbtp == NULL.
+		 */
+		return (ISC_R_SUCCESS);
+
+	if (conftuplename != NULL) {
+		obj = cfg_tuple_get(obj, conftuplename);
+		if (cfg_obj_isvoid(obj))
+			return (ISC_R_SUCCESS);
+	}
+
+	result = dns_rbt_create(mctx, NULL, NULL, rbtp);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	dns_fixedname_init(&fixed);
+	name = dns_fixedname_name(&fixed);
+	for (element = cfg_list_first(obj);
+	     element != NULL;
+	     element = cfg_list_next(element)) {
+		nameobj = cfg_listelt_value(element);
+		str = cfg_obj_asstring(nameobj);
+		isc_buffer_init(&b, str, strlen(str));
+		isc_buffer_add(&b, strlen(str));
+		CHECK(dns_name_fromtext(name, &b, dns_rootname,
+					ISC_FALSE, NULL));
+		/*
+		 * We don't need the node data, but need to set dummy data to
+		 * avoid a partial match with an empty node.  For example, if
+		 * we have foo.example.com and bar.example.com, we'd get a match
+		 * for baz.example.com, which is not the expected result.
+		 * We simply use (void *)1 as the dummy data.
+		 */
+		CHECK(dns_rbt_addname(*rbtp, name, (void *)1));
+	}
+
+	return (result);
+
+  cleanup:
+	dns_rbt_destroy(rbtp);
+	return (result);
+
+}
+
+static isc_result_t
 configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
 			 dns_keytable_t *keytable, isc_mem_t *mctx)
 {
@@ -442,58 +541,106 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
 	return (result);
 }
 
+
+static void
+configure_view_dnsseckeylist(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
+			     dns_keytable_t *keytable, isc_mem_t *mctx)
+{
+	const cfg_listelt_t *elt, *elt2;
+	const cfg_obj_t *key;
+	const cfg_obj_t *keylist;
+	isc_result_t result;
+
+	for (elt = cfg_list_first(keys);
+	     elt != NULL;
+	     elt = cfg_list_next(elt)) {
+		keylist = cfg_listelt_value(elt);
+
+		for (elt2 = cfg_list_first(keylist);
+		     elt2 != NULL;
+		     elt2 = cfg_list_next(elt2)) {
+			key = cfg_listelt_value(elt2);
+			CHECK(configure_view_dnsseckey(vconfig, key,
+						       keytable, mctx));
+		}
+	}
+
+ cleanup:
+	return;
+}
+
 /*%
- * Configure DNSSEC keys for a view.  Currently used only for
- * the security roots.
+ * Configure DNSSEC keys for a view.  Currently used only for the security
+ * roots.
  *
  * The per-view configuration values and the server-global defaults are read
  * from 'vconfig' and 'config'.	 The variable to be configured is '*target'.
  */
 static isc_result_t
 configure_view_dnsseckeys(const cfg_obj_t *vconfig, const cfg_obj_t *config,
+			  const cfg_obj_t *bindkeys, isc_boolean_t auto_dlv,
 			  isc_mem_t *mctx, dns_keytable_t **target)
 {
-	isc_result_t result;
-	const cfg_obj_t *keys = NULL;
+	const cfg_obj_t *view_keys = NULL;
+	const cfg_obj_t *global_keys = NULL;
+	const cfg_obj_t *builtin_keys = NULL;
+	const cfg_obj_t *maps[4];
 	const cfg_obj_t *voptions = NULL;
-	const cfg_listelt_t *element, *element2;
-	const cfg_obj_t *keylist;
-	const cfg_obj_t *key;
+	const cfg_obj_t *options = NULL;
 	dns_keytable_t *keytable = NULL;
+	isc_result_t result;
+	int i = 0;
 
 	CHECK(dns_keytable_create(mctx, &keytable));
 
-	if (vconfig != NULL)
+	if (vconfig != NULL) {
 		voptions = cfg_tuple_get(vconfig, "options");
+		if (voptions != NULL) {
+			(void)cfg_map_get(voptions, "trusted-keys", &view_keys);
+			maps[i++] = voptions;
+		}
+	}
 
-	keys = NULL;
-	if (voptions != NULL)
-		(void)cfg_map_get(voptions, "trusted-keys", &keys);
-	if (keys == NULL)
-		(void)cfg_map_get(config, "trusted-keys", &keys);
-
-	for (element = cfg_list_first(keys);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		keylist = cfg_listelt_value(element);
-		for (element2 = cfg_list_first(keylist);
-		     element2 != NULL;
-		     element2 = cfg_list_next(element2))
-		{
-			key = cfg_listelt_value(element2);
-			CHECK(configure_view_dnsseckey(vconfig, key,
-						       keytable, mctx));
+	if (config != NULL) {
+		(void)cfg_map_get(config, "trusted-keys", &global_keys);
+		(void)cfg_map_get(config, "options", &options);
+		if (options != NULL) {
+			maps[i++] = options;
 		}
 	}
 
+	maps[i++] = ns_g_defaults;
+	maps[i] = NULL;
+
+	if (auto_dlv) {
+		isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "using built-in trusted-keys");
+
+		/*
+		 * If bind.keys exists, it overrides the trusted-keys
+		 * clause hard-coded in ns_g_config.
+		 */
+		if (bindkeys != NULL)
+			(void)cfg_map_get(bindkeys, "trusted-keys",
+					  &builtin_keys);
+		else
+			(void)cfg_map_get(ns_g_config, "trusted-keys",
+					  &builtin_keys);
+
+		configure_view_dnsseckeylist(builtin_keys, vconfig,
+					     keytable, mctx);
+	}
+
+	configure_view_dnsseckeylist(global_keys, vconfig, keytable, mctx);
+	configure_view_dnsseckeylist(view_keys, vconfig, keytable, mctx);
+
 	dns_keytable_detach(target);
 	*target = keytable; /* Transfer ownership. */
 	keytable = NULL;
-	result = ISC_R_SUCCESS;
 
  cleanup:
-	return (result);
+	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
@@ -974,6 +1121,20 @@ setquerystats(dns_zone_t *zone, isc_mem_t *mctx, isc_boolean_t on) {
 	return (ISC_R_SUCCESS);
 }
 
+static ns_cache_t *
+cachelist_find(ns_cachelist_t *cachelist, const char *cachename) {
+	ns_cache_t *nsc;
+
+	for (nsc = ISC_LIST_HEAD(*cachelist);
+	     nsc != NULL;
+	     nsc = ISC_LIST_NEXT(nsc, link)) {
+		if (strcmp(dns_cache_getname(nsc->cache), cachename) == 0)
+			return (nsc);
+	}
+
+	return (NULL);
+}
+
 static isc_boolean_t
 cache_reusable(dns_view_t *originview, dns_view_t *view,
 	       isc_boolean_t new_zero_no_soattl)
@@ -991,6 +1152,32 @@ cache_reusable(dns_view_t *originview, dns_view_t *view,
 	return (ISC_TRUE);
 }
 
+static isc_boolean_t
+cache_sharable(dns_view_t *originview, dns_view_t *view,
+	       isc_boolean_t new_zero_no_soattl,
+	       unsigned int new_cleaning_interval,
+	       isc_uint32_t new_max_cache_size)
+{
+	/*
+	 * If the cache cannot even reused for the same view, it cannot be
+	 * shared with other views.
+	 */
+	if (!cache_reusable(originview, view, new_zero_no_soattl))
+		return (ISC_FALSE);
+
+	/*
+	 * Check other cache related parameters that must be consistent among
+	 * the sharing views.
+	 */
+	if (dns_cache_getcleaninginterval(originview->cache) !=
+	    new_cleaning_interval ||
+	    dns_cache_getcachesize(originview->cache) != new_max_cache_size) {
+		return (ISC_FALSE);
+	}
+
+	return (ISC_TRUE);
+}
+
 /*
  * Configure 'view' according to 'vconfig', taking defaults from 'config'
  * where values are missing in 'vconfig'.
@@ -1000,11 +1187,13 @@ cache_reusable(dns_view_t *originview, dns_view_t *view,
  */
 static isc_result_t
 configure_view(dns_view_t *view, const cfg_obj_t *config,
-	       const cfg_obj_t *vconfig, isc_mem_t *mctx,
+	       const cfg_obj_t *vconfig, ns_cachelist_t *cachelist,
+	       const cfg_obj_t *bindkeys, isc_mem_t *mctx,
 	       cfg_aclconfctx_t *actx, isc_boolean_t need_hints)
 {
 	const cfg_obj_t *maps[4];
 	const cfg_obj_t *cfgmaps[3];
+	const cfg_obj_t *optionmaps[3];
 	const cfg_obj_t *options = NULL;
 	const cfg_obj_t *voptions = NULL;
 	const cfg_obj_t *forwardtype;
@@ -1023,17 +1212,20 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	dns_cache_t *cache = NULL;
 	isc_result_t result;
 	isc_uint32_t max_adb_size;
+	unsigned int cleaning_interval;
 	isc_uint32_t max_cache_size;
 	isc_uint32_t max_acache_size;
 	isc_uint32_t lame_ttl;
-	dns_tsig_keyring_t *ring;
+	dns_tsig_keyring_t *ring = NULL;
 	dns_view_t *pview = NULL;	/* Production view */
 	isc_mem_t *cmctx;
 	dns_dispatch_t *dispatch4 = NULL;
 	dns_dispatch_t *dispatch6 = NULL;
 	isc_boolean_t reused_cache = ISC_FALSE;
-	int i;
+	isc_boolean_t shared_cache = ISC_FALSE;
+	int i = 0, j = 0, k = 0;
 	const char *str;
+	const char *cachename = NULL;
 	dns_order_t *order = NULL;
 	isc_uint32_t udpsize;
 	unsigned int resopts = 0;
@@ -1047,6 +1239,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	const cfg_obj_t *disablelist = NULL;
 	isc_stats_t *resstats = NULL;
 	dns_stats_t *resquerystats = NULL;
+	isc_boolean_t auto_dlv = ISC_FALSE;
+	ns_cache_t *nsc;
 	isc_boolean_t zero_no_soattl;
 
 	REQUIRE(DNS_VIEW_VALID(view));
@@ -1056,22 +1250,28 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	if (config != NULL)
 		(void)cfg_map_get(config, "options", &options);
 
-	i = 0;
+	/*
+	 * maps: view options, options, defaults
+	 * cfgmaps: view options, config
+	 * optionmaps: view options, options
+	 */
 	if (vconfig != NULL) {
 		voptions = cfg_tuple_get(vconfig, "options");
 		maps[i++] = voptions;
+		optionmaps[j++] = voptions;
+		cfgmaps[k++] = voptions;
 	}
-	if (options != NULL)
+	if (options != NULL) {
 		maps[i++] = options;
+		optionmaps[j++] = options;
+	}
+
 	maps[i++] = ns_g_defaults;
 	maps[i] = NULL;
-
-	i = 0;
-	if (voptions != NULL)
-		cfgmaps[i++] = voptions;
+	optionmaps[j] = NULL;
 	if (config != NULL)
-		cfgmaps[i++] = config;
-	cfgmaps[i] = NULL;
+		cfgmaps[k++] = config;
+	cfgmaps[k] = NULL;
 
 	if (!strcmp(viewname, "_default")) {
 		sep = "";
@@ -1192,6 +1392,32 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	 * Obtain configuration parameters that affect the decision of whether
 	 * we can reuse/share an existing cache.
 	 */
+	obj = NULL;
+	result = ns_config_get(maps, "cleaning-interval", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	cleaning_interval = cfg_obj_asuint32(obj) * 60;
+
+	obj = NULL;
+	result = ns_config_get(maps, "max-cache-size", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	if (cfg_obj_isstring(obj)) {
+		str = cfg_obj_asstring(obj);
+		INSIST(strcasecmp(str, "unlimited") == 0);
+		max_cache_size = ISC_UINT32_MAX;
+	} else {
+		isc_resourcevalue_t value;
+		value = cfg_obj_asuint64(obj);
+		if (value > ISC_UINT32_MAX) {
+			cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
+				    "'max-cache-size "
+				    "%" ISC_PRINT_QUADFORMAT "d' is too large",
+				    value);
+			result = ISC_R_RANGE;
+			goto cleanup;
+		}
+		max_cache_size = (isc_uint32_t)value;
+	}
+
 	/* Check-names. */
 	obj = NULL;
 	result = ns_checknames_get(maps, "response", &obj);
@@ -1238,53 +1464,113 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 		view->maxncachettl = 7 * 24 * 3600;
 
 	/*
-	 * Configure the view's cache.  Try to reuse an existing
-	 * cache if possible, otherwise create a new cache.
-	 * Note that the ADB is not preserved in either case.
-	 * When a matching view is found, the associated statistics are
-	 * also retrieved and reused.
+	 * Configure the view's cache.
+	 *
+	 * First, check to see if there are any attach-cache options.  If yes,
+	 * attempt to lookup an existing cache at attach it to the view.  If
+	 * there is not one, then try to reuse an existing cache if possible;
+	 * otherwise create a new cache.
 	 *
-	 * XXX Determining when it is safe to reuse a cache is tricky.
+	 * Note that the ADB is not preserved or shared in either case.
+	 *
+	 * When a matching view is found, the associated statistics are also
+	 * retrieved and reused.
+	 *
+	 * XXX Determining when it is safe to reuse or share a cache is tricky.
 	 * When the view's configuration changes, the cached data may become
 	 * invalid because it reflects our old view of the world.  We check
-	 * some of the configuration parameters that could invalidate the cache,
-	 * but there are other configuration options that should be checked.
-	 * For example, if a view uses a forwarder, changes in the forwarder
-	 * configuration may invalidate the cache.  At the moment, it's the
-	 * administrator's responsibility to ensure these configuration options
-	 * don't invalidate reusing.
+	 * some of the configuration parameters that could invalidate the cache
+	 * or otherwise make it unsharable, but there are other configuration
+	 * options that should be checked.  For example, if a view uses a
+	 * forwarder, changes in the forwarder configuration may invalidate
+	 * the cache.  At the moment, it's the administrator's responsibility to
+	 * ensure these configuration options don't invalidate reusing/sharing.
 	 */
-	result = dns_viewlist_find(&ns_g_server->viewlist,
-				   view->name, view->rdclass,
-				   &pview);
-	if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
-		goto cleanup;
-	if (pview != NULL) {
-		if (cache_reusable(pview, view, zero_no_soattl)) {
-			INSIST(pview->cache != NULL);
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(3),
-				      "reusing existing cache");
-			reused_cache = ISC_TRUE;
-			dns_cache_attach(pview->cache, &cache);
-		} else {
+	obj = NULL;
+	result = ns_config_get(maps, "attach-cache", &obj);
+	if (result == ISC_R_SUCCESS)
+		cachename = cfg_obj_asstring(obj);
+	else
+		cachename = view->name;
+	cache = NULL;
+	nsc = cachelist_find(cachelist, cachename);
+	if (nsc != NULL) {
+		if (!cache_sharable(nsc->primaryview, view, zero_no_soattl,
+				    cleaning_interval, max_cache_size)) {
 			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
-				      "cache cannot be reused for view %s "
+				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "views %s and %s can't share the cache "
 				      "due to configuration parameter mismatch",
-				      view->name);
+				      nsc->primaryview->name, view->name);
+			result = ISC_R_FAILURE;
+			goto cleanup;
 		}
-		dns_view_getresstats(pview, &resstats);
-		dns_view_getresquerystats(pview, &resquerystats);
-		dns_view_detach(&pview);
-	}
-	if (cache == NULL) {
-		CHECK(isc_mem_create(0, 0, &cmctx));
-		CHECK(dns_cache_create(cmctx, ns_g_taskmgr, ns_g_timermgr,
-				       view->rdclass, "rbt", 0, NULL, &cache));
-		isc_mem_setname(cmctx, "cache", NULL);
+		dns_cache_attach(nsc->cache, &cache);
+		shared_cache = ISC_TRUE;
+	} else {
+		if (strcmp(cachename, view->name) == 0) {
+			result = dns_viewlist_find(&ns_g_server->viewlist,
+						   cachename, view->rdclass,
+						   &pview);
+			if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
+				goto cleanup;
+			if (pview != NULL) {
+				if (cache_reusable(pview, view,
+						   zero_no_soattl)) {
+					isc_log_write(ns_g_lctx,
+						      NS_LOGCATEGORY_GENERAL,
+						      NS_LOGMODULE_SERVER,
+						      ISC_LOG_DEBUG(1),
+						      "cache cannot be reused "
+						      "for view %s due to "
+						      "configuration parameter "
+						      "mismatch", view->name);
+				} else {
+					INSIST(pview->cache != NULL);
+					isc_log_write(ns_g_lctx,
+						      NS_LOGCATEGORY_GENERAL,
+						      NS_LOGMODULE_SERVER,
+						      ISC_LOG_DEBUG(3),
+						      "reusing existing cache");
+					reused_cache = ISC_TRUE;
+					dns_cache_attach(pview->cache, &cache);
+				}
+				dns_view_getresstats(pview, &resstats);
+				dns_view_getresquerystats(pview,
+							  &resquerystats);
+				dns_view_detach(&pview);
+			}
+		}
+		if (cache == NULL) {
+			/*
+			 * Create a cache with the desired name.  This normally
+			 * equals the view name, but may also be a forward
+			 * reference to a view that share the cache with this
+			 * view but is not yet configured.  If it is not the
+			 * view name but not a forward reference either, then it
+			 * is simply a named cache that is not shared.
+			 */
+			CHECK(isc_mem_create(0, 0, &cmctx));
+			isc_mem_setname(cmctx, "cache", NULL);
+			CHECK(dns_cache_create2(cmctx, ns_g_taskmgr,
+						ns_g_timermgr, view->rdclass,
+						cachename, "rbt", 0, NULL,
+						&cache));
+		}
+		nsc = isc_mem_get(mctx, sizeof(*nsc));
+		if (nsc == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+		nsc->cache = NULL;
+		dns_cache_attach(cache, &nsc->cache);
+		nsc->primaryview = view;
+		nsc->needflush = ISC_FALSE;
+		nsc->adbsizeadjusted = ISC_FALSE;
+		ISC_LINK_INIT(nsc, link);
+		ISC_LIST_APPEND(*cachelist, nsc, link);
 	}
-	dns_view_setcache(view, cache);
+	dns_view_setcache2(view, cache, shared_cache);
 
 	/*
 	 * cache-file cannot be inherited if views are present, but this
@@ -1294,35 +1580,11 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	result = ns_config_get(maps, "cache-file", &obj);
 	if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0) {
 		CHECK(dns_cache_setfilename(cache, cfg_obj_asstring(obj)));
-		if (!reused_cache)
+		if (!reused_cache && !shared_cache)
 			CHECK(dns_cache_load(cache));
 	}
 
-	obj = NULL;
-	result = ns_config_get(maps, "cleaning-interval", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	dns_cache_setcleaninginterval(cache, cfg_obj_asuint32(obj) * 60);
-
-	obj = NULL;
-	result = ns_config_get(maps, "max-cache-size", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	if (cfg_obj_isstring(obj)) {
-		str = cfg_obj_asstring(obj);
-		INSIST(strcasecmp(str, "unlimited") == 0);
-		max_cache_size = ISC_UINT32_MAX;
-	} else {
-		isc_resourcevalue_t value;
-		value = cfg_obj_asuint64(obj);
-		if (value > ISC_UINT32_MAX) {
-			cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
-				    "'max-cache-size "
-				    "%" ISC_PRINT_QUADFORMAT "d' is too large",
-				    value);
-			result = ISC_R_RANGE;
-			goto cleanup;
-		}
-		max_cache_size = (isc_uint32_t)value;
-	}
+	dns_cache_setcleaninginterval(cache, cleaning_interval);
 	dns_cache_setcachesize(cache, max_cache_size);
 
 	dns_cache_detach(&cache);
@@ -1360,13 +1622,23 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	dns_view_setresquerystats(view, resquerystats);
 
 	/*
-	 * Set the ADB cache size to 1/8th of the max-cache-size.
+	 * Set the ADB cache size to 1/8th of the max-cache-size or
+	 * MAX_ADB_SIZE_FOR_CACHESHARE when the cache is shared.
 	 */
 	max_adb_size = 0;
 	if (max_cache_size != 0) {
 		max_adb_size = max_cache_size / 8;
 		if (max_adb_size == 0)
 			max_adb_size = 1;	/* Force minimum. */
+		if (view != nsc->primaryview &&
+		    max_adb_size > MAX_ADB_SIZE_FOR_CACHESHARE) {
+			max_adb_size = MAX_ADB_SIZE_FOR_CACHESHARE;
+			if (!nsc->adbsizeadjusted) {
+				dns_adb_setadbsize(nsc->primaryview->adb,
+						   MAX_ADB_SIZE_FOR_CACHESHARE);
+				nsc->adbsizeadjusted = ISC_TRUE;
+			}
+		}
 	}
 	dns_adb_setadbsize(view->adb, max_adb_size);
 
@@ -1381,6 +1653,9 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 		lame_ttl = 1800;
 	dns_resolver_setlamettl(view->resolver, lame_ttl);
 
+	/* Specify whether to use 0-TTL for negative response for SOA query */
+	dns_resolver_setzeronosoattl(view->resolver, zero_no_soattl);
+
 	/*
 	 * Set the resolver's EDNS UDP size.
 	 */
@@ -1471,9 +1746,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	/*
 	 * Configure the view's TSIG keys.
 	 */
-	ring = NULL;
 	CHECK(ns_tsigkeyring_fromconfig(config, vconfig, view->mctx, &ring));
+	if (ns_g_server->ddnskey != NULL) {
+		CHECK(dns_tsigkeyring_add(ring, ns_g_server->ddns_keyname,
+					  ns_g_server->ddnskey));
+	}
 	dns_view_setkeyring(view, ring);
+	ring = NULL;		/* ownership transferred */
 
 	/*
 	 * Configure the view's peer list.
@@ -1530,10 +1809,10 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	/*
 	 * Configure the "match-clients" and "match-destinations" ACL.
 	 */
-	CHECK(configure_view_acl(vconfig, config, "match-clients", actx,
+	CHECK(configure_view_acl(vconfig, config, "match-clients", NULL, actx,
 				 ns_g_mctx, &view->matchclients));
-	CHECK(configure_view_acl(vconfig, config, "match-destinations", actx,
-				 ns_g_mctx, &view->matchdestinations));
+	CHECK(configure_view_acl(vconfig, config, "match-destinations", NULL,
+				 actx, ns_g_mctx, &view->matchdestinations));
 
 	/*
 	 * Configure the "match-recursive-only" option.
@@ -1605,20 +1884,20 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	 * "allow-recursion", and "allow-recursion-on" acls if
 	 * configured in named.conf.
 	 */
-	CHECK(configure_view_acl(vconfig, config, "allow-query-cache",
+	CHECK(configure_view_acl(vconfig, config, "allow-query-cache", NULL,
 				 actx, ns_g_mctx, &view->queryacl));
-	CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on",
+	CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on", NULL,
 				 actx, ns_g_mctx, &view->queryonacl));
 	if (view->queryonacl == NULL)
 		CHECK(configure_view_acl(NULL, ns_g_config,
-					 "allow-query-cache-on", actx,
+					 "allow-query-cache-on", NULL, actx,
 					 ns_g_mctx, &view->queryonacl));
 	if (strcmp(view->name, "_bind") != 0) {
 		CHECK(configure_view_acl(vconfig, config, "allow-recursion",
-					 actx, ns_g_mctx,
+					 NULL, actx, ns_g_mctx,
 					 &view->recursionacl));
 		CHECK(configure_view_acl(vconfig, config, "allow-recursion-on",
-					 actx, ns_g_mctx,
+					 NULL, actx, ns_g_mctx,
 					 &view->recursiononacl));
 	}
 
@@ -1631,7 +1910,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	if (view->queryacl == NULL && view->recursionacl != NULL)
 		dns_acl_attach(view->recursionacl, &view->queryacl);
 	if (view->queryacl == NULL && view->recursion)
-		CHECK(configure_view_acl(vconfig, config, "allow-query",
+		CHECK(configure_view_acl(vconfig, config, "allow-query", NULL,
 					 actx, ns_g_mctx, &view->queryacl));
 	if (view->recursion &&
 	    view->recursionacl == NULL && view->queryacl != NULL)
@@ -1643,19 +1922,20 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	 */
 	if (view->recursionacl == NULL && view->recursion)
 		CHECK(configure_view_acl(NULL, ns_g_config,
-					 "allow-recursion",
+					 "allow-recursion", NULL,
 					 actx, ns_g_mctx,
 					 &view->recursionacl));
 	if (view->recursiononacl == NULL && view->recursion)
 		CHECK(configure_view_acl(NULL, ns_g_config,
-					 "allow-recursion-on",
+					 "allow-recursion-on", NULL,
 					 actx, ns_g_mctx,
 					 &view->recursiononacl));
 	if (view->queryacl == NULL) {
 		if (view->recursion)
 			CHECK(configure_view_acl(NULL, ns_g_config,
-						 "allow-query-cache", actx,
-						 ns_g_mctx, &view->queryacl));
+						 "allow-query-cache", NULL,
+						 actx, ns_g_mctx,
+						 &view->queryacl));
 		else {
 			if (view->queryacl != NULL)
 				dns_acl_detach(&view->queryacl);
@@ -1664,6 +1944,25 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	}
 
 	/*
+	 * Filter setting on addresses in the answer section.
+	 */
+	CHECK(configure_view_acl(vconfig, config, "deny-answer-addresses",
+				 "acl", actx, ns_g_mctx, &view->denyansweracl));
+	CHECK(configure_view_nametable(vconfig, config, "deny-answer-addresses",
+				       "except-from", ns_g_mctx,
+				       &view->answeracl_exclude));
+
+	/*
+	 * Filter setting on names (CNAME/DNAME targets) in the answer section.
+	 */
+	CHECK(configure_view_nametable(vconfig, config, "deny-answer-aliases",
+				       "name", ns_g_mctx,
+				       &view->denyanswernames));
+	CHECK(configure_view_nametable(vconfig, config, "deny-answer-aliases",
+				       "except-from", ns_g_mctx,
+				       &view->answernames_exclude));
+
+	/*
 	 * Configure sortlist, if set
 	 */
 	CHECK(configure_view_sortlist(vconfig, config, actx, ns_g_mctx,
@@ -1676,19 +1975,19 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	 */
 	if (view->notifyacl == NULL)
 		CHECK(configure_view_acl(NULL, ns_g_config,
-					 "allow-notify", actx,
+					 "allow-notify", NULL, actx,
 					 ns_g_mctx, &view->notifyacl));
 	if (view->transferacl == NULL)
 		CHECK(configure_view_acl(NULL, ns_g_config,
-					 "allow-transfer", actx,
+					 "allow-transfer", NULL, actx,
 					 ns_g_mctx, &view->transferacl));
 	if (view->updateacl == NULL)
 		CHECK(configure_view_acl(NULL, ns_g_config,
-					 "allow-update", actx,
+					 "allow-update", NULL, actx,
 					 ns_g_mctx, &view->updateacl));
 	if (view->upfwdacl == NULL)
 		CHECK(configure_view_acl(NULL, ns_g_config,
-					 "allow-update-forwarding", actx,
+					 "allow-update-forwarding", NULL, actx,
 					 ns_g_mctx, &view->upfwdacl));
 
 	obj = NULL;
@@ -1724,7 +2023,21 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	view->enablednssec = cfg_obj_asboolean(obj);
 
 	obj = NULL;
-	result = ns_config_get(maps, "dnssec-lookaside", &obj);
+	result = ns_config_get(optionmaps, "dnssec-lookaside", &obj);
+	if (result == ISC_R_SUCCESS) {
+		/* If set to "auto", use the version from the defaults */
+		const cfg_obj_t *dlvobj;
+		dlvobj = cfg_listelt_value(cfg_list_first(obj));
+		if (!strcmp(cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain")),
+			    "auto") &&
+		    cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
+			auto_dlv = ISC_TRUE;
+			obj = NULL;
+			result = cfg_map_get(ns_g_defaults,
+					     "dnssec-lookaside", &obj);
+		}
+	}
+
 	if (result == ISC_R_SUCCESS) {
 		for (element = cfg_list_first(obj);
 		     element != NULL;
@@ -1769,8 +2082,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	 * For now, there is only one kind of trusted keys, the
 	 * "security roots".
 	 */
-	CHECK(configure_view_dnsseckeys(vconfig, config, mctx,
-					&view->secroots));
+	CHECK(configure_view_dnsseckeys(vconfig, config, bindkeys, auto_dlv,
+					mctx, &view->secroots));
 	dns_resolver_resetmustbesecure(view->resolver);
 	obj = NULL;
 	result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
@@ -2005,6 +2318,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	result = ISC_R_SUCCESS;
 
  cleanup:
+	if (ring != NULL)
+		dns_tsigkeyring_destroy(&ring);
 	if (zone != NULL)
 		dns_zone_detach(&zone);
 	if (dispatch4 != NULL)
@@ -2339,7 +2654,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	ztypestr = cfg_obj_asstring(typeobj);
 
 	/*
-	 * "hints zones" aren't zones.  If we've got one,
+	 * "hints zones" aren't zones.	If we've got one,
 	 * configure it and return.
 	 */
 	if (strcasecmp(ztypestr, "hint") == 0) {
@@ -2904,13 +3219,219 @@ removed(dns_zone_t *zone, void *uap) {
 	return (ISC_R_SUCCESS);
 }
 
+static void
+cleanup_session_key(ns_server_t *server, isc_mem_t *mctx) {
+	if (server->ddns_keyfile != NULL) {
+		isc_file_remove(server->ddns_keyfile);
+		isc_mem_free(mctx, server->ddns_keyfile);
+		server->ddns_keyfile = NULL;
+	}
+
+	if (server->ddns_keyname != NULL) {
+		if (dns_name_dynamic(server->ddns_keyname))
+			dns_name_free(server->ddns_keyname, mctx);
+		isc_mem_put(mctx, server->ddns_keyname, sizeof(dns_name_t));
+		server->ddns_keyname = NULL;
+	}
+
+	if (server->ddnskey != NULL)
+		dns_tsigkey_detach(&server->ddnskey);
+
+	server->ddns_keyalg = DST_ALG_UNKNOWN;
+	server->ddns_keybits = 0;
+}
+
+static isc_result_t
+generate_session_key(const char *filename, const char *keynamestr,
+		     dns_name_t *keyname, const char *algstr,
+		     dns_name_t *algname, unsigned int algtype,
+		     isc_uint16_t bits, isc_mem_t *mctx,
+		     dns_tsigkey_t **tsigkeyp)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	dst_key_t *key = NULL;
+	isc_buffer_t key_txtbuffer;
+	isc_buffer_t key_rawbuffer;
+	char key_txtsecret[256];
+	char key_rawsecret[64];
+	isc_region_t key_rawregion;
+	isc_stdtime_t now;
+	dns_tsigkey_t *tsigkey = NULL;
+	FILE *fp = NULL;
+
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "generating session key for dynamic DNS");
+
+	/* generate key */
+	result = dst_key_generate(keyname, algtype, bits, 1, 0,
+				  DNS_KEYPROTO_ANY, dns_rdataclass_in,
+				  mctx, &key);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * Dump the key to the buffer for later use.  Should be done before
+	 * we transfer the ownership of key to tsigkey.
+	 */
+	isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
+	CHECK(dst_key_tobuffer(key, &key_rawbuffer));
+
+	isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
+	isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
+	CHECK(isc_base64_totext(&key_rawregion, -1, "", &key_txtbuffer));
+
+	/* Store the key in tsigkey. */
+	isc_stdtime_get(&now);
+	CHECK(dns_tsigkey_createfromkey(dst_key_name(key), algname, key,
+					ISC_FALSE, NULL, now, now, mctx, NULL,
+					&tsigkey));
+	key = NULL;		/* ownership of key has been transferred */
+
+	/* Dump the key to the key file. */
+	CHECK(isc_file_safecreate(filename, &fp));
+
+	fprintf(fp, "key \"%s\" {\n"
+		"\talgorithm %s;\n"
+		"\tsecret \"%.*s\";\n};\n", keynamestr, algstr,
+		(int) isc_buffer_usedlength(&key_txtbuffer),
+		(char*) isc_buffer_base(&key_txtbuffer));
+
+	RUNTIME_CHECK(isc_stdio_flush(fp) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_stdio_close(fp) == ISC_R_SUCCESS);
+
+	*tsigkeyp = tsigkey;
+
+	return (ISC_R_SUCCESS);
+
+  cleanup:
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+		      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+		      "failed to generate session key "
+		      "for dynamic DNS: %s", isc_result_totext(result));
+	if (tsigkey != NULL)
+		dns_tsigkey_detach(&tsigkey);
+	if (key != NULL)
+		dst_key_free(&key);
+
+	return (result);
+}
+
+static isc_result_t
+configure_session_key(const cfg_obj_t **maps, ns_server_t *server,
+		      isc_mem_t *mctx)
+{
+	const char *keyfile, *keynamestr, *algstr;
+	unsigned int algtype;
+	dns_fixedname_t fname;
+	dns_name_t *keyname, *algname;
+	isc_buffer_t buffer;
+	isc_uint16_t bits;
+	const cfg_obj_t *obj;
+	isc_boolean_t need_deleteold = ISC_FALSE;
+	isc_boolean_t need_createnew = ISC_FALSE;
+	isc_result_t result;
+
+	obj = NULL;
+	result = ns_config_get(maps, "ddns-keyfile", &obj);
+	if (result == ISC_R_SUCCESS) {
+		if (cfg_obj_isvoid(obj))
+			keyfile = NULL; /* disable it */
+		else
+			keyfile = cfg_obj_asstring(obj);
+	} else
+		keyfile = ns_g_defaultddnskeyfile;
+
+	obj = NULL;
+	result = ns_config_get(maps, "ddns-keyname", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	keynamestr = cfg_obj_asstring(obj);
+	dns_fixedname_init(&fname);
+	isc_buffer_init(&buffer, keynamestr, strlen(keynamestr));
+	isc_buffer_add(&buffer, strlen(keynamestr));
+	keyname = dns_fixedname_name(&fname);
+	result = dns_name_fromtext(keyname, &buffer, dns_rootname, ISC_FALSE,
+				   NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	obj = NULL;
+	result = ns_config_get(maps, "ddns-keyalg", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	algstr = cfg_obj_asstring(obj);
+	algname = NULL;
+	result = ns_config_getkeyalgorithm2(algstr, &algname, &algtype, &bits);
+	if (result != ISC_R_SUCCESS) {
+		const char *s = " (keeping current key)";
+
+		cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, "ddns-keyalg: "
+			    "unsupported or unknown algorithm '%s'%s",
+			    algstr,
+			    server->ddns_keyfile != NULL ? s : "");
+		return (result);
+	}
+
+	/* See if we need to (re)generate a new key. */
+	if (keyfile == NULL) {
+		if (server->ddns_keyfile != NULL)
+			need_deleteold = ISC_TRUE;
+	} else if (server->ddns_keyfile == NULL)
+		need_createnew = ISC_TRUE;
+	else if (strcmp(keyfile, server->ddns_keyfile) != 0 ||
+		 !dns_name_equal(server->ddns_keyname, keyname) ||
+		 server->ddns_keyalg != algtype ||
+		 server->ddns_keybits != bits) {
+		need_deleteold = ISC_TRUE;
+		need_createnew = ISC_TRUE;
+	}
+
+	if (need_deleteold) {
+		INSIST(server->ddns_keyfile != NULL);
+		INSIST(server->ddns_keyname != NULL);
+		INSIST(server->ddnskey != NULL);
+
+		cleanup_session_key(server, mctx);
+	}
+
+	if (need_createnew) {
+		INSIST(server->ddnskey == NULL);
+		INSIST(server->ddns_keyfile == NULL);
+		INSIST(server->ddns_keyname == NULL);
+		INSIST(server->ddns_keyalg == DST_ALG_UNKNOWN);
+		INSIST(server->ddns_keybits == 0);
+
+		server->ddns_keyname = isc_mem_get(mctx, sizeof(dns_name_t));
+		if (server->ddns_keyname == NULL)
+			goto cleanup;
+		dns_name_init(server->ddns_keyname, NULL);
+		CHECK(dns_name_dup(keyname, mctx, server->ddns_keyname));
+
+		server->ddns_keyfile = isc_mem_strdup(mctx, keyfile);
+		if (server->ddns_keyfile == NULL)
+			goto cleanup;
+
+		server->ddns_keyalg = algtype;
+		server->ddns_keybits = bits;
+
+		CHECK(generate_session_key(keyfile, keynamestr, keyname, algstr,
+					   algname, algtype, bits, mctx,
+					   &server->ddnskey));
+	}
+
+	return (result);
+
+  cleanup:
+	cleanup_session_key(server, mctx);
+	return (result);
+}
+
 static isc_result_t
 load_configuration(const char *filename, ns_server_t *server,
 		   isc_boolean_t first_time)
 {
 	cfg_aclconfctx_t aclconfctx;
-	cfg_obj_t *config;
-	cfg_parser_t *parser = NULL;
+	cfg_obj_t *config = NULL, *bindkeys = NULL;
+	cfg_parser_t *conf_parser = NULL, *bindkeys_parser = NULL;
 	const cfg_listelt_t *element;
 	const cfg_obj_t *builtin_views;
 	const cfg_obj_t *maps[3];
@@ -2933,10 +3454,13 @@ load_configuration(const char *filename, ns_server_t *server,
 	isc_uint32_t interface_interval;
 	isc_uint32_t reserved;
 	isc_uint32_t udpsize;
+	ns_cachelist_t cachelist, tmpcachelist;
 	unsigned int maxsocks;
+	ns_cache_t *nsc;
 
 	cfg_aclconfctx_init(&aclconfctx);
 	ISC_LIST_INIT(viewlist);
+	ISC_LIST_INIT(cachelist);
 
 	/* Ensure exclusive access to configuration data. */
 	result = isc_task_beginexclusive(server->task);
@@ -2948,8 +3472,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	if (first_time) {
 		CHECK(ns_config_parsedefaults(ns_g_parser, &ns_g_config));
 		RUNTIME_CHECK(cfg_map_get(ns_g_config, "options",
-					  &ns_g_defaults) ==
-			      ISC_R_SUCCESS);
+					  &ns_g_defaults) == ISC_R_SUCCESS);
 	}
 
 	/*
@@ -2966,10 +3489,10 @@ load_configuration(const char *filename, ns_server_t *server,
 			      NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
 			      ISC_LOG_INFO, "loading configuration from '%s'",
 			      filename);
-		CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &parser));
-		cfg_parser_setcallback(parser, directory_callback, NULL);
-		result = cfg_parse_file(parser, filename, &cfg_type_namedconf,
-					&config);
+		CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &conf_parser));
+		cfg_parser_setcallback(conf_parser, directory_callback, NULL);
+		result = cfg_parse_file(conf_parser, filename,
+					&cfg_type_namedconf, &config);
 	}
 
 	/*
@@ -2984,10 +3507,10 @@ load_configuration(const char *filename, ns_server_t *server,
 			      NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
 			      ISC_LOG_INFO, "loading configuration from '%s'",
 			      lwresd_g_resolvconffile);
-		if (parser != NULL)
-			cfg_parser_destroy(&parser);
-		CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &parser));
-		result = ns_lwresd_parseeresolvconf(ns_g_mctx, parser,
+		if (conf_parser != NULL)
+			cfg_parser_destroy(&conf_parser);
+		CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &conf_parser));
+		result = ns_lwresd_parseeresolvconf(ns_g_mctx, conf_parser,
 						    &config);
 	}
 	CHECK(result);
@@ -3009,13 +3532,38 @@ load_configuration(const char *filename, ns_server_t *server,
 	maps[i++] = NULL;
 
 	/*
+	 * If bind.keys exists, load it.  If "dnssec-lookaside auto"
+	 * is turned on, the keys found there will be used as default
+	 * trust anchors.
+	 */
+	obj = NULL;
+	result = ns_config_get(maps, "bindkeys-file", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	CHECKM(setstring(server, &server->bindkeysfile,
+	       cfg_obj_asstring(obj)), "strdup");
+
+	if (access(server->bindkeysfile, R_OK) == 0) {
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "reading built-in trusted "
+			      "keys from file '%s'", server->bindkeysfile);
+
+		CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx,
+					&bindkeys_parser));
+
+		result = cfg_parse_file(bindkeys_parser, server->bindkeysfile,
+					&cfg_type_bindkeys, &bindkeys);
+		CHECK(result);
+	}
+
+	/*
 	 * Set process limits, which (usually) needs to be done as root.
 	 */
 	set_limits(maps);
 
 	/*
 	 * Check if max number of open sockets that the system allows is
-	 * sufficiently large.  Failing this condition is not necessarily fatal,
+	 * sufficiently large.	Failing this condition is not necessarily fatal,
 	 * but may cause subsequent runtime failures for a busy recursive
 	 * server.
 	 */
@@ -3068,7 +3616,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	else
 		isc_quota_soft(&server->recursionquota, 0);
 
-	CHECK(configure_view_acl(NULL, config, "blackhole", &aclconfctx,
+	CHECK(configure_view_acl(NULL, config, "blackhole", NULL, &aclconfctx,
 				 ns_g_mctx, &server->blackholeacl));
 	if (server->blackholeacl != NULL)
 		dns_dispatchmgr_setblackhole(ns_g_dispatchmgr,
@@ -3308,6 +3856,15 @@ load_configuration(const char *filename, ns_server_t *server,
 			      &interval, ISC_FALSE));
 
 	/*
+	 * Configure the server-wide session key.  This must be done before
+	 * configure views because zone configuration may require ddns-keyname.
+	 * Failure of session key generation isn't fatal at this time; if it
+	 * turns out that a session key is really needed but doesn't exist,
+	 * we'll treat it as a fatal error then.
+	 */
+	(void)configure_session_key(maps, server, ns_g_mctx);
+
+	/*
 	 * Configure and freeze all explicit views.  Explicit
 	 * views that have zones were already created at parsing
 	 * time, but views with no zones must be created here.
@@ -3324,6 +3881,7 @@ load_configuration(const char *filename, ns_server_t *server,
 		CHECK(create_view(vconfig, &viewlist, &view));
 		INSIST(view != NULL);
 		CHECK(configure_view(view, config, vconfig,
+				     &cachelist, bindkeys,
 				     ns_g_mctx, &aclconfctx, ISC_TRUE));
 		dns_view_freeze(view);
 		dns_view_detach(&view);
@@ -3341,8 +3899,9 @@ load_configuration(const char *filename, ns_server_t *server,
 		 * In either case, we need to configure and freeze it.
 		 */
 		CHECK(create_view(NULL, &viewlist, &view));
-		CHECK(configure_view(view, config, NULL, ns_g_mctx,
-				     &aclconfctx, ISC_TRUE));
+		CHECK(configure_view(view, config, NULL,
+				     &cachelist, bindkeys,
+				     ns_g_mctx, &aclconfctx, ISC_TRUE));
 		dns_view_freeze(view);
 		dns_view_detach(&view);
 	}
@@ -3360,8 +3919,9 @@ load_configuration(const char *filename, ns_server_t *server,
 	{
 		const cfg_obj_t *vconfig = cfg_listelt_value(element);
 		CHECK(create_view(vconfig, &viewlist, &view));
-		CHECK(configure_view(view, config, vconfig, ns_g_mctx,
-				     &aclconfctx, ISC_FALSE));
+		CHECK(configure_view(view, config, vconfig,
+				     &cachelist, bindkeys,
+				     ns_g_mctx, &aclconfctx, ISC_FALSE));
 		dns_view_freeze(view);
 		dns_view_detach(&view);
 		view = NULL;
@@ -3375,6 +3935,13 @@ load_configuration(const char *filename, ns_server_t *server,
 	viewlist = tmpviewlist;
 
 	/*
+	 * Swap our new cache list with the production one.
+	 */
+	tmpcachelist = server->cachelist;
+	server->cachelist = cachelist;
+	cachelist = tmpcachelist;
+
+	/*
 	 * Load the TKEY information from the configuration.
 	 */
 	if (options != NULL) {
@@ -3443,6 +4010,17 @@ load_configuration(const char *filename, ns_server_t *server,
 		}
 	}
 
+	obj = NULL;
+	if (ns_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS)
+		if (cfg_obj_isvoid(obj))
+			ns_os_writepidfile(NULL, first_time);
+		else
+			ns_os_writepidfile(cfg_obj_asstring(obj), first_time);
+	else if (ns_g_lwresdonly)
+		ns_os_writepidfile(lwresd_g_defaultpidfile, first_time);
+	else
+		ns_os_writepidfile(ns_g_defaultpidfile, first_time);
+
 	/*
 	 * Relinquish root privileges.
 	 */
@@ -3541,16 +4119,6 @@ load_configuration(const char *filename, ns_server_t *server,
 		}
 	}
 
-	obj = NULL;
-	if (ns_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS)
-		if (cfg_obj_isvoid(obj))
-			ns_os_writepidfile(NULL, first_time);
-		else
-			ns_os_writepidfile(cfg_obj_asstring(obj), first_time);
-	else if (ns_g_lwresdonly)
-		ns_os_writepidfile(lwresd_g_defaultpidfile, first_time);
-	else
-		ns_os_writepidfile(ns_g_defaultpidfile, first_time);
 
 	obj = NULL;
 	if (options != NULL &&
@@ -3639,10 +4207,16 @@ load_configuration(const char *filename, ns_server_t *server,
 
 	cfg_aclconfctx_destroy(&aclconfctx);
 
-	if (parser != NULL) {
+	if (conf_parser != NULL) {
 		if (config != NULL)
-			cfg_obj_destroy(parser, &config);
-		cfg_parser_destroy(&parser);
+			cfg_obj_destroy(conf_parser, &config);
+		cfg_parser_destroy(&conf_parser);
+	}
+
+	if (bindkeys_parser != NULL) {
+		if (bindkeys  != NULL)
+			cfg_obj_destroy(bindkeys_parser, &bindkeys);
+		cfg_parser_destroy(&bindkeys_parser);
 	}
 
 	if (view != NULL)
@@ -3665,6 +4239,13 @@ load_configuration(const char *filename, ns_server_t *server,
 		dns_view_detach(&view);
 	}
 
+	/* Same cleanup for cache list. */
+	while ((nsc = ISC_LIST_HEAD(cachelist)) != NULL) {
+		ISC_LIST_UNLINK(cachelist, nsc, link);
+		dns_cache_detach(&nsc->cache);
+		isc_mem_put(server->mctx, nsc, sizeof(*nsc));
+	}
+
 	/*
 	 * Adjust the listening interfaces in accordance with the source
 	 * addresses specified in views and zones.
@@ -3810,6 +4391,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
 	dns_view_t *view, *view_next;
 	ns_server_t *server = (ns_server_t *)event->ev_arg;
 	isc_boolean_t flush = server->flushonshutdown;
+	ns_cache_t *nsc;
 
 	UNUSED(task);
 	INSIST(task == server->task);
@@ -3824,6 +4406,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
 	ns_statschannels_shutdown(server);
 	ns_controls_shutdown(server->controls);
 	end_reserved_dispatches(server, ISC_TRUE);
+	cleanup_session_key(server, server->mctx);
 
 	cfg_obj_destroy(ns_g_parser, &ns_g_config);
 	cfg_parser_destroy(&ns_g_parser);
@@ -3839,6 +4422,12 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
 			dns_view_detach(&view);
 	}
 
+	while ((nsc = ISC_LIST_HEAD(server->cachelist)) != NULL) {
+		ISC_LIST_UNLINK(server->cachelist, nsc, link);
+		dns_cache_detach(&nsc->cache);
+		isc_mem_put(server->mctx, nsc, sizeof(*nsc));
+	}
+
 	isc_timer_detach(&server->interface_timer);
 	isc_timer_detach(&server->heartbeat_timer);
 	isc_timer_detach(&server->pps_timer);
@@ -3850,6 +4439,11 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
 
 	dns_zonemgr_shutdown(server->zonemgr);
 
+	if (ns_g_ddnskey != NULL) {
+		dns_tsigkey_detach(&ns_g_ddnskey);
+		dns_name_free(&ns_g_ddnskeyname, server->mctx);
+	}
+
 	if (server->blackholeacl != NULL)
 		dns_acl_detach(&server->blackholeacl);
 
@@ -3953,6 +4547,11 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 		   "isc_stats_create");
 	isc_socketmgr_setstats(ns_g_socketmgr, server->sockstats);
 
+	server->bindkeysfile = isc_mem_strdup(server->mctx, "bind.keys");
+	CHECKFATAL(server->bindkeysfile == NULL ? ISC_R_NOMEMORY :
+						  ISC_R_SUCCESS,
+		   "isc_mem_strdup");
+
 	server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db");
 	CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
 		   "isc_mem_strdup");
@@ -3998,6 +4597,14 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 
 	ISC_LIST_INIT(server->statschannels);
 
+	ISC_LIST_INIT(server->cachelist);
+
+	server->ddnskey = NULL;
+	server->ddns_keyfile = NULL;
+	server->ddns_keyname = NULL;
+	server->ddns_keyalg = DST_ALG_UNKNOWN;
+	server->ddns_keybits = 0;
+
 	server->magic = NS_SERVER_MAGIC;
 	*serverp = server;
 }
@@ -4017,6 +4624,7 @@ ns_server_destroy(ns_server_t **serverp) {
 	isc_stats_detach(&server->sockstats);
 
 	isc_mem_free(server->mctx, server->statsfile);
+	isc_mem_free(server->mctx, server->bindkeysfile);
 	isc_mem_free(server->mctx, server->dumpfile);
 	isc_mem_free(server->mctx, server->recfile);
 
@@ -4037,6 +4645,7 @@ ns_server_destroy(ns_server_t **serverp) {
 	isc_event_free(&server->reload_event);
 
 	INSIST(ISC_LIST_EMPTY(server->viewlist));
+	INSIST(ISC_LIST_EMPTY(server->cachelist));
 
 	dns_aclenv_destroy(&server->aclenv);
 
@@ -4698,15 +5307,23 @@ dumpdone(void *arg, isc_result_t result) {
  nextview:
 	fprintf(dctx->fp, ";\n; Start view %s\n;\n", dctx->view->view->name);
  resume:
-	if (dctx->zone == NULL && dctx->cache == NULL && dctx->dumpcache) {
+	if (dctx->dumpcache && dns_view_iscacheshared(dctx->view->view)) {
+		fprintf(dctx->fp,
+			";\n; Cache of view '%s' is shared as '%s'\n",
+			dctx->view->view->name,
+			dns_cache_getname(dctx->view->view->cache));
+	} else if (dctx->zone == NULL && dctx->cache == NULL &&
+		   dctx->dumpcache)
+	{
 		style = &dns_master_style_cache;
 		/* start cache dump */
 		if (dctx->view->view->cachedb != NULL)
 			dns_db_attach(dctx->view->view->cachedb, &dctx->cache);
 		if (dctx->cache != NULL) {
-
-			fprintf(dctx->fp, ";\n; Cache dump of view '%s'\n;\n",
-				dctx->view->view->name);
+			fprintf(dctx->fp,
+				";\n; Cache dump of view '%s' (cache %s)\n;\n",
+				dctx->view->view->name,
+				dns_cache_getname(dctx->view->view->cache));
 			result = dns_master_dumptostreaminc(dctx->mctx,
 							    dctx->cache, NULL,
 							    style, dctx->fp,
@@ -4983,6 +5600,7 @@ ns_server_flushcache(ns_server_t *server, char *args) {
 	isc_boolean_t flushed;
 	isc_boolean_t found;
 	isc_result_t result;
+	ns_cache_t *nsc;
 
 	/* Skip the command name. */
 	ptr = next_token(&args, " \t");
@@ -4996,22 +5614,96 @@ ns_server_flushcache(ns_server_t *server, char *args) {
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	flushed = ISC_TRUE;
 	found = ISC_FALSE;
-	for (view = ISC_LIST_HEAD(server->viewlist);
-	     view != NULL;
-	     view = ISC_LIST_NEXT(view, link))
-	{
-		if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
-			continue;
+
+	/*
+	 * Flushing a cache is tricky when caches are shared by multiple views.
+	 * We first identify which caches should be flushed in the local cache
+	 * list, flush these caches, and then update other views that refer to
+	 * the flushed cache DB.
+	 */
+	if (viewname != NULL) {
+		/*
+		 * Mark caches that need to be flushed.  This is an O(#view^2)
+		 * operation in the very worst case, but should be normally
+		 * much more lightweight because only a few (most typically just
+		 * one) views will match.
+		 */
+		for (view = ISC_LIST_HEAD(server->viewlist);
+		     view != NULL;
+		     view = ISC_LIST_NEXT(view, link))
+		{
+			if (strcasecmp(viewname, view->name) != 0)
+				continue;
+			found = ISC_TRUE;
+			for (nsc = ISC_LIST_HEAD(server->cachelist);
+			     nsc != NULL;
+			     nsc = ISC_LIST_NEXT(nsc, link)) {
+				if (nsc->cache == view->cache)
+					break;
+			}
+			INSIST(nsc != NULL);
+			nsc->needflush = ISC_TRUE;
+		}
+	} else
 		found = ISC_TRUE;
-		result = dns_view_flushcache(view);
+
+	/* Perform flush */
+	for (nsc = ISC_LIST_HEAD(server->cachelist);
+	     nsc != NULL;
+	     nsc = ISC_LIST_NEXT(nsc, link)) {
+		if (viewname != NULL && !nsc->needflush)
+			continue;
+		nsc->needflush = ISC_TRUE;
+		result = dns_view_flushcache2(nsc->primaryview, ISC_FALSE);
 		if (result != ISC_R_SUCCESS) {
 			flushed = ISC_FALSE;
 			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
 				      "flushing cache in view '%s' failed: %s",
-				      view->name, isc_result_totext(result));
+				      nsc->primaryview->name,
+				      isc_result_totext(result));
+		}
+	}
+
+	/*
+	 * Fix up views that share a flushed cache: let the views update the
+	 * cache DB they're referring to.  This could also be an expensive
+	 * operation, but should typically be marginal: the inner loop is only
+	 * necessary for views that share a cache, and if there are many such
+	 * views the number of shared cache should normally be small.
+	 * A worst case is that we have n views and n/2 caches, each shared by
+	 * two views.  Then this will be a O(n^2/4) operation.
+	 */
+	for (view = ISC_LIST_HEAD(server->viewlist);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link))
+	{
+		if (!dns_view_iscacheshared(view))
+			continue;
+		for (nsc = ISC_LIST_HEAD(server->cachelist);
+		     nsc != NULL;
+		     nsc = ISC_LIST_NEXT(nsc, link)) {
+			if (!nsc->needflush || nsc->cache != view->cache)
+				continue;
+			result = dns_view_flushcache2(view, ISC_TRUE);
+			if (result != ISC_R_SUCCESS) {
+				flushed = ISC_FALSE;
+				isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+					      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+					      "fixing cache in view '%s' "
+					      "failed: %s", view->name,
+					      isc_result_totext(result));
+			}
 		}
 	}
+
+	/* Cleanup the cache list. */
+	for (nsc = ISC_LIST_HEAD(server->cachelist);
+	     nsc != NULL;
+	     nsc = ISC_LIST_NEXT(nsc, link)) {
+		nsc->needflush = ISC_FALSE;
+	}
+
 	if (flushed && found) {
 		if (viewname != NULL)
 			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
@@ -5080,6 +5772,11 @@ ns_server_flushname(ns_server_t *server, char *args) {
 		if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
 			continue;
 		found = ISC_TRUE;
+		/*
+		 * It's a little inefficient to try flushing name for all views
+		 * if some of the views share a single cache.  But since the
+		 * operation is lightweight we prefer simplicity here.
+		 */
 		result = dns_view_flushname(view, name);
 		if (result != ISC_R_SUCCESS) {
 			flushed = ISC_FALSE;
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
index 81f40bb2..0540e4e8 100644
--- a/bin/named/statschannel.c
+++ b/bin/named/statschannel.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: statschannel.c,v 1.14.64.6 2009/02/17 03:43:07 marka Exp $ */
+/* $Id: statschannel.c,v 1.22 2009/02/17 03:40:28 marka Exp $ */
 
 /*! \file */
 
@@ -29,6 +29,7 @@
 #include <isc/stats.h>
 #include <isc/task.h>
 
+#include <dns/cache.h>
 #include <dns/db.h>
 #include <dns/opcode.h>
 #include <dns/resolver.h>
@@ -728,7 +729,7 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "bind"));
 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
 	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
-					 ISC_XMLCHAR "2.0"));
+					 ISC_XMLCHAR "2.1"));
 
 	/* Set common fields for statistics dump */
 	dumparg.type = statsformat_xml;
@@ -766,11 +767,15 @@ generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
 
 		cachestats = dns_db_getrrsetstats(view->cachedb);
 		if (cachestats != NULL) {
-			xmlTextWriterStartElement(writer,
-						  ISC_XMLCHAR "cache");
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR "cache"));
+			TRY0(xmlTextWriterWriteAttribute(writer,
+					 ISC_XMLCHAR "name",
+					 ISC_XMLCHAR
+					 dns_cache_getname(view->cache)));
 			dns_rdatasetstats_dump(cachestats, rdatasetstats_dump,
 					       &dumparg, 0);
-			xmlTextWriterEndElement(writer); /* cache */
+			TRY0(xmlTextWriterEndElement(writer)); /* cache */
 		}
 
 		xmlTextWriterEndElement(writer); /* view */
@@ -1314,7 +1319,15 @@ ns_stats_dump(ns_server_t *server, FILE *fp) {
 		if (strcmp(view->name, "_default") == 0)
 			fprintf(fp, "[View: default]\n");
 		else
-			fprintf(fp, "[View: %s]\n", view->name);
+			fprintf(fp, "[View: %s (Cache: %s)]\n", view->name,
+				dns_cache_getname(view->cache));
+		if (dns_view_iscacheshared(view)) {
+			/*
+			 * Avoid dumping redundant statistics when the cache is
+			 * shared.
+			 */
+			continue;
+		}
 		dns_rdatasetstats_dump(cachestats, rdatasetstats_dump, &dumparg,
 				       0);
 	}
diff --git a/bin/named/tsigconf.c b/bin/named/tsigconf.c
index b3c6e023..f44dcd7e 100644
--- a/bin/named/tsigconf.c
+++ b/bin/named/tsigconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsigconf.c,v 1.30 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: tsigconf.c,v 1.32 2009/06/11 23:47:55 tbox Exp $ */
 
 /*! \file */
 
@@ -149,6 +149,8 @@ ns_tsigkeyring_fromconfig(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	isc_result_t result;
 	int i;
 
+	REQUIRE(ringp != NULL && *ringp == NULL);
+
 	i = 0;
 	if (config != NULL)
 		maps[i++] = config;
diff --git a/bin/named/unix/os.c b/bin/named/unix/os.c
index 5e6b98f6..eb8682a4 100644
--- a/bin/named/unix/os.c
+++ b/bin/named/unix/os.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.89.12.5 2009/03/02 03:03:54 marka Exp $ */
+/* $Id: os.c,v 1.95 2009/03/02 03:08:22 marka Exp $ */
 
 /*! \file */
 
@@ -695,6 +695,13 @@ mkdirpath(char *filename, void (*report)(const char *, ...)) {
 					  strbuf);
 				goto error;
 			}
+			if (runas_pw != NULL &&
+			    chown(filename, runas_pw->pw_uid,
+				  runas_pw->pw_gid) == -1) {
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				(*report)("couldn't chown '%s': %s", filename,
+					  strbuf);
+			}
 		}
 		*slash = '/';
 	}
diff --git a/bin/named/update.c b/bin/named/update.c
index ff073116..d0969efb 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.151.12.5 2009/04/30 07:03:37 marka Exp $ */
+/* $Id: update.c,v 1.157 2009/04/30 06:59:11 marka Exp $ */
 
 #include <config.h>
 
@@ -4136,9 +4136,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	goto common;
 
  failure:
-	if (result == DNS_R_REFUSED)
-		inc_stats(zone, dns_nsstatscounter_updaterej);
-
 	/*
 	 * The reason for failure should have been logged at this point.
 	 */
diff --git a/bin/named/win32/os.c b/bin/named/win32/os.c
index 4df44431..73b65e0d 100644
--- a/bin/named/win32/os.c
+++ b/bin/named/win32/os.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.31 2008/11/17 05:41:10 marka Exp $ */
+/* $Id: os.c,v 1.34 2009/06/12 02:33:21 each Exp $ */
 
 #include <config.h>
 #include <stdarg.h>
@@ -66,6 +66,7 @@ ns_paths_init() {
 	ns_g_defaultpidfile = isc_ntpaths_get(NAMED_PID_PATH);
 	lwresd_g_defaultpidfile = isc_ntpaths_get(LWRESD_PID_PATH);
 	ns_g_keyfile = isc_ntpaths_get(RNDC_KEY_PATH);
+	ns_g_defaultddnskeyfile = isc_ntpaths_get(DDNS_KEY_PATH);
 
 	Initialized = TRUE;
 }
diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c
index 0aa6f794..6236dfa4 100644
--- a/bin/named/xfrout.c
+++ b/bin/named/xfrout.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrout.c,v 1.131.26.4 2009/01/29 22:40:34 jinmei Exp $ */
+/* $Id: xfrout.c,v 1.135 2009/01/27 22:29:58 jinmei Exp $ */
 
 #include <config.h>
 
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 641831d9..8a2edd4d 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.147.50.2 2009/01/29 23:47:44 tbox Exp $ */
+/* $Id: zoneconf.c,v 1.151 2009/06/10 23:47:47 tbox Exp $ */
 
 /*% */
 
@@ -55,16 +55,18 @@ typedef enum {
 	allow_update_forwarding
 } acl_type_t;
 
-/*%
- * These are BIND9 server defaults, not necessarily identical to the
- * library defaults defined in zone.c.
- */
 #define RETERR(x) do { \
 	isc_result_t _r = (x); \
 	if (_r != ISC_R_SUCCESS) \
 		return (_r); \
 	} while (0)
 
+#define CHECK(x) do { \
+	result = (x); \
+	if (result != ISC_R_SUCCESS) \
+		goto cleanup; \
+	} while (0)
+
 /*%
  * Convenience function for configuring a single zone ACL.
  */
@@ -169,7 +171,9 @@ parse_acl:
  * Parse the zone update-policy statement.
  */
 static isc_result_t
-configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
+configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
+			const char *zname, isc_boolean_t autoddns)
+{
 	const cfg_obj_t *updatepolicy = NULL;
 	const cfg_listelt_t *element, *element2;
 	dns_ssutable_t *table = NULL;
@@ -177,7 +181,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
 	isc_result_t result;
 
 	(void)cfg_map_get(zconfig, "update-policy", &updatepolicy);
-	if (updatepolicy == NULL) {
+
+	if (updatepolicy == NULL && !autoddns) {
 		dns_zone_setssutable(zone, NULL);
 		return (ISC_R_SUCCESS);
 	}
@@ -198,6 +203,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
 		const cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
 		const char *str;
 		isc_boolean_t grant = ISC_FALSE;
+		isc_boolean_t usezone = ISC_FALSE;
 		unsigned int mtype = DNS_SSUMATCHTYPE_NAME;
 		dns_fixedname_t fname, fident;
 		isc_buffer_t b;
@@ -237,7 +243,10 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
 			mtype = DNS_SSUMATCHTYPE_TCPSELF;
 		else if (strcasecmp(str, "6to4-self") == 0)
 			mtype = DNS_SSUMATCHTYPE_6TO4SELF;
-		else
+		else if (strcasecmp(str, "zonesub") == 0) {
+			mtype = DNS_SSUMATCHTYPE_SUBDOMAIN;
+			usezone = ISC_TRUE;
+		} else
 			INSIST(0);
 
 		dns_fixedname_init(&fident);
@@ -253,15 +262,28 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
 		}
 
 		dns_fixedname_init(&fname);
-		str = cfg_obj_asstring(dname);
-		isc_buffer_init(&b, str, strlen(str));
-		isc_buffer_add(&b, strlen(str));
-		result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
-					   dns_rootname, ISC_FALSE, NULL);
-		if (result != ISC_R_SUCCESS) {
-			cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
-				    "'%s' is not a valid name", str);
-			goto cleanup;
+		if (usezone) {
+			result = dns_name_copy(dns_zone_getorigin(zone),
+					       dns_fixedname_name(&fname),
+					       NULL);
+			if (result != ISC_R_SUCCESS) {
+				cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
+					    "error copying origin: %s",
+					    isc_result_totext(result));
+				goto cleanup;
+			}
+		} else {
+			str = cfg_obj_asstring(dname);
+			isc_buffer_init(&b, str, strlen(str));
+			isc_buffer_add(&b, strlen(str));
+			result = dns_name_fromtext(dns_fixedname_name(&fname),
+						   &b, dns_rootname,
+						   ISC_FALSE, NULL);
+			if (result != ISC_R_SUCCESS) {
+				cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
+					    "'%s' is not a valid name", str);
+				goto cleanup;
+			}
 		}
 
 		n = ns_config_listcount(typelist);
@@ -311,7 +333,34 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
 		if (result != ISC_R_SUCCESS) {
 			goto cleanup;
 		}
+	}
 
+	/*
+	 * If this is a "ddns-autoconf" zone and a DDNS session key exists,
+	 * then use the default policy, equivalent to:
+	 * update-policy { grant <ddns-keyname> zonesub any; };
+	 */
+	if (autoddns) {
+		dns_rdatatype_t any = dns_rdatatype_any;
+
+		if (ns_g_server->ddns_keyname == NULL) {
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "failed to enable auto DDNS policy "
+				      "for zone %s: session key not found",
+				      zname);
+			result = ISC_R_NOTFOUND;
+			goto cleanup;
+		}
+
+		result = dns_ssutable_addrule(table, ISC_TRUE,
+					      ns_g_server->ddns_keyname,
+					      DNS_SSUMATCHTYPE_SUBDOMAIN,
+					      dns_zone_getorigin(zone),
+					      1, &any);
+
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
 	}
 
 	result = ISC_R_SUCCESS;
@@ -431,6 +480,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	isc_boolean_t check = ISC_FALSE, fail = ISC_FALSE;
 	isc_boolean_t warn = ISC_FALSE, ignore = ISC_FALSE;
 	isc_boolean_t ixfrdiff;
+	isc_boolean_t autoddns;
 	dns_masterformat_t masterformat;
 	isc_stats_t *zoneqrystats;
 	isc_boolean_t zonestats_on;
@@ -731,6 +781,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	 */
 	if (ztype == dns_zone_master) {
 		dns_acl_t *updateacl;
+
 		RETERR(configure_zone_acl(zconfig, vconfig, config,
 					  allow_update, ac, zone,
 					  dns_zone_setupdateacl,
@@ -744,7 +795,13 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 				      "address, which is insecure",
 				      zname);
 
-		RETERR(configure_zone_ssutable(zoptions, zone));
+		obj = NULL;
+		result = ns_config_get(maps, "ddns-autoconf", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		autoddns = cfg_obj_asboolean(obj);
+
+		RETERR(configure_zone_ssutable(zoptions, zone, zname,
+					       autoddns));
 
 		obj = NULL;
 		result = ns_config_get(maps, "sig-validity-interval", &obj);
diff --git a/bin/nsupdate/Makefile.in b/bin/nsupdate/Makefile.in
index 6d656978..150bfcf5 100644
--- a/bin/nsupdate/Makefile.in
+++ b/bin/nsupdate/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2006-2008  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2006-2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.29 2008/08/29 23:47:22 tbox Exp $
+# $Id: Makefile.in,v 1.31 2009/06/11 23:47:55 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -24,7 +24,7 @@ top_srcdir =	@top_srcdir@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
-		${ISC_INCLUDES} @DST_GSSAPI_INC@
+		${ISC_INCLUDES} ${ISCCFG_INCLUDES} @DST_GSSAPI_INC@
 
 CDEFINES =	@USE_GSSAPI@
 CWARNINGS =
@@ -43,7 +43,7 @@ ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
 
 DEPLIBS =	${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS}
 
-LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} ${ISCCFGLIBS} @LIBS@
+LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
 
 SUBDIRS =
 
@@ -63,6 +63,11 @@ MANOBJS =	${MANPAGES} ${HTMLPAGES}
 
 @BIND9_MAKE_RULES@
 
+nsupdate.@O@: nsupdate.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DDDNS_KEYFILE=\"${localstatedir}/run/named/ddns.key\" \
+		-c ${srcdir}/nsupdate.c
+
 nsupdate@EXEEXT@: nsupdate.@O@ ${UOBJS} ${DEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ nsupdate.@O@ ${UOBJS} ${LIBS}
 
diff --git a/bin/nsupdate/nsupdate.1 b/bin/nsupdate/nsupdate.1
index b0688a3a..6bc7672f 100644
--- a/bin/nsupdate/nsupdate.1
+++ b/bin/nsupdate/nsupdate.1
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: nsupdate.1,v 1.3.48.2 2009/03/10 01:54:11 tbox Exp $
+.\" $Id: nsupdate.1,v 1.7 2009/06/10 01:12:50 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -60,6 +60,10 @@ option makes
 report additional debugging information to
 \fB\-d\fR.
 .PP
+The
+\fB\-L\fR
+option with an integer argument of zero or higher sets the logging debug level. If zero, logging is disabled.
+.PP
 Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931 or GSS\-TSIG as described in RFC3645. TSIG relies on a shared secret that should only be known to
 \fBnsupdate\fR
 and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance, suitable
@@ -78,15 +82,9 @@ uses the
 \fB\-y\fR
 or
 \fB\-k\fR
-option to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests, default type HMAC\-MD5. These options are mutually exclusive. With the
-\fB\-k\fR
-option,
-\fBnsupdate\fR
-reads the shared secret from the file
-\fIkeyfile\fR, whose name is of the form
-\fIK{name}.+157.+{random}.private\fR. For historical reasons, the file
-\fIK{name}.+157.+{random}.key\fR
-must also be present. When the
+option to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests, default type HMAC\-MD5. These options are mutually exclusive.
+.PP
+When the
 \fB\-y\fR
 option is used, a signature is generated from
 [\fIhmac:\fR]\fIkeyname:secret.\fR
@@ -99,17 +97,36 @@ option is discouraged because the shared secret is supplied as a command line ar
 \fBps\fR(1)
 or in a history file maintained by the user's shell.
 .PP
-The
+With the
+\fB\-k\fR
+option,
+\fBnsupdate\fR
+reads the shared secret from the file
+\fIkeyfile\fR. Keyfiles may be in two formats: a single file containing a
+\fInamed.conf\fR\-format
+\fBkey\fR
+statement, which may be generated automatically by
+\fBddns\-confgen\fR, or a pair of files whose names are of the format
+\fIK{name}.+157.+{random}.key\fR
+and
+\fIK{name}.+157.+{random}.private\fR, which can be generated by
+\fBdnssec\-keygen\fR. The
 \fB\-k\fR
 may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC\-MD5 key.
 .PP
-The
-\fB\-g\fR
-and
-\fB\-o\fR
-specify that GSS\-TSIG is to be used. The
-\fB\-o\fR
-should only be used with old Microsoft Windows 2000 servers.
+\fBnsupdate\fR
+can be run in a local\-host only mode using the
+\fB\-l\fR
+flag. This sets the server address to localhost (disabling the
+\fBserver\fR
+so that the server address cannot be overridden). Connections to the local server will use a TSIG key found in
+\fI/var/run/named/ddns.key\fR, which is automatically generated by
+\fBnamed\fR
+if any local master zone has the
+\fBdynamic\fR
+zone option set to yes. The location of this key file can be overridden with the
+\fB\-k\fR
+option.
 .PP
 By default,
 \fBnsupdate\fR
@@ -120,6 +137,10 @@ option makes
 use a TCP connection. This may be preferable when a batch of update requests is made.
 .PP
 The
+\fB\-p\fR
+sets the default port number to use for connections to a name server. The default is 53.
+.PP
+The
 \fB\-t\fR
 option sets the maximum time an update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout.
 .PP
@@ -353,6 +374,11 @@ The prerequisite condition gets the name server to check that there are no resou
 used to identify default name server
 .RE
 .PP
+\fB/var/run/named/ddns.key\fR
+.RS 4
+sets the default TSIG key for use in local\-only mode
+.RE
+.PP
 \fBK{name}.+157.+{random}.key\fR
 .RS 4
 base\-64 encoding of HMAC\-MD5 key created by
@@ -374,6 +400,7 @@ base\-64 encoding of HMAC\-MD5 key created by
 \fBRFC2535\fR(),
 \fBRFC2931\fR(),
 \fBnamed\fR(8),
+\fBddns\-confgen\fR(8),
 \fBdnssec\-keygen\fR(8).
 .SH "BUGS"
 .PP
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 6cf4cf42..7963e7bf 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsupdate.c,v 1.163.48.3 2009/04/30 07:12:49 marka Exp $ */
+/* $Id: nsupdate.c,v 1.168 2009/06/10 01:44:53 each Exp $ */
 
 /*! \file */
 
@@ -33,11 +33,13 @@
 #include <isc/commandline.h>
 #include <isc/entropy.h>
 #include <isc/event.h>
+#include <isc/file.h>
 #include <isc/hash.h>
 #include <isc/lex.h>
 #include <isc/log.h>
 #include <isc/mem.h>
 #include <isc/parseint.h>
+#include <isc/print.h>
 #include <isc/random.h>
 #include <isc/region.h>
 #include <isc/sockaddr.h>
@@ -49,6 +51,8 @@
 #include <isc/types.h>
 #include <isc/util.h>
 
+#include <isccfg/namedconf.h>
+
 #include <dns/callbacks.h>
 #include <dns/dispatch.h>
 #include <dns/dnssec.h>
@@ -105,6 +109,8 @@ extern int h_errno;
 
 #define DNSDEFAULTPORT 53
 
+static isc_uint16_t dnsport = DNSDEFAULTPORT;
+
 #ifndef RESOLV_CONF
 #define RESOLV_CONF "/etc/resolv.conf"
 #endif
@@ -118,6 +124,7 @@ static isc_boolean_t usevc = ISC_FALSE;
 static isc_boolean_t usegsstsig = ISC_FALSE;
 static isc_boolean_t use_win2k_gsstsig = ISC_FALSE;
 static isc_boolean_t tried_other_gsstsig = ISC_FALSE;
+static isc_boolean_t local_only = ISC_FALSE;
 static isc_taskmgr_t *taskmgr = NULL;
 static isc_task_t *global_task = NULL;
 static isc_event_t *global_event = NULL;
@@ -147,7 +154,8 @@ static isc_sockaddr_t *userserver = NULL;
 static isc_sockaddr_t *localaddr = NULL;
 static isc_sockaddr_t *serveraddr = NULL;
 static isc_sockaddr_t tempaddr;
-static char *keystr = NULL, *keyfile = NULL;
+static const char *keyfile = NULL;
+static char *keystr = NULL;
 static isc_entropy_t *entropy = NULL;
 static isc_boolean_t shuttingdown = ISC_FALSE;
 static FILE *input;
@@ -550,22 +558,90 @@ setup_keystr(void) {
 		isc_mem_free(mctx, secret);
 }
 
+/*
+ * Get a key from a named.conf format keyfile
+ */
+static isc_result_t
+read_ddnskey(isc_mem_t *mctx, isc_log_t *lctx) {
+	cfg_parser_t *pctx = NULL;
+	cfg_obj_t *ddnskey = NULL;
+	const cfg_obj_t *key = NULL;
+	const cfg_obj_t *secretobj = NULL;
+	const cfg_obj_t *algorithmobj = NULL;
+	const char *keyname;
+	const char *secretstr;
+	const char *algorithm;
+	isc_result_t result;
+	int len;
+
+	if (! isc_file_exists(keyfile))
+		return (ISC_R_FILENOTFOUND);
+
+	result = cfg_parser_create(mctx, lctx, &pctx);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = cfg_parse_file(pctx, keyfile, &cfg_type_ddnskey, &ddnskey);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = cfg_map_get(ddnskey, "key", &key);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	(void) cfg_map_get(key, "secret", &secretobj);
+	(void) cfg_map_get(key, "algorithm", &algorithmobj);
+	if (secretobj == NULL || algorithmobj == NULL)
+		fatal("key must have algorithm and secret");
+
+	keyname = cfg_obj_asstring(cfg_map_getname(key));
+	secretstr = cfg_obj_asstring(secretobj);
+	algorithm = cfg_obj_asstring(algorithmobj);
+
+	len = strlen(algorithm) + strlen(keyname) + strlen(secretstr) + 3;
+	keystr = isc_mem_allocate(mctx, len);
+	snprintf(keystr, len, "%s:%s:%s", algorithm, keyname, secretstr);
+	setup_keystr();
+
+ cleanup:
+	if (pctx != NULL) {
+		if (ddnskey != NULL)
+			cfg_obj_destroy(pctx, &ddnskey);
+		cfg_parser_destroy(&pctx);
+	}
+
+	if (keystr != NULL)
+		isc_mem_free(mctx, keystr);
+
+	return (result);
+}
+
 static void
-setup_keyfile(void) {
+setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
 	dst_key_t *dstkey = NULL;
 	isc_result_t result;
 	dns_name_t *hmacname = NULL;
 
 	debug("Creating key...");
 
+	/* Try reading the key from a K* pair */
 	result = dst_key_fromnamedfile(keyfile,
 				       DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx,
 				       &dstkey);
+
+	/* If that didn't work, try reading it as a ddns.key keyfile */
+	if (result != ISC_R_SUCCESS) {
+		result = read_ddnskey(mctx, lctx);
+		if (result == ISC_R_SUCCESS)
+			return;
+	}
+
 	if (result != ISC_R_SUCCESS) {
 		fprintf(stderr, "could not read key from %s: %s\n",
 			keyfile, isc_result_totext(result));
 		return;
 	}
+
 	switch (dst_key_alg(dstkey)) {
 	case DST_ALG_HMACMD5:
 		hmacname = DNS_TSIG_HMACMD5_NAME;
@@ -726,7 +802,7 @@ setup_system(void) {
 		if (servers == NULL)
 			fatal("out of memory");
 		localhost.s_addr = htonl(INADDR_LOOPBACK);
-		isc_sockaddr_fromin(&servers[0], &localhost, DNSDEFAULTPORT);
+		isc_sockaddr_fromin(&servers[0], &localhost, dnsport);
 	} else {
 		servers = isc_mem_get(mctx, ns_total * sizeof(isc_sockaddr_t));
 		if (servers == NULL)
@@ -735,12 +811,12 @@ setup_system(void) {
 			if (lwconf->nameservers[i].family == LWRES_ADDRTYPE_V4) {
 				struct in_addr in4;
 				memcpy(&in4, lwconf->nameservers[i].address, 4);
-				isc_sockaddr_fromin(&servers[i], &in4, DNSDEFAULTPORT);
+				isc_sockaddr_fromin(&servers[i], &in4, dnsport);
 			} else {
 				struct in6_addr in6;
 				memcpy(&in6, lwconf->nameservers[i].address, 16);
 				isc_sockaddr_fromin6(&servers[i], &in6,
-						     DNSDEFAULTPORT);
+						     dnsport);
 			}
 		}
 	}
@@ -807,8 +883,10 @@ setup_system(void) {
 
 	if (keystr != NULL)
 		setup_keystr();
+	else if (local_only)
+		read_ddnskey(mctx, lctx);
 	else if (keyfile != NULL)
-		setup_keyfile();
+		setup_keyfile(mctx, lctx);
 }
 
 static void
@@ -825,7 +903,7 @@ get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
 	INSIST(count == 1);
 }
 
-#define PARSE_ARGS_FMT "dDMl:y:govk:rR::t:u:"
+#define PARSE_ARGS_FMT "dDML:y:ghlovk:p:rR::t:u:"
 
 static void
 pre_parse_args(int argc, char **argv) {
@@ -842,10 +920,11 @@ pre_parse_args(int argc, char **argv) {
 			break;
 
 		case '?':
+		case 'h':
 			if (isc_commandline_option != '?')
 				fprintf(stderr, "%s: invalid argument -%c\n",
 					argv[0], isc_commandline_option);
-			fprintf(stderr, "usage: nsupdate [-d] "
+			fprintf(stderr, "usage: nsupdate [-dD] [-L level] [-l]"
 				"[-g | -o | -y keyname:secret | -k keyfile] "
 				"[-v] [filename]\n");
 			exit(1);
@@ -877,6 +956,9 @@ parse_args(int argc, char **argv, isc_mem_t *mctx, isc_entropy_t **ectx) {
 		case 'M':
 			break;
 		case 'l':
+			local_only = ISC_TRUE;
+			break;
+		case 'L':
 			result = isc_parse_uint32(&i, isc_commandline_argument,
 						  10);
 			if (result != ISC_R_SUCCESS) {
@@ -903,6 +985,15 @@ parse_args(int argc, char **argv, isc_mem_t *mctx, isc_entropy_t **ectx) {
 			usegsstsig = ISC_TRUE;
 			use_win2k_gsstsig = ISC_TRUE;
 			break;
+		case 'p':
+			result = isc_parse_uint16(&dnsport,
+						  isc_commandline_argument, 10);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "bad port number "
+					"'%s'\n", isc_commandline_argument);
+				exit(1);
+			}
+			break;
 		case 't':
 			result = isc_parse_uint32(&timeout,
 						  isc_commandline_argument, 10);
@@ -948,6 +1039,22 @@ parse_args(int argc, char **argv, isc_mem_t *mctx, isc_entropy_t **ectx) {
 		exit(1);
 	}
 
+	if (local_only) {
+		struct in_addr localhost;
+
+		if (keyfile == NULL)
+			keyfile = DDNS_KEYFILE;
+
+		if (userserver == NULL) {
+			userserver = isc_mem_get(mctx, sizeof(isc_sockaddr_t));
+			if (userserver == NULL)
+				fatal("out of memory");
+		}
+
+		localhost.s_addr = htonl(INADDR_LOOPBACK);
+		isc_sockaddr_fromin(userserver, &localhost, dnsport);
+	}
+
 #ifdef GSSAPI
 	if (usegsstsig && (keyfile != NULL || keystr != NULL)) {
 		fprintf(stderr, "%s: cannot specify -g with -k or -y\n",
@@ -956,7 +1063,7 @@ parse_args(int argc, char **argv, isc_mem_t *mctx, isc_entropy_t **ectx) {
 	}
 #else
 	if (usegsstsig) {
-		fprintf(stderr, "%s: cannot specify -g  or -o, " \
+		fprintf(stderr, "%s: cannot specify -g	or -o, " \
 			"program not linked with GSS API Library\n",
 			argv[0]);
 		exit(1);
@@ -1205,6 +1312,11 @@ evaluate_server(char *cmdline) {
 	char *word, *server;
 	long port;
 
+	if (local_only) {
+		fprintf(stderr, "cannot reset server in localhost-only mode\n");
+		return (STATUS_SYNTAX);
+	}
+
 	word = nsu_strsep(&cmdline, " \t\r\n");
 	if (*word == 0) {
 		fprintf(stderr, "could not read server name\n");
@@ -1214,7 +1326,7 @@ evaluate_server(char *cmdline) {
 
 	word = nsu_strsep(&cmdline, " \t\r\n");
 	if (*word == 0)
-		port = DNSDEFAULTPORT;
+		port = dnsport;
 	else {
 		char *endp;
 		port = strtol(word, &endp, 10);
@@ -1803,9 +1915,9 @@ get_next_command(void) {
 "server address [port]     (set master server for zone)\n"
 "send                      (send the update request)\n"
 "show                      (show the update request)\n"
-"answer	                   (show the answer to the last request)\n"
+"answer                    (show the answer to the last request)\n"
 "quit                      (quit, any pending update is not sent\n"
-"help			   (display this message_\n"
+"help                      (display this message_\n"
 "key [hmac:]keyname secret (use TSIG to sign the request)\n"
 "gsstsig                   (use GSS_TSIG to sign the request)\n"
 "oldgsstsig                (use Microsoft's GSS_TSIG to sign the request)\n"
@@ -2195,7 +2307,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 		result = dns_name_totext(&master, ISC_TRUE, &buf);
 		check_result(result, "dns_name_totext");
 		serverstr[isc_buffer_usedlength(&buf)] = 0;
-		get_address(serverstr, DNSDEFAULTPORT, &tempaddr);
+		get_address(serverstr, dnsport, &tempaddr);
 		serveraddr = &tempaddr;
 	}
 	dns_rdata_freestruct(&soa);
@@ -2299,7 +2411,7 @@ start_gssrequest(dns_name_t *master)
 			fatal("out of memory");
 	}
 	if (userserver == NULL)
-		get_address(namestr, DNSDEFAULTPORT, kserver);
+		get_address(namestr, dnsport, kserver);
 	else
 		(void)memcpy(kserver, userserver, sizeof(isc_sockaddr_t));
 
diff --git a/bin/nsupdate/nsupdate.docbook b/bin/nsupdate/nsupdate.docbook
index c42a053f..1b515070 100644
--- a/bin/nsupdate/nsupdate.docbook
+++ b/bin/nsupdate/nsupdate.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: nsupdate.docbook,v 1.34.48.3 2009/03/09 04:21:56 marka Exp $ -->
+<!-- $Id: nsupdate.docbook,v 1.38 2009/06/10 00:27:21 each Exp $ -->
 <refentry id="man.nsupdate">
   <refentryinfo>
     <date>Jun 30, 2000</date>
@@ -111,6 +111,10 @@
       report additional debugging information to <option>-d</option>.
     </para>
     <para>
+      The <option>-L</option> option with an integer argument of zero or
+      higher sets the logging debug level.  If zero, logging is disabled.
+    </para>
+    <para>
       Transaction signatures can be used to authenticate the Dynamic
       DNS updates.  These use the TSIG resource record type described
       in RFC2845 or the SIG(0) record described in RFC3535 and
@@ -137,40 +141,50 @@
       uses the <option>-y</option> or <option>-k</option> option
       to provide the shared secret needed to generate a TSIG record
       for authenticating Dynamic DNS update requests, default type
-      HMAC-MD5.  These options are mutually exclusive.  With the
-      <option>-k</option> option, <command>nsupdate</command> reads
-      the shared secret from the file <parameter>keyfile</parameter>,
-      whose name is of the form
-      <filename>K{name}.+157.+{random}.private</filename>.  For
-      historical reasons, the file
-      <filename>K{name}.+157.+{random}.key</filename> must also be
-      present.  When the <option>-y</option> option is used, a
-      signature is generated from
+      HMAC-MD5.  These options are mutually exclusive. 
+    </para>
+    <para>
+      When the <option>-y</option> option is used, a signature is
+      generated from
       <optional><parameter>hmac:</parameter></optional><parameter>keyname:secret.</parameter>
       <parameter>keyname</parameter> is the name of the key, and
-      <parameter>secret</parameter> is the base64 encoded shared
-      secret.  Use of the <option>-y</option> option is discouraged
-      because the shared secret is supplied as a command line
-      argument in clear text.  This may be visible in the output
-      from
+      <parameter>secret</parameter> is the base64 encoded shared secret.
+      Use of the <option>-y</option> option is discouraged because the
+      shared secret is supplied as a command line argument in clear text.
+      This may be visible in the output from
       <citerefentry>
-	<refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
-      </citerefentry> or in a history file maintained by the user's
-      shell.
+        <refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>
+      or in a history file maintained by the user's shell.
     </para>
     <para>
+      With the
+      <option>-k</option> option, <command>nsupdate</command> reads
+      the shared secret from the file <parameter>keyfile</parameter>.
+      Keyfiles may be in two formats: a single file containing
+      a <filename>named.conf</filename>-format <command>key</command>
+      statement, which may be generated automatically by
+      <command>ddns-confgen</command>, or a pair of files whose names are
+      of the format <filename>K{name}.+157.+{random}.key</filename> and
+      <filename>K{name}.+157.+{random}.private</filename>, which can be
+      generated by <command>dnssec-keygen</command>.
       The <option>-k</option> may also be used to specify a SIG(0) key used
       to authenticate Dynamic DNS update requests.  In this case, the key
       specified is not an HMAC-MD5 key.
     </para>
     <para>
-      The <option>-g</option> and <option>-o</option> specify that
-      GSS-TSIG is to be used.  The <option>-o</option> should only
-      be used with old Microsoft Windows 2000 servers.
+      <command>nsupdate</command> can be run in a local-host only mode
+      using the <option>-l</option> flag.  This sets the server address to
+      localhost (disabling the <command>server</command> so that the server
+      address cannot be overridden).  Connections to the local server will
+      use a TSIG key found in <filename>/var/run/named/ddns.key</filename>,
+      which is automatically generated by <command>named</command> if any
+      local master zone has the <command>dynamic</command> zone option set
+      to yes.  The location of this key file can be overridden with
+      the <option>-k</option> option.
     </para>
     <para>
-      By default,
-      <command>nsupdate</command>
+      By default, <command>nsupdate</command>
       uses UDP to send update requests to the name server unless they are too
       large to fit in a UDP request in which case TCP will be used.
       The
@@ -181,6 +195,10 @@
       This may be preferable when a batch of update requests is made.
     </para>
     <para>
+      The <option>-p</option> sets the default port number to use for
+      connections to a name server.  The default is 53.
+    </para>
+    <para>
       The <option>-t</option> option sets the maximum time an update request
       can
       take before it is aborted.  The default is 300 seconds.  Zero can be
@@ -631,6 +649,15 @@
       </varlistentry>
 
       <varlistentry>
+        <term><constant>/var/run/named/ddns.key</constant></term>
+        <listitem>
+          <para>
+            sets the default TSIG key for use in local-only mode
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term><constant>K{name}.+157.+{random}.key</constant></term>
         <listitem>
           <para>
@@ -684,6 +711,9 @@
         <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
       <citerefentry>
+        <refentrytitle>ddns-confgen</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
         <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>.
     </para>
diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html
index dab7f902..5dc1d925 100644
--- a/bin/nsupdate/nsupdate.html
+++ b/bin/nsupdate/nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: nsupdate.html,v 1.40.48.2 2009/03/10 01:54:11 tbox Exp $ -->
+<!-- $Id: nsupdate.html,v 1.44 2009/06/10 01:12:50 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -70,6 +70,10 @@
       report additional debugging information to <code class="option">-d</code>.
     </p>
 <p>
+      The <code class="option">-L</code> option with an integer argument of zero or
+      higher sets the logging debug level.  If zero, logging is disabled.
+    </p>
+<p>
       Transaction signatures can be used to authenticate the Dynamic
       DNS updates.  These use the TSIG resource record type described
       in RFC2845 or the SIG(0) record described in RFC3535 and
@@ -96,38 +100,48 @@
       uses the <code class="option">-y</code> or <code class="option">-k</code> option
       to provide the shared secret needed to generate a TSIG record
       for authenticating Dynamic DNS update requests, default type
-      HMAC-MD5.  These options are mutually exclusive.  With the
-      <code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads
-      the shared secret from the file <em class="parameter"><code>keyfile</code></em>,
-      whose name is of the form
-      <code class="filename">K{name}.+157.+{random}.private</code>.  For
-      historical reasons, the file
-      <code class="filename">K{name}.+157.+{random}.key</code> must also be
-      present.  When the <code class="option">-y</code> option is used, a
-      signature is generated from
+      HMAC-MD5.  These options are mutually exclusive. 
+    </p>
+<p>
+      When the <code class="option">-y</code> option is used, a signature is
+      generated from
       [<span class="optional"><em class="parameter"><code>hmac:</code></em></span>]<em class="parameter"><code>keyname:secret.</code></em>
       <em class="parameter"><code>keyname</code></em> is the name of the key, and
-      <em class="parameter"><code>secret</code></em> is the base64 encoded shared
-      secret.  Use of the <code class="option">-y</code> option is discouraged
-      because the shared secret is supplied as a command line
-      argument in clear text.  This may be visible in the output
-      from
-      <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span> or in a history file maintained by the user's
-      shell.
+      <em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
+      Use of the <code class="option">-y</code> option is discouraged because the
+      shared secret is supplied as a command line argument in clear text.
+      This may be visible in the output from
+      <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
+      or in a history file maintained by the user's shell.
     </p>
 <p>
+      With the
+      <code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads
+      the shared secret from the file <em class="parameter"><code>keyfile</code></em>.
+      Keyfiles may be in two formats: a single file containing
+      a <code class="filename">named.conf</code>-format <span><strong class="command">key</strong></span>
+      statement, which may be generated automatically by
+      <span><strong class="command">ddns-confgen</strong></span>, or a pair of files whose names are
+      of the format <code class="filename">K{name}.+157.+{random}.key</code> and
+      <code class="filename">K{name}.+157.+{random}.private</code>, which can be
+      generated by <span><strong class="command">dnssec-keygen</strong></span>.
       The <code class="option">-k</code> may also be used to specify a SIG(0) key used
       to authenticate Dynamic DNS update requests.  In this case, the key
       specified is not an HMAC-MD5 key.
     </p>
 <p>
-      The <code class="option">-g</code> and <code class="option">-o</code> specify that
-      GSS-TSIG is to be used.  The <code class="option">-o</code> should only
-      be used with old Microsoft Windows 2000 servers.
+      <span><strong class="command">nsupdate</strong></span> can be run in a local-host only mode
+      using the <code class="option">-l</code> flag.  This sets the server address to
+      localhost (disabling the <span><strong class="command">server</strong></span> so that the server
+      address cannot be overridden).  Connections to the local server will
+      use a TSIG key found in <code class="filename">/var/run/named/ddns.key</code>,
+      which is automatically generated by <span><strong class="command">named</strong></span> if any
+      local master zone has the <span><strong class="command">dynamic</strong></span> zone option set
+      to yes.  The location of this key file can be overridden with
+      the <code class="option">-k</code> option.
     </p>
 <p>
-      By default,
-      <span><strong class="command">nsupdate</strong></span>
+      By default, <span><strong class="command">nsupdate</strong></span>
       uses UDP to send update requests to the name server unless they are too
       large to fit in a UDP request in which case TCP will be used.
       The
@@ -138,6 +152,10 @@
       This may be preferable when a batch of update requests is made.
     </p>
 <p>
+      The <code class="option">-p</code> sets the default port number to use for
+      connections to a name server.  The default is 53.
+    </p>
+<p>
       The <code class="option">-t</code> option sets the maximum time an update request
       can
       take before it is aborted.  The default is 300 seconds.  Zero can be
@@ -169,7 +187,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543726"></a><h2>INPUT FORMAT</h2>
+<a name="id2543769"></a><h2>INPUT FORMAT</h2>
 <p><span><strong class="command">nsupdate</strong></span>
       reads input from
       <em class="parameter"><code>filename</code></em>
@@ -433,7 +451,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544567"></a><h2>EXAMPLES</h2>
+<a name="id2544610"></a><h2>EXAMPLES</h2>
 <p>
       The examples below show how
       <span><strong class="command">nsupdate</strong></span>
@@ -487,12 +505,16 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544611"></a><h2>FILES</h2>
+<a name="id2544653"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
 <dd><p>
             used to identify default name server
           </p></dd>
+<dt><span class="term"><code class="constant">/var/run/named/ddns.key</code></span></dt>
+<dd><p>
+            sets the default TSIG key for use in local-only mode
+          </p></dd>
 <dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
 <dd><p>
             base-64 encoding of HMAC-MD5 key created by
@@ -506,7 +528,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544680"></a><h2>SEE ALSO</h2>
+<a name="id2542142"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>,
       <span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>,
       <span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>,
@@ -515,11 +537,12 @@
       <span class="citerefentry"><span class="refentrytitle">RFC2535</span></span>,
       <span class="citerefentry"><span class="refentrytitle">RFC2931</span></span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">ddns-confgen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2542156"></a><h2>BUGS</h2>
+<a name="id2545020"></a><h2>BUGS</h2>
 <p>
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/bin/nsupdate/win32/nsupdate.dsp b/bin/nsupdate/win32/nsupdate.dsp
index 028ed551..d64bc702 100644
--- a/bin/nsupdate/win32/nsupdate.dsp
+++ b/bin/nsupdate/win32/nsupdate.dsp
@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
-# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -50,7 +50,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
-# ADD LINK32 ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/lwres/win32/Release/liblwres.lib user32.lib advapi32.lib ws2_32.lib ../../../lib/bind9/win32/Release/libbind9.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/nsupdate.exe"
+# ADD LINK32 ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/lwres/win32/Release/liblwres.lib user32.lib advapi32.lib ws2_32.lib ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/isccfg/win32/Release/libisccfg.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/nsupdate.exe"
 
 !ELSEIF  "$(CFG)" == "nsupdate - Win32 Debug"
 
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
 # SUBTRACT CPP /X /u /YX
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"
@@ -75,7 +75,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
-# ADD LINK32 ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/lwres/win32/Debug/liblwres.lib user32.lib advapi32.lib ws2_32.lib ../../../lib/bind9/win32/Debug/libbind9.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/nsupdate.exe" /pdbtype:sept
+# ADD LINK32 ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/lwres/win32/Debug/liblwres.lib user32.lib advapi32.lib ws2_32.lib ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/nsupdate.exe" /pdbtype:sept
 
 !ENDIF 
 
diff --git a/bin/nsupdate/win32/nsupdate.mak b/bin/nsupdate/win32/nsupdate.mak
index 1e41c29b..2378c9cd 100644
--- a/bin/nsupdate/win32/nsupdate.mak
+++ b/bin/nsupdate/win32/nsupdate.mak
@@ -131,18 +131,19 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\nsupdate.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "__STDC__" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\nsupdate.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\nsupdate.bsc" 
 BSC32_SBRS= \
 	
 LINK32=link.exe
-LINK32_FLAGS=../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/lwres/win32/Release/liblwres.lib user32.lib advapi32.lib ws2_32.lib  ../../../lib/bind9/win32/Release/libbind9.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\nsupdate.pdb" /machine:I386 /out:"../../../Build/Release/nsupdate.exe" 
+LINK32_FLAGS=../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/lwres/win32/Release/liblwres.lib user32.lib advapi32.lib ws2_32.lib  ../../../lib/bind9/win32/Release/libbind9.lib ../../../lib/isccfg/win32/Release/libisccfg.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\nsupdate.pdb" /machine:I386 /out:"../../../Build/Release/nsupdate.exe" 
 LINK32_OBJS= \
 	"$(INTDIR)\nsupdate.obj" \
 	"..\..\..\lib\dns\win32\Release\libdns.lib" \
 	"..\..\..\lib\isc\win32\Release\libisc.lib" \
-	"..\..\..\lib\bind9\win32\Release\libbind9.lib"
+	"..\..\..\lib\bind9\win32\Release\libbind9.lib" \
+	"..\..\..\lib\isccfg\win32\Release\libisccfg.lib"
 
 "..\..\..\Build\Release\nsupdate.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
     $(LINK32) @<<
@@ -186,7 +187,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/lwres/win32/include/lwres" /I "../../../lib/dns/include" /I "../../../lib/bind9/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\nsupdate.bsc" 
 BSC32_SBRS= \
@@ -198,12 +199,13 @@ BSC32_SBRS= \
 <<
 
 LINK32=link.exe
-LINK32_FLAGS=../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/lwres/win32/Debug/liblwres.lib user32.lib advapi32.lib ws2_32.lib  ../../../lib/bind9/win32/Debug/libbind9.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\nsupdate.pdb" /debug /machine:I386 /out:"../../../Build/Debug/nsupdate.exe" /pdbtype:sept 
+LINK32_FLAGS=../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/lwres/win32/Debug/liblwres.lib user32.lib advapi32.lib ws2_32.lib  ../../../lib/bind9/win32/Debug/libbind9.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\nsupdate.pdb" /debug /machine:I386 /out:"../../../Build/Debug/nsupdate.exe" /pdbtype:sept 
 LINK32_OBJS= \
 	"$(INTDIR)\nsupdate.obj" \
 	"..\..\..\lib\dns\win32\Debug\libdns.lib" \
 	"..\..\..\lib\isc\win32\Debug\libisc.lib" \
-	"..\..\..\lib\bind9\win32\Debug\libbind9.lib"
+	"..\..\..\lib\bind9\win32\Debug\libbind9.lib" \
+	"..\..\..\lib\isccfg\win32\Release\libisccfg.lib"
 
 "..\..\..\Build\Debug\nsupdate.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
     $(LINK32) @<<
diff --git a/bin/rndc/Makefile.in b/bin/rndc/Makefile.in
index 9b0e20d6..d6892d12 100644
--- a/bin/rndc/Makefile.in
+++ b/bin/rndc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.44 2007/06/18 23:47:22 tbox Exp $
+# $Id: Makefile.in,v 1.46 2009/06/11 23:47:55 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -47,20 +47,16 @@ RNDCDEPLIBS =	${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${I
 CONFLIBS =	${DNSLIBS} ${ISCLIBS} @LIBS@
 CONFDEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
 
-SRCS=		rndc.c rndc-confgen.c
+SRCS=		rndc.c
 
-SUBDIRS =	unix
+TARGETS =	rndc@EXEEXT@
 
-TARGETS =	rndc@EXEEXT@ rndc-confgen@EXEEXT@
+MANPAGES =	rndc.8 rndc.conf.5
 
-MANPAGES =	rndc.8 rndc-confgen.8 rndc.conf.5
-
-HTMLPAGES =	rndc.html rndc-confgen.html rndc.conf.html
+HTMLPAGES =	rndc.html rndc.conf.html
 
 MANOBJS =	${MANPAGES} ${HTMLPAGES}
 
-UOBJS =		unix/os.@O@
-
 @BIND9_MAKE_RULES@
 
 rndc.@O@: rndc.c
@@ -70,19 +66,10 @@ rndc.@O@: rndc.c
 		-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
 		-c ${srcdir}/rndc.c
 
-rndc-confgen.@O@: rndc-confgen.c
-	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-		-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
-		-c ${srcdir}/rndc-confgen.c
-
 rndc@EXEEXT@: rndc.@O@ util.@O@ ${RNDCDEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc.@O@ util.@O@ \
 		${RNDCLIBS}
 
-rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ ${UOBJS} ${CONFDEPLIBS} 
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc-confgen.@O@ util.@O@ \
-		${UOBJS} ${CONFLIBS}
-
 doc man:: ${MANOBJS}
 
 docclean manclean maintainer-clean::
@@ -93,11 +80,9 @@ installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
 
-install:: rndc@EXEEXT@ rndc-confgen@EXEEXT@ installdirs
+install:: rndc@EXEEXT@ installdirs
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc@EXEEXT@ ${DESTDIR}${sbindir}
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
 	${INSTALL_DATA} ${srcdir}/rndc.8 ${DESTDIR}${mandir}/man8
-	${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
 	${INSTALL_DATA} ${srcdir}/rndc.conf.5 ${DESTDIR}${mandir}/man5
 
 clean distclean maintainer-clean::
diff --git a/bin/rndc/include/rndc/os.h b/bin/rndc/include/rndc/os.h
index 253dcba1..3f2c7767 100644
--- a/bin/rndc/include/rndc/os.h
+++ b/bin/rndc/include/rndc/os.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.h,v 1.9.332.2 2009/01/18 23:47:35 tbox Exp $ */
+/* $Id: os.h,v 1.12 2009/06/10 00:27:21 each Exp $ */
 
 /*! \file */
 
@@ -27,12 +27,6 @@
 
 ISC_LANG_BEGINDECLS
 
-FILE *safe_create(const char *filename);
-/*%<
- * Open 'filename' for writing, truncate if necessary.  If the file was
- * created ensure that only the owner can read/write it.
- */
-
 int set_user(FILE *fd, const char *user);
 /*%<
  * Set the owner of the file referenced by 'fd' to 'user'.
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index c3d4cb79..532ce901 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc.c,v 1.122.44.2 2009/01/18 23:47:35 tbox Exp $ */
+/* $Id: rndc.c,v 1.125 2009/05/04 17:38:56 jreed Exp $ */
 
 /*! \file */
 
@@ -79,6 +79,7 @@ static unsigned char databuf[2048];
 static isccc_ccmsg_t ccmsg;
 static isccc_region_t secret;
 static isc_boolean_t failed = ISC_FALSE;
+static isc_boolean_t c_flag = ISC_FALSE;
 static isc_mem_t *mctx;
 static int sends, recvs, connects;
 static char *command;
@@ -455,6 +456,10 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 			fatal("neither %s nor %s was found",
 			      admin_conffile, admin_keyfile);
 		key_only = ISC_TRUE;
+	} else if (! c_flag && isc_file_exists(admin_keyfile)) {
+		fprintf(stderr, "WARNING: key file (%s) exists, but using "
+			"default configuration file (%s)\n",
+			admin_keyfile, admin_conffile);
 	}
 
 	DO("create parser", cfg_parser_create(mctx, log, pctxp));
@@ -709,6 +714,7 @@ main(int argc, char **argv) {
 
 		case 'c':
 			admin_conffile = isc_commandline_argument;
+			c_flag = ISC_TRUE;
 			break;
 
 		case 'k':
diff --git a/bin/rndc/rndc.conf.5 b/bin/rndc/rndc.conf.5
index 9e9bad41..4654dd7a 100644
--- a/bin/rndc/rndc.conf.5
+++ b/bin/rndc/rndc.conf.5
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc.conf.5,v 1.38 2007/05/09 13:35:57 marka Exp $
+.\" $Id: rndc.conf.5,v 1.40 2009/06/10 01:12:50 tbox Exp $
 .\"
 .hy 0
 .ad l
diff --git a/bin/rndc/rndc.conf.html b/bin/rndc/rndc.conf.html
index 144cd1c9..f1c243c4 100644
--- a/bin/rndc/rndc.conf.html
+++ b/bin/rndc/rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: rndc.conf.html,v 1.29 2007/05/09 13:35:57 marka Exp $ -->
+<!-- $Id: rndc.conf.html,v 1.31 2009/06/10 01:12:50 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/tests/Makefile.in b/bin/tests/Makefile.in
index 93b63f1c..ac3a51ad 100644
--- a/bin/tests/Makefile.in
+++ b/bin/tests/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.131 2008/09/25 04:02:38 tbox Exp $
+# $Id: Makefile.in,v 1.134 2009/03/02 03:53:29 each Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -28,7 +28,7 @@ CDEFINES =
 CWARNINGS =
 
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCLIBS =	../../lib/isc/libisc.@A@
+ISCLIBS =	../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
 ISCCFGLIBS = 	../../lib/isccfg/libisccfg.@A@
 LWRESLIBS =	../../lib/lwres/liblwres.@A@
 
@@ -41,13 +41,11 @@ LIBS =		@LIBS@
 
 SUBDIRS = db dst master mem names net rbt sockaddr tasks timers system
 
-# A few of the test programs are built by default:
-# cfg_test is needed for regenerating doc/misc/options;
-# genrandom is needed by the system tests
+# Test programs that are built by default:
+# cfg_test is needed for regenerating doc/misc/options
 
 # Alphabetically
-TARGETS =	cfg_test@EXEEXT@ \
-		genrandom@EXEEXT@
+TARGETS =	cfg_test@EXEEXT@
 
 # All the other tests are optional and not built by default.
 
@@ -62,10 +60,8 @@ XTARGETS =	adb_test@EXEEXT@ \
 		gxba_test@EXEEXT@ \
 		gxbn_test@EXEEXT@ \
 		hash_test@EXEEXT@ \
-		nsec3hash@EXEEXT@ \
 		fsaccess_test@EXEEXT@ \
 		inter_test@EXEEXT@ \
-		journalprint@EXEEXT@ \
 		keyboard_test@EXEEXT@ \
 		lex_test@EXEEXT@ \
 		lfsr_test@EXEEXT@ \
@@ -91,7 +87,7 @@ XTARGETS =	adb_test@EXEEXT@ \
 		zone_test@EXEEXT@
 
 # Alphabetically
-SRCS =		cfg_test.c genrandom.c ${XSRCS}
+SRCS =		cfg_test.c ${XSRCS}
 
 XSRCS =		adb_test.c \
 		byaddr_test.c \
@@ -105,7 +101,6 @@ XSRCS =		adb_test.c \
 		hash_test.c \
 		fsaccess_test.c \
 		inter_test.c \
-		journalprint.c \
 		keyboard_test.c \
 		lex_test.c \
 		lfsr_test.c \
@@ -135,9 +130,6 @@ XSRCS =		adb_test.c \
 
 all_tests: ${XTARGETS}
 
-genrandom@EXEEXT@: genrandom.@O@
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ genrandom.@O@ @GENRANDOMLIB@ ${LIBS}
-
 adb_test@EXEEXT@: adb_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ adb_test.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
@@ -278,18 +270,10 @@ sig0_test@EXEEXT@: sig0_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ sig0_test.@O@ \
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-journalprint@EXEEXT@: journalprint.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ journalprint.@O@ \
-		${DNSLIBS} ${ISCLIBS} ${LIBS}
-
 cfg_test@EXEEXT@: cfg_test.@O@ ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
 	${LIBTOOL_MODE_LINK} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ cfg_test.@O@ \
 		${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS} ${LIBS}
 
-nsec3hash@EXEEXT@: nsec3hash.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-	${LIBTOOL_MODE_LINK} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ nsec3hash.@O@ \
-	${DNSLIBS} ${ISCLIBS} ${LIBS}
-
 distclean::
 	rm -f headerdep_test.sh
 
diff --git a/bin/tests/cfg_test.c b/bin/tests/cfg_test.c
index 48febad8..25a372cf 100644
--- a/bin/tests/cfg_test.c
+++ b/bin/tests/cfg_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cfg_test.c,v 1.19.332.2 2009/03/02 23:47:11 tbox Exp $ */
+/* $Id: cfg_test.c,v 1.21 2009/03/02 23:47:43 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/tests/db/t_db.c b/bin/tests/db/t_db.c
index f142f0ce..6ec057a5 100644
--- a/bin/tests/db/t_db.c
+++ b/bin/tests/db/t_db.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_db.c,v 1.36.332.2 2009/01/22 23:47:05 tbox Exp $ */
+/* $Id: t_db.c,v 1.38 2009/01/22 23:47:53 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/bin/tests/dnssec-signzone/Kexample.com.+005+07065.key b/bin/tests/dnssec-signzone/Kexample.com.+005+07065.key
new file mode 100644
index 00000000..e4bdce2c
--- /dev/null
+++ b/bin/tests/dnssec-signzone/Kexample.com.+005+07065.key
@@ -0,0 +1 @@
+example.com. IN DNSKEY 256 3 5 AwEAAaF0z17DdkBAKiYScVNqzsqXw7Vz/Cx5OCw7T/6RnU/KiGv815kl H2obywRZX2ZcEg9R8SUzQiP9ygY0s1xF5IFYi32HsWftNV7V/gNwNrMn GC0gV2e3OawsQ2CYWZZVwObr/fmcKIXuY6eRdJtyOilMRhlvroJdXZw1 CQdicxpZ
diff --git a/bin/tests/dnssec-signzone/Kexample.com.+005+07065.private b/bin/tests/dnssec-signzone/Kexample.com.+005+07065.private
new file mode 100644
index 00000000..db928c5b
--- /dev/null
+++ b/bin/tests/dnssec-signzone/Kexample.com.+005+07065.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: oXTPXsN2QEAqJhJxU2rOypfDtXP8LHk4LDtP/pGdT8qIa/zXmSUfahvLBFlfZlwSD1HxJTNCI/3KBjSzXEXkgViLfYexZ+01XtX+A3A2sycYLSBXZ7c5rCxDYJhZllXA5uv9+Zwohe5jp5F0m3I6KUxGGW+ugl1dnDUJB2JzGlk=
+PublicExponent: AQAB
+PrivateExponent: QrbJmRabHiFlSSYFvbo8iGn9bFTotlfAZkZ732y72+SMSlLHo3g7atThJoLncJxKuhnZ0s1DXyvW9omAM3iN2lxfVDW58at1amj/lWRDYkjI0fM8z6eyrF4U2lHKDM2YEstg+sGAAs5DUZBbli4Y7+zHjhxSKLYvRf4AJvX8aoE=
+Prime1: 0259CgdF0JW+miedRZXC6tn3FijZJ4/j5edzd8IpTpdUSZupQg9hMP1ot7crreNq7MnzO0Z2ImbowUx8CDOuXQ==
+Prime2: w31/WLM2275Z1tsHEOhrntUQCUk55B4PNOCmM4hjp0vAvA/SVSgAYRNb7rc/ujaLf0DnxnDsnVsFAS2PmvQELQ==
+Exponent1: yKPhJNMh/X8dEUzmglJMVnHheLXq3RA/RL0PZmZqrJoO8os1Y+sUYFkaNr0sRie6IFrE50tGb/8YgdcDHQVuQQ==
+Exponent2: lVhDuGy5RSjnk1eiz0zwIthctutlOZupPFk/P3E7yGv74vAnXH0BxSe3/Oer3MOc0GuyZYyRhyko6px28AbpRQ==
+Coefficient: Hjup1nDnPFkQrxU2qLQBJrDz+ipw0RkNhsjWs6IgAq1Mq4sFV50bR9hOTLDd9oNhhtAwVjF+Oc0WIq+M1Mi6Ow==
diff --git a/bin/tests/dnssec-signzone/Kexample.com.+005+23362.key b/bin/tests/dnssec-signzone/Kexample.com.+005+23362.key
new file mode 100644
index 00000000..6f4fec8c
--- /dev/null
+++ b/bin/tests/dnssec-signzone/Kexample.com.+005+23362.key
@@ -0,0 +1 @@
+example.com. IN DNSKEY 257 3 5 AwEAAbuWh5W3eGwixISqPwxszotQ0246KqhUB2Mb6JqNMJd6cWR66IrX YnevpIHsb6oanqJmVzOcJ6Yj3rXOIYtYYXgLbT7EJ8x7BNCZPHxG+w5C 7I1WsDbT6eGf//FLn2c4odKLOXaWCVITeNy61w43IlteIT9Q1egKdt+8 a7X9605j
diff --git a/bin/tests/dnssec-signzone/Kexample.com.+005+23362.private b/bin/tests/dnssec-signzone/Kexample.com.+005+23362.private
new file mode 100644
index 00000000..2d299d0e
--- /dev/null
+++ b/bin/tests/dnssec-signzone/Kexample.com.+005+23362.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: u5aHlbd4bCLEhKo/DGzOi1DTbjoqqFQHYxvomo0wl3pxZHroitdid6+kgexvqhqeomZXM5wnpiPetc4hi1hheAttPsQnzHsE0Jk8fEb7DkLsjVawNtPp4Z//8UufZzih0os5dpYJUhN43LrXDjciW14hP1DV6Ap237xrtf3rTmM=
+PublicExponent: AQAB
+PrivateExponent: XZSssv3CL3/wtZYQuewV5d4+e8C8wxiYTtL/aQqCcS7+HnhKRelJEBgpYz9GPX/mH3Iakn6WMQW39s6MYW2HwXUnqhsvHoyabGX0Dbc/1LcY4J2VPgzVHwSXYm+j4unOByOOS4KoBtUAQxJsTBokVZrZ5pKsLUK9X2gdywYw+PE=
+Prime1: 9fB7PaygjKoT1nbbeEMy1KYNqetg3zmN49Mk6ilEWxzJXKSSjTIhdkiLGXtYmE8rDBLBiYm8YWNe7YdA9PbQ7Q==
+Prime2: w0L7mTOLDecH3XAkC/wvALv8K9KSoZ31ajidKBxV15u8awj5AxDG7gjerYgCLjU1fq1GulMr11j8r4ftQn3Cjw==
+Exponent1: Up52yEE1rgt0npdPIxdv+//Ml0h7QoITKHXF8OPsEq+Y9YZTtRsiIpo8IFNPb9somuWyHoImxpCbUzAcoi5IAQ==
+Exponent2: uYTbvYx+UsAt9dOFPCnnkqAJEK3qCUomET0m/CQn30mldGC7DpGTIDgnMeLmh3agk/IYIBHDtsBinHfeEe2guw==
+Coefficient: FiHAet8On9Yaz1ksEAlCWulwck3zPWIsgqJBM2J4kHhgHTm17mZyxtVxIzLAMBNMIBcFl40FCpmPmTLY5QK5mw==
diff --git a/bin/tests/dnssec-signzone/bogus-ksk.key b/bin/tests/dnssec-signzone/bogus-ksk.key
new file mode 100644
index 00000000..af4640ba
--- /dev/null
+++ b/bin/tests/dnssec-signzone/bogus-ksk.key
@@ -0,0 +1,6 @@
+;
+; This is a bogus key.  It will not have a .private file.
+;
+; This will be key id 7091
+;
+example.com. IN DNSKEY 257 3 5 AwEAAaF0z17DdkBAKiYScVNqzsqXw7Vz/Cx5OCw7T/6RnU/KiGv815kl H2obywRZX2ZcEg9R8SUzQiP9ygY0s1xF5IFYi32HsWftNV7V/gNwNrMn GC0gV2e3OawsQ2CYWZZVwObr/fmcKIXuY6eRdJtyOilMRhlvroJdXZw1 CQdicxpz
diff --git a/bin/tests/dnssec-signzone/bogus-zsk.key b/bin/tests/dnssec-signzone/bogus-zsk.key
new file mode 100644
index 00000000..2e53d5c5
--- /dev/null
+++ b/bin/tests/dnssec-signzone/bogus-zsk.key
@@ -0,0 +1,6 @@
+;
+; This is a bogus key.  It will not have a .private file.
+;
+; This will be key id 7092
+;
+example.com. IN DNSKEY 256 3 5 AwEAAaF0z17DdkBAKiYScVNqzsqXw7Vz/Cx5OCw7T/6RnU/KiGv815kl H2obywRZX2ZcEg9R8SUzQiP9ygY0s1xF5IFYi32HsWftNV7V/gNwNrMn GC0gV2e3OawsQ2CYWZZVwObr/fmcKIXuY6eRdJtyOilMRhlvroJdXZw1 CQdicxpz
diff --git a/bin/tests/dnssec-signzone/run-test.sh b/bin/tests/dnssec-signzone/run-test.sh
new file mode 100644
index 00000000..7c287c08
--- /dev/null
+++ b/bin/tests/dnssec-signzone/run-test.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+#
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: run-test.sh,v 1.3 2009/06/04 02:56:47 tbox Exp $
+
+
+sign="../../dnssec/dnssec-signzone -f signed.zone -o example.com."
+
+signit() {
+	rm -f signed.zone
+	grep '^;' $zone
+	$sign $zone
+}
+
+expect_success() {
+	if ! test -f signed.zone ; then
+		echo "Error: expected success, but sign failed for $zone."
+	else
+		echo "Success:  Sign succeeded for $zone."
+	fi
+}
+
+expect_failure() {
+	if test -f signed.zone ; then
+		echo "Error: expected failure, but sign succeeded for $zone."
+	else
+		echo "Success:  Sign failed (expected) for $zone"
+	fi
+}
+
+zone="test1.zone" ; signit ; expect_success
+zone="test2.zone" ; signit ; expect_failure
+zone="test3.zone" ; signit ; expect_failure
+zone="test4.zone" ; signit ; expect_success
+zone="test5.zone" ; signit ; expect_failure
+zone="test6.zone" ; signit ; expect_failure
+zone="test7.zone" ; signit ; expect_failure
+zone="test8.zone" ; signit ; expect_failure
diff --git a/bin/tests/dnssec-signzone/test1.zone b/bin/tests/dnssec-signzone/test1.zone
new file mode 100644
index 00000000..a53fba76
--- /dev/null
+++ b/bin/tests/dnssec-signzone/test1.zone
@@ -0,0 +1,9 @@
+;
+;	This is a zone which has two DNSKEY records, both of which have
+; existing private key files available.  They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com.	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+005+07065.key
+$include Kexample.com.+005+23362.key
diff --git a/bin/tests/dnssec-signzone/test2.zone b/bin/tests/dnssec-signzone/test2.zone
new file mode 100644
index 00000000..731c291c
--- /dev/null
+++ b/bin/tests/dnssec-signzone/test2.zone
@@ -0,0 +1,8 @@
+;
+;	This is a zone which has one non-KSK DNSKEY record for which the
+; private key file exists.  It should be loaded automatically and the zone
+; correctly signed.
+;
+$TTL 3600
+example.com.	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+005+07065.key
diff --git a/bin/tests/dnssec-signzone/test3.zone b/bin/tests/dnssec-signzone/test3.zone
new file mode 100644
index 00000000..ec05bee7
--- /dev/null
+++ b/bin/tests/dnssec-signzone/test3.zone
@@ -0,0 +1,8 @@
+;
+;       This is a zone which has one KSK DNSKEY record for which the
+; private key file exists.  It should be loaded automatically.  As there
+; is no non-KSK DNSKEY the resulting zone should be rejected.
+;
+$TTL 3600
+example.com.	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+005+23362.key
diff --git a/bin/tests/dnssec-signzone/test4.zone b/bin/tests/dnssec-signzone/test4.zone
new file mode 100644
index 00000000..a146736a
--- /dev/null
+++ b/bin/tests/dnssec-signzone/test4.zone
@@ -0,0 +1,10 @@
+;
+;	This is a zone which has three DNSKEY records, two (KSK + ZSK) of
+; which have existing private key files available.  The third is a 
+; pre-published ZSK.
+;
+$TTL 3600
+example.com.	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+005+07065.key
+$include Kexample.com.+005+23362.key
+$include bogus-zsk.key
diff --git a/bin/tests/dnssec-signzone/test5.zone b/bin/tests/dnssec-signzone/test5.zone
new file mode 100644
index 00000000..546ebad4
--- /dev/null
+++ b/bin/tests/dnssec-signzone/test5.zone
@@ -0,0 +1,9 @@
+;
+;	This is a zone which has three DNSKEY records, two (KSK +ZSK) of which
+; have existing private key files available.  The third is a KSK.
+;
+$TTL 3600
+example.com.	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+005+07065.key
+$include Kexample.com.+005+23362.key
+$include bogus-ksk.key
diff --git a/bin/tests/dnssec-signzone/test6.zone b/bin/tests/dnssec-signzone/test6.zone
new file mode 100644
index 00000000..91091f72
--- /dev/null
+++ b/bin/tests/dnssec-signzone/test6.zone
@@ -0,0 +1,11 @@
+;
+;	This is a zone which has four DNSKEY records, two (KK + ZSK) of which
+; have existing private key files available.  There are also a KSK and ZSK
+; for which there will be no signatures.
+;
+$TTL 3600
+example.com.	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+005+07065.key
+$include Kexample.com.+005+23362.key
+$include bogus-ksk.key
+$include bogus-zsk.key
diff --git a/bin/tests/dnssec-signzone/test7.zone b/bin/tests/dnssec-signzone/test7.zone
new file mode 100644
index 00000000..e18e7c60
--- /dev/null
+++ b/bin/tests/dnssec-signzone/test7.zone
@@ -0,0 +1,9 @@
+;
+;	This is a zone which has two DNSKEY records, none of which have 
+; existing private key files available.  The resulting zone should fail
+; the consistancy tests.
+;
+$TTL 3600
+example.com.	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
+$include bogus-ksk.key
+$include bogus-zsk.key
diff --git a/bin/tests/dnssec-signzone/test8.zone b/bin/tests/dnssec-signzone/test8.zone
new file mode 100644
index 00000000..cc51f0a1
--- /dev/null
+++ b/bin/tests/dnssec-signzone/test8.zone
@@ -0,0 +1,9 @@
+;
+;	This is a zone which has two DNSKEY records, one of which,
+; the KSK, has a private key.  The resulting zone should be rejected as
+; it has no ZSK signatures.
+;
+$TTL 3600
+example.com.	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+005+23362.key
+$include bogus-zsk.key
diff --git a/bin/tests/dst/Makefile.in b/bin/tests/dst/Makefile.in
index 9b317fc7..fad70d5a 100644
--- a/bin/tests/dst/Makefile.in
+++ b/bin/tests/dst/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2006-2008  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2006-2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.46 2008/05/19 23:47:03 tbox Exp $
+# $Id: Makefile.in,v 1.48 2009/03/02 23:47:43 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -58,7 +58,7 @@ gsstest@EXEEXT@: gsstest.@O@ ${DEPLIBS}
 		gsstest.@O@ ${LIBS}
 
 test: t_dst@EXEEXT@
-	../genrandom@EXEEXT@ 100 randomfile
+	../../tools/genrandom@EXEEXT@ 100 randomfile
 	-@ ./t_dst@EXEEXT@ -b @srcdir@ -q 1800 -a
 
 clean distclean::
diff --git a/bin/tests/dst/dst_test.c b/bin/tests/dst/dst_test.c
index 68eeaa93..597e6356 100644
--- a/bin/tests/dst/dst_test.c
+++ b/bin/tests/dst/dst_test.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_test.c,v 1.43.332.2 2009/03/02 23:47:11 tbox Exp $ */
+/* $Id: dst_test.c,v 1.45 2009/03/02 23:47:43 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/bin/tests/dst/t_dst.c b/bin/tests/dst/t_dst.c
index 0c8a1e8d..c8010228 100644
--- a/bin/tests/dst/t_dst.c
+++ b/bin/tests/dst/t_dst.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_dst.c,v 1.55.158.2 2009/01/22 23:47:05 tbox Exp $ */
+/* $Id: t_dst.c,v 1.57 2009/01/22 23:47:54 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/bin/tests/master/t_master.c b/bin/tests/master/t_master.c
index 804e1424..8df588b0 100644
--- a/bin/tests/master/t_master.c
+++ b/bin/tests/master/t_master.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_master.c,v 1.36.332.2 2009/01/22 23:47:05 tbox Exp $ */
+/* $Id: t_master.c,v 1.38 2009/01/22 23:47:54 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/bin/tests/mem/t_mem.c b/bin/tests/mem/t_mem.c
index 570f8015..c99ddd9b 100644
--- a/bin/tests/mem/t_mem.c
+++ b/bin/tests/mem/t_mem.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_mem.c,v 1.13.332.2 2009/01/22 23:47:05 tbox Exp $ */
+/* $Id: t_mem.c,v 1.15 2009/01/22 23:47:54 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/bin/tests/names/t_names.c b/bin/tests/names/t_names.c
index e3d58fef..ce776dec 100644
--- a/bin/tests/names/t_names.c
+++ b/bin/tests/names/t_names.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_names.c,v 1.46.158.2 2009/01/22 23:47:05 tbox Exp $ */
+/* $Id: t_names.c,v 1.48 2009/01/22 23:47:54 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/bin/tests/rbt/t_rbt.c b/bin/tests/rbt/t_rbt.c
index 0757ae00..848e2624 100644
--- a/bin/tests/rbt/t_rbt.c
+++ b/bin/tests/rbt/t_rbt.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_rbt.c,v 1.30.332.2 2009/01/22 23:47:05 tbox Exp $ */
+/* $Id: t_rbt.c,v 1.32 2009/01/22 23:47:54 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/bin/tests/sockaddr/Makefile.in b/bin/tests/sockaddr/Makefile.in
index f0dbbfb3..cdb3626e 100644
--- a/bin/tests/sockaddr/Makefile.in
+++ b/bin/tests/sockaddr/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.21 2007/06/19 23:47:00 tbox Exp $
+# $Id: Makefile.in,v 1.23 2009/02/06 23:47:42 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -26,7 +26,7 @@ CINCLUDES =	${TEST_INCLUDES} ${ISC_INCLUDES}
 CDEFINES =
 CWARNINGS =
 
-ISCLIBS =	../../../lib/isc/libisc.@A@
+ISCLIBS =	../../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
 TAPIDEPLIBS =	../../../lib/tests/libt_api.@A@
 
 ISCDEPLIBS =	../../../lib/isc/libisc.@A@
diff --git a/bin/tests/system/dlv/setup.sh b/bin/tests/system/dlv/setup.sh
index 5f2e5b8e..34e8c174 100644
--- a/bin/tests/system/dlv/setup.sh
+++ b/bin/tests/system/dlv/setup.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -14,8 +14,8 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.4 2007/06/19 23:47:02 tbox Exp $
+# $Id: setup.sh,v 1.6 2009/03/02 23:47:43 tbox Exp $
 
-../../genrandom 400 random.data
+../../../tools/genrandom 400 random.data
 
 (cd ns3 && sh -e sign.sh)
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
index b7c58a9b..a467db9e 100644
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.25.48.4 2009/06/08 23:47:00 tbox Exp $
+# $Id: sign.sh,v 1.27 2009/06/04 02:56:47 tbox Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -35,8 +35,7 @@ keyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
 
 cat $infile $keyname.key > $zonefile
 
-echo $SIGNER -g -r $RANDFILE -o $zone $zonefile
-$SIGNER -g -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
 
 # Configure the resolving server with a trusted key.
 
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 77f5b0b2..4be15df7 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.30.48.4 2009/06/08 23:47:00 tbox Exp $
+# $Id: sign.sh,v 1.32 2009/06/04 02:56:47 tbox Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -40,7 +40,7 @@ keyname2=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
 
 # Sign the privately secure file
 
@@ -52,7 +52,7 @@ privkeyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone`
 
 cat $privinfile $privkeyname.key >$privzonefile
 
-$SIGNER -g -r $RANDFILE -o $privzone -l dlv $privzonefile > /dev/null
+$SIGNER -P -g -r $RANDFILE -o $privzone -l dlv $privzonefile > /dev/null
 
 # Sign the DLV secure zone.
 
@@ -65,4 +65,4 @@ dlvkeyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone`
 
 cat $dlvinfile $dlvkeyname.key dlvset-$privzone > $dlvzonefile
 
-$SIGNER -g -r $RANDFILE -o $dlvzone $dlvzonefile > /dev/null
+$SIGNER -P -g -r $RANDFILE -o $dlvzone $dlvzonefile > /dev/null
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 64a01f93..84ebd21c 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.25.48.4 2009/06/08 23:47:00 tbox Exp $
+# $Id: sign.sh,v 1.27 2009/06/04 02:56:47 tbox Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -30,7 +30,7 @@ keyname=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
 
 zone=bogus.example.
 infile=bogus.example.db.in
@@ -40,7 +40,7 @@ keyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
 
 zone=dynamic.example.
 infile=dynamic.example.db.in
@@ -51,7 +51,7 @@ keyname2=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
 
 zone=keyless.example.
 infile=keyless.example.db.in
@@ -61,7 +61,7 @@ keyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
 
 # Change the signer field of the a.b.keyless.example SIG A
 # to point to a provably nonexistent KEY record.
@@ -81,7 +81,7 @@ keyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
 
 #
 #  NSEC3/NSEC3 test zone
@@ -94,7 +94,7 @@ keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
 
 #
 #  OPTOUT/NSEC3 test zone
@@ -107,7 +107,7 @@ keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
 
 #
 # A nsec3 zone (non-optout).
@@ -120,7 +120,7 @@ keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -g -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
 
 #
 #  OPTOUT/NSEC test zone
@@ -133,7 +133,7 @@ keyname=`$KEYGEN -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
 
 #
 #  OPTOUT/NSEC3 test zone
@@ -146,7 +146,7 @@ keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
 
 #
 #  OPTOUT/OPTOUT test zone
@@ -159,7 +159,7 @@ keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
 
 #
 # A optout nsec3 zone.
@@ -172,7 +172,7 @@ keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -g -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null
 
 #
 # A nsec3 zone (non-optout) with unknown hash algorithm.
@@ -185,7 +185,7 @@ keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -3 - -U -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -U -r $RANDFILE -o $zone $zonefile > /dev/null
 
 #
 # A optout nsec3 zone.
@@ -198,7 +198,7 @@ keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null
 
 #
 # A multiple parameter nsec3 zone.
@@ -211,14 +211,14 @@ keyname=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
 mv $zonefile.signed $zonefile
-$SIGNER -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null
 mv $zonefile.signed $zonefile
-$SIGNER -3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null
 mv $zonefile.signed $zonefile
-$SIGNER -3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null
 mv $zonefile.signed $zonefile
-$SIGNER -3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null
 mv $zonefile.signed $zonefile
-$SIGNER -3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null
diff --git a/bin/tests/system/dnssec/prereq.sh b/bin/tests/system/dnssec/prereq.sh
index 8d724f91..78fafebe 100644
--- a/bin/tests/system/dnssec/prereq.sh
+++ b/bin/tests/system/dnssec/prereq.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2006, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -15,9 +15,9 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: prereq.sh,v 1.10 2007/06/19 23:47:02 tbox Exp $
+# $Id: prereq.sh,v 1.12 2009/03/02 23:47:43 tbox Exp $
 
-../../genrandom 400 random.data
+../../../tools/genrandom 400 random.data
 
 if $KEYGEN -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
 then
diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh
index 43a6c760..913589b8 100644
--- a/bin/tests/system/dnssec/setup.sh
+++ b/bin/tests/system/dnssec/setup.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -15,9 +15,9 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.14 2007/06/19 23:47:02 tbox Exp $
+# $Id: setup.sh,v 1.16 2009/03/02 23:47:43 tbox Exp $
 
-../../genrandom 400 random.data
+../../../tools/genrandom 400 random.data
 
 cd ns1 && sh sign.sh
 
diff --git a/bin/tests/system/genzone.sh b/bin/tests/system/genzone.sh
index bea95e8a..31ad0134 100644
--- a/bin/tests/system/genzone.sh
+++ b/bin/tests/system/genzone.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: genzone.sh,v 1.8 2007/06/19 23:47:00 tbox Exp $
+# $Id: genzone.sh,v 1.11 2009/02/26 06:09:19 marka Exp $
 
 #
 # Set up a test zone
@@ -193,8 +193,8 @@ srv02			SRV 65535 65535 65535  old-slow-box
 
 ; type 35
 naptr01			NAPTR   0 0 "" "" "" . 
-naptr02			NAPTR   65535 65535 blurgh blorf blegh foo.
-naptr02			NAPTR   65535 65535 "blurgh" "blorf" "blegh" foo.
+naptr02			NAPTR   65535 65535 blurgh blorf blllbb foo.
+naptr02			NAPTR   65535 65535 "blurgh" "blorf" "blllbb" foo.
 
 ; type 36
 kx01			KX	10 kdc
@@ -262,6 +262,14 @@ dnskey01		DNSKEY	512 ( 255 1 AQMFD5raczCJHViKtLYhWGz8hMY
 ;						; other data
 ;				)
 
+hip1			HIP	( 2 200100107B1A74DF365639CC39F1D578
+				AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D )
+
+
+hip2			HIP	( 2 200100107B1A74DF365639CC39F1D578
+                                AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
+				rvs.example.com. )
+
 ; type 255
 ; TSIG is a meta-type and should never occur in master files.
 EOF
diff --git a/bin/tests/system/glue/ns1/named.conf b/bin/tests/system/glue/ns1/named.conf
index 3001f508..51952fba 100644
--- a/bin/tests/system/glue/ns1/named.conf
+++ b/bin/tests/system/glue/ns1/named.conf
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.15.332.2 2009/01/30 23:47:18 tbox Exp $ */
+/* $Id: named.conf,v 1.17 2009/01/30 23:47:50 tbox Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/notify/ns2/example1.db b/bin/tests/system/notify/ns2/example1.db
index f0816936..38a3cd5f 100644
--- a/bin/tests/system/notify/ns2/example1.db
+++ b/bin/tests/system/notify/ns2/example1.db
@@ -1,4 +1,4 @@
-; Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 ; Copyright (C) 2000-2002  Internet Software Consortium.
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example1.db,v 1.12 2007/06/19 23:47:04 tbox Exp $
+; $Id: example1.db,v 1.14 2009/01/21 23:47:26 tbox Exp $
 
 $ORIGIN .
 $TTL 300	; 5 minutes
@@ -93,7 +93,7 @@ mr02			MR	.
 mx01			MX	10 mail
 mx02			MX	10 .
 naptr01			NAPTR	0 0 "" "" "" .
-naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blllbb" foo.
 nsap-ptr01		NSAP-PTR foo.
 			NSAP-PTR .
 nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
diff --git a/bin/tests/system/notify/ns2/example2.db b/bin/tests/system/notify/ns2/example2.db
index 93ae0405..d728c017 100644
--- a/bin/tests/system/notify/ns2/example2.db
+++ b/bin/tests/system/notify/ns2/example2.db
@@ -1,4 +1,4 @@
-; Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 ; Copyright (C) 2000-2002  Internet Software Consortium.
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example2.db,v 1.12 2007/06/19 23:47:04 tbox Exp $
+; $Id: example2.db,v 1.14 2009/01/21 23:47:26 tbox Exp $
 
 $ORIGIN .
 $TTL 300	; 5 minutes
@@ -93,7 +93,7 @@ mr02			MR	.
 mx01			MX	10 mail
 mx02			MX	10 .
 naptr01			NAPTR	0 0 "" "" "" .
-naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blllbb" foo.
 nsap-ptr01		NSAP-PTR foo.
 			NSAP-PTR .
 nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
diff --git a/bin/tests/system/notify/ns2/example3.db b/bin/tests/system/notify/ns2/example3.db
index 3afbaa62..27a64d2e 100644
--- a/bin/tests/system/notify/ns2/example3.db
+++ b/bin/tests/system/notify/ns2/example3.db
@@ -1,4 +1,4 @@
-; Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 ; Copyright (C) 2000-2002  Internet Software Consortium.
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example3.db,v 1.12 2007/06/19 23:47:04 tbox Exp $
+; $Id: example3.db,v 1.14 2009/01/21 23:47:26 tbox Exp $
 
 $ORIGIN .
 $TTL 300	; 5 minutes
@@ -93,7 +93,7 @@ mr02			MR	.
 mx01			MX	10 mail
 mx02			MX	10 .
 naptr01			NAPTR	0 0 "" "" "" .
-naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blllbb" foo.
 nsap-ptr01		NSAP-PTR foo.
 			NSAP-PTR .
 nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
diff --git a/bin/tests/system/notify/ns2/example4.db b/bin/tests/system/notify/ns2/example4.db
index 8c18a372..8438f9f5 100644
--- a/bin/tests/system/notify/ns2/example4.db
+++ b/bin/tests/system/notify/ns2/example4.db
@@ -1,4 +1,4 @@
-; Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 ; Copyright (C) 2000-2002  Internet Software Consortium.
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example4.db,v 1.12 2007/06/19 23:47:04 tbox Exp $
+; $Id: example4.db,v 1.14 2009/01/21 23:47:26 tbox Exp $
 
 $ORIGIN .
 $TTL 300	; 5 minutes
@@ -93,7 +93,7 @@ mr02			MR	.
 mx01			MX	10 mail
 mx02			MX	10 .
 naptr01			NAPTR	0 0 "" "" "" .
-naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blllbb" foo.
 nsap-ptr01		NSAP-PTR foo.
 			NSAP-PTR .
 nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
diff --git a/bin/tests/system/nsupdate/knowngood.ns1.after b/bin/tests/system/nsupdate/knowngood.ns1.after
index 32e1c8d3..4114159e 100644
--- a/bin/tests/system/nsupdate/knowngood.ns1.after
+++ b/bin/tests/system/nsupdate/knowngood.ns1.after
@@ -52,7 +52,7 @@ mr02.example.nil.	3600	IN	MR	.
 mx01.example.nil.	3600	IN	MX	10 mail.example.nil.
 mx02.example.nil.	3600	IN	MX	10 .
 naptr01.example.nil.	3600	IN	NAPTR	0 0 "" "" "" .
-naptr02.example.nil.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+naptr02.example.nil.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blllbb" foo.
 ns1.example.nil.	300	IN	A	10.53.0.1
 ns2.example.nil.	300	IN	A	10.53.0.2
 nsap-ptr01.example.nil.	3600	IN	NSAP-PTR .
diff --git a/bin/tests/system/nsupdate/knowngood.ns1.before b/bin/tests/system/nsupdate/knowngood.ns1.before
index e108c2ac..4a5e630d 100644
--- a/bin/tests/system/nsupdate/knowngood.ns1.before
+++ b/bin/tests/system/nsupdate/knowngood.ns1.before
@@ -52,7 +52,7 @@ mr02.example.nil.	3600	IN	MR	.
 mx01.example.nil.	3600	IN	MX	10 mail.example.nil.
 mx02.example.nil.	3600	IN	MX	10 .
 naptr01.example.nil.	3600	IN	NAPTR	0 0 "" "" "" .
-naptr02.example.nil.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+naptr02.example.nil.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blllbb" foo.
 ns1.example.nil.	300	IN	A	10.53.0.1
 ns2.example.nil.	300	IN	A	10.53.0.2
 nsap-ptr01.example.nil.	3600	IN	NSAP-PTR .
diff --git a/bin/tests/system/nsupdate/ns1/example1.db b/bin/tests/system/nsupdate/ns1/example1.db
index e8856fe2..556bec10 100644
--- a/bin/tests/system/nsupdate/ns1/example1.db
+++ b/bin/tests/system/nsupdate/ns1/example1.db
@@ -1,4 +1,4 @@
-; Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 ; Copyright (C) 2000-2002  Internet Software Consortium.
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example1.db,v 1.8 2007/06/19 23:47:04 tbox Exp $
+; $Id: example1.db,v 1.10 2009/01/21 23:47:27 tbox Exp $
 
 $ORIGIN .
 $TTL 300	; 5 minutes
@@ -95,7 +95,7 @@ mr02			MR	.
 mx01			MX	10 mail
 mx02			MX	10 .
 naptr01			NAPTR	0 0 "" "" "" .
-naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blllbb" foo.
 nsap-ptr01		NSAP-PTR foo.
 			NSAP-PTR .
 nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
diff --git a/bin/tests/system/resolver/ans2/ans.pl b/bin/tests/system/resolver/ans2/ans.pl
index b41f1986..2d49de83 100644
--- a/bin/tests/system/resolver/ans2/ans.pl
+++ b/bin/tests/system/resolver/ans2/ans.pl
@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: ans.pl,v 1.10 2007/09/24 04:13:25 marka Exp $
+# $Id: ans.pl,v 1.12 2009/05/29 23:47:49 tbox Exp $
 
 #
 # Ad hoc name server
@@ -52,6 +52,7 @@ for (;;) {
 
 	my @questions = $packet->question;
 	my $qname = $questions[0]->qname;
+	my $qtype = $questions[0]->qtype;
 
 	if ($qname eq "cname1.example.com") {
 		# Data for the "cname + other data / 1" test
@@ -61,6 +62,32 @@ for (;;) {
 		# Data for the "cname + other data / 2" test: same RRs in opposite order
 		$packet->push("answer", new Net::DNS::RR("cname2.example.com 300 A 1.2.3.4"));
 		$packet->push("answer", new Net::DNS::RR("cname2.example.com 300 CNAME cname2.example.com"));
+	} elsif ($qname eq "www.example.org" || $qname eq "www.example.net" ||
+		 $qname eq "badcname.example.org" ||
+		 $qname eq "goodcname.example.org" ||
+		 $qname eq "foo.baddname.example.org" ||
+		 $qname eq "foo.gooddname.example.org") {
+		# Data for address/alias filtering.
+		if ($qtype eq "A") {
+			$packet->push("answer",
+				      new Net::DNS::RR($qname .
+						       " 300 A 192.0.2.1"));
+		} elsif ($qtype eq "AAAA") {
+			$packet->push("answer",
+				      new Net::DNS::RR($qname .
+						" 300 AAAA 2001:db8:beef::1"));
+		}
+	} elsif ($qname eq "badcname.example.net" ||
+		 $qname eq "goodcname.example.net") {
+		# Data for CNAME/DNAME filtering.  We need to make one-level
+		# delegation to avoid automatic acceptance for subdomain aliases
+		$packet->push("authority", new Net::DNS::RR("example.net 300 NS ns.example.net"));
+		$packet->push("additional", new Net::DNS::RR("ns.example.net 300 A 10.53.0.3"));
+	} elsif ($qname =~ /sub\.example\.org/) {
+		# Data for CNAME/DNAME filtering.  The final answers are
+		# expected to be accepted regardless of the filter setting.
+		$packet->push("authority", new Net::DNS::RR("sub.example.org 300 NS ns.sub.example.org"));
+		$packet->push("additional", new Net::DNS::RR("ns.sub.example.org 300 A 10.53.0.3"));
 	} else {
 		# Data for the "bogus referrals" test
 		$packet->push("authority", new Net::DNS::RR("below.www.example.com 300 NS ns.below.www.example.com"));
diff --git a/bin/tests/system/resolver/ans3/ans.pl b/bin/tests/system/resolver/ans3/ans.pl
index 3053b25f..30cc3ff6 100644
--- a/bin/tests/system/resolver/ans3/ans.pl
+++ b/bin/tests/system/resolver/ans3/ans.pl
@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: ans.pl,v 1.9 2007/09/24 04:13:25 marka Exp $
+# $Id: ans.pl,v 1.11 2009/05/29 23:47:49 tbox Exp $
 
 #
 # Ad hoc name server
@@ -50,7 +50,42 @@ for (;;) {
 
 	$packet->header->qr(1);
 
-	$packet->push("answer", new Net::DNS::RR("www.example.com 300 A 1.2.3.4"));
+	my @questions = $packet->question;
+	my $qname = $questions[0]->qname;
+
+	if ($qname eq "badcname.example.net") {
+		$packet->push("answer",
+			      new Net::DNS::RR($qname .
+				       " 300 CNAME badcname.example.org"));
+	} elsif ($qname eq "foo.baddname.example.net") {
+		$packet->push("answer",
+			      new Net::DNS::RR("baddname.example.net" .
+				       " 300 DNAME baddname.example.org"));
+	} elsif ($qname eq "foo.gooddname.example.net") {
+		$packet->push("answer",
+			      new Net::DNS::RR("gooddname.example.net" .
+				       " 300 DNAME gooddname.example.org"));
+	} elsif ($qname eq "goodcname.example.net") {
+		$packet->push("answer",
+			      new Net::DNS::RR($qname .
+				       " 300 CNAME goodcname.example.org"));
+	} elsif ($qname eq "cname.sub.example.org") {
+		$packet->push("answer",
+			      new Net::DNS::RR($qname .
+				       " 300 CNAME ok.sub.example.org"));
+	} elsif ($qname eq "ok.sub.example.org") {
+		$packet->push("answer",
+			      new Net::DNS::RR($qname . " 300 A 192.0.2.1"));
+	} elsif ($qname eq "www.dname.sub.example.org") {
+		$packet->push("answer",
+			      new Net::DNS::RR("dname.sub.example.org" .
+				       " 300 DNAME ok.sub.example.org"));
+	} elsif ($qname eq "www.ok.sub.example.org") {
+		$packet->push("answer",
+			      new Net::DNS::RR($qname . " 300 A 192.0.2.1"));
+	} else {
+		$packet->push("answer", new Net::DNS::RR("www.example.com 300 A 1.2.3.4"));
+	}
 
 	$sock->send($packet->data);
 
diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh
index c79da928..8589a61d 100644
--- a/bin/tests/system/resolver/clean.sh
+++ b/bin/tests/system/resolver/clean.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -14,9 +14,10 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.1 2008/07/17 01:15:34 marka Exp $
+# $Id: clean.sh,v 1.3 2009/05/29 23:47:49 tbox Exp $
 
 #
 # Clean up after resolver tests.
 #
 rm -f */named.memstats
+rm -f dig.out
diff --git a/bin/tests/system/resolver/ns1/named.conf b/bin/tests/system/resolver/ns1/named.conf
index 4b0c80ab..65068655 100644
--- a/bin/tests/system/resolver/ns1/named.conf
+++ b/bin/tests/system/resolver/ns1/named.conf
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.13 2007/06/18 23:47:30 tbox Exp $ */
+/* $Id: named.conf,v 1.15 2009/05/29 23:47:49 tbox Exp $ */
 
 controls { /* empty */ };
 
@@ -29,6 +29,11 @@ options {
 	listen-on-v6 { none; };
 	recursion yes;
 	acache-enable yes;
+	deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
+		 except-from { "example.org"; };
+	deny-answer-aliases { "example.org"; }
+		except-from { "goodcname.example.net";
+			      "gooddname.example.net"; };
 };
 
 zone "." {
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
index 585455c9..98c3fc63 100644
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.9 2007/06/19 23:47:05 tbox Exp $
+# $Id: tests.sh,v 1.11 2009/05/29 23:47:49 tbox Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -35,5 +35,75 @@ $DIG +tcp cname2.example.com. a @10.53.0.1 -p 5300 >/dev/null || status=1
 echo "I:check that server is still running"
 $DIG +tcp www.example.com. a @10.53.0.1 -p 5300 >/dev/null || status=1
 
+echo "I:checking answer IPv4 address filtering (deny)"
+ret=0
+$DIG +tcp www.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
+grep "status: SERVFAIL" dig.out > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking answer IPv6 address filtering (deny)"
+ret=0
+$DIG +tcp www.example.net @10.53.0.1 aaaa -p 5300 > dig.out || ret=1
+grep "status: SERVFAIL" dig.out > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking answer IPv4 address filtering (accept)"
+ret=0
+$DIG +tcp www.example.org @10.53.0.1 a -p 5300 > dig.out || ret=1
+grep "status: NOERROR" dig.out > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking answer IPv6 address filtering (accept)"
+ret=0
+$DIG +tcp www.example.org @10.53.0.1 aaaa -p 5300 > dig.out || ret=1
+grep "status: NOERROR" dig.out > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking CNAME target filtering (deny)"
+ret=0
+$DIG +tcp badcname.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
+grep "status: SERVFAIL" dig.out > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking CNAME target filtering (accept)"
+ret=0
+$DIG +tcp goodcname.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
+grep "status: NOERROR" dig.out > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking CNAME target filtering (accept due to subdomain)"
+ret=0
+$DIG +tcp cname.sub.example.org @10.53.0.1 a -p 5300 > dig.out || ret=1
+grep "status: NOERROR" dig.out > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking DNAME target filtering (deny)"
+ret=0
+$DIG +tcp foo.baddname.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
+grep "status: SERVFAIL" dig.out > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking DNAME target filtering (accept)"
+ret=0
+$DIG +tcp foo.gooddname.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
+grep "status: NOERROR" dig.out > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking DNAME target filtering (accept due to subdomain)"
+ret=0
+$DIG +tcp www.dname.sub.example.org @10.53.0.1 a -p 5300 > dig.out || ret=1
+grep "status: NOERROR" dig.out > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status
diff --git a/bin/tests/system/tkey/ns1/named.conf.in b/bin/tests/system/tkey/ns1/named.conf.in
index 6bb0d7f9..5de2e418 100644
--- a/bin/tests/system/tkey/ns1/named.conf.in
+++ b/bin/tests/system/tkey/ns1/named.conf.in
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf.in,v 1.6.332.2 2009/01/30 23:47:18 tbox Exp $ */
+/* $Id: named.conf.in,v 1.8 2009/01/30 23:47:50 tbox Exp $ */
 
 controls { /* empty */ };
 
diff --git a/bin/tests/system/tkey/prereq.sh b/bin/tests/system/tkey/prereq.sh
index 9c162a4b..54321e7e 100644
--- a/bin/tests/system/tkey/prereq.sh
+++ b/bin/tests/system/tkey/prereq.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2006, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -15,9 +15,9 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: prereq.sh,v 1.10 2007/06/19 23:47:06 tbox Exp $
+# $Id: prereq.sh,v 1.12 2009/03/02 23:47:43 tbox Exp $
 
-../../genrandom 400 random.data
+../../../tools/genrandom 400 random.data
 
 if $KEYGEN -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
 then
diff --git a/bin/tests/system/tkey/setup.sh b/bin/tests/system/tkey/setup.sh
index d4aee8b7..6311bc9e 100644
--- a/bin/tests/system/tkey/setup.sh
+++ b/bin/tests/system/tkey/setup.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -15,10 +15,10 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.5 2007/06/19 23:47:06 tbox Exp $
+# $Id: setup.sh,v 1.7 2009/03/02 23:47:43 tbox Exp $
 
 RANDFILE=random.data
 
-../../genrandom 100 $RANDFILE
+../../../tools/genrandom 100 $RANDFILE
 
 cd ns1 && sh setup.sh
diff --git a/bin/tests/system/tsig/ns1/example.db b/bin/tests/system/tsig/ns1/example.db
index 1dd6522f..a9a0ec88 100644
--- a/bin/tests/system/tsig/ns1/example.db
+++ b/bin/tests/system/tsig/ns1/example.db
@@ -1,4 +1,4 @@
-; Copyright (C) 2005-2007  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2005-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example.db,v 1.5 2007/06/19 23:47:06 tbox Exp $
+; $Id: example.db,v 1.7 2009/01/21 23:47:27 tbox Exp $
 
 $ORIGIN .
 $TTL 300	; 5 minutes
@@ -94,7 +94,7 @@ mr02			MR	.
 mx01			MX	10 mail
 mx02			MX	10 .
 naptr01			NAPTR	0 0 "" "" "" .
-naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+naptr02			NAPTR	65535 65535 "blurgh" "blorf" ":(.*):\\1:" foo.
 nsap-ptr01		NSAP-PTR foo.
 			NSAP-PTR .
 nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
diff --git a/bin/tests/system/xfer/dig1.good b/bin/tests/system/xfer/dig1.good
index b7f3f791..4f741791 100644
--- a/bin/tests/system/xfer/dig1.good
+++ b/bin/tests/system/xfer/dig1.good
@@ -20,6 +20,8 @@ gpos01.example.		3600	IN	GPOS	"-22.6882" "116.8652" "250.0"
 gpos02.example.		3600	IN	GPOS	"" "" ""
 hinfo01.example.	3600	IN	HINFO	"Generic PC clone" "NetBSD-1.4"
 hinfo02.example.	3600	IN	HINFO	"PC" "NetBSD"
+hip1.example.		3600	IN	HIP     2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D 
+hip2.example.		3600	IN	HIP	2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D rvs.example.com.
 isdn01.example.		3600	IN	ISDN	"isdn-address"
 isdn02.example.		3600	IN	ISDN	"isdn-address" "subaddress"
 isdn03.example.		3600	IN	ISDN	"isdn-address"
@@ -40,7 +42,7 @@ mr02.example.		3600	IN	MR	.
 mx01.example.		3600	IN	MX	10 mail.example.
 mx02.example.		3600	IN	MX	10 .
 naptr01.example.	3600	IN	NAPTR	0 0 "" "" "" .
-naptr02.example.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+naptr02.example.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blllbb" foo.
 ns2.example.		3600	IN	A	10.53.0.2
 ns3.example.		3600	IN	A	10.53.0.3
 nsap-ptr01.example.	3600	IN	NSAP-PTR .
diff --git a/bin/tests/system/xfer/dig2.good b/bin/tests/system/xfer/dig2.good
index 9f2cece6..db3521c4 100644
--- a/bin/tests/system/xfer/dig2.good
+++ b/bin/tests/system/xfer/dig2.good
@@ -24,6 +24,8 @@ isdn01.example.		3600	IN	ISDN	"isdn-address"
 isdn02.example.		3600	IN	ISDN	"isdn-address" "subaddress"
 isdn03.example.		3600	IN	ISDN	"isdn-address"
 isdn04.example.		3600	IN	ISDN	"isdn-address" "subaddress"
+hip1.example.		3600	IN	HIP	2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D 
+hip2.example.		3600	IN 	HIP	2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D rvs.example.com.
 dnskey01.example.	3600	IN	DNSKEY	512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
 kx01.example.		3600	IN	KX	10 kdc.example.
 kx02.example.		3600	IN	KX	10 .
@@ -40,7 +42,7 @@ mr02.example.		3600	IN	MR	.
 mx01.example.		3600	IN	MX	10 mail.example.
 mx02.example.		3600	IN	MX	10 .
 naptr01.example.	3600	IN	NAPTR	0 0 "" "" "" .
-naptr02.example.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+naptr02.example.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blllbb" foo.
 ns2.example.		3600	IN	A	10.53.0.2
 ns3.example.		3600	IN	A	10.53.0.3
 nsap-ptr01.example.	3600	IN	NSAP-PTR .
diff --git a/bin/tests/system/xferquota/ns2/example.db b/bin/tests/system/xferquota/ns2/example.db
index 8e5a7be7..083aa1c4 100644
--- a/bin/tests/system/xferquota/ns2/example.db
+++ b/bin/tests/system/xferquota/ns2/example.db
@@ -1,4 +1,4 @@
-; Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 ; Copyright (C) 2000-2003  Internet Software Consortium.
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example.db,v 1.12 2007/06/19 23:47:07 tbox Exp $
+; $Id: example.db,v 1.14 2009/01/21 23:47:27 tbox Exp $
 
 $ORIGIN .
 $TTL 300	; 5 minutes
@@ -95,7 +95,7 @@ mr02			MR	.
 mx01			MX	10 mail
 mx02			MX	10 .
 naptr01			NAPTR	0 0 "" "" "" .
-naptr02			NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
+naptr02			NAPTR	65535 65535 "blurgh" "blorf" ":(.*):\\1:" foo.
 nsap-ptr01		NSAP-PTR foo.
 			NSAP-PTR .
 nsap01			NSAP	0x47000580005a0000000001e133ffffff00016100
diff --git a/bin/tests/tasks/Makefile.in b/bin/tests/tasks/Makefile.in
index f7fc9089..8f6e236d 100644
--- a/bin/tests/tasks/Makefile.in
+++ b/bin/tests/tasks/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.30 2007/06/19 23:47:07 tbox Exp $
+# $Id: Makefile.in,v 1.32 2009/02/06 23:47:42 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -26,7 +26,7 @@ CINCLUDES =	${TEST_INCLUDES} ${ISC_INCLUDES}
 CDEFINES =
 CWARNINGS =
 
-ISCLIBS =	../../../lib/isc/libisc.@A@
+ISCLIBS =	../../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
 TAPIDEPLIBS =	../../../lib/tests/libt_api.@A@
 
 ISCDEPLIBS =	../../../lib/isc/libisc.@A@
diff --git a/bin/tests/tasks/t_tasks.c b/bin/tests/tasks/t_tasks.c
index 93cf3f8b..2eac54b9 100644
--- a/bin/tests/tasks/t_tasks.c
+++ b/bin/tests/tasks/t_tasks.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_tasks.c,v 1.40.332.2 2009/01/22 23:47:05 tbox Exp $ */
+/* $Id: t_tasks.c,v 1.42 2009/01/22 23:47:54 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/bin/tests/timers/Makefile.in b/bin/tests/timers/Makefile.in
index 0ba198a2..19c083d6 100644
--- a/bin/tests/timers/Makefile.in
+++ b/bin/tests/timers/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.28 2007/06/19 23:47:07 tbox Exp $
+# $Id: Makefile.in,v 1.30 2009/02/06 23:47:42 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -26,7 +26,7 @@ CINCLUDES =	${TEST_INCLUDES} ${ISC_INCLUDES}
 CDEFINES =
 CWARNINGS =
 
-ISCLIBS =	../../../lib/isc/libisc.@A@
+ISCLIBS =	../../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
 
 ISCDEPLIBS =	../../../lib/isc/libisc.@A@
 
diff --git a/bin/tests/timers/t_timers.c b/bin/tests/timers/t_timers.c
index e5a8aa52..12e1b76e 100644
--- a/bin/tests/timers/t_timers.c
+++ b/bin/tests/timers/t_timers.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_timers.c,v 1.28.156.2 2009/01/22 23:47:05 tbox Exp $ */
+/* $Id: t_timers.c,v 1.30 2009/01/22 23:47:54 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in
new file mode 100644
index 00000000..29b39d8d
--- /dev/null
+++ b/bin/tools/Makefile.in
@@ -0,0 +1,87 @@
+# Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.6 2009/06/18 16:02:25 each Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
+		${LWRES_INCLUDES} ${OMAPI_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
+ISCCFGLIBS = 	../../lib/isccfg/libisccfg.@A@
+LWRESLIBS =	../../lib/lwres/liblwres.@A@
+
+DNSDEPLIBS =	../../lib/dns/libdns.@A@
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+LWRESDEPLIBS =	../../lib/lwres/liblwres.@A@
+
+LIBS =		@LIBS@
+
+SUBDIRS = 
+
+TARGETS =	arpaname@EXEEXT@ journalprint@EXEEXT@ nsec3hash@EXEEXT@ \
+		genrandom@EXEEXT@
+SRCS =		arpaname.c journalprint.c nsec3hash.c genrandom.c
+
+MANPAGES =	arpaname.1 journalprint.8 nsec3hash.8 genrandom.8
+HTMLPAGES =	arpaname.html journalprint.html nsec3hash.html genrandom.html
+MANOBJS =	${MANPAGES} ${HTMLPAGES}
+
+@BIND9_MAKE_RULES@
+
+arpaname@EXEEXT@: arpaname.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ arpaname.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+journalprint@EXEEXT@: journalprint.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ journalprint.@O@ \
+		${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+nsec3hash@EXEEXT@: nsec3hash.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ nsec3hash.@O@ \
+	${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+genrandom@EXEEXT@: genrandom.@O@
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ genrandom.@O@ @GENRANDOMLIB@ ${LIBS}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+	rm -f ${MANOBJS}
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: journalprint@EXEEXT@ nsec3hash@EXEEXT@ installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} journalprint@EXEEXT@ ${DESTDIR}${sbindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsec3hash@EXEEXT@ ${DESTDIR}${sbindir}
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} genrandom@EXEEXT@ ${DESTDIR}${sbindir}
+	${INSTALL_DATA} ${srcdir}/arpaname.1 ${DESTDIR}${mandir}/man1
+	${INSTALL_DATA} ${srcdir}/journalprint.8 ${DESTDIR}${mandir}/man8
+	${INSTALL_DATA} ${srcdir}/nsec3hash.8 ${DESTDIR}${mandir}/man8
+	${INSTALL_DATA} ${srcdir}/genrandom.8 ${DESTDIR}${mandir}/man8
+
+clean distclean::
+	rm -f ${TARGETS}
diff --git a/bin/tools/arpaname.1 b/bin/tools/arpaname.1
new file mode 100644
index 00000000..f35f994a
--- /dev/null
+++ b/bin/tools/arpaname.1
@@ -0,0 +1,48 @@
+.\" Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: arpaname.1,v 1.3 2009/03/06 01:12:32 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\"     Title: arpaname
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: March 4, 2009
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "ARPANAME" "1" "March 4, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+arpaname \- translate IP addresses to the corresponding ARPA names
+.SH "SYNOPSIS"
+.HP 9
+\fBarpaname\fR {\fIipaddress\ \fR...}
+.SH "DESCRIPTION"
+.PP
+\fBarpaname\fR
+translates IP addresses (IPv4 and IPv6) to the corresponding IN\-ADDR.ARPA or IP6.ARPA names.
+.SH "SEE ALSO"
+.PP
+BIND 9 Administrator Reference Manual.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/tools/arpaname.c b/bin/tools/arpaname.c
new file mode 100644
index 00000000..12c4fe94
--- /dev/null
+++ b/bin/tools/arpaname.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: arpaname.c,v 1.3 2009/06/18 16:02:25 each Exp $ */
+
+#include "config.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdio.h>
+
+#define UNUSED(x) (void)(x)
+
+int
+main(int argc, char *argv[]) {
+	unsigned char buf[16];
+	int i;
+
+	UNUSED(argc);
+
+	while (argv[1]) {
+		if (inet_pton(AF_INET6, argv[1], buf) == 1) {
+			for (i = 15; i >= 0; i--)
+				fprintf(stdout, "%X.%X.", buf[i] & 0xf,
+					(buf[i] >> 4) & 0xf);
+			fprintf(stdout, "IP6.ARPA\n");
+			argv++;
+			continue;
+		}
+		if (inet_pton(AF_INET, argv[1], buf) == 1) {
+			fprintf(stdout, "%u.%u.%u.%u.IN-ADDR.ARPA\n",
+				buf[3], buf[2], buf[1], buf[0]);
+			argv++;
+			continue;
+		}
+		return (1);
+	}
+	fflush(stdout);
+	return(ferror(stdout));
+}
diff --git a/bin/tools/arpaname.docbook b/bin/tools/arpaname.docbook
new file mode 100644
index 00000000..6fb3ca29
--- /dev/null
+++ b/bin/tools/arpaname.docbook
@@ -0,0 +1,76 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+	       [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: arpaname.docbook,v 1.1 2009/03/04 01:30:27 marka Exp $ -->
+<refentry id="man.arpaname">
+  <refentryinfo>
+    <date>March 4, 2009</date>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>arpaname</application></refentrytitle>
+    <manvolnum>1</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>arpaname</application></refname>
+    <refpurpose>translate IP addresses to the corresponding ARPA names</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2009</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>arpaname</command>
+      <arg choice="req" rep="repeat"><replaceable class="parameter">ipaddress </replaceable></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para>
+      <command>arpaname</command> translates IP addresses (IPv4 and
+      IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para>
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>AUTHOR</title>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
+    </para>
+  </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/bin/tools/arpaname.html b/bin/tools/arpaname.html
new file mode 100644
index 00000000..e5f898b2
--- /dev/null
+++ b/bin/tools/arpaname.html
@@ -0,0 +1,53 @@
+<!--
+ - Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: arpaname.html,v 1.3 2009/03/06 01:12:32 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>arpaname</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.arpaname"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">arpaname</span> &#8212; translate IP addresses to the corresponding ARPA names</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">arpaname</code>  {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543345"></a><h2>DESCRIPTION</h2>
+<p>
+      <span><strong class="command">arpaname</strong></span> translates IP addresses (IPv4 and
+      IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543357"></a><h2>SEE ALSO</h2>
+<p>
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543371"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div></body>
+</html>
diff --git a/bin/tools/genrandom.8 b/bin/tools/genrandom.8
new file mode 100644
index 00000000..6c49a070
--- /dev/null
+++ b/bin/tools/genrandom.8
@@ -0,0 +1,60 @@
+.\" Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: genrandom.8,v 1.4 2009/03/03 01:12:26 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\"     Title: genrandom
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: Feb 19, 2009
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "GENRANDOM" "8" "Feb 19, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+genrandom \- generate a file containing random data
+.SH "SYNOPSIS"
+.HP 10
+\fBgenrandom\fR {\fIsize\fR} {\fIfilename\fR}
+.SH "DESCRIPTION"
+.PP
+\fBgenrandom\fR
+generates a file containing a specified quantity of psuedo\-random data, which can be used as a source of entropy for other commands on systems with no random device.
+.SH "ARGUMENTS"
+.PP
+size
+.RS 4
+The size of the file, in kilobytes, to generate.
+.RE
+.PP
+domain
+.RS 4
+The file name into which random data should be written.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBrand\fR(3),
+\fBarc4random\fR(3)
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/tests/genrandom.c b/bin/tools/genrandom.c
index 34f6ac00..b34416e7 100644
--- a/bin/tests/genrandom.c
+++ b/bin/tools/genrandom.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: genrandom.c,v 1.15 2007/06/19 23:46:59 tbox Exp $ */
+/* $Id: genrandom.c,v 1.4 2009/03/07 23:47:45 tbox Exp $ */
 
 /*! \file */
 #include <config.h>
diff --git a/bin/tools/genrandom.docbook b/bin/tools/genrandom.docbook
new file mode 100644
index 00000000..f17dfd7a
--- /dev/null
+++ b/bin/tools/genrandom.docbook
@@ -0,0 +1,107 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+	       [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: genrandom.docbook,v 1.3 2009/03/02 23:47:43 tbox Exp $ -->
+<refentry id="man.genrandom">
+  <refentryinfo>
+    <date>Feb 19, 2009</date>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>genrandom</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>genrandom</application></refname>
+    <refpurpose>generate a file containing random data</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2009</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>genrandom</command>
+      <arg choice="req"><replaceable class="parameter">size</replaceable></arg>
+      <arg choice="req"><replaceable class="parameter">filename</replaceable></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para>
+      <command>genrandom</command>
+      generates a file containing a specified quantity of psuedo-random
+      data, which can be used as a source of entropy for other commands
+      on systems with no random device.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>ARGUMENTS</title>
+    <variablelist>
+      <varlistentry>
+        <term>size</term>
+        <listitem>
+          <para>
+            The size of the file, in kilobytes, to generate.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>domain</term>
+        <listitem>
+          <para>
+            The file name into which random data should be written.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>rand</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>arc4random</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>AUTHOR</title>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
+    </para>
+  </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/bin/tools/genrandom.html b/bin/tools/genrandom.html
new file mode 100644
index 00000000..32fbb841
--- /dev/null
+++ b/bin/tools/genrandom.html
@@ -0,0 +1,69 @@
+<!--
+ - Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: genrandom.html,v 1.4 2009/03/03 01:12:26 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>genrandom</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.genrandom"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">genrandom</span> &#8212; generate a file containing random data</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">genrandom</code>  {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543351"></a><h2>DESCRIPTION</h2>
+<p>
+      <span><strong class="command">genrandom</strong></span>
+      generates a file containing a specified quantity of psuedo-random
+      data, which can be used as a source of entropy for other commands
+      on systems with no random device.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543364"></a><h2>ARGUMENTS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">size</span></dt>
+<dd><p>
+            The size of the file, in kilobytes, to generate.
+          </p></dd>
+<dt><span class="term">domain</span></dt>
+<dd><p>
+            The file name into which random data should be written.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543399"></a><h2>SEE ALSO</h2>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span>
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543426"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div></body>
+</html>
diff --git a/bin/tools/journalprint.8 b/bin/tools/journalprint.8
new file mode 100644
index 00000000..2fa2c4eb
--- /dev/null
+++ b/bin/tools/journalprint.8
@@ -0,0 +1,60 @@
+.\" Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: journalprint.8,v 1.4 2009/03/03 01:12:26 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\"     Title: journalprint
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: Feb 18, 2009
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "JOURNALPRINT" "8" "Feb 18, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+journalprint \- print zone journal in human\-readable form
+.SH "SYNOPSIS"
+.HP 13
+\fBjournalprint\fR {\fIjournal\fR}
+.SH "DESCRIPTION"
+.PP
+\fBjournalprint\fR
+prints the contents of a zone journal file in a human\-readable form.
+.PP
+Journal files are automatically created by
+\fBnamed\fR
+when changes are made to dynamic zones (e.g., by
+\fBnsupdate\fR). They record each addition or deletion of a resource record, in binary format, allowing the changes to be re\-applied to the zone when the server is restarted after a shutdown or crash. By default, the name of the journal file is formed by appending the extension
+\fI.jnl\fR
+to the name of the corresponding zone file.
+.PP
+\fBjournalprint\fR
+converts the contents of a given journal file into a human\-readable text format. Each line begins with "add" or "del", to indicate whether the record was added or deleted, and continues with the resource record in master\-file format.
+.SH "SEE ALSO"
+.PP
+\fBnamed\fR(8),
+\fBnsupdate\fR(8),
+BIND 9 Administrator Reference Manual.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/tests/journalprint.c b/bin/tools/journalprint.c
index d8bd72b3..41ee1763 100644
--- a/bin/tests/journalprint.c
+++ b/bin/tools/journalprint.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: journalprint.c,v 1.14 2008/09/25 04:02:38 tbox Exp $ */
+/* $Id: journalprint.c,v 1.4 2009/03/07 23:47:45 tbox Exp $ */
 
 /*! \file */
 #include <config.h>
diff --git a/bin/tools/journalprint.docbook b/bin/tools/journalprint.docbook
new file mode 100644
index 00000000..6201f45e
--- /dev/null
+++ b/bin/tools/journalprint.docbook
@@ -0,0 +1,101 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+	       [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: journalprint.docbook,v 1.3 2009/03/02 23:47:43 tbox Exp $ -->
+<refentry id="man.journalprint">
+  <refentryinfo>
+    <date>Feb 18, 2009</date>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>journalprint</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>journalprint</application></refname>
+    <refpurpose>print zone journal in human-readable form</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2009</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>journalprint</command>
+      <arg choice="req"><replaceable class="parameter">journal</replaceable></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para>
+      <command>journalprint</command>
+      prints the contents of a zone journal file in a human-readable
+      form. 
+    </para>
+    <para>
+      Journal files are automatically created by <command>named</command> 
+      when changes are made to dynamic zones (e.g., by
+      <command>nsupdate</command>).  They record each addition
+      or deletion of a resource record, in binary format, allowing the
+      changes to be re-applied to the zone when the server is
+      restarted after a shutdown or crash.  By default, the name of
+      the journal file is formed by appending the extension
+      <filename>.jnl</filename> to the name of the corresponding
+      zone file.
+    </para>
+    <para>
+      <command>journalprint</command> converts the contents of a given
+      journal file into a human-readable text format.  Each line begins
+      with "add" or "del", to indicate whether the record was added or
+      deleted, and continues with the resource record in master-file
+      format.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>nsupdate</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>AUTHOR</title>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
+    </para>
+  </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/bin/tools/journalprint.html b/bin/tools/journalprint.html
new file mode 100644
index 00000000..662ca25a
--- /dev/null
+++ b/bin/tools/journalprint.html
@@ -0,0 +1,74 @@
+<!--
+ - Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: journalprint.html,v 1.4 2009/03/03 01:12:26 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>journalprint</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.journalprint"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">journalprint</span> &#8212; print zone journal in human-readable form</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">journalprint</code>  {<em class="replaceable"><code>journal</code></em>}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543342"></a><h2>DESCRIPTION</h2>
+<p>
+      <span><strong class="command">journalprint</strong></span>
+      prints the contents of a zone journal file in a human-readable
+      form. 
+    </p>
+<p>
+      Journal files are automatically created by <span><strong class="command">named</strong></span> 
+      when changes are made to dynamic zones (e.g., by
+      <span><strong class="command">nsupdate</strong></span>).  They record each addition
+      or deletion of a resource record, in binary format, allowing the
+      changes to be re-applied to the zone when the server is
+      restarted after a shutdown or crash.  By default, the name of
+      the journal file is formed by appending the extension
+      <code class="filename">.jnl</code> to the name of the corresponding
+      zone file.
+    </p>
+<p>
+      <span><strong class="command">journalprint</strong></span> converts the contents of a given
+      journal file into a human-readable text format.  Each line begins
+      with "add" or "del", to indicate whether the record was added or
+      deleted, and continues with the resource record in master-file
+      format.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543378"></a><h2>SEE ALSO</h2>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">nsupdate</span>(8)</span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543409"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div></body>
+</html>
diff --git a/bin/tools/nsec3hash.8 b/bin/tools/nsec3hash.8
new file mode 100644
index 00000000..7ab53b57
--- /dev/null
+++ b/bin/tools/nsec3hash.8
@@ -0,0 +1,70 @@
+.\" Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: nsec3hash.8,v 1.4 2009/03/03 01:12:26 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\"     Title: nsec3hash
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: Feb 18, 2009
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "NSEC3HASH" "8" "Feb 18, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+nsec3hash \- generate NSEC3 hash
+.SH "SYNOPSIS"
+.HP 10
+\fBnsec3hash\fR {\fIsalt\fR} {\fIalgorithm\fR} {\fIiterations\fR} {\fIdomain\fR}
+.SH "DESCRIPTION"
+.PP
+\fBnsec3hash\fR
+generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity of NSEC3 records in a signed zone.
+.SH "ARGUMENTS"
+.PP
+salt
+.RS 4
+The salt provided to the hash algorithm.
+.RE
+.PP
+algorithm
+.RS 4
+A number indicating the hash algorithm. Currently the only supported hash algorithm for NSEC3 is SHA\-1, which is indicated by the number 1; consequently "1" is the only useful value for this argument.
+.RE
+.PP
+iterations
+.RS 4
+The number of additional times the hash should be performed.
+.RE
+.PP
+domain
+.RS 4
+The domain name to be hashed.
+.RE
+.SH "SEE ALSO"
+.PP
+BIND 9 Administrator Reference Manual,
+RFC 5155.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/tests/nsec3hash.c b/bin/tools/nsec3hash.c
index 4a4a782e..65bddf6f 100644
--- a/bin/tests/nsec3hash.c
+++ b/bin/tools/nsec3hash.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2006, 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3hash.c,v 1.4 2008/09/26 01:31:19 marka Exp $ */
+/* $Id: nsec3hash.c,v 1.4 2009/03/07 23:47:45 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/bin/tools/nsec3hash.docbook b/bin/tools/nsec3hash.docbook
new file mode 100644
index 00000000..d20eb83b
--- /dev/null
+++ b/bin/tools/nsec3hash.docbook
@@ -0,0 +1,125 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+	       [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: nsec3hash.docbook,v 1.3 2009/03/02 23:47:43 tbox Exp $ -->
+<refentry id="man.nsec3hash">
+  <refentryinfo>
+    <date>Feb 18, 2009</date>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>nsec3hash</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>nsec3hash</application></refname>
+    <refpurpose>generate NSEC3 hash</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2009</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>nsec3hash</command>
+      <arg choice="req"><replaceable class="parameter">salt</replaceable></arg>
+      <arg choice="req"><replaceable class="parameter">algorithm</replaceable></arg>
+      <arg choice="req"><replaceable class="parameter">iterations</replaceable></arg>
+      <arg choice="req"><replaceable class="parameter">domain</replaceable></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para>
+      <command>nsec3hash</command> generates an NSEC3 hash based on
+      a set of NSEC3 parameters.  This can be used to check the validity
+      of NSEC3 records in a signed zone.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>ARGUMENTS</title>
+    <variablelist>
+      <varlistentry>
+        <term>salt</term>
+        <listitem>
+          <para>
+            The salt provided to the hash algorithm.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>algorithm</term>
+        <listitem>
+          <para>
+            A number indicating the hash algorithm.  Currently the
+            only supported hash algorithm for NSEC3 is SHA-1, which is
+            indicated by the number 1; consequently "1" is the only
+            useful value for this argument.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>iterations</term>
+        <listitem>
+          <para>
+            The number of additional times the hash should be performed.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>domain</term>
+        <listitem>
+          <para>
+            The domain name to be hashed.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para>
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+      <citetitle>RFC 5155</citetitle>.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>AUTHOR</title>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
+    </para>
+  </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/bin/tools/nsec3hash.html b/bin/tools/nsec3hash.html
new file mode 100644
index 00000000..2d3433d0
--- /dev/null
+++ b/bin/tools/nsec3hash.html
@@ -0,0 +1,79 @@
+<!--
+ - Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: nsec3hash.html,v 1.4 2009/03/03 01:12:26 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>nsec3hash</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.nsec3hash"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">nsec3hash</span> &#8212; generate NSEC3 hash</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">nsec3hash</code>  {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543367"></a><h2>DESCRIPTION</h2>
+<p>
+      <span><strong class="command">nsec3hash</strong></span> generates an NSEC3 hash based on
+      a set of NSEC3 parameters.  This can be used to check the validity
+      of NSEC3 records in a signed zone.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543380"></a><h2>ARGUMENTS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">salt</span></dt>
+<dd><p>
+            The salt provided to the hash algorithm.
+          </p></dd>
+<dt><span class="term">algorithm</span></dt>
+<dd><p>
+            A number indicating the hash algorithm.  Currently the
+            only supported hash algorithm for NSEC3 is SHA-1, which is
+            indicated by the number 1; consequently "1" is the only
+            useful value for this argument.
+          </p></dd>
+<dt><span class="term">iterations</span></dt>
+<dd><p>
+            The number of additional times the hash should be performed.
+          </p></dd>
+<dt><span class="term">domain</span></dt>
+<dd><p>
+            The domain name to be hashed.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543442"></a><h2>SEE ALSO</h2>
+<p>
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+      <em class="citetitle">RFC 5155</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543459"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div></body>
+</html>
diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp
index 8d0df7e3..483719bb 100644
--- a/bin/win32/BINDInstall/BINDInstallDlg.cpp
+++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: BINDInstallDlg.cpp,v 1.37.228.4 2009/01/18 23:47:35 tbox Exp $ */
+/* $Id: BINDInstallDlg.cpp,v 1.41 2009/01/17 23:47:42 tbox Exp $ */
 
 /*
  * Copyright (c) 1999-2000 by Nortel Networks Corporation
diff --git a/config.guess b/config.guess
index c79aebcb..f8d6eac4 100644
--- a/config.guess
+++ b/config.guess
@@ -3,7 +3,7 @@
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
 #   2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
 
-timestamp='2004-09-07'
+timestamp='2009-01-17'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
diff --git a/config.h.in b/config.h.in
index 97b13c4a..f789b549 100644
--- a/config.h.in
+++ b/config.h.in
@@ -1,6 +1,6 @@
 /* config.h.in.  Generated from configure.in by autoheader.  */
 /*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +16,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.in,v 1.106.40.6 2009/03/13 05:35:43 marka Exp $ */
+/* $Id: config.h.in,v 1.115 2009/06/10 02:23:42 marka Exp $ */
 
 /*! \file */
 
@@ -217,6 +217,9 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the <net/if6.h> header file. */
 #undef HAVE_NET_IF6_H
 
+/* Define to 1 if you have the <regex.h> header file. */
+#undef HAVE_REGEX_H
+
 /* Define to 1 if you have the `setlocale' function. */
 #undef HAVE_SETLOCALE
 
@@ -313,13 +316,9 @@ int sigwait(const unsigned int *set, int *sig);
 /* define if idnkit support is to be included. */
 #undef WITH_IDN
 
-/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
-   significant byte first (like Motorola and SPARC, unlike Intel and VAX). */
-#if defined __BIG_ENDIAN__
-# define WORDS_BIGENDIAN 1
-#elif ! defined __LITTLE_ENDIAN__
-# undef WORDS_BIGENDIAN
-#endif
+/* Define to 1 if your processor stores words with the most significant byte
+   first (like Motorola and SPARC, unlike Intel and VAX). */
+#undef WORDS_BIGENDIAN
 
 /* Define to empty if `const' does not conform to ANSI C. */
 #undef const
diff --git a/configure b/configure
index 0e2803ed..08c60b39 100755
--- a/configure
+++ b/configure
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 #
-# $Id: configure,v 1.443.26.6 2009/03/13 05:35:43 marka Exp $
+# $Id: configure,v 1.456 2009/06/10 02:23:42 marka Exp $
 #
 # Portions Copyright (C) 1996-2001  Nominum, Inc.
 #
@@ -29,12 +29,12 @@
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 # OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# From configure.in Revision: 1.457.26.9 .
+# From configure.in Revision: 1.471 .
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.62.
+# Generated by GNU Autoconf 2.61.
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
-# 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
 # This configure script is free software; the Free Software Foundation
 # gives unlimited permission to copy, distribute and modify it.
 ## --------------------- ##
@@ -46,7 +46,7 @@ DUALCASE=1; export DUALCASE # for MKS sh
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
   emulate sh
   NULLCMD=:
-  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
+  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
   # is contrary to our usage.  Disable this feature.
   alias -g '${1+"$@"}'='"$@"'
   setopt NO_GLOB_SUBST
@@ -68,45 +68,17 @@ as_cr_Letters=$as_cr_letters$as_cr_LETTERS
 as_cr_digits='0123456789'
 as_cr_alnum=$as_cr_Letters$as_cr_digits
 
-as_nl='
-'
-export as_nl
-# Printing a long string crashes Solaris 7 /usr/bin/printf.
-as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
-as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
-as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
-if (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
-  as_echo='printf %s\n'
-  as_echo_n='printf %s'
-else
-  if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
-    as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
-    as_echo_n='/usr/ucb/echo -n'
-  else
-    as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
-    as_echo_n_body='eval
-      arg=$1;
-      case $arg in
-      *"$as_nl"*)
-	expr "X$arg" : "X\\(.*\\)$as_nl";
-	arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
-      esac;
-      expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
-    '
-    export as_echo_n_body
-    as_echo_n='sh -c $as_echo_n_body as_echo'
-  fi
-  export as_echo_body
-  as_echo='sh -c $as_echo_body as_echo'
-fi
-
 # The user is always right.
 if test "${PATH_SEPARATOR+set}" != set; then
-  PATH_SEPARATOR=:
-  (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
-    (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
-      PATH_SEPARATOR=';'
-  }
+  echo "#! /bin/sh" >conf$$.sh
+  echo  "exit 0"   >>conf$$.sh
+  chmod +x conf$$.sh
+  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
+    PATH_SEPARATOR=';'
+  else
+    PATH_SEPARATOR=:
+  fi
+  rm -f conf$$.sh
 fi
 
 # Support unset when possible.
@@ -122,6 +94,8 @@ fi
 # there to prevent editors from complaining about space-tab.
 # (If _AS_PATH_WALK were called with IFS unset, it would disable word
 # splitting by setting IFS to empty value.)
+as_nl='
+'
 IFS=" ""	$as_nl"
 
 # Find who we are.  Look in the path if we contain no directory separator.
@@ -144,7 +118,7 @@ if test "x$as_myself" = x; then
   as_myself=$0
 fi
 if test ! -f "$as_myself"; then
-  $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+  echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
   { (exit 1); exit 1; }
 fi
 
@@ -157,10 +131,17 @@ PS2='> '
 PS4='+ '
 
 # NLS nuisances.
-LC_ALL=C
-export LC_ALL
-LANGUAGE=C
-export LANGUAGE
+for as_var in \
+  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
+  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
+  LC_TELEPHONE LC_TIME
+do
+  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
+    eval $as_var=C; export $as_var
+  else
+    ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+  fi
+done
 
 # Required to use basename.
 if expr a : '\(a\)' >/dev/null 2>&1 &&
@@ -182,7 +163,7 @@ as_me=`$as_basename -- "$0" ||
 $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
 	 X"$0" : 'X\(//\)$' \| \
 	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
-$as_echo X/"$0" |
+echo X/"$0" |
     sed '/^.*\/\([^/][^/]*\)\/*$/{
 	    s//\1/
 	    q
@@ -208,7 +189,7 @@ else
   as_have_required=no
 fi
 
-  if test $as_have_required = yes &&	 (eval ":
+  if test $as_have_required = yes && 	 (eval ":
 (as_func_return () {
   (exit \$1)
 }
@@ -290,7 +271,7 @@ IFS=$as_save_IFS
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
   emulate sh
   NULLCMD=:
-  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
+  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
   # is contrary to our usage.  Disable this feature.
   alias -g '${1+"$@"}'='"$@"'
   setopt NO_GLOB_SUBST
@@ -311,7 +292,7 @@ _ASEOF
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
   emulate sh
   NULLCMD=:
-  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
+  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
   # is contrary to our usage.  Disable this feature.
   alias -g '${1+"$@"}'='"$@"'
   setopt NO_GLOB_SUBST
@@ -391,10 +372,10 @@ fi
 
       if test "x$CONFIG_SHELL" != x; then
   for as_var in BASH_ENV ENV
-	do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
-	done
-	export CONFIG_SHELL
-	exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
+        do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+        done
+        export CONFIG_SHELL
+        exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
 fi
 
 
@@ -463,10 +444,9 @@ fi
 
 test \$exitcode = 0") || {
   echo No shell found that supports shell functions.
-  echo Please tell bug-autoconf@gnu.org about your system,
-  echo including any error possibly output before this message.
-  echo This can help us improve future autoconf versions.
-  echo Configuration will now proceed without shell functions.
+  echo Please tell autoconf@gnu.org about your system,
+  echo including any error possibly output before this
+  echo message
 }
 
 
@@ -502,7 +482,7 @@ test \$exitcode = 0") || {
       s/-\n.*//
     ' >$as_me.lineno &&
   chmod +x "$as_me.lineno" ||
-    { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
+    { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
    { (exit 1); exit 1; }; }
 
   # Don't try to exec as it changes $[0], causing all sort of problems
@@ -530,6 +510,7 @@ case `echo -n x` in
 *)
   ECHO_N='-n';;
 esac
+
 if expr a : '\(a\)' >/dev/null 2>&1 &&
    test "X`expr 00001 : '.*\(...\)'`" = X001; then
   as_expr=expr
@@ -542,22 +523,19 @@ if test -d conf$$.dir; then
   rm -f conf$$.dir/conf$$.file
 else
   rm -f conf$$.dir
-  mkdir conf$$.dir 2>/dev/null
-fi
-if (echo >conf$$.file) 2>/dev/null; then
-  if ln -s conf$$.file conf$$ 2>/dev/null; then
-    as_ln_s='ln -s'
-    # ... but there are two gotchas:
-    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
-    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-    # In both cases, we have to default to `cp -p'.
-    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-      as_ln_s='cp -p'
-  elif ln conf$$.file conf$$ 2>/dev/null; then
-    as_ln_s=ln
-  else
+  mkdir conf$$.dir
+fi
+echo >conf$$.file
+if ln -s conf$$.file conf$$ 2>/dev/null; then
+  as_ln_s='ln -s'
+  # ... but there are two gotchas:
+  # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+  # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+  # In both cases, we have to default to `cp -p'.
+  ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
     as_ln_s='cp -p'
-  fi
+elif ln conf$$.file conf$$ 2>/dev/null; then
+  as_ln_s=ln
 else
   as_ln_s='cp -p'
 fi
@@ -582,10 +560,10 @@ else
   as_test_x='
     eval sh -c '\''
       if test -d "$1"; then
-	test -d "$1/.";
+        test -d "$1/.";
       else
 	case $1 in
-	-*)set "./$1";;
+        -*)set "./$1";;
 	esac;
 	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
 	???[sx]*):;;*)false;;esac;fi
@@ -913,6 +891,8 @@ ISC_PLATFORM_NEEDSYSSELECTH
 LWRES_PLATFORM_NEEDSYSSELECTH
 USE_OPENSSL
 DST_OPENSSL_INC
+ISC_PLATFORM_OPENSSLHASH
+ISC_OPENSSL_INC
 USE_PKCS11
 ISC_PLATFORM_HAVEGSSAPI
 ISC_PLATFORM_GSSAPIHEADER
@@ -1061,51 +1041,6 @@ LIBDNS_API
 LIBBIND9_API
 LIBLWRES_API
 DLZ_DRIVER_RULES'
-ac_user_opts='
-enable_option_checking
-enable_shared
-enable_static
-enable_fast_install
-with_gnu_ld
-enable_libtool_lock
-with_pic
-with_tags
-enable_libbind
-enable_kqueue
-enable_epoll
-enable_devpoll
-with_openssl
-enable_openssl_version_check
-with_pkcs11
-with_gssapi
-with_randomdev
-enable_threads
-with_ptl2
-with_libxml2
-enable_largefile
-with_purify
-with_libtool
-enable_ipv6
-with_kame
-enable_getifaddrs
-enable_isc_spnego
-enable_chroot
-enable_linux_caps
-enable_atomic
-enable_fixed_rrset
-with_docbook_xsl
-with_idn
-with_libiconv
-with_iconv
-with_idnlib
-with_dlz_postgres
-with_dlz_mysql
-with_dlz_bdb
-with_dlz_filesystem
-with_dlz_ldap
-with_dlz_odbc
-with_dlz_stub
-'
       ac_precious_vars='build_alias
 host_alias
 target_alias
@@ -1126,8 +1061,6 @@ FFLAGS'
 # Initialize some variables set by options.
 ac_init_help=
 ac_init_version=false
-ac_unrecognized_opts=
-ac_unrecognized_sep=
 # The variables have the same names as the options, with
 # dashes changed to underlines.
 cache_file=/dev/null
@@ -1226,21 +1159,13 @@ do
     datarootdir=$ac_optarg ;;
 
   -disable-* | --disable-*)
-    ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
+    ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
     # Reject names that are not valid shell variable names.
-    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-      { $as_echo "$as_me: error: invalid feature name: $ac_useropt" >&2
+    expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+      { echo "$as_me: error: invalid feature name: $ac_feature" >&2
    { (exit 1); exit 1; }; }
-    ac_useropt_orig=$ac_useropt
-    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
-    case $ac_user_opts in
-      *"
-"enable_$ac_useropt"
-"*) ;;
-      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig"
-	 ac_unrecognized_sep=', ';;
-    esac
-    eval enable_$ac_useropt=no ;;
+    ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
+    eval enable_$ac_feature=no ;;
 
   -docdir | --docdir | --docdi | --doc | --do)
     ac_prev=docdir ;;
@@ -1253,21 +1178,13 @@ do
     dvidir=$ac_optarg ;;
 
   -enable-* | --enable-*)
-    ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
+    ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
     # Reject names that are not valid shell variable names.
-    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-      { $as_echo "$as_me: error: invalid feature name: $ac_useropt" >&2
+    expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+      { echo "$as_me: error: invalid feature name: $ac_feature" >&2
    { (exit 1); exit 1; }; }
-    ac_useropt_orig=$ac_useropt
-    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
-    case $ac_user_opts in
-      *"
-"enable_$ac_useropt"
-"*) ;;
-      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig"
-	 ac_unrecognized_sep=', ';;
-    esac
-    eval enable_$ac_useropt=\$ac_optarg ;;
+    ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
+    eval enable_$ac_feature=\$ac_optarg ;;
 
   -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
   | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
@@ -1458,38 +1375,22 @@ do
     ac_init_version=: ;;
 
   -with-* | --with-*)
-    ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
+    ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
     # Reject names that are not valid shell variable names.
-    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-      { $as_echo "$as_me: error: invalid package name: $ac_useropt" >&2
+    expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+      { echo "$as_me: error: invalid package name: $ac_package" >&2
    { (exit 1); exit 1; }; }
-    ac_useropt_orig=$ac_useropt
-    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
-    case $ac_user_opts in
-      *"
-"with_$ac_useropt"
-"*) ;;
-      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig"
-	 ac_unrecognized_sep=', ';;
-    esac
-    eval with_$ac_useropt=\$ac_optarg ;;
+    ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
+    eval with_$ac_package=\$ac_optarg ;;
 
   -without-* | --without-*)
-    ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'`
+    ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'`
     # Reject names that are not valid shell variable names.
-    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
-      { $as_echo "$as_me: error: invalid package name: $ac_useropt" >&2
+    expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+      { echo "$as_me: error: invalid package name: $ac_package" >&2
    { (exit 1); exit 1; }; }
-    ac_useropt_orig=$ac_useropt
-    ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
-    case $ac_user_opts in
-      *"
-"with_$ac_useropt"
-"*) ;;
-      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig"
-	 ac_unrecognized_sep=', ';;
-    esac
-    eval with_$ac_useropt=no ;;
+    ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
+    eval with_$ac_package=no ;;
 
   --x)
     # Obsolete; use --with-x.
@@ -1509,7 +1410,7 @@ do
   | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
     x_libraries=$ac_optarg ;;
 
-  -*) { $as_echo "$as_me: error: unrecognized option: $ac_option
+  -*) { echo "$as_me: error: unrecognized option: $ac_option
 Try \`$0 --help' for more information." >&2
    { (exit 1); exit 1; }; }
     ;;
@@ -1518,16 +1419,16 @@ Try \`$0 --help' for more information." >&2
     ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
     # Reject names that are not valid shell variable names.
     expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null &&
-      { $as_echo "$as_me: error: invalid variable name: $ac_envvar" >&2
+      { echo "$as_me: error: invalid variable name: $ac_envvar" >&2
    { (exit 1); exit 1; }; }
     eval $ac_envvar=\$ac_optarg
     export $ac_envvar ;;
 
   *)
     # FIXME: should be removed in autoconf 3.0.
-    $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2
+    echo "$as_me: WARNING: you should use --build, --host, --target" >&2
     expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
-      $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2
+      echo "$as_me: WARNING: invalid host type: $ac_option" >&2
     : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}
     ;;
 
@@ -1536,38 +1437,22 @@ done
 
 if test -n "$ac_prev"; then
   ac_option=--`echo $ac_prev | sed 's/_/-/g'`
-  { $as_echo "$as_me: error: missing argument to $ac_option" >&2
+  { echo "$as_me: error: missing argument to $ac_option" >&2
    { (exit 1); exit 1; }; }
 fi
 
-if test -n "$ac_unrecognized_opts"; then
-  case $enable_option_checking in
-    no) ;;
-    fatal) { $as_echo "$as_me: error: Unrecognized options: $ac_unrecognized_opts" >&2
-   { (exit 1); exit 1; }; } ;;
-    *)     $as_echo "$as_me: WARNING: Unrecognized options: $ac_unrecognized_opts" >&2 ;;
-  esac
-fi
-
-# Check all directory arguments for consistency.
+# Be sure to have absolute directory names.
 for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
 		datadir sysconfdir sharedstatedir localstatedir includedir \
 		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
 		libdir localedir mandir
 do
   eval ac_val=\$$ac_var
-  # Remove trailing slashes.
-  case $ac_val in
-    */ )
-      ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'`
-      eval $ac_var=\$ac_val;;
-  esac
-  # Be sure to have absolute directory names.
   case $ac_val in
     [\\/$]* | ?:[\\/]* )  continue;;
     NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
   esac
-  { $as_echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
+  { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
    { (exit 1); exit 1; }; }
 done
 
@@ -1582,7 +1467,7 @@ target=$target_alias
 if test "x$host_alias" != x; then
   if test "x$build_alias" = x; then
     cross_compiling=maybe
-    $as_echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host.
+    echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host.
     If a cross compiler is detected then cross compile mode will be used." >&2
   elif test "x$build_alias" != "x$host_alias"; then
     cross_compiling=yes
@@ -1598,10 +1483,10 @@ test "$silent" = yes && exec 6>/dev/null
 ac_pwd=`pwd` && test -n "$ac_pwd" &&
 ac_ls_di=`ls -di .` &&
 ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
-  { $as_echo "$as_me: error: Working directory cannot be determined" >&2
+  { echo "$as_me: error: Working directory cannot be determined" >&2
    { (exit 1); exit 1; }; }
 test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
-  { $as_echo "$as_me: error: pwd does not report name of working directory" >&2
+  { echo "$as_me: error: pwd does not report name of working directory" >&2
    { (exit 1); exit 1; }; }
 
 
@@ -1609,12 +1494,12 @@ test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
 if test -z "$srcdir"; then
   ac_srcdir_defaulted=yes
   # Try the directory containing this script, then the parent directory.
-  ac_confdir=`$as_dirname -- "$as_myself" ||
-$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
-	 X"$as_myself" : 'X\(//\)[^/]' \| \
-	 X"$as_myself" : 'X\(//\)$' \| \
-	 X"$as_myself" : 'X\(/\)' \| . 2>/dev/null ||
-$as_echo X"$as_myself" |
+  ac_confdir=`$as_dirname -- "$0" ||
+$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+	 X"$0" : 'X\(//\)[^/]' \| \
+	 X"$0" : 'X\(//\)$' \| \
+	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+echo X"$0" |
     sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
 	    s//\1/
 	    q
@@ -1641,12 +1526,12 @@ else
 fi
 if test ! -r "$srcdir/$ac_unique_file"; then
   test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
-  { $as_echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
+  { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
    { (exit 1); exit 1; }; }
 fi
 ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
 ac_abs_confdir=`(
-	cd "$srcdir" && test -r "./$ac_unique_file" || { $as_echo "$as_me: error: $ac_msg" >&2
+	cd "$srcdir" && test -r "./$ac_unique_file" || { echo "$as_me: error: $ac_msg" >&2
    { (exit 1); exit 1; }; }
 	pwd)`
 # When building in place, set srcdir=.
@@ -1695,9 +1580,9 @@ Configuration:
 
 Installation directories:
   --prefix=PREFIX         install architecture-independent files in PREFIX
-                          [$ac_default_prefix]
+			  [$ac_default_prefix]
   --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
-                          [PREFIX]
+			  [PREFIX]
 
 By default, \`make install' will install all the files in
 \`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc.  You can specify
@@ -1707,25 +1592,25 @@ for instance \`--prefix=\$HOME'.
 For better control, use the options below.
 
 Fine tuning of the installation directories:
-  --bindir=DIR            user executables [EPREFIX/bin]
-  --sbindir=DIR           system admin executables [EPREFIX/sbin]
-  --libexecdir=DIR        program executables [EPREFIX/libexec]
-  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
-  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
-  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
-  --libdir=DIR            object code libraries [EPREFIX/lib]
-  --includedir=DIR        C header files [PREFIX/include]
-  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
-  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
-  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
-  --infodir=DIR           info documentation [DATAROOTDIR/info]
-  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
-  --mandir=DIR            man documentation [DATAROOTDIR/man]
-  --docdir=DIR            documentation root [DATAROOTDIR/doc/PACKAGE]
-  --htmldir=DIR           html documentation [DOCDIR]
-  --dvidir=DIR            dvi documentation [DOCDIR]
-  --pdfdir=DIR            pdf documentation [DOCDIR]
-  --psdir=DIR             ps documentation [DOCDIR]
+  --bindir=DIR           user executables [EPREFIX/bin]
+  --sbindir=DIR          system admin executables [EPREFIX/sbin]
+  --libexecdir=DIR       program executables [EPREFIX/libexec]
+  --sysconfdir=DIR       read-only single-machine data [PREFIX/etc]
+  --sharedstatedir=DIR   modifiable architecture-independent data [PREFIX/com]
+  --localstatedir=DIR    modifiable single-machine data [PREFIX/var]
+  --libdir=DIR           object code libraries [EPREFIX/lib]
+  --includedir=DIR       C header files [PREFIX/include]
+  --oldincludedir=DIR    C header files for non-gcc [/usr/include]
+  --datarootdir=DIR      read-only arch.-independent data root [PREFIX/share]
+  --datadir=DIR          read-only architecture-independent data [DATAROOTDIR]
+  --infodir=DIR          info documentation [DATAROOTDIR/info]
+  --localedir=DIR        locale-dependent data [DATAROOTDIR/locale]
+  --mandir=DIR           man documentation [DATAROOTDIR/man]
+  --docdir=DIR           documentation root [DATAROOTDIR/doc/PACKAGE]
+  --htmldir=DIR          html documentation [DOCDIR]
+  --dvidir=DIR           dvi documentation [DOCDIR]
+  --pdfdir=DIR           pdf documentation [DOCDIR]
+  --psdir=DIR            ps documentation [DOCDIR]
 _ACEOF
 
   cat <<\_ACEOF
@@ -1741,7 +1626,6 @@ if test -n "$ac_init_help"; then
   cat <<\_ACEOF
 
 Optional Features:
-  --disable-option-checking  ignore unrecognized --enable/--with options
   --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
   --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
   --enable-shared[=PKGS]  build shared libraries [default=yes]
@@ -1755,6 +1639,7 @@ Optional Features:
   --enable-devpoll        use /dev/poll when available [default=yes]
   --enable-openssl-version-check
                           Check OpenSSL Version [default=yes]
+  --enable-openssl-hash   use OpenSSL for hash functions [default=no]
   --enable-threads	enable multithreading
   --enable-largefile	  64-bit file support
   --enable-ipv6		use IPv6 default=autodetect
@@ -1829,17 +1714,15 @@ fi
 if test "$ac_init_help" = "recursive"; then
   # If there are subdirs, report their specific --help.
   for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
-    test -d "$ac_dir" ||
-      { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } ||
-      continue
+    test -d "$ac_dir" || continue
     ac_builddir=.
 
 case "$ac_dir" in
 .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
 *)
-  ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
+  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
   # A ".." for each directory in $ac_dir_suffix.
-  ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
+  ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
   case $ac_top_builddir_sub in
   "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
   *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
@@ -1875,7 +1758,7 @@ ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
       echo &&
       $SHELL "$ac_srcdir/configure" --help=recursive
     else
-      $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
+      echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
     fi || ac_status=$?
     cd "$ac_pwd" || { ac_status=$?; break; }
   done
@@ -1885,10 +1768,10 @@ test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
 configure
-generated by GNU Autoconf 2.62
+generated by GNU Autoconf 2.61
 
 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
-2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
 This configure script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it.
 _ACEOF
@@ -1899,7 +1782,7 @@ This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
 It was created by $as_me, which was
-generated by GNU Autoconf 2.62.  Invocation command line was
+generated by GNU Autoconf 2.61.  Invocation command line was
 
   $ $0 $@
 
@@ -1935,7 +1818,7 @@ for as_dir in $PATH
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
-  $as_echo "PATH: $as_dir"
+  echo "PATH: $as_dir"
 done
 IFS=$as_save_IFS
 
@@ -1970,7 +1853,7 @@ do
     | -silent | --silent | --silen | --sile | --sil)
       continue ;;
     *\'*)
-      ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
+      ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
     esac
     case $ac_pass in
     1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;;
@@ -2022,12 +1905,11 @@ _ASBOX
     case $ac_val in #(
     *${as_nl}*)
       case $ac_var in #(
-      *_cv_*) { $as_echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
-$as_echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
+      *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
       esac
       case $ac_var in #(
       _ | IFS | as_nl) ;; #(
-      BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
       *) $as_unset $ac_var ;;
       esac ;;
     esac
@@ -2057,9 +1939,9 @@ _ASBOX
     do
       eval ac_val=\$$ac_var
       case $ac_val in
-      *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+      *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
       esac
-      $as_echo "$ac_var='\''$ac_val'\''"
+      echo "$ac_var='\''$ac_val'\''"
     done | sort
     echo
 
@@ -2074,9 +1956,9 @@ _ASBOX
       do
 	eval ac_val=\$$ac_var
 	case $ac_val in
-	*\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+	*\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
 	esac
-	$as_echo "$ac_var='\''$ac_val'\''"
+	echo "$ac_var='\''$ac_val'\''"
       done | sort
       echo
     fi
@@ -2092,8 +1974,8 @@ _ASBOX
       echo
     fi
     test "$ac_signal" != 0 &&
-      $as_echo "$as_me: caught signal $ac_signal"
-    $as_echo "$as_me: exit $exit_status"
+      echo "$as_me: caught signal $ac_signal"
+    echo "$as_me: exit $exit_status"
   } >&5
   rm -f core *.core core.conftest.* &&
     rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
@@ -2135,24 +2017,21 @@ _ACEOF
 
 
 # Let the site file select an alternate cache file if it wants to.
-# Prefer an explicitly selected file to automatically selected ones.
-ac_site_file1=NONE
-ac_site_file2=NONE
+# Prefer explicitly selected file to automatically selected ones.
 if test -n "$CONFIG_SITE"; then
-  ac_site_file1=$CONFIG_SITE
+  set x "$CONFIG_SITE"
 elif test "x$prefix" != xNONE; then
-  ac_site_file1=$prefix/share/config.site
-  ac_site_file2=$prefix/etc/config.site
+  set x "$prefix/share/config.site" "$prefix/etc/config.site"
 else
-  ac_site_file1=$ac_default_prefix/share/config.site
-  ac_site_file2=$ac_default_prefix/etc/config.site
+  set x "$ac_default_prefix/share/config.site" \
+	"$ac_default_prefix/etc/config.site"
 fi
-for ac_site_file in "$ac_site_file1" "$ac_site_file2"
+shift
+for ac_site_file
 do
-  test "x$ac_site_file" = xNONE && continue
   if test -r "$ac_site_file"; then
-    { $as_echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
-$as_echo "$as_me: loading site script $ac_site_file" >&6;}
+    { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
+echo "$as_me: loading site script $ac_site_file" >&6;}
     sed 's/^/| /' "$ac_site_file" >&5
     . "$ac_site_file"
   fi
@@ -2162,16 +2041,16 @@ if test -r "$cache_file"; then
   # Some versions of bash will fail to source /dev/null (special
   # files actually), so we avoid doing that.
   if test -f "$cache_file"; then
-    { $as_echo "$as_me:$LINENO: loading cache $cache_file" >&5
-$as_echo "$as_me: loading cache $cache_file" >&6;}
+    { echo "$as_me:$LINENO: loading cache $cache_file" >&5
+echo "$as_me: loading cache $cache_file" >&6;}
     case $cache_file in
       [\\/]* | ?:[\\/]* ) . "$cache_file";;
       *)                      . "./$cache_file";;
     esac
   fi
 else
-  { $as_echo "$as_me:$LINENO: creating cache $cache_file" >&5
-$as_echo "$as_me: creating cache $cache_file" >&6;}
+  { echo "$as_me:$LINENO: creating cache $cache_file" >&5
+echo "$as_me: creating cache $cache_file" >&6;}
   >$cache_file
 fi
 
@@ -2185,38 +2064,29 @@ for ac_var in $ac_precious_vars; do
   eval ac_new_val=\$ac_env_${ac_var}_value
   case $ac_old_set,$ac_new_set in
     set,)
-      { $as_echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
-$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
+      { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
+echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
       ac_cache_corrupted=: ;;
     ,set)
-      { $as_echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5
-$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
+      { echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5
+echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
       ac_cache_corrupted=: ;;
     ,);;
     *)
       if test "x$ac_old_val" != "x$ac_new_val"; then
-	# differences in whitespace do not lead to failure.
-	ac_old_val_w=`echo x $ac_old_val`
-	ac_new_val_w=`echo x $ac_new_val`
-	if test "$ac_old_val_w" != "$ac_new_val_w"; then
-	  { $as_echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5
-$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
-	  ac_cache_corrupted=:
-	else
-	  { $as_echo "$as_me:$LINENO: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5
-$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;}
-	  eval $ac_var=\$ac_old_val
-	fi
-	{ $as_echo "$as_me:$LINENO:   former value:  \`$ac_old_val'" >&5
-$as_echo "$as_me:   former value:  \`$ac_old_val'" >&2;}
-	{ $as_echo "$as_me:$LINENO:   current value: \`$ac_new_val'" >&5
-$as_echo "$as_me:   current value: \`$ac_new_val'" >&2;}
+	{ echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5
+echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
+	{ echo "$as_me:$LINENO:   former value:  $ac_old_val" >&5
+echo "$as_me:   former value:  $ac_old_val" >&2;}
+	{ echo "$as_me:$LINENO:   current value: $ac_new_val" >&5
+echo "$as_me:   current value: $ac_new_val" >&2;}
+	ac_cache_corrupted=:
       fi;;
   esac
   # Pass precious variables to config.status.
   if test "$ac_new_set" = set; then
     case $ac_new_val in
-    *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
+    *\'*) ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
     *) ac_arg=$ac_var=$ac_new_val ;;
     esac
     case " $ac_configure_args " in
@@ -2226,10 +2096,10 @@ $as_echo "$as_me:   current value: \`$ac_new_val'" >&2;}
   fi
 done
 if $ac_cache_corrupted; then
-  { $as_echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5
-$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;}
-  { { $as_echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5
-$as_echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;}
+  { echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5
+echo "$as_me: error: changes in the environment can compromise the build" >&2;}
+  { { echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5
+echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
@@ -2278,8 +2148,8 @@ for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
   fi
 done
 if test -z "$ac_aux_dir"; then
-  { { $as_echo "$as_me:$LINENO: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&5
-$as_echo "$as_me: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&2;}
+  { { echo "$as_me:$LINENO: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&5
+echo "$as_me: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
@@ -2294,34 +2164,34 @@ ac_configure="$SHELL $ac_aux_dir/configure"  # Please don't use this var.
 
 # Make sure we can run config.sub.
 $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
-  { { $as_echo "$as_me:$LINENO: error: cannot run $SHELL $ac_aux_dir/config.sub" >&5
-$as_echo "$as_me: error: cannot run $SHELL $ac_aux_dir/config.sub" >&2;}
+  { { echo "$as_me:$LINENO: error: cannot run $SHELL $ac_aux_dir/config.sub" >&5
+echo "$as_me: error: cannot run $SHELL $ac_aux_dir/config.sub" >&2;}
    { (exit 1); exit 1; }; }
 
-{ $as_echo "$as_me:$LINENO: checking build system type" >&5
-$as_echo_n "checking build system type... " >&6; }
+{ echo "$as_me:$LINENO: checking build system type" >&5
+echo $ECHO_N "checking build system type... $ECHO_C" >&6; }
 if test "${ac_cv_build+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_build_alias=$build_alias
 test "x$ac_build_alias" = x &&
   ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"`
 test "x$ac_build_alias" = x &&
-  { { $as_echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5
-$as_echo "$as_me: error: cannot guess build type; you must specify one" >&2;}
+  { { echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5
+echo "$as_me: error: cannot guess build type; you must specify one" >&2;}
    { (exit 1); exit 1; }; }
 ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` ||
-  { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&5
-$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&2;}
+  { { echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&5
+echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&2;}
    { (exit 1); exit 1; }; }
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_build" >&5
-$as_echo "$ac_cv_build" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_build" >&5
+echo "${ECHO_T}$ac_cv_build" >&6; }
 case $ac_cv_build in
 *-*-*) ;;
-*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical build" >&5
-$as_echo "$as_me: error: invalid value of canonical build" >&2;}
+*) { { echo "$as_me:$LINENO: error: invalid value of canonical build" >&5
+echo "$as_me: error: invalid value of canonical build" >&2;}
    { (exit 1); exit 1; }; };;
 esac
 build=$ac_cv_build
@@ -2338,27 +2208,27 @@ IFS=$ac_save_IFS
 case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac
 
 
-{ $as_echo "$as_me:$LINENO: checking host system type" >&5
-$as_echo_n "checking host system type... " >&6; }
+{ echo "$as_me:$LINENO: checking host system type" >&5
+echo $ECHO_N "checking host system type... $ECHO_C" >&6; }
 if test "${ac_cv_host+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test "x$host_alias" = x; then
   ac_cv_host=$ac_cv_build
 else
   ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` ||
-    { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&5
-$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&2;}
+    { { echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&5
+echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_host" >&5
-$as_echo "$ac_cv_host" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_host" >&5
+echo "${ECHO_T}$ac_cv_host" >&6; }
 case $ac_cv_host in
 *-*-*) ;;
-*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical host" >&5
-$as_echo "$as_me: error: invalid value of canonical host" >&2;}
+*) { { echo "$as_me:$LINENO: error: invalid value of canonical host" >&5
+echo "$as_me: error: invalid value of canonical host" >&2;}
    { (exit 1); exit 1; }; };;
 esac
 host=$ac_cv_host
@@ -2376,12 +2246,11 @@ case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
 
 
 
-{ $as_echo "$as_me:$LINENO: checking whether ${MAKE-make} sets \$(MAKE)" >&5
-$as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; }
-set x ${MAKE-make}
-ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'`
+{ echo "$as_me:$LINENO: checking whether ${MAKE-make} sets \$(MAKE)" >&5
+echo $ECHO_N "checking whether ${MAKE-make} sets \$(MAKE)... $ECHO_C" >&6; }
+set x ${MAKE-make}; ac_make=`echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'`
 if { as_var=ac_cv_prog_make_${ac_make}_set; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.make <<\_ACEOF
 SHELL = /bin/sh
@@ -2398,15 +2267,28 @@ esac
 rm -f conftest.make
 fi
 if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
   SET_MAKE=
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
   SET_MAKE="MAKE=${MAKE-make}"
 fi
 
+
+#
+# GNU libtool support
+#
+case $build_os in
+sunos*)
+    # Just set the maximum command line length for sunos as it otherwise
+    # takes a exceptionally long time to work it out. Required for libtool.
+
+    lt_cv_sys_max_cmd_len=4096;
+    ;;
+esac
+
 # Check whether --enable-shared was given.
 if test "${enable_shared+set}" = set; then
   enableval=$enable_shared; p=${PACKAGE-default}
@@ -2487,10 +2369,10 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
 set dummy ${ac_tool_prefix}gcc; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_CC+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$CC"; then
   ac_cv_prog_CC="$CC" # Let the user override the test.
@@ -2503,7 +2385,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_CC="${ac_tool_prefix}gcc"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -2514,11 +2396,11 @@ fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  { $as_echo "$as_me:$LINENO: result: $CC" >&5
-$as_echo "$CC" >&6; }
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -2527,10 +2409,10 @@ if test -z "$ac_cv_prog_CC"; then
   ac_ct_CC=$CC
   # Extract the first word of "gcc", so it can be a program name with args.
 set dummy gcc; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$ac_ct_CC"; then
   ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
@@ -2543,7 +2425,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_CC="gcc"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -2554,11 +2436,11 @@ fi
 fi
 ac_ct_CC=$ac_cv_prog_ac_ct_CC
 if test -n "$ac_ct_CC"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-$as_echo "$ac_ct_CC" >&6; }
+  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
   if test "x$ac_ct_CC" = x; then
@@ -2566,10 +2448,10 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&5
-$as_echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&2;}
 ac_tool_warned=yes ;;
@@ -2584,10 +2466,10 @@ if test -z "$CC"; then
           if test -n "$ac_tool_prefix"; then
     # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
 set dummy ${ac_tool_prefix}cc; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_CC+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$CC"; then
   ac_cv_prog_CC="$CC" # Let the user override the test.
@@ -2600,7 +2482,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_CC="${ac_tool_prefix}cc"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -2611,11 +2493,11 @@ fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  { $as_echo "$as_me:$LINENO: result: $CC" >&5
-$as_echo "$CC" >&6; }
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -2624,10 +2506,10 @@ fi
 if test -z "$CC"; then
   # Extract the first word of "cc", so it can be a program name with args.
 set dummy cc; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_CC+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$CC"; then
   ac_cv_prog_CC="$CC" # Let the user override the test.
@@ -2645,7 +2527,7 @@ do
        continue
      fi
     ac_cv_prog_CC="cc"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -2668,11 +2550,11 @@ fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  { $as_echo "$as_me:$LINENO: result: $CC" >&5
-$as_echo "$CC" >&6; }
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -2683,10 +2565,10 @@ if test -z "$CC"; then
   do
     # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
 set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_CC+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$CC"; then
   ac_cv_prog_CC="$CC" # Let the user override the test.
@@ -2699,7 +2581,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -2710,11 +2592,11 @@ fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  { $as_echo "$as_me:$LINENO: result: $CC" >&5
-$as_echo "$CC" >&6; }
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -2727,10 +2609,10 @@ if test -z "$CC"; then
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$ac_ct_CC"; then
   ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
@@ -2743,7 +2625,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_CC="$ac_prog"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -2754,11 +2636,11 @@ fi
 fi
 ac_ct_CC=$ac_cv_prog_ac_ct_CC
 if test -n "$ac_ct_CC"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-$as_echo "$ac_ct_CC" >&6; }
+  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -2770,10 +2652,10 @@ done
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&5
-$as_echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&2;}
 ac_tool_warned=yes ;;
@@ -2785,48 +2667,44 @@ fi
 fi
 
 
-test -z "$CC" && { { $as_echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
+test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
 See \`config.log' for more details." >&5
-$as_echo "$as_me: error: no acceptable C compiler found in \$PATH
+echo "$as_me: error: no acceptable C compiler found in \$PATH
 See \`config.log' for more details." >&2;}
    { (exit 1); exit 1; }; }
 
 # Provide some information about the compiler.
-$as_echo "$as_me:$LINENO: checking for C compiler version" >&5
-set X $ac_compile
-ac_compiler=$2
+echo "$as_me:$LINENO: checking for C compiler version" >&5
+ac_compiler=`set X $ac_compile; echo $2`
 { (ac_try="$ac_compiler --version >&5"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compiler --version >&5") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
 { (ac_try="$ac_compiler -v >&5"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compiler -v >&5") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
 { (ac_try="$ac_compiler -V >&5"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compiler -V >&5") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
 
 cat >conftest.$ac_ext <<_ACEOF
@@ -2845,22 +2723,27 @@ main ()
 }
 _ACEOF
 ac_clean_files_save=$ac_clean_files
-ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out"
+ac_clean_files="$ac_clean_files a.out a.exe b.out"
 # Try to create an executable without -o first, disregard a.out.
 # It will help us diagnose broken compilers, and finding out an intuition
 # of exeext.
-{ $as_echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
-$as_echo_n "checking for C compiler default output file name... " >&6; }
-ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
-
-# The possible output files:
-ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*"
-
+{ echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
+echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6; }
+ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
+#
+# List of possible output files, starting from the most likely.
+# The algorithm is not robust to junk in `.', hence go to wildcards (a.*)
+# only as a last resort.  b.out is created by i960 compilers.
+ac_files='a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out'
+#
+# The IRIX 6 linker writes into existing files which may not be
+# executable, retaining their permissions.  Remove them first so a
+# subsequent execution test works.
 ac_rmfiles=
 for ac_file in $ac_files
 do
   case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
     * ) ac_rmfiles="$ac_rmfiles $ac_file";;
   esac
 done
@@ -2871,11 +2754,10 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link_default") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
   # Autoconf-2.13 could set the ac_cv_exeext variable to `no'.
 # So ignore a value of `no', otherwise this would lead to `EXEEXT = no'
@@ -2886,7 +2768,7 @@ for ac_file in $ac_files ''
 do
   test -f "$ac_file" || continue
   case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj )
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj )
 	;;
     [ab].out )
 	# We found the default executable, but exeext='' is most
@@ -2913,15 +2795,15 @@ else
   ac_file=''
 fi
 
-{ $as_echo "$as_me:$LINENO: result: $ac_file" >&5
-$as_echo "$ac_file" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_file" >&5
+echo "${ECHO_T}$ac_file" >&6; }
 if test -z "$ac_file"; then
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-{ { $as_echo "$as_me:$LINENO: error: C compiler cannot create executables
+{ { echo "$as_me:$LINENO: error: C compiler cannot create executables
 See \`config.log' for more details." >&5
-$as_echo "$as_me: error: C compiler cannot create executables
+echo "$as_me: error: C compiler cannot create executables
 See \`config.log' for more details." >&2;}
    { (exit 77); exit 77; }; }
 fi
@@ -2930,8 +2812,8 @@ ac_exeext=$ac_cv_exeext
 
 # Check that the compiler produces executables we can run.  If not, either
 # the compiler is broken, or we cross compile.
-{ $as_echo "$as_me:$LINENO: checking whether the C compiler works" >&5
-$as_echo_n "checking whether the C compiler works... " >&6; }
+{ echo "$as_me:$LINENO: checking whether the C compiler works" >&5
+echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6; }
 # FIXME: These cross compiler hacks should be removed for Autoconf 3.0
 # If not cross compiling, check that we can run a simple program.
 if test "$cross_compiling" != yes; then
@@ -2940,51 +2822,49 @@ if test "$cross_compiling" != yes; then
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_try") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
     cross_compiling=no
   else
     if test "$cross_compiling" = maybe; then
 	cross_compiling=yes
     else
-	{ { $as_echo "$as_me:$LINENO: error: cannot run C compiled programs.
+	{ { echo "$as_me:$LINENO: error: cannot run C compiled programs.
 If you meant to cross compile, use \`--host'.
 See \`config.log' for more details." >&5
-$as_echo "$as_me: error: cannot run C compiled programs.
+echo "$as_me: error: cannot run C compiled programs.
 If you meant to cross compile, use \`--host'.
 See \`config.log' for more details." >&2;}
    { (exit 1); exit 1; }; }
     fi
   fi
 fi
-{ $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 
-rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out
+rm -f a.out a.exe conftest$ac_cv_exeext b.out
 ac_clean_files=$ac_clean_files_save
 # Check that the compiler produces executables we can run.  If not, either
 # the compiler is broken, or we cross compile.
-{ $as_echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
-$as_echo_n "checking whether we are cross compiling... " >&6; }
-{ $as_echo "$as_me:$LINENO: result: $cross_compiling" >&5
-$as_echo "$cross_compiling" >&6; }
+{ echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
+echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: result: $cross_compiling" >&5
+echo "${ECHO_T}$cross_compiling" >&6; }
 
-{ $as_echo "$as_me:$LINENO: checking for suffix of executables" >&5
-$as_echo_n "checking for suffix of executables... " >&6; }
+{ echo "$as_me:$LINENO: checking for suffix of executables" >&5
+echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6; }
 if { (ac_try="$ac_link"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
   # If both `conftest.exe' and `conftest' are `present' (well, observable)
 # catch `conftest.exe'.  For instance with Cygwin, `ls conftest' will
@@ -2993,31 +2873,31 @@ $as_echo "$ac_try_echo") >&5
 for ac_file in conftest.exe conftest conftest.*; do
   test -f "$ac_file" || continue
   case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
     *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
 	  break;;
     * ) break;;
   esac
 done
 else
-  { { $as_echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link
+  { { echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link
 See \`config.log' for more details." >&5
-$as_echo "$as_me: error: cannot compute suffix of executables: cannot compile and link
+echo "$as_me: error: cannot compute suffix of executables: cannot compile and link
 See \`config.log' for more details." >&2;}
    { (exit 1); exit 1; }; }
 fi
 
 rm -f conftest$ac_cv_exeext
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
-$as_echo "$ac_cv_exeext" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
+echo "${ECHO_T}$ac_cv_exeext" >&6; }
 
 rm -f conftest.$ac_ext
 EXEEXT=$ac_cv_exeext
 ac_exeext=$EXEEXT
-{ $as_echo "$as_me:$LINENO: checking for suffix of object files" >&5
-$as_echo_n "checking for suffix of object files... " >&6; }
+{ echo "$as_me:$LINENO: checking for suffix of object files" >&5
+echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6; }
 if test "${ac_cv_objext+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -3040,41 +2920,40 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
   for ac_file in conftest.o conftest.obj conftest.*; do
   test -f "$ac_file" || continue;
   case $ac_file in
-    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;;
+    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf ) ;;
     *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
        break;;
   esac
 done
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-{ { $as_echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile
+{ { echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile
 See \`config.log' for more details." >&5
-$as_echo "$as_me: error: cannot compute suffix of object files: cannot compile
+echo "$as_me: error: cannot compute suffix of object files: cannot compile
 See \`config.log' for more details." >&2;}
    { (exit 1); exit 1; }; }
 fi
 
 rm -f conftest.$ac_cv_objext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
-$as_echo "$ac_cv_objext" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
+echo "${ECHO_T}$ac_cv_objext" >&6; }
 OBJEXT=$ac_cv_objext
 ac_objext=$OBJEXT
-{ $as_echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
-$as_echo_n "checking whether we are using the GNU C compiler... " >&6; }
+{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; }
 if test "${ac_cv_c_compiler_gnu+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -3100,21 +2979,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_compiler_gnu=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_compiler_gnu=no
@@ -3124,19 +3002,15 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 ac_cv_c_compiler_gnu=$ac_compiler_gnu
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
-$as_echo "$ac_cv_c_compiler_gnu" >&6; }
-if test $ac_compiler_gnu = yes; then
-  GCC=yes
-else
-  GCC=
-fi
+{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; }
+GCC=`test $ac_compiler_gnu = yes && echo yes`
 ac_test_CFLAGS=${CFLAGS+set}
 ac_save_CFLAGS=$CFLAGS
-{ $as_echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
-$as_echo_n "checking whether $CC accepts -g... " >&6; }
+{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
+echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; }
 if test "${ac_cv_prog_cc_g+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_save_c_werror_flag=$ac_c_werror_flag
    ac_c_werror_flag=yes
@@ -3163,21 +3037,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_cv_prog_cc_g=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	CFLAGS=""
@@ -3202,21 +3075,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   :
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_c_werror_flag=$ac_save_c_werror_flag
@@ -3242,21 +3114,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_cv_prog_cc_g=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
@@ -3271,8 +3142,8 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
    ac_c_werror_flag=$ac_save_c_werror_flag
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
-$as_echo "$ac_cv_prog_cc_g" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; }
 if test "$ac_test_CFLAGS" = set; then
   CFLAGS=$ac_save_CFLAGS
 elif test $ac_cv_prog_cc_g = yes; then
@@ -3288,10 +3159,10 @@ else
     CFLAGS=
   fi
 fi
-{ $as_echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
-$as_echo_n "checking for $CC option to accept ISO C89... " >&6; }
+{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
+echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; }
 if test "${ac_cv_prog_cc_c89+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_cv_prog_cc_c89=no
 ac_save_CC=$CC
@@ -3362,21 +3233,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_cv_prog_cc_c89=$ac_arg
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
@@ -3392,15 +3262,15 @@ fi
 # AC_CACHE_VAL
 case "x$ac_cv_prog_cc_c89" in
   x)
-    { $as_echo "$as_me:$LINENO: result: none needed" >&5
-$as_echo "none needed" >&6; } ;;
+    { echo "$as_me:$LINENO: result: none needed" >&5
+echo "${ECHO_T}none needed" >&6; } ;;
   xno)
-    { $as_echo "$as_me:$LINENO: result: unsupported" >&5
-$as_echo "unsupported" >&6; } ;;
+    { echo "$as_me:$LINENO: result: unsupported" >&5
+echo "${ECHO_T}unsupported" >&6; } ;;
   *)
     CC="$CC $ac_cv_prog_cc_c89"
-    { $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
-$as_echo "$ac_cv_prog_cc_c89" >&6; } ;;
+    { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;;
 esac
 
 
@@ -3410,10 +3280,10 @@ ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
-{ $as_echo "$as_me:$LINENO: checking for a sed that does not truncate output" >&5
-$as_echo_n "checking for a sed that does not truncate output... " >&6; }
+{ echo "$as_me:$LINENO: checking for a sed that does not truncate output" >&5
+echo $ECHO_N "checking for a sed that does not truncate output... $ECHO_C" >&6; }
 if test "${lt_cv_path_SED+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   # Loop through the user's path and test for sed and gsed.
 # Then use that list of sed's as ones to test for truncation.
@@ -3466,40 +3336,45 @@ fi
 
 SED=$lt_cv_path_SED
 
-{ $as_echo "$as_me:$LINENO: result: $SED" >&5
-$as_echo "$SED" >&6; }
+{ echo "$as_me:$LINENO: result: $SED" >&5
+echo "${ECHO_T}$SED" >&6; }
 
-{ $as_echo "$as_me:$LINENO: checking for grep that handles long lines and -e" >&5
-$as_echo_n "checking for grep that handles long lines and -e... " >&6; }
+{ echo "$as_me:$LINENO: checking for grep that handles long lines and -e" >&5
+echo $ECHO_N "checking for grep that handles long lines and -e... $ECHO_C" >&6; }
+if test "${ac_cv_path_GREP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  # Extract the first word of "grep ggrep" to use in msg output
+if test -z "$GREP"; then
+set dummy grep ggrep; ac_prog_name=$2
 if test "${ac_cv_path_GREP+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  if test -z "$GREP"; then
   ac_path_GREP_found=false
-  # Loop through the user's path and test for each of PROGNAME-LIST
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+# Loop through the user's path and test for each of PROGNAME-LIST
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_prog in grep ggrep; do
-    for ac_exec_ext in '' $ac_executable_extensions; do
-      ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
-      { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
-# Check for GNU ac_path_GREP and select it if it is found.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+    ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
+    { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
+    # Check for GNU ac_path_GREP and select it if it is found.
   # Check for GNU $ac_path_GREP
 case `"$ac_path_GREP" --version 2>&1` in
 *GNU*)
   ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;;
 *)
   ac_count=0
-  $as_echo_n 0123456789 >"conftest.in"
+  echo $ECHO_N "0123456789$ECHO_C" >"conftest.in"
   while :
   do
     cat "conftest.in" "conftest.in" >"conftest.tmp"
     mv "conftest.tmp" "conftest.in"
     cp "conftest.in" "conftest.nl"
-    $as_echo 'GREP' >> "conftest.nl"
+    echo 'GREP' >> "conftest.nl"
     "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break
     diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
     ac_count=`expr $ac_count + 1`
@@ -3514,60 +3389,74 @@ case `"$ac_path_GREP" --version 2>&1` in
   rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
 esac
 
-      $ac_path_GREP_found && break 3
-    done
+
+    $ac_path_GREP_found && break 3
   done
 done
+
+done
 IFS=$as_save_IFS
-  if test -z "$ac_cv_path_GREP"; then
-    { { $as_echo "$as_me:$LINENO: error: no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
-$as_echo "$as_me: error: no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
+
+
+fi
+
+GREP="$ac_cv_path_GREP"
+if test -z "$GREP"; then
+  { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
+echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
    { (exit 1); exit 1; }; }
-  fi
+fi
+
 else
   ac_cv_path_GREP=$GREP
 fi
 
+
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_GREP" >&5
-$as_echo "$ac_cv_path_GREP" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_path_GREP" >&5
+echo "${ECHO_T}$ac_cv_path_GREP" >&6; }
  GREP="$ac_cv_path_GREP"
 
 
-{ $as_echo "$as_me:$LINENO: checking for egrep" >&5
-$as_echo_n "checking for egrep... " >&6; }
+{ echo "$as_me:$LINENO: checking for egrep" >&5
+echo $ECHO_N "checking for egrep... $ECHO_C" >&6; }
 if test "${ac_cv_path_EGREP+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
    then ac_cv_path_EGREP="$GREP -E"
    else
-     if test -z "$EGREP"; then
+     # Extract the first word of "egrep" to use in msg output
+if test -z "$EGREP"; then
+set dummy egrep; ac_prog_name=$2
+if test "${ac_cv_path_EGREP+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
   ac_path_EGREP_found=false
-  # Loop through the user's path and test for each of PROGNAME-LIST
-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+# Loop through the user's path and test for each of PROGNAME-LIST
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
   for ac_prog in egrep; do
-    for ac_exec_ext in '' $ac_executable_extensions; do
-      ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
-      { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
-# Check for GNU ac_path_EGREP and select it if it is found.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+    ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
+    { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
+    # Check for GNU ac_path_EGREP and select it if it is found.
   # Check for GNU $ac_path_EGREP
 case `"$ac_path_EGREP" --version 2>&1` in
 *GNU*)
   ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;;
 *)
   ac_count=0
-  $as_echo_n 0123456789 >"conftest.in"
+  echo $ECHO_N "0123456789$ECHO_C" >"conftest.in"
   while :
   do
     cat "conftest.in" "conftest.in" >"conftest.tmp"
     mv "conftest.tmp" "conftest.in"
     cp "conftest.in" "conftest.nl"
-    $as_echo 'EGREP' >> "conftest.nl"
+    echo 'EGREP' >> "conftest.nl"
     "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
     diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
     ac_count=`expr $ac_count + 1`
@@ -3582,24 +3471,33 @@ case `"$ac_path_EGREP" --version 2>&1` in
   rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
 esac
 
-      $ac_path_EGREP_found && break 3
-    done
+
+    $ac_path_EGREP_found && break 3
   done
 done
+
+done
 IFS=$as_save_IFS
-  if test -z "$ac_cv_path_EGREP"; then
-    { { $as_echo "$as_me:$LINENO: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
-$as_echo "$as_me: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
+
+
+fi
+
+EGREP="$ac_cv_path_EGREP"
+if test -z "$EGREP"; then
+  { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
+echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
    { (exit 1); exit 1; }; }
-  fi
+fi
+
 else
   ac_cv_path_EGREP=$EGREP
 fi
 
+
    fi
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5
-$as_echo "$ac_cv_path_EGREP" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5
+echo "${ECHO_T}$ac_cv_path_EGREP" >&6; }
  EGREP="$ac_cv_path_EGREP"
 
 
@@ -3614,8 +3512,8 @@ fi
 ac_prog=ld
 if test "$GCC" = yes; then
   # Check if gcc -print-prog-name=ld gives a path.
-  { $as_echo "$as_me:$LINENO: checking for ld used by $CC" >&5
-$as_echo_n "checking for ld used by $CC... " >&6; }
+  { echo "$as_me:$LINENO: checking for ld used by $CC" >&5
+echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6; }
   case $host in
   *-*-mingw*)
     # gcc leaves a trailing carriage return which upsets mingw
@@ -3644,14 +3542,14 @@ $as_echo_n "checking for ld used by $CC... " >&6; }
     ;;
   esac
 elif test "$with_gnu_ld" = yes; then
-  { $as_echo "$as_me:$LINENO: checking for GNU ld" >&5
-$as_echo_n "checking for GNU ld... " >&6; }
+  { echo "$as_me:$LINENO: checking for GNU ld" >&5
+echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: checking for non-GNU ld" >&5
-$as_echo_n "checking for non-GNU ld... " >&6; }
+  { echo "$as_me:$LINENO: checking for non-GNU ld" >&5
+echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6; }
 fi
 if test "${lt_cv_path_LD+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -z "$LD"; then
   lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
@@ -3681,19 +3579,19 @@ fi
 
 LD="$lt_cv_path_LD"
 if test -n "$LD"; then
-  { $as_echo "$as_me:$LINENO: result: $LD" >&5
-$as_echo "$LD" >&6; }
+  { echo "$as_me:$LINENO: result: $LD" >&5
+echo "${ECHO_T}$LD" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
-test -z "$LD" && { { $as_echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
-$as_echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
+test -z "$LD" && { { echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
+echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
    { (exit 1); exit 1; }; }
-{ $as_echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
-$as_echo_n "checking if the linker ($LD) is GNU ld... " >&6; }
+{ echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
+echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6; }
 if test "${lt_cv_prog_gnu_ld+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   # I'd rather use --version here, but apparently some GNU lds only accept -v.
 case `$LD -v 2>&1 </dev/null` in
@@ -3705,20 +3603,20 @@ case `$LD -v 2>&1 </dev/null` in
   ;;
 esac
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
-$as_echo "$lt_cv_prog_gnu_ld" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
+echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6; }
 with_gnu_ld=$lt_cv_prog_gnu_ld
 
 
-{ $as_echo "$as_me:$LINENO: checking for $LD option to reload object files" >&5
-$as_echo_n "checking for $LD option to reload object files... " >&6; }
+{ echo "$as_me:$LINENO: checking for $LD option to reload object files" >&5
+echo $ECHO_N "checking for $LD option to reload object files... $ECHO_C" >&6; }
 if test "${lt_cv_ld_reload_flag+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_ld_reload_flag='-r'
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_ld_reload_flag" >&5
-$as_echo "$lt_cv_ld_reload_flag" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_ld_reload_flag" >&5
+echo "${ECHO_T}$lt_cv_ld_reload_flag" >&6; }
 reload_flag=$lt_cv_ld_reload_flag
 case $reload_flag in
 "" | " "*) ;;
@@ -3735,10 +3633,10 @@ case $host_os in
     ;;
 esac
 
-{ $as_echo "$as_me:$LINENO: checking for BSD-compatible nm" >&5
-$as_echo_n "checking for BSD-compatible nm... " >&6; }
+{ echo "$as_me:$LINENO: checking for BSD-compatible nm" >&5
+echo $ECHO_N "checking for BSD-compatible nm... $ECHO_C" >&6; }
 if test "${lt_cv_path_NM+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$NM"; then
   # Let the user override the test.
@@ -3784,25 +3682,25 @@ else
   test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm
 fi
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_path_NM" >&5
-$as_echo "$lt_cv_path_NM" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_path_NM" >&5
+echo "${ECHO_T}$lt_cv_path_NM" >&6; }
 NM="$lt_cv_path_NM"
 
-{ $as_echo "$as_me:$LINENO: checking whether ln -s works" >&5
-$as_echo_n "checking whether ln -s works... " >&6; }
+{ echo "$as_me:$LINENO: checking whether ln -s works" >&5
+echo $ECHO_N "checking whether ln -s works... $ECHO_C" >&6; }
 LN_S=$as_ln_s
 if test "$LN_S" = "ln -s"; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no, using $LN_S" >&5
-$as_echo "no, using $LN_S" >&6; }
+  { echo "$as_me:$LINENO: result: no, using $LN_S" >&5
+echo "${ECHO_T}no, using $LN_S" >&6; }
 fi
 
-{ $as_echo "$as_me:$LINENO: checking how to recognize dependent libraries" >&5
-$as_echo_n "checking how to recognize dependent libraries... " >&6; }
+{ echo "$as_me:$LINENO: checking how to recognize dependent libraries" >&5
+echo $ECHO_N "checking how to recognize dependent libraries... $ECHO_C" >&6; }
 if test "${lt_cv_deplibs_check_method+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_file_magic_cmd='$MAGIC_CMD'
 lt_cv_file_magic_test_file=
@@ -3985,8 +3883,8 @@ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
 esac
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_deplibs_check_method" >&5
-$as_echo "$lt_cv_deplibs_check_method" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_deplibs_check_method" >&5
+echo "${ECHO_T}$lt_cv_deplibs_check_method" >&6; }
 file_magic_cmd=$lt_cv_file_magic_cmd
 deplibs_check_method=$lt_cv_deplibs_check_method
 test -z "$deplibs_check_method" && deplibs_check_method=unknown
@@ -4020,7 +3918,7 @@ ia64-*-hpux*)
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
     case `/usr/bin/file conftest.$ac_objext` in
     *ELF-32*)
@@ -4035,11 +3933,11 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 4038 "configure"' > conftest.$ac_ext
+  echo '#line 3936 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
    if test "$lt_cv_prog_gnu_ld" = yes; then
     case `/usr/bin/file conftest.$ac_objext` in
@@ -4077,7 +3975,7 @@ s390*-*linux*|sparc*-*linux*)
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
     case `/usr/bin/file conftest.o` in
     *32-bit*)
@@ -4127,10 +4025,10 @@ s390*-*linux*|sparc*-*linux*)
   # On SCO OpenServer 5, we need -belf to get full-featured binaries.
   SAVE_CFLAGS="$CFLAGS"
   CFLAGS="$CFLAGS -belf"
-  { $as_echo "$as_me:$LINENO: checking whether the C compiler needs -belf" >&5
-$as_echo_n "checking whether the C compiler needs -belf... " >&6; }
+  { echo "$as_me:$LINENO: checking whether the C compiler needs -belf" >&5
+echo $ECHO_N "checking whether the C compiler needs -belf... $ECHO_C" >&6; }
 if test "${lt_cv_cc_needs_belf+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
@@ -4159,30 +4057,26 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   lt_cv_cc_needs_belf=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	lt_cv_cc_needs_belf=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
      ac_ext=c
@@ -4192,8 +4086,8 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_cc_needs_belf" >&5
-$as_echo "$lt_cv_cc_needs_belf" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_cc_needs_belf" >&5
+echo "${ECHO_T}$lt_cv_cc_needs_belf" >&6; }
   if test x"$lt_cv_cc_needs_belf" != x"yes"; then
     # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
     CFLAGS="$SAVE_CFLAGS"
@@ -4205,7 +4099,7 @@ sparc*-*solaris*)
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
     case `/usr/bin/file conftest.o` in
     *64-bit*)
@@ -4234,15 +4128,15 @@ ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
-{ $as_echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5
-$as_echo_n "checking how to run the C preprocessor... " >&6; }
+{ echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5
+echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6; }
 # On Suns, sometimes $CPP names a directory.
 if test -n "$CPP" && test -d "$CPP"; then
   CPP=
 fi
 if test -z "$CPP"; then
   if test "${ac_cv_prog_CPP+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
       # Double quotes because CPP needs to be expanded
     for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
@@ -4274,21 +4168,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   :
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   # Broken: fails on valid input.
@@ -4312,14 +4205,13 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
@@ -4327,7 +4219,7 @@ $as_echo "$ac_try_echo") >&5
   # Broken: success on invalid input.
 continue
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   # Passes both tests.
@@ -4352,8 +4244,8 @@ fi
 else
   ac_cv_prog_CPP=$CPP
 fi
-{ $as_echo "$as_me:$LINENO: result: $CPP" >&5
-$as_echo "$CPP" >&6; }
+{ echo "$as_me:$LINENO: result: $CPP" >&5
+echo "${ECHO_T}$CPP" >&6; }
 ac_preproc_ok=false
 for ac_c_preproc_warn_flag in '' yes
 do
@@ -4381,21 +4273,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   :
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   # Broken: fails on valid input.
@@ -4419,14 +4310,13 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
@@ -4434,7 +4324,7 @@ $as_echo "$ac_try_echo") >&5
   # Broken: success on invalid input.
 continue
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   # Passes both tests.
@@ -4450,9 +4340,9 @@ rm -f conftest.err conftest.$ac_ext
 if $ac_preproc_ok; then
   :
 else
-  { { $as_echo "$as_me:$LINENO: error: C preprocessor \"$CPP\" fails sanity check
+  { { echo "$as_me:$LINENO: error: C preprocessor \"$CPP\" fails sanity check
 See \`config.log' for more details." >&5
-$as_echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check
+echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check
 See \`config.log' for more details." >&2;}
    { (exit 1); exit 1; }; }
 fi
@@ -4464,10 +4354,10 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
-{ $as_echo "$as_me:$LINENO: checking for ANSI C header files" >&5
-$as_echo_n "checking for ANSI C header files... " >&6; }
+{ echo "$as_me:$LINENO: checking for ANSI C header files" >&5
+echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6; }
 if test "${ac_cv_header_stdc+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -4494,21 +4384,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_cv_header_stdc=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_header_stdc=no
@@ -4600,40 +4489,37 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
   { (case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_try") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
   :
 else
-  $as_echo "$as_me: program exited with status $ac_status" >&5
-$as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 ( exit $ac_status )
 ac_cv_header_stdc=no
 fi
-rm -rf conftest.dSYM
 rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
 
 fi
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
-$as_echo "$ac_cv_header_stdc" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
+echo "${ECHO_T}$ac_cv_header_stdc" >&6; }
 if test $ac_cv_header_stdc = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -4655,11 +4541,11 @@ fi
 for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
 		  inttypes.h stdint.h unistd.h
 do
-as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -4677,21 +4563,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   eval "$as_ac_Header=yes"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	eval "$as_ac_Header=no"
@@ -4699,14 +4584,12 @@ fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
-if test `eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'` = yes; then
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
 
 fi
@@ -4717,21 +4600,20 @@ done
 
 for ac_header in dlfcn.h
 do
-as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5
-$as_echo_n "checking $ac_header usability... " >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -4747,33 +4629,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_header_compiler=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-$as_echo "$ac_header_compiler" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5
-$as_echo_n "checking $ac_header presence... " >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -4787,72 +4668,69 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   ac_header_preproc=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
 
 rm -f conftest.err conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-$as_echo "$ac_header_preproc" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-$as_echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-$as_echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
 
     ;;
 esac
-{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
-if test `eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'` = yes; then
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
 
 fi
@@ -4873,10 +4751,10 @@ if test -z "$CXX"; then
   do
     # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
 set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_CXX+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$CXX"; then
   ac_cv_prog_CXX="$CXX" # Let the user override the test.
@@ -4889,7 +4767,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_CXX="$ac_tool_prefix$ac_prog"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -4900,11 +4778,11 @@ fi
 fi
 CXX=$ac_cv_prog_CXX
 if test -n "$CXX"; then
-  { $as_echo "$as_me:$LINENO: result: $CXX" >&5
-$as_echo "$CXX" >&6; }
+  { echo "$as_me:$LINENO: result: $CXX" >&5
+echo "${ECHO_T}$CXX" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -4917,10 +4795,10 @@ if test -z "$CXX"; then
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_ac_ct_CXX+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$ac_ct_CXX"; then
   ac_cv_prog_ac_ct_CXX="$ac_ct_CXX" # Let the user override the test.
@@ -4933,7 +4811,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_CXX="$ac_prog"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -4944,11 +4822,11 @@ fi
 fi
 ac_ct_CXX=$ac_cv_prog_ac_ct_CXX
 if test -n "$ac_ct_CXX"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_CXX" >&5
-$as_echo "$ac_ct_CXX" >&6; }
+  { echo "$as_me:$LINENO: result: $ac_ct_CXX" >&5
+echo "${ECHO_T}$ac_ct_CXX" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -4960,10 +4838,10 @@ done
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&5
-$as_echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&2;}
 ac_tool_warned=yes ;;
@@ -4975,47 +4853,43 @@ fi
   fi
 fi
 # Provide some information about the compiler.
-$as_echo "$as_me:$LINENO: checking for C++ compiler version" >&5
-set X $ac_compile
-ac_compiler=$2
+echo "$as_me:$LINENO: checking for C++ compiler version" >&5
+ac_compiler=`set X $ac_compile; echo $2`
 { (ac_try="$ac_compiler --version >&5"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compiler --version >&5") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
 { (ac_try="$ac_compiler -v >&5"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compiler -v >&5") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
 { (ac_try="$ac_compiler -V >&5"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compiler -V >&5") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
 
-{ $as_echo "$as_me:$LINENO: checking whether we are using the GNU C++ compiler" >&5
-$as_echo_n "checking whether we are using the GNU C++ compiler... " >&6; }
+{ echo "$as_me:$LINENO: checking whether we are using the GNU C++ compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU C++ compiler... $ECHO_C" >&6; }
 if test "${ac_cv_cxx_compiler_gnu+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -5041,21 +4915,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_cxx_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_compiler_gnu=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_compiler_gnu=no
@@ -5065,19 +4938,15 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 ac_cv_cxx_compiler_gnu=$ac_compiler_gnu
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_cxx_compiler_gnu" >&5
-$as_echo "$ac_cv_cxx_compiler_gnu" >&6; }
-if test $ac_compiler_gnu = yes; then
-  GXX=yes
-else
-  GXX=
-fi
+{ echo "$as_me:$LINENO: result: $ac_cv_cxx_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_cxx_compiler_gnu" >&6; }
+GXX=`test $ac_compiler_gnu = yes && echo yes`
 ac_test_CXXFLAGS=${CXXFLAGS+set}
 ac_save_CXXFLAGS=$CXXFLAGS
-{ $as_echo "$as_me:$LINENO: checking whether $CXX accepts -g" >&5
-$as_echo_n "checking whether $CXX accepts -g... " >&6; }
+{ echo "$as_me:$LINENO: checking whether $CXX accepts -g" >&5
+echo $ECHO_N "checking whether $CXX accepts -g... $ECHO_C" >&6; }
 if test "${ac_cv_prog_cxx_g+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_save_cxx_werror_flag=$ac_cxx_werror_flag
    ac_cxx_werror_flag=yes
@@ -5104,21 +4973,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_cxx_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_cv_prog_cxx_g=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	CXXFLAGS=""
@@ -5143,21 +5011,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_cxx_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   :
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cxx_werror_flag=$ac_save_cxx_werror_flag
@@ -5183,21 +5050,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_cxx_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_cv_prog_cxx_g=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
@@ -5212,8 +5078,8 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
    ac_cxx_werror_flag=$ac_save_cxx_werror_flag
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cxx_g" >&5
-$as_echo "$ac_cv_prog_cxx_g" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_cxx_g" >&5
+echo "${ECHO_T}$ac_cv_prog_cxx_g" >&6; }
 if test "$ac_test_CXXFLAGS" = set; then
   CXXFLAGS=$ac_save_CXXFLAGS
 elif test $ac_cv_prog_cxx_g = yes; then
@@ -5245,11 +5111,11 @@ ac_cpp='$CXXCPP $CPPFLAGS'
 ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
-{ $as_echo "$as_me:$LINENO: checking how to run the C++ preprocessor" >&5
-$as_echo_n "checking how to run the C++ preprocessor... " >&6; }
+{ echo "$as_me:$LINENO: checking how to run the C++ preprocessor" >&5
+echo $ECHO_N "checking how to run the C++ preprocessor... $ECHO_C" >&6; }
 if test -z "$CXXCPP"; then
   if test "${ac_cv_prog_CXXCPP+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
       # Double quotes because CXXCPP needs to be expanded
     for CXXCPP in "$CXX -E" "/lib/cpp"
@@ -5281,21 +5147,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   :
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   # Broken: fails on valid input.
@@ -5319,14 +5184,13 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
 	 test ! -s conftest.err
@@ -5334,7 +5198,7 @@ $as_echo "$ac_try_echo") >&5
   # Broken: success on invalid input.
 continue
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   # Passes both tests.
@@ -5359,8 +5223,8 @@ fi
 else
   ac_cv_prog_CXXCPP=$CXXCPP
 fi
-{ $as_echo "$as_me:$LINENO: result: $CXXCPP" >&5
-$as_echo "$CXXCPP" >&6; }
+{ echo "$as_me:$LINENO: result: $CXXCPP" >&5
+echo "${ECHO_T}$CXXCPP" >&6; }
 ac_preproc_ok=false
 for ac_cxx_preproc_warn_flag in '' yes
 do
@@ -5388,21 +5252,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   :
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   # Broken: fails on valid input.
@@ -5426,14 +5289,13 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
 	 test ! -s conftest.err
@@ -5441,7 +5303,7 @@ $as_echo "$ac_try_echo") >&5
   # Broken: success on invalid input.
 continue
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   # Passes both tests.
@@ -5457,9 +5319,9 @@ rm -f conftest.err conftest.$ac_ext
 if $ac_preproc_ok; then
   :
 else
-  { { $as_echo "$as_me:$LINENO: error: C++ preprocessor \"$CXXCPP\" fails sanity check
+  { { echo "$as_me:$LINENO: error: C++ preprocessor \"$CXXCPP\" fails sanity check
 See \`config.log' for more details." >&5
-$as_echo "$as_me: error: C++ preprocessor \"$CXXCPP\" fails sanity check
+echo "$as_me: error: C++ preprocessor \"$CXXCPP\" fails sanity check
 See \`config.log' for more details." >&2;}
    { (exit 1); exit 1; }; }
 fi
@@ -5482,10 +5344,10 @@ if test -n "$ac_tool_prefix"; then
   do
     # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
 set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_F77+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$F77"; then
   ac_cv_prog_F77="$F77" # Let the user override the test.
@@ -5498,7 +5360,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_F77="$ac_tool_prefix$ac_prog"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -5509,11 +5371,11 @@ fi
 fi
 F77=$ac_cv_prog_F77
 if test -n "$F77"; then
-  { $as_echo "$as_me:$LINENO: result: $F77" >&5
-$as_echo "$F77" >&6; }
+  { echo "$as_me:$LINENO: result: $F77" >&5
+echo "${ECHO_T}$F77" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -5526,10 +5388,10 @@ if test -z "$F77"; then
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_ac_ct_F77+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$ac_ct_F77"; then
   ac_cv_prog_ac_ct_F77="$ac_ct_F77" # Let the user override the test.
@@ -5542,7 +5404,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_F77="$ac_prog"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -5553,11 +5415,11 @@ fi
 fi
 ac_ct_F77=$ac_cv_prog_ac_ct_F77
 if test -n "$ac_ct_F77"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_F77" >&5
-$as_echo "$ac_ct_F77" >&6; }
+  { echo "$as_me:$LINENO: result: $ac_ct_F77" >&5
+echo "${ECHO_T}$ac_ct_F77" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -5569,10 +5431,10 @@ done
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&5
-$as_echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&2;}
 ac_tool_warned=yes ;;
@@ -5583,41 +5445,37 @@ fi
 
 
 # Provide some information about the compiler.
-$as_echo "$as_me:$LINENO: checking for Fortran 77 compiler version" >&5
-set X $ac_compile
-ac_compiler=$2
+echo "$as_me:$LINENO: checking for Fortran 77 compiler version" >&5
+ac_compiler=`set X $ac_compile; echo $2`
 { (ac_try="$ac_compiler --version >&5"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compiler --version >&5") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
 { (ac_try="$ac_compiler -v >&5"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compiler -v >&5") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
 { (ac_try="$ac_compiler -V >&5"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compiler -V >&5") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
 rm -f a.out
 
@@ -5625,10 +5483,10 @@ rm -f a.out
 # input file.  (Note that this only needs to work for GNU compilers.)
 ac_save_ext=$ac_ext
 ac_ext=F
-{ $as_echo "$as_me:$LINENO: checking whether we are using the GNU Fortran 77 compiler" >&5
-$as_echo_n "checking whether we are using the GNU Fortran 77 compiler... " >&6; }
+{ echo "$as_me:$LINENO: checking whether we are using the GNU Fortran 77 compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU Fortran 77 compiler... $ECHO_C" >&6; }
 if test "${ac_cv_f77_compiler_gnu+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
       program main
@@ -5644,21 +5502,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_f77_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_compiler_gnu=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_compiler_gnu=no
@@ -5668,16 +5525,16 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 ac_cv_f77_compiler_gnu=$ac_compiler_gnu
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_f77_compiler_gnu" >&5
-$as_echo "$ac_cv_f77_compiler_gnu" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_f77_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_f77_compiler_gnu" >&6; }
 ac_ext=$ac_save_ext
 ac_test_FFLAGS=${FFLAGS+set}
 ac_save_FFLAGS=$FFLAGS
 FFLAGS=
-{ $as_echo "$as_me:$LINENO: checking whether $F77 accepts -g" >&5
-$as_echo_n "checking whether $F77 accepts -g... " >&6; }
+{ echo "$as_me:$LINENO: checking whether $F77 accepts -g" >&5
+echo $ECHO_N "checking whether $F77 accepts -g... $ECHO_C" >&6; }
 if test "${ac_cv_prog_f77_g+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   FFLAGS=-g
 cat >conftest.$ac_ext <<_ACEOF
@@ -5691,21 +5548,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_f77_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_cv_prog_f77_g=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_prog_f77_g=no
@@ -5714,8 +5570,8 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_prog_f77_g" >&5
-$as_echo "$ac_cv_prog_f77_g" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_f77_g" >&5
+echo "${ECHO_T}$ac_cv_prog_f77_g" >&6; }
 if test "$ac_test_FFLAGS" = set; then
   FFLAGS=$ac_save_FFLAGS
 elif test $ac_cv_prog_f77_g = yes; then
@@ -5732,11 +5588,7 @@ else
   fi
 fi
 
-if test $ac_compiler_gnu = yes; then
-  G77=yes
-else
-  G77=
-fi
+G77=`test $ac_compiler_gnu = yes && echo yes`
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -5747,10 +5599,10 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 # Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers!
 # find the maximum length of command line arguments
-{ $as_echo "$as_me:$LINENO: checking the maximum length of command line arguments" >&5
-$as_echo_n "checking the maximum length of command line arguments... " >&6; }
+{ echo "$as_me:$LINENO: checking the maximum length of command line arguments" >&5
+echo $ECHO_N "checking the maximum length of command line arguments... $ECHO_C" >&6; }
 if test "${lt_cv_sys_max_cmd_len+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
     i=0
   teststring="ABCD"
@@ -5859,11 +5711,11 @@ else
 fi
 
 if test -n $lt_cv_sys_max_cmd_len ; then
-  { $as_echo "$as_me:$LINENO: result: $lt_cv_sys_max_cmd_len" >&5
-$as_echo "$lt_cv_sys_max_cmd_len" >&6; }
+  { echo "$as_me:$LINENO: result: $lt_cv_sys_max_cmd_len" >&5
+echo "${ECHO_T}$lt_cv_sys_max_cmd_len" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: none" >&5
-$as_echo "none" >&6; }
+  { echo "$as_me:$LINENO: result: none" >&5
+echo "${ECHO_T}none" >&6; }
 fi
 
 
@@ -5871,10 +5723,10 @@ fi
 
 
 # Check for command to grab the raw symbol name followed by C symbol from nm.
-{ $as_echo "$as_me:$LINENO: checking command to parse $NM output from $compiler object" >&5
-$as_echo_n "checking command to parse $NM output from $compiler object... " >&6; }
+{ echo "$as_me:$LINENO: checking command to parse $NM output from $compiler object" >&5
+echo $ECHO_N "checking command to parse $NM output from $compiler object... $ECHO_C" >&6; }
 if test "${lt_cv_sys_global_symbol_pipe+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
 
 # These are sane defaults that work on at least a few old systems.
@@ -5979,14 +5831,14 @@ EOF
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
     # Now try to grab the symbols.
     nlist=conftest.nm
     if { (eval echo "$as_me:$LINENO: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\"") >&5
   (eval $NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && test -s "$nlist"; then
       # Try sorting and uniquifying the output.
       if sort "$nlist" | uniq > "$nlist"T; then
@@ -6041,7 +5893,7 @@ EOF
 	  if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
   (eval $ac_link) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && test -s conftest${ac_exeext}; then
 	    pipe_works=yes
 	  fi
@@ -6076,17 +5928,17 @@ if test -z "$lt_cv_sys_global_symbol_pipe"; then
   lt_cv_sys_global_symbol_to_cdecl=
 fi
 if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
-  { $as_echo "$as_me:$LINENO: result: failed" >&5
-$as_echo "failed" >&6; }
+  { echo "$as_me:$LINENO: result: failed" >&5
+echo "${ECHO_T}failed" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: ok" >&5
-$as_echo "ok" >&6; }
+  { echo "$as_me:$LINENO: result: ok" >&5
+echo "${ECHO_T}ok" >&6; }
 fi
 
-{ $as_echo "$as_me:$LINENO: checking for objdir" >&5
-$as_echo_n "checking for objdir... " >&6; }
+{ echo "$as_me:$LINENO: checking for objdir" >&5
+echo $ECHO_N "checking for objdir... $ECHO_C" >&6; }
 if test "${lt_cv_objdir+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   rm -f .libs 2>/dev/null
 mkdir .libs 2>/dev/null
@@ -6098,8 +5950,8 @@ else
 fi
 rmdir .libs 2>/dev/null
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_objdir" >&5
-$as_echo "$lt_cv_objdir" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_objdir" >&5
+echo "${ECHO_T}$lt_cv_objdir" >&6; }
 objdir=$lt_cv_objdir
 
 
@@ -6150,10 +6002,10 @@ with_gnu_ld="$lt_cv_prog_gnu_ld"
 if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args.
 set dummy ${ac_tool_prefix}ar; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_AR+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$AR"; then
   ac_cv_prog_AR="$AR" # Let the user override the test.
@@ -6166,7 +6018,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_AR="${ac_tool_prefix}ar"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -6177,11 +6029,11 @@ fi
 fi
 AR=$ac_cv_prog_AR
 if test -n "$AR"; then
-  { $as_echo "$as_me:$LINENO: result: $AR" >&5
-$as_echo "$AR" >&6; }
+  { echo "$as_me:$LINENO: result: $AR" >&5
+echo "${ECHO_T}$AR" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -6190,10 +6042,10 @@ if test -z "$ac_cv_prog_AR"; then
   ac_ct_AR=$AR
   # Extract the first word of "ar", so it can be a program name with args.
 set dummy ar; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_ac_ct_AR+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$ac_ct_AR"; then
   ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test.
@@ -6206,7 +6058,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_AR="ar"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -6217,11 +6069,11 @@ fi
 fi
 ac_ct_AR=$ac_cv_prog_ac_ct_AR
 if test -n "$ac_ct_AR"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_AR" >&5
-$as_echo "$ac_ct_AR" >&6; }
+  { echo "$as_me:$LINENO: result: $ac_ct_AR" >&5
+echo "${ECHO_T}$ac_ct_AR" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
   if test "x$ac_ct_AR" = x; then
@@ -6229,10 +6081,10 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&5
-$as_echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&2;}
 ac_tool_warned=yes ;;
@@ -6246,10 +6098,10 @@ fi
 if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
 set dummy ${ac_tool_prefix}ranlib; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_RANLIB+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$RANLIB"; then
   ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
@@ -6262,7 +6114,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -6273,11 +6125,11 @@ fi
 fi
 RANLIB=$ac_cv_prog_RANLIB
 if test -n "$RANLIB"; then
-  { $as_echo "$as_me:$LINENO: result: $RANLIB" >&5
-$as_echo "$RANLIB" >&6; }
+  { echo "$as_me:$LINENO: result: $RANLIB" >&5
+echo "${ECHO_T}$RANLIB" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -6286,10 +6138,10 @@ if test -z "$ac_cv_prog_RANLIB"; then
   ac_ct_RANLIB=$RANLIB
   # Extract the first word of "ranlib", so it can be a program name with args.
 set dummy ranlib; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$ac_ct_RANLIB"; then
   ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test.
@@ -6302,7 +6154,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_RANLIB="ranlib"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -6313,11 +6165,11 @@ fi
 fi
 ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB
 if test -n "$ac_ct_RANLIB"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5
-$as_echo "$ac_ct_RANLIB" >&6; }
+  { echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5
+echo "${ECHO_T}$ac_ct_RANLIB" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
   if test "x$ac_ct_RANLIB" = x; then
@@ -6325,10 +6177,10 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&5
-$as_echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&2;}
 ac_tool_warned=yes ;;
@@ -6342,10 +6194,10 @@ fi
 if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
 set dummy ${ac_tool_prefix}strip; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_STRIP+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$STRIP"; then
   ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
@@ -6358,7 +6210,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_STRIP="${ac_tool_prefix}strip"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -6369,11 +6221,11 @@ fi
 fi
 STRIP=$ac_cv_prog_STRIP
 if test -n "$STRIP"; then
-  { $as_echo "$as_me:$LINENO: result: $STRIP" >&5
-$as_echo "$STRIP" >&6; }
+  { echo "$as_me:$LINENO: result: $STRIP" >&5
+echo "${ECHO_T}$STRIP" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -6382,10 +6234,10 @@ if test -z "$ac_cv_prog_STRIP"; then
   ac_ct_STRIP=$STRIP
   # Extract the first word of "strip", so it can be a program name with args.
 set dummy strip; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$ac_ct_STRIP"; then
   ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
@@ -6398,7 +6250,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_STRIP="strip"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -6409,11 +6261,11 @@ fi
 fi
 ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
 if test -n "$ac_ct_STRIP"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
-$as_echo "$ac_ct_STRIP" >&6; }
+  { echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
+echo "${ECHO_T}$ac_ct_STRIP" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
   if test "x$ac_ct_STRIP" = x; then
@@ -6421,10 +6273,10 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&5
-$as_echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&2;}
 ac_tool_warned=yes ;;
@@ -6489,10 +6341,10 @@ cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
 case $deplibs_check_method in
 file_magic*)
   if test "$file_magic_cmd" = '$MAGIC_CMD'; then
-    { $as_echo "$as_me:$LINENO: checking for ${ac_tool_prefix}file" >&5
-$as_echo_n "checking for ${ac_tool_prefix}file... " >&6; }
+    { echo "$as_me:$LINENO: checking for ${ac_tool_prefix}file" >&5
+echo $ECHO_N "checking for ${ac_tool_prefix}file... $ECHO_C" >&6; }
 if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   case $MAGIC_CMD in
 [\\/*] |  ?:[\\/]*)
@@ -6542,19 +6394,19 @@ fi
 
 MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
 if test -n "$MAGIC_CMD"; then
-  { $as_echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
-$as_echo "$MAGIC_CMD" >&6; }
+  { echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
+echo "${ECHO_T}$MAGIC_CMD" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 if test -z "$lt_cv_path_MAGIC_CMD"; then
   if test -n "$ac_tool_prefix"; then
-    { $as_echo "$as_me:$LINENO: checking for file" >&5
-$as_echo_n "checking for file... " >&6; }
+    { echo "$as_me:$LINENO: checking for file" >&5
+echo $ECHO_N "checking for file... $ECHO_C" >&6; }
 if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   case $MAGIC_CMD in
 [\\/*] |  ?:[\\/]*)
@@ -6604,11 +6456,11 @@ fi
 
 MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
 if test -n "$MAGIC_CMD"; then
-  { $as_echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
-$as_echo "$MAGIC_CMD" >&6; }
+  { echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
+echo "${ECHO_T}$MAGIC_CMD" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
   else
@@ -6626,10 +6478,10 @@ esac
     if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}dsymutil", so it can be a program name with args.
 set dummy ${ac_tool_prefix}dsymutil; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_DSYMUTIL+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$DSYMUTIL"; then
   ac_cv_prog_DSYMUTIL="$DSYMUTIL" # Let the user override the test.
@@ -6642,7 +6494,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -6653,11 +6505,11 @@ fi
 fi
 DSYMUTIL=$ac_cv_prog_DSYMUTIL
 if test -n "$DSYMUTIL"; then
-  { $as_echo "$as_me:$LINENO: result: $DSYMUTIL" >&5
-$as_echo "$DSYMUTIL" >&6; }
+  { echo "$as_me:$LINENO: result: $DSYMUTIL" >&5
+echo "${ECHO_T}$DSYMUTIL" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -6666,10 +6518,10 @@ if test -z "$ac_cv_prog_DSYMUTIL"; then
   ac_ct_DSYMUTIL=$DSYMUTIL
   # Extract the first word of "dsymutil", so it can be a program name with args.
 set dummy dsymutil; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_ac_ct_DSYMUTIL+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$ac_ct_DSYMUTIL"; then
   ac_cv_prog_ac_ct_DSYMUTIL="$ac_ct_DSYMUTIL" # Let the user override the test.
@@ -6682,7 +6534,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_DSYMUTIL="dsymutil"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -6693,11 +6545,11 @@ fi
 fi
 ac_ct_DSYMUTIL=$ac_cv_prog_ac_ct_DSYMUTIL
 if test -n "$ac_ct_DSYMUTIL"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_DSYMUTIL" >&5
-$as_echo "$ac_ct_DSYMUTIL" >&6; }
+  { echo "$as_me:$LINENO: result: $ac_ct_DSYMUTIL" >&5
+echo "${ECHO_T}$ac_ct_DSYMUTIL" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
   if test "x$ac_ct_DSYMUTIL" = x; then
@@ -6705,10 +6557,10 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&5
-$as_echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&2;}
 ac_tool_warned=yes ;;
@@ -6722,10 +6574,10 @@ fi
     if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}nmedit", so it can be a program name with args.
 set dummy ${ac_tool_prefix}nmedit; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_NMEDIT+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$NMEDIT"; then
   ac_cv_prog_NMEDIT="$NMEDIT" # Let the user override the test.
@@ -6738,7 +6590,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -6749,11 +6601,11 @@ fi
 fi
 NMEDIT=$ac_cv_prog_NMEDIT
 if test -n "$NMEDIT"; then
-  { $as_echo "$as_me:$LINENO: result: $NMEDIT" >&5
-$as_echo "$NMEDIT" >&6; }
+  { echo "$as_me:$LINENO: result: $NMEDIT" >&5
+echo "${ECHO_T}$NMEDIT" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -6762,10 +6614,10 @@ if test -z "$ac_cv_prog_NMEDIT"; then
   ac_ct_NMEDIT=$NMEDIT
   # Extract the first word of "nmedit", so it can be a program name with args.
 set dummy nmedit; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_ac_ct_NMEDIT+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$ac_ct_NMEDIT"; then
   ac_cv_prog_ac_ct_NMEDIT="$ac_ct_NMEDIT" # Let the user override the test.
@@ -6778,7 +6630,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_NMEDIT="nmedit"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -6789,11 +6641,11 @@ fi
 fi
 ac_ct_NMEDIT=$ac_cv_prog_ac_ct_NMEDIT
 if test -n "$ac_ct_NMEDIT"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_NMEDIT" >&5
-$as_echo "$ac_ct_NMEDIT" >&6; }
+  { echo "$as_me:$LINENO: result: $ac_ct_NMEDIT" >&5
+echo "${ECHO_T}$ac_ct_NMEDIT" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
   if test "x$ac_ct_NMEDIT" = x; then
@@ -6801,10 +6653,10 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&5
-$as_echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&2;}
 ac_tool_warned=yes ;;
@@ -6816,10 +6668,10 @@ else
 fi
 
 
-    { $as_echo "$as_me:$LINENO: checking for -single_module linker flag" >&5
-$as_echo_n "checking for -single_module linker flag... " >&6; }
+    { echo "$as_me:$LINENO: checking for -single_module linker flag" >&5
+echo $ECHO_N "checking for -single_module linker flag... $ECHO_C" >&6; }
 if test "${lt_cv_apple_cc_single_mod+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_apple_cc_single_mod=no
       if test -z "${LT_MULTI_MODULE}"; then
@@ -6837,12 +6689,12 @@ else
    rm conftest.c
       fi
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_apple_cc_single_mod" >&5
-$as_echo "$lt_cv_apple_cc_single_mod" >&6; }
-    { $as_echo "$as_me:$LINENO: checking for -exported_symbols_list linker flag" >&5
-$as_echo_n "checking for -exported_symbols_list linker flag... " >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_apple_cc_single_mod" >&5
+echo "${ECHO_T}$lt_cv_apple_cc_single_mod" >&6; }
+    { echo "$as_me:$LINENO: checking for -exported_symbols_list linker flag" >&5
+echo $ECHO_N "checking for -exported_symbols_list linker flag... $ECHO_C" >&6; }
 if test "${lt_cv_ld_exported_symbols_list+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_ld_exported_symbols_list=no
       save_LDFLAGS=$LDFLAGS
@@ -6869,37 +6721,33 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   lt_cv_ld_exported_symbols_list=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	lt_cv_ld_exported_symbols_list=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
    LDFLAGS="$save_LDFLAGS"
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_ld_exported_symbols_list" >&5
-$as_echo "$lt_cv_ld_exported_symbols_list" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_ld_exported_symbols_list" >&5
+echo "${ECHO_T}$lt_cv_ld_exported_symbols_list" >&6; }
     case $host_os in
     rhapsody* | darwin1.[0123])
       _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;;
@@ -7015,10 +6863,10 @@ if test "$GCC" = yes; then
   lt_prog_compiler_no_builtin_flag=' -fno-builtin'
 
 
-{ $as_echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
-$as_echo_n "checking if $compiler supports -fno-rtti -fno-exceptions... " >&6; }
+{ echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
+echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6; }
 if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_prog_compiler_rtti_exceptions=no
   ac_outfile=conftest.$ac_objext
@@ -7033,11 +6881,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7036: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:6884: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:7040: \$? = $ac_status" >&5
+   echo "$as_me:6888: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -7050,8 +6898,8 @@ else
    $rm conftest*
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
-$as_echo "$lt_cv_prog_compiler_rtti_exceptions" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6; }
 
 if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then
     lt_prog_compiler_no_builtin_flag="$lt_prog_compiler_no_builtin_flag -fno-rtti -fno-exceptions"
@@ -7065,8 +6913,8 @@ lt_prog_compiler_wl=
 lt_prog_compiler_pic=
 lt_prog_compiler_static=
 
-{ $as_echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-$as_echo_n "checking for $compiler option to produce PIC... " >&6; }
+{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
 
   if test "$GCC" = yes; then
     lt_prog_compiler_wl='-Wl,'
@@ -7297,18 +7145,18 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
     esac
   fi
 
-{ $as_echo "$as_me:$LINENO: result: $lt_prog_compiler_pic" >&5
-$as_echo "$lt_prog_compiler_pic" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic" >&6; }
 
 #
 # Check to make sure the PIC flag actually works.
 #
 if test -n "$lt_prog_compiler_pic"; then
 
-{ $as_echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5
-$as_echo_n "checking if $compiler PIC flag $lt_prog_compiler_pic works... " >&6; }
+{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic works... $ECHO_C" >&6; }
 if test "${lt_cv_prog_compiler_pic_works+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_prog_compiler_pic_works=no
   ac_outfile=conftest.$ac_objext
@@ -7323,11 +7171,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7326: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7174: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:7330: \$? = $ac_status" >&5
+   echo "$as_me:7178: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -7340,8 +7188,8 @@ else
    $rm conftest*
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works" >&5
-$as_echo "$lt_cv_prog_compiler_pic_works" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_pic_works" >&6; }
 
 if test x"$lt_cv_prog_compiler_pic_works" = xyes; then
     case $lt_prog_compiler_pic in
@@ -7368,10 +7216,10 @@ esac
 # Check to make sure the static flag actually works.
 #
 wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\"
-{ $as_echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
-$as_echo_n "checking if $compiler static flag $lt_tmp_static_flag works... " >&6; }
+{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
+echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
 if test "${lt_cv_prog_compiler_static_works+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_prog_compiler_static_works=no
    save_LDFLAGS="$LDFLAGS"
@@ -7396,8 +7244,8 @@ else
    LDFLAGS="$save_LDFLAGS"
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works" >&5
-$as_echo "$lt_cv_prog_compiler_static_works" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_static_works" >&6; }
 
 if test x"$lt_cv_prog_compiler_static_works" = xyes; then
     :
@@ -7406,10 +7254,10 @@ else
 fi
 
 
-{ $as_echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-$as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; }
+{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
 if test "${lt_cv_prog_compiler_c_o+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_prog_compiler_c_o=no
    $rm -r conftest 2>/dev/null
@@ -7427,11 +7275,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:7430: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:7278: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:7434: \$? = $ac_status" >&5
+   echo "$as_me:7282: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -7453,34 +7301,34 @@ else
    $rm conftest*
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5
-$as_echo "$lt_cv_prog_compiler_c_o" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o" >&6; }
 
 
 hard_links="nottested"
 if test "$lt_cv_prog_compiler_c_o" = no && test "$need_locks" != no; then
   # do not overwrite the value of need_locks provided by the user
-  { $as_echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-$as_echo_n "checking if we can lock with hard links... " >&6; }
+  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
   hard_links=yes
   $rm conftest*
   ln conftest.a conftest.b 2>/dev/null && hard_links=no
   touch conftest.a
   ln conftest.a conftest.b 2>&5 || hard_links=no
   ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  { $as_echo "$as_me:$LINENO: result: $hard_links" >&5
-$as_echo "$hard_links" >&6; }
+  { echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6; }
   if test "$hard_links" = no; then
-    { $as_echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
-$as_echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
+    { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
+echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
     need_locks=warn
   fi
 else
   need_locks=no
 fi
 
-{ $as_echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-$as_echo_n "checking whether the $compiler linker ($LD) supports shared libraries... " >&6; }
+{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
 
   runpath_var=
   allow_undefined_flag=
@@ -7910,21 +7758,18 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
 lt_aix_libpath_sed='
     /Import File Strings/,/^$/ {
@@ -7939,13 +7784,12 @@ if test -z "$aix_libpath"; then
   aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 fi
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
@@ -7980,21 +7824,18 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
 lt_aix_libpath_sed='
     /Import File Strings/,/^$/ {
@@ -8009,13 +7850,12 @@ if test -z "$aix_libpath"; then
   aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 fi
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
@@ -8467,8 +8307,8 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     esac
   fi
 
-{ $as_echo "$as_me:$LINENO: result: $ld_shlibs" >&5
-$as_echo "$ld_shlibs" >&6; }
+{ echo "$as_me:$LINENO: result: $ld_shlibs" >&5
+echo "${ECHO_T}$ld_shlibs" >&6; }
 test "$ld_shlibs" = no && can_build_shared=no
 
 #
@@ -8488,15 +8328,15 @@ x|xyes)
       # Test whether the compiler implicitly links with -lc since on some
       # systems, -lgcc has to come before -lc. If gcc already passes -lc
       # to ld, don't add -lc before -lgcc.
-      { $as_echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-$as_echo_n "checking whether -lc should be explicitly linked in... " >&6; }
+      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
       $rm conftest*
       echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
       if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } 2>conftest.err; then
         soname=conftest
         lib=conftest
@@ -8514,7 +8354,7 @@ $as_echo_n "checking whether -lc should be explicitly linked in... " >&6; }
         if { (eval echo "$as_me:$LINENO: \"$archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
   (eval $archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
         then
 	  archive_cmds_need_lc=no
@@ -8526,16 +8366,16 @@ $as_echo_n "checking whether -lc should be explicitly linked in... " >&6; }
         cat conftest.err 1>&5
       fi
       $rm conftest*
-      { $as_echo "$as_me:$LINENO: result: $archive_cmds_need_lc" >&5
-$as_echo "$archive_cmds_need_lc" >&6; }
+      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc" >&5
+echo "${ECHO_T}$archive_cmds_need_lc" >&6; }
       ;;
     esac
   fi
   ;;
 esac
 
-{ $as_echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-$as_echo_n "checking dynamic linker characteristics... " >&6; }
+{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
 library_names_spec=
 libname_spec='lib$name'
 soname_spec=
@@ -9136,19 +8976,19 @@ uts4*)
   dynamic_linker=no
   ;;
 esac
-{ $as_echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-$as_echo "$dynamic_linker" >&6; }
+{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6; }
 test "$dynamic_linker" = no && can_build_shared=no
 
 if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"
 fi
 
 sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
 if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"
 fi
@@ -9160,8 +9000,8 @@ if test "$GCC" = yes; then
   variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
 fi
 
-{ $as_echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-$as_echo_n "checking how to hardcode library paths into programs... " >&6; }
+{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
 hardcode_action=
 if test -n "$hardcode_libdir_flag_spec" || \
    test -n "$runpath_var" || \
@@ -9185,8 +9025,8 @@ else
   # directories.
   hardcode_action=unsupported
 fi
-{ $as_echo "$as_me:$LINENO: result: $hardcode_action" >&5
-$as_echo "$hardcode_action" >&6; }
+{ echo "$as_me:$LINENO: result: $hardcode_action" >&5
+echo "${ECHO_T}$hardcode_action" >&6; }
 
 if test "$hardcode_action" = relink; then
   # Fast installation is not supported
@@ -9199,13 +9039,13 @@ fi
 
 striplib=
 old_striplib=
-{ $as_echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
-$as_echo_n "checking whether stripping libraries is possible... " >&6; }
+{ echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
+echo $ECHO_N "checking whether stripping libraries is possible... $ECHO_C" >&6; }
 if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
   test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
   test -z "$striplib" && striplib="$STRIP --strip-unneeded"
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 else
 # FIXME - insert some real tests, host_os isn't really good enough
   case $host_os in
@@ -9213,16 +9053,16 @@ else
        if test -n "$STRIP" ; then
          striplib="$STRIP -x"
          old_striplib="$STRIP -S"
-         { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+         { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
        else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
        ;;
    *)
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
     ;;
   esac
 fi
@@ -9254,10 +9094,10 @@ else
 
   darwin*)
   # if libdl is installed we need to link against it
-    { $as_echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-$as_echo_n "checking for dlopen in -ldl... " >&6; }
+    { echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
+echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6; }
 if test "${ac_cv_lib_dl_dlopen+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-ldl  $LIBS"
@@ -9289,36 +9129,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_dl_dlopen=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_dl_dlopen=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-$as_echo "$ac_cv_lib_dl_dlopen" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6; }
 if test $ac_cv_lib_dl_dlopen = yes; then
   lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
 else
@@ -9332,10 +9168,10 @@ fi
    ;;
 
   *)
-    { $as_echo "$as_me:$LINENO: checking for shl_load" >&5
-$as_echo_n "checking for shl_load... " >&6; }
+    { echo "$as_me:$LINENO: checking for shl_load" >&5
+echo $ECHO_N "checking for shl_load... $ECHO_C" >&6; }
 if test "${ac_cv_func_shl_load+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -9388,42 +9224,38 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_shl_load=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_shl_load=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5
-$as_echo "$ac_cv_func_shl_load" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5
+echo "${ECHO_T}$ac_cv_func_shl_load" >&6; }
 if test $ac_cv_func_shl_load = yes; then
   lt_cv_dlopen="shl_load"
 else
-  { $as_echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5
-$as_echo_n "checking for shl_load in -ldld... " >&6; }
+  { echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5
+echo $ECHO_N "checking for shl_load in -ldld... $ECHO_C" >&6; }
 if test "${ac_cv_lib_dld_shl_load+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-ldld  $LIBS"
@@ -9455,43 +9287,39 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_dld_shl_load=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_dld_shl_load=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
-$as_echo "$ac_cv_lib_dld_shl_load" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
+echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6; }
 if test $ac_cv_lib_dld_shl_load = yes; then
   lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"
 else
-  { $as_echo "$as_me:$LINENO: checking for dlopen" >&5
-$as_echo_n "checking for dlopen... " >&6; }
+  { echo "$as_me:$LINENO: checking for dlopen" >&5
+echo $ECHO_N "checking for dlopen... $ECHO_C" >&6; }
 if test "${ac_cv_func_dlopen+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -9544,42 +9372,38 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_dlopen=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_dlopen=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5
-$as_echo "$ac_cv_func_dlopen" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5
+echo "${ECHO_T}$ac_cv_func_dlopen" >&6; }
 if test $ac_cv_func_dlopen = yes; then
   lt_cv_dlopen="dlopen"
 else
-  { $as_echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-$as_echo_n "checking for dlopen in -ldl... " >&6; }
+  { echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
+echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6; }
 if test "${ac_cv_lib_dl_dlopen+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-ldl  $LIBS"
@@ -9611,43 +9435,39 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_dl_dlopen=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_dl_dlopen=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-$as_echo "$ac_cv_lib_dl_dlopen" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6; }
 if test $ac_cv_lib_dl_dlopen = yes; then
   lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
 else
-  { $as_echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5
-$as_echo_n "checking for dlopen in -lsvld... " >&6; }
+  { echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5
+echo $ECHO_N "checking for dlopen in -lsvld... $ECHO_C" >&6; }
 if test "${ac_cv_lib_svld_dlopen+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lsvld  $LIBS"
@@ -9679,43 +9499,39 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_svld_dlopen=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_svld_dlopen=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5
-$as_echo "$ac_cv_lib_svld_dlopen" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_svld_dlopen" >&6; }
 if test $ac_cv_lib_svld_dlopen = yes; then
   lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"
 else
-  { $as_echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5
-$as_echo_n "checking for dld_link in -ldld... " >&6; }
+  { echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5
+echo $ECHO_N "checking for dld_link in -ldld... $ECHO_C" >&6; }
 if test "${ac_cv_lib_dld_dld_link+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-ldld  $LIBS"
@@ -9747,36 +9563,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_dld_dld_link=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_dld_dld_link=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
-$as_echo "$ac_cv_lib_dld_dld_link" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
+echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6; }
 if test $ac_cv_lib_dld_dld_link = yes; then
   lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"
 fi
@@ -9816,10 +9628,10 @@ fi
     save_LIBS="$LIBS"
     LIBS="$lt_cv_dlopen_libs $LIBS"
 
-    { $as_echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5
-$as_echo_n "checking whether a program can dlopen itself... " >&6; }
+    { echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5
+echo $ECHO_N "checking whether a program can dlopen itself... $ECHO_C" >&6; }
 if test "${lt_cv_dlopen_self+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   	  if test "$cross_compiling" = yes; then :
   lt_cv_dlopen_self=cross
@@ -9827,7 +9639,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 9830 "configure"
+#line 9642 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -9893,7 +9705,7 @@ EOF
   if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
   (eval $ac_link) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
     (./conftest; exit; ) >&5 2>/dev/null
     lt_status=$?
@@ -9911,15 +9723,15 @@ rm -fr conftest*
 
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5
-$as_echo "$lt_cv_dlopen_self" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5
+echo "${ECHO_T}$lt_cv_dlopen_self" >&6; }
 
     if test "x$lt_cv_dlopen_self" = xyes; then
       wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
-      { $as_echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5
-$as_echo_n "checking whether a statically linked program can dlopen itself... " >&6; }
+      { echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5
+echo $ECHO_N "checking whether a statically linked program can dlopen itself... $ECHO_C" >&6; }
 if test "${lt_cv_dlopen_self_static+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   	  if test "$cross_compiling" = yes; then :
   lt_cv_dlopen_self_static=cross
@@ -9927,7 +9739,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 9930 "configure"
+#line 9742 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -9993,7 +9805,7 @@ EOF
   if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
   (eval $ac_link) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
     (./conftest; exit; ) >&5 2>/dev/null
     lt_status=$?
@@ -10011,8 +9823,8 @@ rm -fr conftest*
 
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5
-$as_echo "$lt_cv_dlopen_self_static" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5
+echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6; }
     fi
 
     CPPFLAGS="$save_CPPFLAGS"
@@ -10034,13 +9846,13 @@ fi
 
 
 # Report which library types will actually be built
-{ $as_echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
-$as_echo_n "checking if libtool supports shared libraries... " >&6; }
-{ $as_echo "$as_me:$LINENO: result: $can_build_shared" >&5
-$as_echo "$can_build_shared" >&6; }
+{ echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
+echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: result: $can_build_shared" >&5
+echo "${ECHO_T}$can_build_shared" >&6; }
 
-{ $as_echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
-$as_echo_n "checking whether to build shared libraries... " >&6; }
+{ echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
+echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6; }
 test "$can_build_shared" = "no" && enable_shared=no
 
 # On AIX, shared libraries and static libraries use the same namespace, and
@@ -10060,15 +9872,15 @@ aix[4-9]*)
   fi
     ;;
 esac
-{ $as_echo "$as_me:$LINENO: result: $enable_shared" >&5
-$as_echo "$enable_shared" >&6; }
+{ echo "$as_me:$LINENO: result: $enable_shared" >&5
+echo "${ECHO_T}$enable_shared" >&6; }
 
-{ $as_echo "$as_me:$LINENO: checking whether to build static libraries" >&5
-$as_echo_n "checking whether to build static libraries... " >&6; }
+{ echo "$as_me:$LINENO: checking whether to build static libraries" >&5
+echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6; }
 # Make sure either enable_shared or enable_static is yes.
 test "$enable_shared" = yes || enable_static=yes
-{ $as_echo "$as_me:$LINENO: result: $enable_static" >&5
-$as_echo "$enable_static" >&6; }
+{ echo "$as_me:$LINENO: result: $enable_static" >&5
+echo "${ECHO_T}$enable_static" >&6; }
 
 # The else clause should only fire when bootstrapping the
 # libtool distribution, otherwise you forgot to ship ltmain.sh
@@ -10161,8 +9973,8 @@ if test -f "$ltmain"; then
 cfgfile="${ofile}T"
   trap "$rm \"$cfgfile\"; exit 1" 1 2 15
   $rm -f "$cfgfile"
-  { $as_echo "$as_me:$LINENO: creating $ofile" >&5
-$as_echo "$as_me: creating $ofile" >&6;}
+  { echo "$as_me:$LINENO: creating $ofile" >&5
+echo "$as_me: creating $ofile" >&6;}
 
   cat <<__EOF__ >> "$cfgfile"
 #! $SHELL
@@ -10574,18 +10386,18 @@ fi
 
 if test -f "$ltmain" && test -n "$tagnames"; then
   if test ! -f "${ofile}"; then
-    { $as_echo "$as_me:$LINENO: WARNING: output file \`$ofile' does not exist" >&5
-$as_echo "$as_me: WARNING: output file \`$ofile' does not exist" >&2;}
+    { echo "$as_me:$LINENO: WARNING: output file \`$ofile' does not exist" >&5
+echo "$as_me: WARNING: output file \`$ofile' does not exist" >&2;}
   fi
 
   if test -z "$LTCC"; then
     eval "`$SHELL ${ofile} --config | grep '^LTCC='`"
     if test -z "$LTCC"; then
-      { $as_echo "$as_me:$LINENO: WARNING: output file \`$ofile' does not look like a libtool script" >&5
-$as_echo "$as_me: WARNING: output file \`$ofile' does not look like a libtool script" >&2;}
+      { echo "$as_me:$LINENO: WARNING: output file \`$ofile' does not look like a libtool script" >&5
+echo "$as_me: WARNING: output file \`$ofile' does not look like a libtool script" >&2;}
     else
-      { $as_echo "$as_me:$LINENO: WARNING: using \`LTCC=$LTCC', extracted from \`$ofile'" >&5
-$as_echo "$as_me: WARNING: using \`LTCC=$LTCC', extracted from \`$ofile'" >&2;}
+      { echo "$as_me:$LINENO: WARNING: using \`LTCC=$LTCC', extracted from \`$ofile'" >&5
+echo "$as_me: WARNING: using \`LTCC=$LTCC', extracted from \`$ofile'" >&2;}
     fi
   fi
   if test -z "$LTCFLAGS"; then
@@ -10602,16 +10414,16 @@ $as_echo "$as_me: WARNING: using \`LTCC=$LTCC', extracted from \`$ofile'" >&2;}
     # Check whether tagname contains only valid characters
     case `$echo "X$tagname" | $Xsed -e 's:[-_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,/]::g'` in
     "") ;;
-    *)  { { $as_echo "$as_me:$LINENO: error: invalid tag name: $tagname" >&5
-$as_echo "$as_me: error: invalid tag name: $tagname" >&2;}
+    *)  { { echo "$as_me:$LINENO: error: invalid tag name: $tagname" >&5
+echo "$as_me: error: invalid tag name: $tagname" >&2;}
    { (exit 1); exit 1; }; }
 	;;
     esac
 
     if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "${ofile}" > /dev/null
     then
-      { { $as_echo "$as_me:$LINENO: error: tag name \"$tagname\" already exists" >&5
-$as_echo "$as_me: error: tag name \"$tagname\" already exists" >&2;}
+      { { echo "$as_me:$LINENO: error: tag name \"$tagname\" already exists" >&5
+echo "$as_me: error: tag name \"$tagname\" already exists" >&2;}
    { (exit 1); exit 1; }; }
     fi
 
@@ -10754,8 +10566,8 @@ fi
 ac_prog=ld
 if test "$GCC" = yes; then
   # Check if gcc -print-prog-name=ld gives a path.
-  { $as_echo "$as_me:$LINENO: checking for ld used by $CC" >&5
-$as_echo_n "checking for ld used by $CC... " >&6; }
+  { echo "$as_me:$LINENO: checking for ld used by $CC" >&5
+echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6; }
   case $host in
   *-*-mingw*)
     # gcc leaves a trailing carriage return which upsets mingw
@@ -10784,14 +10596,14 @@ $as_echo_n "checking for ld used by $CC... " >&6; }
     ;;
   esac
 elif test "$with_gnu_ld" = yes; then
-  { $as_echo "$as_me:$LINENO: checking for GNU ld" >&5
-$as_echo_n "checking for GNU ld... " >&6; }
+  { echo "$as_me:$LINENO: checking for GNU ld" >&5
+echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: checking for non-GNU ld" >&5
-$as_echo_n "checking for non-GNU ld... " >&6; }
+  { echo "$as_me:$LINENO: checking for non-GNU ld" >&5
+echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6; }
 fi
 if test "${lt_cv_path_LD+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -z "$LD"; then
   lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
@@ -10821,19 +10633,19 @@ fi
 
 LD="$lt_cv_path_LD"
 if test -n "$LD"; then
-  { $as_echo "$as_me:$LINENO: result: $LD" >&5
-$as_echo "$LD" >&6; }
+  { echo "$as_me:$LINENO: result: $LD" >&5
+echo "${ECHO_T}$LD" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
-test -z "$LD" && { { $as_echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
-$as_echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
+test -z "$LD" && { { echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
+echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
    { (exit 1); exit 1; }; }
-{ $as_echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
-$as_echo_n "checking if the linker ($LD) is GNU ld... " >&6; }
+{ echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
+echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6; }
 if test "${lt_cv_prog_gnu_ld+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   # I'd rather use --version here, but apparently some GNU lds only accept -v.
 case `$LD -v 2>&1 </dev/null` in
@@ -10845,8 +10657,8 @@ case `$LD -v 2>&1 </dev/null` in
   ;;
 esac
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
-$as_echo "$lt_cv_prog_gnu_ld" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
+echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6; }
 with_gnu_ld=$lt_cv_prog_gnu_ld
 
 
@@ -10896,8 +10708,8 @@ else
 fi
 
 # PORTME: fill in a description of your system's C++ link characteristics
-{ $as_echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-$as_echo_n "checking whether the $compiler linker ($LD) supports shared libraries... " >&6; }
+{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
 ld_shlibs_CXX=yes
 case $host_os in
   aix3*)
@@ -11014,21 +10826,18 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_cxx_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
 lt_aix_libpath_sed='
     /Import File Strings/,/^$/ {
@@ -11043,13 +10852,12 @@ if test -z "$aix_libpath"; then
   aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 fi
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
@@ -11085,21 +10893,18 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_cxx_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
 lt_aix_libpath_sed='
     /Import File Strings/,/^$/ {
@@ -11114,13 +10919,12 @@ if test -z "$aix_libpath"; then
   aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 fi
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
@@ -11850,8 +11654,8 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     ld_shlibs_CXX=no
     ;;
 esac
-{ $as_echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5
-$as_echo "$ld_shlibs_CXX" >&6; }
+{ echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5
+echo "${ECHO_T}$ld_shlibs_CXX" >&6; }
 test "$ld_shlibs_CXX" = no && can_build_shared=no
 
 GCC_CXX="$GXX"
@@ -11874,7 +11678,7 @@ EOF
 if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; then
   # Parse the compiler output and extract the necessary
   # objects, libraries and library flags.
@@ -12030,8 +11834,8 @@ lt_prog_compiler_wl_CXX=
 lt_prog_compiler_pic_CXX=
 lt_prog_compiler_static_CXX=
 
-{ $as_echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-$as_echo_n "checking for $compiler option to produce PIC... " >&6; }
+{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
 
   # C++ specific cases for pic, static, wl, etc.
   if test "$GXX" = yes; then
@@ -12314,18 +12118,18 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
     esac
   fi
 
-{ $as_echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_CXX" >&5
-$as_echo "$lt_prog_compiler_pic_CXX" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_CXX" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_CXX" >&6; }
 
 #
 # Check to make sure the PIC flag actually works.
 #
 if test -n "$lt_prog_compiler_pic_CXX"; then
 
-{ $as_echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works" >&5
-$as_echo_n "checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works... " >&6; }
+{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works... $ECHO_C" >&6; }
 if test "${lt_cv_prog_compiler_pic_works_CXX+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_prog_compiler_pic_works_CXX=no
   ac_outfile=conftest.$ac_objext
@@ -12340,11 +12144,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:12343: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:12147: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:12347: \$? = $ac_status" >&5
+   echo "$as_me:12151: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -12357,8 +12161,8 @@ else
    $rm conftest*
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works_CXX" >&5
-$as_echo "$lt_cv_prog_compiler_pic_works_CXX" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works_CXX" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_pic_works_CXX" >&6; }
 
 if test x"$lt_cv_prog_compiler_pic_works_CXX" = xyes; then
     case $lt_prog_compiler_pic_CXX in
@@ -12385,10 +12189,10 @@ esac
 # Check to make sure the static flag actually works.
 #
 wl=$lt_prog_compiler_wl_CXX eval lt_tmp_static_flag=\"$lt_prog_compiler_static_CXX\"
-{ $as_echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
-$as_echo_n "checking if $compiler static flag $lt_tmp_static_flag works... " >&6; }
+{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
+echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
 if test "${lt_cv_prog_compiler_static_works_CXX+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_prog_compiler_static_works_CXX=no
    save_LDFLAGS="$LDFLAGS"
@@ -12413,8 +12217,8 @@ else
    LDFLAGS="$save_LDFLAGS"
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works_CXX" >&5
-$as_echo "$lt_cv_prog_compiler_static_works_CXX" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works_CXX" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_static_works_CXX" >&6; }
 
 if test x"$lt_cv_prog_compiler_static_works_CXX" = xyes; then
     :
@@ -12423,10 +12227,10 @@ else
 fi
 
 
-{ $as_echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-$as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; }
+{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
 if test "${lt_cv_prog_compiler_c_o_CXX+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_prog_compiler_c_o_CXX=no
    $rm -r conftest 2>/dev/null
@@ -12444,11 +12248,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:12447: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:12251: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:12451: \$? = $ac_status" >&5
+   echo "$as_me:12255: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -12470,34 +12274,34 @@ else
    $rm conftest*
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_CXX" >&5
-$as_echo "$lt_cv_prog_compiler_c_o_CXX" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_CXX" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o_CXX" >&6; }
 
 
 hard_links="nottested"
 if test "$lt_cv_prog_compiler_c_o_CXX" = no && test "$need_locks" != no; then
   # do not overwrite the value of need_locks provided by the user
-  { $as_echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-$as_echo_n "checking if we can lock with hard links... " >&6; }
+  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
   hard_links=yes
   $rm conftest*
   ln conftest.a conftest.b 2>/dev/null && hard_links=no
   touch conftest.a
   ln conftest.a conftest.b 2>&5 || hard_links=no
   ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  { $as_echo "$as_me:$LINENO: result: $hard_links" >&5
-$as_echo "$hard_links" >&6; }
+  { echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6; }
   if test "$hard_links" = no; then
-    { $as_echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
-$as_echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
+    { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
+echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
     need_locks=warn
   fi
 else
   need_locks=no
 fi
 
-{ $as_echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-$as_echo_n "checking whether the $compiler linker ($LD) supports shared libraries... " >&6; }
+{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
 
   export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
   case $host_os in
@@ -12522,8 +12326,8 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie
   esac
   exclude_expsyms_CXX='_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'
 
-{ $as_echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5
-$as_echo "$ld_shlibs_CXX" >&6; }
+{ echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5
+echo "${ECHO_T}$ld_shlibs_CXX" >&6; }
 test "$ld_shlibs_CXX" = no && can_build_shared=no
 
 #
@@ -12543,15 +12347,15 @@ x|xyes)
       # Test whether the compiler implicitly links with -lc since on some
       # systems, -lgcc has to come before -lc. If gcc already passes -lc
       # to ld, don't add -lc before -lgcc.
-      { $as_echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-$as_echo_n "checking whether -lc should be explicitly linked in... " >&6; }
+      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
       $rm conftest*
       echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
       if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } 2>conftest.err; then
         soname=conftest
         lib=conftest
@@ -12569,7 +12373,7 @@ $as_echo_n "checking whether -lc should be explicitly linked in... " >&6; }
         if { (eval echo "$as_me:$LINENO: \"$archive_cmds_CXX 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
   (eval $archive_cmds_CXX 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
         then
 	  archive_cmds_need_lc_CXX=no
@@ -12581,16 +12385,16 @@ $as_echo_n "checking whether -lc should be explicitly linked in... " >&6; }
         cat conftest.err 1>&5
       fi
       $rm conftest*
-      { $as_echo "$as_me:$LINENO: result: $archive_cmds_need_lc_CXX" >&5
-$as_echo "$archive_cmds_need_lc_CXX" >&6; }
+      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_CXX" >&5
+echo "${ECHO_T}$archive_cmds_need_lc_CXX" >&6; }
       ;;
     esac
   fi
   ;;
 esac
 
-{ $as_echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-$as_echo_n "checking dynamic linker characteristics... " >&6; }
+{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
 library_names_spec=
 libname_spec='lib$name'
 soname_spec=
@@ -13139,19 +12943,19 @@ uts4*)
   dynamic_linker=no
   ;;
 esac
-{ $as_echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-$as_echo "$dynamic_linker" >&6; }
+{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6; }
 test "$dynamic_linker" = no && can_build_shared=no
 
 if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"
 fi
 
 sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
 if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"
 fi
@@ -13163,8 +12967,8 @@ if test "$GCC" = yes; then
   variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
 fi
 
-{ $as_echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-$as_echo_n "checking how to hardcode library paths into programs... " >&6; }
+{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
 hardcode_action_CXX=
 if test -n "$hardcode_libdir_flag_spec_CXX" || \
    test -n "$runpath_var_CXX" || \
@@ -13188,8 +12992,8 @@ else
   # directories.
   hardcode_action_CXX=unsupported
 fi
-{ $as_echo "$as_me:$LINENO: result: $hardcode_action_CXX" >&5
-$as_echo "$hardcode_action_CXX" >&6; }
+{ echo "$as_me:$LINENO: result: $hardcode_action_CXX" >&5
+echo "${ECHO_T}$hardcode_action_CXX" >&6; }
 
 if test "$hardcode_action_CXX" = relink; then
   # Fast installation is not supported
@@ -13727,13 +13531,13 @@ done
 cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
 
 
-{ $as_echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
-$as_echo_n "checking if libtool supports shared libraries... " >&6; }
-{ $as_echo "$as_me:$LINENO: result: $can_build_shared" >&5
-$as_echo "$can_build_shared" >&6; }
+{ echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
+echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: result: $can_build_shared" >&5
+echo "${ECHO_T}$can_build_shared" >&6; }
 
-{ $as_echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
-$as_echo_n "checking whether to build shared libraries... " >&6; }
+{ echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
+echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6; }
 test "$can_build_shared" = "no" && enable_shared=no
 
 # On AIX, shared libraries and static libraries use the same namespace, and
@@ -13752,15 +13556,15 @@ aix[4-9]*)
   fi
   ;;
 esac
-{ $as_echo "$as_me:$LINENO: result: $enable_shared" >&5
-$as_echo "$enable_shared" >&6; }
+{ echo "$as_me:$LINENO: result: $enable_shared" >&5
+echo "${ECHO_T}$enable_shared" >&6; }
 
-{ $as_echo "$as_me:$LINENO: checking whether to build static libraries" >&5
-$as_echo_n "checking whether to build static libraries... " >&6; }
+{ echo "$as_me:$LINENO: checking whether to build static libraries" >&5
+echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6; }
 # Make sure either enable_shared or enable_static is yes.
 test "$enable_shared" = yes || enable_static=yes
-{ $as_echo "$as_me:$LINENO: result: $enable_static" >&5
-$as_echo "$enable_static" >&6; }
+{ echo "$as_me:$LINENO: result: $enable_static" >&5
+echo "${ECHO_T}$enable_static" >&6; }
 
 GCC_F77="$G77"
 LD_F77="$LD"
@@ -13769,8 +13573,8 @@ lt_prog_compiler_wl_F77=
 lt_prog_compiler_pic_F77=
 lt_prog_compiler_static_F77=
 
-{ $as_echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-$as_echo_n "checking for $compiler option to produce PIC... " >&6; }
+{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
 
   if test "$GCC" = yes; then
     lt_prog_compiler_wl_F77='-Wl,'
@@ -14001,18 +13805,18 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
     esac
   fi
 
-{ $as_echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_F77" >&5
-$as_echo "$lt_prog_compiler_pic_F77" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_F77" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_F77" >&6; }
 
 #
 # Check to make sure the PIC flag actually works.
 #
 if test -n "$lt_prog_compiler_pic_F77"; then
 
-{ $as_echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works" >&5
-$as_echo_n "checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works... " >&6; }
+{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works... $ECHO_C" >&6; }
 if test "${lt_cv_prog_compiler_pic_works_F77+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_prog_compiler_pic_works_F77=no
   ac_outfile=conftest.$ac_objext
@@ -14027,11 +13831,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:14030: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:13834: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:14034: \$? = $ac_status" >&5
+   echo "$as_me:13838: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -14044,8 +13848,8 @@ else
    $rm conftest*
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works_F77" >&5
-$as_echo "$lt_cv_prog_compiler_pic_works_F77" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works_F77" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_pic_works_F77" >&6; }
 
 if test x"$lt_cv_prog_compiler_pic_works_F77" = xyes; then
     case $lt_prog_compiler_pic_F77 in
@@ -14072,10 +13876,10 @@ esac
 # Check to make sure the static flag actually works.
 #
 wl=$lt_prog_compiler_wl_F77 eval lt_tmp_static_flag=\"$lt_prog_compiler_static_F77\"
-{ $as_echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
-$as_echo_n "checking if $compiler static flag $lt_tmp_static_flag works... " >&6; }
+{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
+echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
 if test "${lt_cv_prog_compiler_static_works_F77+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_prog_compiler_static_works_F77=no
    save_LDFLAGS="$LDFLAGS"
@@ -14100,8 +13904,8 @@ else
    LDFLAGS="$save_LDFLAGS"
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works_F77" >&5
-$as_echo "$lt_cv_prog_compiler_static_works_F77" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works_F77" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_static_works_F77" >&6; }
 
 if test x"$lt_cv_prog_compiler_static_works_F77" = xyes; then
     :
@@ -14110,10 +13914,10 @@ else
 fi
 
 
-{ $as_echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-$as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; }
+{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
 if test "${lt_cv_prog_compiler_c_o_F77+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_prog_compiler_c_o_F77=no
    $rm -r conftest 2>/dev/null
@@ -14131,11 +13935,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:14134: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:13938: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:14138: \$? = $ac_status" >&5
+   echo "$as_me:13942: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -14157,34 +13961,34 @@ else
    $rm conftest*
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_F77" >&5
-$as_echo "$lt_cv_prog_compiler_c_o_F77" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_F77" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o_F77" >&6; }
 
 
 hard_links="nottested"
 if test "$lt_cv_prog_compiler_c_o_F77" = no && test "$need_locks" != no; then
   # do not overwrite the value of need_locks provided by the user
-  { $as_echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-$as_echo_n "checking if we can lock with hard links... " >&6; }
+  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
   hard_links=yes
   $rm conftest*
   ln conftest.a conftest.b 2>/dev/null && hard_links=no
   touch conftest.a
   ln conftest.a conftest.b 2>&5 || hard_links=no
   ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  { $as_echo "$as_me:$LINENO: result: $hard_links" >&5
-$as_echo "$hard_links" >&6; }
+  { echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6; }
   if test "$hard_links" = no; then
-    { $as_echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
-$as_echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
+    { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
+echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
     need_locks=warn
   fi
 else
   need_locks=no
 fi
 
-{ $as_echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-$as_echo_n "checking whether the $compiler linker ($LD) supports shared libraries... " >&6; }
+{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
 
   runpath_var=
   allow_undefined_flag_F77=
@@ -14604,21 +14408,18 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_f77_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
 lt_aix_libpath_sed='
     /Import File Strings/,/^$/ {
@@ -14633,13 +14434,12 @@ if test -z "$aix_libpath"; then
   aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 fi
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
@@ -14664,21 +14464,18 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_f77_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
 lt_aix_libpath_sed='
     /Import File Strings/,/^$/ {
@@ -14693,13 +14490,12 @@ if test -z "$aix_libpath"; then
   aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 fi
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
@@ -15151,8 +14947,8 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     esac
   fi
 
-{ $as_echo "$as_me:$LINENO: result: $ld_shlibs_F77" >&5
-$as_echo "$ld_shlibs_F77" >&6; }
+{ echo "$as_me:$LINENO: result: $ld_shlibs_F77" >&5
+echo "${ECHO_T}$ld_shlibs_F77" >&6; }
 test "$ld_shlibs_F77" = no && can_build_shared=no
 
 #
@@ -15172,15 +14968,15 @@ x|xyes)
       # Test whether the compiler implicitly links with -lc since on some
       # systems, -lgcc has to come before -lc. If gcc already passes -lc
       # to ld, don't add -lc before -lgcc.
-      { $as_echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-$as_echo_n "checking whether -lc should be explicitly linked in... " >&6; }
+      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
       $rm conftest*
       echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
       if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } 2>conftest.err; then
         soname=conftest
         lib=conftest
@@ -15198,7 +14994,7 @@ $as_echo_n "checking whether -lc should be explicitly linked in... " >&6; }
         if { (eval echo "$as_me:$LINENO: \"$archive_cmds_F77 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
   (eval $archive_cmds_F77 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
         then
 	  archive_cmds_need_lc_F77=no
@@ -15210,16 +15006,16 @@ $as_echo_n "checking whether -lc should be explicitly linked in... " >&6; }
         cat conftest.err 1>&5
       fi
       $rm conftest*
-      { $as_echo "$as_me:$LINENO: result: $archive_cmds_need_lc_F77" >&5
-$as_echo "$archive_cmds_need_lc_F77" >&6; }
+      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_F77" >&5
+echo "${ECHO_T}$archive_cmds_need_lc_F77" >&6; }
       ;;
     esac
   fi
   ;;
 esac
 
-{ $as_echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-$as_echo_n "checking dynamic linker characteristics... " >&6; }
+{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
 library_names_spec=
 libname_spec='lib$name'
 soname_spec=
@@ -15768,19 +15564,19 @@ uts4*)
   dynamic_linker=no
   ;;
 esac
-{ $as_echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-$as_echo "$dynamic_linker" >&6; }
+{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6; }
 test "$dynamic_linker" = no && can_build_shared=no
 
 if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"
 fi
 
 sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
 if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"
 fi
@@ -15792,8 +15588,8 @@ if test "$GCC" = yes; then
   variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
 fi
 
-{ $as_echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-$as_echo_n "checking how to hardcode library paths into programs... " >&6; }
+{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
 hardcode_action_F77=
 if test -n "$hardcode_libdir_flag_spec_F77" || \
    test -n "$runpath_var_F77" || \
@@ -15817,8 +15613,8 @@ else
   # directories.
   hardcode_action_F77=unsupported
 fi
-{ $as_echo "$as_me:$LINENO: result: $hardcode_action_F77" >&5
-$as_echo "$hardcode_action_F77" >&6; }
+{ echo "$as_me:$LINENO: result: $hardcode_action_F77" >&5
+echo "${ECHO_T}$hardcode_action_F77" >&6; }
 
 if test "$hardcode_action_F77" = relink; then
   # Fast installation is not supported
@@ -16332,10 +16128,10 @@ if test "$GCC" = yes; then
   lt_prog_compiler_no_builtin_flag_GCJ=' -fno-builtin'
 
 
-{ $as_echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
-$as_echo_n "checking if $compiler supports -fno-rtti -fno-exceptions... " >&6; }
+{ echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
+echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6; }
 if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_prog_compiler_rtti_exceptions=no
   ac_outfile=conftest.$ac_objext
@@ -16350,11 +16146,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16353: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16149: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:16357: \$? = $ac_status" >&5
+   echo "$as_me:16153: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -16367,8 +16163,8 @@ else
    $rm conftest*
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
-$as_echo "$lt_cv_prog_compiler_rtti_exceptions" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6; }
 
 if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then
     lt_prog_compiler_no_builtin_flag_GCJ="$lt_prog_compiler_no_builtin_flag_GCJ -fno-rtti -fno-exceptions"
@@ -16382,8 +16178,8 @@ lt_prog_compiler_wl_GCJ=
 lt_prog_compiler_pic_GCJ=
 lt_prog_compiler_static_GCJ=
 
-{ $as_echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-$as_echo_n "checking for $compiler option to produce PIC... " >&6; }
+{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
 
   if test "$GCC" = yes; then
     lt_prog_compiler_wl_GCJ='-Wl,'
@@ -16614,18 +16410,18 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; }
     esac
   fi
 
-{ $as_echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_GCJ" >&5
-$as_echo "$lt_prog_compiler_pic_GCJ" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_GCJ" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_GCJ" >&6; }
 
 #
 # Check to make sure the PIC flag actually works.
 #
 if test -n "$lt_prog_compiler_pic_GCJ"; then
 
-{ $as_echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works" >&5
-$as_echo_n "checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works... " >&6; }
+{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works... $ECHO_C" >&6; }
 if test "${lt_cv_prog_compiler_pic_works_GCJ+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_prog_compiler_pic_works_GCJ=no
   ac_outfile=conftest.$ac_objext
@@ -16640,11 +16436,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16643: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16439: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:16647: \$? = $ac_status" >&5
+   echo "$as_me:16443: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -16657,8 +16453,8 @@ else
    $rm conftest*
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works_GCJ" >&5
-$as_echo "$lt_cv_prog_compiler_pic_works_GCJ" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_pic_works_GCJ" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_pic_works_GCJ" >&6; }
 
 if test x"$lt_cv_prog_compiler_pic_works_GCJ" = xyes; then
     case $lt_prog_compiler_pic_GCJ in
@@ -16685,10 +16481,10 @@ esac
 # Check to make sure the static flag actually works.
 #
 wl=$lt_prog_compiler_wl_GCJ eval lt_tmp_static_flag=\"$lt_prog_compiler_static_GCJ\"
-{ $as_echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
-$as_echo_n "checking if $compiler static flag $lt_tmp_static_flag works... " >&6; }
+{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
+echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
 if test "${lt_cv_prog_compiler_static_works_GCJ+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_prog_compiler_static_works_GCJ=no
    save_LDFLAGS="$LDFLAGS"
@@ -16713,8 +16509,8 @@ else
    LDFLAGS="$save_LDFLAGS"
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works_GCJ" >&5
-$as_echo "$lt_cv_prog_compiler_static_works_GCJ" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_static_works_GCJ" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_static_works_GCJ" >&6; }
 
 if test x"$lt_cv_prog_compiler_static_works_GCJ" = xyes; then
     :
@@ -16723,10 +16519,10 @@ else
 fi
 
 
-{ $as_echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-$as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; }
+{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
 if test "${lt_cv_prog_compiler_c_o_GCJ+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_prog_compiler_c_o_GCJ=no
    $rm -r conftest 2>/dev/null
@@ -16744,11 +16540,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:16747: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:16543: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:16751: \$? = $ac_status" >&5
+   echo "$as_me:16547: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -16770,34 +16566,34 @@ else
    $rm conftest*
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_GCJ" >&5
-$as_echo "$lt_cv_prog_compiler_c_o_GCJ" >&6; }
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_GCJ" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o_GCJ" >&6; }
 
 
 hard_links="nottested"
 if test "$lt_cv_prog_compiler_c_o_GCJ" = no && test "$need_locks" != no; then
   # do not overwrite the value of need_locks provided by the user
-  { $as_echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-$as_echo_n "checking if we can lock with hard links... " >&6; }
+  { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
   hard_links=yes
   $rm conftest*
   ln conftest.a conftest.b 2>/dev/null && hard_links=no
   touch conftest.a
   ln conftest.a conftest.b 2>&5 || hard_links=no
   ln conftest.a conftest.b 2>/dev/null && hard_links=no
-  { $as_echo "$as_me:$LINENO: result: $hard_links" >&5
-$as_echo "$hard_links" >&6; }
+  { echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6; }
   if test "$hard_links" = no; then
-    { $as_echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
-$as_echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
+    { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
+echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
     need_locks=warn
   fi
 else
   need_locks=no
 fi
 
-{ $as_echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-$as_echo_n "checking whether the $compiler linker ($LD) supports shared libraries... " >&6; }
+{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
 
   runpath_var=
   allow_undefined_flag_GCJ=
@@ -17227,21 +17023,18 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
 lt_aix_libpath_sed='
     /Import File Strings/,/^$/ {
@@ -17256,13 +17049,12 @@ if test -z "$aix_libpath"; then
   aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 fi
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
@@ -17297,21 +17089,18 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
 
 lt_aix_libpath_sed='
     /Import File Strings/,/^$/ {
@@ -17326,13 +17115,12 @@ if test -z "$aix_libpath"; then
   aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 fi
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
@@ -17784,8 +17572,8 @@ if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
     esac
   fi
 
-{ $as_echo "$as_me:$LINENO: result: $ld_shlibs_GCJ" >&5
-$as_echo "$ld_shlibs_GCJ" >&6; }
+{ echo "$as_me:$LINENO: result: $ld_shlibs_GCJ" >&5
+echo "${ECHO_T}$ld_shlibs_GCJ" >&6; }
 test "$ld_shlibs_GCJ" = no && can_build_shared=no
 
 #
@@ -17805,15 +17593,15 @@ x|xyes)
       # Test whether the compiler implicitly links with -lc since on some
       # systems, -lgcc has to come before -lc. If gcc already passes -lc
       # to ld, don't add -lc before -lgcc.
-      { $as_echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-$as_echo_n "checking whether -lc should be explicitly linked in... " >&6; }
+      { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
       $rm conftest*
       echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
       if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } 2>conftest.err; then
         soname=conftest
         lib=conftest
@@ -17831,7 +17619,7 @@ $as_echo_n "checking whether -lc should be explicitly linked in... " >&6; }
         if { (eval echo "$as_me:$LINENO: \"$archive_cmds_GCJ 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
   (eval $archive_cmds_GCJ 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
         then
 	  archive_cmds_need_lc_GCJ=no
@@ -17843,16 +17631,16 @@ $as_echo_n "checking whether -lc should be explicitly linked in... " >&6; }
         cat conftest.err 1>&5
       fi
       $rm conftest*
-      { $as_echo "$as_me:$LINENO: result: $archive_cmds_need_lc_GCJ" >&5
-$as_echo "$archive_cmds_need_lc_GCJ" >&6; }
+      { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_GCJ" >&5
+echo "${ECHO_T}$archive_cmds_need_lc_GCJ" >&6; }
       ;;
     esac
   fi
   ;;
 esac
 
-{ $as_echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-$as_echo_n "checking dynamic linker characteristics... " >&6; }
+{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
 library_names_spec=
 libname_spec='lib$name'
 soname_spec=
@@ -18401,19 +18189,19 @@ uts4*)
   dynamic_linker=no
   ;;
 esac
-{ $as_echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-$as_echo "$dynamic_linker" >&6; }
+{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6; }
 test "$dynamic_linker" = no && can_build_shared=no
 
 if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"
 fi
 
 sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
 if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"
 fi
@@ -18425,8 +18213,8 @@ if test "$GCC" = yes; then
   variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
 fi
 
-{ $as_echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-$as_echo_n "checking how to hardcode library paths into programs... " >&6; }
+{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
 hardcode_action_GCJ=
 if test -n "$hardcode_libdir_flag_spec_GCJ" || \
    test -n "$runpath_var_GCJ" || \
@@ -18450,8 +18238,8 @@ else
   # directories.
   hardcode_action_GCJ=unsupported
 fi
-{ $as_echo "$as_me:$LINENO: result: $hardcode_action_GCJ" >&5
-$as_echo "$hardcode_action_GCJ" >&6; }
+{ echo "$as_me:$LINENO: result: $hardcode_action_GCJ" >&5
+echo "${ECHO_T}$hardcode_action_GCJ" >&6; }
 
 if test "$hardcode_action_GCJ" = relink; then
   # Fast installation is not supported
@@ -19374,8 +19162,8 @@ CC="$lt_save_CC"
 	;;
 
       *)
-	{ { $as_echo "$as_me:$LINENO: error: Unsupported tag name: $tagname" >&5
-$as_echo "$as_me: error: Unsupported tag name: $tagname" >&2;}
+	{ { echo "$as_me:$LINENO: error: Unsupported tag name: $tagname" >&5
+echo "$as_me: error: Unsupported tag name: $tagname" >&2;}
    { (exit 1); exit 1; }; }
 	;;
       esac
@@ -19394,8 +19182,8 @@ $as_echo "$as_me: error: Unsupported tag name: $tagname" >&2;}
     chmod +x "$ofile"
   else
     rm -f "${ofile}T"
-    { { $as_echo "$as_me:$LINENO: error: unable to update list of available tagged configurations." >&5
-$as_echo "$as_me: error: unable to update list of available tagged configurations." >&2;}
+    { { echo "$as_me:$LINENO: error: unable to update list of available tagged configurations." >&5
+echo "$as_me: error: unable to update list of available tagged configurations." >&2;}
    { (exit 1); exit 1; }; }
   fi
 fi
@@ -19442,12 +19230,11 @@ LIBTOOL='$(SHELL) $(top_builddir)/libtool'
 # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
 # OS/2's system install, which has a completely different semantic
 # ./install, which can be erroneously created by make from ./install.sh.
-# Reject install programs that cannot install multiple files.
-{ $as_echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
-$as_echo_n "checking for a BSD-compatible install... " >&6; }
+{ echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
+echo $ECHO_N "checking for a BSD-compatible install... $ECHO_C" >&6; }
 if test -z "$INSTALL"; then
 if test "${ac_cv_path_install+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
 for as_dir in $PATH
@@ -19476,29 +19263,17 @@ case $as_dir/ in
 	    # program-specific install script used by HP pwplus--don't use.
 	    :
 	  else
-	    rm -rf conftest.one conftest.two conftest.dir
-	    echo one > conftest.one
-	    echo two > conftest.two
-	    mkdir conftest.dir
-	    if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" &&
-	      test -s conftest.one && test -s conftest.two &&
-	      test -s conftest.dir/conftest.one &&
-	      test -s conftest.dir/conftest.two
-	    then
-	      ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
-	      break 3
-	    fi
+	    ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
+	    break 3
 	  fi
 	fi
       done
     done
     ;;
 esac
-
 done
 IFS=$as_save_IFS
 
-rm -rf conftest.one conftest.two conftest.dir
 
 fi
   if test "${ac_cv_path_install+set}" = set; then
@@ -19511,8 +19286,8 @@ fi
     INSTALL=$ac_install_sh
   fi
 fi
-{ $as_echo "$as_me:$LINENO: result: $INSTALL" >&5
-$as_echo "$INSTALL" >&6; }
+{ echo "$as_me:$LINENO: result: $INSTALL" >&5
+echo "${ECHO_T}$INSTALL" >&6; }
 
 # Use test -z because SunOS4 sh mishandles braces in ${var-val}.
 # It thinks the first close brace ends the variable substitution.
@@ -19522,15 +19297,15 @@ test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
 
 test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
 
-{ $as_echo "$as_me:$LINENO: checking whether ln -s works" >&5
-$as_echo_n "checking whether ln -s works... " >&6; }
+{ echo "$as_me:$LINENO: checking whether ln -s works" >&5
+echo $ECHO_N "checking whether ln -s works... $ECHO_C" >&6; }
 LN_S=$as_ln_s
 if test "$LN_S" = "ln -s"; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no, using $LN_S" >&5
-$as_echo "no, using $LN_S" >&6; }
+  { echo "$as_me:$LINENO: result: no, using $LN_S" >&5
+echo "${ECHO_T}no, using $LN_S" >&6; }
 fi
 
 
@@ -19548,9 +19323,9 @@ fi
 
 case "$enable_libbind" in
 	yes)
-		{ { $as_echo "$as_me:$LINENO: error: 'libbind' is no longer part of the BIND 9 distribution.
+		{ { echo "$as_me:$LINENO: error: 'libbind' is no longer part of the BIND 9 distribution.
 It is available from http://www.isc.org as a separate download." >&5
-$as_echo "$as_me: error: 'libbind' is no longer part of the BIND 9 distribution.
+echo "$as_me: error: 'libbind' is no longer part of the BIND 9 distribution.
 It is available from http://www.isc.org as a separate download." >&2;}
    { (exit 1); exit 1; }; }
 		;;
@@ -19569,10 +19344,10 @@ ac_config_files="$ac_config_files make/rules make/includes"
 
 # Extract the first word of "ar", so it can be a program name with args.
 set dummy ar; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_path_AR+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   case $AR in
   [\\/]* | ?:[\\/]*)
@@ -19587,7 +19362,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_path_AR="$as_dir/$ac_word$ac_exec_ext"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -19599,11 +19374,11 @@ esac
 fi
 AR=$ac_cv_path_AR
 if test -n "$AR"; then
-  { $as_echo "$as_me:$LINENO: result: $AR" >&5
-$as_echo "$AR" >&6; }
+  { echo "$as_me:$LINENO: result: $AR" >&5
+echo "${ECHO_T}$AR" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -19618,11 +19393,11 @@ LN=ln
 
 case "$AR" in
 	"")
-		{ { $as_echo "$as_me:$LINENO: error:
+		{ { echo "$as_me:$LINENO: error:
 ar program not found.  Please fix your PATH to include the directory in
 which ar resides, or set AR in the environment with the full path to ar.
 " >&5
-$as_echo "$as_me: error:
+echo "$as_me: error:
 ar program not found.  Please fix your PATH to include the directory in
 which ar resides, or set AR in the environment with the full path to ar.
 " >&2;}
@@ -19638,10 +19413,10 @@ for ac_prog in etags emacs-etags
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_path_ETAGS+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   case $ETAGS in
   [\\/]* | ?:[\\/]*)
@@ -19656,7 +19431,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_path_ETAGS="$as_dir/$ac_word$ac_exec_ext"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -19668,11 +19443,11 @@ esac
 fi
 ETAGS=$ac_cv_path_ETAGS
 if test -n "$ETAGS"; then
-  { $as_echo "$as_me:$LINENO: result: $ETAGS" >&5
-$as_echo "$ETAGS" >&6; }
+  { echo "$as_me:$LINENO: result: $ETAGS" >&5
+echo "${ECHO_T}$ETAGS" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -19685,15 +19460,15 @@ done
 # GNU emacs etags, and it requires the -L flag.
 #
 if test "X$ETAGS" != "X"; then
-	{ $as_echo "$as_me:$LINENO: checking for Exuberant Ctags etags" >&5
-$as_echo_n "checking for Exuberant Ctags etags... " >&6; }
+	{ echo "$as_me:$LINENO: checking for Exuberant Ctags etags" >&5
+echo $ECHO_N "checking for Exuberant Ctags etags... $ECHO_C" >&6; }
 	if $ETAGS --version 2>&1 | grep 'Exuberant Ctags' >/dev/null 2>&1; then
-		{ $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+		{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 		ETAGS="$ETAGS -L"
 	else
-		{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+		{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	fi
 fi
 
@@ -19705,10 +19480,10 @@ for ac_prog in perl5 perl
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_path_PERL+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   case $PERL in
   [\\/]* | ?:[\\/]*)
@@ -19723,7 +19498,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_path_PERL="$as_dir/$ac_word$ac_exec_ext"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -19735,11 +19510,11 @@ esac
 fi
 PERL=$ac_cv_path_PERL
 if test -n "$PERL"; then
-  { $as_echo "$as_me:$LINENO: result: $PERL" >&5
-$as_echo "$PERL" >&6; }
+  { echo "$as_me:$LINENO: result: $PERL" >&5
+echo "${ECHO_T}$PERL" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -19863,10 +19638,10 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
 set dummy ${ac_tool_prefix}gcc; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_CC+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$CC"; then
   ac_cv_prog_CC="$CC" # Let the user override the test.
@@ -19879,7 +19654,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_CC="${ac_tool_prefix}gcc"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -19890,11 +19665,11 @@ fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  { $as_echo "$as_me:$LINENO: result: $CC" >&5
-$as_echo "$CC" >&6; }
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -19903,10 +19678,10 @@ if test -z "$ac_cv_prog_CC"; then
   ac_ct_CC=$CC
   # Extract the first word of "gcc", so it can be a program name with args.
 set dummy gcc; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$ac_ct_CC"; then
   ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
@@ -19919,7 +19694,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_CC="gcc"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -19930,11 +19705,11 @@ fi
 fi
 ac_ct_CC=$ac_cv_prog_ac_ct_CC
 if test -n "$ac_ct_CC"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-$as_echo "$ac_ct_CC" >&6; }
+  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
   if test "x$ac_ct_CC" = x; then
@@ -19942,10 +19717,10 @@ fi
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&5
-$as_echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&2;}
 ac_tool_warned=yes ;;
@@ -19960,10 +19735,10 @@ if test -z "$CC"; then
           if test -n "$ac_tool_prefix"; then
     # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
 set dummy ${ac_tool_prefix}cc; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_CC+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$CC"; then
   ac_cv_prog_CC="$CC" # Let the user override the test.
@@ -19976,7 +19751,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_CC="${ac_tool_prefix}cc"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -19987,11 +19762,11 @@ fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  { $as_echo "$as_me:$LINENO: result: $CC" >&5
-$as_echo "$CC" >&6; }
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -20000,10 +19775,10 @@ fi
 if test -z "$CC"; then
   # Extract the first word of "cc", so it can be a program name with args.
 set dummy cc; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_CC+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$CC"; then
   ac_cv_prog_CC="$CC" # Let the user override the test.
@@ -20021,7 +19796,7 @@ do
        continue
      fi
     ac_cv_prog_CC="cc"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -20044,11 +19819,11 @@ fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  { $as_echo "$as_me:$LINENO: result: $CC" >&5
-$as_echo "$CC" >&6; }
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -20059,10 +19834,10 @@ if test -z "$CC"; then
   do
     # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
 set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_CC+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$CC"; then
   ac_cv_prog_CC="$CC" # Let the user override the test.
@@ -20075,7 +19850,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -20086,11 +19861,11 @@ fi
 fi
 CC=$ac_cv_prog_CC
 if test -n "$CC"; then
-  { $as_echo "$as_me:$LINENO: result: $CC" >&5
-$as_echo "$CC" >&6; }
+  { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -20103,10 +19878,10 @@ if test -z "$CC"; then
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   if test -n "$ac_ct_CC"; then
   ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
@@ -20119,7 +19894,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_prog_ac_ct_CC="$ac_prog"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -20130,11 +19905,11 @@ fi
 fi
 ac_ct_CC=$ac_cv_prog_ac_ct_CC
 if test -n "$ac_ct_CC"; then
-  { $as_echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-$as_echo "$ac_ct_CC" >&6; }
+  { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -20146,10 +19921,10 @@ done
   else
     case $cross_compiling:$ac_tool_warned in
 yes:)
-{ $as_echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&5
-$as_echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
 whose name does not start with the host triplet.  If you think this
 configuration is useful to you, please write to autoconf@gnu.org." >&2;}
 ac_tool_warned=yes ;;
@@ -20161,54 +19936,50 @@ fi
 fi
 
 
-test -z "$CC" && { { $as_echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
+test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
 See \`config.log' for more details." >&5
-$as_echo "$as_me: error: no acceptable C compiler found in \$PATH
+echo "$as_me: error: no acceptable C compiler found in \$PATH
 See \`config.log' for more details." >&2;}
    { (exit 1); exit 1; }; }
 
 # Provide some information about the compiler.
-$as_echo "$as_me:$LINENO: checking for C compiler version" >&5
-set X $ac_compile
-ac_compiler=$2
+echo "$as_me:$LINENO: checking for C compiler version" >&5
+ac_compiler=`set X $ac_compile; echo $2`
 { (ac_try="$ac_compiler --version >&5"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compiler --version >&5") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
 { (ac_try="$ac_compiler -v >&5"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compiler -v >&5") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
 { (ac_try="$ac_compiler -V >&5"
 case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compiler -V >&5") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }
 
-{ $as_echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
-$as_echo_n "checking whether we are using the GNU C compiler... " >&6; }
+{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; }
 if test "${ac_cv_c_compiler_gnu+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -20234,21 +20005,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_compiler_gnu=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_compiler_gnu=no
@@ -20258,19 +20028,15 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 ac_cv_c_compiler_gnu=$ac_compiler_gnu
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
-$as_echo "$ac_cv_c_compiler_gnu" >&6; }
-if test $ac_compiler_gnu = yes; then
-  GCC=yes
-else
-  GCC=
-fi
+{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; }
+GCC=`test $ac_compiler_gnu = yes && echo yes`
 ac_test_CFLAGS=${CFLAGS+set}
 ac_save_CFLAGS=$CFLAGS
-{ $as_echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
-$as_echo_n "checking whether $CC accepts -g... " >&6; }
+{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
+echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; }
 if test "${ac_cv_prog_cc_g+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_save_c_werror_flag=$ac_c_werror_flag
    ac_c_werror_flag=yes
@@ -20297,21 +20063,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_cv_prog_cc_g=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	CFLAGS=""
@@ -20336,21 +20101,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   :
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_c_werror_flag=$ac_save_c_werror_flag
@@ -20376,21 +20140,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_cv_prog_cc_g=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
@@ -20405,8 +20168,8 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
    ac_c_werror_flag=$ac_save_c_werror_flag
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
-$as_echo "$ac_cv_prog_cc_g" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; }
 if test "$ac_test_CFLAGS" = set; then
   CFLAGS=$ac_save_CFLAGS
 elif test $ac_cv_prog_cc_g = yes; then
@@ -20422,10 +20185,10 @@ else
     CFLAGS=
   fi
 fi
-{ $as_echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
-$as_echo_n "checking for $CC option to accept ISO C89... " >&6; }
+{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
+echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; }
 if test "${ac_cv_prog_cc_c89+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_cv_prog_cc_c89=no
 ac_save_CC=$CC
@@ -20496,21 +20259,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_cv_prog_cc_c89=$ac_arg
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
@@ -20526,15 +20288,15 @@ fi
 # AC_CACHE_VAL
 case "x$ac_cv_prog_cc_c89" in
   x)
-    { $as_echo "$as_me:$LINENO: result: none needed" >&5
-$as_echo "none needed" >&6; } ;;
+    { echo "$as_me:$LINENO: result: none needed" >&5
+echo "${ECHO_T}none needed" >&6; } ;;
   xno)
-    { $as_echo "$as_me:$LINENO: result: unsupported" >&5
-$as_echo "unsupported" >&6; } ;;
+    { echo "$as_me:$LINENO: result: unsupported" >&5
+echo "${ECHO_T}unsupported" >&6; } ;;
   *)
     CC="$CC $ac_cv_prog_cc_c89"
-    { $as_echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
-$as_echo "$ac_cv_prog_cc_c89" >&6; } ;;
+    { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;;
 esac
 
 
@@ -20588,10 +20350,10 @@ case "$host" in
 		;;
 esac
 
-{ $as_echo "$as_me:$LINENO: checking for ANSI C header files" >&5
-$as_echo_n "checking for ANSI C header files... " >&6; }
+{ echo "$as_me:$LINENO: checking for ANSI C header files" >&5
+echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6; }
 if test "${ac_cv_header_stdc+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -20618,21 +20380,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_cv_header_stdc=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_header_stdc=no
@@ -20724,40 +20485,37 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
   { (case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_try") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
   :
 else
-  $as_echo "$as_me: program exited with status $ac_status" >&5
-$as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 ( exit $ac_status )
 ac_cv_header_stdc=no
 fi
-rm -rf conftest.dSYM
 rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
 
 fi
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
-$as_echo "$ac_cv_header_stdc" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
+echo "${ECHO_T}$ac_cv_header_stdc" >&6; }
 if test $ac_cv_header_stdc = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -20775,13 +20533,14 @@ fi
 
 
 
-for ac_header in fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h
+
+for ac_header in fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h
 do
-as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -20803,21 +20562,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   eval "$as_ac_Header=yes"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	eval "$as_ac_Header=no"
@@ -20825,14 +20583,12 @@ fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
-if test `eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'` = yes; then
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
 
 fi
@@ -20840,10 +20596,10 @@ fi
 done
 
 
-{ $as_echo "$as_me:$LINENO: checking for an ANSI C-conforming const" >&5
-$as_echo_n "checking for an ANSI C-conforming const... " >&6; }
+{ echo "$as_me:$LINENO: checking for an ANSI C-conforming const" >&5
+echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6; }
 if test "${ac_cv_c_const+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -20915,21 +20671,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_cv_c_const=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_c_const=no
@@ -20937,20 +20692,20 @@ fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_const" >&5
-$as_echo "$ac_cv_c_const" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_c_const" >&5
+echo "${ECHO_T}$ac_cv_c_const" >&6; }
 if test $ac_cv_c_const = no; then
 
 cat >>confdefs.h <<\_ACEOF
-#define const /**/
+#define const
 _ACEOF
 
 fi
 
-{ $as_echo "$as_me:$LINENO: checking for inline" >&5
-$as_echo_n "checking for inline... " >&6; }
+{ echo "$as_me:$LINENO: checking for inline" >&5
+echo $ECHO_N "checking for inline... $ECHO_C" >&6; }
 if test "${ac_cv_c_inline+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_cv_c_inline=no
 for ac_kw in inline __inline__ __inline; do
@@ -20973,21 +20728,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_cv_c_inline=$ac_kw
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
@@ -20998,8 +20752,8 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 done
 
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_inline" >&5
-$as_echo "$ac_cv_c_inline" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_c_inline" >&5
+echo "${ECHO_T}$ac_cv_c_inline" >&6; }
 
 
 case $ac_cv_c_inline in
@@ -21017,10 +20771,10 @@ _ACEOF
     ;;
 esac
 
-{ $as_echo "$as_me:$LINENO: checking for working volatile" >&5
-$as_echo_n "checking for working volatile... " >&6; }
+{ echo "$as_me:$LINENO: checking for working volatile" >&5
+echo $ECHO_N "checking for working volatile... $ECHO_C" >&6; }
 if test "${ac_cv_c_volatile+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -21046,21 +20800,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_cv_c_volatile=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_c_volatile=no
@@ -21068,20 +20821,20 @@ fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_volatile" >&5
-$as_echo "$ac_cv_c_volatile" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_c_volatile" >&5
+echo "${ECHO_T}$ac_cv_c_volatile" >&6; }
 if test $ac_cv_c_volatile = no; then
 
 cat >>confdefs.h <<\_ACEOF
-#define volatile /**/
+#define volatile
 _ACEOF
 
 fi
 
-{ $as_echo "$as_me:$LINENO: checking for sysctlbyname" >&5
-$as_echo_n "checking for sysctlbyname... " >&6; }
+{ echo "$as_me:$LINENO: checking for sysctlbyname" >&5
+echo $ECHO_N "checking for sysctlbyname... $ECHO_C" >&6; }
 if test "${ac_cv_func_sysctlbyname+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -21134,35 +20887,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_sysctlbyname=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_sysctlbyname=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_sysctlbyname" >&5
-$as_echo "$ac_cv_func_sysctlbyname" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_sysctlbyname" >&5
+echo "${ECHO_T}$ac_cv_func_sysctlbyname" >&6; }
 if test $ac_cv_func_sysctlbyname = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define HAVE_SYSCTLBYNAME 1
@@ -21175,8 +20924,8 @@ fi
 # UnixWare 7.1.1 with the feature supplement to the UDK compiler
 # is reported to not support "static inline" (RT #1212).
 #
-{ $as_echo "$as_me:$LINENO: checking for static inline breakage" >&5
-$as_echo_n "checking for static inline breakage... " >&6; }
+{ echo "$as_me:$LINENO: checking for static inline breakage" >&5
+echo $ECHO_N "checking for static inline breakage... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -21208,74 +20957,38 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	 cat >>confdefs.h <<\_ACEOF
-#define inline /**/
+#define inline
 _ACEOF
 
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
-{ $as_echo "$as_me:$LINENO: checking for size_t" >&5
-$as_echo_n "checking for size_t... " >&6; }
+{ echo "$as_me:$LINENO: checking for size_t" >&5
+echo $ECHO_N "checking for size_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_size_t+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_cv_type_size_t=no
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-if (sizeof (size_t))
-       return 0;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -21283,11 +20996,14 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef size_t ac__type_new_;
 int
 main ()
 {
-if (sizeof ((size_t)))
-	  return 0;
+if ((ac__type_new_ *) 0)
+  return 0;
+if (sizeof (ac__type_new_))
+  return 0;
   ;
   return 0;
 }
@@ -21298,38 +21014,29 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  :
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_type_size_t=yes
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  ac_cv_type_size_t=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-
+	ac_cv_type_size_t=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_size_t" >&5
-$as_echo "$ac_cv_type_size_t" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_type_size_t" >&5
+echo "${ECHO_T}$ac_cv_type_size_t" >&6; }
 if test $ac_cv_type_size_t = yes; then
   :
 else
@@ -21340,46 +21047,11 @@ _ACEOF
 
 fi
 
-{ $as_echo "$as_me:$LINENO: checking for ssize_t" >&5
-$as_echo_n "checking for ssize_t... " >&6; }
+{ echo "$as_me:$LINENO: checking for ssize_t" >&5
+echo $ECHO_N "checking for ssize_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_ssize_t+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_cv_type_ssize_t=no
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-if (sizeof (ssize_t))
-       return 0;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -21387,11 +21059,14 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef ssize_t ac__type_new_;
 int
 main ()
 {
-if (sizeof ((ssize_t)))
-	  return 0;
+if ((ac__type_new_ *) 0)
+  return 0;
+if (sizeof (ac__type_new_))
+  return 0;
   ;
   return 0;
 }
@@ -21402,38 +21077,29 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  :
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_type_ssize_t=yes
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  ac_cv_type_ssize_t=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-
+	ac_cv_type_ssize_t=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_ssize_t" >&5
-$as_echo "$ac_cv_type_ssize_t" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_type_ssize_t" >&5
+echo "${ECHO_T}$ac_cv_type_ssize_t" >&6; }
 if test $ac_cv_type_ssize_t = yes; then
   :
 else
@@ -21444,46 +21110,11 @@ _ACEOF
 
 fi
 
-{ $as_echo "$as_me:$LINENO: checking for uintptr_t" >&5
-$as_echo_n "checking for uintptr_t... " >&6; }
+{ echo "$as_me:$LINENO: checking for uintptr_t" >&5
+echo $ECHO_N "checking for uintptr_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_uintptr_t+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_cv_type_uintptr_t=no
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-$ac_includes_default
-int
-main ()
-{
-if (sizeof (uintptr_t))
-       return 0;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -21491,11 +21122,14 @@ cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 $ac_includes_default
+typedef uintptr_t ac__type_new_;
 int
 main ()
 {
-if (sizeof ((uintptr_t)))
-	  return 0;
+if ((ac__type_new_ *) 0)
+  return 0;
+if (sizeof (ac__type_new_))
+  return 0;
   ;
   return 0;
 }
@@ -21506,38 +21140,29 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  :
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_type_uintptr_t=yes
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  ac_cv_type_uintptr_t=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-
+	ac_cv_type_uintptr_t=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_uintptr_t" >&5
-$as_echo "$ac_cv_type_uintptr_t" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_type_uintptr_t" >&5
+echo "${ECHO_T}$ac_cv_type_uintptr_t" >&6; }
 if test $ac_cv_type_uintptr_t = yes; then
   :
 else
@@ -21548,50 +21173,11 @@ _ACEOF
 
 fi
 
-{ $as_echo "$as_me:$LINENO: checking for socklen_t" >&5
-$as_echo_n "checking for socklen_t... " >&6; }
+{ echo "$as_me:$LINENO: checking for socklen_t" >&5
+echo $ECHO_N "checking for socklen_t... $ECHO_C" >&6; }
 if test "${ac_cv_type_socklen_t+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_cv_type_socklen_t=no
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-
-int
-main ()
-{
-if (sizeof (socklen_t))
-       return 0;
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -21603,11 +21189,14 @@ cat >>conftest.$ac_ext <<_ACEOF
 #include <sys/socket.h>
 
 
+typedef socklen_t ac__type_new_;
 int
 main ()
 {
-if (sizeof ((socklen_t)))
-	  return 0;
+if ((ac__type_new_ *) 0)
+  return 0;
+if (sizeof (ac__type_new_))
+  return 0;
   ;
   return 0;
 }
@@ -21618,38 +21207,29 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  :
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_type_socklen_t=yes
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+  ac_cv_type_socklen_t=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-
+	ac_cv_type_socklen_t=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_type_socklen_t" >&5
-$as_echo "$ac_cv_type_socklen_t" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_type_socklen_t" >&5
+echo "${ECHO_T}$ac_cv_type_socklen_t" >&6; }
 if test $ac_cv_type_socklen_t = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define ISC_SOCKADDR_LEN_T socklen_t
@@ -21682,14 +21262,13 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
@@ -21699,7 +21278,7 @@ $as_echo "$ac_try_echo") >&5
 _ACEOF
 
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	cat >>confdefs.h <<\_ACEOF
@@ -21713,10 +21292,10 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 
-{ $as_echo "$as_me:$LINENO: checking whether time.h and sys/time.h may both be included" >&5
-$as_echo_n "checking whether time.h and sys/time.h may both be included... " >&6; }
+{ echo "$as_me:$LINENO: checking whether time.h and sys/time.h may both be included" >&5
+echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6; }
 if test "${ac_cv_header_time+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -21743,21 +21322,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_cv_header_time=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_header_time=no
@@ -21765,8 +21343,8 @@ fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_header_time" >&5
-$as_echo "$ac_cv_header_time" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_header_time" >&5
+echo "${ECHO_T}$ac_cv_header_time" >&6; }
 if test $ac_cv_header_time = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -21775,8 +21353,8 @@ _ACEOF
 
 fi
 
-{ $as_echo "$as_me:$LINENO: checking for long long" >&5
-$as_echo_n "checking for long long... " >&6; }
+{ echo "$as_me:$LINENO: checking for long long" >&5
+echo $ECHO_N "checking for long long... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -21798,27 +21376,26 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 		ISC_PLATFORM_HAVELONGLONG="#define ISC_PLATFORM_HAVELONGLONG 1"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 		ISC_PLATFORM_HAVELONGLONG="#undef ISC_PLATFORM_HAVELONGLONG"
 fi
 
@@ -21828,8 +21405,8 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 #
 # check if we have lifconf
 #
-{ $as_echo "$as_me:$LINENO: checking for struct lifconf" >&5
-$as_echo_n "checking for struct lifconf... " >&6; }
+{ echo "$as_me:$LINENO: checking for struct lifconf" >&5
+echo $ECHO_N "checking for struct lifconf... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -21859,27 +21436,26 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 		ISC_PLATFORM_HAVELIFCONF="#define ISC_PLATFORM_HAVELIFCONF 1"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 		ISC_PLATFORM_HAVELIFCONF="#undef ISC_PLATFORM_HAVELIFCONF"
 fi
 
@@ -21898,10 +21474,10 @@ fi
 
 case $want_kqueue in
 yes)
-	{ $as_echo "$as_me:$LINENO: checking for kqueue" >&5
-$as_echo_n "checking for kqueue... " >&6; }
+	{ echo "$as_me:$LINENO: checking for kqueue" >&5
+echo $ECHO_N "checking for kqueue... $ECHO_C" >&6; }
 if test "${ac_cv_func_kqueue+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -21954,35 +21530,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_kqueue=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_kqueue=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_kqueue" >&5
-$as_echo "$ac_cv_func_kqueue" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_kqueue" >&5
+echo "${ECHO_T}$ac_cv_func_kqueue" >&6; }
 if test $ac_cv_func_kqueue = yes; then
   ac_cv_have_kqueue=yes
 else
@@ -22017,12 +21589,12 @@ fi
 
 case $want_epoll in
 auto)
-	{ $as_echo "$as_me:$LINENO: checking epoll support" >&5
-$as_echo_n "checking epoll support... " >&6; }
+	{ echo "$as_me:$LINENO: checking epoll support" >&5
+echo $ECHO_N "checking epoll support... $ECHO_C" >&6; }
 	if test "$cross_compiling" = yes; then
-  { { $as_echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+  { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
 See \`config.log' for more details." >&5
-$as_echo "$as_me: error: cannot run test program while cross compiling
+echo "$as_me: error: cannot run test program while cross compiling
 See \`config.log' for more details." >&2;}
    { (exit 1); exit 1; }; }
 else
@@ -22047,36 +21619,33 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
   { (case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_try") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	ISC_PLATFORM_HAVEEPOLL="#define ISC_PLATFORM_HAVEEPOLL 1"
 else
-  $as_echo "$as_me: program exited with status $ac_status" >&5
-$as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 ( exit $ac_status )
-{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	ISC_PLATFORM_HAVEEPOLL="#undef ISC_PLATFORM_HAVEEPOLL"
 fi
-rm -rf conftest.dSYM
 rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
@@ -22106,21 +21675,20 @@ yes)
 
 for ac_header in sys/devpoll.h
 do
-as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5
-$as_echo_n "checking $ac_header usability... " >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -22136,33 +21704,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_header_compiler=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-$as_echo "$ac_header_compiler" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5
-$as_echo_n "checking $ac_header presence... " >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -22176,72 +21743,69 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   ac_header_preproc=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
 
 rm -f conftest.err conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-$as_echo "$ac_header_preproc" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-$as_echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-$as_echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
 
     ;;
 esac
-{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
-if test `eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'` = yes; then
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
  ISC_PLATFORM_HAVEDEVPOLL="#define ISC_PLATFORM_HAVEDEVPOLL 1"
 
@@ -22264,8 +21828,8 @@ esac
 #
 case $ac_cv_header_unistd_h in
 yes)
-{ $as_echo "$as_me:$LINENO: checking if unistd.h or sys/types.h defines fd_set" >&5
-$as_echo_n "checking if unistd.h or sys/types.h defines fd_set... " >&6; }
+{ echo "$as_me:$LINENO: checking if unistd.h or sys/types.h defines fd_set" >&5
+echo $ECHO_N "checking if unistd.h or sys/types.h defines fd_set... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -22289,36 +21853,35 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	 ISC_PLATFORM_NEEDSYSSELECTH="#undef ISC_PLATFORM_NEEDSYSSELECTH"
 	 LWRES_PLATFORM_NEEDSYSSELECTH="#undef LWRES_PLATFORM_NEEDSYSSELECTH"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	case $ac_cv_header_sys_select_h in
 	yes)
 	 ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
 	 LWRES_PLATFORM_NEEDSYSSELECTH="#define LWRES_PLATFORM_NEEDSYSSELECTH 1"
 		;;
 	no)
-		{ { $as_echo "$as_me:$LINENO: error: need either working unistd.h or sys/select.h" >&5
-$as_echo "$as_me: error: need either working unistd.h or sys/select.h" >&2;}
+		{ { echo "$as_me:$LINENO: error: need either working unistd.h or sys/select.h" >&5
+echo "$as_me: error: need either working unistd.h or sys/select.h" >&2;}
    { (exit 1); exit 1; }; }
 		;;
 	esac
@@ -22334,8 +21897,8 @@ no)
 	     LWRES_PLATFORM_NEEDSYSSELECTH="#define LWRES_PLATFORM_NEEDSYSSELECTH 1"
 		;;
 	no)
-		{ { $as_echo "$as_me:$LINENO: error: need either unistd.h or sys/select.h" >&5
-$as_echo "$as_me: error: need either unistd.h or sys/select.h" >&2;}
+		{ { echo "$as_me:$LINENO: error: need either unistd.h or sys/select.h" >&5
+echo "$as_me: error: need either unistd.h or sys/select.h" >&2;}
    { (exit 1); exit 1; }; }
 		;;
 	esac
@@ -22347,72 +21910,28 @@ esac
 #
 # Find the machine's endian flavor.
 #
-
- { $as_echo "$as_me:$LINENO: checking whether byte ordering is bigendian" >&5
-$as_echo_n "checking whether byte ordering is bigendian... " >&6; }
+{ echo "$as_me:$LINENO: checking whether byte ordering is bigendian" >&5
+echo $ECHO_N "checking whether byte ordering is bigendian... $ECHO_C" >&6; }
 if test "${ac_cv_c_bigendian+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
-  ac_cv_c_bigendian=unknown
-    # See if __BIG_ENDIAN__ or __LITTLE_ENDIAN__ is defined.
-       cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#if ! (defined __BIG_ENDIAN__ || defined __LITTLE_ENDIAN__)
-	       neither is defined;
-	     #endif
-	     typedef int dummy;
-
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  ac_cv_c_bigendian=universal
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-    if test $ac_cv_c_bigendian = unknown; then
-      # See if sys/param.h defines the BYTE_ORDER macro.
-      cat >conftest.$ac_ext <<_ACEOF
+  # See if sys/param.h defines the BYTE_ORDER macro.
+cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <sys/types.h>
-	     #include <sys/param.h>
+#include <sys/param.h>
 
 int
 main ()
 {
-#if ! (defined BYTE_ORDER && defined BIG_ENDIAN \
-		     && defined LITTLE_ENDIAN && BYTE_ORDER && BIG_ENDIAN \
-		     && LITTLE_ENDIAN)
-	      bogus endian macros
-	     #endif
+#if  ! (defined BYTE_ORDER && defined BIG_ENDIAN && defined LITTLE_ENDIAN \
+	&& BYTE_ORDER && BIG_ENDIAN && LITTLE_ENDIAN)
+ bogus endian macros
+#endif
 
   ;
   return 0;
@@ -22424,34 +21943,33 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   # It does; now see whether it defined to BIG_ENDIAN or not.
-	 cat >conftest.$ac_ext <<_ACEOF
+cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
 #include <sys/types.h>
-		#include <sys/param.h>
+#include <sys/param.h>
 
 int
 main ()
 {
 #if BYTE_ORDER != BIG_ENDIAN
-		 not big endian
-		#endif
+ not big endian
+#endif
 
   ;
   return 0;
@@ -22463,21 +21981,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_cv_c_bigendian=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_c_bigendian=no
@@ -22485,69 +22002,29 @@ fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-
-fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-    fi
-    if test $ac_cv_c_bigendian = unknown; then
-      # See if <limits.h> defines _LITTLE_ENDIAN or _BIG_ENDIAN (e.g., Solaris).
-      cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-#include <limits.h>
-
-int
-main ()
-{
-#if ! (defined _LITTLE_ENDIAN || defined _BIG_ENDIAN)
-	      bogus endian macros
-	     #endif
-
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  # It does; now see whether it defined to _BIG_ENDIAN or not.
-	 cat >conftest.$ac_ext <<_ACEOF
+	# It does not; compile a test program.
+if test "$cross_compiling" = yes; then
+  # try to guess the endianness by grepping values into an object file
+  ac_cv_c_bigendian=unknown
+  cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
 cat confdefs.h >>conftest.$ac_ext
 cat >>conftest.$ac_ext <<_ACEOF
 /* end confdefs.h.  */
-#include <limits.h>
-
+short int ascii_mm[] = { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 };
+short int ascii_ii[] = { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 };
+void _ascii () { char *s = (char *) ascii_mm; s = (char *) ascii_ii; }
+short int ebcdic_ii[] = { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 };
+short int ebcdic_mm[] = { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 };
+void _ebcdic () { char *s = (char *) ebcdic_mm; s = (char *) ebcdic_ii; }
 int
 main ()
 {
-#ifndef _BIG_ENDIAN
-		 not big endian
-		#endif
-
+ _ascii (); _ebcdic ();
   ;
   return 0;
 }
@@ -22558,101 +22035,30 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
+  if grep BIGenDianSyS conftest.$ac_objext >/dev/null ; then
   ac_cv_c_bigendian=yes
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-	ac_cv_c_bigendian=no
 fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-else
-  $as_echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-
+if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then
+  if test "$ac_cv_c_bigendian" = unknown; then
+    ac_cv_c_bigendian=no
+  else
+    # finding both strings is unlikely to happen, but who knows?
+    ac_cv_c_bigendian=unknown
+  fi
 fi
-
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-    fi
-    if test $ac_cv_c_bigendian = unknown; then
-      # Compile a test program.
-      if test "$cross_compiling" = yes; then
-  # Try to guess by grepping values from an object file.
-	 cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h.  */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h.  */
-short int ascii_mm[] =
-		  { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 };
-		short int ascii_ii[] =
-		  { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 };
-		int use_ascii (int i) {
-		  return ascii_mm[i] + ascii_ii[i];
-		}
-		short int ebcdic_ii[] =
-		  { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 };
-		short int ebcdic_mm[] =
-		  { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 };
-		int use_ebcdic (int i) {
-		  return ebcdic_mm[i] + ebcdic_ii[i];
-		}
-		extern int foo;
-
-int
-main ()
-{
-return use_ascii (foo) == use_ebcdic (foo);
-  ;
-  return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (ac_try="$ac_compile"
-case "(($ac_try" in
-  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
-  *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
-  (eval "$ac_compile") 2>conftest.er1
-  ac_status=$?
-  grep -v '^ *+' conftest.er1 >conftest.err
-  rm -f conftest.er1
-  cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
-  (exit $ac_status); } && {
-	 test -z "$ac_c_werror_flag" ||
-	 test ! -s conftest.err
-       } && test -s conftest.$ac_objext; then
-  if grep BIGenDianSyS conftest.$ac_objext >/dev/null; then
-	      ac_cv_c_bigendian=yes
-	    fi
-	    if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then
-	      if test "$ac_cv_c_bigendian" = unknown; then
-		ac_cv_c_bigendian=no
-	      else
-		# finding both strings is unlikely to happen, but who knows?
-		ac_cv_c_bigendian=unknown
-	      fi
-	    fi
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
@@ -22671,14 +22077,14 @@ int
 main ()
 {
 
-	     /* Are we little or big endian?  From Harbison&Steele.  */
-	     union
-	     {
-	       long int l;
-	       char c[sizeof (long int)];
-	     } u;
-	     u.l = 1;
-	     return u.c[sizeof (long int) - 1] == 1;
+  /* Are we little or big endian?  From Harbison&Steele.  */
+  union
+  {
+    long int l;
+    char c[sizeof (long int)];
+  } u;
+  u.l = 1;
+  return u.c[sizeof (long int) - 1] == 1;
 
   ;
   return 0;
@@ -22690,57 +22096,55 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
   { (case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_try") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
   ac_cv_c_bigendian=no
 else
-  $as_echo "$as_me: program exited with status $ac_status" >&5
-$as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 ( exit $ac_status )
 ac_cv_c_bigendian=yes
 fi
-rm -rf conftest.dSYM
 rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
 
-    fi
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_bigendian" >&5
-$as_echo "$ac_cv_c_bigendian" >&6; }
- case $ac_cv_c_bigendian in #(
-   yes)
-     cat >>confdefs.h <<\_ACEOF
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_c_bigendian" >&5
+echo "${ECHO_T}$ac_cv_c_bigendian" >&6; }
+case $ac_cv_c_bigendian in
+  yes)
+
+cat >>confdefs.h <<\_ACEOF
 #define WORDS_BIGENDIAN 1
 _ACEOF
-;; #(
-   no)
-      ;; #(
-   universal)
-      ;; #(
-   *)
-     { { $as_echo "$as_me:$LINENO: error: unknown endianness
- presetting ac_cv_c_bigendian=no (or yes) will help" >&5
-$as_echo "$as_me: error: unknown endianness
- presetting ac_cv_c_bigendian=no (or yes) will help" >&2;}
+ ;;
+  no)
+     ;;
+  *)
+    { { echo "$as_me:$LINENO: error: unknown endianness
+presetting ac_cv_c_bigendian=no (or yes) will help" >&5
+echo "$as_me: error: unknown endianness
+presetting ac_cv_c_bigendian=no (or yes) will help" >&2;}
    { (exit 1); exit 1; }; } ;;
- esac
+esac
 
 
 
@@ -22748,8 +22152,8 @@ $as_echo "$as_me: error: unknown endianness
 # was --with-openssl specified?
 #
 OPENSSL_WARNING=
-{ $as_echo "$as_me:$LINENO: checking for OpenSSL library" >&5
-$as_echo_n "checking for OpenSSL library... " >&6; }
+{ echo "$as_me:$LINENO: checking for OpenSSL library" >&5
+echo $ECHO_N "checking for OpenSSL library... $ECHO_C" >&6; }
 
 # Check whether --with-openssl was given.
 if test "${with_openssl+set}" = set; then
@@ -22773,16 +22177,16 @@ then
 fi
 case "$use_openssl" in
 	no)
-		{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+		{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 		DST_OPENSSL_INC=""
 		USE_OPENSSL=""
 		;;
 	auto)
 		DST_OPENSSL_INC=""
 		USE_OPENSSL=""
-		{ $as_echo "$as_me:$LINENO: result: not found" >&5
-$as_echo "not found" >&6; }
+		{ echo "$as_me:$LINENO: result: not found" >&5
+echo "${ECHO_T}not found" >&6; }
 		;;
 	*)
 		if test "$use_openssl" = "yes"
@@ -22798,16 +22202,16 @@ $as_echo "not found" >&6; }
 			done
 			if test "$use_openssl" = "yes"
 			then
-				{ $as_echo "$as_me:$LINENO: result: not found" >&5
-$as_echo "not found" >&6; }
-				{ { $as_echo "$as_me:$LINENO: error: OpenSSL was not found in any of $openssldirs; use --with-openssl=/path" >&5
-$as_echo "$as_me: error: OpenSSL was not found in any of $openssldirs; use --with-openssl=/path" >&2;}
+				{ echo "$as_me:$LINENO: result: not found" >&5
+echo "${ECHO_T}not found" >&6; }
+				{ { echo "$as_me:$LINENO: error: OpenSSL was not found in any of $openssldirs; use --with-openssl=/path" >&5
+echo "$as_me: error: OpenSSL was not found in any of $openssldirs; use --with-openssl=/path" >&2;}
    { (exit 1); exit 1; }; }
 			fi
 		elif ! test -f "$use_openssl"/include/openssl/opensslv.h
 		then
-			{ { $as_echo "$as_me:$LINENO: error: \"$use_openssl/include/openssl/opensslv.h\" not found" >&5
-$as_echo "$as_me: error: \"$use_openssl/include/openssl/opensslv.h\" not found" >&2;}
+			{ { echo "$as_me:$LINENO: error: \"$use_openssl/include/openssl/opensslv.h\" not found" >&5
+echo "$as_me: error: \"$use_openssl/include/openssl/opensslv.h\" not found" >&2;}
    { (exit 1); exit 1; }; }
 		fi
 		USE_OPENSSL='-DOPENSSL'
@@ -22844,18 +22248,18 @@ $as_echo "$as_me: error: \"$use_openssl/include/openssl/opensslv.h\" not found"
 				;;
 			esac
 		fi
-		{ $as_echo "$as_me:$LINENO: result: using OpenSSL from $use_openssl/lib and $use_openssl/include" >&5
-$as_echo "using OpenSSL from $use_openssl/lib and $use_openssl/include" >&6; }
+		{ echo "$as_me:$LINENO: result: using OpenSSL from $use_openssl/lib and $use_openssl/include" >&5
+echo "${ECHO_T}using OpenSSL from $use_openssl/lib and $use_openssl/include" >&6; }
 
 		saved_cflags="$CFLAGS"
 		saved_libs="$LIBS"
 		CFLAGS="$CFLAGS $DST_OPENSSL_INC"
 		LIBS="$LIBS $DNS_OPENSSL_LIBS"
-		{ $as_echo "$as_me:$LINENO: checking whether linking with OpenSSL works" >&5
-$as_echo_n "checking whether linking with OpenSSL works... " >&6; }
+		{ echo "$as_me:$LINENO: checking whether linking with OpenSSL works" >&5
+echo $ECHO_N "checking whether linking with OpenSSL works... $ECHO_C" >&6; }
 		if test "$cross_compiling" = yes; then
-  { $as_echo "$as_me:$LINENO: result: assuming it does work on target platform" >&5
-$as_echo "assuming it does work on target platform" >&6; }
+  { echo "$as_me:$LINENO: result: assuming it does work on target platform" >&5
+echo "${ECHO_T}assuming it does work on target platform" >&6; }
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -22877,50 +22281,47 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
   { (case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_try") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 else
-  $as_echo "$as_me: program exited with status $ac_status" >&5
-$as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 ( exit $ac_status )
-{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
-		 { { $as_echo "$as_me:$LINENO: error: Could not run test program using OpenSSL from
+{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+		 { { echo "$as_me:$LINENO: error: Could not run test program using OpenSSL from
 $use_openssl/lib and $use_openssl/include.
 Please check the argument to --with-openssl and your
 shared library configuration (e.g., LD_LIBRARY_PATH)." >&5
-$as_echo "$as_me: error: Could not run test program using OpenSSL from
+echo "$as_me: error: Could not run test program using OpenSSL from
 $use_openssl/lib and $use_openssl/include.
 Please check the argument to --with-openssl and your
 shared library configuration (e.g., LD_LIBRARY_PATH)." >&2;}
    { (exit 1); exit 1; }; }
 fi
-rm -rf conftest.dSYM
 rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
 
 
-		{ $as_echo "$as_me:$LINENO: checking whether linking with OpenSSL requires -ldl" >&5
-$as_echo_n "checking whether linking with OpenSSL requires -ldl... " >&6; }
+		{ echo "$as_me:$LINENO: checking whether linking with OpenSSL requires -ldl" >&5
+echo $ECHO_N "checking whether linking with OpenSSL requires -ldl... $ECHO_C" >&6; }
 		cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -22943,25 +22344,22 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	LIBS="$LIBS -ldl"
@@ -22988,43 +22386,38 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 		DNS_OPENSSL_LIBS="$DNS_OPENSSL_LIBS -ldl"
 
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: unknown" >&5
-$as_echo "unknown" >&6; }
-		 { { $as_echo "$as_me:$LINENO: error: OpenSSL has unsupported dynamic loading" >&5
-$as_echo "$as_me: error: OpenSSL has unsupported dynamic loading" >&2;}
+	{ echo "$as_me:$LINENO: result: unknown" >&5
+echo "${ECHO_T}unknown" >&6; }
+		 { { echo "$as_me:$LINENO: error: OpenSSL has unsupported dynamic loading" >&5
+echo "$as_me: error: OpenSSL has unsupported dynamic loading" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 
@@ -23035,11 +22428,11 @@ fi
 
 case "$enable_openssl_version_check" in
 yes|'')
-		{ $as_echo "$as_me:$LINENO: checking OpenSSL library version" >&5
-$as_echo_n "checking OpenSSL library version... " >&6; }
+		{ echo "$as_me:$LINENO: checking OpenSSL library version" >&5
+echo $ECHO_N "checking OpenSSL library version... $ECHO_C" >&6; }
 		if test "$cross_compiling" = yes; then
-  { $as_echo "$as_me:$LINENO: result: assuming target platform has compatible version" >&5
-$as_echo "assuming target platform has compatible version" >&6; }
+  { echo "$as_me:$LINENO: result: assuming target platform has compatible version" >&5
+echo "${ECHO_T}assuming target platform has compatible version" >&6; }
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -23069,60 +22462,57 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
   { (case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_try") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
-  { $as_echo "$as_me:$LINENO: result: ok" >&5
-$as_echo "ok" >&6; }
+  { echo "$as_me:$LINENO: result: ok" >&5
+echo "${ECHO_T}ok" >&6; }
 else
-  $as_echo "$as_me: program exited with status $ac_status" >&5
-$as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 ( exit $ac_status )
-{ $as_echo "$as_me:$LINENO: result: not compatible" >&5
-$as_echo "not compatible" >&6; }
+{ echo "$as_me:$LINENO: result: not compatible" >&5
+echo "${ECHO_T}not compatible" >&6; }
 		 OPENSSL_WARNING=yes
 
 fi
-rm -rf conftest.dSYM
 rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
 
 ;;
 no)
-	{ $as_echo "$as_me:$LINENO: result: Skipped OpenSSL version check" >&5
-$as_echo "Skipped OpenSSL version check" >&6; }
+	{ echo "$as_me:$LINENO: result: Skipped OpenSSL version check" >&5
+echo "${ECHO_T}Skipped OpenSSL version check" >&6; }
 ;;
 esac
 
-		{ $as_echo "$as_me:$LINENO: checking for OpenSSL DSA support" >&5
-$as_echo_n "checking for OpenSSL DSA support... " >&6; }
+		{ echo "$as_me:$LINENO: checking for OpenSSL DSA support" >&5
+echo $ECHO_N "checking for OpenSSL DSA support... $ECHO_C" >&6; }
 		if test -f $use_openssl/include/openssl/dsa.h
 		then
 			cat >>confdefs.h <<\_ACEOF
 #define HAVE_OPENSSL_DSA 1
 _ACEOF
 
-			{ $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+			{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 		else
-			{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+			{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 		fi
 		CFLAGS="$saved_cflags"
 		LIBS="$saved_libs"
@@ -23139,13 +22529,43 @@ esac
 DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
 
 #
+# Use OpenSSL for hash functions
+#
+
+# Check whether --enable-openssl-hash was given.
+if test "${enable_openssl_hash+set}" = set; then
+  enableval=$enable_openssl_hash; want_openssl_hash="$enableval"
+else
+  want_openssl_hash="no"
+fi
+
+case $want_openssl_hash in
+	yes)
+		if test "$USE_OPENSSL" = ""
+		then
+			{ { echo "$as_me:$LINENO: error: No OpenSSL for hash functions" >&5
+echo "$as_me: error: No OpenSSL for hash functions" >&2;}
+   { (exit 1); exit 1; }; }
+		fi
+		ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1"
+		ISC_OPENSSL_INC="$DST_OPENSSL_INC"
+		;;
+	no)
+		ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
+		ISC_OPENSSL_INC=""
+		;;
+esac
+
+
+
+#
 # PKCS11 (aka crypto hardware) support
 #
 # This works only with the right OpenSSL with PKCS11 engine!
 #
 
-{ $as_echo "$as_me:$LINENO: checking for PKCS11 support" >&5
-$as_echo_n "checking for PKCS11 support... " >&6; }
+{ echo "$as_me:$LINENO: checking for PKCS11 support" >&5
+echo $ECHO_N "checking for PKCS11 support... $ECHO_C" >&6; }
 
 # Check whether --with-pkcs11 was given.
 if test "${with_pkcs11+set}" = set; then
@@ -23157,21 +22577,21 @@ fi
 
 case "$use_pkcs11" in
 	no)
-		{ $as_echo "$as_me:$LINENO: result: disabled" >&5
-$as_echo "disabled" >&6; }
+		{ echo "$as_me:$LINENO: result: disabled" >&5
+echo "${ECHO_T}disabled" >&6; }
 		USE_PKCS11=""
 		;;
 	yes)
-		{ $as_echo "$as_me:$LINENO: result: using OpenSSL with PKCS11 support" >&5
-$as_echo "using OpenSSL with PKCS11 support" >&6; }
+		{ echo "$as_me:$LINENO: result: using OpenSSL with PKCS11 support" >&5
+echo "${ECHO_T}using OpenSSL with PKCS11 support" >&6; }
 		USE_PKCS11='-DUSE_PKCS11'
 		;;
 esac
 
 
 
-{ $as_echo "$as_me:$LINENO: checking for GSSAPI library" >&5
-$as_echo_n "checking for GSSAPI library... " >&6; }
+{ echo "$as_me:$LINENO: checking for GSSAPI library" >&5
+echo $ECHO_N "checking for GSSAPI library... $ECHO_C" >&6; }
 
 # Check whether --with-gssapi was given.
 if test "${with_gssapi+set}" = set; then
@@ -23196,18 +22616,18 @@ fi
 
 case "$use_gssapi" in
 	no)
-		{ $as_echo "$as_me:$LINENO: result: disabled" >&5
-$as_echo "disabled" >&6; }
+		{ echo "$as_me:$LINENO: result: disabled" >&5
+echo "${ECHO_T}disabled" >&6; }
 		USE_GSSAPI=''
 		;;
 	yes)
-		{ { $as_echo "$as_me:$LINENO: error: --with-gssapi must specify a path" >&5
-$as_echo "$as_me: error: --with-gssapi must specify a path" >&2;}
+		{ { echo "$as_me:$LINENO: error: --with-gssapi must specify a path" >&5
+echo "$as_me: error: --with-gssapi must specify a path" >&2;}
    { (exit 1); exit 1; }; }
 		;;
 	*)
-		{ $as_echo "$as_me:$LINENO: result: looking in $use_gssapi/lib" >&5
-$as_echo "looking in $use_gssapi/lib" >&6; }
+		{ echo "$as_me:$LINENO: result: looking in $use_gssapi/lib" >&5
+echo "${ECHO_T}looking in $use_gssapi/lib" >&6; }
 		USE_GSSAPI='-DGSSAPI'
 		saved_cppflags="$CPPFLAGS"
 		CPPFLAGS="-I$use_gssapi/include $CPPFLAGS"
@@ -23215,21 +22635,20 @@ $as_echo "looking in $use_gssapi/lib" >&6; }
 
 for ac_header in gssapi.h gssapi/gssapi.h
 do
-as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5
-$as_echo_n "checking $ac_header usability... " >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -23245,33 +22664,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_header_compiler=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-$as_echo "$ac_header_compiler" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5
-$as_echo_n "checking $ac_header presence... " >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -23285,72 +22703,69 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   ac_header_preproc=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
 
 rm -f conftest.err conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-$as_echo "$ac_header_preproc" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-$as_echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-$as_echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
 
     ;;
 esac
-{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
-if test `eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'` = yes; then
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
  ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"
 fi
@@ -23359,8 +22774,8 @@ done
 
 
 		if test "$ISC_PLATFORM_GSSAPIHEADER" = ""; then
-		    { { $as_echo "$as_me:$LINENO: error: gssapi.h not found" >&5
-$as_echo "$as_me: error: gssapi.h not found" >&2;}
+		    { { echo "$as_me:$LINENO: error: gssapi.h not found" >&5
+echo "$as_me: error: gssapi.h not found" >&2;}
    { (exit 1); exit 1; }; }
 		fi
 
@@ -23402,8 +22817,8 @@ $as_echo "$as_me: error: gssapi.h not found" >&2;}
 		    # -lgssapi_krb5 test succeed with shared libraries even
 		    # when you are trying to build with KTH in /usr/lib.
 		    LIBS="-L$use_gssapi/lib $TRY_LIBS"
-		    { $as_echo "$as_me:$LINENO: checking linking as $TRY_LIBS" >&5
-$as_echo_n "checking linking as $TRY_LIBS... " >&6; }
+		    { echo "$as_me:$LINENO: checking linking as $TRY_LIBS" >&5
+echo $ECHO_N "checking linking as $TRY_LIBS... $ECHO_C" >&6; }
 		    cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -23425,43 +22840,39 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   gssapi_linked=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	gssapi_linked=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 		    case $gssapi_linked in
-		    yes) { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }; break ;;
-		    no)  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; } ;;
+		    yes) { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }; break ;;
+		    no)  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; } ;;
 		    esac
 		done
 
 		case $gssapi_linked in
-		no) { { $as_echo "$as_me:$LINENO: error: could not determine proper GSSAPI linkage" >&5
-$as_echo "$as_me: error: could not determine proper GSSAPI linkage" >&2;}
+		no) { { echo "$as_me:$LINENO: error: could not determine proper GSSAPI linkage" >&5
+echo "$as_me: error: could not determine proper GSSAPI linkage" >&2;}
    { (exit 1); exit 1; }; } ;;
 		esac
 
@@ -23497,8 +22908,8 @@ $as_echo "$as_me: error: could not determine proper GSSAPI linkage" >&2;}
 			    NEW_LIBS="$NEW_LIBS $new_lib"
 			    ;;
 			*)
-			   { { $as_echo "$as_me:$LINENO: error: KTH vs MIT Kerberos confusion!" >&5
-$as_echo "$as_me: error: KTH vs MIT Kerberos confusion!" >&2;}
+			   { { echo "$as_me:$LINENO: error: KTH vs MIT Kerberos confusion!" >&5
+echo "$as_me: error: KTH vs MIT Kerberos confusion!" >&2;}
    { (exit 1); exit 1; }; }
 			    ;;
 			esac
@@ -23510,8 +22921,8 @@ $as_echo "$as_me: error: KTH vs MIT Kerberos confusion!" >&2;}
 		DST_GSSAPI_INC="-I$use_gssapi/include"
 		DNS_GSSAPI_LIBS="$LIBS"
 
-		{ $as_echo "$as_me:$LINENO: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5
-$as_echo "using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&6; }
+		{ echo "$as_me:$LINENO: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5
+echo "${ECHO_T}using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&6; }
 		LIBS="$saved_libs"
 		;;
 esac
@@ -23533,8 +22944,8 @@ DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
 #
 # was --with-randomdev specified?
 #
-{ $as_echo "$as_me:$LINENO: checking for random device" >&5
-$as_echo_n "checking for random device... " >&6; }
+{ echo "$as_me:$LINENO: checking for random device" >&5
+echo $ECHO_N "checking for random device... $ECHO_C" >&6; }
 
 # Check whether --with-randomdev was given.
 if test "${with_randomdev+set}" = set; then
@@ -23554,17 +22965,17 @@ case "$use_randomdev" in
 				devrandom=/dev/random
 				;;
 		esac
-		{ $as_echo "$as_me:$LINENO: result: $devrandom" >&5
-$as_echo "$devrandom" >&6; }
-		as_ac_File=`$as_echo "ac_cv_file_$devrandom" | $as_tr_sh`
-{ $as_echo "$as_me:$LINENO: checking for $devrandom" >&5
-$as_echo_n "checking for $devrandom... " >&6; }
+		{ echo "$as_me:$LINENO: result: $devrandom" >&5
+echo "${ECHO_T}$devrandom" >&6; }
+		as_ac_File=`echo "ac_cv_file_$devrandom" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $devrandom" >&5
+echo $ECHO_N "checking for $devrandom... $ECHO_C" >&6; }
 if { as_var=$as_ac_File; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   test "$cross_compiling" = yes &&
-  { { $as_echo "$as_me:$LINENO: error: cannot check for file existence when cross compiling" >&5
-$as_echo "$as_me: error: cannot check for file existence when cross compiling" >&2;}
+  { { echo "$as_me:$LINENO: error: cannot check for file existence when cross compiling" >&5
+echo "$as_me: error: cannot check for file existence when cross compiling" >&2;}
    { (exit 1); exit 1; }; }
 if test -r "$devrandom"; then
   eval "$as_ac_File=yes"
@@ -23572,12 +22983,10 @@ else
   eval "$as_ac_File=no"
 fi
 fi
-ac_res=`eval 'as_val=${'$as_ac_File'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
-if test `eval 'as_val=${'$as_ac_File'}
-		 $as_echo "$as_val"'` = yes; then
+ac_res=`eval echo '${'$as_ac_File'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_File'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
 #define PATH_RANDOMDEV "$devrandom"
 _ACEOF
@@ -23586,31 +22995,31 @@ fi
 
 		;;
 	yes)
-		{ { $as_echo "$as_me:$LINENO: error: --with-randomdev must specify a path" >&5
-$as_echo "$as_me: error: --with-randomdev must specify a path" >&2;}
+		{ { echo "$as_me:$LINENO: error: --with-randomdev must specify a path" >&5
+echo "$as_me: error: --with-randomdev must specify a path" >&2;}
    { (exit 1); exit 1; }; }
 		;;
 	no)
-		{ $as_echo "$as_me:$LINENO: result: disabled" >&5
-$as_echo "disabled" >&6; }
+		{ echo "$as_me:$LINENO: result: disabled" >&5
+echo "${ECHO_T}disabled" >&6; }
 		;;
 	*)
 		cat >>confdefs.h <<_ACEOF
 #define PATH_RANDOMDEV "$use_randomdev"
 _ACEOF
 
-		{ $as_echo "$as_me:$LINENO: result: using \"$use_randomdev\"" >&5
-$as_echo "using \"$use_randomdev\"" >&6; }
+		{ echo "$as_me:$LINENO: result: using \"$use_randomdev\"" >&5
+echo "${ECHO_T}using \"$use_randomdev\"" >&6; }
 		;;
 esac
 
 #
 # Do we have arc4random() ?
 #
-{ $as_echo "$as_me:$LINENO: checking for arc4random" >&5
-$as_echo_n "checking for arc4random... " >&6; }
+{ echo "$as_me:$LINENO: checking for arc4random" >&5
+echo $ECHO_N "checking for arc4random... $ECHO_C" >&6; }
 if test "${ac_cv_func_arc4random+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -23663,35 +23072,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_arc4random=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_arc4random=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_arc4random" >&5
-$as_echo "$ac_cv_func_arc4random" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_arc4random" >&5
+echo "${ECHO_T}$ac_cv_func_arc4random" >&6; }
 if test $ac_cv_func_arc4random = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define HAVE_ARC4RANDOM 1
@@ -23710,8 +23115,8 @@ fi
 # is supported.
 #
 
-{ $as_echo "$as_me:$LINENO: checking whether to build with thread support" >&5
-$as_echo_n "checking whether to build with thread support... " >&6; }
+{ echo "$as_me:$LINENO: checking whether to build with thread support" >&5
+echo $ECHO_N "checking whether to build with thread support... $ECHO_C" >&6; }
 
 case $host in
 *-dec-osf*)
@@ -23781,19 +23186,19 @@ case "$enable_threads" in
 		# Use system-dependent default
 		;;
 	*)
-	    	{ { $as_echo "$as_me:$LINENO: error: --enable-threads takes yes or no" >&5
-$as_echo "$as_me: error: --enable-threads takes yes or no" >&2;}
+	    	{ { echo "$as_me:$LINENO: error: --enable-threads takes yes or no" >&5
+echo "$as_me: error: --enable-threads takes yes or no" >&2;}
    { (exit 1); exit 1; }; }
 		;;
 esac
 
 if $use_threads
 then
-	{ $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 else
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 if $use_threads
@@ -23811,8 +23216,8 @@ then
 		# the --with-ptl2 option for those who wish to
 		# experiment with it.
 		CC="gcc"
-		{ $as_echo "$as_me:$LINENO: checking which NetBSD thread library to use" >&5
-$as_echo_n "checking which NetBSD thread library to use... " >&6; }
+		{ echo "$as_me:$LINENO: checking which NetBSD thread library to use" >&5
+echo $ECHO_N "checking which NetBSD thread library to use... $ECHO_C" >&6; }
 
 
 # Check whether --with-ptl2 was given.
@@ -23827,31 +23232,31 @@ fi
 
 		if test "X$use_ptl2" = "Xyes"
 		then
-			{ $as_echo "$as_me:$LINENO: result: PTL2" >&5
-$as_echo "PTL2" >&6; }
-			{ $as_echo "$as_me:$LINENO: WARNING: linking with PTL2 is highly experimental and not expected to work" >&5
-$as_echo "$as_me: WARNING: linking with PTL2 is highly experimental and not expected to work" >&2;}
+			{ echo "$as_me:$LINENO: result: PTL2" >&5
+echo "${ECHO_T}PTL2" >&6; }
+			{ echo "$as_me:$LINENO: WARNING: linking with PTL2 is highly experimental and not expected to work" >&5
+echo "$as_me: WARNING: linking with PTL2 is highly experimental and not expected to work" >&2;}
 			CC=ptlgcc
 		else
 			if test -r /usr/lib/libpthread.so
 			then
-				{ $as_echo "$as_me:$LINENO: result: native" >&5
-$as_echo "native" >&6; }
+				{ echo "$as_me:$LINENO: result: native" >&5
+echo "${ECHO_T}native" >&6; }
 				LIBS="-lpthread $LIBS"
 			else
 				if test ! -d $LOCALBASE/pthreads
 				then
-					{ $as_echo "$as_me:$LINENO: result: none" >&5
-$as_echo "none" >&6; }
-					{ { $as_echo "$as_me:$LINENO: error: \"could not find thread libraries\"" >&5
-$as_echo "$as_me: error: \"could not find thread libraries\"" >&2;}
+					{ echo "$as_me:$LINENO: result: none" >&5
+echo "${ECHO_T}none" >&6; }
+					{ { echo "$as_me:$LINENO: error: \"could not find thread libraries\"" >&5
+echo "$as_me: error: \"could not find thread libraries\"" >&2;}
    { (exit 1); exit 1; }; }
 				fi
 
 				if $use_threads
 				then
-					{ $as_echo "$as_me:$LINENO: result: mit-pthreads/unproven-pthreads" >&5
-$as_echo "mit-pthreads/unproven-pthreads" >&6; }
+					{ echo "$as_me:$LINENO: result: mit-pthreads/unproven-pthreads" >&5
+echo "${ECHO_T}mit-pthreads/unproven-pthreads" >&6; }
 					pkg="$LOCALBASE/pthreads"
 					lib1="-L$pkg/lib -Wl,-R$pkg/lib"
 					lib2="-lpthread -lm -lgcc -lpthread"
@@ -23871,8 +23276,8 @@ $as_echo "mit-pthreads/unproven-pthreads" >&6; }
 			if test "X$GCC" = "Xyes"; then
 				saved_cc="$CC"
 				CC="$CC -pthread"
-				{ $as_echo "$as_me:$LINENO: checking for gcc -pthread support" >&5
-$as_echo_n "checking for gcc -pthread support... " >&6; };
+				{ echo "$as_me:$LINENO: checking for gcc -pthread support" >&5
+echo $ECHO_N "checking for gcc -pthread support... $ECHO_C" >&6; };
 				cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -23894,43 +23299,39 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   PTHREAD="yes"
-					    { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+					    { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 				CC="$saved_cc"
 			fi
 			if test "X$PTHREAD" != "Xyes"; then
 
-{ $as_echo "$as_me:$LINENO: checking for pthread_create in -lpthread" >&5
-$as_echo_n "checking for pthread_create in -lpthread... " >&6; }
+{ echo "$as_me:$LINENO: checking for pthread_create in -lpthread" >&5
+echo $ECHO_N "checking for pthread_create in -lpthread... $ECHO_C" >&6; }
 if test "${ac_cv_lib_pthread_pthread_create+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lpthread  $LIBS"
@@ -23962,36 +23363,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_pthread_pthread_create=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_pthread_pthread_create=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pthread_pthread_create" >&5
-$as_echo "$ac_cv_lib_pthread_pthread_create" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_pthread_pthread_create" >&5
+echo "${ECHO_T}$ac_cv_lib_pthread_pthread_create" >&6; }
 if test $ac_cv_lib_pthread_pthread_create = yes; then
   cat >>confdefs.h <<_ACEOF
 #define HAVE_LIBPTHREAD 1
@@ -24001,10 +23398,10 @@ _ACEOF
 
 else
 
-{ $as_echo "$as_me:$LINENO: checking for thread_create in -lthr" >&5
-$as_echo_n "checking for thread_create in -lthr... " >&6; }
+{ echo "$as_me:$LINENO: checking for thread_create in -lthr" >&5
+echo $ECHO_N "checking for thread_create in -lthr... $ECHO_C" >&6; }
 if test "${ac_cv_lib_thr_thread_create+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lthr  $LIBS"
@@ -24036,36 +23433,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_thr_thread_create=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_thr_thread_create=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_thr_thread_create" >&5
-$as_echo "$ac_cv_lib_thr_thread_create" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_thr_thread_create" >&5
+echo "${ECHO_T}$ac_cv_lib_thr_thread_create" >&6; }
 if test $ac_cv_lib_thr_thread_create = yes; then
   cat >>confdefs.h <<_ACEOF
 #define HAVE_LIBTHR 1
@@ -24075,10 +23468,10 @@ _ACEOF
 
 else
 
-{ $as_echo "$as_me:$LINENO: checking for pthread_create in -lc_r" >&5
-$as_echo_n "checking for pthread_create in -lc_r... " >&6; }
+{ echo "$as_me:$LINENO: checking for pthread_create in -lc_r" >&5
+echo $ECHO_N "checking for pthread_create in -lc_r... $ECHO_C" >&6; }
 if test "${ac_cv_lib_c_r_pthread_create+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lc_r  $LIBS"
@@ -24110,36 +23503,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_c_r_pthread_create=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_c_r_pthread_create=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_c_r_pthread_create" >&5
-$as_echo "$ac_cv_lib_c_r_pthread_create" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_c_r_pthread_create" >&5
+echo "${ECHO_T}$ac_cv_lib_c_r_pthread_create" >&6; }
 if test $ac_cv_lib_c_r_pthread_create = yes; then
   cat >>confdefs.h <<_ACEOF
 #define HAVE_LIBC_R 1
@@ -24149,10 +23538,10 @@ _ACEOF
 
 else
 
-{ $as_echo "$as_me:$LINENO: checking for pthread_create in -lc" >&5
-$as_echo_n "checking for pthread_create in -lc... " >&6; }
+{ echo "$as_me:$LINENO: checking for pthread_create in -lc" >&5
+echo $ECHO_N "checking for pthread_create in -lc... $ECHO_C" >&6; }
 if test "${ac_cv_lib_c_pthread_create+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lc  $LIBS"
@@ -24184,36 +23573,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_c_pthread_create=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_c_pthread_create=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_c_pthread_create" >&5
-$as_echo "$ac_cv_lib_c_pthread_create" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_c_pthread_create" >&5
+echo "${ECHO_T}$ac_cv_lib_c_pthread_create" >&6; }
 if test $ac_cv_lib_c_pthread_create = yes; then
   cat >>confdefs.h <<_ACEOF
 #define HAVE_LIBC 1
@@ -24222,8 +23607,8 @@ _ACEOF
   LIBS="-lc $LIBS"
 
 else
-  { { $as_echo "$as_me:$LINENO: error: \"could not find thread libraries\"" >&5
-$as_echo "$as_me: error: \"could not find thread libraries\"" >&2;}
+  { { echo "$as_me:$LINENO: error: \"could not find thread libraries\"" >&5
+echo "$as_me: error: \"could not find thread libraries\"" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
@@ -24237,10 +23622,10 @@ fi
 			;;
 		*)
 
-{ $as_echo "$as_me:$LINENO: checking for pthread_create in -lpthread" >&5
-$as_echo_n "checking for pthread_create in -lpthread... " >&6; }
+{ echo "$as_me:$LINENO: checking for pthread_create in -lpthread" >&5
+echo $ECHO_N "checking for pthread_create in -lpthread... $ECHO_C" >&6; }
 if test "${ac_cv_lib_pthread_pthread_create+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lpthread  $LIBS"
@@ -24272,36 +23657,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_pthread_pthread_create=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_pthread_pthread_create=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pthread_pthread_create" >&5
-$as_echo "$ac_cv_lib_pthread_pthread_create" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_pthread_pthread_create" >&5
+echo "${ECHO_T}$ac_cv_lib_pthread_pthread_create" >&6; }
 if test $ac_cv_lib_pthread_pthread_create = yes; then
   cat >>confdefs.h <<_ACEOF
 #define HAVE_LIBPTHREAD 1
@@ -24311,10 +23692,10 @@ _ACEOF
 
 else
 
-{ $as_echo "$as_me:$LINENO: checking for __pthread_create in -lpthread" >&5
-$as_echo_n "checking for __pthread_create in -lpthread... " >&6; }
+{ echo "$as_me:$LINENO: checking for __pthread_create in -lpthread" >&5
+echo $ECHO_N "checking for __pthread_create in -lpthread... $ECHO_C" >&6; }
 if test "${ac_cv_lib_pthread___pthread_create+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lpthread  $LIBS"
@@ -24346,36 +23727,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_pthread___pthread_create=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_pthread___pthread_create=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pthread___pthread_create" >&5
-$as_echo "$ac_cv_lib_pthread___pthread_create" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_pthread___pthread_create" >&5
+echo "${ECHO_T}$ac_cv_lib_pthread___pthread_create" >&6; }
 if test $ac_cv_lib_pthread___pthread_create = yes; then
   cat >>confdefs.h <<_ACEOF
 #define HAVE_LIBPTHREAD 1
@@ -24385,10 +23762,10 @@ _ACEOF
 
 else
 
-{ $as_echo "$as_me:$LINENO: checking for __pthread_create_system in -lpthread" >&5
-$as_echo_n "checking for __pthread_create_system in -lpthread... " >&6; }
+{ echo "$as_me:$LINENO: checking for __pthread_create_system in -lpthread" >&5
+echo $ECHO_N "checking for __pthread_create_system in -lpthread... $ECHO_C" >&6; }
 if test "${ac_cv_lib_pthread___pthread_create_system+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lpthread  $LIBS"
@@ -24420,36 +23797,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_pthread___pthread_create_system=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_pthread___pthread_create_system=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pthread___pthread_create_system" >&5
-$as_echo "$ac_cv_lib_pthread___pthread_create_system" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_pthread___pthread_create_system" >&5
+echo "${ECHO_T}$ac_cv_lib_pthread___pthread_create_system" >&6; }
 if test $ac_cv_lib_pthread___pthread_create_system = yes; then
   cat >>confdefs.h <<_ACEOF
 #define HAVE_LIBPTHREAD 1
@@ -24459,10 +23832,10 @@ _ACEOF
 
 else
 
-{ $as_echo "$as_me:$LINENO: checking for pthread_create in -lc_r" >&5
-$as_echo_n "checking for pthread_create in -lc_r... " >&6; }
+{ echo "$as_me:$LINENO: checking for pthread_create in -lc_r" >&5
+echo $ECHO_N "checking for pthread_create in -lc_r... $ECHO_C" >&6; }
 if test "${ac_cv_lib_c_r_pthread_create+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lc_r  $LIBS"
@@ -24494,36 +23867,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_c_r_pthread_create=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_c_r_pthread_create=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_c_r_pthread_create" >&5
-$as_echo "$ac_cv_lib_c_r_pthread_create" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_c_r_pthread_create" >&5
+echo "${ECHO_T}$ac_cv_lib_c_r_pthread_create" >&6; }
 if test $ac_cv_lib_c_r_pthread_create = yes; then
   cat >>confdefs.h <<_ACEOF
 #define HAVE_LIBC_R 1
@@ -24533,10 +23902,10 @@ _ACEOF
 
 else
 
-{ $as_echo "$as_me:$LINENO: checking for pthread_create in -lc" >&5
-$as_echo_n "checking for pthread_create in -lc... " >&6; }
+{ echo "$as_me:$LINENO: checking for pthread_create in -lc" >&5
+echo $ECHO_N "checking for pthread_create in -lc... $ECHO_C" >&6; }
 if test "${ac_cv_lib_c_pthread_create+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lc  $LIBS"
@@ -24568,36 +23937,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_c_pthread_create=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_c_pthread_create=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_c_pthread_create" >&5
-$as_echo "$ac_cv_lib_c_pthread_create" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_c_pthread_create" >&5
+echo "${ECHO_T}$ac_cv_lib_c_pthread_create" >&6; }
 if test $ac_cv_lib_c_pthread_create = yes; then
   cat >>confdefs.h <<_ACEOF
 #define HAVE_LIBC 1
@@ -24606,8 +23971,8 @@ _ACEOF
   LIBS="-lc $LIBS"
 
 else
-  { { $as_echo "$as_me:$LINENO: error: \"could not find thread libraries\"" >&5
-$as_echo "$as_me: error: \"could not find thread libraries\"" >&2;}
+  { { echo "$as_me:$LINENO: error: \"could not find thread libraries\"" >&5
+echo "$as_me: error: \"could not find thread libraries\"" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
@@ -24672,10 +24037,10 @@ then
 	#
 	# We'd like to use sigwait() too
 	#
-	{ $as_echo "$as_me:$LINENO: checking for sigwait" >&5
-$as_echo_n "checking for sigwait... " >&6; }
+	{ echo "$as_me:$LINENO: checking for sigwait" >&5
+echo $ECHO_N "checking for sigwait... $ECHO_C" >&6; }
 if test "${ac_cv_func_sigwait+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -24728,45 +24093,41 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_sigwait=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_sigwait=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_sigwait" >&5
-$as_echo "$ac_cv_func_sigwait" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_sigwait" >&5
+echo "${ECHO_T}$ac_cv_func_sigwait" >&6; }
 if test $ac_cv_func_sigwait = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define HAVE_SIGWAIT 1
 _ACEOF
 
 else
-  { $as_echo "$as_me:$LINENO: checking for sigwait in -lc" >&5
-$as_echo_n "checking for sigwait in -lc... " >&6; }
+  { echo "$as_me:$LINENO: checking for sigwait in -lc" >&5
+echo $ECHO_N "checking for sigwait in -lc... $ECHO_C" >&6; }
 if test "${ac_cv_lib_c_sigwait+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lc  $LIBS"
@@ -24798,46 +24159,42 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_c_sigwait=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_c_sigwait=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_c_sigwait" >&5
-$as_echo "$ac_cv_lib_c_sigwait" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_c_sigwait" >&5
+echo "${ECHO_T}$ac_cv_lib_c_sigwait" >&6; }
 if test $ac_cv_lib_c_sigwait = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define HAVE_SIGWAIT 1
 _ACEOF
 
 else
-  { $as_echo "$as_me:$LINENO: checking for sigwait in -lpthread" >&5
-$as_echo_n "checking for sigwait in -lpthread... " >&6; }
+  { echo "$as_me:$LINENO: checking for sigwait in -lpthread" >&5
+echo $ECHO_N "checking for sigwait in -lpthread... $ECHO_C" >&6; }
 if test "${ac_cv_lib_pthread_sigwait+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lpthread  $LIBS"
@@ -24869,46 +24226,42 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_pthread_sigwait=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_pthread_sigwait=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pthread_sigwait" >&5
-$as_echo "$ac_cv_lib_pthread_sigwait" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_pthread_sigwait" >&5
+echo "${ECHO_T}$ac_cv_lib_pthread_sigwait" >&6; }
 if test $ac_cv_lib_pthread_sigwait = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define HAVE_SIGWAIT 1
 _ACEOF
 
 else
-  { $as_echo "$as_me:$LINENO: checking for _Psigwait in -lpthread" >&5
-$as_echo_n "checking for _Psigwait in -lpthread... " >&6; }
+  { echo "$as_me:$LINENO: checking for _Psigwait in -lpthread" >&5
+echo $ECHO_N "checking for _Psigwait in -lpthread... $ECHO_C" >&6; }
 if test "${ac_cv_lib_pthread__Psigwait+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lpthread  $LIBS"
@@ -24940,36 +24293,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_pthread__Psigwait=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_pthread__Psigwait=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_pthread__Psigwait" >&5
-$as_echo "$ac_cv_lib_pthread__Psigwait" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_pthread__Psigwait" >&5
+echo "${ECHO_T}$ac_cv_lib_pthread__Psigwait" >&6; }
 if test $ac_cv_lib_pthread__Psigwait = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define HAVE_SIGWAIT 1
@@ -24984,10 +24333,10 @@ fi
 fi
 
 
-	{ $as_echo "$as_me:$LINENO: checking for pthread_attr_getstacksize" >&5
-$as_echo_n "checking for pthread_attr_getstacksize... " >&6; }
+	{ echo "$as_me:$LINENO: checking for pthread_attr_getstacksize" >&5
+echo $ECHO_N "checking for pthread_attr_getstacksize... $ECHO_C" >&6; }
 if test "${ac_cv_func_pthread_attr_getstacksize+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -25040,35 +24389,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_pthread_attr_getstacksize=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_pthread_attr_getstacksize=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_pthread_attr_getstacksize" >&5
-$as_echo "$ac_cv_func_pthread_attr_getstacksize" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_pthread_attr_getstacksize" >&5
+echo "${ECHO_T}$ac_cv_func_pthread_attr_getstacksize" >&6; }
 if test $ac_cv_func_pthread_attr_getstacksize = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define HAVE_PTHREAD_ATTR_GETSTACKSIZE 1
@@ -25077,10 +24422,10 @@ _ACEOF
 fi
 
 
-	{ $as_echo "$as_me:$LINENO: checking for pthread_attr_setstacksize" >&5
-$as_echo_n "checking for pthread_attr_setstacksize... " >&6; }
+	{ echo "$as_me:$LINENO: checking for pthread_attr_setstacksize" >&5
+echo $ECHO_N "checking for pthread_attr_setstacksize... $ECHO_C" >&6; }
 if test "${ac_cv_func_pthread_attr_setstacksize+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -25133,35 +24478,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_pthread_attr_setstacksize=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_pthread_attr_setstacksize=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_pthread_attr_setstacksize" >&5
-$as_echo "$ac_cv_func_pthread_attr_setstacksize" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_pthread_attr_setstacksize" >&5
+echo "${ECHO_T}$ac_cv_func_pthread_attr_setstacksize" >&6; }
 if test $ac_cv_func_pthread_attr_setstacksize = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define HAVE_PTHREAD_ATTR_SETSTACKSIZE 1
@@ -25178,10 +24519,10 @@ fi
 		# One more place to look for sigwait.
 		#
 		*-freebsd*)
-			{ $as_echo "$as_me:$LINENO: checking for sigwait in -lc_r" >&5
-$as_echo_n "checking for sigwait in -lc_r... " >&6; }
+			{ echo "$as_me:$LINENO: checking for sigwait in -lc_r" >&5
+echo $ECHO_N "checking for sigwait in -lc_r... $ECHO_C" >&6; }
 if test "${ac_cv_lib_c_r_sigwait+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lc_r  $LIBS"
@@ -25213,36 +24554,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_c_r_sigwait=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_c_r_sigwait=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_c_r_sigwait" >&5
-$as_echo "$ac_cv_lib_c_r_sigwait" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_c_r_sigwait" >&5
+echo "${ECHO_T}$ac_cv_lib_c_r_sigwait" >&6; }
 if test $ac_cv_lib_c_r_sigwait = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define HAVE_SIGWAIT 1
@@ -25296,10 +24633,10 @@ _ACEOF
 #define _POSIX_PTHREAD_SEMANTICS 1
 _ACEOF
 
-			{ $as_echo "$as_me:$LINENO: checking for pthread_setconcurrency" >&5
-$as_echo_n "checking for pthread_setconcurrency... " >&6; }
+			{ echo "$as_me:$LINENO: checking for pthread_setconcurrency" >&5
+echo $ECHO_N "checking for pthread_setconcurrency... $ECHO_C" >&6; }
 if test "${ac_cv_func_pthread_setconcurrency+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -25352,35 +24689,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_pthread_setconcurrency=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_pthread_setconcurrency=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_pthread_setconcurrency" >&5
-$as_echo "$ac_cv_func_pthread_setconcurrency" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_pthread_setconcurrency" >&5
+echo "${ECHO_T}$ac_cv_func_pthread_setconcurrency" >&6; }
 if test $ac_cv_func_pthread_setconcurrency = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define CALL_PTHREAD_SETCONCURRENCY 1
@@ -25403,10 +24736,10 @@ _ACEOF
 	#
 	# Look for sysconf to allow detection of the number of processors.
 	#
-	{ $as_echo "$as_me:$LINENO: checking for sysconf" >&5
-$as_echo_n "checking for sysconf... " >&6; }
+	{ echo "$as_me:$LINENO: checking for sysconf" >&5
+echo $ECHO_N "checking for sysconf... $ECHO_C" >&6; }
 if test "${ac_cv_func_sysconf+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -25459,35 +24792,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_sysconf=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_sysconf=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_sysconf" >&5
-$as_echo "$ac_cv_func_sysconf" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_sysconf" >&5
+echo "${ECHO_T}$ac_cv_func_sysconf" >&6; }
 if test $ac_cv_func_sysconf = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define HAVE_SYSCONF 1
@@ -25510,8 +24839,8 @@ ISC_THREAD_DIR=$thread_dir
 #
 # was --with-libxml2 specified?
 #
-{ $as_echo "$as_me:$LINENO: checking for libxml2 library" >&5
-$as_echo_n "checking for libxml2 library... " >&6; }
+{ echo "$as_me:$LINENO: checking for libxml2 library" >&5
+echo $ECHO_N "checking for libxml2 library... $ECHO_C" >&6; }
 
 # Check whether --with-libxml2 was given.
 if test "${with_libxml2+set}" = set; then
@@ -25547,8 +24876,8 @@ esac
 
 if test "X$libxml2_libs" != "X"
 then
-	{ $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	CFLAGS="$CFLAGS $libxml2_cflags"
 	LIBS="$LIBS $libxml2_libs"
 
@@ -25557,18 +24886,18 @@ cat >>confdefs.h <<\_ACEOF
 _ACEOF
 
 else
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 #
 # In solaris 10, SMF can manage named service
 #
 
-{ $as_echo "$as_me:$LINENO: checking for smf_enable_instance in -lscf" >&5
-$as_echo_n "checking for smf_enable_instance in -lscf... " >&6; }
+{ echo "$as_me:$LINENO: checking for smf_enable_instance in -lscf" >&5
+echo $ECHO_N "checking for smf_enable_instance in -lscf... $ECHO_C" >&6; }
 if test "${ac_cv_lib_scf_smf_enable_instance+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lscf  $LIBS"
@@ -25600,36 +24929,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_scf_smf_enable_instance=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_scf_smf_enable_instance=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_scf_smf_enable_instance" >&5
-$as_echo "$ac_cv_lib_scf_smf_enable_instance" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_scf_smf_enable_instance" >&5
+echo "${ECHO_T}$ac_cv_lib_scf_smf_enable_instance" >&6; }
 if test $ac_cv_lib_scf_smf_enable_instance = yes; then
   cat >>confdefs.h <<_ACEOF
 #define HAVE_LIBSCF 1
@@ -25645,10 +24970,10 @@ fi
 # even if compiled with --disable-threads.  getc_unlocked might also not
 # be defined.
 #
-{ $as_echo "$as_me:$LINENO: checking for flockfile" >&5
-$as_echo_n "checking for flockfile... " >&6; }
+{ echo "$as_me:$LINENO: checking for flockfile" >&5
+echo $ECHO_N "checking for flockfile... $ECHO_C" >&6; }
 if test "${ac_cv_func_flockfile+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -25701,35 +25026,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_flockfile=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_flockfile=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_flockfile" >&5
-$as_echo "$ac_cv_func_flockfile" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_flockfile" >&5
+echo "${ECHO_T}$ac_cv_func_flockfile" >&6; }
 if test $ac_cv_func_flockfile = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define HAVE_FLOCKFILE 1
@@ -25737,10 +25058,10 @@ _ACEOF
 
 fi
 
-{ $as_echo "$as_me:$LINENO: checking for getc_unlocked" >&5
-$as_echo_n "checking for getc_unlocked... " >&6; }
+{ echo "$as_me:$LINENO: checking for getc_unlocked" >&5
+echo $ECHO_N "checking for getc_unlocked... $ECHO_C" >&6; }
 if test "${ac_cv_func_getc_unlocked+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -25793,35 +25114,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_getc_unlocked=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_getc_unlocked=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_getc_unlocked" >&5
-$as_echo "$ac_cv_func_getc_unlocked" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getc_unlocked" >&5
+echo "${ECHO_T}$ac_cv_func_getc_unlocked" >&6; }
 if test $ac_cv_func_getc_unlocked = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define HAVE_GETCUNLOCKED 1
@@ -25833,14 +25150,14 @@ fi
 #
 # Indicate what the final decision was regarding threads.
 #
-{ $as_echo "$as_me:$LINENO: checking whether to build with threads" >&5
-$as_echo_n "checking whether to build with threads... " >&6; }
+{ echo "$as_me:$LINENO: checking whether to build with threads" >&5
+echo $ECHO_N "checking whether to build with threads... $ECHO_C" >&6; }
 if $use_threads; then
-	{ $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 else
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 #
@@ -25873,8 +25190,8 @@ MKDEPCFLAGS="-M"
 IRIX_DNSSEC_WARNINGS_HACK=""
 
 if test "X$GCC" = "Xyes"; then
-	{ $as_echo "$as_me:$LINENO: checking if \"$CC\" supports -fno-strict-aliasing" >&5
-$as_echo_n "checking if \"$CC\" supports -fno-strict-aliasing... " >&6; }
+	{ echo "$as_me:$LINENO: checking if \"$CC\" supports -fno-strict-aliasing" >&5
+echo $ECHO_N "checking if \"$CC\" supports -fno-strict-aliasing... $ECHO_C" >&6; }
 	SAVE_CFLAGS=$CFLAGS
 	CFLAGS=-fno-strict-aliasing
 	cat >conftest.$ac_ext <<_ACEOF
@@ -25898,21 +25215,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   FNOSTRICTALIASING=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	FNOSTRICTALIASING=no
@@ -25921,12 +25237,12 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 	CFLAGS=$SAVE_CFLAGS
 	if test "$FNOSTRICTALIASING" = "yes"; then
-		{ $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+		{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing"
 	else
-		{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+		{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith"
 	fi
 	case "$host" in
@@ -25989,10 +25305,10 @@ fi
 #
 # NLS
 #
-{ $as_echo "$as_me:$LINENO: checking for catgets" >&5
-$as_echo_n "checking for catgets... " >&6; }
+{ echo "$as_me:$LINENO: checking for catgets" >&5
+echo $ECHO_N "checking for catgets... $ECHO_C" >&6; }
 if test "${ac_cv_func_catgets+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -26045,35 +25361,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_catgets=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_catgets=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_catgets" >&5
-$as_echo "$ac_cv_func_catgets" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_catgets" >&5
+echo "${ECHO_T}$ac_cv_func_catgets" >&6; }
 if test $ac_cv_func_catgets = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define HAVE_CATGETS 1
@@ -26098,10 +25410,10 @@ case "$host" in
 		;;
 	*)
 
-{ $as_echo "$as_me:$LINENO: checking for socket in -lsocket" >&5
-$as_echo_n "checking for socket in -lsocket... " >&6; }
+{ echo "$as_me:$LINENO: checking for socket in -lsocket" >&5
+echo $ECHO_N "checking for socket in -lsocket... $ECHO_C" >&6; }
 if test "${ac_cv_lib_socket_socket+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lsocket  $LIBS"
@@ -26133,36 +25445,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_socket_socket=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_socket_socket=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_socket_socket" >&5
-$as_echo "$ac_cv_lib_socket_socket" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_socket_socket" >&5
+echo "${ECHO_T}$ac_cv_lib_socket_socket" >&6; }
 if test $ac_cv_lib_socket_socket = yes; then
   cat >>confdefs.h <<_ACEOF
 #define HAVE_LIBSOCKET 1
@@ -26173,10 +25481,10 @@ _ACEOF
 fi
 
 
-{ $as_echo "$as_me:$LINENO: checking for inet_addr in -lnsl" >&5
-$as_echo_n "checking for inet_addr in -lnsl... " >&6; }
+{ echo "$as_me:$LINENO: checking for inet_addr in -lnsl" >&5
+echo $ECHO_N "checking for inet_addr in -lnsl... $ECHO_C" >&6; }
 if test "${ac_cv_lib_nsl_inet_addr+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lnsl  $LIBS"
@@ -26208,36 +25516,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_nsl_inet_addr=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_nsl_inet_addr=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_inet_addr" >&5
-$as_echo "$ac_cv_lib_nsl_inet_addr" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_inet_addr" >&5
+echo "${ECHO_T}$ac_cv_lib_nsl_inet_addr" >&6; }
 if test $ac_cv_lib_nsl_inet_addr = yes; then
   cat >>confdefs.h <<_ACEOF
 #define HAVE_LIBNSL 1
@@ -26266,8 +25570,8 @@ esac
 #
 # Purify support
 #
-{ $as_echo "$as_me:$LINENO: checking whether to use purify" >&5
-$as_echo_n "checking whether to use purify... " >&6; }
+{ echo "$as_me:$LINENO: checking whether to use purify" >&5
+echo $ECHO_N "checking whether to use purify... $ECHO_C" >&6; }
 
 # Check whether --with-purify was given.
 if test "${with_purify+set}" = set; then
@@ -26283,10 +25587,10 @@ case "$use_purify" in
 	yes)
 		# Extract the first word of "purify", so it can be a program name with args.
 set dummy purify; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_path_purify_path+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   case $purify_path in
   [\\/]* | ?:[\\/]*)
@@ -26301,7 +25605,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_path_purify_path="$as_dir/$ac_word$ac_exec_ext"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -26314,11 +25618,11 @@ esac
 fi
 purify_path=$ac_cv_path_purify_path
 if test -n "$purify_path"; then
-  { $as_echo "$as_me:$LINENO: result: $purify_path" >&5
-$as_echo "$purify_path" >&6; }
+  { echo "$as_me:$LINENO: result: $purify_path" >&5
+echo "${ECHO_T}$purify_path" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -26330,24 +25634,24 @@ esac
 
 case "$use_purify" in
 	no)
-		{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+		{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 		PURIFY=""
 		;;
 	*)
 		if test -f $purify_path || test $purify_path = purify; then
-			{ $as_echo "$as_me:$LINENO: result: $purify_path" >&5
-$as_echo "$purify_path" >&6; }
+			{ echo "$as_me:$LINENO: result: $purify_path" >&5
+echo "${ECHO_T}$purify_path" >&6; }
 			PURIFYFLAGS="`echo $PURIFYOPTIONS`"
 			PURIFY="$purify_path $PURIFYFLAGS"
 		else
-			{ { $as_echo "$as_me:$LINENO: error: $purify_path not found.
+			{ { echo "$as_me:$LINENO: error: $purify_path not found.
 
 Please choose the proper path with the following command:
 
     configure --with-purify=PATH
 " >&5
-$as_echo "$as_me: error: $purify_path not found.
+echo "$as_me: error: $purify_path not found.
 
 Please choose the proper path with the following command:
 
@@ -26360,16 +25664,6 @@ esac
 
 
 
-#
-# GNU libtool support
-#
-case $build_os in
-sunos*)
-    # Just set the maximum command line length for sunos as it otherwise
-    # takes a exceptionally long time to work it out. Required for libtool.
-    lt_cv_sys_max_cmd_len=4096;
-    ;;
-esac
 
 
 # Check whether --with-libtool was given.
@@ -26456,8 +25750,8 @@ esac
 # We do the IPv6 compilation checking after libtool so that we can put
 # the right suffix on the files.
 #
-{ $as_echo "$as_me:$LINENO: checking for IPv6 structures" >&5
-$as_echo_n "checking for IPv6 structures... " >&6; }
+{ echo "$as_me:$LINENO: checking for IPv6 structures" >&5
+echo $ECHO_N "checking for IPv6 structures... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -26482,27 +25776,26 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	 found_ipv6=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	 found_ipv6=no
 fi
 
@@ -26512,8 +25805,8 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 # See whether IPv6 support is provided via a Kame add-on.
 # This is done before other IPv6 linking tests to LIBS is properly set.
 #
-{ $as_echo "$as_me:$LINENO: checking for Kame IPv6 support" >&5
-$as_echo_n "checking for Kame IPv6 support... " >&6; }
+{ echo "$as_me:$LINENO: checking for Kame IPv6 support" >&5
+echo $ECHO_N "checking for Kame IPv6 support... $ECHO_C" >&6; }
 
 # Check whether --with-kame was given.
 if test "${with_kame+set}" = set; then
@@ -26536,22 +25829,22 @@ esac
 
 case "$use_kame" in
 	no)
-		{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+		{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 		;;
 	*)
 		if test -f $kame_path/lib/libinet6.a; then
-			{ $as_echo "$as_me:$LINENO: result: $kame_path/lib/libinet6.a" >&5
-$as_echo "$kame_path/lib/libinet6.a" >&6; }
+			{ echo "$as_me:$LINENO: result: $kame_path/lib/libinet6.a" >&5
+echo "${ECHO_T}$kame_path/lib/libinet6.a" >&6; }
 			LIBS="-L$kame_path/lib -linet6 $LIBS"
 		else
-			{ { $as_echo "$as_me:$LINENO: error: $kame_path/lib/libinet6.a not found.
+			{ { echo "$as_me:$LINENO: error: $kame_path/lib/libinet6.a not found.
 
 Please choose the proper path with the following command:
 
     configure --with-kame=PATH
 " >&5
-$as_echo "$as_me: error: $kame_path/lib/libinet6.a not found.
+echo "$as_me: error: $kame_path/lib/libinet6.a not found.
 
 Please choose the proper path with the following command:
 
@@ -26612,8 +25905,8 @@ case "$found_ipv6" in
 		ISC_PLATFORM_HAVEIPV6="#define ISC_PLATFORM_HAVEIPV6 1"
 		LWRES_PLATFORM_HAVEIPV6="#define LWRES_PLATFORM_HAVEIPV6 1"
 
-		{ $as_echo "$as_me:$LINENO: checking for in6_addr" >&5
-$as_echo_n "checking for in6_addr... " >&6; }
+		{ echo "$as_me:$LINENO: checking for in6_addr" >&5
+echo $ECHO_N "checking for in6_addr... $ECHO_C" >&6; }
 		cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -26641,29 +25934,28 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 		 ISC_PLATFORM_HAVEINADDR6="#undef ISC_PLATFORM_HAVEINADDR6"
 		 LWRES_PLATFORM_HAVEINADDR6="#undef LWRES_PLATFORM_HAVEINADDR6"
 		 isc_in_addr6_hack=""
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 		 ISC_PLATFORM_HAVEINADDR6="#define ISC_PLATFORM_HAVEINADDR6 1"
 		 LWRES_PLATFORM_HAVEINADDR6="#define LWRES_PLATFORM_HAVEINADDR6 1"
 		 isc_in_addr6_hack="#define in6_addr in_addr6"
@@ -26671,8 +25963,8 @@ fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
-		{ $as_echo "$as_me:$LINENO: checking for in6addr_any" >&5
-$as_echo_n "checking for in6addr_any... " >&6; }
+		{ echo "$as_me:$LINENO: checking for in6addr_any" >&5
+echo $ECHO_N "checking for in6addr_any... $ECHO_C" >&6; }
 		cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -26701,41 +25993,37 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 			 ISC_PLATFORM_NEEDIN6ADDRANY="#undef ISC_PLATFORM_NEEDIN6ADDRANY"
 			 LWRES_PLATFORM_NEEDIN6ADDRANY="#undef LWRES_PLATFORM_NEEDIN6ADDRANY"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 			 ISC_PLATFORM_NEEDIN6ADDRANY="#define ISC_PLATFORM_NEEDIN6ADDRANY 1"
 			 LWRES_PLATFORM_NEEDIN6ADDRANY="#define LWRES_PLATFORM_NEEDIN6ADDRANY 1"
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 
-		{ $as_echo "$as_me:$LINENO: checking for in6addr_loopback" >&5
-$as_echo_n "checking for in6addr_loopback... " >&6; }
+		{ echo "$as_me:$LINENO: checking for in6addr_loopback" >&5
+echo $ECHO_N "checking for in6addr_loopback... $ECHO_C" >&6; }
 		cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -26764,41 +26052,37 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 			 ISC_PLATFORM_NEEDIN6ADDRLOOPBACK="#undef ISC_PLATFORM_NEEDIN6ADDRLOOPBACK"
 			 LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK="#undef LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 			 ISC_PLATFORM_NEEDIN6ADDRLOOPBACK="#define ISC_PLATFORM_NEEDIN6ADDRLOOPBACK 1"
 			 LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK="#define LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK 1"
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 
-		{ $as_echo "$as_me:$LINENO: checking for sin6_scope_id in struct sockaddr_in6" >&5
-$as_echo_n "checking for sin6_scope_id in struct sockaddr_in6... " >&6; }
+		{ echo "$as_me:$LINENO: checking for sin6_scope_id in struct sockaddr_in6" >&5
+echo $ECHO_N "checking for sin6_scope_id in struct sockaddr_in6... $ECHO_C" >&6; }
 		cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -26826,28 +26110,27 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 			 ISC_PLATFORM_HAVESCOPEID="#define ISC_PLATFORM_HAVESCOPEID 1"
 			 result="#define LWRES_HAVE_SIN6_SCOPE_ID 1"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 			 ISC_PLATFORM_HAVESCOPEID="#undef ISC_PLATFORM_HAVESCOPEID"
 			 result="#undef LWRES_HAVE_SIN6_SCOPE_ID"
 fi
@@ -26855,8 +26138,8 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 		LWRES_HAVE_SIN6_SCOPE_ID="$result"
 
-		{ $as_echo "$as_me:$LINENO: checking for in6_pktinfo" >&5
-$as_echo_n "checking for in6_pktinfo... " >&6; }
+		{ echo "$as_me:$LINENO: checking for in6_pktinfo" >&5
+echo $ECHO_N "checking for in6_pktinfo... $ECHO_C" >&6; }
 		cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -26884,27 +26167,26 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 			 ISC_PLATFORM_HAVEIN6PKTINFO="#define ISC_PLATFORM_HAVEIN6PKTINFO 1"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no -- disabling runtime ipv6 support" >&5
-$as_echo "no -- disabling runtime ipv6 support" >&6; }
+	{ echo "$as_me:$LINENO: result: no -- disabling runtime ipv6 support" >&5
+echo "${ECHO_T}no -- disabling runtime ipv6 support" >&6; }
 			 ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"
 fi
 
@@ -26946,8 +26228,8 @@ esac
 
 
 
-{ $as_echo "$as_me:$LINENO: checking for struct if_laddrreq" >&5
-$as_echo_n "checking for struct if_laddrreq... " >&6; }
+{ echo "$as_me:$LINENO: checking for struct if_laddrreq" >&5
+echo $ECHO_N "checking for struct if_laddrreq... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -26972,40 +26254,36 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	ISC_PLATFORM_HAVEIF_LADDRREQ="#define ISC_PLATFORM_HAVEIF_LADDRREQ 1"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	ISC_PLATFORM_HAVEIF_LADDRREQ="#undef ISC_PLATFORM_HAVEIF_LADDRREQ"
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 
 
-{ $as_echo "$as_me:$LINENO: checking for struct if_laddrconf" >&5
-$as_echo_n "checking for struct if_laddrconf... " >&6; }
+{ echo "$as_me:$LINENO: checking for struct if_laddrconf" >&5
+echo $ECHO_N "checking for struct if_laddrconf... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -27030,34 +26308,30 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	ISC_PLATFORM_HAVEIF_LADDRCONF="#define ISC_PLATFORM_HAVEIF_LADDRCONF 1"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	ISC_PLATFORM_HAVEIF_LADDRCONF="#undef ISC_PLATFORM_HAVEIF_LADDRCONF"
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 
@@ -27069,11 +26343,11 @@ rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
 # which provides some (all?) of the desired functions.
 #
 
-{ $as_echo "$as_me:$LINENO: checking for inet_ntop with IPv6 support" >&5
-$as_echo_n "checking for inet_ntop with IPv6 support... " >&6; }
+{ echo "$as_me:$LINENO: checking for inet_ntop with IPv6 support" >&5
+echo $ECHO_N "checking for inet_ntop with IPv6 support... $ECHO_C" >&6; }
 if test "$cross_compiling" = yes; then
-  { $as_echo "$as_me:$LINENO: result: assuming inet_ntop needed" >&5
-$as_echo "assuming inet_ntop needed" >&6; }
+  { echo "$as_me:$LINENO: result: assuming inet_ntop needed" >&5
+echo "${ECHO_T}assuming inet_ntop needed" >&6; }
 	ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
 	ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
 	ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"
@@ -27098,38 +26372,35 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
   { (case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_try") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	ISC_PLATFORM_NEEDNTOP="#undef ISC_PLATFORM_NEEDNTOP"
 else
-  $as_echo "$as_me: program exited with status $ac_status" >&5
-$as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 ( exit $ac_status )
-{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
 	ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
 	ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"
 fi
-rm -rf conftest.dSYM
 rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
@@ -27140,11 +26411,11 @@ fi
 # addresses with less than four octets, like "1.2.3".  Also leading
 # zeros should also be rejected.
 
-{ $as_echo "$as_me:$LINENO: checking for working inet_pton with IPv6 support" >&5
-$as_echo_n "checking for working inet_pton with IPv6 support... " >&6; }
+{ echo "$as_me:$LINENO: checking for working inet_pton with IPv6 support" >&5
+echo $ECHO_N "checking for working inet_pton with IPv6 support... $ECHO_C" >&6; }
 if test "$cross_compiling" = yes; then
-  { $as_echo "$as_me:$LINENO: result: assuming target platform has working inet_pton" >&5
-$as_echo "assuming target platform has working inet_pton" >&6; }
+  { echo "$as_me:$LINENO: result: assuming target platform has working inet_pton" >&5
+echo "${ECHO_T}assuming target platform has working inet_pton" >&6; }
 	ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -27168,38 +26439,35 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
   { (case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_try") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"
 else
-  $as_echo "$as_me: program exited with status $ac_status" >&5
-$as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 ( exit $ac_status )
-{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
 	ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
 	ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"
 fi
-rm -rf conftest.dSYM
 rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
@@ -27221,8 +26489,8 @@ _ACEOF
 		;;
 esac
 
-{ $as_echo "$as_me:$LINENO: checking for sa_len in struct sockaddr" >&5
-$as_echo_n "checking for sa_len in struct sockaddr... " >&6; }
+{ echo "$as_me:$LINENO: checking for sa_len in struct sockaddr" >&5
+echo $ECHO_N "checking for sa_len in struct sockaddr... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -27246,28 +26514,27 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	ISC_PLATFORM_HAVESALEN="#define ISC_PLATFORM_HAVESALEN 1"
 	LWRES_PLATFORM_HAVESALEN="#define LWRES_PLATFORM_HAVESALEN 1"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	ISC_PLATFORM_HAVESALEN="#undef ISC_PLATFORM_HAVESALEN"
 	LWRES_PLATFORM_HAVESALEN="#undef LWRES_PLATFORM_HAVESALEN"
 fi
@@ -27279,8 +26546,8 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 #
 # Look for a 4.4BSD or 4.3BSD struct msghdr
 #
-{ $as_echo "$as_me:$LINENO: checking for struct msghdr flavor" >&5
-$as_echo_n "checking for struct msghdr flavor... " >&6; }
+{ echo "$as_me:$LINENO: checking for struct msghdr flavor" >&5
+echo $ECHO_N "checking for struct msghdr flavor... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -27304,27 +26571,26 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: 4.4BSD" >&5
-$as_echo "4.4BSD" >&6; }
+  { echo "$as_me:$LINENO: result: 4.4BSD" >&5
+echo "${ECHO_T}4.4BSD" >&6; }
 	ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD44MSGHDR 1"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: 4.3BSD" >&5
-$as_echo "4.3BSD" >&6; }
+	{ echo "$as_me:$LINENO: result: 4.3BSD" >&5
+echo "${ECHO_T}4.3BSD" >&6; }
 	ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD43MSGHDR 1"
 fi
 
@@ -27334,8 +26600,8 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 #
 # Look for in_port_t.
 #
-{ $as_echo "$as_me:$LINENO: checking for type in_port_t" >&5
-$as_echo_n "checking for type in_port_t... " >&6; }
+{ echo "$as_me:$LINENO: checking for type in_port_t" >&5
+echo $ECHO_N "checking for type in_port_t... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -27359,27 +26625,26 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	ISC_PLATFORM_NEEDPORTT="#undef ISC_PLATFORM_NEEDPORTT"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	ISC_PLATFORM_NEEDPORTT="#define ISC_PLATFORM_NEEDPORTT 1"
 fi
 
@@ -27389,8 +26654,8 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 #
 # Check for addrinfo
 #
-{ $as_echo "$as_me:$LINENO: checking for struct addrinfo" >&5
-$as_echo_n "checking for struct addrinfo... " >&6; }
+{ echo "$as_me:$LINENO: checking for struct addrinfo" >&5
+echo $ECHO_N "checking for struct addrinfo... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -27413,31 +26678,30 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	ISC_LWRES_NEEDADDRINFO="#undef ISC_LWRES_NEEDADDRINFO"
 	cat >>confdefs.h <<\_ACEOF
 #define HAVE_ADDRINFO 1
 _ACEOF
 
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	ISC_LWRES_NEEDADDRINFO="#define ISC_LWRES_NEEDADDRINFO 1"
 fi
 
@@ -27447,8 +26711,8 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 #
 # Check for rrsetinfo
 #
-{ $as_echo "$as_me:$LINENO: checking for struct rrsetinfo" >&5
-$as_echo_n "checking for struct rrsetinfo... " >&6; }
+{ echo "$as_me:$LINENO: checking for struct rrsetinfo" >&5
+echo $ECHO_N "checking for struct rrsetinfo... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -27471,35 +26735,34 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	ISC_LWRES_NEEDRRSETINFO="#undef ISC_LWRES_NEEDRRSETINFO"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	ISC_LWRES_NEEDRRSETINFO="#define ISC_LWRES_NEEDRRSETINFO 1"
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 
-{ $as_echo "$as_me:$LINENO: checking for int sethostent" >&5
-$as_echo_n "checking for int sethostent... " >&6; }
+{ echo "$as_me:$LINENO: checking for int sethostent" >&5
+echo $ECHO_N "checking for int sethostent... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -27522,35 +26785,34 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	ISC_LWRES_SETHOSTENTINT="#define ISC_LWRES_SETHOSTENTINT 1"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	ISC_LWRES_SETHOSTENTINT="#undef ISC_LWRES_SETHOSTENTINT"
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 
-{ $as_echo "$as_me:$LINENO: checking for int endhostent" >&5
-$as_echo_n "checking for int endhostent... " >&6; }
+{ echo "$as_me:$LINENO: checking for int endhostent" >&5
+echo $ECHO_N "checking for int endhostent... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -27573,35 +26835,34 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	ISC_LWRES_ENDHOSTENTINT="#define ISC_LWRES_ENDHOSTENTINT 1"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	ISC_LWRES_ENDHOSTENTINT="#undef ISC_LWRES_ENDHOSTENTINT"
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 
-{ $as_echo "$as_me:$LINENO: checking for getnetbyaddr(in_addr_t, ...)" >&5
-$as_echo_n "checking for getnetbyaddr(in_addr_t, ...)... " >&6; }
+{ echo "$as_me:$LINENO: checking for getnetbyaddr(in_addr_t, ...)" >&5
+echo $ECHO_N "checking for getnetbyaddr(in_addr_t, ...)... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -27625,35 +26886,34 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	ISC_LWRES_GETNETBYADDRINADDR="#define ISC_LWRES_GETNETBYADDRINADDR 1"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	ISC_LWRES_GETNETBYADDRINADDR="#undef ISC_LWRES_GETNETBYADDRINADDR"
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 
-{ $as_echo "$as_me:$LINENO: checking for int setnetent" >&5
-$as_echo_n "checking for int setnetent... " >&6; }
+{ echo "$as_me:$LINENO: checking for int setnetent" >&5
+echo $ECHO_N "checking for int setnetent... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -27676,35 +26936,34 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	ISC_LWRES_SETNETENTINT="#define ISC_LWRES_SETNETENTINT 1"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	ISC_LWRES_SETNETENTINT="#undef ISC_LWRES_SETNETENTINT"
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 
-{ $as_echo "$as_me:$LINENO: checking for int endnetent" >&5
-$as_echo_n "checking for int endnetent... " >&6; }
+{ echo "$as_me:$LINENO: checking for int endnetent" >&5
+echo $ECHO_N "checking for int endnetent... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -27727,35 +26986,34 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	ISC_LWRES_ENDNETENTINT="#define ISC_LWRES_ENDNETENTINT 1"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	ISC_LWRES_ENDNETENTINT="#undef ISC_LWRES_ENDNETENTINT"
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 
-{ $as_echo "$as_me:$LINENO: checking for gethostbyaddr(const void *, size_t, ...)" >&5
-$as_echo_n "checking for gethostbyaddr(const void *, size_t, ...)... " >&6; }
+{ echo "$as_me:$LINENO: checking for gethostbyaddr(const void *, size_t, ...)" >&5
+echo $ECHO_N "checking for gethostbyaddr(const void *, size_t, ...)... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -27779,35 +27037,34 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	ISC_LWRES_GETHOSTBYADDRVOID="#define ISC_LWRES_GETHOSTBYADDRVOID 1"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	ISC_LWRES_GETHOSTBYADDRVOID="#undef ISC_LWRES_GETHOSTBYADDRVOID"
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 
-{ $as_echo "$as_me:$LINENO: checking for h_errno in netdb.h" >&5
-$as_echo_n "checking for h_errno in netdb.h... " >&6; }
+{ echo "$as_me:$LINENO: checking for h_errno in netdb.h" >&5
+echo $ECHO_N "checking for h_errno in netdb.h... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -27830,37 +27087,36 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	ISC_LWRES_NEEDHERRNO="#undef ISC_LWRES_NEEDHERRNO"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	ISC_LWRES_NEEDHERRNO="#define ISC_LWRES_NEEDHERRNO 1"
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 
-{ $as_echo "$as_me:$LINENO: checking for getipnodebyname" >&5
-$as_echo_n "checking for getipnodebyname... " >&6; }
+{ echo "$as_me:$LINENO: checking for getipnodebyname" >&5
+echo $ECHO_N "checking for getipnodebyname... $ECHO_C" >&6; }
 if test "${ac_cv_func_getipnodebyname+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -27913,45 +27169,41 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_getipnodebyname=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_getipnodebyname=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_getipnodebyname" >&5
-$as_echo "$ac_cv_func_getipnodebyname" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getipnodebyname" >&5
+echo "${ECHO_T}$ac_cv_func_getipnodebyname" >&6; }
 if test $ac_cv_func_getipnodebyname = yes; then
   ISC_LWRES_GETIPNODEPROTO="#undef ISC_LWRES_GETIPNODEPROTO"
 else
   ISC_LWRES_GETIPNODEPROTO="#define ISC_LWRES_GETIPNODEPROTO 1"
 fi
 
-{ $as_echo "$as_me:$LINENO: checking for getnameinfo" >&5
-$as_echo_n "checking for getnameinfo... " >&6; }
+{ echo "$as_me:$LINENO: checking for getnameinfo" >&5
+echo $ECHO_N "checking for getnameinfo... $ECHO_C" >&6; }
 if test "${ac_cv_func_getnameinfo+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -28004,45 +27256,41 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_getnameinfo=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_getnameinfo=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_getnameinfo" >&5
-$as_echo "$ac_cv_func_getnameinfo" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getnameinfo" >&5
+echo "${ECHO_T}$ac_cv_func_getnameinfo" >&6; }
 if test $ac_cv_func_getnameinfo = yes; then
   ISC_LWRES_GETNAMEINFOPROTO="#undef ISC_LWRES_GETNAMEINFOPROTO"
 else
   ISC_LWRES_GETNAMEINFOPROTO="#define ISC_LWRES_GETNAMEINFOPROTO 1"
 fi
 
-{ $as_echo "$as_me:$LINENO: checking for getaddrinfo" >&5
-$as_echo_n "checking for getaddrinfo... " >&6; }
+{ echo "$as_me:$LINENO: checking for getaddrinfo" >&5
+echo $ECHO_N "checking for getaddrinfo... $ECHO_C" >&6; }
 if test "${ac_cv_func_getaddrinfo+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -28095,35 +27343,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_getaddrinfo=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_getaddrinfo=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_getaddrinfo" >&5
-$as_echo "$ac_cv_func_getaddrinfo" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getaddrinfo" >&5
+echo "${ECHO_T}$ac_cv_func_getaddrinfo" >&6; }
 if test $ac_cv_func_getaddrinfo = yes; then
   ISC_LWRES_GETADDRINFOPROTO="#undef ISC_LWRES_GETADDRINFOPROTO"
 	cat >>confdefs.h <<\_ACEOF
@@ -28134,10 +27378,10 @@ else
   ISC_LWRES_GETADDRINFOPROTO="#define ISC_LWRES_GETADDRINFOPROTO 1"
 fi
 
-{ $as_echo "$as_me:$LINENO: checking for gai_strerror" >&5
-$as_echo_n "checking for gai_strerror... " >&6; }
+{ echo "$as_me:$LINENO: checking for gai_strerror" >&5
+echo $ECHO_N "checking for gai_strerror... $ECHO_C" >&6; }
 if test "${ac_cv_func_gai_strerror+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -28190,35 +27434,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_gai_strerror=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_gai_strerror=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_gai_strerror" >&5
-$as_echo "$ac_cv_func_gai_strerror" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_gai_strerror" >&5
+echo "${ECHO_T}$ac_cv_func_gai_strerror" >&6; }
 if test $ac_cv_func_gai_strerror = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define HAVE_GAISTRERROR 1
@@ -28245,12 +27485,12 @@ fi
 #
 case $want_getifaddrs in
 glibc)
-{ $as_echo "$as_me:$LINENO: WARNING: \"--enable-getifaddrs=glibc is no longer required\"" >&5
-$as_echo "$as_me: WARNING: \"--enable-getifaddrs=glibc is no longer required\"" >&2;}
-{ $as_echo "$as_me:$LINENO: checking for getifaddrs" >&5
-$as_echo_n "checking for getifaddrs... " >&6; }
+{ echo "$as_me:$LINENO: WARNING: \"--enable-getifaddrs=glibc is no longer required\"" >&5
+echo "$as_me: WARNING: \"--enable-getifaddrs=glibc is no longer required\"" >&2;}
+{ echo "$as_me:$LINENO: checking for getifaddrs" >&5
+echo $ECHO_N "checking for getifaddrs... $ECHO_C" >&6; }
 if test "${ac_cv_func_getifaddrs+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -28303,35 +27543,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_getifaddrs=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_getifaddrs=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_getifaddrs" >&5
-$as_echo "$ac_cv_func_getifaddrs" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getifaddrs" >&5
+echo "${ECHO_T}$ac_cv_func_getifaddrs" >&6; }
 if test $ac_cv_func_getifaddrs = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define HAVE_GETIFADDRS 1
@@ -28341,10 +27577,10 @@ fi
 
 ;;
 yes)
-{ $as_echo "$as_me:$LINENO: checking for getifaddrs" >&5
-$as_echo_n "checking for getifaddrs... " >&6; }
+{ echo "$as_me:$LINENO: checking for getifaddrs" >&5
+echo $ECHO_N "checking for getifaddrs... $ECHO_C" >&6; }
 if test "${ac_cv_func_getifaddrs+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -28397,35 +27633,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_getifaddrs=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_getifaddrs=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_getifaddrs" >&5
-$as_echo "$ac_cv_func_getifaddrs" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_getifaddrs" >&5
+echo "${ECHO_T}$ac_cv_func_getifaddrs" >&6; }
 if test $ac_cv_func_getifaddrs = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define HAVE_GETIFADDRS 1
@@ -28443,8 +27675,8 @@ esac
 #
 case $ac_cv_header_sys_sysctl_h in
 yes)
-{ $as_echo "$as_me:$LINENO: checking for interface list sysctl" >&5
-$as_echo_n "checking for interface list sysctl... " >&6; }
+{ echo "$as_me:$LINENO: checking for interface list sysctl" >&5
+echo $ECHO_N "checking for interface list sysctl... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -28462,15 +27694,15 @@ found_rt_iflist
 _ACEOF
 if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
   $EGREP "found_rt_iflist" >/dev/null 2>&1; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	 cat >>confdefs.h <<\_ACEOF
 #define HAVE_IFLIST_SYSCTL 1
 _ACEOF
 
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 rm -f conftest*
 
@@ -28487,8 +27719,8 @@ esac
 # -D_LINUX_SOURCE_COMPAT is not defined [RT #2190], and
 # AC_CHECK_FUNC() incorrectly succeeds because it declares
 # the function itself.
-{ $as_echo "$as_me:$LINENO: checking for correctly declared strsep()" >&5
-$as_echo_n "checking for correctly declared strsep()... " >&6; }
+{ echo "$as_me:$LINENO: checking for correctly declared strsep()" >&5
+echo $ECHO_N "checking for correctly declared strsep()... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -28510,40 +27742,36 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }; ISC_PLATFORM_NEEDSTRSEP="#undef ISC_PLATFORM_NEEDSTRSEP"
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }; ISC_PLATFORM_NEEDSTRSEP="#undef ISC_PLATFORM_NEEDSTRSEP"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }; ISC_PLATFORM_NEEDSTRSEP="#define ISC_PLATFORM_NEEDSTRSEP 1"
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }; ISC_PLATFORM_NEEDSTRSEP="#define ISC_PLATFORM_NEEDSTRSEP 1"
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 
 
-{ $as_echo "$as_me:$LINENO: checking for memmove" >&5
-$as_echo_n "checking for memmove... " >&6; }
+{ echo "$as_me:$LINENO: checking for memmove" >&5
+echo $ECHO_N "checking for memmove... $ECHO_C" >&6; }
 if test "${ac_cv_func_memmove+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -28596,35 +27824,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_memmove=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_memmove=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_memmove" >&5
-$as_echo "$ac_cv_func_memmove" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_memmove" >&5
+echo "${ECHO_T}$ac_cv_func_memmove" >&6; }
 if test $ac_cv_func_memmove = yes; then
   ISC_PLATFORM_NEEDMEMMOVE="#undef ISC_PLATFORM_NEEDMEMMOVE"
 else
@@ -28633,10 +27857,10 @@ fi
 
 
 
-{ $as_echo "$as_me:$LINENO: checking for strtoul" >&5
-$as_echo_n "checking for strtoul... " >&6; }
+{ echo "$as_me:$LINENO: checking for strtoul" >&5
+echo $ECHO_N "checking for strtoul... $ECHO_C" >&6; }
 if test "${ac_cv_func_strtoul+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -28689,35 +27913,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_strtoul=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_strtoul=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_strtoul" >&5
-$as_echo "$ac_cv_func_strtoul" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strtoul" >&5
+echo "${ECHO_T}$ac_cv_func_strtoul" >&6; }
 if test $ac_cv_func_strtoul = yes; then
   ISC_PLATFORM_NEEDSTRTOUL="#undef ISC_PLATFORM_NEEDSTRTOUL"
 	 LWRES_PLATFORM_NEEDSTRTOUL="#undef LWRES_PLATFORM_NEEDSTRTOUL"
@@ -28732,10 +27952,10 @@ fi
 
 
 
-{ $as_echo "$as_me:$LINENO: checking for strlcpy" >&5
-$as_echo_n "checking for strlcpy... " >&6; }
+{ echo "$as_me:$LINENO: checking for strlcpy" >&5
+echo $ECHO_N "checking for strlcpy... $ECHO_C" >&6; }
 if test "${ac_cv_func_strlcpy+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -28788,35 +28008,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_strlcpy=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_strlcpy=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_strlcpy" >&5
-$as_echo "$ac_cv_func_strlcpy" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strlcpy" >&5
+echo "${ECHO_T}$ac_cv_func_strlcpy" >&6; }
 if test $ac_cv_func_strlcpy = yes; then
   ISC_PLATFORM_NEEDSTRLCPY="#undef ISC_PLATFORM_NEEDSTRLCPY"
 else
@@ -28825,10 +28041,10 @@ fi
 
 
 
-{ $as_echo "$as_me:$LINENO: checking for strlcat" >&5
-$as_echo_n "checking for strlcat... " >&6; }
+{ echo "$as_me:$LINENO: checking for strlcat" >&5
+echo $ECHO_N "checking for strlcat... $ECHO_C" >&6; }
 if test "${ac_cv_func_strlcat+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -28881,35 +28097,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_strlcat=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_strlcat=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_strlcat" >&5
-$as_echo "$ac_cv_func_strlcat" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strlcat" >&5
+echo "${ECHO_T}$ac_cv_func_strlcat" >&6; }
 if test $ac_cv_func_strlcat = yes; then
   ISC_PLATFORM_NEEDSTRLCAT="#undef ISC_PLATFORM_NEEDSTRLCAT"
 else
@@ -28920,8 +28132,8 @@ fi
 
 ISC_PRINT_OBJS=
 ISC_PRINT_SRCS=
-{ $as_echo "$as_me:$LINENO: checking sprintf" >&5
-$as_echo_n "checking sprintf... " >&6; }
+{ echo "$as_me:$LINENO: checking sprintf" >&5
+echo $ECHO_N "checking sprintf... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -28945,14 +28157,13 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
@@ -28964,7 +28175,7 @@ ISC_PLATFORM_NEEDSPRINTF="#define ISC_PLATFORM_NEEDSPRINTF"
 LWRES_PLATFORM_NEEDSPRINTF="#define LWRES_PLATFORM_NEEDSPRINTF"
 
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ISC_PLATFORM_NEEDSPRINTF="#undef ISC_PLATFORM_NEEDSPRINTF"
@@ -28976,10 +28187,10 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 
 
-{ $as_echo "$as_me:$LINENO: checking for vsnprintf" >&5
-$as_echo_n "checking for vsnprintf... " >&6; }
+{ echo "$as_me:$LINENO: checking for vsnprintf" >&5
+echo $ECHO_N "checking for vsnprintf... $ECHO_C" >&6; }
 if test "${ac_cv_func_vsnprintf+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -29032,35 +28243,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_vsnprintf=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_vsnprintf=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_vsnprintf" >&5
-$as_echo "$ac_cv_func_vsnprintf" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_vsnprintf" >&5
+echo "${ECHO_T}$ac_cv_func_vsnprintf" >&6; }
 if test $ac_cv_func_vsnprintf = yes; then
   ISC_PLATFORM_NEEDVSNPRINTF="#undef ISC_PLATFORM_NEEDVSNPRINTF"
 	 LWRES_PLATFORM_NEEDVSNPRINTF="#undef LWRES_PLATFORM_NEEDVSNPRINTF"
@@ -29076,10 +28283,10 @@ fi
 ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS $ISC_PRINT_OBJS"
 ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS $ISC_PRINT_SRCS"
 
-{ $as_echo "$as_me:$LINENO: checking for strerror" >&5
-$as_echo_n "checking for strerror... " >&6; }
+{ echo "$as_me:$LINENO: checking for strerror" >&5
+echo $ECHO_N "checking for strerror... $ECHO_C" >&6; }
 if test "${ac_cv_func_strerror+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -29132,35 +28339,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_strerror=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_strerror=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_strerror" >&5
-$as_echo "$ac_cv_func_strerror" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_strerror" >&5
+echo "${ECHO_T}$ac_cv_func_strerror" >&6; }
 if test $ac_cv_func_strerror = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define HAVE_STRERROR 1
@@ -29188,12 +28391,12 @@ then
 			USE_ISC_SPNEGO='-DUSE_ISC_SPNEGO'
 			DST_EXTRA_OBJS="$DST_EXTRA_OBJS spnego.$O"
 			DST_EXTRA_SRCS="$DST_EXTRA_SRCS spnego.c"
-			{ $as_echo "$as_me:$LINENO: result: using SPNEGO from lib/dns" >&5
-$as_echo "using SPNEGO from lib/dns" >&6; }
+			{ echo "$as_me:$LINENO: result: using SPNEGO from lib/dns" >&5
+echo "${ECHO_T}using SPNEGO from lib/dns" >&6; }
 			;;
 		no)
-			{ $as_echo "$as_me:$LINENO: result: using SPNEGO from GSSAPI library" >&5
-$as_echo "using SPNEGO from GSSAPI library" >&6; }
+			{ echo "$as_me:$LINENO: result: using SPNEGO from GSSAPI library" >&5
+echo "${ECHO_T}using SPNEGO from GSSAPI library" >&6; }
 			;;
 	esac
 fi
@@ -29216,11 +28419,11 @@ fi
 # Win32 uses "%I64d", but that's defined elsewhere since we don't use
 # configure on Win32.
 #
-{ $as_echo "$as_me:$LINENO: checking printf format modifier for 64-bit integers" >&5
-$as_echo_n "checking printf format modifier for 64-bit integers... " >&6; }
+{ echo "$as_me:$LINENO: checking printf format modifier for 64-bit integers" >&5
+echo $ECHO_N "checking printf format modifier for 64-bit integers... $ECHO_C" >&6; }
 if test "$cross_compiling" = yes; then
-  { $as_echo "$as_me:$LINENO: result: assuming target platform uses ll" >&5
-$as_echo "assuming target platform uses ll" >&6; }
+  { echo "$as_me:$LINENO: result: assuming target platform uses ll" >&5
+echo "${ECHO_T}assuming target platform uses ll" >&6; }
 	ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'
 	LWRES_PLATFORM_QUADFORMAT='#define LWRES_PLATFORM_QUADFORMAT "ll"'
 else
@@ -29248,38 +28451,35 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
   { (case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_try") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
-  { $as_echo "$as_me:$LINENO: result: ll" >&5
-$as_echo "ll" >&6; }
+  { echo "$as_me:$LINENO: result: ll" >&5
+echo "${ECHO_T}ll" >&6; }
 	ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'
 	LWRES_PLATFORM_QUADFORMAT='#define LWRES_PLATFORM_QUADFORMAT "ll"'
 else
-  $as_echo "$as_me: program exited with status $ac_status" >&5
-$as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 ( exit $ac_status )
-{ $as_echo "$as_me:$LINENO: result: l" >&5
-$as_echo "l" >&6; }
+{ echo "$as_me:$LINENO: result: l" >&5
+echo "${ECHO_T}l" >&6; }
 	ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "l"'
 	LWRES_PLATFORM_QUADFORMAT='#define LWRES_PLATFORM_QUADFORMAT "l"'
 fi
-rm -rf conftest.dSYM
 rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
@@ -29302,11 +28502,11 @@ case "$enable_chroot" in
 
 for ac_func in chroot
 do
-as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
-{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
-$as_echo_n "checking for $ac_func... " >&6; }
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
 if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -29359,41 +28559,35 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	eval "$as_ac_var=no"
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-ac_res=`eval 'as_val=${'$as_ac_var'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
-if test `eval 'as_val=${'$as_ac_var'}
-		 $as_echo "$as_val"'` = yes; then
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
 _ACEOF
 
 fi
@@ -29414,21 +28608,20 @@ case "$enable_linux_caps" in
 
 for ac_header in linux/capability.h sys/capability.h
 do
-as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5
-$as_echo_n "checking $ac_header usability... " >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -29444,33 +28637,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_header_compiler=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-$as_echo "$ac_header_compiler" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5
-$as_echo_n "checking $ac_header presence... " >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -29484,72 +28676,69 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   ac_header_preproc=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
 
 rm -f conftest.err conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-$as_echo "$ac_header_preproc" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-$as_echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-$as_echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
 
     ;;
 esac
-{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
-if test `eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'` = yes; then
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
 
 fi
@@ -29557,10 +28746,10 @@ fi
 done
 
 
-{ $as_echo "$as_me:$LINENO: checking for cap_set_proc in -lcap" >&5
-$as_echo_n "checking for cap_set_proc in -lcap... " >&6; }
+{ echo "$as_me:$LINENO: checking for cap_set_proc in -lcap" >&5
+echo $ECHO_N "checking for cap_set_proc in -lcap... $ECHO_C" >&6; }
 if test "${ac_cv_lib_cap_cap_set_proc+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lcap  $LIBS"
@@ -29592,36 +28781,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_cap_cap_set_proc=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_cap_cap_set_proc=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_cap_cap_set_proc" >&5
-$as_echo "$ac_cv_lib_cap_cap_set_proc" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_cap_cap_set_proc" >&5
+echo "${ECHO_T}$ac_cv_lib_cap_cap_set_proc" >&6; }
 if test $ac_cv_lib_cap_cap_set_proc = yes; then
   cat >>confdefs.h <<_ACEOF
 #define HAVE_LIBCAP 1
@@ -29638,21 +28823,20 @@ esac
 
 for ac_header in sys/prctl.h
 do
-as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5
-$as_echo_n "checking $ac_header usability... " >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -29668,33 +28852,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_header_compiler=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-$as_echo "$ac_header_compiler" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5
-$as_echo_n "checking $ac_header presence... " >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -29708,72 +28891,69 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   ac_header_preproc=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
 
 rm -f conftest.err conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-$as_echo "$ac_header_preproc" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-$as_echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-$as_echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
 
     ;;
 esac
-{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
-if test `eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'` = yes; then
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
 
 fi
@@ -29784,21 +28964,20 @@ done
 
 for ac_header in sys/un.h
 do
-as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5
-$as_echo_n "checking $ac_header usability... " >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -29814,33 +28993,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_header_compiler=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-$as_echo "$ac_header_compiler" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5
-$as_echo_n "checking $ac_header presence... " >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -29854,72 +29032,69 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   ac_header_preproc=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
 
 rm -f conftest.err conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-$as_echo "$ac_header_preproc" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-$as_echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-$as_echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
 
     ;;
 esac
-{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
-if test `eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'` = yes; then
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
  ISC_PLATFORM_HAVESYSUNH="#define ISC_PLATFORM_HAVESYSUNH 1"
 
@@ -29952,10 +29127,10 @@ esac
 #
 # Time Zone Stuff
 #
-{ $as_echo "$as_me:$LINENO: checking for tzset" >&5
-$as_echo_n "checking for tzset... " >&6; }
+{ echo "$as_me:$LINENO: checking for tzset" >&5
+echo $ECHO_N "checking for tzset... $ECHO_C" >&6; }
 if test "${ac_cv_func_tzset+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -30008,35 +29183,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_tzset=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_tzset=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_tzset" >&5
-$as_echo "$ac_cv_func_tzset" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_tzset" >&5
+echo "${ECHO_T}$ac_cv_func_tzset" >&6; }
 if test $ac_cv_func_tzset = yes; then
   cat >>confdefs.h <<\_ACEOF
 #define HAVE_TZSET 1
@@ -30045,8 +29216,8 @@ _ACEOF
 fi
 
 
-{ $as_echo "$as_me:$LINENO: checking for optarg declaration" >&5
-$as_echo_n "checking for optarg declaration... " >&6; }
+{ echo "$as_me:$LINENO: checking for optarg declaration" >&5
+echo $ECHO_N "checking for optarg declaration... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -30070,26 +29241,25 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 GEN_NEED_OPTARG="-DNEED_OPTARG=1"
 
 cat >>confdefs.h <<\_ACEOF
@@ -30103,8 +29273,8 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 #
 # BSD/OS, and perhaps some others, don't define rlim_t.
 #
-{ $as_echo "$as_me:$LINENO: checking for type rlim_t" >&5
-$as_echo_n "checking for type rlim_t... " >&6; }
+{ echo "$as_me:$LINENO: checking for type rlim_t" >&5
+echo $ECHO_N "checking for type rlim_t... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -30129,35 +29299,34 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
-  { $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
  ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE rlim_t"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 
-{ $as_echo "$as_me:$LINENO: checking type of rlim_cur" >&5
-$as_echo_n "checking type of rlim_cur... " >&6; }
+{ echo "$as_me:$LINENO: checking type of rlim_cur" >&5
+echo $ECHO_N "checking type of rlim_cur... $ECHO_C" >&6; }
 if test "$cross_compiling" = yes; then
 
 ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE long long int"
-{ $as_echo "$as_me:$LINENO: result: cannot determine type of rlim_cur when cross compiling - assuming long long int" >&5
-$as_echo "cannot determine type of rlim_cur when cross compiling - assuming long long int" >&6; }
+{ echo "$as_me:$LINENO: result: cannot determine type of rlim_cur when cross compiling - assuming long long int" >&5
+echo "${ECHO_T}cannot determine type of rlim_cur when cross compiling - assuming long long int" >&6; }
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -30177,35 +29346,33 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
   { (case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_try") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
-  { $as_echo "$as_me:$LINENO: result: int" >&5
-$as_echo "int" >&6; }
+  { echo "$as_me:$LINENO: result: int" >&5
+echo "${ECHO_T}int" >&6; }
 ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE int"
 else
-  $as_echo "$as_me: program exited with status $ac_status" >&5
-$as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 ( exit $ac_status )
 
 if test "$cross_compiling" = yes; then
-  { { $as_echo "$as_me:$LINENO: error: this cannot happen" >&5
-$as_echo "$as_me: error: this cannot happen" >&2;}
+  { { echo "$as_me:$LINENO: error: this cannot happen" >&5
+echo "$as_me: error: this cannot happen" >&2;}
    { (exit 1); exit 1; }; }
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -30226,35 +29393,33 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
   { (case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_try") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
-  { $as_echo "$as_me:$LINENO: result: long int" >&5
-$as_echo "long int" >&6; }
+  { echo "$as_me:$LINENO: result: long int" >&5
+echo "${ECHO_T}long int" >&6; }
 ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE long int"
 else
-  $as_echo "$as_me: program exited with status $ac_status" >&5
-$as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 ( exit $ac_status )
 
 if test "$cross_compiling" = yes; then
-  { { $as_echo "$as_me:$LINENO: error: this cannot happen" >&5
-$as_echo "$as_me: error: this cannot happen" >&2;}
+  { { echo "$as_me:$LINENO: error: this cannot happen" >&5
+echo "$as_me: error: this cannot happen" >&2;}
    { (exit 1); exit 1; }; }
 else
   cat >conftest.$ac_ext <<_ACEOF
@@ -30275,51 +29440,46 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
   { (case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_try") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
-  { $as_echo "$as_me:$LINENO: result: long long int" >&5
-$as_echo "long long int" >&6; }
+  { echo "$as_me:$LINENO: result: long long int" >&5
+echo "${ECHO_T}long long int" >&6; }
 ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE long long int"
 else
-  $as_echo "$as_me: program exited with status $ac_status" >&5
-$as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 ( exit $ac_status )
-{ { $as_echo "$as_me:$LINENO: error: unable to determine sizeof rlim_cur" >&5
-$as_echo "$as_me: error: unable to determine sizeof rlim_cur" >&2;}
+{ { echo "$as_me:$LINENO: error: unable to determine sizeof rlim_cur" >&5
+echo "$as_me: error: unable to determine sizeof rlim_cur" >&2;}
    { (exit 1); exit 1; }; }
 
 fi
-rm -rf conftest.dSYM
 rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
 
 
 fi
-rm -rf conftest.dSYM
 rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
 
 
 fi
-rm -rf conftest.dSYM
 rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
@@ -30338,21 +29498,20 @@ case "$host" in
 
 for ac_header in sys/dyntune.h
 do
-as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5
-$as_echo_n "checking $ac_header usability... " >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -30368,33 +29527,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_header_compiler=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-$as_echo "$ac_header_compiler" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5
-$as_echo_n "checking $ac_header presence... " >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -30408,72 +29566,69 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   ac_header_preproc=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
 
 rm -f conftest.err conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-$as_echo "$ac_header_preproc" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-$as_echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-$as_echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
 
     ;;
 esac
-{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
-if test `eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'` = yes; then
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
 
 fi
@@ -30491,10 +29646,10 @@ esac
 #
 case "$host" in
 	*-dec-osf*)
-		{ $as_echo "$as_me:$LINENO: checking for clua_getaliasaddress in -lclua" >&5
-$as_echo_n "checking for clua_getaliasaddress in -lclua... " >&6; }
+		{ echo "$as_me:$LINENO: checking for clua_getaliasaddress in -lclua" >&5
+echo $ECHO_N "checking for clua_getaliasaddress in -lclua... $ECHO_C" >&6; }
 if test "${ac_cv_lib_clua_clua_getaliasaddress+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lclua  $LIBS"
@@ -30526,44 +29681,40 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_clua_clua_getaliasaddress=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_clua_clua_getaliasaddress=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_clua_clua_getaliasaddress" >&5
-$as_echo "$ac_cv_lib_clua_clua_getaliasaddress" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_clua_clua_getaliasaddress" >&5
+echo "${ECHO_T}$ac_cv_lib_clua_clua_getaliasaddress" >&6; }
 if test $ac_cv_lib_clua_clua_getaliasaddress = yes; then
   LIBS="-lclua $LIBS"
 fi
 
-		{ $as_echo "$as_me:$LINENO: checking for clua_getaliasaddress" >&5
-$as_echo_n "checking for clua_getaliasaddress... " >&6; }
+		{ echo "$as_me:$LINENO: checking for clua_getaliasaddress" >&5
+echo $ECHO_N "checking for clua_getaliasaddress... $ECHO_C" >&6; }
 if test "${ac_cv_func_clua_getaliasaddress+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -30616,35 +29767,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_clua_getaliasaddress=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_clua_getaliasaddress=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_clua_getaliasaddress" >&5
-$as_echo "$ac_cv_func_clua_getaliasaddress" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_clua_getaliasaddress" >&5
+echo "${ECHO_T}$ac_cv_func_clua_getaliasaddress" >&6; }
 if test $ac_cv_func_clua_getaliasaddress = yes; then
 
 cat >>confdefs.h <<\_ACEOF
@@ -30727,21 +29874,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   hack_shutup_pthreadonceinit=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
@@ -30799,21 +29945,20 @@ esac
 
 for ac_header in strings.h
 do
-as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5
-$as_echo_n "checking $ac_header usability... " >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -30829,33 +29974,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_header_compiler=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-$as_echo "$ac_header_compiler" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5
-$as_echo_n "checking $ac_header presence... " >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -30869,72 +30013,69 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   ac_header_preproc=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
 
 rm -f conftest.err conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-$as_echo "$ac_header_preproc" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-$as_echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-$as_echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
 
     ;;
 esac
-{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
-if test `eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'` = yes; then
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
  ISC_PLATFORM_HAVESTRINGSH="#define ISC_PLATFORM_HAVESTRINGSH 1"
 
@@ -30950,10 +30091,10 @@ done
 #
 # Check for if_nametoindex() for IPv6 scoped addresses support
 #
-{ $as_echo "$as_me:$LINENO: checking for if_nametoindex" >&5
-$as_echo_n "checking for if_nametoindex... " >&6; }
+{ echo "$as_me:$LINENO: checking for if_nametoindex" >&5
+echo $ECHO_N "checking for if_nametoindex... $ECHO_C" >&6; }
 if test "${ac_cv_func_if_nametoindex+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -31006,35 +30147,31 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_func_if_nametoindex=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_func_if_nametoindex=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_if_nametoindex" >&5
-$as_echo "$ac_cv_func_if_nametoindex" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_func_if_nametoindex" >&5
+echo "${ECHO_T}$ac_cv_func_if_nametoindex" >&6; }
 if test $ac_cv_func_if_nametoindex = yes; then
   ac_cv_have_if_nametoindex=yes
 else
@@ -31045,10 +30182,10 @@ case $ac_cv_have_if_nametoindex in
 no)
 	case "$host" in
 	*-hp-hpux*)
-		{ $as_echo "$as_me:$LINENO: checking for if_nametoindex in -lipv6" >&5
-$as_echo_n "checking for if_nametoindex in -lipv6... " >&6; }
+		{ echo "$as_me:$LINENO: checking for if_nametoindex in -lipv6" >&5
+echo $ECHO_N "checking for if_nametoindex in -lipv6... $ECHO_C" >&6; }
 if test "${ac_cv_lib_ipv6_if_nametoindex+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   ac_check_lib_save_LIBS=$LIBS
 LIBS="-lipv6  $LIBS"
@@ -31080,36 +30217,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   ac_cv_lib_ipv6_if_nametoindex=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_cv_lib_ipv6_if_nametoindex=no
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_ipv6_if_nametoindex" >&5
-$as_echo "$ac_cv_lib_ipv6_if_nametoindex" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_ipv6_if_nametoindex" >&5
+echo "${ECHO_T}$ac_cv_lib_ipv6_if_nametoindex" >&6; }
 if test $ac_cv_lib_ipv6_if_nametoindex = yes; then
   ac_cv_have_if_nametoindex=yes
 				LIBS="-lipv6 $LIBS"
@@ -31131,11 +30264,11 @@ esac
 
 for ac_func in nanosleep
 do
-as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
-{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
-$as_echo_n "checking for $ac_func... " >&6; }
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
 if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -31188,41 +30321,35 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	eval "$as_ac_var=no"
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-ac_res=`eval 'as_val=${'$as_ac_var'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
-if test `eval 'as_val=${'$as_ac_var'}
-		 $as_echo "$as_val"'` = yes; then
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
 _ACEOF
 
 fi
@@ -31251,8 +30378,8 @@ esac
 
 ISC_PLATFORM_USEOSFASM="#undef ISC_PLATFORM_USEOSFASM"
 if test "$use_atomic" = "yes"; then
-	{ $as_echo "$as_me:$LINENO: checking architecture type for atomic operations" >&5
-$as_echo_n "checking architecture type for atomic operations... " >&6; }
+	{ echo "$as_me:$LINENO: checking architecture type for atomic operations" >&5
+echo $ECHO_N "checking architecture type for atomic operations... $ECHO_C" >&6; }
 	have_atomic=yes		# set default
 	case "$host" in
 	i[3456]86-*)
@@ -31279,33 +30406,30 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
   { (case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_try") 2>&5
   ac_status=$?
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); }; }; then
   arch=x86_64
 		have_xaddq=yes
 else
-  $as_echo "$as_me: program exited with status $ac_status" >&5
-$as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 ( exit $ac_status )
 arch=x86_32
 fi
-rm -rf conftest.dSYM
 rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
 fi
 
@@ -31332,13 +30456,13 @@ fi
 		arch=noatomic
 	;;
 	esac
-	{ $as_echo "$as_me:$LINENO: result: $arch" >&5
-$as_echo "$arch" >&6; }
+	{ echo "$as_me:$LINENO: result: $arch" >&5
+echo "${ECHO_T}$arch" >&6; }
 fi
 
 if test "$have_atomic" = "yes"; then
-	{ $as_echo "$as_me:$LINENO: checking compiler support for inline assembly code" >&5
-$as_echo_n "checking compiler support for inline assembly code... " >&6; }
+	{ echo "$as_me:$LINENO: checking compiler support for inline assembly code" >&5
+echo $ECHO_N "checking compiler support for inline assembly code... $ECHO_C" >&6; }
 
 	compiler=generic
 	# Check whether the compiler supports the assembly syntax we provide.
@@ -31355,8 +30479,8 @@ $as_echo_n "checking compiler support for inline assembly code... " >&6; }
 			# zero. Under linux/ibm it is "0" for register 0.
 			# Probe to see if we have a MacOS style assembler.
 			#
-			{ $as_echo "$as_me:$LINENO: checking Checking for MacOS style assembler syntax" >&5
-$as_echo_n "checking Checking for MacOS style assembler syntax... " >&6; }
+			{ echo "$as_me:$LINENO: checking Checking for MacOS style assembler syntax" >&5
+echo $ECHO_N "checking Checking for MacOS style assembler syntax... $ECHO_C" >&6; }
 			cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -31380,30 +30504,29 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
 
-			{ $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+			{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 			compiler="mac"
 			ISC_PLATFORM_USEMACASM="#define ISC_PLATFORM_USEMACASM 1"
 
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
@@ -31438,21 +30561,20 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   compiler=osf
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 
@@ -31502,25 +30624,22 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   compiler="standard"
 		ISC_PLATFORM_USESTDASM="#define ISC_PLATFORM_USESTDASM 1"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	compiler="not supported (atomic operations disabled)"
@@ -31528,14 +30647,13 @@ sed 's/^/| /' conftest.$ac_ext >&5
 		arch=noatomic
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext;
 		;;
 	esac
 
-	{ $as_echo "$as_me:$LINENO: result: $compiler" >&5
-$as_echo "$compiler" >&6; }
+	{ echo "$as_me:$LINENO: result: $compiler" >&5
+echo "${ECHO_T}$compiler" >&6; }
 fi
 
 if test "$have_atomic" = "yes"; then
@@ -31649,10 +30767,10 @@ for ac_prog in latex
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_path_LATEX+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   case $LATEX in
   [\\/]* | ?:[\\/]*)
@@ -31667,7 +30785,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_path_LATEX="$as_dir/$ac_word$ac_exec_ext"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -31679,11 +30797,11 @@ esac
 fi
 LATEX=$ac_cv_path_LATEX
 if test -n "$LATEX"; then
-  { $as_echo "$as_me:$LINENO: result: $LATEX" >&5
-$as_echo "$LATEX" >&6; }
+  { echo "$as_me:$LINENO: result: $LATEX" >&5
+echo "${ECHO_T}$LATEX" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -31697,10 +30815,10 @@ for ac_prog in pdflatex
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_path_PDFLATEX+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   case $PDFLATEX in
   [\\/]* | ?:[\\/]*)
@@ -31715,7 +30833,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_path_PDFLATEX="$as_dir/$ac_word$ac_exec_ext"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -31727,11 +30845,11 @@ esac
 fi
 PDFLATEX=$ac_cv_path_PDFLATEX
 if test -n "$PDFLATEX"; then
-  { $as_echo "$as_me:$LINENO: result: $PDFLATEX" >&5
-$as_echo "$PDFLATEX" >&6; }
+  { echo "$as_me:$LINENO: result: $PDFLATEX" >&5
+echo "${ECHO_T}$PDFLATEX" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -31749,10 +30867,10 @@ for ac_prog in w3m
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_path_W3M+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   case $W3M in
   [\\/]* | ?:[\\/]*)
@@ -31767,7 +30885,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_path_W3M="$as_dir/$ac_word$ac_exec_ext"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -31779,11 +30897,11 @@ esac
 fi
 W3M=$ac_cv_path_W3M
 if test -n "$W3M"; then
-  { $as_echo "$as_me:$LINENO: result: $W3M" >&5
-$as_echo "$W3M" >&6; }
+  { echo "$as_me:$LINENO: result: $W3M" >&5
+echo "${ECHO_T}$W3M" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -31799,10 +30917,10 @@ test -n "$W3M" || W3M="w3m"
 
 # Extract the first word of "xsltproc", so it can be a program name with args.
 set dummy xsltproc; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_path_XSLTPROC+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   case $XSLTPROC in
   [\\/]* | ?:[\\/]*)
@@ -31817,7 +30935,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_path_XSLTPROC="$as_dir/$ac_word$ac_exec_ext"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -31830,11 +30948,11 @@ esac
 fi
 XSLTPROC=$ac_cv_path_XSLTPROC
 if test -n "$XSLTPROC"; then
-  { $as_echo "$as_me:$LINENO: result: $XSLTPROC" >&5
-$as_echo "$XSLTPROC" >&6; }
+  { echo "$as_me:$LINENO: result: $XSLTPROC" >&5
+echo "${ECHO_T}$XSLTPROC" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -31846,10 +30964,10 @@ fi
 
 # Extract the first word of "xmllint", so it can be a program name with args.
 set dummy xmllint; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_path_XMLLINT+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   case $XMLLINT in
   [\\/]* | ?:[\\/]*)
@@ -31864,7 +30982,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_path_XMLLINT="$as_dir/$ac_word$ac_exec_ext"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -31877,11 +30995,11 @@ esac
 fi
 XMLLINT=$ac_cv_path_XMLLINT
 if test -n "$XMLLINT"; then
-  { $as_echo "$as_me:$LINENO: result: $XMLLINT" >&5
-$as_echo "$XMLLINT" >&6; }
+  { echo "$as_me:$LINENO: result: $XMLLINT" >&5
+echo "${ECHO_T}$XMLLINT" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -31893,10 +31011,10 @@ fi
 
 # Extract the first word of "doxygen", so it can be a program name with args.
 set dummy doxygen; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_path_DOXYGEN+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   case $DOXYGEN in
   [\\/]* | ?:[\\/]*)
@@ -31911,7 +31029,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_path_DOXYGEN="$as_dir/$ac_word$ac_exec_ext"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -31924,11 +31042,11 @@ esac
 fi
 DOXYGEN=$ac_cv_path_DOXYGEN
 if test -n "$DOXYGEN"; then
-  { $as_echo "$as_me:$LINENO: result: $DOXYGEN" >&5
-$as_echo "$DOXYGEN" >&6; }
+  { echo "$as_me:$LINENO: result: $DOXYGEN" >&5
+echo "${ECHO_T}$DOXYGEN" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -31955,8 +31073,8 @@ fi
 # where SGML stuff lives on some systems (FreeBSD is the only one we're sure
 # of at the moment).
 #
-{ $as_echo "$as_me:$LINENO: checking for Docbook-XSL path" >&5
-$as_echo_n "checking for Docbook-XSL path... " >&6; }
+{ echo "$as_me:$LINENO: checking for Docbook-XSL path" >&5
+echo $ECHO_N "checking for Docbook-XSL path... $ECHO_C" >&6; }
 
 # Check whether --with-docbook-xsl was given.
 if test "${with_docbook_xsl+set}" = set; then
@@ -31967,14 +31085,14 @@ fi
 
 case "$docbook_path" in
 auto)
-	{ $as_echo "$as_me:$LINENO: result: auto" >&5
-$as_echo "auto" >&6; }
+	{ echo "$as_me:$LINENO: result: auto" >&5
+echo "${ECHO_T}auto" >&6; }
 	docbook_xsl_trees="/usr/pkg/share/xsl/docbook /usr/local/share/xsl/docbook /usr/share/xsl/docbook"
 	;;
 *)
 	docbook_xsl_trees="$withval"
-    	{ $as_echo "$as_me:$LINENO: result: $docbook_xsl_trees" >&5
-$as_echo "$docbook_xsl_trees" >&6; }
+    	{ echo "$as_me:$LINENO: result: $docbook_xsl_trees" >&5
+echo "${ECHO_T}$docbook_xsl_trees" >&6; }
 	;;
 esac
 
@@ -31984,207 +31102,207 @@ esac
 
 
 XSLT_DOCBOOK_STYLE_HTML=""
-{ $as_echo "$as_me:$LINENO: checking for html/docbook.xsl" >&5
-$as_echo_n "checking for html/docbook.xsl... " >&6; }
+{ echo "$as_me:$LINENO: checking for html/docbook.xsl" >&5
+echo $ECHO_N "checking for html/docbook.xsl... $ECHO_C" >&6; }
 for d in $docbook_xsl_trees
 do
 	f=$d/html/docbook.xsl
 	if test -f $f
 	then
 		XSLT_DOCBOOK_STYLE_HTML=$f
-		{ $as_echo "$as_me:$LINENO: result: $f" >&5
-$as_echo "$f" >&6; }
+		{ echo "$as_me:$LINENO: result: $f" >&5
+echo "${ECHO_T}$f" >&6; }
 		break
 	fi
 done
 if test "X$XSLT_DOCBOOK_STYLE_HTML" = "X"
 then
-	{ $as_echo "$as_me:$LINENO: result: \"not found\"" >&5
-$as_echo "\"not found\"" >&6; };
+	{ echo "$as_me:$LINENO: result: \"not found\"" >&5
+echo "${ECHO_T}\"not found\"" >&6; };
 	XSLT_DOCBOOK_STYLE_HTML=html/docbook.xsl
 fi
 
 
 
 XSLT_DOCBOOK_STYLE_XHTML=""
-{ $as_echo "$as_me:$LINENO: checking for xhtml/docbook.xsl" >&5
-$as_echo_n "checking for xhtml/docbook.xsl... " >&6; }
+{ echo "$as_me:$LINENO: checking for xhtml/docbook.xsl" >&5
+echo $ECHO_N "checking for xhtml/docbook.xsl... $ECHO_C" >&6; }
 for d in $docbook_xsl_trees
 do
 	f=$d/xhtml/docbook.xsl
 	if test -f $f
 	then
 		XSLT_DOCBOOK_STYLE_XHTML=$f
-		{ $as_echo "$as_me:$LINENO: result: $f" >&5
-$as_echo "$f" >&6; }
+		{ echo "$as_me:$LINENO: result: $f" >&5
+echo "${ECHO_T}$f" >&6; }
 		break
 	fi
 done
 if test "X$XSLT_DOCBOOK_STYLE_XHTML" = "X"
 then
-	{ $as_echo "$as_me:$LINENO: result: \"not found\"" >&5
-$as_echo "\"not found\"" >&6; };
+	{ echo "$as_me:$LINENO: result: \"not found\"" >&5
+echo "${ECHO_T}\"not found\"" >&6; };
 	XSLT_DOCBOOK_STYLE_XHTML=xhtml/docbook.xsl
 fi
 
 
 
 XSLT_DOCBOOK_STYLE_MAN=""
-{ $as_echo "$as_me:$LINENO: checking for manpages/docbook.xsl" >&5
-$as_echo_n "checking for manpages/docbook.xsl... " >&6; }
+{ echo "$as_me:$LINENO: checking for manpages/docbook.xsl" >&5
+echo $ECHO_N "checking for manpages/docbook.xsl... $ECHO_C" >&6; }
 for d in $docbook_xsl_trees
 do
 	f=$d/manpages/docbook.xsl
 	if test -f $f
 	then
 		XSLT_DOCBOOK_STYLE_MAN=$f
-		{ $as_echo "$as_me:$LINENO: result: $f" >&5
-$as_echo "$f" >&6; }
+		{ echo "$as_me:$LINENO: result: $f" >&5
+echo "${ECHO_T}$f" >&6; }
 		break
 	fi
 done
 if test "X$XSLT_DOCBOOK_STYLE_MAN" = "X"
 then
-	{ $as_echo "$as_me:$LINENO: result: \"not found\"" >&5
-$as_echo "\"not found\"" >&6; };
+	{ echo "$as_me:$LINENO: result: \"not found\"" >&5
+echo "${ECHO_T}\"not found\"" >&6; };
 	XSLT_DOCBOOK_STYLE_MAN=manpages/docbook.xsl
 fi
 
 
 
 XSLT_DOCBOOK_CHUNK_HTML=""
-{ $as_echo "$as_me:$LINENO: checking for html/chunk.xsl" >&5
-$as_echo_n "checking for html/chunk.xsl... " >&6; }
+{ echo "$as_me:$LINENO: checking for html/chunk.xsl" >&5
+echo $ECHO_N "checking for html/chunk.xsl... $ECHO_C" >&6; }
 for d in $docbook_xsl_trees
 do
 	f=$d/html/chunk.xsl
 	if test -f $f
 	then
 		XSLT_DOCBOOK_CHUNK_HTML=$f
-		{ $as_echo "$as_me:$LINENO: result: $f" >&5
-$as_echo "$f" >&6; }
+		{ echo "$as_me:$LINENO: result: $f" >&5
+echo "${ECHO_T}$f" >&6; }
 		break
 	fi
 done
 if test "X$XSLT_DOCBOOK_CHUNK_HTML" = "X"
 then
-	{ $as_echo "$as_me:$LINENO: result: \"not found\"" >&5
-$as_echo "\"not found\"" >&6; };
+	{ echo "$as_me:$LINENO: result: \"not found\"" >&5
+echo "${ECHO_T}\"not found\"" >&6; };
 	XSLT_DOCBOOK_CHUNK_HTML=html/chunk.xsl
 fi
 
 
 
 XSLT_DOCBOOK_CHUNK_XHTML=""
-{ $as_echo "$as_me:$LINENO: checking for xhtml/chunk.xsl" >&5
-$as_echo_n "checking for xhtml/chunk.xsl... " >&6; }
+{ echo "$as_me:$LINENO: checking for xhtml/chunk.xsl" >&5
+echo $ECHO_N "checking for xhtml/chunk.xsl... $ECHO_C" >&6; }
 for d in $docbook_xsl_trees
 do
 	f=$d/xhtml/chunk.xsl
 	if test -f $f
 	then
 		XSLT_DOCBOOK_CHUNK_XHTML=$f
-		{ $as_echo "$as_me:$LINENO: result: $f" >&5
-$as_echo "$f" >&6; }
+		{ echo "$as_me:$LINENO: result: $f" >&5
+echo "${ECHO_T}$f" >&6; }
 		break
 	fi
 done
 if test "X$XSLT_DOCBOOK_CHUNK_XHTML" = "X"
 then
-	{ $as_echo "$as_me:$LINENO: result: \"not found\"" >&5
-$as_echo "\"not found\"" >&6; };
+	{ echo "$as_me:$LINENO: result: \"not found\"" >&5
+echo "${ECHO_T}\"not found\"" >&6; };
 	XSLT_DOCBOOK_CHUNK_XHTML=xhtml/chunk.xsl
 fi
 
 
 
 XSLT_DOCBOOK_CHUNKTOC_HTML=""
-{ $as_echo "$as_me:$LINENO: checking for html/chunktoc.xsl" >&5
-$as_echo_n "checking for html/chunktoc.xsl... " >&6; }
+{ echo "$as_me:$LINENO: checking for html/chunktoc.xsl" >&5
+echo $ECHO_N "checking for html/chunktoc.xsl... $ECHO_C" >&6; }
 for d in $docbook_xsl_trees
 do
 	f=$d/html/chunktoc.xsl
 	if test -f $f
 	then
 		XSLT_DOCBOOK_CHUNKTOC_HTML=$f
-		{ $as_echo "$as_me:$LINENO: result: $f" >&5
-$as_echo "$f" >&6; }
+		{ echo "$as_me:$LINENO: result: $f" >&5
+echo "${ECHO_T}$f" >&6; }
 		break
 	fi
 done
 if test "X$XSLT_DOCBOOK_CHUNKTOC_HTML" = "X"
 then
-	{ $as_echo "$as_me:$LINENO: result: \"not found\"" >&5
-$as_echo "\"not found\"" >&6; };
+	{ echo "$as_me:$LINENO: result: \"not found\"" >&5
+echo "${ECHO_T}\"not found\"" >&6; };
 	XSLT_DOCBOOK_CHUNKTOC_HTML=html/chunktoc.xsl
 fi
 
 
 
 XSLT_DOCBOOK_CHUNKTOC_XHTML=""
-{ $as_echo "$as_me:$LINENO: checking for xhtml/chunktoc.xsl" >&5
-$as_echo_n "checking for xhtml/chunktoc.xsl... " >&6; }
+{ echo "$as_me:$LINENO: checking for xhtml/chunktoc.xsl" >&5
+echo $ECHO_N "checking for xhtml/chunktoc.xsl... $ECHO_C" >&6; }
 for d in $docbook_xsl_trees
 do
 	f=$d/xhtml/chunktoc.xsl
 	if test -f $f
 	then
 		XSLT_DOCBOOK_CHUNKTOC_XHTML=$f
-		{ $as_echo "$as_me:$LINENO: result: $f" >&5
-$as_echo "$f" >&6; }
+		{ echo "$as_me:$LINENO: result: $f" >&5
+echo "${ECHO_T}$f" >&6; }
 		break
 	fi
 done
 if test "X$XSLT_DOCBOOK_CHUNKTOC_XHTML" = "X"
 then
-	{ $as_echo "$as_me:$LINENO: result: \"not found\"" >&5
-$as_echo "\"not found\"" >&6; };
+	{ echo "$as_me:$LINENO: result: \"not found\"" >&5
+echo "${ECHO_T}\"not found\"" >&6; };
 	XSLT_DOCBOOK_CHUNKTOC_XHTML=xhtml/chunktoc.xsl
 fi
 
 
 
 XSLT_DOCBOOK_MAKETOC_HTML=""
-{ $as_echo "$as_me:$LINENO: checking for html/maketoc.xsl" >&5
-$as_echo_n "checking for html/maketoc.xsl... " >&6; }
+{ echo "$as_me:$LINENO: checking for html/maketoc.xsl" >&5
+echo $ECHO_N "checking for html/maketoc.xsl... $ECHO_C" >&6; }
 for d in $docbook_xsl_trees
 do
 	f=$d/html/maketoc.xsl
 	if test -f $f
 	then
 		XSLT_DOCBOOK_MAKETOC_HTML=$f
-		{ $as_echo "$as_me:$LINENO: result: $f" >&5
-$as_echo "$f" >&6; }
+		{ echo "$as_me:$LINENO: result: $f" >&5
+echo "${ECHO_T}$f" >&6; }
 		break
 	fi
 done
 if test "X$XSLT_DOCBOOK_MAKETOC_HTML" = "X"
 then
-	{ $as_echo "$as_me:$LINENO: result: \"not found\"" >&5
-$as_echo "\"not found\"" >&6; };
+	{ echo "$as_me:$LINENO: result: \"not found\"" >&5
+echo "${ECHO_T}\"not found\"" >&6; };
 	XSLT_DOCBOOK_MAKETOC_HTML=html/maketoc.xsl
 fi
 
 
 
 XSLT_DOCBOOK_MAKETOC_XHTML=""
-{ $as_echo "$as_me:$LINENO: checking for xhtml/maketoc.xsl" >&5
-$as_echo_n "checking for xhtml/maketoc.xsl... " >&6; }
+{ echo "$as_me:$LINENO: checking for xhtml/maketoc.xsl" >&5
+echo $ECHO_N "checking for xhtml/maketoc.xsl... $ECHO_C" >&6; }
 for d in $docbook_xsl_trees
 do
 	f=$d/xhtml/maketoc.xsl
 	if test -f $f
 	then
 		XSLT_DOCBOOK_MAKETOC_XHTML=$f
-		{ $as_echo "$as_me:$LINENO: result: $f" >&5
-$as_echo "$f" >&6; }
+		{ echo "$as_me:$LINENO: result: $f" >&5
+echo "${ECHO_T}$f" >&6; }
 		break
 	fi
 done
 if test "X$XSLT_DOCBOOK_MAKETOC_XHTML" = "X"
 then
-	{ $as_echo "$as_me:$LINENO: result: \"not found\"" >&5
-$as_echo "\"not found\"" >&6; };
+	{ echo "$as_me:$LINENO: result: \"not found\"" >&5
+echo "${ECHO_T}\"not found\"" >&6; };
 	XSLT_DOCBOOK_MAKETOC_XHTML=xhtml/maketoc.xsl
 fi
 
@@ -32204,23 +31322,23 @@ db2latex_xsl_trees="/usr/local/share"
 
 
 XSLT_DB2LATEX_STYLE=""
-{ $as_echo "$as_me:$LINENO: checking for db2latex/xsl/docbook.xsl" >&5
-$as_echo_n "checking for db2latex/xsl/docbook.xsl... " >&6; }
+{ echo "$as_me:$LINENO: checking for db2latex/xsl/docbook.xsl" >&5
+echo $ECHO_N "checking for db2latex/xsl/docbook.xsl... $ECHO_C" >&6; }
 for d in $db2latex_xsl_trees
 do
 	f=$d/db2latex/xsl/docbook.xsl
 	if test -f $f
 	then
 		XSLT_DB2LATEX_STYLE=$f
-		{ $as_echo "$as_me:$LINENO: result: $f" >&5
-$as_echo "$f" >&6; }
+		{ echo "$as_me:$LINENO: result: $f" >&5
+echo "${ECHO_T}$f" >&6; }
 		break
 	fi
 done
 if test "X$XSLT_DB2LATEX_STYLE" = "X"
 then
-	{ $as_echo "$as_me:$LINENO: result: \"not found\"" >&5
-$as_echo "\"not found\"" >&6; };
+	{ echo "$as_me:$LINENO: result: \"not found\"" >&5
+echo "${ECHO_T}\"not found\"" >&6; };
 	XSLT_DB2LATEX_STYLE=db2latex/xsl/docbook.xsl
 fi
 
@@ -32231,23 +31349,23 @@ fi
 # because it's a directory, so just do the same things, inline.
 #
 
-{ $as_echo "$as_me:$LINENO: checking for db2latex/xsl/figures" >&5
-$as_echo_n "checking for db2latex/xsl/figures... " >&6; }
+{ echo "$as_me:$LINENO: checking for db2latex/xsl/figures" >&5
+echo $ECHO_N "checking for db2latex/xsl/figures... $ECHO_C" >&6; }
 for d in $db2latex_xsl_trees
 do
 	dd=$d/db2latex/xsl/figures
 	if test -d $dd
 	then
 		XSLT_DB2LATEX_ADMONITIONS=$dd
-		{ $as_echo "$as_me:$LINENO: result: $dd" >&5
-$as_echo "$dd" >&6; }
+		{ echo "$as_me:$LINENO: result: $dd" >&5
+echo "${ECHO_T}$dd" >&6; }
 		break
 	fi
 done
 if test "X$XSLT_DB2LATEX_ADMONITIONS" = "X"
 then
-	{ $as_echo "$as_me:$LINENO: result: not found" >&5
-$as_echo "not found" >&6; }
+	{ echo "$as_me:$LINENO: result: not found" >&5
+echo "${ECHO_T}not found" >&6; }
 	XSLT_DB2LATEX_ADMONITIONS=db2latex/xsl/figures
 fi
 
@@ -32328,8 +31446,8 @@ else
 fi
 
 if test "$idnlib" = yes; then
-	{ { $as_echo "$as_me:$LINENO: error: You must specify ARG for --with-idnlib." >&5
-$as_echo "$as_me: error: You must specify ARG for --with-idnlib." >&2;}
+	{ { echo "$as_me:$LINENO: error: You must specify ARG for --with-idnlib." >&5
+echo "$as_me: error: You must specify ARG for --with-idnlib." >&2;}
    { (exit 1); exit 1; }; }
 fi
 
@@ -32352,21 +31470,20 @@ fi
 
 for ac_header in locale.h
 do
-as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
+  { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 else
   # Is the header compilable?
-{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5
-$as_echo_n "checking $ac_header usability... " >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -32382,33 +31499,32 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_compile") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        } && test -s conftest.$ac_objext; then
   ac_header_compiler=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	ac_header_compiler=no
 fi
 
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-$as_echo "$ac_header_compiler" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
 
 # Is the header present?
-{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5
-$as_echo_n "checking $ac_header presence... " >&6; }
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
 cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
 _ACEOF
@@ -32422,72 +31538,69 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } >/dev/null && {
 	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
 	 test ! -s conftest.err
        }; then
   ac_header_preproc=yes
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
   ac_header_preproc=no
 fi
 
 rm -f conftest.err conftest.$ac_ext
-{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-$as_echo "$ac_header_preproc" >&6; }
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
 
 # So?  What about this header?
 case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
   yes:no: )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
     ac_header_preproc=yes
     ;;
   no:yes:* )
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
-$as_echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
-$as_echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
-    { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
 
     ;;
 esac
-{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5
-$as_echo_n "checking for $ac_header... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
 if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   eval "$as_ac_Header=\$ac_header_preproc"
 fi
-ac_res=`eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
+ac_res=`eval echo '${'$as_ac_Header'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
 
 fi
-if test `eval 'as_val=${'$as_ac_Header'}
-		 $as_echo "$as_val"'` = yes; then
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
 
 fi
@@ -32497,11 +31610,11 @@ done
 
 for ac_func in setlocale
 do
-as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
-{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5
-$as_echo_n "checking for $ac_func... " >&6; }
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
 if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   cat >conftest.$ac_ext <<_ACEOF
 /* confdefs.h.  */
@@ -32554,41 +31667,35 @@ case "(($ac_try" in
   *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
   *) ac_try_echo=$ac_try;;
 esac
-eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\""
-$as_echo "$ac_try_echo") >&5
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
   (eval "$ac_link") 2>conftest.er1
   ac_status=$?
   grep -v '^ *+' conftest.er1 >conftest.err
   rm -f conftest.er1
   cat conftest.err >&5
-  $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
   (exit $ac_status); } && {
 	 test -z "$ac_c_werror_flag" ||
 	 test ! -s conftest.err
-       } && test -s conftest$ac_exeext && {
-	 test "$cross_compiling" = yes ||
-	 $as_test_x conftest$ac_exeext
-       }; then
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
   eval "$as_ac_var=yes"
 else
-  $as_echo "$as_me: failed program was:" >&5
+  echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
 	eval "$as_ac_var=no"
 fi
 
-rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
       conftest$ac_exeext conftest.$ac_ext
 fi
-ac_res=`eval 'as_val=${'$as_ac_var'}
-		 $as_echo "$as_val"'`
-	       { $as_echo "$as_me:$LINENO: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
-if test `eval 'as_val=${'$as_ac_var'}
-		 $as_echo "$as_val"'` = yes; then
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
 _ACEOF
 
 fi
@@ -32720,8 +31827,8 @@ dlzdir='${DLZ_DRIVER_DIR}'
 # Was --with-dlz-postgres specified?
 #
 
-{ $as_echo "$as_me:$LINENO: checking for Postgres DLZ driver" >&5
-$as_echo_n "checking for Postgres DLZ driver... " >&6; }
+{ echo "$as_me:$LINENO: checking for Postgres DLZ driver" >&5
+echo $ECHO_N "checking for Postgres DLZ driver... $ECHO_C" >&6; }
 
 # Check whether --with-dlz_postgres was given.
 if test "${with_dlz_postgres+set}" = set; then
@@ -32740,10 +31847,10 @@ then
 do
   # Extract the first word of "$ac_prog", so it can be a program name with args.
 set dummy $ac_prog; ac_word=$2
-{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
 if test "${ac_cv_path_PG_CONFIG+set}" = set; then
-  $as_echo_n "(cached) " >&6
+  echo $ECHO_N "(cached) $ECHO_C" >&6
 else
   case $PG_CONFIG in
   [\\/]* | ?:[\\/]*)
@@ -32758,7 +31865,7 @@ do
   for ac_exec_ext in '' $ac_executable_extensions; do
   if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
     ac_cv_path_PG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
-    $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
     break 2
   fi
 done
@@ -32770,11 +31877,11 @@ esac
 fi
 PG_CONFIG=$ac_cv_path_PG_CONFIG
 if test -n "$PG_CONFIG"; then
-  { $as_echo "$as_me:$LINENO: result: $PG_CONFIG" >&5
-$as_echo "$PG_CONFIG" >&6; }
+  { echo "$as_me:$LINENO: result: $PG_CONFIG" >&5
+echo "${ECHO_T}$PG_CONFIG" >&6; }
 else
-  { $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+  { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 fi
 
 
@@ -32810,17 +31917,17 @@ if test "$use_dlz_postgres" = "yes"
 then
 	# Still no joy, give up
 
-	{ $as_echo "$as_me:$LINENO: result: not found" >&5
-$as_echo "not found" >&6; }
-	{ { $as_echo "$as_me:$LINENO: error: No pg_config and PostgreSQL was not found in any of $pgdirs; use --with-dlz-postgres=/path or put pg_config in your path" >&5
-$as_echo "$as_me: error: No pg_config and PostgreSQL was not found in any of $pgdirs; use --with-dlz-postgres=/path or put pg_config in your path" >&2;}
+	{ echo "$as_me:$LINENO: result: not found" >&5
+echo "${ECHO_T}not found" >&6; }
+	{ { echo "$as_me:$LINENO: error: No pg_config and PostgreSQL was not found in any of $pgdirs; use --with-dlz-postgres=/path or put pg_config in your path" >&5
+echo "$as_me: error: No pg_config and PostgreSQL was not found in any of $pgdirs; use --with-dlz-postgres=/path or put pg_config in your path" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
 case "$use_dlz_postgres" in
 	no)
-		{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+		{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 		;;
 	*)
 
@@ -32840,8 +31947,8 @@ $as_echo "no" >&6; }
 	fi
 
 
-		{ $as_echo "$as_me:$LINENO: result: using PostgreSQL from $use_dlz_postgres_lib and $use_dlz_postgres" >&5
-$as_echo "using PostgreSQL from $use_dlz_postgres_lib and $use_dlz_postgres" >&6; }
+		{ echo "$as_me:$LINENO: result: using PostgreSQL from $use_dlz_postgres_lib and $use_dlz_postgres" >&5
+echo "${ECHO_T}using PostgreSQL from $use_dlz_postgres_lib and $use_dlz_postgres" >&6; }
 		;;
 esac
 
@@ -32850,8 +31957,8 @@ esac
 # Was --with-dlz-mysql specified?
 #
 
-{ $as_echo "$as_me:$LINENO: checking for MySQL DLZ driver" >&5
-$as_echo_n "checking for MySQL DLZ driver... " >&6; }
+{ echo "$as_me:$LINENO: checking for MySQL DLZ driver" >&5
+echo $ECHO_N "checking for MySQL DLZ driver... $ECHO_C" >&6; }
 
 # Check whether --with-dlz_mysql was given.
 if test "${with_dlz_mysql+set}" = set; then
@@ -32919,17 +32026,17 @@ fi
 
 if test "$use_dlz_mysql" = "yes"
 then
-	{ $as_echo "$as_me:$LINENO: result: not found" >&5
-$as_echo "not found" >&6; }
-	{ { $as_echo "$as_me:$LINENO: error: MySQL was not found in any of $mysqldirs; use --with-dlz-mysql=/path" >&5
-$as_echo "$as_me: error: MySQL was not found in any of $mysqldirs; use --with-dlz-mysql=/path" >&2;}
+	{ echo "$as_me:$LINENO: result: not found" >&5
+echo "${ECHO_T}not found" >&6; }
+	{ { echo "$as_me:$LINENO: error: MySQL was not found in any of $mysqldirs; use --with-dlz-mysql=/path" >&5
+echo "$as_me: error: MySQL was not found in any of $mysqldirs; use --with-dlz-mysql=/path" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
 case "$use_dlz_mysql" in
 	no)
-		{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+		{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 		;;
 	*)
 
@@ -32949,8 +32056,8 @@ $as_echo "no" >&6; }
 	fi
 
 
-		{ $as_echo "$as_me:$LINENO: result: using mysql from ${mysql_lib} and ${mysql_include}" >&5
-$as_echo "using mysql from ${mysql_lib} and ${mysql_include}" >&6; }
+		{ echo "$as_me:$LINENO: result: using mysql from ${mysql_lib} and ${mysql_include}" >&5
+echo "${ECHO_T}using mysql from ${mysql_lib} and ${mysql_include}" >&6; }
 		;;
 esac
 
@@ -32959,8 +32066,8 @@ esac
 # Was --with-dlz-bdb specified?
 #
 
-{ $as_echo "$as_me:$LINENO: checking for Berkeley DB DLZ driver" >&5
-$as_echo_n "checking for Berkeley DB DLZ driver... " >&6; }
+{ echo "$as_me:$LINENO: checking for Berkeley DB DLZ driver" >&5
+echo $ECHO_N "checking for Berkeley DB DLZ driver... $ECHO_C" >&6; }
 
 # Check whether --with-dlz_bdb was given.
 if test "${with_dlz_bdb+set}" = set; then
@@ -32972,8 +32079,8 @@ fi
 
 case "$use_dlz_bdb" in
 	no)
-		{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+		{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 		;;
 	*)
 		if test "$use_dlz_bdb" = "yes"
@@ -32985,10 +32092,10 @@ $as_echo "no" >&6; }
 			# User specified directory and it exists
 			bdbdirs="$use_dlz_bdb"
 		else
-			{ $as_echo "$as_me:$LINENO: result: not found" >&5
-$as_echo "not found" >&6; }
-			{ { $as_echo "$as_me:$LINENO: error: path $use_dlz_bdb does not exist" >&5
-$as_echo "$as_me: error: path $use_dlz_bdb does not exist" >&2;}
+			{ echo "$as_me:$LINENO: result: not found" >&5
+echo "${ECHO_T}not found" >&6; }
+			{ { echo "$as_me:$LINENO: error: path $use_dlz_bdb does not exist" >&5
+echo "$as_me: error: path $use_dlz_bdb does not exist" >&2;}
    { (exit 1); exit 1; }; }
 			bdbdirs=""
 		fi
@@ -33066,19 +32173,19 @@ $as_echo "$as_me: error: path $use_dlz_bdb does not exist" >&2;}
 
 		if test "$dlz_bdb_inc" = "yes"
 		then
-			{ $as_echo "$as_me:$LINENO: result: not found" >&5
-$as_echo "not found" >&6; }
-			{ { $as_echo "$as_me:$LINENO: error: could not find Berkeley DB include directory" >&5
-$as_echo "$as_me: error: could not find Berkeley DB include directory" >&2;}
+			{ echo "$as_me:$LINENO: result: not found" >&5
+echo "${ECHO_T}not found" >&6; }
+			{ { echo "$as_me:$LINENO: error: could not find Berkeley DB include directory" >&5
+echo "$as_me: error: could not find Berkeley DB include directory" >&2;}
    { (exit 1); exit 1; }; }
 		fi
 
 		if test "$dlz_bdb_libs" = "yes"
 		then
-			{ $as_echo "$as_me:$LINENO: result: not found" >&5
-$as_echo "not found" >&6; }
-			{ { $as_echo "$as_me:$LINENO: error: could not find Berkeley DB library" >&5
-$as_echo "$as_me: error: could not find Berkeley DB library" >&2;}
+			{ echo "$as_me:$LINENO: result: not found" >&5
+echo "${ECHO_T}not found" >&6; }
+			{ { echo "$as_me:$LINENO: error: could not find Berkeley DB library" >&5
+echo "$as_me: error: could not find Berkeley DB library" >&2;}
    { (exit 1); exit 1; }; }
 		fi
 
@@ -33099,8 +32206,8 @@ $as_echo "$as_me: error: could not find Berkeley DB library" >&2;}
 	fi
 
 
-		{ $as_echo "$as_me:$LINENO: result: using Berkeley DB: $dlz_bdb_inc $dlz_bdb_libs" >&5
-$as_echo "using Berkeley DB: $dlz_bdb_inc $dlz_bdb_libs" >&6; }
+		{ echo "$as_me:$LINENO: result: using Berkeley DB: $dlz_bdb_inc $dlz_bdb_libs" >&5
+echo "${ECHO_T}using Berkeley DB: $dlz_bdb_inc $dlz_bdb_libs" >&6; }
 
 		ac_config_files="$ac_config_files contrib/dlz/bin/dlzbdb/Makefile"
 
@@ -33112,8 +32219,8 @@ esac
 # Was --with-dlz-filesystem specified?
 #
 
-{ $as_echo "$as_me:$LINENO: checking for file system DLZ driver" >&5
-$as_echo_n "checking for file system DLZ driver... " >&6; }
+{ echo "$as_me:$LINENO: checking for file system DLZ driver" >&5
+echo $ECHO_N "checking for file system DLZ driver... $ECHO_C" >&6; }
 
 # Check whether --with-dlz_filesystem was given.
 if test "${with_dlz_filesystem+set}" = set; then
@@ -33125,8 +32232,8 @@ fi
 
 case "$use_dlz_filesystem" in
 	no)
-		{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+		{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 		;;
 	*)
 
@@ -33146,8 +32253,8 @@ $as_echo "no" >&6; }
 	fi
 
 
-		{ $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+		{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 		;;
 esac
 
@@ -33156,8 +32263,8 @@ esac
 # Was --with-dlz-ldap specified?
 #
 
-{ $as_echo "$as_me:$LINENO: checking for LDAP DLZ driver" >&5
-$as_echo_n "checking for LDAP DLZ driver... " >&6; }
+{ echo "$as_me:$LINENO: checking for LDAP DLZ driver" >&5
+echo $ECHO_N "checking for LDAP DLZ driver... $ECHO_C" >&6; }
 
 # Check whether --with-dlz_ldap was given.
 if test "${with_dlz_ldap+set}" = set; then
@@ -33183,17 +32290,17 @@ fi
 
 if test "$use_dlz_ldap" = "yes"
 then
-	{ $as_echo "$as_me:$LINENO: result: not found" >&5
-$as_echo "not found" >&6; }
-	{ { $as_echo "$as_me:$LINENO: error: LDAP headers were not found in any of $ldapdirs; use --with-dlz-ldap=/path" >&5
-$as_echo "$as_me: error: LDAP headers were not found in any of $ldapdirs; use --with-dlz-ldap=/path" >&2;}
+	{ echo "$as_me:$LINENO: result: not found" >&5
+echo "${ECHO_T}not found" >&6; }
+	{ { echo "$as_me:$LINENO: error: LDAP headers were not found in any of $ldapdirs; use --with-dlz-ldap=/path" >&5
+echo "$as_me: error: LDAP headers were not found in any of $ldapdirs; use --with-dlz-ldap=/path" >&2;}
    { (exit 1); exit 1; }; }
 fi
 
 case "$use_dlz_ldap" in
 	no)
-		{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+		{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 		;;
 	*)
 
@@ -33213,8 +32320,8 @@ $as_echo "no" >&6; }
 	fi
 
 
-		{ $as_echo "$as_me:$LINENO: result: using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include" >&5
-$as_echo "using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include" >&6; }
+		{ echo "$as_me:$LINENO: result: using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include" >&5
+echo "${ECHO_T}using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include" >&6; }
 		;;
 esac
 
@@ -33223,8 +32330,8 @@ esac
 # Was --with-dlz-odbc specified?
 #
 
-{ $as_echo "$as_me:$LINENO: checking for ODBC DLZ driver" >&5
-$as_echo_n "checking for ODBC DLZ driver... " >&6; }
+{ echo "$as_me:$LINENO: checking for ODBC DLZ driver" >&5
+echo $ECHO_N "checking for ODBC DLZ driver... $ECHO_C" >&6; }
 
 # Check whether --with-dlz_odbc was given.
 if test "${with_dlz_odbc+set}" = set; then
@@ -33250,14 +32357,14 @@ fi
 
 case "$use_dlz_odbc" in
 	no)
-		{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+		{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 		;;
 	yes)
-		{ $as_echo "$as_me:$LINENO: result: not found" >&5
-$as_echo "not found" >&6; }
-		{ { $as_echo "$as_me:$LINENO: error: ODBC headers were not found in any of $odbcdirs; use --with-dlz-odbc=/path" >&5
-$as_echo "$as_me: error: ODBC headers were not found in any of $odbcdirs; use --with-dlz-odbc=/path" >&2;}
+		{ echo "$as_me:$LINENO: result: not found" >&5
+echo "${ECHO_T}not found" >&6; }
+		{ { echo "$as_me:$LINENO: error: ODBC headers were not found in any of $odbcdirs; use --with-dlz-odbc=/path" >&5
+echo "$as_me: error: ODBC headers were not found in any of $odbcdirs; use --with-dlz-odbc=/path" >&2;}
    { (exit 1); exit 1; }; }
 		;;
 	*)
@@ -33278,8 +32385,8 @@ $as_echo "$as_me: error: ODBC headers were not found in any of $odbcdirs; use --
 	fi
 
 
-		{ $as_echo "$as_me:$LINENO: result: using ODBC from $use_dlz_odbc" >&5
-$as_echo "using ODBC from $use_dlz_odbc" >&6; }
+		{ echo "$as_me:$LINENO: result: using ODBC from $use_dlz_odbc" >&5
+echo "${ECHO_T}using ODBC from $use_dlz_odbc" >&6; }
 		;;
 esac
 
@@ -33288,8 +32395,8 @@ esac
 # Was --with-dlz-stub specified?
 #
 
-{ $as_echo "$as_me:$LINENO: checking for stub DLZ driver" >&5
-$as_echo_n "checking for stub DLZ driver... " >&6; }
+{ echo "$as_me:$LINENO: checking for stub DLZ driver" >&5
+echo $ECHO_N "checking for stub DLZ driver... $ECHO_C" >&6; }
 
 # Check whether --with-dlz_stub was given.
 if test "${with_dlz_stub+set}" = set; then
@@ -33301,8 +32408,8 @@ fi
 
 case "$use_dlz_stub" in
 	no)
-		{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+		{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 		;;
 	*)
 
@@ -33323,8 +32430,8 @@ $as_echo "no" >&6; }
 	fi
 
 
-		{ $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+		{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 		;;
 esac
 
@@ -33350,20 +32457,20 @@ then
 fi
 
 
-{ $as_echo "$as_me:$LINENO: checking for DLZ" >&5
-$as_echo_n "checking for DLZ... " >&6; }
+{ echo "$as_me:$LINENO: checking for DLZ" >&5
+echo $ECHO_N "checking for DLZ... $ECHO_C" >&6; }
 
 if test -n "$USE_DLZ"
 then
-	{ $as_echo "$as_me:$LINENO: result: yes" >&5
-$as_echo "yes" >&6; }
+	{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
 	USE_DLZ="-DDLZ $USE_DLZ"
 	DLZ_DRIVER_RULES=contrib/dlz/drivers/rules
 	ac_config_files="$ac_config_files $DLZ_DRIVER_RULES"
 
 else
-	{ $as_echo "$as_me:$LINENO: result: no" >&5
-$as_echo "no" >&6; }
+	{ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
 	DLZ_DRIVER_RULES=/dev/null
 fi
 
@@ -33376,8 +32483,8 @@ fi
 
 if test "$cross_compiling" = "yes"; then
 	if test -z "$BUILD_CC"; then
-		{ { $as_echo "$as_me:$LINENO: error: BUILD_CC not set" >&5
-$as_echo "$as_me: error: BUILD_CC not set" >&2;}
+		{ { echo "$as_me:$LINENO: error: BUILD_CC not set" >&5
+echo "$as_me: error: BUILD_CC not set" >&2;}
    { (exit 1); exit 1; }; }
 	fi
 	BUILD_CFLAGS="$BUILD_CFLAGS"
@@ -33500,7 +32607,7 @@ ac_config_commands="$ac_config_commands chmod"
 # elsewhere if there's a good reason for doing so.
 #
 
-ac_config_files="$ac_config_files Makefile make/Makefile make/mkdep lib/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/nls/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile bin/Makefile bin/check/Makefile bin/named/Makefile bin/named/unix/Makefile bin/rndc/Makefile bin/rndc/unix/Makefile bin/dig/Makefile bin/nsupdate/Makefile bin/tests/Makefile bin/tests/names/Makefile bin/tests/master/Makefile bin/tests/rbt/Makefile bin/tests/db/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/dst/Makefile bin/tests/mem/Makefile bin/tests/net/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/lwresd/Makefile bin/tests/system/tkey/Makefile bin/tests/headerdep_test.sh bin/dnssec/Makefile doc/Makefile doc/arm/Makefile doc/misc/Makefile isc-config.sh doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter"
+ac_config_files="$ac_config_files Makefile make/Makefile make/mkdep lib/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/nls/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/named/Makefile bin/named/unix/Makefile bin/rndc/Makefile bin/dig/Makefile bin/nsupdate/Makefile bin/tests/Makefile bin/tests/names/Makefile bin/tests/master/Makefile bin/tests/rbt/Makefile bin/tests/db/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/dst/Makefile bin/tests/mem/Makefile bin/tests/net/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/lwresd/Makefile bin/tests/system/tkey/Makefile bin/tests/headerdep_test.sh bin/tools/Makefile bin/dnssec/Makefile doc/Makefile doc/arm/Makefile doc/misc/Makefile isc-config.sh doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter"
 
 
 #
@@ -33534,12 +32641,11 @@ _ACEOF
     case $ac_val in #(
     *${as_nl}*)
       case $ac_var in #(
-      *_cv_*) { $as_echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
-$as_echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
+      *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
       esac
       case $ac_var in #(
       _ | IFS | as_nl) ;; #(
-      BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
       *) $as_unset $ac_var ;;
       esac ;;
     esac
@@ -33572,12 +32678,12 @@ $as_echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
 if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
   if test -w "$cache_file"; then
     test "x$cache_file" != "x/dev/null" &&
-      { $as_echo "$as_me:$LINENO: updating cache $cache_file" >&5
-$as_echo "$as_me: updating cache $cache_file" >&6;}
+      { echo "$as_me:$LINENO: updating cache $cache_file" >&5
+echo "$as_me: updating cache $cache_file" >&6;}
     cat confcache >$cache_file
   else
-    { $as_echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5
-$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;}
+    { echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5
+echo "$as_me: not updating unwritable cache $cache_file" >&6;}
   fi
 fi
 rm -f confcache
@@ -33593,7 +32699,7 @@ ac_ltlibobjs=
 for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
   # 1. Remove the extension, and $U if already installed.
   ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
-  ac_i=`$as_echo "$ac_i" | sed "$ac_script"`
+  ac_i=`echo "$ac_i" | sed "$ac_script"`
   # 2. Prepend LIBOBJDIR.  When used with automake>=1.10 LIBOBJDIR
   #    will be set to the directory where LIBOBJS objects are built.
   ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext"
@@ -33606,12 +32712,11 @@ LTLIBOBJS=$ac_ltlibobjs
 
 
 : ${CONFIG_STATUS=./config.status}
-ac_write_fail=0
 ac_clean_files_save=$ac_clean_files
 ac_clean_files="$ac_clean_files $CONFIG_STATUS"
-{ $as_echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
-$as_echo "$as_me: creating $CONFIG_STATUS" >&6;}
-cat >$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
+echo "$as_me: creating $CONFIG_STATUS" >&6;}
+cat >$CONFIG_STATUS <<_ACEOF
 #! $SHELL
 # Generated by $as_me.
 # Run this file to recreate the current configuration.
@@ -33624,7 +32729,7 @@ ac_cs_silent=false
 SHELL=\${CONFIG_SHELL-$SHELL}
 _ACEOF
 
-cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+cat >>$CONFIG_STATUS <<\_ACEOF
 ## --------------------- ##
 ## M4sh Initialization.  ##
 ## --------------------- ##
@@ -33634,7 +32739,7 @@ DUALCASE=1; export DUALCASE # for MKS sh
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
   emulate sh
   NULLCMD=:
-  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
+  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
   # is contrary to our usage.  Disable this feature.
   alias -g '${1+"$@"}'='"$@"'
   setopt NO_GLOB_SUBST
@@ -33656,45 +32761,17 @@ as_cr_Letters=$as_cr_letters$as_cr_LETTERS
 as_cr_digits='0123456789'
 as_cr_alnum=$as_cr_Letters$as_cr_digits
 
-as_nl='
-'
-export as_nl
-# Printing a long string crashes Solaris 7 /usr/bin/printf.
-as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
-as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
-as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
-if (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
-  as_echo='printf %s\n'
-  as_echo_n='printf %s'
-else
-  if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
-    as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
-    as_echo_n='/usr/ucb/echo -n'
-  else
-    as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
-    as_echo_n_body='eval
-      arg=$1;
-      case $arg in
-      *"$as_nl"*)
-	expr "X$arg" : "X\\(.*\\)$as_nl";
-	arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
-      esac;
-      expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
-    '
-    export as_echo_n_body
-    as_echo_n='sh -c $as_echo_n_body as_echo'
-  fi
-  export as_echo_body
-  as_echo='sh -c $as_echo_body as_echo'
-fi
-
 # The user is always right.
 if test "${PATH_SEPARATOR+set}" != set; then
-  PATH_SEPARATOR=:
-  (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
-    (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
-      PATH_SEPARATOR=';'
-  }
+  echo "#! /bin/sh" >conf$$.sh
+  echo  "exit 0"   >>conf$$.sh
+  chmod +x conf$$.sh
+  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
+    PATH_SEPARATOR=';'
+  else
+    PATH_SEPARATOR=:
+  fi
+  rm -f conf$$.sh
 fi
 
 # Support unset when possible.
@@ -33710,6 +32787,8 @@ fi
 # there to prevent editors from complaining about space-tab.
 # (If _AS_PATH_WALK were called with IFS unset, it would disable word
 # splitting by setting IFS to empty value.)
+as_nl='
+'
 IFS=" ""	$as_nl"
 
 # Find who we are.  Look in the path if we contain no directory separator.
@@ -33732,7 +32811,7 @@ if test "x$as_myself" = x; then
   as_myself=$0
 fi
 if test ! -f "$as_myself"; then
-  $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+  echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
   { (exit 1); exit 1; }
 fi
 
@@ -33745,10 +32824,17 @@ PS2='> '
 PS4='+ '
 
 # NLS nuisances.
-LC_ALL=C
-export LC_ALL
-LANGUAGE=C
-export LANGUAGE
+for as_var in \
+  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
+  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
+  LC_TELEPHONE LC_TIME
+do
+  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
+    eval $as_var=C; export $as_var
+  else
+    ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+  fi
+done
 
 # Required to use basename.
 if expr a : '\(a\)' >/dev/null 2>&1 &&
@@ -33770,7 +32856,7 @@ as_me=`$as_basename -- "$0" ||
 $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
 	 X"$0" : 'X\(//\)$' \| \
 	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
-$as_echo X/"$0" |
+echo X/"$0" |
     sed '/^.*\/\([^/][^/]*\)\/*$/{
 	    s//\1/
 	    q
@@ -33821,7 +32907,7 @@ $as_unset CDPATH
       s/-\n.*//
     ' >$as_me.lineno &&
   chmod +x "$as_me.lineno" ||
-    { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
+    { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
    { (exit 1); exit 1; }; }
 
   # Don't try to exec as it changes $[0], causing all sort of problems
@@ -33849,6 +32935,7 @@ case `echo -n x` in
 *)
   ECHO_N='-n';;
 esac
+
 if expr a : '\(a\)' >/dev/null 2>&1 &&
    test "X`expr 00001 : '.*\(...\)'`" = X001; then
   as_expr=expr
@@ -33861,22 +32948,19 @@ if test -d conf$$.dir; then
   rm -f conf$$.dir/conf$$.file
 else
   rm -f conf$$.dir
-  mkdir conf$$.dir 2>/dev/null
-fi
-if (echo >conf$$.file) 2>/dev/null; then
-  if ln -s conf$$.file conf$$ 2>/dev/null; then
-    as_ln_s='ln -s'
-    # ... but there are two gotchas:
-    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
-    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
-    # In both cases, we have to default to `cp -p'.
-    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
-      as_ln_s='cp -p'
-  elif ln conf$$.file conf$$ 2>/dev/null; then
-    as_ln_s=ln
-  else
+  mkdir conf$$.dir
+fi
+echo >conf$$.file
+if ln -s conf$$.file conf$$ 2>/dev/null; then
+  as_ln_s='ln -s'
+  # ... but there are two gotchas:
+  # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+  # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+  # In both cases, we have to default to `cp -p'.
+  ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
     as_ln_s='cp -p'
-  fi
+elif ln conf$$.file conf$$ 2>/dev/null; then
+  as_ln_s=ln
 else
   as_ln_s='cp -p'
 fi
@@ -33901,10 +32985,10 @@ else
   as_test_x='
     eval sh -c '\''
       if test -d "$1"; then
-	test -d "$1/.";
+        test -d "$1/.";
       else
 	case $1 in
-	-*)set "./$1";;
+        -*)set "./$1";;
 	esac;
 	case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
 	???[sx]*):;;*)false;;esac;fi
@@ -33927,7 +33011,7 @@ exec 6>&1
 # values after options handling.
 ac_log="
 This file was extended by $as_me, which was
-generated by GNU Autoconf 2.62.  Invocation command line was
+generated by GNU Autoconf 2.61.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
   CONFIG_HEADERS  = $CONFIG_HEADERS
@@ -33940,7 +33024,7 @@ on `(hostname || uname -n) 2>/dev/null | sed 1q`
 
 _ACEOF
 
-cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+cat >>$CONFIG_STATUS <<_ACEOF
 # Files that config.status was made for.
 config_files="$ac_config_files"
 config_headers="$ac_config_headers"
@@ -33948,7 +33032,7 @@ config_commands="$ac_config_commands"
 
 _ACEOF
 
-cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+cat >>$CONFIG_STATUS <<\_ACEOF
 ac_cs_usage="\
 \`$as_me' instantiates files from templates according to the
 current configuration.
@@ -33961,9 +33045,9 @@ Usage: $0 [OPTIONS] [FILE]...
   -d, --debug      don't remove temporary files
       --recheck    update $as_me by reconfiguring in the same conditions
   --file=FILE[:TEMPLATE]
-                   instantiate the configuration file FILE
+		   instantiate the configuration file FILE
   --header=FILE[:TEMPLATE]
-                   instantiate the configuration header FILE
+		   instantiate the configuration header FILE
 
 Configuration files:
 $config_files
@@ -33977,24 +33061,24 @@ $config_commands
 Report bugs to <bug-autoconf@gnu.org>."
 
 _ACEOF
-cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
 config.status
-configured by $0, generated by GNU Autoconf 2.62,
-  with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
+configured by $0, generated by GNU Autoconf 2.61,
+  with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
 
-Copyright (C) 2008 Free Software Foundation, Inc.
+Copyright (C) 2006 Free Software Foundation, Inc.
 This config.status script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it."
 
 ac_pwd='$ac_pwd'
 srcdir='$srcdir'
 INSTALL='$INSTALL'
-test -n "\$AWK" || AWK=awk
 _ACEOF
 
-cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
-# The default lists apply if the user does not specify any file.
+cat >>$CONFIG_STATUS <<\_ACEOF
+# If no file are specified by the user, then we need to provide default
+# value.  By we need to know if files were specified by the user.
 ac_need_defaults=:
 while test $# != 0
 do
@@ -34016,36 +33100,30 @@ do
   -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
     ac_cs_recheck=: ;;
   --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
-    $as_echo "$ac_cs_version"; exit ;;
+    echo "$ac_cs_version"; exit ;;
   --debug | --debu | --deb | --de | --d | -d )
     debug=: ;;
   --file | --fil | --fi | --f )
     $ac_shift
-    case $ac_optarg in
-    *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
-    esac
-    CONFIG_FILES="$CONFIG_FILES '$ac_optarg'"
+    CONFIG_FILES="$CONFIG_FILES $ac_optarg"
     ac_need_defaults=false;;
   --header | --heade | --head | --hea )
     $ac_shift
-    case $ac_optarg in
-    *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
-    esac
-    CONFIG_HEADERS="$CONFIG_HEADERS '$ac_optarg'"
+    CONFIG_HEADERS="$CONFIG_HEADERS $ac_optarg"
     ac_need_defaults=false;;
   --he | --h)
     # Conflict between --help and --header
-    { $as_echo "$as_me: error: ambiguous option: $1
+    { echo "$as_me: error: ambiguous option: $1
 Try \`$0 --help' for more information." >&2
    { (exit 1); exit 1; }; };;
   --help | --hel | -h )
-    $as_echo "$ac_cs_usage"; exit ;;
+    echo "$ac_cs_usage"; exit ;;
   -q | -quiet | --quiet | --quie | --qui | --qu | --q \
   | -silent | --silent | --silen | --sile | --sil | --si | --s)
     ac_cs_silent=: ;;
 
   # This is an error.
-  -*) { $as_echo "$as_me: error: unrecognized option: $1
+  -*) { echo "$as_me: error: unrecognized option: $1
 Try \`$0 --help' for more information." >&2
    { (exit 1); exit 1; }; } ;;
 
@@ -34064,32 +33142,30 @@ if $ac_cs_silent; then
 fi
 
 _ACEOF
-cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+cat >>$CONFIG_STATUS <<_ACEOF
 if \$ac_cs_recheck; then
-  set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
-  shift
-  \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
-  CONFIG_SHELL='$SHELL'
+  echo "running CONFIG_SHELL=$SHELL $SHELL $0 "$ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
+  CONFIG_SHELL=$SHELL
   export CONFIG_SHELL
-  exec "\$@"
+  exec $SHELL "$0"$ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
 fi
 
 _ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+cat >>$CONFIG_STATUS <<\_ACEOF
 exec 5>>config.log
 {
   echo
   sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
 ## Running $as_me. ##
 _ASBOX
-  $as_echo "$ac_log"
+  echo "$ac_log"
 } >&5
 
 _ACEOF
-cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+cat >>$CONFIG_STATUS <<_ACEOF
 _ACEOF
 
-cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+cat >>$CONFIG_STATUS <<\_ACEOF
 
 # Handling of arguments.
 for ac_config_target in $ac_config_targets
@@ -34146,10 +33222,11 @@ do
     "lib/tests/include/tests/Makefile") CONFIG_FILES="$CONFIG_FILES lib/tests/include/tests/Makefile" ;;
     "bin/Makefile") CONFIG_FILES="$CONFIG_FILES bin/Makefile" ;;
     "bin/check/Makefile") CONFIG_FILES="$CONFIG_FILES bin/check/Makefile" ;;
+    "bin/confgen/Makefile") CONFIG_FILES="$CONFIG_FILES bin/confgen/Makefile" ;;
+    "bin/confgen/unix/Makefile") CONFIG_FILES="$CONFIG_FILES bin/confgen/unix/Makefile" ;;
     "bin/named/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named/Makefile" ;;
     "bin/named/unix/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named/unix/Makefile" ;;
     "bin/rndc/Makefile") CONFIG_FILES="$CONFIG_FILES bin/rndc/Makefile" ;;
-    "bin/rndc/unix/Makefile") CONFIG_FILES="$CONFIG_FILES bin/rndc/unix/Makefile" ;;
     "bin/dig/Makefile") CONFIG_FILES="$CONFIG_FILES bin/dig/Makefile" ;;
     "bin/nsupdate/Makefile") CONFIG_FILES="$CONFIG_FILES bin/nsupdate/Makefile" ;;
     "bin/tests/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/Makefile" ;;
@@ -34168,6 +33245,7 @@ do
     "bin/tests/system/lwresd/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/lwresd/Makefile" ;;
     "bin/tests/system/tkey/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/system/tkey/Makefile" ;;
     "bin/tests/headerdep_test.sh") CONFIG_FILES="$CONFIG_FILES bin/tests/headerdep_test.sh" ;;
+    "bin/tools/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tools/Makefile" ;;
     "bin/dnssec/Makefile") CONFIG_FILES="$CONFIG_FILES bin/dnssec/Makefile" ;;
     "doc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/Makefile" ;;
     "doc/arm/Makefile") CONFIG_FILES="$CONFIG_FILES doc/arm/Makefile" ;;
@@ -34182,8 +33260,8 @@ do
     "doc/doxygen/Makefile") CONFIG_FILES="$CONFIG_FILES doc/doxygen/Makefile" ;;
     "doc/doxygen/doxygen-input-filter") CONFIG_FILES="$CONFIG_FILES doc/doxygen/doxygen-input-filter" ;;
 
-  *) { { $as_echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
-$as_echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
+  *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
+echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
    { (exit 1); exit 1; }; };;
   esac
 done
@@ -34224,178 +33302,421 @@ $debug ||
   (umask 077 && mkdir "$tmp")
 } ||
 {
-   $as_echo "$as_me: cannot create a temporary directory in ." >&2
+   echo "$me: cannot create a temporary directory in ." >&2
    { (exit 1); exit 1; }
 }
 
-# Set up the scripts for CONFIG_FILES section.
-# No need to generate them if there are no CONFIG_FILES.
-# This happens for instance with `./config.status config.h'.
-if test -n "$CONFIG_FILES"; then
+#
+# Set up the sed scripts for CONFIG_FILES section.
+#
 
-if $AWK 'BEGIN { getline <"/dev/null" }' </dev/null 2>/dev/null; then
-  ac_cs_awk_getline=:
-  ac_cs_awk_pipe_init=
-  ac_cs_awk_read_file='
-      while ((getline aline < (F[key])) > 0)
-	print(aline)
-      close(F[key])'
-  ac_cs_awk_pipe_fini=
-else
-  ac_cs_awk_getline=false
-  ac_cs_awk_pipe_init="print \"cat <<'|#_!!_#|' &&\""
-  ac_cs_awk_read_file='
-      print "|#_!!_#|"
-      print "cat " F[key] " &&"
-      '$ac_cs_awk_pipe_init
-  # The final `:' finishes the AND list.
-  ac_cs_awk_pipe_fini='END { print "|#_!!_#|"; print ":" }'
-fi
-ac_cr='
-'
-ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' </dev/null 2>/dev/null`
-if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then
-  ac_cs_awk_cr='\\r'
-else
-  ac_cs_awk_cr=$ac_cr
-fi
+# No need to generate the scripts if there are no CONFIG_FILES.
+# This happens for instance when ./config.status config.h
+if test -n "$CONFIG_FILES"; then
 
-echo 'BEGIN {' >"$tmp/subs1.awk" &&
 _ACEOF
 
-# Create commands to substitute file output variables.
-{
-  echo "cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1" &&
-  echo 'cat >>"\$tmp/subs1.awk" <<\\_ACAWK &&' &&
-  echo "$ac_subst_files" | sed 's/.*/F["&"]="$&"/' &&
-  echo "_ACAWK" &&
-  echo "_ACEOF"
-} >conf$$files.sh &&
-. ./conf$$files.sh ||
-  { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
-$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
-   { (exit 1); exit 1; }; }
-rm -f conf$$files.sh
+# Create sed commands to just substitute file output variables.
+
+# Remaining file output variables are in a fragment that also has non-file
+# output varibles.
+
+
 
-{
-  echo "cat >conf$$subs.awk <<_ACEOF" &&
-  echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' &&
-  echo "_ACEOF"
-} >conf$$subs.sh ||
-  { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
-$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
-   { (exit 1); exit 1; }; }
-ac_delim_num=`echo "$ac_subst_vars" | grep -c '$'`
 ac_delim='%!_!# '
 for ac_last_try in false false false false false :; do
-  . ./conf$$subs.sh ||
-    { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
-$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
-   { (exit 1); exit 1; }; }
-
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` = $ac_delim_num; then
+  cat >conf$$subs.sed <<_ACEOF
+SHELL!$SHELL$ac_delim
+PATH_SEPARATOR!$PATH_SEPARATOR$ac_delim
+PACKAGE_NAME!$PACKAGE_NAME$ac_delim
+PACKAGE_TARNAME!$PACKAGE_TARNAME$ac_delim
+PACKAGE_VERSION!$PACKAGE_VERSION$ac_delim
+PACKAGE_STRING!$PACKAGE_STRING$ac_delim
+PACKAGE_BUGREPORT!$PACKAGE_BUGREPORT$ac_delim
+exec_prefix!$exec_prefix$ac_delim
+prefix!$prefix$ac_delim
+program_transform_name!$program_transform_name$ac_delim
+bindir!$bindir$ac_delim
+sbindir!$sbindir$ac_delim
+libexecdir!$libexecdir$ac_delim
+datarootdir!$datarootdir$ac_delim
+datadir!$datadir$ac_delim
+sysconfdir!$sysconfdir$ac_delim
+sharedstatedir!$sharedstatedir$ac_delim
+localstatedir!$localstatedir$ac_delim
+includedir!$includedir$ac_delim
+oldincludedir!$oldincludedir$ac_delim
+docdir!$docdir$ac_delim
+infodir!$infodir$ac_delim
+htmldir!$htmldir$ac_delim
+dvidir!$dvidir$ac_delim
+pdfdir!$pdfdir$ac_delim
+psdir!$psdir$ac_delim
+libdir!$libdir$ac_delim
+localedir!$localedir$ac_delim
+mandir!$mandir$ac_delim
+DEFS!$DEFS$ac_delim
+ECHO_C!$ECHO_C$ac_delim
+ECHO_N!$ECHO_N$ac_delim
+ECHO_T!$ECHO_T$ac_delim
+LIBS!$LIBS$ac_delim
+build_alias!$build_alias$ac_delim
+host_alias!$host_alias$ac_delim
+target_alias!$target_alias$ac_delim
+build!$build$ac_delim
+build_cpu!$build_cpu$ac_delim
+build_vendor!$build_vendor$ac_delim
+build_os!$build_os$ac_delim
+host!$host$ac_delim
+host_cpu!$host_cpu$ac_delim
+host_vendor!$host_vendor$ac_delim
+host_os!$host_os$ac_delim
+SET_MAKE!$SET_MAKE$ac_delim
+CC!$CC$ac_delim
+CFLAGS!$CFLAGS$ac_delim
+LDFLAGS!$LDFLAGS$ac_delim
+CPPFLAGS!$CPPFLAGS$ac_delim
+ac_ct_CC!$ac_ct_CC$ac_delim
+EXEEXT!$EXEEXT$ac_delim
+OBJEXT!$OBJEXT$ac_delim
+SED!$SED$ac_delim
+GREP!$GREP$ac_delim
+EGREP!$EGREP$ac_delim
+LN_S!$LN_S$ac_delim
+ECHO!$ECHO$ac_delim
+AR!$AR$ac_delim
+RANLIB!$RANLIB$ac_delim
+STRIP!$STRIP$ac_delim
+DSYMUTIL!$DSYMUTIL$ac_delim
+NMEDIT!$NMEDIT$ac_delim
+CPP!$CPP$ac_delim
+CXX!$CXX$ac_delim
+CXXFLAGS!$CXXFLAGS$ac_delim
+ac_ct_CXX!$ac_ct_CXX$ac_delim
+CXXCPP!$CXXCPP$ac_delim
+F77!$F77$ac_delim
+FFLAGS!$FFLAGS$ac_delim
+_ACEOF
+
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 70; then
     break
   elif $ac_last_try; then
-    { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
-$as_echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
    { (exit 1); exit 1; }; }
   else
     ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
   fi
 done
-rm -f conf$$subs.sh
-
-cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
-cat >>"\$tmp/subs1.awk" <<\\_ACAWK &&
-_ACEOF
-sed -n '
-h
-s/^/S["/; s/!.*/"]=/
-p
-g
-s/^[^!]*!//
-:repl
-t repl
-s/'"$ac_delim"'$//
-t delim
-:nl
-h
-s/\(.\{148\}\).*/\1/
-t more1
-s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/
-p
-n
-b repl
-:more1
-s/["\\]/\\&/g; s/^/"/; s/$/"\\/
-p
-g
-s/.\{148\}//
-t nl
-:delim
-h
-s/\(.\{148\}\).*/\1/
-t more2
-s/["\\]/\\&/g; s/^/"/; s/$/"/
-p
-b
-:more2
-s/["\\]/\\&/g; s/^/"/; s/$/"\\/
-p
-g
-s/.\{148\}//
-t delim
-' <conf$$subs.awk | sed '
-/^[^""]/{
-  N
-  s/\n//
+
+ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
+if test -n "$ac_eof"; then
+  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
+  ac_eof=`expr $ac_eof + 1`
+fi
+
+cat >>$CONFIG_STATUS <<_ACEOF
+cat >"\$tmp/subs-1.sed" <<\CEOF$ac_eof
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
+/^[	 ]*@BIND9_MAKE_INCLUDES@[	 ]*$/{
+r $BIND9_MAKE_INCLUDES
+d
 }
-' >>$CONFIG_STATUS || ac_write_fail=1
-rm -f conf$$subs.awk
-cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
-_ACAWK
-cat >>"\$tmp/subs1.awk" <<_ACAWK &&
-  for (key in S) S_is_set[key] = 1
-  FS = ""
-  \$ac_cs_awk_pipe_init
+/^[	 ]*@BIND9_MAKE_RULES@[	 ]*$/{
+r $BIND9_MAKE_RULES
+d
 }
-{
-  line = $ 0
-  nfields = split(line, field, "@")
-  substed = 0
-  len = length(field[1])
-  for (i = 2; i < nfields; i++) {
-    key = field[i]
-    keylen = length(key)
-    if (S_is_set[key]) {
-      value = S[key]
-      line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3)
-      len += length(value) + length(field[++i])
-      substed = 1
-    } else
-      len += 1 + keylen
-  }
-  if (nfields == 3 && !substed) {
-    key = field[2]
-    if (F[key] != "" && line ~ /^[	 ]*@.*@[	 ]*$/) {
-      \$ac_cs_awk_read_file
-      next
-    }
-  }
-  print line
+/^[	 ]*@LIBISC_API@[	 ]*$/{
+r $LIBISC_API
+d
+}
+/^[	 ]*@LIBISCCC_API@[	 ]*$/{
+r $LIBISCCC_API
+d
+}
+/^[	 ]*@LIBISCCFG_API@[	 ]*$/{
+r $LIBISCCFG_API
+d
+}
+/^[	 ]*@LIBDNS_API@[	 ]*$/{
+r $LIBDNS_API
+d
+}
+/^[	 ]*@LIBBIND9_API@[	 ]*$/{
+r $LIBBIND9_API
+d
+}
+/^[	 ]*@LIBLWRES_API@[	 ]*$/{
+r $LIBLWRES_API
+d
+}
+/^[	 ]*@DLZ_DRIVER_RULES@[	 ]*$/{
+r $DLZ_DRIVER_RULES
+d
 }
-\$ac_cs_awk_pipe_fini
-_ACAWK
 _ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
-if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then
-  sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g"
-else
-  cat
-fi < "$tmp/subs1.awk" > "$tmp/subs.awk" \
-  || { { $as_echo "$as_me:$LINENO: error: could not setup config files machinery" >&5
-$as_echo "$as_me: error: could not setup config files machinery" >&2;}
+sed '
+s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
+s/^/s,@/; s/!/@,|#_!!_#|/
+:n
+t n
+s/'"$ac_delim"'$/,g/; t
+s/$/\\/; p
+N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
+' >>$CONFIG_STATUS <conf$$subs.sed
+rm -f conf$$subs.sed
+cat >>$CONFIG_STATUS <<_ACEOF
+CEOF$ac_eof
+_ACEOF
+
+
+ac_delim='%!_!# '
+for ac_last_try in false false false false false :; do
+  cat >conf$$subs.sed <<_ACEOF
+ac_ct_F77!$ac_ct_F77$ac_delim
+LIBTOOL!$LIBTOOL$ac_delim
+INSTALL_PROGRAM!$INSTALL_PROGRAM$ac_delim
+INSTALL_SCRIPT!$INSTALL_SCRIPT$ac_delim
+INSTALL_DATA!$INSTALL_DATA$ac_delim
+STD_CINCLUDES!$STD_CINCLUDES$ac_delim
+STD_CDEFINES!$STD_CDEFINES$ac_delim
+STD_CWARNINGS!$STD_CWARNINGS$ac_delim
+CCOPT!$CCOPT$ac_delim
+ARFLAGS!$ARFLAGS$ac_delim
+LN!$LN$ac_delim
+ETAGS!$ETAGS$ac_delim
+PERL!$PERL$ac_delim
+ISC_SOCKADDR_LEN_T!$ISC_SOCKADDR_LEN_T$ac_delim
+ISC_PLATFORM_HAVELONGLONG!$ISC_PLATFORM_HAVELONGLONG$ac_delim
+ISC_PLATFORM_HAVELIFCONF!$ISC_PLATFORM_HAVELIFCONF$ac_delim
+ISC_PLATFORM_HAVEKQUEUE!$ISC_PLATFORM_HAVEKQUEUE$ac_delim
+ISC_PLATFORM_HAVEEPOLL!$ISC_PLATFORM_HAVEEPOLL$ac_delim
+ISC_PLATFORM_HAVEDEVPOLL!$ISC_PLATFORM_HAVEDEVPOLL$ac_delim
+ISC_PLATFORM_NEEDSYSSELECTH!$ISC_PLATFORM_NEEDSYSSELECTH$ac_delim
+LWRES_PLATFORM_NEEDSYSSELECTH!$LWRES_PLATFORM_NEEDSYSSELECTH$ac_delim
+USE_OPENSSL!$USE_OPENSSL$ac_delim
+DST_OPENSSL_INC!$DST_OPENSSL_INC$ac_delim
+ISC_PLATFORM_OPENSSLHASH!$ISC_PLATFORM_OPENSSLHASH$ac_delim
+ISC_OPENSSL_INC!$ISC_OPENSSL_INC$ac_delim
+USE_PKCS11!$USE_PKCS11$ac_delim
+ISC_PLATFORM_HAVEGSSAPI!$ISC_PLATFORM_HAVEGSSAPI$ac_delim
+ISC_PLATFORM_GSSAPIHEADER!$ISC_PLATFORM_GSSAPIHEADER$ac_delim
+USE_GSSAPI!$USE_GSSAPI$ac_delim
+DST_GSSAPI_INC!$DST_GSSAPI_INC$ac_delim
+DNS_GSSAPI_LIBS!$DNS_GSSAPI_LIBS$ac_delim
+DNS_CRYPTO_LIBS!$DNS_CRYPTO_LIBS$ac_delim
+ALWAYS_DEFINES!$ALWAYS_DEFINES$ac_delim
+ISC_PLATFORM_USETHREADS!$ISC_PLATFORM_USETHREADS$ac_delim
+ISC_THREAD_DIR!$ISC_THREAD_DIR$ac_delim
+MKDEPCC!$MKDEPCC$ac_delim
+MKDEPCFLAGS!$MKDEPCFLAGS$ac_delim
+MKDEPPROG!$MKDEPPROG$ac_delim
+IRIX_DNSSEC_WARNINGS_HACK!$IRIX_DNSSEC_WARNINGS_HACK$ac_delim
+purify_path!$purify_path$ac_delim
+PURIFY!$PURIFY$ac_delim
+O!$O$ac_delim
+A!$A$ac_delim
+SA!$SA$ac_delim
+LIBTOOL_MKDEP_SED!$LIBTOOL_MKDEP_SED$ac_delim
+LIBTOOL_MODE_COMPILE!$LIBTOOL_MODE_COMPILE$ac_delim
+LIBTOOL_MODE_INSTALL!$LIBTOOL_MODE_INSTALL$ac_delim
+LIBTOOL_MODE_LINK!$LIBTOOL_MODE_LINK$ac_delim
+LIBTOOL_ALLOW_UNDEFINED!$LIBTOOL_ALLOW_UNDEFINED$ac_delim
+LIBTOOL_IN_MAIN!$LIBTOOL_IN_MAIN$ac_delim
+ISC_PLATFORM_HAVEIPV6!$ISC_PLATFORM_HAVEIPV6$ac_delim
+LWRES_PLATFORM_HAVEIPV6!$LWRES_PLATFORM_HAVEIPV6$ac_delim
+ISC_PLATFORM_NEEDNETINETIN6H!$ISC_PLATFORM_NEEDNETINETIN6H$ac_delim
+LWRES_PLATFORM_NEEDNETINETIN6H!$LWRES_PLATFORM_NEEDNETINETIN6H$ac_delim
+ISC_PLATFORM_NEEDNETINET6IN6H!$ISC_PLATFORM_NEEDNETINET6IN6H$ac_delim
+LWRES_PLATFORM_NEEDNETINET6IN6H!$LWRES_PLATFORM_NEEDNETINET6IN6H$ac_delim
+ISC_PLATFORM_HAVEINADDR6!$ISC_PLATFORM_HAVEINADDR6$ac_delim
+LWRES_PLATFORM_HAVEINADDR6!$LWRES_PLATFORM_HAVEINADDR6$ac_delim
+ISC_PLATFORM_NEEDIN6ADDRANY!$ISC_PLATFORM_NEEDIN6ADDRANY$ac_delim
+LWRES_PLATFORM_NEEDIN6ADDRANY!$LWRES_PLATFORM_NEEDIN6ADDRANY$ac_delim
+ISC_PLATFORM_NEEDIN6ADDRLOOPBACK!$ISC_PLATFORM_NEEDIN6ADDRLOOPBACK$ac_delim
+LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK!$LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK$ac_delim
+ISC_PLATFORM_HAVEIN6PKTINFO!$ISC_PLATFORM_HAVEIN6PKTINFO$ac_delim
+ISC_PLATFORM_FIXIN6ISADDR!$ISC_PLATFORM_FIXIN6ISADDR$ac_delim
+ISC_IPV6_H!$ISC_IPV6_H$ac_delim
+ISC_IPV6_O!$ISC_IPV6_O$ac_delim
+ISC_ISCIPV6_O!$ISC_ISCIPV6_O$ac_delim
+ISC_IPV6_C!$ISC_IPV6_C$ac_delim
+LWRES_HAVE_SIN6_SCOPE_ID!$LWRES_HAVE_SIN6_SCOPE_ID$ac_delim
+ISC_PLATFORM_HAVESCOPEID!$ISC_PLATFORM_HAVESCOPEID$ac_delim
+ISC_PLATFORM_HAVEIF_LADDRREQ!$ISC_PLATFORM_HAVEIF_LADDRREQ$ac_delim
+ISC_PLATFORM_HAVEIF_LADDRCONF!$ISC_PLATFORM_HAVEIF_LADDRCONF$ac_delim
+ISC_PLATFORM_NEEDNTOP!$ISC_PLATFORM_NEEDNTOP$ac_delim
+ISC_PLATFORM_NEEDPTON!$ISC_PLATFORM_NEEDPTON$ac_delim
+ISC_PLATFORM_HAVESALEN!$ISC_PLATFORM_HAVESALEN$ac_delim
+LWRES_PLATFORM_HAVESALEN!$LWRES_PLATFORM_HAVESALEN$ac_delim
+ISC_PLATFORM_MSGHDRFLAVOR!$ISC_PLATFORM_MSGHDRFLAVOR$ac_delim
+ISC_PLATFORM_NEEDPORTT!$ISC_PLATFORM_NEEDPORTT$ac_delim
+ISC_LWRES_NEEDADDRINFO!$ISC_LWRES_NEEDADDRINFO$ac_delim
+ISC_LWRES_NEEDRRSETINFO!$ISC_LWRES_NEEDRRSETINFO$ac_delim
+ISC_LWRES_SETHOSTENTINT!$ISC_LWRES_SETHOSTENTINT$ac_delim
+ISC_LWRES_ENDHOSTENTINT!$ISC_LWRES_ENDHOSTENTINT$ac_delim
+ISC_LWRES_GETNETBYADDRINADDR!$ISC_LWRES_GETNETBYADDRINADDR$ac_delim
+ISC_LWRES_SETNETENTINT!$ISC_LWRES_SETNETENTINT$ac_delim
+ISC_LWRES_ENDNETENTINT!$ISC_LWRES_ENDNETENTINT$ac_delim
+ISC_LWRES_GETHOSTBYADDRVOID!$ISC_LWRES_GETHOSTBYADDRVOID$ac_delim
+ISC_LWRES_NEEDHERRNO!$ISC_LWRES_NEEDHERRNO$ac_delim
+ISC_LWRES_GETIPNODEPROTO!$ISC_LWRES_GETIPNODEPROTO$ac_delim
+ISC_LWRES_GETADDRINFOPROTO!$ISC_LWRES_GETADDRINFOPROTO$ac_delim
+ISC_LWRES_GETNAMEINFOPROTO!$ISC_LWRES_GETNAMEINFOPROTO$ac_delim
+ISC_PLATFORM_NEEDSTRSEP!$ISC_PLATFORM_NEEDSTRSEP$ac_delim
+ISC_PLATFORM_NEEDMEMMOVE!$ISC_PLATFORM_NEEDMEMMOVE$ac_delim
+ISC_PLATFORM_NEEDSTRTOUL!$ISC_PLATFORM_NEEDSTRTOUL$ac_delim
+LWRES_PLATFORM_NEEDSTRTOUL!$LWRES_PLATFORM_NEEDSTRTOUL$ac_delim
+GENRANDOMLIB!$GENRANDOMLIB$ac_delim
+ISC_PLATFORM_NEEDSTRLCPY!$ISC_PLATFORM_NEEDSTRLCPY$ac_delim
+ISC_PLATFORM_NEEDSTRLCAT!$ISC_PLATFORM_NEEDSTRLCAT$ac_delim
+_ACEOF
+
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
+    break
+  elif $ac_last_try; then
+    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
    { (exit 1); exit 1; }; }
+  else
+    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+  fi
+done
+
+ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
+if test -n "$ac_eof"; then
+  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
+  ac_eof=`expr $ac_eof + 1`
+fi
+
+cat >>$CONFIG_STATUS <<_ACEOF
+cat >"\$tmp/subs-2.sed" <<\CEOF$ac_eof
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
 _ACEOF
+sed '
+s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
+s/^/s,@/; s/!/@,|#_!!_#|/
+:n
+t n
+s/'"$ac_delim"'$/,g/; t
+s/$/\\/; p
+N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
+' >>$CONFIG_STATUS <conf$$subs.sed
+rm -f conf$$subs.sed
+cat >>$CONFIG_STATUS <<_ACEOF
+CEOF$ac_eof
+_ACEOF
+
+
+ac_delim='%!_!# '
+for ac_last_try in false false false false false :; do
+  cat >conf$$subs.sed <<_ACEOF
+ISC_PLATFORM_NEEDSPRINTF!$ISC_PLATFORM_NEEDSPRINTF$ac_delim
+LWRES_PLATFORM_NEEDSPRINTF!$LWRES_PLATFORM_NEEDSPRINTF$ac_delim
+ISC_PLATFORM_NEEDVSNPRINTF!$ISC_PLATFORM_NEEDVSNPRINTF$ac_delim
+LWRES_PLATFORM_NEEDVSNPRINTF!$LWRES_PLATFORM_NEEDVSNPRINTF$ac_delim
+ISC_EXTRA_OBJS!$ISC_EXTRA_OBJS$ac_delim
+ISC_EXTRA_SRCS!$ISC_EXTRA_SRCS$ac_delim
+USE_ISC_SPNEGO!$USE_ISC_SPNEGO$ac_delim
+DST_EXTRA_OBJS!$DST_EXTRA_OBJS$ac_delim
+DST_EXTRA_SRCS!$DST_EXTRA_SRCS$ac_delim
+ISC_PLATFORM_QUADFORMAT!$ISC_PLATFORM_QUADFORMAT$ac_delim
+LWRES_PLATFORM_QUADFORMAT!$LWRES_PLATFORM_QUADFORMAT$ac_delim
+ISC_PLATFORM_HAVESYSUNH!$ISC_PLATFORM_HAVESYSUNH$ac_delim
+ISC_PLATFORM_RLIMITTYPE!$ISC_PLATFORM_RLIMITTYPE$ac_delim
+ISC_PLATFORM_USEDECLSPEC!$ISC_PLATFORM_USEDECLSPEC$ac_delim
+LWRES_PLATFORM_USEDECLSPEC!$LWRES_PLATFORM_USEDECLSPEC$ac_delim
+ISC_PLATFORM_BRACEPTHREADONCEINIT!$ISC_PLATFORM_BRACEPTHREADONCEINIT$ac_delim
+ISC_PLATFORM_HAVESTRINGSH!$ISC_PLATFORM_HAVESTRINGSH$ac_delim
+ISC_PLATFORM_HAVEIFNAMETOINDEX!$ISC_PLATFORM_HAVEIFNAMETOINDEX$ac_delim
+ISC_PLATFORM_HAVEXADD!$ISC_PLATFORM_HAVEXADD$ac_delim
+ISC_PLATFORM_HAVEXADDQ!$ISC_PLATFORM_HAVEXADDQ$ac_delim
+ISC_PLATFORM_HAVECMPXCHG!$ISC_PLATFORM_HAVECMPXCHG$ac_delim
+ISC_PLATFORM_HAVEATOMICSTORE!$ISC_PLATFORM_HAVEATOMICSTORE$ac_delim
+ISC_PLATFORM_USEGCCASM!$ISC_PLATFORM_USEGCCASM$ac_delim
+ISC_PLATFORM_USEOSFASM!$ISC_PLATFORM_USEOSFASM$ac_delim
+ISC_PLATFORM_USESTDASM!$ISC_PLATFORM_USESTDASM$ac_delim
+ISC_PLATFORM_USEMACASM!$ISC_PLATFORM_USEMACASM$ac_delim
+ISC_ARCH_DIR!$ISC_ARCH_DIR$ac_delim
+LATEX!$LATEX$ac_delim
+PDFLATEX!$PDFLATEX$ac_delim
+W3M!$W3M$ac_delim
+XSLTPROC!$XSLTPROC$ac_delim
+XMLLINT!$XMLLINT$ac_delim
+DOXYGEN!$DOXYGEN$ac_delim
+XSLT_DOCBOOK_STYLE_HTML!$XSLT_DOCBOOK_STYLE_HTML$ac_delim
+XSLT_DOCBOOK_STYLE_XHTML!$XSLT_DOCBOOK_STYLE_XHTML$ac_delim
+XSLT_DOCBOOK_STYLE_MAN!$XSLT_DOCBOOK_STYLE_MAN$ac_delim
+XSLT_DOCBOOK_CHUNK_HTML!$XSLT_DOCBOOK_CHUNK_HTML$ac_delim
+XSLT_DOCBOOK_CHUNK_XHTML!$XSLT_DOCBOOK_CHUNK_XHTML$ac_delim
+XSLT_DOCBOOK_CHUNKTOC_HTML!$XSLT_DOCBOOK_CHUNKTOC_HTML$ac_delim
+XSLT_DOCBOOK_CHUNKTOC_XHTML!$XSLT_DOCBOOK_CHUNKTOC_XHTML$ac_delim
+XSLT_DOCBOOK_MAKETOC_HTML!$XSLT_DOCBOOK_MAKETOC_HTML$ac_delim
+XSLT_DOCBOOK_MAKETOC_XHTML!$XSLT_DOCBOOK_MAKETOC_XHTML$ac_delim
+XSLT_DB2LATEX_STYLE!$XSLT_DB2LATEX_STYLE$ac_delim
+XSLT_DB2LATEX_ADMONITIONS!$XSLT_DB2LATEX_ADMONITIONS$ac_delim
+IDNLIBS!$IDNLIBS$ac_delim
+BIND9_TOP_BUILDDIR!$BIND9_TOP_BUILDDIR$ac_delim
+BIND9_ISC_BUILDINCLUDE!$BIND9_ISC_BUILDINCLUDE$ac_delim
+BIND9_ISCCC_BUILDINCLUDE!$BIND9_ISCCC_BUILDINCLUDE$ac_delim
+BIND9_ISCCFG_BUILDINCLUDE!$BIND9_ISCCFG_BUILDINCLUDE$ac_delim
+BIND9_DNS_BUILDINCLUDE!$BIND9_DNS_BUILDINCLUDE$ac_delim
+BIND9_LWRES_BUILDINCLUDE!$BIND9_LWRES_BUILDINCLUDE$ac_delim
+BIND9_BIND9_BUILDINCLUDE!$BIND9_BIND9_BUILDINCLUDE$ac_delim
+BIND9_VERSION!$BIND9_VERSION$ac_delim
+BIND9_CONFIGARGS!$BIND9_CONFIGARGS$ac_delim
+PG_CONFIG!$PG_CONFIG$ac_delim
+USE_DLZ!$USE_DLZ$ac_delim
+DLZ_DRIVER_INCLUDES!$DLZ_DRIVER_INCLUDES$ac_delim
+DLZ_DRIVER_LIBS!$DLZ_DRIVER_LIBS$ac_delim
+DLZ_DRIVER_SRCS!$DLZ_DRIVER_SRCS$ac_delim
+DLZ_DRIVER_OBJS!$DLZ_DRIVER_OBJS$ac_delim
+BUILD_CC!$BUILD_CC$ac_delim
+BUILD_CFLAGS!$BUILD_CFLAGS$ac_delim
+BUILD_CPPFLAGS!$BUILD_CPPFLAGS$ac_delim
+BUILD_LDFLAGS!$BUILD_LDFLAGS$ac_delim
+BUILD_LIBS!$BUILD_LIBS$ac_delim
+LIBOBJS!$LIBOBJS$ac_delim
+LTLIBOBJS!$LTLIBOBJS$ac_delim
+_ACEOF
+
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 67; then
+    break
+  elif $ac_last_try; then
+    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+   { (exit 1); exit 1; }; }
+  else
+    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+  fi
+done
+
+ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
+if test -n "$ac_eof"; then
+  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
+  ac_eof=`expr $ac_eof + 1`
+fi
+
+cat >>$CONFIG_STATUS <<_ACEOF
+cat >"\$tmp/subs-3.sed" <<\CEOF$ac_eof
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end
+_ACEOF
+sed '
+s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
+s/^/s,@/; s/!/@,|#_!!_#|/
+:n
+t n
+s/'"$ac_delim"'$/,g/; t
+s/$/\\/; p
+N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
+' >>$CONFIG_STATUS <conf$$subs.sed
+rm -f conf$$subs.sed
+cat >>$CONFIG_STATUS <<_ACEOF
+:end
+s/|#_!!_#|//g
+CEOF$ac_eof
+_ACEOF
+
 
 # VPATH may cause trouble with some makes, so we remove $(srcdir),
 # ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
@@ -34412,133 +33733,19 @@ s/^[^=]*=[	 ]*$//
 }'
 fi
 
-cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+cat >>$CONFIG_STATUS <<\_ACEOF
 fi # test -n "$CONFIG_FILES"
 
-# Set up the scripts for CONFIG_HEADERS section.
-# No need to generate them if there are no CONFIG_HEADERS.
-# This happens for instance with `./config.status Makefile'.
-if test -n "$CONFIG_HEADERS"; then
-cat >"$tmp/defines.awk" <<\_ACAWK ||
-BEGIN {
-_ACEOF
-
-# Transform confdefs.h into an awk script `defines.awk', embedded as
-# here-document in config.status, that substitutes the proper values into
-# config.h.in to produce config.h.
-
-# Create a delimiter string that does not exist in confdefs.h, to ease
-# handling of long lines.
-ac_delim='%!_!# '
-for ac_last_try in false false :; do
-  ac_t=`sed -n "/$ac_delim/p" confdefs.h`
-  if test -z "$ac_t"; then
-    break
-  elif $ac_last_try; then
-    { { $as_echo "$as_me:$LINENO: error: could not make $CONFIG_HEADERS" >&5
-$as_echo "$as_me: error: could not make $CONFIG_HEADERS" >&2;}
-   { (exit 1); exit 1; }; }
-  else
-    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
-  fi
-done
-
-# For the awk script, D is an array of macro values keyed by name,
-# likewise P contains macro parameters if any.  Preserve backslash
-# newline sequences.
 
-ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]*
-sed -n '
-s/.\{148\}/&'"$ac_delim"'/g
-t rset
-:rset
-s/^[	 ]*#[	 ]*define[	 ][	 ]*/ /
-t def
-d
-:def
-s/\\$//
-t bsnl
-s/["\\]/\\&/g
-s/^ \('"$ac_word_re"'\)\(([^()]*)\)[	 ]*\(.*\)/P["\1"]="\2"\
-D["\1"]=" \3"/p
-s/^ \('"$ac_word_re"'\)[	 ]*\(.*\)/D["\1"]=" \2"/p
-d
-:bsnl
-s/["\\]/\\&/g
-s/^ \('"$ac_word_re"'\)\(([^()]*)\)[	 ]*\(.*\)/P["\1"]="\2"\
-D["\1"]=" \3\\\\\\n"\\/p
-t cont
-s/^ \('"$ac_word_re"'\)[	 ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p
-t cont
-d
-:cont
-n
-s/.\{148\}/&'"$ac_delim"'/g
-t clear
-:clear
-s/\\$//
-t bsnlc
-s/["\\]/\\&/g; s/^/"/; s/$/"/p
-d
-:bsnlc
-s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p
-b cont
-' <confdefs.h | sed '
-s/'"$ac_delim"'/"\\\
-"/g' >>$CONFIG_STATUS || ac_write_fail=1
-
-cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
-  for (key in D) D_is_set[key] = 1
-  FS = ""
-}
-/^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ {
-  line = \$ 0
-  split(line, arg, " ")
-  if (arg[1] == "#") {
-    defundef = arg[2]
-    mac1 = arg[3]
-  } else {
-    defundef = substr(arg[1], 2)
-    mac1 = arg[2]
-  }
-  split(mac1, mac2, "(") #)
-  macro = mac2[1]
-  if (D_is_set[macro]) {
-    # Preserve the white space surrounding the "#".
-    prefix = substr(line, 1, index(line, defundef) - 1)
-    print prefix "define", macro P[macro] D[macro]
-    next
-  } else {
-    # Replace #undef with comments.  This is necessary, for example,
-    # in the case of _POSIX_SOURCE, which is predefined and required
-    # on some systems where configure will not decide to define it.
-    if (defundef == "undef") {
-      print "/*", line, "*/"
-      next
-    }
-  }
-}
-{ print }
-_ACAWK
-_ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
-  { { $as_echo "$as_me:$LINENO: error: could not setup config headers machinery" >&5
-$as_echo "$as_me: error: could not setup config headers machinery" >&2;}
-   { (exit 1); exit 1; }; }
-fi # test -n "$CONFIG_HEADERS"
-
-
-eval set X "  :F $CONFIG_FILES  :H $CONFIG_HEADERS    :C $CONFIG_COMMANDS"
-shift
-for ac_tag
+for ac_tag in  :F $CONFIG_FILES  :H $CONFIG_HEADERS    :C $CONFIG_COMMANDS
 do
   case $ac_tag in
   :[FHLC]) ac_mode=$ac_tag; continue;;
   esac
   case $ac_mode$ac_tag in
   :[FHL]*:*);;
-  :L* | :C*:*) { { $as_echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5
-$as_echo "$as_me: error: Invalid tag $ac_tag." >&2;}
+  :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5
+echo "$as_me: error: Invalid tag $ac_tag." >&2;}
    { (exit 1); exit 1; }; };;
   :[FH]-) ac_tag=-:-;;
   :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
@@ -34567,38 +33774,26 @@ $as_echo "$as_me: error: Invalid tag $ac_tag." >&2;}
 	   [\\/$]*) false;;
 	   *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
 	   esac ||
-	   { { $as_echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5
-$as_echo "$as_me: error: cannot find input file: $ac_f" >&2;}
+	   { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5
+echo "$as_me: error: cannot find input file: $ac_f" >&2;}
    { (exit 1); exit 1; }; };;
       esac
-      case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac
-      ac_file_inputs="$ac_file_inputs '$ac_f'"
+      ac_file_inputs="$ac_file_inputs $ac_f"
     done
 
     # Let's still pretend it is `configure' which instantiates (i.e., don't
     # use $as_me), people would be surprised to read:
     #    /* config.h.  Generated by config.status.  */
-    configure_input='Generated from '`
-	  $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g'
-	`' by configure.'
+    configure_input="Generated from "`IFS=:
+	  echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure."
     if test x"$ac_file" != x-; then
       configure_input="$ac_file.  $configure_input"
-      { $as_echo "$as_me:$LINENO: creating $ac_file" >&5
-$as_echo "$as_me: creating $ac_file" >&6;}
+      { echo "$as_me:$LINENO: creating $ac_file" >&5
+echo "$as_me: creating $ac_file" >&6;}
     fi
-    # Neutralize special characters interpreted by sed in replacement strings.
-    case $configure_input in #(
-    *\&* | *\|* | *\\* )
-       ac_sed_conf_input=`$as_echo "$configure_input" |
-       sed 's/[\\\\&|]/\\\\&/g'`;; #(
-    *) ac_sed_conf_input=$configure_input;;
-    esac
 
     case $ac_tag in
-    *:-:* | *:-) cat >"$tmp/stdin" \
-      || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5
-$as_echo "$as_me: error: could not create $ac_file" >&2;}
-   { (exit 1); exit 1; }; } ;;
+    *:-:* | *:-) cat >"$tmp/stdin";;
     esac
     ;;
   esac
@@ -34608,7 +33803,7 @@ $as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
 	 X"$ac_file" : 'X\(//\)[^/]' \| \
 	 X"$ac_file" : 'X\(//\)$' \| \
 	 X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
-$as_echo X"$ac_file" |
+echo X"$ac_file" |
     sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
 	    s//\1/
 	    q
@@ -34634,7 +33829,7 @@ $as_echo X"$ac_file" |
     as_dirs=
     while :; do
       case $as_dir in #(
-      *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
+      *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
       *) as_qdir=$as_dir;;
       esac
       as_dirs="'$as_qdir' $as_dirs"
@@ -34643,7 +33838,7 @@ $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
 	 X"$as_dir" : 'X\(//\)[^/]' \| \
 	 X"$as_dir" : 'X\(//\)$' \| \
 	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
-$as_echo X"$as_dir" |
+echo X"$as_dir" |
     sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
 	    s//\1/
 	    q
@@ -34664,17 +33859,17 @@ $as_echo X"$as_dir" |
       test -d "$as_dir" && break
     done
     test -z "$as_dirs" || eval "mkdir $as_dirs"
-  } || test -d "$as_dir" || { { $as_echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
-$as_echo "$as_me: error: cannot create directory $as_dir" >&2;}
+  } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
+echo "$as_me: error: cannot create directory $as_dir" >&2;}
    { (exit 1); exit 1; }; }; }
   ac_builddir=.
 
 case "$ac_dir" in
 .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
 *)
-  ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
+  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
   # A ".." for each directory in $ac_dir_suffix.
-  ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
+  ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
   case $ac_top_builddir_sub in
   "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
   *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
@@ -34714,13 +33909,12 @@ ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
   esac
 _ACEOF
 
-cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+cat >>$CONFIG_STATUS <<\_ACEOF
 # If the template does not know about datarootdir, expand it.
 # FIXME: This hack should be removed a few years after 2.60.
 ac_datarootdir_hack=; ac_datarootdir_seen=
 
-ac_sed_dataroot='
-/datarootdir/ {
+case `sed -n '/datarootdir/ {
   p
   q
 }
@@ -34729,14 +33923,13 @@ ac_sed_dataroot='
 /@infodir@/p
 /@localedir@/p
 /@mandir@/p
-'
-case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in
+' $ac_file_inputs` in
 *datarootdir*) ac_datarootdir_seen=yes;;
 *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
-  { $as_echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
-$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
+  { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
+echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
 _ACEOF
-cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+cat >>$CONFIG_STATUS <<_ACEOF
   ac_datarootdir_hack='
   s&@datadir@&$datadir&g
   s&@docdir@&$docdir&g
@@ -34750,16 +33943,15 @@ _ACEOF
 # Neutralize VPATH when `$srcdir' = `.'.
 # Shell code in configure.ac might set extrasub.
 # FIXME: do we really want to maintain this feature?
-cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
-ac_sed_extra="$ac_vpsub
+cat >>$CONFIG_STATUS <<_ACEOF
+  sed "$ac_vpsub
 $extrasub
 _ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+cat >>$CONFIG_STATUS <<\_ACEOF
 :t
 /@[a-zA-Z_][a-zA-Z_0-9]*@/!b
-s|@configure_input@|$ac_sed_conf_input|;t t
+s&@configure_input@&$configure_input&;t t
 s&@top_builddir@&$ac_top_builddir_sub&;t t
-s&@top_build_prefix@&$ac_top_build_prefix&;t t
 s&@srcdir@&$ac_srcdir&;t t
 s&@abs_srcdir@&$ac_abs_srcdir&;t t
 s&@top_srcdir@&$ac_top_srcdir&;t t
@@ -34769,67 +33961,123 @@ s&@abs_builddir@&$ac_abs_builddir&;t t
 s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
 s&@INSTALL@&$ac_INSTALL&;t t
 $ac_datarootdir_hack
-"
-eval sed \"\$ac_sed_extra\" "$ac_file_inputs" |
-if $ac_cs_awk_getline; then
-  $AWK -f "$tmp/subs.awk"
-else
-  $AWK -f "$tmp/subs.awk" | $SHELL
-fi >$tmp/out \
-  || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5
-$as_echo "$as_me: error: could not create $ac_file" >&2;}
-   { (exit 1); exit 1; }; }
+" $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed -f "$tmp/subs-2.sed" | sed -f "$tmp/subs-3.sed" >$tmp/out
 
 test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
   { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
   { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
-  { $as_echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+  { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir'
 which seems to be undefined.  Please make sure it is defined." >&5
-$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
 which seems to be undefined.  Please make sure it is defined." >&2;}
 
   rm -f "$tmp/stdin"
   case $ac_file in
-  -) cat "$tmp/out" && rm -f "$tmp/out";;
-  *) rm -f "$ac_file" && mv "$tmp/out" "$ac_file";;
-  esac \
-  || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5
-$as_echo "$as_me: error: could not create $ac_file" >&2;}
-   { (exit 1); exit 1; }; }
+  -) cat "$tmp/out"; rm -f "$tmp/out";;
+  *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;;
+  esac
  ;;
   :H)
   #
   # CONFIG_HEADER
   #
+_ACEOF
+
+# Transform confdefs.h into a sed script `conftest.defines', that
+# substitutes the proper values into config.h.in to produce config.h.
+rm -f conftest.defines conftest.tail
+# First, append a space to every undef/define line, to ease matching.
+echo 's/$/ /' >conftest.defines
+# Then, protect against being on the right side of a sed subst, or in
+# an unquoted here document, in config.status.  If some macros were
+# called several times there might be several #defines for the same
+# symbol, which is useless.  But do not sort them, since the last
+# AC_DEFINE must be honored.
+ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]*
+# These sed commands are passed to sed as "A NAME B PARAMS C VALUE D", where
+# NAME is the cpp macro being defined, VALUE is the value it is being given.
+# PARAMS is the parameter list in the macro definition--in most cases, it's
+# just an empty string.
+ac_dA='s,^\\([	 #]*\\)[^	 ]*\\([	 ]*'
+ac_dB='\\)[	 (].*,\\1define\\2'
+ac_dC=' '
+ac_dD=' ,'
+
+uniq confdefs.h |
+  sed -n '
+	t rset
+	:rset
+	s/^[	 ]*#[	 ]*define[	 ][	 ]*//
+	t ok
+	d
+	:ok
+	s/[\\&,]/\\&/g
+	s/^\('"$ac_word_re"'\)\(([^()]*)\)[	 ]*\(.*\)/ '"$ac_dA"'\1'"$ac_dB"'\2'"${ac_dC}"'\3'"$ac_dD"'/p
+	s/^\('"$ac_word_re"'\)[	 ]*\(.*\)/'"$ac_dA"'\1'"$ac_dB$ac_dC"'\2'"$ac_dD"'/p
+  ' >>conftest.defines
+
+# Remove the space that was appended to ease matching.
+# Then replace #undef with comments.  This is necessary, for
+# example, in the case of _POSIX_SOURCE, which is predefined and required
+# on some systems where configure will not decide to define it.
+# (The regexp can be short, since the line contains either #define or #undef.)
+echo 's/ $//
+s,^[	 #]*u.*,/* & */,' >>conftest.defines
+
+# Break up conftest.defines:
+ac_max_sed_lines=50
+
+# First sed command is:	 sed -f defines.sed $ac_file_inputs >"$tmp/out1"
+# Second one is:	 sed -f defines.sed "$tmp/out1" >"$tmp/out2"
+# Third one will be:	 sed -f defines.sed "$tmp/out2" >"$tmp/out1"
+# et cetera.
+ac_in='$ac_file_inputs'
+ac_out='"$tmp/out1"'
+ac_nxt='"$tmp/out2"'
+
+while :
+do
+  # Write a here document:
+    cat >>$CONFIG_STATUS <<_ACEOF
+    # First, check the format of the line:
+    cat >"\$tmp/defines.sed" <<\\CEOF
+/^[	 ]*#[	 ]*undef[	 ][	 ]*$ac_word_re[	 ]*\$/b def
+/^[	 ]*#[	 ]*define[	 ][	 ]*$ac_word_re[(	 ]/b def
+b
+:def
+_ACEOF
+  sed ${ac_max_sed_lines}q conftest.defines >>$CONFIG_STATUS
+  echo 'CEOF
+    sed -f "$tmp/defines.sed"' "$ac_in >$ac_out" >>$CONFIG_STATUS
+  ac_in=$ac_out; ac_out=$ac_nxt; ac_nxt=$ac_in
+  sed 1,${ac_max_sed_lines}d conftest.defines >conftest.tail
+  grep . conftest.tail >/dev/null || break
+  rm -f conftest.defines
+  mv conftest.tail conftest.defines
+done
+rm -f conftest.defines conftest.tail
+
+echo "ac_result=$ac_in" >>$CONFIG_STATUS
+cat >>$CONFIG_STATUS <<\_ACEOF
   if test x"$ac_file" != x-; then
-    {
-      $as_echo "/* $configure_input  */" \
-      && eval '$AWK -f "$tmp/defines.awk"' "$ac_file_inputs"
-    } >"$tmp/config.h" \
-      || { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5
-$as_echo "$as_me: error: could not create $ac_file" >&2;}
-   { (exit 1); exit 1; }; }
-    if diff "$ac_file" "$tmp/config.h" >/dev/null 2>&1; then
-      { $as_echo "$as_me:$LINENO: $ac_file is unchanged" >&5
-$as_echo "$as_me: $ac_file is unchanged" >&6;}
+    echo "/* $configure_input  */" >"$tmp/config.h"
+    cat "$ac_result" >>"$tmp/config.h"
+    if diff $ac_file "$tmp/config.h" >/dev/null 2>&1; then
+      { echo "$as_me:$LINENO: $ac_file is unchanged" >&5
+echo "$as_me: $ac_file is unchanged" >&6;}
     else
-      rm -f "$ac_file"
-      mv "$tmp/config.h" "$ac_file" \
-	|| { { $as_echo "$as_me:$LINENO: error: could not create $ac_file" >&5
-$as_echo "$as_me: error: could not create $ac_file" >&2;}
-   { (exit 1); exit 1; }; }
+      rm -f $ac_file
+      mv "$tmp/config.h" $ac_file
     fi
   else
-    $as_echo "/* $configure_input  */" \
-      && eval '$AWK -f "$tmp/defines.awk"' "$ac_file_inputs" \
-      || { { $as_echo "$as_me:$LINENO: error: could not create -" >&5
-$as_echo "$as_me: error: could not create -" >&2;}
-   { (exit 1); exit 1; }; }
+    echo "/* $configure_input  */"
+    cat "$ac_result"
   fi
+  rm -f "$tmp/out12"
  ;;
 
-  :C)  { $as_echo "$as_me:$LINENO: executing $ac_file commands" >&5
-$as_echo "$as_me: executing $ac_file commands" >&6;}
+  :C)  { echo "$as_me:$LINENO: executing $ac_file commands" >&5
+echo "$as_me: executing $ac_file commands" >&6;}
  ;;
   esac
 
@@ -34846,11 +34094,6 @@ _ACEOF
 chmod +x $CONFIG_STATUS
 ac_clean_files=$ac_clean_files_save
 
-test $ac_write_fail = 0 ||
-  { { $as_echo "$as_me:$LINENO: error: write failure creating $CONFIG_STATUS" >&5
-$as_echo "$as_me: error: write failure creating $CONFIG_STATUS" >&2;}
-   { (exit 1); exit 1; }; }
-
 
 # configure is writing to config.log, and then calls config.status.
 # config.status does its own redirection, appending to config.log.
@@ -34872,10 +34115,6 @@ if test "$no_create" != yes; then
   # would make configure fail if this is the last instruction.
   $ac_cs_success || { (exit 1); exit 1; }
 fi
-if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
-  { $as_echo "$as_me:$LINENO: WARNING: Unrecognized options: $ac_unrecognized_opts" >&5
-$as_echo "$as_me: WARNING: Unrecognized options: $ac_unrecognized_opts" >&2;}
-fi
 
 
 if test "X$OPENSSL_WARNING" != "X"; then
diff --git a/configure.in b/configure.in
index 6ebdfddc..e9eeacf9 100644
--- a/configure.in
+++ b/configure.in
@@ -18,7 +18,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.457.26.9 $)
+AC_REVISION($Revision: 1.471 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
@@ -28,6 +28,19 @@ AC_CONFIG_HEADER(config.h)
 AC_CANONICAL_HOST
 
 AC_PROG_MAKE_SET
+
+#
+# GNU libtool support
+#
+case $build_os in
+sunos*)
+    # Just set the maximum command line length for sunos as it otherwise
+    # takes a exceptionally long time to work it out. Required for libtool.
+     
+    lt_cv_sys_max_cmd_len=4096;
+    ;;
+esac
+
 AC_PROG_LIBTOOL
 AC_PROG_INSTALL
 AC_PROG_LN_S
@@ -257,7 +270,7 @@ esac
 
 AC_HEADER_STDC
 
-AC_CHECK_HEADERS(fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
+AC_CHECK_HEADERS(fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
 [$ac_includes_default
 #ifdef HAVE_SYS_PARAM_H
 # include <sys/param.h>
@@ -645,6 +658,30 @@ AC_SUBST(DST_OPENSSL_INC)
 DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
 
 #
+# Use OpenSSL for hash functions
+#
+
+AC_ARG_ENABLE(openssl-hash,
+	[  --enable-openssl-hash   use OpenSSL for hash functions [[default=no]]],
+	want_openssl_hash="$enableval", want_openssl_hash="no")
+case $want_openssl_hash in
+	yes)
+		if test "$USE_OPENSSL" = ""
+		then
+			AC_MSG_ERROR([No OpenSSL for hash functions])
+		fi
+		ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1"
+		ISC_OPENSSL_INC="$DST_OPENSSL_INC"
+		;;
+	no)
+		ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
+		ISC_OPENSSL_INC=""
+		;;
+esac
+AC_SUBST(ISC_PLATFORM_OPENSSLHASH)
+AC_SUBST(ISC_OPENSSL_INC)
+
+#
 # PKCS11 (aka crypto hardware) support
 #
 # This works only with the right OpenSSL with PKCS11 engine!
@@ -1228,16 +1265,6 @@ esac
 
 AC_SUBST(PURIFY)
 
-#
-# GNU libtool support
-#
-case $build_os in
-sunos*)
-    # Just set the maximum command line length for sunos as it otherwise
-    # takes a exceptionally long time to work it out. Required for libtool.
-    lt_cv_sys_max_cmd_len=4096;
-    ;;
-esac
 
 AC_ARG_WITH(libtool,
 	    [  --with-libtool	use GNU libtool (following indented options supported)],
@@ -2921,10 +2948,11 @@ AC_CONFIG_FILES([
 	lib/tests/include/tests/Makefile
 	bin/Makefile
 	bin/check/Makefile
+	bin/confgen/Makefile
+	bin/confgen/unix/Makefile
 	bin/named/Makefile
 	bin/named/unix/Makefile
 	bin/rndc/Makefile
-	bin/rndc/unix/Makefile
 	bin/dig/Makefile
 	bin/nsupdate/Makefile
 	bin/tests/Makefile
@@ -2943,6 +2971,7 @@ AC_CONFIG_FILES([
 	bin/tests/system/lwresd/Makefile
 	bin/tests/system/tkey/Makefile
 	bin/tests/headerdep_test.sh
+	bin/tools/Makefile
 	bin/dnssec/Makefile
 	doc/Makefile
 	doc/arm/Makefile
diff --git a/contrib/dlz/drivers/dlz_bdb_driver.c b/contrib/dlz/drivers/dlz_bdb_driver.c
index 5aa96a59..ebbb6dda 100644
--- a/contrib/dlz/drivers/dlz_bdb_driver.c
+++ b/contrib/dlz/drivers/dlz_bdb_driver.c
@@ -558,8 +558,6 @@ bdb_lookup(const char *zone, const char *name, void *driverarg,
 		host_cursor->c_close(host_cursor);
 
 	return result;
-
-	return ISC_R_NOTFOUND;
 }
 
 
diff --git a/contrib/dlz/drivers/dlz_mysql_driver.c b/contrib/dlz/drivers/dlz_mysql_driver.c
index ea32d39e..5d2739b1 100644
--- a/contrib/dlz/drivers/dlz_mysql_driver.c
+++ b/contrib/dlz/drivers/dlz_mysql_driver.c
@@ -792,6 +792,9 @@ mysql_create(const char *dlzname, unsigned int argc, char *argv[],
 	char *endp;
 	int j;
 	unsigned int flags = 0;
+#ifdef MYSQL_OPT_RECONNECT
+        my_bool auto_reconnect = 1;
+#endif
 
 	UNUSED(driverarg);
 	UNUSED(dlzname);
@@ -923,6 +926,17 @@ mysql_create(const char *dlzname, unsigned int argc, char *argv[],
 	pass = getParameterValue(argv[1], "pass=");
 	socket = getParameterValue(argv[1], "socket=");
 
+#ifdef MYSQL_OPT_RECONNECT
+	/* enable automatic reconnection. */
+        if (mysql_options((MYSQL *) dbi->dbconn, MYSQL_OPT_RECONNECT,
+			  &auto_reconnect) != 0) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_WARNING,
+			      "mysql driver failed to set "
+			      "MYSQL_OPT_RECONNECT option, continuing");
+	}
+#endif
+
 	for (j=0; dbc == NULL && j < 4; j++)
 		dbc = mysql_real_connect((MYSQL *) dbi->dbconn, host,
 					 user, pass, dbname, port, socket,
diff --git a/contrib/dnssec-tools/README b/contrib/dnssec-tools/README
deleted file mode 100644
index d45b75ab..00000000
--- a/contrib/dnssec-tools/README
+++ /dev/null
@@ -1,9 +0,0 @@
-
-		DNSSEC Tools
-
-	DNSSEC tools from SPARTA is a useful tools set in particular
-	"trustman" which can be used to manage trusted-keys in named.conf.
-
-	http://www.dnssec-tools.org/
-
-	http://www.dnssec-tools.org/wiki/index.php/Recursive_Server#Trustman
diff --git a/contrib/sdb/pgsql/zonetodb.c b/contrib/sdb/pgsql/zonetodb.c
index ba93027c..61ec2644 100644
--- a/contrib/sdb/pgsql/zonetodb.c
+++ b/contrib/sdb/pgsql/zonetodb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zonetodb.c,v 1.20 2008/09/25 04:02:38 tbox Exp $ */
+/* $Id: zonetodb.c,v 1.21 2008/11/27 06:14:22 marka Exp $ */
 
 #include <stdlib.h>
 #include <string.h>
@@ -165,10 +165,10 @@ main(int argc, char **argv) {
 	check_result(result, "isc_mem_create");
 
 	result = isc_entropy_create(mctx, &ectx);
-	result_check (result, "isc_entropy_create");
+	check_result(result, "isc_entropy_create");
 
 	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
-	check_result (result, "isc_hash_create");
+	check_result(result, "isc_hash_create");
 
 	isc_buffer_init(&b, porigin, strlen(porigin));
 	isc_buffer_add(&b, strlen(porigin));
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 0875e57f..9748e0cf 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.380.14.15 2009/06/02 05:56:27 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.414 2009/06/17 07:02:45 each Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
   <title>BIND 9 Administrator Reference Manual</title>
 
@@ -643,9 +643,9 @@
       <para>
         ISC <acronym>BIND</acronym> 9 compiles and runs on a large
         number
-        of Unix-like operating systems and on NT-derived versions of
-        Microsoft Windows such as Windows 2000 and Windows XP.  For an
-        up-to-date
+        of Unix-like operating systems and on 
+        Microsoft Windows Server 2003 and 2008, and Windows XP and Vista.
+        For an up-to-date
         list of supported systems, see the README file in the top level
         directory
         of the BIND 9 source distribution.
@@ -679,10 +679,13 @@
 // Two corporate subnets we wish to allow queries from.
 acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
 options {
-     directory "/etc/namedb";           // Working directory
+     // Working directory
+     directory "/etc/namedb";
+
      allow-query { corpnets; };
 };
-// Provide a reverse mapping for the loopback address 127.0.0.1
+// Provide a reverse mapping for the loopback
+// address 127.0.0.1
 zone "0.0.127.in-addr.arpa" {
      type master;
      file "localhost.rev";
@@ -702,13 +705,18 @@ zone "0.0.127.in-addr.arpa" {
 
 <programlisting>
 options {
-     directory "/etc/namedb";           // Working directory
-     allow-query-cache { none; };       // Do not allow access to cache
-     allow-query { any; };              // This is the default
-     recursion no;                      // Do not provide recursive service
+     // Working directory
+     directory "/etc/namedb";
+     // Do not allow access to cache
+     allow-query-cache { none; };
+     // This is the default
+     allow-query { any; };
+     // Do not provide recursive service
+     recursion no;
 };
 
-// Provide a reverse mapping for the loopback address 127.0.0.1
+// Provide a reverse mapping for the loopback
+// address 127.0.0.1
 zone "0.0.127.in-addr.arpa" {
      type master;
      file "localhost.rev";
@@ -718,7 +726,8 @@ zone "0.0.127.in-addr.arpa" {
 zone "example.com" {
      type master;
      file "example.com.db";
-     // IP addresses of slave servers allowed to transfer example.com
+     // IP addresses of slave servers allowed to
+     // transfer example.com
      allow-transfer {
           192.168.4.14;
           192.168.5.53;
@@ -1487,7 +1496,8 @@ zone "eng.example.com" {
 <programlisting>
 key rndc_key {
      algorithm "hmac-md5";
-     secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+     secret
+       "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
 };
 options {
      default-server 127.0.0.1;
@@ -1513,7 +1523,8 @@ options {
 
 <programlisting>
 controls {
-        inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
+        inet 127.0.0.1
+            allow { localhost; } keys { rndc_key; };
 };
 </programlisting>
 
@@ -1640,11 +1651,22 @@ controls {
 
       <para>
 	Dynamic update is enabled by including an
-	<command>allow-update</command> or <command>update-policy</command>
-	clause in the <command>zone</command> statement.  The
-	<command>tkey-gssapi-credential</command> and
+	<command>allow-update</command>, <command>update-policy</command>
+	clause in the <command>zone</command> statement, or by setting the
+	<command>ddns-autconf</command> option to <userinput>yes</userinput>.
+      </para>
+      
+      <para>
+	If the zone's <command>ddns-autoconf</command> option is set to
+	<userinput>yes</userinput>, then updates to the zone
+	will be permitted for the key <filename>ddns.key</filename>,
+        which will be generated by <command>named</command> at startup.
+      </para>
+
+      <para>
+        The <command>tkey-gssapi-credential</command> and
 	<command>tkey-domain</command> clauses in the
-	<command>options</command>        statement enable the
+	<command>options</command> statement enable the
 	server to negotiate keys that can be matched against those
 	in <command>update-policy</command> or
 	<command>allow-update</command>.
@@ -1659,7 +1681,7 @@ controls {
       </para>
 
       <sect2 id="journal">
-        <title>The journal file</title>
+	<title>The journal file</title>
 
         <para>
           All changes made to a zone using dynamic update are stored
@@ -1808,7 +1830,7 @@ controls {
         and <filename>site2.example.com</filename>, to the servers
         in the
         DMZ. These internal servers will have complete sets of information
-        for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>,<emphasis/> <filename>site1.internal</filename>,
+        for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>, <filename>site1.internal</filename>,
         and <filename>site2.internal</filename>.
       </para>
       <para>
@@ -1921,26 +1943,32 @@ options {
     ...
     ...
     forward only;
-    forwarders {                                // forward to external servers
+    // forward to external servers
+    forwarders {
         <varname>bastion-ips-go-here</varname>;
     };
-    allow-transfer { none; };                   // sample allow-transfer (no one)
-    allow-query { internals; externals; };      // restrict query access
-    allow-recursion { internals; };             // restrict recursion
+    // sample allow-transfer (no one)
+    allow-transfer { none; };
+    // restrict query access
+    allow-query { internals; externals; };
+    // restrict recursion
+    allow-recursion { internals; };
     ...
     ...
 };
 
-zone "site1.example.com" {                      // sample master zone
+// sample master zone
+zone "site1.example.com" {
   type master;
   file "m/site1.example.com";
-  forwarders { };                               // do normal iterative
-                                                // resolution (do not forward)
+  // do normal iterative resolution (do not forward)
+  forwarders { };
   allow-query { internals; externals; };
   allow-transfer { internals; };
 };
 
-zone "site2.example.com" {                      // sample slave zone
+// sample slave zone
+zone "site2.example.com" {
   type slave;
   file "s/site2.example.com";
   masters { 172.16.72.3; };
@@ -1979,15 +2007,20 @@ acl externals { bastion-ips-go-here; };
 options {
   ...
   ...
-  allow-transfer { none; };                     // sample allow-transfer (no one)
-  allow-query { any; };                         // default query access
-  allow-query-cache { internals; externals; };  // restrict cache access
-  allow-recursion { internals; externals; };    // restrict recursion
+  // sample allow-transfer (no one)
+  allow-transfer { none; };
+  // default query access
+  allow-query { any; };
+  // restrict cache access
+  allow-query-cache { internals; externals; };
+  // restrict recursion
+  allow-recursion { internals; externals; };
   ...
   ...
 };
 
-zone "site1.example.com" {                      // sample slave zone
+// sample slave zone
+zone "site1.example.com" {
   type master;
   file "m/site1.foo.com";
   allow-transfer { internals; externals; };
@@ -2445,14 +2478,17 @@ allow-update { key host1-host2. ;};
 	  To enable <command>named</command> to respond appropriately
 	  to DNS requests from DNSSEC aware clients,
 	  <command>dnssec-enable</command> must be set to yes.
+          (This is the default setting.)
         </para>
 
 	<para>
 	  To enable <command>named</command> to validate answers from
-	  other servers both <command>dnssec-enable</command> and
-	  <command>dnssec-validation</command> must be set and some
-	  <command>trusted-keys</command> must be configured
-	  into <filename>named.conf</filename>.
+	  other servers, the <command>dnssec-enable</command> and
+	  <command>dnssec-validation</command> options must both be
+          set to yes (the default setting in <acronym>BIND</acronym> 9.5
+          and later), and at least one trust anchor must be configured
+          with a <command>trusted-keys</command> statement in
+          <filename>named.conf</filename>.
         </para>
 	  
 	<para>
@@ -2491,32 +2527,45 @@ allow-update { key host1-host2. ;};
 trusted-keys {
 
 	/* Root Key */
-"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
-	     E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
-	     zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
-	     MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
-	     /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
-	     iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
-	     Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
+"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
+             JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
+             aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
+             4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
+             hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
+             5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
+             g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
+             66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
+             97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
+             dgxbcDTClU0CRBdiieyLMNzXG3";
 
 /* Key for our organization's forward zone */
-example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
-                      3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
-	              OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
-		      lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
-		      8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
-		      iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
-		      SCThlHf3xiYleDbt/o1OTQ09A0=";
+example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
+                      5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
+                      GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
+                      4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
+                      kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
+                      g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
+                      TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
+                      FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
+                      F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
+                      /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
+                      1OTQ09A0=";
 
 /* Key for our reverse zone. */
-2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
-                                VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
-				tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
-				yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
-				4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
-			        zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
-				7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
-				52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
+2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
+                               xOdNax071L18QqZnQQQAVVr+i
+                               LhGTnNGp3HoWQLUIzKrJVZ3zg
+                               gy3WwNT6kZo6c0tszYqbtvchm
+                               gQC8CzKojM/W16i6MG/eafGU3
+                               siaOdS0yOI6BgPsw+YZdzlYMa
+                               IJGf4M4dyoKIhzdZyQ2bYQrjy
+                               Q4LB0lC7aOnsMyYKHHYeRvPxj
+                               IQXmdqgOJGq+vsevG06zW+1xg
+                               YJh9rCIfnm1GX/KMgxLPG2vXT
+                               D/RnLX+D3T3UL7HJYHJhAZD5L
+                               59VvjSPsZJHeDCUyWYrvPZesZ
+                               DIRvhDD52SKvbheeTJUm6Ehkz
+                               ytNN2SN96QRk8j/iI8ib";
 };
 
 options {
@@ -2531,6 +2580,41 @@ options {
 	  the root key is not valid.
 	</note>
 
+	<para>
+	  When DNSSEC validation is enabled and properly configured,
+	  the resolver will reject any answers from signed, secure zones
+	  which fail to validate, and will return SERVFAIL to the client.
+	</para>
+
+	<para>
+	  Responses may fail to validate for any of several reasons,
+	  including missing, expired, or invalid signatures, a key which
+	  does not match the DS RRset in the parent zone, or an insecure
+	  response from a zone which, according to its parent, should have
+	  been secure.  
+	</para>
+
+	<note>
+	  <para>
+	    When the validator receives a response from an unsigned zone
+	    that has a signed parent, it must confirm with the parent
+	    that the zone was intentionally left unsigned.  It does
+	    this by verifying, via signed and validated NSEC/NSEC3 records,
+	    that the parent zone contains no DS records for the child.
+	  </para>
+	  <para>
+	    If the validator <emphasis>can</emphasis> prove that the zone
+	    is insecure, then the response is accepted.  However, if it
+	    cannot, then it must assume an insecure response to be a
+	    forgery; it rejects the response and logs an error.
+	  </para>
+	  <para>
+            The logged error reads "insecurity proof failed" and
+            "got insecure response; parent indicates it should be secure".
+	    (Prior to BIND 9.7, the logged error was "not insecure".
+            This referred to the zone, not the response.)
+	  </para>
+	</note>
       </sect2>
 
     </sect1>
@@ -2539,10 +2623,9 @@ options {
 
       <para>
         <acronym>BIND</acronym> 9 fully supports all currently
-        defined forms of IPv6
-        name to address and address to name lookups.  It will also use
-        IPv6 addresses to make queries when running on an IPv6 capable
-        system.
+        defined forms of IPv6 name to address and address to name
+        lookups.  It will also use IPv6 addresses to make queries when
+        running on an IPv6 capable system.
       </para>
 
       <para>
@@ -2613,7 +2696,8 @@ host            3600    IN      AAAA    2001:db8::1
 
 <programlisting>
 $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
-1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0   14400 IN      PTR     host.example.com.
+1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  14400   IN    PTR    (
+                                    host.example.com. )
 </programlisting>
 
       </sect2>
@@ -2791,6 +2875,19 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
             <row rowsep="0">
               <entry colname="1">
                 <para>
+                  <varname>namelist</varname>
+                </para>
+              </entry>
+              <entry colname="2">
+                <para>
+                  A list of one or more <varname>domain_name</varname>
+                  elements.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
+                <para>
                   <varname>dotted_decimal</varname>
                 </para>
               </entry>
@@ -3184,7 +3281,8 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
           <para>
             <programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
             <programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
-            <programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells and perl</programlisting>
+            <programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells
+# and perl</programlisting>
           </para>
         </sect3>
         <sect3>
@@ -3519,10 +3617,12 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
         <title><command>controls</command> Statement Grammar</title>
 
 <programlisting><command>controls</command> {
-   [ inet ( ip_addr | * ) [ port ip_port ] allow { <replaceable> address_match_list </replaceable> }
+   [ inet ( ip_addr | * ) [ port ip_port ]
+                allow { <replaceable> address_match_list </replaceable> }
                 keys { <replaceable>key_list</replaceable> }; ]
    [ inet ...; ]
-   [ unix <replaceable>path</replaceable> perm <replaceable>number</replaceable> owner <replaceable>number</replaceable> group <replaceable>number</replaceable> keys { <replaceable>key_list</replaceable> }; ]
+   [ unix <replaceable>path</replaceable> perm <replaceable>number</replaceable> owner <replaceable>number</replaceable> group <replaceable>number</replaceable>
+     keys { <replaceable>key_list</replaceable> }; ]
    [ unix ...; ]
 };
 </programlisting>
@@ -3991,32 +4091,30 @@ notrace</command>. All debugging messages in the server have a debug
           </para>
 
 <programlisting>channel default_syslog {
-    syslog daemon;                      // send to syslog's daemon
-                                        // facility
-    severity info;                      // only send priority info
-                                        // and higher
-};
+    // send to syslog's daemon facility
+    syslog daemon;
+    // only send priority info and higher
+    severity info;
 
 channel default_debug {
-    file "named.run";                   // write to named.run in
-                                        // the working directory
-                                        // Note: stderr is used instead
-                                        // of "named.run"
-                                        // if the server is started
-                                        // with the '-f' option.
-    severity dynamic;                   // log at the server's
-                                        // current debug level
+    // write to named.run in the working directory
+    // Note: stderr is used instead of "named.run" if
+    // the server is started with the '-f' option.
+    file "named.run";
+    // log at the server's current debug level
+    severity dynamic;
 };
 
 channel default_stderr {
-    stderr;                             // writes to stderr
-    severity info;                      // only send priority info
-                                        // and higher
+    // writes to stderr
+    stderr;
+    // only send priority info and higher
+    severity info;
 };
 
 channel null {
-   null;                                // toss anything sent to
-                                        // this channel
+   // toss anything sent to this channel
+   null;
 };
 </programlisting>
 
@@ -4268,12 +4366,13 @@ category notify { null; };
 		    <para>
 		      The query log entry reports the client's IP
 		      address and port number, and the query name,
-		      class and type.  It also reports whether the
+		      class and type.  Next it reports whether the
 		      Recursion Desired flag was set (+ if set, -
 		      if not set), if the query was signed (S),
 		      EDNS was in use (E), if DO (DNSSEC Ok) was
 		      set (D), or if CD (Checking Disabled) was set
-		      (C).
+		      (C).  After this the destination address the
+		      query was sent to is reported.
 		    </para>
 
                     <para>
@@ -4324,8 +4423,7 @@ category notify { null; };
                     <para>
                       Lame servers.  These are misconfigurations
                       in remote servers, discovered by BIND 9 when trying to
-                      query
-                      those servers during resolution.
+                      query those servers during resolution.
                     </para>
                   </entry>
                 </row>
@@ -4414,7 +4512,13 @@ category notify { null; };
 	    The log message will look like as follows:
 	  </para>
 	  <para>
-	    <computeroutput>fetch completed at resolver.c:2970 for www.example.com/A in 30.000183: timed out/success [domain:example.com,referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]</computeroutput>
+<!-- NOTE: newlines and some spaces added so this would fit on page -->
+            <programlisting>
+fetch completed at resolver.c:2970 for www.example.com/A
+in 30.000183: timed out/success [domain:example.com,
+referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
+badresp:1,adberr:0,findfail:0,valfail:0]
+            </programlisting>
 	  </para>
 	  <para>
 	    The first part before the colon shows that a recursive
@@ -4446,8 +4550,8 @@ category notify { null; };
 
           <informaltable colsep="0" rowsep="0">
             <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
-              <colspec colname="1" colnum="1" colsep="0" />
-              <colspec colname="2" colnum="2" colsep="0" />
+              <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
+              <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
               <tbody>
                 <row rowsep="0">
                   <entry colname="1">
@@ -4612,7 +4716,8 @@ category notify { null; };
         </para>
 
 <programlisting><command>lwres</command> {
-    <optional> listen-on { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
+    <optional> listen-on { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ;
+                <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
     <optional> view <replaceable>view_name</replaceable>; </optional>
     <optional> search { <replaceable>domain_name</replaceable> ; <optional> <replaceable>domain_name</replaceable> ; ... </optional> }; </optional>
     <optional> ndots <replaceable>number</replaceable>; </optional>
@@ -4679,7 +4784,8 @@ category notify { null; };
         <title><command>masters</command> Statement Grammar</title>
 
 <programlisting>
-<command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> };
+<command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | 
+      <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> };
 </programlisting>
 
       </sect2>
@@ -4702,6 +4808,7 @@ category notify { null; };
         </para>
 
 <programlisting><command>options</command> {
+    <optional> attach-cache <replaceable>cache_name</replaceable>; </optional>
     <optional> version <replaceable>version_string</replaceable>; </optional>
     <optional> hostname <replaceable>hostname_string</replaceable>; </optional>
     <optional> server-id <replaceable>server_id_string</replaceable>; </optional>
@@ -4713,6 +4820,7 @@ category notify { null; };
     <optional> tkey-dhkey <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable>; </optional>
     <optional> cache-file <replaceable>path_name</replaceable>; </optional>
     <optional> dump-file <replaceable>path_name</replaceable>; </optional>
+    <optional> bindkeys-file <replaceable>path_name</replaceable>; </optional>
     <optional> memstatistics <replaceable>yes_or_no</replaceable>; </optional>
     <optional> memstatistics-file <replaceable>path_name</replaceable>; </optional>
     <optional> pid-file <replaceable>path_name</replaceable>; </optional>
@@ -4738,7 +4846,8 @@ category notify { null; };
     <optional> ixfr-from-differences (<replaceable>yes_or_no</replaceable> | <constant>master</constant> | <constant>slave</constant>); </optional>
     <optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
     <optional> dnssec-validation <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> dnssec-lookaside <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable>; </optional>
+    <optional> dnssec-lookaside ( <replaceable>auto</replaceable> | 
+                        <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> ); </optional>
     <optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
     <optional> dnssec-accept-expired <replaceable>yes_or_no</replaceable>; </optional>
     <optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
@@ -4777,12 +4886,12 @@ category notify { null; };
     <optional> listen-on-v6 <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> query-source ( ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> )
         <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
-	<optional> address ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
-	<optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
+        <optional> address ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
+        <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
     <optional> query-source-v6 ( ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> )
-	<optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> | 
-	<optional> address ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> ) </optional> 
-	<optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
+        <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> | 
+        <optional> address ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> ) </optional> 
+        <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
     <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
     <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
     <optional> queryport-pool-interval <replaceable>number</replaceable>; </optional>
@@ -4803,13 +4912,15 @@ category notify { null; };
     <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+    <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>)
+                             <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
     <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
     <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> notify-to-soa <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
+    <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ;
+                  <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
     <optional> max-ixfr-log-size <replaceable>number</replaceable>; </optional>
     <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
     <optional> coresize <replaceable>size_spec</replaceable> ; </optional>
@@ -4850,7 +4961,8 @@ category notify { null; };
     <optional> max-udp-size <replaceable>number</replaceable>; </optional>
     <optional> root-delegation-only <optional> exclude { <replaceable>namelist</replaceable> } </optional> ; </optional>
     <optional> querylog <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> disable-algorithms <replaceable>domain</replaceable> { <replaceable>algorithm</replaceable>; <optional> <replaceable>algorithm</replaceable>; </optional> }; </optional>
+    <optional> disable-algorithms <replaceable>domain</replaceable> { <replaceable>algorithm</replaceable>;
+                                <optional> <replaceable>algorithm</replaceable>; </optional> }; </optional>
     <optional> acache-enable <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> acache-cleaning-interval <replaceable>number</replaceable>; </optional>
     <optional> max-acache-size <replaceable>size_spec</replaceable> ; </optional>
@@ -4863,6 +4975,8 @@ category notify { null; };
     <optional> disable-empty-zone <replaceable>zone_name</replaceable> ; </optional>
     <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> zero-no-soa-ttl-cache <replaceable>yes_or_no</replaceable> ; </optional>
+    <optional> deny-answer-addresses { <replaceable>address_match_list</replaceable> } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;</optional>
+    <optional> deny-answer-aliases { <replaceable>namelist</replaceable> } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;</optional>
 };
 </programlisting>
 
@@ -4884,6 +4998,102 @@ category notify { null; };
 
         <variablelist>
 
+            <varlistentry>
+              <term><command>attach-cache</command></term>
+              <listitem>
+                <para>
+		  Allows multiple views to share a single cache
+		  database.
+		  Each view has its own cache database by default, but
+		  if multiple views have the same operational policy
+		  for name resolution and caching, those views can
+		  share a single cache to save memory and possibly
+		  improve resolution efficiency by using this option.
+                </para>
+
+                <para>
+                  The <command>attach-cache</command> option
+                  may also be specified in <command>view</command>
+                  statements, in which case it overrides the
+                  global <command>attach-cache</command> option.
+                </para>
+
+		<para>
+		  The <replaceable>cache_name</replaceable> specifies
+		  the cache to be shared.
+		  When the <command>named</command> server configures
+		  views which are supposed to share a cache, it
+		  creates a cache with the specified name for the
+		  first view of these sharing views.
+		  The rest of the views will simply refer to the
+		  already created cache.
+		</para>
+
+		<para>
+		  One common configuration to share a cache would be to
+		  allow all views to share a single cache.
+		  This can be done by specifying
+		  the <command>attach-cache</command> as a global
+		  option with an arbitrary name.
+		</para>
+
+		<para>
+		  Another possible operation is to allow a subset of
+		  all views to share a cache while the others to
+		  retain their own caches.
+		  For example, if there are three views A, B, and C,
+		  and only A and B should share a cache, specify the
+		  <command>attach-cache</command> option as a view A (or
+		  B)'s option, referring to the other view name:
+		</para>
+
+<programlisting>
+  view "A" {
+    // this view has its own cache
+    ...
+  };
+  view "B" {
+    // this view refers to A's cache
+    attach-cache "A";
+  };
+  view "C" {
+    // this view has its own cache
+    ...
+  };
+</programlisting>
+
+		<para>
+		  Views that share a cache must have the same policy
+		  on configurable parameters that may affect caching.
+		  The current implementation requires the following
+		  configurable options be consistent among these
+		  views:
+		  <command>check-names</command>,
+		  <command>cleaning-interval</command>,
+		  <command>dnssec-accept-expired</command>,
+		  <command>dnssec-validation</command>,
+		  <command>max-cache-ttl</command>,
+		  <command>max-ncache-ttl</command>,
+		  <command>max-cache-size</command>, and
+		  <command>zero-no-soa-ttl</command>.
+		</para>
+
+		<para>
+		  Note that there may be other parameters that may
+		  cause confusion if they are inconsistent for
+		  different views that share a single cache.
+		  For example, if these views define different sets of
+		  forwarders that can return different answers for the
+		  same question, sharing the answer does not make
+		  sense or could even be harmful.
+		  It is administrator's responsibility to ensure
+		  configuration differences in different views do
+		  not cause disruption with a shared cache.
+		</para>
+              </listitem>
+
+            </varlistentry>
+
           <varlistentry>
             <term><command>directory</command></term>
             <listitem>
@@ -5066,6 +5276,19 @@ category notify { null; };
           </varlistentry>
 
           <varlistentry>
+            <term><command>bindkeys-file</command></term>
+            <listitem>
+              <para>
+                The pathname of a file to override the built-in trusted
+		keys provided by named.  See the discussion of
+		<command>dnssec-lookaside</command> for details.
+                If not specified, the default is
+		<filename>/etc/bind.keys</filename>.
+              </para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
             <term><command>port</command></term>
             <listitem>
               <para>
@@ -5183,21 +5406,27 @@ options {
             <term><command>dnssec-lookaside</command></term>
             <listitem>
               <para>
-                When set, <command>dnssec-lookaside</command>
-                provides the
-                validator with an alternate method to validate DNSKEY records
-                at the
-                top of a zone.  When a DNSKEY is at or below a domain
-                specified by the
-                deepest <command>dnssec-lookaside</command>, and
-                the normal DNSSEC validation
-                has left the key untrusted, the trust-anchor will be append to
-                the key
-                name and a DLV record will be looked up to see if it can
-                validate the
-                key.  If the DLV record validates a DNSKEY (similarly to the
-                way a DS
-                record does) the DNSKEY RRset is deemed to be trusted.
+		When set, <command>dnssec-lookaside</command> provides the
+		validator with an alternate method to validate DNSKEY
+		records at the top of a zone.  When a DNSKEY is at or
+		below a domain specified by the deepest
+		<command>dnssec-lookaside</command>, and the normal dnssec
+		validation has left the key untrusted, the trust-anchor
+		will be append to the key name and a DLV record will be
+		looked up to see if it can validate the key.  If the DLV
+		record validates a DNSKEY (similarly to the way a DS record
+		does) the DNSKEY RRset is deemed to be trusted.
+	      </para>
+	      <para>
+		If <command>dnssec-lookaside</command> is set to
+		"auto", then built-in default values for
+		the domain and trust anchor will be used, along
+		with a built-in key for validation.
+	      </para>
+	      <para>
+		NOTE: Since the built-in key may expire, it can be
+		overridden without recompiling named by placing a new key
+		in the file <filename>bind.keys</filename>.
               </para>
             </listitem>
           </varlistentry>
@@ -5206,17 +5435,14 @@ options {
             <term><command>dnssec-must-be-secure</command></term>
             <listitem>
               <para>
-                Specify hierarchies which must be or may not be secure (signed and
-                validated).
-                If <userinput>yes</userinput>, then <command>named</command> will only accept
-                answers if they
-                are secure.
-                If <userinput>no</userinput>, then normal DNSSEC validation
-                applies
-                allowing for insecure answers to be accepted.
-                The specified domain must be under a <command>trusted-key</command> or
-                <command>dnssec-lookaside</command> must be
-                active.
+                Specify hierarchies which must be or may not be secure
+                (signed and validated).  If <userinput>yes</userinput>,
+                then <command>named</command> will only accept answers if
+                they are secure.  If <userinput>no</userinput>, then normal
+                DNSSEC validation applies allowing for insecure answers to
+                be accepted.  The specified domain must be under a
+                <command>trusted-key</command> or
+                <command>dnssec-lookaside</command> must be active.
               </para>
             </listitem>
           </varlistentry>
@@ -7500,20 +7726,26 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
           </para>
 
 <programlisting>sortlist {
-    { localhost;                                   // IF   the local host
-        { localnets;                               // THEN first fit on the
-            192.168.1/24;                          //   following nets
+    // IF the local host
+    // THEN first fit on the following nets
+    { localhost;
+        { localnets;
+            192.168.1/24;
             { 192.168.2/24; 192.168.3/24; }; }; };
-    { 192.168.1/24;                                // IF   on class C 192.168.1
-        { 192.168.1/24;                            // THEN use .1, or .2 or .3
+    // IF on class C 192.168.1 THEN use .1, or .2 or .3
+    { 192.168.1/24;
+        { 192.168.1/24;
             { 192.168.2/24; 192.168.3/24; }; }; };
-    { 192.168.2/24;                                // IF   on class C 192.168.2
-        { 192.168.2/24;                            // THEN use .2, or .1 or .3
+    // IF on class C 192.168.2 THEN use .2, or .1 or .3
+    { 192.168.2/24;
+        { 192.168.2/24;
             { 192.168.1/24; 192.168.3/24; }; }; };
-    { 192.168.3/24;                                // IF   on class C 192.168.3
-        { 192.168.3/24;                            // THEN use .3, or .1 or .2
+    // IF on class C 192.168.3 THEN use .3, or .1 or .2
+    { 192.168.3/24;
+        { 192.168.3/24;
             { 192.168.1/24; 192.168.2/24; }; }; };
-    { { 192.168.4/24; 192.168.5/24; };             // if .4 or .5, prefer that net
+    // IF .4 or .5 THEN prefer that net
+    { { 192.168.4/24; 192.168.5/24; };
     };
 };</programlisting>
 
@@ -8248,6 +8480,142 @@ XXX: end of RFC1918 addresses #defined out -->
 
         </sect3>
 
+        <sect3>
+          <title>Content Filtering</title>
+	  <para>
+	    <acronym>BIND</acronym> 9 provides the ability to filter
+	    out DNS responses from external DNS servers containing
+	    certain types of data in the answer section.
+	    Specifically, it can reject address (A or AAAA) records if
+	    the corresponding IPv4 or IPv6 addresses match the given
+	    <varname>address_match_list</varname> of the
+	    <command>deny-answer-addresses</command> option.
+	    It can also reject CNAME or DNAME records if the "alias"
+	    name (i.e., the CNAME alias or the substituted query name
+	    due to DNAME) matches the
+	    given <varname>namelist</varname> of the
+	    <command>deny-answer-aliases</command> option, where
+	    "match" means the alias name is a subdomain of one of
+	    the <varname>name_list</varname> elements.
+	    If the optional <varname>namelist</varname> is specified
+	    with <command>except-from</command>, records whose query name
+	    matches the list will be accepted regardless of the filter
+	    setting.
+	    Likewise, if the alias name is a subdomain of the
+	    corresponding zone, the <command>deny-answer-aliases</command>
+	    filter will not apply;
+	    for example, even if "example.com" is specified for
+	    <command>deny-answer-aliases</command>,
+	  </para>
+<programlisting>www.example.com. CNAME xxx.example.com.</programlisting>
+
+	  <para>
+	    returned by an "example.com" server will be accepted.
+	  </para>
+
+	  <para>
+	    In the <varname>address_match_list</varname> of the
+	    <command>deny-answer-addresses</command> option, only
+            <varname>ip_addr</varname>
+	    and <varname>ip_prefix</varname>
+	    are meaningful;
+	    any <varname>key_id</varname> will be silently ignored.
+	  </para>
+
+	  <para>
+	    If a response message is rejected due to the filtering,
+	    the entire message is discarded without being cached, and
+	    a SERVFAIL error will be returned to the client.
+	  </para>
+
+	  <para>
+	    This filtering is intended to prevent "DNS rebinding attacks," in
+	    which an attacker, in response to a query for a domain name the
+	    attacker controls, returns an IP address within your own network or
+	    an alias name within your own domain.
+	    A naive web browser or script could then serve as an
+	    unintended proxy, allowing the attacker
+	    to get access to an internal node of your local network
+	    that couldn't be externally accessed otherwise.
+	    See the paper available at
+	    <ulink>
+	    http://portal.acm.org/citation.cfm?id=1315245.1315298
+	    </ulink>
+	    for more details about the attacks.
+	  </para>
+
+	  <para>
+	    For example, if you own a domain named "example.net" and
+	    your internal network uses an IPv4 prefix 192.0.2.0/24,
+	    you might specify the following rules:
+	  </para>
+
+<programlisting>deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
+deny-answer-aliases { "example.net"; };
+</programlisting>
+
+	  <para>
+	    If an external attacker lets a web browser in your local
+	    network look up an IPv4 address of "attacker.example.com",
+	    the attacker's DNS server would return a response like this:
+	  </para>
+
+<programlisting>attacker.example.com. A 192.0.2.1</programlisting>
+
+	  <para>
+	    in the answer section.
+	    Since the rdata of this record (the IPv4 address) matches
+	    the specified prefix 192.0.2.0/24, this response will be
+	    ignored.
+	  </para>
+
+	  <para>
+	    On the other hand, if the browser looks up a legitimate
+	    internal web server "www.example.net" and the
+	    following response is returned to
+	    the <acronym>BIND</acronym> 9 server
+	  </para>
+
+<programlisting>www.example.net. A 192.0.2.2</programlisting>
+
+	  <para>
+	    it will be accepted since the owner name "www.example.net"
+	    matches the <command>except-from</command> element,
+	    "example.net".
+	  </para>
+
+	  <para>
+	    Note that this is not really an attack on the DNS per se.
+	    In fact, there is nothing wrong for an "external" name to
+	    be mapped to your "internal" IP address or domain name
+	    from the DNS point of view.
+	    It might actually be provided for a legitimate purpose,
+	    such as for debugging.
+	    As long as the mapping is provided by the correct owner,
+	    it is not possible or does not make sense to detect
+	    whether the intent of the mapping is legitimate or not
+	    within the DNS.
+	    The "rebinding" attack must primarily be protected at the
+	    application that uses the DNS.
+	    For a large site, however, it may be difficult to protect
+	    all possible applications at once.
+	    This filtering feature is provided only to help such an
+	    operational environment;
+	    it is generally discouraged to turn it on unless you are
+	    very sure you have no other choice and the attack is a
+	    real threat for your applications.
+	  </para>
+
+	  <para>
+	    Care should be particularly taken if you want to use this
+	    option for addresses within 127.0.0.0/8.
+	    These addresses are obviously "internal", but many
+	    applications conventionally rely on a DNS mapping from
+	    some name to such an address.
+	    Filtering out DNS records containing this address
+	    spuriously can break such applications.
+	  </para>
+	</sect3>
       </sect2>
 
       <sect2 id="server_statement_grammar">
@@ -8267,8 +8635,10 @@ XXX: end of RFC1918 addresses #defined out -->
     <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
-    <optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
+    <optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
+                  <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
+    <optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
+                     <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
     <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
     <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
     <optional> queryport-pool-interval <replaceable>number</replaceable>; </optional>
@@ -8466,7 +8836,8 @@ XXX: end of RFC1918 addresses #defined out -->
         <title><command>statistics-channels</command> Statement Grammar</title>
 
 <programlisting><command>statistics-channels</command> {
-   [ inet ( ip_addr | * ) [ port ip_port ] [allow { <replaceable> address_match_list </replaceable> } ]; ]
+   [ inet ( ip_addr | * ) [ port ip_port ]
+   [ allow { <replaceable> address_match_list </replaceable> } ]; ]
    [ inet ...; ]
 };
 </programlisting>
@@ -8572,6 +8943,19 @@ XXX: end of RFC1918 addresses #defined out -->
 	    in the key data, so the configuration may be split up into
 	    multiple lines.
 	  </para>
+	  <para>
+	    <command>trusted-keys</command> may be set at the top level
+	    of <filename>named.conf</filename> or within a view.  If it is
+	    set in both places, they are additive: keys defined at the top
+	    level are inherited by all views, but keys defined in a view
+	    are only used within that view.
+	  </para>
+	  <para>
+	    In addition to keys specified in
+	    <command>trusted-keys</command> statements, if the
+	    <command>dnssec-lookaside</command> option is set to "auto",
+	    named will also load a built-in trusted key for dlv.isc.org.
+	  </para>
 	</sect2>
 
         <sect2 id="view_statement_grammar">
@@ -8686,11 +9070,12 @@ XXX: end of RFC1918 addresses #defined out -->
       // This should match our internal networks.
       match-clients { 10.0.0.0/8; };
 
-      // Provide recursive service to internal clients only.
+      // Provide recursive service to internal
+      // clients only.
       recursion yes;
 
-      // Provide a complete view of the example.com zone
-      // including addresses of internal hosts.
+      // Provide a complete view of the example.com
+      // zone including addresses of internal hosts.
       zone "example.com" {
             type master;
             file "example-internal.db";
@@ -8698,14 +9083,15 @@ XXX: end of RFC1918 addresses #defined out -->
 };
 
 view "external" {
-      // Match all clients not matched by the previous view.
+      // Match all clients not matched by the
+      // previous view.
       match-clients { any; };
 
       // Refuse recursive service to external clients.
       recursion no;
 
-      // Provide a restricted view of the example.com zone
-      // containing only publicly accessible hosts.
+      // Provide a restricted view of the example.com
+      // zone containing only publicly accessible hosts.
       zone "example.com" {
            type master;
            file "example-external.db";
@@ -8725,7 +9111,8 @@ view "external" {
     <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional>
-    <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
+    <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ;
+                  <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
     <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
     <optional> check-mx (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
     <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
@@ -8773,7 +9160,8 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
     <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
     <optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
-    <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
+    <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ;
+                  <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
     <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
     <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
     <optional> file <replaceable>string</replaceable> ; </optional>
@@ -8786,7 +9174,9 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
     <optional> ixfr-from-differences <replaceable>yes_or_no</replaceable>; </optional>
     <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
     <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
+    <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable>
+                              <optional>port <replaceable>ip_port</replaceable></optional>
+                              <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
     <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
     <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
     <optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
@@ -8799,7 +9189,8 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
     <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+    <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>)
+                             <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
     <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
@@ -8817,7 +9208,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
     type hint;
     file <replaceable>string</replaceable> ;
     <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
-    <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; // Not Implemented. </optional>
+    <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional> // Not Implemented.
 };
 
 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
@@ -8831,14 +9222,18 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
     <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
     <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
     <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
-    <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
+    <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable>
+                              <optional>port <replaceable>ip_port</replaceable></optional>
+                              <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
     <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
     <optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
     <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
     <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+    <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>)
+                         <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-    <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+    <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>)
+                            <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
     <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> database <replaceable>string</replaceable> ; </optional>
@@ -9338,6 +9733,19 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
               </varlistentry>
 
               <varlistentry>
+                <term><command>ddns-autoconf</command></term>
+                <listitem>
+                  <para>
+                    If this flag is set to <userinput>yes</userinput> in
+                    a master zone, the zone will be set to allow dynamic
+                    updates using a TSIG session key generated by
+                    <command>named</command> and stored in a file for use
+                    by <command>nsupdate -l</command> on the local system,
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
                 <term><command>forward</command></term>
                 <listitem>
                   <para>
@@ -9719,7 +10127,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
             </para>
 
 <programlisting>
-( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <replaceable>name</replaceable> <optional> <replaceable>types</replaceable> </optional>
+( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <optional> <replaceable>name</replaceable> </optional> <optional> <replaceable>types</replaceable> </optional>
 </programlisting>
 
             <para>
@@ -9765,7 +10173,8 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
 	      <varname>krb5-self</varname>, <varname>ms-self</varname>,
 	      <varname>krb5-subdomain</varname>,
 	      <varname>ms-subdomain</varname>,
-	      <varname>tcp-self</varname> and <varname>6to4-self</varname>.
+	      <varname>tcp-self</varname>, <varname>6to4-self</varname>,
+	      and <varname>zonesub</varname>.
             </para>
             <informaltable>
               <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
@@ -9803,6 +10212,28 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
 		  <row rowsep="0">
 		    <entry colname="1">
 		      <para>
+			<varname>zonesub</varname>
+		      </para>
+		    </entry> <entry colname="2">
+		      <para>
+			This rule is similar to subdomain, except that
+			it matches when the name being updated is a
+			subdomain of the zone in which the
+			<command>update-policy</command> statement
+			appears.  This obviates the need to type the zone
+			name twice, and enables the use of a standard
+			<command>update-policy</command> statement in
+			multiple zones without modification.
+		      </para>
+		      <para>
+                        When this rule is used, the
+                        <replaceable>name</replaceable> field is omitted.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para>
 			<varname>wildcard</varname>
 		      </para>
 		    </entry> <entry colname="2">
@@ -11206,6 +11637,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
             and <command>$TTL.</command>
           </para>
           <sect3>
+            <title>The <command>@</command> (at-sign)</title>
+            <para>
+              When used in the label (or name) field, the asperand or
+              at-sign (@) symbol represents the current origin.
+              At the start of the zone file, it is the 
+              &lt;<varname>zone_name</varname>&gt; (followed by
+              trailing dot).
+            </para>
+          </sect3>
+          <sect3>
             <title>The <command>$ORIGIN</command> Directive</title>
             <para>
               Syntax: <command>$ORIGIN</command>
@@ -11216,7 +11657,8 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
 	      sets the domain name that will be appended to any
               unqualified records. When a zone is first read in there
               is an implicit <command>$ORIGIN</command>
-              &lt;<varname>zone-name</varname>&gt;<command>.</command>
+              &lt;<varname>zone_name</varname>&gt;<command>.</command>
+              (followed by trailing dot).
               The current <command>$ORIGIN</command> is appended to
               the domain specified in the <command>$ORIGIN</command>
               argument if it is not absolute.
@@ -11310,7 +11752,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
           </para>
 
 <programlisting>$ORIGIN 0.0.192.IN-ADDR.ARPA.
-$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
+$GENERATE 1-2 @ NS SERVER$.EXAMPLE.
 $GENERATE 1-127 $ CNAME $.0</programlisting>
 
           <para>
@@ -11325,6 +11767,32 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
 </programlisting>
 
+	   <para>
+	    Generate a set of A and MX records.  Note the MX's right hand
+	    side is a quoted string.  The quotes will be stripped when the
+	    right hand side is processed.
+	   </para>
+
+<programlisting>
+$ORIGIN EXAMPLE.
+$GENERATE 1-127 HOST-$ A 1.2.3.$
+$GENERATE 1-127 HOST-$ MX "0 ."</programlisting>
+
+          <para>
+            is equivalent to
+          </para>
+
+<programlisting>HOST-1.EXAMPLE.   A  1.2.3.1
+HOST-1.EXAMPLE.   MX 0 .
+HOST-2.EXAMPLE.   A  1.2.3.2
+HOST-2.EXAMPLE.   MX 0 .
+HOST-3.EXAMPLE.   A  1.2.3.3
+HOST-3.EXAMPLE.   MX 0 .
+...
+HOST-127.EXAMPLE. A  1.2.3.127
+HOST-127.EXAMPLE. MX 0 .
+</programlisting>
+
           <informaltable colsep="0" rowsep="0">
             <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
                         <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
@@ -11374,20 +11842,30 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
 
 		      Available output forms are decimal
                       (<command>d</command>), octal
-                      (<command>o</command>) and hexadecimal
+                      (<command>o</command>), hexadecimal
                       (<command>x</command> or <command>X</command>
-                      for uppercase).  The default modifier is
+                      for uppercase) and nibble
+		      (<command>n</command> or <command>N</command>\
+		      for uppercase).  The default modifier is
                       <command>${0,0,d}</command>.  If the
                       <command>lhs</command> is not absolute, the
                       current <command>$ORIGIN</command> is appended
                       to the name.
                     </para>
-                    <para>
-                      For compatibility with earlier versions, <command>$$</command> is still
-                      recognized as indicating a literal $ in the output.
-                    </para>
-                  </entry>
-                </row>
+		    <para>
+		      In nibble mode the value will be treated as
+		      a if it was a reversed hexadecimal string
+		      with each hexadecimal digit as a seperate
+		      label.  The width field includes the label
+		      seperator.
+		    </para>
+		    <para>
+		      For compatibility with earlier versions,
+		      <command>$$</command> is still recognized as
+		      indicating a literal $ in the output.
+		    </para>
+		  </entry>
+		</row>
                 <row rowsep="0">
                   <entry colname="1">
                     <para><command>ttl</command></para>
@@ -11426,8 +11904,7 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
                   </entry>
                   <entry colname="2">
                     <para>
-                      At present the only supported types are
-                      PTR, CNAME, DNAME, A, AAAA and NS.
+		      Any valid type.
                     </para>
                   </entry>
                 </row>
@@ -11437,8 +11914,7 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
                   </entry>
                   <entry colname="2">
                     <para>
-                      <command>rhs</command> is a domain name. It is processed
-                      similarly to lhs.
+                      <command>rhs</command>, optionally, quoted string.
                     </para>
                   </entry>
                 </row>
@@ -11597,9 +12073,12 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
                 </entry>
                 <entry colname="2">
                   <para>
-                    The number of RRsets per RR type (positive
-                    or negative) and nonexistent names stored in the
-                    cache database.
+		    The number of RRsets per RR type and nonexistent
+		    names stored in the cache database.
+		    If the exclamation mark (!) is printed for a RR
+		    type, it means that particular type of RRset is
+		    known to be nonexistent (this is also known as
+		    "NXRRSET").
 		    Maintained per view.
                   </para>
                 </entry>
@@ -12568,6 +13047,13 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
 		    <entry colname="3">
 		      <para>
 			Mismatch responses received.
+			The DNS ID, response's source address,
+			and/or the response's source port does not
+			match what was expected.
+			(The port must be 53 or as defined by
+			the <command>port</command> option.)
+			This may be an indication of a cache
+			poisoning attempt.
 		      </para>
 		    </entry>
 		  </row>
@@ -13035,14 +13521,17 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
         </para>
 
 <programlisting>
-// Set up an ACL named "bogusnets" that will block RFC1918 space
-// and some reserved space, which is commonly used in spoofing attacks.
+// Set up an ACL named "bogusnets" that will block
+// RFC1918 space and some reserved space, which is
+// commonly used in spoofing attacks.
 acl bogusnets {
-	0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
-	10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
+        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24;
+        224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12;
+        192.168.0.0/16;
 };
 
-// Set up an ACL called our-nets. Replace this with the real IP numbers.
+// Set up an ACL called our-nets. Replace this with the
+// real IP numbers.
 acl our-nets { x.x.x.x/24; x.x.x.x/21; };
 options {
   ...
@@ -14702,7 +15191,8 @@ zone "example.com" {
       <xi:include href="../../bin/nsupdate/nsupdate.docbook"/>
       <xi:include href="../../bin/rndc/rndc.docbook"/>
       <xi:include href="../../bin/rndc/rndc.conf.docbook"/>
-      <xi:include href="../../bin/rndc/rndc-confgen.docbook"/>
+      <xi:include href="../../bin/confgen/rndc-confgen.docbook"/>
+      <xi:include href="../../bin/confgen/ddns-confgen.docbook"/>
     </reference>
 
   </book>
diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index 320a8675..6a565dc0 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch01.html,v 1.43.48.2 2009/04/03 01:52:22 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch01.html,v 1.45 2009/02/26 01:12:16 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html
index 831e7a12..84d4a189 100644
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch02.html,v 1.38.56.1 2009/01/08 01:50:59 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch02.html,v 1.40 2009/02/24 01:12:23 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -128,9 +128,9 @@
 <p>
         ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large
         number
-        of Unix-like operating systems and on NT-derived versions of
-        Microsoft Windows such as Windows 2000 and Windows XP.  For an
-        up-to-date
+        of Unix-like operating systems and on 
+        Microsoft Windows Server 2003 and 2008, and Windows XP and Vista.
+        For an up-to-date
         list of supported systems, see the README file in the top level
         directory
         of the BIND 9 source distribution.
diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index 99648231..f0ce4745 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch03.html,v 1.71.48.2 2009/04/03 01:52:21 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch03.html,v 1.75 2009/05/15 01:15:46 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -82,10 +82,13 @@
 // Two corporate subnets we wish to allow queries from.
 acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
 options {
-     directory "/etc/namedb";           // Working directory
+     // Working directory
+     directory "/etc/namedb";
+
      allow-query { corpnets; };
 };
-// Provide a reverse mapping for the loopback address 127.0.0.1
+// Provide a reverse mapping for the loopback
+// address 127.0.0.1
 zone "0.0.127.in-addr.arpa" {
      type master;
      file "localhost.rev";
@@ -103,13 +106,18 @@ zone "0.0.127.in-addr.arpa" {
         </p>
 <pre class="programlisting">
 options {
-     directory "/etc/namedb";           // Working directory
-     allow-query-cache { none; };       // Do not allow access to cache
-     allow-query { any; };              // This is the default
-     recursion no;                      // Do not provide recursive service
+     // Working directory
+     directory "/etc/namedb";
+     // Do not allow access to cache
+     allow-query-cache { none; };
+     // This is the default
+     allow-query { any; };
+     // Do not provide recursive service
+     recursion no;
 };
 
-// Provide a reverse mapping for the loopback address 127.0.0.1
+// Provide a reverse mapping for the loopback
+// address 127.0.0.1
 zone "0.0.127.in-addr.arpa" {
      type master;
      file "localhost.rev";
@@ -119,7 +127,8 @@ zone "0.0.127.in-addr.arpa" {
 zone "example.com" {
      type master;
      file "example.com.db";
-     // IP addresses of slave servers allowed to transfer example.com
+     // IP addresses of slave servers allowed to
+     // transfer example.com
      allow-transfer {
           192.168.4.14;
           192.168.5.53;
@@ -699,7 +708,8 @@ zone "eng.example.com" {
 <pre class="programlisting">
 key rndc_key {
      algorithm "hmac-md5";
-     secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+     secret
+       "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
 };
 options {
      default-server 127.0.0.1;
@@ -721,7 +731,8 @@ options {
                 </p>
 <pre class="programlisting">
 controls {
-        inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
+        inet 127.0.0.1
+            allow { localhost; } keys { rndc_key; };
 };
 </pre>
 <p>
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index 123098e1..6d3980ef 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch04.html,v 1.87.48.2 2009/04/03 01:52:21 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch04.html,v 1.96 2009/06/17 23:12:09 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -49,29 +49,29 @@
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2564066">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564084">Example split DNS setup</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570510">Split DNS</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570529">Example split DNS setup</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571141">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571214">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571225">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571268">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571325">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571510">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571030">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571104">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571114">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563989">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564115">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564163">Errors</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571524">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571709">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571549">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571598">SIG(0)</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571778">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571925">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572006">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571803">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571950">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572032">Configuring Servers</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572220">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572201">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572282">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572304">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572400">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572421">Address to Name Lookups Using Nibble Format</a></span></dt>
 </dl></dd>
 </dl>
 </div>
@@ -113,11 +113,20 @@
       </p>
 <p>
         Dynamic update is enabled by including an
-        <span><strong class="command">allow-update</strong></span> or <span><strong class="command">update-policy</strong></span>
-        clause in the <span><strong class="command">zone</strong></span> statement.  The
-        <span><strong class="command">tkey-gssapi-credential</strong></span> and
+        <span><strong class="command">allow-update</strong></span>, <span><strong class="command">update-policy</strong></span>
+        clause in the <span><strong class="command">zone</strong></span> statement, or by setting the
+        <span><strong class="command">ddns-autconf</strong></span> option to <strong class="userinput"><code>yes</code></strong>.
+      </p>
+<p>
+        If the zone's <span><strong class="command">ddns-autoconf</strong></span> option is set to
+        <strong class="userinput"><code>yes</code></strong>, then updates to the zone
+        will be permitted for the key <code class="filename">ddns.key</code>,
+        which will be generated by <span><strong class="command">named</strong></span> at startup.
+      </p>
+<p>
+        The <span><strong class="command">tkey-gssapi-credential</strong></span> and
         <span><strong class="command">tkey-domain</strong></span> clauses in the
-        <span><strong class="command">options</strong></span>        statement enable the
+        <span><strong class="command">options</strong></span> statement enable the
         server to negotiate keys that can be matched against those
         in <span><strong class="command">update-policy</strong></span> or
         <span><strong class="command">allow-update</strong></span>.
@@ -210,7 +219,7 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564066"></a>Split DNS</h2></div></div></div>
+<a name="id2570510"></a>Split DNS</h2></div></div></div>
 <p>
         Setting up different views, or visibility, of the DNS space to
         internal and external resolvers is usually referred to as a
@@ -240,7 +249,7 @@
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2564084"></a>Example split DNS setup</h3></div></div></div>
+<a name="id2570529"></a>Example split DNS setup</h3></div></div></div>
 <p>
         Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
         (<code class="literal">example.com</code>)
@@ -270,7 +279,7 @@
         and <code class="filename">site2.example.com</code>, to the servers
         in the
         DMZ. These internal servers will have complete sets of information
-        for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>,<span class="emphasis"><em></em></span> <code class="filename">site1.internal</code>,
+        for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>, <code class="filename">site1.internal</code>,
         and <code class="filename">site2.internal</code>.
       </p>
 <p>
@@ -368,26 +377,32 @@ options {
     ...
     ...
     forward only;
-    forwarders {                                // forward to external servers
+    // forward to external servers
+    forwarders {
         <code class="varname">bastion-ips-go-here</code>;
     };
-    allow-transfer { none; };                   // sample allow-transfer (no one)
-    allow-query { internals; externals; };      // restrict query access
-    allow-recursion { internals; };             // restrict recursion
+    // sample allow-transfer (no one)
+    allow-transfer { none; };
+    // restrict query access
+    allow-query { internals; externals; };
+    // restrict recursion
+    allow-recursion { internals; };
     ...
     ...
 };
 
-zone "site1.example.com" {                      // sample master zone
+// sample master zone
+zone "site1.example.com" {
   type master;
   file "m/site1.example.com";
-  forwarders { };                               // do normal iterative
-                                                // resolution (do not forward)
+  // do normal iterative resolution (do not forward)
+  forwarders { };
   allow-query { internals; externals; };
   allow-transfer { internals; };
 };
 
-zone "site2.example.com" {                      // sample slave zone
+// sample slave zone
+zone "site2.example.com" {
   type slave;
   file "s/site2.example.com";
   masters { 172.16.72.3; };
@@ -424,15 +439,20 @@ acl externals { bastion-ips-go-here; };
 options {
   ...
   ...
-  allow-transfer { none; };                     // sample allow-transfer (no one)
-  allow-query { any; };                         // default query access
-  allow-query-cache { internals; externals; };  // restrict cache access
-  allow-recursion { internals; externals; };    // restrict recursion
+  // sample allow-transfer (no one)
+  allow-transfer { none; };
+  // default query access
+  allow-query { any; };
+  // restrict cache access
+  allow-query-cache { internals; externals; };
+  // restrict recursion
+  allow-recursion { internals; externals; };
   ...
   ...
 };
 
-zone "site1.example.com" {                      // sample slave zone
+// sample slave zone
+zone "site1.example.com" {
   type master;
   file "m/site1.foo.com";
   allow-transfer { internals; externals; };
@@ -486,7 +506,7 @@ nameserver 172.16.72.4
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571141"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
+<a name="id2571030"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
 <p>
           A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
           An arbitrary key name is chosen: "host1-host2.". The key name must
@@ -494,7 +514,7 @@ nameserver 172.16.72.4
         </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2571158"></a>Automatic Generation</h4></div></div></div>
+<a name="id2571047"></a>Automatic Generation</h4></div></div></div>
 <p>
             The following command will generate a 128-bit (16 byte) HMAC-MD5
             key as described above. Longer keys are better, but shorter keys
@@ -519,7 +539,7 @@ nameserver 172.16.72.4
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2571196"></a>Manual Generation</h4></div></div></div>
+<a name="id2571085"></a>Manual Generation</h4></div></div></div>
 <p>
             The shared secret is simply a random sequence of bits, encoded
             in base-64. Most ASCII strings are valid base-64 strings (assuming
@@ -534,7 +554,7 @@ nameserver 172.16.72.4
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571214"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
+<a name="id2571104"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
 <p>
           This is beyond the scope of DNS. A secure transport mechanism
           should be used. This could be secure FTP, ssh, telephone, etc.
@@ -542,7 +562,7 @@ nameserver 172.16.72.4
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571225"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
+<a name="id2571114"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
 <p>
           Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
           are
@@ -571,7 +591,7 @@ key host1-host2. {
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571268"></a>Instructing the Server to Use the Key</h3></div></div></div>
+<a name="id2563989"></a>Instructing the Server to Use the Key</h3></div></div></div>
 <p>
           Since keys are shared between two hosts only, the server must
           be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
@@ -603,7 +623,7 @@ server 10.1.2.3 {
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571325"></a>TSIG Key Based Access Control</h3></div></div></div>
+<a name="id2564115"></a>TSIG Key Based Access Control</h3></div></div></div>
 <p>
           <acronym class="acronym">BIND</acronym> allows IP addresses and ranges
           to be specified in ACL
@@ -631,7 +651,7 @@ allow-update { key host1-host2. ;};
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571510"></a>Errors</h3></div></div></div>
+<a name="id2564163"></a>Errors</h3></div></div></div>
 <p>
           The processing of TSIG signed messages can result in
           several errors. If a signed message is sent to a non-TSIG aware
@@ -657,7 +677,7 @@ allow-update { key host1-host2. ;};
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571524"></a>TKEY</h2></div></div></div>
+<a name="id2571549"></a>TKEY</h2></div></div></div>
 <p><span><strong class="command">TKEY</strong></span>
         is a mechanism for automatically generating a shared secret
         between two hosts.  There are several "modes" of
@@ -693,7 +713,7 @@ allow-update { key host1-host2. ;};
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571709"></a>SIG(0)</h2></div></div></div>
+<a name="id2571598"></a>SIG(0)</h2></div></div></div>
 <p>
         <acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
             transaction signatures as specified in RFC 2535 and RFC 2931.
@@ -754,7 +774,7 @@ allow-update { key host1-host2. ;};
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571778"></a>Generating Keys</h3></div></div></div>
+<a name="id2571803"></a>Generating Keys</h3></div></div></div>
 <p>
           The <span><strong class="command">dnssec-keygen</strong></span> program is used to
           generate keys.
@@ -810,7 +830,7 @@ allow-update { key host1-host2. ;};
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571925"></a>Signing the Zone</h3></div></div></div>
+<a name="id2571950"></a>Signing the Zone</h3></div></div></div>
 <p>
           The <span><strong class="command">dnssec-signzone</strong></span> program is used
           to sign a zone.
@@ -852,18 +872,21 @@ allow-update { key host1-host2. ;};
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2572006"></a>Configuring Servers</h3></div></div></div>
+<a name="id2572032"></a>Configuring Servers</h3></div></div></div>
 <p>
           To enable <span><strong class="command">named</strong></span> to respond appropriately
           to DNS requests from DNSSEC aware clients,
           <span><strong class="command">dnssec-enable</strong></span> must be set to yes.
+          (This is the default setting.)
         </p>
 <p>
           To enable <span><strong class="command">named</strong></span> to validate answers from
-          other servers both <span><strong class="command">dnssec-enable</strong></span> and
-          <span><strong class="command">dnssec-validation</strong></span> must be set and some
-          <span><strong class="command">trusted-keys</strong></span> must be configured
-          into <code class="filename">named.conf</code>.
+          other servers, the <span><strong class="command">dnssec-enable</strong></span> and
+          <span><strong class="command">dnssec-validation</strong></span> options must both be
+          set to yes (the default setting in <acronym class="acronym">BIND</acronym> 9.5
+          and later), and at least one trust anchor must be configured
+          with a <span><strong class="command">trusted-keys</strong></span> statement in
+          <code class="filename">named.conf</code>.
         </p>
 <p>
           <span><strong class="command">trusted-keys</strong></span> are copies of DNSKEY RRs
@@ -897,32 +920,45 @@ allow-update { key host1-host2. ;};
 trusted-keys {
 
         /* Root Key */
-"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
-             E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
-             zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
-             MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
-             /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
-             iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
-             Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
+"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
+             JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
+             aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
+             4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
+             hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
+             5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
+             g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
+             66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
+             97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
+             dgxbcDTClU0CRBdiieyLMNzXG3";
 
 /* Key for our organization's forward zone */
-example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
-                      3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
-                      OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
-                      lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
-                      8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
-                      iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
-                      SCThlHf3xiYleDbt/o1OTQ09A0=";
+example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
+                      5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
+                      GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
+                      4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
+                      kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
+                      g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
+                      TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
+                      FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
+                      F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
+                      /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
+                      1OTQ09A0=";
 
 /* Key for our reverse zone. */
-2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
-                                VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
-                                tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
-                                yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
-                                4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
-                                zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
-                                7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
-                                52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
+2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
+                               xOdNax071L18QqZnQQQAVVr+i
+                               LhGTnNGp3HoWQLUIzKrJVZ3zg
+                               gy3WwNT6kZo6c0tszYqbtvchm
+                               gQC8CzKojM/W16i6MG/eafGU3
+                               siaOdS0yOI6BgPsw+YZdzlYMa
+                               IJGf4M4dyoKIhzdZyQ2bYQrjy
+                               Q4LB0lC7aOnsMyYKHHYeRvPxj
+                               IQXmdqgOJGq+vsevG06zW+1xg
+                               YJh9rCIfnm1GX/KMgxLPG2vXT
+                               D/RnLX+D3T3UL7HJYHJhAZD5L
+                               59VvjSPsZJHeDCUyWYrvPZesZ
+                               DIRvhDD52SKvbheeTJUm6Ehkz
+                               ytNN2SN96QRk8j/iI8ib";
 };
 
 options {
@@ -936,17 +972,50 @@ options {
           None of the keys listed in this example are valid.  In particular,
           the root key is not valid.
         </div>
+<p>
+          When DNSSEC validation is enabled and properly configured,
+          the resolver will reject any answers from signed, secure zones
+          which fail to validate, and will return SERVFAIL to the client.
+        </p>
+<p>
+          Responses may fail to validate for any of several reasons,
+          including missing, expired, or invalid signatures, a key which
+          does not match the DS RRset in the parent zone, or an insecure
+          response from a zone which, according to its parent, should have
+          been secure.  
+        </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+            When the validator receives a response from an unsigned zone
+            that has a signed parent, it must confirm with the parent
+            that the zone was intentionally left unsigned.  It does
+            this by verifying, via signed and validated NSEC/NSEC3 records,
+            that the parent zone contains no DS records for the child.
+          </p>
+<p>
+            If the validator <span class="emphasis"><em>can</em></span> prove that the zone
+            is insecure, then the response is accepted.  However, if it
+            cannot, then it must assume an insecure response to be a
+            forgery; it rejects the response and logs an error.
+          </p>
+<p>
+            The logged error reads "insecurity proof failed" and
+            "got insecure response; parent indicates it should be secure".
+            (Prior to BIND 9.7, the logged error was "not insecure".
+            This referred to the zone, not the response.)
+          </p>
+</div>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2572220"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
+<a name="id2572201"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
 <p>
         <acronym class="acronym">BIND</acronym> 9 fully supports all currently
-        defined forms of IPv6
-        name to address and address to name lookups.  It will also use
-        IPv6 addresses to make queries when running on an IPv6 capable
-        system.
+        defined forms of IPv6 name to address and address to name
+        lookups.  It will also use IPv6 addresses to make queries when
+        running on an IPv6 capable system.
       </p>
 <p>
         For forward lookups, <acronym class="acronym">BIND</acronym> 9 supports
@@ -979,7 +1048,7 @@ options {
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2572282"></a>Address Lookups Using AAAA Records</h3></div></div></div>
+<a name="id2572400"></a>Address Lookups Using AAAA Records</h3></div></div></div>
 <p>
           The IPv6 AAAA record is a parallel to the IPv4 A record,
           and, unlike the deprecated A6 record, specifies the entire
@@ -998,7 +1067,7 @@ host            3600    IN      AAAA    2001:db8::1
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2572304"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
+<a name="id2572421"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
 <p>
           When looking up an address in nibble format, the address
           components are simply reversed, just as in IPv4, and
@@ -1010,7 +1079,8 @@ host            3600    IN      AAAA    2001:db8::1
         </p>
 <pre class="programlisting">
 $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
-1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0   14400 IN      PTR     host.example.com.
+1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  14400   IN    PTR    (
+                                    host.example.com. )
 </pre>
 </div>
 </div>
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index addc97ac..26a0100a 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch05.html,v 1.71.48.2 2009/04/03 01:52:21 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch05.html,v 1.78 2009/06/17 23:12:08 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,13 +45,13 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572337">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572454">The Lightweight Resolver Library</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2572337"></a>The Lightweight Resolver Library</h2></div></div></div>
+<a name="id2572454"></a>The Lightweight Resolver Library</h2></div></div></div>
 <p>
         Traditionally applications have been linked with a stub resolver
         library that sends recursive DNS queries to a local caching name
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 46fd0dd1..569aafb1 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch06.html,v 1.201.14.9 2009/06/03 01:54:40 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch06.html,v 1.224 2009/06/17 23:12:09 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -48,55 +48,55 @@
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573716">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573864">Comment Syntax</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574346"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574563"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574536"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574753"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574965"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574982"><span><strong class="command">include</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575180"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575197"><span><strong class="command">include</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575005"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575029"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575120"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575245"><span><strong class="command">logging</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575221"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575244"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575335"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575461"><span><strong class="command">logging</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577306"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577448"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577512"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577556"><span><strong class="command">masters</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577596"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577670"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577734"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577778"><span><strong class="command">masters</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577571"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577793"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
           Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
             Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586902"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587543"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
             Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586988"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587040"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587629"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587681"><span><strong class="command">trusted-keys</strong></span> Statement Definition
             and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587122"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587853"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
             Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588659"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589322"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2591138">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2591942">Zone File</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593300">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594036">Discussion of MX Records</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593915">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594042">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594368"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594788">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594915">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595120"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
@@ -193,6 +193,19 @@
 <tr>
 <td>
                 <p>
+                  <code class="varname">namelist</code>
+                </p>
+              </td>
+<td>
+                <p>
+                  A list of one or more <code class="varname">domain_name</code>
+                  elements.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
+                <p>
                   <code class="varname">dotted_decimal</code>
                 </p>
               </td>
@@ -461,7 +474,7 @@
 <a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2573414"></a>Syntax</h4></div></div></div>
+<a name="id2573630"></a>Syntax</h4></div></div></div>
 <pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
   [<span class="optional"> address_match_list_element; ... </span>]
 <code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
@@ -470,7 +483,7 @@
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2573442"></a>Definition and Usage</h4></div></div></div>
+<a name="id2573726"></a>Definition and Usage</h4></div></div></div>
 <p>
             Address match lists are primarily used to determine access
             control for various server operations. They are also used in
@@ -554,7 +567,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2573716"></a>Comment Syntax</h3></div></div></div>
+<a name="id2573864"></a>Comment Syntax</h3></div></div></div>
 <p>
           The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
           comments to appear
@@ -564,7 +577,7 @@
         </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2573731"></a>Syntax</h4></div></div></div>
+<a name="id2573879"></a>Syntax</h4></div></div></div>
 <p>
             </p>
 <pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
@@ -573,13 +586,14 @@
 <pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
 <p>
             </p>
-<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells and perl</pre>
+<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
+# and perl</pre>
 <p>
           </p>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2573761"></a>Definition and Usage</h4></div></div></div>
+<a name="id2573909"></a>Definition and Usage</h4></div></div></div>
 <p>
             Comments may appear anywhere that whitespace may appear in
             a <acronym class="acronym">BIND</acronym> configuration file.
@@ -820,7 +834,7 @@
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2574346"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574563"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
     address_match_list
 };
@@ -902,12 +916,14 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2574536"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574753"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">controls</strong></span> {
-   [ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> }
+   [ inet ( ip_addr | * ) [ port ip_port ]
+                allow { <em class="replaceable"><code> address_match_list </code></em> }
                 keys { <em class="replaceable"><code>key_list</code></em> }; ]
    [ inet ...; ]
-   [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em> keys { <em class="replaceable"><code>key_list</code></em> }; ]
+   [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em>
+     keys { <em class="replaceable"><code>key_list</code></em> }; ]
    [ unix ...; ]
 };
 </pre>
@@ -1024,12 +1040,12 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2574965"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575180"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2574982"></a><span><strong class="command">include</strong></span> Statement Definition and
+<a name="id2575197"></a><span><strong class="command">include</strong></span> Statement Definition and
           Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">include</strong></span> statement inserts the
@@ -1044,7 +1060,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2575005"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575221"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
     algorithm <em class="replaceable"><code>string</code></em>;
     secret <em class="replaceable"><code>string</code></em>;
@@ -1053,7 +1069,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2575029"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2575244"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">key</strong></span> statement defines a shared
           secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
@@ -1100,7 +1116,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2575120"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575335"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">logging</strong></span> {
    [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
      ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
@@ -1124,7 +1140,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2575245"></a><span><strong class="command">logging</strong></span> Statement Definition and
+<a name="id2575461"></a><span><strong class="command">logging</strong></span> Statement Definition and
           Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">logging</strong></span> statement configures a
@@ -1158,7 +1174,7 @@
         </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2575298"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
+<a name="id2575513"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
 <p>
             All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
             you can make as many of them as you want.
@@ -1342,32 +1358,30 @@ notrace</strong></span>. All debugging messages in the server have a debug
             used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called &#8220;The <span><strong class="command">category</strong></span> Phrase&#8221;</a>.
           </p>
 <pre class="programlisting">channel default_syslog {
-    syslog daemon;                      // send to syslog's daemon
-                                        // facility
-    severity info;                      // only send priority info
-                                        // and higher
-};
+    // send to syslog's daemon facility
+    syslog daemon;
+    // only send priority info and higher
+    severity info;
 
 channel default_debug {
-    file "named.run";                   // write to named.run in
-                                        // the working directory
-                                        // Note: stderr is used instead
-                                        // of "named.run"
-                                        // if the server is started
-                                        // with the '-f' option.
-    severity dynamic;                   // log at the server's
-                                        // current debug level
+    // write to named.run in the working directory
+    // Note: stderr is used instead of "named.run" if
+    // the server is started with the '-f' option.
+    file "named.run";
+    // log at the server's current debug level
+    severity dynamic;
 };
 
 channel default_stderr {
-    stderr;                             // writes to stderr
-    severity info;                      // only send priority info
-                                        // and higher
+    // writes to stderr
+    stderr;
+    // only send priority info and higher
+    severity info;
 };
 
 channel null {
-   null;                                // toss anything sent to
-                                        // this channel
+   // toss anything sent to this channel
+   null;
 };
 </pre>
 <p>
@@ -1610,12 +1624,13 @@ category notify { null; };
                     <p>
                       The query log entry reports the client's IP
                       address and port number, and the query name,
-                      class and type.  It also reports whether the
+                      class and type.  Next it reports whether the
                       Recursion Desired flag was set (+ if set, -
                       if not set), if the query was signed (S),
                       EDNS was in use (E), if DO (DNSSEC Ok) was
                       set (D), or if CD (Checking Disabled) was set
-                      (C).
+                      (C).  After this the destination address the
+                      query was sent to is reported.
                     </p>
 
                     <p>
@@ -1666,8 +1681,7 @@ category notify { null; };
                     <p>
                       Lame servers.  These are misconfigurations
                       in remote servers, discovered by BIND 9 when trying to
-                      query
-                      those servers during resolution.
+                      query those servers during resolution.
                     </p>
                   </td>
 </tr>
@@ -1724,7 +1738,7 @@ category notify { null; };
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2576793"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
+<a name="id2577077"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
 <p>
             The <span><strong class="command">query-errors</strong></span> category is
             specifically intended for debugging purposes: To identify
@@ -1755,7 +1769,15 @@ category notify { null; };
             The log message will look like as follows:
           </p>
 <p>
-            <code class="computeroutput">fetch completed at resolver.c:2970 for www.example.com/A in 30.000183: timed out/success [domain:example.com,referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]</code>
+
+            </p>
+<pre class="programlisting">
+fetch completed at resolver.c:2970 for www.example.com/A
+in 30.000183: timed out/success [domain:example.com,
+referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
+badresp:1,adberr:0,findfail:0,valfail:0]
+            </pre>
+<p>
           </p>
 <p>
             The first part before the colon shows that a recursive
@@ -1944,13 +1966,14 @@ category notify { null; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2577306"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577596"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
 <p>
            This is the grammar of the <span><strong class="command">lwres</strong></span>
           statement in the <code class="filename">named.conf</code> file:
         </p>
 <pre class="programlisting"><span><strong class="command">lwres</strong></span> {
-    [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
+    [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
+                [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
     [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
     [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>]
@@ -1959,7 +1982,7 @@ category notify { null; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2577448"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2577670"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">lwres</strong></span> statement configures the
           name
@@ -2010,14 +2033,15 @@ category notify { null; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2577512"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577734"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting">
-<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
+<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | 
+      <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2577556"></a><span><strong class="command">masters</strong></span> Statement Definition and
+<a name="id2577778"></a><span><strong class="command">masters</strong></span> Statement Definition and
           Usage</h3></div></div></div>
 <p><span><strong class="command">masters</strong></span>
           lists allow for a common set of masters to be easily used by
@@ -2026,12 +2050,13 @@ category notify { null; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2577571"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577793"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
 <p>
           This is the grammar of the <span><strong class="command">options</strong></span>
           statement in the <code class="filename">named.conf</code> file:
         </p>
 <pre class="programlisting"><span><strong class="command">options</strong></span> {
+    [<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>]
     [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
     [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
     [<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
@@ -2043,6 +2068,7 @@ category notify { null; };
     [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
     [<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
+    [<span class="optional"> bindkeys-file <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
@@ -2068,7 +2094,8 @@ category notify { null; };
     [<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>]
     [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> dnssec-validation <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> dnssec-lookaside <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em>; </span>]
+    [<span class="optional"> dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> | 
+                        <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ); </span>]
     [<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
     [<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
@@ -2133,13 +2160,15 @@ category notify { null; };
     [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
+    [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
+                             [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
     [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
+    [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
+                  [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
     [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>]
@@ -2180,7 +2209,8 @@ category notify { null; };
     [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
     [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>; [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
+    [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>;
+                                [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
     [<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
@@ -2193,6 +2223,8 @@ category notify { null; };
     [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
     [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
+    [<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
+    [<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
 };
 </pre>
 </div>
@@ -2210,6 +2242,91 @@ category notify { null; };
           be used.
         </p>
 <div class="variablelist"><dl>
+<dt><span class="term"><span><strong class="command">attach-cache</strong></span></span></dt>
+<dd>
+<p>
+                  Allows multiple views to share a single cache
+                  database.
+                  Each view has its own cache database by default, but
+                  if multiple views have the same operational policy
+                  for name resolution and caching, those views can
+                  share a single cache to save memory and possibly
+                  improve resolution efficiency by using this option.
+                </p>
+<p>
+                  The <span><strong class="command">attach-cache</strong></span> option
+                  may also be specified in <span><strong class="command">view</strong></span>
+                  statements, in which case it overrides the
+                  global <span><strong class="command">attach-cache</strong></span> option.
+                </p>
+<p>
+                  The <em class="replaceable"><code>cache_name</code></em> specifies
+                  the cache to be shared.
+                  When the <span><strong class="command">named</strong></span> server configures
+                  views which are supposed to share a cache, it
+                  creates a cache with the specified name for the
+                  first view of these sharing views.
+                  The rest of the views will simply refer to the
+                  already created cache.
+                </p>
+<p>
+                  One common configuration to share a cache would be to
+                  allow all views to share a single cache.
+                  This can be done by specifying
+                  the <span><strong class="command">attach-cache</strong></span> as a global
+                  option with an arbitrary name.
+                </p>
+<p>
+                  Another possible operation is to allow a subset of
+                  all views to share a cache while the others to
+                  retain their own caches.
+                  For example, if there are three views A, B, and C,
+                  and only A and B should share a cache, specify the
+                  <span><strong class="command">attach-cache</strong></span> option as a view A (or
+                  B)'s option, referring to the other view name:
+                </p>
+<pre class="programlisting">
+  view "A" {
+    // this view has its own cache
+    ...
+  };
+  view "B" {
+    // this view refers to A's cache
+    attach-cache "A";
+  };
+  view "C" {
+    // this view has its own cache
+    ...
+  };
+</pre>
+<p>
+                  Views that share a cache must have the same policy
+                  on configurable parameters that may affect caching.
+                  The current implementation requires the following
+                  configurable options be consistent among these
+                  views:
+                  <span><strong class="command">check-names</strong></span>,
+                  <span><strong class="command">cleaning-interval</strong></span>,
+                  <span><strong class="command">dnssec-accept-expired</strong></span>,
+                  <span><strong class="command">dnssec-validation</strong></span>,
+                  <span><strong class="command">max-cache-ttl</strong></span>,
+                  <span><strong class="command">max-ncache-ttl</strong></span>,
+                  <span><strong class="command">max-cache-size</strong></span>, and
+                  <span><strong class="command">zero-no-soa-ttl</strong></span>.
+                </p>
+<p>
+                  Note that there may be other parameters that may
+                  cause confusion if they are inconsistent for
+                  different views that share a single cache.
+                  For example, if these views define different sets of
+                  forwarders that can return different answers for the
+                  same question, sharing the answer does not make
+                  sense or could even be harmful.
+                  It is administrator's responsibility to ensure
+                  configuration differences in different views do
+                  not cause disruption with a shared cache.
+                </p>
+</dd>
 <dt><span class="term"><span><strong class="command">directory</strong></span></span></dt>
 <dd><p>
                 The working directory of the server.
@@ -2331,6 +2448,14 @@ category notify { null; };
                 described
                 in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
               </p></dd>
+<dt><span class="term"><span><strong class="command">bindkeys-file</strong></span></span></dt>
+<dd><p>
+                The pathname of a file to override the built-in trusted
+                keys provided by named.  See the discussion of
+                <span><strong class="command">dnssec-lookaside</strong></span> for details.
+                If not specified, the default is
+                <code class="filename">/etc/bind.keys</code>.
+              </p></dd>
 <dt><span class="term"><span><strong class="command">port</strong></span></span></dt>
 <dd><p>
                 The UDP/TCP port number the server uses for
@@ -2423,36 +2548,41 @@ options {
                 Only the most specific will be applied.
               </p></dd>
 <dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt>
-<dd><p>
-                When set, <span><strong class="command">dnssec-lookaside</strong></span>
-                provides the
-                validator with an alternate method to validate DNSKEY records
-                at the
-                top of a zone.  When a DNSKEY is at or below a domain
-                specified by the
-                deepest <span><strong class="command">dnssec-lookaside</strong></span>, and
-                the normal DNSSEC validation
-                has left the key untrusted, the trust-anchor will be append to
-                the key
-                name and a DLV record will be looked up to see if it can
-                validate the
-                key.  If the DLV record validates a DNSKEY (similarly to the
-                way a DS
-                record does) the DNSKEY RRset is deemed to be trusted.
-              </p></dd>
+<dd>
+<p>
+                When set, <span><strong class="command">dnssec-lookaside</strong></span> provides the
+                validator with an alternate method to validate DNSKEY
+                records at the top of a zone.  When a DNSKEY is at or
+                below a domain specified by the deepest
+                <span><strong class="command">dnssec-lookaside</strong></span>, and the normal dnssec
+                validation has left the key untrusted, the trust-anchor
+                will be append to the key name and a DLV record will be
+                looked up to see if it can validate the key.  If the DLV
+                record validates a DNSKEY (similarly to the way a DS record
+                does) the DNSKEY RRset is deemed to be trusted.
+              </p>
+<p>
+                If <span><strong class="command">dnssec-lookaside</strong></span> is set to
+                "auto", then built-in default values for
+                the domain and trust anchor will be used, along
+                with a built-in key for validation.
+              </p>
+<p>
+                NOTE: Since the built-in key may expire, it can be
+                overridden without recompiling named by placing a new key
+                in the file <code class="filename">bind.keys</code>.
+              </p>
+</dd>
 <dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
 <dd><p>
-                Specify hierarchies which must be or may not be secure (signed and
-                validated).
-                If <strong class="userinput"><code>yes</code></strong>, then <span><strong class="command">named</strong></span> will only accept
-                answers if they
-                are secure.
-                If <strong class="userinput"><code>no</code></strong>, then normal DNSSEC validation
-                applies
-                allowing for insecure answers to be accepted.
-                The specified domain must be under a <span><strong class="command">trusted-key</strong></span> or
-                <span><strong class="command">dnssec-lookaside</strong></span> must be
-                active.
+                Specify hierarchies which must be or may not be secure
+                (signed and validated).  If <strong class="userinput"><code>yes</code></strong>,
+                then <span><strong class="command">named</strong></span> will only accept answers if
+                they are secure.  If <strong class="userinput"><code>no</code></strong>, then normal
+                DNSSEC validation applies allowing for insecure answers to
+                be accepted.  The specified domain must be under a
+                <span><strong class="command">trusted-key</strong></span> or
+                <span><strong class="command">dnssec-lookaside</strong></span> must be active.
               </p></dd>
 </dl></div>
 <div class="sect3" lang="en">
@@ -3181,7 +3311,7 @@ options {
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2581747"></a>Forwarding</h4></div></div></div>
+<a name="id2582129"></a>Forwarding</h4></div></div></div>
 <p>
             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -3225,7 +3355,7 @@ options {
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2581874"></a>Dual-stack Servers</h4></div></div></div>
+<a name="id2582324"></a>Dual-stack Servers</h4></div></div></div>
 <p>
             Dual-stack servers are used as servers of last resort to work
             around
@@ -3422,7 +3552,7 @@ options {
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2582379"></a>Interfaces</h4></div></div></div>
+<a name="id2582898"></a>Interfaces</h4></div></div></div>
 <p>
             The interfaces and ports that the server will answer queries
             from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
@@ -3874,7 +4004,7 @@ avoid-v6-udp-ports {};
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2583582"></a>UDP Port Lists</h4></div></div></div>
+<a name="id2584033"></a>UDP Port Lists</h4></div></div></div>
 <p>
             <span><strong class="command">use-v4-udp-ports</strong></span>,
             <span><strong class="command">avoid-v4-udp-ports</strong></span>,
@@ -3916,7 +4046,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2583642"></a>Operating System Resource Limits</h4></div></div></div>
+<a name="id2584092"></a>Operating System Resource Limits</h4></div></div></div>
 <p>
             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -4078,7 +4208,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2584065"></a>Periodic Task Intervals</h4></div></div></div>
+<a name="id2584583"></a>Periodic Task Intervals</h4></div></div></div>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
 <dd><p>
@@ -4248,20 +4378,26 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
             their directly connected networks.
           </p>
 <pre class="programlisting">sortlist {
-    { localhost;                                   // IF   the local host
-        { localnets;                               // THEN first fit on the
-            192.168.1/24;                          //   following nets
+    // IF the local host
+    // THEN first fit on the following nets
+    { localhost;
+        { localnets;
+            192.168.1/24;
             { 192.168.2/24; 192.168.3/24; }; }; };
-    { 192.168.1/24;                                // IF   on class C 192.168.1
-        { 192.168.1/24;                            // THEN use .1, or .2 or .3
+    // IF on class C 192.168.1 THEN use .1, or .2 or .3
+    { 192.168.1/24;
+        { 192.168.1/24;
             { 192.168.2/24; 192.168.3/24; }; }; };
-    { 192.168.2/24;                                // IF   on class C 192.168.2
-        { 192.168.2/24;                            // THEN use .2, or .1 or .3
+    // IF on class C 192.168.2 THEN use .2, or .1 or .3
+    { 192.168.2/24;
+        { 192.168.2/24;
             { 192.168.1/24; 192.168.3/24; }; }; };
-    { 192.168.3/24;                                // IF   on class C 192.168.3
-        { 192.168.3/24;                            // THEN use .3, or .1 or .2
+    // IF on class C 192.168.3 THEN use .3, or .1 or .2
+    { 192.168.3/24;
+        { 192.168.3/24;
             { 192.168.1/24; 192.168.2/24; }; }; };
-    { { 192.168.4/24; 192.168.5/24; };             // if .4 or .5, prefer that net
+    // IF .4 or .5 THEN prefer that net
+    { { 192.168.4/24; 192.168.5/24; };
     };
 };</pre>
 <p>
@@ -4850,6 +4986,129 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                 </p></dd>
 </dl></div>
 </div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2586654"></a>Content Filtering</h4></div></div></div>
+<p>
+            <acronym class="acronym">BIND</acronym> 9 provides the ability to filter
+            out DNS responses from external DNS servers containing
+            certain types of data in the answer section.
+            Specifically, it can reject address (A or AAAA) records if
+            the corresponding IPv4 or IPv6 addresses match the given
+            <code class="varname">address_match_list</code> of the
+            <span><strong class="command">deny-answer-addresses</strong></span> option.
+            It can also reject CNAME or DNAME records if the "alias"
+            name (i.e., the CNAME alias or the substituted query name
+            due to DNAME) matches the
+            given <code class="varname">namelist</code> of the
+            <span><strong class="command">deny-answer-aliases</strong></span> option, where
+            "match" means the alias name is a subdomain of one of
+            the <code class="varname">name_list</code> elements.
+            If the optional <code class="varname">namelist</code> is specified
+            with <span><strong class="command">except-from</strong></span>, records whose query name
+            matches the list will be accepted regardless of the filter
+            setting.
+            Likewise, if the alias name is a subdomain of the
+            corresponding zone, the <span><strong class="command">deny-answer-aliases</strong></span>
+            filter will not apply;
+            for example, even if "example.com" is specified for
+            <span><strong class="command">deny-answer-aliases</strong></span>,
+          </p>
+<pre class="programlisting">www.example.com. CNAME xxx.example.com.</pre>
+<p>
+            returned by an "example.com" server will be accepted.
+          </p>
+<p>
+            In the <code class="varname">address_match_list</code> of the
+            <span><strong class="command">deny-answer-addresses</strong></span> option, only
+            <code class="varname">ip_addr</code>
+            and <code class="varname">ip_prefix</code>
+            are meaningful;
+            any <code class="varname">key_id</code> will be silently ignored.
+          </p>
+<p>
+            If a response message is rejected due to the filtering,
+            the entire message is discarded without being cached, and
+            a SERVFAIL error will be returned to the client.
+          </p>
+<p>
+            This filtering is intended to prevent "DNS rebinding attacks," in
+            which an attacker, in response to a query for a domain name the
+            attacker controls, returns an IP address within your own network or
+            an alias name within your own domain.
+            A naive web browser or script could then serve as an
+            unintended proxy, allowing the attacker
+            to get access to an internal node of your local network
+            that couldn't be externally accessed otherwise.
+            See the paper available at
+            <a href="" target="_top">
+            http://portal.acm.org/citation.cfm?id=1315245.1315298
+            </a>
+            for more details about the attacks.
+          </p>
+<p>
+            For example, if you own a domain named "example.net" and
+            your internal network uses an IPv4 prefix 192.0.2.0/24,
+            you might specify the following rules:
+          </p>
+<pre class="programlisting">deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
+deny-answer-aliases { "example.net"; };
+</pre>
+<p>
+            If an external attacker lets a web browser in your local
+            network look up an IPv4 address of "attacker.example.com",
+            the attacker's DNS server would return a response like this:
+          </p>
+<pre class="programlisting">attacker.example.com. A 192.0.2.1</pre>
+<p>
+            in the answer section.
+            Since the rdata of this record (the IPv4 address) matches
+            the specified prefix 192.0.2.0/24, this response will be
+            ignored.
+          </p>
+<p>
+            On the other hand, if the browser looks up a legitimate
+            internal web server "www.example.net" and the
+            following response is returned to
+            the <acronym class="acronym">BIND</acronym> 9 server
+          </p>
+<pre class="programlisting">www.example.net. A 192.0.2.2</pre>
+<p>
+            it will be accepted since the owner name "www.example.net"
+            matches the <span><strong class="command">except-from</strong></span> element,
+            "example.net".
+          </p>
+<p>
+            Note that this is not really an attack on the DNS per se.
+            In fact, there is nothing wrong for an "external" name to
+            be mapped to your "internal" IP address or domain name
+            from the DNS point of view.
+            It might actually be provided for a legitimate purpose,
+            such as for debugging.
+            As long as the mapping is provided by the correct owner,
+            it is not possible or does not make sense to detect
+            whether the intent of the mapping is legitimate or not
+            within the DNS.
+            The "rebinding" attack must primarily be protected at the
+            application that uses the DNS.
+            For a large site, however, it may be difficult to protect
+            all possible applications at once.
+            This filtering feature is provided only to help such an
+            operational environment;
+            it is generally discouraged to turn it on unless you are
+            very sure you have no other choice and the attack is a
+            real threat for your applications.
+          </p>
+<p>
+            Care should be particularly taken if you want to use this
+            option for addresses within 127.0.0.0/8.
+            These addresses are obviously "internal", but many
+            applications conventionally rely on a DNS mapping from
+            some name to such an address.
+            Filtering out DNS records containing this address
+            spuriously can break such applications.
+          </p>
+</div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
@@ -4868,8 +5127,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
     [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
-    [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
+    [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
+                  [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
+    [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
+                     [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
     [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> queryport-pool-interval <em class="replaceable"><code>number</code></em>; </span>]
@@ -5049,14 +5310,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 <div class="titlepage"><div><div><h3 class="title">
 <a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">statistics-channels</strong></span> {
-   [ inet ( ip_addr | * ) [ port ip_port ] [allow { <em class="replaceable"><code> address_match_list </code></em> } ]; ]
+   [ inet ( ip_addr | * ) [ port ip_port ]
+   [ allow { <em class="replaceable"><code> address_match_list </code></em> } ]; ]
    [ inet ...; ]
 };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2586902"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+<a name="id2587543"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
             Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">statistics-channels</strong></span> statement
@@ -5107,7 +5369,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2586988"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2587629"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">trusted-keys</strong></span> {
     <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
     [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
@@ -5116,7 +5378,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2587040"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<a name="id2587681"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
             and Usage</h3></div></div></div>
 <p>
             The <span><strong class="command">trusted-keys</strong></span> statement defines
@@ -5146,6 +5408,19 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
             in the key data, so the configuration may be split up into
             multiple lines.
           </p>
+<p>
+            <span><strong class="command">trusted-keys</strong></span> may be set at the top level
+            of <code class="filename">named.conf</code> or within a view.  If it is
+            set in both places, they are additive: keys defined at the top
+            level are inherited by all views, but keys defined in a view
+            are only used within that view.
+          </p>
+<p>
+            In addition to keys specified in
+            <span><strong class="command">trusted-keys</strong></span> statements, if the
+            <span><strong class="command">dnssec-lookaside</strong></span> option is set to "auto",
+            named will also load a built-in trusted key for dlv.isc.org.
+          </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
@@ -5162,7 +5437,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2587122"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2587853"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
 <p>
             The <span><strong class="command">view</strong></span> statement is a powerful
             feature
@@ -5251,11 +5526,12 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
       // This should match our internal networks.
       match-clients { 10.0.0.0/8; };
 
-      // Provide recursive service to internal clients only.
+      // Provide recursive service to internal
+      // clients only.
       recursion yes;
 
-      // Provide a complete view of the example.com zone
-      // including addresses of internal hosts.
+      // Provide a complete view of the example.com
+      // zone including addresses of internal hosts.
       zone "example.com" {
             type master;
             file "example-internal.db";
@@ -5263,14 +5539,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 };
 
 view "external" {
-      // Match all clients not matched by the previous view.
+      // Match all clients not matched by the
+      // previous view.
       match-clients { any; };
 
       // Refuse recursive service to external clients.
       recursion no;
 
-      // Provide a restricted view of the example.com zone
-      // containing only publicly accessible hosts.
+      // Provide a restricted view of the example.com
+      // zone containing only publicly accessible hosts.
       zone "example.com" {
            type master;
            file "example-external.db";
@@ -5289,7 +5566,8 @@ view "external" {
     [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
-    [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
+    [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
+                  [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
     [<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
     [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
@@ -5337,7 +5615,8 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
     [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
-    [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
+    [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
+                  [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
     [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
     [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
@@ -5350,7 +5629,9 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
     [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
+    [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
+                              [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
+                              [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
     [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
@@ -5363,7 +5644,8 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
     [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
+    [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
+                             [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
@@ -5381,7 +5663,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
     type hint;
     file <em class="replaceable"><code>string</code></em> ;
     [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-    [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; // Not Implemented. </span>]
+    [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] // Not Implemented.
 };
 
 zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
@@ -5395,14 +5677,18 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
     [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
     [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
     [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
-    [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
+    [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
+                              [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
+                              [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
     [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
+    [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
+                         [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-    [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
+    [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
+                            [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
@@ -5428,10 +5714,10 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2588659"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2589322"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2588666"></a>Zone Types</h4></div></div></div>
+<a name="id2589330"></a>Zone Types</h4></div></div></div>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -5642,7 +5928,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2589094"></a>Class</h4></div></div></div>
+<a name="id2589757"></a>Class</h4></div></div></div>
 <p>
               The zone's name may optionally be followed by a class. If
               a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
@@ -5664,7 +5950,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2589127"></a>Zone Options</h4></div></div></div>
+<a name="id2589859"></a>Zone Options</h4></div></div></div>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
 <dd><p>
@@ -5807,6 +6093,14 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
                     See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
                   </p>
 </dd>
+<dt><span class="term"><span><strong class="command">ddns-autoconf</strong></span></span></dt>
+<dd><p>
+                    If this flag is set to <strong class="userinput"><code>yes</code></strong> in
+                    a master zone, the zone will be set to allow dynamic
+                    updates using a TSIG session key generated by
+                    <span><strong class="command">named</strong></span> and stored in a file for use
+                    by <span><strong class="command">nsupdate -l</strong></span> on the local system,
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
 <dd><p>
                     Only meaningful if the zone has a forwarders
@@ -6032,7 +6326,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
               This is how a rule definition looks:
             </p>
 <pre class="programlisting">
-( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> <em class="replaceable"><code>name</code></em> [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
+( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
 </pre>
 <p>
               Each rule grants or denies privileges.  Once a message has
@@ -6076,7 +6370,8 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
               <code class="varname">krb5-self</code>, <code class="varname">ms-self</code>,
               <code class="varname">krb5-subdomain</code>,
               <code class="varname">ms-subdomain</code>,
-              <code class="varname">tcp-self</code> and <code class="varname">6to4-self</code>.
+              <code class="varname">tcp-self</code>, <code class="varname">6to4-self</code>,
+              and <code class="varname">zonesub</code>.
             </p>
 <div class="informaltable"><table border="1">
 <colgroup>
@@ -6117,6 +6412,29 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 <tr>
 <td>
                       <p>
+                        <code class="varname">zonesub</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        This rule is similar to subdomain, except that
+                        it matches when the name being updated is a
+                        subdomain of the zone in which the
+                        <span><strong class="command">update-policy</strong></span> statement
+                        appears.  This obviates the need to type the zone
+                        name twice, and enables the use of a standard
+                        <span><strong class="command">update-policy</strong></span> statement in
+                        multiple zones without modification.
+                      </p>
+                      <p>
+                        When this rule is used, the
+                        <em class="replaceable"><code>name</code></em> field is omitted.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
                         <code class="varname">wildcard</code>
                       </p>
                     </td>
@@ -6243,7 +6561,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2591138"></a>Zone File</h2></div></div></div>
+<a name="id2591942"></a>Zone File</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
@@ -6256,7 +6574,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
           </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2591156"></a>Resource Records</h4></div></div></div>
+<a name="id2592028"></a>Resource Records</h4></div></div></div>
 <p>
               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -6993,7 +7311,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2592779"></a>Textual expression of RRs</h4></div></div></div>
+<a name="id2593515"></a>Textual expression of RRs</h4></div></div></div>
 <p>
               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -7196,7 +7514,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2593300"></a>Discussion of MX Records</h3></div></div></div>
+<a name="id2594036"></a>Discussion of MX Records</h3></div></div></div>
 <p>
             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -7452,7 +7770,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2593915"></a>Inverse Mapping in IPv4</h3></div></div></div>
+<a name="id2594788"></a>Inverse Mapping in IPv4</h3></div></div></div>
 <p>
             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
@@ -7513,7 +7831,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2594042"></a>Other Zone File Directives</h3></div></div></div>
+<a name="id2594915"></a>Other Zone File Directives</h3></div></div></div>
 <p>
             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -7528,7 +7846,18 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
           </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2594201"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
+<a name="id2594937"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
+<p>
+              When used in the label (or name) field, the asperand or
+              at-sign (@) symbol represents the current origin.
+              At the start of the zone file, it is the 
+              &lt;<code class="varname">zone_name</code>&gt; (followed by
+              trailing dot).
+            </p>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2594953"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
 <p>
               Syntax: <span><strong class="command">$ORIGIN</strong></span>
               <em class="replaceable"><code>domain-name</code></em>
@@ -7538,7 +7867,8 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
               sets the domain name that will be appended to any
               unqualified records. When a zone is first read in there
               is an implicit <span><strong class="command">$ORIGIN</strong></span>
-              &lt;<code class="varname">zone-name</code>&gt;<span><strong class="command">.</strong></span>
+              &lt;<code class="varname">zone_name</code>&gt;<span><strong class="command">.</strong></span>
+              (followed by trailing dot).
               The current <span><strong class="command">$ORIGIN</strong></span> is appended to
               the domain specified in the <span><strong class="command">$ORIGIN</strong></span>
               argument if it is not absolute.
@@ -7556,7 +7886,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2594262"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
+<a name="id2595014"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
 <p>
               Syntax: <span><strong class="command">$INCLUDE</strong></span>
               <em class="replaceable"><code>filename</code></em>
@@ -7592,7 +7922,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2594331"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
+<a name="id2595083"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
 <p>
               Syntax: <span><strong class="command">$TTL</strong></span>
               <em class="replaceable"><code>default-ttl</code></em>
@@ -7611,7 +7941,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2594368"></a><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
+<a name="id2595120"></a><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
 <p>
             Syntax: <span><strong class="command">$GENERATE</strong></span>
             <em class="replaceable"><code>range</code></em>
@@ -7631,7 +7961,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
             Classless IN-ADDR.ARPA delegation.
           </p>
 <pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA.
-$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
+$GENERATE 1-2 @ NS SERVER$.EXAMPLE.
 $GENERATE 1-127 $ CNAME $.0</pre>
 <p>
             is equivalent to
@@ -7643,6 +7973,28 @@ $GENERATE 1-127 $ CNAME $.0</pre>
 ...
 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
 </pre>
+<p>
+            Generate a set of A and MX records.  Note the MX's right hand
+            side is a quoted string.  The quotes will be stripped when the
+            right hand side is processed.
+           </p>
+<pre class="programlisting">
+$ORIGIN EXAMPLE.
+$GENERATE 1-127 HOST-$ A 1.2.3.$
+$GENERATE 1-127 HOST-$ MX "0 ."</pre>
+<p>
+            is equivalent to
+          </p>
+<pre class="programlisting">HOST-1.EXAMPLE.   A  1.2.3.1
+HOST-1.EXAMPLE.   MX 0 .
+HOST-2.EXAMPLE.   A  1.2.3.2
+HOST-2.EXAMPLE.   MX 0 .
+HOST-3.EXAMPLE.   A  1.2.3.3
+HOST-3.EXAMPLE.   MX 0 .
+...
+HOST-127.EXAMPLE. A  1.2.3.127
+HOST-127.EXAMPLE. MX 0 .
+</pre>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -7693,8 +8045,10 @@ $GENERATE 1-127 $ CNAME $.0</pre>
 
                       Available output forms are decimal
                       (<span><strong class="command">d</strong></span>), octal
-                      (<span><strong class="command">o</strong></span>) and hexadecimal
+                      (<span><strong class="command">o</strong></span>), hexadecimal
                       (<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span>
+                      for uppercase) and nibble
+                      (<span><strong class="command">n</strong></span> or <span><strong class="command">N</strong></span>\
                       for uppercase).  The default modifier is
                       <span><strong class="command">${0,0,d}</strong></span>.  If the
                       <span><strong class="command">lhs</strong></span> is not absolute, the
@@ -7702,8 +8056,16 @@ $GENERATE 1-127 $ CNAME $.0</pre>
                       to the name.
                     </p>
                     <p>
-                      For compatibility with earlier versions, <span><strong class="command">$$</strong></span> is still
-                      recognized as indicating a literal $ in the output.
+                      In nibble mode the value will be treated as
+                      a if it was a reversed hexadecimal string
+                      with each hexadecimal digit as a seperate
+                      label.  The width field includes the label
+                      seperator.
+                    </p>
+                    <p>
+                      For compatibility with earlier versions,
+                      <span><strong class="command">$$</strong></span> is still recognized as
+                      indicating a literal $ in the output.
                     </p>
                   </td>
 </tr>
@@ -7745,8 +8107,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
                   </td>
 <td>
                     <p>
-                      At present the only supported types are
-                      PTR, CNAME, DNAME, A, AAAA and NS.
+                      Any valid type.
                     </p>
                   </td>
 </tr>
@@ -7756,8 +8117,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
                   </td>
 <td>
                     <p>
-                      <span><strong class="command">rhs</strong></span> is a domain name. It is processed
-                      similarly to lhs.
+                      <span><strong class="command">rhs</strong></span>, optionally, quoted string.
                     </p>
                   </td>
 </tr>
@@ -7907,9 +8267,12 @@ $GENERATE 1-127 $ CNAME $.0</pre>
                 </td>
 <td>
                   <p>
-                    The number of RRsets per RR type (positive
-                    or negative) and nonexistent names stored in the
-                    cache database.
+                    The number of RRsets per RR type and nonexistent
+                    names stored in the cache database.
+                    If the exclamation mark (!) is printed for a RR
+                    type, it means that particular type of RRset is
+                    known to be nonexistent (this is also known as
+                    "NXRRSET").
                     Maintained per view.
                   </p>
                 </td>
@@ -8002,7 +8365,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
           </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2595364"></a>Name Server Statistics Counters</h4></div></div></div>
+<a name="id2596141"></a>Name Server Statistics Counters</h4></div></div></div>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -8559,7 +8922,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2596905"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
+<a name="id2597614"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -8713,7 +9076,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2597288"></a>Resolver Statistics Counters</h4></div></div></div>
+<a name="id2598066"></a>Resolver Statistics Counters</h4></div></div></div>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -8865,6 +9228,13 @@ $GENERATE 1-127 $ CNAME $.0</pre>
 <td>
                       <p>
                         Mismatch responses received.
+                        The DNS ID, response's source address,
+                        and/or the response's source port does not
+                        match what was expected.
+                        (The port must be 53 or as defined by
+                        the <span><strong class="command">port</strong></span> option.)
+                        This may be an indication of a cache
+                        poisoning attempt.
                       </p>
                     </td>
 </tr>
@@ -9089,7 +9459,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2598307"></a>Socket I/O Statistics Counters</h4></div></div></div>
+<a name="id2599088"></a>Socket I/O Statistics Counters</h4></div></div></div>
 <p>
               Socket I/O statistics counters are defined per socket
               types, which are
@@ -9244,7 +9614,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2598817"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
+<a name="id2599666"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
 <p>
               Most statistics counters that were available
               in <span><strong class="command">BIND</strong></span> 8 are also supported in
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index ca12cb3c..3aa6f18f 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch07.html,v 1.178.14.6 2009/06/03 01:54:39 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch07.html,v 1.199 2009/06/17 23:12:08 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -46,10 +46,10 @@
 <p><b>Table of Contents</b></p>
 <dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2598990"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2599840"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599072">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599268">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599989">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2600049">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
 </dl>
@@ -80,14 +80,17 @@
           Here is an example of how to properly apply ACLs:
         </p>
 <pre class="programlisting">
-// Set up an ACL named "bogusnets" that will block RFC1918 space
-// and some reserved space, which is commonly used in spoofing attacks.
+// Set up an ACL named "bogusnets" that will block
+// RFC1918 space and some reserved space, which is
+// commonly used in spoofing attacks.
 acl bogusnets {
-        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
-        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
+        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24;
+        224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12;
+        192.168.0.0/16;
 };
 
-// Set up an ACL called our-nets. Replace this with the real IP numbers.
+// Set up an ACL called our-nets. Replace this with the
+// real IP numbers.
 acl our-nets { x.x.x.x/24; x.x.x.x/21; };
 options {
   ...
@@ -119,7 +122,7 @@ zone "example.com" {
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2598990"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
+<a name="id2599840"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
 </h2></div></div></div>
 <p>
           On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
@@ -145,7 +148,7 @@ zone "example.com" {
         </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2599072"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
+<a name="id2599989"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
 <p>
             In order for a <span><strong class="command">chroot</strong></span> environment
             to
@@ -173,7 +176,7 @@ zone "example.com" {
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2599268"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
+<a name="id2600049"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
 <p>
             Prior to running the <span><strong class="command">named</strong></span> daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 5e547eb4..16ba346f 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch08.html,v 1.178.14.6 2009/06/03 01:54:39 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch08.html,v 1.198 2009/06/17 23:12:09 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,18 +45,18 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599348">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2599353">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599365">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599382">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2600129">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2600134">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2600146">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2600163">Where Can I Get Help?</a></span></dt>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2599348"></a>Common Problems</h2></div></div></div>
+<a name="id2600129"></a>Common Problems</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2599353"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
+<a name="id2600134"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
 <p>
             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2599365"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
+<a name="id2600146"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
 <p>
           Zone serial numbers are just numbers &#8212; they aren't
           date related.  A lot of people set them to a number that
@@ -95,7 +95,7 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2599382"></a>Where Can I Get Help?</h2></div></div></div>
+<a name="id2600163"></a>Where Can I Get Help?</h2></div></div></div>
 <p>
           The Internet Systems Consortium
           (<acronym class="acronym">ISC</acronym>) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 87134e05..f62a0333 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch09.html,v 1.180.16.6 2009/06/03 01:54:39 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch09.html,v 1.200 2009/06/17 23:12:08 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,21 +45,21 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599444">Acknowledgments</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2600361">Acknowledgments</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599684">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2600533">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2602896">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2603745">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
 </dl></dd>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2599444"></a>Acknowledgments</h2></div></div></div>
+<a name="id2600361"></a>Acknowledgments</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="historical_dns_information"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
@@ -162,7 +162,7 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2599684"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
+<a name="id2600533"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h3></div></div></div>
@@ -250,17 +250,17 @@
           </p>
 <div class="bibliography">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2599872"></a>Bibliography</h4></div></div></div>
+<a name="id2600652"></a>Bibliography</h4></div></div></div>
 <div class="bibliodiv">
 <h3 class="title">Standards</h3>
 <div class="biblioentry">
-<a name="id2599882"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
+<a name="id2600663"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2599906"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2600686"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2599929"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
+<a name="id2600710"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
                   Specification</i>. </span><span class="pubdate">November 1987. </span></p>
 </div>
 </div>
@@ -268,42 +268,42 @@
 <h3 class="title">
 <a name="proposed_standards"></a>Proposed Standards</h3>
 <div class="biblioentry">
-<a name="id2599965"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
+<a name="id2600746"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
                   Specification</i>. </span><span class="pubdate">July 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2599992"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
+<a name="id2600841"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
                   Queries</i>. </span><span class="pubdate">March 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2600018"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2600867"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2600042"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2600891"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2600066"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2600915"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2600121"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
+<a name="id2600970"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2600148"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
+<a name="id2600997"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2600174"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id2601024"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2600236"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2601085"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2600266"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2601115"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2600296"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
+<a name="id2601145"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2600323"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
+<a name="id2601172"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG)</i>. </span><span class="pubdate">October 2003. </span></p>
 </div>
@@ -312,19 +312,19 @@
 <h3 class="title">
 <acronym class="acronym">DNS</acronym> Security Proposed Standards</h3>
 <div class="biblioentry">
-<a name="id2600405"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
+<a name="id2601254"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2600432"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
+<a name="id2601281"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2600468"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
+<a name="id2601317"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2600533"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
+<a name="id2601382"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2600598"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
+<a name="id2601447"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
                        Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
 </div>
 </div>
@@ -332,146 +332,146 @@
 <h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym>
                 Implementation</h3>
 <div class="biblioentry">
-<a name="id2600672"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
+<a name="id2601521"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
                   Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2600697"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
+<a name="id2601546"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
                   Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2600765"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2601614"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2600801"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
+<a name="id2601650"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
                 Queries for IPv6 Addresses</i>. </span><span class="pubdate">May 2005. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">Resource Record Types</h3>
 <div class="biblioentry">
-<a name="id2600846"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
+<a name="id2601696"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2600904"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
+<a name="id2601753"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2600941"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
+<a name="id2601859"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
                   the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2600977"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
+<a name="id2601894"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
                   Domain
                   Name System</i>. </span><span class="pubdate">January 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601031"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
+<a name="id2601948"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
                   Location of
                   Services.</i>. </span><span class="pubdate">October 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601069"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
+<a name="id2601987"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
                   Distribute MIXER
                   Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601095"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
+<a name="id2602012"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601121"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2602038"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601147"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2602065"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601174"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2602091"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601213"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2602131"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601243"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2602161"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601273"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
+<a name="id2602190"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601316"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2602233"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601349"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
+<a name="id2602266"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601376"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
+<a name="id2602293"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601399"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
+<a name="id2602316"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
                   version 6</i>. </span><span class="pubdate">October 2003. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601457"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
+<a name="id2602374"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">
 <acronym class="acronym">DNS</acronym> and the Internet</h3>
 <div class="biblioentry">
-<a name="id2601489"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
+<a name="id2602406"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
                   and Other Types</i>. </span><span class="pubdate">April 1989. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601582"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
+<a name="id2602432"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
                   Support</i>. </span><span class="pubdate">October 1989. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601605"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
+<a name="id2602454"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601628"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
+<a name="id2602477"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601674"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id2602523"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601698"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2602547"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">
 <acronym class="acronym">DNS</acronym> Operations</h3>
 <div class="biblioentry">
-<a name="id2601755"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2602604"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601779"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
+<a name="id2602628"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
                   Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601805"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
+<a name="id2602654"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
                   Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601832"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
+<a name="id2602681"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601868"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
+<a name="id2602717"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
                   Network Services.</i>. </span><span class="pubdate">October 1997. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">Internationalized Domain Names</h3>
 <div class="biblioentry">
-<a name="id2601914"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
+<a name="id2602763"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols</i>. </span><span class="pubdate">May 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601946"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
+<a name="id2602795"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2601992"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
+<a name="id2602841"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602027"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
+<a name="id2602876"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
 </div>
@@ -487,47 +487,47 @@
                 </p>
 </div>
 <div class="biblioentry">
-<a name="id2602072"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
+<a name="id2602921"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
                   Attributes</i>. </span><span class="pubdate">May 1993. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602094"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
+<a name="id2602944"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602120"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
+<a name="id2602969"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
                   Balancing</i>. </span><span class="pubdate">April 1995. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602146"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
+<a name="id2602995"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602169"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2603018"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602215"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2603064"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602238"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
+<a name="id2603088"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602265"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
+<a name="id2603114"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
                        Shared Unicast Addresses</i>. </span><span class="pubdate">April 2002. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602291"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
+<a name="id2603140"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">Obsolete and Unimplemented Experimental RFC</h3>
 <div class="biblioentry">
-<a name="id2602334"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
+<a name="id2603184"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
                   Location</i>. </span><span class="pubdate">November 1994. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602392"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
+<a name="id2603241"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602419"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
+<a name="id2603268"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering</i>. </span><span class="pubdate">July 2000. </span></p>
 </div>
 </div>
@@ -541,39 +541,39 @@
                 </p>
 </div>
 <div class="biblioentry">
-<a name="id2602467"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
+<a name="id2603316"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602506"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2603424"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602533"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2603450"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602563"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
+<a name="id2603480"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
                        Signing Authority</i>. </span><span class="pubdate">November 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602588"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
+<a name="id2603506"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602683"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
+<a name="id2603532"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602720"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
+<a name="id2603569"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602756"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
+<a name="id2603605"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602782"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
+<a name="id2603632"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602809"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
+<a name="id2603658"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag</i>. </span><span class="pubdate">April 2004. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2602854"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
+<a name="id2603703"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
 </div>
 </div>
 </div>
@@ -594,14 +594,14 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2602896"></a>Other Documents About <acronym class="acronym">BIND</acronym>
+<a name="id2603745"></a>Other Documents About <acronym class="acronym">BIND</acronym>
 </h3></div></div></div>
 <p></p>
 <div class="bibliography">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2602905"></a>Bibliography</h4></div></div></div>
+<a name="id2603754"></a>Bibliography</h4></div></div></div>
 <div class="biblioentry">
-<a name="id2602907"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright � 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
+<a name="id2603756"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright � 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
 </div>
 </div>
 </div>
diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html
index 5fbeb3de..a04bb374 100644
--- a/doc/arm/Bv9ARM.ch10.html
+++ b/doc/arm/Bv9ARM.ch10.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch10.html,v 1.11.14.1 2009/01/08 01:51:00 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch10.html,v 1.14 2009/06/12 02:48:00 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -87,6 +87,9 @@
 <dt>
 <span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> &#8212; rndc key generation tool</span>
 </dt>
+<dt>
+<span class="refentrytitle"><a href="man.ddns-confgen.html"><span class="application">ddns-confgen</span></a></span><span class="refpurpose"> &#8212; ddns key generation tool</span>
+</dt>
 </dl>
 </div>
 </div>
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index ffb7b624..e1b54ef6 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.html,v 1.193.14.6 2009/06/03 01:54:40 tbox Exp $ -->
+<!-- $Id: Bv9ARM.html,v 1.216 2009/06/17 23:12:08 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -92,34 +92,34 @@
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2564066">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564084">Example split DNS setup</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570510">Split DNS</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570529">Example split DNS setup</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571141">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571214">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571225">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571268">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571325">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571510">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571030">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571104">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571114">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2563989">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564115">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564163">Errors</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571524">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571709">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571549">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571598">SIG(0)</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571778">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571925">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572006">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571803">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571950">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572032">Configuring Servers</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572220">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572201">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572282">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572304">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572400">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572421">Address to Name Lookups Using Nibble Format</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572337">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572454">The Lightweight Resolver Library</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
@@ -127,55 +127,55 @@
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573716">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573864">Comment Syntax</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574346"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574563"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574536"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574753"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574965"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574982"><span><strong class="command">include</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575180"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575197"><span><strong class="command">include</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575005"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575029"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575120"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575245"><span><strong class="command">logging</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575221"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575244"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575335"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575461"><span><strong class="command">logging</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577306"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577448"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577512"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577556"><span><strong class="command">masters</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577596"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577670"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577734"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577778"><span><strong class="command">masters</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577571"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577793"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
           Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
             Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586902"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587543"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
             Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586988"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587040"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587629"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587681"><span><strong class="command">trusted-keys</strong></span> Statement Definition
             and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587122"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587853"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
             Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588659"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589322"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2591138">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2591942">Zone File</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593300">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594036">Discussion of MX Records</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593915">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594042">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594368"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594788">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594915">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595120"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
@@ -184,31 +184,31 @@
 <dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
 <dd><dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2598990"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2599840"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599072">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599268">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599989">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2600049">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599348">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2599353">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599365">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599382">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2600129">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2600134">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2600146">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2600163">Where Can I Get Help?</a></span></dt>
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Appendices</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599444">Acknowledgments</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2600361">Acknowledgments</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599684">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2600533">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2602896">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2603745">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="reference"><a href="Bv9ARM.ch10.html">I. Manual pages</a></span></dt>
@@ -252,6 +252,9 @@
 <dt>
 <span class="refentrytitle"><a href="man.rndc-confgen.html"><span class="application">rndc-confgen</span></a></span><span class="refpurpose"> &#8212; rndc key generation tool</span>
 </dt>
+<dt>
+<span class="refentrytitle"><a href="man.ddns-confgen.html"><span class="application">ddns-confgen</span></a></span><span class="refpurpose"> &#8212; ddns key generation tool</span>
+</dt>
 </dl></dd>
 </dl>
 </div>
diff --git a/doc/arm/Makefile.in b/doc/arm/Makefile.in
index 5fa267ea..c003e929 100644
--- a/doc/arm/Makefile.in
+++ b/doc/arm/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.20.332.2 2009/02/12 23:47:22 tbox Exp $
+# $Id: Makefile.in,v 1.22 2009/02/12 23:47:56 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
new file mode 100644
index 00000000..e5491f74
--- /dev/null
+++ b/doc/arm/man.ddns-confgen.html
@@ -0,0 +1,174 @@
+<!--
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ - 
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.ddns-confgen.html,v 1.7 2009/06/18 01:13:02 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>ddns-confgen</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.rndc-confgen.html" title="rndc-confgen">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">ddns-confgen</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.rndc-confgen.html">Prev</a>�</td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right">�</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.ddns-confgen"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">ddns-confgen</span> &#8212; ddns key generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s name | -z zone</code>] [<code class="option">-q</code>] [name]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2635466"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">ddns-confgen</strong></span>
+      generates a key for use by <span><strong class="command">nsupdate</strong></span>
+      and <span><strong class="command">named</strong></span>.  It simplifies configuration
+      of dynamic zones by generating a key and providing the
+      <span><strong class="command">nsupdate</strong></span> and <span><strong class="command">named.conf</strong></span>
+      syntax that will be needed to use it, including an example
+      <span><strong class="command">update-policy</strong></span> statement.
+    </p>
+<p>
+      If a domain name is specified on the command line, it will
+      be used in the name of the generated key and in the sample
+      <span><strong class="command">named.conf</strong></span> syntax.  For example,
+      <span><strong class="command">ddns-confgen example.com</strong></span> would
+      generate a key called "ddns-key.example.com", and sample
+      <span><strong class="command">named.conf</strong></span> command that could be used
+      in the zone definition for "example.com".
+    </p>
+<p>
+      Note that <span><strong class="command">named</strong></span> itself can configure a
+      local DDNS key for use with <span><strong class="command">nsupdate -l</strong></span>.
+      <span><strong class="command">ddns-confgen</strong></span> is only needed when a 
+      more elaborate configuration is required: for instance, if
+      <span><strong class="command">nsupdate</strong></span> is to be used from a remote system.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2635554"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd><p>
+            Specifies the algorithm to use for the TSIG key.  Available
+            choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
+            hmac-sha384 and hmac-sha512.  The default is hmac-sha256.
+	  </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+	    Prints a short summary of the options and arguments to
+	    <span><strong class="command">ddns-confgen</strong></span>.
+	  </p></dd>
+<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
+<dd><p>
+	    Specifies the key name of the DDNS authentication key.
+	    The default is <code class="constant">ddns-key</code> when neither
+	    the <span><strong class="command">-s</strong></span> nor <span><strong class="command">-z</strong></span> option is
+	    specified; otherwise, the default
+	    is <code class="constant">ddns-key</code> as a separate label
+	    followed by the argument of the option, e.g.,
+	    <code class="constant">ddns-key.example.com.</code>
+	    The key name must have the format of a valid domain name,
+	    consisting of letters, digits, hyphens and periods.
+	  </p></dd>
+<dt><span class="term">-q</span></dt>
+<dd><p>
+	    Quiet mode:  Print only the key, with no explanatory text or
+            usage examples.
+	  </p></dd>
+<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
+<dd><p>
+            Specifies a source of random data for generating the
+            authorization.  If the operating system does not provide a
+            <code class="filename">/dev/random</code> or equivalent device, the
+            default source of randomness is keyboard input.
+            <code class="filename">randomdev</code> specifies the name of a
+            character device or file containing random data to be used
+            instead of the default.  The special value
+            <code class="filename">keyboard</code> indicates that keyboard input
+            should be used.
+	  </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
+<dd><p>
+	    Self mode:  The example <span><strong class="command">named.conf</strong></span> text
+            shows how to set an update policy for the specified
+	    <em class="replaceable"><code>name</code></em>
+	    using the "self" nametype, instead of the "subdomain"
+	    nametype which allows matching on any name within a
+	    specified domain.
+	    This option cannot be used with the <span><strong class="command">-z</strong></span> option.
+	  </p></dd>
+<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
+<dd><p>
+	    zone mode:  The example <span><strong class="command">named.conf</strong></span> text
+            shows how to set an update policy for the specified
+	    <em class="replaceable"><code>zone</code></em>
+	    using the "zonesub" nametype, allowing updates to all subdomain
+	    names within
+	    that <em class="replaceable"><code>zone</code></em>.
+	    This option cannot be used with the <span><strong class="command">-s</strong></span> option.
+	  </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2635825"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2635863"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.rndc-confgen.html">Prev</a>�</td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right">�</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">rndc-confgen</span>�</td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top">�</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 2758a8f0..961452c3 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dig.html,v 1.93.14.8 2009/06/03 01:54:40 tbox Exp $ -->
+<!-- $Id: man.dig.html,v 1.116 2009/06/17 23:12:09 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -52,7 +52,7 @@
 <div class="cmdsynopsis"><p><code class="command">dig</code>  [global-queryopt...] [query...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2563899"></a><h2>DESCRIPTION</h2>
+<a name="id2563937"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dig</strong></span>
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -98,7 +98,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2570411"></a><h2>SIMPLE USAGE</h2>
+<a name="id2571200"></a><h2>SIMPLE USAGE</h2>
 <p>
       A typical invocation of <span><strong class="command">dig</strong></span> looks like:
       </p>
@@ -144,7 +144,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2570522"></a><h2>OPTIONS</h2>
+<a name="id2571310"></a><h2>OPTIONS</h2>
 <p>
       The <code class="option">-b</code> option sets the source IP address of the query
       to <em class="parameter"><code>address</code></em>.  This must be a valid
@@ -248,7 +248,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2630188"></a><h2>QUERY OPTIONS</h2>
+<a name="id2631113"></a><h2>QUERY OPTIONS</h2>
 <p><span><strong class="command">dig</strong></span>
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -573,7 +573,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2631257"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2632045"></a><h2>MULTIPLE QUERIES</h2>
 <p>
       The BIND 9 implementation of <span><strong class="command">dig </strong></span>
       supports
@@ -619,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2631342"></a><h2>IDN SUPPORT</h2>
+<a name="id2632267"></a><h2>IDN SUPPORT</h2>
 <p>
       If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -633,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2631371"></a><h2>FILES</h2>
+<a name="id2632296"></a><h2>FILES</h2>
 <p><code class="filename">/etc/resolv.conf</code>
     </p>
 <p><code class="filename">${HOME}/.digrc</code>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2631393"></a><h2>SEE ALSO</h2>
+<a name="id2632317"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -648,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2631430"></a><h2>BUGS</h2>
+<a name="id2632355"></a><h2>BUGS</h2>
 <p>
       There are probably too many query options.
     </p>
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index f9a20e36..1a6af013 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dnssec-dsfromkey.html,v 1.6.14.7 2009/06/03 01:54:41 tbox Exp $ -->
+<!-- $Id: man.dnssec-dsfromkey.html,v 1.28 2009/06/18 01:13:02 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -51,14 +51,14 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  {-s} [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dir</code></em></code>] {dnsname}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2603928"></a><h2>DESCRIPTION</h2>
+<a name="id2604811"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-dsfromkey</strong></span>
       outputs the Delegation Signer (DS) resource record (RR), as defined in
       RFC 3658 and RFC 4509, for the given key(s).
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2603942"></a><h2>OPTIONS</h2>
+<a name="id2604825"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-1</span></dt>
 <dd><p>
@@ -79,6 +79,12 @@
 <dd><p>
             Sets the debugging level.
           </p></dd>
+<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
+<dd><p>
+            Generate a DLV set instead of a DS set.  The specified
+            <code class="option">domain</code> is appended to the name for each
+            record in the set.
+          </p></dd>
 <dt><span class="term">-s</span></dt>
 <dd><p>
             Keyset mode: in place of the keyfile name, the argument is
@@ -99,7 +105,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2604072"></a><h2>EXAMPLE</h2>
+<a name="id2604976"></a><h2>EXAMPLE</h2>
 <p>
       To build the SHA-256 DS RR from the
       <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
@@ -114,7 +120,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2604108"></a><h2>FILES</h2>
+<a name="id2605080"></a><h2>FILES</h2>
 <p>
       The keyfile can be designed by the key identification
       <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
@@ -128,13 +134,13 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2604150"></a><h2>CAVEAT</h2>
+<a name="id2605122"></a><h2>CAVEAT</h2>
 <p>
       A keyfile error can give a "file not found" even if the file exists.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2604160"></a><h2>SEE ALSO</h2>
+<a name="id2605131"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -143,7 +149,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2604196"></a><h2>AUTHOR</h2>
+<a name="id2605168"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index c885dbec..308c2382 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dnssec-keyfromlabel.html,v 1.31.14.7 2009/06/03 01:54:41 tbox Exp $ -->
+<!-- $Id: man.dnssec-keyfromlabel.html,v 1.53 2009/06/18 01:13:02 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code>  {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2604515"></a><h2>DESCRIPTION</h2>
+<a name="id2605395"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-keyfromlabel</strong></span>
       gets keys with the given label from a crypto hardware and builds
       key files for DNSSEC (Secure DNS), as defined in RFC 2535
@@ -58,7 +58,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2604529"></a><h2>OPTIONS</h2>
+<a name="id2605409"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
@@ -131,7 +131,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2604930"></a><h2>GENERATED KEY FILES</h2>
+<a name="id2605741"></a><h2>GENERATED KEY FILES</h2>
 <p>
       When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
       successfully,
@@ -172,7 +172,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2605024"></a><h2>SEE ALSO</h2>
+<a name="id2605835"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -182,7 +182,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2605063"></a><h2>AUTHOR</h2>
+<a name="id2606353"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index 17d08e2f..f274a4e0 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dnssec-keygen.html,v 1.97.14.7 2009/06/03 01:54:40 tbox Exp $ -->
+<!-- $Id: man.dnssec-keygen.html,v 1.120 2009/06/18 01:13:02 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -47,10 +47,10 @@
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2605709"></a><h2>DESCRIPTION</h2>
+<a name="id2606674"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-keygen</strong></span>
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -58,7 +58,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2605723"></a><h2>OPTIONS</h2>
+<a name="id2606688"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
@@ -66,7 +66,8 @@
             Selects the cryptographic algorithm.  The value of
             <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
 	    DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
-	    These values are case insensitive.
+	    These values are case insensitive.  The default is RSASHA1 for
+            DNSSEC key generation.
           </p>
 <p>
             Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
@@ -78,15 +79,20 @@
           </p>
 </dd>
 <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd><p>
+<dd>
+<p>
             Specifies the number of bits in the key.  The choice of key
             size depends on the algorithm used.  RSAMD5 / RSASHA1 keys must be
-            between
-            512 and 2048 bits.  Diffie Hellman keys must be between
+            between 512 and 2048 bits.  Diffie Hellman keys must be between
             128 and 4096 bits.  DSA keys must be between 512 and 1024
             bits and an exact multiple of 64.  HMAC-MD5 keys must be
             between 1 and 512 bits.
-          </p></dd>
+          </p>
+            When generating a DNSSEC key with the default algorithm, this
+            value defaults to 1024, or 2048 if the KSK flag is set.
+          <p>
+          </p>
+</dd>
 <dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 <dd><p>
             Specifies the owner type of the key.  The value of
@@ -109,7 +115,7 @@
 <dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
 <dd><p>
             Set the specified flag in the flag field of the KEY/DNSKEY record.
-            		The only recognized flag is KSK (Key Signing Key) DNSKEY.
+    	    The only recognized flag is KSK (Key Signing Key) DNSKEY.
           </p></dd>
 <dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
 <dd><p>
@@ -166,7 +172,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2606408"></a><h2>GENERATED KEYS</h2>
+<a name="id2607034"></a><h2>GENERATED KEYS</h2>
 <p>
       When <span><strong class="command">dnssec-keygen</strong></span> completes
       successfully,
@@ -212,7 +218,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2608564"></a><h2>EXAMPLE</h2>
+<a name="id2607142"></a><h2>EXAMPLE</h2>
 <p>
       To generate a 768-bit DSA key for the domain
       <strong class="userinput"><code>example.com</code></strong>, the following command would be
@@ -233,7 +239,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2608893"></a><h2>SEE ALSO</h2>
+<a name="id2609315"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 2539</em>,
@@ -242,7 +248,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2608924"></a><h2>AUTHOR</h2>
+<a name="id2609346"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 9e4b00f5..ab26b86a 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -14,12 +14,12 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dnssec-signzone.html,v 1.94.14.11 2009/06/09 02:47:43 each Exp $ -->
+<!-- $Id: man.dnssec-signzone.html,v 1.119 2009/06/18 01:13:02 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>dnssec-signzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.67.2">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
 <link rel="prev" href="man.dnssec-keygen.html" title="dnssec-keygen">
@@ -47,10 +47,10 @@
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id306704"></a><h2>DESCRIPTION</h2>
+<a name="id2607552"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-signzone</strong></span>
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id306727"></a><h2>OPTIONS</h2>
+<a name="id2607571"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a</span></dt>
 <dd><p>
@@ -220,6 +220,19 @@
             may be useful when signing large zones or when the entropy
             source is limited.
           </p></dd>
+<dt><span class="term">-P</span></dt>
+<dd>
+<p>
+	    Disable post sign verification tests.
+          </p>
+<p>
+	    The post sign verification test ensures that for each algorithm
+	    in use there is at least one non revoked self signed KSK key,
+	    that all revoked KSK keys are self signed, and that all records
+	    in the zone are signed by the algorithm.
+	    This option skips these tests.
+          </p>
+</dd>
 <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
 <dd><p>
             Specifies the source of randomness.  If the operating
@@ -276,7 +289,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id307453"></a><h2>EXAMPLE</h2>
+<a name="id2661779"></a><h2>EXAMPLE</h2>
 <p>
       The following command signs the <strong class="userinput"><code>example.com</code></strong>
       zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
@@ -305,39 +318,14 @@ db.example.com.signed
 %</pre>
 </div>
 <div class="refsect1" lang="en">
-<a name="id307535"></a><h2>KNOWN BUGS</h2>
-<p>
-        <span><strong class="command">dnssec-signzone</strong></span> was designed so that it could
-        sign a zone partially, using only a subset of the DNSSEC keys
-        needed to produce a fully-signed zone.  This permits a zone
-        administrator, for example, to sign a zone with one key on one
-        machine, move the resulting partially-signed zone to a second
-        machine, and sign it again with a second key.
-    </p>
-<p>
-        An unfortunate side-effect of this flexibility is that
-        <span><strong class="command">dnssec-signzone</strong></span> does not check to make sure
-        it's signing a zone with any valid keys at all.  An attempt to
-        sign a zone without any keys will appear to succeed, producing
-        a "signed" zone with no signatures.  There is no warning issued
-        when a zone is not fully signed.
-    </p>
-<p>
-        This will be corrected in a future release.  In the meantime, ISC
-        recommends examining the output of <span><strong class="command">dnssec-signzone</strong></span>
-        to confirm that the zone is properly signed by all keys before
-        using it.
-    </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id307579"></a><h2>SEE ALSO</h2>
+<a name="id2661851"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 4033</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id307606"></a><h2>AUTHOR</h2>
+<a name="id2661876"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 22f6731d..b716e4a1 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.host.html,v 1.93.14.7 2009/06/03 01:54:40 tbox Exp $ -->
+<!-- $Id: man.host.html,v 1.114 2009/06/17 23:12:09 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">host</code>  [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2603221"></a><h2>DESCRIPTION</h2>
+<a name="id2604009"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">host</strong></span>
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -202,7 +202,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2603735"></a><h2>IDN SUPPORT</h2>
+<a name="id2604455"></a><h2>IDN SUPPORT</h2>
 <p>
       If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2603764"></a><h2>FILES</h2>
+<a name="id2604484"></a><h2>FILES</h2>
 <p><code class="filename">/etc/resolv.conf</code>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2603778"></a><h2>SEE ALSO</h2>
+<a name="id2604498"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
     </p>
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index c6aeb32b..0d54fe20 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.named-checkconf.html,v 1.92.14.8 2009/06/04 03:07:24 tbox Exp $ -->
+<!-- $Id: man.named-checkconf.html,v 1.115 2009/06/18 01:13:02 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,14 +50,14 @@
 <div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2608653"></a><h2>DESCRIPTION</h2>
+<a name="id2608792"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named-checkconf</strong></span>
       checks the syntax, but not the semantics, of a named
       configuration file.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2608667"></a><h2>OPTIONS</h2>
+<a name="id2608806"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-h</span></dt>
 <dd><p>
@@ -92,21 +92,21 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2608784"></a><h2>RETURN VALUES</h2>
+<a name="id2608922"></a><h2>RETURN VALUES</h2>
 <p><span><strong class="command">named-checkconf</strong></span>
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2608797"></a><h2>SEE ALSO</h2>
+<a name="id2608936"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2608827"></a><h2>AUTHOR</h2>
+<a name="id2609580"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 4cee97f3..f0599879 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.named-checkzone.html,v 1.98.14.8 2009/06/04 03:07:24 tbox Exp $ -->
+<!-- $Id: man.named-checkzone.html,v 1.122 2009/06/18 01:13:02 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -51,7 +51,7 @@
 <div class="cmdsynopsis"><p><code class="command">named-compilezone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2609642"></a><h2>DESCRIPTION</h2>
+<a name="id2610668"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named-checkzone</strong></span>
       checks the syntax and integrity of a zone file.  It performs the
       same checks as <span><strong class="command">named</strong></span> does when loading a
@@ -71,7 +71,7 @@
      </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2609692"></a><h2>OPTIONS</h2>
+<a name="id2610718"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-d</span></dt>
 <dd><p>
@@ -257,14 +257,14 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2660197"></a><h2>RETURN VALUES</h2>
+<a name="id2662725"></a><h2>RETURN VALUES</h2>
 <p><span><strong class="command">named-checkzone</strong></span>
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2660211"></a><h2>SEE ALSO</h2>
+<a name="id2662739"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
       <em class="citetitle">RFC 1035</em>,
@@ -272,7 +272,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2660244"></a><h2>AUTHOR</h2>
+<a name="id2662772"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 3e338877..a9cf4d59 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.named.html,v 1.99.14.8 2009/06/04 03:07:24 tbox Exp $ -->
+<!-- $Id: man.named.html,v 1.124 2009/06/18 01:13:02 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">named</code>  [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2610090"></a><h2>DESCRIPTION</h2>
+<a name="id2610880"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named</strong></span>
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2610121"></a><h2>OPTIONS</h2>
+<a name="id2610910"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-4</span></dt>
 <dd><p>
@@ -238,7 +238,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2610584"></a><h2>SIGNALS</h2>
+<a name="id2613285"></a><h2>SIGNALS</h2>
 <p>
       In routine operation, signals should not be used to control
       the nameserver; <span><strong class="command">rndc</strong></span> should be used
@@ -259,16 +259,24 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2612204"></a><h2>CONFIGURATION</h2>
+<a name="id2613608"></a><h2>CONFIGURATION</h2>
 <p>
       The <span><strong class="command">named</strong></span> configuration file is too complex
       to describe in detail here.  A complete description is provided
       in the
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
+<p>
+      <span><strong class="command">named</strong></span> inherits the <code class="function">umask</code>
+      (file creation mode mask) from the parent process. If files
+      created by <span><strong class="command">named</strong></span>, such as journal files,
+      need to have custom permissions, the <code class="function">umask</code>
+      should be set explicitly in the script used to start the
+      <span><strong class="command">named</strong></span> process.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2612292"></a><h2>FILES</h2>
+<a name="id2665472"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
 <dd><p>
@@ -281,7 +289,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2612336"></a><h2>SEE ALSO</h2>
+<a name="id2665515"></a><h2>SEE ALSO</h2>
 <p><em class="citetitle">RFC 1033</em>,
       <em class="citetitle">RFC 1034</em>,
       <em class="citetitle">RFC 1035</em>,
@@ -294,7 +302,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2612406"></a><h2>AUTHOR</h2>
+<a name="id2665654"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index a0ce8661..17c4c114 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.nsupdate.html,v 1.22.14.9 2009/06/04 03:07:24 tbox Exp $ -->
+<!-- $Id: man.nsupdate.html,v 1.48 2009/06/18 01:13:02 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">nsupdate</code>  [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] |  [<code class="option">-o</code>] |  [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] |  [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2610840"></a><h2>DESCRIPTION</h2>
+<a name="id2611915"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">nsupdate</strong></span>
       is used to submit Dynamic DNS Update requests as defined in RFC2136
       to a name server.
@@ -88,6 +88,10 @@
       report additional debugging information to <code class="option">-d</code>.
     </p>
 <p>
+      The <code class="option">-L</code> option with an integer argument of zero or
+      higher sets the logging debug level.  If zero, logging is disabled.
+    </p>
+<p>
       Transaction signatures can be used to authenticate the Dynamic
       DNS updates.  These use the TSIG resource record type described
       in RFC2845 or the SIG(0) record described in RFC3535 and
@@ -114,38 +118,48 @@
       uses the <code class="option">-y</code> or <code class="option">-k</code> option
       to provide the shared secret needed to generate a TSIG record
       for authenticating Dynamic DNS update requests, default type
-      HMAC-MD5.  These options are mutually exclusive.  With the
-      <code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads
-      the shared secret from the file <em class="parameter"><code>keyfile</code></em>,
-      whose name is of the form
-      <code class="filename">K{name}.+157.+{random}.private</code>.  For
-      historical reasons, the file
-      <code class="filename">K{name}.+157.+{random}.key</code> must also be
-      present.  When the <code class="option">-y</code> option is used, a
-      signature is generated from
+      HMAC-MD5.  These options are mutually exclusive. 
+    </p>
+<p>
+      When the <code class="option">-y</code> option is used, a signature is
+      generated from
       [<span class="optional"><em class="parameter"><code>hmac:</code></em></span>]<em class="parameter"><code>keyname:secret.</code></em>
       <em class="parameter"><code>keyname</code></em> is the name of the key, and
-      <em class="parameter"><code>secret</code></em> is the base64 encoded shared
-      secret.  Use of the <code class="option">-y</code> option is discouraged
-      because the shared secret is supplied as a command line
-      argument in clear text.  This may be visible in the output
-      from
-      <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span> or in a history file maintained by the user's
-      shell.
+      <em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
+      Use of the <code class="option">-y</code> option is discouraged because the
+      shared secret is supplied as a command line argument in clear text.
+      This may be visible in the output from
+      <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
+      or in a history file maintained by the user's shell.
     </p>
 <p>
+      With the
+      <code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads
+      the shared secret from the file <em class="parameter"><code>keyfile</code></em>.
+      Keyfiles may be in two formats: a single file containing
+      a <code class="filename">named.conf</code>-format <span><strong class="command">key</strong></span>
+      statement, which may be generated automatically by
+      <span><strong class="command">ddns-confgen</strong></span>, or a pair of files whose names are
+      of the format <code class="filename">K{name}.+157.+{random}.key</code> and
+      <code class="filename">K{name}.+157.+{random}.private</code>, which can be
+      generated by <span><strong class="command">dnssec-keygen</strong></span>.
       The <code class="option">-k</code> may also be used to specify a SIG(0) key used
       to authenticate Dynamic DNS update requests.  In this case, the key
       specified is not an HMAC-MD5 key.
     </p>
 <p>
-      The <code class="option">-g</code> and <code class="option">-o</code> specify that
-      GSS-TSIG is to be used.  The <code class="option">-o</code> should only
-      be used with old Microsoft Windows 2000 servers.
+      <span><strong class="command">nsupdate</strong></span> can be run in a local-host only mode
+      using the <code class="option">-l</code> flag.  This sets the server address to
+      localhost (disabling the <span><strong class="command">server</strong></span> so that the server
+      address cannot be overridden).  Connections to the local server will
+      use a TSIG key found in <code class="filename">/var/run/named/ddns.key</code>,
+      which is automatically generated by <span><strong class="command">named</strong></span> if any
+      local master zone has the <span><strong class="command">dynamic</strong></span> zone option set
+      to yes.  The location of this key file can be overridden with
+      the <code class="option">-k</code> option.
     </p>
 <p>
-      By default,
-      <span><strong class="command">nsupdate</strong></span>
+      By default, <span><strong class="command">nsupdate</strong></span>
       uses UDP to send update requests to the name server unless they are too
       large to fit in a UDP request in which case TCP will be used.
       The
@@ -156,6 +170,10 @@
       This may be preferable when a batch of update requests is made.
     </p>
 <p>
+      The <code class="option">-p</code> sets the default port number to use for
+      connections to a name server.  The default is 53.
+    </p>
+<p>
       The <code class="option">-t</code> option sets the maximum time an update request
       can
       take before it is aborted.  The default is 300 seconds.  Zero can be
@@ -187,7 +205,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2611166"></a><h2>INPUT FORMAT</h2>
+<a name="id2612440"></a><h2>INPUT FORMAT</h2>
 <p><span><strong class="command">nsupdate</strong></span>
       reads input from
       <em class="parameter"><code>filename</code></em>
@@ -451,7 +469,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2667085"></a><h2>EXAMPLES</h2>
+<a name="id2668086"></a><h2>EXAMPLES</h2>
 <p>
       The examples below show how
       <span><strong class="command">nsupdate</strong></span>
@@ -505,12 +523,16 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2667136"></a><h2>FILES</h2>
+<a name="id2668136"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
 <dd><p>
             used to identify default name server
           </p></dd>
+<dt><span class="term"><code class="constant">/var/run/named/ddns.key</code></span></dt>
+<dd><p>
+            sets the default TSIG key for use in local-only mode
+          </p></dd>
 <dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
 <dd><p>
             base-64 encoding of HMAC-MD5 key created by
@@ -524,7 +546,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2667273"></a><h2>SEE ALSO</h2>
+<a name="id2668288"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>,
       <span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>,
       <span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>,
@@ -533,11 +555,12 @@
       <span class="citerefentry"><span class="refentrytitle">RFC2535</span></span>,
       <span class="citerefentry"><span class="refentrytitle">RFC2931</span></span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">ddns-confgen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2667344"></a><h2>BUGS</h2>
+<a name="id2668366"></a><h2>BUGS</h2>
 <p>
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 485e6f4b..9914e6c0 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.rndc-confgen.html,v 1.102.14.9 2009/06/04 03:07:24 tbox Exp $ -->
+<!-- $Id: man.rndc-confgen.html,v 1.128 2009/06/18 01:13:02 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -23,6 +23,7 @@
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
 <link rel="prev" href="man.rndc.conf.html" title="rndc.conf">
+<link rel="next" href="man.ddns-confgen.html" title="ddns-confgen">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -32,7 +33,8 @@
 <td width="20%" align="left">
 <a accesskey="p" href="man.rndc.conf.html">Prev</a>�</td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right">�</td>
+<td width="20%" align="right">�<a accesskey="n" href="man.ddns-confgen.html">Next</a>
+</td>
 </tr>
 </table>
 <hr>
@@ -48,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">rndc-confgen</code>  [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2615400"></a><h2>DESCRIPTION</h2>
+<a name="id2622148"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">rndc-confgen</strong></span>
       generates configuration files
       for <span><strong class="command">rndc</strong></span>.  It can be used as a
@@ -64,7 +66,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2633216"></a><h2>OPTIONS</h2>
+<a name="id2622214"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a</span></dt>
 <dd>
@@ -171,7 +173,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2634899"></a><h2>EXAMPLES</h2>
+<a name="id2634547"></a><h2>EXAMPLES</h2>
 <p>
       To allow <span><strong class="command">rndc</strong></span> to be used with
       no manual configuration, run
@@ -188,7 +190,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2634955"></a><h2>SEE ALSO</h2>
+<a name="id2634603"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -196,7 +198,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2634994"></a><h2>AUTHOR</h2>
+<a name="id2636212"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
@@ -208,13 +210,15 @@
 <td width="40%" align="left">
 <a accesskey="p" href="man.rndc.conf.html">Prev</a>�</td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right">�</td>
+<td width="40%" align="right">�<a accesskey="n" href="man.ddns-confgen.html">Next</a>
+</td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <code class="filename">rndc.conf</code>�</td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">�</td>
+<td width="40%" align="right" valign="top">�<span class="application">ddns-confgen</span>
+</td>
 </tr>
 </table>
 </div>
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index b4c08012..b0a42772 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.rndc.conf.html,v 1.103.14.9 2009/06/04 03:07:24 tbox Exp $ -->
+<!-- $Id: man.rndc.conf.html,v 1.129 2009/06/18 01:13:02 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2607272"></a><h2>DESCRIPTION</h2>
+<a name="id2608552"></a><h2>DESCRIPTION</h2>
 <p><code class="filename">rndc.conf</code> is the configuration file
       for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2613315"></a><h2>EXAMPLE</h2>
+<a name="id2614049"></a><h2>EXAMPLE</h2>
 <pre class="programlisting">
       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2613573"></a><h2>NAME SERVER CONFIGURATION</h2>
+<a name="id2621611"></a><h2>NAME SERVER CONFIGURATION</h2>
 <p>
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the <code class="filename">rndc.conf</code>
@@ -219,7 +219,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2613598"></a><h2>SEE ALSO</h2>
+<a name="id2621637"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
@@ -227,7 +227,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2613637"></a><h2>AUTHOR</h2>
+<a name="id2621744"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index ae38ad16..2e8a602d 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.rndc.html,v 1.101.14.9 2009/06/04 03:07:24 tbox Exp $ -->
+<!-- $Id: man.rndc.html,v 1.127 2009/06/18 01:13:02 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">rndc</code>  [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2611406"></a><h2>DESCRIPTION</h2>
+<a name="id2612618"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">rndc</strong></span>
       controls the operation of a name
       server.  It supersedes the <span><strong class="command">ndc</strong></span> utility
@@ -79,7 +79,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2611457"></a><h2>OPTIONS</h2>
+<a name="id2612668"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
 <dd><p>
@@ -151,7 +151,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2612979"></a><h2>LIMITATIONS</h2>
+<a name="id2613713"></a><h2>LIMITATIONS</h2>
 <p><span><strong class="command">rndc</strong></span>
       does not yet support all the commands of
       the BIND 8 <span><strong class="command">ndc</strong></span> utility.
@@ -165,7 +165,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2613010"></a><h2>SEE ALSO</h2>
+<a name="id2613744"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -175,7 +175,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2613065"></a><h2>AUTHOR</h2>
+<a name="id2613799"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/draft/draft-dolmatov-dnsext-dnssec-gost-00.txt b/doc/draft/draft-dolmatov-dnsext-dnssec-gost-00.txt
new file mode 100644
index 00000000..3e08247f
--- /dev/null
+++ b/doc/draft/draft-dolmatov-dnsext-dnssec-gost-00.txt
@@ -0,0 +1,370 @@
+DNS Extensions working group                               V.Dolmatov, Ed.  
+Internet-Draft                                             Cryptocom Ltd.    
+Intended status: Standards Track                           April 8, 2009
+Expires: December 31, 2009                                 
+
+
+ Use of GOST signature algorithms in DNSKEY and RRSIG Resource Records
+                               for DNSSEC
+                 draft-dolmatov-dnsext-dnssec-gost-00
+
+Status of this Memo
+
+   This Internet-Draft is submitted to IETF in full conformance with the
+   provisions of BCP 78 and BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on 31 December 2009.
+
+Copyright Notice
+
+   Copyright (c) 2009 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents in effect on the date of
+   publication of this document (http://trustee.ietf.org/license-info).
+   Please review these documents carefully, as they describe your rights
+   and restrictions with respect to this document.
+
+Abstract
+
+   This document describes how to produce GOST signature and hash algorithms
+   DNSKEY and RRSIG resource records for use in the Domain Name System
+   Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035).
+
+
+Table of Contents
+
+   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 
+   2.  DNSKEY Resource Records . . . . . . . . . . . . . . . . . . . . 
+     2.1.  Using a public key with existing cryptographic libraries. .
+     2.2.  GOST DNSKEY RR Example  . . . . . . . . . . . . . . . . . .
+   3.  RRSIG Resource Records  . . . . . . . . . . . . . . . . . . . . 
+   4.  DS Resource Records . . . . . . . . . . . . . . . . . . . . . .
+   5.  NSEC3 Resource Records  . . . . . . . . . . . . . . . . . . . .
+   6.  Deployment Considerations . . . . . . . . . . . . . . . . . . . 
+     6.1.  Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . . 
+     6.2.  Signature Sizes . . . . . . . . . . . . . . . . . . . . . . 
+     6.3.  Digest Sizes  . . . . . . . . . . . . . . . . . . . . . . .
+   7.  Implementation Considerations . . . . . . . . . . . . . . . . . 
+     7.1.  Support for GOST signatures . . . . . . . . . . . . . . . . 
+     7.2.  Support for NSEC3 Denial of Existence . . . . . . . . . . . 
+       7.2.1.  NSEC3 in Authoritative servers  . . . . . . . . . . . . 
+       7.2.2.  NSEC3 in Validators . . . . . . . . . . . . . . . . . . 
+   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 
+   9.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 
+   10.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 
+     10.1.  Normative References  . . . . . . . . . . . . . . . . . . . 
+     10.2.  Informative References  . . . . . . . . . . . . . . . . . . 
+   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . . 
+
+
+1.  Introduction
+
+   The Domain Name System (DNS) is the global hierarchical distributed
+   database for Internet Naming.  The DNS has been extended to use
+   cryptographic keys and digital signatures for the verification of the
+   authenticity and integrity of its data.  RFC 4033 [RFC4033], RFC 4034
+   [RFC4034], and RFC 4035 [RFC4035] describe these DNS Security
+   Extensions, called DNSSEC.
+
+   RFC 4034 describes how to store DNSKEY and RRSIG resource records,
+   and specifies a list of cryptographic algorithms to use.  This
+   document extends that list with the signature and hash algorithms 
+   GOST [GOST3410, GOST3411],
+   and specifies how to store DNSKEY data and how to produce
+   RRSIG resource records with these hash algorithms.
+
+   Familiarity with DNSSEC  and GOST signature and hash
+   algorithms is assumed in this document.
+
+   The term "GOST" is not officially defined, but is usually used to
+   refer to the collection of the Russian cryptographic algorithms
+   GOST R 34.10-2001, GOST R 34.11-94, GOST 28147-89. Since GOST 28147-89
+   is not used in DNSSEC, GOST will only refer to GOST R 34.10-2001 
+   (signatire algorithm) and GOST R 34.11-94 (hash algorithm) in this
+   document.
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in [RFC2119].
+
+
+2.  DNSKEY Resource Records
+
+   The format of the DNSKEY RR can be found in RFC 4034 [RFC4034].
+
+   GOST R 34.10-2001 public keys are stored with the algorithm number {TBA1}.
+   
+   The public key parameters are those identified by
+   id-GostR3410-2001-CryptoPro-A-ParamSet (1.2.643.2.2.35.1) [RFC4357].
+   The digest parameters for signature are those identified by
+   id-GostR3411-94-CryptoProParamSet (1.2.643.2.2.30.1) [RFC4357].
+   
+   The wire format of the public key is compatible with RFC 4491 [RFC4491]:
+
+   According to [GOSTR341001], a public key is a point on the elliptic
+   curve Q = (x,y).
+
+   The wire representation of a public key MUST contain 64 octets, where the
+   first 32 octets contain the little-endian representation of x and the
+   second 32 octets contain the little-endian representation of y.  This
+   corresponds to the binary representation of (<y>256||<x>256) from
+   [GOSTR341001], ch.  5.3.
+
+2.1.  Using a public key with existing cryptographic libraries
+
+   Existing GOST-aware cryptographic libraries at time of this document
+   writing are capable to read GOST public keys via generic X509 API if the
+   key is encoded according to RFC 4491 [RFC4491], section 2.3.2.
+
+   To make this encoding from the wire format of a GOST public key, prepend
+   a key data with the following 37-byte sequence:
+
+   0x30 0x63 0x30 0x1c 0x06 0x06 0x2a 0x85 0x03 0x02 0x02 0x13 0x30 0x12
+   0x06 0x07 0x2a 0x85 0x03 0x02 0x02 0x23 0x01 0x06 0x07 0x2a 0x85 0x03
+   0x02 0x02 0x1e 0x01 0x03 0x43 0x00 0x04 0x40
+  
+2.2.  GOST DNSKEY RR Example
+
+   The following DNSKEY RR stores a DNS zone key for example.com
+
+   example.com. 86400 IN DNSKEY 256 3 {TBA1} ( RamuUwTG1r4RUqsgXu/xF6B+Y
+                                               tJLzZEykiZ4C2Fa1gV1pI/8GA
+                                               el2Wm69Cz5h1T9eYAQKFAGwzW
+                                               m4Lke0E26aw== )
+
+3.  RRSIG Resource Records
+
+   The value of the signature field in the RRSIG RR follows the RFC 4490
+   [RFC4490] and is calculated as follows.  The values for the RDATA fields
+   that precede the signature data are specified in RFC 4034 [RFC4034].
+
+   hash = GOSTR3411(data)
+
+   where "data" is the wire format data of the resource record set that is
+   signed, as specified in RFC 4034 [RFC4034].  Hash MUST be calculated with
+   GOST R 34.11-94 parameters identified by
+   id-GostR3411-94-CryptoProParamSet [RFC4357].
+
+   Signature is calculated from the hash according to the GOST R 34.10-2001
+   standard and its wire format is compatible with RFC 4490 [RFC4490].
+   Quoting RFC 4490:
+
+   "The signature algorithm GOST R 34.10-2001 generates a digital
+   signature in the form of two 256-bit numbers, r and s.  Its octet
+   string representation consists of 64 octets, where the first 32
+   octets contain the big-endian representation of s and the second 32
+   octets contain the big-endian representation of r."
+
+4.  DS Resource Records
+
+   GOST R 34.11-94 digest algorithm is denoted in DS RR by the digest type
+   {TBA2}.  The wire format of a digest value is compatible with RFC 4490
+   [RFC4490].  Quoting RFC 4490: 
+   
+   "A 32-byte digest in little-endian representation."
+
+   The digest MUST always be calculated with GOST R 34.11-94 parameters
+   identified by id-GostR3411-94-CryptoProParamSet [RFC4357].
+
+5.  NSEC3 Resource Records
+
+   GOST R 34.11-94 digest algorithm is denoted in NSEC3 RR by the digest type
+   {TBA2}.  The wire format of a digest value is compatible with RFC 4490
+   [RFC4490].  Quoting RFC 4490: 
+   
+   "A 32-byte digest in little-endian representation."
+
+   The digest MUST always be calculated with GOST R 34.11-94 parameters
+   identified by id-GostR3411-94-CryptoProParamSet [RFC4357].
+
+6.  Deployment Considerations
+
+6.1.  Key Sizes
+
+   According to RFC4357 [RFC4357] key size of GOST public keys MUST 
+   be 512 bits.
+
+6.2.  Signature Sizes
+
+   According to GOST signature algorithm [GOST3410] size of GOST signature 
+   is 512 bit.
+
+6.3.  Digest Sizes
+
+   According to GOST R 34.11-94 [GOST3411] size of GOST digest is 256 bit.
+
+7.  Implementation Considerations
+
+7.1.  Support for GOST signatures
+
+   DNSSEC aware implementations SHOULD be able to support RRSIG and
+   DNSKEY resource records created with the GOST algorithms as
+   defined in this document.
+
+7.2.  Support for NSEC3 Denial of Existence
+
+   RFC5155 [RFC5155] defines new algorithm identifiers for existing
+   signing algorithms, to indicate that zones signed with these
+   algorithm identifiers use NSEC3 instead of NSEC records to provide
+   denial of existence.  That mechanism was chosen to protect
+   implementations predating RFC5155 from encountering resource records
+   they could not know about.  This document does not define such
+   algorithm aliases, and support for NSEC3 denial of existence is
+   implicitly signaled with support for one of the algorithms defined in
+   this document.
+
+7.2.1.  NSEC3 in Authoritative servers
+
+   An authoritative server that does not implement NSEC3 MAY still serve
+   zones that use GOST with NSEC denial of existence.
+
+7.2.2.  NSEC3 in Validators
+
+   A DNSSEC validator that implements GOST MUST be able to handle
+   both NSEC and NSEC3 [RFC5155] negative answers.  If this is not the
+   case, the validator MUST treat a zone signed with GOST
+   as signed with an unknown algorithm, and thus as insecure.
+
+
+8.  IANA Considerations
+
+   This document updates the IANA registry "DNS SECURITY ALGORITHM
+   NUMBERS -- per [RFC4035] "
+   (http://www.iana.org/assignments/dns-sec-alg-numbers).  The following
+   entries are added to the registry:
+                                        Zone     Trans.
+   Value   Algorithm          Mnemonic  Signing  Sec.   References   Status
+   {TBA1}  GOST R 34.10-2001  GOST      Y        *      (this memo)  OPTIONAL
+
+   This document updates the RFC 4034 [RFC4034] Digest Types assignment
+   (RFC 4034, section A.2):
+
+   Value   Algorithm        Status
+   {TBA2}  GOST R 34.11-94  OPTIONAL
+
+9. Acknowledgments
+
+   This document is a minor extension to RFC 4034 [RFC4034].  Also, we
+   try to follow the documents RFC 3110 [RFC3110], RFC 4509 [RFC4509]
+   and RFC 4357 [RFC4357] for consistency. The authors of and 
+   contributors to these documents are gratefully acknowledged for 
+   their hard work.
+
+   The following people provided additional feedback and text: Dmitry 
+   Burkov, Jaap Akkerhuis, Jelte Jansen and Wouter Wijngaards.
+
+
+10.  References
+
+10.1.  Normative References
+
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", RFC 2119, March 1997.
+
+   [RFC3110]  Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain
+              Name System (DNS)", RFC 3110, May 2001.
+
+   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "DNS Security Introduction and Requirements",
+              RFC 4033, March 2005.
+
+   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "Resource Records for the DNS Security Extensions",
+              RFC 4034, March 2005.
+
+   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "Protocol Modifications for the DNS Security
+              Extensions", RFC 4035, March 2005.
+
+   [GOST3410] "Information technology.  Cryptographic data security.
+              Signature and verification processes of [electronic]
+              digital signature.", GOST R 34.10-2001, Gosudarstvennyi
+              Standard of Russian Federation, Government Committee of
+              the Russia for Standards, 2001.  (In Russian)
+
+   [GOST3411] "Information technology.  Cryptographic Data Security.
+              Hashing function.", GOST R 34.11-94, Gosudarstvennyi
+              Standard of Russian Federation, Government Committee of
+              the Russia for Standards, 1994.  (In Russian)
+
+   [RFC4357] Popov, V., Kurepkin, I., and S. Leontiev, "Additional
+             Cryptographic Algorithms for Use with GOST 28147-89,
+             GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94
+             Algorithms", RFC 4357, January 2006.
+
+   [RFC4490] S. Leontiev and G. Chudov, "Using the GOST 28147-89, 
+	     GOST R 34.11-94, GOST R 34.10-94, and GOST R 34.10-2001 
+             Algorithms with Cryptographic Message Syntax (CMS)",
+             RFC 4490, May 2006.
+
+   [RFC4491] S. Leontiev and D. Shefanovski, "Using the GOST 
+             R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 
+             Algorithms with the Internet X.509 Public Key 
+             Infrastructure Certificate and CRL Profile", RFC 4491,
+             May 2006. 
+
+
+
+10.2.  Informative References
+
+   [NIST800-57]
+              Barker, E., Barker, W., Burr, W., Polk, W., and M. Smid,
+              "Recommendations for Key Management", NIST SP 800-57,
+              March 2007.
+
+   [RFC3447]  Jonsson, J. and B. Kaliski, "Public-Key Cryptography
+              Standards (PKCS) #1: RSA Cryptography Specifications
+              Version 2.1", RFC 3447, February 2003.
+
+   [RFC4509]  Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer
+              (DS) Resource Records (RRs)", RFC 4509, May 2006.
+
+   [RFC5155]  Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
+              Security (DNSSEC) Hashed Authenticated Denial of
+              Existence", RFC 5155, March 2008.
+
+Authors' Addresses
+
+
+Vasily Dolmatov, Ed.
+Cryptocom Ltd.
+Bolotnikovskaya, 23
+Moscow, 117303, Russian Federation
+
+EMail: dol@cryptocom.ru
+
+Artem Chuprina
+Cryptocom Ltd.
+Bolotnikovskaya, 23
+Moscow, 117303, Russian Federation
+
+EMail: ran@cryptocom.ru
+
+Igor Ustinov
+Cryptocom Ltd.
+Bolotnikovskaya, 23
+Moscow, 117303, Russian Federation
+
+EMail: igus@cryptocom.ru
+
+                  Expires December 31, 2009                [Page ]
+
+
diff --git a/doc/draft/draft-ietf-dnsext-axfr-clarify-09.txt b/doc/draft/draft-ietf-dnsext-axfr-clarify-11.txt
index 94c08ec8..5278587d 100644
--- a/doc/draft/draft-ietf-dnsext-axfr-clarify-09.txt
+++ b/doc/draft/draft-ietf-dnsext-axfr-clarify-11.txt
@@ -1,37 +1,46 @@
-INTERNET-DRAFT                                            Edward Lewis
-draft-ietf-dnsext-axfr-clarify-09.txt                    NeuStar, Inc.
-DNSEXT WG                                                    July 2008
-Updates: 1034, 1035 (if approved)     Intended status: Standards Track
+DNS Extensions Working Group                               Edward Lewis
+INTERNET-DRAFT                                            NeuStar, Inc.
+Expires: Octopber 1, 2009                                  April 2009
+Updates: 1034, 1035 (if approved)
+Intended status: Standards Track
+
+                    DNS Zone Transfer Protocol (AXFR)
+                  draft-ietf-dnsext-axfr-clarify-11.txt
 
-                      DNS Zone Transfer Protocol (AXFR)
 Status of this Memo
 
-By submitting this Internet-Draft, each author represents that any
-applicable patent or other IPR claims of which he or she is aware
-have been or will be disclosed, and any of which he or she becomes
-aware will be disclosed, in accordance with Section 6 of BCP 79.
+  This Internet-Draft is submitted to IETF in full conformance with the
+  provisions of BCP 78 and BCP 79.
 
-Internet-Drafts are working documents of the Internet Engineering
-Task Force (IETF), its areas, and its working groups.  Note that
-other groups may also distribute working documents as Internet-
-Drafts.
+  Internet-Drafts are working documents of the Internet Engineering
+  Task Force (IETF), its areas, and its working groups.  Note that
+  other groups may also distribute working documents as Internet-
+  Drafts.
 
-Internet-Drafts are draft documents valid for a maximum of six months
-and may be updated, replaced, or obsoleted by other documents at any
-time.  It is inappropriate to use Internet-Drafts as reference
-material or to cite them other than as "work in progress."
+  Internet-Drafts are draft documents valid for a maximum of six months
+  and may be updated, replaced, or obsoleted by other documents at any
+  time.  It is inappropriate to use Internet-Drafts as reference
+  material or to cite them other than as "work in progress."
 
-The list of current Internet-Drafts can be accessed at
-http://www.ietf.org/ietf/1id-abstracts.txt.
+  The list of current Internet-Drafts can be accessed at
+  http://www.ietf.org/1id-abstracts.html
 
-The list of Internet-Draft Shadow Directories can be accessed at
-http://www.ietf.org/shadow.html.
+  The list of Internet-Draft Shadow Directories can be accessed at
+  http://www.ietf.org/shadow.html
 
-This Internet-Draft will expire on December 31, 2008.
+  This Internet-Draft will expire on October 1, 2009.
 
 Copyright Notice
 
-Copyright (C) The IETF Trust (2008).
+   Copyright (c) 2009 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents
+   (http://trustee.ietf.org/license-info) in effect on the date of
+   publication of this document.  Please review these documents
+   carefully, as they describe your rights and restrictions with
+   respect to this document.
 
 Abstract
 
@@ -120,16 +129,6 @@ appeared on the access to an entire zone's contents.  In this document,
 the basic mechanisms will be discussed separately from the permission
 to use these mechanisms.
 
-1.4 Coverage
-
-This document concentrates on just the definition of AXFR.  Any effort
-to update the IXFR or NOTIFY mechanisms would be done in different
-documents.  This is not strictly a clarification of the definition in
-RFC 1034 and RFC 1035.  This document will update those sections, and
-invalidate at least one part of that definition.  The goal of this
-document is to define AXFR as it exists, or is supposed to exist,
-currently.
-
 1.4 Coverage and Relationship to Original AXFR Specification
  
 This document concentrates on just the definition of AXFR.  Any effort
@@ -139,16 +138,17 @@ documents.
 The original "specification" of the AXFR sub-protocol is scattered
 through RFC 1034 and RFC 1035.  Section 2.2 of RFC 1035 on page 5
 depicts the scenario for which AXFR has been designed.  Section 4.3.5
-of RFC 1034 describes the zone synchronisation strategies in general
+of RFC 1034 describes the zone synchronization strategies in general
 and rules for the invocation of a full zone transfer via AXFR; the
 fifth paragraph of that section contains a very short sketch of the
-AXFR protocol.  Section 3.2.3 of RFC 1035 has assigned the code point
-for the AXFR QTYPE (see section 2.1.2 below for more details).
-Section 4.2 of RFC 1035 discusses the transport layer use of DNS and
-shortly explains why UDP transport is deemed inappropriate for AXFR;
-the last paragraph of Section 4.2.2 gives details for the TCP
-connection management with AXFR.  Finally, the second paragraph of
-Section 6.3 in RFC 1035 mandates server behavior when zone data
+AXFR protocol; Section 5.5 of RFC 2181 has corrected a significant
+flaw in that specification.  Section 3.2.3 of RFC 1035 has assigned
+the code point for the AXFR QTYPE (see section 2.1.2 below for more
+details).  Section 4.2 of RFC 1035 discusses the transport layer use
+of DNS and shortly explains why UDP transport is deemed inappropriate
+for AXFR; the last paragraph of Section 4.2.2 gives details for the
+TCP connection management with AXFR.  Finally, the second paragraph
+of Section 6.3 in RFC 1035 mandates server behavior when zone data
 changes occur during an ongoing zone transfer using AXFR.
 
 This document will update the specification of AXFR in fully
@@ -162,13 +162,12 @@ define AXFR as it exists, or is supposed to exist, currently.
 
 2 AXFR Messages
 
-An AXFR message exchange (or session) consists of an AXFR query message
-and a set of AXFR response messages.  In this document, AXFR client is
-the sender of the AXFR query and the AXFR server is the responder. 
-(Use of terms such as master, slave, primary, secondary are not
-important to defining the AXFR exchange.)  The reason for the imbalance
-in number of messages derives from large zones whose contents cannot be
-fit into the limited permissible size of a DNS message.
+An AXFR session consists of an AXFR query message and the sequence of
+AXFR response messages returned for it.  In this document, the AXFR
+client is the sender of the AXFR query and the AXFR server is the
+responder.  (Use of terms such as master, slave, primary, secondary
+are not important to defining AXFR.)  The use of the word "session"
+without qualification refers to an AXFR session.
 
 An important aspect to keep in mind is that the definition of AXFR is
 restricted to TCP [RFC0793].  The design of the AXFR process has
@@ -177,19 +176,37 @@ certain inherent features that are not easily ported to UDP [RFC0768].
 The basic format of an AXFR message is the DNS message as defined in
 RFC 1035, Section 4 ("MESSAGES") [RFC1035], updated by the following:
 - "A Mechanism for Prompt Notification of Zone Changes (...)" [RFC1996]
-- "Domain Name System (DNS) IANA Considerations" [RFC2929]
+- "Domain Name System (DNS) IANA Considerations" [RFC5395]
 - "Dynamic Updates in the Domain Name System (DNS UPDATE)" [RFC2136]
+- "Clarifications to the DNS Specification" [RFC2181]
 - "Extension Mechanisms for DNS (EDNS0)" [RFC2671]
 - "Secret Key Transaction Authentication for DNS (TSIG)" [RFC2845]
 - "Secret Key Establishment for DNS (TKEY RR)" [RFC2930]
 - "Obsoleting IQUERY" [RFC3425]
 - "Handling of Unknown DNS Resource Record (RR) Types" [RFC3597]
+- "Resource Records for the DNS Security Extensions" [RFC4034]
 - "Protocol Modifications for the DNS Security Extensions" [RFC4035]
+- "Use of SHA-256 in DNSSEC ... (DS) ... (RRs)" [RFC4509]
 - "HMAC SHA TSIG Algorithm Identifiers" [RFC4635]
+- "... (DNSSEC) Hashed Authenticated Denial of Existence" [RFC5155]
+
+For completeness, the following, in process, documents contain
+information about the DNS message.  These documents ought not interfere
+with AXFR but these documents are helpful in understanding what will
+be carried via AXFR.
+
+- "Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource
+  Records for DNSSEC" [DRAFT1]
+- "Clarifications and Implementation Notes for DNSSECbis" [DRAFT2]
 
 The upper limit on the permissible size of a DNS message over TCP is
-defined in RFC 1035, section 4.2.2.  Unlike DNS messages over UDP,
-this limit is not changed by EDNS0.
+only restricted by the TCP framing defined in RFC 1035, section 4.2.2
+which specifies a two-octet message length field, understood to be
+unsigned, and thus causing a limit of 65535 octets.  Unlike DNS
+messages over UDP, this limit is not changed by EDNS0.
+
+Note that the TC (truncation) bit is never set by an AXFR server nor
+considered/read by an AXFR client.
 
 Field names used in this document will correspond to the names as they
 appear in the IANA registry for DNS Header Flags [DNSFLGS].
@@ -200,6 +217,12 @@ An AXFR query is sent by a client whenever there is a reason to ask.
 This might be because of zone maintenance activities or as a result of
 a command line request, say for debugging.
 
+An AXFR query is sent by a client whenever there is a reason to ask.
+This might be because of scheduled or triggered zone maintenance
+activities (see section 4.3.5 of RFC 1034 and DNS NOTIFY [RFC1996],
+respectively) or as a result of a command line request, say for
+debugging.
+
 2.1.1 Header Values
 
 These are the DNS message header values for an AXFR query.
@@ -294,7 +317,7 @@ additional section might change over time.  If either a change to an
 existing resource record (like the OPT RR for EDNS0) is made or
 a new additional section record is created, the new definitions ought
 to include a discussion on the impact upon AXFR.  Although this is not
-predictale, future additional section residing records may have an
+predictable, future additional section residing records may have an
 effect that is orthogonal to AXFR, so can ride through the session as
 opaque data.  In this case, a "wise" implementation ought to be able
 to pass these records through without disruption.
@@ -315,15 +338,14 @@ message's query section.  Subsequent messages MAY do the same.
 
 An AXFR response that is indicating an error MUST consist of a single
 DNS message with the return code set to the appropriate value for the
-condition encountered - once the error condition is detected.  Such
-a message MUST copy the AXFR query Query Section into its Query
-Section.  The inclusion of the terminating SOA resource record is not
-necessary.
+condition encountered - once the error condition is detected. Such
+a message MUST terminate the AXFR session; it MUST copy the Query
+Section from the AXFR query into its Query Section, but the inclusion
+of the terminating SOA resource record is not necessary.
 
 An AXFR client might receive a number of AXFR response messages
 free of an error condition before the message indicating an error
-is received.  But once an error is reported, the AXFR client can
-assume that the error reporting message is the last.
+is received.
 
 2.2.1 "0 Message" Response
 
@@ -333,33 +355,16 @@ is unhealthy for there to be 0 responses in a protocol that is designed
 around a query - response paradigm over an unreliable transport.  The
 lack of a response could be a sign of underlying network problems and
 cause the protocol state machine to react accordingly.  However, AXFR
-uses TCP and not UDP, eliminating undetected network errors.
+uses TCP and not UDP, eliminating undetectable network errors.
 
 A "0 message response" is reserved for situations in which the server
 has a reason to suspect that the query is sent for the purpose of
 abuse.  Due to the use of this being so controversial, a "0 message
 response" is not being defined as a legitimate part of the protocol
-but the use of it is being acknowledge as a warning to AXFR client
+but the use of it is being acknowledged as a warning to AXFR client
 implementations.  Any earnest query has the expectation of some
 response but may not get one.
 
-If an AXFR client sends a query on a TCP connection and the connection
-is closed at any point, the AXFR client MUST consider the session
-terminated.  The message ID MAY be used again on a new connection,
-even if the question and AXFR server are the same.  Facing a dropped
-connection a client SHOULD try to make some determination whether the
-connection closure was the result of network activity or a decision
-by the AXFR server.  This determination is not an exact science.  It
-is up to the AXFR client implementor to react, but the reaction
-SHOULD NOT be an endless cycle of retires nor an increasing (in
-frequency) retry rate.
-
-An AXFR server implementor SHOULD take into consideration what this
-dilemma described above when a connection is closed with an outstanding
-query in the pipeline.  For this reason, a server ought to reserve
-this course of action for situations in which it believes beyond a
-doubt that the AXFR client is attemping abusive behavior.
-
 2.2.2 Header Values
 
 ID          See note 2.2.2.a
@@ -422,6 +427,14 @@ documents:
 - "DNS Security Introduction and Requirements" [RFC4033]
 - "Resource Records for the DNS Security Extensions" [RFC4034]
 - "Protocol Modifications for the DNS Security Extensions" [RFC4035]
+- "Use of SHA-256 in DNSSEC Delegation Signer RRs" [RFC4509]
+- "DNS Security Hashed Authenticated Denial of Existence" [RFC5155]
+
+as well pending documents, such as these:
+
+- "Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource
+  Records for DNSSEC" [DRAFT1]
+- "Clarifications and Implementation Notes for DNSSECbis" [DRAFT2]
 
 Note 2.2.2.f In the absence of an error, the server MUST set the value
 of this field to NoError.  If a server is not authoritative for the
@@ -430,8 +443,8 @@ consult the appropriate IANA registry [DNSVALS].)  If a client
 receives any other value in response, it MUST act according to the
 error.  For example, a malformed AXFR query or the presence of an EDNS0
 OPT resource record sent to an old server will garner a FormErr value.
-This value is not set as part of the AXFR response processing.  The
-same is true for other error-indicating values.
+This value is not set as part of the AXFR-specific response processing.
+The same is true for other error-indicating values.
 
 Note 2.2.2.g The count of answer records MUST equal the number of
 resource records in the AXFR Answer Section.  When a server is aware
@@ -440,14 +453,15 @@ message, then the value MUST be 1.  A server MAY be made aware of a
 client's limitations via configuration data.
 
 Note 2.2.2.h The client MUST set this field to be the number of
-resource records appearing in the additional section.  See Section
-2.1.5 "Additional Section" for details.
+resource records appearing in the additional section.  The
+considerations in Note 2.1.1.d above apply equally; see Section
+2.2.6 "Additional Section" below for more details.
 
 2.2.3 Query Section
 
 In the first response message, this section MUST be copied from the
-query.  In subsequent messages this section MAY be copied from the
-query, MAY be empty.  The content of this section MAY be used to
+query.  In subsequent messages, this section MAY be copied from the
+query or it MAY be empty.  The content of this section MAY be used to
 determine the context of the message, that is, the name of the zone
 being transferred.
 
@@ -460,44 +474,60 @@ encoding zone contents.
 
 MUST be empty.
 
-2.2.5 Additional Section
+2.2.6 Additional Section
 
 The contents of this section MUST follow the guidelines for EDNS0,
 TSIG, SIG(0), or what ever other future record is possible here.  The
 contents of section 2.1.5 apply here as well.
 
-Note that TSIG and SIG(0), if in use, will treat each individual
-AXFR response message within a session as a unit of data.  That is,
-each message will have a TSIG or SIG(0) (if in use) and the
-crytpographic check will cover just that message.  The same rule
-will apply to future alternatives and documents covering them ought
-to consider the impact on AXFR response messages.
+2.3 TCP Connection Aborts
+
+If an AXFR client sends a query on a TCP connection and the connection
+is closed at any point, the AXFR client MUST consider the AXFR session
+terminated.  The message ID MAY be used again on a new connection,
+even if the question and AXFR server are the same.  Facing a dropped
+connection a client SHOULD try to make some determination whether the
+connection closure was the result of network activity or a decision
+by the AXFR server.  This determination is not an exact science.  It
+is up to the AXFR client implementor to react, but the reaction
+SHOULD NOT be an endless cycle of retries nor an increasing (in
+frequency) retry rate.
+
+An AXFR server implementor SHOULD take into consideration the dilemma
+described above when a connection is closed with an outstanding query
+in the pipeline.  For this reason, a server ought to reserve this
+course of action for situations in which it believes beyond a doubt
+that the AXFR client is attempting abusive behavior.
 
 3 Zone Contents
 
 The objective of the AXFR session is to request and transfer the
-contents of a zone.  The objective is to permit the client to
+contents of a zone.  The objective is to permit the AXFR client to
 reconstruct the zone as it exists at the server for the given zone
-serial number.  Over time the definition of a zone has evolved from a
-static set of records to a dynamically updated set of records to a
-continually regenerated set of records.
+serial number.  Over time the definition of a zone has evolved from
+denoting a static set of records to also cover a dynamically updated
+set of records, and then a potentially continually regenerated set of
+records as well.
 
 3.1 Records to Include
 
 In the answer section of AXFR response messages the resource records
 within a zone for the given serial number MUST appear.  The definition
 of what belongs in a zone is described in RFC 1034, Section 4.2, "How
-the database is divided into zones", and in particular, section 4.2.1,
-"Technical considerations".
+the database is divided into zones", in particular, section 4.2.1,
+"Technical considerations", and it has been clarified in Section 6 of
+RFC 2181.
 
-Unless the AXFR server knows that the AXFR client expects just one
-resource record per AXFR response message, an AXFR server SHOULD
-populate an AXFR response message with as many complete resource
-records as will fit within a DNS message.
+Unless the AXFR server knows that the AXFR client is old and expects
+just one resource record per AXFR response message, an AXFR server
+SHOULD populate an AXFR response message with as many complete
+resource record sets as will fit within a DNS message.
 
 Zones for which it is impractical to list the entire zones for a serial
-number (because changes happen too quickly) are not suitable for AXFR
-retrieval.
+number are not suitable for AXFR retrieval.  A typical (but not
+limiting) description of such a zone is a zone consisting of responses
+generated via other database lookups and/or computed based upon ever
+changing data.
 
 3.2 Delegation Records
 
@@ -509,13 +539,38 @@ over this statement and the impact on which NS resource records are
 included in a zone transfer.
 
 The phrase "that describe cuts" is a reference to the NS set and
-applicable glue records.  It does not mean that the cut points and the
-apex resource records are identical.  For example, the SOA resource
-record is only found at the apex, as well as a slew of DNSSEC resource
-records.  There are also some DNSSEC resource record sets that are
-explicitly different between the cut point and the apex.  The
-discussion here is restricted to just the NS resource record set and
-glue as these "describe cuts."
+applicable glue records.  It does not mean that the cut point and apex
+resource records are identical.  For example, the SOA resource record
+is only found at the apex.  The discussion here is restricted to just
+the NS resource record set and glue as these "describe cuts".
+
+DNSSEC resource records have special specifications regarding their
+occurrence at a zone cut and the apex of a zone.  This has for the
+first time been described in Sections 5.3 ff. and 6.2 of RFC 2181
+(for the initial specification of DNSSEC), which now is historical.
+The current DNSSEC core document set (see Note 2.2.2.e above) gives
+the full details for DNSSEC(bis) resource record placement, and
+Section 3.1.5 of RFC 4035 normatively specifies their treatment during
+AXFR; the alternate NSEC3 resource record defined later in RFC 5155
+behaves identically as the NSEC RR, for the purpose of AXFR.
+
+Informally:
+o  The DS RRSet only occurs at the parental side of a zone cut and is
+   authoritative data in the parent zone, not the secure child zone.
+o  The DNSKEY RRSet only occurs at the APEX of a signed zone and is
+   authoritative part of the zone it serves.
+o  Independent RRSIG RRSets occur at the signed parent side and of a
+   zone cut and at the apex of a signed zone; they are authoritative
+   part of the respective zone; simple queries for RRSIG resource
+   records may return bth RRSets at once if the same server is
+   authoritative for the parent zone and the child zone (Section
+   3.1.5 of RFC 4035 describes how to distinguish these RRs); this
+   seeming ambiguity does not occur for AXFR, since each such RRSIG
+   RRset belongs to a single zone.
+o  Different NSEC [RFC4034] or NSEC3 [RFC5155] resource records
+   equally may occur at the parental siede of a zone cut and at the
+   apex of a zone; each such resource record belongs to exactly one
+   of these zones and is to be included in the AXFR of that zone.
 
 The issue is that in operations there are times when the NS resource
 records for a zone might be different at a cut point in the parent and
@@ -525,7 +580,7 @@ protocol is robust enough to overcome inconsistencies up to (but not
 including) there being no parent indicated NS resource record
 referencing a server that is able to serve the child zone.  This
 robustness is one quality that has fueled the success of the DNS. 
-Still, the inconsistency is a error state and steps need to be taken
+Still, the inconsistency is an error state and steps need to be taken
 to make it apparent (if it is unplanned) and to make it clear once
 the inconsistency has been removed.
 
@@ -538,7 +593,7 @@ the cut point.
 The question that arises is, when facing a situation in which a cut
 point's NS resource records do not match the authoritative set, whether
 an AXFR server responds with the NS resource record set that is in the
-zone or is at the authoritative location.
+zone being transferred or is at the authoritative location.
 
 The AXFR response MUST contain the cut point NS resource record set
 registered with the zone whether it agrees with the authoritative set
@@ -565,20 +620,30 @@ authoritative set, concealing the error.)
 3) The inconsistent NS resource record set might indicate a problem
 in a registration database.
 
-4) Beginning with an error state of two servers for a zone having
-inconsistent zone contents for a given zone serial number, if a client
-requests and recieves an IXFR transfer from one server followed by 
-another IXFR transfer from the other server, the client can encounter
-an IXFR protocol error state where an attempt is made to incrementally
-add a record that already exists or to delete a record that does not
-exist.
-
-(Editorial note, the 4th reason was suggested, but I don't see how
-it relates.  A nudge for updated text on this.)
+4) This requirement is necessary to ensure that retrieving a given
+(zone,serial) pair by AXFR yields the exact same set of resource
+records no matter which of the zone's authoritative servers is
+chosen as the source of the transfer.
+
+If an AXFR server were allowed to respond with the authoritative
+NS RRset of a child zone instead of a glue NS RRset in the zone
+being transferred, the set of records returned could vary depending
+on whether or not the server happens to also be authoritative for 
+the child zone.
+
+The property that a given (zone,serial) pair corresponds to a
+single, well-defined set of records is necessary for the correct
+operation of incremental transfer protocols such as IXFR
+[RFC1995].  For example, a client may retrieve a zone by AXFR from
+one server, and then apply an incremental change obtained by IXFR
+from a different server.  If the two servers have different ideas
+of the zone contents, the client can end up attempting to
+incrementally add records that already exist or to delete records
+that do not exist.
 
 3.3 Glue Records
 
-As quoted in the previous section, RFC 1034, section 4.2.1, provides
+As quoted in the previous section, section 4.2.1 of RFC 1034 provides
 guidance and rationale for the inclusion of glue records as part of
 an AXFR transfer.  And, as also argued in the previous section of this
 document, even when there is an inconsistency between the address in a
@@ -586,7 +651,7 @@ glue record and the authoritative copy of the name server's address,
 the glue resource record that is registered as part of the zone for
 that serial number is to be included.
 
-This applies for glue records for any address family.
+This applies to glue records for any address family [RFC1700].
 
 The AXFR response MUST contain the appropriate glue records as
 registered with the zone.  The interpretation of "registered with"
@@ -615,12 +680,13 @@ Compression."
 
 3.5 Occluded Names
 
-Dynamic Update [RFC2136] (and including DNAME [2672]) operations can
-have a side effect of occluding names in a zone.  The addition of a
-delegation point via dynamic update will render all subordinate domain
-names to be in a limbo, still part of the zone but not available for to
-the look up process.  The addition of a DNAME resource record set has
-the same impact.  The subordinate names are said to be "occluded."
+Dynamic Update [RFC2136] operations, and in particular its interaction
+with DNAME [RFC2672], can have a side effect of occluding names in a
+zone.  The addition of a delegation point via dynamic update will
+render all subordinate domain names to be in a limbo, still part of
+the zone but not available to the lookup process.  The addition of a
+DNAME resource record has the same impact.  The subordinate names are
+said to be "occluded."
 
 Occluded names MUST be included in AXFR responses.  An AXFR client MUST
 be able to identify and handle occluded names.  The rationale for this
@@ -631,20 +697,20 @@ was in error and is to be undone.
 
 AXFR sessions are currently restricted to TCP by section 4.3.5 of RFC
 1034 that states: "Because accuracy is essential, TCP or some other
-reliable protocol must be used for AXFR requests." The most common
-scenario is for an AXFR client to open a TCP connection to the AXFR
-server, send an AXFR query, receive the AXFR response, and then
-close the connection.  There are variations on this, such as a query
-for the zone's SOA resource record first, and so on.
-
-Two issues have emerged since the original specification of AXFR.
-One is that lack of specificity has yielded some implementations
-that assume the TCP connection is dedicated to the single AXFR
-session, which has led to implementation choices that prevent either
-multiple concurrent zone transfers or the use of the open connection
-for other queries.  The other issue is the prospect of using UDP as a
-transport has come to look promising because of trends in the past
-two decades.
+reliable protocol must be used for AXFR requests."  The restriction to
+TCP is also mentioned in section 6.1.3.2. of "Requirements for Internet
+Hosts - Application and Support" [RFC1123].
+
+The most common scenario is for an AXFR client to open a TCP connection
+to the AXFR server, send an AXFR query, receive the AXFR response, and
+then close the connection.  There are variations on this, such as a
+query for the zone's SOA resource record first, and so on.  Note that
+this is documented as a most common scenario.
+
+The assumption that a TCP connection is dedicated to the single AXFR
+session is incorrect, this has led to implementation choices that
+prevent either multiple concurrent zone transfers or the use of the
+open connection for other queries.
 
 Being able to have multiple concurrent zone transfers is considered
 desirable by operators who have sets of name servers that are
@@ -660,8 +726,8 @@ multiple concurrent AXFR sessions.
 
 With the addition of EDNS0 and applications which require many
 small zones such as in web hosting and some ENUM scenarios, AXFR
-sessions on UDP are now possible and desirable.  However, there
-are still some aspects of the AXFR session that are not easily
+sessions on UDP would now be possible and seem desirable.  However,
+there are still some aspects of the AXFR session that are not easily
 translated to UDP.  This document leaves AXFR over UDP undefined.
 
 4.1 TCP
@@ -678,22 +744,23 @@ The guidance given here is intended to enable better performance of
 the AXFR exchange as well as guidelines on interactions with older
 software.  Better performance includes being able to multiplex DNS
 message exchanges including zone transfer sessions.  Guidelines for
-interacting with older software are generally applicable to AXFR
-clients as reversing the situation, older AXFR client and newer
-AXFR server ought to induce the server to operate within the
-specification for an older server.
+interacting with older software are generally applicable to new AXFR
+clients.  In the reverse situation, older AXFR client and newer AXFR
+server ought to induce the server to operate within the specification
+for an older server.
 
 4.1.1 AXFR client TCP
 
-An AXFR client MAY request an connection to an AXFR server for any
+An AXFR client MAY request a connection to an AXFR server for any
 reason.  An AXFR client SHOULD close the connection when there is
 no apparent need to use the connection for some time period. The
 AXFR server ought not have to maintain idle connections, the burden
 of connection closure ought to be on the client.  Apparent need for
-the connection is a judgement for the AXFR client and the DNS
-client. If the connection is used for multiple sessions, or it is
-known sessions will be coming or is there is other query/response
-traffic on the open connection, that is "apparent need."
+the connection is a judgment for the AXFR client and the DNS
+client. If the connection is used for multiple sessions, or if it is
+known sessions will be coming or if there is other query/response
+traffic anticipated or currently on the open connection, then there
+is "apparent need."
 
 An AXFR client MAY cancel delivery of a zone only by closing the
 connection. However, this action will also cancel all other outstanding
@@ -702,16 +769,17 @@ an AXFR response can be cancelled.
 
 When a TCP connection is closed remotely (relative to the client),
 whether by the AXFR server or due to a network event, the AXFR client
-MUST cancel all outstanding sessions.  Recovery from this situation
-is not straightforward.  If the disruption was a spurious event,
-attempting to restart the connection would be proper.  If the
-disruption was caused by a medium or long term disruption, the AXFR
-client would be wise to not spend too many resources trying to rebuild
-the connection.  Finally, if the connection was dropped because of a
-policy at the AXFR server (as can be the case with older AXFR servers),
-the AXFR client would be wise to not retry the connection. 
-Unfortunately, knowing which of the three cases above applies is not
-clear (momentary disruption, failure, policy).
+MUST cancel all outstanding sessions and non-AXFR transactions. 
+Recovery from this situation is not straightforward.  If the disruption
+was a spurious event, attempting to restart the connection would be
+proper.  If the disruption was caused by a medium or long term
+disruption, the AXFR client would be wise to not spend too many
+resources trying to rebuild the connection.  Finally, if the connection
+was dropped because of a policy at the AXFR server (as can be the case
+with older AXFR servers), the AXFR client would be wise to not retry
+the connection.  Unfortunately, knowing which of the three cases above
+(momentary disruption, failure, policy) applies is not possible with
+certainty, and can only be assessed by heuristics.
 
 An AXFR client MAY use an already opened TCP connection to start an
 AXFR session.  Using an existing open connection is RECOMMENDED over
@@ -719,7 +787,7 @@ opening a new connection.  (Non-AXFR session traffic can also use an
 open connection.)  If in doing so the AXFR client realizes that
 the responses cannot be properly differentiated (lack of matching
 query IDs for example) or the connection is terminated for a remote
-reason, then the AXFR client SHOULD not attempt to reuse an open
+reason, then the AXFR client SHOULD NOT attempt to reuse an open
 connection with the specific AXFR server until the AXFR server is
 updated (which is of course, not an event captured in the DNS
 protocol).
@@ -727,14 +795,15 @@ protocol).
 4.1.2  AXFR server TCP
 
 An AXFR server MUST be able to handle multiple AXFR sessions on a
-single TCP connection, as well as handle other query/response sessions.
+single TCP connection, as well as handle other query/response 
+transactions.
 
 If a TCP connection is closed remotely, the AXFR server MUST cancel
-all AXFR sessions in place.  No retry activity is necessary, that is
+all AXFR sessions in place.  No retry activity is necessary; that is
 initiated by the AXFR client.
 
 Local policy MAY dictate that a TCP connection is to be closed.  Such
-as action SHOULD be in reaction to limits such as those placed on
+an action SHOULD be in reaction to limits such as those placed on
 the number of outstanding open connections.  Closing a connection in
 response to a suspected security event SHOULD be done only in extreme
 cases, when the server is certain the action is warranted.  An
@@ -758,8 +827,7 @@ serving AXFR.  All reasons are arguable, but the fact remains that
 there is a requirement to provide mechanisms to restrict AXFR.
 
 A DNS implementation SHOULD provide means to restrict AXFR sessions to
-specific clients.  By default, a DNS implementation SHOULD only allow
-the designated authoritative servers to have access to the zone.
+specific clients.
 
 An implementation SHOULD allow access to be granted to Internet
 Protocol addresses and ranges, regardless of whether a source address
@@ -777,10 +845,36 @@ all AXFR requests.  I.e., an operator ought to be able to allow any
 AXFR query to be granted.
 
 A general purpose implementation SHOULD NOT have a default policy
-for AXFR requests to be "open to all."
+for AXFR requests to be "open to all."  For example, a default could
+be to restrict transfers to addresses selected by the DNS
+administrator(s) for zones on the server.
 
 6 Zone Integrity
 
+An AXFR client MUST ensure that only a successfully transferred
+copy of the zone data can be used to serve this zone.  Previous
+description and implementation practice have introduced a two-stage
+model of the whole zone synchronization procedure: Upon a trigger
+event (e.g., polling of SOA resource record detects change in the
+SOA serial number, or via DNS NOTIFY [RFC1996]), the AXFR session
+is initiated, whereby the zone data are saved in a zone file or
+data base (this latter step is necessary anyway to ensure proper
+restart of the server); upon successful completion of the AXFR
+operation and some sanity checks, this data set is 'loaded' and
+made available for serving the zone in an atomic operation, and
+flagged 'valid' for use during the next restart of the DNS server;
+if any error is detected, this data set MUST be deleted, and the
+AXFR client MUST continue to serve the previous version of the zone,
+if it did before.  The externally visible behavior of an AXFR client
+implementation MUST be equivalent to that of this two-stage model.
+
+If a server rejects data contained in an AXFR session, the server
+SHOULD remember the serial number and MAY attempt to retrieve the
+same zone version again.  The reason the same retrieval could make
+sense is that the reason for the rejection could be rooted in an
+implementation detail of one AXFR server used for the zone and not
+in another AXFR server used for the zone.
+
 Ensuring that an AXFR client does not accept a forged copy of a zone is
 important to the security of a zone.  If a zone operator has the
 opportunity, protection can be afforded via dedicated links, physical
@@ -788,7 +882,7 @@ or virtual via a VPN among the authoritative servers.  But there are
 instances in which zone operators have no choice but to run AXFR
 sessions over the global public Internet.
 
-Besides best attempts at securing TCP sessions, DNS implementations
+Besides best attempts at securing TCP connections, DNS implementations
 SHOULD provide means to make use of "Secret Key Transaction
 Authentication for DNS" [RFC2845] and/or "DNS Request and Transaction
 Signatures ( SIG(0)s )" [RFC2931] to allow AXFR clients to verify the
@@ -801,9 +895,9 @@ specifics in the original definition.  In this section some hints at
 building in backwards compatibility are given, mostly repeated from the
 earlier sections.
 
-Backwards compatibility is not necessary, but the greater extent of an
-implementation's compatibility increases it's interoperability.  For
-turnkey implementations this is not usually a concern.  For general
+Backwards compatibility is not necessary, but the greater the extent of
+an implementation's compatibility the greater it's interoperability. 
+For turnkey implementations this is not usually a concern.  For general
 purpose implementations this takes on varying levels of importance
 depending on the implementer's desire to maintain interoperability.
 
@@ -821,17 +915,17 @@ accept multiple resource records per AXFR response message.  The
 knowledge that a client is so restricted apparently cannot be
 discovered, hence it has to be set by configuration.
 
-An implementation of an AXFR server SHOULD permit configuring, on a per
+An implementation of an AXFR server MAY permit configuring, on a per
 AXFR client basis, a need to revert to single resource record per
-message.  The default SHOULD be to use multiple records per message.
+message; in that case, the default SHOULD be to use multiple records
 
 7.2 Client
 
-An AXFR client has the opportunity to try extensions when querying
-an AXFR server.
+An AXFR client has the opportunity to try other features (i.e., those
+not defined by this document) when querying an AXFR server.
 
 Attempting to issue multiple DNS queries over a TCP transport for an
-AXFR session SHOULD be aborted if it interrupts the original request
+AXFR session SHOULD be aborted if it interrupts the original request,
 and SHOULD take into consideration whether the AXFR server intends to
 close the connection immediately upon completion of the original
 (connection-causing) zone transfer.
@@ -840,7 +934,7 @@ close the connection immediately upon completion of the original
 
 Concerns regarding authorization, traffic flooding, and message
 integrity are mentioned in "Authorization" (section 5), "TCP" (section
-4.2) and Zone Integrity (section 6).
+4.2) and "Zone Integrity" (section 6).
 
 9 IANA Considerations
 
@@ -848,10 +942,13 @@ No new registries or new registrations are included in this document.
 
 10 Internationalization Considerations
 
-It is assumed that supporting of international domain names has been
+The AXFR protocol is transparent to the parts of DNS zone content that
+can possibly be subject to Internationalization considerations.
+It is assumed that for DNS labels and domain names, the issue has been
 solved via "Internationalizing Domain Names in Applications (IDNA)"
 [RFC3490].
 
+
 11 Acknowledgements
 
 Earlier editions of this document have been edited by Andreas
@@ -866,15 +963,15 @@ and Brian Wellington."
 Comments since the -05 version have come from these individuals:
 Alfred Hoenes, Mark Andrews, Paul Vixie, Wouter Wijngaards, Iain
 Calder, Tony Finch, Ian Jackson, Andreas Gustafsson, Brian Wellington,
-...
+and other participants of the DNSEXT working group.
 
 12 References
 
-All references prefixed by "RFC" can be obtained from the RFC Editor,
+All references prefixed by "RFC" can be obtained from the RFC Editor
+web site at the URLs:   http://rfc-editor.org/rfc.html
+or                      http://rfc-editor.org/rfcsearch.html ;
 information regarding this organization can be found at the following
-URL:
-     http://rfc-editor.org/
-Additionally, these documents can be obtained via the IETF web site.
+URL:                    http://rfc-editor.org/
 
 12.1 Normative
 
@@ -886,6 +983,8 @@ Additionally, these documents can be obtained via the IETF web site.
           STD 13, RFC 1034, November 1987.
 [RFC1035] Mockapetris, P., "Domain names - implementation and
           specification", STD 13, RFC 1035, November 1987.
+[RFC1123] Braden, R., "Requirements for Internet Hosts - Application
+          and Support", STD 3, RFC 1123, October 1989.
 [RFC1995] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
           August 1996.
 [RFC1996] Vixie, P., "A Mechanism for Prompt Notification of Zone
@@ -893,6 +992,8 @@ Additionally, these documents can be obtained via the IETF web site.
 [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y., and J. Bound,
           "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC
           2136, April 1997.
+[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+          Specification", RFC 2181, July 1997.
 [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
           August 1999.
 [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection", RFC 2672,
@@ -900,9 +1001,8 @@ Additionally, these documents can be obtained via the IETF web site.
 [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
           Wellington, "Secret Key Transaction Authentication for DNS
           (TSIG)", RFC 2845, May 2000.
-[RFC2929] Eastlake 3rd, D., Brunner-Williams, E., and B. Manning,
-          "Domain Name System (DNS) IANA Considerations", BCP 42, RFC
-          2929, September 2000.
+[RFC5395] Eastlake 3rd, "Domain Name System (DNS) IANA Considerations",
+          BCP 42, RFC 5395, November 2008.
 [RFC2930] Eastlake 3rd, D., "Secret Key Establishment for DNS (TKEY
           RR)", RFC 2930, September 2000.
 [RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures
@@ -916,6 +1016,11 @@ Additionally, these documents can be obtained via the IETF web site.
 [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
           Rose, "Resource Records for the DNS Security Extensions",
           RFC 4034, March 2005.
+[RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer
+          (DS) Resource Records (RRs)", RFC 4509, May 2006
+[RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
+          Security (DNSSEC) Hashed Authenticated Denial of Existence",
+          RFC 5155, March 2008
 [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
           Rose, "Protocol Modifications for the DNS Security
           Extensions", RFC 4035, March 2005.
@@ -929,12 +1034,20 @@ Additionally, these documents can be obtained via the IETF web site.
 
 [BCP14]   Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14, RFC 2119, March 1997.
+[RFC1700] J. Reynolds and J. Postel, "Assigned Numbers", RFC 1700,
+          October 1994.
 [RFC2764] Gleeson, B., Lin, A., Heinanen, J., Armitage, G., and A.
           Malis, "A Framework for IP Based Virtual Private Networks",
           RFC 2764, February 2000.
 [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
           "Internationalizing Domain Names in Applications (IDNA)", RFC
           3490, March 2003.
+[DRAFT1]  Jansen, J., "Use of SHA-2 algorithms with RSA in DNSKEY and
+          RRSIG Resource Records for DNSSEC",
+          draft-ietf-dnsext-dnssec-rsasha256-12, work in progress.
+[DRAFT2]  Weiler, S., and D. Blacka, "Clarifications and Implementation
+          Notes for DNSSECbis",
+          draft-ietf-dnsext-dnssec-bis-updates-08, work in progress.
 
 13 Editor's Address
 
@@ -943,50 +1056,3 @@ Edward Lewis
 Sterling, VA, 22033, US
 +1-571-434-5468
 ed.lewis@neustar.biz
-
-Full Copyright Statement
-
-Copyright (C) The IETF Trust (2008).
-
-This document is subject to the rights, licenses and restrictions
-contained in BCP 78, and except as set forth therein, the authors
-retain all their rights.
-
-This document and the information contained herein are provided on an
-"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
-THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
-OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
-THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
-The IETF takes no position regarding the validity or scope of any
-Intellectual Property Rights or other rights that might be claimed to
-pertain to the implementation or use of the technology described in
-this document or the extent to which any license under such rights
-might or might not be available; nor does it represent that it has
-made any independent effort to identify any such rights.  Information
-on the procedures with respect to rights in RFC documents can be
-found in BCP 78 and BCP 79.
-
-Copies of IPR disclosures made to the IETF Secretariat and any
-assurances of licenses to be made available, or the result of an
-attempt made to obtain a general license or permission for the use of
-such proprietary rights by implementers or users of this
-specification can be obtained from the IETF on-line IPR repository at
-http://www.ietf.org/ipr.
-
-The IETF invites any interested party to bring to its attention any
-copyrights, patents or patent applications, or other proprietary
-rights that may cover technology that may be required to implement
-this standard.  Please address the information to the IETF at
-ietf-ipr@ietf.org.
-
-Acknowledgment
-
-Funding for the RFC Editor function is provided by the IETF
-Administrative Support Activity (IASA).
-
-
diff --git a/doc/draft/draft-ietf-dnsext-dnsproxy-05.txt b/doc/draft/draft-ietf-dnsext-dnsproxy-05.txt
new file mode 100644
index 00000000..c5858c00
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-dnsproxy-05.txt
@@ -0,0 +1,728 @@
+
+
+
+DNSEXT                                                         R. Bellis
+Internet-Draft                                                Nominet UK
+Intended status: BCP                                      April 23, 2009
+Expires: October 25, 2009
+
+
+                  DNS Proxy Implementation Guidelines
+                     draft-ietf-dnsext-dnsproxy-05
+
+Status of this Memo
+
+   This Internet-Draft is submitted to IETF in full conformance with the
+   provisions of BCP 78 and BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on October 25, 2009.
+
+Copyright Notice
+
+   Copyright (c) 2009 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents in effect on the date of
+   publication of this document (http://trustee.ietf.org/license-info).
+   Please review these documents carefully, as they describe your rights
+   and restrictions with respect to this document.
+
+Abstract
+
+   This document provides guidelines for the implementation of DNS
+   proxies, as found in broadband gateways and other similar network
+   devices.
+
+
+
+Bellis                  Expires October 25, 2009                [Page 1]
+
+Internet-Draft     DNS Proxy Implementation Guidelines        April 2009
+
+
+Table of Contents
+
+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
+
+   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
+
+   3.  The Transparency Principle . . . . . . . . . . . . . . . . . .  3
+
+   4.  Protocol Conformance . . . . . . . . . . . . . . . . . . . . .  4
+     4.1.  Unexpected Flags and Data  . . . . . . . . . . . . . . . .  4
+     4.2.  Label Compression  . . . . . . . . . . . . . . . . . . . .  4
+     4.3.  Unknown Resource Record Types  . . . . . . . . . . . . . .  5
+     4.4.  Packet Size Limits . . . . . . . . . . . . . . . . . . . .  5
+       4.4.1.  TCP Transport  . . . . . . . . . . . . . . . . . . . .  6
+       4.4.2.  Extension Mechanisms for DNS (EDNS0) . . . . . . . . .  6
+       4.4.3.  IP Fragmentation . . . . . . . . . . . . . . . . . . .  6
+     4.5.  Secret Key Transaction Authentication for DNS (TSIG) . . .  7
+
+   5.  DHCP's Interaction with DNS  . . . . . . . . . . . . . . . . .  7
+     5.1.  Domain Name Server (DHCP Option 6) . . . . . . . . . . . .  8
+     5.2.  Domain Name (DHCP Option 15) . . . . . . . . . . . . . . .  8
+     5.3.  DHCP Leases  . . . . . . . . . . . . . . . . . . . . . . .  8
+
+   6.  Security Considerations  . . . . . . . . . . . . . . . . . . .  9
+     6.1.  Forgery Resilience . . . . . . . . . . . . . . . . . . . .  9
+     6.2.  Interface Binding  . . . . . . . . . . . . . . . . . . . . 10
+     6.3.  Packet Filtering . . . . . . . . . . . . . . . . . . . . . 10
+
+   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 11
+
+   8.  Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 11
+
+   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12
+
+   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
+     10.1. Normative References . . . . . . . . . . . . . . . . . . . 12
+     10.2. Informative References . . . . . . . . . . . . . . . . . . 13
+
+   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 13
+
+
+
+
+
+
+
+
+
+
+
+
+Bellis                  Expires October 25, 2009                [Page 2]
+
+Internet-Draft     DNS Proxy Implementation Guidelines        April 2009
+
+
+1.  Introduction
+
+   Research has found ([SAC035], [DOTSE]) that many commonly-used
+   broadband gateways (and similar devices) contain DNS proxies which
+   are incompatible in various ways with current DNS standards.
+
+   These proxies are usually simple DNS forwarders, but typically do not
+   have any caching capabilities.  The proxy serves as a convenient
+   default DNS resolver for clients on the LAN, but relies on an
+   upstream resolver (e.g. at an ISP) to perform recursive DNS lookups.
+
+   Note that to ensure full DNS protocol interoperability it is
+   preferred that client stub resolvers should communicate directly with
+   full-feature upstream recursive resolvers wherever possible.
+
+   That notwithstanding, this document describes the incompatibilities
+   that have been discovered and offers guidelines to implementors on
+   how to provide better interoperability in those cases where the
+   client must use the broadband gateway's DNS proxy.
+
+
+2.  Terminology
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in [RFC2119].
+
+
+3.  The Transparency Principle
+
+   It is not considered practical for a simple DNS proxy to implement
+   all current and future DNS features.
+
+   There are several reasons why this is the case:
+
+   o  broadband gateways usually have limited hardware resources
+   o  firmware upgrade cycles are long, and many users do not routinely
+      apply upgrades when they become available
+   o  no-one knows what those future DNS features will be, nor how they
+      might be implemented
+   o  it would substantially complicate the configuration UI of the
+      device
+
+   Furthermore some modern DNS protocol extensions (see e.g.  EDNS0,
+   below) are intended to be used as "hop-by-hop" mechanisms.  If the
+   DNS proxy is considered to be such a "hop" in the resolution chain,
+   then for it to function correctly, it would need to be fully
+   compliant with all such mechanisms.
+
+
+
+Bellis                  Expires October 25, 2009                [Page 3]
+
+Internet-Draft     DNS Proxy Implementation Guidelines        April 2009
+
+
+   [SAC035] shows that the more actively a proxy participates in the DNS
+   protocol then the more likely it is that it will somehow interfere
+   with the flow of messages between the DNS client and the upstream
+   recursive resolvers.
+
+   The role of the proxy should therefore be no more and no less than to
+   receive DNS requests from clients on the LAN side, forward those
+   verbatim to one of the known upstream recursive resolvers on the WAN
+   side, and ensure that the whole response is returned verbatim to the
+   original client.
+
+   It is RECOMMENDED that proxies should be as transparent as possible,
+   such that any "hop-by-hop" mechanisms or newly introduced protocol
+   extensions operate as if the proxy were not there.
+
+   Except when required to enforce an active security or network policy
+   (such as maintaining a pre-authentication "walled garden"), end-users
+   SHOULD be able to send their DNS queries to specified upstream
+   resolvers, thereby bypassing the proxy altogether.  In this case, the
+   gateway SHOULD NOT modify the DNS request or response packets in any
+   way.
+
+
+4.  Protocol Conformance
+
+4.1.  Unexpected Flags and Data
+
+   The Transparency Principle above, when combined with Postel's
+   Robustness Principle [RFC0793], suggests that DNS proxies should not
+   arbitrarily reject or otherwise drop requests or responses based on
+   perceived non-compliance with standards.
+
+   For example, some proxies have been observed to drop any packet
+   containing either the "Authentic Data" (AD) or "Checking Disabled"
+   (CD) bits from DNSSEC [RFC4035].  This may be because [RFC1035]
+   originally specified that these unused "Z" flag bits "MUST" be zero.
+   However these flag bits were always intended to be reserved for
+   future use, so refusing to proxy any packet containing these flags
+   (now that uses for those flags have indeed been defined) is not
+   appropriate.
+
+   Therefore it is RECOMMENDED that proxies SHOULD ignore any unknown
+   DNS flags and proxy those packets as usual.
+
+4.2.  Label Compression
+
+   Compression of labels as per Section 4.1.4 of [RFC1035] is optional.
+
+
+
+
+Bellis                  Expires October 25, 2009                [Page 4]
+
+Internet-Draft     DNS Proxy Implementation Guidelines        April 2009
+
+
+   Proxies MUST forward packets regardless of the presence or absence of
+   compressed labels therein.
+
+4.3.  Unknown Resource Record Types
+
+   [RFC3597] requires that resolvers MUST handle Resource Records (RRs)
+   of unknown type transparently.
+
+   All requests and responses MUST be proxied regardless of the values
+   of the QTYPE and QCLASS fields.
+
+   Similarly all responses MUST be proxied regardless of the values of
+   the TYPE and CLASS fields of any Resource Record therein.
+
+4.4.  Packet Size Limits
+
+   [RFC1035] specifies that the maximum size of the DNS payload in a UDP
+   packet is 512 octets.  Where the required portions of a response
+   would not fit inside that limit the DNS server MUST set the
+   "TrunCation" (TC) bit in the DNS response header to indicate that
+   truncation has occurred.  There are however two standard mechanisms
+   (described in Section 4.4.1 and Section 4.4.2) for transporting
+   responses larger than 512 octets.
+
+   Many proxies have been observed to truncate all responses at 512
+   octets, and others at a packet size related to the WAN MTU, in either
+   case doing so without correctly setting the TC bit.
+
+   Other proxies have been observed to remove the TC bit in server
+   responses which correctly had the TC bit set by the server.
+
+   If a DNS response is truncated but the TC bit is not set then client
+   failures may result.  In particular a naive DNS client library might
+   suffer crashes due to reading beyond the end of the data actually
+   received.
+
+   Since UDP packets larger than 512 octets are now expected in normal
+   operation, proxies SHOULD NOT truncate UDP packets that exceed that
+   size.  See Section 4.4.3 for recommendations for packet sizes
+   exceeding the WAN MTU.
+
+   If a proxy must unilaterally truncate a response then the proxy MUST
+   set the TC bit.  Similarly, proxies MUST NOT remove the TC bit from
+   responses.
+
+
+
+
+
+
+
+Bellis                  Expires October 25, 2009                [Page 5]
+
+Internet-Draft     DNS Proxy Implementation Guidelines        April 2009
+
+
+4.4.1.  TCP Transport
+
+   Should a UDP query fail because of truncation, the standard fail-over
+   mechanism is to retry the query using TCP, as described in section
+   6.1.3.2 of [RFC1123].
+
+   DNS proxies SHOULD therefore be prepared to receive and forward
+   queries over TCP.
+
+   Note that it is unlikely that a client would send a request over TCP
+   unless it had already received a truncated UDP response.  Some
+   "smart" proxies have been observed to first forward any request
+   received over TCP to an upstream resolver over UDP, only for the
+   response to be truncated, causing the proxy to retry over TCP.  Such
+   behaviour increases network traffic and causes delay in DNS
+   resolution since the initial UDP request is doomed to fail.
+
+   Therefore whenever a proxy receives a request over TCP, the proxy
+   SHOULD forward the query over TCP and SHOULD NOT attempt the same
+   query over UDP first.
+
+4.4.2.  Extension Mechanisms for DNS (EDNS0)
+
+   The Extension Mechanism for DNS [RFC2671] was introduced to allow the
+   transport of larger DNS packets over UDP and also to allow for
+   additional request and response flags.
+
+   A client may send an OPT Resource Record (OPT RR) in the Additional
+   Section of a request to indicate that it supports a specific receive
+   buffer size.  The OPT RR also includes the "DNSSEC OK" (DO) flag used
+   by DNSSEC to indicate that DNSSEC-related RRs should be returned to
+   the client.
+
+   However some proxies have been observed to either reject (with a
+   FORMERR response code) or black-hole any packet containing an OPT RR.
+   As per Section 4.1 proxies SHOULD NOT refuse to proxy such packets.
+
+4.4.3.  IP Fragmentation
+
+   Support for UDP packet sizes exceeding the WAN MTU depends on the
+   gateway's algorithm for handling fragmented IP packets.  Several
+   methods are possible:
+
+   1.  fragments are dropped
+   2.  fragments are forwarded individually as they're received
+   3.  complete packets are reassembled on the gateway, and then re-
+       fragmented (if necessary) as they're forwarded to the client
+
+
+
+
+Bellis                  Expires October 25, 2009                [Page 6]
+
+Internet-Draft     DNS Proxy Implementation Guidelines        April 2009
+
+
+   Method 1 above will cause compatibility problems with EDNS0 unless
+   the DNS client is configured to advertise an EDNS0 buffer size
+   limited to the WAN MTU less the size of the IP header.  Note that RFC
+   2671 does recommend that the path MTU should be taken into account
+   when using EDNS0.
+
+   Also, whilst the EDNS0 specification allows for a buffer size of up
+   to 65535 octets, most common DNS server implementations do not
+   support a buffer size above 4096 octets.
+
+   Therefore (irrespective of which of the methods above is in use)
+   proxies SHOULD be capable of forwarding UDP packets up to a payload
+   size of at least 4096 octets.
+
+   NB: in theory IP fragmentation may also occur if the LAN MTU is
+   smaller than the WAN MTU, although the author has not observed such a
+   configuration in use on any residential broadband service.
+
+4.5.  Secret Key Transaction Authentication for DNS (TSIG)
+
+   [RFC2845] defines TSIG, which is a mechanism for authenticating DNS
+   requests and responses at the packet level.
+
+   Any modifications made to the DNS portions of a TSIG-signed query or
+   response packet (with the exception of the Query ID) will cause a
+   TSIG authentication failure.
+
+   DNS proxies MUST implement Section 4.7 of [RFC2845] and either
+   forward packets unchanged (as recommended above) or fully implement
+   TSIG.
+
+   As per Section 4.3, DNS proxies MUST be capable of proxying packets
+   containing TKEY [RFC2930] Resource Records.
+
+   NB: any DNS proxy (such as those commonly found in WiFi hotspot
+   "walled gardens") which transparently intercepts all DNS queries, and
+   which returns unsigned responses to signed queries, will also cause
+   TSIG authentication failures.
+
+
+5.  DHCP's Interaction with DNS
+
+   Whilst this document is primarily about DNS proxies, most consumers
+   rely on DHCP [RFC2131] to obtain network configuration settings.
+   Such settings include the client machine's IP address, subnet mask
+   and default gateway, but also include DNS related settings.
+
+   It is therefore appropriate to examine how DHCP affects client DNS
+
+
+
+Bellis                  Expires October 25, 2009                [Page 7]
+
+Internet-Draft     DNS Proxy Implementation Guidelines        April 2009
+
+
+   configuration.
+
+5.1.  Domain Name Server (DHCP Option 6)
+
+   Most gateways default to supplying their own IP address in the DHCP
+   "Domain Name Server" option [RFC2132].  The net result is that
+   without explicit re-configuration many DNS clients will by default
+   send queries to the gateway's DNS proxy.  This is understandable
+   behaviour given that the correct upstream settings are not usually
+   known at boot time.
+
+   Most gateways learn their own DNS settings via values supplied by an
+   ISP via DHCP or PPP over the WAN interface.  However whilst many
+   gateways do allow the device administrator to override those values,
+   some gateways only use those supplied values to affect the proxy's
+   own forwarding function, and do not offer these values via DHCP.
+
+   When using such a device the only way to avoid using the DNS proxy is
+   to hard-code the required values in the client operating system.
+   This may be acceptable for a desktop system but it is inappropriate
+   for mobile devices which are regularly used on many different
+   networks.
+
+   As per Section 3, end-users SHOULD be able to send their DNS queries
+   directly to specified upstream resolvers, ideally without hard-coding
+   those settings in their stub resolver.
+
+   It is therefore RECOMMENDED that gateways SHOULD support device
+   administrator configuration of values for the "Domain Name Server"
+   DHCP option.
+
+5.2.  Domain Name (DHCP Option 15)
+
+   A significant amount of traffic to the DNS Root Name Servers is for
+   invalid top-level domain names, and some of that traffic can be
+   attributed to particular equipment vendors whose firmware defaults
+   this DHCP option to specific values.
+
+   Since no standard exists for a "local" scoped domain name suffix it
+   is RECOMMENDED that the default value for this option SHOULD be
+   empty, and that this option MUST NOT be sent to clients when no value
+   is configured.
+
+5.3.  DHCP Leases
+
+   It is noted that some DHCP servers in broadband gateways by default
+   offer their own IP address for the "Domain Name Server" option (as
+   described above) but then automatically start offering the upstream
+
+
+
+Bellis                  Expires October 25, 2009                [Page 8]
+
+Internet-Draft     DNS Proxy Implementation Guidelines        April 2009
+
+
+   servers' addresses once they've been learnt over the WAN interface.
+
+   In general this behaviour is highly desirable, but the effect for the
+   end-user is that the settings used depend on whether the DHCP lease
+   was obtained before or after the WAN link was established.
+
+   If the DHCP lease is obtained whilst the WAN link is down then the
+   DHCP client (and hence the DNS client) will not receive the correct
+   values until the DHCP lease is renewed.
+
+   Whilst no specific recommendations are given here, vendors may wish
+   to give consideration to the length of DHCP leases, and whether some
+   mechanism for forcing a DHCP lease renewal might be appropriate.
+
+   Another possibility is that the learnt upstream values might be
+   persisted in non-volatile memory such that on reboot the same values
+   can be automatically offered via DHCP.  However this does run the
+   risk that incorrect values are initially offered if the device is
+   moved or connected to another ISP.
+
+   Alternatively, the DHCP server might only issue very short (i.e. 60
+   second) leases while the WAN link is down, only reverting to more
+   typical lease lengths once the WAN link is up and the upstream DNS
+   servers are known.  Indeed with such a configuration it may be
+   possible to avoid the need to implement a DNS proxy function in the
+   broadband gateway at all.
+
+
+6.  Security Considerations
+
+   This document introduces no new protocols.  However there are some
+   security related recommendations for vendors that are listed here.
+
+6.1.  Forgery Resilience
+
+   Whilst DNS proxies are not usually full-feature resolvers they
+   nevertheless share some characteristics with them.
+
+   Notwithstanding the recommendations above about transparency many DNS
+   proxies are observed to pick a new Query ID for outbound requests to
+   ensure that responses are directed to the correct client.
+
+   NB: Changing the Query ID is acceptable and compatible with proxying
+   TSIG-signed packets since the TSIG signature calculation is based on
+   the original message ID which is carried in the TSIG RR.
+
+   It has been standard guidance for many years that each DNS query
+   should use a randomly generated Query ID.  However many proxies have
+
+
+
+Bellis                  Expires October 25, 2009                [Page 9]
+
+Internet-Draft     DNS Proxy Implementation Guidelines        April 2009
+
+
+   been observed picking sequential Query IDs for successive requests.
+
+   It is strongly RECOMMENDED that DNS proxies follow the relevant
+   recommendations in [RFC5452], particularly those in Section 9.2
+   relating to randomisation of Query IDs and source ports.  This also
+   applies to source port selection within any NAT function.
+
+   If a DNS proxy is running on a broadband gateway with NAT that is
+   compliant with [RFC4787] then it SHOULD also follow the
+   recommendations in Section 10 of [RFC5452] concerning how long DNS
+   state is kept.
+
+6.2.  Interface Binding
+
+   Some gateways have been observed to have their DNS proxy listening on
+   both internal (LAN) and external (WAN) interfaces.  In this
+   configuration it is possible for the proxy to be used to mount
+   reflector attacks as described in [RFC5358].
+
+   The DNS proxy in a gateway SHOULD NOT by default be accessible from
+   the WAN interfaces of the device.
+
+6.3.  Packet Filtering
+
+   The Transparency and Robustness Principles are not entirely
+   compatible with the deep packet inspection features of security
+   appliances such as firewalls which are intended to protect systems on
+   the inside of a network from rogue traffic.
+
+   However a clear distinction may be made between traffic that is
+   intrinsically malformed and that which merely contains unexpected
+   data.
+
+   Examples of malformed packets which MAY be dropped include:
+
+   o  invalid compression pointers (i.e. those that point outside of the
+      current packet, or which might cause a parsing loop).
+   o  incorrect counts for the Question, Answer, Authority and
+      Additional Sections (although care should be taken where
+      truncation is a possibility).
+
+   Since dropped packets will cause the client to repeatedly retransmit
+   the original request, it is RECOMMENDED that proxies SHOULD instead
+   return a suitable DNS error response to the client (i.e.  SERVFAIL)
+   instead of dropping the packet completely.
+
+
+
+
+
+
+Bellis                  Expires October 25, 2009               [Page 10]
+
+Internet-Draft     DNS Proxy Implementation Guidelines        April 2009
+
+
+7.  IANA Considerations
+
+   This document requests no IANA actions.
+
+
+8.  Change Log
+
+   NB: to be removed by the RFC Editor before publication.
+
+   draft-ietf-dnsproxy-05
+      Removed specific reference to 28 byte IP headers (from Mark
+      Andrews)
+
+   draft-ietf-dnsproxy-04 - post WGLC
+      Introduction expanded
+      Section 5.2 - changed SHOULD to MUST
+      Section 4.5 - changed SHOULD to MUST (Alex Bligh)
+      Editorial nits (from Andrew Sullivan, Alfred Hones)
+      Clarificaton on end-user vs device administrator (Alan Barrett,
+      Paul Selkirk)
+
+   draft-ietf-dnsproxy-03
+      Editorial nits and mention of LAN MTU (from Alex Bligh)
+
+   draft-ietf-dnsproxy-02
+      Changed "router" to "gateway" throughout (David Oran)
+      Updated forgery resilience reference
+      Elaboration on bypassability (from Nicholas W.)
+      Elaboration on NAT source port randomisation (from Nicholas W.)
+      Mention of using short DHCP leases while the WAN link is down
+      (from Ralph Droms)
+      Further clarification on permissibility of altering QID when using
+      TSIG
+
+   draft-ietf-dnsproxy-01
+      Strengthened recommendations about truncation (from Shane Kerr)
+      New TSIG text (with help from Olafur)
+      Additional forgery resilience text (from Olafur)
+      Compression support (from Olafur)
+      Correction of text re: QID changes and compatibility with TSIG
+
+   draft-ietf-dnsproxy-00
+      Changed recommended DPI error to SERVFAIL (from Jelte)
+      Changed example for invalid compression pointers (from Wouter).
+      Note about TSIG implications of changing Query ID (from Wouter).
+      Clarified TC-bit text (from Wouter)
+
+
+
+
+
+Bellis                  Expires October 25, 2009               [Page 11]
+
+Internet-Draft     DNS Proxy Implementation Guidelines        April 2009
+
+
+      Extra text about proxy bypass (Nicholas W.)
+
+   draft-bellis-dnsproxy-00
+      Initial draft
+
+
+9.  Acknowledgements
+
+   The author would particularly like to acknowledge the assistance of
+   Lisa Phifer of Core Competence.  In addition the author is grateful
+   for the feedback from the members of the DNSEXT Working Group.
+
+
+10.  References
+
+10.1.  Normative References
+
+   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
+              RFC 793, September 1981.
+
+   [RFC1035]  Mockapetris, P., "Domain names - implementation and
+              specification", STD 13, RFC 1035, November 1987.
+
+   [RFC1123]  Braden, R., "Requirements for Internet Hosts - Application
+              and Support", STD 3, RFC 1123, October 1989.
+
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+   [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
+              RFC 2131, March 1997.
+
+   [RFC2132]  Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
+              Extensions", RFC 2132, March 1997.
+
+   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
+              RFC 2671, August 1999.
+
+   [RFC2845]  Vixie, P., Gudmundsson, O., Eastlake, D., and B.
+              Wellington, "Secret Key Transaction Authentication for DNS
+              (TSIG)", RFC 2845, May 2000.
+
+   [RFC2930]  Eastlake, D., "Secret Key Establishment for DNS (TKEY
+              RR)", RFC 2930, September 2000.
+
+   [RFC3597]  Gustafsson, A., "Handling of Unknown DNS Resource Record
+              (RR) Types", RFC 3597, September 2003.
+
+
+
+
+Bellis                  Expires October 25, 2009               [Page 12]
+
+Internet-Draft     DNS Proxy Implementation Guidelines        April 2009
+
+
+   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "Protocol Modifications for the DNS Security
+              Extensions", RFC 4035, March 2005.
+
+   [RFC4787]  Audet, F. and C. Jennings, "Network Address Translation
+              (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
+              RFC 4787, January 2007.
+
+   [RFC5358]  Damas, J. and F. Neves, "Preventing Use of Recursive
+              Nameservers in Reflector Attacks", BCP 140, RFC 5358,
+              October 2008.
+
+   [RFC5452]  Hubert, A. and R. van Mook, "Measures for Making DNS More
+              Resilient against Forged Answers", RFC 5452, January 2009.
+
+10.2.  Informative References
+
+   [DOTSE]    Ahlund and Wallstrom, "DNSSEC Tests of Consumer Broadband
+              Routers", February 2008,
+              <http://www.iis.se/docs/Routertester_en.pdf>.
+
+   [SAC035]   Bellis, R. and L. Phifer, "Test Report: DNSSEC Impact on
+              Broadband Routers and Firewalls", September 2008,
+              <http://www.icann.org/committees/security/sac035.pdf>.
+
+
+Author's Address
+
+   Ray Bellis
+   Nominet UK
+   Edmund Halley Road
+   Oxford  OX4 4DQ
+   United Kingdom
+
+   Phone: +44 1865 332211
+   Email: ray.bellis@nominet.org.uk
+   URI:   http://www.nominet.org.uk/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bellis                  Expires October 25, 2009               [Page 13]
+
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-01.txt b/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-01.txt
deleted file mode 100644
index 3a800f98..00000000
--- a/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-01.txt
+++ /dev/null
@@ -1,616 +0,0 @@
-
-
-
-Network Working Group                                          S. Weiler
-Internet-Draft                                               SPARTA, Inc
-Updates: 4034, 4035 (if approved)                           May 23, 2005
-Expires: November 24, 2005
-
-
-         Clarifications and Implementation Notes for DNSSECbis
-                draft-ietf-dnsext-dnssec-bis-updates-01
-
-Status of this Memo
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on November 24, 2005.
-
-Copyright Notice
-
-   Copyright (C) The Internet Society (2005).
-
-Abstract
-
-   This document is a collection of minor technical clarifications to
-   the DNSSECbis document set.  It is meant to serve as a resource to
-   implementors as well as an interim repository of possible DNSSECbis
-   errata.
-
-
-
-
-
-
-
-Weiler                  Expires November 24, 2005               [Page 1]
-
-Internet-Draft       DNSSECbis Implementation Notes             May 2005
-
-
-Proposed additions in future versions
-
-   An index sorted by the section of DNSSECbis being clarified.
-
-   A list of proposed protocol changes being made in other documents,
-   such as NSEC3 and Epsilon.  This document would not make those
-   changes, merely provide an index into the documents that are making
-   changes.
-
-Changes between -00 and -01
-
-   Document significantly restructured.
-
-   Added section on QTYPE=ANY.
-
-Changes between personal submission and first WG draft
-
-   Added Section 2.1 based on namedroppers discussions from March 9-10,
-   2005.
-
-   Added Section 3.4, Section 3.3, Section 4.3, and Section 2.2.
-
-   Added the DNSSECbis RFC numbers.
-
-   Figured out the confusion in Section 4.1.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Weiler                  Expires November 24, 2005               [Page 2]
-
-Internet-Draft       DNSSECbis Implementation Notes             May 2005
-
-
-Table of Contents
-
-   1.  Introduction and Terminology . . . . . . . . . . . . . . . . .  4
-     1.1   Structure of this Document . . . . . . . . . . . . . . . .  4
-     1.2   Terminology  . . . . . . . . . . . . . . . . . . . . . . .  4
-   2.  Significant Concerns . . . . . . . . . . . . . . . . . . . . .  4
-     2.1   Clarifications on Non-Existence Proofs . . . . . . . . . .  4
-     2.2   Empty Non-Terminal Proofs  . . . . . . . . . . . . . . . .  5
-     2.3   Validating Responses to an ANY Query . . . . . . . . . . .  5
-   3.  Interoperability Concerns  . . . . . . . . . . . . . . . . . .  5
-     3.1   Unknown DS Message Digest Algorithms . . . . . . . . . . .  5
-     3.2   Private Algorithms . . . . . . . . . . . . . . . . . . . .  6
-     3.3   Caution About Local Policy and Multiple RRSIGs . . . . . .  6
-     3.4   Key Tag Calculation  . . . . . . . . . . . . . . . . . . .  7
-   4.  Minor Corrections and Clarifications . . . . . . . . . . . . .  7
-     4.1   Finding Zone Cuts  . . . . . . . . . . . . . . . . . . . .  7
-     4.2   Clarifications on DNSKEY Usage . . . . . . . . . . . . . .  7
-     4.3   Errors in Examples . . . . . . . . . . . . . . . . . . . .  8
-   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  8
-   6.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
-   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  8
-     7.1   Normative References . . . . . . . . . . . . . . . . . . .  8
-     7.2   Informative References . . . . . . . . . . . . . . . . . .  9
-       Author's Address . . . . . . . . . . . . . . . . . . . . . . .  9
-   A.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . .  9
-       Intellectual Property and Copyright Statements . . . . . . . . 11
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Weiler                  Expires November 24, 2005               [Page 3]
-
-Internet-Draft       DNSSECbis Implementation Notes             May 2005
-
-
-1.  Introduction and Terminology
-
-   This document lists some minor clarifications and corrections to
-   DNSSECbis, as described in [1], [2], and [3].
-
-   It is intended to serve as a resource for implementors and as a
-   repository of items that need to be addressed when advancing the
-   DNSSECbis documents from Proposed Standard to Draft Standard.
-
-   In this version (-01 of the WG document), feedback is particularly
-   solicited on the structure of the document and whether the text in
-   the recently added sections is correct and sufficient.
-
-   Proposed substantive additions to this document should be sent to the
-   namedroppers mailing list as well as to the editor of this document.
-   The editor would greatly prefer text suitable for direct inclusion in
-   this document.
-
-1.1  Structure of this Document
-
-   The clarifications to DNSSECbis are sorted according to the editor's
-   impression of their importance, starting with ones which could, if
-   ignored, lead to security and stability problems and progressing down
-   to clarifications that are likely to have little operational impact.
-   Mere typos and awkward phrasings are not addressed unless they could
-   lead to misinterpretation of the DNSSECbis documents.
-
-1.2  Terminology
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-   document are to be interpreted as described in RFC 2119 [4].
-
-2.  Significant Concerns
-
-   This section provides clarifications that, if overlooked, could lead
-   to security issues or major interoperability problems.
-
-2.1  Clarifications on Non-Existence Proofs
-
-   RFC4035 Section 5.4 slightly underspecifies the algorithm for
-   checking non-existence proofs.  In particular, the algorithm there
-   might incorrectly allow the NSEC from the parent side of a zone cut
-   to prove the non-existence of either other RRs at that name in the
-   child zone or other names in the child zone.  It might also allow a
-   NSEC at the same name as a DNAME to prove the non-existence of names
-   beneath that DNAME.
-
-
-
-
-Weiler                  Expires November 24, 2005               [Page 4]
-
-Internet-Draft       DNSSECbis Implementation Notes             May 2005
-
-
-   A parent-side delegation NSEC (one with the NS bit set, but no SOA
-   bit set, and with a singer field that's shorter than the owner name)
-   must not be used to assume non-existence of any RRs below that zone
-   cut (both RRs at that ownername and at ownernames with more leading
-   labels, no matter their content).  Similarly, an NSEC with the DNAME
-   bit set must not be used to assume the non-existence of any
-   descendant of that NSEC's owner name.
-
-2.2  Empty Non-Terminal Proofs
-
-   To be written, based on Roy Arends' May 11th message to namedroppers.
-
-2.3  Validating Responses to an ANY Query
-
-   RFC4035 does not address now to validate responses when QTYPE=*.  As
-   described in Section 6.2.2 of RFC1034, a proper response to QTYPE=*
-   may include a subset of the RRsets at a given name -- it is not
-   necessary to include all RRsets at the QNAME in the response.
-
-   When validating a response to QTYPE=*, validate all received RRsets
-   that match QNAME and QCLASS.  If any of those RRsets fail validation,
-   treat the answer as Bogus.  If there are no RRsets matching QNAME and
-   QCLASS, validate that fact using the rules in RFC4035 Section 5.4 (as
-   clarified in this document).  To be clear, a validator must not
-   insist on receiving all records at the QNAME in response to QTYPE=*.
-
-3.  Interoperability Concerns
-
-3.1  Unknown DS Message Digest Algorithms
-
-   Section 5.2 of RFC4035 includes rules for how to handle delegations
-   to zones that are signed with entirely unsupported algorithms, as
-   indicated by the algorithms shown in those zone's DS RRsets.  It does
-   not explicitly address how to handle DS records that use unsupported
-   message digest algorithms.  In brief, DS records using unknown or
-   unsupported message digest algorithms MUST be treated the same way as
-   DS records referring to DNSKEY RRs of unknown or unsupported
-   algorithms.
-
-   The existing text says:
-
-      If the validator does not support any of the algorithms listed
-      in an authenticated DS RRset, then the resolver has no supported
-      authentication path leading from the parent to the child.  The
-      resolver should treat this case as it would the case of an
-      authenticated NSEC RRset proving that no DS RRset exists, as
-      described above.
-
-
-
-
-Weiler                  Expires November 24, 2005               [Page 5]
-
-Internet-Draft       DNSSECbis Implementation Notes             May 2005
-
-
-   To paraphrase the above, when determining the security status of a
-   zone, a validator discards (for this purpose only) any DS records
-   listing unknown or unsupported algorithms.  If none are left, the
-   zone is treated as if it were unsigned.
-
-   Modified to consider DS message digest algorithms, a validator also
-   discards any DS records using unknown or unsupported message digest
-   algorithms.
-
-3.2  Private Algorithms
-
-   As discussed above, section 5.2 of RFC4035 requires that validators
-   make decisions about the security status of zones based on the public
-   key algorithms shown in the DS records for those zones.  In the case
-   of private algorithms, as described in RFC4034 Appendix A.1.1, the
-   eight-bit algorithm field in the DS RR is not conclusive about what
-   algorithm(s) is actually in use.
-
-   If no private algorithms appear in the DS set or if any supported
-   algorithm appears in the DS set, no special processing will be
-   needed.  In the remaining cases, the security status of the zone
-   depends on whether or not the resolver supports any of the private
-   algorithms in use (provided that these DS records use supported hash
-   functions, as discussed in Section 3.1).  In these cases, the
-   resolver MUST retrieve the corresponding DNSKEY for each private
-   algorithm DS record and examine the public key field to determine the
-   algorithm in use.  The security-aware resolver MUST ensure that the
-   hash of the DNSKEY RR's owner name and RDATA matches the digest in
-   the DS RR.  If they do not match, and no other DS establishes that
-   the zone is secure, the referral should be considered BAD data, as
-   discussed in RFC4035.
-
-   This clarification facilitates the broader use of private algorithms,
-   as suggested by [5].
-
-3.3  Caution About Local Policy and Multiple RRSIGs
-
-   When multiple RRSIGs cover a given RRset, RFC4035 Section 5.3.3
-   suggests that "the local resolver security policy determines whether
-   the resolver also has to test these RRSIG RRs and how to resolve
-   conflicts if these RRSIG RRs lead to differing results."  In most
-   cases, a resolver would be well advised to accept any valid RRSIG as
-   sufficient.  If the first RRSIG tested fails validation, a resolver
-   would be well advised to try others, giving a successful validation
-   result if any can be validated and giving a failure only if all
-   RRSIGs fail validation.
-
-   If a resolver adopts a more restrictive policy, there's a danger that
-
-
-
-Weiler                  Expires November 24, 2005               [Page 6]
-
-Internet-Draft       DNSSECbis Implementation Notes             May 2005
-
-
-   properly-signed data might unnecessarily fail validation, perhaps
-   because of cache timing issues.  Furthermore, certain zone management
-   techniques, like the Double Signature Zone-signing Key Rollover
-   method described in section 4.2.1.2 of [6] might not work reliably.
-
-3.4  Key Tag Calculation
-
-   RFC4034 Appendix B.1 incorrectly defines the Key Tag field
-   calculation for algorithm 1.  It correctly says that the Key Tag is
-   the most significant 16 of the least significant 24 bits of the
-   public key modulus.  However, RFC4034 then goes on to incorrectly say
-   that this is 4th to last and 3rd to last octets of the public key
-   modulus.  It is, in fact, the 3rd to last and 2nd to last octets.
-
-4.  Minor Corrections and Clarifications
-
-4.1  Finding Zone Cuts
-
-   Appendix C.8 of RFC4035 discusses sending DS queries to the servers
-   for a parent zone.  To do that, a resolver may first need to apply
-   special rules to discover what those servers are.
-
-   As explained in Section 3.1.4.1 of RFC4035, security-aware name
-   servers need to apply special processing rules to handle the DS RR,
-   and in some situations the resolver may also need to apply special
-   rules to locate the name servers for the parent zone if the resolver
-   does not already have the parent's NS RRset.  Section 4.2 of RFC4035
-   specifies a mechanism for doing that.
-
-4.2  Clarifications on DNSKEY Usage
-
-   Questions of the form "can I use a different DNSKEY for signing the
-   X" have occasionally arisen.
-
-   The short answer is "yes, absolutely".  You can even use a different
-   DNSKEY for each RRset in a zone, subject only to practical limits on
-   the size of the DNSKEY RRset.  However, be aware that there is no way
-   to tell resolvers what a particularly DNSKEY is supposed to be used
-   for -- any DNSKEY in the zone's signed DNSKEY RRset may be used to
-   authenticate any RRset in the zone.  For example, if a weaker or less
-   trusted DNSKEY is being used to authenticate NSEC RRsets or all
-   dynamically updated records, that same DNSKEY can also be used to
-   sign any other RRsets from the zone.
-
-   Furthermore, note that the SEP bit setting has no effect on how a
-   DNSKEY may be used -- the validation process is specifically
-   prohibited from using that bit by RFC4034 section 2.1.2.  It possible
-   to use a DNSKEY without the SEP bit set as the sole secure entry
-
-
-
-Weiler                  Expires November 24, 2005               [Page 7]
-
-Internet-Draft       DNSSECbis Implementation Notes             May 2005
-
-
-   point to the zone, yet use a DNSKEY with the SEP bit set to sign all
-   RRsets in the zone (other than the DNSKEY RRset).  It's also possible
-   to use a single DNSKEY, with or without the SEP bit set, to sign the
-   entire zone, including the DNSKEY RRset itself.
-
-4.3  Errors in Examples
-
-   The text in RFC4035 Section C.1 refers to the examples in B.1 as
-   "x.w.example.com" while B.1 uses "x.w.example".  This is painfully
-   obvious in the second paragraph where it states that the RRSIG labels
-   field value of 3 indicates that the answer was not the result of
-   wildcard expansion.  This is true for "x.w.example" but not for
-   "x.w.example.com", which of course has a label count of 4
-   (antithetically, a label count of 3 would imply the answer was the
-   result of a wildcard expansion).
-
-   The first paragraph of RFC4035 Section C.6 also has a minor error:
-   the reference to "a.z.w.w.example" should instead be "a.z.w.example",
-   as in the previous line.
-
-5.  IANA Considerations
-
-   This document specifies no IANA Actions.
-
-6.  Security Considerations
-
-   This document does not make fundamental changes to the DNSSEC
-   protocol, as it was generally understood when DNSSECbis was
-   published.  It does, however, address some ambiguities and omissions
-   in those documents that, if not recognized and addressed in
-   implementations, could lead to security failures.  In particular, the
-   validation algorithm clarifications in Section 2 are critical for
-   preserving the security properties DNSSEC offers.  Furthermore,
-   failure to address some of the interoperability concerns in Section 3
-   could limit the ability to later change or expand DNSSEC, including
-   by adding new algorithms.
-
-7.  References
-
-7.1  Normative References
-
-   [1]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "DNS Security Introduction and Requirements", RFC 4033,
-        March 2005.
-
-   [2]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "Resource Records for the DNS Security Extensions", RFC 4034,
-        March 2005.
-
-
-
-Weiler                  Expires November 24, 2005               [Page 8]
-
-Internet-Draft       DNSSECbis Implementation Notes             May 2005
-
-
-   [3]  Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
-        "Protocol Modifications for the DNS Security Extensions",
-        RFC 4035, March 2005.
-
-   [4]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
-        Levels", BCP 14, RFC 2119, March 1997.
-
-7.2  Informative References
-
-   [5]  Blacka, D., "DNSSEC Experiments",
-        draft-blacka-dnssec-experiments-00 (work in progress),
-        December 2004.
-
-   [6]  Gieben, R. and O. Kolkman, "DNSSEC Operational Practices",
-        draft-ietf-dnsop-dnssec-operational-practices-04 (work in
-        progress), May 2005.
-
-
-Author's Address
-
-   Samuel Weiler
-   SPARTA, Inc
-   7075 Samuel Morse Drive
-   Columbia, Maryland  21046
-   US
-
-   Email: weiler@tislabs.com
-
-Appendix A.  Acknowledgments
-
-   The editor is extremely grateful to those who, in addition to finding
-   errors and omissions in the DNSSECbis document set, have provided
-   text suitable for inclusion in this document.
-
-   The lack of specificity about handling private algorithms, as
-   described in Section 3.2, and the lack of specificity in handling ANY
-   queries, as described in Section 2.3, were discovered by David
-   Blacka.
-
-   The error in algorithm 1 key tag calculation, as described in
-   Section 3.4, was found by Abhijit Hayatnagarkar.  Donald Eastlake
-   contributed text for Section 3.4.
-
-   The bug relating to delegation NSEC RR's in Section 2.1 was found by
-   Roy Badami.  Roy Arends found the related problem with DNAME.
-
-   The errors in the RFC4035 examples were found by Roy Arends, who also
-   contributed text for Section 4.3 of this document.
-
-
-
-Weiler                  Expires November 24, 2005               [Page 9]
-
-Internet-Draft       DNSSECbis Implementation Notes             May 2005
-
-
-   The editor would like to thank Olafur Gudmundsson and Scott Rose for
-   their substantive comments on the text of this document.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Weiler                  Expires November 24, 2005              [Page 10]
-
-Internet-Draft       DNSSECbis Implementation Notes             May 2005
-
-
-Intellectual Property Statement
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
-   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
-   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
-   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
-   Copyright (C) The Internet Society (2005).  This document is subject
-   to the rights, licenses and restrictions contained in BCP 78, and
-   except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
-   Funding for the RFC Editor function is currently provided by the
-   Internet Society.
-
-
-
-
-Weiler                  Expires November 24, 2005              [Page 11]
-
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-08.txt b/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-08.txt
new file mode 100644
index 00000000..dc108cbf
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-08.txt
@@ -0,0 +1,672 @@
+
+
+
+Network Working Group                                          S. Weiler
+Internet-Draft                                              SPARTA, Inc.
+Updates: 4033, 4034, 4035, 5155                                D. Blacka
+(if approved)                                             VeriSign, Inc.
+Intended status: Standards Track                        January 14, 2009
+Expires: July 18, 2009
+
+
+         Clarifications and Implementation Notes for DNSSECbis
+                draft-ietf-dnsext-dnssec-bis-updates-08
+
+Status of this Memo
+
+   This Internet-Draft is submitted to IETF in full conformance with the
+   provisions of BCP 78 and BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on July 18, 2009.
+
+Copyright Notice
+
+   Copyright (c) 2009 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents
+   (http://trustee.ietf.org/license-info) in effect on the date of
+   publication of this document.  Please review these documents
+   carefully, as they describe your rights and restrictions with respect
+   to this document.
+
+
+
+
+
+
+Weiler & Blacka           Expires July 18, 2009                 [Page 1]
+
+Internet-Draft       DNSSECbis Implementation Notes         January 2009
+
+
+Abstract
+
+   This document is a collection of technical clarifications to the
+   DNSSECbis document set.  It is meant to serve as a resource to
+   implementors as well as a repository of DNSSECbis errata.
+
+
+Table of Contents
+
+   1.  Introduction and Terminology . . . . . . . . . . . . . . . . .  3
+     1.1.  Structure of this Document . . . . . . . . . . . . . . . .  3
+     1.2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  3
+   2.  Important Additions to DNSSSECbis  . . . . . . . . . . . . . .  3
+     2.1.  NSEC3 Support  . . . . . . . . . . . . . . . . . . . . . .  3
+     2.2.  SHA-256 Support  . . . . . . . . . . . . . . . . . . . . .  3
+   3.  Significant Concerns . . . . . . . . . . . . . . . . . . . . .  4
+     3.1.  Clarifications on Non-Existence Proofs . . . . . . . . . .  4
+     3.2.  Validating Responses to an ANY Query . . . . . . . . . . .  4
+     3.3.  Check for CNAME  . . . . . . . . . . . . . . . . . . . . .  5
+     3.4.  Insecure Delegation Proofs . . . . . . . . . . . . . . . .  5
+     3.5.  Errors in Canonical Form Type Code List  . . . . . . . . .  5
+   4.  Interoperability Concerns  . . . . . . . . . . . . . . . . . .  5
+     4.1.  Unknown DS Message Digest Algorithms . . . . . . . . . . .  5
+     4.2.  Private Algorithms . . . . . . . . . . . . . . . . . . . .  6
+     4.3.  Caution About Local Policy and Multiple RRSIGs . . . . . .  6
+     4.4.  Key Tag Calculation  . . . . . . . . . . . . . . . . . . .  7
+     4.5.  Setting the DO Bit on Replies  . . . . . . . . . . . . . .  7
+     4.6.  Setting the AD bit on Replies  . . . . . . . . . . . . . .  7
+     4.7.  Setting the CD bit on Requests . . . . . . . . . . . . . .  8
+     4.8.  Nested Trust Anchors . . . . . . . . . . . . . . . . . . .  8
+   5.  Minor Corrections and Clarifications . . . . . . . . . . . . .  8
+     5.1.  Finding Zone Cuts  . . . . . . . . . . . . . . . . . . . .  8
+     5.2.  Clarifications on DNSKEY Usage . . . . . . . . . . . . . .  8
+     5.3.  Errors in Examples . . . . . . . . . . . . . . . . . . . .  9
+     5.4.  Errors in RFC 5155 . . . . . . . . . . . . . . . . . . . .  9
+   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 10
+   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 10
+   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
+     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 10
+     8.2.  Informative References . . . . . . . . . . . . . . . . . . 11
+   Appendix A.  Acknowledgments . . . . . . . . . . . . . . . . . . . 11
+   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12
+
+
+
+
+
+
+
+
+
+Weiler & Blacka           Expires July 18, 2009                 [Page 2]
+
+Internet-Draft       DNSSECbis Implementation Notes         January 2009
+
+
+1.  Introduction and Terminology
+
+   This document lists some clarifications and corrections to DNSSECbis,
+   as described in [RFC4033], [RFC4034], and [RFC4035].
+
+   It is intended to serve as a resource for implementors and as a
+   repository of items that need to be addressed when advancing the
+   DNSSECbis documents from Proposed Standard to Draft Standard.
+
+1.1.  Structure of this Document
+
+   The clarifications to DNSSECbis are sorted according to their
+   importance, starting with ones which could, if ignored, lead to
+   security and stability problems and progressing down to
+   clarifications that are expected to have little operational impact.
+
+1.2.  Terminology
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in [RFC2119].
+
+
+2.  Important Additions to DNSSSECbis
+
+   This section provides
+
+2.1.  NSEC3 Support
+
+   [RFC5155] describes the use and behavior of the NSEC3 and NSEC3PARAM
+   records for hashed denial of existence.  Validator implementations
+   are strongly encouraged to include support for NSEC3 as a number of
+   highly visible zones are expected to use it.  Validators that do not
+   support validation of responses using NSEC3 will likely be hampered
+   in validating large portions of the DNS space.
+
+   [RFC5155] should be considered part of the DNS Security Document
+   Family as described by [RFC4033], Section 10.
+
+2.2.  SHA-256 Support
+
+   [RFC4509] describes the use of SHA-256 as a digest algorithm for use
+   with Delegation Signer (DS) RRs.  [I-D.ietf-dnsext-dnssec-rsasha256]
+   describes the use of the RSASHA256 algorthim for use in DNSKEY and
+   RRSIG RRs.  Validator implementations are strongly encouraged to
+   include support for this algorithm for DS, DNSKEY, and RRSIG records.
+
+   Both [RFC4509] and [I-D.ietf-dnsext-dnssec-rsasha256] should also be
+
+
+
+Weiler & Blacka           Expires July 18, 2009                 [Page 3]
+
+Internet-Draft       DNSSECbis Implementation Notes         January 2009
+
+
+   considered part of the DNS Security Document Family as described by
+   [RFC4033], Section 10.
+
+
+3.  Significant Concerns
+
+   This section provides clarifications that, if overlooked, could lead
+   to security issues or major interoperability problems.
+
+3.1.  Clarifications on Non-Existence Proofs
+
+   [RFC4035] Section 5.4 underspecifies the algorithm for checking non-
+   existence proofs.  In particular, the algorithm as presented would
+   incorrectly allow an NSEC or NSEC3 RR from an ancestor zone to prove
+   the non-existence of other RRs at that name in the child zone or
+   other names in the child zone.
+
+   An "ancestor delegation" NSEC RR (or NSEC3 RR) is one with:
+
+   o  the NS bit set,
+   o  the SOA bit clear, and
+   o  a signer field that is shorter than the owner name of the NSEC RR,
+      or the original owner name for the NSEC3 RR.
+
+   Ancestor delegation NSEC or NSEC3 RRs MUST NOT be used to assume non-
+   existence of any RRs below that zone cut, which include all RRs at
+   that (original) owner name other than DS RRs, and all RRs below that
+   owner name regardless of type.
+
+   Similarly, the algorithm would also allow an NSEC RR at the same
+   owner name as a DNAME RR, or an NSEC3 RR at the same original owner
+   name as a DNAME, to prove the non-existence of names beneath that
+   DNAME.  An NSEC or NSEC3 RR with the DNAME bit set MUST NOT be used
+   to assume the non-existence of any subdomain of that NSEC/NSEC3 RR's
+   (original) owner name.
+
+3.2.  Validating Responses to an ANY Query
+
+   [RFC4035] does not address how to validate responses when QTYPE=*.
+   As described in Section 6.2.2 of [RFC1034], a proper response to
+   QTYPE=* may include a subset of the RRsets at a given name -- it is
+   not necessary to include all RRsets at the QNAME in the response.
+
+   When validating a response to QTYPE=*, validate all received RRsets
+   that match QNAME and QCLASS.  If any of those RRsets fail validation,
+   treat the answer as Bogus.  If there are no RRsets matching QNAME and
+   QCLASS, validate that fact using the rules in [RFC4035] Section 5.4
+   (as clarified in this document).  To be clear, a validator must not
+
+
+
+Weiler & Blacka           Expires July 18, 2009                 [Page 4]
+
+Internet-Draft       DNSSECbis Implementation Notes         January 2009
+
+
+   expect to receive all records at the QNAME in response to QTYPE=*.
+
+3.3.  Check for CNAME
+
+   Section 5 of [RFC4035] says little about validating responses based
+   on (or that should be based on) CNAMEs.  When validating a NOERROR/
+   NODATA response, validators MUST check the CNAME bit in the matching
+   NSEC or NSEC3 RR's type bitmap.  If the CNAME bit is set, the
+   validator MUST validate the CNAME RR and follow it, as appropriate.
+
+3.4.  Insecure Delegation Proofs
+
+   [RFC4035] Section 5.2 specifies that a validator, when proving a
+   delegation is not secure, needs to check for the absence of the DS
+   and SOA bits in the NSEC (or NSEC3) type bitmap.  The validator also
+   needs to check for the presence of the NS bit in the NSEC (or NSEC3)
+   RR (proving that there is, indeed, a delegation).  If this is not
+   checked, spoofed unsigned delegations might be used to claim that an
+   existing signed record is not signed.
+
+3.5.  Errors in Canonical Form Type Code List
+
+   When canonicalizing DNS names, DNS names in the RDATA section of NSEC
+   and RRSIG resource records are not downcased.
+
+   [RFC4034] Section 6.2 item 3 has a list of resource record types for
+   which DNS names in the RDATA are downcased for purposes of DNSSEC
+   canonical form (for both ordering and signing).  That list
+   erroneously contains NSEC and RRSIG.  According to [RFC3755], DNS
+   names in the RDATA of NSEC and RRSIG should not be downcased.
+
+   The same section also erroneously lists HINFO, and twice at that.
+   Since HINFO records contain no domain names, they are not subject to
+   downcasing.
+
+
+4.  Interoperability Concerns
+
+4.1.  Unknown DS Message Digest Algorithms
+
+   Section 5.2 of [RFC4035] includes rules for how to handle delegations
+   to zones that are signed with entirely unsupported algorithms, as
+   indicated by the algorithms shown in those zone's DS RRsets.  It does
+   not explicitly address how to handle DS records that use unsupported
+   message digest algorithms.  In brief, DS records using unknown or
+   unsupported message digest algorithms MUST be treated the same way as
+   DS records referring to DNSKEY RRs of unknown or unsupported
+   algorithms.
+
+
+
+Weiler & Blacka           Expires July 18, 2009                 [Page 5]
+
+Internet-Draft       DNSSECbis Implementation Notes         January 2009
+
+
+   The existing text says:
+
+      If the validator does not support any of the algorithms listed in
+      an authenticated DS RRset, then the resolver has no supported
+      authentication path leading from the parent to the child.  The
+      resolver should treat this case as it would the case of an
+      authenticated NSEC RRset proving that no DS RRset exists, as
+      described above.
+
+   To paraphrase the above, when determining the security status of a
+   zone, a validator discards (for this purpose only) any DS records
+   listing unknown or unsupported algorithms.  If none are left, the
+   zone is treated as if it were unsigned.
+
+   Modified to consider DS message digest algorithms, a validator also
+   discards any DS records using unknown or unsupported message digest
+   algorithms.
+
+4.2.  Private Algorithms
+
+   As discussed above, section 5.2 of [RFC4035] requires that validators
+   make decisions about the security status of zones based on the public
+   key algorithms shown in the DS records for those zones.  In the case
+   of private algorithms, as described in [RFC4034] Appendix A.1.1, the
+   eight-bit algorithm field in the DS RR is not conclusive about what
+   algorithm(s) is actually in use.
+
+   If no private algorithms appear in the DS set or if any supported
+   algorithm appears in the DS set, no special processing will be
+   needed.  In the remaining cases, the security status of the zone
+   depends on whether or not the resolver supports any of the private
+   algorithms in use (provided that these DS records use supported hash
+   functions, as discussed in Section 4.1).  In these cases, the
+   resolver MUST retrieve the corresponding DNSKEY for each private
+   algorithm DS record and examine the public key field to determine the
+   algorithm in use.  The security-aware resolver MUST ensure that the
+   hash of the DNSKEY RR's owner name and RDATA matches the digest in
+   the DS RR.  If they do not match, and no other DS establishes that
+   the zone is secure, the referral should be considered BAD data, as
+   discussed in [RFC4035].
+
+   This clarification facilitates the broader use of private algorithms,
+   as suggested by [RFC4955].
+
+4.3.  Caution About Local Policy and Multiple RRSIGs
+
+   When multiple RRSIGs cover a given RRset, [RFC4035] Section 5.3.3
+   suggests that "the local resolver security policy determines whether
+
+
+
+Weiler & Blacka           Expires July 18, 2009                 [Page 6]
+
+Internet-Draft       DNSSECbis Implementation Notes         January 2009
+
+
+   the resolver also has to test these RRSIG RRs and how to resolve
+   conflicts if these RRSIG RRs lead to differing results."  In most
+   cases, a resolver would be well advised to accept any valid RRSIG as
+   sufficient.  If the first RRSIG tested fails validation, a resolver
+   would be well advised to try others, giving a successful validation
+   result if any can be validated and giving a failure only if all
+   RRSIGs fail validation.
+
+   If a resolver adopts a more restrictive policy, there's a danger that
+   properly-signed data might unnecessarily fail validation, perhaps
+   because of cache timing issues.  Furthermore, certain zone management
+   techniques, like the Double Signature Zone-signing Key Rollover
+   method described in section 4.2.1.2 of [RFC4641] might not work
+   reliably.
+
+4.4.  Key Tag Calculation
+
+   [RFC4034] Appendix B.1 incorrectly defines the Key Tag field
+   calculation for algorithm 1.  It correctly says that the Key Tag is
+   the most significant 16 of the least significant 24 bits of the
+   public key modulus.  However, [RFC4034] then goes on to incorrectly
+   say that this is 4th to last and 3rd to last octets of the public key
+   modulus.  It is, in fact, the 3rd to last and 2nd to last octets.
+
+4.5.  Setting the DO Bit on Replies
+
+   [RFC4035] does not provide any instructions to servers as to how to
+   set the DO bit.  Some authoritative server implementations have
+   chosen to copy the DO bit settings from the incoming query to the
+   outgoing response.  Others have chosen to never set the DO bit in
+   responses.  Either behavior is permitted.  To be clear, in replies to
+   queries with the DO-bit set servers may or may not set the DO bit.
+
+4.6.  Setting the AD bit on Replies
+
+   Section 3.2.3 of [RFC4035] describes under which conditions a
+   validating resolver should set or clear the AD bit in a response.  In
+   order to protect legacy stub resolvers and middleboxes, validating
+   resolvers SHOULD only set the AD bit when a response both meets the
+   conditions listed in RFC 4035, section 3.2.3, and the request
+   contained either a set DO bit or a set AD bit.
+
+   Note that the use of the AD bit in the query was previously
+   undefined.  This document defines it as a signal indicating that the
+   requester understands and is interested in the value of the AD bit in
+   the response.  This allows a requestor to indicate that it
+   understands the AD bit without also requesting DNSSEC data via the DO
+   bit.
+
+
+
+Weiler & Blacka           Expires July 18, 2009                 [Page 7]
+
+Internet-Draft       DNSSECbis Implementation Notes         January 2009
+
+
+4.7.  Setting the CD bit on Requests
+
+   When processing a request with the CD bit set, the resolver MUST set
+   the CD bit on its upstream queries.
+
+4.8.  Nested Trust Anchors
+
+   A DNSSEC validator may be configured such that, for a given response,
+   more than one trust anchor could be used to validate the chain of
+   trust to the response zone.  For example, imagine a validor
+   configured with trust anchors for "example." and "zone.example."
+   When the validator is asked to validate a response to
+   "www.sub.zone.example.", either trust anchor could apply.
+
+   When presented with this situation, DNSSEC validators SHOULD try all
+   applicable trust anchors until one succeeds.
+
+   There are some scenarios where different behaviors, such as choosing
+   the trust anchor closest to the QNAME of the response, may be
+   desired.  A DNSSEC validator MAY enable such behaviors as
+   configurable overrides.
+
+
+5.  Minor Corrections and Clarifications
+
+5.1.  Finding Zone Cuts
+
+   Appendix C.8 of [RFC4035] discusses sending DS queries to the servers
+   for a parent zone.  To do that, a resolver may first need to apply
+   special rules to discover what those servers are.
+
+   As explained in Section 3.1.4.1 of [RFC4035], security-aware name
+   servers need to apply special processing rules to handle the DS RR,
+   and in some situations the resolver may also need to apply special
+   rules to locate the name servers for the parent zone if the resolver
+   does not already have the parent's NS RRset.  Section 4.2 of
+   [RFC4035] specifies a mechanism for doing that.
+
+5.2.  Clarifications on DNSKEY Usage
+
+   Questions of the form "can I use a different DNSKEY for signing this
+   RRset" have occasionally arisen.
+
+   The short answer is "yes, absolutely".  You can even use a different
+   DNSKEY for each RRset in a zone, subject only to practical limits on
+   the size of the DNSKEY RRset.  However, be aware that there is no way
+   to tell resolvers what a particularly DNSKEY is supposed to be used
+   for -- any DNSKEY in the zone's signed DNSKEY RRset may be used to
+
+
+
+Weiler & Blacka           Expires July 18, 2009                 [Page 8]
+
+Internet-Draft       DNSSECbis Implementation Notes         January 2009
+
+
+   authenticate any RRset in the zone.  For example, if a weaker or less
+   trusted DNSKEY is being used to authenticate NSEC RRsets or all
+   dynamically updated records, that same DNSKEY can also be used to
+   sign any other RRsets from the zone.
+
+   Furthermore, note that the SEP bit setting has no effect on how a
+   DNSKEY may be used -- the validation process is specifically
+   prohibited from using that bit by [RFC4034] section 2.1.2.  It is
+   possible to use a DNSKEY without the SEP bit set as the sole secure
+   entry point to the zone, yet use a DNSKEY with the SEP bit set to
+   sign all RRsets in the zone (other than the DNSKEY RRset).  It's also
+   possible to use a single DNSKEY, with or without the SEP bit set, to
+   sign the entire zone, including the DNSKEY RRset itself.
+
+5.3.  Errors in Examples
+
+   The text in [RFC4035] Section C.1 refers to the examples in B.1 as
+   "x.w.example.com" while B.1 uses "x.w.example".  This is painfully
+   obvious in the second paragraph where it states that the RRSIG labels
+   field value of 3 indicates that the answer was not the result of
+   wildcard expansion.  This is true for "x.w.example" but not for
+   "x.w.example.com", which of course has a label count of 4
+   (antithetically, a label count of 3 would imply the answer was the
+   result of a wildcard expansion).
+
+   The first paragraph of [RFC4035] Section C.6 also has a minor error:
+   the reference to "a.z.w.w.example" should instead be "a.z.w.example",
+   as in the previous line.
+
+5.4.  Errors in RFC 5155
+
+   A NSEC3 record, that matches an Empty Non-Terminal, effectively has
+   no type associated with it.  This NSEC3 record has an empty type bit
+   map.  Section 3.2.1 of [RFC5155] contains the statement:
+
+      Blocks with no types present MUST NOT be included.
+
+   However, the same section contains a regular expression:
+
+      Type Bit Maps Field = ( Window Block # | Bitmap Length | Bitmap )+
+
+   The plus sign in the regular expression indicates that there is one
+   or more of the preceding element.  This means that there must be at
+   least one window block.  If this window block has no types, it
+   contradicts with the first statement.  Therefore, the correct text in
+   RFC 5155 3.2.1 should be:
+
+
+
+
+
+Weiler & Blacka           Expires July 18, 2009                 [Page 9]
+
+Internet-Draft       DNSSECbis Implementation Notes         January 2009
+
+
+      Type Bit Maps Field = ( Window Block # | Bitmap Length | Bitmap )*
+
+
+6.  IANA Considerations
+
+   This document specifies no IANA Actions.
+
+
+7.  Security Considerations
+
+   This document does not make fundamental changes to the DNSSEC
+   protocol, as it was generally understood when DNSSECbis was
+   published.  It does, however, address some ambiguities and omissions
+   in those documents that, if not recognized and addressed in
+   implementations, could lead to security failures.  In particular, the
+   validation algorithm clarifications in Section 3 are critical for
+   preserving the security properties DNSSEC offers.  Furthermore,
+   failure to address some of the interoperability concerns in Section 4
+   could limit the ability to later change or expand DNSSEC, including
+   by adding new algorithms.
+
+
+8.  References
+
+8.1.  Normative References
+
+   [I-D.ietf-dnsext-dnssec-rsasha256]
+              Jansen, J., "Use of SHA-2 algorithms with RSA in DNSKEY
+              and RRSIG Resource Records for DNSSEC",
+              draft-ietf-dnsext-dnssec-rsasha256-10 (work in progress),
+              January 2009.
+
+   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
+              RFC 1034, STD 13, November 1987.
+
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", RFC 2119, BCP 14, March 1997.
+
+   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "DNS Security Introduction and Requirements",
+              RFC 4033, March 2005.
+
+   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "Resource Records for the DNS Security Extensions",
+              RFC 4034, March 2005.
+
+   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "Protocol Modifications for the DNS Security
+
+
+
+Weiler & Blacka           Expires July 18, 2009                [Page 10]
+
+Internet-Draft       DNSSECbis Implementation Notes         January 2009
+
+
+              Extensions", RFC 4035, March 2005.
+
+   [RFC4509]  Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer
+              (DS) Resource Records (RRs)", RFC 4509, May 2006.
+
+   [RFC5155]  Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
+              Security (DNSSEC) Hashed Authenticated Denial of
+              Existence", RFC 5155, March 2008.
+
+8.2.  Informative References
+
+   [RFC3755]  Weiler, S., "Legacy Resolver Compatibility for Delegation
+              Signer (DS)", RFC 3755, May 2004.
+
+   [RFC4641]  Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
+              RFC 4641, September 2006.
+
+   [RFC4955]  Blacka, D., "DNS Security (DNSSEC) Experiments", RFC 4955,
+              July 2007.
+
+
+Appendix A.  Acknowledgments
+
+   The editors would like the thank Rob Austein for his previous work as
+   an editor of this document.
+
+   The editors are extremely grateful to those who, in addition to
+   finding errors and omissions in the DNSSECbis document set, have
+   provided text suitable for inclusion in this document.
+
+   The lack of specificity about handling private algorithms, as
+   described in Section 4.2, and the lack of specificity in handling ANY
+   queries, as described in Section 3.2, were discovered by David
+   Blacka.
+
+   The error in algorithm 1 key tag calculation, as described in
+   Section 4.4, was found by Abhijit Hayatnagarkar.  Donald Eastlake
+   contributed text for Section 4.4.
+
+   The bug relating to delegation NSEC RR's in Section 3.1 was found by
+   Roy Badami.  Roy Arends found the related problem with DNAME.
+
+   The errors in the [RFC4035] examples were found by Roy Arends, who
+   also contributed text for Section 5.3 of this document.
+
+   The editors would like to thank Ed Lewis, Danny Mayer, Olafur
+   Gudmundsson, Suzanne Woolf, and Scott Rose for their substantive
+   comments on the text of this document.
+
+
+
+Weiler & Blacka           Expires July 18, 2009                [Page 11]
+
+Internet-Draft       DNSSECbis Implementation Notes         January 2009
+
+
+Authors' Addresses
+
+   Samuel Weiler
+   SPARTA, Inc.
+   7110 Samuel Morse Drive
+   Columbia, Maryland  21046
+   US
+
+   Email: weiler@tislabs.com
+
+
+   David Blacka
+   VeriSign, Inc.
+   21345 Ridgetop Circle
+   Dulles, VA  20166
+   US
+
+   Email: davidb@verisign.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Weiler & Blacka           Expires July 18, 2009                [Page 12]
+
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-06.txt b/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-06.txt
deleted file mode 100644
index 1dc90708..00000000
--- a/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-06.txt
+++ /dev/null
@@ -1,504 +0,0 @@
-
-
-
-DNS Extensions working group                                   J. Jansen
-Internet-Draft                                                NLnet Labs
-Intended status: Standards Track                        October 23, 2008
-Expires: April 26, 2009
-
-
- Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records
-                               for DNSSEC
-                 draft-ietf-dnsext-dnssec-rsasha256-06
-
-Status of this Memo
-
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF), its areas, and its working groups.  Note that
-   other groups may also distribute working documents as Internet-
-   Drafts.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   The list of current Internet-Drafts can be accessed at
-   http://www.ietf.org/ietf/1id-abstracts.txt.
-
-   The list of Internet-Draft Shadow Directories can be accessed at
-   http://www.ietf.org/shadow.html.
-
-   This Internet-Draft will expire on April 26, 2009.
-
-Abstract
-
-   This document describes how to produce RSA/SHA-256 and RSA/SHA-512
-   DNSKEY and RRSIG resource records for use in the Domain Name System
-   Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035).
-
-
-
-
-
-
-
-
-
-
-
-Jansen                   Expires April 26, 2009                 [Page 1]
-
-Internet-Draft              DNSSEC RSA/SHA-2                October 2008
-
-
-Table of Contents
-
-   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
-   2.  DNSKEY Resource Records . . . . . . . . . . . . . . . . . . . . 3
-     2.1.  RSA/SHA-256 DNSKEY Resource Records . . . . . . . . . . . . 3
-     2.2.  RSA/SHA-512 DNSKEY Resource Records . . . . . . . . . . . . 3
-   3.  RRSIG Resource Records  . . . . . . . . . . . . . . . . . . . . 4
-     3.1.  RSA/SHA-256 RRSIG Resource Records  . . . . . . . . . . . . 4
-     3.2.  RSA/SHA-512 RRSIG Resource Records  . . . . . . . . . . . . 5
-   4.  Deployment Considerations . . . . . . . . . . . . . . . . . . . 5
-     4.1.  Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . . 5
-     4.2.  Signature Sizes . . . . . . . . . . . . . . . . . . . . . . 5
-   5.  Implementation Considerations . . . . . . . . . . . . . . . . . 5
-     5.1.  Support for SHA-2 signatures  . . . . . . . . . . . . . . . 5
-   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5
-   7.  Security Considerations . . . . . . . . . . . . . . . . . . . . 6
-     7.1.  SHA-1 versus SHA-2 Considerations for RRSIG Resource
-           Records . . . . . . . . . . . . . . . . . . . . . . . . . . 6
-     7.2.  Signature Type Downgrade Attacks  . . . . . . . . . . . . . 6
-   8.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6
-   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 7
-     9.1.  Normative References  . . . . . . . . . . . . . . . . . . . 7
-     9.2.  Informative References  . . . . . . . . . . . . . . . . . . 7
-   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 8
-   Intellectual Property and Copyright Statements  . . . . . . . . . . 9
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Jansen                   Expires April 26, 2009                 [Page 2]
-
-Internet-Draft              DNSSEC RSA/SHA-2                October 2008
-
-
-1.  Introduction
-
-   The Domain Name System (DNS) is the global hierarchical distributed
-   database for Internet Naming.  The DNS has been extended to use
-   cryptographic keys and digital signatures for the verification of the
-   authenticity and integrity of its data.  RFC 4033 [RFC4033], RFC 4034
-   [RFC4034], and RFC 4035 [RFC4035] describe these DNS Security
-   Extensions, called DNSSEC.
-
-   RFC 4034 describes how to store DNSKEY and RRSIG resource records,
-   and specifies a list of cryptographic algorithms to use.  This
-   document extends that list with the algorithms RSA/SHA-256 and RSA/
-   SHA-512, and specifies how to store DNSKEY data and how to produce
-   RRSIG resource records with these hash algorithms.
-
-   Familiarity with DNSSEC, RSA and the SHA-2 [FIPS.180-2.2002] family
-   of algorithms is assumed in this document.
-
-   To refer to both SHA-256 and SHA-512, this document will use the name
-   SHA-2.  This is done to improve readability.  When a part of text is
-   specific for either SHA-256 or SHA-512, their specific names are
-   used.  The same goes for RSA/SHA-256 and RSA/SHA-512, which will be
-   grouped using the name RSA/SHA-2.
-
-
-2.  DNSKEY Resource Records
-
-   The format of the DNSKEY RR can be found in RFC 4034 [RFC4034], RFC
-   3110 [RFC3110] describes the use of RSA/SHA-1 for DNSSEC signatures.
-
-2.1.  RSA/SHA-256 DNSKEY Resource Records
-
-   RSA public keys for use with RSA/SHA-256 are stored in DNSKEY
-   resource records (RRs) with the algorithm number {TBA1}.
-
-   For use with NSEC3 [RFC5155], the algorithm number for RSA/SHA-256
-   will be {TBA2}.  The use of a different algorithm number to
-   differentiate between the use of NSEC and NSEC3 is in keeping with
-   the approach adopted in RFC5155.
-
-   For interoperability, as in RFC 3110 [RFC3110], the key size of RSA/
-   SHA-256 keys MUST NOT be less than 512 bits, and MUST NOT be more
-   than 4096 bits.
-
-2.2.  RSA/SHA-512 DNSKEY Resource Records
-
-   RSA public keys for use with RSA/SHA-512 are stored in DNSKEY
-   resource records (RRs) with the algorithm number {TBA3}.
-
-
-
-Jansen                   Expires April 26, 2009                 [Page 3]
-
-Internet-Draft              DNSSEC RSA/SHA-2                October 2008
-
-
-   For use with NSEC3, the algorithm number for RSA/SHA-512 will be
-   {TBA4}.  The use of a different algorithm number to differentiate
-   between the use of NSEC and NSEC3 is in keeping with the approach
-   adopted in RFC5155.
-
-   The key size of RSA/SHA-512 keys MUST NOT be less than 1024 bits, and
-   MUST NOT be more than 4096 bits.
-
-
-3.  RRSIG Resource Records
-
-   The value of the signature field in the RRSIG RR follows the RSASSA-
-   PKCS1-v1_5 signature scheme, and is calculated as follows.  The
-   values for the RDATA fields that precede the signature data are
-   specified in RFC 4034 [RFC4034].
-
-   hash = SHA-XXX(data)
-
-   Here XXX is either 256 or 512, depending on the algorithm used, as
-   specified in FIPS PUB 180-2 [FIPS.180-2.2002], and "data" is the wire
-   format data of the resource record set that is signed, as specified
-   in RFC 4034 [RFC4034].
-
-   signature = ( 00 | 01 | FF* | 00 | prefix | hash ) ** e (mod n)
-
-   Here "|" is concatenation, "00", "01", "FF" and "00" are fixed octets
-   of corresponding hexadecimal value, "e" is the private exponent of
-   the signing RSA key, and "n" is the public modulus of the signing
-   key.  The FF octet MUST be repeated the exact number of times so that
-   the total length of the concatenated term in parentheses equals the
-   length of the modulus of the signer's public key ("n").
-
-   The "prefix" is intended to make the use of standard cryptographic
-   libraries easier.  These specifications are taken directly from the
-   specifications of RSASSA-PKCS1-v1_5 in PKCS #1 v2.1 section 8.2
-   [RFC3447], and EMSA-PKCS1-v1_5 encoding in PKCS #1 v2.1 section 9.2
-   [RFC3447].  The prefixes for the different algorithms are specified
-   below.
-
-3.1.  RSA/SHA-256 RRSIG Resource Records
-
-   RSA/SHA-256 signatures are stored in the DNS using RRSIG resource
-   records (RRs) with algorithm number {TBA1} for use with NSEC, or
-   {TBA2} for use with NSEC3.
-
-   The prefix is the ASN.1 BER SHA-256 algorithm designator prefix as
-   specified in PKCS #1 v2.1 [RFC3447]:
-
-
-
-
-Jansen                   Expires April 26, 2009                 [Page 4]
-
-Internet-Draft              DNSSEC RSA/SHA-2                October 2008
-
-
-   hex 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20
-
-3.2.  RSA/SHA-512 RRSIG Resource Records
-
-   RSA/SHA-512 signatures are stored in the DNS using RRSIG resource
-   records (RRs) with algorithm number {TBA3} for use with NSEC, or
-   {TBA4} for use with NSEC3.
-
-   The prefix is the ASN.1 BER SHA-512 algorithm designator prefix as
-   specified in PKCS #1 v2.1 [RFC3447]:
-
-   hex 30 51 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 00 04 40
-
-
-4.  Deployment Considerations
-
-4.1.  Key Sizes
-
-   Apart from the restrictions specified in section 2, this document
-   will not specify what size of keys to use.  That is an operational
-   issue and depends largely on the environment and intended use.  A
-   good starting point for more information would be NIST SP 800-57
-   [NIST800-57].
-
-4.2.  Signature Sizes
-
-   In this family of signing algorithms, the size of signatures is
-   related to the size of the key, and not the hashing algorithm used in
-   the signing process.  Therefore, RRSIG resource records produced with
-   RSA/SHA256 or RSA/SHA512 will have the same size as those produced
-   with RSA/SHA1, if the keys have the same length.
-
-
-5.  Implementation Considerations
-
-5.1.  Support for SHA-2 signatures
-
-   DNSSEC aware implementations SHOULD be able to support RRSIG resource
-   records with the RSA/SHA-2 algorithms.
-
-
-6.  IANA Considerations
-
-   IANA has assigned DNS Security Algorithm Numbers {TBA1} for RSA/
-   SHA-256 with NSEC, {TBA2} for RSA/SHA-256 with NSEC3, {TBA3} for RSA/
-   SHA-512 with NSEC, and {TBA4} for RSA/SHA-512 with NSEC3.
-
-   The algorithm list from RFC 4034 Appendix A.1 [RFC4034] is extended
-
-
-
-Jansen                   Expires April 26, 2009                 [Page 5]
-
-Internet-Draft              DNSSEC RSA/SHA-2                October 2008
-
-
-   with the following entries:
-
-                                                     Zone
-   Value      Algorithm             [Mnemonic]    Signing  References
-   {TBA1}   RSA/SHA-256              RSASHA256          y {this memo}
-   {TBA2}   RSA/SHA-256-NSEC3   RSASHA256NSEC3          y {this memo}
-   {TBA3}   RSA/SHA-512              RSASHA512          y {this memo}
-   {TBA4}   RSA/SHA-512-NSEC3   RSASHA512NSEC3          y {this memo}
-
-
-
-7.  Security Considerations
-
-7.1.  SHA-1 versus SHA-2 Considerations for RRSIG Resource Records
-
-   Users of DNSSEC are encouraged to deploy SHA-2 as soon as software
-   implementations allow for it.  SHA-2 is widely believed to be more
-   resilient to attack than SHA-1, and confidence in SHA-1's strength is
-   being eroded by recently-announced attacks.  Regardless of whether or
-   not the attacks on SHA-1 will affect DNSSEC, it is believed (at the
-   time of this writing) that SHA-2 is the better choice for use in
-   DNSSEC records.
-
-   SHA-2 is considered sufficiently strong for the immediate future, but
-   predictions about future development in cryptography and
-   cryptanalysis are beyond the scope of this document.
-
-   The signature scheme RSASSA-PKCS1-v1_5 is chosen to match the one
-   used for RSA/SHA-1 signatures.  This should ease implementation of
-   the new hashing algorithms in DNSSEC software.
-
-7.2.  Signature Type Downgrade Attacks
-
-   Since each RRSet MUST be signed with each algorithm present in the
-   DNSKEY RRSet at the zone apex (see [RFC4035] Section 2.2), a
-   malicious party cannot filter out the RSA/SHA-2 RRSIG, and force the
-   validator to use the RSA/SHA-1 signature if both are present in the
-   zone.  This should provide resilience against algorithm downgrade
-   attacks, if the validator supports RSA/SHA-2.
-
-
-8.  Acknowledgments
-
-   This document is a minor extension to RFC 4034 [RFC4034].  Also, we
-   try to follow the documents RFC 3110 [RFC3110] and RFC 4509 [RFC4509]
-   for consistency.  The authors of and contributors to these documents
-   are gratefully acknowledged for their hard work.
-
-
-
-
-Jansen                   Expires April 26, 2009                 [Page 6]
-
-Internet-Draft              DNSSEC RSA/SHA-2                October 2008
-
-
-   The following people provided additional feedback and text: Jaap
-   Akkerhuis, Roy Arends, Rob Austein, Francis Dupont, Miek Gieben,
-   Alfred Hoenes, Paul Hoffman, Peter Koch, Michael St. Johns, Scott
-   Rose and Wouter Wijngaards.
-
-
-9.  References
-
-9.1.  Normative References
-
-   [FIPS.180-2.2002]
-              National Institute of Standards and Technology, "Secure
-              Hash Standard", FIPS PUB 180-2, August 2002.
-
-   [RFC3110]  Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain
-              Name System (DNS)", RFC 3110, May 2001.
-
-   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
-              Rose, "DNS Security Introduction and Requirements",
-              RFC 4033, March 2005.
-
-   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
-              Rose, "Resource Records for the DNS Security Extensions",
-              RFC 4034, March 2005.
-
-   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
-              Rose, "Protocol Modifications for the DNS Security
-              Extensions", RFC 4035, March 2005.
-
-9.2.  Informative References
-
-   [NIST800-57]
-              Barker, E., Barker, W., Burr, W., Polk, W., and M. Smid,
-              "Recommendations for Key Management", NIST SP 800-57,
-              March 2007.
-
-   [RFC3447]  Jonsson, J. and B. Kaliski, "Public-Key Cryptography
-              Standards (PKCS) #1: RSA Cryptography Specifications
-              Version 2.1", RFC 3447, February 2003.
-
-   [RFC4509]  Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer
-              (DS) Resource Records (RRs)", RFC 4509, May 2006.
-
-   [RFC5155]  Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
-              Security (DNSSEC) Hashed Authenticated Denial of
-              Existence", RFC 5155, March 2008.
-
-
-
-
-
-Jansen                   Expires April 26, 2009                 [Page 7]
-
-Internet-Draft              DNSSEC RSA/SHA-2                October 2008
-
-
-Author's Address
-
-   Jelte Jansen
-   NLnet Labs
-   Kruislaan 419
-   Amsterdam  1098VA
-   NL
-
-   Email: jelte@NLnetLabs.nl
-   URI:   http://www.nlnetlabs.nl/
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Jansen                   Expires April 26, 2009                 [Page 8]
-
-Internet-Draft              DNSSEC RSA/SHA-2                October 2008
-
-
-Full Copyright Statement
-
-   Copyright (C) The IETF Trust (2008).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
-   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
-   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
-   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-
-
-
-
-
-
-
-
-
-Jansen                   Expires April 26, 2009                 [Page 9]
-
diff --git a/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-13.txt b/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-13.txt
new file mode 100644
index 00000000..bab65653
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-dnssec-rsasha256-13.txt
@@ -0,0 +1,560 @@
+
+
+
+DNS Extensions working group                                   J. Jansen
+Internet-Draft                                                NLnet Labs
+Intended status: Standards Track                          April 24, 2009
+Expires: October 26, 2009
+
+
+ Use of SHA-2 algorithms with RSA in DNSKEY and RRSIG Resource Records
+                               for DNSSEC
+                 draft-ietf-dnsext-dnssec-rsasha256-13
+
+Status of this Memo
+
+   This Internet-Draft is submitted to IETF in full conformance with the
+   provisions of BCP 78 and BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on October 26, 2009.
+
+Copyright Notice
+
+   Copyright (c) 2009 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents in effect on the date of
+   publication of this document (http://trustee.ietf.org/license-info).
+   Please review these documents carefully, as they describe your rights
+   and restrictions with respect to this document.
+
+Abstract
+
+   This document describes how to produce RSA/SHA-256 and RSA/SHA-512
+   DNSKEY and RRSIG resource records for use in the Domain Name System
+
+
+
+Jansen                  Expires October 26, 2009                [Page 1]
+
+Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
+
+
+   Security Extensions (DNSSEC, RFC 4033, RFC 4034, and RFC 4035).
+
+
+Table of Contents
+
+   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
+   2.  DNSKEY Resource Records  . . . . . . . . . . . . . . . . . . .  3
+     2.1.  RSA/SHA-256 DNSKEY Resource Records  . . . . . . . . . . .  3
+     2.2.  RSA/SHA-512 DNSKEY Resource Records  . . . . . . . . . . .  4
+   3.  RRSIG Resource Records . . . . . . . . . . . . . . . . . . . .  4
+     3.1.  RSA/SHA-256 RRSIG Resource Records . . . . . . . . . . . .  4
+     3.2.  RSA/SHA-512 RRSIG Resource Records . . . . . . . . . . . .  5
+   4.  Deployment Considerations  . . . . . . . . . . . . . . . . . .  5
+     4.1.  Key Sizes  . . . . . . . . . . . . . . . . . . . . . . . .  5
+     4.2.  Signature Sizes  . . . . . . . . . . . . . . . . . . . . .  5
+   5.  Implementation Considerations  . . . . . . . . . . . . . . . .  5
+     5.1.  Support for SHA-2 signatures . . . . . . . . . . . . . . .  5
+     5.2.  Support for NSEC3 Denial of Existence  . . . . . . . . . .  5
+   6.  Examples . . . . . . . . . . . . . . . . . . . . . . . . . . .  6
+     6.1.  RSA/SHA-256 Key and Signature  . . . . . . . . . . . . . .  6
+     6.2.  RSA/SHA-512 Key and Signature  . . . . . . . . . . . . . .  6
+   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  8
+   8.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
+     8.1.  SHA-1 versus SHA-2 Considerations for RRSIG Resource
+           Records  . . . . . . . . . . . . . . . . . . . . . . . . .  8
+     8.2.  Signature Type Downgrade Attacks . . . . . . . . . . . . .  8
+   9.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . .  9
+   10. References . . . . . . . . . . . . . . . . . . . . . . . . . .  9
+     10.1. Normative References . . . . . . . . . . . . . . . . . . .  9
+     10.2. Informative References . . . . . . . . . . . . . . . . . .  9
+   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 10
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jansen                  Expires October 26, 2009                [Page 2]
+
+Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
+
+
+1.  Introduction
+
+   The Domain Name System (DNS) is the global hierarchical distributed
+   database for Internet Naming.  The DNS has been extended to use
+   cryptographic keys and digital signatures for the verification of the
+   authenticity and integrity of its data.  RFC 4033 [RFC4033], RFC 4034
+   [RFC4034], and RFC 4035 [RFC4035] describe these DNS Security
+   Extensions, called DNSSEC.
+
+   RFC 4034 describes how to store DNSKEY and RRSIG resource records,
+   and specifies a list of cryptographic algorithms to use.  This
+   document extends that list with the algorithms RSA/SHA-256 and RSA/
+   SHA-512, and specifies how to store DNSKEY data and how to produce
+   RRSIG resource records with these hash algorithms.
+
+   Familiarity with DNSSEC, RSA and the SHA-2 [FIPS.180-3.2008] family
+   of algorithms is assumed in this document.
+
+   To refer to both SHA-256 and SHA-512, this document will use the name
+   SHA-2.  This is done to improve readability.  When a part of text is
+   specific for either SHA-256 or SHA-512, their specific names are
+   used.  The same goes for RSA/SHA-256 and RSA/SHA-512, which will be
+   grouped using the name RSA/SHA-2.
+
+   The term "SHA-2" is not officially defined, but is usually used to
+   refer to the collection of the algorithms SHA-224, SHA-256, SHA-384
+   and SHA-512.  Since SHA-224 and SHA-384 are not used in DNSSEC, SHA-2
+   will only refer to SHA-256 and SHA-512 in this document.
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in [RFC2119].
+
+
+2.  DNSKEY Resource Records
+
+   The format of the DNSKEY RR can be found in RFC 4034 [RFC4034].  RFC
+   3110 [RFC3110] describes the use of RSA/SHA-1 for DNSSEC signatures.
+
+2.1.  RSA/SHA-256 DNSKEY Resource Records
+
+   RSA public keys for use with RSA/SHA-256 are stored in DNSKEY
+   resource records (RRs) with the algorithm number {TBA1}.
+
+   For interoperability, as in RFC 3110 [RFC3110], the key size of RSA/
+   SHA-256 keys MUST NOT be less than 512 bits, and MUST NOT be more
+   than 4096 bits.
+
+
+
+
+Jansen                  Expires October 26, 2009                [Page 3]
+
+Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
+
+
+2.2.  RSA/SHA-512 DNSKEY Resource Records
+
+   RSA public keys for use with RSA/SHA-512 are stored in DNSKEY
+   resource records (RRs) with the algorithm number {TBA2}.
+
+   The key size of RSA/SHA-512 keys MUST NOT be less than 1024 bits, and
+   MUST NOT be more than 4096 bits.
+
+
+3.  RRSIG Resource Records
+
+   The value of the signature field in the RRSIG RR follows the RSASSA-
+   PKCS1-v1_5 signature scheme, and is calculated as follows.  The
+   values for the RDATA fields that precede the signature data are
+   specified in RFC 4034 [RFC4034].
+
+   hash = SHA-XXX(data)
+
+   Here XXX is either 256 or 512, depending on the algorithm used, as
+   specified in FIPS PUB 180-3 [FIPS.180-3.2008], and "data" is the wire
+   format data of the resource record set that is signed, as specified
+   in RFC 4034 [RFC4034].
+
+   signature = ( 00 | 01 | FF* | 00 | prefix | hash ) ** e (mod n)
+
+   Here "|" is concatenation, "00", "01", "FF" and "00" are fixed octets
+   of corresponding hexadecimal value, "e" is the private exponent of
+   the signing RSA key, and "n" is the public modulus of the signing
+   key.  The FF octet MUST be repeated the exact number of times so that
+   the total length of the concatenated term in parentheses equals the
+   length of the modulus of the signer's public key ("n").
+
+   The "prefix" is intended to make the use of standard cryptographic
+   libraries easier.  These specifications are taken directly from the
+   specifications of RSASSA-PKCS1-v1_5 in PKCS #1 v2.1 section 8.2
+   [RFC3447], and EMSA-PKCS1-v1_5 encoding in PKCS #1 v2.1 section 9.2
+   [RFC3447].  The prefixes for the different algorithms are specified
+   below.
+
+3.1.  RSA/SHA-256 RRSIG Resource Records
+
+   RSA/SHA-256 signatures are stored in the DNS using RRSIG resource
+   records (RRs) with algorithm number {TBA1}.
+
+   The prefix is the ASN.1 DER SHA-256 algorithm designator prefix as
+   specified in PKCS #1 v2.1 [RFC3447]:
+
+   hex 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20
+
+
+
+Jansen                  Expires October 26, 2009                [Page 4]
+
+Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
+
+
+3.2.  RSA/SHA-512 RRSIG Resource Records
+
+   RSA/SHA-512 signatures are stored in the DNS using RRSIG resource
+   records (RRs) with algorithm number {TBA2}.
+
+   The prefix is the ASN.1 DER SHA-512 algorithm designator prefix as
+   specified in PKCS #1 v2.1 [RFC3447]:
+
+   hex 30 51 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 00 04 40
+
+
+4.  Deployment Considerations
+
+4.1.  Key Sizes
+
+   Apart from the restrictions in section 2, this document will not
+   specify what size of keys to use.  That is an operational issue and
+   depends largely on the environment and intended use.  A good starting
+   point for more information would be NIST SP 800-57 [NIST800-57].
+
+4.2.  Signature Sizes
+
+   In this family of signing algorithms, the size of signatures is
+   related to the size of the key, and not the hashing algorithm used in
+   the signing process.  Therefore, RRSIG resource records produced with
+   RSA/SHA-256 or RSA/SHA-512 will have the same size as those produced
+   with RSA/SHA-1, if the keys have the same length.
+
+
+5.  Implementation Considerations
+
+5.1.  Support for SHA-2 signatures
+
+   DNSSEC aware implementations SHOULD be able to support RRSIG and
+   DNSKEY resource records created with the RSA/SHA-2 algorithms as
+   defined in this document.
+
+5.2.  Support for NSEC3 Denial of Existence
+
+   RFC 5155 [RFC5155] defines new algorithm identifiers for existing
+   signing algorithms, to indicate that zones signed with these
+   algorithm identifiers can use NSEC3 as well as NSEC records to
+   provide denial of existence.  That mechanism was chosen to protect
+   implementations predating RFC5155 from encountering resource records
+   they could not know about.  This document does not define such
+   algorithm aliases.
+
+   A DNSSEC validator that implements RSA/SHA-2 MUST be able to validate
+
+
+
+Jansen                  Expires October 26, 2009                [Page 5]
+
+Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
+
+
+   both NSEC and NSEC3 [RFC5155] negative answers.  An authoritative
+   server that does not implement NSEC3 MAY still serve zones that use
+   RSA/SHA-2 with NSEC denial of existence.
+
+
+6.  Examples
+
+6.1.  RSA/SHA-256 Key and Signature
+
+   Given a private key with the following values (in Base64):
+
+   Private-key-format: v1.2
+   Algorithm:       8 (RSASHA256)
+   Modulus:         wVwaxrHF2CK64aYKRUibLiH30KpPuPBjel7E8ZydQW1HYWHfoGm
+                    idzC2RnhwCC293hCzw+TFR2nqn8OVSY5t2Q==
+   PublicExponent:  AQAB
+   PrivateExponent: UR44xX6zB3eaeyvTRzmskHADrPCmPWnr8dxsNwiDGHzrMKLN+i/
+                    HAam+97HxIKVWNDH2ba9Mf1SA8xu9dcHZAQ==
+   Prime1:          4c8IvFu1AVXGWeFLLFh5vs7fbdzdC6U82fduE6KkSWk=
+   Prime2:          2zZpBE8ZXVnL74QjG4zINlDfH+EOEtjJJ3RtaYDugvE=
+   Exponent1:       G2xAPFfK0KGxGANDVNxd1K1c9wOmmJ51mGbzKFFNMFk=
+   Exponent2:       GYxP1Pa7CAwtHm8SAGX594qZVofOMhgd6YFCNyeVpKE=
+   Coefficient:     icQdNRjlZGPmuJm2TIadubcO8X7V4y07aVhX464tx8Q=
+
+   The DNSKEY record for this key would be:
+
+   example.net.     3600  IN  DNSKEY  (256 3 8 AwEAAcFcGsaxxdgiuuGmCkVI
+                    my4h99CqT7jwY3pexPGcnUFtR2Fh36BponcwtkZ4cAgtvd4Qs8P
+                    kxUdp6p/DlUmObdk= );{id = 9033 (zsk), size = 512b}
+
+   With this key, sign the following RRSet, consisting of 1 A record:
+
+   www.example.net. 3600  IN  A  123.123.123.123
+
+   If the inception date is set at 00:00 hours on January 1st, 2000, and
+   the expiration date at 00:00 hours on January 1st, 2030, the
+   following signature should be created:
+
+   www.example.net. 3600  IN  RRSIG  (A 8 3 3600 20300101000000
+                    20000101000000 9033 example.net. KWgSIg3khRfyrHmtJU
+                    5pzpsANyy27+HOZ6waMQ5kV690ljVmbHmGc8ULOfXw3aWmP0wJB
+                    ND/TQhjCvrb3T9ffQ== );{id = 9033}
+
+6.2.  RSA/SHA-512 Key and Signature
+
+   Given a private key with the following values (in Base64):
+
+
+
+
+
+Jansen                  Expires October 26, 2009                [Page 6]
+
+Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
+
+
+   Private-key-format: v1.2
+   Algorithm:       9 (RSASHA512)
+   Modulus:         8Du9YHEwFNjO5iG9jrrNyKwRs5mAzJgXBrjbA49R/ESWJKw6eHH
+                    XfZaxnP+gVhZBDmqwND/SFwrEkN5LyH3HZ+/d/ECW+vT8Lxprqf
+                    haTfxQkV4OFjw/ikuTcBMoUIYfhO1NVPBcH1mWh34DWmu6eedzH
+                    IbdeNZnIkWSv4muchs=
+   PublicExponent:  AQAB
+   PrivateExponent: sRm5YLHQ2m2DCdDx55j7P+bqHdcaRroQr5nzi8pKjIkbjumRKV3
+                    zmNhRFAa3cv9w8mnggIRUIzyC8LGQeLuRFjbv6uXDzoPX2O321j
+                    PlTUOwCYMTVnbkZUem6c+7iRd2v5zNNe9uiXex6T8CDXyhQhqYb
+                    8q2AajPrTlRzv6uW8E=
+   Prime1:          +DPVg2OlfYqcNlm67T42608gjyqWFdVc0UtDDDBo+ABWavqp+Yk
+                    Fb/z/Ig+iBE901Q8RWdqVLND3PtGwWipIyw==
+   Prime2:          98fQbOaWH3D/WFhnu47f1qOgaob/ss3FQ12QbUdRDpgfmdryHH7
+                    j1UGR2Xs0aRPwBASXYhgtamXtxLorXIFh8Q==
+   Exponent1:       j0UsbGlqr6sBPQZStnuBLBdCziFg/T1qFI4DJ9gR34YiXCJRV29
+                    Wqiw6AalQdnh/EjVeaKWaEoKVFbfoukNKPQ==
+   Exponent2:       4YTy9ftVjd5p+f3UxEgBATnCatLebd6NeYfySRQM+YyJzp4RmNA
+                    BC/t3BQv3IuBrpyyKoFTDGUEWjOSpTLPR8Q==
+   Coefficient:     BpIAEwh5rlw9M8FpGHjpF5TxSdhCjnA8NT0tB+MB/k0msceyBbx
+                    avjzJXTi/QPk9PIO8Wv6eCzMQEM0QDZO53Q==
+
+   The DNSKEY record for this key would be:
+
+   example.net.    3600  IN  DNSKEY  (256 3 9 AwEAAfA7vWBxMBTYzuYhvY66z
+                   cisEbOZgMyYFwa42wOPUfxEliSsOnhx132WsZz/oFYWQQ5qsDQ/0
+                   hcKxJDeS8h9x2fv3fxAlvr0/C8aa6n4Wk38UJFeDhY8P4pLk3ATK
+                   FCGH4TtTVTwXB9Zlod+A1prunnncxyG3XjWZyJFkr+JrnIb
+                   );{id = 28237 (zsk), size = 1024b}
+
+   With this key, sign the following RRSet, consisting of 1 A record:
+
+   www.example.net. 3600  IN  A  123.123.123.123
+
+   If the inception date is set at 00:00 hours on January 1st, 2000, and
+   the expiration date at 00:00 hours on January 1st, 2030, the
+   following signature should be created:
+
+   www.example.net. 3600  IN  RRSIG  (A 9 3 3600 20300101000000
+                    20000101000000 28237 example.net. mCanSdkQztEUOmslG
+                    z7VvfkKPMp4ftz3K1PTf2jdla4vUu/tRE585xymurMB+wXhrFcK
+                    dhm0egnPq8X/gmm0cmui/GQwFT5hmP5bL1ETuQsM3HOu3j9E3tq
+                    4sFWIsUv3N6ohpYEbhj5jk0b/01EMUPM9y5rLzFHmYYujzKQwqu
+                    M= );{id = 28237}
+
+
+
+
+
+
+
+Jansen                  Expires October 26, 2009                [Page 7]
+
+Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
+
+
+7.  IANA Considerations
+
+   This document updates the IANA registry "DNS SECURITY ALGORITHM
+   NUMBERS -- per [RFC4035] "
+   (http://www.iana.org/assignments/dns-sec-alg-numbers).  The following
+   entries are added to the registry:
+
+                                           Zone  Trans.
+  Value   Description       Mnemonic    Signing    Sec.   References
+ {TBA1}   RSA/SHA-256      RSASHA256          y      *   {this memo}
+ {TBA2}   RSA/SHA-512      RSASHA512          y      *   {this memo}
+
+ * There has been no determination of standardization of the use of this
+   algorithm with Transaction Security.
+
+
+8.  Security Considerations
+
+8.1.  SHA-1 versus SHA-2 Considerations for RRSIG Resource Records
+
+   Users of DNSSEC are encouraged to deploy SHA-2 as soon as software
+   implementations allow for it.  SHA-2 is widely believed to be more
+   resilient to attack than SHA-1, and confidence in SHA-1's strength is
+   being eroded by recently-announced attacks.  Regardless of whether or
+   not the attacks on SHA-1 will affect DNSSEC, it is believed (at the
+   time of this writing) that SHA-2 is the better choice for use in
+   DNSSEC records.
+
+   SHA-2 is considered sufficiently strong for the immediate future, but
+   predictions about future development in cryptography and
+   cryptanalysis are beyond the scope of this document.
+
+   The signature scheme RSASSA-PKCS1-v1_5 is chosen to match the one
+   used for RSA/SHA-1 signatures.  This should ease implementation of
+   the new hashing algorithms in DNSSEC software.
+
+8.2.  Signature Type Downgrade Attacks
+
+   Since each RRSet MUST be signed with each algorithm present in the
+   DNSKEY RRSet at the zone apex (see [RFC4035] Section 2.2), a
+   malicious party cannot filter out the RSA/SHA-2 RRSIG, and force the
+   validator to use the RSA/SHA-1 signature if both are present in the
+   zone.  This should provide resilience against algorithm downgrade
+   attacks, if the validator supports RSA/SHA-2.
+
+
+
+
+
+
+
+Jansen                  Expires October 26, 2009                [Page 8]
+
+Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
+
+
+9.  Acknowledgments
+
+   This document is a minor extension to RFC 4034 [RFC4034].  Also, we
+   try to follow the documents RFC 3110 [RFC3110] and RFC 4509 [RFC4509]
+   for consistency.  The authors of and contributors to these documents
+   are gratefully acknowledged for their hard work.
+
+   The following people provided additional feedback and text: Jaap
+   Akkerhuis, Mark Andrews, Roy Arends, Rob Austein, Francis Dupont,
+   Miek Gieben, Alfred Hoenes, Paul Hoffman, Peter Koch, Michael St.
+   Johns, Scott Rose and Wouter Wijngaards.
+
+
+10.  References
+
+10.1.  Normative References
+
+   [FIPS.180-3.2008]
+              National Institute of Standards and Technology, "Secure
+              Hash Standard", FIPS PUB 180-3, October 2008.
+
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", RFC 2119, March 1997.
+
+   [RFC3110]  Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain
+              Name System (DNS)", RFC 3110, May 2001.
+
+   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "DNS Security Introduction and Requirements",
+              RFC 4033, March 2005.
+
+   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "Resource Records for the DNS Security Extensions",
+              RFC 4034, March 2005.
+
+   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "Protocol Modifications for the DNS Security
+              Extensions", RFC 4035, March 2005.
+
+10.2.  Informative References
+
+   [NIST800-57]
+              Barker, E., Barker, W., Burr, W., Polk, W., and M. Smid,
+              "Recommendations for Key Management", NIST SP 800-57,
+              March 2007.
+
+   [RFC3447]  Jonsson, J. and B. Kaliski, "Public-Key Cryptography
+              Standards (PKCS) #1: RSA Cryptography Specifications
+
+
+
+Jansen                  Expires October 26, 2009                [Page 9]
+
+Internet-Draft              DNSSEC RSA/SHA-2                  April 2009
+
+
+              Version 2.1", RFC 3447, February 2003.
+
+   [RFC4509]  Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer
+              (DS) Resource Records (RRs)", RFC 4509, May 2006.
+
+   [RFC5155]  Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
+              Security (DNSSEC) Hashed Authenticated Denial of
+              Existence", RFC 5155, March 2008.
+
+
+Author's Address
+
+   Jelte Jansen
+   NLnet Labs
+   Kruislaan 419
+   Amsterdam  1098VA
+   NL
+
+   Email: jelte@NLnetLabs.nl
+   URI:   http://www.nlnetlabs.nl/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jansen                  Expires October 26, 2009               [Page 10]
+
diff --git a/doc/draft/draft-ietf-dnsext-tsig-md5-deprecated-03.txt b/doc/draft/draft-ietf-dnsext-tsig-md5-deprecated-03.txt
new file mode 100644
index 00000000..72d38aa2
--- /dev/null
+++ b/doc/draft/draft-ietf-dnsext-tsig-md5-deprecated-03.txt
@@ -0,0 +1,336 @@
+
+
+
+DNSext Working Group                                           F. Dupont
+Internet-Draft                                                       ISC
+Updates: 2845,2930,4635                                      May 8, 2009
+(if approved)
+Intended status: Standards Track
+Expires: November 9, 2009
+
+
+     Deprecation of HMAC-MD5 in DNS TSIG and TKEY Resource Records
+              draft-ietf-dnsext-tsig-md5-deprecated-03.txt
+
+Status of this Memo
+
+   This Internet-Draft is submitted to IETF in full conformance with the
+   provisions of BCP 78 and BCP 79.  This document may contain material
+   from IETF Documents or IETF Contributions published or made publicly
+   available before November 10, 2008.  The person(s) controlling the
+   copyright in some of this material may not have granted the IETF
+   Trust the right to allow modifications of such material outside the
+   IETF Standards Process.  Without obtaining an adequate license from
+   the person(s) controlling the copyright in such materials, this
+   document may not be modified outside the IETF Standards Process, and
+   derivative works of it may not be created outside the IETF Standards
+   Process, except to format it for publication as an RFC or to
+   translate it into languages other than English.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF), its areas, and its working groups.  Note that
+   other groups may also distribute working documents as Internet-
+   Drafts.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   The list of current Internet-Drafts can be accessed at
+   http://www.ietf.org/ietf/1id-abstracts.txt.
+
+   The list of Internet-Draft Shadow Directories can be accessed at
+   http://www.ietf.org/shadow.html.
+
+   This Internet-Draft will expire on November 9, 2009.
+
+Copyright Notice
+
+   Copyright (c) 2009 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+
+
+Dupont                  Expires November 9, 2009                [Page 1]
+
+Internet-Draft        Deprecating HMAC-MD5 in TSIG              May 2009
+
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents in effect on the date of
+   publication of this document (http://trustee.ietf.org/license-info).
+   Please review these documents carefully, as they describe your rights
+   and restrictions with respect to this document.
+
+Abstract
+
+   The main purpose of this document is to deprecate the use of HMAC-MD5
+   as an algorithm for the TSIG (secret key transaction authentication)
+   resource record in the DNS (domain name system), and the use of MD5
+   in TKEY (secret key establishment for DNS).
+
+
+1.  Introduction
+
+   The secret key transaction authentication for DNS (TSIG, [RFC2845])
+   was defined with the HMAC-MD5 [RFC2104] cryptographic algorithm.
+   When the MD5 [RFC1321] security came to be considered lower than
+   expected, [RFC4635] standardized new TSIG algorithms based on SHA
+   [RFC3174][RFC3874][RFC4634] digests.
+
+   But [RFC4635] did not deprecate the HMAC-MD5 algorithm.  This
+   document is targeted to complete the process, in detail:
+   1.  Mark HMAC-MD5.SIG-ALG.REG.INT as optional in the TSIG algorithm
+       name registry managed by the IANA under the IETF Review Policy
+       [RFC5226]
+   2.  Make HMAC-MD5.SIG-ALG.REG.INT support "not Mandatory" for
+       implementations
+   3.  Provide a keying material derivation for the secret key
+       establishment for DNS (TKEY, [RFC2930]) using a Diffie-Hellman
+       exchange with SHA256 [RFC4634] in place of MD5 [RFC1321]
+   4.  Finally recommend the use of HMAC-SHA256.
+
+   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+   document are to be interpreted as described in [RFC2119].
+
+
+2.  Implementation Requirements
+
+   The table of section 3 of [RFC4635] is replaced by:
+
+
+
+
+
+
+
+
+
+Dupont                  Expires November 9, 2009                [Page 2]
+
+Internet-Draft        Deprecating HMAC-MD5 in TSIG              May 2009
+
+
+             +-------------------+--------------------------+
+             | Requirement Level | Algorithm Name           |
+             +-------------------+--------------------------+
+             | Optional          | HMAC-MD5.SIG-ALG.REG.INT |
+             | Optional          | gss-tsig                 |
+             | Mandatory         | hmac-sha1                |
+             | Optional          | hmac-sha224              |
+             | Mandatory         | hmac-sha256              |
+             | Optional          | hmac-sha384              |
+             | Optional          | hmac-sha512              |
+             +-------------------+--------------------------+
+
+   Implementations that support TSIG MUST also implement HMAC-SHA1 and
+   HMAC-SHA256 (i.e., algorithms at the "Mandatory" requirement level)
+   and MAY implement GSS-TSIG and the other algorithms listed above
+   (i.e., algorithms at a "not Mandatory" requirement level).
+
+
+3.  TKEY keying material derivation
+
+   When the TKEY [RFC2930] uses a Diffie-Hellman exchange, the keying
+   material is derived from the shared secret and TKEY resource record
+   data using MD5 [RFC1321] at the end of section 4.1 page 9.
+
+   This is amended into:
+
+         keying material =
+              XOR ( DH value, SHA256 ( query data | DH value ) |
+                              SHA256 ( server data | DH value ) )
+
+   using the same conventions.
+
+
+4.  IANA Consideration
+
+   This document extends the "TSIG Algorithm Names - per [] and
+   [RFC2845]" located at
+   http://www.iana.org/assignments/tsig-algorithm-names by adding a new
+   column to the registry "Compliance Requirement".
+
+   The registry should contain the following:
+
+
+
+
+
+
+
+
+
+
+Dupont                  Expires November 9, 2009                [Page 3]
+
+Internet-Draft        Deprecating HMAC-MD5 in TSIG              May 2009
+
+
+    +--------------------------+------------------------+-------------+
+    | Algorithm Name           | Compliance Requirement | Reference   |
+    +--------------------------+------------------------+-------------+
+    | gss-tsig                 | Optional               | [RFC3645]   |
+    | HMAC-MD5.SIG-ALG.REG.INT | Optional               | [][RFC2845] |
+    | hmac-sha1                | Mandatory              | [RFC4635]   |
+    | hmac-sha224              | Optional               | [RFC4635]   |
+    | hmac-sha256              | Mandatory              | [RFC4635]   |
+    | hmac-sha384              | Optional               | [RFC4635]   |
+    | hmac-sha512              | Optional               | [RFC4635]   |
+    +--------------------------+------------------------+-------------+
+
+   where [] is this document.
+
+
+5.  Availability Considerations
+
+   MD5 is no longer universally available and its use may lead to
+   increasing operation issues.  SHA1 is likely to suffer from the same
+   kind of problem.  In summary MD5 has reached end-of-life and SHA1
+   will likely follow in the near term.
+
+   According to [RFC4635], implementations which support TSIG are
+   REQUIRED to implement HMAC-SHA256.
+
+
+6.  Security Considerations
+
+   This document does not assume anything about the cryptographic
+   security of different hash algorithms.  Its purpose is a better
+   availability of some security mechanisms in a predictable time frame.
+
+   Requirement levels are adjusted for TSIG and related specifications
+   (i.e., TKEY):
+      The support of HMAC-MD5 is changed from mandatory to optional.
+      The use of MD5 and HMAC-MD5 is NOT RECOMMENDED.
+      The use of HMAC-SHA256 is RECOMMENDED.
+
+
+7.  Acknowledgments
+
+   Olafur Gudmundsson kindly helped in the procedure to deprecate the
+   MD5 use in TSIG, i.e., the procedure which led to this memo.  Alfred
+   Hoenes, Peter Koch, Paul Hoffman and Edward Lewis proposed some
+   improvements.
+
+
+8.  References
+
+
+
+Dupont                  Expires November 9, 2009                [Page 4]
+
+Internet-Draft        Deprecating HMAC-MD5 in TSIG              May 2009
+
+
+8.1.  Normative References
+
+   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
+              Requirement Levels", RFC 2119, BCP 14, March 1997.
+
+   [RFC2845]  Vixie, P., Gudmundsson, O., Eastlake, D., and B.
+              Wellington, "Secret Key Transaction Authentication for DNS
+              (TSIG)", RFC 2845, May 2000.
+
+   [RFC2930]  Eastlake, D., "Secret Key Establishment for DNS (TKEY
+              RR)", RFC 2930, September 2000.
+
+   [RFC4635]  Eastlake, D., "HMAC SHA TSIG Algorithm Identifiers",
+              RFC 4635, August 2006.
+
+8.2.  Informative References
+
+   [RFC1321]  Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
+              April 1992.
+
+   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
+              Hashing for Message Authentication", RFC 2104,
+              February 1997.
+
+   [RFC3174]  Eastlake, D. and P. Jones, "US Secure Hash Algorithm 1
+              (SHA1)", RFC 3174, September 2001.
+
+   [RFC3645]  Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead, J.,
+              and R. Hall, "Generic Security Service Algorithm for
+              Secret Key Transaction Authentication for DNS (GSS-TSIG)",
+              RFC 3645, October 2003.
+
+   [RFC3874]  Housley, R., "A 224-bit One-way Hash Function: SHA-224",
+              RFC 3874, September 2004.
+
+   [RFC4634]  Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
+              (SHA and HMAC-SHA)", RFC 4634, July 2006.
+
+   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
+              IANA Considerations Section in RFCs", RFC 5226, BCP 26,
+              May 2008.
+
+
+
+
+
+
+
+
+
+
+Dupont                  Expires November 9, 2009                [Page 5]
+
+Internet-Draft        Deprecating HMAC-MD5 in TSIG              May 2009
+
+
+Author's Address
+
+   Francis Dupont
+   ISC
+
+   Email: Francis.Dupont@fdupont.fr
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dupont                  Expires November 9, 2009                [Page 6]
+
diff --git a/doc/draft/draft-ietf-dnsop-name-server-management-reqs-01.txt b/doc/draft/draft-ietf-dnsop-name-server-management-reqs-02.txt
index 8298bb25..f64e8dd5 100644
--- a/doc/draft/draft-ietf-dnsop-name-server-management-reqs-01.txt
+++ b/doc/draft/draft-ietf-dnsop-name-server-management-reqs-02.txt
@@ -3,19 +3,17 @@
 
 DNSOP                                                        W. Hardaker
 Internet-Draft                                              Sparta, Inc.
-Intended status: Informational                         September 3, 2008
-Expires: March 7, 2009
+Intended status: Informational                         February 12, 2009
+Expires: August 16, 2009
 
 
         Requirements for Management of Name Servers for the DNS
-          draft-ietf-dnsop-name-server-management-reqs-01.txt
+          draft-ietf-dnsop-name-server-management-reqs-02.txt
 
 Status of this Memo
 
-   By submitting this Internet-Draft, each author represents that any
-   applicable patent or other IPR claims of which he or she is aware
-   have been or will be disclosed, and any of which he or she becomes
-   aware will be disclosed, in accordance with Section 6 of BCP 79.
+   This Internet-Draft is submitted to IETF in full conformance with the
+   provisions of BCP 78 and BCP 79.
 
    Internet-Drafts are working documents of the Internet Engineering
    Task Force (IETF), its areas, and its working groups.  Note that
@@ -33,12 +31,32 @@ Status of this Memo
    The list of Internet-Draft Shadow Directories can be accessed at
    http://www.ietf.org/shadow.html.
 
-   This Internet-Draft will expire on March 7, 2009.
+   This Internet-Draft will expire on August 16, 2009.
+
+Copyright Notice
+
+   Copyright (c) 2009 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents
+   (http://trustee.ietf.org/license-info) in effect on the date of
+   publication of this document.  Please review these documents
+   carefully, as they describe your rights and restrictions with respect
+   to this document.
 
 Abstract
 
    Management of name servers for the Domain Name Service (DNS) has
    traditionally been done using vendor-specific monitoring,
+
+
+
+Hardaker                 Expires August 16, 2009                [Page 1]
+
+Internet-Draft     Name Server Management Requirements     February 2009
+
+
    configuration and control methods.  Although some service monitoring
    platforms can test the functionality of the DNS itself there is not a
    interoperable way to manage (monitor, control and configure) the
@@ -49,14 +67,6 @@ Abstract
    the DNS can use this document as a shopping list of needed features.
 
 
-
-
-
-Hardaker                  Expires March 7, 2009                 [Page 1]
-
-Internet-Draft     Name Server Management Requirements    September 2008
-
-
 Table of Contents
 
    1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
@@ -94,7 +104,15 @@ Table of Contents
      5.1.  Extensibility  . . . . . . . . . . . . . . . . . . . . . . 12
        5.1.1.  Vendor Extensions  . . . . . . . . . . . . . . . . . . 13
        5.1.2.  Extension Identification . . . . . . . . . . . . . . . 13
-       5.1.3.  Namespace Collision Protection . . . . . . . . . . . . 13
+       5.1.3.  Name-Space Collision Protection  . . . . . . . . . . . 13
+
+
+
+Hardaker                 Expires August 16, 2009                [Page 2]
+
+Internet-Draft     Name Server Management Requirements     February 2009
+
+
    6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 13
    7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 13
    8.  Document History . . . . . . . . . . . . . . . . . . . . . . . 13
@@ -105,22 +123,8 @@ Table of Contents
    Appendix A.  Deployment Scenarios  . . . . . . . . . . . . . . . . 15
      A.1.  Non-Standard Zones . . . . . . . . . . . . . . . . . . . . 16
      A.2.  Redundancy Sharing . . . . . . . . . . . . . . . . . . . . 16
-
-
-
-Hardaker                  Expires March 7, 2009                 [Page 2]
-
-Internet-Draft     Name Server Management Requirements    September 2008
-
-
      A.3.  DNSSEC Management  . . . . . . . . . . . . . . . . . . . . 16
    Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 17
-   Intellectual Property and Copyright Statements . . . . . . . . . . 18
-
-
-
-
-
 
 
 
@@ -160,13 +164,9 @@ Internet-Draft     Name Server Management Requirements    September 2008
 
 
 
-
-
-
-
-Hardaker                  Expires March 7, 2009                 [Page 3]
+Hardaker                 Expires August 16, 2009                [Page 3]
 
-Internet-Draft     Name Server Management Requirements    September 2008
+Internet-Draft     Name Server Management Requirements     February 2009
 
 
 1.  Introduction
@@ -220,9 +220,9 @@ Internet-Draft     Name Server Management Requirements    September 2008
 
 
 
-Hardaker                  Expires March 7, 2009                 [Page 4]
+Hardaker                 Expires August 16, 2009                [Page 4]
 
-Internet-Draft     Name Server Management Requirements    September 2008
+Internet-Draft     Name Server Management Requirements     February 2009
 
 
 1.1.1.  Terminology
@@ -276,9 +276,9 @@ Internet-Draft     Name Server Management Requirements    September 2008
 
 
 
-Hardaker                  Expires March 7, 2009                 [Page 5]
+Hardaker                 Expires August 16, 2009                [Page 5]
 
-Internet-Draft     Name Server Management Requirements    September 2008
+Internet-Draft     Name Server Management Requirements     February 2009
 
 
    Level Domains (TLDs)) as well as name servers that are serving a very
@@ -332,9 +332,9 @@ Internet-Draft     Name Server Management Requirements    September 2008
 
 
 
-Hardaker                  Expires March 7, 2009                 [Page 6]
+Hardaker                 Expires August 16, 2009                [Page 6]
 
-Internet-Draft     Name Server Management Requirements    September 2008
+Internet-Draft     Name Server Management Requirements     February 2009
 
 
    model is needed for of the operations discussion in Section 3.  Note
@@ -370,9 +370,8 @@ Internet-Draft     Name Server Management Requirements    September 2008
    might implement, as defined in section 2 of [RFC4033].  These sub-
    roles are also important to support within any management solution.
 
-   The requirements in this document explicitly exclude dealing with
-   management of stub resolvers.  Management of stub resolvers is
-   considered specifically out of scope of this document.
+   As stated earlier, the management of stub resolvers is considered out
+   of scope for this documents.
 
 
 3.  Management Operation Types
@@ -384,16 +383,15 @@ Internet-Draft     Name Server Management Requirements    September 2008
 
    o  Configuration
 
+   o  Health and Monitoring
 
 
 
 
-Hardaker                  Expires March 7, 2009                 [Page 7]
+Hardaker                 Expires August 16, 2009                [Page 7]
 
-Internet-Draft     Name Server Management Requirements    September 2008
-
+Internet-Draft     Name Server Management Requirements     February 2009
 
-   o  Health and Monitoring
 
    o  Alarms and Events
 
@@ -444,9 +442,11 @@ Internet-Draft     Name Server Management Requirements    September 2008
 
 
 
-Hardaker                  Expires March 7, 2009                 [Page 8]
+
+
+Hardaker                 Expires August 16, 2009                [Page 8]
 
-Internet-Draft     Name Server Management Requirements    September 2008
+Internet-Draft     Name Server Management Requirements     February 2009
 
 
 3.2.  Configuration Requirements
@@ -500,9 +500,9 @@ Internet-Draft     Name Server Management Requirements    September 2008
 
 
 
-Hardaker                  Expires March 7, 2009                 [Page 9]
+Hardaker                 Expires August 16, 2009                [Page 9]
 
-Internet-Draft     Name Server Management Requirements    September 2008
+Internet-Draft     Name Server Management Requirements     February 2009
 
 
    confuse this with the ability to manage the authorization associated
@@ -556,9 +556,9 @@ Internet-Draft     Name Server Management Requirements    September 2008
 
 
 
-Hardaker                  Expires March 7, 2009                [Page 10]
+Hardaker                 Expires August 16, 2009               [Page 10]
 
-Internet-Draft     Name Server Management Requirements    September 2008
+Internet-Draft     Name Server Management Requirements     February 2009
 
 
    management solution SHOULD include support for delivery of alarm
@@ -612,9 +612,9 @@ Internet-Draft     Name Server Management Requirements    September 2008
 
 
 
-Hardaker                  Expires March 7, 2009                [Page 11]
+Hardaker                 Expires August 16, 2009               [Page 11]
 
-Internet-Draft     Name Server Management Requirements    September 2008
+Internet-Draft     Name Server Management Requirements     February 2009
 
 
    completed system.  This authorization differs from the authorization
@@ -668,9 +668,9 @@ Internet-Draft     Name Server Management Requirements    September 2008
 
 
 
-Hardaker                  Expires March 7, 2009                [Page 12]
+Hardaker                 Expires August 16, 2009               [Page 12]
 
-Internet-Draft     Name Server Management Requirements    September 2008
+Internet-Draft     Name Server Management Requirements     February 2009
 
 
 5.1.1.  Vendor Extensions
@@ -689,7 +689,7 @@ Internet-Draft     Name Server Management Requirements    September 2008
    extension data without needing to understand the extension data
    itself.
 
-5.1.3.  Namespace Collision Protection
+5.1.3.  Name-Space Collision Protection
 
    It MUST be possible to protect against multiple extensions
    conflicting with each other.  The use of name-space protection
@@ -724,9 +724,9 @@ Internet-Draft     Name Server Management Requirements    September 2008
 
 
 
-Hardaker                  Expires March 7, 2009                [Page 13]
+Hardaker                 Expires August 16, 2009               [Page 13]
 
-Internet-Draft     Name Server Management Requirements    September 2008
+Internet-Draft     Name Server Management Requirements     February 2009
 
 
    compilation of the results of those discussions as well as
@@ -753,7 +753,7 @@ Internet-Draft     Name Server Management Requirements    September 2008
       Phil Regnauld
 
    Further editing contributions and wording suggestions were made by:
-   Alfred Hines.
+   Alfred Hoenes.
 
 
 10.  References
@@ -780,9 +780,9 @@ Internet-Draft     Name Server Management Requirements    September 2008
 
 
 
-Hardaker                  Expires March 7, 2009                [Page 14]
+Hardaker                 Expires August 16, 2009               [Page 14]
 
-Internet-Draft     Name Server Management Requirements    September 2008
+Internet-Draft     Name Server Management Requirements     February 2009
 
 
               Wellington, "Secret Key Transaction Authentication for DNS
@@ -836,9 +836,9 @@ Appendix A.  Deployment Scenarios
 
 
 
-Hardaker                  Expires March 7, 2009                [Page 15]
+Hardaker                 Expires August 16, 2009               [Page 15]
 
-Internet-Draft     Name Server Management Requirements    September 2008
+Internet-Draft     Name Server Management Requirements     February 2009
 
 
    guidance to protocol developers as data points of real-world name
@@ -847,7 +847,7 @@ Internet-Draft     Name Server Management Requirements    September 2008
 A.1.  Non-Standard Zones
 
    If an organization uses non-standard zones (for example a purely-
-   local TLD), synchronizing all the nameservers for these zones is
+   local TLD), synchronizing all the name servers for these zones is
    usually a time-consuming task.  It is made worse when two
    organizations with conflicting zones merge.  This situation is not a
    recommended deployment scenario (and is even heavily discouraged) but
@@ -892,9 +892,9 @@ A.3.  DNSSEC Management
 
 
 
-Hardaker                  Expires March 7, 2009                [Page 16]
+Hardaker                 Expires August 16, 2009               [Page 16]
 
-Internet-Draft     Name Server Management Requirements    September 2008
+Internet-Draft     Name Server Management Requirements     February 2009
 
 
    strategies.
@@ -948,61 +948,5 @@ Author's Address
 
 
 
-Hardaker                  Expires March 7, 2009                [Page 17]
-
-Internet-Draft     Name Server Management Requirements    September 2008
-
-
-Full Copyright Statement
-
-   Copyright (C) The IETF Trust (2008).
-
-   This document is subject to the rights, licenses and restrictions
-   contained in BCP 78, and except as set forth therein, the authors
-   retain all their rights.
-
-   This document and the information contained herein are provided on an
-   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
-   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
-   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
-   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
-   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
-   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Intellectual Property
-
-   The IETF takes no position regarding the validity or scope of any
-   Intellectual Property Rights or other rights that might be claimed to
-   pertain to the implementation or use of the technology described in
-   this document or the extent to which any license under such rights
-   might or might not be available; nor does it represent that it has
-   made any independent effort to identify any such rights.  Information
-   on the procedures with respect to rights in RFC documents can be
-   found in BCP 78 and BCP 79.
-
-   Copies of IPR disclosures made to the IETF Secretariat and any
-   assurances of licenses to be made available, or the result of an
-   attempt made to obtain a general license or permission for the use of
-   such proprietary rights by implementers or users of this
-   specification can be obtained from the IETF on-line IPR repository at
-   http://www.ietf.org/ipr.
-
-   The IETF invites any interested party to bring to its attention any
-   copyrights, patents or patent applications, or other proprietary
-   rights that may cover technology that may be required to implement
-   this standard.  Please address the information to the IETF at
-   ietf-ipr@ietf.org.
-
-
-
-
-
-
-
-
-
-
-
-Hardaker                  Expires March 7, 2009                [Page 18]
+Hardaker                 Expires August 16, 2009               [Page 17]
 
diff --git a/doc/misc/options b/doc/misc/options
index 3416a3b1..c3f2f84c 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -2,90 +2,36 @@
 This is a summary of the named.conf options supported by 
 this version of BIND 9.
 
-acl <string> { <address_match_element>; ... };
-
-controls {
-        inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | *
-            ) ] allow { <address_match_element>; ... } [ keys { <string>;
-            ... } ];
-        unix <quoted_string> perm <integer> owner <integer> group <integer>
-            [ keys { <string>; ... } ];
-};
-
-dlz <string> {
-        database <string>;
-};
-
-key <string> {
-        algorithm <string>;
-        secret <string>;
-};
-
-logging {
-        category <string> { <string>; ... };
-        channel <string> {
-                file <quoted_string> [ versions ( "unlimited" | <integer> )
-                    ] [ size <size> ];
-                null;
-                print-category <boolean>;
-                print-severity <boolean>;
-                print-time <boolean>;
-                severity <log_severity>;
-                stderr;
-                syslog <optional_facility>;
-        };
-};
-
-lwres {
-        listen-on [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
-            [ port <integer> ]; ... };
-        ndots <integer>;
-        search { <string>; ... };
-        view <string> <optional_class>;
-};
-
-masters <string> [ port <integer> ] { ( <masters> | <ipv4_address> [ port
-    <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
-
 options {
         acache-cleaning-interval <integer>;
         acache-enable <boolean>;
         additional-from-auth <boolean>;
         additional-from-cache <boolean>;
-        allow-notify { <address_match_element>; ... };
-        allow-query { <address_match_element>; ... };
         allow-query-cache { <address_match_element>; ... };
         allow-query-cache-on { <address_match_element>; ... };
-        allow-query-on { <address_match_element>; ... };
         allow-recursion { <address_match_element>; ... };
         allow-recursion-on { <address_match_element>; ... };
-        allow-transfer { <address_match_element>; ... };
-        allow-update { <address_match_element>; ... };
-        allow-update-forwarding { <address_match_element>; ... };
         allow-v6-synthesis { <address_match_element>; ... }; // obsolete
-        also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address>
-            ) [ port <integer> ]; ... };
-        alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
-            * ) ];
+        attach-cache <string>;
         auth-nxdomain <boolean>; // default changed
         avoid-v4-udp-ports { <portrange>; ... };
         avoid-v6-udp-ports { <portrange>; ... };
+        bindkeys-file <quoted_string>;
         blackhole { <address_match_element>; ... };
         cache-file <quoted_string>;
-        check-integrity <boolean>;
-        check-mx ( fail | warn | ignore );
-        check-mx-cname ( fail | warn | ignore );
         check-names ( master | slave | response ) ( fail | warn | ignore );
-        check-sibling <boolean>;
-        check-srv-cname ( fail | warn | ignore );
-        check-wildcard <boolean>;
         cleaning-interval <integer>;
         clients-per-query <integer>;
         coresize <size>;
         datasize <size>;
+        ddns-keyalg <string>;
+        ddns-keyfile ( <quoted_string> | none );
+        ddns-keyname <string>;
         deallocate-on-exit <boolean>; // obsolete
-        dialup <dialuptype>;
+        deny-answer-addresses { <address_match_element>; ... } [
+            except-from { <quoted_string>; ... } ];
+        deny-answer-aliases { <quoted_string>; ... } [ except-from {
+            <quoted_string>; ... } ];
         directory <quoted_string>;
         disable-algorithms <string> { <string>; ... };
         disable-empty-zone <string>;
@@ -106,9 +52,6 @@ options {
         fetch-glue <boolean>; // obsolete
         files <size>;
         flush-zones-on-shutdown <boolean>;
-        forward ( first | only );
-        forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
-            [ port <integer> ]; ... };
         has-old-clients <boolean>; // obsolete
         heartbeat-interval <integer>;
         host-statistics <boolean>; // not implemented
@@ -116,42 +59,22 @@ options {
         hostname ( <quoted_string> | none );
         interface-interval <integer>;
         ixfr-from-differences <ixfrdiff>;
-        key-directory <quoted_string>;
         lame-ttl <integer>;
         listen-on [ port <integer> ] { <address_match_element>; ... };
         listen-on-v6 [ port <integer> ] { <address_match_element>; ... };
-        maintain-ixfr-base <boolean>; // obsolete
-        masterfile-format ( text | raw );
         match-mapped-addresses <boolean>;
         max-acache-size <size_no_default>;
         max-cache-size <size_no_default>;
         max-cache-ttl <integer>;
         max-clients-per-query <integer>;
-        max-ixfr-log-size <size>; // obsolete
-        max-journal-size <size_no_default>;
         max-ncache-ttl <integer>;
-        max-refresh-time <integer>;
-        max-retry-time <integer>;
-        max-transfer-idle-in <integer>;
-        max-transfer-idle-out <integer>;
-        max-transfer-time-in <integer>;
-        max-transfer-time-out <integer>;
         max-udp-size <integer>;
         memstatistics <boolean>;
         memstatistics-file <quoted_string>;
-        min-refresh-time <integer>;
-        min-retry-time <integer>;
         min-roots <integer>; // not implemented
         minimal-responses <boolean>;
-        multi-master <boolean>;
         multiple-cnames <boolean>; // obsolete
         named-xfer <quoted_string>; // obsolete
-        notify <notifytype>;
-        notify-delay <integer>;
-        notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
-        notify-to-soa <boolean>;
-        nsec3-test-zone <boolean>; // test only
         pid-file ( <quoted_string> | none );
         port <integer>;
         preferred-glue <string>;
@@ -170,368 +93,26 @@ options {
         reserved-sockets <integer>;
         rfc2308-type1 <boolean>; // not yet implemented
         root-delegation-only [ exclude { <quoted_string>; ... } ];
-        rrset-order { [ class <string> ] [ type <string> ] [ name
-            <quoted_string> ] <string> <string>; ... };
-        serial-queries <integer>; // obsolete
+        rrset-order { [ class <string> ] [ type <string> ] [
+            name <quoted_string> ] <string> <string>; ... };    
+               serial-queries <integer>; // obsolete
         serial-query-rate <integer>;
         server-id ( <quoted_string> | none |;
-        sig-signing-nodes <integer>;
-        sig-signing-signatures <integer>;
-        sig-signing-type <integer>;
-        sig-validity-interval <integer> [ <integer> ];
-        sortlist { <address_match_element>; ... };
         stacksize <size>;
         statistics-file <quoted_string>;
         statistics-interval <integer>; // not yet implemented
-        suppress-initial-notify <boolean>; // not yet implemented
         tcp-clients <integer>;
         tcp-listen-queue <integer>;
         tkey-dhkey <quoted_string> <integer>;
         tkey-domain <quoted_string>;
         tkey-gssapi-credential <quoted_string>;
-        topology { <address_match_element>; ... }; // not implemented
-        transfer-format ( many-answers | one-answer );
-        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
         transfers-in <integer>;
         transfers-out <integer>;
         transfers-per-ns <integer>;
         treat-cr-as-space <boolean>; // obsolete
-        try-tcp-refresh <boolean>;
-        update-check-ksk <boolean>;
-        use-alt-transfer-source <boolean>;
         use-id-pool <boolean>; // obsolete
         use-ixfr <boolean>;
-        use-queryport-pool <boolean>; // obsolete
         use-v4-udp-ports { <portrange>; ... };
         use-v6-udp-ports { <portrange>; ... };
         version ( <quoted_string> | none );
-        zero-no-soa-ttl <boolean>;
-        zero-no-soa-ttl-cache <boolean>;
-        zone-statistics <boolean>;
-};
-
-server <netprefix> {
-        bogus <boolean>;
-        edns <boolean>;
-        edns-udp-size <integer>;
-        keys <server_key>;
-        max-udp-size <integer>;
-        notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
-        provide-ixfr <boolean>;
-        query-source <querysource4>;
-        query-source-v6 <querysource6>;
-        request-ixfr <boolean>;
-        support-ixfr <boolean>; // obsolete
-        transfer-format ( many-answers | one-answer );
-        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
-        transfers <integer>;
-};
-
-statistics-channels {
-        inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | *
-            ) ] [ allow { <address_match_element>; ... } ];
-};
-
-trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... };
-
-view <string> <optional_class> {
-        acache-cleaning-interval <integer>;
-        acache-enable <boolean>;
-        additional-from-auth <boolean>;
-        additional-from-cache <boolean>;
-        allow-notify { <address_match_element>; ... };
-        allow-query { <address_match_element>; ... };
-        allow-query-cache { <address_match_element>; ... };
-        allow-query-cache-on { <address_match_element>; ... };
-        allow-query-on { <address_match_element>; ... };
-        allow-recursion { <address_match_element>; ... };
-        allow-recursion-on { <address_match_element>; ... };
-        allow-transfer { <address_match_element>; ... };
-        allow-update { <address_match_element>; ... };
-        allow-update-forwarding { <address_match_element>; ... };
-        allow-v6-synthesis { <address_match_element>; ... }; // obsolete
-        also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address>
-            ) [ port <integer> ]; ... };
-        alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
-            * ) ];
-        auth-nxdomain <boolean>; // default changed
-        cache-file <quoted_string>;
-        check-integrity <boolean>;
-        check-mx ( fail | warn | ignore );
-        check-mx-cname ( fail | warn | ignore );
-        check-names ( master | slave | response ) ( fail | warn | ignore );
-        check-sibling <boolean>;
-        check-srv-cname ( fail | warn | ignore );
-        check-wildcard <boolean>;
-        cleaning-interval <integer>;
-        clients-per-query <integer>;
-        database <string>;
-        dialup <dialuptype>;
-        disable-algorithms <string> { <string>; ... };
-        disable-empty-zone <string>;
-        dlz <string> {
-                database <string>;
-        };
-        dnssec-accept-expired <boolean>;
-        dnssec-enable <boolean>;
-        dnssec-lookaside <string> trust-anchor <string>;
-        dnssec-must-be-secure <string> <boolean>;
-        dnssec-validation <boolean>;
-        dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
-            <integer> ] | <ipv4_address> [ port <integer> ] |
-            <ipv6_address> [ port <integer> ] ); ... };
-        edns-udp-size <integer>;
-        empty-contact <string>;
-        empty-server <string>;
-        empty-zones-enable <boolean>;
-        fetch-glue <boolean>; // obsolete
-        forward ( first | only );
-        forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
-            [ port <integer> ]; ... };
-        ixfr-from-differences <ixfrdiff>;
-        key <string> {
-                algorithm <string>;
-                secret <string>;
-        };
-        key-directory <quoted_string>;
-        lame-ttl <integer>;
-        maintain-ixfr-base <boolean>; // obsolete
-        masterfile-format ( text | raw );
-        match-clients { <address_match_element>; ... };
-        match-destinations { <address_match_element>; ... };
-        match-recursive-only <boolean>;
-        max-acache-size <size_no_default>;
-        max-cache-size <size_no_default>;
-        max-cache-ttl <integer>;
-        max-clients-per-query <integer>;
-        max-ixfr-log-size <size>; // obsolete
-        max-journal-size <size_no_default>;
-        max-ncache-ttl <integer>;
-        max-refresh-time <integer>;
-        max-retry-time <integer>;
-        max-transfer-idle-in <integer>;
-        max-transfer-idle-out <integer>;
-        max-transfer-time-in <integer>;
-        max-transfer-time-out <integer>;
-        max-udp-size <integer>;
-        min-refresh-time <integer>;
-        min-retry-time <integer>;
-        min-roots <integer>; // not implemented
-        minimal-responses <boolean>;
-        multi-master <boolean>;
-        notify <notifytype>;
-        notify-delay <integer>;
-        notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
-        notify-to-soa <boolean>;
-        nsec3-test-zone <boolean>; // test only
-        preferred-glue <string>;
-        provide-ixfr <boolean>;
-        query-source <querysource4>;
-        query-source-v6 <querysource6>;
-        queryport-pool-ports <integer>; // obsolete
-        queryport-pool-updateinterval <integer>; // obsolete
-        recursion <boolean>;
-        request-ixfr <boolean>;
-        request-nsid <boolean>;
-        rfc2308-type1 <boolean>; // not yet implemented
-        root-delegation-only [ exclude { <quoted_string>; ... } ];
-        rrset-order { [ class <string> ] [ type <string> ] [ name
-            <quoted_string> ] <string> <string>; ... };
-        server <netprefix> {
-                bogus <boolean>;
-                edns <boolean>;
-                edns-udp-size <integer>;
-                keys <server_key>;
-                max-udp-size <integer>;
-                notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
-                    ) ];
-                notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
-                    | * ) ];
-                provide-ixfr <boolean>;
-                query-source <querysource4>;
-                query-source-v6 <querysource6>;
-                request-ixfr <boolean>;
-                support-ixfr <boolean>; // obsolete
-                transfer-format ( many-answers | one-answer );
-                transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
-                    * ) ];
-                transfer-source-v6 ( <ipv6_address> | * ) [ port (
-                    <integer> | * ) ];
-                transfers <integer>;
-        };
-        sig-signing-nodes <integer>;
-        sig-signing-signatures <integer>;
-        sig-signing-type <integer>;
-        sig-validity-interval <integer> [ <integer> ];
-        sortlist { <address_match_element>; ... };
-        suppress-initial-notify <boolean>; // not yet implemented
-        topology { <address_match_element>; ... }; // not implemented
-        transfer-format ( many-answers | one-answer );
-        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
-        trusted-keys { <string> <integer> <integer> <integer>
-            <quoted_string>; ... };
-        try-tcp-refresh <boolean>;
-        update-check-ksk <boolean>;
-        use-alt-transfer-source <boolean>;
-        use-queryport-pool <boolean>; // obsolete
-        zero-no-soa-ttl <boolean>;
-        zero-no-soa-ttl-cache <boolean>;
-        zone <string> <optional_class> {
-                allow-notify { <address_match_element>; ... };
-                allow-query { <address_match_element>; ... };
-                allow-query-on { <address_match_element>; ... };
-                allow-transfer { <address_match_element>; ... };
-                allow-update { <address_match_element>; ... };
-                allow-update-forwarding { <address_match_element>; ... };
-                also-notify [ port <integer> ] { ( <ipv4_address> |
-                    <ipv6_address> ) [ port <integer> ]; ... };
-                alt-transfer-source ( <ipv4_address> | * ) [ port (
-                    <integer> | * ) ];
-                alt-transfer-source-v6 ( <ipv6_address> | * ) [ port (
-                    <integer> | * ) ];
-                check-integrity <boolean>;
-                check-mx ( fail | warn | ignore );
-                check-mx-cname ( fail | warn | ignore );
-                check-names ( fail | warn | ignore );
-                check-sibling <boolean>;
-                check-srv-cname ( fail | warn | ignore );
-                check-wildcard <boolean>;
-                database <string>;
-                delegation-only <boolean>;
-                dialup <dialuptype>;
-                file <quoted_string>;
-                forward ( first | only );
-                forwarders [ port <integer> ] { ( <ipv4_address> |
-                    <ipv6_address> ) [ port <integer> ]; ... };
-                ixfr-base <quoted_string>; // obsolete
-                ixfr-from-differences <boolean>;
-                ixfr-tmp-file <quoted_string>; // obsolete
-                journal <quoted_string>;
-                key-directory <quoted_string>;
-                maintain-ixfr-base <boolean>; // obsolete
-                masterfile-format ( text | raw );
-                masters [ port <integer> ] { ( <masters> | <ipv4_address> [
-                    port <integer> ] | <ipv6_address> [ port <integer> ] )
-                    [ key <string> ]; ... };
-                max-ixfr-log-size <size>; // obsolete
-                max-journal-size <size_no_default>;
-                max-refresh-time <integer>;
-                max-retry-time <integer>;
-                max-transfer-idle-in <integer>;
-                max-transfer-idle-out <integer>;
-                max-transfer-time-in <integer>;
-                max-transfer-time-out <integer>;
-                min-refresh-time <integer>;
-                min-retry-time <integer>;
-                multi-master <boolean>;
-                notify <notifytype>;
-                notify-delay <integer>;
-                notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
-                    ) ];
-                notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
-                    | * ) ];
-                notify-to-soa <boolean>;
-                nsec3-test-zone <boolean>; // test only
-                pubkey <integer> <integer> <integer>
-                    <quoted_string>; // obsolete
-                sig-signing-nodes <integer>;
-                sig-signing-signatures <integer>;
-                sig-signing-type <integer>;
-                sig-validity-interval <integer> [ <integer> ];
-                transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
-                    * ) ];
-                transfer-source-v6 ( <ipv6_address> | * ) [ port (
-                    <integer> | * ) ];
-                try-tcp-refresh <boolean>;
-                type ( master | slave | stub | hint | forward |
-                    delegation-only );
-                update-check-ksk <boolean>;
-                update-policy { ( grant | deny ) <string> ( name |
-                    subdomain | wildcard | self | selfsub | selfwild |
-                    krb5-self | ms-self | krb5-subdomain | ms-subdomain |
-                    tcp-self | 6to4-self ) <string> <rrtypelist>; ... };
-                use-alt-transfer-source <boolean>;
-                zero-no-soa-ttl <boolean>;
-                zone-statistics <boolean>;
-        };
-        zone-statistics <boolean>;
-};
-
-zone <string> <optional_class> {
-        allow-notify { <address_match_element>; ... };
-        allow-query { <address_match_element>; ... };
-        allow-query-on { <address_match_element>; ... };
-        allow-transfer { <address_match_element>; ... };
-        allow-update { <address_match_element>; ... };
-        allow-update-forwarding { <address_match_element>; ... };
-        also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address>
-            ) [ port <integer> ]; ... };
-        alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
-            * ) ];
-        check-integrity <boolean>;
-        check-mx ( fail | warn | ignore );
-        check-mx-cname ( fail | warn | ignore );
-        check-names ( fail | warn | ignore );
-        check-sibling <boolean>;
-        check-srv-cname ( fail | warn | ignore );
-        check-wildcard <boolean>;
-        database <string>;
-        delegation-only <boolean>;
-        dialup <dialuptype>;
-        file <quoted_string>;
-        forward ( first | only );
-        forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
-            [ port <integer> ]; ... };
-        ixfr-base <quoted_string>; // obsolete
-        ixfr-from-differences <boolean>;
-        ixfr-tmp-file <quoted_string>; // obsolete
-        journal <quoted_string>;
-        key-directory <quoted_string>;
-        maintain-ixfr-base <boolean>; // obsolete
-        masterfile-format ( text | raw );
-        masters [ port <integer> ] { ( <masters> | <ipv4_address> [ port
-            <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
-            <string> ]; ... };
-        max-ixfr-log-size <size>; // obsolete
-        max-journal-size <size_no_default>;
-        max-refresh-time <integer>;
-        max-retry-time <integer>;
-        max-transfer-idle-in <integer>;
-        max-transfer-idle-out <integer>;
-        max-transfer-time-in <integer>;
-        max-transfer-time-out <integer>;
-        min-refresh-time <integer>;
-        min-retry-time <integer>;
-        multi-master <boolean>;
-        notify <notifytype>;
-        notify-delay <integer>;
-        notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
-        notify-to-soa <boolean>;
-        nsec3-test-zone <boolean>; // test only
-        pubkey <integer> <integer> <integer> <quoted_string>; // obsolete
-        sig-signing-nodes <integer>;
-        sig-signing-signatures <integer>;
-        sig-signing-type <integer>;
-        sig-validity-interval <integer> [ <integer> ];
-        transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
-        transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
-        try-tcp-refresh <boolean>;
-        type ( master | slave | stub | hint | forward | delegation-only );
-        update-check-ksk <boolean>;
-        update-policy { ( grant | deny ) <string> ( name | subdomain |
-            wildcard | self | selfsub | selfwild | krb5-self | ms-self |
-            krb5-subdomain | ms-subdomain | tcp-self | 6to4-self ) <string>
-            <rrtypelist>; ... };
-        use-alt-transfer-source <boolean>;
-        zero-no-soa-ttl <boolean>;
-        zone-statistics <boolean>;
-};
 
diff --git a/doc/rfc/index b/doc/rfc/index
index 684b135c..7c1dfbc9 100644
--- a/doc/rfc/index
+++ b/doc/rfc/index
@@ -116,6 +116,7 @@
 4648:	The Base16, Base32, and Base64 Data Encodings
 4701:	A DNS Resource Record (RR) for Encoding
          Dynamic Host Configuration Protocol (DHCP) Information (DHCID RR)
+4892:	Requirements for a Mechanism Identifying a Name Server Instance
 5155:	DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
 5295:	Host Identity Protocol (HIP) Domain Name System (DNS) Extension
 5507:	Design Choices When Expanding the DNS
diff --git a/doc/rfc/rfc4892.txt b/doc/rfc/rfc4892.txt
new file mode 100644
index 00000000..a89d3fb0
--- /dev/null
+++ b/doc/rfc/rfc4892.txt
@@ -0,0 +1,451 @@
+
+
+
+
+
+
+Network Working Group                                           S. Woolf
+Request for Comments: 4892             Internet Systems Consortium, Inc.
+Category: Informational                                        D. Conrad
+                                                                   ICANN
+                                                               June 2007
+
+
+    Requirements for a Mechanism Identifying a Name Server Instance
+
+Status of This Memo
+
+   This memo provides information for the Internet community.  It does
+   not specify an Internet standard of any kind.  Distribution of this
+   memo is unlimited.
+
+Copyright Notice
+
+   Copyright (C) The IETF Trust (2007).
+
+Abstract
+
+   With the increased use of DNS anycast, load balancing, and other
+   mechanisms allowing more than one DNS name server to share a single
+   IP address, it is sometimes difficult to tell which of a pool of name
+   servers has answered a particular query.  A standardized mechanism to
+   determine the identity of a name server responding to a particular
+   query would be useful, particularly as a diagnostic aid for
+   administrators.  Existing ad hoc mechanisms for addressing this need
+   have some shortcomings, not the least of which is the lack of prior
+   analysis of exactly how such a mechanism should be designed and
+   deployed.  This document describes the existing convention used in
+   some widely deployed implementations of the DNS protocol, including
+   advantages and disadvantages, and discusses some attributes of an
+   improved mechanism.
+
+1.  Introduction and Rationale
+
+   Identifying which name server is responding to queries is often
+   useful, particularly in attempting to diagnose name server
+   difficulties.  This is most obviously useful for authoritative
+   nameservers in the attempt to diagnose the source or prevalence of
+   inaccurate data, but can also conceivably be useful for caching
+   resolvers in similar and other situations.  Furthermore, the ability
+   to identify which server is responding to a query has become more
+   useful as DNS has become more critical to more Internet users, and as
+   network and server deployment topologies have become more complex.
+
+
+
+
+
+Woolf & Conrad               Informational                      [Page 1]
+
+RFC 4892                        Serverid                       June 2007
+
+
+   The conventional means for determining which of several possible
+   servers is answering a query has traditionally been based on the use
+   of the server's IP address as a unique identifier.  However, the
+   modern Internet has seen the deployment of various load balancing,
+   fault-tolerance, or attack-resistance schemes such as shared use of
+   unicast IP addresses as documented in [RFC3258].  An unfortunate side
+   effect of these schemes has been to make the use of IP addresses as
+   identifiers associated with DNS (or any other) service somewhat
+   problematic.  Specifically, multiple dedicated DNS queries may not go
+   to the same server even though sent to the same IP address.  Non-DNS
+   methods such as ICMP ping, TCP connections, or non-DNS UDP packets
+   (such as those generated by tools like "traceroute"), etc., may well
+   be even less certain to reach the same server as the one which
+   receives the DNS queries.
+
+   There is a well-known and frequently-used technique for determining
+   an identity for a nameserver more specific than the possibly-non-
+   unique "server that answered the query I sent to IP address A.B.C.D".
+   The widespread use of the existing convention suggests a need for a
+   documented, interoperable means of querying the identity of a
+   nameserver that may be part of an anycast or load-balancing cluster.
+   At the same time, however, it also has some drawbacks that argue
+   against standardizing it as it's been practiced so far.
+
+2.  Existing Conventions
+
+   For some time, the commonly deployed Berkeley Internet Name Domain
+   (BIND) implementation of the DNS protocol suite from the Internet
+   Systems Consortium [BIND] has supported a way of identifying a
+   particular server via the use of a standards-compliant, if somewhat
+   unusual, DNS query.  Specifically, a query to a recent BIND server
+   for a TXT resource record in class 3 (CHAOS) for the domain name
+   "HOSTNAME.BIND." will return a string that can be configured by the
+   name server administrator to provide a unique identifier for the
+   responding server.  (The value defaults to the result of a
+   gethostname() call).  This mechanism, which is an extension of the
+   BIND convention of using CHAOS class TXT RR queries to sub-domains of
+   the "BIND." domain for version information, has been copied by
+   several name server vendors.
+
+   A refinement to the BIND-based mechanism, which dropped the
+   implementation-specific label, replaces "BIND." with "SERVER.".  Thus
+   the query label to learn the unique name of a server may appear as
+   "ID.SERVER.".
+
+   (For reference, the other well-known name used by recent versions of
+   BIND within the CHAOS class "BIND." domain is "VERSION.BIND.".  A
+   query for a CHAOS TXT RR for this name will return an
+
+
+
+Woolf & Conrad               Informational                      [Page 2]
+
+RFC 4892                        Serverid                       June 2007
+
+
+   administratively defined string which defaults to the software
+   version of the server responding.  This is, however, not generally
+   implemented by other vendors.)
+
+2.1.  Advantages
+
+   There are several valuable attributes to this mechanism, which
+   account for its usefulness.
+
+   1.  The "HOSTNAME.BIND." or "ID.SERVER." query response mechanism is
+       within the DNS protocol itself.  An identification mechanism that
+       relies on the DNS protocol is more likely to be successful
+       (although not guaranteed) in going to the same system as a
+       "normal" DNS query.
+
+   2.  Since the identity information is requested and returned within
+       the DNS protocol, it doesn't require allowing any other query
+       mechanism to the server, such as holes in firewalls for
+       otherwise-unallowed ICMP Echo requests.  Thus it is likely to
+       reach the same server over a path subject to the same routing,
+       resource, and security policy as the query, without any special
+       exceptions to site security policy.
+
+   3.  It is simple to configure.  An administrator can easily turn on
+       this feature and control the results of the relevant query.
+
+   4.  It allows the administrator complete control of what information
+       is given out in the response, minimizing passive leakage of
+       implementation or configuration details.  Such details are often
+       considered sensitive by infrastructure operators.
+
+2.2.  Disadvantages
+
+   At the same time, there are some serious drawbacks to the CHAOS/TXT
+   query mechanism that argue against standardizing it as it currently
+   operates.
+
+   1.  It requires an additional query to correlate between the answer
+       to a DNS query under normal conditions and the supposed identity
+       of the server receiving the query.  There are a number of
+       situations in which this simply isn't reliable.
+
+   2.  It reserves an entire class in the DNS (CHAOS) for what amounts
+       to one zone.  While CHAOS class is defined in [RFC1034] and
+       [RFC1035], it's not clear that supporting it solely for this
+       purpose is a good use of the namespace or of implementation
+       effort.
+
+
+
+
+Woolf & Conrad               Informational                      [Page 3]
+
+RFC 4892                        Serverid                       June 2007
+
+
+   3.  The initial and still common form, using "BIND.", is
+       implementation specific.  BIND is one DNS implementation.  At the
+       time of this writing, it is probably most prevalent for
+       authoritative servers.  This does not justify standardizing on
+       its ad hoc solution to a problem shared across many operators and
+       implementors.  Meanwhile, the aforementioned refinement changes
+       the query label but preserves the ad hoc CHAOS/TXT mechanism.
+
+   4.  There is no convention or shared understanding of what
+       information an answer to such a query for a server identity could
+       or should contain, including a possible encoding or
+       authentication mechanism.
+
+   5.  Hypothetically, since DNSSEC has been defined to cover all DNS
+       classes, the TXT RRs returned in response to the "ID.SERVER."
+       query could be signed, which has the advantages described in
+       [RFC4033].  However, since DNSSEC deployment for the CHAOS class
+       is neither existent nor foreseeable, and since the "ID.SERVER."
+       TXT RR is expected to be unique per server, this would be
+       impossible in practice.
+
+   The first of the listed disadvantages may be technically the most
+   serious.  It argues for an attempt to design a good answer to the
+   problem, "I need to know what nameserver is answering my queries",
+   not simply a convenient one.
+
+3.  Characteristics of an Implementation Neutral Convention
+
+   The discussion above of advantages and disadvantages to the
+   "HOSTNAME.BIND." mechanism suggest some requirements for a better
+   solution to the server identification problem.  These are summarized
+   here as guidelines for any effort to provide appropriate protocol
+   extensions:
+
+   1.  The mechanism adopted must be in-band for the DNS protocol.  That
+       is, it needs to allow the query for the server's identifying
+       information to be part of a normal, operational query.  It should
+       also permit a separate, dedicated query for the server's
+       identifying information.  But it should preserve the ability of
+       the CHAOS/TXT query-based mechanism to work through firewalls and
+       in other situations where only DNS can be relied upon to reach
+       the server of interest.
+
+   2.  The new mechanism should not require dedicated namespaces or
+       other reserved values outside of the existing protocol mechanisms
+       for these, i.e., the OPT pseudo-RR.  In particular, it should not
+       propagate the existing drawback of requiring support for a CLASS
+
+
+
+
+Woolf & Conrad               Informational                      [Page 4]
+
+RFC 4892                        Serverid                       June 2007
+
+
+       and top level domain in the authoritative server (or the querying
+       tool) to be useful.
+
+   3.  Support for the identification functionality should be easy to
+       implement and easy to enable.  It must be easy to disable and
+       should lend itself to access controls on who can query for it.
+
+   4.  It should be possible to return a unique identifier for a server
+       without requiring the exposure of information that may be non-
+       public and considered sensitive by the operator, such as a
+       hostname or unicast IP address maintained for administrative
+       purposes.
+
+   5.  It should be possible to authenticate the received data by some
+       mechanism analogous to those provided by DNSSEC.  In this
+       context, the need could be met by including encryption options in
+       the specification of a new mechanism.
+
+   6.  The identification mechanism should not be implementation-
+       specific.
+
+4.  IANA Considerations
+
+   This document proposes no specific IANA action.  Protocol extensions,
+   if any, to meet the requirements described are out of scope for this
+   document.  A proposed extension, specified and adopted by normal IETF
+   process, is described in [NSID], including relevant IANA action.
+
+5.  Security Considerations
+
+   Providing identifying information as to which server is responding to
+   a particular query from a particular location in the Internet can be
+   seen as information leakage and thus a security risk.  This motivates
+   the suggestion above that a new mechanism for server identification
+   allow the administrator to disable the functionality altogether or
+   partially restrict availability of the data.  It also suggests that
+   the server identification data should not be readily correlated with
+   a hostname or unicast IP address that may be considered private to
+   the nameserver operator's management infrastructure.
+
+   Propagation of protocol or service meta-data can sometimes expose the
+   application to denial of service or other attack.  As the DNS is a
+   critically important infrastructure service for the production
+   Internet, extra care needs to be taken against this risk for
+   designers, implementors, and operators of a new mechanism for server
+   identification.
+
+
+
+
+
+Woolf & Conrad               Informational                      [Page 5]
+
+RFC 4892                        Serverid                       June 2007
+
+
+   Both authentication and confidentiality of server identification data
+   are potentially of interest to administrators -- that is, operators
+   may wish to make such data available and reliable to themselves and
+   their chosen associates only.  This constraint would imply both an
+   ability to authenticate it to themselves and to keep it private from
+   arbitrary other parties, which leads to characteristics 4 and 5 of an
+   improved solution.
+
+6.  Acknowledgements
+
+   The technique for host identification documented here was initially
+   implemented by Paul Vixie of the Internet Software Consortium in the
+   Berkeley Internet Name Daemon package.  Comments and questions on
+   earlier versions were provided by Bob Halley, Brian Wellington,
+   Andreas Gustafsson, Ted Hardie, Chris Yarnell, Randy Bush, and
+   members of the ICANN Root Server System Advisory Committee.  The
+   newest version takes a significantly different direction from
+   previous versions, owing to discussion among contributors to the
+   DNSOP working group and others, particularly Olafur Gudmundsson, Ed
+   Lewis, Bill Manning, Sam Weiler, and Rob Austein.
+
+7.  References
+
+7.1.  Normative References
+
+   [RFC1034]  Mockapetris, P., "Domain Names - Concepts and Facilities",
+              STD 13, RFC 1034, November 1987.
+
+   [RFC1035]  Mockapetris, P., "Domain Names - Implementation and
+              Specification", STD 13, RFC 1035, November 1987.
+
+   [RFC3258]  Hardie, T., "Distributing Authoritative Name Servers via
+              Shared Unicast Addresses", RFC 3258, April 2002.
+
+7.2.  Informative References
+
+   [BIND]     ISC, "BIND 9 Configuration Reference".
+
+   [NSID]     Austein, R., "DNS Name Server Identifier Option (NSID)",
+              Work in Progress, June 2006.
+
+   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "DNS Security Introduction and Requirements", RFC
+              4033, March 2005.
+
+
+
+
+
+
+
+Woolf & Conrad               Informational                      [Page 6]
+
+RFC 4892                        Serverid                       June 2007
+
+
+Authors' Addresses
+
+   Suzanne Woolf
+   Internet Systems Consortium, Inc.
+   950 Charter Street
+   Redwood City, CA  94063
+   US
+
+   Phone: +1 650 423-1333
+   EMail: woolf@isc.org
+   URI:   http://www.isc.org/
+
+
+   David Conrad
+   ICANN
+   4676 Admiralty Way
+   Marina del Rey, CA  90292
+   US
+
+   Phone: +1 310 823 9358
+   EMail: david.conrad@icann.org
+   URI:   http://www.iana.org/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad               Informational                      [Page 7]
+
+RFC 4892                        Serverid                       June 2007
+
+
+Full Copyright Statement
+
+   Copyright (C) The IETF Trust (2007).
+
+   This document is subject to the rights, licenses and restrictions
+   contained in BCP 78, and except as set forth therein, the authors
+   retain all their rights.
+
+   This document and the information contained herein are provided on an
+   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+   The IETF takes no position regarding the validity or scope of any
+   Intellectual Property Rights or other rights that might be claimed to
+   pertain to the implementation or use of the technology described in
+   this document or the extent to which any license under such rights
+   might or might not be available; nor does it represent that it has
+   made any independent effort to identify any such rights.  Information
+   on the procedures with respect to rights in RFC documents can be
+   found in BCP 78 and BCP 79.
+
+   Copies of IPR disclosures made to the IETF Secretariat and any
+   assurances of licenses to be made available, or the result of an
+   attempt made to obtain a general license or permission for the use of
+   such proprietary rights by implementers or users of this
+   specification can be obtained from the IETF on-line IPR repository at
+   http://www.ietf.org/ipr.
+
+   The IETF invites any interested party to bring to its attention any
+   copyrights, patents or patent applications, or other proprietary
+   rights that may cover technology that may be required to implement
+   this standard.  Please address the information to the IETF at
+   ietf-ipr@ietf.org.
+
+Acknowledgement
+
+   Funding for the RFC Editor function is currently provided by the
+   Internet Society.
+
+
+
+
+
+
+
+Woolf & Conrad               Informational                      [Page 8]
+
diff --git a/isc-config.sh.1 b/isc-config.sh.1
index b0da5ad9..a0f21956 100644
--- a/isc-config.sh.1
+++ b/isc-config.sh.1
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: isc-config.sh.1,v 1.1.2.2 2009/02/20 23:47:23 tbox Exp $
+.\" $Id: isc-config.sh.1,v 1.2 2009/02/20 23:48:02 tbox Exp $
 .\"
 .hy 0
 .ad l
diff --git a/isc-config.sh.docbook b/isc-config.sh.docbook
index f0ad4ee1..4a06c170 100644
--- a/isc-config.sh.docbook
+++ b/isc-config.sh.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: isc-config.sh.docbook,v 1.2.6.2 2009/02/20 23:47:23 tbox Exp $ -->
+<!-- $Id: isc-config.sh.docbook,v 1.2 2009/02/18 23:47:48 tbox Exp $ -->
 <refentry id="man.isc-config.sh">
   <refentryinfo>
     <date>December 19, 2008</date>
diff --git a/isc-config.sh.html b/isc-config.sh.html
index 682e79a6..6f278c0b 100644
--- a/isc-config.sh.html
+++ b/isc-config.sh.html
@@ -14,7 +14,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: isc-config.sh.html,v 1.1.2.2 2009/02/20 23:47:23 tbox Exp $ -->
+<!-- $Id: isc-config.sh.html,v 1.2 2009/02/20 23:48:02 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/bind9/api b/lib/bind9/api
index fbbf923b..2240cdda 100644
--- a/lib/bind9/api
+++ b/lib/bind9/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 50
-LIBREVISION = 3
+LIBREVISION = 1
 LIBAGE = 0
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 753db9ce..66dd12fc 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.95.12.4 2009/06/03 00:06:01 marka Exp $ */
+/* $Id: check.c,v 1.103 2009/06/10 23:47:47 tbox Exp $ */
 
 /*! \file */
 
@@ -663,10 +663,20 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 		     element = cfg_list_next(element))
 		{
 			const char *dlv;
+			const cfg_obj_t *anchor;
 
 			obj = cfg_listelt_value(element);
 
 			dlv = cfg_obj_asstring(cfg_tuple_get(obj, "domain"));
+			anchor = cfg_tuple_get(obj, "trust-anchor");
+
+			/*
+			 * If domain is "auto" and trust anchor is missing,
+			 * skip remaining tests
+			 */
+			if (!strcmp(dlv, "auto") && cfg_obj_isvoid(anchor))
+				continue;
+
 			isc_buffer_init(&b, dlv, strlen(dlv));
 			isc_buffer_add(&b, strlen(dlv));
 			tresult = dns_name_fromtext(name, &b, dns_rootname,
@@ -698,19 +708,31 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 				if (result == ISC_R_SUCCESS)
 					result = ISC_R_FAILURE;
 			}
-			dlv = cfg_obj_asstring(cfg_tuple_get(obj,
-					       "trust-anchor"));
-			isc_buffer_init(&b, dlv, strlen(dlv));
-			isc_buffer_add(&b, strlen(dlv));
-			tresult = dns_name_fromtext(name, &b, dns_rootname,
-						    ISC_TRUE, NULL);
-			if (tresult != ISC_R_SUCCESS) {
+
+			if(!cfg_obj_isvoid(anchor)) {
+				dlv = cfg_obj_asstring(anchor);
+				isc_buffer_init(&b, dlv, strlen(dlv));
+				isc_buffer_add(&b, strlen(dlv));
+				tresult = dns_name_fromtext(name, &b,
+							    dns_rootname,
+							    ISC_TRUE, NULL);
+				if (tresult != ISC_R_SUCCESS) {
+					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+						    "bad domain name '%s'",
+						    dlv);
+					if (result == ISC_R_SUCCESS)
+						result = tresult;
+				}
+			} else {
 				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-					    "bad domain name '%s'", dlv);
+					"dnssec-lookaside requires "
+					"either 'auto' or a domain and "
+					"trust anchor");
 				if (result == ISC_R_SUCCESS)
-					result = tresult;
+					result = ISC_R_FAILURE;
 			}
 		}
+
 		if (symtab != NULL)
 			isc_symtab_destroy(&symtab);
 	}
@@ -969,17 +991,22 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
 			result = tresult;
 		}
 
-		dns_fixedname_init(&fixed);
-		str = cfg_obj_asstring(dname);
-		isc_buffer_init(&b, str, strlen(str));
-		isc_buffer_add(&b, strlen(str));
-		tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
-					    dns_rootname, ISC_FALSE, NULL);
-		if (tresult != ISC_R_SUCCESS) {
-			cfg_obj_log(dname, logctx, ISC_LOG_ERROR,
-				    "'%s' is not a valid name", str);
-			result = tresult;
+		if (tresult == ISC_R_SUCCESS &&
+		    strcasecmp(cfg_obj_asstring(matchtype), "zonesub") != 0) {
+			dns_fixedname_init(&fixed);
+			str = cfg_obj_asstring(dname);
+			isc_buffer_init(&b, str, strlen(str));
+			isc_buffer_add(&b, strlen(str));
+			tresult = dns_name_fromtext(dns_fixedname_name(&fixed),
+						    &b, dns_rootname,
+						    ISC_FALSE, NULL);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(dname, logctx, ISC_LOG_ERROR,
+					    "'%s' is not a valid name", str);
+				result = tresult;
+			}
 		}
+
 		if (tresult == ISC_R_SUCCESS &&
 		    strcasecmp(cfg_obj_asstring(matchtype), "wildcard") == 0 &&
 		    !dns_name_iswildcard(dns_fixedname_name(&fixed))) {
@@ -1050,6 +1077,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	{ "notify", MASTERZONE | SLAVEZONE },
 	{ "also-notify", MASTERZONE | SLAVEZONE },
 	{ "dialup", MASTERZONE | SLAVEZONE | STUBZONE },
+	{ "ddns-autoconf", MASTERZONE },
 	{ "delegation-only", HINTZONE | STUBZONE | DELEGATIONZONE },
 	{ "forward", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE },
 	{ "forwarders", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE },
diff --git a/lib/bind9/include/bind9/getaddresses.h b/lib/bind9/include/bind9/getaddresses.h
index 736feb68..01aa67a4 100644
--- a/lib/bind9/include/bind9/getaddresses.h
+++ b/lib/bind9/include/bind9/getaddresses.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getaddresses.h,v 1.9.332.2 2009/01/18 23:47:35 tbox Exp $ */
+/* $Id: getaddresses.h,v 1.11 2009/01/17 23:47:42 tbox Exp $ */
 
 #ifndef BIND9_GETADDRESSES_H
 #define BIND9_GETADDRESSES_H 1
diff --git a/lib/dns/acl.c b/lib/dns/acl.c
index 3af8dd39..838356a7 100644
--- a/lib/dns/acl.c
+++ b/lib/dns/acl.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.c,v 1.50.44.3 2009/01/18 23:47:35 tbox Exp $ */
+/* $Id: acl.c,v 1.53 2009/01/17 23:47:42 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/adb.c b/lib/dns/adb.c
index 70562159..2e1c607a 100644
--- a/lib/dns/adb.c
+++ b/lib/dns/adb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: adb.c,v 1.243.42.4 2009/02/03 22:34:28 jinmei Exp $ */
+/* $Id: adb.c,v 1.247 2009/02/03 22:33:13 jinmei Exp $ */
 
 /*! \file
  *
diff --git a/lib/dns/api b/lib/dns/api
index af155ca8..fbbf923b 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 52
-LIBREVISION = 0
-LIBAGE = 2
+LIBINTERFACE = 50
+LIBREVISION = 3
+LIBAGE = 0
diff --git a/lib/dns/cache.c b/lib/dns/cache.c
index aee824e5..59098799 100644
--- a/lib/dns/cache.c
+++ b/lib/dns/cache.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.c,v 1.80.50.3 2009/05/06 23:34:30 jinmei Exp $ */
+/* $Id: cache.c,v 1.84 2009/05/06 22:53:54 jinmei Exp $ */
 
 /*! \file */
 
@@ -122,6 +122,7 @@ struct dns_cache {
 	isc_mutex_t		lock;
 	isc_mutex_t		filelock;
 	isc_mem_t		*mctx;
+	char			*name;
 
 	/* Locked by 'lock'. */
 	int			references;
@@ -132,6 +133,7 @@ struct dns_cache {
 	char			*db_type;
 	int			db_argc;
 	char			**db_argv;
+	isc_uint32_t		size;
 
 	/* Locked by 'filelock'. */
 	char			*filename;
@@ -171,6 +173,16 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 		 const char *db_type, unsigned int db_argc, char **db_argv,
 		 dns_cache_t **cachep)
 {
+	return (dns_cache_create2(mctx, taskmgr, timermgr, rdclass, "",
+				  db_type, db_argc, db_argv, cachep));
+}
+
+isc_result_t
+dns_cache_create2(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+		  isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
+		  const char *cachename, const char *db_type,
+		  unsigned int db_argc, char **db_argv, dns_cache_t **cachep)
+{
 	isc_result_t result;
 	dns_cache_t *cache;
 	int i;
@@ -179,6 +191,7 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	REQUIRE(cachep != NULL);
 	REQUIRE(*cachep == NULL);
 	REQUIRE(mctx != NULL);
+	REQUIRE(cachename != NULL);
 
 	cache = isc_mem_get(mctx, sizeof(*cache));
 	if (cache == NULL)
@@ -187,6 +200,15 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	cache->mctx = NULL;
 	isc_mem_attach(mctx, &cache->mctx);
 
+	cache->name = NULL;
+	if (cachename != NULL) {
+		cache->name = isc_mem_strdup(mctx, cachename);
+		if (cache->name == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup_mem;
+		}
+	}
+
 	result = isc_mutex_init(&cache->lock);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_mem;
@@ -275,6 +297,8 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
  cleanup_lock:
 	DESTROYLOCK(&cache->lock);
  cleanup_mem:
+	if (cache->name != NULL)
+		isc_mem_free(mctx, cache->name);
 	isc_mem_put(mctx, cache, sizeof(*cache));
 	isc_mem_detach(&mctx);
 	return (result);
@@ -323,6 +347,9 @@ cache_free(dns_cache_t *cache) {
 	if (cache->db_type != NULL)
 		isc_mem_free(cache->mctx, cache->db_type);
 
+	if (cache->name != NULL)
+		isc_mem_free(cache->mctx, cache->name);
+
 	DESTROYLOCK(&cache->lock);
 	DESTROYLOCK(&cache->filelock);
 	cache->magic = 0;
@@ -493,6 +520,26 @@ dns_cache_setcleaninginterval(dns_cache_t *cache, unsigned int t) {
 	UNLOCK(&cache->lock);
 }
 
+unsigned int
+dns_cache_getcleaninginterval(dns_cache_t *cache) {
+	unsigned int t;
+
+	REQUIRE(VALID_CACHE(cache));
+
+	LOCK(&cache->lock);
+	t = cache->cleaner.cleaning_interval;
+	UNLOCK(&cache->lock);
+
+	return (t);
+}
+
+const char *
+dns_cache_getname(dns_cache_t *cache) {
+	REQUIRE(VALID_CACHE(cache));
+
+	return (cache->name);
+}
+
 /*
  * Initialize the cache cleaner object at *cleaner.
  * Space for the object must be allocated by the caller.
@@ -519,6 +566,7 @@ cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
 	cleaner->cleaning_timer = NULL;
 	cleaner->resched_event = NULL;
 	cleaner->overmem_event = NULL;
+	cleaner->cleaning_interval = 0; /* Initially turned off. */
 
 	result = dns_db_createiterator(cleaner->cache->db, ISC_FALSE,
 				       &cleaner->iterator);
@@ -547,7 +595,6 @@ cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
 			goto cleanup;
 		}
 
-		cleaner->cleaning_interval = 0; /* Initially turned off. */
 		result = isc_timer_create(timermgr, isc_timertype_inactive,
 					   NULL, NULL, cleaner->task,
 					   cleaning_timer_action, cleaner,
@@ -949,6 +996,10 @@ dns_cache_setcachesize(dns_cache_t *cache, isc_uint32_t size) {
 	if (size != 0 && size < DNS_CACHE_MINSIZE)
 		size = DNS_CACHE_MINSIZE;
 
+	LOCK(&cache->lock);
+	cache->size = size;
+	UNLOCK(&cache->lock);
+
 	hiwater = size - (size >> 3);	/* Approximately 7/8ths. */
 	lowater = size - (size >> 2);	/* Approximately 3/4ths. */
 
@@ -972,6 +1023,19 @@ dns_cache_setcachesize(dns_cache_t *cache, isc_uint32_t size) {
 		isc_mem_setwater(cache->mctx, water, cache, hiwater, lowater);
 }
 
+isc_uint32_t
+dns_cache_getcachesize(dns_cache_t *cache) {
+	isc_uint32_t size;
+
+	REQUIRE(VALID_CACHE(cache));
+
+	LOCK(&cache->lock);
+	size = cache->size;
+	UNLOCK(&cache->lock);
+
+	return (size);
+}
+
 /*
  * The cleaner task is shutting down; do the necessary cleanup.
  */
diff --git a/lib/dns/db.c b/lib/dns/db.c
index a4c28641..83430c0b 100644
--- a/lib/dns/db.c
+++ b/lib/dns/db.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: db.c,v 1.88 2008/09/24 02:46:22 marka Exp $ */
+/* $Id: db.c,v 1.90 2009/04/29 23:48:02 tbox Exp $ */
 
 /*! \file */
 
@@ -854,12 +854,14 @@ dns_db_unregister(dns_dbimplementation_t **dbimp) {
 	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
 
 	imp = *dbimp;
+	*dbimp = NULL;
 	RWLOCK(&implock, isc_rwlocktype_write);
 	ISC_LIST_UNLINK(implementations, imp, link);
 	mctx = imp->mctx;
 	isc_mem_put(mctx, imp, sizeof(dns_dbimplementation_t));
 	isc_mem_detach(&mctx);
 	RWUNLOCK(&implock, isc_rwlocktype_write);
+	ENSURE(*dbimp == NULL);
 }
 
 isc_result_t
diff --git a/lib/dns/diff.c b/lib/dns/diff.c
index 9489821c..a64da709 100644
--- a/lib/dns/diff.c
+++ b/lib/dns/diff.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: diff.c,v 1.18.50.2 2009/01/05 23:47:22 tbox Exp $ */
+/* $Id: diff.c,v 1.21 2009/04/30 06:53:10 marka Exp $ */
 
 /*! \file */
 
@@ -387,10 +387,22 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
 				 * from a server that is not as careful.
 				 * Issue a warning and continue.
 				 */
-				if (warn)
+				if (warn) {
+					char classbuf[DNS_RDATATYPE_FORMATSIZE];
+					char namebuf[DNS_NAME_FORMATSIZE];
+
+					dns_name_format(dns_db_origin(db),
+							namebuf,
+							sizeof(namebuf));
+					dns_rdataclass_format(dns_db_class(db),
+							      classbuf,
+							      sizeof(classbuf));
 					isc_log_write(DIFF_COMMON_LOGARGS,
 						      ISC_LOG_WARNING,
-						      "update with no effect");
+						      "%s/%s: update with no "
+						      " effect", namebuf,
+						      classbuf);
+				}
 			} else if (result == DNS_R_NXRRSET) {
 				/*
 				 * OK.
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
index 9b4e9685..9103dd69 100644
--- a/lib/dns/dispatch.c
+++ b/lib/dns/dispatch.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dispatch.c,v 1.155.12.7 2009/04/28 21:39:45 jinmei Exp $ */
+/* $Id: dispatch.c,v 1.163 2009/04/28 21:39:00 jinmei Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/dlz.c b/lib/dns/dlz.c
index 75486af4..66c8fc51 100644
--- a/lib/dns/dlz.c
+++ b/lib/dns/dlz.c
@@ -50,7 +50,7 @@
  * USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dlz.c,v 1.5.332.2 2009/01/18 23:47:35 tbox Exp $ */
+/* $Id: dlz.c,v 1.7 2009/01/17 23:47:42 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index baf3ec5b..1bfee7c6 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.93.12.4 2009/06/08 23:47:00 tbox Exp $
+ * $Id: dnssec.c,v 1.95 2009/06/04 02:56:47 tbox Exp $
  */
 
 /*! \file */
@@ -93,6 +93,7 @@ rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
 	isc_result_t ret;
 	int i = 0, n;
 	dns_rdata_t *data;
+	dns_rdataset_t rdataset;
 
 	n = dns_rdataset_count(set);
 
@@ -100,8 +101,11 @@ rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
 	if (data == NULL)
 		return (ISC_R_NOMEMORY);
 
-	ret = dns_rdataset_first(set);
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_clone(set, &rdataset);
+	ret = dns_rdataset_first(&rdataset);
 	if (ret != ISC_R_SUCCESS) {
+		dns_rdataset_disassociate(&rdataset);
 		isc_mem_put(mctx, data, n * sizeof(dns_rdata_t));
 		return (ret);
 	}
@@ -111,8 +115,8 @@ rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
 	 */
 	do {
 		dns_rdata_init(&data[i]);
-		dns_rdataset_current(set, &data[i++]);
-	} while (dns_rdataset_next(set) == ISC_R_SUCCESS);
+		dns_rdataset_current(&rdataset, &data[i++]);
+	} while (dns_rdataset_next(&rdataset) == ISC_R_SUCCESS);
 
 	/*
 	 * Sort the array.
@@ -120,6 +124,7 @@ rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
 	qsort(data, n, sizeof(dns_rdata_t), rdata_compare_wrapper);
 	*rdata = data;
 	*nrdata = n;
+	dns_rdataset_disassociate(&rdataset);
 	return (ISC_R_SUCCESS);
 }
 
@@ -890,3 +895,59 @@ failure:
 
 	return (result);
 }
+
+/*%
+ * Does this key ('rdata') self sign the rrset ('rdataset')?
+ */
+isc_boolean_t
+dns_dnssec_selfsigns(dns_rdata_t *rdata, dns_name_t *name,
+		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		     isc_boolean_t ignoretime, isc_mem_t *mctx)
+{
+	dst_key_t *dstkey = NULL;
+	dns_keytag_t keytag;
+	dns_rdata_dnskey_t key;
+	dns_rdata_rrsig_t sig;
+	dns_rdata_t sigrdata = DNS_RDATA_INIT;
+	isc_result_t result;
+
+	INSIST(rdataset->type == dns_rdatatype_key ||
+	       rdataset->type == dns_rdatatype_dnskey);
+	if (rdataset->type == dns_rdatatype_key) {
+		INSIST(sigrdataset->type == dns_rdatatype_sig);
+		INSIST(sigrdataset->covers == dns_rdatatype_key);
+	} else {
+		INSIST(sigrdataset->type == dns_rdatatype_rrsig);
+		INSIST(sigrdataset->covers == dns_rdatatype_dnskey);
+	}
+
+	result = dns_dnssec_keyfromrdata(name, rdata, mctx, &dstkey);
+	if (result != ISC_R_SUCCESS)
+		return (ISC_FALSE);
+	result = dns_rdata_tostruct(rdata, &key, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	keytag = dst_key_id(dstkey);
+	for (result = dns_rdataset_first(sigrdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(sigrdataset))
+	{
+		dns_rdata_reset(&sigrdata);
+		dns_rdataset_current(sigrdataset, &sigrdata);
+		result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (sig.algorithm == key.algorithm &&
+		    sig.keyid == keytag) {
+			result = dns_dnssec_verify2(name, rdataset, dstkey,
+						    ignoretime, mctx,
+						    &sigrdata, NULL);
+			if (result == ISC_R_SUCCESS) {
+				dst_key_free(&dstkey);
+				return (ISC_TRUE);
+			}
+		}
+	}
+	dst_key_free(&dstkey);
+	return (ISC_FALSE);
+}
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 144c685e..4fccc216 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.16.12.3 2009/03/02 02:00:34 marka Exp $
+ * $Id: dst_api.c,v 1.20 2009/06/10 00:27:22 each Exp $
  */
 
 /*! \file */
@@ -110,7 +110,7 @@ static isc_result_t	algorithm_status(unsigned int alg);
 static isc_result_t	addsuffix(char *filename, unsigned int len,
 				  const char *ofilename, const char *suffix);
 
-#define RETERR(x) 				\
+#define RETERR(x)				\
 	do {					\
 		result = (x);			\
 		if (result != ISC_R_SUCCESS)	\
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index 0c1a71c2..f531ad06 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_internal.h,v 1.11 2008/04/01 23:47:10 tbox Exp $ */
+/* $Id: dst_internal.h,v 1.13 2009/06/11 23:47:55 tbox Exp $ */
 
 #ifndef DST_DST_INTERNAL_H
 #define DST_DST_INTERNAL_H 1
@@ -58,8 +58,8 @@
 
 ISC_LANG_BEGINDECLS
 
-#define KEY_MAGIC       ISC_MAGIC('D','S','T','K')
-#define CTX_MAGIC       ISC_MAGIC('D','S','T','C')
+#define KEY_MAGIC	ISC_MAGIC('D','S','T','K')
+#define CTX_MAGIC	ISC_MAGIC('D','S','T','C')
 
 #define VALID_KEY(x) ISC_MAGIC_VALID(x, KEY_MAGIC)
 #define VALID_CTX(x) ISC_MAGIC_VALID(x, CTX_MAGIC)
@@ -72,7 +72,7 @@ extern isc_mem_t *dst__memory_pool;
 
 typedef struct dst_func dst_func_t;
 
-typedef struct dst_hmacmd5_key    dst_hmacmd5_key_t;
+typedef struct dst_hmacmd5_key	  dst_hmacmd5_key_t;
 typedef struct dst_hmacsha1_key   dst_hmacsha1_key_t;
 typedef struct dst_hmacsha224_key dst_hmacsha224_key_t;
 typedef struct dst_hmacsha256_key dst_hmacsha256_key_t;
@@ -112,7 +112,7 @@ struct dst_key {
 		dst_hmacsha512_key_t *hmacsha512;
 
 	} keydata;			/*%< pointer to key in crypto pkg fmt */
-	dst_func_t *	func;		/*%< crypto package specific functions */
+	dst_func_t *	func;	       /*%< crypto package specific functions */
 };
 
 struct dst_context {
diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
index 2da72ae6..2fe626c5 100644
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/dst_parse.c
@@ -31,7 +31,7 @@
 
 /*%
  * Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.14.120.2 2009/03/02 23:47:11 tbox Exp $
+ * $Id: dst_parse.c,v 1.17 2009/06/17 06:51:44 each Exp $
  */
 
 #include <config.h>
@@ -498,6 +498,12 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 	case DST_ALG_HMACSHA512:
 		fprintf(fp, "(HMAC_SHA512)\n");
 		break;
+	case DST_ALG_NSEC3DSA:
+		fprintf(fp, "(NSEC3DSA)\n");
+		break;
+	case DST_ALG_NSEC3RSASHA1:
+		fprintf(fp, "(NSEC3RSASHA1)\n");
+		break;
 	default:
 		fprintf(fp, "(?)\n");
 		break;
diff --git a/lib/dns/gen-unix.h b/lib/dns/gen-unix.h
index 4186f634..87529d4e 100644
--- a/lib/dns/gen-unix.h
+++ b/lib/dns/gen-unix.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gen-unix.h,v 1.19.332.2 2009/01/18 23:47:35 tbox Exp $ */
+/* $Id: gen-unix.h,v 1.21 2009/01/17 23:47:42 tbox Exp $ */
 
 /*! \file
  * \brief
diff --git a/lib/dns/gen-win32.h b/lib/dns/gen-win32.h
index 83025c80..58954d8d 100644
--- a/lib/dns/gen-win32.h
+++ b/lib/dns/gen-win32.h
@@ -48,7 +48,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: gen-win32.h,v 1.23.332.2 2009/01/18 23:47:35 tbox Exp $ */
+/* $Id: gen-win32.h,v 1.25 2009/01/17 23:47:42 tbox Exp $ */
 
 /*! \file
  * \author Principal Authors: Computer Systems Research Group at UC Berkeley
diff --git a/lib/dns/include/dns/acl.h b/lib/dns/include/dns/acl.h
index 721fe51d..37bd4c91 100644
--- a/lib/dns/include/dns/acl.h
+++ b/lib/dns/include/dns/acl.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.h,v 1.31.206.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: acl.h,v 1.33 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef DNS_ACL_H
 #define DNS_ACL_H 1
diff --git a/lib/dns/include/dns/cache.h b/lib/dns/include/dns/cache.h
index 7b372357..1a59ea9e 100644
--- a/lib/dns/include/dns/cache.h
+++ b/lib/dns/include/dns/cache.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.h,v 1.26 2007/06/19 23:47:16 tbox Exp $ */
+/* $Id: cache.h,v 1.28 2009/01/09 23:47:46 tbox Exp $ */
 
 #ifndef DNS_CACHE_H
 #define DNS_CACHE_H 1
@@ -65,8 +65,15 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 		 isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
 		 const char *db_type, unsigned int db_argc, char **db_argv,
 		 dns_cache_t **cachep);
+isc_result_t
+dns_cache_create2(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+		  isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
+		  const char *cachename, const char *db_type,
+		  unsigned int db_argc, char **db_argv, dns_cache_t **cachep);
 /*%<
- * Create a new DNS cache.
+ * Create a new DNS cache.  dns_cache_create2() will create a named cache.
+ * dns_cache_create() is a backward compatible version that internally specifies
+ * an empty name.
  *
  * Requires:
  *
@@ -76,6 +83,8 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
  * 	manager, or both are NULL.  If NULL, no periodic cleaning of the
  * 	cache will take place.
  *
+ *\li	'cachename' is a valid string.  This must not be NULL.
+ *
  *\li	'cachep' is a valid pointer, and *cachep == NULL
  *
  * Ensures:
@@ -217,12 +226,36 @@ dns_cache_setcleaninginterval(dns_cache_t *cache, unsigned int interval);
  * Set the periodic cache cleaning interval to 'interval' seconds.
  */
 
+unsigned int
+dns_cache_getcleaninginterval(dns_cache_t *cache);
+/*%<
+ * Get the periodic cache cleaning interval to 'interval' seconds.
+ */
+
+isc_uint32_t
+dns_cache_getcachesize(dns_cache_t *cache);
+/*%<
+ * Get the maximum cache size.
+ */
+
+const char *
+dns_cache_getname(dns_cache_t *cache);
+/*%<
+ * Get the cache name.
+ */
+
 void
 dns_cache_setcachesize(dns_cache_t *cache, isc_uint32_t size);
 /*%<
  * Set the maximum cache size.  0 means unlimited.
  */
 
+isc_uint32_t
+dns_cache_getcachesize(dns_cache_t *cache);
+/*%<
+ * Get the maximum cache size.
+ */
+
 isc_result_t
 dns_cache_flush(dns_cache_t *cache);
 /*%<
diff --git a/lib/dns/include/dns/compress.h b/lib/dns/include/dns/compress.h
index 4632aff4..a10f4d39 100644
--- a/lib/dns/include/dns/compress.h
+++ b/lib/dns/include/dns/compress.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress.h,v 1.40.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: compress.h,v 1.42 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef DNS_COMPRESS_H
 #define DNS_COMPRESS_H 1
diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
index 3b782089..e4e89efe 100644
--- a/lib/dns/include/dns/db.h
+++ b/lib/dns/include/dns/db.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: db.h,v 1.93.50.3 2009/01/18 23:25:17 marka Exp $ */
+/* $Id: db.h,v 1.97 2009/05/07 09:41:23 fdupont Exp $ */
 
 #ifndef DNS_DB_H
 #define DNS_DB_H 1
@@ -836,6 +836,9 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
  *	\li	#DNS_R_COVERINGNSEC		The returned data is a NSEC
  *						that potentially covers 'name'.
  *
+ *	\li	#DNS_R_EMPTYWILD		The name is a wildcard without
+ *						resource records.
+ *
  *	Error results:
  *
  *	\li	#ISC_R_NOMEMORY
diff --git a/lib/dns/include/dns/diff.h b/lib/dns/include/dns/diff.h
index a13b6780..a3b96963 100644
--- a/lib/dns/include/dns/diff.h
+++ b/lib/dns/include/dns/diff.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: diff.h,v 1.15.120.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: diff.h,v 1.17 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef DNS_DIFF_H
 #define DNS_DIFF_H 1
diff --git a/lib/dns/include/dns/dispatch.h b/lib/dns/include/dns/dispatch.h
index 96a44fee..b9f68426 100644
--- a/lib/dns/include/dns/dispatch.h
+++ b/lib/dns/include/dns/dispatch.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dispatch.h,v 1.60.82.2 2009/01/29 23:47:44 tbox Exp $ */
+/* $Id: dispatch.h,v 1.62 2009/01/27 23:47:54 tbox Exp $ */
 
 #ifndef DNS_DISPATCH_H
 #define DNS_DISPATCH_H 1
diff --git a/lib/dns/include/dns/dlz.h b/lib/dns/include/dns/dlz.h
index 75ba99fb..461d1620 100644
--- a/lib/dns/include/dns/dlz.h
+++ b/lib/dns/include/dns/dlz.h
@@ -50,7 +50,7 @@
  * USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dlz.h,v 1.7.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: dlz.h,v 1.9 2009/01/17 23:47:43 tbox Exp $ */
 
 /*! \file dns/dlz.h */
 
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index c5206be6..09ada3cd 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec.h,v 1.32.332.4 2009/06/08 23:47:00 tbox Exp $ */
+/* $Id: dnssec.h,v 1.34 2009/06/04 02:56:47 tbox Exp $ */
 
 #ifndef DNS_DNSSEC_H
 #define DNS_DNSSEC_H 1
@@ -178,6 +178,12 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
  *\li		DST_R_*
  */
 
+isc_boolean_t
+dns_dnssec_selfsigns(dns_rdata_t *rdata, dns_name_t *name,
+		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		     isc_boolean_t ignoretime, isc_mem_t *mctx);
+
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_DNSSEC_H */
diff --git a/lib/dns/include/dns/events.h b/lib/dns/include/dns/events.h
index bb61b9d4..18659e27 100644
--- a/lib/dns/include/dns/events.h
+++ b/lib/dns/include/dns/events.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: events.h,v 1.49.332.2 2009/05/07 23:47:12 tbox Exp $ */
+/* $Id: events.h,v 1.51 2009/05/06 23:47:50 tbox Exp $ */
 
 #ifndef DNS_EVENTS_H
 #define DNS_EVENTS_H 1
diff --git a/lib/dns/include/dns/journal.h b/lib/dns/include/dns/journal.h
index 3917d8db..04ab4c69 100644
--- a/lib/dns/include/dns/journal.h
+++ b/lib/dns/include/dns/journal.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: journal.h,v 1.33.120.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: journal.h,v 1.35 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef DNS_JOURNAL_H
 #define DNS_JOURNAL_H 1
diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h
index 7f509e6e..eef496c9 100644
--- a/lib/dns/include/dns/keyvalues.h
+++ b/lib/dns/include/dns/keyvalues.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyvalues.h,v 1.23.48.2 2009/06/04 02:56:14 tbox Exp $ */
+/* $Id: keyvalues.h,v 1.25 2009/06/04 02:56:47 tbox Exp $ */
 
 #ifndef DNS_KEYVALUES_H
 #define DNS_KEYVALUES_H 1
diff --git a/lib/dns/include/dns/log.h b/lib/dns/include/dns/log.h
index b7aed42c..5eac7dfb 100644
--- a/lib/dns/include/dns/log.h
+++ b/lib/dns/include/dns/log.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.h,v 1.42.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: log.h,v 1.44 2009/01/17 23:47:43 tbox Exp $ */
 
 /*! \file dns/log.h
  * \author  Principal Authors: DCL */
diff --git a/lib/dns/include/dns/lookup.h b/lib/dns/include/dns/lookup.h
index 0e9a327c..e825e00b 100644
--- a/lib/dns/include/dns/lookup.h
+++ b/lib/dns/include/dns/lookup.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lookup.h,v 1.12.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: lookup.h,v 1.14 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef DNS_LOOKUP_H
 #define DNS_LOOKUP_H 1
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index f880095c..c499e5a2 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.h,v 1.125.118.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: message.h,v 1.127 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef DNS_MESSAGE_H
 #define DNS_MESSAGE_H 1
diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h
index 0149301d..f42fcbb2 100644
--- a/lib/dns/include/dns/name.h
+++ b/lib/dns/include/dns/name.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.h,v 1.126.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: name.h,v 1.129 2009/03/11 07:02:34 each Exp $ */
 
 #ifndef DNS_NAME_H
 #define DNS_NAME_H 1
@@ -1130,6 +1130,42 @@ dns_name_format(dns_name_t *name, char *cp, unsigned int size);
  */
 
 isc_result_t
+dns_name_tostring(dns_name_t *source, char **target, isc_mem_t *mctx);
+/*%<
+ * Convert 'name' to string format, allocating sufficient memory to
+ * hold it (free with isc_mem_free()).
+ *
+ * Differs from dns_name_format in that it allocates its own memory.
+ *
+ * Requires:
+ *
+ *\li	'name' is a valid name.
+ *\li	'target' is not NULL.
+ *\li	'*target' is NULL.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Any error that dns_name_totext() can return.
+ */
+
+isc_result_t
+dns_name_fromstring(dns_name_t *target, const char *src, isc_mem_t *mctx);
+/*%<
+ * Convert a string to a name and place it in target, allocating memory
+ * as necessary.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *
+ *\li	Any error that dns_name_fromtext() can return.
+ *
+ *\li	Any error that dns_name_dup() can return.
+ */
+
+isc_result_t
 dns_name_settotextfilter(dns_name_totextfilter_t proc);
 /*%<
  * Set / clear a thread specific function 'proc' to be called at the
diff --git a/lib/dns/include/dns/nsec3.h b/lib/dns/include/dns/nsec3.h
index 2d6a8dde..6eaa6d2f 100644
--- a/lib/dns/include/dns/nsec3.h
+++ b/lib/dns/include/dns/nsec3.h
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3.h,v 1.5.48.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: nsec3.h,v 1.7 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef DNS_NSEC3_H
 #define DNS_NSEC3_H 1
diff --git a/lib/dns/include/dns/peer.h b/lib/dns/include/dns/peer.h
index 9e7a1886..86324a3d 100644
--- a/lib/dns/include/dns/peer.h
+++ b/lib/dns/include/dns/peer.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: peer.h,v 1.33.118.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: peer.h,v 1.35 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef DNS_PEER_H
 #define DNS_PEER_H 1
diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h
index 6eea787a..bd11f40b 100644
--- a/lib/dns/include/dns/rbt.h
+++ b/lib/dns/include/dns/rbt.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbt.h,v 1.71.48.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: rbt.h,v 1.73 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef DNS_RBT_H
 #define DNS_RBT_H 1
diff --git a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h
index 126bc96c..7b1d7f2c 100644
--- a/lib/dns/include/dns/rdata.h
+++ b/lib/dns/include/dns/rdata.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata.h,v 1.70.120.3 2009/02/16 00:29:27 marka Exp $ */
+/* $Id: rdata.h,v 1.73 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef DNS_RDATA_H
 #define DNS_RDATA_H 1
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
index baff146f..3d416a5b 100644
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.h,v 1.65.50.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: rdataset.h,v 1.67 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef DNS_RDATASET_H
 #define DNS_RDATASET_H 1
diff --git a/lib/dns/include/dns/request.h b/lib/dns/include/dns/request.h
index 62a83caf..adadce3e 100644
--- a/lib/dns/include/dns/request.h
+++ b/lib/dns/include/dns/request.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: request.h,v 1.27.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: request.h,v 1.29 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef DNS_REQUEST_H
 #define DNS_REQUEST_H 1
diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
index fa837c1d..04a7a1e0 100644
--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.h,v 1.60.56.3 2009/01/29 22:40:35 jinmei Exp $ */
+/* $Id: resolver.h,v 1.63 2009/01/27 22:29:59 jinmei Exp $ */
 
 #ifndef DNS_RESOLVER_H
 #define DNS_RESOLVER_H 1
diff --git a/lib/dns/include/dns/sdb.h b/lib/dns/include/dns/sdb.h
index c8500287..b7fbc99e 100644
--- a/lib/dns/include/dns/sdb.h
+++ b/lib/dns/include/dns/sdb.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sdb.h,v 1.21.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: sdb.h,v 1.23 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef DNS_SDB_H
 #define DNS_SDB_H 1
diff --git a/lib/dns/include/dns/sdlz.h b/lib/dns/include/dns/sdlz.h
index acb0437b..c452f463 100644
--- a/lib/dns/include/dns/sdlz.h
+++ b/lib/dns/include/dns/sdlz.h
@@ -50,7 +50,7 @@
  * USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sdlz.h,v 1.7.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: sdlz.h,v 1.9 2009/01/17 23:47:43 tbox Exp $ */
 
 /*! \file dns/sdlz.h */
 
diff --git a/lib/dns/include/dns/stats.h b/lib/dns/include/dns/stats.h
index 0b35aa82..fee9e1b3 100644
--- a/lib/dns/include/dns/stats.h
+++ b/lib/dns/include/dns/stats.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stats.h,v 1.18.56.2 2009/01/29 23:47:44 tbox Exp $ */
+/* $Id: stats.h,v 1.20 2009/01/27 23:47:54 tbox Exp $ */
 
 #ifndef DNS_STATS_H
 #define DNS_STATS_H 1
diff --git a/lib/dns/include/dns/tkey.h b/lib/dns/include/dns/tkey.h
index 3511f2f3..6a002a9a 100644
--- a/lib/dns/include/dns/tkey.h
+++ b/lib/dns/include/dns/tkey.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkey.h,v 1.26.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: tkey.h,v 1.28 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef DNS_TKEY_H
 #define DNS_TKEY_H 1
diff --git a/lib/dns/include/dns/tsig.h b/lib/dns/include/dns/tsig.h
index e8c0e2ca..b4770b4e 100644
--- a/lib/dns/include/dns/tsig.h
+++ b/lib/dns/include/dns/tsig.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsig.h,v 1.51 2007/06/19 23:47:17 tbox Exp $ */
+/* $Id: tsig.h,v 1.53 2009/06/11 23:47:55 tbox Exp $ */
 
 #ifndef DNS_TSIG_H
 #define DNS_TSIG_H 1
@@ -81,8 +81,8 @@ struct dns_tsigkey {
 
 #define dns_tsigkey_identity(tsigkey) \
 	((tsigkey) == NULL ? NULL : \
-         (tsigkey)->generated ? ((tsigkey)->creator) : \
-         (&((tsigkey)->name)))
+	 (tsigkey)->generated ? ((tsigkey)->creator) : \
+	 (&((tsigkey)->name)))
 
 ISC_LANG_BEGINDECLS
 
@@ -242,6 +242,20 @@ dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp);
  *\li		#ISC_R_NOMEMORY
  */
 
+isc_result_t
+dns_tsigkeyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
+		    dns_tsigkey_t *tkey);
+/*%<
+ *      Place a TSIG key onto a key ring.
+ *
+ *	Requires:
+ *\li		'ring', 'name' and 'tkey' are not NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		Any other value indicates failure.
+ */
+
 
 void
 dns_tsigkeyring_destroy(dns_tsig_keyring_t **ringp);
diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index e07a7965..292ec600 100644
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.130.50.3 2009/01/29 22:40:35 jinmei Exp $ */
+/* $Id: types.h,v 1.133 2009/01/27 22:29:59 jinmei Exp $ */
 
 #ifndef DNS_TYPES_H
 #define DNS_TYPES_H 1
diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h
index 2555214b..7f57877e 100644
--- a/lib/dns/include/dns/validator.h
+++ b/lib/dns/include/dns/validator.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.h,v 1.41.48.3 2009/01/18 23:25:17 marka Exp $ */
+/* $Id: validator.h,v 1.44 2009/01/17 13:20:45 fdupont Exp $ */
 
 #ifndef DNS_VALIDATOR_H
 #define DNS_VALIDATOR_H 1
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index 5b53c164..d275b10f 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.h,v 1.111.88.4 2009/01/29 22:40:35 jinmei Exp $ */
+/* $Id: view.h,v 1.117 2009/05/29 22:22:37 jinmei Exp $ */
 
 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
@@ -102,6 +102,7 @@ struct dns_view {
 	isc_event_t			reqevent;
 	isc_stats_t *			resstats;
 	dns_stats_t *			resquerystats;
+	isc_boolean_t			cacheshared;
 
 	/* Configurable data. */
 	dns_tsig_keyring_t *		statickeys;
@@ -127,6 +128,10 @@ struct dns_view {
 	dns_acl_t *			transferacl;
 	dns_acl_t *			updateacl;
 	dns_acl_t *			upfwdacl;
+	dns_acl_t *			denyansweracl;
+	dns_rbt_t *			answeracl_exclude;
+	dns_rbt_t *			denyanswernames;
+	dns_rbt_t *			answernames_exclude;
 	isc_boolean_t			requestixfr;
 	isc_boolean_t			provideixfr;
 	isc_boolean_t			requestnsid;
@@ -308,8 +313,12 @@ dns_view_createresolver(dns_view_t *view,
 
 void
 dns_view_setcache(dns_view_t *view, dns_cache_t *cache);
+void
+dns_view_setcache2(dns_view_t *view, dns_cache_t *cache, isc_boolean_t shared);
 /*%<
- * Set the view's cache database.
+ * Set the view's cache database.  If 'shared' is true, this means the cache
+ * is created by another view and is shared with that view.  dns_view_setcache()
+ * is a backward compatible version equivalent to setcache2(..., ISC_FALSE).
  *
  * Requires:
  *
@@ -726,8 +735,14 @@ dns_view_dumpdbtostream(dns_view_t *view, FILE *fp);
 
 isc_result_t
 dns_view_flushcache(dns_view_t *view);
+isc_result_t
+dns_view_flushcache2(dns_view_t *view, isc_boolean_t fixuponly);
 /*%<
- * Flush the view's cache (and ADB).
+ * Flush the view's cache (and ADB).  If 'fixuponly' is true, it only updates
+ * the internal reference to the cache DB with omitting actual flush operation.
+ * 'fixuponly' is intended to be used for a view that shares a cache with
+ * a different view.  dns_view_flushcache() is a backward compatible version
+ * that always sets fixuponly to false.
  *
  * Requires:
  * 	'view' is valid.
@@ -876,4 +891,17 @@ dns_view_getresquerystats(dns_view_t *view, dns_stats_t **statsp);
  *\li	'statsp' != NULL && '*statsp' != NULL
  */
 
+isc_boolean_t
+dns_view_iscacheshared(dns_view_t *view);
+/*%<
+ * Check if the view shares the cache created by another view.
+ *
+ * Requires:
+ * \li	'view' is valid.
+ *
+ * Returns:
+ *\li	#ISC_TRUE if the cache is shared.
+ *\li	#ISC_FALSE otherwise.
+ */
+
 #endif /* DNS_VIEW_H */
diff --git a/lib/dns/include/dns/xfrin.h b/lib/dns/include/dns/xfrin.h
index 04866eea..2f20c35f 100644
--- a/lib/dns/include/dns/xfrin.h
+++ b/lib/dns/include/dns/xfrin.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrin.h,v 1.28.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: xfrin.h,v 1.30 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef DNS_XFRIN_H
 #define DNS_XFRIN_H 1
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index e2859ae5..b917b4d6 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.160.50.4 2009/01/29 22:40:35 jinmei Exp $ */
+/* $Id: zone.h,v 1.164 2009/01/27 22:29:59 jinmei Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 702ad719..0708e5fb 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst.h,v 1.12 2008/09/24 02:46:23 marka Exp $ */
+/* $Id: dst.h,v 1.14 2009/06/11 23:47:55 tbox Exp $ */
 
 #ifndef DST_DST_H
 #define DST_DST_H 1
@@ -509,10 +509,12 @@ dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2);
 void
 dst_key_free(dst_key_t **keyp);
 /*%<
- * Release all memory associated with the key.
+ * Decrement the key's reference counter and, when it reaches zero,
+ * release all memory associated with the key.
  *
  * Requires:
  *\li	"keyp" is not NULL and "*keyp" is a valid key.
+ *\li	reference counter greater than zero.
  *
  * Ensures:
  *\li	All memory associated with "*keyp" will be freed.
diff --git a/lib/dns/include/dst/gssapi.h b/lib/dns/include/dst/gssapi.h
index 446b76da..31e454a4 100644
--- a/lib/dns/include/dst/gssapi.h
+++ b/lib/dns/include/dst/gssapi.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gssapi.h,v 1.9.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: gssapi.h,v 1.11 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef DST_GSSAPI_H
 #define DST_GSSAPI_H 1
diff --git a/lib/dns/iptable.c b/lib/dns/iptable.c
index 55a5351a..e960d5c4 100644
--- a/lib/dns/iptable.c
+++ b/lib/dns/iptable.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: iptable.c,v 1.12.44.3 2009/02/18 23:47:12 tbox Exp $ */
+/* $Id: iptable.c,v 1.15 2009/02/18 23:47:48 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/lib/dns/journal.c b/lib/dns/journal.c
index 8c21f1ec..b7970215 100644
--- a/lib/dns/journal.c
+++ b/lib/dns/journal.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: journal.c,v 1.103.48.2 2009/01/18 23:47:37 tbox Exp $ */
+/* $Id: journal.c,v 1.105 2009/01/17 23:47:42 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/lib/dns/master.c b/lib/dns/master.c
index 462269e1..ec45a720 100644
--- a/lib/dns/master.c
+++ b/lib/dns/master.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: master.c,v 1.171.120.2 2009/01/18 23:47:40 tbox Exp $ */
+/* $Id: master.c,v 1.176 2009/02/16 03:19:40 marka Exp $ */
 
 /*! \file */
 
@@ -85,7 +85,11 @@
  */
 #define TOKENSIZ (8*1024)
 
-#define DNS_MASTER_BUFSZ 2048
+/*%
+ * Buffers sizes for $GENERATE.
+ */
+#define DNS_MASTER_LHS 2048
+#define DNS_MASTER_RHS MINTSIZ
 
 typedef ISC_LIST(dns_rdatalist_t) rdatalist_head_t;
 
@@ -614,6 +618,57 @@ loadctx_create(dns_masterformat_t format, isc_mem_t *mctx,
 	return (result);
 }
 
+static const char *hex = "0123456789abcdef0123456789ABCDEF";
+
+/*%
+ * Convert value into a nibble sequence from least significant to most
+ * significant nibble.  Zero fill upper most significant nibbles if
+ * required to make the width.
+ *
+ * Returns the number of characters that should have been written without
+ * counting the terminating NUL.
+ */
+static unsigned int
+nibbles(char *numbuf, size_t length, unsigned int width, char mode, int value) {
+	unsigned int count = 0;
+
+	/*
+	 * This reserve space for the NUL string terminator.
+	 */
+	if (length > 0U) {
+		*numbuf = '\0';
+		length--;
+	}
+	do {
+		char val = hex[(value & 0x0f) + ((mode == 'n') ? 0 : 16)];
+		value >>= 4;
+		if (length > 0U) {
+			*numbuf++ = val;
+			*numbuf = '\0';
+			length--;
+		}
+		if (width > 0)
+			width--;
+		count++;
+		/*
+		 * If width is non zero then we need to add a label seperator.
+		 * If value is non zero then we need to add another label and
+		 * that requires a label seperator.
+		 */
+		if (width > 0 || value != 0) {
+			if (length > 0U) {
+				*numbuf++ = '.';
+				*numbuf = '\0';
+				length--;
+			}
+			if (width > 0)
+				width--;
+			count++;
+		}
+	} while (value != 0 || width > 0);
+	return (count);
+}
+
 static isc_result_t
 genname(char *name, int it, char *buffer, size_t length) {
 	char fmt[sizeof("%04000000000d")];
@@ -624,6 +679,7 @@ genname(char *name, int it, char *buffer, size_t length) {
 	isc_textregion_t r;
 	unsigned int n;
 	unsigned int width;
+	isc_boolean_t nibblemode;
 
 	r.base = buffer;
 	r.length = length;
@@ -638,10 +694,11 @@ genname(char *name, int it, char *buffer, size_t length) {
 				isc_textregion_consume(&r, 1);
 				continue;
 			}
+			nibblemode = ISC_FALSE;
 			strcpy(fmt, "%d");
 			/* Get format specifier. */
 			if (*name == '{' ) {
-				n = sscanf(name, "{%d,%u,%1[doxX]}",
+				n = sscanf(name, "{%d,%u,%1[doxXnN]}",
 					   &delta, &width, mode);
 				switch (n) {
 				case 1:
@@ -651,6 +708,8 @@ genname(char *name, int it, char *buffer, size_t length) {
 						     "%%0%ud", width);
 					break;
 				case 3:
+					if (mode[0] == 'n' || mode[0] == 'N')
+						nibblemode = ISC_TRUE;
 					n = snprintf(fmt, sizeof(fmt),
 						     "%%0%u%c", width, mode[0]);
 					break;
@@ -663,7 +722,12 @@ genname(char *name, int it, char *buffer, size_t length) {
 				while (*name != '\0' && *name++ != '}')
 					continue;
 			}
-			n = snprintf(numbuf, sizeof(numbuf), fmt, it + delta);
+			if (nibblemode)
+				n = nibbles(numbuf, sizeof(numbuf), width,
+					    mode[0], it + delta);
+			else
+				n = snprintf(numbuf, sizeof(numbuf), fmt,
+					     it + delta);
 			if (n >= sizeof(numbuf))
 				return (ISC_R_NOSPACE);
 			cp = numbuf;
@@ -746,8 +810,8 @@ generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
 	ISC_LIST_INIT(head);
 
 	target_mem = isc_mem_get(lctx->mctx, target_size);
-	rhsbuf = isc_mem_get(lctx->mctx, DNS_MASTER_BUFSZ);
-	lhsbuf = isc_mem_get(lctx->mctx, DNS_MASTER_BUFSZ);
+	rhsbuf = isc_mem_get(lctx->mctx, DNS_MASTER_RHS);
+	lhsbuf = isc_mem_get(lctx->mctx, DNS_MASTER_LHS);
 	if (target_mem == NULL || rhsbuf == NULL || lhsbuf == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto error_cleanup;
@@ -778,35 +842,13 @@ generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
 		goto insist_cleanup;
 	}
 
-	switch (type) {
-	case dns_rdatatype_ns:
-	case dns_rdatatype_ptr:
-	case dns_rdatatype_cname:
-	case dns_rdatatype_dname:
-		break;
-
-	case dns_rdatatype_a:
-	case dns_rdatatype_aaaa:
-		if (lctx->zclass == dns_rdataclass_in ||
-		    lctx->zclass == dns_rdataclass_ch ||
-		    lctx->zclass == dns_rdataclass_hs)
-			break;
-		/* FALLTHROUGH */
-	default:
-	       (*callbacks->error)(callbacks,
-				  "%s: %s:%lu: unsupported type '%s'",
-				  "$GENERATE", source, line, gtype);
-		result = ISC_R_NOTIMPLEMENTED;
-		goto error_cleanup;
-	}
-
 	ISC_LIST_INIT(rdatalist.rdata);
 	ISC_LINK_INIT(&rdatalist, link);
 	for (i = start; i <= stop; i += step) {
-		result = genname(lhs, i, lhsbuf, DNS_MASTER_BUFSZ);
+		result = genname(lhs, i, lhsbuf, DNS_MASTER_LHS);
 		if (result != ISC_R_SUCCESS)
 			goto error_cleanup;
-		result = genname(rhs, i, rhsbuf, DNS_MASTER_BUFSZ);
+		result = genname(rhs, i, rhsbuf, DNS_MASTER_RHS);
 		if (result != ISC_R_SUCCESS)
 			goto error_cleanup;
 
@@ -880,9 +922,9 @@ generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
 	if (target_mem != NULL)
 		isc_mem_put(lctx->mctx, target_mem, target_size);
 	if (lhsbuf != NULL)
-		isc_mem_put(lctx->mctx, lhsbuf, DNS_MASTER_BUFSZ);
+		isc_mem_put(lctx->mctx, lhsbuf, DNS_MASTER_LHS);
 	if (rhsbuf != NULL)
-		isc_mem_put(lctx->mctx, rhsbuf, DNS_MASTER_BUFSZ);
+		isc_mem_put(lctx->mctx, rhsbuf, DNS_MASTER_RHS);
 	return (result);
 }
 
@@ -1270,7 +1312,8 @@ load_text(dns_loadctx_t *lctx) {
 					goto log_and_cleanup;
 				}
 				/* RHS */
-				GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
+				GETTOKEN(lctx->lex, ISC_LEXOPT_QSTRING,
+					 &token, ISC_FALSE);
 				rhs = isc_mem_strdup(mctx, DNS_AS_STR(token));
 				if (rhs == NULL) {
 					result = ISC_R_NOMEMORY;
diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c
index 5eac96ff..ce949627 100644
--- a/lib/dns/masterdump.c
+++ b/lib/dns/masterdump.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.c,v 1.94.50.2 2009/01/18 23:47:40 tbox Exp $ */
+/* $Id: masterdump.c,v 1.97 2009/01/17 23:47:42 tbox Exp $ */
 
 /*! \file */
 
@@ -42,6 +42,7 @@
 #include <dns/log.h>
 #include <dns/master.h>
 #include <dns/masterdump.h>
+#include <dns/ncache.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
 #include <dns/rdataset.h>
@@ -60,6 +61,11 @@
 		return (_r); \
 	} while (0)
 
+#define CHECK(x) do { \
+	if ((x) != ISC_R_SUCCESS) \
+		goto cleanup; \
+	} while (0)
+
 struct dns_master_style {
 	unsigned int flags;		/* DNS_STYLEFLAG_* */
 	unsigned int ttl_column;
@@ -336,6 +342,52 @@ str_totext(const char *source, isc_buffer_t *target) {
 	return (ISC_R_SUCCESS);
 }
 
+static isc_result_t
+ncache_summary(dns_rdataset_t *rdataset, isc_boolean_t omit_final_dot,
+	       isc_buffer_t *target)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdataset_t rds;
+	dns_name_t name;
+
+	dns_rdataset_init(&rds);
+	dns_name_init(&name, NULL);
+
+	do {
+		dns_ncache_current(rdataset, &name, &rds);
+		for (result = dns_rdataset_first(&rds);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&rds)) {
+			CHECK(str_totext("; ", target));
+			CHECK(dns_name_totext(&name, omit_final_dot, target));
+			CHECK(str_totext(" ", target));
+			CHECK(dns_rdatatype_totext(rds.type, target));
+			if (rds.type == dns_rdatatype_rrsig) {
+				CHECK(str_totext(" ", target));
+				CHECK(dns_rdatatype_totext(rds.covers, target));
+				CHECK(str_totext(" ...\n", target));
+			} else {
+				dns_rdata_t rdata = DNS_RDATA_INIT;
+				dns_rdataset_current(&rds, &rdata);
+				CHECK(str_totext(" ", target));
+				CHECK(dns_rdata_tofmttext(&rdata, dns_rootname,
+							  0, 0, " ", target));
+				CHECK(str_totext("\n", target));
+			}
+		}
+		dns_rdataset_disassociate(&rds);
+		result = dns_rdataset_next(rdataset);
+	} while (result == ISC_R_SUCCESS);
+
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+ cleanup:
+	if (dns_rdataset_isassociated(&rds))
+		dns_rdataset_disassociate(&rds);
+
+	return (result);
+}
+
 /*
  * Convert 'rdataset' to master file text format according to 'ctx',
  * storing the result in 'target'.  If 'owner_name' is NULL, it
@@ -464,6 +516,13 @@ rdataset_totext(dns_rdataset_t *rdataset,
 				RETERR(str_totext(";-$NXDOMAIN\n", target));
 			else
 				RETERR(str_totext(";-$NXRRSET\n", target));
+			/*
+			 * Print a summary of the cached records which make
+			 * up the negative response.
+			 */
+			RETERR(ncache_summary(rdataset, omit_final_dot,
+					      target));
+			break;
 		} else {
 			dns_rdata_t rdata = DNS_RDATA_INIT;
 			isc_region_t r;
diff --git a/lib/dns/message.c b/lib/dns/message.c
index b541635a..302a7545 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.c,v 1.245.50.2 2009/01/18 23:47:40 tbox Exp $ */
+/* $Id: message.c,v 1.247 2009/01/17 23:47:42 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/name.c b/lib/dns/name.c
index f4ea3e91..c5c37404 100644
--- a/lib/dns/name.c
+++ b/lib/dns/name.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.c,v 1.165 2008/04/01 23:47:10 tbox Exp $ */
+/* $Id: name.c,v 1.167 2009/03/11 23:47:35 tbox Exp $ */
 
 /*! \file */
 
@@ -34,6 +34,7 @@
 #include <isc/util.h>
 
 #include <dns/compress.h>
+#include <dns/fixedname.h>
 #include <dns/name.h>
 #include <dns/result.h>
 
@@ -2340,6 +2341,58 @@ dns_name_format(dns_name_t *name, char *cp, unsigned int size) {
 		snprintf(cp, size, "<unknown>");
 }
 
+/*
+ * dns_name_tostring() -- similar to dns_name_format() but allocates its own
+ * memory.
+ */
+isc_result_t
+dns_name_tostring(dns_name_t *name, char **target, isc_mem_t *mctx) {
+	isc_result_t result;
+	isc_buffer_t buf;
+	isc_region_t reg;
+	char *p, txt[DNS_NAME_FORMATSIZE];
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(target != NULL && *target == NULL);
+
+	isc_buffer_init(&buf, txt, sizeof(txt));
+	result = dns_name_totext(name, ISC_FALSE, &buf);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	isc_buffer_usedregion(&buf, &reg);
+	p = isc_mem_allocate(mctx, reg.length + 1);
+	memcpy(p, (char *) reg.base, (int) reg.length);
+	p[reg.length] = '\0';
+
+	*target = p;
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * dns_name_fromstring() -- convert directly from a string to a name,
+ * allocating memory as needed
+ */
+isc_result_t
+dns_name_fromstring(dns_name_t *target, const char *src, isc_mem_t *mctx) {
+	isc_result_t result;
+	isc_buffer_t buf;
+	dns_fixedname_t fn;
+	dns_name_t *name;
+
+	isc_buffer_init(&buf, src, strlen(src));
+	isc_buffer_add(&buf, strlen(src));
+	dns_fixedname_init(&fn);
+	name = dns_fixedname_name(&fn);
+
+	result = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_name_dup(name, mctx, target);
+	return (result);
+}
+
 isc_result_t
 dns_name_copy(dns_name_t *source, dns_name_t *dest, isc_buffer_t *target) {
 	unsigned char *ndata;
diff --git a/lib/dns/nsec.c b/lib/dns/nsec.c
index 39f409c7..7e953966 100644
--- a/lib/dns/nsec.c
+++ b/lib/dns/nsec.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec.c,v 1.11.48.2 2009/01/06 23:47:26 tbox Exp $ */
+/* $Id: nsec.c,v 1.13 2009/01/06 23:47:57 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index f9b8cad2..d3209b10 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3.c,v 1.6.12.2 2009/06/04 02:56:14 tbox Exp $ */
+/* $Id: nsec3.c,v 1.8 2009/06/04 02:56:47 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 2dc7d7e4..41e9e2f5 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.22.112.3 2009/02/11 03:07:01 jinmei Exp $
+ * $Id: openssl_link.c,v 1.25 2009/02/11 03:04:18 jinmei Exp $
  */
 #ifdef OPENSSL
 
diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c
index 14e89e1a..815eff1d 100644
--- a/lib/dns/openssldsa_link.c
+++ b/lib/dns/openssldsa_link.c
@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: openssldsa_link.c,v 1.13.120.2 2009/01/14 23:47:26 tbox Exp $ */
+/* $Id: openssldsa_link.c,v 1.15 2009/01/14 23:48:00 tbox Exp $ */
 
 #ifdef OPENSSL
 #ifndef USE_EVP
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index d557c43d..8f0733d2 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -17,7 +17,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.20.50.3 2009/01/18 23:25:16 marka Exp $
+ * $Id: opensslrsa_link.c,v 1.23 2009/01/17 14:41:43 fdupont Exp $
  */
 #ifdef OPENSSL
 #ifndef USE_EVP
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
index ff8b3a36..81911816 100644
--- a/lib/dns/rbt.c
+++ b/lib/dns/rbt.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbt.c,v 1.142.50.2 2009/01/18 23:47:40 tbox Exp $ */
+/* $Id: rbt.c,v 1.144 2009/01/17 23:47:42 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 9741c157..cc17d815 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.270.12.6 2009/05/06 23:34:30 jinmei Exp $ */
+/* $Id: rbtdb.c,v 1.276 2009/05/06 22:53:54 jinmei Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
index 58ade858..faa1d528 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rcode.c,v 1.8 2008/09/25 04:02:38 tbox Exp $ */
+/* $Id: rcode.c,v 1.9 2008/12/16 05:04:47 marka Exp $ */
 
 #include <config.h>
 #include <ctype.h>
@@ -79,12 +79,17 @@
 	{ dns_tsigerror_badtrunc, "BADTRUNC", 0}, \
 	{ 0, NULL, 0 }
 
-/* RFC2538 section 2.1 */
+/* RFC4398 section 2.1 */
 
 #define CERTNAMES \
 	{ 1, "PKIX", 0}, \
 	{ 2, "SPKI", 0}, \
 	{ 3, "PGP", 0}, \
+	{ 4, "IPKIX", 0}, \
+	{ 5, "ISPKI", 0}, \
+	{ 6, "IPGP", 0}, \
+	{ 7, "ACPKIX", 0}, \
+	{ 8, "IACPKIX", 0}, \
 	{ 253, "URI", 0}, \
 	{ 254, "OID", 0}, \
 	{ 0, NULL, 0}
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
index ab9df8b7..032c3d8c 100644
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata.c,v 1.199.50.2 2009/02/16 23:47:15 tbox Exp $ */
+/* $Id: rdata.c,v 1.200 2008/12/12 04:37:23 marka Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/rdata/generic/hip_55.c b/lib/dns/rdata/generic/hip_55.c
new file mode 100644
index 00000000..c5e0687e
--- /dev/null
+++ b/lib/dns/rdata/generic/hip_55.c
@@ -0,0 +1,452 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: hip_55.c,v 1.3 2009/02/26 11:18:56 tbox Exp $ */
+
+/* reviewed: TBC */
+
+/* RFC 5205 */
+
+#ifndef RDATA_GENERIC_HIP_5_C
+#define RDATA_GENERIC_HIP_5_C
+
+#define RRTYPE_HIP_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_hip(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	isc_buffer_t hit_len;
+	isc_buffer_t key_len;
+	unsigned char *start;
+	size_t len;
+
+	REQUIRE(type == 55);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Dummy HIT len.
+	 */
+	hit_len = *target;
+	RETERR(uint8_tobuffer(0, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Dummy KEY len.
+	 */
+	key_len = *target;
+	RETERR(uint16_tobuffer(0, target));
+
+	/*
+	 * HIT (base16).
+	 */
+	start = isc_buffer_used(target);
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      ISC_FALSE));
+	RETTOK(isc_hex_decodestring(DNS_AS_STR(token), target));
+
+	/*
+	 * Fill in HIT len.
+	 */
+	len = (unsigned char *)isc_buffer_used(target) - start;
+	if (len > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(len, &hit_len));
+
+	/*
+	 * Public key (base64).
+	 */
+	start = isc_buffer_used(target);
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      ISC_FALSE));
+	RETTOK(isc_base64_decodestring(DNS_AS_STR(token), target));
+
+	/*
+	 * Fill in KEY len.
+	 */
+	len = (unsigned char *)isc_buffer_used(target) - start;
+	if (len > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(len, &key_len));
+
+	/*
+	 * Rendezvous Servers.
+	 */
+	dns_name_init(&name, NULL);
+	do {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string,
+					      ISC_TRUE));
+		if (token.type != isc_tokentype_string)
+			break;
+		buffer_fromregion(&buffer, &token.value.as_region);
+		origin = (origin != NULL) ? origin : dns_rootname;
+		RETTOK(dns_name_fromtext(&name, &buffer, origin, options,
+					 target));
+	} while (1);
+
+	/*
+	 * Let upper layer handle eol/eof.
+	 */
+	isc_lex_ungettoken(lexer, &token);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_hip(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	isc_boolean_t sub;
+	size_t length, key_len, hit_len;
+	unsigned char algorithm;
+	char buf[sizeof("225 ")];
+
+	REQUIRE(rdata->type == 55);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &region);
+
+	hit_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	algorithm = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	key_len = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext("( ", target));
+
+	/*
+	 * Algorithm
+	 */
+	sprintf(buf, "%u ", algorithm);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * HIT.
+	 */
+	INSIST(hit_len < region.length);
+	length = region.length;
+	region.length = hit_len;
+	RETERR(isc_hex_totext(&region, 1, "", target));
+	region.length = length - hit_len;
+	RETERR(str_totext(tctx->linebreak, target));
+
+	/*
+	 * Public KEY.
+	 */
+	INSIST(key_len <= region.length);
+	length = region.length;
+	region.length = key_len;
+	RETERR(isc_base64_totext(&region, 1, "", target));
+	region.length = length - key_len;
+	RETERR(str_totext(tctx->linebreak, target));
+
+	/*
+	 * Rendezvous Servers.
+	 */
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+	while (region.length > 0) {
+		dns_name_fromregion(&name, &region);
+
+		sub = name_prefix(&name, tctx->origin, &prefix);
+		RETERR(dns_name_totext(&prefix, sub, target));
+		isc_region_consume(&region, name.length);
+		if (region.length > 0)
+			RETERR(str_totext(tctx->linebreak, target));
+	}
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" )", target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_hip(ARGS_FROMWIRE) {
+	isc_region_t region, rr;
+	dns_name_t name;
+	isc_uint8_t hit_len;
+	isc_uint16_t key_len;
+
+	REQUIRE(type == 55);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	isc_buffer_activeregion(source, &region);
+	if (region.length < 4U)
+		RETERR(DNS_R_FORMERR);
+
+	rr = region;
+	hit_len = uint8_fromregion(&region);
+	if (hit_len == 0)
+		RETERR(DNS_R_FORMERR);
+	isc_region_consume(&region, 2);  	/* hit length + algorithm */
+	key_len = uint16_fromregion(&region);
+	if (key_len == 0)
+		RETERR(DNS_R_FORMERR);
+	isc_region_consume(&region, 2);
+	if (region.length < hit_len + key_len)
+		RETERR(DNS_R_FORMERR);
+
+	RETERR(mem_tobuffer(target, rr.base, 4 + hit_len + key_len));
+	isc_buffer_forward(source, 4 + hit_len + key_len);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+	while (isc_buffer_activelength(source) > 0) {
+		dns_name_init(&name, NULL);
+		RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_hip(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == 55);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &region);
+	return (mem_tobuffer(target, region.base, region.length));
+}
+
+static inline int
+compare_hip(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == 55);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+	return (isc_region_compare(&region1, &region2));
+}
+
+static inline isc_result_t
+fromstruct_hip(ARGS_FROMSTRUCT) {
+	dns_rdata_hip_t *hip = source;
+	dns_rdata_hip_t myhip;
+	isc_result_t result;
+
+	REQUIRE(type == 55);
+	REQUIRE(source != NULL);
+	REQUIRE(hip->common.rdtype == type);
+	REQUIRE(hip->common.rdclass == rdclass);
+	REQUIRE(hip->hit_len > 0 && hip->hit != NULL);
+	REQUIRE(hip->key_len > 0 && hip->key != NULL);
+	REQUIRE((hip->servers == NULL && hip->servers_len == 0) ||
+		 (hip->servers != NULL && hip->servers_len != 0));
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(hip->hit_len, target));
+	RETERR(uint8_tobuffer(hip->algorithm, target));
+	RETERR(uint16_tobuffer(hip->key_len, target));
+	RETERR(mem_tobuffer(target, hip->hit, hip->hit_len));
+	RETERR(mem_tobuffer(target, hip->key, hip->key_len));
+
+	myhip = *hip;
+	for (result = dns_rdata_hip_first(&myhip);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdata_hip_next(&myhip))
+		/* empty */;
+
+	return(mem_tobuffer(target, hip->servers, hip->servers_len));
+}
+
+static inline isc_result_t
+tostruct_hip(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_hip_t *hip = target;
+
+	REQUIRE(rdata->type == 55);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	hip->common.rdclass = rdata->rdclass;
+	hip->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&hip->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	hip->hit_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	hip->algorithm = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	hip->key_len = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+
+	hip->hit = hip->key = hip->servers = NULL;
+
+	hip->hit = mem_maybedup(mctx, region.base, hip->hit_len);
+	if (hip->hit == NULL)
+		goto cleanup;
+	isc_region_consume(&region, hip->hit_len);
+
+	hip->key = mem_maybedup(mctx, region.base, hip->key_len);
+	if (hip->key == NULL)
+		goto cleanup;
+	isc_region_consume(&region, hip->key_len);
+
+	hip->servers_len = region.length;
+	if (hip->servers_len != 0) {
+		hip->servers = mem_maybedup(mctx, region.base, region.length);
+		if (hip->servers == NULL)
+			goto cleanup;
+	}
+
+	hip->offset = hip->servers_len;
+	hip->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (hip->hit != NULL)
+		isc_mem_free(mctx, hip->hit);
+	if (hip->key != NULL)
+		isc_mem_free(mctx, hip->key);
+	if (hip->servers != NULL)
+		isc_mem_free(mctx, hip->servers);
+	return (ISC_R_NOMEMORY);
+
+}
+
+static inline void
+freestruct_hip(ARGS_FREESTRUCT) {
+	dns_rdata_hip_t *hip = source;
+
+	REQUIRE(source != NULL);
+
+	if (hip->mctx == NULL)
+		return;
+
+	isc_mem_free(hip->mctx, hip->hit);
+	isc_mem_free(hip->mctx, hip->key);
+	if (hip->servers != NULL)
+		isc_mem_free(hip->mctx, hip->servers);
+	hip->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_hip(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == 55);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_hip(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == 55);
+
+	dns_rdata_toregion(rdata, &r);
+	return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_hip(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 55);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_hip(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 55);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
+isc_result_t
+dns_rdata_hip_first(dns_rdata_hip_t *hip) {
+	if (hip->servers_len == 0)
+		return (ISC_R_NOMORE);
+	hip->offset = 0;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdata_hip_next(dns_rdata_hip_t *hip) {
+	isc_region_t region;
+	dns_name_t name;
+
+	if (hip->offset >= hip->servers_len)
+		return (ISC_R_NOMORE);
+
+	region.base = hip->servers + hip->offset;
+	region.length = hip->servers_len - hip->offset;
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	hip->offset += name.length;
+	INSIST(hip->offset <= hip->servers_len);
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_rdata_hip_current(dns_rdata_hip_t *hip, dns_name_t *name) {
+	isc_region_t region;
+
+	REQUIRE(hip->offset < hip->servers_len);
+
+	region.base = hip->servers + hip->offset;
+	region.length = hip->servers_len - hip->offset;
+	dns_name_fromregion(name, &region);
+
+	INSIST(name->length + hip->offset <= hip->servers_len);
+}
+
+#endif	/* RDATA_GENERIC_HIP_5_C */
diff --git a/lib/dns/rdata/generic/hip_55.h b/lib/dns/rdata/generic/hip_55.h
new file mode 100644
index 00000000..69f2eba8
--- /dev/null
+++ b/lib/dns/rdata/generic/hip_55.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: hip_55.h,v 1.2 2009/02/26 06:09:19 marka Exp $ */
+
+#ifndef GENERIC_HIP_5_H
+#define GENERIC_HIP_5_H 1
+
+/* RFC 5205 */
+
+typedef struct dns_rdata_hip {
+	dns_rdatacommon_t	common;
+	isc_mem_t *		mctx;
+	unsigned char *		hit;
+	unsigned char *		key;
+	unsigned char *		servers;
+	isc_uint8_t		algorithm;
+	isc_uint8_t		hit_len;
+	isc_uint16_t		key_len;
+	isc_uint16_t		servers_len;
+	/* Private */
+	isc_uint16_t		offset;
+} dns_rdata_hip_t;
+
+isc_result_t
+dns_rdata_hip_first(dns_rdata_hip_t *);
+
+isc_result_t
+dns_rdata_hip_next(dns_rdata_hip_t *);
+
+void
+dns_rdata_hip_current(dns_rdata_hip_t *, dns_name_t *);
+
+#endif /* GENERIC_HIP_5_H */
diff --git a/lib/dns/rdata/generic/ipseckey_45.c b/lib/dns/rdata/generic/ipseckey_45.c
index bc2b4e88..15c7cdcf 100644
--- a/lib/dns/rdata/generic/ipseckey_45.c
+++ b/lib/dns/rdata/generic/ipseckey_45.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipseckey_45.c,v 1.4.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: ipseckey_45.c,v 1.6 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef RDATA_GENERIC_IPSECKEY_45_C
 #define RDATA_GENERIC_IPSECKEY_45_C
diff --git a/lib/dns/rdata/generic/loc_29.c b/lib/dns/rdata/generic/loc_29.c
index a5d7f728..f5b84576 100644
--- a/lib/dns/rdata/generic/loc_29.c
+++ b/lib/dns/rdata/generic/loc_29.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: loc_29.c,v 1.45.332.4 2009/02/17 05:54:12 marka Exp $ */
+/* $Id: loc_29.c,v 1.49 2009/02/17 05:53:13 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 18:13:09 PST 2000 by explorer */
 
diff --git a/lib/dns/rdata/generic/nsec3_50.c b/lib/dns/rdata/generic/nsec3_50.c
index c5f0acb9..271c74e5 100644
--- a/lib/dns/rdata/generic/nsec3_50.c
+++ b/lib/dns/rdata/generic/nsec3_50.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3_50.c,v 1.4.48.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: nsec3_50.c,v 1.6 2009/01/17 23:47:43 tbox Exp $ */
 
 /*
  * Copyright (C) 2004  Nominet, Ltd.
diff --git a/lib/dns/rdata/generic/nsec3param_51.c b/lib/dns/rdata/generic/nsec3param_51.c
index 607ce6a9..9186ccf0 100644
--- a/lib/dns/rdata/generic/nsec3param_51.c
+++ b/lib/dns/rdata/generic/nsec3param_51.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3param_51.c,v 1.4.48.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: nsec3param_51.c,v 1.6 2009/01/17 23:47:43 tbox Exp $ */
 
 /*
  * Copyright (C) 2004  Nominet, Ltd.
diff --git a/lib/dns/rdata/generic/soa_6.c b/lib/dns/rdata/generic/soa_6.c
index 921aead9..b573a546 100644
--- a/lib/dns/rdata/generic/soa_6.c
+++ b/lib/dns/rdata/generic/soa_6.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: soa_6.c,v 1.61.332.2 2009/02/16 23:47:15 tbox Exp $ */
+/* $Id: soa_6.c,v 1.63 2009/02/16 23:48:04 tbox Exp $ */
 
 /* Reviewed: Thu Mar 16 15:18:32 PST 2000 by explorer */
 
diff --git a/lib/dns/rdata/in_1/naptr_35.c b/lib/dns/rdata/in_1/naptr_35.c
index 21ab44c4..a9e1e899 100644
--- a/lib/dns/rdata/in_1/naptr_35.c
+++ b/lib/dns/rdata/in_1/naptr_35.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: naptr_35.c,v 1.53 2008/02/15 23:46:51 tbox Exp $ */
+/* $Id: naptr_35.c,v 1.55 2009/01/21 23:47:27 tbox Exp $ */
 
 /* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
 
@@ -25,12 +25,134 @@
 #define RDATA_IN_1_NAPTR_35_C
 
 #define RRTYPE_NAPTR_ATTRIBUTES (0)
+#ifdef HAVE_REGEX_H
+#include <regex.h>
+#endif
+
+/*
+ * Check the wire format of the Regexp field.
+ * Don't allow embeded NUL's.
+ */
+static inline isc_result_t
+txt_valid_regex(const unsigned char *txt) {
+#ifdef HAVE_REGEX_H
+	regex_t preg;
+	unsigned int regflags = REG_EXTENDED;
+	unsigned int nsub = 0;
+	char regex[256];
+	char *cp;
+#endif
+	isc_boolean_t flags = ISC_FALSE;
+	isc_boolean_t replace = ISC_FALSE;
+	unsigned char c;
+	unsigned char delim;
+	unsigned int len;
+
+	len = *txt++;
+	if (len == 0U)
+		return (ISC_R_SUCCESS);
+
+	delim = *txt++;
+	len--;
+
+	/*
+	 * Digits, backslash and flags can't be delimiters.
+	 */
+	switch (delim) {
+	case '0': case '1': case '2': case '3': case '4':
+	case '5': case '6': case '7': case '8': case '9':
+	case '\\': case 'i': case 0:
+		return (DNS_R_SYNTAX);
+	}
+
+#ifdef HAVE_REGEX_H
+	memset(&preg, 0, sizeof(preg));
+	cp = regex;
+#endif
+
+	while (len-- > 0) {
+		c = *txt++;
+		if (c == 0)
+			return (DNS_R_SYNTAX);
+		if (c == delim && !replace) {
+			replace = ISC_TRUE;
+			continue;
+		} else if (c == delim && !flags) {
+			flags = ISC_TRUE;
+			continue;
+		} else if (c == delim)
+			return (DNS_R_SYNTAX);
+		/*
+		 * Flags are not escaped.
+		 */
+		if (flags) {
+			switch (c) {
+			case 'i':
+#ifdef HAVE_REGEX_H
+				regflags |= REG_ICASE;
+#endif
+				continue;
+			default:
+				return (DNS_R_SYNTAX);
+			}
+		}
+#ifdef HAVE_REGEX_H
+		if (!replace)
+			*cp++ = c;
+#endif
+		if (c == '\\') {
+			if (len == 0)
+				return (DNS_R_SYNTAX);
+			c = *txt++;
+			if (c == 0)
+				return (DNS_R_SYNTAX);
+			len--;
+			if (replace)
+				switch (c) {
+				case '0': return (DNS_R_SYNTAX);
+#ifdef HAVE_REGEX_H
+				case '1': if (nsub < 1) nsub = 1; break;
+				case '2': if (nsub < 2) nsub = 2; break;
+				case '3': if (nsub < 3) nsub = 3; break;
+				case '4': if (nsub < 4) nsub = 4; break;
+				case '5': if (nsub < 5) nsub = 5; break;
+				case '6': if (nsub < 6) nsub = 6; break;
+				case '7': if (nsub < 7) nsub = 7; break;
+				case '8': if (nsub < 8) nsub = 8; break;
+				case '9': if (nsub < 9) nsub = 9; break;
+#endif
+				}
+#ifdef HAVE_REGEX_H
+			if (!replace)
+				*cp++ = c;
+#endif
+		}
+	}
+	if (!flags)
+		return (DNS_R_SYNTAX);
+#ifdef HAVE_REGEX_H
+	*cp = '\0';
+	if (regcomp(&preg, regex, regflags))
+		return (DNS_R_SYNTAX);
+	/*
+	 * Check that substitutions in the replacement string are consistant
+	 * with the regular expression.
+	 */
+	if (preg.re_nsub < nsub) {
+		regfree(&preg);
+		return (DNS_R_SYNTAX);
+	}
+	regfree(&preg);
+#endif
+	return (ISC_R_SUCCESS);
+}
 
 static inline isc_result_t
 fromtext_in_naptr(ARGS_FROMTEXT) {
 	isc_token_t token;
 	dns_name_t name;
 	isc_buffer_t buffer;
+	unsigned char *regex;
 
 	REQUIRE(type == 35);
 	REQUIRE(rdclass == 1);
@@ -74,9 +196,11 @@ fromtext_in_naptr(ARGS_FROMTEXT) {
 	/*
 	 * Regexp.
 	 */
+	regex = isc_buffer_used(target);
 	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
 				      ISC_FALSE));
 	RETTOK(txt_fromtext(&token.value.as_textregion, target));
+	RETTOK(txt_valid_regex(regex));
 
 	/*
 	 * Replacement.
@@ -156,6 +280,7 @@ static inline isc_result_t
 fromwire_in_naptr(ARGS_FROMWIRE) {
 	dns_name_t name;
 	isc_region_t sr;
+	unsigned char *regex;
 
 	REQUIRE(type == 35);
 	REQUIRE(rdclass == 1);
@@ -189,7 +314,9 @@ fromwire_in_naptr(ARGS_FROMWIRE) {
 	/*
 	 * Regexp.
 	 */
+	regex = isc_buffer_used(target);
 	RETERR(txt_fromwire(source, target));
+	RETERR(txt_valid_regex(regex));
 
 	/*
 	 * Replacement.
diff --git a/lib/dns/rdata/in_1/wks_11.c b/lib/dns/rdata/in_1/wks_11.c
index 55859c4b..19bad0af 100644
--- a/lib/dns/rdata/in_1/wks_11.c
+++ b/lib/dns/rdata/in_1/wks_11.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: wks_11.c,v 1.54.332.2 2009/02/16 23:47:15 tbox Exp $ */
+/* $Id: wks_11.c,v 1.56 2009/02/16 23:48:04 tbox Exp $ */
 
 /* Reviewed: Fri Mar 17 15:01:49 PST 2000 by explorer */
 
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
index 6088a068..1e59a053 100644
--- a/lib/dns/rdataset.c
+++ b/lib/dns/rdataset.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.c,v 1.82.50.2 2009/01/18 23:47:40 tbox Exp $ */
+/* $Id: rdataset.c,v 1.84 2009/01/17 23:47:43 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
index b22868d6..04d8504b 100644
--- a/lib/dns/rdataslab.c
+++ b/lib/dns/rdataslab.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataslab.c,v 1.48.50.2 2009/01/18 23:47:40 tbox Exp $ */
+/* $Id: rdataslab.c,v 1.50 2009/01/17 23:47:43 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/request.c b/lib/dns/request.c
index ac844e18..d0637ad6 100644
--- a/lib/dns/request.c
+++ b/lib/dns/request.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: request.c,v 1.82.72.2 2009/01/18 23:47:40 tbox Exp $ */
+/* $Id: request.c,v 1.84 2009/01/17 23:47:43 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index a5d7c250..12cdb568 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.384.14.14 2009/06/02 23:47:13 tbox Exp $ */
+/* $Id: resolver.c,v 1.402 2009/06/02 23:47:50 tbox Exp $ */
 
 /*! \file */
 
@@ -2233,7 +2233,7 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
 	char code[64];
 	isc_buffer_t b;
 	isc_sockaddr_t *sa;
-	const char *sep1, *sep2;
+	const char *spc = "";
 	isc_sockaddr_t *address = &addrinfo->sockaddr;
 
 	if (reason == DNS_R_LAME)
@@ -2279,18 +2279,14 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
 		isc_buffer_init(&b, code, sizeof(code) - 1);
 		dns_rcode_totext(fctx->rmessage->rcode, &b);
 		code[isc_buffer_usedlength(&b)] = '\0';
-		sep1 = "(";
-		sep2 = ") ";
+		spc = " ";
 	} else if (reason == DNS_R_UNEXPECTEDOPCODE) {
 		isc_buffer_init(&b, code, sizeof(code) - 1);
 		dns_opcode_totext((dns_opcode_t)fctx->rmessage->opcode, &b);
 		code[isc_buffer_usedlength(&b)] = '\0';
-		sep1 = "(";
-		sep2 = ") ";
+		spc = " ";
 	} else {
 		code[0] = '\0';
-		sep1 = "";
-		sep2 = "";
 	}
 	dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
 	dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
@@ -2298,8 +2294,8 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
 	isc_sockaddr_format(address, addrbuf, sizeof(addrbuf));
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
 		      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
-		      "%s %s%s%sresolving '%s/%s/%s': %s",
-		      dns_result_totext(reason), sep1, code, sep2,
+		      "error (%s%s%s) resolving '%s/%s/%s': %s",
+		      dns_result_totext(reason), spc, code,
 		      namebuf, typebuf, classbuf, addrbuf);
 }
 
@@ -4948,6 +4944,134 @@ dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, dns_name_t *oname,
 	return (result);
 }
 
+static isc_boolean_t
+is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
+			 dns_rdataset_t *rdataset)
+{
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	struct in_addr ina;
+	struct in6_addr in6a;
+	isc_netaddr_t netaddr;
+	char addrbuf[ISC_NETADDR_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char classbuf[64];
+	char typebuf[64];
+	int match;
+
+	/* By default, we allow any addresses. */
+	if (view->denyansweracl == NULL)
+		return (ISC_TRUE);
+
+	/*
+	 * If the owner name matches one in the exclusion list, either exactly
+	 * or partially, allow it.
+	 */
+	if (view->answeracl_exclude != NULL) {
+		dns_rbtnode_t *node = NULL;
+
+		result = dns_rbt_findnode(view->answeracl_exclude, name, NULL,
+					  &node, NULL, 0, NULL, NULL);
+
+		if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+			return (ISC_TRUE);
+	}
+
+	/*
+	 * Otherwise, search the filter list for a match for each address
+	 * record.  If a match is found, the address should be filtered,
+	 * so should the entire answer.
+	 */
+	for (result = dns_rdataset_first(rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset)) {
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(rdataset, &rdata);
+		if (rdataset->type == dns_rdatatype_a) {
+			INSIST(rdata.length == sizeof(ina.s_addr));
+			memcpy(&ina.s_addr, rdata.data, sizeof(ina.s_addr));
+			isc_netaddr_fromin(&netaddr, &ina);
+		} else {
+			INSIST(rdata.length == sizeof(in6a.s6_addr));
+			memcpy(in6a.s6_addr, rdata.data, sizeof(in6a.s6_addr));
+			isc_netaddr_fromin6(&netaddr, &in6a);
+		}
+
+		result = dns_acl_match(&netaddr, NULL, view->denyansweracl,
+				       &view->aclenv, &match, NULL);
+
+		if (result == ISC_R_SUCCESS && match > 0) {
+			isc_netaddr_format(&netaddr, addrbuf, sizeof(addrbuf));
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			dns_rdatatype_format(rdataset->type, typebuf,
+					     sizeof(typebuf));
+			dns_rdataclass_format(rdataset->rdclass, classbuf,
+					      sizeof(classbuf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+				      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+				      "answer address %s denied for %s/%s/%s",
+				      addrbuf, namebuf, typebuf, classbuf);
+			return (ISC_FALSE);
+		}
+	}
+
+	return (ISC_TRUE);
+}
+
+static isc_boolean_t
+is_answertarget_allowed(dns_view_t *view, dns_name_t *name,
+			dns_rdatatype_t type, dns_name_t *tname,
+			dns_name_t *domain)
+{
+	isc_result_t result;
+	dns_rbtnode_t *node = NULL;
+	char qnamebuf[DNS_NAME_FORMATSIZE];
+	char tnamebuf[DNS_NAME_FORMATSIZE];
+	char classbuf[64];
+	char typebuf[64];
+
+	/* By default, we allow any target name. */
+	if (view->denyanswernames == NULL)
+		return (ISC_TRUE);
+
+	/*
+	 * If the owner name matches one in the exclusion list, either exactly
+	 * or partially, allow it.
+	 */
+	if (view->answernames_exclude != NULL) {
+		result = dns_rbt_findnode(view->answernames_exclude, name, NULL,
+					  &node, NULL, 0, NULL, NULL);
+		if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+			return (ISC_TRUE);
+	}
+
+	/*
+	 * If the target name is a subdomain of the search domain, allow it.
+	 */
+	if (dns_name_issubdomain(tname, domain))
+		return (ISC_TRUE);
+
+	/*
+	 * Otherwise, apply filters.
+	 */
+	result = dns_rbt_findnode(view->denyanswernames, tname, NULL, &node,
+				  NULL, 0, NULL, NULL);
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		dns_name_format(name, qnamebuf, sizeof(qnamebuf));
+		dns_name_format(tname, tnamebuf, sizeof(tnamebuf));
+		dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+		dns_rdataclass_format(view->rdclass, classbuf,
+				      sizeof(classbuf));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+			      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+			      "%s target %s denied for %s/%s",
+			      typebuf, tnamebuf, qnamebuf, classbuf);
+		return (ISC_FALSE);
+	}
+
+	return (ISC_TRUE);
+}
+
 /*
  * Handle a no-answer response (NXDOMAIN, NXRRSET, or referral).
  * If bind8_ns_resp is ISC_TRUE, this is a suspected BIND 8
@@ -5150,7 +5274,7 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
 					 *
 					 * These should only be here if
 					 * this is a referral, and there
-					 * should only be one DS.
+					 * should only be one DS RRset.
 					 */
 					if (ns_name == NULL)
 						return (DNS_R_FORMERR);
@@ -5305,6 +5429,7 @@ answer_response(fetchctx_t *fctx) {
 	unsigned int aflag;
 	dns_rdatatype_t type;
 	dns_fixedname_t dname, fqname;
+	dns_view_t *view;
 
 	FCTXTRACE("answer_response");
 
@@ -5327,6 +5452,7 @@ answer_response(fetchctx_t *fctx) {
 		aa = ISC_FALSE;
 	qname = &fctx->name;
 	type = fctx->type;
+	view = fctx->res->view;
 	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
 	while (!done && result == ISC_R_SUCCESS) {
 		name = NULL;
@@ -5347,6 +5473,18 @@ answer_response(fetchctx_t *fctx) {
 					 */
 					return (DNS_R_FORMERR);
 				}
+
+				/*
+				 * Apply filters, if given, on answers to reject
+				 * a malicious attempt of rebinding.
+				 */
+				if ((rdataset->type == dns_rdatatype_a ||
+				     rdataset->type == dns_rdatatype_aaaa) &&
+				    !is_answeraddress_allowed(view, name,
+							      rdataset)) {
+					return (DNS_R_SERVFAIL);
+				}
+
 				if (rdataset->type == type && !found_cname) {
 					/*
 					 * We've found an ordinary answer.
@@ -5395,6 +5533,14 @@ answer_response(fetchctx_t *fctx) {
 							      &tname);
 					if (result != ISC_R_SUCCESS)
 						return (result);
+					/* Apply filters on the target name. */
+					if (!is_answertarget_allowed(view,
+							name,
+							rdataset->type,
+							&tname,
+							&fctx->domain)) {
+						return (DNS_R_SERVFAIL);
+					}
 				} else if (rdataset->type == dns_rdatatype_rrsig
 					   && rdataset->covers ==
 					   dns_rdatatype_cname
@@ -5497,6 +5643,8 @@ answer_response(fetchctx_t *fctx) {
 			     rdataset != NULL;
 			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
 				isc_boolean_t found_dname = ISC_FALSE;
+				dns_name_t *dname_name;
+
 				found = ISC_FALSE;
 				aflag = 0;
 				if (rdataset->type == dns_rdatatype_dname) {
@@ -5526,6 +5674,15 @@ answer_response(fetchctx_t *fctx) {
 						return (result);
 					else
 						found_dname = ISC_TRUE;
+
+					dname_name = dns_fixedname_name(&dname);
+					if (!is_answertarget_allowed(view,
+							qname,
+							rdataset->type,
+							dname_name,
+							&fctx->domain)) {
+						return (DNS_R_SERVFAIL);
+					}
 				} else if (rdataset->type == dns_rdatatype_rrsig
 					   && rdataset->covers ==
 					   dns_rdatatype_dname) {
diff --git a/lib/dns/result.c b/lib/dns/result.c
index 54c70e0e..c5ab3009 100644
--- a/lib/dns/result.c
+++ b/lib/dns/result.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.c,v 1.125 2008/09/25 04:02:38 tbox Exp $ */
+/* $Id: result.c,v 1.127 2009/03/01 23:47:25 tbox Exp $ */
 
 /*! \file */
 
@@ -105,7 +105,7 @@ static const char *text[DNS_R_NRESULTS] = {
 	"no valid RRSIG",		       /*%< 59 DNS_R_NOVALIDSIG */
 
 	"no valid NSEC",		       /*%< 60 DNS_R_NOVALIDNSEC */
-	"not insecure",			       /*%< 61 DNS_R_NOTINSECURE */
+	"insecurity proof failed",	       /*%< 61 DNS_R_NOTINSECURE */
 	"unknown service",		       /*%< 62 DNS_R_UNKNOWNSERVICE */
 	"recoverable error occurred",	       /*%< 63 DNS_R_RECOVERABLE */
 	"unknown opt attribute record",	       /*%< 64 DNS_R_UNKNOWNOPT */
diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c
index 03fca9ed..2777ca35 100644
--- a/lib/dns/sdb.c
+++ b/lib/dns/sdb.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sdb.c,v 1.66.48.2 2009/04/21 23:47:18 tbox Exp $ */
+/* $Id: sdb.c,v 1.68 2009/04/21 23:48:04 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c
index 89cd0eea..163791a9 100644
--- a/lib/dns/sdlz.c
+++ b/lib/dns/sdlz.c
@@ -50,7 +50,7 @@
  * USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sdlz.c,v 1.18.50.2 2009/04/21 23:47:18 tbox Exp $ */
+/* $Id: sdlz.c,v 1.20 2009/04/21 23:48:04 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
index 0ae6ea23..d22b8f49 100644
--- a/lib/dns/spnego.c
+++ b/lib/dns/spnego.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: spnego.c,v 1.8.118.2 2009/01/18 23:47:40 tbox Exp $ */
+/* $Id: spnego.c,v 1.10 2009/01/17 23:47:43 tbox Exp $ */
 
 /*! \file
  * \brief
diff --git a/lib/dns/stats.c b/lib/dns/stats.c
index 60fed35f..a59dde63 100644
--- a/lib/dns/stats.c
+++ b/lib/dns/stats.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stats.c,v 1.16.118.2 2009/01/29 23:47:44 tbox Exp $ */
+/* $Id: stats.c,v 1.18 2009/01/27 23:47:54 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/time.c b/lib/dns/time.c
index 62414ddb..c20242a5 100644
--- a/lib/dns/time.c
+++ b/lib/dns/time.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.c,v 1.31.332.2 2009/01/18 23:47:40 tbox Exp $ */
+/* $Id: time.c,v 1.33 2009/01/17 23:47:43 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 74a7af32..d1645306 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: tsig.c,v 1.136 2008/11/04 21:23:14 marka Exp $
+ * $Id: tsig.c,v 1.138 2009/06/11 23:47:55 tbox Exp $
  */
 /*! \file */
 #include <config.h>
@@ -215,6 +215,37 @@ tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...) {
 			      level, "tsig key '%s': %s", namestr, message);
 }
 
+/*
+ * A supplemental routine just to add a key to ring.  Note that reference
+ * counter should be counted separately because we may be adding the key
+ * as part of creation of the key, in which case the reference counter was
+ * already initialized.  Also note we don't need RWLOCK for the reference
+ * counter: it's protected by a separate lock.
+ */
+static isc_result_t
+keyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
+	    dns_tsigkey_t *tkey)
+{
+	isc_result_t result;
+
+	RWLOCK(&ring->lock, isc_rwlocktype_write);
+	ring->writecount++;
+
+	/*
+	 * Do on the fly cleaning.  Find some nodes we might not
+	 * want around any more.
+	 */
+	if (ring->writecount > 10) {
+		cleanup_ring(ring);
+		ring->writecount = 0;
+	}
+
+	result = dns_rbt_addname(ring->keys, name, tkey);
+	RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+
+	return (result);
+}
+
 isc_result_t
 dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 			  dst_key_t *dstkey, isc_boolean_t generated,
@@ -331,7 +362,7 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 	tkey->ring = ring;
 
 	if (key != NULL)
-		refs++;
+		refs = 1;
 	if (ring != NULL)
 		refs++;
 	ret = isc_refcount_init(&tkey->refs, refs);
@@ -347,23 +378,9 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 	tkey->magic = TSIG_MAGIC;
 
 	if (ring != NULL) {
-		RWLOCK(&ring->lock, isc_rwlocktype_write);
-		ring->writecount++;
-
-		/*
-		 * Do on the fly cleaning.  Find some nodes we might not
-		 * want around any more.
-		 */
-		if (ring->writecount > 10) {
-			cleanup_ring(ring);
-			ring->writecount = 0;
-		}
-		ret = dns_rbt_addname(ring->keys, name, tkey);
-		if (ret != ISC_R_SUCCESS) {
-			RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+		ret = keyring_add(ring, name, tkey);
+		if (ret != ISC_R_SUCCESS)
 			goto cleanup_refs;
-		}
-		RWUNLOCK(&ring->lock, isc_rwlocktype_write);
 	}
 
 	/*
@@ -379,6 +396,7 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 			      "the key '%s' is too short to be secure",
 			      namestr);
 	}
+
 	if (key != NULL)
 		*key = tkey;
 
@@ -1533,6 +1551,19 @@ dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) {
 	return (ISC_R_SUCCESS);
 }
 
+isc_result_t
+dns_tsigkeyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
+		    dns_tsigkey_t *tkey)
+{
+	isc_result_t result;
+
+	result = keyring_add(ring, name, tkey);
+	if (result == ISC_R_SUCCESS)
+		isc_refcount_increment(&tkey->refs, NULL);
+
+	return (result);
+}
+
 void
 dns_tsigkeyring_destroy(dns_tsig_keyring_t **ringp) {
 	dns_tsig_keyring_t *ring;
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index c62b7141..88f661a7 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.164.12.9 2009/05/07 23:47:12 tbox Exp $ */
+/* $Id: validator.c,v 1.177 2009/06/09 22:57:09 marka Exp $ */
 
 #include <config.h>
 
@@ -368,7 +368,7 @@ isdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
 }
 
 /*%
- * We have been asked to to look for a key.
+ * We have been asked to look for a key.
  * If found resume the validation process.
  * If not found fail the validation process.
  */
@@ -1014,7 +1014,7 @@ nsec3noexistnodata(dns_validator_t *val, dns_name_t* name,
 			if (ns && !soa) {
 				if (!atparent) {
 					/*
-					 * This NSEC record is from somewhere
+					 * This NSEC3 record is from somewhere
 					 * higher in the DNS, and at the
 					 * parent of a delegation. It can not
 					 * be legitimately used here.
@@ -1025,7 +1025,7 @@ nsec3noexistnodata(dns_validator_t *val, dns_name_t* name,
 				}
 			} else if (atparent && ns && soa) {
 				/*
-				 * This NSEC record is from the child.
+				 * This NSEC3 record is from the child.
 				 * It can not be legitimately used here.
 				 */
 				validator_log(val, ISC_LOG_DEBUG(3),
@@ -2921,7 +2921,6 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 			      "nonexistence proof(s) found");
 		return (ISC_R_SUCCESS);
 	}
-		findnsec3proofs(val);
 
 	validator_log(val, ISC_LOG_DEBUG(3),
 		      "nonexistence proof(s) not found");
@@ -3281,7 +3280,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
 		/*
 		 * If we have a DS rdataset and it is secure then check if
 		 * the DS rdataset has a supported algorithm combination.
-		 * If not this is a insecure delegation as far as this
+		 * If not this is an insecure delegation as far as this
 		 * resolver is concerned.  Fall back to DLV if available.
 		 */
 		if (have_ds && val->frdataset.trust >= dns_trust_secure &&
@@ -3335,7 +3334,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
 		if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
 			/*
 			 * There is no DS.  If this is a delegation,
-			 * we maybe done.
+			 * we may be done.
 			 */
 			if (val->frdataset.trust == dns_trust_pending) {
 				result = create_fetch(val, tname,
@@ -3475,9 +3474,9 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
 		return (nsecvalidate(val, ISC_FALSE));
 	}
 */
-
+	/* Couldn't complete insecurity proof */
 	validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
-	return (DNS_R_NOTINSECURE); /* Couldn't complete insecurity proof */
+	return (DNS_R_NOTINSECURE);
 
  out:
 	if (dns_rdataset_isassociated(&val->frdataset))
@@ -3516,7 +3515,7 @@ dlv_validator_start(dns_validator_t *val) {
  * \li	3. a negative answer (secure or unsecure).
  *
  * Note a answer that appears to be a secure positive answer may actually
- * be a unsecure positive answer.
+ * be an unsecure positive answer.
  */
 static void
 validator_start(isc_task_t *task, isc_event_t *event) {
@@ -3581,6 +3580,10 @@ validator_start(isc_task_t *task, isc_event_t *event) {
 
 		val->attributes |= VALATTR_INSECURITY;
 		result = proveunsecure(val, ISC_FALSE, ISC_FALSE);
+		if (result == DNS_R_NOTINSECURE)
+			validator_log(val, ISC_LOG_INFO,
+				      "got insecure response; "
+				      "parent indicates it should be secure");
 	} else if (val->event->rdataset == NULL &&
 		   val->event->sigrdataset == NULL)
 	{
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 5f1447ae..b5414d4c 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.c,v 1.150.84.2 2009/01/29 23:47:44 tbox Exp $ */
+/* $Id: view.c,v 1.154 2009/05/29 22:22:37 jinmei Exp $ */
 
 /*! \file */
 
@@ -40,6 +40,7 @@
 #include <dns/masterdump.h>
 #include <dns/order.h>
 #include <dns/peer.h>
+#include <dns/rbt.h>
 #include <dns/rdataset.h>
 #include <dns/request.h>
 #include <dns/resolver.h>
@@ -155,6 +156,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->rootexclude = NULL;
 	view->resstats = NULL;
 	view->resquerystats = NULL;
+	view->cacheshared = ISC_FALSE;
 
 	/*
 	 * Initialize configuration data with default values.
@@ -177,6 +179,10 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->notifyacl = NULL;
 	view->updateacl = NULL;
 	view->upfwdacl = NULL;
+	view->denyansweracl = NULL;
+	view->answeracl_exclude = NULL;
+	view->denyanswernames = NULL;
+	view->answernames_exclude = NULL;
 	view->requestixfr = ISC_TRUE;
 	view->provideixfr = ISC_TRUE;
 	view->maxcachettl = 7 * 24 * 3600;
@@ -312,6 +318,14 @@ destroy(dns_view_t *view) {
 		dns_acl_detach(&view->updateacl);
 	if (view->upfwdacl != NULL)
 		dns_acl_detach(&view->upfwdacl);
+	if (view->denyansweracl != NULL)
+		dns_acl_detach(&view->denyansweracl);
+	if (view->answeracl_exclude != NULL)
+		dns_rbt_destroy(&view->answeracl_exclude);
+	if (view->denyanswernames != NULL)
+		dns_rbt_destroy(&view->denyanswernames);
+	if (view->answernames_exclude != NULL)
+		dns_rbt_destroy(&view->answernames_exclude);
 	if (view->delonly != NULL) {
 		dns_name_t *name;
 		int i;
@@ -627,9 +641,15 @@ dns_view_createresolver(dns_view_t *view,
 
 void
 dns_view_setcache(dns_view_t *view, dns_cache_t *cache) {
+	dns_view_setcache2(view, cache, ISC_FALSE);
+}
+
+void
+dns_view_setcache2(dns_view_t *view, dns_cache_t *cache, isc_boolean_t shared) {
 	REQUIRE(DNS_VIEW_VALID(view));
 	REQUIRE(!view->frozen);
 
+	view->cacheshared = shared;
 	if (view->cache != NULL) {
 		if (view->acache != NULL)
 			dns_acache_putdb(view->acache, view->cachedb);
@@ -644,6 +664,13 @@ dns_view_setcache(dns_view_t *view, dns_cache_t *cache) {
 		dns_acache_setdb(view->acache, view->cachedb);
 }
 
+isc_boolean_t
+dns_view_iscacheshared(dns_view_t *view) {
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	return (view->cacheshared);
+}
+
 void
 dns_view_sethints(dns_view_t *view, dns_db_t *hints) {
 	REQUIRE(DNS_VIEW_VALID(view));
@@ -1279,15 +1306,22 @@ dns_view_dumpdbtostream(dns_view_t *view, FILE *fp) {
 
 isc_result_t
 dns_view_flushcache(dns_view_t *view) {
+	return (dns_view_flushcache2(view, ISC_FALSE));
+}
+
+isc_result_t
+dns_view_flushcache2(dns_view_t *view, isc_boolean_t fixuponly) {
 	isc_result_t result;
 
 	REQUIRE(DNS_VIEW_VALID(view));
 
 	if (view->cachedb == NULL)
 		return (ISC_R_SUCCESS);
-	result = dns_cache_flush(view->cache);
-	if (result != ISC_R_SUCCESS)
-		return (result);
+	if (!fixuponly) {
+		result = dns_cache_flush(view->cache);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
 	if (view->acache != NULL)
 		dns_acache_putdb(view->acache, view->cachedb);
 	dns_db_detach(&view->cachedb);
diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def
index 55228120..4a568588 100644
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@@ -57,9 +57,13 @@ dns_cache_attach
 dns_cache_attachdb
 dns_cache_clean
 dns_cache_create
+dns_cache_create2
 dns_cache_detach
 dns_cache_dump
 dns_cache_flush
+dns_cache_getcachesize
+dns_cache_getcleaninginterval
+dns_cache_getname
 dns_cache_load
 dns_cache_setcachesize
 dns_cache_setcleaninginterval
@@ -187,6 +191,7 @@ dns_dlzunregister
 dns_dnssec_findzonekeys
 dns_dnssec_findzonekeys2
 dns_dnssec_keyfromrdata
+dns_dnssec_selfsigns
 dns_dnssec_sign
 dns_dnssec_signmessage
 dns_dnssec_verify
@@ -608,6 +613,7 @@ dns_tsigkey_createfromkey
 dns_tsigkey_detach
 dns_tsigkey_find
 dns_tsigkey_setdeleted
+dns_tsigkeyring_add
 dns_tsigkeyring_create
 dns_tsigkeyring_destroy
 dns_tsigrcode_fromtext
@@ -633,6 +639,7 @@ dns_view_findzone
 dns_view_findzonecut
 dns_view_flushanddetach
 dns_view_flushcache
+dns_view_flushcache2
 dns_view_flushname
 dns_view_freeze
 dns_view_freezezones
@@ -640,9 +647,11 @@ dns_view_getpeertsig
 dns_view_getresquerystats
 dns_view_getresstats
 dns_view_gettsig
+dns_view_iscacheshared
 dns_view_load
 dns_view_loadnew
 dns_view_setcache
+dns_view_setcache2
 dns_view_setdstport
 dns_view_sethints
 dns_view_setkeyring
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 423b0057..ea8d1a1f 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.483.36.6 2009/03/26 22:57:07 marka Exp $ */
+/* $Id: zone.c,v 1.493 2009/06/17 04:29:43 marka Exp $ */
 
 /*! \file */
 
@@ -2148,7 +2148,8 @@ resume_signingwithkey(dns_zone_t *zone) {
 		}
 
 		result = zone_signwithkey(zone, rdata.data[0],
-					  (rdata.data[1] << 8) | rdata.data[2],						  ISC_TF(rdata.data[3]));
+					  (rdata.data[1] << 8) | rdata.data[2],
+					  ISC_TF(rdata.data[3]));
 		if (result != ISC_R_SUCCESS) {
 			dns_zone_log(zone, ISC_LOG_ERROR,
 				     "zone_signwithkey failed: %s",
@@ -2562,12 +2563,13 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 				goto cleanup;
 			} else if (!isc_serial_ge(serial, zone->serial))
 				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "zone serial has gone backwards");
+					     "zone serial (%u/%u) has gone "
+					     "backwards", serial, zone->serial);
 			else if (serial == zone->serial && !hasinclude)
 				dns_zone_log(zone, ISC_LOG_ERROR,
-					     "zone serial unchanged. "
+					     "zone serial (%u) unchanged. "
 					     "zone may fail to transfer "
-					     "to slaves.");
+					     "to slaves.", serial);
 		}
 
 		if (zone->type == dns_zone_master &&
@@ -4374,7 +4376,8 @@ updatesignwithkey(dns_signing_t *signing, dns_dbversion_t *version,
 			seen_done = ISC_TRUE;
 		else
 			CHECK(update_one_rr(signing->db, version, diff,
-					    DNS_DIFFOP_DEL, name,							    rdataset.ttl, &rdata));
+					    DNS_DIFFOP_DEL, name,
+					    rdataset.ttl, &rdata));
 		dns_rdata_reset(&rdata);
 	}
 	if (result == ISC_R_NOMORE)
@@ -8685,7 +8688,7 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	/*
-	 * If type != T_SOA return DNS_R_REFUSED.  We don't yet support
+	 * If type != T_SOA return DNS_R_NOTIMP.  We don't yet support
 	 * ROLLOVER.
 	 *
 	 * SOA:	RFC1996
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index 6fa284bc..2eba9409 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.96.50.3 2009/02/16 01:02:58 marka Exp $
+# $Id: Makefile.in,v 1.100 2009/02/06 12:26:22 fdupont Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -27,8 +27,8 @@ CINCLUDES =	-I${srcdir}/unix/include \
 		-I${srcdir}/@ISC_THREAD_DIR@/include \
 		-I${srcdir}/@ISC_ARCH_DIR@/include \
 		-I./include \
-		-I${srcdir}/include
-CDEFINES =
+		-I${srcdir}/include @ISC_OPENSSL_INC@
+CDEFINES =	@USE_OPENSSL@
 CWARNINGS =
 
 # Alphabetically
diff --git a/lib/isc/alpha/include/isc/atomic.h b/lib/isc/alpha/include/isc/atomic.h
index bc1510ff..a6232ada 100644
--- a/lib/isc/alpha/include/isc/atomic.h
+++ b/lib/isc/alpha/include/isc/atomic.h
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: atomic.h,v 1.5.332.2 2009/04/08 06:47:32 tbox Exp $ */
+/* $Id: atomic.h,v 1.7 2009/04/08 06:48:23 tbox Exp $ */
 
 /*
  * This code was written based on FreeBSD's kernel source whose copyright
diff --git a/lib/isc/api b/lib/isc/api
index 5ef8dc03..2240cdda 100644
--- a/lib/isc/api
+++ b/lib/isc/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 51
+LIBINTERFACE = 50
 LIBREVISION = 1
-LIBAGE = 1
+LIBAGE = 0
diff --git a/lib/isc/base32.c b/lib/isc/base32.c
index 3000a84f..67398c6b 100644
--- a/lib/isc/base32.c
+++ b/lib/isc/base32.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base32.c,v 1.3.116.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: base32.c,v 1.5 2009/01/18 23:48:14 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c
index 25ab0021..2d817c6a 100644
--- a/lib/isc/entropy.c
+++ b/lib/isc/entropy.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy.c,v 1.18.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: entropy.c,v 1.20 2009/01/18 23:48:14 tbox Exp $ */
 
 /*! \file
  * \brief
diff --git a/lib/isc/hash.c b/lib/isc/hash.c
index 9911bdee..2a1c112b 100644
--- a/lib/isc/hash.c
+++ b/lib/isc/hash.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hash.c,v 1.13.332.3 2009/05/07 23:47:12 tbox Exp $ */
+/* $Id: hash.c,v 1.15 2009/05/06 23:47:50 tbox Exp $ */
 
 /*! \file
  * Some portion of this code was derived from universal hash function
@@ -293,6 +293,7 @@ static void
 destroy(isc_hash_t **hctxp) {
 	isc_hash_t *hctx;
 	isc_mem_t *mctx;
+	unsigned char canary0[4], canary1[4];
 
 	REQUIRE(hctxp != NULL && *hctxp != NULL);
 	hctx = *hctxp;
@@ -312,7 +313,10 @@ destroy(isc_hash_t **hctxp) {
 
 	DESTROYLOCK(&hctx->lock);
 
+	memcpy(canary0, hctx + 1, sizeof(canary0));
 	memset(hctx, 0, sizeof(isc_hash_t));
+	memcpy(canary1, hctx + 1, sizeof(canary1));
+	INSIST(memcmp(canary0, canary1, sizeof(canary0)) == 0);
 	isc_mem_put(mctx, hctx, sizeof(isc_hash_t));
 	isc_mem_detach(&mctx);
 }
diff --git a/lib/isc/hmacmd5.c b/lib/isc/hmacmd5.c
index 63853dcd..6abe6e27 100644
--- a/lib/isc/hmacmd5.c
+++ b/lib/isc/hmacmd5.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacmd5.c,v 1.14 2007/06/19 23:47:17 tbox Exp $ */
+/* $Id: hmacmd5.c,v 1.16 2009/02/06 23:47:42 tbox Exp $ */
 
 /*! \file
  * This code implements the HMAC-MD5 keyed hash algorithm
@@ -27,10 +27,40 @@
 #include <isc/assertions.h>
 #include <isc/hmacmd5.h>
 #include <isc/md5.h>
+#include <isc/platform.h>
 #include <isc/string.h>
 #include <isc/types.h>
 #include <isc/util.h>
 
+#ifdef ISC_PLATFORM_OPENSSLHASH
+
+void
+isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
+		 unsigned int len)
+{
+	HMAC_Init(ctx, (const void *) key, (int) len, EVP_md5());
+}
+
+void
+isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
+	HMAC_CTX_cleanup(ctx);
+}
+
+void
+isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	HMAC_Update(ctx, buf, (int) len);
+}
+
+void
+isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
+	HMAC_Final(ctx, digest, NULL);
+	HMAC_CTX_cleanup(ctx);
+}
+
+#else
+
 #define PADLEN 64
 #define IPAD 0x36
 #define OPAD 0x5C
@@ -98,6 +128,7 @@ isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
 	isc_md5_final(&ctx->md5ctx, digest);
 	isc_hmacmd5_invalidate(ctx);
 }
+#endif /* !ISC_PLATFORM_OPENSSLHASH */
 
 /*!
  * Verify signature - finalize MD5 operation and reapply MD5, then
diff --git a/lib/isc/hmacsha.c b/lib/isc/hmacsha.c
index dfcd8bf5..aba869ec 100644
--- a/lib/isc/hmacsha.c
+++ b/lib/isc/hmacsha.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacsha.c,v 1.8 2007/08/27 03:27:53 marka Exp $ */
+/* $Id: hmacsha.c,v 1.10 2009/02/06 23:47:42 tbox Exp $ */
 
 /*
  * This code implements the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384
@@ -26,12 +26,172 @@
 
 #include <isc/assertions.h>
 #include <isc/hmacsha.h>
+#include <isc/platform.h>
 #include <isc/sha1.h>
 #include <isc/sha2.h>
 #include <isc/string.h>
 #include <isc/types.h>
 #include <isc/util.h>
 
+#ifdef ISC_PLATFORM_OPENSSLHASH
+
+void
+isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
+		  unsigned int len)
+{
+	HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha1());
+}
+
+void
+isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
+	HMAC_CTX_cleanup(ctx);
+}
+
+void
+isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	HMAC_Update(ctx, buf, (int) len);
+}
+
+void
+isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
+
+	HMAC_Final(ctx, newdigest, NULL);
+	HMAC_CTX_cleanup(ctx);
+	memcpy(digest, newdigest, len);
+	memset(newdigest, 0, sizeof(newdigest));
+}
+
+void
+isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha224());
+}
+
+void
+isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
+	HMAC_CTX_cleanup(ctx);
+}
+
+void
+isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	HMAC_Update(ctx, buf, (int) len);
+}
+
+void
+isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
+
+	HMAC_Final(ctx, newdigest, NULL);
+	HMAC_CTX_cleanup(ctx);
+	memcpy(digest, newdigest, len);
+	memset(newdigest, 0, sizeof(newdigest));
+}
+
+void
+isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha256());
+}
+
+void
+isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
+	HMAC_CTX_cleanup(ctx);
+}
+
+void
+isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	HMAC_Update(ctx, buf, (int) len);
+}
+
+void
+isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
+
+	HMAC_Final(ctx, newdigest, NULL);
+	HMAC_CTX_cleanup(ctx);
+	memcpy(digest, newdigest, len);
+	memset(newdigest, 0, sizeof(newdigest));
+}
+
+void
+isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha384());
+}
+
+void
+isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
+	HMAC_CTX_cleanup(ctx);
+}
+
+void
+isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	HMAC_Update(ctx, buf, (int) len);
+}
+
+void
+isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
+
+	HMAC_Final(ctx, newdigest, NULL);
+	HMAC_CTX_cleanup(ctx);
+	memcpy(digest, newdigest, len);
+	memset(newdigest, 0, sizeof(newdigest));
+}
+
+void
+isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha512());
+}
+
+void
+isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
+	HMAC_CTX_cleanup(ctx);
+}
+
+void
+isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	HMAC_Update(ctx, buf, (int) len);
+}
+
+void
+isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
+
+	HMAC_Final(ctx, newdigest, NULL);
+	HMAC_CTX_cleanup(ctx);
+	memcpy(digest, newdigest, len);
+	memset(newdigest, 0, sizeof(newdigest));
+}
+
+#else
+
 #define IPAD 0x36
 #define OPAD 0x5C
 
@@ -105,19 +265,6 @@ isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
 }
 
 /*
- * Verify signature - finalize SHA1 operation and reapply SHA1, then
- * compare to the supplied digest.
- */
-isc_boolean_t
-isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
-	unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
-
-	REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
-	isc_hmacsha1_sign(ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
-	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
-}
-
-/*
  * Start HMAC-SHA224 process.  Initialize an sha224 context and digest the key.
  */
 void
@@ -185,19 +332,6 @@ isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
 }
 
 /*
- * Verify signature - finalize SHA224 operation and reapply SHA224, then
- * compare to the supplied digest.
- */
-isc_boolean_t
-isc_hmacsha224_verify(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
-	unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
-
-	REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
-	isc_hmacsha224_sign(ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
-	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
-}
-
-/*
  * Start HMAC-SHA256 process.  Initialize an sha256 context and digest the key.
  */
 void
@@ -265,19 +399,6 @@ isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
 }
 
 /*
- * Verify signature - finalize SHA256 operation and reapply SHA256, then
- * compare to the supplied digest.
- */
-isc_boolean_t
-isc_hmacsha256_verify(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
-	unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
-
-	REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
-	isc_hmacsha256_sign(ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
-	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
-}
-
-/*
  * Start HMAC-SHA384 process.  Initialize an sha384 context and digest the key.
  */
 void
@@ -345,19 +466,6 @@ isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
 }
 
 /*
- * Verify signature - finalize SHA384 operation and reapply SHA384, then
- * compare to the supplied digest.
- */
-isc_boolean_t
-isc_hmacsha384_verify(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
-	unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
-
-	REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
-	isc_hmacsha384_sign(ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
-	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
-}
-
-/*
  * Start HMAC-SHA512 process.  Initialize an sha512 context and digest the key.
  */
 void
@@ -423,6 +531,59 @@ isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
 	memcpy(digest, newdigest, len);
 	memset(newdigest, 0, sizeof(newdigest));
 }
+#endif /* !ISC_PLATFORM_OPENSSLHASH */
+
+/*
+ * Verify signature - finalize SHA1 operation and reapply SHA1, then
+ * compare to the supplied digest.
+ */
+isc_boolean_t
+isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
+	isc_hmacsha1_sign(ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
+	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
+}
+
+/*
+ * Verify signature - finalize SHA224 operation and reapply SHA224, then
+ * compare to the supplied digest.
+ */
+isc_boolean_t
+isc_hmacsha224_verify(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
+	isc_hmacsha224_sign(ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
+	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
+}
+
+/*
+ * Verify signature - finalize SHA256 operation and reapply SHA256, then
+ * compare to the supplied digest.
+ */
+isc_boolean_t
+isc_hmacsha256_verify(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
+	isc_hmacsha256_sign(ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
+	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
+}
+
+/*
+ * Verify signature - finalize SHA384 operation and reapply SHA384, then
+ * compare to the supplied digest.
+ */
+isc_boolean_t
+isc_hmacsha384_verify(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
+	isc_hmacsha384_sign(ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
+	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
+}
 
 /*
  * Verify signature - finalize SHA512 operation and reapply SHA512, then
diff --git a/lib/isc/ia64/include/isc/atomic.h b/lib/isc/ia64/include/isc/atomic.h
index 4c467977..d94bab0d 100644
--- a/lib/isc/ia64/include/isc/atomic.h
+++ b/lib/isc/ia64/include/isc/atomic.h
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: atomic.h,v 1.4.326.2 2009/02/06 23:47:11 tbox Exp $ */
+/* $Id: atomic.h,v 1.6 2009/02/04 23:48:09 tbox Exp $ */
 
 #ifndef ISC_ATOMIC_H
 #define ISC_ATOMIC_H 1
diff --git a/lib/isc/include/isc/Makefile.in b/lib/isc/include/isc/Makefile.in
index def11800..b3eb2b4c 100644
--- a/lib/isc/include/isc/Makefile.in
+++ b/lib/isc/include/isc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.64.12.2 2009/02/12 23:47:22 tbox Exp $
+# $Id: Makefile.in,v 1.66 2009/02/12 23:47:56 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
index e9e59c49..13ec0e70 100644
--- a/lib/isc/include/isc/entropy.h
+++ b/lib/isc/include/isc/entropy.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy.h,v 1.32.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: entropy.h,v 1.34 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef ISC_ENTROPY_H
 #define ISC_ENTROPY_H 1
diff --git a/lib/isc/include/isc/file.h b/lib/isc/include/isc/file.h
index c9457343..e64c7fac 100644
--- a/lib/isc/include/isc/file.h
+++ b/lib/isc/include/isc/file.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: file.h,v 1.33.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: file.h,v 1.36 2009/06/10 00:27:22 each Exp $ */
 
 #ifndef ISC_FILE_H
 #define ISC_FILE_H 1
@@ -251,6 +251,14 @@ isc_file_truncate(const char *filename, isc_offset_t size);
  * Truncate/extend the file specified to 'size' bytes.
  */
 
+isc_result_t
+isc_file_safecreate(const char *filename, FILE **fp);
+/*%<
+ * Open 'filename' for writing, truncating if necessary.  Ensure that
+ * if it existed it was a normal file.  If creating the file, ensure
+ * that only the owner can read/write it.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_FILE_H */
diff --git a/lib/isc/include/isc/fsaccess.h b/lib/isc/include/isc/fsaccess.h
index 3b455e5d..7962bbe2 100644
--- a/lib/isc/include/isc/fsaccess.h
+++ b/lib/isc/include/isc/fsaccess.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: fsaccess.h,v 1.14.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: fsaccess.h,v 1.16 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef ISC_FSACCESS_H
 #define ISC_FSACCESS_H 1
diff --git a/lib/isc/include/isc/hash.h b/lib/isc/include/isc/hash.h
index da30a19c..ca04b4e4 100644
--- a/lib/isc/include/isc/hash.h
+++ b/lib/isc/include/isc/hash.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hash.h,v 1.10.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: hash.h,v 1.12 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef ISC_HASH_H
 #define ISC_HASH_H 1
diff --git a/lib/isc/include/isc/heap.h b/lib/isc/include/isc/heap.h
index 82c59826..77bf07c3 100644
--- a/lib/isc/include/isc/heap.h
+++ b/lib/isc/include/isc/heap.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: heap.h,v 1.24.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: heap.h,v 1.26 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef ISC_HEAP_H
 #define ISC_HEAP_H 1
diff --git a/lib/isc/include/isc/hmacmd5.h b/lib/isc/include/isc/hmacmd5.h
index fab9c580..9ecad453 100644
--- a/lib/isc/include/isc/hmacmd5.h
+++ b/lib/isc/include/isc/hmacmd5.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacmd5.h,v 1.12 2007/06/19 23:47:18 tbox Exp $ */
+/* $Id: hmacmd5.h,v 1.14 2009/02/06 23:47:42 tbox Exp $ */
 
 /*! \file isc/hmacmd5.h
  * \brief This is the header file for the HMAC-MD5 keyed hash algorithm
@@ -27,14 +27,23 @@
 
 #include <isc/lang.h>
 #include <isc/md5.h>
+#include <isc/platform.h>
 #include <isc/types.h>
 
 #define ISC_HMACMD5_KEYLENGTH 64
 
+#ifdef ISC_PLATFORM_OPENSSLHASH
+#include <openssl/hmac.h>
+
+typedef HMAC_CTX isc_hmacmd5_t;
+
+#else
+
 typedef struct {
 	isc_md5_t md5ctx;
 	unsigned char key[ISC_HMACMD5_KEYLENGTH];
 } isc_hmacmd5_t;
+#endif
 
 ISC_LANG_BEGINDECLS
 
diff --git a/lib/isc/include/isc/hmacsha.h b/lib/isc/include/isc/hmacsha.h
index 362b37f8..1d0e1840 100644
--- a/lib/isc/include/isc/hmacsha.h
+++ b/lib/isc/include/isc/hmacsha.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacsha.h,v 1.7 2007/06/19 23:47:18 tbox Exp $ */
+/* $Id: hmacsha.h,v 1.9 2009/02/06 23:47:42 tbox Exp $ */
 
 /*! \file isc/hmacsha.h
  * This is the header file for the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256,
@@ -25,6 +25,7 @@
 #define ISC_HMACSHA_H 1
 
 #include <isc/lang.h>
+#include <isc/platform.h>
 #include <isc/sha1.h>
 #include <isc/sha2.h>
 #include <isc/types.h>
@@ -35,6 +36,17 @@
 #define ISC_HMACSHA384_KEYLENGTH ISC_SHA384_BLOCK_LENGTH
 #define ISC_HMACSHA512_KEYLENGTH ISC_SHA512_BLOCK_LENGTH
 
+#ifdef ISC_PLATFORM_OPENSSLHASH
+#include <openssl/hmac.h>
+
+typedef HMAC_CTX isc_hmacsha1_t;
+typedef HMAC_CTX isc_hmacsha224_t;
+typedef HMAC_CTX isc_hmacsha256_t;
+typedef HMAC_CTX isc_hmacsha384_t;
+typedef HMAC_CTX isc_hmacsha512_t;
+
+#else
+
 typedef struct {
 	isc_sha1_t sha1ctx;
 	unsigned char key[ISC_HMACSHA1_KEYLENGTH];
@@ -59,6 +71,7 @@ typedef struct {
 	isc_sha512_t sha512ctx;
 	unsigned char key[ISC_HMACSHA512_KEYLENGTH];
 } isc_hmacsha512_t;
+#endif
 
 ISC_LANG_BEGINDECLS
 
diff --git a/lib/isc/include/isc/log.h b/lib/isc/include/isc/log.h
index c9ba8082..741c5324 100644
--- a/lib/isc/include/isc/log.h
+++ b/lib/isc/include/isc/log.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.h,v 1.54.332.5 2009/02/16 02:04:05 marka Exp $ */
+/* $Id: log.h,v 1.59 2009/02/16 02:01:16 marka Exp $ */
 
 #ifndef ISC_LOG_H
 #define ISC_LOG_H 1
diff --git a/lib/isc/include/isc/md5.h b/lib/isc/include/isc/md5.h
index 5b0d785c..0a176e8f 100644
--- a/lib/isc/include/isc/md5.h
+++ b/lib/isc/include/isc/md5.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: md5.h,v 1.16 2007/06/19 23:47:18 tbox Exp $ */
+/* $Id: md5.h,v 1.18 2009/02/06 23:47:42 tbox Exp $ */
 
 /*! \file isc/md5.h
  * \brief This is the header file for the MD5 message-digest algorithm.
@@ -44,15 +44,24 @@
 #define ISC_MD5_H 1
 
 #include <isc/lang.h>
+#include <isc/platform.h>
 #include <isc/types.h>
 
 #define ISC_MD5_DIGESTLENGTH 16U
 
+#ifdef ISC_PLATFORM_OPENSSLHASH
+#include <openssl/evp.h>
+
+typedef EVP_MD_CTX isc_md5_t;
+
+#else
+
 typedef struct {
 	isc_uint32_t buf[4];
 	isc_uint32_t bytes[2];
 	isc_uint32_t in[16];
 } isc_md5_t;
+#endif
 
 ISC_LANG_BEGINDECLS
 
diff --git a/lib/isc/include/isc/mem.h b/lib/isc/include/isc/mem.h
index 480a9340..a114d3eb 100644
--- a/lib/isc/include/isc/mem.h
+++ b/lib/isc/include/isc/mem.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mem.h,v 1.78.120.3 2009/02/11 03:07:01 jinmei Exp $ */
+/* $Id: mem.h,v 1.81 2009/02/11 03:04:18 jinmei Exp $ */
 
 #ifndef ISC_MEM_H
 #define ISC_MEM_H 1
diff --git a/lib/isc/include/isc/netaddr.h b/lib/isc/include/isc/netaddr.h
index 8bfdbce2..954d7701 100644
--- a/lib/isc/include/isc/netaddr.h
+++ b/lib/isc/include/isc/netaddr.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netaddr.h,v 1.35.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: netaddr.h,v 1.37 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef ISC_NETADDR_H
 #define ISC_NETADDR_H 1
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
index 1ed76b85..fd5461e4 100644
--- a/lib/isc/include/isc/platform.h.in
+++ b/lib/isc/include/isc/platform.h.in
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: platform.h.in,v 1.48.84.2 2009/02/16 23:47:15 tbox Exp $ */
+/* $Id: platform.h.in,v 1.51 2009/02/06 23:47:42 tbox Exp $ */
 
 #ifndef ISC_PLATFORM_H
 #define ISC_PLATFORM_H 1
@@ -284,6 +284,11 @@
  */
 @ISC_PLATFORM_HAVESTRINGSH@
 
+/*
+ * Define if the hash functions must be provided by OpenSSL.
+ */
+@ISC_PLATFORM_OPENSSLHASH@
+
 /***
  ***	Windows dll support.
  ***/
diff --git a/lib/isc/include/isc/portset.h b/lib/isc/include/isc/portset.h
index dc1f8561..29703e6e 100644
--- a/lib/isc/include/isc/portset.h
+++ b/lib/isc/include/isc/portset.h
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: portset.h,v 1.3.90.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: portset.h,v 1.5 2009/01/17 23:47:43 tbox Exp $ */
 
 /*! \file isc/portset.h
  * \brief Transport Protocol Port Manipulation Module
diff --git a/lib/isc/include/isc/radix.h b/lib/isc/include/isc/radix.h
index fbb1893d..6b413a23 100644
--- a/lib/isc/include/isc/radix.h
+++ b/lib/isc/include/isc/radix.h
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: radix.h,v 1.11.44.2 2008/12/24 23:47:02 tbox Exp $ */
+/* $Id: radix.h,v 1.13 2008/12/01 23:47:45 tbox Exp $ */
 
 /*
  * This source was adapted from MRT's RCS Ids:
diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h
index 9b6ca64e..1f9572d3 100644
--- a/lib/isc/include/isc/random.h
+++ b/lib/isc/include/isc/random.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: random.h,v 1.18.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: random.h,v 1.20 2009/01/17 23:47:43 tbox Exp $ */
 
 #ifndef ISC_RANDOM_H
 #define ISC_RANDOM_H 1
diff --git a/lib/isc/include/isc/ratelimiter.h b/lib/isc/include/isc/ratelimiter.h
index d18cf25b..00a72097 100644
--- a/lib/isc/include/isc/ratelimiter.h
+++ b/lib/isc/include/isc/ratelimiter.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ratelimiter.h,v 1.21.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: ratelimiter.h,v 1.23 2009/01/18 23:48:14 tbox Exp $ */
 
 #ifndef ISC_RATELIMITER_H
 #define ISC_RATELIMITER_H 1
diff --git a/lib/isc/include/isc/serial.h b/lib/isc/include/isc/serial.h
index f7e3049e..a5e03970 100644
--- a/lib/isc/include/isc/serial.h
+++ b/lib/isc/include/isc/serial.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: serial.h,v 1.16.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: serial.h,v 1.18 2009/01/18 23:48:14 tbox Exp $ */
 
 #ifndef ISC_SERIAL_H
 #define ISC_SERIAL_H 1
diff --git a/lib/isc/include/isc/sha1.h b/lib/isc/include/isc/sha1.h
index 63f12bb1..313ff963 100644
--- a/lib/isc/include/isc/sha1.h
+++ b/lib/isc/include/isc/sha1.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
 #ifndef ISC_SHA1_H
 #define ISC_SHA1_H 1
 
-/* $Id: sha1.h,v 1.17 2007/06/19 23:47:18 tbox Exp $ */
+/* $Id: sha1.h,v 1.19 2009/02/06 23:47:42 tbox Exp $ */
 
 /*	$NetBSD: sha1.h,v 1.2 1998/05/29 22:55:44 thorpej Exp $	*/
 
@@ -29,16 +29,25 @@
  */
 
 #include <isc/lang.h>
+#include <isc/platform.h>
 #include <isc/types.h>
 
 #define ISC_SHA1_DIGESTLENGTH 20U
 #define ISC_SHA1_BLOCK_LENGTH 64U
 
+#ifdef ISC_PLATFORM_OPENSSLHASH
+#include <openssl/evp.h>
+
+typedef EVP_MD_CTX isc_sha1_t;
+
+#else
+
 typedef struct {
 	isc_uint32_t state[5];
 	isc_uint32_t count[2];
 	unsigned char buffer[ISC_SHA1_BLOCK_LENGTH];
 } isc_sha1_t;
+#endif
 
 ISC_LANG_BEGINDECLS
 
diff --git a/lib/isc/include/isc/sha2.h b/lib/isc/include/isc/sha2.h
index 203600fd..c2c94cb9 100644
--- a/lib/isc/include/isc/sha2.h
+++ b/lib/isc/include/isc/sha2.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sha2.h,v 1.9 2007/06/19 23:47:18 tbox Exp $ */
+/* $Id: sha2.h,v 1.11 2009/02/06 23:47:42 tbox Exp $ */
 
 /*	$FreeBSD: src/sys/crypto/sha2/sha2.h,v 1.1.2.1 2001/07/03 11:01:36 ume Exp $	*/
 /*	$KAME: sha2.h,v 1.3 2001/03/12 08:27:48 itojun Exp $	*/
@@ -39,7 +39,7 @@
  * 3. Neither the name of the copyright holder nor the names of contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -58,6 +58,7 @@
 #define ISC_SHA2_H
 
 #include <isc/lang.h>
+#include <isc/platform.h>
 #include <isc/types.h>
 
 /*** SHA-224/256/384/512 Various Length Definitions ***********************/
@@ -75,10 +76,15 @@
 #define ISC_SHA512_DIGESTLENGTH	64U
 #define ISC_SHA512_DIGESTSTRINGLENGTH	(ISC_SHA512_DIGESTLENGTH * 2 + 1)
 
+/*** SHA-256/384/512 Context Structures *******************************/
 
-ISC_LANG_BEGINDECLS
+#ifdef ISC_PLATFORM_OPENSSLHASH
+#include <openssl/evp.h>
 
-/*** SHA-256/384/512 Context Structures *******************************/
+typedef EVP_MD_CTX isc_sha256_t;
+typedef EVP_MD_CTX isc_sha512_t;
+
+#else
 
 /*
  * Keep buffer immediately after bitcount to preserve alignment.
@@ -97,10 +103,13 @@ typedef struct {
 	isc_uint64_t	bitcount[2];
 	isc_uint8_t	buffer[ISC_SHA512_BLOCK_LENGTH];
 } isc_sha512_t;
+#endif
 
 typedef isc_sha256_t isc_sha224_t;
 typedef isc_sha512_t isc_sha384_t;
 
+ISC_LANG_BEGINDECLS
+
 /*** SHA-224/256/384/512 Function Prototypes ******************************/
 
 void isc_sha224_init (isc_sha224_t *);
diff --git a/lib/isc/include/isc/sockaddr.h b/lib/isc/include/isc/sockaddr.h
index 62cc7739..1e691422 100644
--- a/lib/isc/include/isc/sockaddr.h
+++ b/lib/isc/include/isc/sockaddr.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr.h,v 1.55.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: sockaddr.h,v 1.57 2009/01/18 23:48:14 tbox Exp $ */
 
 #ifndef ISC_SOCKADDR_H
 #define ISC_SOCKADDR_H 1
diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h
index 035c9948..4f654a29 100644
--- a/lib/isc/include/isc/socket.h
+++ b/lib/isc/include/isc/socket.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.h,v 1.85.58.3 2009/01/29 22:40:35 jinmei Exp $ */
+/* $Id: socket.h,v 1.89 2009/03/05 03:13:55 marka Exp $ */
 
 #ifndef ISC_SOCKET_H
 #define ISC_SOCKET_H 1
@@ -992,6 +992,12 @@ isc__socketmgr_setreserved(isc_socketmgr_t *mgr, isc_uint32_t);
  * Temporary.  For use by named only.
  */
 
+void
+isc__socketmgr_maxudp(isc_socketmgr_t *mgr, int maxudp);
+/*%<
+ * Test interface. Drop UDP packet > 'maxudp'.
+ */
+
 #ifdef HAVE_LIBXML2
 
 void
diff --git a/lib/isc/include/isc/stats.h b/lib/isc/include/isc/stats.h
index a6156d86..d61afcc6 100644
--- a/lib/isc/include/isc/stats.h
+++ b/lib/isc/include/isc/stats.h
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stats.h,v 1.4.2.2 2009/01/29 23:47:44 tbox Exp $ */
+/* $Id: stats.h,v 1.4 2009/01/29 01:03:56 jinmei Exp $ */
 
 #ifndef ISC_STATS_H
 #define ISC_STATS_H 1
diff --git a/lib/isc/include/isc/symtab.h b/lib/isc/include/isc/symtab.h
index 396d6453..886d3b2d 100644
--- a/lib/isc/include/isc/symtab.h
+++ b/lib/isc/include/isc/symtab.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.h,v 1.24.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: symtab.h,v 1.26 2009/01/18 23:48:14 tbox Exp $ */
 
 #ifndef ISC_SYMTAB_H
 #define ISC_SYMTAB_H 1
diff --git a/lib/isc/include/isc/task.h b/lib/isc/include/isc/task.h
index 8106571c..bf90281e 100644
--- a/lib/isc/include/isc/task.h
+++ b/lib/isc/include/isc/task.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task.h,v 1.61.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: task.h,v 1.63 2009/01/18 23:48:14 tbox Exp $ */
 
 #ifndef ISC_TASK_H
 #define ISC_TASK_H 1
diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h
index 4dccbf98..469e7d62 100644
--- a/lib/isc/include/isc/types.h
+++ b/lib/isc/include/isc/types.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.46.84.2 2009/01/29 23:47:44 tbox Exp $ */
+/* $Id: types.h,v 1.48 2009/01/27 23:47:54 tbox Exp $ */
 
 #ifndef ISC_TYPES_H
 #define ISC_TYPES_H 1
diff --git a/lib/isc/inet_aton.c b/lib/isc/inet_aton.c
index ad9401f6..14b4887f 100644
--- a/lib/isc/inet_aton.c
+++ b/lib/isc/inet_aton.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1996-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -71,7 +71,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char sccsid[] = "@(#)inet_addr.c	8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: inet_aton.c,v 1.21.332.2 2009/03/05 23:47:03 tbox Exp $";
+static char rcsid[] = "$Id: inet_aton.c,v 1.23 2008/12/01 23:47:45 tbox Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
diff --git a/lib/isc/iterated_hash.c b/lib/isc/iterated_hash.c
index 16743143..86dedde2 100644
--- a/lib/isc/iterated_hash.c
+++ b/lib/isc/iterated_hash.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: iterated_hash.c,v 1.4.48.2 2009/02/18 23:47:12 tbox Exp $ */
+/* $Id: iterated_hash.c,v 1.6 2009/02/18 23:47:48 tbox Exp $ */
 
 #include "config.h"
 
diff --git a/lib/isc/log.c b/lib/isc/log.c
index e19c9ba9..79ca4f2a 100644
--- a/lib/isc/log.c
+++ b/lib/isc/log.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.94.332.5 2009/02/16 02:04:05 marka Exp $ */
+/* $Id: log.c,v 1.99 2009/02/16 02:01:16 marka Exp $ */
 
 /*! \file
  * \author  Principal Authors: DCL */
diff --git a/lib/isc/md5.c b/lib/isc/md5.c
index 5004c3e4..7c6419b2 100644
--- a/lib/isc/md5.c
+++ b/lib/isc/md5.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: md5.c,v 1.14 2007/06/19 23:47:17 tbox Exp $ */
+/* $Id: md5.c,v 1.16 2009/02/06 23:47:42 tbox Exp $ */
 
 /*! \file
  * This code implements the MD5 message-digest algorithm.
@@ -38,10 +38,35 @@
 
 #include <isc/assertions.h>
 #include <isc/md5.h>
+#include <isc/platform.h>
 #include <isc/string.h>
 #include <isc/types.h>
 #include <isc/util.h>
 
+#ifdef ISC_PLATFORM_OPENSSLHASH
+
+void
+isc_md5_init(isc_md5_t *ctx) {
+	EVP_DigestInit(ctx, EVP_md5());
+}
+
+void
+isc_md5_invalidate(isc_md5_t *ctx) {
+	EVP_MD_CTX_cleanup(ctx);
+}
+
+void
+isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) {
+	EVP_DigestUpdate(ctx, (const void *) buf, (size_t) len);
+}
+
+void
+isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
+	EVP_DigestFinal(ctx, digest, NULL);
+}
+
+#else
+
 static void
 byteSwap(isc_uint32_t *buf, unsigned words)
 {
@@ -249,3 +274,4 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
 	memcpy(digest, ctx->buf, 16);
 	memset(ctx, 0, sizeof(isc_md5_t));	/* In case it's sensitive */
 }
+#endif
diff --git a/lib/isc/mem.c b/lib/isc/mem.c
index 9c37d747..2ee8c89e 100644
--- a/lib/isc/mem.c
+++ b/lib/isc/mem.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mem.c,v 1.145.120.4 2009/02/16 03:17:05 marka Exp $ */
+/* $Id: mem.c,v 1.149 2009/02/16 03:16:10 marka Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/radix.c b/lib/isc/radix.c
index 77869841..7015aa93 100644
--- a/lib/isc/radix.c
+++ b/lib/isc/radix.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: radix.c,v 1.20.36.3 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: radix.c,v 1.23 2009/01/18 23:48:14 tbox Exp $ */
 
 /*
  * This source was adapted from MRT's RCS Ids:
diff --git a/lib/isc/rwlock.c b/lib/isc/rwlock.c
index ca8e83df..315fd25f 100644
--- a/lib/isc/rwlock.c
+++ b/lib/isc/rwlock.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rwlock.c,v 1.44.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: rwlock.c,v 1.46 2009/01/18 23:48:14 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/sha1.c b/lib/isc/sha1.c
index 35752884..f2dd19c6 100644
--- a/lib/isc/sha1.c
+++ b/lib/isc/sha1.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sha1.c,v 1.18 2007/06/19 23:47:17 tbox Exp $ */
+/* $Id: sha1.c,v 1.20 2009/02/06 23:47:42 tbox Exp $ */
 
 /*	$NetBSD: sha1.c,v 1.5 2000/01/22 22:19:14 mycroft Exp $	*/
 /*	$OpenBSD: sha1.c,v 1.9 1997/07/23 21:12:32 kstailey Exp $	*/
@@ -38,11 +38,47 @@
 #include "config.h"
 
 #include <isc/assertions.h>
+#include <isc/platform.h>
 #include <isc/sha1.h>
 #include <isc/string.h>
 #include <isc/types.h>
 #include <isc/util.h>
 
+#ifdef ISC_PLATFORM_OPENSSLHASH
+
+void
+isc_sha1_init(isc_sha1_t *context)
+{
+	INSIST(context != NULL);
+
+	EVP_DigestInit(context, EVP_sha1());
+}
+
+void
+isc_sha1_invalidate(isc_sha1_t *context) {
+	EVP_MD_CTX_cleanup(context);
+}
+
+void
+isc_sha1_update(isc_sha1_t *context, const unsigned char *data,
+		unsigned int len)
+{
+	INSIST(context != 0);
+	INSIST(data != 0);
+
+	EVP_DigestUpdate(context, (const void *) data, (size_t) len);
+}
+
+void
+isc_sha1_final(isc_sha1_t *context, unsigned char *digest) {
+	INSIST(digest != 0);
+	INSIST(context != 0);
+
+	EVP_DigestFinal(context, digest, NULL);
+}
+
+#else
+
 #define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
 
 /*@{*/
@@ -313,3 +349,4 @@ isc_sha1_final(isc_sha1_t *context, unsigned char *digest) {
 
 	memset(context, 0, sizeof(isc_sha1_t));
 }
+#endif
diff --git a/lib/isc/sha2.c b/lib/isc/sha2.c
index 6cd900dd..e33a1026 100644
--- a/lib/isc/sha2.c
+++ b/lib/isc/sha2.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sha2.c,v 1.13.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: sha2.c,v 1.17 2009/02/06 23:47:42 tbox Exp $ */
 
 /*	$FreeBSD: src/sys/crypto/sha2/sha2.c,v 1.2.2.2 2002/03/05 08:36:47 ume Exp $	*/
 /*	$KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $	*/
@@ -58,10 +58,149 @@
 #include <config.h>
 
 #include <isc/assertions.h>
+#include <isc/platform.h>
 #include <isc/sha2.h>
 #include <isc/string.h>
 #include <isc/util.h>
 
+#ifdef ISC_PLATFORM_OPENSSLHASH
+
+void
+isc_sha224_init(isc_sha224_t *context) {
+	if (context == (isc_sha224_t *)0) {
+		return;
+	}
+	EVP_DigestInit(context, EVP_sha224());
+}
+
+void
+isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) {
+	if (len == 0U) {
+		/* Calling with no data is valid - we do nothing */
+		return;
+	}
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha224_t *)0 && data != (isc_uint8_t*)0);
+
+	EVP_DigestUpdate(context, (const void *) data, len);
+}
+
+void
+isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) {
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha224_t *)0);
+
+	/* If no digest buffer is passed, we don't bother doing this: */
+	if (digest != (isc_uint8_t*)0) {
+		EVP_DigestFinal(context, digest, NULL);
+	} else {
+		EVP_MD_CTX_cleanup(context);
+	}
+}
+
+void
+isc_sha256_init(isc_sha256_t *context) {
+	if (context == (isc_sha256_t *)0) {
+		return;
+	}
+	EVP_DigestInit(context, EVP_sha256());
+}
+
+void
+isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) {
+	if (len == 0U) {
+		/* Calling with no data is valid - we do nothing */
+		return;
+	}
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0);
+
+	EVP_DigestUpdate(context, (const void *) data, len);
+}
+
+void
+isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) {
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha256_t *)0);
+
+	/* If no digest buffer is passed, we don't bother doing this: */
+	if (digest != (isc_uint8_t*)0) {
+		EVP_DigestFinal(context, digest, NULL);
+	} else {
+		EVP_MD_CTX_cleanup(context);
+	}
+}
+
+void
+isc_sha512_init(isc_sha512_t *context) {
+	if (context == (isc_sha512_t *)0) {
+		return;
+	}
+	EVP_DigestInit(context, EVP_sha512());
+}
+
+void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t len) {
+	if (len == 0U) {
+		/* Calling with no data is valid - we do nothing */
+		return;
+	}
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0);
+
+	EVP_DigestUpdate(context, (const void *) data, len);
+}
+
+void isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) {
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha512_t *)0);
+
+	/* If no digest buffer is passed, we don't bother doing this: */
+	if (digest != (isc_uint8_t*)0) {
+		EVP_DigestFinal(context, digest, NULL);
+	} else {
+		EVP_MD_CTX_cleanup(context);
+	}
+}
+
+void
+isc_sha384_init(isc_sha384_t *context) {
+	if (context == (isc_sha384_t *)0) {
+		return;
+	}
+	EVP_DigestInit(context, EVP_sha384());
+}
+
+void
+isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) {
+	if (len == 0U) {
+		/* Calling with no data is valid - we do nothing */
+		return;
+	}
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0);
+
+	EVP_DigestUpdate(context, (const void *) data, len);
+}
+
+void
+isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) {
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha384_t *)0);
+
+	/* If no digest buffer is passed, we don't bother doing this: */
+	if (digest != (isc_uint8_t*)0) {
+		EVP_DigestFinal(context, digest, NULL);
+	} else {
+		EVP_MD_CTX_cleanup(context);
+	}
+}
+
+#else
+
 /*
  * UNROLLED TRANSFORM LOOP NOTE:
  * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
@@ -394,13 +533,6 @@ static const isc_uint64_t sha512_initial_hash_value[8] = {
 };
 #endif
 
-/*
- * Constant used by SHA256/384/512_End() functions for converting the
- * digest to a readable hexadecimal character string:
- */
-static const char *sha2_hex_digits = "0123456789abcdef";
-
-
 
 /*** SHA-224: *********************************************************/
 void
@@ -427,41 +559,6 @@ isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) {
 	memset(sha256_digest, 0, ISC_SHA256_DIGESTLENGTH);
 }
 
-char *
-isc_sha224_end(isc_sha224_t *context, char buffer[]) {
-	isc_uint8_t	digest[ISC_SHA224_DIGESTLENGTH], *d = digest;
-	unsigned int	i;
-
-	/* Sanity check: */
-	REQUIRE(context != (isc_sha224_t *)0);
-
-	if (buffer != (char*)0) {
-		isc_sha224_final(digest, context);
-
-		for (i = 0; i < ISC_SHA224_DIGESTLENGTH; i++) {
-			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
-			*buffer++ = sha2_hex_digits[*d & 0x0f];
-			d++;
-		}
-		*buffer = (char)0;
-	} else {
-		memset(context, 0, sizeof(context));
-	}
-	memset(digest, 0, ISC_SHA224_DIGESTLENGTH);
-	return buffer;
-}
-
-char*
-isc_sha224_data(const isc_uint8_t *data, size_t len,
-		char digest[ISC_SHA224_DIGESTSTRINGLENGTH])
-{
-	isc_sha224_t context;
-
-	isc_sha224_init(&context);
-	isc_sha224_update(&context, data, len);
-	return (isc_sha224_end(&context, digest));
-}
-
 /*** SHA-256: *********************************************************/
 void
 isc_sha256_init(isc_sha256_t *context) {
@@ -772,42 +869,6 @@ isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) {
 	usedspace = 0;
 }
 
-char *
-isc_sha256_end(isc_sha256_t *context, char buffer[]) {
-	isc_uint8_t	digest[ISC_SHA256_DIGESTLENGTH], *d = digest;
-	unsigned int	i;
-
-	/* Sanity check: */
-	REQUIRE(context != (isc_sha256_t *)0);
-
-	if (buffer != (char*)0) {
-		isc_sha256_final(digest, context);
-
-		for (i = 0; i < ISC_SHA256_DIGESTLENGTH; i++) {
-			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
-			*buffer++ = sha2_hex_digits[*d & 0x0f];
-			d++;
-		}
-		*buffer = (char)0;
-	} else {
-		memset(context, 0, sizeof(context));
-	}
-	memset(digest, 0, ISC_SHA256_DIGESTLENGTH);
-	return buffer;
-}
-
-char *
-isc_sha256_data(const isc_uint8_t* data, size_t len,
-		char digest[ISC_SHA256_DIGESTSTRINGLENGTH])
-{
-	isc_sha256_t context;
-
-	isc_sha256_init(&context);
-	isc_sha256_update(&context, data, len);
-	return (isc_sha256_end(&context, digest));
-}
-
-
 /*** SHA-512: *********************************************************/
 void
 isc_sha512_init(isc_sha512_t *context) {
@@ -1115,41 +1176,6 @@ void isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) {
 	memset(context, 0, sizeof(context));
 }
 
-char *
-isc_sha512_end(isc_sha512_t *context, char buffer[]) {
-	isc_uint8_t	digest[ISC_SHA512_DIGESTLENGTH], *d = digest;
-	unsigned int	i;
-
-	/* Sanity check: */
-	REQUIRE(context != (isc_sha512_t *)0);
-
-	if (buffer != (char*)0) {
-		isc_sha512_final(digest, context);
-
-		for (i = 0; i < ISC_SHA512_DIGESTLENGTH; i++) {
-			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
-			*buffer++ = sha2_hex_digits[*d & 0x0f];
-			d++;
-		}
-		*buffer = (char)0;
-	} else {
-		memset(context, 0, sizeof(context));
-	}
-	memset(digest, 0, ISC_SHA512_DIGESTLENGTH);
-	return buffer;
-}
-
-char *
-isc_sha512_data(const isc_uint8_t *data, size_t len,
-		char digest[ISC_SHA512_DIGESTSTRINGLENGTH])
-{
-	isc_sha512_t 	context;
-
-	isc_sha512_init(&context);
-	isc_sha512_update(&context, data, len);
-	return (isc_sha512_end(&context, digest));
-}
-
 
 /*** SHA-384: *********************************************************/
 void
@@ -1197,6 +1223,130 @@ isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) {
 	/* Zero out state data */
 	memset(context, 0, sizeof(context));
 }
+#endif /* !ISC_PLATFORM_OPENSSLHASH */
+
+/*
+ * Constant used by SHA256/384/512_End() functions for converting the
+ * digest to a readable hexadecimal character string:
+ */
+static const char *sha2_hex_digits = "0123456789abcdef";
+
+char *
+isc_sha224_end(isc_sha224_t *context, char buffer[]) {
+	isc_uint8_t	digest[ISC_SHA224_DIGESTLENGTH], *d = digest;
+	unsigned int	i;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha224_t *)0);
+
+	if (buffer != (char*)0) {
+		isc_sha224_final(digest, context);
+
+		for (i = 0; i < ISC_SHA224_DIGESTLENGTH; i++) {
+			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
+			*buffer++ = sha2_hex_digits[*d & 0x0f];
+			d++;
+		}
+		*buffer = (char)0;
+	} else {
+#ifdef ISC_PLATFORM_OPENSSLHASH
+		EVP_MD_CTX_cleanup(context);
+#else
+		memset(context, 0, sizeof(context));
+#endif
+	}
+	memset(digest, 0, ISC_SHA224_DIGESTLENGTH);
+	return buffer;
+}
+
+char *
+isc_sha224_data(const isc_uint8_t *data, size_t len,
+		char digest[ISC_SHA224_DIGESTSTRINGLENGTH])
+{
+	isc_sha224_t context;
+
+	isc_sha224_init(&context);
+	isc_sha224_update(&context, data, len);
+	return (isc_sha224_end(&context, digest));
+}
+
+char *
+isc_sha256_end(isc_sha256_t *context, char buffer[]) {
+	isc_uint8_t	digest[ISC_SHA256_DIGESTLENGTH], *d = digest;
+	unsigned int	i;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha256_t *)0);
+
+	if (buffer != (char*)0) {
+		isc_sha256_final(digest, context);
+
+		for (i = 0; i < ISC_SHA256_DIGESTLENGTH; i++) {
+			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
+			*buffer++ = sha2_hex_digits[*d & 0x0f];
+			d++;
+		}
+		*buffer = (char)0;
+	} else {
+#ifdef ISC_PLATFORM_OPENSSLHASH
+		EVP_MD_CTX_cleanup(context);
+#else
+		memset(context, 0, sizeof(context));
+#endif
+	}
+	memset(digest, 0, ISC_SHA256_DIGESTLENGTH);
+	return buffer;
+}
+
+char *
+isc_sha256_data(const isc_uint8_t* data, size_t len,
+		char digest[ISC_SHA256_DIGESTSTRINGLENGTH])
+{
+	isc_sha256_t context;
+
+	isc_sha256_init(&context);
+	isc_sha256_update(&context, data, len);
+	return (isc_sha256_end(&context, digest));
+}
+
+char *
+isc_sha512_end(isc_sha512_t *context, char buffer[]) {
+	isc_uint8_t	digest[ISC_SHA512_DIGESTLENGTH], *d = digest;
+	unsigned int	i;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha512_t *)0);
+
+	if (buffer != (char*)0) {
+		isc_sha512_final(digest, context);
+
+		for (i = 0; i < ISC_SHA512_DIGESTLENGTH; i++) {
+			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
+			*buffer++ = sha2_hex_digits[*d & 0x0f];
+			d++;
+		}
+		*buffer = (char)0;
+	} else {
+#ifdef ISC_PLATFORM_OPENSSLHASH
+		EVP_MD_CTX_cleanup(context);
+#else
+		memset(context, 0, sizeof(context));
+#endif
+	}
+	memset(digest, 0, ISC_SHA512_DIGESTLENGTH);
+	return buffer;
+}
+
+char *
+isc_sha512_data(const isc_uint8_t *data, size_t len,
+		char digest[ISC_SHA512_DIGESTSTRINGLENGTH])
+{
+	isc_sha512_t 	context;
+
+	isc_sha512_init(&context);
+	isc_sha512_update(&context, data, len);
+	return (isc_sha512_end(&context, digest));
+}
 
 char *
 isc_sha384_end(isc_sha384_t *context, char buffer[]) {
@@ -1216,13 +1366,17 @@ isc_sha384_end(isc_sha384_t *context, char buffer[]) {
 		}
 		*buffer = (char)0;
 	} else {
+#ifdef ISC_PLATFORM_OPENSSLHASH
+		EVP_MD_CTX_cleanup(context);
+#else
 		memset(context, 0, sizeof(context));
+#endif
 	}
 	memset(digest, 0, ISC_SHA384_DIGESTLENGTH);
 	return buffer;
 }
 
-char*
+char *
 isc_sha384_data(const isc_uint8_t *data, size_t len,
 		char digest[ISC_SHA384_DIGESTSTRINGLENGTH])
 {
diff --git a/lib/isc/stats.c b/lib/isc/stats.c
index 9e4e089b..35e8f843 100644
--- a/lib/isc/stats.c
+++ b/lib/isc/stats.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stats.c,v 1.3.6.2 2009/01/29 23:47:44 tbox Exp $ */
+/* $Id: stats.c,v 1.3 2009/01/27 23:47:54 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/timer.c b/lib/isc/timer.c
index 21fcd694..b40f404c 100644
--- a/lib/isc/timer.c
+++ b/lib/isc/timer.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.c,v 1.84.58.4 2009/01/23 23:47:21 tbox Exp $ */
+/* $Id: timer.c,v 1.89 2009/01/23 23:47:54 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/unix/dir.c b/lib/isc/unix/dir.c
index 92441475..6ddb97bd 100644
--- a/lib/isc/unix/dir.c
+++ b/lib/isc/unix/dir.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dir.c,v 1.25.332.3 2009/02/16 23:47:15 tbox Exp $ */
+/* $Id: dir.c,v 1.29 2009/02/16 23:48:04 tbox Exp $ */
 
 /*! \file
  * \author  Principal Authors: DCL */
diff --git a/lib/isc/unix/entropy.c b/lib/isc/unix/entropy.c
index 0e9e2979..ab53faf6 100644
--- a/lib/isc/unix/entropy.c
+++ b/lib/isc/unix/entropy.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy.c,v 1.80.332.2 2009/02/16 23:47:15 tbox Exp $ */
+/* $Id: entropy.c,v 1.82 2008/12/01 23:47:45 tbox Exp $ */
 
 /* \file unix/entropy.c
  * \brief
diff --git a/lib/isc/unix/file.c b/lib/isc/unix/file.c
index 748aee88..b7156c3a 100644
--- a/lib/isc/unix/file.c
+++ b/lib/isc/unix/file.c
@@ -48,7 +48,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: file.c,v 1.51.332.2 2009/02/16 23:47:15 tbox Exp $ */
+/* $Id: file.c,v 1.54 2009/06/10 00:27:22 each Exp $ */
 
 /*! \file */
 
@@ -442,3 +442,39 @@ isc_file_truncate(const char *filename, isc_offset_t size) {
 		result = isc__errno2result(errno);
 	return (result);
 }
+
+isc_result_t
+isc_file_safecreate(const char *filename, FILE **fp) {
+	isc_result_t result;
+	int flags;
+	struct stat sb;
+	FILE *f;
+	int fd;
+
+	REQUIRE(filename != NULL);
+	REQUIRE(fp != NULL && *fp == NULL);
+
+	result = file_stats(filename, &sb);
+	if (result == ISC_R_SUCCESS) {
+		if ((sb.st_mode & S_IFREG) == 0)
+			return (ISC_R_INVALIDFILE);
+		flags = O_WRONLY | O_TRUNC;
+	} else if (result == ISC_R_FILENOTFOUND) {
+		flags = O_WRONLY | O_CREAT | O_EXCL;
+	} else
+		return (result);
+
+	fd = open(filename, flags, S_IRUSR | S_IWUSR);
+	if (fd == -1)
+		return (isc__errno2result(errno));
+
+	f = fdopen(fd, "w");
+	if (f == NULL) {
+		result = isc__errno2result(errno);
+		close(fd);
+		return (result);
+	}
+
+	*fp = f;
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/unix/ifiter_ioctl.c b/lib/isc/unix/ifiter_ioctl.c
index a9d29bca..38c34fd6 100644
--- a/lib/isc/unix/ifiter_ioctl.c
+++ b/lib/isc/unix/ifiter_ioctl.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ifiter_ioctl.c,v 1.60.120.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: ifiter_ioctl.c,v 1.62 2009/01/18 23:48:14 tbox Exp $ */
 
 /*! \file
  * \brief
diff --git a/lib/isc/unix/include/isc/net.h b/lib/isc/unix/include/isc/net.h
index 53bebd75..2f70ae0e 100644
--- a/lib/isc/unix/include/isc/net.h
+++ b/lib/isc/unix/include/isc/net.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: net.h,v 1.48.84.2 2009/02/16 23:47:15 tbox Exp $ */
+/* $Id: net.h,v 1.50 2008/12/01 04:14:54 marka Exp $ */
 
 #ifndef ISC_NET_H
 #define ISC_NET_H 1
diff --git a/lib/isc/unix/include/isc/offset.h b/lib/isc/unix/include/isc/offset.h
index 0e484bec..8bf37799 100644
--- a/lib/isc/unix/include/isc/offset.h
+++ b/lib/isc/unix/include/isc/offset.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: offset.h,v 1.15.332.2 2009/02/16 23:47:15 tbox Exp $ */
+/* $Id: offset.h,v 1.17 2008/12/01 23:47:45 tbox Exp $ */
 
 #ifndef ISC_OFFSET_H
 #define ISC_OFFSET_H 1
diff --git a/lib/isc/unix/include/isc/strerror.h b/lib/isc/unix/include/isc/strerror.h
index 2953f71c..899043bb 100644
--- a/lib/isc/unix/include/isc/strerror.h
+++ b/lib/isc/unix/include/isc/strerror.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: strerror.h,v 1.8.332.2 2009/02/16 23:47:15 tbox Exp $ */
+/* $Id: strerror.h,v 1.10 2008/12/01 23:47:45 tbox Exp $ */
 
 #ifndef ISC_STRERROR_H
 #define ISC_STRERROR_H
diff --git a/lib/isc/unix/include/isc/time.h b/lib/isc/unix/include/isc/time.h
index 45c4510e..dc1cef9a 100644
--- a/lib/isc/unix/include/isc/time.h
+++ b/lib/isc/unix/include/isc/time.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.h,v 1.38.56.2 2009/01/05 23:47:23 tbox Exp $ */
+/* $Id: time.h,v 1.40 2009/01/05 23:47:54 tbox Exp $ */
 
 #ifndef ISC_TIME_H
 #define ISC_TIME_H 1
diff --git a/lib/isc/unix/interfaceiter.c b/lib/isc/unix/interfaceiter.c
index 4cfc8217..af2b06d0 100644
--- a/lib/isc/unix/interfaceiter.c
+++ b/lib/isc/unix/interfaceiter.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: interfaceiter.c,v 1.44.120.2 2009/02/16 23:47:15 tbox Exp $ */
+/* $Id: interfaceiter.c,v 1.45 2008/12/01 03:51:47 marka Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/unix/resource.c b/lib/isc/unix/resource.c
index 8bd8885b..29596e2a 100644
--- a/lib/isc/unix/resource.c
+++ b/lib/isc/unix/resource.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resource.c,v 1.21.66.2 2009/02/13 23:47:39 tbox Exp $ */
+/* $Id: resource.c,v 1.23 2009/02/13 23:48:14 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index d09fe51a..4955b786 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.308.12.8 2009/04/18 01:29:26 jinmei Exp $ */
+/* $Id: socket.c,v 1.318 2009/04/18 01:28:17 jinmei Exp $ */
 
 /*! \file */
 
@@ -388,6 +388,7 @@ struct isc_socketmgr {
 #else /* ISC_PLATFORM_USETHREADS */
 	unsigned int		refs;
 #endif /* ISC_PLATFORM_USETHREADS */
+	int			maxudp;
 };
 
 #ifndef ISC_PLATFORM_USETHREADS
@@ -1538,6 +1539,12 @@ doio_recv(isc_socket_t *sock, isc_socketevent_t *dev) {
 			}
 			return (DOIO_SOFT);
 		}
+		/*
+		 * Simulate a firewall blocking UDP responses bigger than
+		 * 512 bytes.
+		 */
+		if (sock->manager->maxudp != 0 && cc > sock->manager->maxudp)
+			return (DOIO_SOFT);
 	}
 
 	socket_log(sock, &dev->address, IOEVENT,
@@ -3559,6 +3566,13 @@ isc__socketmgr_setreserved(isc_socketmgr_t *manager, isc_uint32_t reserved) {
 	manager->reserved = reserved;
 }
 
+void
+isc__socketmgr_maxudp(isc_socketmgr_t *manager, int maxudp) {
+	REQUIRE(VALID_MANAGER(manager));
+
+	manager->maxudp = maxudp;
+}
+
 /*
  * Create a new socket manager.
  */
@@ -3814,6 +3828,7 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
 	memset(manager, 0, sizeof(*manager));
 	manager->maxsocks = maxsocks;
 	manager->reserved = 0;
+	manager->maxudp = 0;
 	manager->fds = isc_mem_get(mctx,
 				   manager->maxsocks * sizeof(isc_socket_t *));
 	if (manager->fds == NULL) {
diff --git a/lib/isc/unix/strerror.c b/lib/isc/unix/strerror.c
index 349c8bd9..caa66591 100644
--- a/lib/isc/unix/strerror.c
+++ b/lib/isc/unix/strerror.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: strerror.c,v 1.8.332.2 2009/02/16 23:47:15 tbox Exp $ */
+/* $Id: strerror.c,v 1.10 2009/02/16 23:48:04 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/win32/dir.c b/lib/isc/win32/dir.c
index cbeacbaa..6ec22846 100644
--- a/lib/isc/win32/dir.c
+++ b/lib/isc/win32/dir.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dir.c,v 1.16.22.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: dir.c,v 1.18 2009/01/18 23:48:14 tbox Exp $ */
 
 /* Principal Authors: DCL */
 
diff --git a/lib/isc/win32/entropy.c b/lib/isc/win32/entropy.c
index 7f4bb3fb..5a316e6e 100644
--- a/lib/isc/win32/entropy.c
+++ b/lib/isc/win32/entropy.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy.c,v 1.8.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: entropy.c,v 1.10 2009/01/18 23:48:14 tbox Exp $ */
 
 /*
  * This is the system dependent part of the ISC entropy API.
diff --git a/lib/isc/win32/file.c b/lib/isc/win32/file.c
index baf7953a..026182e4 100644
--- a/lib/isc/win32/file.c
+++ b/lib/isc/win32/file.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: file.c,v 1.31 2007/06/19 23:47:19 tbox Exp $ */
+/* $Id: file.c,v 1.33 2009/06/11 23:47:55 tbox Exp $ */
 
 #include <config.h>
 
@@ -213,9 +213,9 @@ isc_file_getmodtime(const char *file, isc_time_t *time) {
 			 &time->absolute))
 	{
 		close(fh);
-                errno = EINVAL;
-                return (isc__errno2result(errno));
-        }
+		errno = EINVAL;
+		return (isc__errno2result(errno));
+	}
 	close(fh);
 	return (ISC_R_SUCCESS);
 }
@@ -229,23 +229,23 @@ isc_file_settime(const char *file, isc_time_t *time) {
 	if ((fh = open(file, _O_RDWR | _O_BINARY)) < 0)
 		return (isc__errno2result(errno));
 
-        /*
+	/*
 	 * Set the date via the filedate system call and return.  Failing
-         * this call implies the new file times are not supported by the
-         * underlying file system.
-         */
+	 * this call implies the new file times are not supported by the
+	 * underlying file system.
+	 */
 	if (!SetFileTime((HANDLE) _get_osfhandle(fh),
 			 NULL,
 			 &time->absolute,
 			 &time->absolute))
 	{
 		close(fh);
-                errno = EINVAL;
-                return (isc__errno2result(errno));
-        }
+		errno = EINVAL;
+		return (isc__errno2result(errno));
+	}
 
 	close(fh);
-        return (ISC_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 
 }
 
@@ -457,7 +457,7 @@ isc_file_progname(const char *filename, char *progname, size_t namelen) {
 		return (ISC_R_SUCCESS);
 	}
 
-	/* 
+	/*
 	 * Copy the result to the buffer
 	 */
 	len = p - s;
@@ -505,3 +505,39 @@ isc_file_truncate(const char *filename, isc_offset_t size) {
 
 	return (ISC_R_SUCCESS);
 }
+
+isc_result_t
+isc_file_safecreate(const char *filename, FILE **fp) {
+	isc_result_t result;
+	int flags;
+	struct stat sb;
+	FILE *f;
+	int fd;
+
+	REQUIRE(filename != NULL);
+	REQUIRE(fp != NULL && *fp == NULL);
+
+	result = file_stats(filename, &sb);
+	if (result == ISC_R_SUCCESS) {
+		if ((sb.st_mode & S_IFREG) == 0)
+			return (ISC_R_INVALIDFILE);
+		flags = O_WRONLY | O_TRUNC;
+	} else if (result == ISC_R_FILENOTFOUND) {
+		flags = O_WRONLY | O_CREAT | O_EXCL;
+	} else
+		return (result);
+
+	fd = open(filename, flags, S_IRUSR | S_IWUSR);
+	if (fd == -1)
+		return (isc__errno2result(errno));
+
+	f = fdopen(fd, "w");
+	if (f == NULL) {
+		result = isc__errno2result(errno);
+		close(fd);
+		return (result);
+	}
+
+	*fp = f;
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/win32/include/isc/mutex.h b/lib/isc/win32/include/isc/mutex.h
index 921c1e93..5cf1bae1 100644
--- a/lib/isc/win32/include/isc/mutex.h
+++ b/lib/isc/win32/include/isc/mutex.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutex.h,v 1.20.56.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: mutex.h,v 1.22 2009/01/18 23:48:14 tbox Exp $ */
 
 #ifndef ISC_MUTEX_H
 #define ISC_MUTEX_H 1
diff --git a/lib/isc/win32/include/isc/net.h b/lib/isc/win32/include/isc/net.h
index 249a50a8..ba8402e0 100644
--- a/lib/isc/win32/include/isc/net.h
+++ b/lib/isc/win32/include/isc/net.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: net.h,v 1.30.82.2 2009/02/16 23:47:15 tbox Exp $ */
+/* $Id: net.h,v 1.31 2008/12/01 03:51:47 marka Exp $ */
 
 #ifndef ISC_NET_H
 #define ISC_NET_H 1
diff --git a/lib/isc/win32/include/isc/ntpaths.h b/lib/isc/win32/include/isc/ntpaths.h
index 7cd185a0..ffcf48b2 100644
--- a/lib/isc/win32/include/isc/ntpaths.h
+++ b/lib/isc/win32/include/isc/ntpaths.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ntpaths.h,v 1.16 2007/06/19 23:47:20 tbox Exp $ */
+/* $Id: ntpaths.h,v 1.19 2009/06/12 02:33:21 each Exp $ */
 
 /*
  * Windows-specific path definitions
@@ -40,7 +40,8 @@ enum NtPaths {
 	LWRESD_PID_PATH,
 	LOCAL_STATE_DIR,
 	SYS_CONF_DIR,
-	RNDC_KEY_PATH
+	RNDC_KEY_PATH,
+	DDNS_KEY_PATH
 };
 
 /*
@@ -49,9 +50,9 @@ enum NtPaths {
 #define NAMED_CONFFILE isc_ntpaths_get(NAMED_CONF_PATH)
 #define RNDC_CONFFILE isc_ntpaths_get(RNDC_CONF_PATH)
 #define RNDC_KEYFILE isc_ntpaths_get(RNDC_KEY_PATH)
+#define DDNS_KEYFILE isc_ntpaths_get(DDNS_KEY_PATH)
 #define RESOLV_CONF isc_ntpaths_get(RESOLV_CONF_PATH)
 
-
 /*
  * Information about where the files are on disk
  */
diff --git a/lib/isc/win32/include/isc/platform.h b/lib/isc/win32/include/isc/platform.h
index c93b50c7..3e23fe2b 100644
--- a/lib/isc/win32/include/isc/platform.h
+++ b/lib/isc/win32/include/isc/platform.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: platform.h,v 1.16.118.2 2009/02/16 23:47:15 tbox Exp $ */
+/* $Id: platform.h,v 1.17 2008/12/01 03:51:47 marka Exp $ */
 
 #ifndef ISC_PLATFORM_H
 #define ISC_PLATFORM_H 1
diff --git a/lib/isc/win32/include/isc/time.h b/lib/isc/win32/include/isc/time.h
index ce3c4c6a..8ffb24b1 100644
--- a/lib/isc/win32/include/isc/time.h
+++ b/lib/isc/win32/include/isc/time.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.h,v 1.33.56.2 2009/01/05 23:47:23 tbox Exp $ */
+/* $Id: time.h,v 1.35 2009/01/05 23:47:54 tbox Exp $ */
 
 #ifndef ISC_TIME_H
 #define ISC_TIME_H 1
diff --git a/lib/isc/win32/interfaceiter.c b/lib/isc/win32/interfaceiter.c
index a69b7026..58ef8836 100644
--- a/lib/isc/win32/interfaceiter.c
+++ b/lib/isc/win32/interfaceiter.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: interfaceiter.c,v 1.13.110.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: interfaceiter.c,v 1.15 2009/01/18 23:48:14 tbox Exp $ */
 
 /*
  * Note that this code will need to be revisited to support IPv6 Interfaces.
diff --git a/lib/isc/win32/libisc.def b/lib/isc/win32/libisc.def
index 19a2fef6..cabd2566 100644
--- a/lib/isc/win32/libisc.def
+++ b/lib/isc/win32/libisc.def
@@ -35,6 +35,7 @@ isc__mem_reallocate
 isc__mem_strdup
 isc__mempool_get
 isc__mempool_put
+isc__socketmgr_maxudp
 isc__socketmgr_setreserved
 isc__strerror
 isc_app_block
@@ -120,6 +121,7 @@ isc_file_progname
 isc_file_remove
 isc_file_rename
 isc_file_renameunique
+isc_file_safecreate
 isc_file_safemovefile
 isc_file_settime
 isc_file_template
diff --git a/lib/isc/win32/netdb.h b/lib/isc/win32/netdb.h
index fa941800..f8d936a9 100644
--- a/lib/isc/win32/netdb.h
+++ b/lib/isc/win32/netdb.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netdb.h,v 1.7.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: netdb.h,v 1.9 2009/01/18 23:48:14 tbox Exp $ */
 
 #ifndef NETDB_H
 #define NETDB_H 1
diff --git a/lib/isc/win32/ntpaths.c b/lib/isc/win32/ntpaths.c
index d1c622fa..f52aeb97 100644
--- a/lib/isc/win32/ntpaths.c
+++ b/lib/isc/win32/ntpaths.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ntpaths.c,v 1.11 2007/06/18 23:47:49 tbox Exp $ */
+/* $Id: ntpaths.c,v 1.14 2009/06/12 02:33:21 each Exp $ */
 
 /*
  * This module fetches the required path information that is specific
@@ -44,6 +44,7 @@ static char lwresd_defaultpidfile[MAX_PATH];
 static char local_state_dir[MAX_PATH];
 static char sys_conf_dir[MAX_PATH];
 static char rndc_keyFile[MAX_PATH];
+static char ddns_keyFile[MAX_PATH];
 
 static DWORD baseLen = MAX_PATH;
 static BOOL Initialized = FALSE;
@@ -57,7 +58,7 @@ isc_ntpaths_init() {
 	if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, BIND_SUBKEY, 0, KEY_READ, &hKey)
 		!= ERROR_SUCCESS)
 		keyFound = FALSE;
-	
+
 	if (keyFound == TRUE) {
 		/* Get the named directory */
 		if (RegQueryValueEx(hKey, "InstallDir", NULL, NULL,
@@ -84,6 +85,9 @@ isc_ntpaths_init() {
 	strcpy(rndc_keyFile, namedBase);
 	strcat(rndc_keyFile, "\\etc\\rndc.key");
 
+	strcpy(ddns_keyFile, namedBase);
+	strcat(ddns_keyFile, "\\etc\\ddns.key");
+
 	strcpy(rndc_confFile, namedBase);
 	strcat(rndc_confFile, "\\etc\\rndc.conf");
 	strcpy(ns_defaultpidfile, namedBase);
@@ -97,7 +101,7 @@ isc_ntpaths_init() {
 
 	strcpy(sys_conf_dir, namedBase);
 	strcat(sys_conf_dir, "\\etc");
-	
+
 	Initialized = TRUE;
 }
 
@@ -134,6 +138,9 @@ isc_ntpaths_get(int ind) {
 	case RNDC_KEY_PATH:
 		return (rndc_keyFile);
 		break;
+	case DDNS_KEY_PATH:
+		return (ddns_keyFile);
+		break;
 	default:
 		return (NULL);
 	}
diff --git a/lib/isc/win32/socket.c b/lib/isc/win32/socket.c
index 7c4068fb..96c469a9 100644
--- a/lib/isc/win32/socket.c
+++ b/lib/isc/win32/socket.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.70.54.4 2009/01/29 22:40:36 jinmei Exp $ */
+/* $Id: socket.c,v 1.75 2009/03/05 03:13:55 marka Exp $ */
 
 /* This code uses functions which are only available on Server 2003 and
  * higher, and Windows XP and higher.
@@ -3672,3 +3672,10 @@ isc__socketmgr_setreserved(isc_socketmgr_t *manager, isc_uint32_t reserved) {
 	UNUSED(manager);
 	UNUSED(reserved);
 }
+
+void
+isc__socketmgr_maxudp(isc_socketmgr_t *manager, int maxudp) {
+
+	UNUSED(manager);
+	UNUSED(maxudp);
+}
diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c
index ad3d58e2..3fc1070a 100644
--- a/lib/isccfg/aclconf.c
+++ b/lib/isccfg/aclconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aclconf.c,v 1.22.34.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: aclconf.c,v 1.24 2009/01/18 23:48:14 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isccfg/include/isccfg/grammar.h b/lib/isccfg/include/isccfg/grammar.h
index f194d4cc..c07cee53 100644
--- a/lib/isccfg/include/isccfg/grammar.h
+++ b/lib/isccfg/include/isccfg/grammar.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: grammar.h,v 1.17 2008/09/25 04:02:39 tbox Exp $ */
+/* $Id: grammar.h,v 1.19 2009/06/11 23:47:55 tbox Exp $ */
 
 #ifndef ISCCFG_GRAMMAR_H
 #define ISCCFG_GRAMMAR_H 1
@@ -210,10 +210,18 @@ struct cfg_parser {
 	 */
 	unsigned int	line;
 
+	/*%
+	 * Parser context flags, used for maintaining state
+	 * from one token to the next.
+	 */
+	unsigned int flags;
+
 	cfg_parsecallback_t callback;
 	void *callbackarg;
 };
 
+/* Parser context flags */
+#define CFG_PCTX_SKIP		0x1
 
 /*@{*/
 /*%
diff --git a/lib/isccfg/include/isccfg/log.h b/lib/isccfg/include/isccfg/log.h
index 9750a521..1f9fc21e 100644
--- a/lib/isccfg/include/isccfg/log.h
+++ b/lib/isccfg/include/isccfg/log.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.h,v 1.12.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: log.h,v 1.14 2009/01/18 23:48:14 tbox Exp $ */
 
 #ifndef ISCCFG_LOG_H
 #define ISCCFG_LOG_H 1
diff --git a/lib/isccfg/include/isccfg/namedconf.h b/lib/isccfg/include/isccfg/namedconf.h
index 9689a2ae..a5fc840c 100644
--- a/lib/isccfg/include/isccfg/namedconf.h
+++ b/lib/isccfg/include/isccfg/namedconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.h,v 1.9 2007/06/19 23:47:22 tbox Exp $ */
+/* $Id: namedconf.h,v 1.12 2009/06/10 00:27:22 each Exp $ */
 
 #ifndef ISCCFG_NAMEDCONF_H
 #define ISCCFG_NAMEDCONF_H 1
@@ -33,12 +33,18 @@
 LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_namedconf;
 /*%< A complete named.conf file. */
 
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_bindkeys;
+/*%< A bind.keys file. */
+
 LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndcconf;
 /*%< A complete rndc.conf file. */
 
 LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndckey;
 /*%< A complete rndc.key file. */
 
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_ddnskey;
+/*%< A complete ddns.key file. */
+
 LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_keyref;
 /*%< A key reference, used as an ACL element */
 
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 06104894..48f7913e 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.92 2008/09/27 23:35:31 jinmei Exp $ */
+/* $Id: namedconf.c,v 1.98 2009/06/10 23:47:47 tbox Exp $ */
 
 /*! \file */
 
@@ -248,8 +248,8 @@ static cfg_type_t cfg_type_pubkey = {
  * Note that the old parser allows quotes around the RR type names.
  */
 static cfg_type_t cfg_type_rrtypelist = {
-	"rrtypelist", cfg_parse_spacelist, cfg_print_spacelist, cfg_doc_terminal,
-	&cfg_rep_list, &cfg_type_astring
+	"rrtypelist", cfg_parse_spacelist, cfg_print_spacelist,
+	cfg_doc_terminal, &cfg_rep_list, &cfg_type_astring
 };
 
 static const char *mode_enums[] = { "grant", "deny", NULL };
@@ -258,13 +258,51 @@ static cfg_type_t cfg_type_mode = {
 	&mode_enums
 };
 
+static isc_result_t
+parse_matchtype(cfg_parser_t *pctx, const cfg_type_t *type,
+		cfg_obj_t **ret) {
+	isc_result_t result;
+
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), "zonesub") == 0) {
+		pctx->flags |= CFG_PCTX_SKIP;
+	}
+	return (cfg_parse_enum(pctx, type, ret));
+
+ cleanup:
+	return (result);
+}
+
+static isc_result_t
+parse_matchname(cfg_parser_t *pctx, const cfg_type_t *type,
+			 cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+
+	if ((pctx->flags & CFG_PCTX_SKIP) != 0) {
+		pctx->flags &= ~CFG_PCTX_SKIP;
+		CHECK(cfg_parse_void(pctx, NULL, &obj));
+	} else
+		result = cfg_parse_astring(pctx, type, &obj);
+
+	*ret = obj;
+ cleanup:
+	return (result);
+}
+
 static const char *matchtype_enums[] = {
 	"name", "subdomain", "wildcard", "self", "selfsub", "selfwild",
 	"krb5-self", "ms-self", "krb5-subdomain", "ms-subdomain",
-	"tcp-self", "6to4-self", NULL };
+	"tcp-self", "6to4-self", "zonesub", NULL };
 static cfg_type_t cfg_type_matchtype = {
-	"matchtype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
-	&matchtype_enums
+	"matchtype", parse_matchtype, cfg_print_ustring,
+	cfg_doc_enum, &cfg_rep_string, &matchtype_enums
+};
+
+static cfg_type_t cfg_type_matchname = {
+	"optional_matchname", parse_matchname, cfg_print_ustring,
+	cfg_doc_tuple, &cfg_rep_tuple, &cfg_type_ustring
 };
 
 /*%
@@ -274,7 +312,7 @@ static cfg_tuplefielddef_t grant_fields[] = {
 	{ "mode", &cfg_type_mode, 0 },
 	{ "identity", &cfg_type_astring, 0 }, /* domain name */
 	{ "matchtype", &cfg_type_matchtype, 0 },
-	{ "name", &cfg_type_astring, 0 }, /* domain name */
+	{ "name", &cfg_type_matchname, 0 }, /* domain name */
 	{ "types", &cfg_type_rrtypelist, 0 },
 	{ NULL, NULL, 0 }
 };
@@ -657,6 +695,15 @@ namedconf_or_view_clauses[] = {
 };
 
 /*%
+ * Clauses that can occur in the bind.keys file.
+ */
+static cfg_clausedef_t
+bindkeys_clauses[] = {
+	{ "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI },
+	{ NULL, NULL, 0 }
+};
+
+/*%
  * Clauses that can be found within the 'options' statement.
  */
 static cfg_clausedef_t
@@ -665,9 +712,13 @@ options_clauses[] = {
 	{ "use-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
 	{ "avoid-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
 	{ "avoid-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
+	{ "bindkeys-file", &cfg_type_qstring, 0 },
 	{ "blackhole", &cfg_type_bracketed_aml, 0 },
 	{ "coresize", &cfg_type_size, 0 },
 	{ "datasize", &cfg_type_size, 0 },
+	{ "ddns-keyfile", &cfg_type_qstringornone, 0 },
+	{ "ddns-keyname", &cfg_type_astring, 0 },
+	{ "ddns-keyalg", &cfg_type_astring, 0 },
 	{ "deallocate-on-exit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "directory", &cfg_type_qstring, CFG_CLAUSEFLAG_CALLBACK },
 	{ "dump-file", &cfg_type_qstring, 0 },
@@ -726,6 +777,34 @@ static cfg_type_t cfg_type_optional_exclude = {
 	"optional_exclude", parse_optional_keyvalue, print_keyvalue,
 	doc_optional_keyvalue, &cfg_rep_list, &exclude_kw };
 
+static keyword_type_t exceptionnames_kw = { "except-from", &cfg_type_namelist };
+
+static cfg_type_t cfg_type_optional_exceptionnames = {
+	"optional_allow", parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_list, &exceptionnames_kw };
+
+static cfg_tuplefielddef_t denyaddresses_fields[] = {
+	{ "acl", &cfg_type_bracketed_aml, 0 },
+	{ "except-from", &cfg_type_optional_exceptionnames, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_denyaddresses = {
+	"denyaddresses", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, denyaddresses_fields
+};
+
+static cfg_tuplefielddef_t denyaliases_fields[] = {
+	{ "name", &cfg_type_namelist, 0 },
+	{ "except-from", &cfg_type_optional_exceptionnames, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_denyaliases = {
+	"denyaliases", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, denyaliases_fields
+};
+
 static cfg_type_t cfg_type_algorithmlist = {
 	"algorithmlist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
 	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_astring };
@@ -764,14 +843,14 @@ static cfg_type_t cfg_type_masterformat = {
 
 static keyword_type_t trustanchor_kw = { "trust-anchor", &cfg_type_astring };
 
-static cfg_type_t cfg_type_trustanchor = {
-	"trust-anchor", parse_keyvalue, print_keyvalue, doc_keyvalue,
-	&cfg_rep_string, &trustanchor_kw
+static cfg_type_t cfg_type_optional_trustanchor = {
+	"optional_trustanchor", parse_optional_keyvalue, print_keyvalue,
+	doc_keyvalue, &cfg_rep_string, &trustanchor_kw
 };
 
 static cfg_tuplefielddef_t lookaside_fields[] = {
 	{ "domain", &cfg_type_astring, 0 },
-	{ "trust-anchor", &cfg_type_trustanchor, 0 },
+	{ "trust-anchor", &cfg_type_optional_trustanchor, 0 },
 	{ NULL, NULL, 0 }
 };
 
@@ -797,11 +876,14 @@ view_clauses[] = {
 	{ "allow-recursion-on", &cfg_type_bracketed_aml, 0 },
 	{ "allow-v6-synthesis", &cfg_type_bracketed_aml,
 	  CFG_CLAUSEFLAG_OBSOLETE },
+	{ "attach-cache", &cfg_type_astring, 0 },
 	{ "auth-nxdomain", &cfg_type_boolean, CFG_CLAUSEFLAG_NEWDEFAULT },
 	{ "cache-file", &cfg_type_qstring, 0 },
 	{ "check-names", &cfg_type_checknames, CFG_CLAUSEFLAG_MULTI },
 	{ "cleaning-interval", &cfg_type_uint32, 0 },
 	{ "clients-per-query", &cfg_type_uint32, 0 },
+	{ "deny-answer-addresses", &cfg_type_denyaddresses, 0 },
+	{ "deny-answer-aliases", &cfg_type_denyaliases, 0 },
 	{ "disable-algorithms", &cfg_type_disablealgorithm,
 	  CFG_CLAUSEFLAG_MULTI },
 	{ "disable-empty-zone", &cfg_type_astring, CFG_CLAUSEFLAG_MULTI },
@@ -926,6 +1008,7 @@ zone_clauses[] = {
 	{ "check-sibling", &cfg_type_boolean, 0 },
 	{ "check-srv-cname", &cfg_type_checkmode, 0 },
 	{ "check-wildcard", &cfg_type_boolean, 0 },
+	{ "ddns-autoconf", &cfg_type_boolean, 0 },
 	{ "dialup", &cfg_type_dialuptype, 0 },
 	{ "forward", &cfg_type_forwardtype, 0 },
 	{ "forwarders", &cfg_type_portiplist, 0 },
@@ -998,12 +1081,22 @@ namedconf_clausesets[] = {
 	namedconf_or_view_clauses,
 	NULL
 };
-
 LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_namedconf = {
 	"namedconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
 	&cfg_rep_map, namedconf_clausesets
 };
 
+/*% The bind.keys syntax (trusted-keys only). */
+static cfg_clausedef_t *
+bindkeys_clausesets[] = {
+	bindkeys_clauses,
+	NULL
+};
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_bindkeys = {
+	"bindkeys", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+	&cfg_rep_map, bindkeys_clausesets
+};
+
 /*% The "options" statement syntax. */
 
 static cfg_clausedef_t *
@@ -2082,6 +2175,15 @@ LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_rndckey = {
 	&cfg_rep_map, rndckey_clausesets
 };
 
+/*
+ * ddns.key has exactly the same syntax as rndc.key, but it's defined
+ * separately for clarity (and so we can extend it someday, if needed).
+ */
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_ddnskey = {
+	"ddnskey", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+	&cfg_rep_map, rndckey_clausesets
+};
+
 static cfg_tuplefielddef_t nameport_fields[] = {
 	{ "name", &cfg_type_astring, 0 },
 	{ "port", &cfg_type_optional_port, 0 },
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
index ee19cf54..1314e7a5 100644
--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: parser.c,v 1.129 2008/09/25 04:02:39 tbox Exp $ */
+/* $Id: parser.c,v 1.131 2009/06/11 23:47:55 tbox Exp $ */
 
 /*! \file */
 
@@ -400,6 +400,7 @@ cfg_parser_create(isc_mem_t *mctx, isc_log_t *lctx, cfg_parser_t **ret) {
 	pctx->callback = NULL;
 	pctx->callbackarg = NULL;
 	pctx->token.type = isc_tokentype_unknown;
+	pctx->flags = 0;
 
 	memset(specials, 0, sizeof(specials));
 	specials['{'] = 1;
diff --git a/lib/lwres/api b/lib/lwres/api
index 39934b4f..8459d423 100644
--- a/lib/lwres/api
+++ b/lib/lwres/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 50
-LIBREVISION = 2
+LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/lwres/context.c b/lib/lwres/context.c
index 464a2cf9..32233ff7 100644
--- a/lib/lwres/context.c
+++ b/lib/lwres/context.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context.c,v 1.50.332.2 2008/12/30 23:46:49 tbox Exp $ */
+/* $Id: context.c,v 1.52 2008/12/17 23:47:58 tbox Exp $ */
 
 /*! \file context.c
    lwres_context_create() creates a #lwres_context_t structure for use in
diff --git a/lib/lwres/context_p.h b/lib/lwres/context_p.h
index dd6f2b61..baac07f8 100644
--- a/lib/lwres/context_p.h
+++ b/lib/lwres/context_p.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context_p.h,v 1.17.332.2 2008/12/30 23:46:49 tbox Exp $ */
+/* $Id: context_p.h,v 1.19 2008/12/17 23:47:58 tbox Exp $ */
 
 #ifndef LWRES_CONTEXT_P_H
 #define LWRES_CONTEXT_P_H 1
diff --git a/lib/lwres/getaddrinfo.c b/lib/lwres/getaddrinfo.c
index fc53e63a..8e916f34 100644
--- a/lib/lwres/getaddrinfo.c
+++ b/lib/lwres/getaddrinfo.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * This code is derived from software contributed to ISC by
@@ -18,7 +18,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getaddrinfo.c,v 1.52.254.2 2009/03/31 23:47:16 tbox Exp $ */
+/* $Id: getaddrinfo.c,v 1.54 2008/11/25 23:47:23 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/lwres/include/lwres/context.h b/lib/lwres/include/lwres/context.h
index 5ae0b37c..434573ca 100644
--- a/lib/lwres/include/lwres/context.h
+++ b/lib/lwres/include/lwres/context.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context.h,v 1.21.332.2 2008/12/30 23:46:49 tbox Exp $ */
+/* $Id: context.h,v 1.23 2008/12/17 23:47:58 tbox Exp $ */
 
 #ifndef LWRES_CONTEXT_H
 #define LWRES_CONTEXT_H 1
diff --git a/lib/lwres/include/lwres/netdb.h.in b/lib/lwres/include/lwres/netdb.h.in
index 37ab0396..0844384e 100644
--- a/lib/lwres/include/lwres/netdb.h.in
+++ b/lib/lwres/include/lwres/netdb.h.in
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netdb.h.in,v 1.39.332.2 2009/01/18 23:47:41 tbox Exp $ */
+/* $Id: netdb.h.in,v 1.41 2009/01/18 23:48:14 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/lwres/lwconfig.c b/lib/lwres/lwconfig.c
index 7ededdfa..ca099b6b 100644
--- a/lib/lwres/lwconfig.c
+++ b/lib/lwres/lwconfig.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwconfig.c,v 1.46.332.2 2008/12/30 23:46:49 tbox Exp $ */
+/* $Id: lwconfig.c,v 1.48 2008/12/17 23:47:58 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/tests/t_api.c b/lib/tests/t_api.c
index ea8f45b7..07f06390 100644
--- a/lib/tests/t_api.c
+++ b/lib/tests/t_api.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: t_api.c,v 1.63.156.2 2009/03/02 23:47:11 tbox Exp $ */
+/* $Id: t_api.c,v 1.65 2009/03/02 23:47:43 tbox Exp $ */
 
 /*! \file */
 
diff --git a/make/rules.in b/make/rules.in
index 0b07980a..2effeef1 100644
--- a/make/rules.in
+++ b/make/rules.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: rules.in,v 1.64.130.2 2009/01/10 23:46:57 tbox Exp $
+# $Id: rules.in,v 1.66 2009/01/10 23:47:28 tbox Exp $
 
 ###
 ### Common Makefile rules for BIND 9.
diff --git a/version b/version
index 1b3080fc..8ff4c904 100644
--- a/version
+++ b/version
@@ -1,10 +1,10 @@
-# $Id: version,v 1.43.12.5 2009/06/04 04:02:41 marka Exp $
+# $Id: version,v 1.45 2009/06/12 02:33:21 each Exp $
 # 
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
 #
 MAJORVER=9
-MINORVER=6
-PATCHVER=1
-RELEASETYPE=
-RELEASEVER=
+MINORVER=7
+PATCHVER=0
+RELEASETYPE=a
+RELEASEVER=1
diff --git a/win32utils/BINDBuild.dsw b/win32utils/BINDBuild.dsw
index 481c17f2..a33b5556 100644
--- a/win32utils/BINDBuild.dsw
+++ b/win32utils/BINDBuild.dsw
@@ -375,7 +375,7 @@ Package=<4>
 
 ###############################################################################
 
-Project: "rndcconfgen"="..\bin\rndc\win32\confgen.dsp" - Package Owner=<4>
+Project: "rndcconfgen"="..\bin\confgen\win32\rndcconfgen.dsp" - Package Owner=<4>
 
 Package=<5>
 {{{
@@ -384,7 +384,43 @@ Package=<5>
 Package=<4>
 {{{
     Begin Project Dependency
-    Project_Dep_Name rndcutil
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisccc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libisccfg
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libbind9
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name confgentool
+    End Project Dependency
+}}}
+
+###############################################################################
+
+Project: "ddnsconfgen"="..\bin\confgen\win32\ddnsconfgen.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+    Begin Project Dependency
+    Project_Dep_Name libisc
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name libdns
+    End Project Dependency
+    Begin Project Dependency
+    Project_Dep_Name confgentool
     End Project Dependency
 }}}
 
@@ -456,6 +492,18 @@ Package=<4>
 
 ###############################################################################
 
+Project: "confgentool"="..\bin\confgen\win32\confgentool.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
 Project: "checktool"="..\bin\check\win32\checktool.dsp" - Package Owner=<4>
 
 Package=<5>
diff --git a/win32utils/BuildAll.bat b/win32utils/BuildAll.bat
index 8abecc4b..18c880fb 100644
--- a/win32utils/BuildAll.bat
+++ b/win32utils/BuildAll.bat
@@ -80,7 +80,12 @@ cd ..\..
 
 cd rndc\win32
 nmake /nologo -f rndc.mak CFG="rndc - Win32 Release"  NO_EXTERNAL_DEPS="1"
-nmake /nologo -f confgen.mak CFG="rndcconfgen - Win32 Release"  NO_EXTERNAL_DEPS="1"
+
+cd ..\..
+
+cd confgen\win32
+nmake /nologo -f rndcconfgen.mak CFG="rndcconfgen - Win32 Release"  NO_EXTERNAL_DEPS="1"
+nmake /nologo -f ddnsconfgen.mak CFG="ddnsconfgen - Win32 Release"  NO_EXTERNAL_DEPS="1"
 
 cd ..\..
 
diff --git a/win32utils/BuildSetup.bat b/win32utils/BuildSetup.bat
index 49beb58c..d2a6936a 100644
--- a/win32utils/BuildSetup.bat
+++ b/win32utils/BuildSetup.bat
@@ -55,6 +55,7 @@ echo Copying the standalone manual pages.
 
 copy ..\bin\named\named.html ..\Build\Release
 copy ..\bin\rndc\*.html ..\Build\Release
+copy ..\bin\confgen\*.html ..\Build\Release
 copy ..\bin\dig\*.html ..\Build\Release
 copy ..\bin\nsupdate\*.html ..\Build\Release
 copy ..\bin\check\*.html ..\Build\Release
@@ -79,8 +80,7 @@ if Defined FrameworkSDKDir (
 
 rem
 rem vcredist_x86.exe path relative to FrameworkSDKDir
-rem
-
+rem 
 if Exist "%FrameworkSDKDir%\%vcredist%" (
 
 echo Copying Visual C x86 Redistributable Installer
diff --git a/win32utils/index.html b/win32utils/index.html
index afc9798e..05e50499 100644
--- a/win32utils/index.html
+++ b/win32utils/index.html
@@ -14,7 +14,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: index.html,v 1.6.332.2 2008/12/14 21:33:07 tbox Exp $ -->
+<!-- $Id: index.html,v 1.8 2008/12/14 21:33:25 tbox Exp $ -->
 
 <html>
 <head>
diff --git a/win32utils/makedefs.pl b/win32utils/makedefs.pl
index 6a84299e..c0940e5c 100644
--- a/win32utils/makedefs.pl
+++ b/win32utils/makedefs.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: makedefs.pl,v 1.8.332.2 2009/01/18 23:47:41 tbox Exp $
+# $Id: makedefs.pl,v 1.10 2009/01/17 23:47:43 tbox Exp $
 
 # makedefs.pl
 # This script goes through all of the lib header files and creates a .def file
diff --git a/win32utils/readme1st.txt b/win32utils/readme1st.txt
index a56e7296..d36155f8 100644
--- a/win32utils/readme1st.txt
+++ b/win32utils/readme1st.txt
@@ -2,7 +2,7 @@ Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 2001, 2003  Internet Software Consortium.
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
-$Id: readme1st.txt,v 1.18.372.2 2008/12/14 21:33:07 tbox Exp $
+$Id: readme1st.txt,v 1.20 2008/12/14 21:33:25 tbox Exp $
 
 	   Release of BIND 9.5 for Window 2000/XP/2003
 
diff --git a/win32utils/win32-build.txt b/win32utils/win32-build.txt
index 97a20385..c3a52af4 100644
--- a/win32utils/win32-build.txt
+++ b/win32utils/win32-build.txt
@@ -2,7 +2,7 @@ Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 2001, 2002  Internet Software Consortium.
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
-$Id: win32-build.txt,v 1.11.692.2 2008/12/14 21:33:07 tbox Exp $
+$Id: win32-build.txt,v 1.13 2008/12/14 21:33:25 tbox Exp $
 
        BIND 9.4 for Win32 Source Build Instructions.  28-May-2005